Slashdot Mirror


User: hbo

hbo's activity in the archive.

Stories: 0
Comments: 185

Comments · 185

  1. Good Thing? on Novell Acquires SELinux Alternative Immunix · · Score: 5, Insightful
    And that is a Good Thing.

    A good thing is where your life becomes sweeter, funnier, easier or more pleasant in some way. Having two approaches to MAC pushed by the two leading Linux vendors makes my life (or the part I spend as a sysadmin) harder fer cryin' out loud!

    What is it with Unix-like operating systems and non-primitive access control? Every Unix flavor adopted different approaches to "Red Book" security in the 1980s on top of the barely-adequate-for-academic-use Unix permissions model. Those that survived have never standardized in all those years. I really hate to see Red Hat and SuSE continue on that well-worn path. And before you say Open Source is different in this regard, take a look at the competing desktops. It's roughly 10 years that both major projects have been pursuing separate paths. And freedesktop.org proves the point. They are expending an awful lot of effort to bridge the gap those competing projects dug between themselves.

    Competing approaches are fine for research into the best way to get things done. They are also a spur to development of different approaches. But MAC is not new computer science that needs researching. And choice is often actually the enemy in a production business computing environment.

    Bah!

  2. Re:My personal experience from hosting multiple si on What Are the Best Web and Email Hosts? · · Score: 1

    I fourth or fifth or whatever Dreamhost. I've only been with them for six months, but they keep upping bandwidth, mailboxes and other stuff for new accounts. Every time they do that, they give the same boost to existing customers! Nice touch. Then they told me about a recent flaw in Movable Type that I would have twigged to fairly soon anyway. But that's the first time a hosting provider has been out in front of something like that in my experience, going back to '94 with such businesses. Another cool thing about that warning is, they stated that after a certain period, vulnerable MT installations would be turned off by them to protect the rest of us shared host users. Bravo!

    If you want to sign up based on my recommendation, tell 'em egbok.com sent you. And screw the anti-referral police!

  3. Re:Not many posts yet... on Easy Remote Access? · · Score: 1
    I don't want to forward port 5500 to my home box, even on an incident by incident basis. I want my mom to start an encrypted tunnel and enter a passphrase. It's OK if she writes it down, but not OK if she stores it on the computer. With scripting, that makes the process one of launching the Perl/Tk script that prompts for the hostname and/or IP address, and for the passphrase. That's two more pieces of information than your scheme using mydyndns, and one more than the original reverse VNC proposal. But for that I get:
    1. No need to open a port in my firewall. (SSH already goes through)
    2. End-to-end encryption
    3. The ability to make this happen at work.
    No, I don't control the firewall at work, but they have an ssh gateway, controlled by hardware token password. So I get on the phone with Mom, and give her the OTP, and bingo!

    Actually, I'd just nx back to my home net. No sense in misusing work resources for this.

    And the solution is not fully general. Since I'll be forwarding port 5500 over the ssh tunnel to a specific host inside my firewall, that host will have to be known to the script. I could make it easily configurable, though.

  4. Re:Not many posts yet... on Easy Remote Access? · · Score: 1

    I understand the question. The reverse VNC deal meets the criteria you state. The only tricky part is having them install the server. If you preinstall VNC on the user's machine, then it's a piece of cake, for them: "Double-click on the VNC icon. Type this IP address" and you are done. The tricky stuff is on your end, under your control: forwarding the VNC port through your firewall and setting up the listening VNC client. That's pretty easy, too.

    What this lacks is security over the Internet. Adding an SSH tunnel from your family member's machine into your network might be something you could script in advance, but setting it up on the fly would be difficult.

    So let's see, I have cygwin on my Mom's machine. I write a script to establish the tunnel, prompting for the IP address. She's got to type a passphrase for the key, or else I only open up the particular port when I know I'm going to be working with her. The script then fires off the VNC server with the localhost address and port for the forwarded tunnel. I could probably even write a graphical perl script to do the work. (I have a Visual Basic-free household.) That's the ticket, I think.

  5. Re:How Disappointing on IBM Desktop Linux Pledge, One Year Later · · Score: 1

    There was this little revolution that started really taking off about 20 years ago. It had to do with this thing called the "inner-net," or something. Anyhow, I can't get on the inner-net with a hercules. It has this odd idea that computers like to get information in "botches," so it sends and receives a botch at a time. The inner-net thingie sends info in "pockets," which are much smaller than "botches," I think. Anyhow, that's the problem.

  6. Re:How Disappointing on IBM Desktop Linux Pledge, One Year Later · · Score: 2, Informative

    Time and money.

    In a company the size of IBM, with many, many years of technology legacy, a conversion to any set of standards, open, closed or half ajar is bound to be fabulously expensive. I mean, there are still app front-ends running on the mainframes, although I haven't had to use many since I started two years ago. Not Firefox, not IE, tn3270 . 8)

  7. Re:My question on Why Users Blame Spatial Nautilus · · Score: 1

    The consensus of the postings here indicates that shallow hierarchies are easier for light user/new user folks.

    The desktop and file cabinet paradigms have been around quite a while, and are fairly long in the tooth. There's lots of activity around trying to come up with something better, but that's nothing new. There have been a lot of good ideas for information organization that haven't caught on over the years. Still people keep trying. I think this reflects widespread dissatisfaction with the practical application of the metaphors. Either your information is visible and undifferentiated, or it is invisible and hierarchical.

    The most interesting idea I've heard to get around this is from the polymath that got injured by the Unabomber. (I forget his name, and I'm too lazy to search.) He presents information in a time sequence. So you can easily find "that article I started last September about information organization, but never finished." It's perhaps not surprising how useful date-oriented retrieval is. I use 'ls -lrt' a lot. It helps, but it's imperfect. I'd like to be able to combine the date information with file type, content, size and relevance, across arbitrary hierarchies and without having to think too much about designing the search. I suppose I won't get the last feature until neural interfaces get better. 8)

  8. Re:Huh? on Why Users Blame Spatial Nautilus · · Score: 4, Interesting

    Actually, the Gnome team isn't who wrote that silly article. They have been making lots of choices for their users through application of the HID, but they do retain the ability to customize most of the interface in true F/OSS style, so I can turn off the behavior I dislike. If it isn't easy for a beginner to do that, well, it's probably a good thing. It should be at least 25% as hard to get in to trouble as it is to get out.

  9. Re:Huh? on Why Users Blame Spatial Nautilus · · Score: 5, Insightful
    Yeah, it's called "respect for the user." In this case it's replaced with "user interface paternalism."

    Browser-mode file browsers hide the lack of thought and organisation in the filesystem structure; spatial ones do not. Folder structure should be simple and as shallow as possible..

    Translation: We know best about how to organize your files. We don't understand why you need a deep directory hierarchy, so we'll make it hard for you to use it.

    What's worst, attacks on the spatial browser try to stop the innovation. While it is hard to call the GNOME's spatial Nautilus "innovative", as spatial browsers have a long history, to mention only the famous Macintosh Finder, it is certainly innovative to bring this idea back to life, after all these years of browser-like file managers domination.

    Translation: You are a pinheaded luddite if you oppose this "innovation."

  10. Re:makes you wonder... on Microsoft Revamps Licensing Plans · · Score: 2, Insightful

    Apple is famous for not understanding the "enterprise" market. Their platform is cool, but they haven't a clue about how to support it in a large business environment, which is something Microsoft knows quite a bit about. Combine that with the fact that licenses for multiple tens of thousands of desktop machines adds up to heart-stopping-serious money, even at volume discounts, and you see why there is growing interest around Linux on the desktop.

    Don't get me wrong, I lust after the newer Apple equipment. They are indeed the new benchmark for stable, high-performance systems. But I couldn't bring myself to pay their price, even before I started paying the IRS back. 8)

  11. Not Bayes Avoidance .. on Spam as Poetry · · Score: 1
    .. but the result of a malaprop automatic language translation. This came complete with a virus laden attachment:
    Watched the demonstrative preview of the scherzetto " Spiral-fantastic "

    then

    you start the application that virtually you distoglie the sight from
    the images common in order to deform all I have there that watched
    subsequently for 1-2 min.

    Truly fantastic, it sure deserves to make to turn the knowing friends
    and.

    You do not have fear, is only an innocent game that has but its
    unexpected implications.

    A salute and a river basin from Stella.
    The "unexpected implications" cracked me up. 8)
  12. Re:ssh private keys on How Would You Distribute Root Access? · · Score: 1

    Fortunately, I haven't been near an SGI in six years. Great hardware, atrocious software. And a lack of understanding about how real servers are administered, as your experience shows.

    I don't know if they've improved in recent years, and I don't care. 8)

  13. Re:It's Not Like This Wasn't Obvious on Novell Sued Microsoft Through Caldera? · · Score: 1

    No problem. Thanks for taking it back. That shows courage. Sorry for the counter-zinger.

    Carrying on a discussion in a public forum like this is tricky. There are lots of folks looking for a fight, and a lot of nonsense besides. I find it useful to sit on my hands for a little bit before starting any posting here. Then I hit "preview" a bunch of times while composing. I'm vain about my writing, so I read it over, checking for spelling and style. By the time I'm through, I may decide to go back and change stuff I'm not too sure about. It not only saves me embarrassment, but often I find that my first thoughts on a subject contain bullshit. Correcting this sometimes helps me change what I think about stuff. All I give up is some time and a shot at the "frist post." 8)

  14. Re:It's Not Like This Wasn't Obvious on Novell Sued Microsoft Through Caldera? · · Score: 2, Informative
    Ray Noorda left Novell at the same time DR-DOS was sold to Caldera. The lawsuit was filed shortly after. It seemed then as though Novell had objected to Noorda filing the lawsuit, and Ray had left to pursue his well-known vendetta against Microsoft, using the IP from Digital Research, who had been famously aced out of the IBM contract for a PC operating system by Bill Gates, and later crushed out of existence like so many others who tried to stand in Microsoft's way.

    That Novell didn't want to be associated with a lawsuit against the notoriously vindictive and ruthless Microsoft was obvious at the time. If it wasn't so to you, (assuming you were out of grammar school in 1996) there's not much I can help you with there.

  15. It's Not Like This Wasn't Obvious on Novell Sued Microsoft Through Caldera? · · Score: 4, Informative

    At the time, it was clear that the sale of DR-DOS to Caldera/Canopy was to allow the lawsuit to commence without tying Novell to it too closely. The details of the arrangement are interesting nevertheless. It wasn't a case of the Novell board refusing to go along with a vendetta by Ray Noorda against Microsoft. Instead, the arrangement was specifically designed to allow Novell to realize some of the monetary value the (iron-clad, caught-you-in-the-act) antitrust claims contained.

    The connection to the SCO/IBM suit is also obvious, if you ignore any good guy/bad guy spin. It's the same business model playing out in the new case, but hopefully with different results.

  16. "Mena's Corner" Flooded With Complaints on Bloggers Assail Movable Type's New Pricing Scheme · · Score: 3, Informative

    The post containing the rationale for the licensing change contains hundreds of trackbacks from the MT community. Guess what most of them are saying.

  17. Re:dealing with this as well... on How Would You Distribute Root Access? · · Score: 2, Interesting
    Variations on this theme have been tried in varying environments with varying degrees of success. So called "thin clients" can achieve a result similar to reimaging a "fat" client on a daily basis. But unless you have bandwidth to burn, downloading the system images from central servers won't scale to thousands of seats very well. Satellite servers could ease this problem, but then you have a more complex, and thus more fragile system.

    I like the idea of empowering users. I agree that giving them root will result in benefits that often won't be visible to the sysadmins, and would surprise them if they were visible. (See my paper for more.) The trouble is that the monolithic security model of Unix makes this tough. It's not just an issue of the local workstation. When you share files via NFS in a heterogeneous environment, you have to deal with the fact that root can become any user he likes. Thus I can become you, and have my way with your data, even if you remap UID 0 to "nobody." If you say that there is no local data, that means that you have lots of NFS clients, and the foregoing becomes an issue.

    There are technical fixes, of course. More recent versions of NFS get around the above problem. SELinux is a good way to provide finer grained distribution of system privilege. But these solutions are not widely deployed, and besides, a real enterprise has lots of platform diversity. A half dozen different solutions exist for each problem I've mentioned, depending on the platform. Designing a security policy that has to be implemented six different ways is tough. Add in the older versions that don't offer any solution and it becomes impossible.

    Real security policies pick a model, open, closed or in-between, and just deal with the technical shortcomings as personnel issues.

  18. Re:well...to be honest... on How Would You Distribute Root Access? · · Score: 1
    At the Very Large Company I'm currently working at, they distribute sudoers nightly to thousands of hosts. Most sysadmins have no reason to be skilled at writing sudoers rules as a result.

    I don't know what they do about root passwords, beyond the fact that they are not disabled, but I'd take a similar approach to them. I'd change them on a schedule through automation, and check that they work nightly or more often.

    (They don't give the root password to consultants, but I do have sudo most everywhere. Go figger.)

  19. Re:ssh private keys on How Would You Distribute Root Access? · · Score: 2, Insightful

    The problem with this is single-user mode. Even though there are various tricks to get console root on various flavors of Unix, in a large organization, you can bet that a sysadmin that doesn't know the particular trick for the OS in consideration will have to go in to single-user to fix something. The consequences of this could range from annoying (3:30 AM: "Hi, Mr Senior Sysadmin Guy. How do you get root on xyz?") to fairly painful, like having a revenue-critical database server down 45 minutes longer than necessary.

  20. Re:dealing with this as well... on How Would You Distribute Root Access? · · Score: 2, Informative
    It's not so idiotic. There are several approaches that allow everyone to have root. My sudoscript tool was written to fit into just such an environment. The audit trail was designed to allow the IT department (me) to figure out what went wrong when someone shot themselves in the foot. (See The Problem of PORCMOLSULB for more on my experiences with this.)

    SDSC uses cfengine to enforce configuration policies. Their users do have root. (I've been looking for the ;login paper that discusses how exactly they do this. It's not on Google, so it must not exist. 8) Reimaging a system works as long as you can keep a root-enabled user from storing local data, or else you don't care about the consequences of losing any such data. It's also the correct last resort if things go badly wrong.

  21. Audit Trail? sudo+sudoscript on How Would You Distribute Root Access? · · Score: 2, Interesting

    sudoscript preserves your audit trail in root shells. It's not perfect, (there are still ways to evade the auditing) but if your concern is to have a record of root's actions so that problem diagnosis is easier, rather than keeping malicious users from doing bad stuff, then it's useful.

  22. Re:Quiet PCs? on Japanese Inventor's Motor Uses 80% Less Power · · Score: 2, Insightful
    I thought that even nuclear fusion produced some radioactive waste--induced radioactivity or something like that. I don't happen to buy all the CO2 induced global warming hype, so I am not so concerned about emissions. Energy density is indeed the key when it comes to a practical vehicle without an internal combustion engine.

    The energy density in a tank of gasoline is incredible. While it's still around, we may as well make use of it. It would be nice if we could find another chemical reaction that could produce greater power per pound of fuel, but I'm not holding my breath.

    Umm, you might have a better chance of lasting to see one if you did hold your breath.

  23. Where's the Slashdot Effect When You Need It? on Fedora Core 2 Test 2 Released · · Score: 1

    The binary torrent is ranging between 2KB/s and (rarely) 40KB/s. The source torrent, (started in frustration after watching its binary brother crawl for a while,) is cooking along at 400-450 KB/s. (Yay RCN!) They are both uploading at about 25 KB/s.

    So, did all you nerds suck it down this morning? 8)

  24. RCN Rocks on Comcast Targets Internet "Abusers" · · Score: 1

    I routinely get 4+ Mbps download and 768K up. I don't do Kazaa or Pr0n fishing, but I occasionally download quite a lot of data, such as a Red Hat ISO set, so 2GB/day (mentioned in the article as the stated limit Cox imposes,) would crimp my style. I've never had a complaint from RCN. Their service isn't bad, which is to say, it's very good compared to the competition.

    The downsides are these: they are only in a few urban areas, and they spent so much building out fiber to within 600 feet of every customer in the 90's that they will probably go bankrupt soon. In the meantime, I sing their praises and enjoy the service.

  25. It's Cheaper with Windows on Dell Offers FreeDOS With New PCs · · Score: 1

    .. through the 28th, that is.

    I configured the following Precision 360n:

    P4/2.8Ghz/800Mhz
    512Mb DDR400 RAM
    Entry Keyboard
    Dell Scroll Mouse
    Quadro NVS 280 GDA
    No Monitor/Speakers
    80 Gb HD
    24x CD-ROM
    Floppy
    FreeDOS
    Cost $1,136

    They have a $300 off deal through Wednesday. I configured the following system "regular" Precision 360:

    P4/2.8Ghz/800Mhz
    512Mb DDR400 RAM
    Entry Keyboard
    Dell Scroll Mouse
    Quadro NVS 280 GDA
    No Monitor/Speakers
    80 Gb HD
    24x CD-ROM
    Floppy
    Windows XP Pro
    Cost $1,016

    So, which one is the better value? The eMachine, of course!