Slashdot Mirror


User: WuphonsReach

WuphonsReach's activity in the archive.

Stories: 0 · Comments: 3,320

Comments · 3,320

  1. Re:As a proud Bavarian on Munich Migrating To Linux · · Score: 1

    Oh come now, Gentoo isn't that bad in a production environment. You treat it the same as you would any other distribution except that you can compile your own packages instead of relying on binary packages. Change management doesn't change just because you're using a different flavor of Linux.

    (For what it's worth, Xen makes the process a lot easier to deal with. Clone a DomU, test out the new configuration, then decide whether to use the new DomU or stick with the old DomU.)

  2. Re:Nethack is a great game on The Many Ways To Die in Nethack · · Score: 1

    I think the next evolution of Rogue-like games is the MMORPG. You can quote me on this: we will see a Rogue-like MMORPG before the decade is done. Not a MUD, mind you, a real Rogue/NetHack-ish MMORPG, possibly with PvP. Take that, WoW!

    That reminds me (vaguely) of EQ's Dungeons of Norrath expansion. One idea that would've been very decent was if the EQ team had managed to construct a "building block" style dungeon engine. As you moved from level to level you could get an entirely randomly generated dungeon level with appropriate level monsters. (Functioning similar to how Moria/Angband generates levels.)

    Things going too rough? Find a stairs leading up... Loot not good enough? Find a stairs going downward...

    It would be the sort of dungeon where you round up a party and go crawling for an hour or two at your own pace. No downloaded maps, random surprises around every corner (no knowing that there are 3 mobs in the next room on an 18.32 minute timer), and you'll always be exploring new layouts.

  3. Re:The Best Programmers on Hiring (Superstar) Programmers · · Score: 1

    Dang, your list reads pretty much like how I've gotten my last 2 jobs. Networking trumps resume stuffing.

  4. Re:Invisible workers on Sysadmin of the Year · · Score: 2, Insightful

    Whenever I try to explain, that I do zip during working hours, means I am doing a great job, people give me this sheepish look... If things don't work, it's my fault...if things work, I'm a lazy bastard. Just forget about ordinary users voting for their sysadmin.

    Yeah, no kidding. My usual tactic is to make sure that there are spare parts everywhere, lots of blinking lights, a few dozen windows displaying "tail -f" on the mail queue log, and stacks of books artfully arranged with dozens of bookmarks and/or open books.

    That or walk around with a piece of network cable or any other easy-to-carry but non-functional part...

  5. Re:In another 30 years... on 30 Years of Public Key Cryptography · · Score: 1

    I suspect that what might work without overhauling SMTP completely (and this is very much a blue sky idea).

    1a) Mail servers that start caching SSH-style public keys for servers that they talk to. Then encrypt the transport between the two servers. There are definitely MITM attacks that could be mounted, but the outbound MTA might simply keep track of key-changed events in the log files. Let the admins worry about it, if they do.

    1b) IPSec with opportunistic encryption for encrypting the transport. Maybe you get DNS (or secure DNS) involved for proving the validity of the public keys. Or maybe you take a page out of the SSH playbook and simply tell the user that the mail may not have been delivered to the system that we think it should've been delivered.

    2) Mail clients that create a public key and hand it to the POP3/IMAP server. Then the server could simply encrypt the message files as they get written to the disk using the user's public key. This runs into all sorts of issues (no web-access to your mail folder, difficulty in retrieving e-mail with another e-mail client, lost e-mail if you lose your private key). So I don't know how well that would work out in principle (probably not well).

    Personally, I think securing the SMTP link is probably the most realistic. Paranoid MTA admins could decide that all keys have to be pre-validated before e-mail can be delivered to the remote system. The rest of us could simply accept the small risk of MITM and watch our log files for keys that change. Or check our destination keys against public lists of server keys (sort of a reputation service).
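The key cache from idea 1a and the pre-validation policy from the last paragraph of the comment above, sketched in Python as an added example (not part of the original comment and not code from any MTA). `PeerKeyCache`, its verdict names and the JSON pin file are assumptions; how the peer's public key is read off the transport is out of scope, and the host names and key bytes in `demo()` are constructed.

```python
"""Trust-on-first-use cache of peer mail-server public keys (illustration)."""
import hashlib
import json
import logging
import os
import tempfile

log = logging.getLogger("mta.keycache")
NEW, MATCH, CHANGED, UNKNOWN = "new", "match", "changed", "unknown"


def fingerprint(public_key: bytes) -> str:
    """SSH-style fingerprint: SHA-256 over the raw public key bytes."""
    return "SHA256:" + hashlib.sha256(public_key).hexdigest()


class PeerKeyCache:
    def __init__(self, path, require_prevalidated=False):
        self.path = path
        # True = the "paranoid admin" policy: only keys pinned by hand are accepted.
        self.require_prevalidated = require_prevalidated
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self):
        # Write a temp file and rename it so a crash never leaves a half-written cache.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=1, sort_keys=True)
        os.replace(tmp, self.path)

    def pin(self, host, public_key):
        """Admin action: record a key that was verified out of band."""
        self.pins[host.lower()] = fingerprint(public_key)
        self._save()

    def check(self, host, public_key):
        """Return (verdict, deliver) for the key a peer just presented."""
        host, seen = host.lower(), fingerprint(public_key)
        known = self.pins.get(host)
        if known is None:
            if self.require_prevalidated:
                log.warning("no pre-validated key for %s, deferring mail", host)
                return UNKNOWN, False
            self.pins[host] = seen  # first contact: trust and remember
            self._save()
            log.info("first contact with %s, cached %s", host, seen)
            return NEW, True
        if known == seen:
            return MATCH, True
        # The old pin is kept, so every later contact logs again until an admin re-pins.
        log.warning("KEY CHANGED for %s: cached %s, presented %s", host, known, seen)
        return CHANGED, not self.require_prevalidated


def demo():
    """Constructed scenario: one relaxed cache, one strict cache."""
    with tempfile.TemporaryDirectory() as d:
        relaxed = PeerKeyCache(os.path.join(d, "relaxed.json"))
        results = [
            relaxed.check("mx.example.net", b"constructed-key-A"),
            relaxed.check("MX.example.net", b"constructed-key-A"),
            relaxed.check("mx.example.net", b"constructed-key-B"),
        ]
        strict = PeerKeyCache(os.path.join(d, "strict.json"), require_prevalidated=True)
        results.append(strict.check("mx.example.org", b"constructed-key-C"))
        strict.pin("mx.example.org", b"constructed-key-C")
        results.append(strict.check("mx.example.org", b"constructed-key-C"))
        results.append(strict.check("mx.example.org", b"constructed-key-D"))
        return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for verdict in demo():
        print(verdict)
```

In the relaxed cache a changed key is logged and mail is still delivered, which is the "let the admins worry about it" behaviour; the strict cache refuses both unknown and changed keys.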

  6. Re:Annoying... on Depressed? Net-based Treatments Can Help · · Score: 3, Insightful

    Kid, I'd wish a bout of severe depression on you, but that's not even something I'd do to my worst enemy. When you say "people have really unimportant lives", you're making a value judgement that you have no place making. Don't argue with me now, just think about that and come back and argue 20 years from now.

    Depression is a very difficult disease to deal with. It's also a complicated disease (or set of diseases) where the symptoms of all the different types of depression are pretty much the same. There are multiple causes and they often feed back on themselves which makes things a whole lot worse. It's not a trite saying to say that depression has a significant fatality rate as a disease. It needs to be treated as a potentially life-threatening disease. But like all diseases, there are various levels of severity ranging from mild to severe.

    There's external-induced (events, relationships, or other things not under your control) depression which overloads the individual and causes them to give up hope. That's more amenable to talk therapy or even simple counseling where someone sits down with you and helps you formulate a plan. Some of the exercises are learning how to separate / identify which things you can change and which things are out of your control, then focusing on changing what is possible. Other goals of therapy are to help you identify which thoughts are incorrect views of reality ("everyone thinks that I'm ugly / worthless / stupid / etc") and to take steps to challenge those thoughts. See "Feeling Good" by David D. Burns for a good book about CBT.

    Then there's the chemical side of the disease where the brain (other organs) don't make the right chemicals, or the receptors for those chemicals aren't working right. (This is where things get very experimental, theoretical, and understandings are constantly revised.) Even though there are no external events that would seem to cause depression, the individual spends their waking hours in pain and is seriously considering suicide as a viable solution to end the pain. Speech becomes slow and slurred, there's mental confusion, short-term memory issues, and you feel like you're viewing the world through a piece of gauze (or an oily lens).

    And the two major sides of the disease often combine in a particular case, making it even more difficult and twisted. They'll feed off of each other, as the individual starts to sabotage relationships which makes them feel even worse as a person. And which also destroys the person's support network (unless the friends understand what is going on, which is rare) making recovery an even more difficult road.

    Where things get tricky is that when you are depressed, it is very difficult to seek treatment. Seeking treatment requires you to believe that you can get better, which is 180 degrees in opposition to how you feel about yourself at that point in time. You'll be worried that they'll lock you up (resulting in friends, family, coworkers, bosses thinking that you're simply "crazy"). Or you could simply be worried about being branded as "crazy" or "seeking attention" by the above people. There's a huge social stigma towards mental disease and popular culture (TV, Movies) usually perpetuates the misunderstandings and misinformation in order to make for more 'engaging' story lines.

    The reality of the matter is far different. Once you've been through a successful cycle of treatment, a lot of depressives become very outgoing and honest about their disease with others. Basically, you decide that the potential stigma is nothing compared to the pain and suffering that you've been through and that your suffering was increased because you were trying to hide the fact that you have depression. That relieves a lot of the pressure and you start trying to educate people around you about the disease (if they're willing to listen). Often, that forwardness and truthfulness results in someone else realizing (or admitting to themselves) and seeking treatment.

  7. Re:Mod parent up. on Oracle to Compete With Red Hat for Linux Support · · Score: 1

    Looking at the 2.6.17 tree (gentoo-sources):

    # grep -ri oracle /usr/src/linux | wc
    147 1146 13245
    # grep -ri redhat /usr/src/linux | wc
    947 6654 87153

    Now, does it really mean anything? Well maybe, maybe not. (Lies, damned lies, and statistics. And it's tough to tell one from the other.) The commit logs in bitkeeper / GIT might show a better picture.

  8. Re:I'm confused on Why Not Use Full Disk Encryption on Laptops? · · Score: 1

    Maybe they're getting tired of the "yes, no, maybe" tags that always show up whenever they ask a yes/no question?

    Maybe they need to start asking open-ended questions?

  9. Re:Forced Overkill on AMD 4x4 Quad Father, Quad Core CPU Details Emerge · · Score: 2, Informative

    You won't get 4 PCI-E x16 slots and 12 SATA ports, but who needs that anyways? Or, you could just wait until 3Q of 07 and get a native quad core CPU.

    Those of us who want to drop in PCIe RAID cards and dual/quad port PCIe NIC cards? (Both of which are usually only available in PCIe x4 sizes.) Plus for less expensive servers, 12 SATA ports could allow the use of Software RAID without having to use up a PCIe slot for a SATA card.

    When you get into NIC bonding, it's not unusual to want 4-8 gigabit NICs in the unit. Especially if you're connecting to an iSCSI/AoE switch fabric and you want to connect to multiple switches for fault-tolerance (along with bonding for bandwidth). Even with dual-port NICs, you start running out of space quickly (it's better with quads, but they're hard to source).

  10. Re:iPod's major influence on our world. on A Recap of the iPod's Life · · Score: 1

    It has made it far more practical to not have to carry around your Compact Discs when listening to music in the car.

    I still prefer MP3 CDs in the car. 8-10 hours per disk, room in my visor to hold 10 disks plus I can carry more in the car door pocket if needed. No worries about someone swiping my CDs or my stereo and it's one less thing I have to carry to/from the car. And most modern car stereos are starting to support MP3 CD without needing an after-market stereo.

    My longest trip to date was a 3-week road trip. The MP3 CDs worked perfectly. I could load an 8-hour CD up based on my mood and swap it out every few hours with little hassle.

    But then, my lifestyle isn't suited to an iPod anyway. I don't spend hours per week on the bus/train/plane, I only drive to work about once every 3 weeks, and I listen to most of my music in my home office (using my laptop). So a low-maintenance solution for my car like MP3 CDs suits me perfectly.

  11. Re:How do you Know and REMOVE them? on Is the Botnet Battle Already Lost? · · Score: 1

    Xen can launch windows... v3.0.3 was just released with some improvements for the HVM capabilities. It does require a newer CPU with hardware virtualization and I'm not sure of all the downsides yet. (I plan on installing a Win2000 server in a guest DomU next week after I upgrade to the 3.0.3 release.)

  12. Re:How do you Know and REMOVE them? on Is the Botnet Battle Already Lost? · · Score: 1

    So.. HOW IN THE HECK do you REMOVE stuff that you can't find? I really.. REALLY.. don't want to reformat and reinstall because there is no way this should be hidden to administrator on Windows XP.. but it IS!

    Rule #1: Once a box has been compromised, it can no longer be trusted.

    Which means that it needs to be wiped, re-installed using known-clean media (original install CDs) and any data that is going to be restored needs to be carefully checked.

    As good as the anti-adware / anti-spyware / anti-virus software is, we're rapidly approaching the point that a wipe / reinstall is going to be the only viable solution. The attackers are getting more sophisticated and their tricks are filtering down to the script kiddies as common knowledge.

    Now for some common-sense approaches to making the process less painful:

    1) Back up your data separately from the OS. Keep your data on a separate drive/partition if possible.

    2) Learn how to image the OS. Either Norton Ghost, Acronis TrueImage, or Knoppix + NTFSClone are your friends. After building the box for the first time, before connecting it to the network... image it and save the image to read-only media. Then you should create another image after getting it patched and your apps installed. After that you'll want to image after any major software install. Keep all of your image CDs/DVDs, especially the early ones. Then, after the box gets rooted, you can go back to a clean version that already has most of your software installed.

    3) Protect your machines by running firewalls on the boxes and keeping them behind a firewall that protects them from the wild internet.

    4) Make liberal use of your LART to train your users not to do silly things.

    Plus the dozens of other basic security precautions that have been suggested over the years.

  13. Re:Uh Oh! on McDonalds Japan Distributes Infected MP3 Players · · Score: 1

    Oh, I dunno, that was at least one of the better attempts at using the old joke. Possibly because all of us find the idea of Ronald McD leading the attacking force to be especially comical.

  14. Re:Don't Laugh, Intel helped create the shortage on Why AMD Is Still In The Race · · Score: 1

    We've not had any issues getting our hands on AM2 X2s over the past few months. What we have seen is that our vendors are periodically out of stock on the AM2 motherboards.

    Which is more annoying, because we can always buy a different AM2 X2 CPU (more/less powerful) but spec'ing a different motherboard requires more research.

  15. Re:You can't buy processors in a vacuum on Why AMD Is Still In The Race · · Score: 1

    The big advantage of AM2 is that the chip is *very* similar to the 939 chips. Which means that manufacturers didn't have to design a whole new chipset for the new socket. Look at the PCIe motherboards from Asus, the 939 and AM2 product lines are extremely similar.

  16. Re:Flamebait Submission on Why AMD Is Still In The Race · · Score: 1

    Pricing on the X2 3800+ chip has gone up a bit over the last few weeks. Both for the 939 and AM2 versions. AM2s are up to $170 from MWave/NewEgg and 939s are up to $178 from MWave. Very few 939 X2 3800+ chips left in the pipeline. OTOH, it makes the 4200+ chips a lot more attractive and we may make the jump to them.

    Memory prices are also up quite a bit in the past 2 months. I used to be able to get 2GB of DDR or DDR2 for $150, now it's costing $210-$220 for two 1GB sticks.

  17. Re:Chipsets.. on Why AMD Is Still In The Race · · Score: 1

    In the Socket A Athlon Period, Intel had socket 370, 423, 478 and LGA 755. Now with AMD64, you got 740, 939, 940, AM2, and the upcoming 1207 pin socket, with talks about yet another socket revision for AM2. In the AMD64 period, Intel was phasing out 478 and was moving towards 755, and hasn't changed since.

    Pin-count isn't everything. Not all Intel 755 CPUs work in all boards (same thing happened with Socket A where you had to research carefully what "steps" your motherboard would support).

    The 754 (what you called a 740) socket was designed as a low-end budget line processor socket. I'm amazed that we can still buy brand new chips for what was supposed to be a limited run socket.

    The 939/940 socket design is the difference between a workstation socket and a server socket. Both sockets were around for a few years. AM2 is just a different pin layout of a 939 socket, but since the AM2 CPUs support DDR2 memory, they went with a new socket to reduce market confusion. Even better, the chipsets for AM2 are almost identical to 939, which means less issues with the first generation AM2 boards. For an example of this, look at Asus motherboards and compare the 939 lineup against the AM2 lineup.

    Yes, AM2 is going to be updated to AM3. But from what I recall, AM3 CPUs will be able to plug into the older AM2 socket. So those quad-core AM3s next year should fit into existing AM2 sockets. (Hopefully, nothing is ever certain until you've assembled the system.)

    The 1207 pin socket is for server chips. It's basically the replacement for the aging socket 940.

    Another nice feature of the AM2 socket designation switch is that it's easy to know which AMD Athlon64 CPUs support HVM. (The 939 chips do not support it, all of the AM2 Athlon64 chips support it.)

  18. Re:I work for a company... on Email Servers Will Choke, Says Spamhaus · · Score: 1

    For example, one of our customers requires that financial information is sent to the Bank of England by close of play every day. It is sent using (encrypted) e-mail.

    Why, for the sake of all that is holy, are you using a "best-effort" delivery system with no guarantee on message transit time for a system that requires messages to be received by a certain time? Nothing in the SMTP protocol guarantees delivery, so unless you have set up your mail servers to be extremely aggressive at timing out message delivery attempts, mail can take up to a few days to be delivered (at the outside).

    Switch to scp or sftp for time-sensitive transmissions.

  19. Re:backups? on Ext4 Filesystem Enters Experimental Kernel Tree · · Score: 1

    Neither SAS nor SATA-II drives will come close to filling a 3Gbps channel in the foreseeable future. Not until perpendicular storage boosts their data density by about 4x (and possibly even longer).

    Modern 750GB SATA-II drives top out at around 75-80MB/s, with 40-50MB/s as a more realistic number across the entire disk. Assuming that we could spin that disk at 15k, that's still only 150-160MB/s peak or 80-100MB/s average.

    Maybe once the 2TB 7200rpm drives or the 1TB 10k or the 600GB 15k drives arrive...

  20. Re:www.bacula.org on Backing up a Linux (or Other *nix) System · · Score: 1

    We used to use NovaStor... but that has never worked well on the Windows boxes. So now I'm setting up a 1.3TB 4-disk RAID10 server (expandable to 2.6TB) and we're going to use Bacula for the Unix/Linux boxes and to back up the data on the Windows servers as well. There's also a set of 500GB IDE drives that we take offsite weekly that are on a WinXP box that I have to work into the equation. The amount of data that we have to back up daily is about 200GB but only a few percent changes daily.

    All this just happens to be occurring at the same time that I'm setting up Xen, central log server, a subversion server, etc. So I'm a bit overwhelmed this week.

    Tape drives have proven to be too problematic for us (4mm DAT then Sony's 50GB tape drive). So instead we're going with a central backup "vault" server with hard drives as the offsite component (6+ drives in rotation). And we're slowly moving more and more files into a version control system (SVN) which eliminates a lot of the "oops" that would require us to pull a backup tape for a quick restore.

  21. Re:www.bacula.org on Backing up a Linux (or Other *nix) System · · Score: 1

    And moderately difficult to install... Don't get me wrong, it's our platform of choice and I'm working on setting up a central backup server using it. But I reckon that I still have a few hours of reading before I'll have it up and running and making backups.

    (OTOH, I prefer it that way in the long run, because it forces me to learn the ins/outs of the system. Which is better than click-click-click-done and then not knowing how to fix it when things go pear-shaped.)

  22. Re:Consistent backups on Backing up a Linux (or Other *nix) System · · Score: 1

    Subversion fsfs is really easy - it only changes files through atomic rename(), so you copy all the files away

    I was under the impression that even with FSFS you still needed to use the hotcopy.py script in order to get a guaranteed consistent backup.

  23. Re:Amanda on Backing up a Linux (or Other *nix) System · · Score: 1

    No recommendations for bacula? Or are they not even comparable?

  24. Re:Backups on Backing up a Linux (or Other *nix) System · · Score: 4, Informative

    The problem with suggesting backup solutions is that everyone's tolerance of risk differs. Plus, different backup solutions solve different problems.

    For bare metal restore, there's not much that beats a compressed dd copy of the boot sector, the boot partition and the root partition. Assuming that you have a logical partition scheme for the base OS, a bootable CD of some sort and a place to pull the compressed dd images from, you can get a server back up and running in a basic state pretty quickly. You can also get fancier by using a tar snapshot of the root partition instead of a low-level dd image.

    Then there are the fancier methods of bare metal restore that use programs like Bacula, Amanda, tar, tape drives.

    After that, you get into preservation of OS configuration. For which I prefer to use things like version control systems, incremental hard-link snapshots to another partition and incremental snapshots to a central backup server. I typically snapshot the entire OS, not just configuration files and the hardlinked backups using ssh/rsync keep things manageable.

    Finally we get into data, and there's two goals here. Disaster recovery and archival. Archive backups can be less frequent than disaster recovery backups since the goal is to be able to pull a file from 2 years ago. Disaster recovery backup frequency depends more on your tolerance for risk. How many days / hours are you willing to lose if the building burns down (or if someone deletes a file).

    You can even mitigate some data loss scenarios by putting versioning and snapshots into place to handle day-to-day accidental mistakes.

    Or there's simpler ideas, like having backup operating systems installed on the partition (a bootable root with an old, clean copy) that can be booted in an emergency, run no services other than SSH, but have the tools to let you repair the primary OS volumes. Or going virtual with Xen where your servers are just files on the hard drive of the hypervisor domain and you can dump them to tape.

  25. Re:.xxx on U.S. Government Crippled by Sex, Gaming Sites · · Score: 1

    The whole problem with an .xxx domain vs a .kids domain is that on the one hand, you're forcing independent people to move to a domain that is likely to be blocked by just about everyone. Not to mention censorship likelihood and the huge issue of "what is porn" (a.k.a. porn is in the eye of the beholder).

    Whereas with a .kids domain, webmasters will want to move there if their product is targeted at kids. You can define strict rules as to what is appropriate for the domain and enforce them. The TLD is attractive because it's very unlikely to be blocked (I can even envision web browser add-ins that only let kids' accounts visit .kids domains). And if a webmaster doesn't comply with the TLD rules, they can simply set up shop on one of the other TLDs without any punitive consequences.

    It's the difference between forcing people to move to a particular neighborhood vs making a particular neighborhood very attractive but with strict community rules. The former is an exercise in frustration and pointlessness, the latter might actually work.