Shit, man! I know Perth is not close (I'm in Sydney) but it took me _way_ longer than that to digest Nutshell!
History of Time is good. A lot less pictorial but just as lucid. He did a great job of keeping the books seperate in that they are not dependant on each other. Some of the chapters in 'Time are quite short - others no so.
Did the chapter in 'Nutshell about time travel leave anyone else scratching their heads? An island of insanity in a ocean of sence...
#1. Timothy. SNMP != SMTP. This is unfortunate but true.
#2. A statement like "SNMP is unsecure" is like saying "guns don't kill people, people kill people." It's the same type of logic. Debating it is futile.
#3. There are three versions of the SNMP protocol. These are v1, v2 and v3
#4. SNMPv1 is the most common. Sometimes the word security is used in the same sentance as SNMPv1. DO NOT LET THIS MISLEAD YOU!
#5. SNMPv3 has all the crypto that you need - yet uptake is a bit slow.
#6. Authentication in v1 is done by sending a "community string" in cleartext to port 161/UDP. That this is a little weak is nothing new.
#7. We are talking about two seperate problems here. Don't confuse them. The first is the old issue of "Everyone uses SNMPv1 but no one secures it" - The second problem (the one Timothy was telling us about) is about buffer overflows and format string vunrabilities in the SNMP agent and trap reciever (snmpd and snmptrapd).
Think of SNMP agent to SNMP as Apache to HTTP. That the protocol is flawed is one thing. That it's common to have bugs in the implementation that are independant of the flaws in the protocol is something else. That is what we are talking about.
SNMP is a good protocol - but it's not for everyones needs. If your box exposes snmpd on 161/UDP to the www then you deserve what you get. The place for SNMPv1 is on VLANS dedicated to network management that are not part of your 'distribution' network and are definately not part of your public network.
If someone can get to your management VLAN then you may find yourself with bigger things at hand than someone sniffing your community strings.
Here's your checklist:
[_] - SNMP isn't visible to the www from any of your endpoints.
[_] - Your endpoints have good packet filtering. Just say that you have an ADSL router and you are using SNMP on the router. Make sure that you can block packets from it's red interface and not just ask the snmp agent not to respond to non-local addresses. The reason is that if the SNMP agent has to refuse a given address then it could allready been too late.
[_] - If a box isn't being managed with SNMP - get SNMP off it.
[_] - Limit, where possible, SNMP traffic to VLANS that are designed for network management.
[_] - Where possible, use the highest possible version of the protocol. (if you can use v1, v2 and v3 then use v3!)
[_] - swap your community names often. Treat them just like any other network authentication mechanism.
[_] - Audit your own LAN for security.
but mod this up because some people still, sadly miss the point:-(
An OS is hardly "secure" or "insecure".
To illustrate my point, lets just imagine that the default install of my Win2K server is more "secure" than the default install of my debian box.
Neither of them are connected straight to DSL!
Your whole environment (firewall, router, switch, servers etc) can be secure or unsecure, that's true, but one componant can't rate the whole environment.
"I'm better than you because my Win2k box is tighter than your debian box" won't cut it here either, for the simple fact that you just can't get to my debian box so it dosen't matter if it has a hole that you can throw a cat through (which it dosen't)
So if we believe that stats, it could read more things than OS security anyway because it's about which holes are known (M$FT dosen't always feel the same open-ness as the rest on this topic, remember)
Anyway, don't let me get in the way of the flames:-)
Let's see, if you are testing a kernel for a production system with real tests (you know, you have probabbly read about them!) then if it goes down once in 100 days then it's off my list.
Aim a little higher than - as another respondant said - Windows 95 (which wasn't designed for serious use anyway!).
Some of this may be redundant - but that's the point! Redundant storage:-)
Is it you? first check
1. Power Supply. Don't run 3x 10000 RPM's off a 230W p/s. It's just not cricket.
2. Cooling. Blow wind onto them, don't suck it from them - someone smarter than me can say why, but it just works better.
3. Shock. Did the courier drop them? Did you drop them?
If it's not you them,
1. If it is the slightest bit valuable then it should be redundant.
2. Did I mention redundancy?:-)
I have a seagate SCSI disk in a MicroVAX that has hardly missed a beat since 1987. These disks don't exist any more - they just don't make em as good. This is sad because it is a reliable disk, but not so bad because it weighs about 5kg and I can hear it spin up from the other end of the house!
Having said all that - The newer IDE disks die _way_ before they should. It pisses me of as much as the next guy. What can we do?
I never thought about ut in ICBM terms, but I think alot about using electromagnetic forces to break from the pad...
The thing that I useually come up against is the thought that I am not a rocket scientist (IANARS anyone?:-) nor is my name Michael Faraday, and the people who do this stuff for a living are smarter than me, so they must have a reason why it _won't_ work that is better than my reasoning for why it _will_ work, ya know.
Having said that my idea follows: A rocket with a base high in steel content running as an electromagnet launched from a base that has the mother of all electromagnets under it pointed the other way. At the right moment they flick one of them massive knife-switches (al la James Bond villen) and wooshga! A few hundred meters "free"?
I've had an almost reverse-situaton when I was working in support. There was a group of CAD operators that were trying to run their own NT environment as independant as they could of the rest of the infrastructure.
They fscked things up every week. One guy I remember mounted his HDD in another workstation to remove the 300Mb page file because he didn't know why it was there and then tried to boot his workstation. uurrgghh. Don't get me started on the NetBIOS broadcasts that went everywhere!
The core of the problem was purely political. Between middle managers bitching to other middle managers etc we had no authority to say "if you connect to our LAN then you do as we say". Slightly different situation to the main story in that these guys _didn't_ know how to run their boxes and blew our support time for their devision through the roof!
I maintain my own cheet-sheet of about 1x A4 page. The reason I typed my own was two-fold:
a) I couldn't find one I liked, some are out there if you search but I want one with all the stuff I forget and only the stuff I forget, and
b) When I type it out with a description for the cheet sheet I tend to remember it more.
Because of the effect b) has on a) the document gets revised regularly. It's not that much to maintain after the initial bulk has been written.
I was once going to write a web page that would let you select 4 or 6 topics that you wanted out of a list of who knows how many and they would be presented to you on a web page in a format that you could print nicely, but that never happened:-( Hey CowboyNeil, feel like adding it to slash?
I feel like I gotta balance out the Apple nostalgia here...
What I do have is a 1987 DEC MicroVAX III with:
- KA650a CPU
- a 2Gb Compaq SCSI disk (lucky to have SCSI ya know:-)
- 32Mb of RAM. That's a lot too.
- GPX framebuffer.
- 1x DEC vt320 attached.
It runs NetBSD (currently 1.4.3, waiting for time to cobble together a 1.5.1 set, or maybe -curent)
The only thing it lacks is IEEE Floating Point and NetBSD support for my framebuffer!
But the lesson that you learn from this gear is what real OS & hardware design is about. NetBSD/VAX is lightweight and this 14y/o box holds it's own on my LAN.
Makes a lot of noise, very dusty, Extrordinarly _heavy_ (I don't know exactly, but at least three times what my vintage Compaq Proliant RAID case weighs and then a bit)
The best bit of all is that it cost me AUD$0 from a kind removalist who didn't wanna carry it round.
Well, the caveat is that these are not "Applied Crypt..." quality but they have a reasonable shelf life and are of broad application:
DNS and BIND from ORilley [I know everyone is saying OR's don't belong in the library but if that _has_ to be a rule then this one _has_ to be an exception, not letting BIND's implementation cloud the desctiption of DNS.
Database Systems by Rob And Coronel. Not a "beginners" book or an "intermediate" book but a great book to take a beginner to intermediate.
Internetworking Technology Handbook from Cisco press. Minimum Cisco-ness about it. Covers all that is "now" in networking and all that is important from the "then" in networking. I think 3rd edition is the current. Also, since when is a 900pg A4 hardcover a 'handbook'
That's all I can think of for now.
There was an incedent down here in.au where a techo type guy caught his home being broken into on web cam.
The problem is that the "current afairs"-type TV programs got hold of the story and now there is no chance of the criminals goind down, despite the great mug-shots, because there isn't an unbiased 12 in the land.
So if you do catch 'em, don't go public w/ the footage until they are charged.
Slashdot Mirror
Shit, man! I know Perth is not close (I'm in Sydney) but it took me _way_ longer than that to digest Nutshell!
History of Time is good. A lot less pictorial but just as lucid. He did a great job of keeping the books seperate in that they are not dependant on each other. Some of the chapters in 'Time are quite short - others no so.
Did the chapter in 'Nutshell about time travel leave anyone else scratching their heads? An island of insanity in a ocean of sence...
Remember, that you can disable autorun!
The w3c have the good oil on the technical end of things, but they have some shocking design, if you don't believe me, see shockers like:
http://www.w3.org/MarkUp/#xhtml-basic
Oh, and don't talk to me about their bad links!
The Decstation could be MIPS or ALPHA.
I have a decstation with a alpha KN15-BA with 64mb ram runnin netbsd 1.5.1.
Runs like a dream!
#1. Timothy. SNMP != SMTP. This is unfortunate but true.
#2. A statement like "SNMP is unsecure" is like saying "guns don't kill people, people kill people." It's the same type of logic. Debating it is futile.
#3. There are three versions of the SNMP protocol. These are v1, v2 and v3
#4. SNMPv1 is the most common. Sometimes the word security is used in the same sentance as SNMPv1. DO NOT LET THIS MISLEAD YOU!
#5. SNMPv3 has all the crypto that you need - yet uptake is a bit slow.
#6. Authentication in v1 is done by sending a "community string" in cleartext to port 161/UDP. That this is a little weak is nothing new.
#7. We are talking about two seperate problems here. Don't confuse them. The first is the old issue of "Everyone uses SNMPv1 but no one secures it" - The second problem (the one Timothy was telling us about) is about buffer overflows and format string vunrabilities in the SNMP agent and trap reciever (snmpd and snmptrapd).
Think of SNMP agent to SNMP as Apache to HTTP. That the protocol is flawed is one thing. That it's common to have bugs in the implementation that are independant of the flaws in the protocol is something else. That is what we are talking about.
SNMP is a good protocol - but it's not for everyones needs. If your box exposes snmpd on 161/UDP to the www then you deserve what you get. The place for SNMPv1 is on VLANS dedicated to network management that are not part of your 'distribution' network and are definately not part of your public network.
If someone can get to your management VLAN then you may find yourself with bigger things at hand than someone sniffing your community strings.
Here's your checklist:
[_] - SNMP isn't visible to the www from any of your endpoints.
[_] - Your endpoints have good packet filtering. Just say that you have an ADSL router and you are using SNMP on the router. Make sure that you can block packets from it's red interface and not just ask the snmp agent not to respond to non-local addresses. The reason is that if the SNMP agent has to refuse a given address then it could allready been too late.
[_] - If a box isn't being managed with SNMP - get SNMP off it.
[_] - Limit, where possible, SNMP traffic to VLANS that are designed for network management.
[_] - Where possible, use the highest possible version of the protocol. (if you can use v1, v2 and v3 then use v3!)
[_] - swap your community names often. Treat them just like any other network authentication mechanism.
[_] - Audit your own LAN for security.
Hope this helps.
Exactly! Well told.
:-)
Just for clarification, the Alpha isn't dead, it's only dying.
Parts may be kept (a-la Organ Doner of dying car crash pasengers) alive in the intel IA-64 offering... but I'm not banking the farm on it.
And when the alpha is dead, it will only be as dead as my VAX!
but mod this up because some people still, sadly miss the point :-(
:-)
An OS is hardly "secure" or "insecure".
To illustrate my point, lets just imagine that the default install of my Win2K server is more "secure" than the default install of my debian box.
Neither of them are connected straight to DSL!
Your whole environment (firewall, router, switch, servers etc) can be secure or unsecure, that's true, but one componant can't rate the whole environment.
"I'm better than you because my Win2k box is tighter than your debian box" won't cut it here either, for the simple fact that you just can't get to my debian box so it dosen't matter if it has a hole that you can throw a cat through (which it dosen't)
So if we believe that stats, it could read more things than OS security anyway because it's about which holes are known (M$FT dosen't always feel the same open-ness as the rest on this topic, remember)
Anyway, don't let me get in the way of the flames
Let's see, if you are testing a kernel for a production system with real tests (you know, you have probabbly read about them!) then if it goes down once in 100 days then it's off my list.
Aim a little higher than - as another respondant said - Windows 95 (which wasn't designed for serious use anyway!).
go on, i've never done one before :-)
Everyone has one first post in them...
Some of this may be redundant - but that's the point! Redundant storage :-)
:-)
Is it you? first check
1. Power Supply. Don't run 3x 10000 RPM's off a 230W p/s. It's just not cricket.
2. Cooling. Blow wind onto them, don't suck it from them - someone smarter than me can say why, but it just works better.
3. Shock. Did the courier drop them? Did you drop them?
If it's not you them,
1. If it is the slightest bit valuable then it should be redundant.
2. Did I mention redundancy?
I have a seagate SCSI disk in a MicroVAX that has hardly missed a beat since 1987. These disks don't exist any more - they just don't make em as good. This is sad because it is a reliable disk, but not so bad because it weighs about 5kg and I can hear it spin up from the other end of the house!
Having said all that - The newer IDE disks die _way_ before they should. It pisses me of as much as the next guy. What can we do?
> Either post links [vnunet.com], facts
> [cnn.com], or other references
> [linuxtoday.com], or don't expect
> anyone to listen to you.
Some of us are here to learn how to flame from the experts.
Well, some I use and have allready/will donate to are:
.ISO for ages now.
:-)
- smoothwall linux (thankyou to the 12+ people who sent in RAID equipment when their www box went south)
- everydns.org. Use 'em and enjoy free (beer) with 100% reliability - nice people too.
- openbsd - Like Theo or not, these guys have been providing versatile and secure hosts for the cost of an
- apache - If you need an explanation, well...
BTW; you can support apache throuh buying a cool shirt or cap at copyleft.net
- Don't forget to pay the Microsoft tax on your new factory PC/Server too this year
Ok the last one was a joke
I'll show you my web server - a KN15 Alpha CPU in a DECStation 3000/400 - It's from the early '90s (I don't know precisely, but pre-93 for sure)
I love that little over-engineered thing to bits.
:-)
"Intel Inside - The worlds most marketable warning label"
...and get over your bad ol days B.S.
Yep it was a rant and I shouldn't have been tempted to reply but hey.
The people on ldp-discuss@ are the nicest and most down to earth people.
"3 yrs ago it was a bit rude - so people thought linux sucked" is not argument. The linux audience was massively different 3 yrs ago anyway.
If you wanna put your money where your mouth is check out the LDP web site for info on how to help. I hope you will be plesently suprised.
I never thought about ut in ICBM terms, but I think alot about using electromagnetic forces to break from the pad...
:-) nor is my name Michael Faraday, and the people who do this stuff for a living are smarter than me, so they must have a reason why it _won't_ work that is better than my reasoning for why it _will_ work, ya know.
The thing that I useually come up against is the thought that I am not a rocket scientist (IANARS anyone?
Having said that my idea follows: A rocket with a base high in steel content running as an electromagnet launched from a base that has the mother of all electromagnets under it pointed the other way. At the right moment they flick one of them massive knife-switches (al la James Bond villen) and wooshga! A few hundred meters "free"?
I've had an almost reverse-situaton when I was working in support. There was a group of CAD operators that were trying to run their own NT environment as independant as they could of the rest of the infrastructure.
They fscked things up every week. One guy I remember mounted his HDD in another workstation to remove the 300Mb page file because he didn't know why it was there and then tried to boot his workstation. uurrgghh. Don't get me started on the NetBIOS broadcasts that went everywhere!
The core of the problem was purely political. Between middle managers bitching to other middle managers etc we had no authority to say "if you connect to our LAN then you do as we say". Slightly different situation to the main story in that these guys _didn't_ know how to run their boxes and blew our support time for their devision through the roof!
a) I couldn't find one I liked, some are out there if you search but I want one with all the stuff I forget and only the stuff I forget, and
b) When I type it out with a description for the cheet sheet I tend to remember it more.
Because of the effect b) has on a) the document gets revised regularly. It's not that much to maintain after the initial bulk has been written.
I was once going to write a web page that would let you select 4 or 6 topics that you wanted out of a list of who knows how many and they would be presented to you on a web page in a format that you could print nicely, but that never happened :-( Hey CowboyNeil, feel like adding it to slash?
Please, until the VSS bugs are ironed out (prob won't ever be for VSS 6.0, ask again when .NET ships) use something rational.
:-)
To be fair by it's self it's ok but not very functional. Integrated with VB6 it is as buggy as hell.
But you all knew that allready
I feel like I gotta balance out the Apple nostalgia here...
:-)
What I do have is a 1987 DEC MicroVAX III with:
- KA650a CPU
- a 2Gb Compaq SCSI disk (lucky to have SCSI ya know
- 32Mb of RAM. That's a lot too.
- GPX framebuffer.
- 1x DEC vt320 attached.
It runs NetBSD (currently 1.4.3, waiting for time to cobble together a 1.5.1 set, or maybe -curent)
The only thing it lacks is IEEE Floating Point and NetBSD support for my framebuffer!
But the lesson that you learn from this gear is what real OS & hardware design is about. NetBSD/VAX is lightweight and this 14y/o box holds it's own on my LAN.
Makes a lot of noise, very dusty, Extrordinarly _heavy_ (I don't know exactly, but at least three times what my vintage Compaq Proliant RAID case weighs and then a bit)
The best bit of all is that it cost me AUD$0 from a kind removalist who didn't wanna carry it round.
DNS and BIND from ORilley [I know everyone is saying OR's don't belong in the library but if that _has_ to be a rule then this one _has_ to be an exception, not letting BIND's implementation cloud the desctiption of DNS.
Database Systems by Rob And Coronel. Not a "beginners" book or an "intermediate" book but a great book to take a beginner to intermediate.
Internetworking Technology Handbook from Cisco press. Minimum Cisco-ness about it. Covers all that is "now" in networking and all that is important from the "then" in networking. I think 3rd edition is the current. Also, since when is a 900pg A4 hardcover a 'handbook' That's all I can think of for now.
...Knowing that winning your court case dosen't change anything: Priceless.
The Linux VAX port is coming along now, not quite up to NetBSD/VAX tho :-)
Anyway, VAX isn't useless on my LAN!
Piss your co-workers/compeditors/Granny off by 0wning their IIS boxes and emailing the logs to their insurance co...
:-/
"But wait... I run apache on my IIS"
"Dosen't matter" says the insurance co "we won't drop the bill until you put in a reliable TCP/IP stack"
oh well
These days (If you have enough VUP) NetBSD is a good choice... Can't wait until OpenBSD/VAX is as mature as NetBSD/VAX
:-)
Multi-boot? Sure. Try 2 disks, 2 OS's
>>>B DUA0
2.. 1.. 0..
Then when you want the other OS:
>>>B DUA1
2... 1... 0...
Oh yeah, PLEASE stop confusing VAX and VMS. It's like confusing Alpha and NT^H^H^H Linux
There was an incedent down here in .au where a techo type guy caught his home being broken into on web cam.
The problem is that the "current afairs"-type TV programs got hold of the story and now there is no chance of the criminals goind down, despite the great mug-shots, because there isn't an unbiased 12 in the land.
So if you do catch 'em, don't go public w/ the footage until they are charged.