Slashdot Mirror


User: Kent+Recal

Kent+Recal's activity in the archive.

Stories: 0
Comments: 1,436

Comments · 1,436

  1. Re:sweet on Free SSL Certificate Project · · Score: 1

    When I purchased a cert from instantssl.com a while back none of all that happened. All communication was by e-mail, payment via CC (belonging to a name different to the one on the certificate).

    Issued within a day, no questions asked. Fine for us but probably not the way it's supposed to be?

  2. Re:Buy offshore on Preparing for the Broadcast Flag? · · Score: 3, Funny

    When smuggling tuner cards through an airport beware the tuner card sensing, uh, tuner-dogs!

    Worse, when smuggling them cards by sea beware the navy seals and their specially trained tuner-tuna.

  3. Re:LDAP is critical to Linux's survival now. on Where are the 'Modern' Directory Services? · · Score: 1

    I hear ya.
    I've worked with NIS, NIS+ and kerberos and they all were a huge pain in the ass for different reasons.

    NIS is insecure, passwords basically travel the wire in plain.
    NIS+ claims to be better but seems to be still flakey. I had all sorts of problems getting NIS+ to play well with only linux machines involved. And they are both worthless when you want to *painlessly* integrate windoze or mac os boxes.

    Kerberos is a whole different beast. While most concepts (ticketing) seem to be very well thought through this one suffers from its antique design. Various daemons, bits and pieces need to interact properly on the server side. It's very easy to break it when you're not careful.
    On the client side you'd better have and *keep* the exact same krb-versions or you're in for some headache. Also don't even try to get it talking to windoze (haven't tried mac), that one is good for hours of "fun", too.

    So, I'm now playing around with ldap, in hope that it will let me do the rather simple thing I'm after: provide a central user-database to store passwords in. It can't be that hard, can it?

    The documentation is heavily lacking and after setting it up and getting ldaps:// to work I'm kinda overwhelmed by the number of tasks involved with making windows, OS X and our various network services (samba, pam, otrs others) integrate with it.

    Does anyone know a sane LDAP howto that explains what schema should be chosen and how to avoid some major pitfalls?

    Or better and back to the topic of your post: Is there a sane alternative?

    It's not like what we're trying to do would be rocket science. I can sum up the basic required functionality in a few lines:

    - Central directory of username/password mappings. If more key/value pairs can be stored per user that's fine - but not needed.
    - Secure authentication against that directory. A very simple protocol over SSL would be perfectly suitable. Basically: send username/password-hash -> receive user-record or "wrong credentials"
    - Integration with windoze and OSX. That's the hard part I guess, but all we want is single signon. So wherever it hooks in it only has to enable auth against the directory server, no other "directory service" crap is needed.

    I can't believe this is an itch nobody else has scratched yet?
    I mean, it's 05 and we still have to go through the hellfire of setting up outdated (as in: designed decades ago!), overcomplex, unmanageable and potentially insecure (who the heck knows?) crapware for one of the most essential network services?

    If anyone with some in-depth windows and/or OS-X API knowledge is reading this, please drop me a line if you know how much effort it would be to write an auth-connector (as outlined above) for each. Once such connectors are available the "backend" (or "directory server") could be a friggin shell script on a unix-box, listening via tcpserver-ssl (or xinetd, or stunnel, or...), simply querying a CDB (or flat file, or BDB or SQL-DB or...).
    Add a PAM-module and most important unix-services would happily authenticate against it as well.

    Anyone hear me?

  4. Re:Plurals... on EFF's Logfinder · · Score: 1

    "Virii" is not correct.
    The plural of "virus" is "Virusen".

  5. Re:Not Lazy. on Where Have All The Cycles Gone? · · Score: 1

    Agreed.
    My P100 would play mp3 at 44khz/128kbit but it skipped the moment I started dragging a window or something (when in windows, it was better in DOS...).

    Considering the poor performance on my P100 I can hardly imagine a 486/66 was able to even keep up with decoding in realtime.

  6. Re: firewalls and the general public on Why Does Windows Still Suck? · · Score: 1

    At this price point, why *wouldn't* you invest in one, if simply for the sake of putting a separate piece of hardware between your computer and your net connection? Think of it like the front door on your house... You probably have *both* a bolt lock of some type AND another lock on the doorknob itself. Why bother with this, if one lock should keep a door locked anyway? Well, it's one more measure of security and it's inexpensive enough that most people find it to be of value.

    Your desktop OS should be secure in itself. You shouldn't need a separate device to protect it. It's a symptom of broken design.
    Your analogy is a bit off. A better one would be: Microsoft is shipping houses without doors and people are required to buy brick walls to protect themselves from thieves. It makes some everyday tasks difficult and is just the wrong approach.

    If some hacker figures out there's an operational piece of equipment at your IP address, it's nice to know the first thing he's reaching is a dedicated hardware firewall device instead of a fully functional PC with full-blown operating system on it. It's going to be a lot tougher to make a D-Link or Linksys router execute your arbitrary code/commands than a PC....

    Actually most of the consumer grade "hardware" firewalls run some sort of embedded linux. Many of these boxes have serious bugs. Add to that that joe average seldom changes the default password and you realize they often provide no more than a false sense of security.
    So what you get is another single point of failure (our siemens DSL router at work freezes up and has to be power cycled about once every two weeks...) and a *weak* workaround for a broken OS-design.

    In practice it's not even necessarily tougher to make a cheap DSL router execute arbitrary code/commands than a sane OS. In reality it's not even hard to bypass most of the routers that are deployed in SoHo/Home-environments due to the flaws and broken default configurations I mentioned.

    A linux box can be easily secured even without packet filtering (assuming you know what you're doing and enable only trusted services). Mac OSX is fairly secure out of the box and comes with a *working* point & click firewall.

    I can only repeat, the whole "DSL router should protect my OS" thing is a symptom of how used people have gotten to the fact that their OS (Microsoft Windows) cannot be trusted. The boxes are not a solution to the problem. A box of hardware can't protect you from a network attack (by plug'n'play as they're suggesting) when you don't know what you're doing.

  7. Re:Common sense, for the love of Pete... on Why Does Windows Still Suck? · · Score: 1

    Mod parent insightful...

    This whole FUD spreading is such a pain in the ass.
    Regular people shouldn't need a firewall. The few services they need to expose to the public (webserver, filesharing, communication) should just be secure out of the box.

    It ain't that hard, it's actually quite easy when you follow a few simple design principles. Obviously that's too much asked from a multi-billion dollar company like Microsoft. It's ridiculous how they humiliate themselves week over week with new remote exploits in components that shouldn't be dealing with tainted data in the first place.

  8. Re:To put it short on Which Linux for Professional Admins? · · Score: 0, Troll

    No, RedHat sucks.

  9. Re:CmdrTaco Cracked, Various Slashdot Editors Dupe on Mobil SpeedPass, Various Car RFID Car Keys Cracked · · Score: 1

    Maybe I get modded flamebait for this but I feel that's part of the reason why a lot of open source software is so damn good.
    We try hard to do stuff right because we hate it so much when others don't.

  10. Re:Linux-friendly? on VIA's New PT Chipsets · · Score: 1

    Funny, my experience was the opposite.
    I had one of the earlier via AMD boards, based on KT133 (or something, not exactly sure about the number). It had numerous flaws, one of them was that the realtime clock would jump back and forth under load.
    A real dealbreaker as the kernel patch to fix that issue broke other stuff (USB, NFS and other timing related things)

  11. Re:Will it be up to the quality of past VIA chipse on VIA's New PT Chipsets · · Score: 2, Interesting

    I second that. Had some trouble with some older VIA AMD chipsets and since then never bought VIA again. In particular on the board for my first Athlon the Realtime Clock would jump back and forth under load (under linux that is).
    There was a patch that worked around it but that one broke other things (like NFS support, USB support and other stuff that depends on timing).
    I'll stay away from VIA for my linux boxes unless I come across a board that has been timetested long enough under linux to be trusted.

  12. Re:Maybe a dozen things. on Why Apple Makes a One-Button Mouse · · Score: 1

    something I can't figure out how to do on my XP machine via a shortcut

    Windoze-key + E opens a new explorer.

    Now what I hate about the mac is that I can't disable these shortcuts. All of them. I wish I could fucking turn it all off and turn them back on one by one, only the ones that I deem useful. There's too much crap firing off on my ibook whenever I hit something by accident. And who the hell is the braindead fucktard who decided there should be a browser popping up when I Apple-Click in a terminal window? Next time this happens I'm gonna wipe out OSX and put linux on it, I swear...

  13. What I hate... on Microsoft Claims Linux Security a Myth · · Score: 1

    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?

    Who is accountable for the security of windows?
    Can I bill last month's lost work-hours due to spyware-/worm recovery on windows to Microsoft or - better - personally to you, Nickie?

    In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches.

    Oh, let me rephrase that a little:
    In Microsoft's world customers have learned that Microsoft has never taken responsibility for security problems. They know that it can take months for MS to release a patch for a critical issue and that often these patches will break other things (even open new security holes) completely unrelated to the initial problem. They also know that many major MS products like Internet Explorer are commonly banned from corporate network environments for exactly these reasons.

    Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.

    First, you obviously have no idea what you're talking about as your requirements for "mission-critical computing" have nothing to do with it.

    Anyways, there is not one but many capable "development environments" for linux. I assume your definition of "development environment" would be a pretty IDE like eclipse. Most real developers I've met prefer to just work on the powerful unix shell using their editor and toolchain of choice, though.

    As for single signon, again I cannot see how this relates to "mission critical computing". But you can have it on linux.
    There's kerberos, NIS+ and probably other options that I don't know about.
    Also there's samba to emulate the windows crap if you have to.

    These are factors that are holding back Linux.

    Look, Nickie, nothing's really holding back linux.
    It's fools like you writing ridiculous articles like the one I'm responding to that prove how helpless and jealous Microsoft is watching the steady growth of linux.

  14. Re:Stupidest mod ever on Man Reportedly Jailed for Using Lynx · · Score: 2, Funny

    i hereby complain that this post that i made yesterday was modded up incorrectly. it is in no way interesting. hopefully i will be modded offtopic for bringing this up here, to balance it out.

    Actually, you are correct in your assessment of your prior day's post being offtopic, and as such I would recommend your current post be modded Insightful due to the nature of the content as well as the usefulness of the supplied link...

    While I agree with parent's reinforcement of grandparent's yesterday-post being in no way interesting I propose to mod parent down (e.g. Overrated) due to the misleading confusion of "interesting" and "offtopic". Grandparent's yesterday-post was in no way "interesting" (not offtopic, as parent stated) and grandparent asked for his today's post to be modded "offtopic" to balance it out. Parent's malapropism implied grandparent's yesterday-post would be offtopic, that's no fair as in fact it was only "not interesting".
    In summary I propose to meta-moderate grandparent's yesterday post's "Interesting"-mods as "unfair", to moderate grandparent's post of today "Insightful" (agree with parent), parent's post as "Overrated" and this post "Redundant".

  15. Re:Blah on Filtering RSS Through Your Social Web · · Score: 1

    If it's anything like orkut you're not missing much.
    Just a bunch of Portuguese spamming along...

  16. Re:It will be awhile on Rambus Takes Another Shot At High-End Memory · · Score: 1

    If not, what in the world are they doing with all those pins?

    DRM.

  17. Re:Mpeg. on Video Formats for non-Windows Users? · · Score: 1

    Are there any CLI converters available to batch convert a bunch of videos to SWF? Also I'd like to have the basic controls (stop/play/back/fwd) in the movie.

    Last time I looked there were no tools available (at least not for linux) to automate the conversion. Loading up the whole Macromedia shebang every time I want to put some clips online seems a bit inconvenient...

  18. argh... on Survey Says Internet Users Confuse Search Results, Ads · · Score: 1

    how come crap like this goes to frontpage while my submit of paris_hilton_2.mpg is rejected the third time...

  19. 3 yrs wasted on Ciphire, A Transparent, Easy PGP Alternative · · Score: 1


    What a waste of time.

    Why use a closed source mail proxy with unknown flaws and backdoors while there are proven open source packages available for the task?

    Tiger Envelopes offers everything (and more!) that ciphire does and it's open source.

    summary:

    - TE is open source and has gotten quite some peer review
    - CH is closed source as of now

    - TE supports GnuPG, PGP and BouncyCastle
    - CH supports only unknown, proprietary encryption

    So, who do you trust?

  20. Re: Top 60 on Is IRC All Bad? · · Score: 1

    +10 Insightful

  21. Re:Subselects and SQL as a programming language. on PostgreSQL 8.0 Released · · Score: 1

    I'm not a database "pro" but what you describe sounds strange.

    1) insert a row if it doesn't exist, or update one if it does?

    Your DB will have to go and see whether your "row exists" (perform whatever check necessary). Putting that logic in SQL rather than the app doesn't seem like a big improvement to me. I'd rather like to see a "REPLACE" statement (somebody might come up with a better name) that works like an INSERT but will not fail on a conflicting row but overwrite it.

    2) insert something with automatically generated Private Key value, read that value back and use it to have another record in another table point to the record you just made?

    Postgres can do that kind of stuff. You'd need a good deal of faith in your RDBMS to go that route, though...

  22. Re:Funny but not necessarily wrong on Google's Dark Fibre Plans? · · Score: 1

    Wow, interesting idea.
    Maybe they've thought up something beyond WWW?
    I admit I haven't RTFA but if they mesh up their datacenters like that it might be more than just improving the google service.

    I seem to lack the fantasy to imagine what it could be but I somehow think that if there is a company to set up the "next big thing" then it will be google (from today's point of view).

    DNS sounds like an interesting starting point, but how would you make it "richer"?

  23. Re:This is news? on Not Much Happening in Hard Drives This Year · · Score: 1

    Eat more Lasagna!

  24. Re:What about reliability? on Not Much Happening in Hard Drives This Year · · Score: 1

    Agreed. I've not been buying anything other than seagate for my IDE-drives for a while and that's what I'm suggesting to anyone who asks. Might be just my personal experience but over the years seagates have caused me the least trouble (read: none at all) and even survived some other drives that were bought later (namely Maxtor and IBM).

  25. Re:What about reliability? on Not Much Happening in Hard Drives This Year · · Score: 1

    What are you doing to your hardware?
    Some of my IDE-drives are 2yrs and older and still ticking fine.