It's ironic for me that you should post this on the day after I just abandoned my last home-maintained mail server in favour of Google. For the past 15 years I've been a mail administrator in some capacity for a variety of mail systems ranging from my own personal colo to a vast multi-national corporation. Solving the technical problems of building and maintaining a functional and reliable system was fun for a number of years, especially when email was dominated by geeks. But nowadays, running your own server is a perpetual nightmare.
First, there's the problem of where to host it. It has to be accessible wherever you are, and it has to be able to send mail out. If you're planning on hosting it at home, on the end of a cable/DSL/fios connection, bear in mind that your IP address will almost certainly be blackhole listed. Also, your ISP may well be blocking outgoing mail to prevent spam. You will probably have to configure your system to route all outgoing mail via your ISP's SMTP server. Why are you hosting an SMTP server again?
If you're hosting it in a nice VM or in a colo, you're better off, but paying. Google costs you nothing.
Next, storage. Obviously that's no problem because you have a mirrored RAID eleventy-five array you built yourself. If that's in the colo then you can forget about it - except when a drive goes bad or it crashes unexpectedly. But then it's fine because you're paying for support aren't you. And backups. You are backing it up aren't you?
Next the server software. Personally I've had a lot of success with Sendmail/Cyrus IMAP/IMSP/Squirrelmail and friends, despite enduring jeers from other sysadmins who think they have a better combination. In the end, it doesn't matter. They all suck. They all need patching regularly. They all break. They all need tweaking on a regular basis.
Then the final turd in the swimming-pool: spam. It costs you so, so much; bandwidth, around 95% of all of the inbound traffic is spam; time, configuring and maintaining spamassassin and various blackhole lists that occasionally start rejecting mail indiscriminately; pride, the only time your clients contact you will be to ask why the mail is so slow and why there's so much spam. "But my gmail doesn't get this much spam - can't you filter it" they say, while you bite chunks out of your tongue. Spam to a mail administrator is like the gopher in Caddyshack: it will keep you awake and turn you into a monster.
And the day will come where you, spam-slayer and junk-mail terminator, get put on a blackhole list for being a spammer. That's really fucking harsh the first time.
I could go on, but we're already in TL;DR territory.
Most people do not host their own mail server. They live longer and healthier lives as a result. Follow their example and let Google worry about all of that for you - and in return you just have to pay them...nothing.
You don't need to be "hacked" to have a keylogger attached, Mr Boatman (or may I call you sweaty?). You just need someone to get a job as a janitor (see the relevant article in 2600). Keyloggers come in hardware these days, and that includes the last 15 years. That's where stuff like OTP and friends come in.
And as for password aging, our friend below is not alone in writing his passwords down. If people have "secure" passwords generated weekly/monthly/daily they're going to put them on post-it notes. If people have memorable passwords that are secure against a dictionary attack (it's possible my friend) then that's as much as you can do. Oh yeah you can ask "Doreen from accounts" to use KeePass to store her passwords, but it would be far simpler to go for a big piss in the wind.
OK - end users fair enough, but what about the users who *manage* the box ?
At my last job the audit procedure was totally mental. An example:
We were the engineering team for the global email backbone (around 90 servers). Our software and scripts run on all of these servers (as root in many cases). But we weren't allowed root access, so we couldn't install anything or even debug live systems properly. That was the job of our "ops" team. We package the software, they deploy it. Any problems, they tell us and we have to fix it and redeploy it. Even though our ops team had root, they couldn't just log in and do things that needed doing. They needed to file a change request - which took a week and had to be approved by about 10 people.
BUT
Despite having root they couldn't just do what they wanted. Every su was logged to a database and they had to give reasons for every one. And as for adding users, modifying system files, fixing permissions....nope - that was the job of the SAs!
So, when a problem occurred on a production box, rather than logging in, su-ing and fixing it, the procedure was as follows:
I notice the problem.
I send an IM to my boss.
My boss organises a group IM chat to discuss the issue.
The result of the chat is that the "SA team" need to be contacted as none of us are allowed to log in to the server (for corporate reasons).
The boss asks someone to page the team and to setup a conference call.
A conference call is established with 7 people, all in different countries, and we spend a while waiting for the SA team to respond to the page.
Eventually the guy arrives and we try to diagnose the problem by telling the guy (who, despite being very well meaning and competent, doesn't speak very good English or have a very good understanding of the systems involved at all).
We realise that the only way we're going to solve it is by getting a login into the affected server.
We try to describe the measures necessary to the SA guy to perform this and fail...
...loads more tedious crap until we all realise that unless we leave the call we will die there.
I resigned.
Xcode and half-measures (Possibly OT), on "Build a Program Now" (Score: 1, Interesting)
What is VB for ? Is it for beginners ? If so then well done - people who don't understand the essentials of coding can now knock out their dodgy apps at a faster rate.
Is it for experienced developers ? Only Joking.
Is it for everyone across the board ? No! You have to go out of your way to develop a serious app in VB because the abstractions that make it attractive to the uninitiated are a bugger to get round.
OK, in honesty, I don't like IDEs, debuggers or any of that stuff, but if you want it simple then the problem was cracked years ago. There's a movie in existence (I have it if you want a copy) of Steve Jobs creating a full-on-graphical app, that does database lookups and does the washing-up, and he proudly adds "and I still haven't had to write a single line of code!". This was in 1992 and on the NeXT. The wonderful development environment he was on about has grown into XCode and is given away FREE with OS-X.
Now, the idea of writing apps without needing to write code scares the pants off me...but Xcode also lets you, and indeed encourages you, to get deeper - *and makes it easier to do so* You don't even need to spark-up the IDE.
If I *had* to design a graphical dev environment then XCode is what I'd use as a reference.
As someone who is very worried about launchd and the direction on OS-X, I feel I should point out that my attitude is not "We've always done it this way so it must be perfect". It's more: "If it ain't broke, don't fix it".
OK, XML is useful, but let's not go mad. rc is simpler, infinitely flexible and therefore, IMHO, better. And jesus cocking christ don't ditch cron until you've really ironed out all the bugs.
The fact that Apple have started converting their .plist files from XML to binary indicates a lack of thought and experience. Binary config files ? EW!
Did they learn no lessons from the Windows Registry ?
So, people want to download stuff that was already available on TV ? Perhaps, if the price was right, they would pay for it ? Imagine if, for a quid ($1.80), you could download any programme you missed because you were down the pub when it was broadcast. Nowadays this could be deducted by SMS (in the UK at least) - who would think twice ? Think about it TV people - a whole new market. The more together punters would simply video the programme by setting the timer before they go to work. In the real world most people would be too hungover to sort this out before they run out to go to work. The same people wouldn't think twice about texting themselves a quid debt in order to download a digital version of the programme they missed. Certainly easier than finding a torrent the next day...speaking from personal experience that is.
A fair point about the input devices - that's why I still use my aged Palm III. As for the other argument about losing everything in one go - sorry, don't see it. Surely syncing is much simpler with a single device ? Also, if the device has GSM (I don't know about other mobile standards) when you lose it, you can get the network to bar it, thus making it a less desirable item to steal. You lose a PDA, someone gains one.
Interesting to see that amongst the list of protocols on the page (including Appletalk, ATM and HTTP), Microsoft is also kindly allowing us to licence the valuable discard protocol.
The protocol that accepts data and immediately loses it.
Why has it taken the world so long to take IPv9 seriously ? It's the only protocol that has in-built, native support for RFC2549 and, more importantly RFC527.
Linus Torvalds has already announced that 2.7 will have kernel-level support for RFC2549, but maybe now the kernel developers will go the whole hog and adopt IPv9 ?
Compare and contrast: "3. The copy protection system used for all EMI/Capitol releases including 'To the 5 Boroughs' is Macrovision's CDS-200, which sets up an audio player into the users RAM (not hard drive) to playback the RED book audio on the disk."
Vs
"The technology does activate a proprietary Macrovision player in order to play the CD on a PC, and that player converts WMA compressed files to audio on the fly."
I like an easy life. Free from Application errors, licence numbers, bugfix delays, unexplained crashes and unpredictability. Linux, BSD, Darwin and Inferno behave as they should, as one would expect, and according to the manual. If they don't, then it's a bug and it gets fixed. I like knowing my systems are going to stay up, and if they should ever fail, which in general they don't, I'd like to know they'll be fixed asap without me having to take the blame and pay.
The point I was trying to make is: if he didn't, how could they have got him ? All of the "evidence" listed a couple of posts above is just circumstantial.
How are they going to prove a specific person wrote the code ? Unless he confesses there can't be anything other than circumstantial evidence can there ?
Having said that, we *know* the poor kid's going down, which prompts the question, could anyone dump someone they don't like right in it, and then get a fat reward ?
BSD/Python: This OS is dead, it is no more, on "OpenBSD 3.5 Released" (Score: 0, Troll)
...it's a stiff...bereft of life it rests in peace, it's climbed up the curtain and joined the choir invisible etc. ad nauseam...
A "website" ? Come now. This is most certainly news. OK a "website" on your little co-lo box can go down for hours, even days. But Hotmail ? They have thousands of servers and staff all over the world. I can't imagine how you could bring such a massive, ubiquitous system like this, with all of its built in redundancy, down for such a long time without there being something fundamentally wrong with the technology. Either that or it was a deliberate attack which would be equally newsworthy.
Why replace PSTN, which uses proven, stable technology, with another technology designed for something completely different ? OK, within an organisation it makes sense: if you have CAT 5 going to everyone's office already, and you have assured bandwidth in your network infrastructure, it can, and does, work. But over the Internet ? Forget it.
ATM is such a good networking medium for the phone. It was designed to allow QoS and pacing, and is therefore perfect at multiplexing audio and video. That's why the packets all hold 48 bytes!
IP was NOT! When you've got VoIP, the web, Real, P2P, pr0n etc etc etc all competing for the same bandwidth, you really start to see why telephones have no business on the internet.
The only reason there is a national/international VoIP industry is cost. If VoIP really does become a serious threat to telephone companies, all they need to do is drop the cost (for a while) and the VoIP businesses drown.
Security ? Whoever wrote that article clearly doesn't understand what telephone networks are.
Have to agree. Even though I haven't used a pen for the last 12 years, it would have to be a Parker Vector. Cheap, simple, beautiful and a pleasure to use. In the UK you often use fountain pens at school and my two Vectors did me proud. If they can cope with the battering they received over 7 years at Crown Woods Comprehensive school and still write beautifully, they've got to be worth a mention.
About 5 years ago I was working at a UK ISP and managed to persuade them to let me hook up to the 6bone. So I got a tunnel from some university or other, set up a Linux box running a bleeding-edge IPv6 stack and we were in business.
The trouble was that apart from 'ping' (which at the time was really unimpressive I can tell you - >5 second responses) there wasn't much else to do. There was an ipv6 only website that I used to go to, but it was merely one page containing a rant about how IPv6 development/deployment was doomed.
The only way I can see things moving is if the backbone network operators start allowing it and routing it alongside IPv4 (if they aren't already - does anyone know?). The pressure to comply will then hopefully bubble down to the smaller ISPs.
A few years ago, one of the ops at my place of work put a magazine in my (real-world) in-tray. It was a copy of Byte Magazine with a front-cover headline "Is NT the end of UNIX ?".
At the time this was a common headline in the popular rags...and then I noticed the date - February 1992 :)
This crap appears every five years along with "life on Mars" and "possible cure for cancer".
A friend of mine had this idea and suggested calling it 'bogging' rather than blogging, as you could add entries whilst on the bog. That's where I have all my profound thoughts anyway. (For non British, 'bog' = toilet).
Gobbles have got a history of releasing some pretty scary exploits (remember the apache chunking vuln ?) but this time the actual message was a release of a straightforward buffer overflow in mpg123. I suspect that the stuff about the RIAA was added to make this release more interesting - and scare the whitehats a bit more.
Having said that, I have to admit that this and several other recent bl4qh47 posts on full-disclosure have genuinely made me feel very nervous. Especially the "sourceforge is our bitch" posts....
I'd certainly feel better if someone who knows, publicly debunked these as myths. Until then I'm wearing reinforced pants.
They really don't need to spend so much on anti-piracy snake-oil, raids and expensive court cases. I have a very simple way to stop CD piracy once and for all and am willing to share it with the world:
Charge 5 quid (or dollars) a CD; no one will bother ripping them off. Not only will this stop the "piracy problem", it will actually increase profits.
...sounds dangerously close to calamity to my ears.
But I prefer vi and gcc...so what do I know ?
Yes... you'd get charged
Well done that man! I thought the term "AJAX" was bad enough but you had to go one better by using your joker: "synergize".
:)
You have a wonderful career in hell ahead of you
So Microsoft did invent that concept then.
So "RED book"==WMA ?
Open source makes the world a better place.
I know!
Only a matter of time before someone says it...
No-one but you mentioned Linux BTW
The words "snake" and "oil" come to mind.