Slashdot Mirror


User: strobert

strobert's activity in the archive.

Stories: 0
Comments: 110

Comments · 110

  1. Re:Priorities, get priorities on Learning to Say No in the Workplace? · · Score: 1

    Exactly. I used to get a LOT of heat on well we "need" to be doing this. and we "need" to be doing that. Well, got together a list of all 40-50 biggish projects on the plate and said where do you want each project. I could tell the point was driven home when one time a boss came up and said we need to get project X done.

    So I pointed to the list on the whiteboard and said, well X is currently at spot 20. so I said 'which of 1-19 do you want to bump?' He looked at the list grumbled a bit and said ah crap, oh well leave it how it is.

    the key is not to say "No". but "not now".

  2. Re:/dev/null is unacceptable on Slashback: Bouncing, Taxing, Releasing · · Score: 1

    The consensus on nanog was to use a virus scanner that has a flag that says if the virus forges from addresses (amavisd-new does for example). And if
    a virus is received that forges

    the attachment approach is too simplistic. That will 5xx e-mail that is legitimate.

    take a stroll through the nanog archives on this topic for more info.

  3. This article is flamebait on Postfix: A Secure and Easy-to-Use MTA · · Score: 1

    Okay, come on /. editors. this thing is not a new one. the vulnerability is from March. so if you want to talk about postfix (which I have switched to at work and in the process of at home) then fine say so.

    but don't post such a misleading article that sounds like there is a new exploit. that just isn't responsible.

    Also, although postfix is easier to use and has more features in other areas (like easier to tie in things like virus scanning, mysql based virtual mail domain handling, etc.) sendmail supports more mail transports.

    Yes those transports are now basically extinct, but give credit where credit is due. I am tired of hearing everybody bash sendmail without giving it the respect it deserves. yes its code is old and has had issues. like most software projects you learn a lot the first time around (and even DJB fanatics should realize that qmail was written with the lessons learned from sendmail in mind -- whether conscious or subconscious).

    So is it time for people to be moving on yes. Is it proper to sell people on this idea by basically lying and ignoring the past no.

  4. Re:Degrees? on Ph.Ds in IT - Good or Bad for a Career? · · Score: 1

    As someone who has done lots of interviewing over the years. I know that personally if a resume has a PhD on it (whether during initial screening or for an interview) I will be wondering if the person has enough pragmatism to do the job.

    Mainly means an extra tough set of interview questions. Typically I have found hiring managers that go goo-goo-ga-ga over PhD's also go nuts over people with buzzword experience.

    I know I am rare these days in that I look for people who can think. I don't care nearly as much as what you literally know walking in, but if you can think and learn. I try for people who have an engineering mindset rather than a technical one.

    So, PhD's don't impress me. Doesn't mean I won't hire one, but side projects, and ability to think during the interview will get far higher rewards than a degree.

  5. Re:I don't understand what that means on Former Intel Engineer Pleads Guilty To Taliban Aid · · Score: 1

    For the dead people? well depends on whether or not you believe in an afterlife. I'll leave that (even more) off-topic discussion for another time.

    As for the rest of us, a VERY big difference. just ask most anti-terrorism forces. It is far harder to stop someone who isn't afraid to die carrying out a bombing. If the bomber wants to live, enforcement agencies have more options on stopping them.

  6. Re:Wow. on Hans Reiser Speaks Freely About Free Software Development · · Score: 1

    Not only do I agree, but have an additional point to make. If Hans was referring to RedHat (and it seems pretty obvious he was) then he is mistaken. I have NEVER been threatened by RedHat to have a support contract invalidated. The basic effective policy I have experienced is if you install something outside of what they ship they will try to help but you may end up on your own. Or at least showing the problem also exists in the stock version. I don't tap RedHat support very often (generally internal staff and basic net research solves the problem) but when we have we have gotten good results. Far better than I have gotten from other commercial support contracts (think companies like Cisco, Microsoft and Sun).

  7. Re:What My Organization Did: on Which Red Hat Should Be Worn in the Enterprise? · · Score: 1

    wow, from the looks of things fai has been around for a bit (well the sourceforge project is from 2000), but you are the FIRST debian person to point me at it (I have a buddy who has been trying to get me to switch for years and knows the lack of an automated install has been a major sticking point). It will be interesting to see its features. it touts itself as being better than kickstart which I find very powerful (haven't found something I couldn't do yet), so we'll see if the reality matches the ego :).

    I also don't recall seeing any mention of it when there was a discussion in the Debian forums about a new installer either.

    Oh well, thanks for the pointer. means I will consider Debian for future home use. (with the reqs for a supported by ISV's at work can't use at work)

  8. Re:What My Organization Did: on Which Red Hat Should Be Worn in the Enterprise? · · Score: 1

    one word: kickstart
    until Debian has such a customizable install that allows for easy to reproduce server installs, won't bother looking more at it. I have gotten way too much hooked on telling a server to re-install and two boots later (the first boot doing the install itself) it is fully back up with all services properly configured. I always know exactly what is on the machine and that I can reproduce it in case 1) hardware dies 2) we need to have more of them.

    (can't speak for the *BSD's since I haven't really looked at BSD since a roommate ran BSDI way back when)

    As to actual topic of this story:
    we are going with RH7.3 for most of our servers. We are running RHEL (formerly known as RHAS) AS and ES on some boxes in order to 1) have support from software folks (like Oracle) 2) have a support account at RedHat. We are running .3 since it is basically compatible with the current RHEL version (so same tools/scripts will run on both).

    We have staff to handle support of linux on our own (we have been doing it for a few years now on RH6.2) so the end of life of RH7.3 at the end of 2003 doesn't scare us.

    So if your org can support itself and you don't need/want to be on an officially supported platform for some third party commercial product, go with the "retail" or "consumer" line.

  9. Re:Your own time on Properly Contributing to Open Source While on Company Time? · · Score: 1

    Also if you are lucky you can get a clause about the company not owning any work on Open Source projects. I managed to get one in mine. The spirit of the company is to give back, but having the legal okay makes things just so much easier (and safer for both you and the OSS project).

  10. Re:Good. on Engineer Loses SSL Patent Case against RSA and VeriSign · · Score: 1

    How about keeping both of you happy. have the fixed expiration be 2 years. That is a number that I have been tossing around in my head for a few years now.

    It seems to better match the constitutional grant for "limited times" than the 20 currently in use.

    Can you really tell me you think giving a monopoly for 20 years betters science? How about copyright for 90 years past the death of the author (I think that is what it just got extended to)?

  11. Re:Context: Windows vs Linux Security standard ins on Hacking Linux Exposed, Second Edition · · Score: 2

    right. I know that was the original context. in the message I replied to debian was mentioned in a more general sense (at least I took it as a more general comment).

    which I agree on postfix, we have switched to it, I love the thing. as for DJB? well, I can't stand the way he breaks every unix filesystem convention for config files :)

    So yes, in the specific challenge context I agree 2 hours seems reasonable. It has been a while since I did a non kickstart redhat install, but even with redhat I think I could do a secure server install in 2 hours.

  12. Re:Default install of *anything* is buggy on Hacking Linux Exposed, Second Edition · · Score: 2

    hopefully I won't start a flamewar, but seeing you mention in an hour or two makes me wonder if you have ever tried kickstart under redhat (the main reason we haven't looked at debian seriously). Because of kickstart's automated abilities limited package secure installs in 5-10 minutes. Combine that with treating most machines as disposable. Makes recovery real easy. archive a copy of the server for analysis (optional) and re-install (since as most people know and apparently you point out in your book recovering from a break in without a reinstall is not exactly a trivial matter)

  13. Re:Sheesh! on When Sysadmins Go Bad · · Score: 2

    It is posts like this that make me think /. should allow point totals to be >5. This is the #1 way to prevent the issues. As the previous poster said "Trust" is the key. Well what helps trust? by the company continuing to show it trusts and respects the employee.

    And yes it is sad that the vast majority of companies (and more appropriate the vast majority of people in management positions) just don't get it.

  14. Re:or radmind on Known-Good MD5 Database · · Score: 2

    hmmm... interesting. So it almost looks like a suite of tools that will rsync (well an equiv, haven't looked to see what it is using under the hood) copies of files with some smarts about versioning... I'll have to put this on the tools to look at list. thanks for the link.

  15. Re:It's a go! on Software Architecture · · Score: 2

    ROFL. that is one of the funniest comment threads I have read on slashdot in a LONG while.

    (Of course maybe it has something to do with I am actually old enough -- aka >25 -- to remember when that show was on MTV)

  16. Re:solution for one of the problems.. on The New IT Crisis · · Score: 2

    To my knowledge it has already been "fixed". The terms RedHat use are "Satellite Server" and "Proxy Server". We are currently looking into migrating to this (we are currently using a custom solution using mirror, rsync, perl and rpm).

    Yes it is a paid support service, but that isn't always a bad thing :).

    Also I believe in the "Enterprise mode" (using Satellites and Proxies) machine info is not stored at RedHat.

    I'm sure if you contact RedHat sales they will be happy to send you the same blurb about it they sent us.

  17. What about AIDE? on Known-Good MD5 Database · · Score: 4, Interesting

    the poster mentions Tripwire, but what about AIDE?
    In addition to being a proper Open Source project, it allows for features that (last I heard at any rate) tripwire doesn't support, like a centralized checksum DB. That feature alone makes the tool superior (IMHO). For example it makes the verification process a lot nicer (intruder can't corrupt the local md5sum's because there aren't any).

  18. Re:But any web server is high-performance on High-Performance Web Server How-To · · Score: 2

    oh, I understand that. we actually have a half dozen effective mirrors of the production environment for development/testing/etc.

    I was just kind of curious on what manpower ratios you generally use for all of these servers (both main and pre-production/dev/test). I.e. for say 10 servers (say 2 main, the other 8 in use to get the product to the 2) how many sysadmins would you generally see in use.

  19. Re:But any web server is high-performance on High-Performance Web Server How-To · · Score: 2

    I have a question how much manpower (say in terms of number of sysadmins) do you generally use for say a group of 10 mid range sun servers say E4500's?

    Reason I am asking is some experience we had here where an admin dealing with the intel/linux side of things was able to handle about 40 boxes each with plenty of room to spare, whereas on the sparc/solaris side an admin was dealing with two boxes and wasn't really even able to keep up.

  20. Re:how nice of them on High-Performance Web Server How-To · · Score: 2

    Not sure if you noticed but they tried using the AMI megaraid controllers. They should have tried a Mylex. In spite of what Dell tech support will tell you (the PERC in the Dell's is a branded MegaRaid) that i960 based boards just have the performance issue, the Mylex DAC960 is i960 based and hums along just fine. I have seen 2-5x write performance increases going between the PERC and the Mylex -- and yes just proved this to management recently.

  21. Microsoft Press books are generally good on C# for Java Developers · · Score: 2

    The review seems surprised that the book was very honest about C#. back in previous times of my career (when I did win16 and then later win32 C++ programming) all of the Microsoft Press books I bought and read were of good quality. And they included healthy criticisms of parts of the technologies that weren't so great.

    In spite of Microsoft Press sharing the name with the company they have generally published books that are fair in their dealings with Microsoft technologies.

  22. Re:This is a wonderful thing.. on United Linux is Here · · Score: 2

    what about SLS? that pre-dated slackware and it used pre 1.0 kernels. I think the first I used was 0.99pl11 based back in '92 ish... need to dig up that CD and find a date on it.

    my distro lineage:
    SLS (92) -> SlackWare (94) -> RedHat (96)

    And yes I haven't moved from RedHat, so far haven't found a distro easier to do maintainable installs on (kickstart kicks butt).

  23. Re:No difference between big patch and upgrade on Solaris 9: Sticker Shock · · Score: 2

    Have you maintained RedHat installs?

    I'm not sure why you are rebooting. I haven't rebooted production servers to do a security patch in a long time. We still have lots of RH6.2 boxes running simply because of the same reason the poster said -- if they are running fine, don't bother. Which I still get patches for RH6.2 and that has been out for a while now. And since RPM is easy to do and well documented (I have yet to find a good source of doc's from sun on their package system -- found an okay one from a guy on the net) even when RedHat does stop releasing critical fixes to RH6.2 I can make the patched rpm's myself.

    We had some solaris boxes for a while, and from Sun support were instructed to do reboots on the production systems after some patches were applied. And I can't forget the fun of the ecache firmware flaw in the mid range servers Sparc processors that caused them to die randomly.

  24. Re:Err, you told us didn't you? on Portable Coding and Cross-Platform Libraries? · · Score: 2

    For serial port (and network and threading for that matter) look at: http://www.ysl.org

    okay, so I am biased (one of the authors), but the serial code works well on both linux and winNT (haven't tried the serial code on another unix). Has been used for commercial use to communicate with embedded hardware controlling oil drilling equipment.

    If you grab it, definitely use the cvs access (haven't done a release in a while as all active users go for the revs in CVS)

    and it is OpenSource

  25. Re:She's right, at least in part on Do Digital Photos Endanger History? · · Score: 2

    Yes, it is the fault of the photographers. I think is to say to digital is bad, but the mindset it enables is what can be bad.

    Yes you can still destroy the pictures and/or negatives, but that is done later, not live at the scene.

    And people do tend to be lazy (not just photographers here). Also, we are talking large amounts of storage. More than just a few zip disks.