Slashdot Mirror


User: tinkertim


Comments · 391

  1. Re:Sure, they can fill in the gaps on Open Source Forcing Shift in Software Buying · · Score: 1

    There are some little guys (like me) who are little in the grand scheme of things, but have some money due to some successes on-line.

    I'm open sourcing 30k worth of R&D done over the last two years. Most of it is related to Xen, clusters and security .. stuff small businesses need that I felt was too expensive for them. I also realize it's the best way to get my walking talking resume in front of the clients who can afford some very custom elaborate setups. Those are the people I hope to have feeding me.

    Glad to see larger fish practicing this logic in reverse, well, sort of :)

    Off the soapbox.

  2. Re:Xen on Windows on Xen Hacker Interviewed · · Score: 5, Informative

    You are correct and more so than you'd think. Xen provides true isolation of its domUs (user VMs). The Xen hypervisor is most likely some of the most efficient code ever released to the open source community.

    Xen layering and management allows you to do tons of stuff; I'm already doing SSI clusters on single machines. Xen + Win2k3 has been accomplished. This with CVIP / HA-LVS all running on one NIC. Slice a high end P4 into a 6 + 1 (x 128 MB) cluster of isolated servers. It's truly HA in a box, and very very simple.

    The reason they call it a hypervisor is just that: it's a step above a supervisory process. On VT enabled platforms (the new P4s / AMDs) you really start to see what Xen can do without the bottlenecks of processor architecture.

    Personally I think the ease of clustering is more important (and useful to the internet at large) than the ability to play with Windows stabilized under Linux. (I love saying that knowing it's actually happened hehehehhe).

    I can also say NetBSD does *very* well under xen.

    Here's a really cool example config of how xen could slice up a high end dual xeon.

    Assume .. dual Xeon .. 3.2 .. 4 GB registered, 2x 250 GB SATA disks (one of my labs)

    2 NICs at 1000 Mbps, connected to a gig-e switch. 100 Mbps x2 uplinks from 13 blended carriers. Basically, the average server you lease at any datacenter. Remember, you don't ever get to physically touch them. Xen is easy enough to install without needing local access.

    You set up 2 smaller (maybe 256 MB each) NetBSD firewalls, do some traffic shaping if you want. From there, you toss it over to an OpenSSI / Debian cluster running on the same machine.

    Here's the really cool part. The BSD machines can talk to dom0 and tell it when it's time to drop nodes or add nodes, or make nodes bigger.

    Need more servers? Simple . Xen them and load the ssi node image via pxe / etherboot.

    It's very very easy then to set up the bridging needed to get a working CVIP configuration and start weighting ports. So now you have 2 failover NetBSD front end routers, failover LAMP and failover NICs. Stick those SATAs in RAID1 and your only single point of failure becomes your power supply or something going horribly wrong on domain 0. At the price it costs for those servers, you can afford 2 and pay under 500 bucks for the whole shebang if you lease them. Buying outright and co-locating is the best way. Or if you're one of the fortunates with fiber coming into your own building ...

    Now toss Xen 3 in there and you have yourself a Win2k3 setup hosting your certificate authority, snaps, etc. Bring it all into AD if you want. It's a networking "magic bag".

    I'm just scratching the surface. These guys have a really, really useful wiki, as well as some "unofficial" Debian install packages. Your average Linux geek could get it going quickly.

    Keep your eyes on Xen. It's going to do good things for everyone - and it's going to push commercial equals to .. well .. be more equal. Right now (afaic) Xen tips the scales in its direction.

    Windows is just one of the marvels folks. Look at the big picture. Some of us have been screaming Xen for a while now .. so it's sort of a triumph to see it finally getting a larger following :) Virtuozzo just can't *touch* it.

    Off the soapbox. Hope someone found this useful. It took an awful long time to type. Course would help if I wasn't eating messy food ..
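The post above describes dom0 slicing one box into NetBSD firewall domains plus a pool of PXE-booted SSI nodes, with the firewalls telling dom0 when to add or drop nodes. The following is an added example (editor's code, not tinkertim's and not from the Xen project) of the two dom0-side pieces that idea needs: a generator for an xm-style domU config for one diskless node, and a planner that turns "I want N nodes" into the `xm create` / `xm destroy` commands dom0 should run. The `ssi-node-NN` naming, the `xenbr0` bridge, `/etc/xen` as the config directory and `pypxeboot` with its `bootargs` syntax as the PV network-boot loader are all assumptions. One caveat the post skips: whatever channel the firewall guests use to send these requests is a guest driving dom0, so it has to be authenticated, or a compromised firewall domU gets to reshape the whole host.

```python
# Added example (not tinkertim's code, not from the Xen project): an xm-style
# domU config for one diskless SSI node plus a planner that turns "add/drop
# nodes" requests from the front-end domains into xm commands for dom0.
# Assumptions: the ssi-node-NN naming, bridge xenbr0, a config dir under
# /etc/xen and pypxeboot as the PV network-boot loader.
import re

NODE_PREFIX = "ssi-node-"   # assumed node naming scheme
BRIDGE = "xenbr0"           # assumed dom0 bridge shared with the NetBSD firewalls
CONFIG_DIR = "/etc/xen"     # assumed location of per-node config files


def render_domu_config(name, memory_mb=128, vcpus=1, mac="00:16:3e:00:00:01"):
    """Return the text of an xm (Xen 3.x) config for a paravirtual node that
    network-boots its SSI image.  pypxeboot and its bootargs syntax are an
    assumption; a kernel/ramdisk pair copied to dom0 would replace them."""
    return "\n".join([
        'name = "%s"' % name,
        "memory = %d" % memory_mb,
        "vcpus = %d" % vcpus,
        'bootloader = "/usr/bin/pypxeboot"',     # assumed path
        'bootargs = "mac=%s"' % mac,            # assumed syntax
        "vif = ['bridge=%s,mac=%s']" % (BRIDGE, mac),
        "disk = []",                             # diskless: root comes from the SSI cluster
        'on_crash = "restart"',
        "",
    ])


def node_index(domain_name):
    """ssi-node-07 -> 7; anything else (dom0, the firewalls) -> None."""
    m = re.match(r"^%s(\d+)$" % re.escape(NODE_PREFIX), domain_name)
    return int(m.group(1)) if m else None


def node_name(index):
    return "%s%02d" % (NODE_PREFIX, index)


def plan_scaling(running_domains, desired_nodes):
    """Given the names from `xm list` and the node count the firewalls asked
    for, return the xm commands dom0 should run.  Growth fills the lowest free
    indices; shrinking destroys the highest ones first so node 01 (where the
    SSI init node normally lives) goes last.  The request path from guest to
    dom0 must be authenticated: this is a guest driving the hypervisor host."""
    nodes = sorted(i for i in map(node_index, running_domains) if i is not None)
    commands = []
    if len(nodes) < desired_nodes:
        used, i = set(nodes), 1
        while len(nodes) < desired_nodes:
            if i not in used:
                nodes.append(i)
                used.add(i)
                commands.append("xm create %s/%s.cfg" % (CONFIG_DIR, node_name(i)))
            i += 1
    elif len(nodes) > desired_nodes:
        for i in sorted(nodes, reverse=True)[: len(nodes) - desired_nodes]:
            commands.append("xm destroy %s" % node_name(i))
    return commands


if __name__ == "__main__":
    print(render_domu_config(node_name(1)))
    # e.g. the firewalls ask for 4 nodes while only 01 and 03 are running:
    for cmd in plan_scaling(["Domain-0", "fw-a", "fw-b", "ssi-node-01", "ssi-node-03"], 4):
        print(cmd)
```

Run it on dom0 and it prints the config for node 01 followed by `xm create` lines for nodes 02 and 04; the planner never touches `Domain-0` or the firewall domains because their names do not match the node prefix.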

  3. Re:So let me get this straight... on Policing Porn Isn't Part of The Job · · Score: 1

    Why the hell did I have to scroll down 4 times just to see a reply about the article, not about how certain news sites regulate their traffic?

    People, the MIB just tried to open up a can of whoop ass in a public library. The interstellar cockroach landed. And you're talking about cookies.

    So let me get this right. If I become a casual surfer to the Washington Post I'm gonna have to register? Man that sucks. I live in Manila now. I'll just pay someone to FedEx me the damn paper, it's cheaper.

  4. Re:unreal on Houston Police Chief Wants Cameras in Homes · · Score: 1

    I think they just want to enforce the "fellatio" laws better. Last I checked getting (or giving) was a $10 fine in most of Texas.

    Unbelievable. But Believable. I'm glad this idiot exists .. I think he helped make a point that many concerned people weren't quite sure how to make. :)

  5. Re:And people wonder why. on Outsourcing Evolving · · Score: 1

    I'm an American living in Asia. I moved here about a year ago to start my own R&D center. Corporate minds are finally catching up with small business it seems. I thought they were supposed to be the ones doing the leading.

    Anyway, I live in Manila. Here's why US people aren't getting the jobs they could, and here's the jobs they could be getting, in that order.

    1 - PHP/MySQL/Linux are becoming classroom staples here as early as middle school. This country is focusing intently on making its people its chief export. Google a little about Filipinos working abroad. I think you'll see a case of "little brother" leading the way for US people to get jobs.

    2 - Work ethic is taught here correctly. You join a company to lend your efforts to a greater good and receive compensation for doing so. The emphasis is effort before compensation.

    3 - Web hosts love this place. Millions of them are supported here. Java's R&D facility is a 20 minute walk from me.

    Now, why we're losing jobs :

    1 - We're not teaching our kids what they need to know to be competitive in the "real" IT marketplace. We're still under the foolish assumption that if we throw lots of money at good schools our kids should end up with marketable skills. Not true. Parents: research the markets and find out how best to expose your kids to the tools they need to explore some of the new opportunities opening up.

    2 - We're not empowering vocational rehabilitation centers with profitable internet businesses because we're a bunch of greedy bastards. Are you a web host? Go find a voc rehab center give them a re-seller account and show them how to manage it. Now they get a few hundred bucks a month they wouldn't otherwise because they can rally their community to support them, and have something useful to offer. Pay your outsourced staff to teach the teachers who will be putting this in place.

    3 - We're still out chasing cyber terrorists instead of giving people money to get the needed certifications to get into the jobs they need. Companies like Red Hat want you to pay lots of money to take their tests, yet offer cut rate RHCE exams in third world countries. What gives? So either help us get them or pay for plane tickets to the Philippines or India so we can take them cheaper.

    What can you do (Short of moving to another country) ? Not much. Can't beat em .. join em. Pack your bags and live / spend money in countries that have programs empowering you to learn and support yourself. Duck major snowstorms in the process :)

    I'm not encouraging people to get up and do what I did. I'm merely saying there aren't many other options for some people.

    When you have limited dollars to setup a small business, you are obligated to give yourself the best bang for the buck. US companies who outsource need to spend a little more money on the homefront, yes .. but bigger companies need to help lead that direction by empowering the people with knowledge of the technology they sell. Right now, its just too damn expensive for the people smart enough to work on it.

    Off the soapbox. Crucify me if needed. I like flaming .. lets me keep my derrière warm without the hassle of smelling farts.

  6. Re:You'd be amazed what's still available and used on Keeping the OS/2 Flame Alive · · Score: 1

    I think you could truly call OS/2 part of the infancy of the internet.. assuming you're of a school that says the internet is out of its infancy. Otherwise you could call it a good start.

    My first (ever) computer was a Tandy TRS-80 with a whopping 2k of RAM. Then off to Commodore land for a while.. then I finally brought myself to the PC (clone market - as it was called at the time).

    Our "clone PCs" usually had only 4 MB of RAM, and DOS took up quite a chunk of the env / dev space available. For most of us we just could not run 2 things at once even with Windows 3.1 (all eleven 5 1/4" disks it took to install it too! and 4 hours!) because of memory limitations. SIMMs were about $100 per meg back then. Ouch!

    OS/2 let me really start to play with what a computer could do. My only other access to a multi processing setup was at work where we had a RISC machine and vax cluster.

    I think IBM hit a "good" nerve in all of us who actually helped to build the internet into what it is today by keeping os/2 going.

    Moreover, I think thanks should go to those who kept all of the old "treasures" going. All of the avid newsgroup posters, the hobbyist communities, etc. So if the folks at IBM are reading ..

    Thanks for saving part of (my) internet that I helped to build. With all of the politics surrounding the Internet at large now, I was feeling kind of down wondering if we all did the right thing by pushing it as fast as we did.

    Now , OS/2 has nothing really to do with that. But it does say a big company like IBM remembers I still exist and helped them get big the last 15 years by learning and recommending their products.

    THIS DOES NOT MEAN MICROSOFT SHOULD BRING BACK "bob"

  7. You'd be amazed what's still available and used :) on Keeping the OS/2 Flame Alive · · Score: 1

    If any of you (like me) had fun back in the days of dial-up BBSes .. and liked OS/2 (I kinda liked DESQview also), Rob Swindell still keeps Synchronet, the telnet BBS package, alive (along with its OS/2 build).

    While he hasn't made many changes to them over the years the message base networks / online games are still really active. Someone mentions OS/2 and I instantly start thinking back to the days of playing Trade Wars.

    Wow makes you feel like a dinosaur and not even much past 30 .. But its good to see they're still alive and kicking.

    Memories :) Fun stuff.

  8. Re:Sleep vs. Meditation on Why Don't You Sleep On It? · · Score: 2, Interesting

    I think you'll find those results interesting. This is a frustrating topic for me because it interests me far past my capacity to grasp and really chew on all of the research that is being done discovering just how the brain stores memory.

    From what I understand (and I'll be crucified for sure if I'm wrong), the lag between the point where a memory is retrieved based on some sort of stimulation (i.e. you smell a perfume your high school girlfriend used to wear) and the time you become aware you've even remembered it is staggering by brain measuring standards.

    Apparently this is the transition from gut instinct to rational thought. If no established pattern exists in your wiring to relate that type of memory to that type of stimulation then "all you have to go on is a gut instinct".

    So the notion that you may make better decisions while your brain's initrd is still loading isn't just showing how cool of a machine you have in your head .. its also probably a correct notion .. based again on my (admitted limited) understanding of what is being discovered.

    I'd post a link, unfortunately the article I'm basing this on is in a Scientific American, and that could be one of many. I'm motivated only to post, not to get out of my chair.

  9. Re:Perhaps if people learned the OS they use .... on Essential PHP Security · · Score: 1

    Because by default installation (which is what many run with, out of the box), Debian does not suffer from many of the issues that the more popular (and sometimes commercial) Linux distributions suffer from. Most people install, update and figure that their system is secure. This is not the case on ANY distribution of Linux. The security issues you see surrounding PHP are not the fault of PHP. 90% of the time a properly secured server would have prevented the issue. The issue is this: people demand hosting that allows virtually unrestricted use of PHP to power whatever script. Web hosts give them what they want - sadly, most of the time, without properly securing the OS to provide it. PHP security starts at the OS level. If all we had to worry about was SQL injection vulnerabilities and holes in session handlers the book would probably not have been written. I'm not demeaning the book. I'm demeaning people that give unrestricted access to their boxes for under $2.50 and wonder why it isn't secure :) That "crap" gets mistakenly hung on PHP. And nobody who presents themselves as an authority seems to address the issue. I'm saying, it's an issue. And Debian fixes much of it by default.

  10. Perhaps if people learned the OS they use .... on Essential PHP Security · · Score: 4, Informative

    I can't but get a little sick when I see a whole book written on something so incredibly simple.

    The reason you see PHP being exploited is not the security of the host OS, not the security of PHP (well almost never), it's the lack of knowledge by the person owning the computer hosting the sites and companies like The Planet who hand them out to literally anyone with a Paypal account or credit card number.

    I can in 20 minutes show any experienced Linux system administrator how to run PHP completely wide open as far as functionality is concerned on a shared hosting environment and how to do it relatively safely.

    Your average web hosting company is a business person who has money to buy servers with idiot proof (nearly) control panels such as cPanel / WHM.

    They're also likely to come with RHEL, CentOS 3 or 4 or Fedora. Very rarely do I see a Debian server used in a shared hosting situation (that should also tell you something).

    These boxes are not secure yet they go immediately into production.

    SO! To anyone who cares, (and reads this far) here is Tinkertim's checklist :

    1 - Egress filtering (firewall the damn box),

    2 - Get rid of that fat, bloated leaky modular kernel. Monolithic kernels are too easy to build not to do it. Don't forget to keep iptables, test with your firewall when done.

    3 - Seek and loop world writeable directories, or mount them as noexec. Even doing that is not going to save you all of your trouble. As nobody I can run /bin/sh -x /tmp/mybot.sh just fine on most Linux distros even if /tmp is noexec. So dammit go toss the 3 lines of code in /bin/sh that keeps uid/gid 99 from doing that.

    4 - Don't even THINK about using apache/proxy on a shared hosting setup. Thats just incredibly stupid and self destructive.

    5 - Look around in /dev ... make sure you took ALL the tools away that help people get bad code onto your box in the first place. /dev/tcp is just as lethal as leaving wget available on a Fedora / RHEL installation. Use mknod and make them safe. Same with /dev/udp .. remake them.

    6 - Get rid of what you don't need. Rename what you do and use scripts to help govern them. Lynx / wget / POST / GET (and everything else RHEL/Centos comes with) can be used to do dastardly things. Take advantage of user / group ownership that is found in Unix.

    7 - lsof is your friend. Write a script to check for open accepting inet sockets that don't belong.

    8 - (finally) VERIFY YOUR ORDERS ... stop making instant setup hosting accounts. Use fraud screening services. Remember a security hole is only a problem if you sell space to someone who's intention is to exploit it.

    Web hosts are the scourge of the planet. I know, I am one :) But I do things a bit differently than most. There's things you (yourself) can do if you're stuck on shared hosting to ensure and nudge your host into securing their boxes.

    I may just re-post later or re submit with that list too. I'm off the soap box now. My point is this. We (shared web hosts) made this problem. We have a responsibility to admit it and stop it. I'll work on some checklists and scripts to do it for the lazy bastards and GPL them. Tired of people getting rich writing books making hype about what (should be) a very trivial issue.
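The checklist above is a procedure, so here is one added example (editor's code, not tinkertim's promised scripts) that implements the checks behind items 1 and 3 on a RHEL/Fedora-style box: which scratch filesystems are still executable according to /proc/mounts, which directories under a tree are world-writable (and therefore reachable by uid 99 whether or not they are sticky), and an iptables OUTPUT ruleset that uses the owner match to stop uid 99 from opening outbound connections at all. That last rule is what actually stops `/bin/sh -x /tmp/mybot.sh` from phoning home once noexec has been sidestepped the way the post describes. The sample /proc/mounts text and the temporary directory tree are constructed; the web uid, the list of scratch mounts, the interface name and the allowed port list are assumptions. One caveat on item 5: `/dev/tcp` and `/dev/udp` are redirection targets interpreted inside bash itself, not device nodes, so remaking them with mknod does not remove the capability; denying uid 99 egress does.

```python
# Added example (not tinkertim's code): three checks behind items 1 and 3 of the
# checklist above.  Sample /proc/mounts text and the temp tree are constructed;
# the web uid, scratch mount list, interface and port list are assumptions.
import os
import stat
import tempfile

WEB_UID = 99                                         # "nobody" on RHEL/Fedora
SCRATCH_MOUNTS = ("/tmp", "/var/tmp", "/dev/shm")    # assumed list of drop zones

# Constructed /proc/mounts: /tmp is noexec, /dev/shm is not, /var/tmp is not
# a separate mount at all (so it inherits the root filesystem's exec flag).
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda2 / ext3 rw,data=ordered 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
"""


def mounts_missing_noexec(proc_mounts_text, wanted=SCRATCH_MOUNTS):
    """Return the entries of `wanted` that are executable: mounted without
    noexec, or not mounted separately at all."""
    options = {}
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            options[fields[1]] = set(fields[3].split(","))
    return [mp for mp in wanted if "noexec" not in options.get(mp, set())]


def world_writable_dirs(root):
    """Walk `root` and return directories anyone, uid 99 included, can write
    to.  Sticky directories are still reported: the sticky bit only protects
    other users' files, it does not stop a bot script being dropped there."""
    found = []
    for dirpath, _dirs, _files in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            found.append(dirpath)
    return sorted(found)


def egress_rules(web_uid=WEB_UID, allow_tcp_ports=(25, 53, 80, 443), iface="eth0"):
    """iptables OUTPUT rules for an iptables-restore style script.  The web
    uid may only reach loopback; everyone else only the listed TCP ports and
    DNS.  Replies to inbound HTTP still flow because they are ESTABLISHED.
    The owner match lines must precede the generic accepts."""
    rules = [
        "-A OUTPUT -o lo -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        '-A OUTPUT -m owner --uid-owner %d -j LOG --log-prefix "egress uid %d: "' % (web_uid, web_uid),
        "-A OUTPUT -m owner --uid-owner %d -j DROP" % web_uid,
        "-A OUTPUT -o %s -p udp --dport 53 -j ACCEPT" % iface,
    ]
    rules += ["-A OUTPUT -o %s -p tcp --dport %d -j ACCEPT" % (iface, p) for p in allow_tcp_ports]
    rules.append("-A OUTPUT -j DROP")
    return rules


def make_sample_tree():
    """Constructed directory tree: one world-writable upload dir, one private."""
    root = tempfile.mkdtemp(prefix="audit-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o1777)
    os.mkdir(os.path.join(root, "private"))
    os.chmod(os.path.join(root, "private"), 0o750)
    return root


if __name__ == "__main__":
    print("executable scratch mounts:", mounts_missing_noexec(SAMPLE_PROC_MOUNTS))
    print("world-writable dirs:", world_writable_dirs(make_sample_tree()))
    print("\n".join(egress_rules()))
```

On a real host feed `open("/proc/mounts").read()` to the first function and a docroot or `/` to the second; the rule list goes into the filter table of an iptables-restore file. Dropping uid 99's egress will break any PHP script that fetches remote URLs, which is the trade-off the post is talking about, so the LOG rule is there to show you what breaks before you decide.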

  11. Blah. Can't throw one book at "sysadmin" ... on Time Management for System Administrators · · Score: 2, Interesting

    Time management is common sense. Nothing more.

    xx hours in each day
    xx tasks take up xx hours
    xx interruptions take away from xx tasks.

    This varies greatly. You may have a nice cush university job where you can get away with BOFH tactics and generally get paid to do little to nothing.

    Or you could work for a web hosting company with 300 servers and one admin. You know, the kinds of companies that give you an army of "RHCEs" from India and call it help? In that case you don't need time management skills, you need hard drugs and liquor, and lots of it.

    My priority scale changes much like a dynamic cluster would.. whatever is prone to get me screamed at the most if it doesn't get taken care of is what gets attention. That's either the servers or the wife, whichever talks through the earpiece when I pick up the phone.

    If someone could write "The complete idiot's guide to quieting a noisy pesky end user who won't STFU about their database" .. I'd buy it. Otherwise I'll wait for the movie to come out on this one ...

    The point is most of us have unrealistic demands put on us daily. You just need to accept that you are not going to get things done, and most people aren't going to like you much less appreciate what you do (or even understand why those pesky interruptions can set you back a whole day ... ).

    So put this somewhere on your wall or on your cube / door / whatever. It works for me.

    ***
    If you see me editing stuff that looks like code, stand there for 10 seconds. If I don't look your way, go away - leave your number or email on my door I will call you back.
    ***

    Companies should educate staff more on AST (Admin sensitivity training.)

    As the median income for a 20 year seasoned unix veteran is now around 40k, we just don't make enough money to put up with end user crap :) Esp when said end users are making more money than we do.

  12. Re:Before everyone gets too impressed with this te on Brain Scans to Identify Liars? · · Score: 1

    I agree whole-heartedly, this is why:

    If you sample enough people's brain activity under controlled circumstances knowing if they are or are not telling their perception of the truth you are BOUND to witness some similarities.

    One could mistakenly think this was progress and expand the testing only reversing it, not knowing if someone is or is not lying.

    Should that be successful you'd then have the false belief you could detect if someone is lying.

    Until you have many established "norms" (i.e. you have done this controlled on about 3 billion people) you can not even begin to call it reliable.

    I could propose (which I have on occasion) that you could determine an individual's predisposition to violence simply by examining their anthropometrical data. I could even show you cases where it seems entirely feasible and practical.

    However, until I have a reference of at least a third of the worlds varied populations cross referenced for all possible types of humans (i.e. genetic mix of parents) I could not begin to even dream its accurate.

    The way to have announced this is more "Look what we did" than "Look how it can be marketed". This isn't science its industry peddling grants again.

    I'm off my soapbox :)

    Tinkertim

  13. ARG!!!! on Intel Dropping Pentium Brand · · Score: 1

    Should be from the "just-when-i-spent-over-1200-bucks-on-custom-icons-and-banners" that said "Powerful Intel Pentium 4 Processors"

    Not only do they dump it. It gets slashdotted.

    So now "Bargain Pentium 4 processors recently dumped by intel just after being made affordable enough to deploy in bulk" ?

    With AMD at least all I have to do is change the # and model.

    Rat fink *as*ards!

    Here goes another $1200 ...

  14. Re:What we do not know on Linux Desktops Send NASA Rovers to Mars · · Score: 1

    That is when you should, in fact consider Linux over everything else.

    I would pit a stripped down to bare essentials monolithic 2.6 kernel against pretty much anything else. Ask anyone else who runs wide high abuse networks mostly open to the public residing on class C IP addresses anyone with a PayPal account can have access to, instantly.

    I would think what NASA meant to say was :

    "We just don't feel like messing with Linux enough to get it to meet our stringent security needs so we paid someone needless tax dollars to do it for us but I think they named it [cough (censored) cough]."

    Your primary concern on any network is what is on the desktops that have privileges ON that network and also have outside internet connections.

    So read it again, very very carefully ........

  15. Re:CONTINUE: on Linux Lupper.Worm In the WIld · · Score: 1

    People it is really not hard to find and detect this.

    If you maintain a public web server that offers space to the masses at low cost, you better read up on :

    lsof
    netstat

    Reminder - all Fedora / RHEL users, /dev/shm exists on your system and by default allows code to execute.

    Reminder to apache users, /apache_root/apache/proxy exists on any new installation (for the most part) and is world-writable, executable and owned by nobody.

    Don't go forcing phpsuexec and checking GIDs on port 80 via iptables. Just realize what is world writeable and executable that uid 99 can get to (generally, "nobody").

    Even on public servers, creative usage of loop devices can save you a lot of late night aggravation answering abuse tickets.

    Most hosting companies can *not* disable some of the php functionality such as shell_exec, passthru, file_get_contents, etc. It breaks too much functionality for their customers. They really have no choice but to leave a somewhat inherently insecure setup running else they can not compete with those who do.

    If you get hammered, *please* just send them a polite report and ask them to locate it. Most will use mod_security, again, this can be tuned to ignore whatever malformed URLs this new variant sends.

    Why does this matter to those who do not run a hosting company? Because 90% of the abuse you receive is probably coming from a compromised webserver. If everyone is very watchful over the next few weeks this will pass without too much annoyance.

    Slapper is the most annoying but not the end of the world.

    HTH

    tinkertim
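Both this post ("read up on lsof / netstat") and item 7 of the checklist in the Essential PHP Security post above ("write a script to check for open accepting inet sockets that don't belong") ask for the same thing, so here is one added example (editor's code, not tinkertim's) that does it: parse `lsof -i -n -P` output, flag every listening socket that is not on an allow-list, and rank anything bound by the web server account highest, since a bot dropped through a PHP hole runs as uid 99 ("nobody") on the RHEL/Fedora boxes the posts describe. It also lists established outbound connections owned by the web user, which with egress filtering in place should be an empty list. The lsof lines are constructed sample data (including a made-up `perl` listener and its outbound connection standing in for a bot); the allow-list and the set of web server account names are assumptions.

```python
# Added example (not tinkertim's code): parse `lsof -i -n -P` output and flag
# listening sockets that are not on an allow-list, with anything bound by the
# web server account ranked highest.  The lsof lines are constructed sample
# data; the allow-list and web account names are assumptions.

# (command, port) pairs expected on a typical shared host; assumed.
ALLOWED_LISTENERS = {("sshd", 22), ("httpd", 80), ("httpd", 443), ("mysqld", 3306), ("named", 53)}
WEB_USERS = {"nobody", "apache", "www-data"}   # assumed web server accounts

SAMPLE_LSOF = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812   root    3u  IPv4  10234      0t0  TCP *:22 (LISTEN)
httpd     1440   root    4u  IPv4  12345      0t0  TCP *:80 (LISTEN)
httpd     1441 nobody    4u  IPv4  12345      0t0  TCP *:80 (LISTEN)
mysqld    1502  mysql   10u  IPv4  13001      0t0  TCP 127.0.0.1:3306 (LISTEN)
named      900  named   20u  IPv4  11000      0t0  UDP 127.0.0.1:53
perl      2231 nobody    3u  IPv4  22222      0t0  TCP *:7222 (LISTEN)
perl      2231 nobody    4u  IPv4  22223      0t0  TCP 10.0.0.5:49152->203.0.113.9:6667 (ESTABLISHED)
"""


def parse_lsof(text):
    """Turn `lsof -i -n -P` lines into dicts.  Apache workers inherit the
    parent's listening socket, so port 80 shows up once per worker under the
    web user; that is normal, which is why the allow-list is keyed on
    (command, port) rather than on the user."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        local, _, remote = fields[8].partition("->")
        records.append({
            "command": fields[0],
            "pid": int(fields[1]),
            "user": fields[2],
            "proto": fields[7],
            "local": local,
            "remote": remote,
            "state": fields[9].strip("()") if len(fields) > 9 else "",
        })
    return records


def port_of(endpoint):
    """'*:80' -> 80, '[::]:22' -> 22, '10.0.0.5:49152' -> 49152."""
    return int(endpoint.rsplit(":", 1)[1])


def is_listener(record):
    # TCP sockets say LISTEN; a bound UDP socket has no state and no peer.
    return record["state"] == "LISTEN" or (record["proto"] == "UDP" and not record["remote"])


def unexpected_listeners(records, allowed=ALLOWED_LISTENERS):
    """Listeners not on the allow-list, as (severity, command, pid, user, port)."""
    findings = []
    for r in records:
        if not is_listener(r):
            continue
        port = port_of(r["local"])
        if (r["command"], port) in allowed:
            continue
        severity = "high" if r["user"] in WEB_USERS else "medium"
        findings.append((severity, r["command"], r["pid"], r["user"], port))
    return sorted(findings)


def outbound_from_web_users(records):
    """Established connections opened by the web server account: with egress
    filtering in place there should be none, so each one is worth a look."""
    return sorted(
        (r["command"], r["pid"], r["user"], r["remote"])
        for r in records
        if r["state"] == "ESTABLISHED" and r["user"] in WEB_USERS and r["remote"]
    )


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for finding in unexpected_listeners(recs):
        print("listener:", finding)
    for conn in outbound_from_web_users(recs):
        print("outbound:", conn)
```

On a live box replace `SAMPLE_LSOF` with the output of `lsof -i -n -P` run as root (without `-n -P` lsof resolves names and the port column changes shape). Keep the allow-list as short as you can; anything it does not cover is a finding, and the PID in each finding is what you hand to `lsof -p` next to see where the process's files live.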

  16. Re:My experience with reserator on Silent Water Cooling on the SLI · · Score: 1

    I've actually seen water cooled PC / Case and FISH TANK combinations.

    A set of dual 3.0s apparently provides ideal water temperature for most tropical fish.

    The setup is a clear mid tower case, with a small fish tank attached to the side of it. I am sure others here have seen it.

    While I would love to set up a cluster of 20 dual Xeons all liquid cooled with one huge heart in the middle beating to cool them (glow tubing, of course!) I'm still partial to the hum and whirr of my fans.

    I just can't really bring mysql to put water inside of my case on purpose. I also can not bring myself to touch my eyeball to put in a contact lens .. sort of a similar unfounded phobia.

    My nonsense for the hour :) Back to work.

    Derrr... MYSELF, not mysql. Ugh
    tinkertim