..."he considered this small group important enough to be worth more of his time than the 14,000 people who went to JavaOne"...
I'm shocked,
It's not like Ubuntu is based on Debian.
As far as who Shuttleworth spends his time with and what conferences he attends, well, it's not that surprising he went to this one, is it? If Gates and Ballmer had attended, however, that would be news.
Seriously though, I don't like Ubuntu and I wouldn't use it; frankly I prefer Debian proper, but if someone who had never touched a *nix asked what to install I'd give them one of the nice Ubuntu CD-ROMs I had shipped to me and tell them to knock themselves out, and chances are they'd get on well with it.
NIDNRTFA - Sorry
It seems that the entire process of software creation through to use is often flawed, not that that applies to all software. If you use Windows regularly you will know what I mean; to cite a few examples:
ZoneAlarm - How many times have you come across a computer with ZoneAlarm on it that has been thoroughly ransacked by malware / spyware etc.? The user has tried to follow the rules and install a firewall (not suggesting ZoneAlarm is a good way to go, but it's an example) only to click Yes every time an application wants to access the net or the PC ("warezmonster.exe wants to access the internet, is that OK? Yes[X] No[ ]").
Or Outlook - Some poor user gets an email containing a zip or a self-decrypting archive, gets prompted that this attachment is unsafe ("But I know what it is so I'll turn off blocking safe attachments and leave it that way") and then gets stung with something nasty.
Active Directory - Group Policy. As an admin you really had to be on the ball with 2k Server (and I assume with 2k3) when presented with statements like "Interactive logon: Do not require CTRL+ALT+DEL" Allow [ ] Deny [ ] (I can't find my favourite one...)
These are all things that could be improved, and yes, it would be good if the designers put function over form (but retained enough 'form' to make things usable); I guess it's a major balancing act.
Final point is that a fairly simple way of improving security would be for MS and I guess Apple to sort out their kernel / userland topologies and their permissions structures. But that's just a thought.
What I failed to add to the post above is that it's not the architecture that's the issue, even if it is more common; the transition between architectures probably left a few holes as it wasn't a trivial move, but running OS X on Intel shouldn't make it as insecure or as vulnerable as a Windows machine, just as running GNU/Linux, BSD or Solaris (or any *nix) on Intel doesn't make it "as" vulnerable as a Windows machine.
If your new PowerBook is running Boot Camp and you're currently using XP then you need to lower your expectations: it's a Mac, it's running a flawed OS, so unless you're careful you are going to end up with a virus, just like the other X million Windows users, regardless of hardware.
If you're running OS X then I'd say your risk is just that bit lower; it's a less flawed OS. My last check showed 4 viruses aimed at OS X (Symantec): OSX.Leap.A; OSX.Inqtana.A; OSX.Inqtana.B; MacOS.MW2004.Trojan; which is a few orders of magnitude less than for Windows XP (never mind all the other versions).
Sure, OS X on Intel has shown a few flaws and sure, some of them will be exploited, but it's a world away from the threat to a Windows machine. I don't think that there is an OS out there in common usage that isn't susceptible to infection; it's all about how prevalent the threat is.
If you don't like it, don't install it. If you're using Linux, select the packages you want, not the 'KDE' meta package with "all the official packages"; it takes a little longer but works just as well. Hell, if you're really worried put together a metapackage of your own with just the bits you want, and none of those you don't. Yeah, you will hit some issues with dependencies, but not all that many, and you can get rid of a huge amount of bumf if you don't want it. I'm happily using a lightweight KDE with components of my own choosing, but if I install KDE on someone else's PC they tend to get the whole lot, and are generally happy.
Oh, and for people who are not worried about bloat and people new to Linux it's all "nice features"; trying to make KDE attractive to people is not a bad thing, especially when you want to have all the latest whizz-bang stuff.
After all, Linux gives you choice; it's not like you can get rid of all the bloat in Windows, or even the GNOME metapackage...
I just want impartial, unbiased, honest, factual, relevant, interesting, up-to-date reporting to empower me to make my own decisions and take any relevant action I deem necessary....
But occasionally I want opinionated, sensationalist, one-sided reporting with a large dose of tongue-in-cheek humour and honest-to-god trolling (then I go to /. :) )
Oh, and when I want to know what's happening in the United States of America and need a good laugh, I check out FOX.
I've got a stack of custom scripts and documentation and policy I could dig up if it's appropriate and if it's useful; too much to post here, sadly. I've spent a good 25% of my working life (well, before I became self-employed anyway) dealing with network implementations; sadly it's 90% Win2k Server (DNS + DHCP + AD), 5% BIND and 5% general theory. Get in touch if you're interested (that goes for anyone else as well...): slash[removethisbit]dot[at]ictsc[dot]co[dot[uk] and I'll get it to you if it applies.
To be blunt, you don't need IP management software, you just need a decent DNS structure and DOCUMENTATION. Everyone doing their own thing is fine as long as you haven't got to get anything to work together. If your networks are not interconnected it gets a bit interesting, but if you are using interconnected networks just use DNS as normal and propagate down to the various networks; effectively set up a root server for each network's DNS servers to query. You retain control of the root server, allowing you to add global resources, and get your net admins in each region to manage theirs. Put a policy together to say what you and they can and can't do naming- and allocation-wise and you should be sorted. You still need some communications tool, but that could be as simple as a web page that allows you to a) run a DNS query and b) request an IP address for inclusion on the root server...
What DNS server system are you currently using? If your networks are not interconnected then you are going to have to produce whatever cfg is required to simply drop a load of DNS entries into a zone; you can probably get away with a CSV and then format it depending on requirement. This can easily be done with a little PHP (and MySQL if you need it to be slick).
Don't look for a technical problem for a management issue and don't try to micromanage; if your documentation, policy, planning and topology are a mess, sort that out first. There is no silver bullet. After all, Preparation and Planning Prevents Piss Poor Performance.
Or is that too simplistic and am I missing something? (Sorry, it's @0600 here in the UK and I'm still working on something I started yesterday morning; excuse any spelling / grammar / structural and logical errors...) - (On that note, if anyone can tell me why a W3C-compliant page that looks great in Firefox, Opera and Netscape can generate an "errors on this page prevent it from loading" error in IE I'd be grateful; if not I'll just bitch about it on any forums I find in the next 24 hours and then give up. Who uses IE anyway...)
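As an added example (not the poster's scripts), the following generator takes the kind of CSV the post suggests and emits BIND forward records per regional subdomain plus reverse PTR records per /24, rejecting rows that break the naming and allocation policy (duplicate hostnames within a region, duplicate addresses across the interconnected networks, malformed labels or addresses). The example.net parent domain, the CSV columns and the ns1.example.net name server are assumptions.

```python
"""Build BIND forward and reverse zone records from a CSV inventory.

One parent domain is held on the central (root) server and each region gets
its own subdomain; reverse zones are cut per /24."""
import csv
import io
import ipaddress
import re

# Constructed sample inventory (hostname,ip,region); not a real network.
SAMPLE_CSV = """\
hostname,ip,region
fs01,10.1.0.10,london
dc01,10.1.0.5,london
print01,10.2.0.20,leeds
fs01,10.2.0.10,leeds
www,10.1.0.80,london
www,10.1.0.80,london
bad host,10.1.0.99,london
dhcp01,10.1.0.300,london
mail,10.1.0.5,leeds
"""

# Hostname label rule (RFC 1123 style): letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_inventory(text):
    """Validate the CSV and return (records, errors).

    records: list of (hostname, IPv4Address, region) that passed every check.
    errors:  list of (csv_line_number, reason) for rows that were rejected.
    Hostnames must be unique within a region; addresses must be unique globally,
    since the networks are interconnected."""
    records, errors = [], []
    seen_names, seen_ips = {}, {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = (row.get("hostname") or "").strip().lower()
        region = (row.get("region") or "").strip().lower()
        ip_text = (row.get("ip") or "").strip()
        if not LABEL_RE.match(name) or not LABEL_RE.match(region):
            errors.append((lineno, f"invalid label in {name!r}/{region!r}"))
            continue
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ValueError:
            errors.append((lineno, f"invalid IPv4 address {ip_text!r}"))
            continue
        key = (region, name)
        if key in seen_names:
            errors.append((lineno, f"duplicate host {name}.{region} (first on line {seen_names[key]})"))
            continue
        if ip in seen_ips:
            errors.append((lineno, f"duplicate address {ip} (first on line {seen_ips[ip]})"))
            continue
        seen_names[key], seen_ips[ip] = lineno, lineno
        records.append((name, ip, region))
    return records, errors


def forward_zones(records, parent="example.net"):
    """Map each regional zone name to its sorted A records."""
    zones = {}
    for name, ip, region in records:
        zone = f"{region}.{parent}"
        zones.setdefault(zone, []).append(f"{name}.{zone}.\tIN\tA\t{ip}")
    return {zone: sorted(lines) for zone, lines in zones.items()}


def reverse_zones(records, parent="example.net"):
    """Map each /24 reverse zone (z.y.x.in-addr.arpa) to its sorted PTR records."""
    zones = {}
    for name, ip, region in records:
        net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
        # reverse_pointer of 10.1.0.0 is '0.0.1.10.in-addr.arpa'; drop the host octet.
        zone = net.network_address.reverse_pointer.split(".", 1)[1]
        zones.setdefault(zone, []).append(f"{ip.reverse_pointer}.\tIN\tPTR\t{name}.{region}.{parent}.")
    return {zone: sorted(lines) for zone, lines in zones.items()}


def render_zone(zone, lines, ns="ns1.example.net", serial=1):
    """Render a minimal zone file body: $ORIGIN, $TTL, SOA and NS, then the data records."""
    header = [
        f"$ORIGIN {zone}.",
        "$TTL 3600",
        f"@\tIN\tSOA\t{ns}. hostmaster.{zone}. ( {serial} 7200 900 1209600 3600 )",
        f"@\tIN\tNS\t{ns}.",
    ]
    return "\n".join(header + lines) + "\n"


if __name__ == "__main__":
    recs, errs = parse_inventory(SAMPLE_CSV)
    for lineno, reason in errs:
        print(f"line {lineno}: rejected, {reason}")
    for zone, lines in {**forward_zones(recs), **reverse_zones(recs)}.items():
        print(render_zone(zone, lines))
```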
Just how many addressed nodes are we talking about? And how many physical networks?
I would probably start looking at this as a paper project and see if you can't rationalise your network address schemes somewhat. I've used and would recommend IPPlan generally, http://iptrack.sourceforge.net/, but I don't tend to manage networks in any meaningful way; I prefer the networks to manage themselves. Getting initial configurations of DHCP and DNS schemas right and then scaling it all up, and maintaining documentation of the general topology, generally helps too, although actually tracking what IP address is assigned to what isn't generally all that important, or at least not for more than about 10% of the addressed nodes (I reserve ranges for static addressing on servers and network devices that require them and issue them sequentially per device; everything else is dynamic).
However, you seem to be talking about more than a few thousand hosts so it will presumably be a bit different. I've never thought about scaling a LAN that I have managed beyond 3000 devices, and when looking at WAN it's never been a problem to have multiple networks with the same address schemes interconnect; it just involved NAT at each gateway.
Just a quick one: if you are using all of the address allocation according to RFC1981 that would mean you have well in excess of 16 million nodes, or you really need to look at how you have allocated subnets...
OK, bad explanation in this case; the general idea was that I could build a very large storage system with a vast amount of redundancy, i.e. duplication of hardware and RAID on the SATA cards, and get a lot more than the vendor solution in terms of storage, features and cost. The system was intended to maintain a copy of current live data (only 400Gb of it).
If you are looking at file serving or database storage, anything on a live server with client access or a large amount of change goes on SCSI disks, RAID 5 or 0+1 depending on the requirement, preferably with a decent server doing the work. I used to work exclusively with HP server systems and the HP SCSI drives (new ones of which were still branded as Compaq up until about 8 months ago) and the equipment was good; we would see 1x SCSI drive foul up about every 4 months (and we'd send it to HP and get a nice new one back). But for long-term large storage that isn't being processed or written continuously (as I said, in this case a ready backup) I'd use SATA and then from those disk sets on to tape.
And yes, a storage solution that contains all your rather valuable data should be boring as hell, and it should be maintained with loving care... It's a bitch when your data isn't there (or worse, the backups that you have been running for the past 4 years turn out to be useless...)
The joke was always that buying a large storage solution (2TB+), be it NAS or server attached, was just not economically viable.
Ditto, but will MS acknowledge that? Sure, some companies will have issues with this but they *can* fix it; anyone else is going to get the 'pirate' treatment.
Any innovation (if that's what this is - no doubt it will turn out to be something that someone else thought of in the 80's...) is welcomed in this area.
Maybe one day vendors will stop pushing overly expensive and utterly bland storage solutions. E.g. last time I had a meeting about storage the product was: 2x servers, 2x disk arrays with possible storage of a little under 2TB (using 24 80Gb SCSI HDDs) with RAID 5. Oh, and the storage was presented as 4 @ 500Gb drives to the OS (some proprietary thing). All in at a cool £27,000 (and that was before the license for CIFS). Guess how it was billed - innovative... It's a joke, so the solution? In the meantime lots of SATA drives and file replication; eventually? Maybe we can make use of all that storage that sits on every machine on the LAN that is never used...
*This comment turned into a bit of a long one - if you need to use the bathroom or grab a coffee, do so now...*
First off, I think this is up to Microsoft. If they want to ensure people buy their software and crack down on unlicensed copies then that's fine. I don't and won't use MS software unless it's justifiable on a cost basis, and generally it isn't (although I would love to see a good GNU Visio replacement, preferably with a good community base... but that's another matter). So no, I don't currently use any MS software anywhere: Linux on the desktop, Linux and MacOS on the laptops and PalmOS on the PDA.
That aside, it might actually help MS maintain market share. Some people will have to license on the back of this because it becomes possible to see when a machine hasn't been licensed.
OK, so now we have nag screens; this means that if you are using a pirated copy you get some inconvenience.
Some predictions...
Next we will see real limitations on what you can do with an unlicensed install:
No updates, security or otherwise,
No upgrades, no upgrading to Vista with an unlicensed XP install,
No installs (limited to MS software I would guess, and maybe some partners): new software will require your Windows install to be licensed,
No unlicensed MS and partner installs: expect the OS to prevent you running other software that doesn't meet the criteria set by MS as far as legitimacy is concerned,
No access to MS and partner services: you want to use Hotmail? MSN? Windows Live? Well, your machine is going to have to authenticate itself. Not running Windows? Oh well, we're trying to stop 'piracy' and 'theft', who could fault that; if you're running a non-MS (or even an old MS) platform you need to upgrade / switch and license.
And all of this default in Vista, or at the very least one or two service packs into Vista.
So I expect some of the criticisms of this will be:
1) MS will cut themselves out of the market;
They might, but more likely they will get a few more licensed users, and remember, if you have to license Windows and you have to license Office then they are going to make some money. If they do this now then they will leverage the market share they have (especially when it comes to document compatibility) BEFORE any of the alternatives (ODF) become widely accepted. The gamble on Microsoft's part will be that they have everyone by the balls now but might not in two or three years' time; best to try and secure that stranglehold.
Linux, BSD and Apple (the computer manufacturer, not the record label) OSes only comprise a small market share at the moment, so it's worthwhile trying it whilst Joe User isn't aware of the alternatives or doesn't think that they are viable. Thus they can solidify and possibly extend their market share whilst increasing the proportion of that market share that is actually licensed.
2) Everyone will switch to Linux, BSD, Apple, anything to save money / hassle
Again, possible, but corporate users (directors and managers who TRUST Microsoft) are being bombarded by things like the 'Get the Facts' campaign (which is pretty much just propaganda... in fact if you get the chance check out the case studies and then look at the companies that wrote them; most of their websites are hosted on 'Server: Apache/1.3.33 (Unix)', including the one that has seen a significant reduction in TCO and an increase in reliability and security all by moving its web applications to 2003 Server and .NET (to be fair I think they were talking about their intranet, but still, practice what you preach!).
Companies, however, will take that on board; it's the kind of thing that is used in internal company politics to the advantage of the anti-GPL crowd. Moreover, as long as Joe uses a Windows box at work he's going to want to use one at home.
3) There will be a revolt, everyone adversely effec
Am I the only one here who has spent weeks of work time writing batch and VBScripts to automate operations on Win2k Servers and networked Windows clients? If this works as advertised (and if I was still running Windows) I'd use it.
It's a step in the right direction, and anything that extends an admin's ability to write effective scripts is a bonus. After all, whilst it may have taken me a few days to write some of the more complex scripts that we used, it would have taken longer to write an application in VB or C to do the same job.
(BASH is my shell of choice; it's because I have an unhealthy obsession with grep...) NB: not spell checking this post - it's too early
Note the ever so small browny-orange dot next to Linspire, denoting it's a Debian derivative (I think, guessing by the key...). This is similar to the dots on the multilingual distros, so I guess it does show the same thing (i.e. Linspire as a Debian-derived distro...)
Not a great diagram as far as inclusion and heredity (pedigree?) are concerned (but it's not supposed to be for that, so who cares), but certainly a useful one for new users.
I used to be responsible for IT security for my previous employer and find that the biggest danger to any password-based security is the user. When I started there were no passwords in use anywhere. After about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement). I was not popular. (This may have been the passwords, or possibly the pave and nuke job I did on all the corporate desktops, killing at least 3 of those electronic pet things...)
The good news is that after the first month the number of password resets required reduced dramatically, and we actually had some accounting of user activity on things like network use etc.
However, 6 months in we started to note the usual issues of people sharing passwords (i.e. how come John Doe is logged on on three computers at the same time...) and had to curb that.
Then we started carrying out physical audits of desk areas and started to clamp down on people writing down passwords (including those people that wrote them down in a poorly obfuscated manner....)
Again, our security situation improved (I should point out that we did have internal users actively engaged in 'hostile' activities for their own gain...) and we were quite happy for a while.
Finally we started to carry out regular penetration testing, including a social engineering portion; this bit surprised me most. I came to the conclusion that 70% of our user base would give out their user name and password to anyone claiming to be IT staff - including when the tester called from outside of the company, with the number showing as internal.
So in short, the problem with security is always going to be with the user, that is as long as the user is authenticated by either password or token (swipe card etc.), and will only become significantly better when security is based on something the user can't forget or lose. Oh, and anyone trying to implement security is always going to be the bad guy if it causes inconvenience.... And best practice in my opinion is finding reasonable security procedures that are applicable to your situation, whether that's a 4-digit PIN, daily changing 12-character complex passwords or rectal probes and DNA testing, and then, more importantly, implementing it in such a manner that it is actually adhered to.
"The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty..."
and
"HP shall not be liable for any damages... lost profits, business interruption... personal injury.. if you perform a similar test"
So anyone out there (especially in the States, where you are allowed to arm yourselves to defend against rogue HP disk arrays and such like) thinking this would be a good idea should think again. And remember, to completely erase data on an HP disk array you will have to use something more efficient than .308; I suggest a B61 (http://en.wikipedia.org/wiki/B61_nuclear_bomb), although I'm not sure if your right to arms extends to these....
I've used SUS and it works a charm, but it's only viable if you have Windows servers in your environment, and if you are big enough to implement it properly; some companies aren't. There are also 3rd party solutions to the issue, but I don't like the idea of paying for a system that applies free patches to a piece of software you have already paid for... SUS, the first version (prior to WUS, WSUS or whatever they slightly rebranded it to), was good; I used it with AD integration to good effect most of the time, but there were still a few issues regarding reboots, and the fact that you could only dole out OS patches. As I understand it the later version allowed more granular control and was supposed to provide other MS patch support, so this is the way to go, if you can.
So I agree with your post, mostly.
I would like to see Microsoft simplifying their patch system, though, and I would like to see them providing free support for people who hit issues after applying one.
Is it just me, or wouldn't it make more sense to just have three options for updates:
1) On (or "Make me safe please") - Default for all OEM and Home versions
2) Off (or "I don't care, and whilst you're at it get me on one of those botnet things")
3) Corporate (or "Same as Off - we have at least one tech who will check the patches and apply them as he sees fit") - Default for corporates (VLK media users)
That way your average user will just get the patches unless they decide otherwise, and your corporates can do the sensible thing of checking their own systems first.
What I am trying to say is that the logic should be with the consumer: a corporate user might not want to patch something that (they think) will not impact them, whilst home users should get every patch available just in case.
The logic element of only applying patches in certain circumstances is a bit off, as you end up with even more possible system configurations.
I've been down this route before with MS patches for MS SQL Server; we had an issue that MS KB listed as requiring a patch that you had to ask for (apparently it was a rare issue that was somehow setup / hardware specific). We were 100% up to date with our patching on all our servers and then had to do this install manually on a load of boxes; about 6 months later the original problem occurred again on our test systems when another patch patched our current patch.... That little shenanigan cost me my 95% uptime record (we didn't bother with 99.999% because in a mixed environment it wasn't attainable if we were patching our Windows boxes...)
I hope that there is a point in this post somewhere; I've not slept for about 60 hours, so if there isn't, well, hey. (Oh, and the good news is I've set up my own company since this little story and now I have a 100% security and uptime record with MS software; I have achieved this by not using any....)
That's true. I used to be a net admin in an 80% MS environment, and used Linux on my desktops with no problems as far as my primary role was concerned. All the networking gear was manageable by SSH or at the very least telnet / web consoles; in fact I could manage everything within my environment on my Debian box (RDC for general server admin and occasionally via KVM if you couldn't get remote access..). I'd produce reports in OpenOffice and export to PDF (great, because that way no one could make any changes without coming back to me...)
The only problems I had were filling out leave forms and other HR-related documents, all of which were produced using Word and Excel; OpenOffice seems to have some issues when editing Word docs and saving them again when they have complex table or form structures...
(On the plus side, they have binned MS Office in favour of OpenOffice recently, and billed it as an upgrade...)
(Disclaimer: it's 3 am, I've just given up doing a code audit on the basis that I am too tired, so if this doesn't make sense, I am sorry. Oh, and don't take my advice or even think about relying on it; the following statement is as-is, and comes with no warranty. Would be first post but it's taken me half an hour to write this.. :) )
When you are logged in as root you have unlimited access to all files, and it is possible to remove or modify a file that is vital to the system; this is generally not good, and often not required. If you set up a server securely you should be able to create accounts that have the access that you require to carry out specific tasks (still preferably using sudo, or su'ing to the relevant account); this is as much a common sense measure as a pure security precaution.
You could argue that you can log in as root as long as you avoid using wildcard designators when executing commands, keep track of your current working directory and try not to mess anything up, but there are a load of good reasons to use sudo or su to root (or preferably an account specified for a task) instead; here are the ones I find most important:
Firstly, you get some accounting: if Joe Bloggs su's to root and breaks / steals / misconfigures something, at least you know it was Joe Bloggs (or someone using Joe's account).
Secondly, if you have remote access only as a non-root user (this should be a given; never log in via ssh or webmin or whatever as root (it can be a nightmare when you think you're on system A but are on system B and do something you didn't mean to, never mind as root...)), any attacker is going to have to find a non-privileged account to gain access to a system, and then gain root privileges.
Thirdly, if you have set up a number of administrative users for specific tasks you can compartmentalise your systems maintenance, and you don't have to give someone you don't trust root access to carry out basic maintenance.
Lastly, the less you use your root account (directly or by whatever means) the less likely you are to break it. Let's be honest, I'd love to log in as root all the time; it would make life easier, but it would get rid of quite a few of the security benefits Linux/Unix brings and I'd probably break things more often. If you get used to using the root account you will continue to use it more and more until you find yourself logged in as root surfing the web whilst playing some bzflag beta, just waiting for someone or something to break your box (not to mention the hours you would spend making it possible to log in as root and use all your apps that are (probably) not going to like being run as root).
Personally, when I set up a secure server I try to ensure that I have users with the relevant rights set up for specific tasks and no more, and only issue those accounts to users who require them. I mount as many of the file systems as possible read-only, I try to ensure I ship log files out to a box that no one with root privileges on the first box has access to, and I automate as many of the maintenance tasks as possible. Oh, and I don't use sudo, and on hyper-critical servers the full root password is known to no one: I have half, my oppo has the other half, and never the two shall meet (although this causes inconvenience when you do need it...!!)
This prevents foul-ups and gives you a security baseline.
Oh, and if you do log in as root make sure it's never into a desktop environment (or any complex environment really), because there are just too many apps executing as root at that point to keep track of properly, and way too many potential security vulnerabilities...
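The accounting argument above (who actually became root, via su or sudo) and the "never log in remotely as root" rule are the kind of thing the shipped-off log files can be checked for. As an added example, not the poster's code, the script below parses constructed auth log lines in the usual syslog format, attributes root sessions to the real user, and flags direct root SSH logins and failed root attempts; the sample hosts, users and RFC 5737 test addresses are made up.

```python
"""Attribute root activity to real users from auth log lines and flag direct
root logins, which a 'non-root remote access only' policy forbids."""
import re
from collections import Counter

# Constructed sample auth log (syslog format, RFC 5737 test addresses); not a real capture.
SAMPLE_LOG = """\
Mar  4 09:12:01 web1 su: (to root) jbloggs on pts/0
Mar  4 09:12:01 web1 su: pam_unix(su:session): session opened for user root by jbloggs(uid=1001)
Mar  4 09:15:44 web1 sshd[2231]: Accepted publickey for root from 192.0.2.15 port 51022 ssh2
Mar  4 09:16:02 web1 sshd[2240]: Accepted password for asmith from 192.0.2.20 port 51030 ssh2
Mar  4 09:17:30 web1 su: FAILED SU (to root) asmith on pts/1
Mar  4 09:20:11 web1 sudo:  jbloggs : TTY=pts/0 ; PWD=/home/jbloggs ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  4 09:25:03 web1 su: (to postgres) asmith on pts/1
Mar  4 09:31:17 web1 sshd[2302]: Failed password for root from 192.0.2.99 port 40001 ssh2
"""

# Syslog envelope: timestamp, host, program[pid]: message
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[a-z_-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# util-linux su messages
SU_OK = re.compile(r"^\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
SU_FAIL = re.compile(r"^FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
# OpenSSH messages
SSH_OK = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SSH_FAIL = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# sudo's default log line (username is padded with spaces)
SUDO = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def audit_auth_log(text):
    """Return a report dict built from the log lines.

    root_sessions:        (user, how, ts) for every time a named user became root
    direct_root_logins:   (ip, ts) for SSH logins straight to the root account
    failed_root_attempts: (who_or_ip, how, ts) for failed su/ssh attempts on root
    unparsed:             lines that did not match the syslog envelope"""
    report = {"root_sessions": [], "direct_root_logins": [],
              "failed_root_attempts": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        prog, msg, ts = m["prog"], m["msg"], m["ts"]
        if prog == "su":
            # The pam_unix session line is deliberately ignored to avoid double counting.
            if (s := SU_FAIL.match(msg)):
                if s["target"] == "root":
                    report["failed_root_attempts"].append((s["user"], "su", ts))
            elif (s := SU_OK.match(msg)) and s["target"] == "root":
                report["root_sessions"].append((s["user"], "su", ts))
        elif prog == "sshd":
            if (s := SSH_OK.match(msg)):
                if s["user"] == "root":
                    report["direct_root_logins"].append((s["ip"], ts))
            elif (s := SSH_FAIL.match(msg)) and s["user"] == "root":
                report["failed_root_attempts"].append((s["ip"], "ssh", ts))
        elif prog == "sudo":
            s = SUDO.match(msg)
            if s and s["target"] == "root":
                report["root_sessions"].append((s["user"], f"sudo {s['cmd']}", ts))
    return report


def root_activity_by_user(report):
    """Count root sessions per real user; this is the accounting root logins never give you."""
    return Counter(user for user, _how, _ts in report["root_sessions"])


if __name__ == "__main__":
    rep = audit_auth_log(SAMPLE_LOG)
    for user, n in root_activity_by_user(rep).items():
        print(f"{user}: became root {n} time(s)")
    for ip, ts in rep["direct_root_logins"]:
        print(f"POLICY VIOLATION: direct root ssh login from {ip} at {ts}")
    for who, how, ts in rep["failed_root_attempts"]:
        print(f"failed root attempt via {how} by {who} at {ts}")
```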
I mostly agree totally,
However, you missed the sarcasm in the parent post.
I love that analogy; it's scarily accurate!
Shame it'll be attributed to AC when quoted!
Sheesh, sorry
Take your chances and see where it leaves you.
Just my view
I've got a stack of custom scripts and documentation and policy I could dig up if it's appropriate and if it's useful; too much to post here sadly. I've spent a good 25% of my working life (well, before I became self employed anyway) dealing with network implementations; sadly it's 90% Win2k Server (DNS + DHCP + AD), 5% BIND and 5% general theory. Get in touch if you're interested (that goes for anyone else as well...) slash[removethisbit]dot[at]ictsc[dot]co[dot[uk] and I'll get it to you if it applies.
To be blunt, you don't need IP management software, you just need a decent DNS structure and DOCUMENTATION. Everyone doing their own thing is fine as long as you haven't got to get anything to work together. If your networks are not interconnected it gets a bit interesting, but if you are using interconnected networks just use DNS as normal and propagate down to the various networks: effectively set up a root server for each network's DNS servers to query. You retain control of the root server, allowing you to add global resources, and get your net admins in each region to manage theirs. Put a policy together to say what you and they can and can't do naming and allocation wise and you should be sorted. You still need some communications tool, but that could be as simple as a web page that allows you to a) run a DNS query and b) request an IP address for inclusion on the root server...
What DNS server system are you currently using? If your networks are not interconnected then you are going to have to produce whatever cfg is required to simply drop a load of DNS entries into a zone; you can probably get away with a CSV and then format it depending on requirement. This can easily be done with a little PHP (and MySQL if you need it to be slick).
Don't look for a technical problem for a management issue and don't try to micromanage; if your documentation, policy, planning and topology is a mess, sort that out first, there is no silver bullet. After all, Preparation and Planning Prevents Piss Poor Performance.
Or is that too simplistic and am I missing something? (Sorry, it's @0600 here in the UK and I'm still working on something I started yesterday morning, so excuse any spelling / grammar / structural and logical errors...) - (On that note, if anyone can tell me why a W3C compliant page that looks great in Firefox, Opera and Netscape can generate an "errors on this page prevent it from loading" error in IE I'd be grateful; if not I'll just bitch about it on any forums I find in the next 24 hours and then give up, who uses IE anyways...)
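Added here as an illustration of the "root zone delegating to regional DNS servers, fed from a CSV" idea in the comment above; this is not the poster's script. The corp.example domain, the region names, the addresses and the convention that each region's name server is called ns1 are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original comment): turn a constructed CSV of
# "host,region,ip" into BIND-style zone records. The central zone
# "corp.example" delegates each region as a subzone to that region's own
# name server (the "propagate down to the various networks" idea), and a
# small allocation check enforces the naming/allocation policy the comment
# says you need to write down. All names and addresses are constructed.

# Constructed inventory, the "csv" the comment mentions: host,region,ip
# By convention here the regional name server is the host called ns1.
SAMPLE_CSV='web1,london,10.1.0.5
db1,london,10.1.0.6
fs1,leeds,10.2.0.10
ns1,london,10.1.0.2
ns1,leeds,10.2.0.2'

ZONE="corp.example"

# Central (root) zone: one NS delegation per region plus its glue A record,
# so HQ keeps the apex while each regional admin manages their own subzone.
root_zone_from_csv() {
    csv="$1"
    printf '%s\n' "$csv" | awk -F, -v zone="$ZONE" '
        $1 == "ns1" {
            printf "%s.%s. IN NS ns1.%s.%s.\n", $2, zone, $2, zone
            printf "ns1.%s.%s. IN A %s\n", $2, zone, $3
        }'
}

# Regional zone: every host in that region becomes a fully qualified A record.
region_zone_from_csv() {
    csv="$1"; region="$2"
    printf '%s\n' "$csv" | awk -F, -v zone="$ZONE" -v r="$region" '
        $2 == r { printf "%s.%s.%s. IN A %s\n", $1, $2, zone, $3 }'
}

# Policy check for the "request an IP address" web form: reject an address
# outside the region's block. Constructed allocation: london=10.1.0.0/16,
# leeds=10.2.0.0/16. Returns 0 when the request is within policy.
ip_allowed_for_region() {
    ip="$1"; region="$2"
    prefix=$(printf '%s' "$ip" | cut -d. -f1,2)
    case "$region:$prefix" in
        london:10.1|leeds:10.2) return 0 ;;
        *) return 1 ;;
    esac
}

root_zone_from_csv "$SAMPLE_CSV"
region_zone_from_csv "$SAMPLE_CSV" london
```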
I would probably start looking at this as a paper project and see if you can't rationalise your network address schemes somewhat, I've used and would recommend IPPlan generally, http://iptrack.sourceforge.net/ but I don't tend to manage networks in any meaningful way, I prefer the networks to manage themselves, getting initial configurations of DHCP and DNS schemas right and then scaling it all up, maintaining documentation of the general topology generally helps too, although actually tracking what IP address is assigned to what isn't generally all that important or at least not for more than about 10% of the addressed nodes (I reserve ranges for static addressing on servers and network devices that require them and issue them sequentially per device, everything else is dynamic).
However, you seem to be talking about more than a few thousand hosts so it will presumably be a bit different. I've never thought about scaling a LAN that I have managed beyond 3000 devices, and when looking at WAN it's never been a problem to have multiple networks with the same address schemes interconnect; it just involved NAT at each gateway.
Just a quick one, if you are using all of the address allocation according to RFC1981 that would mean you have well in excess of 16 Million nodes, or you really need to look at how you have allocated subnets...
OK, bad explanation in this case; the general idea was that I could build a very large storage system with a vast amount of redundancy, i.e. duplication of hardware and RAID on the SATA cards, and get a lot more than the vendor solution, both in terms of storage, features and cost. The system was intended to maintain a copy of current live data (only 400Gb of it).
If you are looking at file serving, or database storage, anything on a live server with client access or a large amount of change goes on SCSI Disks, RAID5 or 0+1 depending on the requirement, preferably with a decent server doing the work. I used to work exclusively with HP Server systems and the HP SCSI drives (New ones of which were still branded as Compaq up until about 8 months ago) and the equipment was good, we would see 1x SCSI drive foul up about every 4 months (and we'd send it to HP and get a nice new one back). But for long term large storage that isn't being processed or written continuously (as I said in this case a ready backup) I'd use SATA and then from those disk sets on to tape.
And yes, a storage solution that contains all your rather valuable data should be boring as hell, and it should be maintained with loving care... It's a bitch when your data isn't there (or worse, the backups that you have been running for the past 4 years turn out to be useless...)
The joke was always that buying a large storage solution (2TB+) be it NAS or server attached it was just not economically viable.
Ditto, but will MS acknowledge that? Sure, some companies will have issues with this but they *can* fix it; anyone else is going to get the 'pirate' treatment.
Maybe one day vendors will stop pushing overly expensive and utterly bland storage solutions. i.e. Last time I had a meeting about storage the product was: 2x servers, 2x disk arrays with possible storage of a little under 2TB (using 24 80Gb SCSI HDDs) with RAID 5. Oh, and the storage was presented as 4 @ 500Gb drives to the OS (some proprietary thing). All in at a cool £27.000 (and that was before the license for CIFS); guess how it was billed - innovative... It's a joke, so the solution? In the meantime lots of SATA drives and file replication; eventually? Maybe we can make use of all that storage that sits on every machine on the LAN that is never used...
First off, I think this is up to Microsoft. If they want to ensure people buy their software and crack down on unlicensed copies then that's fine. I don't and won't use MS software unless it's justifiable on a cost basis, and generally it isn't. (Although I would love to see a good GNU Visio replacement, preferably with a good community base... but that's another matter.) So no, I don't currently use any MS software anywhere: Linux on the desktop, Linux and MacOS on the laptops and PalmOS on the PDA.
That aside it might actually help MS maintain market share. Some people will have to license on the back of this because it becomes possible to see when a machine hasn't been licensed.
OK so now we have Nag screens, this means that if you are using a pirated copy you get some inconvenience.
Some predictions...
Next we will see real limitations on what you can do with an unlicensed install;
So I expect some of the criticisms of this will be:
1) MS will cut themselves out of the market;
They might, but more likely they will get a few more licensed users, and remember, if you have to license Windows and you have to license Office then they are going to make some money. If they do this now then they will leverage the market share they have (especially when it comes to document compatibility) BEFORE any of the alternatives (ODF) become widely accepted. The gamble on Microsoft's part will be that they have everyone by the balls now but might not in two or three years' time; best to try and secure that stranglehold.
Linux, BSD and Apple (the computer manufacturer, not the record label) OSes only comprise a small market share at the moment, so it's worthwhile trying it whilst Joe User isn't aware of the alternatives or doesn't think that they are viable. Thus they can solidify and possibly extend their market share whilst increasing the proportion of that market share that is actually licensed.
2) Everyone will switch to Linux, BSD, Apple, anything to save money / hassle
Again, possible, but corporate users (directors and managers who TRUST Microsoft) are being bombarded by things like the 'Get the Facts' campaign (which is pretty much just propaganda... in fact, if you get the chance, check out the case studies and then look at the companies that wrote them; most of their websites are hosted on 'Server: Apache/1.3.33 (Unix)', including the one that has seen a significant reduction in TCO and an increase in reliability and security all by moving its web applications to 2003 Server and .NET (to be fair I think they were talking about their intranet, but still, practice what you preach!)).
Companies however will take that on board; it's the kind of thing that is used in internal company politics to the advantage of the anti-GPL crowd. Moreover, as long as Joe uses a Windows box at work he's going to want to use one at home.
3) There will be a revolt, everyone adversely effec
Am I the only one here who has spent weeks of work time writing batch and VBScripts to automate operations on Win2k Servers and networked Windows clients? If this works as advertised (and if I was still running Windows) I'd use it.
It's a step in the right direction, and anything that extends an admin's ability to write effective scripts is a bonus. After all, whilst it may have taken me a few days to write some of the more complex scripts that we used, it would have taken longer to write an application in VB or C to do the same job.
(BASH is my shell of choice; it's because I have an unhealthy obsession with grep...)
nb Not spell checking this post - its too early
Note the ever so small browny orange dot next to Linspire, denoting it's a Debian deriv (I think, guessing by the key...). This is similar to the dots on the multilingual distros, so I guess it does show the same thing (i.e. Linspire as a Debian derived distro...)
Not a great diagram as far as inclusion and heredity (pedigree?) are concerned (but it's not supposed to be for that, so who cares), but certainly a useful one for new users.
I used to be responsible for IT security for my previous employer and find that the biggest danger to any password based security is the user. When I started there were no passwords in use anywhere; after about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement). I was not popular. (This may have been the passwords, or possibly the pave and nuke job I did on all the corporate desktops, killing at least 3 of those electronic pet things...)
The good news is that after the first month the number of password resets required reduced dramatically and we actually had some accounting of user activity on things like network use etc..
However, 6 months in we started to note the usual issues of people sharing passwords (i.e. how come John Doe is logged on on three computers at the same time...) and had to curb that.
Then we started carrying out physical audits of desk areas and started to clamp down on people writing down passwords (including those people that wrote them down in a poorly obfuscated manner....)
Again our security situation improved (I should point out that we did have internal users actively engaged in 'hostile' activities for their own gain...) and we were quite happy for a while..
Finally we started to carry out regular penetration testing, including a social engineering portion; this bit surprised me most. I came to the conclusion that 70% of our user base would give out their user name and password to anyone claiming to be IT staff - including when the tester called from outside of the company, with the number showing as internal.
So in short, the problem with security is always going to be with the user, that is as long as the user is authenticated by either password or token (swipe card etc..), and will only become significantly better when security is based on something the user can't forget or lose. Oh, and anyone trying to implement security is always going to be the bad guy if it causes inconvenience.... And best practice in my opinion is finding reasonable security procedures that are applicable to your situation, whether that's a 4 digit PIN, daily changing 12 character complex passwords or rectal probes and DNA testing, and then, more importantly, implementing it in such a manner that it is actually adhered to.
just my thoughts
I like the riders in the video:
... personal injury .. if you perform a similar test"
.308, I suggest a B61 (http://en.wikipedia.org/wiki/B61_nuclear_bomb) although I'm not sure if your right to arms extends to these....
"The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty..."
and
"HP shall not be liable for any damages... lost profits, business interruption
So anyone out there (especially in the states where you are allowed to arm yourselves to defend against rogue HP Disk Arrays and such like) thinking this would be a good idea should think again. And remember, to completely erase data on a HP disk array you will have to use something more efficient than
Yeah, cause Vista's coming early... No.. wait.. Sorry
I've used SUS and it works a charm, but it's only viable if you have Windows servers in your environment, and if you are big enough to implement it properly; some companies aren't. There are also 3rd party solutions to the issue, but I don't like the idea of paying for a system that applies free patches to a piece of software you have already paid for...
SUS, the first version (prior to WUS, WSUS or whatever they slightly rebranded it to), was good. I used it with AD integration to good effect most of the time, but there were still a few issues regarding reboots, and the fact that you could only dole out OS patches; as I understand it the later version allowed more granular control and was supposed to provide other MS patch support, so this is the way to go, if you can.
So I agree with your post, mostly.
I would like to see Microsoft simplifying their patch system though, and I would like to see them providing free support for people who hit issues after applying one.
Is it just me, or wouldn't it make more sense to just have three options for updates: 1) On (or "Make me safe please"), default for all OEM and Home versions; 2) Off (or "I don't care, and whilst you're at it get me on one of those botnet things"); 3) Corporate (or "Same as Off - we have at least one tech who will check the patches and apply them as he sees fit"), default for corporates (VLK media users). That way your average user will just get the patches unless they decide otherwise, and your corporates can do the sensible thing of checking their own systems first. What I am trying to say is that the logic should be with the consumer; a corporate user might not want to patch something that (they think) will not impact them, whilst home users should get every patch available just in case. The logic element of only applying patches in certain circumstances is a bit off, as you end up with even more possible system configurations. I've been down this route before with MS patches for MS SQL Server: we had an issue that the MS KB listed as requiring a patch that you had to ask for (apparently it was a rare issue that was somehow setup / hardware specific). We were 100% up to date with our patching on all our servers and then had to do this install manually on a load of boxes; about 6 months later the original problem occurred again on our test systems when another patch patched our current patch.... That little shenanigan cost me my 95% uptime record (we didn't bother with 99.999% because in a mixed environment it wasn't attainable if we were patching our Windows boxes...). I hope that there is a point in this post somewhere; I've not slept for about 60 hours, so if there isn't, well hey. (Oh, and the good news is I've set up my own company since this little story and now I have a 100% security and uptime record with MS software; I have achieved this by not using any....)
That's true, I used to be a net admin in an 80% MS environment, and used Linux on my desktops with no problems as far as my primary role was concerned. All the networking gear was manageable by SSH or at the very least telnet / web consoles; in fact I could manage everything within my environment from my debian box (RDC for general server admin and occasionally via KVM if you couldn't get remote access..). I'd produce reports in OpenOffice and export to PDF (great because that way no one could make any changes without coming back to me...)
The only problems I had were filling out leave forms and other HR related documents, all of which were produced using Word and Excel, OpenOffice seems to have some issues when editing word docs and saving them again when they have complex table or form structures...
(On the plus side they have binned MS Office in favour of Open Office recently, and billed it as an upgrade...)
http://www.globalpolicy.org/socecon/crisis/2003/10 10oilpriceeuro.htm
When you are logged in as root you have unlimited access to all files, and it is possible to remove or modify a file that is vital to the system, this is generally not good, and often not required. If you set up a server securely you should be able to create accounts that have the access that you require to carry out specific tasks (still preferably using sudo, or su'ing to the relevant account), this is as much a common sense measure as pure security precaution.
You could argue that you can log in as root as long as you avoid using wildcard designators when executing commands, keep track of your current working directory and try not to mess anything up, but there are a load of good reasons to use sudo or su to root (or preferably an account specified for a task) instead; here are the ones I find most important:
Firstly, you get some accounting: if Joe Bloggs su's to root and breaks / steals / misconfigures something, at least you know it was Joe Bloggs (or someone using Joe's account).
Secondly, if you have remote access only as a non-root user (this should be a given: never log in via ssh or webmin or whatever as root; it can be a nightmare when you think you're on system A but are on system B and do something you didn't mean to, never mind as root...), any attacker is going to have to find a non-privileged account to gain access to a system, and then gain root privileges..
Thirdly if you have set up a number of administrative users for specific tasks you can compartmentalise your systems maintenance and you don't have to give someone you don't trust root access to carry out basic maintenance.
Lastly, the less you use your root account (directly or by whatever means) the less likely you are to break it. Let's be honest, I'd love to log in as root all the time; it would make life easier, but it would get rid of quite a few of the security benefits Linux/Unix brings and I'd probably break things more often. If you get used to using the root account you will continue to use it more and more until you find yourself logged in as root surfing the web whilst playing some bzflag beta, just waiting for someone or something to break your box (not to mention the hours you would spend making it possible to log in as root and use all your apps that are (probably) not going to like being run as root).
Personally, when I set up a secure server I try to ensure that I have users with the relevant rights set up for specific tasks and no more, and only issue those accounts to users who require them. I mount as many of the file systems as possible read only, I try to ensure I ship log files out to a box that no one with root privileges on the first box has access to, and I automate as many of the maintenance tasks as possible. Oh, and I don't use sudo, and on hyper critical servers the full root password is known to no one: I have half, my oppo has the other half, and never the two shall meet (although this causes inconvenience when you do need it...!!)
This prevents foul ups and gives you a security baseline.
Oh, and if you do log in as root, make sure it's never into a desktop environment (or any complex environment really), because there are just too many apps executing as root at that point to keep track of properly, and way too many potential security vulnerabilities...
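Added as an illustration of the baseline the comment above describes (no remote root login, a single UID-0 account so the accounting holds up, read-only mounts where possible, logs shipped off the box); this is not the poster's own script. It runs over constructed config snippets so it works offline; on a real host you would feed it /etc/ssh/sshd_config, /etc/passwd, /proc/mounts and the syslog config, and the weak and hardened snippets here are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the original comment: a small audit of the
# controls argued for above, run over constructed config text. Each check
# is a function that returns a value, and audit_findings prints one line
# per problem found (empty output means everything passed).

# Constructed sshd_config with remote root login left enabled, beside a
# hardened version.
WEAK_SSHD='Port 22
#PermitRootLogin no
PermitRootLogin yes'
HARDENED_SSHD='Port 22
PermitRootLogin no'

# Constructed /etc/passwd: a second UID-0 account sits alongside root,
# which wrecks the "at least you know it was Joe Bloggs" accounting.
PASSWD='root:x:0:0:root:/root:/bin/sh
joe:x:1000:1000:Joe Bloggs:/home/joe:/bin/sh
backup:x:0:0:backup:/var/backups:/bin/sh'

# Constructed /proc/mounts: /usr read-write versus mounted read-only.
WEAK_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 rw,relatime 0 0'
HARDENED_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 ro,relatime 0 0'

# Constructed syslog.conf: local-only versus shipped to a log host.
WEAK_SYSLOG='*.* /var/log/syslog'
HARDENED_SYSLOG='*.* @loghost.example'

# Effective PermitRootLogin: the last uncommented directive wins, and an
# unset directive is reported as "yes" (the historical sshd default).
permit_root_login() {
    printf '%s\n' "$1" |
        awk '$1 == "PermitRootLogin" { v = $2 } END { print (v == "" ? "yes" : v) }'
}

# Accounts with UID 0 other than root itself.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Mount points (from the given /proc/mounts text) that are not read-only.
rw_mounts() {
    mounts="$1"; shift
    for mp in "$@"; do
        printf '%s\n' "$mounts" |
            awk -v mp="$mp" '$2 == mp && $4 !~ /(^|,)ro(,|$)/ { print $2 }'
    done
}

# True when some uncommented rule forwards to a remote host (@host or @@host).
has_remote_syslog() {
    printf '%s\n' "$1" | grep -q '^[^#].*[[:space:]]@@*[A-Za-z0-9]'
}

# One finding per line; empty output means every check passed.
audit_findings() {
    sshd="$1"; passwd="$2"; mounts="$3"; syslog="$4"
    [ "$(permit_root_login "$sshd")" = "no" ] || echo "sshd permits root login"
    for u in $(extra_uid0_accounts "$passwd"); do echo "extra UID 0 account: $u"; done
    for m in $(rw_mounts "$mounts" /usr); do echo "$m is mounted read-write"; done
    has_remote_syslog "$syslog" || echo "logs are not shipped off the box"
}

audit_findings "$WEAK_SSHD" "$PASSWD" "$WEAK_MOUNTS" "$WEAK_SYSLOG"
```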