Re: [Discuss] free email less intrusive than google
Political correctness is synonymous with respect for other people. Anytime someone says they're sick of being politically correct, it means they want to be disrespectful of other people, without any backlash. The white man in the room doesn't get to tell us what's racist and what's not racist. If the majority of black people would feel that's a racist term, then by definition, it is. Cotton pickin isn't racist, just like the confederate flag isn't racist. Meaning - they both are. Because the majority of African Americans feel they are. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] free email less intrusive than google
You can get encrypted, private mail, at https://protonmail.com and https://tutanota.com "Cotton pickin" is a racist term. Please learn to eliminate it from your vocabulary. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Converting "rich" (MIME) email to plain text
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Michael Tiernan > > I'm sure that I'm not the first who tried to find an easy way to filter > a piece of email so that only the plain text comes out. > > I can find lots of things about going plain to HTML but I've not seen > anything that allows you to just extract the "Content-Type: text/plain" > section of an email. > > Any pointers available? I don't want to try and reinvent the reinvented > wheel. Where is the original? I like C# / mono programming, so I would personally write a 10-line program to download mail and extract the parts I want, using MailKit. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] looking for non-cisco router and firewall
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of John Boland > > my colo folks just notified me that the firewall and router we're using is > subject to another set of exploits. > the equipment we're using is no longer maintained and we're in the midst of > changing colo providers. the new colo provides firewall services. we've > already setup the rules with them. > in the meantime, i need something reasonably priced (i.e., cheap) to tide > us over for the next couple of months. > > for now, does anyone know if just dropping udp packets will mitidate this > exploit? I'm confused by several things - You have a question if dropping udp packets will mitigate this exploit. What exploit? Are you talking about a specific exploit? For "reasonably priced," I would immediately suggest pfsense, but you said that entails learning curve, which suggests to me that you've never tried it. I would say there is zero learning curve to setup pfsense, until you start trying to do more advanced things with it, like openvpn or something like that. The only thing you need to know is: First connect the LAN side to a switch (or crossover cable) with your laptop. Install it from a CD or ISO or bootable USB or whatever. During install, assign a LAN IP address. Then browse to it via http or https from the laptop. All of this is explained by the bootable install media. Especially just for a couple of months, it seems silly to buy a new hardware firewall. I would certainly say, that setting up pfsense is faster and easier than setting up any cisco device, even if you're a cisco expert who knows nothing about pfsense. It's just way, way easier. You said you need 100Mbit externally and 1Gbit internally. This confuses me. If there's an upstream bottleneck of 100Mbit, then why do you need >100Mbit on the LAN side? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] DMARC, SPF, DKIM
> From: Dan Ritter [mailto:d...@randomstring.org] > > I have been perfectly happy running randomstring.org (at home) > and $WORKPLACE's mail servers with none of DMARC, SPF or DKIM > for years and years now. Ignorance is bliss. :-) Or some phrase involving "head in the sand." :-) Ignoring climate change doesn't make it not real. :-) Because of not using any spf/dkim/dmarc, the mail you send is more likely to land in other peoples' spam folders, so you don't reach them and you'll rarely ever know. Also, when some spammer wants to spam your friends, they forge messages from you, and your friends are more likely to receive it, and fall for whatever the phishing bait is. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] DMARC, SPF, DKIM
Because I'm pretty sure there's a relatively high concentration of people here who maintain their own mail servers, I want to bring this up as an often overlooked practice you should be following: It is advisable to use DMARC (https://dmarc.org/), in addition to SPF and/or DKIM. DMARC addresses common problems of SPF and DKIM; specifically, DMARC was created because so many domains have SPF and DKIM misconfigured, resulting in recipient mail servers often ignoring the SPF and DKIM failures. Utilizing *all* SPF, DKIM, and DMARC, yields the highest confidence threshold, and best result. >From >http://www.mcafee.com/us/resources/solution-briefs/sb-spf-dkim-dmarc-demystified.pdf "using DMARC feedback, an organization may determine that there are valid IP ranges that are not included in their SPF records, allowing them to update the records and increase the accuracy of their DMARC posture." ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Delivering mail to folders
> From: j...@gapps.blu.org [mailto:j...@gapps.blu.org] On Behalf Of John > Abreau > > Apparently I've been doing it "wrong" all these years. I've always created my > own CA and signed my certificates with it, and I thought that's what the term > "self-signed" meant. That's the opposite of "doing it wrong." If you create a CA, for example by a process like this: http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php in which you have a CA root private key, which signs itself as a CA, and you keep that directory full of files sitting around someplace secure, and the root private key is used only for signing certs (is not used directly as a website cert), and you generate a different private key for each website cert, and then you install the CA root cert (with public key) into the trusted root store of your clients... Then you've done it exactly right. (Assuming proper implementation choices, such as key length and stuff like that). But this process is complex enough that very few people do it, especially when you can get free certs from a publicly recognized CA. When people say they have a webserver with a self-signed cert, in virtually all cases, that means they followed a process like this (the top result I got by searching for "generate self signed certificate"): http://www.akadia.com/services/ssh_test_certificate.html In this process, you generate a key, and use that key to sign a certificate of itself. There was never any CA. A good clue to look for is whether or not the "openssl ca" command was used, and if the CA root cert is separate and distinct from the server cert. The CA root private key should never exist on any of the servers. It should be air-gapped, encrypted, kept in a bank vault. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Delivering mail to folders
The important characteristic is whether or not the CA root private key is ever exposed to any servers or clients. For example, if you used a self-signed cert (no separate CA) on a server, that server requires the CA root private key in order to serve webpages, and if you installed that cert into the CA root trust store of your clients, then if the server gets compromised, the attacker can impersonate literally any domain on any server, completely undermining your entire SSL/TLS infrastructure, with the ability to MITM attack every connection. If you generate a CA, keep its private key private, and use it to sign a separate server cert, then if the server gets compromised, the worst the attacker can do is malicious things with the compromised server. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Delivering mail to folders
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Tom Metro > > > Ever-so-slightly better than no encryption. > > Huh? We're talking about using a self-signed cert for IMAP access, right? > > Self-signed certs have all the same cryptographic benefits as a CA > signed cert, including having your client validate the cert, if you > install your own root cert on your clients. > > The only down-side to self-signed certs is the inconvenience of having > to install the root certs on your clients. This is why they aren't used > for public web sites. Creating a self-signed cert isn't the same thing as creating your own CA and installing the CA root as a trusted root on your clients. If you create your own CA and distribute your own CA root to all your clients - as you said - you'll get pretty good security (unless you screw something up). A self-signed cert is one which certifies itself. The client cannot follow any chain to a trusted root, so the client needs to either reject the cert, or prompt for user interaction (in which case, users almost invariably click "accept," and thus are easy to attack via MITM). If the user accepts the cert, some clients (such as firefox) have the option to do certificate pinning, so it won't prompt again when it sees the same self-signed cert, similar to the way ssh behaves when connecting to a new unrecognized server. But if you have a client that prompts you to accept a self-signed cert, and you accept it, and the client pins it, and at a later time the cert changes (MITM attack)... Does the client prompt you again? Openssh refuses to talk to a server with a pubkey different from the pinned key, as it should. But every SSL client I've ever seen (firefox, chrome, ie, etc) will prompt you again to accept the unrecognized cert, so even highly technical and reasonably alert people are still vulnerable to the MITM attack on a self-signed cert. ... As David in particularly would be, because he mentioned a checkbox for "ssl accept any certificate," and asked "is that a good option?" ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Delivering mail to folders
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of David Kramer > > would > it be reasonable and possible to use a self-signed cert for starters Ever-so-slightly better than no encryption. The only difference is whether or not it's possible for someone to accidentally see your traffic, or if they have to make a point of intentionally looking into it. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Delivering mail to folders
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of David Kramer > > I also complicated > things by trying to use an SSL certificate from https://letsencrypt.org > instead of self-signed, I'm a huge fan of free certs from https://startssl.com, and personally I don't think letsencrypt deserves the hype. But I have nothing against letsencrypt. No matter how you do it, making the internet a better place is a good thing. > Current status: > I backed up /etc and nuked Postfix and Dovecot and starting over. You should be using ansible or something to make these changes. That way you can easily rebuild and test systems, and the next time you have to migrate to a new server (because centos 10 came out and centos 7 will stop receiving updates, or something like that)... You'll know exactly how the old one was configured. The migration process is *way* easier. > I also coudn't log in from my Android phone (certs prolly) Let's encrypt has a root (they named it ISRG Root), and an intermediate (they named it Let's Encrypt Authority, which I'll abbreviate LEA). Normally the intermediate gets signed by the root, and so it is, but since their root isn't trusted by clients yet, they partnered with IdenTrust, so IdenTrust *also* signs the LEA intermediate. When you install your cert into your server, you have to make sure you install the right chain. That is - You have to install the LEA intermediate that's signed by IdenTrust, and not the one that's signed by ISRG Root. > - letsencrypt sounded like a good option at the time, but it is still > kinda in beta, and I couldn't connect my phone to the mail server, even > saying "ssl accept any certificate". Is that a good option? Eek. No, that is NOT a good option. You should literally never do that, if your traffic goes over the internet. Although not trivial, it is *nearly* trivial for an attacker to hack a router, configure it to automatically detect self-signed certs flying by, and automatically perform a MITM attack. > I'm willing > to pay a reasonable price for a cert if I can use it for web and mail > and there are advantages over free ones. There are only two free options. Let's encrypt, and startssl. The complaint people sometimes have about startssl is that revokation is $25. The cheapest non-free cert is RapidSSL from namecheap for $11. So to determine which is the best option for you, you need to calculate the probability of needing a revokation (let's say 1%) and compare 1% of $25 versus $11 to get a new one that includes free revokation. Sorry, I neglected to mention - The *actual* cheapest non-free cert is PositiveSSL, for $9, but it's signed by two intermediates, which is so unusual that a lot of clients don't test that configuration well, so a lot of clients aren't compatible with PositiveSSL. Ask me how I found out. ;-) Fortunately, they issued me a refund that I applied toward RapidSSL. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Local ISP Recommendations?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Kent Borg > > I am toying with getting faster dynamic IP service for less, but > bouncing through a static IP in the cloud. Maybe I have two networks You can always run a tor service. Assuming http. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Local ISP Recommendations?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Derek Martin > > Thank you for reminding me why I refuse to do business with Comcast... Agreed, but most of us probably don't use Comcrap, unless there's no alternative. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Local ISP Recommendations?
> From: Mike Small [mailto:sma...@sdf.org] > > Has this scenario, [...] ever happened to anyone > in a real legal case where the innocent party wasn't able to > establish his or her innocence? Dunno. Those people aren't called "innocent." There's no way to identify false convictions, except by later exonerations. It's not like new forms of innocence-proving evidence are being created, like DNA evidence etc. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Local ISP Recommendations?
Since I've been in security for the last few years, I've talked to a zillion people about a zillion things, and one IT guy told me he ran the company's mailserver, which apparently got hacked and used to distribute some sort of illegal material. He found out when the FBI showed up and confiscated the server. They determined it was probably not the company's fault, so they returned the server (without any hard drives, a couple months later). By that time, the company had already resumed email service on some external provider (users are bound to notice and complain about several weeks of outage). I think if you run your own mail server, unless you do mailservers professionally (24/7, with IPS/IDS, and watch the RedHat security channels and patch critical vulnerabilities in < 1day, etc etc) you expose yourself to unnecessary spam, and risk of being hacked. The risk of being hacked is *not* so much the risk of someone accessing your mail. It's the risk of someone doing illegal shit on your system, and you getting the blame for it. Try 10 years in prison, and being permanently registered as a sex offender, probably getting divorced, because someone thought that was *your* kiddie porn. You find yourself in the position of being presumed guilty, having to prove your innocence, because illegal material was indeed found in your system, or in your account. P.S. The same risk applies to cloud services, if you don't use strong passwords and 2-Factor on dropbox/gmail/etc. Using a password manager is a very important part of keeping yourself safe online. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] cheap realiable web hosting service
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Bouman MC > > I need a reliable and cheap web hosting service that won't delete the > web site for spite and entertainment when they're have a bad > day...which just happened to me today. Any suggestions? MCB Are you looking for shared hosting like dreamhost? Or are you looking for something like distributed & shared application hosting, like Azure and AWS hosted applications? Or are you looking for a VPS, like EC2/Digitalocean and others, where you manage your own service? Some of the above have free and/or cheap ($5/mo) entry-level offerings. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Local ISP Recommendations?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Kent Borg > > I am looking for ISP recommendations. In Somerville. When I lived in Somerville a few years ago, the only choices were Comcast and RCN cable. We had both, and while customer service is shitty for both, RCN seems to be considerably less evil in opposition to net neutrality, bring your own hardware, and stuff like that. I don't know if you can get a static IP, but you can use dynamic dns. I use FreeDNS. Be aware that all the ISP's that I know of will block inbound access when/if they feel like it. In Arlington, we have Fios, and I expected it to be much greater than comcast/rcn, but it's not. I daresay the signal quality is probably better on fios (fiber optic leading to the house, and then coax splitter from the basement, instead of coax splitting at the street) and the uplink speed is probably better (30Mbit symmetric), but aside from that, it's the same old shitty customer service and shitty internet, with boat loads of frustration anytime you need to deal with them. Still provided by an evil company. I daresay verizon is even more evil than comcast - one of our experiences on verizon was the "channel realignment," where they took away half our channels in the middle of the 2yr contract, and when I argued with them for hours over the phone, I eventually caved in and agreed to pay the extra $5/mo to get our channels back - and then they slapped us with a $400 early termination fee on the first contract, while enrolling us in a *new* 2yr contract at the higher rate. T hey have earned all the bad karma the world can deliver them. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] one vs many static IP addresses
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Dan Ritter > > ... in which case you really, really want one of those DNS > servers to be located in a different network, perhaps on the > other side of a continent. Yeah, I thought it was funny to suggest multiple IP's on the same server or network, in order to satisfy the redundant DNS requirement. ;-) ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] External security Re: one vs many static IP addresses
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Rich Braun > > It's 2016 and the whole concept of passwords for user auth is obsolete; > they're hard to remember, don't get changed enough, and fairly easy to > break. *cough* There are very real weaknesses to using passwords, sure, but to say it's obsolete means you're living on a different planet. > If you're relying solely on a memorized pass-phrase to access anything via a > public IP address, you're not doing it right these days. Does this include > you? Seriously, what you just said is impossible. Even if you're using a password manager, or some type of cloud storage (something other than a USB fob) to keep some sort of private key with you at all times, backed up and safe from compromise by a pickpocket or mugger... You have to login to your password manager with a password. The right thing to do is memorize one really strong password, and use it to secure all your other randomly generated passwords. PS. Something I'm working on right now is a cryptographic random sentence generator using small words (2-4 chars). Sentences like: ads have down if god fits last seas date max as air uses zone land tries fair and rock owns sign These are easily memorizable, and about 40 bits each. Certainly strong enough to use in a password manager to protect against thugs. String a couple of them together and it would be strong enough to thwart sophisticated attacks, and if you string 3 of them together it would be sufficient to thwart a hostile government. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] 4K (or 5K) resolution for Linux desktop
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Stephen Adler > > I personally will never buy another bit of apple hardware because apple > is "evil". Pah. Name a competitor that isn't "evil." Remember we're talking about massive international corporations with tens of thousands (sometimes hundreds of thousands) of employees, all having different minds. Labeling any of them "evil" is like labeling any other group. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] one vs many static IP addresses
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Stephen Adler > > the use of apache virtual > hosting, the question I have is if there is any reason to use more then > 1 static IP address to run my web and sshd services from my basement > server? In the distant past, you needed multiple IP addresses to name based virtual hosting with SSL, but that problem was solved by SNI, Server Name Indication. Some very old clients (old versions of XP, and Android 2, and very few others) still don't support SNI, but those clients are inherently insecure, so maybe it's *good* to drop SSL support for those clients, and make no pretense that anything they do is secure. SNI was introduced in TLS 1.0, which is currently the oldest unbroken version of SSL/TLS. Anything older than TLS 1.0 is SSLv2 and SSLv3, both of which are deprecated and broken. If you have more than one physical server (and no firewall/NAT box/load balancer) then you might need more than one IP address. Aside from these issues, apache can serve all your content over a single IP just as well as it can over multiple IP's. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] Linux on laptops
I'm looking for a small, light, cheap, laptop to run linux. I prefer either ubuntu desktop or fedora. I know there's a very good chance that any random linux will work fine on any random laptop I buy, but I certainly prefer to have some greater assurance - ideally it's an officially supported distro, or maybe there's some unofficial guide that demonstrates support. Any suggestions? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Linux on laptops
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Kent Borg > > Something that has intrigued me recently is the idea of running a fairly > standard Linux on a Chromebook. They are small and cheap, and have long > battery life. The issue that leads me here today is as follows: I have an Acer Chromebook C710. Dual core Celeron 1.1GHz, 2GB ram (one slot populated, one slot available), 320GB hard drive, multitouch pad. It's pretty nice. So I looked up how to install linux on it. The answer is Chrubuntu, http://chromeos-cr48.blogspot.com/2013/05/chrubuntu-one-script-to-rule-them-all_31.html This got ubuntu 12.04 installed (quite painfully I might add). So the first thing I did was apply updates, and suddenly there's no graphics anymore. Text only login. Needless to say, that's not acceptable. The root cause is the Chromebook BIOS can't boot a standard bootloader. Linux is assuming grub, which is not correct, so weird things happen loading the wrong kernel or the wrong initrd. You can't boot from a USB into rescue mode to fix it. You have to restore to factory from a Chromebook USB recovery fob, and start all over. I strongly discourage getting a chromebook with the intent of using it for anything other than a chromebook. But if you already have one - Sure, give it a try. Worst case, you have to download a Chromebook recovery fob in order to get back to a supported chrome OS. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Linux on laptops
So far, all the good responses seem to say, basically, pay more money. The system76 and zareason (and base model Dell and Lenovo) laptops start around $700 minimum. What I really want is exactly this: http://www.newegg.com/Product/Product.aspx?Item=1TS-000X-000J1 With a different OS. A few years ago, they sold laptops like these in Toys-R-Us, as laptops for kids, that you didn't have to worry about viruses. (Which is slightly misleading, but not entirely). So far, what I'm inclined to do, is go to a local store such as Microcenter or BestBuy, ask them what their return policy is, create a "dd" image of the internal hard drive before first power-on, and then simply blow it away with a linux installer. See what happens. If I return one because I don't like it, I won't be in any trouble. If I return two, they might be suspicious. If I return three, they might give me a hard time. Depending on the store, sometimes you can say, "Can I buy 3 laptops, and then return 2 after I decide which one I like best?" ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Dropping obsolete commands (Linux Pocket Guide)
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Chuck Anderson > > According to Ted Ts'o (filesystem developer), it is NOT a recommended > way to backup your filesystem: > > http://www.gossamer-threads.com/lists/linux/kernel/1197768 > > "It does read the mounted block device directly, and so it's certainly > not a _recommended_ way to back up your ext4 filesystem. It should That's correct, but unfortunately, it doesn't leave you with anything else you can use. The problem is that the live filesystem can have stuff changing while the operation is in progress. Because you're not using a block-level snapshot. So even if you use something like rsync or rsnapshot, the tool will walk the live filesystem (on top of the filesystem layer, unlike dump which operates below the filesystem layer, but that distinction is irrelevant) the filesystem could be changing while in the middle of an rsync operation. Or tar, or cpio, or whatever. Your database files are not safe with *any* of these tools, because of no block-level snapshot. If you make a block level snapshot, for example with lvm, you could then safely backup the snapshot block device, just as you could safely mount the snapshot and run rsync. But god, lvm snapshot, what a nightmare. This is the reason ZFS was invented. Maybe btrfs will be good someday too (maybe it already is). ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Dropping obsolete commands (Linux Pocket Guide)
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Daniel Barrett > > > 1. dump and restore > > I grew up with these commands, but personally haven't used them in > well over a decade. What do you think? If you want to backup your filesystem and preserve every little tiny detail that people don't normally think of - like named pipes, and character special devices, and hard links, and weird stuff like that, dump & restore are the only sure-fire ways to do it, because the dump & restore source code is written by the same people who write the EXT filesystem code. You might make a comment about use netcat instead of telnet, for network diagnostics, but aside from that, telnet is obsolete as a remote terminal protocol. And all the other stuff, I agree, is obsolete. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] laptop as router
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Mike Small > > Speaking of routers, are there any caveats to using an old laptop as a > router? I'm about to move into a 1 BR. The retail router we have now I've done this with laptops, desktops, soekris, and vmware systems running the router OS as a guest VM. With a laptop, the main caveat is the 2nd NIC. Previously I carefully selected a PCMCIA card that would be compatible. Nowadays I guess you probably have to use a carefully selected USB adapter. I recommend using pfSense or monowall instead of rolling your own BSD. Way, way, way easier, more featureful, probably more secure. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] [kind of off topic] noise canceling headphones
There's a major difference between Active Noise Cancellation and Passive Noise Isolation Passive can be extremely cheap, block out everything except what the headphones are generating. Active is usually expensive, and usually does a really good job of blocking periodic or repetitive noise waves, like machine noise and hum from noisy equipment. I've often heard people say their active (Bose) headphones allow peoples' voices to pass through while blocking machine noise and stuff like that. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] 19,000 person company passwords stolen via HTTPS
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Dr. Anthony Gabrielson > > > On Oct 6, 2015, at 10:52 AM, Rich Pieriwrote: > > > > The problem isn't encryption or lack thereof. The problem is that the way > > we handle authentication is fundamentally broken. Centralized > > authentication is literally an all eggs in one basket deal. Steal the > > basket and > > you get all the eggs. > > You are describing one specific approach, not all authentication systems have > the problem you outline. I have no idea what RP was talking about, or if there was a point at all, but Anthony, you're right. I know in CBCrypt, there is no basket with all the eggs. > > The problem is further compounded by the belief that encrypting > > everything will save the world and make everything better. It won't. > > Encrypting a broken authentication system and a bass-ackwards verification > > system will not make them any less broken and bass-ackwards. > > It may not make everything better - but you will can cut down on the MiTM > and increase the noise. Increasing the noise will go along way to make an > adversaries job more difficult. Again, I don't know if RP was making any real point, but Anthony, you're right. When passwords are exposed to servers, it makes it very easy for hackers such as referenced in the Ars article, to steal their passwords, and then compromise their accounts on other services, as well continued breach of the compromised service. For point of comparison, if a hacker breaches the TLS channel on a CBCrypt server, they still cannot access the users' information on *either* the compromised server, or anything else. When bad guys want to sell bad material, they don't use their own accounts. They find somebody's hacked accounts and use them instead. Peoples' usernames and passwords are sold on the black market every minute of every day. There is a monetary value for bad employees to steal their users' passwords and sell them. The weaker the security in the world, the more innocent people the bad guys have available to hide behind, and the more innocent people get mistakenly arrested for having kiddie porn (for example) discovered in their Dropbox (for example). Weaker security can be proven to never be effective at catching bad guys ( http://bit.ly/1K9gEFP ), and weaker security leads to more victimized innocent people. So yes, the absolute correct response is more encryption, more security. Save the world, make everything better. Yes. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] 19,000 person company passwords stolen via HTTPS
This is the reason why you should care about authentication and encryption happening without exposing passwords or encryption keys to servers. In this case, it was hackers planting a malicious DLL to capture plaintext passwords received during HTTPS login sessions, but there's nothing preventing bad employees from doing this exact type of thing - by editing a PHP file or whatever. This type of attack affects not only the employees of the compromised company, and the company's private information, but all the customers, partners, and users of the company who happen to use that server or service. All because your password gets sent to the company over the HTTPS connection. There is zero upside to sending the password, when there exist standard techniques to prove you know something without exposing the thing. http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/ Somebody on this list once called me a corporate shill for promoting https://cbcrypt.org, but this is MIT open source, free work that we produce at work and distribute to the world. We gain nothing if you use it. Even if our competitors use it, then suddenly our competitors would become not-the-problem, and the world is better, which means we're winning. We gain a good feeling if you use it, even our competitors. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Fwd: Hey FCC, Don't Lock Down Our Wi-Fi Routers | WIRED
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Shirley Márquez Dúlcey > > A router locked down in that way could not incorporate any GPLv3 code. I don't see any reason locked-down firmware would violate GPLv3. As long as you announce what code you're using, and distribute the code. > Eliminating the ability to install alternative firmware will hurt a > lot of people Agreed. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of John Abreau > > When I backup Postgresql databases, I use pg_dumpall to dump the data into > a text file; I don't try to backup the binary database files. > > I'm not familiar with MongoDB, but I would be surprised if it didn't have a > similar option to dump its data to a text file. Databases, indeed, cannot be backed up by naively copying the database file while the daemon is alive. The daemons are, however, smart enough to leave the file(s) in a consistent state (or use something akin to journaling) so the daemon is able to recover after an interruption. I am confident saying that literally every database has these characteristics - even Mongo and Sqlite. I have specifically verified this is correct with Sqlite. As for the filesystem being in an "inconsistent" state after interruption - That's what journaling is for. If you were in the middle of a "rm" or "mv" operation or something like that, journaling remembers it and correctly handles it after system restore - either by completing the operation or by backing it out as if it never happened. Automatically. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Bill Bogstad [mailto:bogs...@pobox.com] > > While some OSes/filesystems handle power interruption well at this > point, it seems to me that there are lots of apps/servers which do not > and which people still need to use. Particularly in a VM environment > where you might be running legacy OS/app combinations because you > can't replace them, it seems to me that suggesting this method as a > generic way to backup VMs is not really appropriate. Sure we should > all replace our old software systems with ones that use transactions > to protect against this kind of failure, but I don't think we are > there yet. I haven't seen an OS, Filesystem, or a daemon, it at least 15 years, that couldn't gracefully survive a power interruption. Except ownCloud. ;-) ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Bill Bogstad [mailto:bogs...@pobox.com] > > > 2- Use a snapshotting filesystem like btrfs or zfs in the host, so the host > > can > replicate the guest storage to another location seamlessly. > > I don't see how this can work in a way that would be useful. > Filesystem snapshots of your emulated disk images by the host OS may > give you a single point in time copy, but they don't guarantee that > the copy is in any way consistent. This is one of my favorite modes of operation. I run a ZFS host, and have guest VM's residing in zvol's, which get snapshotted and replicated periodically to additional attached storage, and offsite and offline. If something happens, like the whole machine explodes or whatever, then I restore the guest snapshot, and power it on. The behavior of the guest machine is exactly as if the guest machine had been running and then suddenly the guest power was yanked or kernel panic or something. The guest storage device is a precise snapshot of what the guest storage would have looked like at the instant that the storage snapshot occurred. If you're running an OS or some daemon that can't survive a power interruption, time to find a new OS or switch to a different daemon. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Daniel Barrett > > One piece I've never fully worked out is backing up the live VM's > (VMware Workstation) running on my Linux box. For VM's, you only have three choices: 1- Install backup software or something in the guest, let the guest back itself up. 2- Use a snapshotting filesystem like btrfs or zfs in the host, so the host can replicate the guest storage to another location seamlessly. or 3- Shutdown the guest, and then use some sort of "regular" copy method. Tar, cp, whatever. It's very difficult to do this in any sort of time or space efficiency, but it might be possible, and sometimes you have no other choice. Y'know - or just don't backup the guest machine. If you do all your work in git or something, and you can easily rebuild the guest from scratch. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Accidental rm -rf (was Cloud-backup solutions for Linux?)
> From: Kent Borg [mailto:kentb...@borg.org] > > -kb, the Kent who also never types scary commands like "rm -rf > /home/jruser/somedirectory" in left-to-right order, for fear he might > bump the return too soon; rather he types out the base command, then the > entire path complete... and only then goes back and adds the dangerous > "-rf"-part. Heheh, what I do is this: ls -ld /foo/bar/* Did I see it display precisely the things I want to destroy? If so, hit the up-key and replace "ls -ld" with "rm -rf" ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Matt Shields > > What's > sad about this back and forth is that a few people already made up their > minds to dismiss my solution because it doesn't fit their needs or > definition. Most people care about ownCloud destroying data on network interruptions, because with mobile devices and laptops, that's a normal part of life. I've talked with hundreds of IT people about file sync, being that it's my business, and of all the people I've ever talked with about ownCloud, exactly two of them have said they recommend it. You're the second one. Most people don't care (but should) about privacy in the cloud, which ownCloud also doesn't do. You only get privacy with ownCloud if you operate your own physical server physically secured on-premise in your basement or network closet or something. Even if you enable server-side encryption on ownCloud, the encryption keys are stored on the server, so it's almost pointless. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Matt Shields > > Check out ownCloud. It let's you run your own cloud based backup service. Oh god, no. If you're thinking about ownCloud, try Synctuary instead. I probably can't make a statement about ownCloud without getting sued (I work for Concept Blossom and am a developer who works on Synctuary), so I'll just ask you to ask yourself these questions: What happens if you're in the middle of a file transfer, and the wifi drops, or the ethernet cable is removed, or you roam from one wifi to another, or close the lid of your computer? What happens if you create a file with a character in its name, that's not allowed on some other platform? The two most common ways this happens are: Someone on the mac creates a file with a ":" colon character in its name, which is not allowed on windows. Or someone on windows creates a file with a unicode 8211, the emphasized hyphen character, which is not allowed on linux. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Matt Shields [mailto:m...@mattshields.org] > > So far have not had a single issue. I repeat the question: What happens if you interrupt the client or network in the middle of a file transfer? What happens if you create a file with a disallowed character in its name? Be sure to md5sum or something, before and after transfer, to ensure you'll notice if anything unexpected occurs. Be sure to look at the filesystem of the platforms where the disallowed character is disallowed. To see what appears there, if anything. > My main reason for not using something like Synctuary, Dropbox, etc is > this: https://www.conceptblossom.com/pricing I would rather write a > custom rsync (or something else for Win) script to automatically sync my > personal files rather than pay for something. Synctuary is free for up to 3 users. Although the OP specifically asked about linux, and I admit the linux Synctuary client isn't as good as it should be. Ubuntu only, and sometimes crashes. But never causes data loss, which is more than I can say for the competition. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
Also, Synctuary and ownCloud are more for sync/sharing/replication. Not really a backup product. To the OP, I would suggest rsnapshot or rsync for his purposes, not so much Synctuary or ownCloud. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Cloud-backup solutions for Linux?
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Rich Braun > > Here's why I ask: For a few years I've been using CrashPlan as my primary > backup, and rsnapshot as a secondary. What's wrong with rsnapshot? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Reusing Passwords on Different Sites Should be OK
> From: Bill Ricker [mailto:bill.n1...@gmail.com] > Sent: Thursday, September 17, 2015 10:11 PM > > Reusing passwords requires the users to know that the encryption is of a > safe variety. Most users are not qualified to tell good crypto from bad > crypto. Heck, most programmers can't be qualified to use good cypto > correctly. > Password Encryption done client-side must be handled very carefully to > avoid replay attacks yet still actually validate something. Sounds like a > half- > hearted attempt at Challenge-response. > tl;dr No. Everybody knows they shouldn't login to anything over http:// We've all been trained to use https:// and ensure we have green checkmark security shields or whatever. Because thousands of random unknown employees maintaining the routers on the Internet could access the http traffic. When you login via HTTPS, to google, facebook, twitter, and thousands of other sites, there are still thousands of unknown employees maintaining the load balancers and web servers at the other end, who could access the traffic. It is a no-brainer. You should not send your password or encryption keys, even over https. You need to prove you know your secret without exposing it. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Reusing Passwords on Different Sites Should be OK
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Matthew Gillen > > just because a malicious employee could run > wireshark on the production boxes doesn't make me forfeit my expectation > of privacy. We all know that we shouldn't login to things over http:// and we've all been trained to use https:// every time. Because random employees of the ISP and other networks could use wireshark, we know we have no reasonable expectation of privacy over http:// The world needs to know, the same problem is still true over https, but instead of thousands of employees operating the routers of the internet, it's thousands of employees operating the load balancers and web servers at google, twitter, facebook, akamai, etc. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Reusing Passwords on Different Sites Should be OK
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Chris Markiewicz > > This is such a bizarre interpretation of "Third-party". A password > should be considered a secret between two parties: client and server. > But again, conceded that this is a problem. I get what you're saying - You're not saying that I'm trying to twist third party doctrine into something it's not. You're saying third party doctrine is itself a bizarre interpretation, that contradicts what a rational person would expect to be held private. And you're right. The case example to demonstrate this is lavabit. He created that whole business for the explicit purpose of providing privacy and security. That's the premise on which he gained all his users, and yet, when the feds came after him, they told him his users had no reasonable expectation of privacy. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] Reusing Passwords on Different Sites Should be OK
The present standard practice is for clients/users to establish an HTTPS connection and then send username and password over the wire, where the server will encrypt it using a rate-limiting function such as pbkdf2, bcrypt, or scrypt, to protect it against hackers or bad employees who have access to the password file or database or whatever. But wait! We should assume, that hackers and bad employees who can access the password file can also access the encryption programs (drupal, wordpress, apache, etc that run bcrypt etc) and have access to the password in-memory before it's encrypted. Worse yet, even if the server is never breached and the employees are always perfect, users sacrifice their legal right to privacy by merely making it possible for the employees to see it. https://en.wikipedia.org/wiki/Third-party_doctrine This is like a person writing their password on a postcard and assuming the mail carriers will never bother to look at it. Why do we make a distinction between the employees operating the routers on the internet, and the employees operating the web servers at google and facebook and everywhere else? We know we should never login to an http:// site because the random unknown employees who operate internet routers could see the credentials in-flight. We've all been trained to only login on valid https:// sites, even though potentially thousands of random unknown employees might be at work on the other end, able to see the credentials in-flight. tl;dr There is no good reason to do the encryption on the server. It should be ok to reuse passwords on different sites, as long as the passwords are never exposed to the servers. I work at Concept Blossom, and we're promoting awareness about this issue. We produce https://cbcrypt.org MIT open-source crypto library to address this issue. We're resource constrained on development, so development is taking place, but slower than we wish. Please spread the word and raise awareness as you wish. Even if some other implementation eventually becomes dominant instead of CBCrypt, this is a big important issue that I don't want affecting my daughter when she grows up. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Reusing Passwords on Different Sites Should be OK
If you agree with me, you could up-vote this issue on slashdot. (Click the [+] button) http://slashdot.org/submission/4951477/reusing-passwords-on-different-sites-should-be-ok ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Reusing Passwords on Different Sites Should be OK
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Matthew Gillen > > > https://en.wikipedia.org/wiki/Third-party_doctrine This is like a > > person writing their password on a postcard and assuming the mail > > carriers will never bother to look at it. > > I don't think that is actually sound legal reasoning. Has that > interpretation come out of a court? http://lavabit.com/ > Just because a malicious FedEx > employee could open your package doesn't mean you forfeit your right to > privacy. No, no - This is actually a court case, referenced by the above wikipedia article. The case example is a postcard versus a letter in an envelope. Even though the envelope is a trivial security measure, it means the sender had a "reasonable expectation of privacy," and therefore has not forfeited the right to privacy. But the postcard could be seen by the mail carriers, and therefore has no reasonable expectation of privacy, and therefore no right to privacy. In the case of lavabit, even though their service explicitly was marketed for the purpose of privacy, the mere fact that their employees *could* access user information meant that legally they were required to. Which violated Ladar's principles, so he shutdown the business instead of betraying his customers' trust. > Likewise, just because a malicious employee could run > wireshark on the production boxes doesn't make me forfeit my expectation > of privacy. That's exactly what it means - as long as you with your wireshark are *able* to access some information, because it's not encrypted and the user hasn't gone to any effort to conceal it (another one of the measurements described in the aforementioned court case) that means it's like a postcard and not like a sealed envelope. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Edward Ned Harvey (blu) > > Yes, I am > definitely afraid of the backlash for being an activist and trying to fix big > problems. This is painfully relevant: They want to target (for killing) bloggers and journalists that they don't like. This is the USA. https://twitter.com/Conceptblossom/status/641624941201334272 https://twitter.com/trevortimm/status/641443270686605313 http://abcnews.go.com/International/annoying-deadly-debate-killing-isiss-twitter-tough-guys/story?id=33603248 Commenting on the strategy of targeting propagandists and "Twitter tough-guys," someone referred to as "Senior counter-terrorism official" says: "We are the angel of death. This war is a propaganda war too. Why only limit it to military leaders? Should we be ignoring the propagandists that speak English and are tech savvy who know how to reach westerners?" a senior counter-terrorism official knowledgeable about the counter-ISIS strategy told ABC News. "I don't see why you would want to curtail either targeting strategy. This is also a war of ideas." Personally I'm going to comment, that "war of ideas" is dangerously similar to "war of ideals" or "religious war." It's not targeting individuals who engage in military communications - it's targeting people whose ideas disagree with your own. This is how they justify it: "While the White House declined to comment for this report on the targeting of propagandists in general, a senior administration official defended the targeting of Hussain specifically. 'We've been clear that Junaid Hussain was more than a mere propagandist. He was a key recruiter of Westerners and sought to direct attacks in the United States, specifically targeting U.S. military personnel and other government officials,' the official said." Somehow there's a disconnect between the White House spokesperson talking about the individual who coordinated targeted attacks using Twitter as a communication medium, and the officials who go with "We are the angel of death" and "war of ideas." ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Eric Chadbourne > > I stopped reading your post right there. I am not willful, sheepish, or > blind. That's the definition of willful ignorance. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Dan Ritter [mailto:d...@randomstring.org] > > For most people in most places, blindly clicking "yup" on the > terms of service is exactly what they should do. > > 99% will not get into legal trouble. Oh, try this on for size: Spotify, music streaming, essentially internet radio: requires access to contacts, photos, files, location, microphone. And probably some other stuff. A lot of people find that excessively creepy, and question if any of it is necessary to provide the service they want. Some of it might actually be useful, such as microphone to do voice commands, and location services to determine if you're in the middle of running and therefore in the mood for running music. My personal favorite: The "flashlight" search on android. At minimum, a flashlight app needs access to "Camera." But among the most popular apps, >10 million downloads, requires Location, Photos/Media/Files, Wi-Fi connection information, Device ID & Call History. That is not a situation where blindly clicking "yup" is what people should do. It's not about the user getting into legal trouble, it's about granting the service provider or the app manufacturer way crazy too much access into your life. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Eric Chadbourne > > > There was nothing insulting in any of what I said > > Really? > > "...It's nothing more than willful, sheepish ignorance, akin to blindly > accepting > all the Terms of Service on every app..." > > That was your response right at the top. Look at the facts, read the email, > see who started. It was clearly you. Seems pointless to respond any further, but yeah. If you say that criminals and the CIA don't use coercive rubber hose tactics against people saying and doing things they don't like, yes that's willful ignorance. No it's not an insult for me to say so. "Willful ignorance" is simply a term that means you choose to ignore something you don't like. Sheepish means you're going along with the crowd. The same thought pattern that leads people to blindly accepting Terms of Service. No, those are not insults. If there's anything interesting to talk about further, let's do that. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Dan Ritter [mailto:d...@randomstring.org] > > Uh, no, you just changed from "accepting ToS blindly" to > "granting permissions blindly". What's your point? Yes, the permission grants are baked into the ToS and/or privacy policy. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Eric Chadbourne > > Are you 13? Stop being an insulting bore. Heheheh, ok fine. I'll also re-send on-list. ;-) There was nothing insulting in any of what I said, and there wasn't any disagreement between us about anything - So when you got offended and shut down because I said you're being willfully ignorant, you shouldn't have been offended, and you shouldn't have used that as a reason to disengage conversation. (But you're certainly entitled if that's what you want). And when you said "Neither is anyone who disagrees with you," you're imagining some sort of conflicting position between you and me, that actually doesn't exist. You don't have to read what I write, and you certainly don't have to like it, but you're the one saying insulting things to me, not the other way around. FWIW, I'm not insulted, despite your attempts to be insulting. I am feeling decidedly "meh" about the whole exchange. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Dan Ritter [mailto:d...@randomstring.org] > > For most people in most places, blindly clicking "yup" on the > terms of service is exactly what they should do. > > 99% will not get into legal trouble. Actually, that's not the point - By accepting the ToS and granting permission for their employees to access whatever, you both open the door for their bad employees to illegally use your stuff, and you waive your legal right to privacy so it becomes legal for the NSA to indiscriminately harvest it all without any warrant or probable cause. And that includes your password. No right to privacy on your password because you voluntarily used it to login to their service, which means you sent it to them. All of the above is solved, if passwords and encryption keys are never exposed. Unfortunately, for example, the Dropbox terms of service https://www.dropbox.com/terms says you grant them access to your stuff because it "enables us to offer the Services." The reality is, they don't need access to your stuff in order to do file sync. I certainly know Synctuary does file sync without any access to the files, passwords, or encryption keys. Third Party Doctrine: This is what sank Lavabit. People who voluntarily give information to third parties have "no reasonable expectation of privacy." https://en.wikipedia.org/wiki/Third-party_doctrine AT employees stole and sold customers' private information http://arstechnica.com/tech-policy/2015/04/att-fined-25-million-after-call-center-employees-stole-customers-data/ Stolen Uber Customer Accounts Are for Sale on the Dark Web for $1 http://motherboard.vice.com/read/stolen-uber-customer-accounts-are-for-sale-on-the-dark-web-for-1 ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mr Robot
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On > Behalf Of Eric Chadbourne > > I don't think either of us are going to > be beaten by the CIA tomorrow. > > Criminal gangs with rubber hoses probably > aren't going come hunting for you if you try to write or implement good > crypto on your backup project. That's what everyone says. It's nothing more than willful, sheepish ignorance, akin to blindly accepting all the Terms of Service on every app. Do you follow any of the news or politics in this country? We have politicians voting - unanimously - to show they believe climate change is a hoax, risking the future of the world in order to support the fossil energy lobby, despite overwhelming consensus of the actual scientists who study it. We have politicians, and even the director of the FBI, and prime minister of the UK, pushing for encryption backdoors and saying "don't make us force you into it" despite overwhelming consensus of the security experts saying that it can never work and would be harmful and destructive to try. Meanwhile, everything is getting backdoors anyway. Ask Ladar Levison what would have happened to him if he had stayed in business and refused to provide the backdoor. They might not have used the rubber hose on him, but indefinite detention would certainly be on the menu. Look up Frank Olson. There's also an incredibly well done special covering his case, by Dr. G's America's Most Shocking Cases (which is actually just an excellent series - I'm bummed that it only ran for one season). Every government around the world has procedures to make assassinations look like accidents. We've seen cases of radioactive material dropped onto a Japan politician's rooftop by miniature drone, and drive-by parabolic radiation emitters, used to "accidentally" kill people via cancer or radiation poisoning a few months later. Recently, China tries to silence Miss World Canada's human rights advocacy by threatening her father. http://bit.ly/1Vikv6B Every blogger, journalist, and activist receives death threats. It comes with the job. We've had at least 3 bloggers killed this week. And Al-Jazeera journalists imprisoned in Egypt. As evidence against them, prosecutors played footage of a trotting horse, and the music video for "Somebody That I Used To Know" by Gotye. It sounds so insane you don't want to believe it, you think "Am I reading The Onion?" but then every news source reports the same thing, for over a year. Now the guys are in prison, trying to work with The Committee to Protect Journalists, and lawyers and activists abroad, trying to get deported from Egypt. We like to sit in our protective bubbles, thinking "That's just oppressive foreign regimes," which makes you think, "That must be exactly how people abroad view us and 'indefinite detention without sufficient evidence for a trial' and 'enhanced interrogation' at Gitmo." So at some point, you have to give up denial and accept that it's reality. Not only is i t reality, but it happens in this country too, and it happens against our own citizens such as Ladar and Frank. The goal we're pushing for in https://cbcrypt.org is a universal standard login protocol that allows logins and encryption to happen without ever exposing passwords or encryption keys. We're working on a video that explains it, but that video is to be released about a week or two from now. Follow @Conceptblossom or like Concept Blossom on facebook, or just email me off-list if you want to be alerted when that video is available. Yes, I am definitely afraid of the backlash for being an activist and trying to fix big problems. At stake are billions of dollars in criminal organizations - billions of dollars in legitimate companies such as Dropbox and Google and Microsoft that legally use and share their users' data - political leanings of many governments around the world - and many lives of many people. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Replacing AD with Samba4
From: Rich Braun [mailto:ri...@pioneer.ci.net] I guess I didn't make it clear: this is my home LAN. My domain controllers exist solely to support a couple of Windows instances that run software that has yet to become available on Linux, and/or devices that want to communicate with SMB network shares. Oh - Uh - That makes a lot of sense now. ;-) The part that's still missing is: Why run a domain at all? Why not just let the couple of windows boxen run standalone, and use basic authentication to the SMB share? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Replacing AD with Samba4
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Rich Braun Any suggestions? Is this known to work? Maybe I should just keep my Windows servers? But they're 6+ years old and probably fraught with security holes. I know it's not what you want to hear, but I'm sure Microsoft doesn't test their desktop OSes against Samba AD servers, so even if it works now, I wouldn't count on it for a production work environment. It will cost like $300/yr for windows server, which is nothing to a business. (That's if you pay $600 every other year for Server Standard, which permits you to run on two separate VM's simultaneously.) I just don't see anything to gain by trying to deviate from windows server. Unless you want to support a non-windows organization. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: encryption
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro You seem to think there's an obstacle which isn't really real - Encryption is very cheap computationally, so cheap indeed it can be done by the disks themselves. Yes, disk that have hardware acceleration for that purpose. Yes, aka self encrypting drives. Which are very common and readily available. If you don't have a self-encrypting drive, then obviously the encryption must be done on your CPU. Some appliances have support for self-encrypting drives. The appliance only needs to store the encryption key somehow (exercise left to reader) and in BIOS, tell the drives to encrypt themselves. I know how Microsoft securely stores the encryption keys in TPM - I can't speak to any other OSes or appliances that use the TPM or other techniques. While we are certainly heading in the direction where the CPU overhead for encryption can be ignored, even in low-end embedded devices, we are not there yet. We are certainly there, *except* in situations with puny cpu's and no hardware acceleration. On a CPU that has AES-NI (the AES New Instruction set, which was new around 6-7 years ago), you can max out your SATA bus and it will utilize around 3-4% CPU time of a single core. This compares to around 30-40% if you don't have AES-NI. But admittedly - this is an x86 laptop processor, which is going to be much more powerful than a little ARM or similar. So even if you lack the hardware acceleration, you don't get CPU performance limited; you just burn some unnecessary CPU power. Doing AES-256 CBC 1024, the Pi is about 10x slower than an i5 per the Agreed. It is not going to work well, to run encryption on an ARM processor without AES hardware acceleration. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: lots of bays vs. lots of boxes
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Rich Braun As drive capacities increased, transfer speed also did. (You have updated your motherboards to 6G SATA, right?) Nope. Well - Drives increased speed up to around 1Gbit/sec around 10 years ago, and there they stayed, and there they still are. They're limited by the frequency response of the heads. It took a surprisingly long time for SSD's to get faster than sustainable 1Gbit/sec, but they've accomplished it now. Nowadays, I expect a typical SSD to actually be limited by the 6Gbit bus. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] VPS suggestions
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Eric Chadbourne Any VPS suggestions? For the last year I’ve been using Digital Ocean. The price is right and the servers are fast. Unfortunately it appears apt-get can’t update the kernel. You have to use their web based gui. This isn’t acceptable to me. I use DO. Haven't had that problem... The only thing I've experienced that's even remotely similar was when the ubuntu 12.04 hardware enablement stack changed (by ubuntu) I had to do some extra steps to upgrade to the new HWE. But it wasn't too bad, and it was all on the ssh terminal... Have you contacted their support? Maybe there's some setting you could change? I wonder what exactly you're experiencing, and I wonder why you're experiencing it but I'm not. I have various flavors of ubuntu server, all 12.04 and 14.04. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: encryption
Yay, I started a flame war. :-D (Sorry). Anyway, if anybody cares, I'm not a cryptographer but I am a pro crypto developer. The difference is you're a mathematician who understands how to design a good s-box, versus you're a software developer who understands the correct usage of all the crypto components. I'm the latter. If somebody wants my opinion on something, please call my attention to it - I didn't see anything I wanted to respond to, but maybe it was just buried in the noise. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: encryption
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Derek Martin The difference is, the software most of us rely on is open source, and is known to have been inspected by some very smart 3rd parties who Au contraire. How did I know this was going to turn into an open source is more secure myth? It's a myth. First of all, no matter what you do, you're putting blind trust into *some* third party. When you download binaries of an open source project, compiled by themselves, you're blindly trusting that they didn't backdoor it when they built it. Sure you could download and build yourself - but then you're placing blind trust in *yourself*. Did you really truly read all the code and understand it all? Of course not. When you get open source code from Red Hat and Debian, you're just shifting your blind trust to a different group of people - who also patch the code with their own patches - which you equally did not read. When Red Hat and Debian download source code from all the 3rd parties, do you really think they read it, much less understand it? They don't do that any more than *you* would, if you were the person downloading and building those packages from source. So you shouldn't place blind trust in them any more than you would in yourself. As evidenced by Shellshock. Second of all, as evidenced by the whole linux kernel RDRAND fiasco 2-3 years ago, even when people *do* read the open source code, flaws get maliciously introduced anyway. And the community can even notice, and get up in arms and throw public temper tantrums and get media involvement - and sometimes the open source software producer will *still* cram the backdoor down your throats. And Red Hat and Debian and everybody else will swallow it and redistribute it. The characteristics that determines whether or not accidental or intentional sabotage is introduced - are the skill and character of the people submitting code. There is no characteristic of open source vs closed source code that fundamentally attract or repel people of good skill or character. Open source and Closed source code have an *equal* proportion of people with good or bad skill and character. But most of all, evidenced by Heartbleed, POODLEv1, POODLEv2, and ShellShock - Nobody's reading the open source code. Since I became a crypto developer a few years ago, I spend my time now reading open source stuff, and observing the behavior of closed source stuff. It is my opinion that both are about equal in terms of crypto correctness. And it is my opinion that both are about equally responsive to submissions, when I report security flaws to them - Both open source and closed source, *sometimes* act on reported flaws, and sometimes don't. But the primitives - block ciphers, hashing functions - are all solid. The weaknesses get introduced in how they're linked together, how they're used, and how the keys are generated and stored/communicated. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: encryption
From: John Abreau [mailto:abre...@gmail.com] Edward Ned Harvey (blu) b...@nedharvey.com writes: You seem to think there's an obstacle which isn't really real - Encryption is very cheap computationally, so cheap indeed it can be done by the disks themselves. On Tue, Jul 7, 2015 at 1:14 PM, Derek Atkins warl...@mit.edu wrote: I don't trust my disks to do the encryption, mostly because there's really no way to verify that it's doing it correctly, and the key management gets a lot harder. The way I read it, the message wasn't that you should trust the disk to do the encryption; it's that encryption has very low overhead today, and the reference to disk-based encryption was merely to illustrate that point. It seems silly not to trust the disk to do encryption, when you'd trust some software that you equally haven't decompiled and inspected. I am saying both: Encryption has very low overhead today, and yes it's ok to do it in the disk hardware. Nowadays, you can download a dozen different AES libraries in any language - including javascript. Not that javascript is relevant in context, just to point out, AES is SOO ubiquitous that it's literally everywhere and in everything. The idea that the disk is going to have a broken implementation of AES is beyond far-fetched, into unbelievable land. And like I said - it isn't any less likely to be the case in the overriding software. Which I guarantee also has a working implementation of AES. The only thing you need to *actually* be concerned about is where do the keys come from, how do they get managed, and do they cause inconvenience. And I guess it wouldn't hurt to actually plug one of the disks into another system and confirm that encryption is *turned on*. But as long as it's turned on, and the keys are good and managed, yes I trust disk hardware to do the encryption just as much as I trust the application software. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: ZFS vs. BtrFS
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro (Is there any other solution outside of a NetApp file or BtrFS compare in this area? Maybe with vast quantities of cheap storage, the space inefficiency of snapshots is less of a concern.) Yeah, lots. MS uses volume shadow services. And all the big guys (isilon etc) have some solution in this area. I hear a small number of people using lvm snapshots and AFS. But I don't really understand your comment about space inefficiency of snapshots - in my mind, nothing could be more efficient, except to not have snapshots (allow data deletion). ...ZFS on linux. Apparently ZFS on linux has been working well now, for at least a couple of years. We keep hearing rumors of that, but anyone actually using it? I haven't personally used it, but I've heard it enough times that I've decided I'm going to do it next time I need something like this. Literally the only reason I use openindiana is to get a ZFS box, and I'd definitely prefer ubuntu or centos. How about BtrFS now? I thought I saw some distributions switching to it as a primary FS. It's probably ready. Around 3-ish years ago was the last time I tried it, and it was *almost* ready then. Meaning, I built a server, and tested the ever-loving hell out of it, and it passed all my tests. But then I put it into production and we would occasionally see weird behaviors, and after a very time consuming waste of effort spread over a few months, it was finally tracked down to btrfs. So on that server we scrapped btrfs (and solved the problem), but it was long enough ago that I wouldn't discourage trying again. I would *only* consider software RAID. So when I say RAID that's what I mean. I lump ZFS's RAID-Z with other software RAID, and don't consider it JBOD, as it is not using 100% of the storage for data. Umm... I have a feeling you already know this, but the way you've phrased above seems like maybe not? You definitely shouldn't lump zfs and btrfs in with other software raid, because the huge, major reason to use zfs/btrfs software raid instead of hardware raid (besides system compatibility - ability to move disks from one system to another) is the ability to detect correct data errors. When the hardware presents only a single device to the OS, if a data error occurs, then the OS has no way to tell the hardware try reading the other copy, to see if it's good. This means hardware JBOD and software raid are necessary for the OS to do error correction. But many software raids (lvm, for example) don't do checksumming and error correction. Now whether the overhead of RAID-Z is low enough that it makes more sense to use that over Ext4 on JBOD for a low-reliability backup pool is another matter. This comment doesn't make any sense to me. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: lots of bays vs. lots of boxes
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro I'm more interested in clever ways of using multiple, cheap, commodity NAS boxes, Google-style. For example, for the same cost as that $600+ (diskless) DIY NAS I linked to, I can get 4 of the QNAP 2-bay boxes and maybe combine them with something like MooseFS. You get redundancy where some number of the boxes can go down, and it still keeps working, and you can expand capacity by adding more boxes (if drive density increases don't keep pace). I think the leaders in this space are glusterfs, and ceph. But I'm sure each one has their own individual strengths and weaknesses. Among them is compatibility - I don't think you're going to get anything like this to work with windows or mac clients, or have an android or ios app. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS: encryption
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro I imagine it would be challenging to pull off encryption well with appliance hardware. The first problem is getting the software to do it. (Plus all the automation you've previously discussed to set up the keys on boot.) The second challenge is having the horsepower to perform the encryption. Not impossible if they chose their embedded CPU well, but unlikely to be optimized for that. You seem to think there's an obstacle which isn't really real - Encryption is very cheap computationally, so cheap indeed it can be done by the disks themselves. Yes, it's absolutely possible for appliances to utilize disk encryption, either by using its own CPU, or by offloading to the disks. I cannot speak to the specifics of any particular appliance actually doing it though, as I don't use any of them. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] Anybody else seeing this? (Amazon AWS problem)
About an hour ago, our alert systems started spamming us. It seems like a problem with Amazon AWS, US East. I'm able to access at least two of the systems in US East via https - but one of them is not responding to ssh - So I figured I would reboot it via AWS control panel - And when I login to the AWS control panel, it says we have no instances and no storage. Which is a panic and crap your pants situation. I'm obviously in progress contacting Amazon support, but I'm wondering if anyone else is seeing anything. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Anybody else seeing this? (Amazon AWS problem)
Yup, something weird on their firewalls. Right now, I have two machines in our colo, with different externally facing IP's that are both in the same network segment, both continuously pinging a machine in Amazon. As I sit here, intermittently for no apparent reason, the amazon machine stops replying to one of them for a while, and then starts replying again, etc. I've reported it to them. Awaiting response. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Anybody else seeing this? (Amazon AWS problem)
From: greg.rundl...@gmail.com [mailto:greg.rundl...@gmail.com] On Behalf Of Greg Rundlett (freephile) As for the crap your pants moment when nothing is right in your control panel, I've noticed that if you have more than one AWS login, that it can be difficult to login to the right account. I've been duped before by logging in and seeing the wrong AWS console. You've no doubt checked your account, but it's worth mentioning. In fact, you were right. I did figure out, that I was logged into control panel with the wrong credentials, so that explained the missing servers storage. (I had already double-checked that before posting here, but I found the error on triple check. So it's no longer a crap my pants scenario.) But there's still something really weird happening with the firewall. We're still being flooded by alerts, and when I ping or ssh to the amazon machines, I'm seeing ... Here's a really weird one ... We have a couple of LAN's, whose external IP's are in the range a.b.c.d/e The amazon firewall is configured to permit (usually) echo request and ssh from a.b.c.d./e So ... machine foo on LAN1 is failing to ping or ssh machine banana and machine orange in the amazon network. But when I VPN into LAN1, I'm able to ping and ssh to banana and orange just fine. Machine bar on LAN1 is failing to ping or ssh machine banana, but successfully pinging and ssh'ing to orange. I login to AWS, and change the firewall to permit banana echo request and ssh from 0.0.0.0/0, and suddenly both foo and bar work fine. Makes no sense. Then, while I'm in the middle of something else and not changing firewall rules in amazon, suddenly the pings from bar to orange start failing. Again, makes no sense. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Juniper VPN's
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Matt Shields All the download links I've found are behind Juniper's locked down download site. If they're paying you, or anyone else doing work over that thing, they should pay Juniper for a support contract. Even if there weren't incompatibility problems (as there obviously are) there continue to be security flaws that require patching. But I assume you've already told them that, and you must be volunteering your time? ;-) ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] PC Build
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Greg Rundlett (freephile) I hardly know anything about hardware and mostly buy from newegg or tigerdirect. It's been years since I built my first linux box from scratch. Any comments, advice from regular or recent builders? I have had a *lot* of experience building systems from scratch. Something I was formerly surprised by is the lack of standard compatibility - Which doesn't surprise me anymore. Even when you buy all the right parts, conforming to the right standards, apparently those things are not well defined or not consistently implemented or not compatibility tested. Most of the time (I'd say about 75%) you end up with a pretty good cheap system that simply works fine. About 20% of the time you end up with something that has some weird compatibility quirk - like some particular brand of memory doesn't like some particular motherboard chipset, although they're supposed to work, and everything seems to work after you build it but you spend months diagnosing some weird behavior only to determine the root cause is hardware, or something like that. And 5% of the time, it is horribly broken, you wouldn't be tricked into using it, you have to change some parts in order to make it usable. I definitely advise getting something of a kit where the distributor recommends this combination of CPU, motherboard, etc. They either have tested it, or they sell a lot of that combo and get very few complaints about it. Newegg sells such kits; I've had good luck with them before. You can absolutely look at the details of the kit, and then buy those components individually; usually for about the same price. Of course you're going to customize a little bit - you want the Acme Super Graphics Card, while by default the retailer would sell the system with some other graphics card - Don't be scared to mix match a few parts as you wish. But starting with the kit and then customizing a little will help you avoid common pitfalls of selecting all your parts from scratch. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] My HP Pavilion's HD bit the dust and it is 13 years old, so instead of replacing the disk again, I would like a new laptop. But I would like to pay $300. I do not expect the best or the
hehehehe, wanna try that again with the message in the message body instead of the subject? Subject truncated. -Original Message- From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of John J. Herda Sent: Tuesday, May 26, 2015 2:58 PM To: BLU Discussion List; Jerry Feldman Subject: [Discuss] My HP Pavilion's HD bit the dust and it is 13 years old, so instead of replacing the disk again, I would like a new laptop. But I would like to pay $300. I do not expect the best or the biggest. I have been told that some computers do not li... John J. Herda 10 Tinkham Avenue Burlington, MA 01803-1538 john_j_he...@yahoo.com cell: 781-249-2396 home: 781-273-0269 ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] About to rip out systemd and start over
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Rich Braun For the umpteenth time, this morning found myself at the console of a dead Linux box, unable to bring the system up because of unreconciled or circular or otherwise out-of-sequence dependencies in systemd. Are you manually creating and editing services or something? I've literally never once run into any problem like this, on any system in my entire history. I don't want to say you're doing something wrong, but that *is* the first suspicion that comes up. Maybe instead of making a generalization about systemd, you could describe what you've changed, and why you did, and what you're trying to accomplish, and maybe somebody will offer some insight on managing the systemd configuration that helps you avoid falling into those pitfalls in the future? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Secure Email
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Greg Rundlett (freephile) I like their No Bullshit stance https://kolabnow.com/feature/sustainable Oh, um - I just read that. The No Bullshit policy is a nice catch phrase, but ... My commentary below: In times of insecurity, snake oil merchants travel the intertubes. Whether they promise end to end encryption Agreed, 100%. (but control the software that controls your key), Hold on there. Cuz that's what we do, I know something about it. Yeah, I write software that controls your key, but so what? It's open source, it's peer reviewed, and it's solid. THAT is not a flaw. Even for the closed source code, and binaries that we distribute, the government cannot compel us to write malicious or backdoored binaries. Nor would they need to - If you want to know the REAL security flaw, it's the binary distribution channels. For example, you build some software, you digitally sign it, you stick it on your website or something. Then when users download it, they have a secure https connection, and digitally signed software ... But wait! Did anyone scrutinize the phrase secure https connection? Because the reality is, WE ALL KNOW, there are hundreds of certificate authorities out there, with at least hundreds of individual humans scattered about the world who have access to the root CA private keys. And every government has control of at least one of them. So the base assumption needs to be, a government agency could establish a MITM attack to substitute malicious binaries, while maintaining solid green checkmarks and passing all the x509 validity checks. The device they tried to make Ladar install at lavabit was exactly this - a MITM device that could MITM encrypt/decrypt all the SMTP/TLS traffic. For a company that's supposed to be all about security, I'd like to see kolab acting a little more knowledgeable, relying less on marketing fluff and FUD. claim to be NSA proof (but accept US venture capital) or make other outlandish promises: If something sounds too good to be true, it most likely is. *sigh* Speaking of snakeoil. This is coming from the company that just says Hey, We're Swiss. That means we're secure. How about putting some technical details where your loud mouth is? Stop waving flashy objects in front of users' eyes, as if there's anything about US venture capital that prevents you from building good cryptographic principles into your product. I know we have taken US investment capital, and I certainly know I don't have anyone telling me how to design our product. I call Bullshit on the No Bullshit policy. Kolab Now has built up the entire chain, from choosing a Swiss data centre without foreign capital, ensuring physical control of the hardware, which it owns, to building up a software stack without proprietary components. Using advanced network defence techniques in combination with Kolab Enterprise, a solution that we have developed ourselves, Kolab Now provides the best security possible with feature rich collaboration on any platform. And we're working hard to increase what is possible both in terms of security and features. Marketing buzzwords and fluff. I call Bullshit on the No Bullshit policy. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] interesting discussion on silverlight
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Edward Ned Harvey (blu) Believe it if you want to. I'm only saying, the truth may be exactly as described, but it's hearsay from a stranger on the internet - not exactly a reliable source - it may NOT be exactly as described. If the truth is exactly as described, it's contrary to the MS recent years trend of opening source and playing nice cross-platform, but that wouldn't be surprising either. Take it as a maybe. And keep an open mind. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] NAS Folder Encryption
I'm a little confused by your email - Your NAS device, do you have it in your home? So it's physically secure, inside a locked building with locked doors and physical keys? Do you plan to use it remotely - like when you're away from home? Do you plan to synchronize files to your laptop also, or *only* make the files accessible via network? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Stack Script (shell script) to build Ubuntu LAMP + on Linode
From: John Abreau [mailto:abre...@gmail.com] Sent: Friday, April 17, 2015 9:09 PM Perhaps slightly off-topic, but I like to use /srv instead of /var for my websites. I create a directory /srv/www, give it a very small lvm volume, then create a separate lvm volume for each website under /srv/www. That way, If one of the websites goes nuts and tries to fill up the disk, it won't stomp on the other websites or the rest of the server. There's already more than enough stuff under /var competing for space. Of course you could do the same thing, where /var/www/www.foobar.com is itself a mountpoint. But by using a nonstandard location such as /srv, you're breaking the default selinux and apparmor rules - so you'll have to manually configure those rules - PS. Never expose a web server to the internet without selinux and/or apparmor. And various other security measures. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] OSX Mavericks root exploit, and Safari
I'd like to alert people that OSX Mavericks has a root exploit that will not be fixed. All Mac users must immediately update to Yosemite in order to maintain any semblance of security. http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-backdoor-like-bug-that-gives-attackers-root/ Also, having recently done this upgrade myself, I was almost immediately annoyed that Apple is trying to cram Safari down your throat - If you haven't launched Safari, they pop up a notification where your only choices are Try Now and Later which will repeat a few days later. Also, if you use some other browser such as Chrome or Firefox, OSX will harass you to use Safari when you close it. The You should switch to Safari instead of Chrome harassment will repeat once every few days upon closing the non-Safari browser. Safari is terrible in terms of security. Nobody should use it. To disable these annoyances, you can use this script I wrote. I recommend you don't trust me - I'm a stranger on the internet - You should first just run the curl command to see what the script does, and then repeat the curl command piped into bash to actually execute it. Just paste this onto a Terminal prompt: curl -s https://clevertrove.com/safariAnnoyance.sh | bash ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Stack Script (shell script) to build Ubuntu LAMP + on Linode
From: greg.rundl...@gmail.com [mailto:greg.rundl...@gmail.com] On Behalf Of Greg Rundlett (freephile) So, now that I'm looking at Vagrant, Juju [1], Ansible [2], Puppet [3] and others as well as revisiting the general virtualization landscape (e.g. LXC, Docker, CoreOS). Does anyone have their favorite deployment tips, playbooks or stories to share? One of my coworkers is absolutely in love with vagrant, but I don't like it because it only plays easily nice with a local virtualbox. For him, he's doing experimental or development drupal work, that works great. For me, I'm operating infrastructure to support people, I need to interact with a much broader set of vmware, aws, digital ocean - which vagrant technically *can* do, but the added complexity negates the benefit. It's just a wrapper around ansible/whatever anyway. So I just use ansible and forget vagrant. The thing I like about ansible, besides the obvious - Ok, here's the obvious - In the past, machines were sometimes not well documented, and even if they were well documented, following the documentation was manual and error prone (hence you writing your script). By writing executable documentation, you get repeatability and it becomes trivial to spin up a development machine that exactly clones the production system, then make a change on development and test, and apply the change to production. Ok, so besides the obvious, I like the fact that I don't need a dedicated control machine. I can do stuff locally on my mac, which ssh's out to the target machines to do my work for me. I find, however, that if you have any windows administrators on your team, it becomes worthwhile to build a dedicated control machine - some linux box that everyone ssh's into in order to run ansible commands. Because even with cygwin, there is no ansible on windows. (Last I knew, as far as I know.) All that script stuff you wrote is how I used to do things. The language in ansible makes a lot of that stuff trivial. For example, how do you script Go into the my.conf file, find the [FooBar] section, and if the 'whizbang' feature is in there, edit it to 5, otherwise create a line 'whizbang=5' ... Yes it can be done, but it's a pain. But this type of configuration setting is just a line in ansible. Because that's what it's designed for. And what if assumptions were made in your script that are no longer correct when you run the script? The shell script is likely to fail horribly doing terrible things. Ansible will just report the error on the specific machine, and stop running on that machine. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] OT: Do CS grads need calculus?
John says I have to say that I have never in a successful 40-year programming career ever needed to know calculus. To which I respond: I have never, in my career, needed my degree. But I'm glad to have it. And do CS grads need Acting I, or Music Theory I? Those were the free electives that I chose. Why not abolish free electives if we are only concerned about what's strictly directly applicable to a career? I am personally in favor of all these classes - and I've got to say - to my surprise, Acting I was the most rewarding class I ever took, contributing more than any other to my personal success and wellbeing. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Stack Script (shell script) to build Ubuntu LAMP + on Linode
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Greg Rundlett (freephile) Having just decided that I'm moving my operations to Linode, I'm building out a script to install a base Ubuntu 14.04 system on Linode. The system should have LAMP, plus nginx, firewall, mail (postfix), monitoring (monit), reporting (munin), Any comments, or forks welcome. https://gist.github.com/freephile/2d73f0f6cacc3d31d2f0 My comments are: This would have been a lot faster/easier/more reliable/scalable/better if done on ansible. (Or any of its competitors, but I'm personally using ansible). ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mythbuntu on VMWare slow
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of aldo albanese Hi,Not a linux guru like all of you, trying to learn it. I installed mythubuntu on VMWare 5. I noticed that the app is very slow to respond, I have it set to 4 processors and lot of memory, it should go faster. Not issues running Windows machines. I have installed the guest, there is any tuning that I may need to do to make it faster. Thanks for the help. When you say vmware 5, I guess you mean ESXi 5, on a dedicated server, bare-metal installation, right? Or some other solution? Did you go into BIOS and enable the virtualization tech, such as vt-x, and vt-d? What kind of hardware is it, did you check for firmware updates and such? After installing the guest, did you install vmware tools (or openvmtools?) ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Mythbuntu on VMWare slow
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of aldo albanese I have it set to 4 processors and lot of memory, it should go faster. Oh - It is ok to overprovision processors, because the system will gracefully scale back client performance. For example if you have a system with 8 cores, and you have 3 guests that each have 4 cores, that's ok. Or even 3 guests that each have 7 cores. It is not ok to overprovision memory. Always leave at least a G or 2G available for the host OS (or more, depending on your guests configuration). The host OS will cache and buffer stuff, so the bigger your guests are, the bigger your host OS should be. I think a reasonable balance is something like ... Guests memory consumption should not exceed approx 75%-80% of the total memory in the system, and at least 1G available to the host. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Thin Provisioned LVM
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Daniel Hagerty What you are looking for is ATA TRIM support. ATA TRIM, or SCSI UNMAP ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Thin Provisioned LVM
From: ma...@mohawksoft.com [mailto:ma...@mohawksoft.com] nothing I have written about ZFS is fundamentally incorrect at this point in time You've written like 12 pages of text in the last 2 days, which will require 20 pages and a week of reference finding, in order to respond to all the things you said wrong about zfs. There's simply no way I have time for that. You said zfs blah blah is stupid. You said zfs blah blah incorrect. Bogus, nightmare, not desirable, etc... It doesn't take Martin Luther King Jr. to recognize prejudice. I respect the passion that you have for this - and I respect your expertise on lvm, and I agree 100% with the *core* of what you're saying, that for specific applications such as databases which perform their own data integrity and so forth, greater performance and better thin provisioning support can be achieved using a lighter weight file system / storage system specifically designed for those purposes. But overshadowing a lot of that core message are incorrect generalizations and statements about zfs. How to optimize it, and how it behaves. I'm cherry picking 2 points to respond to, because I don't want to waste any more time of my life on this: says give ZFS whole disks, which is stupid I happen to be an expert on this subject - and it's the exact opposite of stupid. Disks have the ability to do volatile write-back caching, which is disabled by default, but greatly improves random write performance if it's enabled. The thing is - if you give zfs the whole disk, then zfs knows no other filesystem exists on any other partition of the disk, so zfs will enable the disk write-back cache. This is safe for zfs, but would not be safe for a bunch of other filesystems, of particular importance ufs. I don't know if it would be safe for the various linux filesystems - but the point is - anything *other* than the whole disk, zfs cannot assume anything about the other systems using the disk and therefore will not enable the write-back. So yes, it is smart to give zfs the whole disk. ZFS pool growing out of control on a sparse presented to it from a SAN I haven't used it, but I hear that unmap is supported on illumos and closed-source solaris 11. Without a research deep-dive, I have every reason to expect it works. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Thin Provisioned LVM
From: ma...@mohawksoft.com [mailto:ma...@mohawksoft.com] From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of ma...@mohawksoft.com says give ZFS whole disks, which is stupid. Mark, clearly you know nothing about ZFS. Think what you wish. Maybe I'm not explaining the problem You're explaining your thoughts well - it's just that you're saying a lot of things that demonstrate lack of understanding of ZFS. Normally I like to react to those kind of things in a helpful manner, but for 1, you're certainly writing the stuff much faster than I have time to react to, and for 2, based on a zillion similar things you've written here before, I believe you have some kind of personal bias that I don't understand, some kind of personal resentment for zfs. I don't think anything I can say is going to change your mind about anything, so it would also be a waste of time for me to react to your zfs comments for your sake. I personally believe each tool is a tool, and has characteristics different from each other, and based on those characteristic differences, each tool is better for certain situations. But as I mentioned, there's *almost* no situation I can think of where I would choose lvm over zfs. I only want to tell people don't listen to what this guy says about zfs. If you want to know, start a different conversation about it. But if you want to know how to make lvm do something - ask Mark. He loves it, and uses it more extensively than anyone I know. Just don't listen to his comparisons of lvm and zfs, because they are largely inaccurate and unfairly biased. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Thin Provisioned LVM
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of ma...@mohawksoft.com says give ZFS whole disks, which is stupid. Mark, clearly you know nothing about ZFS. Also, it's clear you have an axe to grind, which makes anything you say about it take it with a grain of salt. I've personally used a lot of zfs, and a lot of lvm, and there is barely any situation that I would ever consider using lvm ever again. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Securing a VMware ESXi server at a colo site?
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of John Abreau I'm considering using the free edition of VMware ESXi 5.5 at a co-location site. If I understand correctly, the free edition doesn't include the management console application, so I would have to manage it via a web browser. How do I set it up so I can manage it remotely in a secure manner? My initial thoughts are to close every port on the host server except ssh, and lock down ssh in the usual manner: disable protocol 1, disable password Nope, nope, nope, nope. First of all, ESXi is not to be managed via ssh. Although you can enable ssh, and lots of useful things can be done that way, it's the most difficult way to do anything, it's unsupported, and lots of unexpected gotchas will certainly getchya. The right thing to do is to install vSphere Client on a windows machine, and use it to remote admin the server. The *only* thing you should do outside of vSphere Client, is to boot from the install disk, enter IP address, and root password during bare metal installation. Also configure your RAID card in BIOS. That being said - you absolutely, definitely, should not open vSphere traffic over the internet. You'll need a VPN, connected to the primary network interface of the ESXi host, which you'll use for management. Let all the VM's use a different ethernet jack, so the VM traffic is isolated from the management traffic. The only way to get to the management interface is via your VPN. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Securing a VMware ESXi server at a colo site?
From: John Abreau [mailto:abre...@gmail.com] Is the vSphere Client part of the free edition of ESXi? I thought I had read somewhere that it was only for the commercial edition of ESXi, and that you had to manage the free edition through a web interface. They're always changing stuff, but I currently use ESXi 5.1, and vSphere Client 5.1. The client username/password dialog says In vSphere 5.5, all new vSphere features are available only through vSphere Web Client. The traditional vSphere Client will continue to operate, supporting the same feature set as vSphere 5.0, but not exposing any of the new features in vSphere 5.5. I've never used the web client yet - I seem to recall that all the new features were for-cost premium features, and I seem to remember getting roadblocked with the web client when I tried it once - and I basically concluded that the new way of doing things was the non-free way. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Securing a VMware ESXi server at a colo site?
From: John Abreau [mailto:abre...@gmail.com] I did a bit of googling to see how to setup a vpn server on the ESXi host, and it seems that's not possible. And managing the host through a vpn running on a guest VM sounds unreliable; if you need to use the management console to fix a problem that affects the vpn server guest, you have no access to the management console until the problem is fixed. So it seems I'll still need a separate physical server to provide the vpn. Correct(ish). You should not imagine ESXi as being a normal linux - although it runs a linux kernel, it has little to no semblance to any normal linux distribution that you're used to. It is intended to be a bare metal black box, and it's generally best to let it be that way. As I said before, there is some useful stuff you can do via ssh, but good reasons to avoid it. Presumably you have some other backup solution available, right? Don't expect the host OS to do anything useful in terms of software raid or backups, or even hardware raid management. HW raid management is a whole separate subject - Some things you can do, others you can't. The *best* solution is to have the ESXi host running VM's, which are network shared via iscsi from a storage server, which is *designed* to do storage and iscsi well (such as a ZFS server). I like to run ESXi diskless, because they do crap for disk management. You *can* install a VPN server in a VM running on the ESXi host - and I have before - and it works fine - as long as nothing goes wrong with that guest VM. Some time ago, I had to put in extra effort to make pfSense work in a VM, but I think the recent versions actually support it, or something - you can check with pfSense if you want. Of course, if anything goes wrong with your ESXi host, you'll be glad to have a separate hardware vpn, and remote access to the iLom or whatever. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Startup?
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro I've been involved with or on the distant periphery of the startup community for several decades, and one of the fastest ways of spotting a novice is the degree to which they are protective of their idea. Some people even expect VCs to sign an NDA. Agreed. But that's why I said be careful what you expose. Because your exit strategy, if you want to gain Angel or VC investment, will be acquisition. And in order to get acquired, it's very likely you'll need your inventions patented. And you'll be unable to patent what you publicly disclosed. So pay attention to what was written and what was said, and under what protection it would fall. I've heard from dozens of people, that VC's and Angels don't do NDA's. I have found this to be incorrect - I simply ask them, and about 80% of the time, they agreed to do it. It depends on context - No you probably won't get them doing NDA's with you as a stranger, but warmer introductions stand a good chance. It comes down to them protecting themselves - If they meet and discuss innovative ideas with dozens of entrepreneurs per week, they see so many new ideas, they can't afford the risk of being under agreement with any of them, who might be in conflict with others. You can easily enough prepare material to present, which will communicate your core idea, without causing a patent problem or other conflict. Get over the idea that people are out to steal it. The hard part is *not* the idea. It's executing the task of bringing it to market. Being willing to invest years of your time; being able to convince multiple investors and initial hires that it is worth pursing. Almost no one you will encounter can be bothered to do that. The danger is not that someone will steal it. The vastly more likely scenario is that you won't find anyone who believes enough in its validity to put money onto it. Agreed that rarely is someone out to steal your idea, and agreed that the hard part is successfully delivering to market. Disagreed that noone is interested in your original idea. The biggest surprise that hit me out of *everything* was the patent process. At some point, you're going to need to patent stuff... In my opinion a waste of time. Patents work out well for small startups about as well as people winning the lottery. Sure there are success stories, but for every one there are thousands (or hundreds of thousands) or organizations that invest the time and legal fees in patent filings that either end up being for products that fail, have no licensing market, or never benefit from the legal protection. The legal protection is probably not the reason you patented something. The legal protection is probably necessary in order to get acquired. Any competitor or potential acquirer is going to look at your product, barriers to entry, cost to recreate, and all of that is going to be a factor in how much they are willing to pay for an acquisition. So actually the legal protection *is* the reason you patented something - when those guys evaluate your business, they'll know if your patent is valuable or not. It's not that you want to use your patents for suing anyone. It's that the patents add value to the business. softer target than a VC. And now we have incubator and crowdfunding as ways to get seed cash and gain visibility to 2nd round investors. No crowdfunding, unless you're talking about something like kickstarter or indiegogo, where you sell some kind of swag or early release versions of the product. The point is - No securities via crowdfunding. I think this is described on the SEC page that I linked to before - in 2012 there were some new provisions created for crowdfunding selling securities, but I have talked to the lawyer, and it's effectively useless. Maybe someday, but not now. Ask the lawyer if you care. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Startup?
From: John Hall [mailto:johnhall...@gmail.com] What about all the expenses for administration and legal services ? Isn't this part of why you'd seek an angel investor? You'd *better* be able to swing that much yourself. A few grand of expense here or there, and a year of working without pay... Or enough taken via friends family to be able to swing it. No - your angel or VC investment (or ycombinator/masschallenge/etc) is at *minimum* $50k-$200k, but more typically $500k to $3MM. These funds are mainly dedicated to hiring developers, licensing tools, marketing people and marketing expenses, manufacturing if applicable. Things that are much larger than an individual would be able to take on themselves. They're generally expecting you have some way of dealing with legal and administrative costs, sometimes even patenting, out of pocket yourself, and depending on a lot of stuff, might expect you to already have a working product and paying customers before taking on the investment. I have been *extremely* pleased to see how much mileage we got out of asking people simply, Would you be willing to work on credit - we'll pay you later if we can - or work for some vague promise of options - I promise a non-specific number of shares and a non-specific percentage of the company, when and if we create an option pool later? When people trust you to be honest, and they acknowledge the risk of the business potentially failing, and they understand they *might* get nothing, or *might* be able to get something much bigger than their normal hourly rate if the business is successful, and they're just simply helping somebody that they like, or contributing to a cause they want to support - A lot of people are willing to contribute this way. The small investors - $50k to $200k are generally more inclined to take on early stage seed investments, where you might not have all that much developed yet, you at least have proof of concept but need more development and patent work done etc. You better be prepared to work unpaid, and *really* stretch those dollars, to deliver a lot of bang for buck. And then go for something larger, when you've got something successful and outward facing, with a proven business model and just need to expand development and marketing and sales. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Startup?
From: Edward Ned Harvey (blu) Oh. Definitely read this. It helps a *lot* to understand how you should be incorporating and who/how to invest. http://www.sec.gov/info/smallbus/qasbsec.htm Oh yeah. This too: http://fundersandfounders.com/how-funding-works-splitting-equity/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Startup?
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Steven Santos Have any of you ever pitched a big idea to an angle investor? Any advice for pitching such a big idea? Where do you find an angel investor for such a thing? This is something I now have a lot of experience with. My advice would be first of all, be careful what you say to anybody - The biggest surprise that hit me out of *everything* was the patent process. At some point, you're going to need to patent stuff, and anything you disclosed prior to filing for the patent, is potentially at risk. The US has just about the most lenient laws, where you're able to patent something up to 1 year after public disclosure, but generally speaking worldwide that is not recognized, and not a valid practice. Generally anything you disclosed prior to patenting becomes unpatentable. You're going to need legal counsel for incorporation - I have two good references I'm happy to pass along off-list - both are likely receptive to working on credit - allowing your bills to pile up until such time as you're funded and able to pay them, because they know the fastest way to destroy your startup is to demand you pay their bills straight away. Reach out to all your friends and contacts, get all their advice. Become comfortable with having everyone sign NDA's so you're not publicly disclosing anything. Get your form NDA from your legal counsel - because if you download from the internet, there are lots of different ones that are valid and invalid in different regions. Understand that all your friends contacts are going to give you conflicting advice. That's not the point. The point is, when you pitch to investors, *they* are also going to give you conflicting advice. Every one of them tell me what investors are looking for and none of them say the same thing. By talking everything over with all your friends contacts, you're going to build up buzz, and they're going to surprise you with the contacts they can introduce you to. By getting more exposure to them all, you'll be more prepared for each one. Carefully manage your exposure to investors. They are thick with each other, and nobody wants to feel like they're getting seconds on a deal that they've already heard about through some colleague in a different group. Ultimately, you'll *need* one or more of them to personally advocate you within the group. Your chances are *much* better if you can get personal introductions rather than cold approaching them. All different people are going to give you different advice about how to find and approach potential investors - Attend groups like Venture Cafe, and Ycombinator, and MassChallenge, Boston New Tech... And a bunch of others... Go attend those groups before you're ready, just so you can see what other people say and see what they present, and see what peoples' reactions are to them. You'll be improving your own personal skills just by interacting with the community. Be prepared to share some stake in the company to whoever advocates you. It is very common practice. Talk to your lawyer about what's legal and what's not; there is a fine line. You need to be careful what you say and how you say it - especially in email. Do everything you can to generate buzz. Present at meetups and conventions, etc when you're ready. Try to find some mentors who have been through this sort of stuff before. One of the best things I did was to do an initial Friends Family round of investment, in which, a handful of people I knew invested - and surprised me with the amount of knowledge they're able to contribute. I send out regular status updates and solicit their input, and anytime I have to make tough decisions, I call them up and discuss. Not only do they have valuable contributions to make - they have a stake. You'll often hear the phrase Friends, Family, and Fools, because naturally a lot of people doing this will not be very well qualified. But if you do it right and get some knowledgeable people on board, it can be valuable. Oh. Definitely read this. It helps a *lot* to understand how you should be incorporating and who/how to invest. http://www.sec.gov/info/smallbus/qasbsec.htm ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] perl/Tk
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of dan moylan trying to install perl/Tk Eee... Gross. the cpan installation went on for quite a while, but at the If there was ever an argument for why perl sucks, besides the language itself being crap, it's cpan, which sucks bigtime, for exactly the reason you're observing. Developers develop on some system, they test on their own systems, and it is *frequent* that something in cpan fails to build where you're trying to use it, and there is no way to specify an old version that was known to work on your system. any suggestions as to where i go from here? Despite me hammering on it, you're probably not going to abandon perl. Which you should do. In the past whenever I needed to make something work anyway, here's my advice - First of all, see if you can abandon cpan, and use packages that are built in to your yum repository. Much more reliable (and faster.) If that doesn't work, you can try building those modules by hand - I've had about 50% success in hand-building modules bypassing cpan. Really the best thing you could have done was to download cache the packages, and document the build process so you could repeat it in the future if you need to. But it's *such* a hassle. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Steve Gibson's SQRL
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro SQRL Every authentication system, no matter what, is based on a combination of something you know, or something you have. Nothing against SQRL, but SQRL is something you have - it's yet another key manager - so it comes down to a choice of which characteristics and usability you like. The only thing you always have is your biometrics - but you don't always have your biometrics device (fingerprint/handprint/retina scanner etc) When passwords are chosen poorly, they offer little or no technical protection - but surprisingly, even if your password is password or 123456 it provides quite a lot of legal protection. The case study in 3rd party exposure is a postcard going through the mail vs a sealed envelope. You have no reasonable expectation of privacy for the postcard, because all the mail handlers could have seen the message plainly. The sealed envelope - while trivial to open and even stealthily re-seal - provides a reasonable expectation of privacy and therefore protected by 4th amendment. I am in favor of 2-factor authentication, involving something you know, *and* something you have. Because something you have can often be stolen or copied. But I am strongly opposed to *exposing* something you know to the server. This is what we created https://cbcrypt.org for. It takes hostid, username, and password, and converts them into an asymmetric keypair. Only the public key gets exposed to the server, so the server is able to confirm that *you* know your secret, without the server actually knowing your secret. Also, if you carefully select a long complex password, it's absolutely possible (though unusual) to memorize something complex enough to be used as an encryption key, strong enough to *actually* keep out the most sophisticated brute force attacks. Although it's rather unusual you need to select a password *that* strong. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] os x = poop?
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Eric Chadbourne The GitHub for OS X app is probably the most user friendly way to use git I’ve seen yet. The problem with the github app is the fact that it only works for github. I would recommend SourceTree instead - it's free, and excellent, and you won't have to learn a new GUI when you do something that's not on github. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Most common (or Most important) privacy leaks
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Jerry Feldman Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work. I agree with this. This should also be employed in home security systems also. Of course there's an easy countermeasure to that too - The guy with the gun says Ok, login. And if you fail to put the moneyz into my hand, blam. Anybody in the hot seat would be stupid to *use* the Yes I'm logging in but I'm being coerced password, unless there was more at stake than just their own life. Useful for national security situations - not useful for protecting your bank account. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] Does anyone here know someone who's been victimized?
I have spoken with two IT people, whose servers had been compromised and used to deliver some sort of illegal content, presumably sold from malicious person 1 to malicious person 2 on the black market (silk road or whatever). Of course it's also possible to have things like a hacked dropbox or google account or whatever - used by bad people - where the legitimate user is essentially victimized, or possibly even framed for having some sort of illegal materials. I'm looking for reports or stories of that nature - Do any of you know anyone whose servers, or accounts, have been victimized and basically the cops or the FBI come knocking on your door because somebody without your knowledge stuck some illicit stuff in your account, or used your server to do bad stuff on the net? ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Most common (or Most important) privacy leaks
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Rich Braun Please, flippant answers like that aren't helpful. No, Rich. Gordon is right. Your argument was thug gets bank statement, holds gun to head, and you want plausible deniability, which you lost at thug gets bank statement. The tiny grain of truth in your argument was that by forcing you to log into *any* password manager, they've gained access to *all* your stuff. Which is an argument against using any password manager, or anything other than memorizing different passwords for every site you ever use. So your argument was pretty much bunk and the grain of truth is completely impossible to ever satisfy ... except as Gordon said ... basically don't own anything. Plausible deniability is important in some cases. Not compatible with a password manager. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss