Re: [Discuss] Unusual error message after tar ops
On 7/24/2018 5:31 PM, Bill Horne wrote:
> I'm able to log in using ssh with key-based authentication, but then I'm
> receiving a "password:" prompt. I enter what should be the password for
> the new machine, but then I get this message:

Check that:

Private keys are owned by the user's default UID/GID with permissions no more open than 600.

.ssh and $HOME are owned by the user's default UID/GID with permissions no more open than 700.

All directories above $HOME are owned by the user's default UID/GID or by root/root with permissions no more open than 755.

This is new in recent-ish versions of OpenSSH. Any failure of the above causes sshd to reject key-based authentication.

> Password:
> newgrp: failed to crypt password with previous salt: Invalid argument
> Connection to (New machine name) closed.

I can think of a few possible causes but I think that the most likely is that there is a GID mismatch for the account.

--
Rich P.
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
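A checker for the permission list above, as an added example that is not part of the original message. It assumes GNU stat (-c '%a' and '%u:%g'); the function names and the optional TOP argument, which bounds the walk up the directory tree so the checker can be run against a scratch tree, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): checks the sshd key-authentication
# prerequisites listed in the message above: the private key no more open than
# 600, ~/.ssh and $HOME no more open than 700, and every directory above $HOME
# no more open than 755 and owned by the user or by root. Assumes GNU stat.
# TOP (optional) is this example's own addition: it bounds the upward walk.

# mode_within FILE MAX: true if FILE has no permission bits beyond octal MAX
# (setuid/setgid/sticky count as "beyond", so a 1777 directory fails 755).
mode_within() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$m & ~0$2 )) -eq 0 ]
}

# owned_by FILE UID GID [root]: true if FILE is owned by UID:GID, or by
# root:root when the fourth argument is the word "root".
owned_by() {
    og=$(stat -c '%u:%g' "$1" 2>/dev/null) || return 1
    [ "$og" = "$2:$3" ] && return 0
    [ "${4:-}" = root ] && [ "$og" = 0:0 ]
}

# check_ssh_perms HOME KEY UID GID [TOP]: print one line per item on the list
# that fails; return 1 if anything failed, 0 if the whole list passes.
check_ssh_perms() {
    home=$1 key=$2 uid=$3 gid=$4 top=${5:-/}
    bad=0
    if ! owned_by "$key" "$uid" "$gid" || ! mode_within "$key" 600; then
        echo "FAIL: $key must be owned by $uid:$gid and no more open than 600"; bad=1
    fi
    if ! owned_by "$home/.ssh" "$uid" "$gid" || ! mode_within "$home/.ssh" 700; then
        echo "FAIL: $home/.ssh must be owned by $uid:$gid and no more open than 700"; bad=1
    fi
    if ! owned_by "$home" "$uid" "$gid" || ! mode_within "$home" 700; then
        echo "FAIL: $home must be owned by $uid:$gid and no more open than 700"; bad=1
    fi
    # Every directory above $HOME, up to TOP (default: the root directory).
    d=$(dirname "$home")
    while :; do
        if ! owned_by "$d" "$uid" "$gid" root || ! mode_within "$d" 755; then
            echo "FAIL: $d must be owned by $uid:$gid or root and no more open than 755"; bad=1
        fi
        if [ "$d" = "$top" ] || [ "$d" = / ]; then break; fi
        d=$(dirname "$d")
    done
    return "$bad"
}

# Usage on a real account (user name and key path are placeholders):
#   check_ssh_perms /home/bill /home/bill/.ssh/id_rsa "$(id -u bill)" "$(id -g bill)"
```

sshd's own version of this check is the StrictModes setting, and a failure shows up in the server's auth log as "Bad owner or modes for ..." before the fallback to password authentication, so the script is a way to find the offending path from the client side when all you see is the unexpected password prompt.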
[Discuss] And now: Pi-Hole
I really should have set this up much sooner. It isn't difficult, and since I was already using dnsmasq for local hosts and cache anyway it was almost a straight drop-in. I had to change my local config a bit because dnsmasq gets cranky when it detects duplicate configuration directives.

It's interesting to see what it blocks, and the top blocked domains list is telling: googleads.g.doubleclick.net and www.googleadservices.com look-ups are blocked 10-50 times as often as other advertising domains.

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/29/2018 3:33 PM, Derek Martin wrote:
> That's essentially what I mean. But I have to replace it with
> *something*... and as I think this thread has shown, there's no
> one-size-fits-all-nerds solution, and exactly what to do instead
> requires some thought. And some time spent on it, to reorganize

I'm sorry, but whut? You stand up a Dovecot IMAP server with Maildir.

> data, convert mail formats, etc., which if I'm being honest, I'm
> loathe to spend. What I've mostly been trying to say is I have the

Data and format conversion is simple: you don't. You use something like isync (mbsync) to copy your existing mail stores to the new server and let it do the heavy lifting. Or you can set up multiple mail servers with your MUA of choice and copy your mail from the old store to the new. Either way works.

There's your mail storage. Assuming you have a working MTA: use Dovecot's deliver tool to deliver mail to users' inboxes. This applies to both direct delivery from the MTA and when using Procmail.

Done.

--
Rich Pieri
Re: [Discuss] Running a mail server, or not
On 6/28/2018 10:44 PM, Mike Small wrote:
> And then the IMAP client wouldn't have Gnus's killer feature, the
> ability to "expire" a mail so that it 1. isn't visible again unless I
> open the folder to show read articles and articles with similar kinds of
> marks and 2. in some number of weeks, but not the day before tomorrow

I wouldn't call that a feature per se. It's an artifact of Gnus treating mail sources like Usenet news.

Personally, I gave up on using Emacs for reading mail. I had too many file corruption problems caused by how RMS chose to implement 8-bit character data.

--
Rich Pieri
Re: [Discuss] Running a mail server, or not
On 6/28/2018 8:03 PM, e...@linuxmail.org wrote:
> Your third bullet hits a nerve with me. I see so many apps in the Google
> Play store that haven't been updated in more than a year, sometimes two
> or even longer, why leave it in there if the developer isn't doing
> anything with it... Would be nice to see a policy that if an app isn't
> updated in x number of years, contact the developer and inquire, if no
> response, remove the app.

Oh, no. Oh HELL! NO. That would be *SO* bad. It would be like every DRM music "purchase" service shutting down and denying you the music you paid for *and* every MMO which you paid for shutting down and leaving you with nothing rolled into one.

> I think Comcast is still using dovecot for its mail server, I'm seeing
> dov-this and dov-that in current mail headers and past headers actually
> referenced dovecot, but I'm still not comfortable with all of their
> connections from outside logged as standard SMTP.

There are so many things about Comcast that I'm not comfortable about that them not saying "ESMTP" in mail headers doesn't even rate.

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/28/2018 7:32 PM, e...@linuxmail.org wrote:
> For a community-developed app, it /would/ be nice to see K-9 updated a
> little more frequently than 6 months.

Again, so what?

> Maildroid, which AFAIK, is not community-developed, has more frequent
> updates. This might be a better alternative.

Actually, frequent updates to a mail program suggest to me:

* It's buggy
* It's missing essential features
* It's being padded with fluff in order to say "new!" on the app store
* or some combination of the above

None of which are likely to endear me to that program.

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/28/2018 7:21 PM, e...@linuxmail.org wrote:
> K-9 Mail is a decent app, but it hasn't been updated since January.

So what?

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/28/2018 5:36 PM, Derek Martin wrote:
> vice versa). So I chose mail stores based on my access pattern and
> desired notification behavior for the given folder...

... reads that again.

... bangs head on desk.

This is not something you redesign. This is a dumpster fire that you should abandon.

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/28/2018 4:03 PM, Mike Small wrote:
> client side I think it can be made bearable. Or probably I should just
> go find the instructions on sdf for setting up an IMAP client and
> install one on the phone. One of these days.

K-9 Mail. Get it. Setup is straightforward for reading and retrieving, maybe not so straightforward for sending depending on what account types you have at SDF.

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/27/2018 7:05 PM, e...@linuxmail.org wrote:
> I've noticed when e-mail comes into a Comcast address, the sending mail
> server (Yahoo/AOL (when it works), Gmail, mail.com, GMX, etc.), the
> receiving Comcast server receives it with SMTP. But when Comcast sends
> an e-mail out to one of these services, it sends with ESMTPS (secure).
> Why secure connections one-way and not both directions?

My WAG? Comcast are logging all connections as SMTP regardless of encryption.

> I have also noticed when sending through Yahoo/AOL (again, when it
> works), even though the Thunderbird settings are set to use SSL or
> STARTTLS, the receiving Yahoo server always receives it with SMTP.
> Server mis-configuration there?

If Thunderbird is configured to use SSL/TLS for a given account or outgoing mail server then the connections are always encrypted. Always. STARTTLS is opportunistic so connections might or might not be encrypted.

--
Rich P.
Re: [Discuss] Discuss Digest, Vol 85, Issue 20
On 6/27/2018 4:38 PM, Rich Braun wrote:
> So? In order for anyone to mount a successful attack on my email
> stream, they'd have to first find out that you're one of my
> correspondents and then (somehow) correlate the 1-in-10,000 chance
> that your properly-configured email server fails STARTTLS on a stream
> between your server and one in Toronto somewhere--with my identity.
> I'm totally cool with that.

Or I become a MITM and force all STARTTLS attempts to fail, which is not hard at all if "I" control any of the backbone providers carrying the traffic (STRIPTLS, for example). You can mitigate this by requiring TLS for all SMTP connections but doing this is a self-inflicted partial denial of service attack.

> There are lots of other first-world problems that keep me up at night
> but prying eyes no longer are, since that 2002 federal-case.

Exactly, sort of. I've long since accepted the fact that email is not private. Maybe someday it will be private, but for that to happen RFC 2821 needs to be overhauled (again) to require trustworthy encryption, and that overhaul needs to become ubiquitous. I'm not holding my breath :).

--
Rich P.
Re: [Discuss] Running a mail server, or not
On 6/27/2018 3:03 PM, David Kramer wrote:
> I believe very strongly in "Perfection is the enemy of progress". Just
> because I can't completely protect my mail from others doesn't prevent
> me from doing what I can. However, other parties having access to my

It's not about achieving perfection. It's about knowing that sometimes opportunistic TLS won't be there and acting accordingly.

--
Rich Pieri
Re: [Discuss] Running a mail server, or not
On 6/27/2018 1:58 PM, Rich Braun wrote:
> I don't see how we're in disagreement here. Naturally, if you send to
> a listserv like blu.org, there will be multiple hops (most likely but
> not guaranteed to be encrypted). But if you send directly from your
> email to mine, your system will connect to easydns (in Canada), which
> will attempt STARTTLS but not guarantee it; once it's queued at
> easydns, then it's encrypted as it gets to my private installation. I

Operative words: "but not guarantee it". This contradicts the assertion that, "[t]here is no clear text SMTP on the wire." In reality there may be clear text SMTP on the wire.

--
Rich Pieri
Re: [Discuss] Running a mail server, or not
On 6/26/2018 12:09 PM, Rich Braun wrote:
> False. The connections begin and end with STARTTLS. There is no clear
> text SMTP on the wire. An attack must be made against a server, or
> the encrypted stream between.
>
> Prove me wrong.

When I send this message, STARTTLS encrypts the SMTP connection from my Thunderbird to smtp.gmail.com where it is decrypted and queued.

smtp.gmail.com connects to cheyenne.blu.org (blu.org's MX) on port 25 and delivers the message to the list address. This connection might be encrypted (opportunistic TLS) or it might not be encrypted.

cheyenne runs through the list processing, and at one point connects to mx-capricab.easydns.com (your MX) on port 25 and delivers a copy to your mailbox. This connection also might be encrypted or it might not be encrypted.

If you use POP or IMAP then your mail program makes a STARTTLS connection to mx-capricab to retrieve this message.

The only hops that are guaranteed to be encrypted (STARTTLS) are the connections from my MUA to my mail server, and from your MUA to your mail server. The intervening hops might be encrypted, or they might not be encrypted.

--
Rich Pieri
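The hop chain described above, as an added example that is not part of the original message: a script that walks a delivered message's Received: headers and reports, hop by hop, which protocol token the receiving server recorded. ESMTPS, ESMTPSA and SMTPS are what an MTA writes when the hop used TLS; plain SMTP or ESMTP means it did not. The sample message is constructed for this example (documentation-range addresses, hostnames taken from the thread), and the function names are this example's own. It serves the earlier STRIPTLS message in this thread as well, since a stripped hop shows up here the same way as a server that never offered STARTTLS.

```shell
#!/bin/sh
# Added example (not from the original post): per-hop TLS report from the
# Received: trace of a delivered message. Best-effort header parsing: it takes
# the first "from", "by" and "with" tokens of each unfolded Received: header.

# received_hops FILE: one line per Received: header, most recent hop first,
# in the form "sender -> receiver : protocol". Folded continuation lines are
# joined first; parsing stops at the blank line that ends the header block.
received_hops() {
    awk '
        function print_hop(h,   from, by, with) {
            from = by = with = "?"
            if (match(h, /from [^ ]+/)) from = substr(h, RSTART + 5, RLENGTH - 5)
            if (match(h, /by [^ ]+/))   by   = substr(h, RSTART + 3, RLENGTH - 3)
            if (match(h, /with [^ ]+/)) with = substr(h, RSTART + 5, RLENGTH - 5)
            sub(/;$/, "", with)
            print from " -> " by " : " with
        }
        /^$/ { exit }                                       # end of headers
        /^[ \t]/ { if (inrecv) cur = cur " " $0; next }     # folded line
        { if (inrecv) print_hop(cur); inrecv = 0 }          # flush previous
        /^Received:/ { inrecv = 1; cur = $0 }
        END { if (inrecv) print_hop(cur) }
    ' "$1"
}

# cleartext_hops FILE: the hops whose recorded protocol carries no TLS marker.
# Local handoffs (LMTP, "local") land here too; they are not network hops.
cleartext_hops() {
    received_hops "$1" | awk -F' : ' '$2 !~ /^(UTF8)?E?SMTPSA?$/'
}

# sample_message: a constructed three-hop delivery matching the message above:
# MUA -> smtp.gmail.com (submission, ESMTPSA) -> cheyenne.blu.org (ESMTPS)
# -> mx-capricab.easydns.com (ESMTP, no TLS). Addresses are RFC 5737 ranges.
sample_message() {
    cat <<'EOF'
Received: from cheyenne.blu.org (cheyenne.blu.org [203.0.113.10])
    by mx-capricab.easydns.com with ESMTP id 1fZz00-0001;
    Wed, 27 Jun 2018 12:00:03 -0400
Received: from smtp.gmail.com (smtp.gmail.com [198.51.100.27])
    by cheyenne.blu.org (Postfix) with ESMTPS id 4A2B1C;
    Wed, 27 Jun 2018 12:00:02 -0400
Received: from [192.0.2.15] (client.example.net [192.0.2.15])
    by smtp.gmail.com with ESMTPSA id q7sm;
    Wed, 27 Jun 2018 12:00:01 -0400
From: sender@example.net
To: discuss@blu.org
Subject: constructed sample

(body)
EOF
}

# Stand-alone run: the report for the constructed sample.
f=$(mktemp)
sample_message > "$f"
received_hops "$f"
echo "--- hops without a TLS marker:"
cleartext_hops "$f"
rm -f "$f"
```

Received: headers are written by the receiving server, so they record what that server negotiated, not what a middlebox did upstream of it. To refuse the unencrypted case rather than detect it after the fact, the sending MTA has to require TLS; in Postfix that is smtp_tls_security_level = encrypt, with the partial denial of service described in the STRIPTLS message above whenever a peer cannot negotiate TLS.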
Re: [Discuss] Running a mail server, or not
On 6/25/2018 12:07 PM, Rich Braun wrote:
> Not mine, at least not in clear-text. Backbone providers only see
> encrypted streams between my email server and my service providers'
> systems located in France and Canada. I'm not aware of any government

What kind of encryption is used on the backbone connections between your providers in France, Canada and mine in the US? Answer: none. There's clear text SMTP in there somewhere and that somewhere can be used to eavesdrop.

> surveillance that siphons off regular users' encrypted (SSL)
> transmissions for decryption later: there's just too much of that
> data for today's technology except for targeted cases where a
> government has reason to look at a specific data stream. (Remember,

Governments don't need to do that. All they need, assuming they care, is a list of correspondents. Take the lot into custody and apply the prisoner's dilemma.

> every SSL website prefixed https: uses the same type of encryption
> that my email server does.)

My take: email isn't private. Trying to make it private is a waste of my time, and I have plenty of better things to waste my time on than this.

--
Rich Pieri
Re: [Discuss] Linux has 100% of Market Share.
On 6/18/2018 6:21 PM, Dan Ritter wrote:
> If all you need is a large number of processors working on
> different chunks of data, you're absolutely right, Marco.

Such as the kind of high throughput compute that HTCondor was designed to manage. You don't see this kind of compute cluster listed in the Top 500 even though some of the largest high throughput compute grids out there would easily be in the Top 10 by TFlop/s counts. You can get a lot of compute together by grid connecting HT pools. For what it's worth, about five years ago the HTCondor people set up a 4000-core single pool on AWS as a proof of concept.

> If you need to solve physical simulations and models that
> require lots of interprocessor communications, no, you can't
> just run out to Amazon and say "Give me a data center full
> of machines for 24 hours".

Such as what you would throw at a high performance cluster like a Beowulf or pretty much anything ever in the Top 500.

--
Rich P.
[Discuss] Need help configuring OpenVPN on OpenWRT/Windows 10
I have a snazzy new Linksys WRT3200ACM. I installed davidc502's June 2 OpenWRT firmware build. And I followed these instructions for setting up the VPN server:

https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

Copied the configuration and cert/key files to the Windows 10 notebook, installed the Windows OpenVPN GUI client. Tried version 2.4.6 but it errored a lot and wouldn't connect (I had similar problems with the old Netgear router with OEM firmware). Tried version 2.3.18 which connects but does not route traffic through the tunnel.

Any suggestions as to what I'm missing?

--
Rich Pieri
Re: [Discuss] Linux has 100% of Market Share.
On 6/9/2018 8:32 AM, Bill Bogstad wrote:
> I knew that Linux was big in supercomputing clusters, but I didn't
> realize that it now owned that market.

It's owned that market for years. There are some POWER-based systems running AIX like Deep Blue but most of them are AMD64 which means either Windows or something on a Linux kernel.

--
Rich Pieri
Re: [Discuss] through the looking glass
On 6/3/2018 5:55 PM, John Abreau wrote:
> In the test(1) command, if I recall correctly, the greater-than
> operator is "-gt", not ">", and the less-than operator is "-lt", not
> "<".

Yup, but they along with ge/le and eq/ne are for integer comparisons.

--
Rich P.
Re: [Discuss] Changes to OpenDNS?
On 6/3/2018 12:52 AM, Richard Pieri wrote:
> Put the old router back in, still getting the OpenDNS crap. Traced it to
> dnsmasq on my home server which is using OpenDNS IPs even when I tell it
> to only use 8.8.8.8 (for example). Still digging. :P

Oh, by Ghu this is stupid. Or maybe I'm stupid or tired or something or all of the above.

dnsmasq was picking up the old OpenDNS servers from the backup copy of the config file (local.conf.bak). It looks at *everything* in /etc/dnsmasq.d, not just files with a conf extension.

--
Rich P.
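What dnsmasq does with that directory, as an added example that is not part of the original message: it lists the files a bare conf-dir picks up, applying dnsmasq's documented skip rules (names ending in "~", beginning with ".", or beginning and ending with "#"), and what the suffix-filtered form conf-dir=/etc/dnsmasq.d,*.conf would pick up instead, together with the server= line each file contributes. The sample directory, its file names and the function names are this example's own; the two upstream address pairs are the OpenDNS and Google resolvers named in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): show which files in a dnsmasq
# conf-dir are actually read and which upstream "server=" lines come from
# where. Skip rules are dnsmasq's own for a bare conf-dir; a SUFFIX argument
# models "conf-dir=DIR,*SUFFIX", which loads only files ending in SUFFIX.

# dnsmasq_loads DIR [SUFFIX]: print the files dnsmasq would read from DIR
dnsmasq_loads() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        b=${f##*/}
        case $b in
            *~|.*|"#"*"#") continue ;;      # always skipped by dnsmasq
        esac
        if [ -n "${2:-}" ]; then
            case $b in *"$2") ;; *) continue ;; esac
        fi
        printf '%s\n' "$f"
    done
}

# upstream_servers DIR [SUFFIX]: every server= line dnsmasq would see,
# prefixed with the name of the file it came from
upstream_servers() {
    dnsmasq_loads "$1" "${2:-}" | while IFS= read -r f; do
        grep '^server=' "$f" | sed "s|^|${f##*/}: |"
    done
}

# make_sample DIR: a constructed conf-dir with the live config, a stale
# backup copy and an editor backup, as in the message above
make_sample() {
    printf 'server=8.8.8.8\n' > "$1/local.conf"
    printf 'server=208.67.222.222\nserver=208.67.220.220\n' > "$1/local.conf.bak"
    printf 'server=1.1.1.1\n' > "$1/local.conf~"
}

# Stand-alone run: bare conf-dir first, then the *.conf-filtered view.
d=$(mktemp -d)
make_sample "$d"
echo "--- conf-dir=$d"
upstream_servers "$d"
echo "--- conf-dir=$d,*.conf"
upstream_servers "$d" .conf
rm -rf "$d"
```

The fix for the problem in the message is to declare the directory with a suffix filter (conf-dir=/etc/dnsmasq.d,*.conf) or with an exclusion list (conf-dir=/etc/dnsmasq.d,.bak); dnsmasq --test then reports whether the resulting configuration parses, and the listing above shows where each server= line actually came from before the daemon is restarted.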
Re: [Discuss] Changes to OpenDNS?
On 6/2/2018 11:16 PM, Richard Pieri wrote:
> Did Cisco change how the standard OpenDNS servers work?
>
> Or am I seeing an effect of setting up a new router with OpenWRT this
> evening?

Put the old router back in, still getting the OpenDNS crap. Traced it to dnsmasq on my home server which is using OpenDNS IPs even when I tell it to only use 8.8.8.8 (for example). Still digging. :P

--
Rich P.
[Discuss] Changes to OpenDNS?
Did Cisco change how the standard OpenDNS servers work?

Or am I seeing an effect of setting up a new router with OpenWRT this evening?

--
Rich P.
Re: [Discuss] through the looking glass
On 6/1/2018 7:32 PM, dan moylan wrote:
> also b2 writes out empty files abc and xyz.
>
> i've surely missed something fundamental, or did i just
> step into an alternate universe?

What you missed isn't so obvious. "[" is a synonym for /bin/test with the caveat that a closing "]" is required. What's happening is that "[ $st1 > $st2 ]" becomes:

/bin/test abc > xyz

"/bin/test abc" returns true, and you get an empty file because test generates no output, only return codes 0 (true) or 1 (false).

The portable fix is to rewrite your logic because the test command only allows for "=" and "!=" in string comparisons.

The bash-specific fix is to change your single brackets to double brackets: "[[ $st1 > $st2 ]]". "[[" is a bash built-in and it bypasses all of the above problems. But it's not portable.

--
Rich P.
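The redirection trap and a portable alternative, as an added example that is not part of the original message. The message's portable fix is to restructure the logic; this example additionally shows that a lexical ordering comparison can be had in any POSIX shell from expr(1), which does specify string "<" and ">" operators, and why digit-only strings need guarding there. Function names are this example's own, and the stray file the buggy form creates lands in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): reproduces "[ $a > $b ]" being
# parsed as test(1) plus an output redirection, and shows a portable string
# ordering comparison built on expr(1), which POSIX test(1) does not provide.

# redirect_trap A B: run the buggy form in a scratch directory and report
# whether a file named B appeared. Prints "created" or "not-created".
redirect_trap() {
    d=$(mktemp -d)
    ( cd "$d" && [ "$1" > "$2" ] )    # "> $2" is a redirection, not a comparison
    if [ -f "$d/$2" ]; then echo created; else echo not-created; fi
    rm -rf "$d"
}

# str_gt A B / str_lt A B: lexical comparison that works in any POSIX shell.
# The "x" prefix keeps expr from treating digit-only arguments as integers,
# so the result is always string order ("10" sorts before "9"). expr exits 0
# when the comparison is true and 1 when it is false; its printed 1/0 is dropped.
str_gt() { expr "x$1" \> "x$2" > /dev/null; }
str_lt() { expr "x$1" \< "x$2" > /dev/null; }

# bash_str_gt A B: the bash-only form from the message, for contrast.
# [[ is a shell keyword, so ">" inside it is an operator, not a redirection.
bash_str_gt() { bash -c '[[ $1 > $2 ]]' _ "$1" "$2"; }

# Stand-alone run.
echo "buggy form: file $(redirect_trap abc xyz)"
if str_gt xyz abc; then echo "str_gt xyz abc: true"; fi
if str_lt 10 9;    then echo "str_lt 10 9: true (string order)"; fi
if [ 10 -gt 9 ];   then echo "[ 10 -gt 9 ]: true (integer order)"; fi
```

The difference between str_lt 10 9 and [ 10 -gt 9 ] is the point the previous reply makes about -gt/-lt being integer operators: pick the comparison that matches the data, and never rely on an unquoted ">" inside single brackets doing either.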
Re: [Discuss] netpbm
On 5/15/2018 5:02 PM, dan moylan wrote:
> i've managed to copy all but pamflip from old installations,
> but what's happened? where can i find pamflip?

Rolled into pnmflip:

pnmflip(1)                  General Commands Manual                 pnmflip(1)

NAME
       pnmflip - perform one or more flip operations on a portable anymap

Anyway, might I suggest migrating to ImageMagick?

--
Rich P.
[Discuss] PGP/GPG and S/MIME Vulnerability
https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html

> 2. The vulnerability isn't with PGP or S/MIME itself, but in the way
> they interact with modern e-mail programs. You can see this in the
> two suggested short-term mitigations: "No decryption in the e-mail
> client," and "disable HTML rendering."

--
Rich P.
Re: [Discuss] I Hate Ubuntu
On 5/13/2018 3:36 PM, Bill Ricker wrote:
> Rather more interesting would be a report from Ubuntu's upstream full
> distro, Debian.
>
> There was no doubt a major decrease in upstream contributions to Gnome
> during the Unity circus.

And as fallout from the init system controversies that led Ian Jackson to resign as Committee chair. The post-Jackson Committee have made no secret of the fact that they do not like Canonical's politics.

--
Rich P.
Re: [Discuss] I Hate Ubuntu
On 5/9/2018 10:51 AM, Mike Small wrote:
> So maybe the problem is with wanting one operating system to fit all
> problems. Was listening to a John Maddog Hall interview where he
> described the "bad old days" when there were 7 or 8 operating system on
> PDP _'s (forget the model he named), each for different purposes,
> e.g. real time, real time but not so much as the last one, ... So now
> maybe the time is ripe to swing back a little.

This seems a significant part of it. It is possible to have "one" OS that fits different purposes given sufficient resources for the task. Microsoft of course does this with the two major branches of Windows, desktop editions and Server. Likewise Red Hat with the Server and Workstation editions of RHEL. Canonical used to do this with the Ubuntu server editions but now the only difference between Ubuntu desktop and server is the default package sets, and server has a text based installer.

Therein lies the rub. Netplan might make perfect sense on appliances like tablets and game consoles but it has no business being on professional workstations and servers.

As an aside, some PDP applications were the operating systems. MUMPS at MGH for example.

--
Rich P.
Re: [Discuss] I Hate Ubuntu
On 5/8/2018 4:32 PM, A. Richard Miller wrote:
> Here, Rich, try this:
> http://www.ubuntugeek.com/disable-netplan-on-ubuntu-17-10.html
>
> Then you can save your hate for more deserving targets.

I think you're missing the point. Points.

First, these Ubuntu installs are for product testing. For paying customers. Who won't be disabling Netplan. Which means disabling Netplan in the test environments DOES. NOT. HAPPEN.

Second, the YAML version forces dependencies on NetworkManager, systemd, and a(nother) YAML parser without making management of network interfaces any better or easier by hand and only minimally by automation tools like Ansible.

Netplan is a gratuitous vendor change and I will continue to hate Ubuntu for engaging in the practice.

--
Rich P.
Re: [Discuss] I Hate Ubuntu
On 5/8/2018 4:05 PM, Dan Ritter wrote:
> required? it's not automatically overruled by the presence of
> interfaces in /etc/network/interfaces?

Seems to be the case. This is for product testing at work so I can't hack up the stock OS.

--
Rich P.
[Discuss] I Hate Ubuntu
Specifically, I hate Ubuntu 17 and 18. Specifically, I hate Netplan which is a requirement in Ubuntu 17 and 18. Because static YAML files are superior to static interfaces files?

Here's my home server's interfaces file:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp0s31f6
iface enp0s31f6 inet static
    address 192.168.1.202/24
    gateway 192.168.1.2
    dns-nameservers 192.168.1.202
    dns-search rgo.gweep.net

And here is the rough equivalent for Netplan:

network:
  version: 2
  ethernets:
    enp0s31f6:
      addresses:
        - 192.168.1.202/24
      gateway4: 192.168.1.2
      nameservers:
        addresses:
          - 192.168.1.202
        search:
          - rgo.gweep.net

Aside from Netplan's dependencies on systemd-networkd (pffft) and NetworkManager (snicker), I'm just not seeing how the Netplan way is better than the interfaces file.

--
Rich P.
Re: [Discuss] systemd reboot
On 3/5/2018 1:10 PM, Mike Small wrote:
> Thanks, this is great info. Curiously, in my local reproduction of the
> issue the lying hardware involved is qemu's virtio simulated disk. So
> maybe their simulation is super realistic, eh?

No. Virtio is a bridge between guests and host. It doesn't simulate anything.

I still don't think that this is the real root cause, though. Only because the time I did see something like what you describe the cause was an inconsistent mirror set.

--
Rich P.
Re: [Discuss] systemd reboot
The old "sync;sync;sync;halt" mantra is folklore from the days before we had a shutdown/reboot command which does this for us. The first sync flushes any dirty buffers, the second blocks waiting for the first to complete ensuring that there are no dirty buffers when the system goes down, and the third... makes us feel good (it has no technical benefit).

This doesn't work as expected today because most drives lie about committing writes to permanent storage. The second sync won't block unless the size of data in dirty kernel buffers exceeds the drives' write cache capacity and then it will block only long enough for that ratio to flip. If the system restarts, loses power, whatever, when the drives' on-board caches have not been committed then there will be data loss. The Linux kernel code which guarantees that writes are committed doesn't actually work because it relies on drives not lying about their cache commits.

In which case the explicit sync in the script doesn't do anything in terms of flushing data to disk. It does add a small delay between running update-grub and the reboot which, I guess, gives your drives enough time to commit their caches.

--
Rich P.
Re: [Discuss] systemd reboot
On 3/2/2018 9:09 PM, Mike Small wrote:
> I see behaviour where if I change something under /etc/grub.d/, run
> update-grub and then immediately run /sbin/reboot, upon start up grub
> sees the old grub.cfg not the new one. This is a Ubuntu Xenial based

I don't think systemd has anything to do with it. My guess is that you have more than one /boot/grub on the system (perhaps a replica, perhaps a dual-boot system), possibly more than one grub2 installed, and the active loader is reading from one of those alternate /boot/grub points.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/20/2018 8:09 PM, Richard Pieri wrote:
> syncoid is exactly what I need.
> Perhaps sanoid, too, but I want to see it running for a while.

Or not what I need. Rather, I couldn't quite get it to do what I want. It did give me the clues I needed to do it myself which for me is good enough.

Got the two StarTech docks. Sticking with eSATA for these. The ASRock board supports eSATA hotplug when the ports are set to eSATA mode in the firmware. Spinning platters are the I/O limit here (~110-115 MB/s sustained write) so it came down to the fact that the USB/SATA bridge (JMicron) passes a string of zeroes as the drives' serial numbers so only one appears in /dev/disk/by-id at a time.

So yeah. Done. Good little project. In particular I really like the Node 304 case. The design leaves a lot of open space above the motherboard and the sides are wide open with the cover removed. The only time it felt cramped to work in was when I was plugging in the eSATA bracket cables because I didn't want to dismantle the power supply.

--
Rich P.
Re: [Discuss] Boston Linux Meeting Reminder, tomorrow, Wednesday, February 21, 2018 - Secure Keystores with TPM 2.0
On 2/21/2018 12:50 PM, Jerry Feldman wrote:
> That was written by the speaker. Are you planning on attending tonight.
> Would love to hear your insights.

Afraid not. But here is a relevant fact: Apple have not shipped a computer with a TPM since 2006, and even for the few months they shipped TPMs there were no drivers for them so they were unusable. Given the fact that Apple is one of the top notebook vendors in the world, and has been for more than 10 years, that's a significant number of "all notebooks" which don't have TPMs.

Perhaps the speaker meant "all IBM notebooks have come with a TPM". This may actually be true but I have no data to support or refute it.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/19/2018 2:43 PM, Dan Ritter wrote:
> You might want to look at sanoid/syncoid --
> https://github.com/jimsalterjrs/sanoid/

syncoid is exactly what I need.

Perhaps sanoid, too, but I want to see it running for a while.

--
Rich P.
Re: [Discuss] Boston Linux Meeting Reminder, tomorrow, Wednesday, February 21, 2018 - Secure Keystores with TPM 2.0
On 2/20/2018 11:32 AM, Jerry Feldman wrote:
> For decades, all laptops have come with a TPM.

No, they haven't.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/19/2018 12:10 PM, Richard Pieri wrote:
> send/receive. I also need to get a USB3 cradle because the ASRock board
> doesn't have eSATA. Annoying.

Drove to Microcenter this afternoon and picked up a couple of USB docks which are prominently labeled "UASP Support". Neither of them actually support UASP. Going to return them tomorrow on my way home from work. Adding Kingwin to my list of vendors to avoid.

And I'm going to order an internal SATA to eSATA bracket (Monoprice) and docks from StarTech.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/19/2018 2:43 PM, Dan Ritter wrote:
> You might want to look at sanoid/syncoid --
> https://github.com/jimsalterjrs/sanoid/

Interesting. Certainly worth trying out given that snapshots are cheap.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
Finished the migration this morning. Some of my thoughts about the process.

Debian 9. While I don't like the direction Debian has gone with the last few releases it remains the distribution I can most quickly stand up and configure. The system drive still has plenty of room for some other distro which may end up being Void once I get some familiarity with it.

I cheated a little on the physical drive moves. The Synology had one system drive and four data drives, all 4TB WD Red, so I bought one additional 4TB data drive, swapped out the system drive for something smaller, and used the two 4TB drives for the first mirrored vdev. rsync data over, evacuate two drives from the Synology, make a new mirrored vdev, rsync the rest. Including snapshots.

I need to rework my external backups. The script uses Btrfs snapshots and rsync. It needs to be adapted to use ZFS snapshots and zfs send/receive. I also need to get a USB3 cradle because the ASRock board doesn't have eSATA.

> Case: Fractal Design Node 304. Mostly for the six drive bays in a Mini
> ITX form factor.

This case is huge for a Mini ITX. It's easily three times the volume of the 5-bay Synology. This is because it can accommodate six 3.5" drives, a high-end graphics card and the power supply to run them all. And it's fanned and vented for all of the above.

> Motherboard: ASRockRack C236 WSI. One of the few Socket 1151 Mini ITX
> boards out there with ECC. Also, eight 6Gb/s SATA III ports on the board.

ACPI is still a nightmare. In this case ACPI would (I think) cut power to the drives while they were in operation which generated write errors. I'd intended to turn ACPI off anyway but it's "good" to know that it's just as much a problem today as it was when it was first pushed on the world.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/15/2018 1:52 AM, Greg Rundlett (freephile) wrote:
> So what's the approximate cost for that equipment? Just curious since I
> don't have any clue what stuff goes for since I'm not in the habit of
> building systems.

Most of these prices are Amazon. The Motherboard is NewEgg.

Case: $110
PSU: $50
Motherboard: $210
CPU: $116
RAM: $210

About $700 total for parts (no drives). The 4TB WD Red drives are $125 each. The 850 EVO is about $100. And the lightly used WD Blue drive that will be the system drive is $50. Total if I were buying with new drives would be about $1350.

A similarly configured diskless FreeNAS Mini (with Avoton/Atom CPU) is $1000, and about $1900 with disks and read cache.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
Finished the initial build and running Memtest now. Parts:

Case: Fractal Design Node 304. Mostly for the six drive bays in a Mini ITX form factor.

PSU: Corsair CX 450. Probably more power than I need but better to have the power and not need it than needing to replace the PSU.

Motherboard: ASRockRack C236 WSI. One of the few Socket 1151 Mini ITX boards out there with ECC. Also, eight 6Gb/s SATA III ports on the board.

CPU: Intel Core i3-7100. Reasonable price, reasonable performance, reasonable power consumption, and ECC support (i5 and i7 don't support ECC, go fig).

RAM: Kingston ValueRAM 2133MHz DDR4 ECC, 8GBx2. High performance RAM in a box like this is a waste of money.

Drives: 4GB WD Red NAS Storage. These will be swapped out of the Synology box. I'll finally be converting back to ZFS from Btrfs (the box has enough RAM and CPU to handle ZFS). I have a 120GB Samsung 850 EVO not doing anything which I plan to add for L2ARC.

And a bunch of Monoprice SATA cables to connect the drives.

First full Memtest pass just finished. No errors. Nice.

-- Rich P.
Re: [Discuss] node.js and npm on Debian?
On 2/14/2018 10:36 AM, Kent Borg wrote:
> If your answer to my "This is ridiculous!" were "Yes, but it works.",
> that would be one thing. But this stuff doesn't work particularly well,

Yes, it does work well, but not necessarily from your perspective. It works well from the development and deployment side. It works well from that side because WebKit has achieved what Sun attempted with Java: ubiquity. That's very appealing to any developer who wants their code everywhere and doesn't want to deal with however many bajillion ports.

I'm not suggesting that this is how it should be. Just saying how it is. YMMV.

-- Rich P.
Re: [Discuss] node.js and npm on Debian?
On 2/13/2018 4:35 PM, Kent Borg wrote:
> The binary for a modern-day IRC-type program (Slack) is over 80MB. Sure,
> the original IRC didn't have pictures. But 80MB!? I have an internet
> radio program (Tunein Radio) that has an install of 65MB.

Slack isn't a chat program. It's a web browser running a chat program written in JavaScript. Which does punctuate your point: "hello world" as a JavaScript application packaged with a web browser to run it.

-- Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/5/2018 3:07 PM, Greg Rundlett (freephile) wrote:
> However, they don't mention anything in the release notes yet
> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".

Safer to assume the patches are not included unless specifically listed.

> They advise:
>
> - Do not install applications from unknown third-party sources.
> - Do not open or run unknown virtual machine (VM) images on your device.
> - Do not run unknown software in Container Station.

Good advice in general, but telling in the context of a Meltdown/Spectre security advisory. And not necessarily the most useful in the context of NAS vendors with a vested interest in selling lots of add-on software which may not be hard targets.

-- Rich P.
Re: [Discuss] Mothballing Synology NAS
On 2/5/2018 10:30 AM, Joe Polcari wrote:
> I just got an update today which, I think, covers it.

The CVE referenced in the release notes fixes a local privilege escalation bug in ipesc. The Meltdown/Spectre CVEs are still listed as "Ongoing" as of this writing:

https://www.synology.com/en-us/support/security/Synology_SA_18_01

On 2/5/2018 9:33 AM, ma...@mohawksoft.com wrote:
> This is common across the industry. EMC, Cisco, IBM, and others have
> said basically the same thing. I would dump synology because its
> crap, but not because of that.

My IBM references rank Meltdown/Spectre as "High Severity". Likewise, my Netapp references rank them as "High Severity". Cisco (network side) does rank them lower because network gear has a much smaller attack surface than general purpose computers. The people on the Unity side rank them much higher.

But then, Synology's failure to take these vulnerabilities seriously does put them in the "crap" category. :)

-- Rich P.
[Discuss] Mothballing Synology NAS
The Meltdown and Spectre vulnerabilities were publicly disclosed 3 January. Synology posted their own security advisory 5 days later on 8 January listing these vulnerabilities as moderate "because these vulnerabilities can only be exploited via local malicious programs." As if there were no ways for "local malicious programs" to ever be installed or injected.

As of 4 February, a month after the initial disclosure, Synology have yet to release fixes for these vulnerabilities.

I will be mothballing my Synology NAS box as soon as I get a replacement for it up and running. I have the parts. I just need to assemble and test them, install an OS, and move the drives.

-- Rich P.
Re: [Discuss] Converting Windows to Linux
On 1/25/2018 12:53 PM, Greg Rundlett (freephile) wrote:
> After "successfully" installing Ubuntu and rebooting, I get a grub prompt
> so I obviously did something wrong.

This is why making a complete system image with Clonezilla is always always always the first thing I do with any new system.

If you really overwrote the EFI boot partition with grub then you temporarily wrecked the system because that's not Windows. That's the hardware. It's required for booting from GPT drives. Reinstall, and let the installer create and populate a new EFI partition and don't put anything else there. Give grub its own partition to play with.

-- Rich P.
Re: [Discuss] AD/LDAP authentication
On 12/21/2017 6:54 PM, James Cassell wrote:
> Looks like Red Hat has a workaround that consists of joining the
> first domain using the realmd tool, then joining the second domain
> using samba's 'net ads join' tool and copying the appropriate info
> into sssd.conf.

This worked, thank you, with some specific seasonings for how our domains and network are configured (specifically, my DMZ can't see our internal domain controllers in Europe or South America).

It's not perfect. realmd can't control access so I have to manage /etc/security/access.conf by hand. This is better than managing many logins any other way.

Now I need to duplicate this on SLES 12. :)

-- Rich P.
Re: [Discuss] AD/LDAP authentication
On 12/21/2017 6:54 PM, James Cassell wrote:
> Looks like Red Hat has a workaround that consists of joining the
> first domain using the realmd tool, then joining the second domain
> using samba's 'net ads join' tool and copying the appropriate info
> into sssd.conf.

This is exactly what I've been trying to figure out how to do but I couldn't find the recipe. Wrong search terms.

I broke my test server and need to rebuild it but here's hoping that having a recipe to follow will get this working without bringing in any third party tools.

-- Rich P.
Re: [Discuss] AD/LDAP authentication
On 12/15/2017 9:20 AM, Grant Mongardi wrote:
> Ok, that's helpful information.

You're welcome.

SSSD does not handle trust chaining for full user authentication. It's coming according to Red Hat but they don't have it working, yet. I don't believe Winbind ever claimed to support multiple simultaneous domains. If it did then I haven't been able to find any references for setting it up this way.

The Centrify option has been brought up. It's my resort of choice if I can't get native authentication working.

-- Rich P.
Re: [Discuss] AD/LDAP authentication
On 12/14/2017 10:50 AM, Betsy Schwartz wrote:
> Another direction might be to set them both up as slave servers to a
> primary LDAP server .

We'd rather not add more authentication servers or proxies to the mix. Using the two directories directly is preferred if at all possible.

-- Rich P.
Re: [Discuss] AD/LDAP authentication
On 12/14/2017 7:46 AM, Grant NAPC wrote:
> To be fair, you haven't said exactly what you're trying to do. Is this
> for a web application, a system service (SMB, FTP, etc.), or simply
> SSH/SFTP/Desktop access? There are other options in certain cases that

ssh logins. Some users from each domain need full shell access. And I need groups for access controls and file ownerships so even if trust chaining worked for shell logins (it currently does not on RHEL 7) I couldn't use it.

If this were a vanilla Kerberos environment I'd simply configure the two realms in krb5.conf and be done with it. If you know how to do this with two or more AD domains then I'd love to see how you did it.

-- Rich P.
[Discuss] AD/LDAP authentication
On a completely different topic from document conversion...

My employer has two Active Directory domains. I need to set up some Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user authentication. Users get accounts on one or the other, never both. This is a mandate from Legal so the easy answer is off the table.

SSSD and Winbind work for binding to one domain or the other but I can't bind to both at the same time (Red Hat promised this in RHEL 7 but have yet to deliver). So I figure I can use AD for one domain and LDAP bind authentication for the other, or LDAP binds to each domain, but I can't get either working. Yes, I'm doing something wrong. No, I don't know what. And, my Google-Fu is only finding single AD or LDAP auth server configurations.

Has anyone here done anything like this before? Have any references you can point me at?

Thanks.

-- Rich P.
Re: [Discuss] LibreOffice and .docx files
On 12/12/2017 10:03 PM, Daniel Barrett wrote:
> I've written several O'Reilly books in DocBook, such as "Linux Pocket
> Guide." For editing, I used Emacs and the commercial XML editor
> XMLmind. The same DocBook source produced the printed book, the PDF,
> and the eBook.

Sure, but that's technical writing. Professional authors outside of the technical and scientific fields rarely typeset their own works. Their publishers have typesetters who take raw or minimally marked-up text and typeset that, and usually different passes for each different edition of a work. The concept of "write once, read anywhere" simply doesn't exist outside of technical writing.

Never mind that writing DocBook is not writing prose. It's writing code.

-- Rich P.
Re: [Discuss] LibreOffice and .docx files
On 12/12/2017 6:49 PM, Steve Litt wrote:
> The mini-markup languages fail hard when writing whole books in which
> consistency is a must, and specific style to appearance conversions are
> needed. This is because you can't create your own arbitrary paragraph
> and character styles in the mini-markups: You must use a built in style
> that's meant for something else. Which means your emphasized text,
> quotation text and story text will all look like each other.

Assuming you use the lightweight markup language directly. Enter Pandoc. Write your book or paper in Markdown or whatever, use Pandoc to convert (transcribe?) it to LaTeX, import your custom styles and you're golden. If you need that kind of typesetting control then you're going to be hitting LaTeX or something like it anyway.

-- Rich P.
Re: [Discuss] LibreOffice and .docx files
On 12/4/2017 8:43 PM, Dan Ritter wrote:
> You would think that this poses problems of backwards compatibility with
> older copies of Word, and you would be correct. Sometimes Word can't
> open Word-generated files. There have been significant problems
> with Word for Windows vs Word for MacOS.

Also Excel for the two platforms due to the macro language incompatibilities. Which also chokes LibreOffice Calc's macro language which is incompatible with both strains of Excel.

I've sometimes been able to get Google Docs or Calibre to make something useful out of ugly Word files that choke LibreOffice and Word itself. They're not reliable, though.

Could try Scribus. Being an actual desktop publishing tool rather than a word processor with DTP "features" jammed into every crevice it may be able to make sense of the vomit that Word and LibreOffice generate. If it can do that then it should be able to export something less insane than the source.

-- Rich P.
Re: [Discuss] Fidelity voice-recognition security?
On 11/23/2017 12:06 PM, Robert Krawitz wrote:
> Which is irrelevant, since this is about voice recognition, not
> fingerprints.

It is relevant because the genetic and environmental factors that make fingerprints unique also have direct effects on voices.

> The same applies to microphones. They aren't perfect and they vary
> too. And there are a lot more variables with voices/microphones and
> fingerprints: position of the mic wrt the mouth, ambient noise,
> airflow, upper respiratory infections, allergies, exertion, and so
> forth.

No argument. I didn't say it was easy.

> ...except that the synthesized voice can incorporate said analog
> distortion. Decades ago Carver managed to do a pretty good job of
> reproducing a much more expensive Mark Levinson amplifier, using
> purely analog components; that kind of thing can be done a lot more
> easily now.

Again, no argument. Again, I didn't say it was easy.

-- Rich P.
Re: [Discuss] Fidelity voice-recognition security?
On 11/23/2017 7:36 AM, Robert Krawitz wrote:
> Bit of a difference there, you agree?

Yup. Although the "we have no idea" bit is hyperbole because the reality is we do know how unique fingerprints are. Francis Galton did substantial scientific research on fingerprints back in the late 1800s. He estimated the chance of two people having the same fingerprints at around 1 in 64 billion. Take that part of the article with a salt lick (and shame on Scientific American for not calling that out) and look to the parts where it describes the specific circumstances needed to force a collision.

Still, the closure contains good advice. When a chain has only one link you know exactly where to look for that weak link. :)

> Meanwhile, as voice synthesis improves in fidelity...

That's only part of it. Even if (when) you can accurately reproduce any arbitrary person's voice there are still the playback mechanisms. Voice coils are mechanically incapable of exactly reproducing sounds. Even the best speakers can be identified as speakers if your hearing is sensitive enough and you know what to listen for.

On the flip side of that, if you inject the synthesized data stream directly into the system, bypassing speaker and microphone, it can still be detected as a fake because it will lack the analog distortion expected from the handset mic.

-- Rich P.
Re: [Discuss] Fidelity voice-recognition security?
On 11/22/2017 10:42 PM, Robert Krawitz wrote:
> With that much leeway, there's more chance for collision, right?

It depends on a lot of factors. Leeway -- the degrees of deviations allowed for a match -- is just one of the more easily quantifiable factors.

https://www.scientificamerican.com/article/human-voices-are-unique-but-were-not-that-good-at-recognizing-them/

Any biometric system can be spoofed. This is as much a tautology as "any password can be cracked". The difference, ideally, is that a specific password can be cracked by anyone with sufficient power but spoofing a specific voice requires a willing twin sibling with similar enough habits (eating, drinking, smoking, exposure to atmospheric pollution, injuries or lack thereof, etc) to force a match.

I don't see (hear?) voice spoofing to be a credible threat except in rare circumstances. Or financial executives cutting corners on security in order to maximize their personal wealth.

-- Rich P.
Re: [Discuss] Fidelity voice-recognition security?
On 11/22/2017 1:44 PM, Robert Krawitz wrote:
> And voices do change, both short and long term. What happens with
> voice ID when you have a respiratory infection, blocked sinuses, what
> have you?

Which is why any voice authentication system needs some leeway in matching attempts with the baseline. And of course it needs to adapt to individuals' vocal changes over time.

Voices can be recorded but this isn't necessarily good enough. Then again, POTS is restricted to 300Hz to 3kHz, and any system intended to operate in this range is going to have problems. But this isn't a problem intrinsic to voice authentication in principle; it's a flaw in these specific instances.

Then again, again, the number of potential users limited by POTS restrictions is dwindling. Do you use any kind of voice over digital network like LTE or digital cable or FTTP or WiFi calling? Do you use standalone VoIP or chat applications? If so then you're getting 50Hz to 7kHz or better which is more than enough to capture low and high frequency harmonics needed for accurate voice authentication.

It is possible to detect recordings being played back. For example, recordings made outside of controlled studio environments contain noise which won't match ambient noise during playback. Matching noise could be used to detect attempts to spoof the system. An audio engineer or forensics expert (I'm neither) could tell you other ways to detect recordings. Not suggesting that any of them are easy or that any of them can be done in real time, just that it is possible.

So yeah. Voice authentication can work and it can be substantially more secure than passwords (I'm giving passwords the benefit of the doubt as to their security). In principle. Hearing it in practice still, unfortunately, remains to be heard.

-- Rich P.
Re: [Discuss] Fidelity voice-recognition security?
On 11/21/2017 11:27 AM, Daniel Barrett wrote:
> I declined the feature. Fingerprinting a voice uniquely over a
> low-quality telephone line? I can't imagine that's more secure than a
> non-obvious password. What does the security crowd here think?

Passwords suck. Voices are unique. In principle, voice identification can be a good authentication system. In practice, it depends on how many retries and how much deviation from a given user's baseline the system permits.

-- Rich P.
Re: [Discuss] Mirroring of files to all nodes in a cluster
On 11/21/2017 2:20 PM, David Rosenstrauch wrote:
> I'm looking for a Linux utility that will allow me to mirror/replicate a
> directory tree onto each and every node in a cluster, so that the data
> will reside on the local disk on each machine.

csync2
http://oss.linbit.com/csync2/

-- Rich P.
Re: [Discuss] Limit the number of ip addresses which can connect to a port
On 11/1/2017 12:31 PM, Tom Luo wrote:
> If at the same time the person C tries to connect to port 8010 from
> another ip address. the firewall should decline the new connection.

This isn't possible with a firewall. Firewalls don't know users, only addresses and ports. This has to be the application. It's the only piece which has all of the information necessary for this behavior. If you can't add this yourself then submit a feature request to your vendor.

-- Rich P.
Re: [Discuss] Limit the number of ip addresses which can connect to a port
On 10/31/2017 1:11 AM, John Abreau wrote:
> The iptables "-s" option is for specifying the source address.

This doesn't sound like what the OP wants. What it sounds like to me is that the OP wants a license manager: each active IP gets one unlimited use license or lease. The service needs to have appropriate code added to it or maybe a wrapper written around it.

-- Rich P.
Re: [Discuss] Limit the number of ip addresses which can connect to a port
On 10/30/2017 6:08 PM, Tom Luo wrote:
> However, this only limits the number of connections instead of the number
> of ip addresses.
> Any one knows how to do it?

This is your application/service, not the firewall. Trying to do it with a firewall is going to be painful at best.

-- Rich P.
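The three replies above in this thread all land on the same point: a firewall sees addresses and ports, never users, so "one active IP address per user" has to be enforced by the service or by a wrapper around it. As an added example (not code from the thread or from any poster), here is the core of that "license manager": a per-user lease table the application consults after its own authentication step, with the peer address of the new connection. The `LeaseGate` name, the 300-second idle timeout and the addresses in the comments are assumptions, not values from the thread.

```python
"""Per-user single-origin connection gate (added example for the BLU thread).

The first address a user connects from holds the lease; further connections
from that address are admitted; a connection from any other address is
refused while the lease is held. The lease is released when the user's last
connection closes, and it also expires after an idle period so a half-open
connection that never sent a FIN cannot lock the user out of their own account.
All names, timeouts and addresses here are constructed for illustration.
"""
from __future__ import annotations

import logging
import threading
import time
from dataclasses import dataclass

log = logging.getLogger("lease_gate")


@dataclass
class Lease:
    ip: str            # the one address currently allowed for this user
    connections: int   # open connections from that address
    last_seen: float   # monotonic timestamp of the last admit/touch/release


class LeaseGate:
    """Thread-safe per-user lease table. Inject `clock` to make tests deterministic."""

    def __init__(self, idle_timeout: float = 300.0, clock=time.monotonic):
        self._leases: dict[str, Lease] = {}
        self._lock = threading.Lock()
        self._idle_timeout = idle_timeout   # assumed default, tune per service
        self._clock = clock

    def admit(self, user: str, ip: str) -> bool:
        """Return True and record the connection, or False to refuse it."""
        now = self._clock()
        with self._lock:
            lease = self._leases.get(user)
            if (lease is not None and lease.ip != ip
                    and now - lease.last_seen > self._idle_timeout):
                # Stale lease held by another address: the holder went silent
                # longer than the idle limit (typically a connection that died
                # without a FIN). Drop it so the user is not locked out.
                log.info("lease for %s held by %s expired after idle timeout", user, lease.ip)
                lease = None
            if lease is None:
                self._leases[user] = Lease(ip=ip, connections=1, last_seen=now)
                return True
            if lease.ip != ip:
                # The refusal the original poster asked for. Log it: a burst of
                # these for one user is worth a look (shared credentials, or a
                # session being contended from a second location).
                log.warning("refused user=%s from=%s lease_holder=%s", user, ip, lease.ip)
                return False
            lease.connections += 1
            lease.last_seen = now
            return True

    def touch(self, user: str, ip: str) -> None:
        """Call on traffic so a long-lived, active connection keeps its lease."""
        with self._lock:
            lease = self._leases.get(user)
            if lease is not None and lease.ip == ip:
                lease.last_seen = self._clock()

    def release(self, user: str, ip: str) -> None:
        """Record a closed connection; free the lease when the last one closes."""
        with self._lock:
            lease = self._leases.get(user)
            if lease is None or lease.ip != ip:
                return   # a connection from a superseded lease; nothing to do
            lease.connections -= 1
            lease.last_seen = self._clock()
            if lease.connections <= 0:
                del self._leases[user]

    def holder(self, user: str) -> str | None:
        """Address currently holding the user's lease, or None."""
        with self._lock:
            lease = self._leases.get(user)
            return lease.ip if lease else None
```

The service calls `admit()` once it knows who the user is, `touch()` on activity, and `release()` in the connection's cleanup path; the warning log line is the signal to watch for contended accounts.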
Re: [Discuss] Sharing gnupg keyring among computers
On 9/25/2017 3:57 PM, Chuck Anderson wrote:
> YubiKey isn't simply a writable USB mass storage device. It is
> purpose-designed to store secrets securely. They also make a NFC
> version.

I've been looking at YubiKey alternatives (for other reasons) and I learned that the version 4 devices (current generation) are closed source, proprietary.

I'll be the first to assert that being open is no assurance, that it isn't the number of eyes which see it but the quality of those eyes which matters. At the same time, going all-proprietary means that the "right eyes" have a much harder time of it.

-- Rich P.
Re: [Discuss] perl is dead
On 10/10/2017 1:50 PM, Bill Ricker wrote:
> It may come as a surprise, but most GNU/Linux distros still ship Perl too.
> Rumors of Perl's death are greatly exaggerated.

Perl died the day it started barfing on my "legacy" Perl 4 scripts.

-- Rich P.
Re: [Discuss] Reviving topic-Secure Wireless Router
On 9/30/2017 2:56 PM, Rich Braun wrote:
> With the new router, my Apple guy downstairs reports: "That totally
> fixed it!" Now we get a hundred megs through our wi-things. But it's
> a tad more complicated: I had to dig through the somewhat-expanded
> Netgear menus and to find separate SSID and auth settings for 2.4G
> and 5.0G internal components. I now have four SSIDs broadcast where I
> once had one.

I did recently upgrade to 5GHz, right after that last round of home networking discussion because I discovered that the other notebook I thought was 802.11n was actually 802.11ac and prices on .11ac routers have dropped tremendously. So I got a Netgear R6400v2. I'd been running openwrt on a TP-Link 802.11n router and it was fine and all but most of the time I just don't want to play sysadmin and network admin when I come home from work. So I got the Netgear instead of another TP-Link.

I didn't find the multiple SSID and auth settings to be onerous at all. Quite the contrary: Netgear puts the 2.4GHz and 5GHz configurations on the same pages so that both can be configured simultaneously. You *need* to have multiple SSIDs with consumer devices because they don't have the hardware and smarts to handle legacy devices transparently. Even Cisco enterprise gear gets it wrong sometimes so the brute force approach really is the best option for consumer kit.

I briefly toyed with the guest network options to see how they work. They work. Devices on the guest nets don't see the primary LAN. I wouldn't recommend this for any kind of serious enterprise environment but it's more than adequate for home networks.

Really, the only "hard" thing was copying over a handful of port forwarding rules.

-- Rich P.
Re: [Discuss] Sharing gnupg keyring among computers
On 9/25/2017 3:57 PM, Chuck Anderson wrote:
> YubiKey isn't simply a writable USB mass storage device. It is
> purpose-designed to store secrets securely. They also make a NFC
> version.

It's purpose-designed to store secrets separately from the computers using them except for when they are being used. It's an important distinction. The secrets stored on a YubiKey can be extracted verbatim by any program on a computer with a YubiKey plugged into it.

Regardless, the fact that they are writable makes them a potential vehicle for distributing malware. Which to me means that the only places I will use USB fobs like this is on computers owned by the fob issuers for the purpose of issuer-related tasks which require the fobs. Because...

> If you don't trust the computer you are typing into, they none of
> what we are discussing can help.

More generally: If the computer is not compromised then the YubiKey adds nothing to the security of the system. It just makes the system more inconvenient to use. If the computer is compromised then the bad actor can pull the keys out of memory after they're loaded from the YubiKey. Either way the YubiKey provides no practical security in this regard.

GnuPG version 2 itself does things to make extracting keys from RAM difficult but difficult != impossible.

NB: this is using a YubiKey as an OpenPGP smartcard. Using a YubiKey as part of an n-factor or n-step authentication system is a different kettle of fish.

-- Rich P.
Re: [Discuss] Sharing gnupg keyring among computers
On 9/25/2017 3:01 PM, Jerry Feldman wrote:
> Thanks guys,
> I have shared my keyring in the past, but never on my personal laptop, but
> on my encrypted work laptop.

I keep my key rings and related files synchronized across many nodes, been doing it since the early 1990s. When in doubt I wrap keys and related files in TrueCrypt disk images and synchronize those instead of the bare key files (for example: using Dropbox for sync).

I have different keys for work stuff and personal stuff.

I've considered storing the key ring passwords on YubiKeys but, again, little USB thingies are kind of tedious.

-- Rich P.
Re: [Discuss] Sharing gnupg keyring among computers
On 9/25/2017 9:30 AM, Chuck Anderson wrote:
> You could use something like YubiKey to store GPG keys.

You can, but I'm not sure that USB anything is a good idea for GPG keys. If you trust the computer enough to unlock your keys on it then the fob isn't adding any security to the workflow, but it adds complexity and inconvenience. If you don't trust that computer then plugging writable storage into it is a very bad idea.

-- Rich P.
Re: [Discuss] Sharing gnupg keyring among computers
I've been doing this in one form or another since the early PGP days. Given that the stated purpose of PGP and GPG is signing and encrypting mail it makes sense to have an appropriate key chain everywhere mail is sent and read.

Since my most common use of GnuPG these days is XZ2C4 passwords it doesn't make sense to consider any instance a "master". Key stores and key rings are synchronized together between home and moving systems.

-- Rich P.
Re: [Discuss] Secure Wireless Router for Non-Profit
On 9/15/2017 10:09 AM, Bill Horne wrote:
> More importantly, they need a segmented LAN, proxy server, and
> token-access controller to prevent employees or volunteers from adding
> devices or users that aren't appropriate for their network.

They also need a network administrator and a security officer (can be the same person) who understands their requirements and threats, and has the authority to implement and uniformly enforce security policies.

-- Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/14/2017 11:32 AM, Derek Atkins wrote:
> Except that if you have TRUE 802.11b devices, it will downgrade your
> 802.11g network completely to 11Mbps.

Not exactly. Each device transmits and receives at its full capability up to the limits of the AP but 802.11b devices take much longer to transmit and receive packets than 802.11g/n devices. That latency does degrade faster devices' performance but it's not that bad.

802.11b is not a problem at all for 5GHz WiFi devices. Devices operating at 5GHz are unaffected by anything operating at 2.4GHz.

IMO a more serious problem than throughput with 802.11b devices is that they only do WEP. Isolating them on a DMZ with a dedicated access point is a good idea and solves the throughput degradation problem as a bonus.

-- Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/14/2017 9:11 AM, grg wrote:
> Which spec are you referring to? Please cite your source.

IEEE 802.3ab presentation from the IEEE. My Google-Fu is failing to find it. Might be paywalled. :P

The spec hasn't changed since 1999 or so but the industry has de facto standardized things like everything being full-duplex by default.

Anyway. I checked with the network admin at work. He didn't have anything to say about Cat 5 or Cat 5e because it's obsolete at the enterprise level but he did say that Cat 6e runs under 100m are more than sufficient for anything you could do in a home. The only reason to go with Cat 7 is boasting about having full 10-Gig Ethernet capability.

-- Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/13/2017 10:13 PM, Robert Krawitz wrote:
> This is 1000Base-T, with standard cat 5e cable. scp isn't much slower.

You're using full-duplex with Cat 5e? You're off spec. And now I'm wondering if the data corruption problems you were having a few weeks ago were a consequence of it.

-- Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/13/2017 3:49 PM, Shirley Márquez Dúlcey wrote:
> Something that hasn't been noted is that, even in a wireless future,
> you need to feed data to the wireless devices and wires are the best
> way to do it. I need a WiFi access point on each floor to get good

I kinda did but in two pieces and I didn't connect the two: run conduit with pull strings to near-ceiling work boxes where you would mount access points. Then just pull what you need as you need it. Given the premise of ripping out drywall I would suggest two boxes, one for the data conduit and the other for power (Romex).

-- Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/13/2017 3:23 PM, Dan Ritter wrote:
> I have a family of four, plus occasional guests. If I had every
> device that could be connected to ethernet connected to wifi,
> I would spend all my time debugging wifi problems.

Either you exaggerate or you've been doing very very wrong things because for example my brother has WiFi for his family plus guests and nobody there ever spends time debugging WiFi problems. While I don't have the numbers of users that they or you have I spend essentially zero time debugging WiFi problems and I've been almost completely wireless for 3, maybe 4 years now. The singular exception was when I was futzing around with my Raspberry Pi and discovering how awful the Linux WiFi tools are.

> So, no, you don't need jumbo packets to get 900+Mb/s
> out of your 1000Mb/s ethernet connection. That's through
> a very boring Netgear $50 switch.

Information is missing.

1000Base-T is 500Mbps each way (theoretical maximum), but it works with Cat 5e. You cannot get 900Mbps throughput with 1000Base-T. It's physically impossible. Real world throughput with file data is around the 300Mbps I previously cited.

1000Base-TX is 1000Mbps each way (theoretical maximum), requires full duplex switches (I believe but don't quote me on that), and Cat 6 or Cat 7. You can get nearly 1000Mbps throughput with 1000Base-TX if your equipment meets all of these criteria. And the NICs involved have enterprise class features like all of the various CPU offloading capabilities which consumer grade equipment typically does not have.

Again, since this is "future-proofing a house" and not a corporate data center I'm figuring a majority of the equipment in use is going to be consumer grade and not enterprise grade.

Also, Netgear may be boring but it's the best consumer grade networking gear on the market.

-- Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/13/2017 1:48 PM, Bill Horne wrote:
> WiFi-only devices will require that the owner keep updating his
> equipment every time his ISP adopts a new WiFi standard. I feel that the

This has never been a requirement of 802.11 devices. My 802.11b and 802.11g devices still work with my 802.11n access point and I have no doubt that they will continue to work if and when I get an 802.11ac or more recent AP.

--
Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/13/2017 11:44 AM, Robert Krawitz wrote:
> On Wed, 13 Sep 2017 11:38:36 -0400, Richard Pieri wrote:
>> 1080p video streams (MPEG-4) need about 5-8 Mbps burst bandwidth.
>> Gigabit Ethernet has practical throughput about 300Mbps.
>
> ??? I routinely get over 100 MB/sec (>800 Mbps) transferring files --
> even with scp -- between systems with fast enough disks.

If I'm not mistaken that's with jumbo frames enabled. Consumer NICs typically do not support jumbo frames.

Regardless, if you're getting ~2.5 times my throughput estimate then your MythTV usage is consuming about 2% of your available bandwidth instead of my 5% estimate, so instead of wasting 95% of the network bandwidth by not using it you're wasting 98% of it.

If you were doing video editing then that would be a different story. This is large(ish) scale bulk data transfers where high sustained throughput is necessary. But then, you would do this kind of wiring in a studio environment, not the entire residence.

So, yeah, whole-home wiring just doesn't make sense.

--
Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/13/2017 10:35 AM, Derek Atkins wrote:
> You seem to be assuming that all traffic crosses into your ISP. While

As a practical matter, the majority of my network traffic *does* cross into my ISP.

> this may be true for your use case, it is certainly not the case for me.
> I've got a MythTV setup, which means much of my streaming media is local
> traffic. I'd much rather use a wired/switched network for that than
> pollute the shared wifi.

1080p video streams (MPEG-4) need about 5-8 Mbps burst bandwidth. Gigabit Ethernet has practical throughput about 300Mbps. So that stream uses about 5% of the available bandwidth at most. Meanwhile, 802.11g (which I consider to be the least common denominator for WiFi today) can deliver 20-25Mbps, which is more than enough for several simultaneous streams. It's borderline for 4K, but if you're doing 4K video then you've probably upgraded to at least 802.11n if not 802.11ac.

Myth/Plex are not compelling reasons for wires.

--
Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/12/2017 1:19 PM, Bill Ricker wrote:
> I'm glad to hear there's someone even slower to adopt real broadband
> than I was.

I have real broadband: FiOS, 50/50Mbps. Had it since it became available in my neighborhood. It's just that the slowest WiFi devices I have are 802.11g. The others are 802.11n or .11ac. It doesn't much matter how much more bandwidth wired 1-Gig offers when that extra bandwidth can't be utilized.

--
Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/12/2017 12:05 PM, Derek Atkins wrote:
> No, I'm pointing out that wires are better than Wifi by showing actual
> capabilities. If you had a wired network then you'd have that capability
> too. It's just a fact that wired networks are more capable than wireless.

I do have a 1-Gig wired network. I used to have a 100Mbit wired network.

It is useless for my Android tablets. It is useless for my Kobo and my Kindle. It is useless for my Vita, my PSP and my 3DS. None of these have wired networking capabilities.

It is not better than wireless for my Clevo and Surface Pro and PS4, which are constrained by ISP bandwidth being less than local WiFi bandwidth. NB: I do use the wired network with a USB dongle when I make Clonezilla snapshots of the Clevo and Surface, but those are not day to day usage.

It is necessary for my DiskStation because it has no wireless capabilities.

For about a dozen devices the wired network is necessary for 1, better than break even for 2 under special circumstances but otherwise break even, break even for 1 all the time, and a non-starter for everything else.

> Wired ethernet over twisted pair has not significantly changed in 25
> years. [snip]

Actually, yes, it has. The number of pairs hasn't changed but the composition of the pairs has in order to handle the progressive increases in signal frequencies.

Yes, your ThinkPad has wired Ethernet. It's a business class device. Yes, your "smart" TVs have wired Ethernet. They do no better with it than they do with WiFi because the bandwidth requirements for MPEG-4 video and audio are well within WiFi capabilities. Your Macs are great examples of the direction the world is going: no wires.

> But with Cat6 throughout I can always add additional APs wherever I might
> need them. :)

I do believe that my suggestion, going wireless, is the one you "completely disagree" with.

--
Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/12/2017 10:52 AM, Derek Atkins wrote:
> I am sorry, but I completely disagree. Even with modern Wifi, I can get
> much better throughput using physical wires if for no other reason than
> each link can be switched and therefore isn't "shared". With Wifi,
> every device is sharing the medium. I.e., I can get 20-30Gbps aggregate
> across my 1Gbps physical network, versus maybe 1.2Gbps across my 1200AC
> Wifi. And let's not even start with interference from my neighbors!

All true, but you're not making an argument about future-proofing. You're boasting about how fast your network is.

Wires aren't forever. They fail. They're supplanted by new standards. They're not even available on the most common devices today. Running wires is not future-proofing. It's future-obsolescence.

--
Rich P.
Re: [Discuss] Future-proofing a house for networking -- what to run?
On 9/11/2017 9:44 AM, Derek Atkins wrote:
> If you had the ability to future-proof your house (imagine open studs,
> so you could run anything you wanted), what would you run. Assume a max
> of 6 cables per drop?

I wouldn't. Wires for data are the past, not the future, for consumer applications.

Instead I would update the electrical wiring. Start with a circuit breaker panel upgrade to at least include a whole residence surge protector. Each room gets at least one easily accessible box of power outlets which includes USB fast charge power. Each room also gets at least one near-ceiling power outlet box for WiFi repeaters or resonant power stations so that they can be mounted clear of furniture with a minimum of visible power cables.

But if you're still dead-set on running data wires then don't run wires. Run conduit with pull strings so you can easily install whatever you need and remove it later when you decide to replace it.

--
Rich P.
Re: [Discuss] CrashPlan Home is discontinued - what's next?
On 9/6/2017 4:53 PM, Rich Braun wrote:
> software you use. The tools to create such a thing are out there now,
> they just need to be packaged in the way Ubuntu solved the new-user
> installation problem that other Linux distros all had prior to 2007.

No, they're not. The tools exist if you're already a Puppet slash Ansible slash CFengine slash Chef slash Salt slash whatever-flavor-you-decide-to-package guru. For everyone else you need a reliable, fully automatic detection system which can feed the configuration management engine and handle all of the exceptions and snowflakes and other unique things you'll find in a contemporary begadgeted home or the organically grown enterprise and everything in between.

Nobody to date has been able to create such a detection system, and not for lack of trying. It's the holy grail of systems monitoring.

--
Rich P.
Re: [Discuss] Crashplan is discontinued
On 8/31/2017 8:36 PM, John Abreau wrote:
> Has anyone published research into using multiple hashes to address this,
> to determine if two files with different contents could have both identical
> MD5 hashes and identical SHA1 or SHA256 hashes?

And other mechanisms, yes:

https://github.com/sahib/rmlint/blob/master/docs/cautions.rst

--
Rich P.
Re: [Discuss] Crashplan is discontinued
On 8/31/2017 2:10 PM, Rich Braun wrote:
> One of the issues with pics is deduplication, as they're renamed
> across folders. My current rsnapshot approach doesn't cope well with
> that. Could git do this automatically without complex scripting?

Yes, if you use Git to rename files across folders. That is, if you use "git mv" then Git will adjust its internal pointers to say that the new location is the same file.

Personally, I find Git to be a cumbersome sync or backup tool. But then, it's not a sync or backup tool despite several attempts at making it into these things. It's a snapshot tool, so if you're doing snapshots already then introducing Git is of little benefit. From that, filesystem snapshots are better managed by the filesystem. For example:

  Y=`date +%Y`; D=`date +%j`; H=`date +%H`
  btrfs su snapshot -r /btrfs/home /btrfs/.home-${Y}-${D}-${H}

and run an "offline" dedupe tool like rmlint as necessary, assuming you're not doing on the fly deduplication on the filesystem.

--
Rich P.
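An added example, not code from this thread or from rmlint, showing the kind of offline dedupe pass the reply above refers to and addressing the earlier question about relying on multiple hashes: two independent digests (SHA-256 and BLAKE2b, my choice) only narrow the candidates, and a byte-for-byte comparison is the final word, so a digest collision can never cause a unique file to be reported (and then deleted) as a copy. The photo tree it scans is constructed inline; the folder and file names are invented for the demo.

```python
"""Offline duplicate finder with a byte-for-byte final check (added example)."""
import filecmp
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # read in 1 MiB chunks so large images never load whole into RAM


def digest_pair(path: Path) -> Tuple[str, str]:
    """Return (sha256, blake2b) hex digests computed in a single pass over the file."""
    h1, h2 = hashlib.sha256(), hashlib.blake2b()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h1.update(block)
            h2.update(block)
    return h1.hexdigest(), h2.hexdigest()


def find_duplicates(root: Path) -> List[List[Path]]:
    """Return groups of regular files under root whose contents are byte-identical.

    Size bucketing keeps hashing cheap, the digest pair narrows the candidates,
    and filecmp.cmp(shallow=False) makes the authoritative content comparison.
    """
    by_size: Dict[int, List[Path]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # never follow links; a link is not a copy of its target
                continue
            by_size[p.stat().st_size].append(p)

    groups: List[List[Path]] = []
    for size, paths in by_size.items():
        if len(paths) < 2 or size == 0:  # singletons and empty files are not worth reporting
            continue
        by_hash: Dict[Tuple[str, str], List[Path]] = defaultdict(list)
        for p in paths:
            by_hash[digest_pair(p)].append(p)
        for candidates in by_hash.values():
            # Split each digest bucket into true-duplicate clusters by comparing bytes,
            # so even a colliding pair of digests cannot merge two distinct files.
            clusters: List[List[Path]] = []
            for p in candidates:
                for cluster in clusters:
                    if filecmp.cmp(cluster[0], p, shallow=False):
                        cluster.append(p)
                        break
                else:
                    clusters.append([p])
            groups.extend(c for c in clusters if len(c) > 1)
    return [sorted(g) for g in groups]


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one picture renamed across folders, plus near-miss decoys."""
    (root / "2016" / "beach").mkdir(parents=True)
    (root / "2017" / "sorted").mkdir(parents=True)
    jpeg = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 64  # constructed JPEG-like payload
    (root / "2016" / "beach" / "IMG_0001.jpg").write_bytes(jpeg)
    (root / "2017" / "sorted" / "sunset.jpg").write_bytes(jpeg)  # same bytes, new name
    (root / "2017" / "sorted" / "sunset_edit.jpg").write_bytes(jpeg[:-1] + b"\x00")  # same size, 1 byte differs
    (root / "notes.txt").write_bytes(b"unique")
    (root / "empty.dat").write_bytes(b"")


def demo() -> List[List[str]]:
    """Scan the constructed tree and return duplicate groups as relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [[p.relative_to(root).as_posix() for p in g] for g in find_duplicates(root)]


if __name__ == "__main__":
    for group in demo():
        print("duplicates:", group)
```

Only the renamed copy is reported; the same-size file that differs in one byte and the empty file are not, which is the behaviour you want before any tool is allowed to delete or hard-link "copies".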
Re: [Discuss] CrashPlan Home is discontinued - what's next?
On 8/28/2017 2:24 PM, Dan Ritter wrote:
> For people who don't need fancy interfaces and hand-holding,
> rsync.net is probably a good choice.
>
> Simple pricing:
> http://rsync.net/pricing.html

Holy crap! That's expensive.

Me? I'm still using Unison with my home server. Hardware has changed but the process remains the same. More capacity means more snapshot history but it's still the same process.

I've also moved my Clonezilla clones from standalone USB drives to the NAS. Made weekly, keep the most recent 5, in case I ever need to do a bare metal restore.

--
Rich P.
Re: [Discuss] Hyperlink auditing question
On 8/28/2017 1:10 PM, Bill Ricker wrote:
> Advertisers not paying for click-thrus might be a downside, if you
> like the website.

Legitimate advertisers don't use link pings for tracking clicks. Too easy to spoof.

--
Rich P.
Re: [Discuss] Hyperlink auditing question
On 8/27/2017 5:39 PM, Eric Chadbourne wrote:
> Is there any downside to disabling hyperlink auditing in a browser?

Not that I've noticed in several years using NoScript, which forbids by default.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/23/2017 6:48 PM, Bill Ricker wrote:
> Experience on Mars with Rover was exactly the opposite, a gustanado
> cleared accumulated dust OFF panels and restored system efficiency.

The Mars rovers' panels are constructed with electrostatic layers. Run a charge through the ES layers and they repel dust. This works well in arid environments like Mars and the deserts of Arizona, Nevada, California and the UAE, but it does increase the cost and it saps some of the power being generated, so you need more capacity to offset.

ES repellers don't work well, or at all, in humid environments where dust + moisture sticks like mud. For example, the high humidity that generates terrestrial tornadoes.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/23/2017 5:01 PM, Robert Krawitz wrote:
> If a tornado takes out one part of a solar power station, the rest is
> still usable.

Even a small tornado won't simply "take out one part of a solar power station". It's going to throw dust and debris all over the place. Here's hoping your contract with NOMADD is paid up.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/23/2017 3:42 PM, grg wrote:
> In the paper they show that a conventional li-ion battery holds 90% of the
> original charge after 3000 cycles (~9 years of daily cycling); and after

BS.

http://batteryuniversity.com/learn/article/how_to_prolong_lithium_based_batteries

> Nor do those characteristics describe millions of homes and buildings. How
> many buildings do you think are destroyed in Kansas by tornados each year?
> Hundreds, for a survival rate of 99.99%. So no, it's not because cows are
> running away from approaching tornados or because they're sharing Farmer
> John's storm cellar, it's actually because 99.99% of the spots in Kansas
> don't have a tornado land on them.

The size of a home or even a large barn in rural Kansas is a tiny fraction of the size of a 150km^2 (say) power station. Rural homes in Kansas are spread out dozens to hundreds of kilometers apart. So when a tornado touches down the chances of hitting a given home are small and the chances of it hitting several are practically nil. Unless it hits Topeka. That 150km^2 power station? That's the size of Topeka, which got clobbered by a sequence of tornadoes in 1966.

> I guess you'll be surprised to learn that the ground is actually an
> effective heat sink; see the ground loops in heat pumps, which provide air
> conditioning by sinking the removed heat into the ground. Here's a source
> for you: https://energy.gov/energysaver/geothermal-heat-pumps

The ground can hold a lot of heat energy but it doesn't conduct it much. That's why a GHP spreads its ground loop system out across a large area. You're not getting that from burying big battery packs unless you also install the same kind of extensive ground loop system, which costs to install and maintain. Oh, and you've added an extra vulnerability to earthquakes. Yay.

Can ground-based work? Maybe. I don't think so. But even if it can be done? It's still just a stop-gap being marketed as a solution by a man who has a vested interest in selling batteries.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/23/2017 12:29 PM, grg wrote:
> OK, so you're saying that instead of single-digit percentages, there are
> real-world battery installations which get 75%-80% charge/discharge
> efficiency; meaning that if using them we'd only need to make 20%-25% more
> solar power, not 1000% more, to compensate for the loss in batteries.

When new under good conditions. Those numbers drop as conditions change (extremes of heat and cold) and batteries wear out.

> http://www.sandia.gov/ess/docs/pr_conferences/2014/Friday/Session10/04_Vishwanathan_V_Powin_Dispatchable_Battery.pdf

And what are their numbers after 3, 4 or 5 years?

> But somehow, 99.99% of people and corn and cows (not counting that
> unfortunate animal in the movie Twister) have managed to survive there.
> I'm betting solar panels will have a similar tornado survival rate, unless
> we decide to install them only at trailer parks.

That's because people and livestock can seek shelter in foul weather, and plants grow and heal or at the least can be plowed under and the land replanted. None of these describe thousands of square kilometers of solar panels.

> One standard solution to weather exposure would be to house them below the
> frost line, which is only 2'-3' deep in Kansas:
> https://www.ngs.noaa.gov/PUBS_LIB/GeodeticBMs/#figure13
> You'll get a moderate temperature all year round.

Then you're insulating them, which means they'll be that much hotter when charging during warm months. See previous about heat being bad for batteries.

> Luckily, the 10,000 km^2 solar+battery farm will still meet the entire US's
> energy needs even if you replace the batteries more frequently.

Oh, yes. Replace unsustainable batteries more frequently. That's exactly what Musk wants because guess what? He sells batteries. Can you smell the marketing yet?

> Again, if you do the math, it's exactly pi. The equator is a circle; the
> sunlight incident on it is its shadow at this point in space, which is a
> line that is the diameter of Earth - on that line every point is always at
> "noon", and it would collect all the light the equator sees. Will ascii
> art help?

You're ignoring the atmosphere.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/23/2017 9:58 AM, Robert Krawitz wrote:
> "As low as" 50% is a whole lot more than 10%.

As low as 50% when new. Efficiency drops off as batteries age. If you've ever replaced a phone or notebook battery because the battery was worn out then you've experienced this first hand.

> Supercaps have their own problems...not very dense compared to
> batteries, for example. And a lot more expensive for the same
> storage.

You don't need the same storage. That is, you don't need 14+ hours of storage with geostationary solar stations like you do with ground stations. You only need ~70 minutes of storage, which obviates the self-discharge problem that makes supercapacitors less than ideal for long term storage. This assumes one station. With 2 or more stations you will never be without exposure, further reducing the need for eclipse storage.

> The pinnacle at present, maybe. While it's true we can't count on
> particular breakthroughs, it's pretty clear we can count on
> breakthroughs of some kind happening. There may be improvements in
> Li-ion that improve lifetime, charge density, etc. Hopefully we'll

You mean like Li-air and other metal-air concepts, which haven't had the several necessary breakthroughs in the past almost 50 years since the concept was introduced? Breakthroughs are rare, and when you need several for something to be viable? I wouldn't bet on it.

> find something based on non-lithium chemistry, since lithium's

The only element better than lithium is hydrogen. Nothing else is capable of higher charge densities. Since we can't have metallic hydrogen at room temperature and pressure we use lithium. As previously noted, Li-sulfur shows promise but it has serious problems that need to be overcome before it can be commercially viable.

> scarce. And not renewable? Since when? Extract the lithium and use
> it to fabricate new batteries.

Recycling Li-ion batteries costs more than mining the metals and refining the plastics from fossil fuels. Until this changes they cannot be considered sustainable. And, of course, the elimination of the petrol-based plastics is necessary as well.

> Interesting that we can't count on breakthroughs in battery
> technology but we can in space...

We don't need breakthroughs in space for SBSP. All of the technologies exist today. What we don't have is launch capacity to put 10+ kilotons (CAST's estimate for their proposed 1GW station) into orbit. Doing this doesn't require any breakthroughs, just a lot of brute force and enough nations or corporations willing to foot the bills.

That said, there are advances which could significantly reduce those costs. CAST's proposal includes lunar manufacture. With no atmosphere and 1/6th the gravity, launching from the Moon is quite a lot easier than terrestrial launch. Then again, with no atmosphere and 1/6 the gravity, lunar manufacture has its own problems to overcome.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
> OK, so here you're saying that instead of a <10% charge/discharge
> efficiency, batteries actually have a 75%-80% charge/discharge efficiency?

No. I'm saying that chemical batteries have *at best* a charge efficiency of around 75-80% in the real world.

> Agreed! And Utah, and Arizona, and New Mexico, and large parts of
> Colorado, Wyoming, Idaho, Oregon, and Washington by your map. And don't
> forget Great Plains states like Texas, Montana, North Dakota, South
> Dakota... hey, I think we're over 0.15%!

There are three problems that I would consider breakers for these regions: First, you just described the heart of Tornado Alley. Second, you can't charge Li-ion batteries when they are below freezing (0C), which makes much of these areas useless for Musk's storage systems for significant portions of the year. And third, high temperatures (above about 25C) reduce efficiency, and they cause batteries to wear out faster than their published ratings, which means you'll be replacing them that much more frequently if you set up your stations in the non-freezing areas.

> Right - as in my prior email, when you do the math it comes out to a factor
> of pi (and 24/pi is 7.64 hours, within the range you give).

No. It's significantly more than that because a geostationary station is always at "noon" when it's exposed to the sun while a ground station's noon is only a fraction of its exposure period.

> FWIW, on that last non-technical bit, I and I wager many others on this
> mailing list see very many places in all the named locales which have good
> potential for solar. And that's one of the great things about solar power:

Maybe good on small scales like homes and offices. Not so good for large scale like replacing global dependence on fossil fuels.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/22/2017 8:56 PM, Robert Krawitz wrote:
> But it's considerably more than 10% in practice, right?

It depends. It's as much an ideal as Musk's asserted 90% efficiency for Tesla and Powerwall when in reality Tesla and other EV owners see as low as 50% with new cells. And as noted previously, that figure drops as batteries wear.

> You still need storage for those blackouts (albeit less), right?

Yes, but with blackout windows of ~70 minutes you can effectively use supercapacitors, which in principle should be superior to chemical batteries for short term storage.

> The author is quite clear that he simply doesn't see this as being
> plausible any time soon. And no doubt batteries will improve along
> the way.

I do doubt it. Li-ion appears to be it, the pinnacle of commercial battery technology. Li-air has potential but it needs a breakthrough to make it commercially viable and you can't count on breakthroughs. Likewise Li-sulfur, which has wear and volatility (read: safety) issues. And, of course, batteries aren't renewable.

--
Rich P.
Re: [Discuss] Eclipses Re: Great talks last night, however...
On 7/22/2017 12:22 PM, Robert Krawitz wrote:
> 10x? Battery charging isn't that inefficient -- 85% for lead-acid
> batteries, for example
> (http://www.solar-facts.com/batteries/battery-charging.php).

"Overall, an efficiency level of 85% is often *assumed*." Emphasis mine. The rest of that paragraph goes on to explain some of the reasons why you can and will get less than this. Also, these are lead acid batteries, which have longer lifespans than the Li-ion batteries Musk is selling, and they will hold to their higher efficiencies for longer.

> That's the least of the problems. You have to keep it in orbit, the
> beam has to keep station (that kind of concentrated beam had better
> not leak), and a geosync orbit is still eclipsed part of the time.

At geostationary altitude a station is eclipsed from the sun for only 70 minutes per day, and this is only when the sun is near the equatorial plane. In practice, a geostationary PV station would have ~99.3% exposure over the course of a year vs. a ground station which has at best ~33% exposure, and that ~99.3% exposure is always "noon" vs. the ground station's noon being a fraction of its exposure time.

> Care to discuss what you see as the problems and how to go about
> addressing them?

https://dothemath.ucsd.edu/2012/03/space-based-solar-power/ covers them pretty well, and I do agree with the conclusion that SBSP isn't worth it in the short term. Putting that much mass into orbit is too expensive right now.

--
Rich P.