Re: [lopsa-discuss] College degrees not required for a career in system administration

2016-12-15 Thread Robert Hajime Lanning
I just turned 44 and I have a GED with some Community College and going 
on 22 years' experience.



I have always thought of myself as a bad example ("Do as I say, not as I 
do.") when it comes to higher education. But it does look like times are 
changing.


I have seen that a degree (any degree) helps a lot, in getting a foot in 
the door, when starting a career in this field.


Though, people are finding the ROI on higher education is not what it 
used to be.


I was lucky with the time and place in starting my career. (the heyday 
of the mid '90s in Silicon Valley)


Though, in middle school, I was the one who got into BASIC on the 
Commodore 64, while my brothers got into the video games. My brothers 
are doing well, but they actually got 4 year degrees and their careers 
do require it.


I am very much a self learner and I am always looking for the next thing 
to implement. :)


Though I don't do temporary implementations in a lab.  I look for real 
world implementations.


Like when I dug myself into the VoIP world with wiring up the house to a 
channelbank and a T1 card in an Asterisk server and a couple of SIP phones.


On 12/15/2016 08:44 AM, Bill Bogstad wrote:

http://qz.com/858194/ibm-employees-without-college-education/

An interesting article on how you don't need a college degree to work
for IBM.  It quotes BLS statistics that 47% of Network and computer
systems administrators don't have four year college degrees.  Food for
thought?


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning

___
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Robert Hajime Lanning

Attack vectors...

The difference is "can the private key (something you have) be copied?"

PKI hardware token: No.
File on notebook: Yes.

A PKI key on its own as a file on a hard drive is equal to a really 
complex password. So complex that you can't remember it so it is written 
down.


So, you encrypt the private encryption key with a passphrase. You have 
now put a password on your password.


If the key can be copied, then it does not subscribe to something you 
have being unique. A passphrase can be copied, so it is also not unique. 
The combination of the two are not unique.


Malware can attack a file on notebook and steal keystrokes for a passphrase.

For PKI hardware, data is sent to the token itself where the token 
(using its own processor) encrypts/signs the data with the private key. 
The private key cannot be copied/read off the token.  The private key 
can only be generated/used/erased via API calls to the hardware.


PKI USB tokens are basically smart card readers with a smart card 
permanently attached.


On 12/01/16 11:07, Morgan Blackthorne wrote:

I guess I'm not seeing much of a distinction between someone knowing
your password and someone knowing the passphrase on your key. If you
have a passphrase set, having a copy of the key does you no good without
the passphrase. But there's a pretty equivalent concern about someone
having both pieces of that equation vs. a normal password. Now something
like an OTP setup is a different story.

I agree with the enforcement perspective on keys; I wish SSH had a way
to flag whether or not a passphrase was enabled for a key and then
control restrictions on the server side as to what accounts are
whitelisted for automation vs. normal users where a passphrase is
enforced. But at the end of the day I'm unconvinced that a key is any
less secure than a password, as long as you have a passphrase configured.

On Thu, Dec 1, 2016 at 10:54 AM, Robert Hajime Lanning
<lann...@lanning.cc> wrote:

Requiring a passphrase on your private key is not enforceable.

And the key can be duplicated. So if someone has a copy of your key
and gets/guesses your passphrase, you won't know they have access.

Having the private key generated on a PKI hardware token that
*enforces* a PIN/passphrase to access, covers those bases.

On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:

If you have a passphrase on your private key (as one should),
would that not be considered something you know as well?

On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning
<lann...@lanning.cc> wrote:

I have only implemented RSA, but I will be doing a bit of
research on this topic shortly.

For my current job we'll be needing MFA for a secure
environment, in the next couple of months. They won't be
able to afford RSA.

But I do need to note that PKI key+Duo is not MFA.
(Something you have + Something you have)

MFA is Multi Factor Authentication and is defined as: (pick
2+ separate items)

1) Something you know (password/PIN not written down)
2) Something you have (device that cannot be copied, RSA
fob, PKI hardware token/smart card...)
3) Something you are (biometrics)

RSA is fob + PIN.

My current plan is a PKI hardware token that requires a
PIN/passcode to unlock the token to use the private key
contained within. The key pair is generated on the token and
the private key cannot be copied off the token.

Ssh and openvpn clients support PKCS#11 for PKI hardware.


On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:

I'm an end-user of Duo at the day job and relatively
happy with it. Was not involved in the setup, though.
OTOH I remember someone in #lopsa saying they had
problems with them and had been unhappy. Can't remember
who or why offhand, hopefully they'll chime in on this
thread.

I will note that the most common problem with Duo that
I've personally seen is when folks have it configured to
give them a phone call instead of running the app and
getting a push notification. In our setup, to access the
windows jumpbox we start an RDP session, and after
normal user auth, it then triggers a Duo challenge. But
the phone call setting seems to get delayed enough that
the RDP session fails with a network policy error.
People adjusting their
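The exchange above turns on one practical fact: whether a private key file carries a passphrase is decided by the cipher recorded in the file's own header, and only the client can see it. The following script is an added example (not from this thread, and not OpenSSH's code) that audits key files for exactly that. It parses the "openssh-key-v1" container (cipher name and KDF name follow the magic string) and the legacy PEM form (Proc-Type/DEK-Info headers). The sample keys it builds are constructed fixtures with dummy key material; only their headers are meaningful.

```python
"""Audit OpenSSH private key files for passphrase protection.

Added example, not from the thread. It reads the key file's own header to
tell an unencrypted private key from an encrypted one, for both the
current "openssh-key-v1" container (cipher and KDF names come right after
the magic) and the legacy PEM form (Proc-Type/DEK-Info headers). The
result is only ever visible on the client: a server sees a signature,
not the file, which is why a passphrase policy cannot be enforced there.
"""
import base64
import struct
import sys
from dataclasses import dataclass
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FTR = "-----END OPENSSH PRIVATE KEY-----"


@dataclass
class KeyInfo:
    fmt: str            # "openssh-key-v1" or "legacy-pem"
    encrypted: bool
    cipher: str         # "aes256-ctr", "AES-128-CBC", ... or "none"
    kdf: str            # "bcrypt" for modern keys, else "none"


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text: str) -> KeyInfo:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") \
            or not lines[0].endswith(" PRIVATE KEY-----"):
        raise ValueError("not a PEM-armored private key")
    if lines[0] == OPENSSH_HDR:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(blob, off)
        c, k = cipher.decode(), kdf.decode()
        return KeyInfo("openssh-key-v1", c != "none", c, k)
    # Legacy PEM: encryption is announced in RFC 1421 style headers before the body.
    headers = {}
    for ln in lines[1:-1]:
        if ":" not in ln:
            break                      # base64 body never contains ':'
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    enc = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "").split(",")[0] if enc else "none"
    return KeyInfo("legacy-pem", enc, cipher, "none")


def audit(paths) -> list:
    """Return (path, KeyInfo) for every readable private key; skip the rest."""
    out = []
    for p in paths:
        try:
            out.append((str(p), inspect_private_key(Path(p).read_text())))
        except (OSError, ValueError, UnicodeDecodeError):
            continue
    return out


def make_sample_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed fixture: a well-formed openssh-key-v1 header followed by
    dummy sections. Not a usable key; only the header is parsed above."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = b"" if kdf == "none" else s(b"\x00" * 16) + struct.pack(">I", 16)
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"dummy-public") + s(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HDR}\n{body}\n{OPENSSH_FTR}\n"


# Constructed legacy-format fixture; the base64 body is filler, not a key.
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGRw==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    targets = sys.argv[1:] or sorted(Path.home().glob(".ssh/id_*"))
    for path, info in audit(p for p in targets if not str(p).endswith(".pub")):
        flag = "OK " if info.encrypted else "UNENCRYPTED"
        print(f"{flag}\t{path}\t{info.fmt}\t{info.cipher}")
```

Run it with no arguments to scan ~/.ssh/id_*, or pass paths. Note what it does not do: it cannot tell whether a file is a copy, and a server never sees this header at all, so it is a client-side audit, not the server-side enforcement Morgan was wishing for; that gap is what a hardware token with an enforced PIN closes.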

Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Robert Hajime Lanning
Requiring a passphrase on your private key is not enforceable.

And the key can be duplicated. So if someone has a copy of your key and 
gets/guesses your passphrase, you won't know they have access.

Having the private key generated on a PKI hardware token that *enforces* a 
PIN/passphrase to access, covers those bases.

On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>If you have a passphrase on your private key (as one should), would
>that
>not be considered something you know as well?
>
>On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning
><lann...@lanning.cc>
>wrote:
>
>> I have only implemented RSA, but I will be doing a bit of research on
>this
>> topic shortly.
>>
>> For my current job we'll be needing MFA for a secure environment, in
>the
>> next couple of months. They won't be able to afford RSA.
>>
>> But I do need to note that PKI key+Duo is not MFA. (Something you
>have +
>> Something you have)
>>
>> MFA is Multi Factor Authentication and is defined as: (pick 2+
>separate
>> items)
>>
>> 1) Something you know (password/PIN not written down)
>> 2) Something you have (device that cannot be copied, RSA fob, PKI
>> hardware token/smart card...)
>> 3) Something you are (biometrics)
>>
>> RSA is fob + PIN.
>>
>> My current plan is a PKI hardware token that requires a PIN/passcode
>to
>> unlock the token to use the private key contained within. The key
>pair is
>> generated on the token and the private key cannot be copied off the
>token.
>>
>> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>>
>>
>> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>>
>>> I'm an end-user of Duo at the day job and relatively happy with it.
>Was
>>> not involved in the setup, though. OTOH I remember someone in #lopsa
>saying
>>> they had problems with them and had been unhappy. Can't remember who
>or why
>>> offhand, hopefully they'll chime in on this thread.
>>>
>>> I will note that the most common problem with Duo that I've
>personally
>>> seen is when folks have it configured to give them a phone call
>instead of
>>> running the app and getting a push notification. In our setup, to
>access
>>> the windows jumpbox we start an RDP session, and after normal user
>auth, it
>>> then triggers a Duo challenge. But the phone call setting seems to
>get
>>> delayed enough that the RDP session fails with a network policy
>error.
>>> People adjusting their user config with push notifications works
>better. I
>>> have not looked into seeing if you can just blanket disable that
>option,
>>> but it seems a bit odd that they offer that as a service when it
>doesn't
>>> work; then again, we may have a more aggressive timeout policy on
>the Duo
>>> portion than is recommended. Again, wasn't involved in the setup as
>it
>>> predated me, so I'm not sure.
>>>
>>> I know it also works with Linux boxes and that's on my list to check
>out,
>>> just haven't gotten to it yet. We'd likely only enable it on nodes
>with
>>> public IPs that have SSH listening/allowed, so it has been low on my
>>> priority list.
>>>
>>> Duo is also apparently free depending on how many users/devices you
>have,
>>> whereas last time I heard about the RSA setup, it was very
>expensive. I'm
>>> planning on adding Duo support to my personal AWS Linux nodes for
>SSH (so
>>> key+MFA auth, no passwords allowed).
>>>
>>> On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <
>>> _kylestew...@outlook.com> wrote:
>>>
>>>> Hi all, hope this email finds everyone well. We're looking into
>setting
>>>> up two-factor authentication at my company for a 2017 project and
>I'm
>>>> in the "Let's get the lay of the land" phase. Right now it seems
>like Duo
>>>> is making big headway in this market, but I've heard good things
>about RSA
>>>> as well. I'd love to get some first-hand feedback from people who
>have used
>>>> these types of 2FA solutions who aren't sales people :)
>>>>
>>>>
>>>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets
>>>> implemented - at face value I'm very interested in Duo so if anyone
>has
>>>> experience with Duo and setting it up (preferably alongside Palo
>Alto's and
>>>> GlobalProtect) that'd 

Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Robert Hajime Lanning
I have only implemented RSA, but I will be doing a bit of research on this 
topic shortly.

For my current job we'll be needing MFA for a secure environment, in the next 
couple of months. They won't be able to afford RSA.

But I do need to note that PKI key+Duo is not MFA. (Something you have + 
Something you have)

MFA is Multi Factor Authentication and is defined as: (pick 2+ separate items)

1) Something you know (password/PIN not written down)
2) Something you have (device that cannot be copied, RSA fob, PKI hardware 
token/smart card...)
3) Something you are (biometrics)

RSA is fob + PIN.

My current plan is a PKI hardware token that requires a PIN/passcode to unlock 
the token to use the private key contained within. The key pair is generated on 
the token and the private key cannot be copied off the token.

Ssh and openvpn clients support PKCS#11 for PKI hardware.


On Dec 1, 2016, Morgan Blackthorne  wrote:
>I'm an end-user of Duo at the day job and relatively happy with it. Was
>not
>involved in the setup, though. OTOH I remember someone in #lopsa saying
>they had problems with them and had been unhappy. Can't remember who or
>why
>offhand, hopefully they'll chime in on this thread.
>
>I will note that the most common problem with Duo that I've personally
>seen
>is when folks have it configured to give them a phone call instead of
>running the app and getting a push notification. In our setup, to
>access
>the windows jumpbox we start an RDP session, and after normal user
>auth, it
>then triggers a Duo challenge. But the phone call setting seems to get
>delayed enough that the RDP session fails with a network policy error.
>People adjusting their user config with push notifications works
>better. I
>have not looked into seeing if you can just blanket disable that
>option,
>but it seems a bit odd that they offer that as a service when it
>doesn't
>work; then again, we may have a more aggressive timeout policy on the
>Duo
>portion than is recommended. Again, wasn't involved in the setup as it
>predated me, so I'm not sure.
>
>I know it also works with Linux boxes and that's on my list to check
>out,
>just haven't gotten to it yet. We'd likely only enable it on nodes with
>public IPs that have SSH listening/allowed, so it has been low on my
>priority list.
>
>Duo is also apparently free depending on how many users/devices you
>have,
>whereas last time I heard about the RSA setup, it was very expensive.
>I'm
>planning on adding Duo support to my personal AWS Linux nodes for SSH
>(so
>key+MFA auth, no passwords allowed).
>
>On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart
><_kylestew...@outlook.com>
>wrote:
>
>> Hi all, hope this email finds everyone well. We're looking into
>setting up
>> two-factor authentication at my company for a 2017 project and I'm in
>the
>> "Let's get the lay of the land" phase. Right now it seems like Duo is
>> making big headway in this market, but I've heard good things about
>RSA as
>> well. I'd love to get some first-hand feedback from people who have
>used
>> these types of 2FA solutions who aren't sales people :)
>>
>>
>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets
>implemented
>> - at face value I'm very interested in Duo so if anyone has
>experience with
>> Duo and setting it up (preferably alongside Palo Alto's and
>GlobalProtect)
>> that'd be fantastic.
>>
>>
>> Thanks in advance!
>>
>>
>> _
>> Kyle Stewart
>>


-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] genisoimage ISO trouble

2016-11-02 Thread Robert Hajime Lanning

I don't think they know what they are talking about.

An ISO image is the size of the data (+metadata), no empty sectors.  
Though, you could append NULL bytes to the end of the file.



My question would be, "What changed between when it was working and now?"


On 11/02/2016 01:28 PM, Justin Smith wrote:
Every time my company releases a new version of its software, someone 
creates a ~1.5GB ISO image of it using genisoimage -J -R -D -V 
[volume_name], and then I use a Nexcopy USB duplicator to burn the 
ISO to 2GB flash drives.


This process no longer works; it produces a "cannot get drive 
geometry" error. According to gparted, it's because the partition 
table is bogus - these flash drives are created with a 7.34GB 
partition, which obviously isn't possible on a 2GB flash 
drive. Nexcopy's support insists that this is because of the way the 
ISO was created even though known good ISOs from other versions 
produce the same error.


I'm supposed to "Check the partition size...and then re-master the ISO 
so they all match. So if you have a 1.2GB CD-ROM partition size, you 
need to have a 1.2GB ISO file."


I don't know enough about the ins and outs of genisoimage or ISO files 
to know if this is accurate or not or how I would do it. Any insight 
would be much appreciated.


---
*Justin Smith*
IT Analyst
MIM Software, Inc.
https://www.mimsoftware.com


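The claim above that an ISO image is exactly the size of its data plus metadata can be checked from the image itself: the ISO 9660 Primary Volume Descriptor records a volume space size in blocks and a logical block size, and their product is what the image declares itself to be. The script below is an added example (not from this thread, and not genisoimage's or Nexcopy's code) that compares that declared size to the file size, and shows that appending NUL bytes, as suggested in the reply, grows the file without touching the descriptor. The sample image it builds is a constructed minimal skeleton (system area, PVD, terminator, zero-filled blocks), not a real genisoimage output; field offsets are those of ECMA-119.

```python
"""Check an ISO 9660 image's declared volume size against its file size.

Added example, not from the thread. The Primary Volume Descriptor (PVD)
lives in logical sector 16 (byte offset 32768). Its Volume Space Size
(bytes 80..87, stored both little- and big-endian) times the Logical
Block Size (bytes 128..131, both-endian uint16) is the size the image
claims to be. genisoimage emits exactly that many bytes; appending NULs
grows the file but leaves the PVD untouched.
"""
import struct
import sys

SECTOR = 2048                 # logical block size genisoimage uses
PVD_OFFSET = 16 * SECTOR      # system area occupies sectors 0..15


def read_pvd(image: bytes):
    """Return (volume_space_size_in_blocks, logical_block_size)."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    space_le = struct.unpack_from("<I", pvd, 80)[0]
    space_be = struct.unpack_from(">I", pvd, 84)[0]
    block_le = struct.unpack_from("<H", pvd, 128)[0]
    block_be = struct.unpack_from(">H", pvd, 130)[0]
    if space_le != space_be or block_le != block_be:
        raise ValueError("both-endian fields disagree: PVD is corrupt")
    return space_le, block_le


def check_image(image: bytes) -> dict:
    """Compare the size the PVD declares with the number of bytes present."""
    blocks, bsize = read_pvd(image)
    declared = blocks * bsize
    actual = len(image)
    if actual == declared:
        verdict = "exact"
    elif actual > declared:
        verdict = "padded"
    else:
        verdict = "truncated"
    return {
        "declared_bytes": declared,
        "actual_bytes": actual,
        "padding_bytes": actual - declared,   # negative means bytes are missing
        "verdict": verdict,
    }


def pad_to(image: bytes, target_bytes: int) -> bytes:
    """Append NUL bytes so the file reaches target_bytes (no-op if already larger)."""
    return image + b"\x00" * max(0, target_bytes - len(image))


def make_sample_iso(volume_blocks: int) -> bytes:
    """Constructed minimal image: 16-sector system area, a PVD, a set
    terminator, then zero-filled blocks up to the declared size."""
    assert volume_blocks >= 18
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                  # type 1 = primary descriptor
    pvd[1:6] = b"CD001"
    pvd[6] = 1                                  # descriptor version
    pvd[40:72] = b"SAMPLE".ljust(32)            # volume identifier, space padded
    struct.pack_into("<I", pvd, 80, volume_blocks)
    struct.pack_into(">I", pvd, 84, volume_blocks)
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    term = bytearray(SECTOR)
    term[0] = 255                               # volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    image = bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
    return image + bytes((volume_blocks - 18) * SECTOR)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(check_image(fh.read()))
```

Run it against a real image with `python3 isocheck.py release.iso`. An "exact" verdict on a freshly mastered image is the expected result; if the duplicator still rejects it, the declared size is not the variable that changed, which is the question the reply asks.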


Re: [lopsa-discuss] IPv6 hosting (and/or cloud)

2016-05-06 Thread Robert Hajime Lanning
I use linode. They're dual stack.

On May 6, 2016, Tom Perrine  wrote:
>I'm looking for a place to move one of my very last personal physical
>hosts.
>
>I need relatively inexpensive, dual-stack, and full host access
>solution.
>At-rest data encryption would be a good value add.
>
>Simple is critical; I wouldn't move this into AWS and then put ELB in
>front
>just to get dual-stack, for example.
>
>I need to be able to run a DNS hidden master, postfix and a very simple
>apache setup (static content only, no executable code). I *might* have
>to
>run wordpress, but only as a last resort.
>
>Recommendations?
>
>
>
>


-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] licensing - Charity donation program?

2016-04-14 Thread Robert Hajime Lanning
I guess that depends on how powerful of a spell you can cast.

:)

On Apr 13, 2016, Ryan Finnesey  wrote:
>I have what may seem like an odd question and I don't know how many of
>the list members are active in the licensing process but if 3% of your
>monthly Office 365 licensing cost went to a Charity of your selection
>would that influence which Microsoft partner you would select to buy
> that license? 
>
>Cheers
>Ryan
>


-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] KVM's and PDU's

2016-03-18 Thread Robert Hajime Lanning

On 03/18/16 18:30, Doug Hughes wrote:

All of the important electrical properties for Cat6 should have no
impact on Serial.


I'm pretty sure it is not a normal "serial" signal.

I don't know about *recent* KVMs, but as of about 6 years ago, the 
dongles output a very analog signal on the Cat5.  All the high powered 
digitization of the VGA signal was done inside the KVM unit.


Over longer runs, your screen started to look like the old 1950's TVs...

This was with Dell IP based KVMs.  Avocent like, but not quite. The 
dongles looked identical, but were not interchangeable.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] KVM's and PDU's

2016-03-18 Thread Robert Hajime Lanning
What Ski is getting at, is they are upgrading the cable plant and 
standardizing on a cable spec that has a path forward, without having to 
rip out the cable plant again.


What you are talking about is dedicating part of the patch panel to 
legacy non-10GBase-T, for the foreseeable future.


On 03/18/16 14:39, Doug Hughes wrote:

You can run a cat5e patch from a cat6 panel. Or you can run a Cat6 patch
to any rj45 port. It should "just work". You don't need to replace
stuff. The rj45 end is the same:

https://answers.yahoo.com/question/index?qid=20090924211618AAjS7qH

Also, if you do want to change PDUs anyway, I second Derek's vociferous
support for ServerTech. Apc is second. Geist has some less expensive and
budget offerings that may work for you with features.

Avocent also, ++
(I still like the Cyclades ACS series that Avocent bought, and you can
still find them on ebay)


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] KVM's and PDU's

2016-03-18 Thread Robert Hajime Lanning

It's going to be some electrical property of the cabling.

Remember KVMs tend to run their own proprietary analog signal.

While Cat6a is better to our networking, the problem is that it is 
different to a device that does not do auto negotiation in their own 
protocol.


On 03/18/16 14:58, Doug Hughes wrote:

You sure it's not just a 568-A vs 568-B thing?


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] DNS strangeness with youtube.com

2015-12-08 Thread Robert Hajime Lanning

On 12/08/15 13:58, Ski Kacoroski wrote:

One more bit of information.  When I wireshark the queries, any query to
youtube.com ends with:

Standard query response  A 208.70.74.21 [ETHERNET FRAME CHECK
SEQUENCE INCORRECT]

Queries to other locations work correctly and do not have that problem.


That sounds like it is something very local.  Ethernet frame generation 
is at the broadcast domain level.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
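The reasoning above ("frame generation is at the broadcast domain level") rests on how the Ethernet FCS works: it is a CRC-32 over everything from the destination MAC to the end of the payload, appended least-significant byte first, and every switch or bridge strips and regenerates it, so a frame that arrives with a bad FCS was damaged on the last hop. The script below is an added example (not from this thread) that verifies the FCS on a constructed set of frames and groups failures by source MAC, which is how you narrow a result like the one Ski captured down to a device. The MAC addresses and DNS payload are constructed sample data. One caveat worth checking before blaming a cable: most captures do not include the FCS at all, and on a host that captures its own traffic with checksum offload enabled, Wireshark may flag a frame that was never on the wire in that form.

```python
"""Verify Ethernet frame check sequences in a captured frame set.

Added example, not from the thread. The FCS is an IEEE CRC-32 over
destination MAC through payload, appended least-significant byte first,
which is exactly zlib.crc32() packed little-endian. Because every switch
or bridge strips and regenerates the FCS, a frame that arrives with a
bad FCS was damaged on the last hop (or was captured before the NIC's
checksum offload finished), so grouping bad frames by source MAC points
at the local device to look at.
"""
import struct
import zlib
from collections import Counter

# crc32(data || fcs_le) is this constant for any correctly framed data,
# so a capture can be checked without slicing the FCS off first.
FCS_RESIDUE = 0x2144DF1C


def compute_fcs(frame_without_fcs: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def residue_of(frame: bytes) -> int:
    return zlib.crc32(frame) & 0xFFFFFFFF


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 bytes are the correct FCS for the rest."""
    if len(frame) < 64:                 # minimum Ethernet frame including FCS
        return False
    by_recompute = compute_fcs(frame[:-4]) == frame[-4:]
    by_residue = residue_of(frame) == FCS_RESIDUE
    assert by_recompute == by_residue   # the two checks are equivalent
    return by_recompute


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame with a valid FCS; payload padded to the 46-byte minimum."""
    body = mac(dst) + mac(src) + struct.pack(">H", ethertype) + payload.ljust(46, b"\x00")
    return body + compute_fcs(body)


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit, as a marginal cable or a bad port would."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


def bad_fcs_by_source(frames) -> Counter:
    """Count FCS failures per source MAC (bytes 6..12 of each frame)."""
    c = Counter()
    for f in frames:
        if not fcs_ok(f):
            c[f[6:12].hex(":")] += 1    # bytes.hex(sep) needs Python 3.8+
    return c


# Constructed capture: two replies from a resolver, one of them damaged in
# flight, plus one clean frame from another host.
RESOLVER = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
DNS_REPLY = b"\x12\x34\x81\x80" + b"\x00" * 8 + b"\x07youtube\x03com\x00"
FRAMES = [
    build_frame(CLIENT, RESOLVER, 0x0800, DNS_REPLY),
    corrupt(build_frame(CLIENT, RESOLVER, 0x0800, DNS_REPLY), 40),
    build_frame(CLIENT, "00:aa:bb:cc:dd:ee", 0x0800, DNS_REPLY),
]

if __name__ == "__main__":
    for i, f in enumerate(FRAMES):
        print(i, "ok" if fcs_ok(f) else "BAD FCS", f[6:12].hex(":"))
    print(dict(bad_fcs_by_source(FRAMES)))
```

To apply this to a real capture, feed `bad_fcs_by_source` the raw frames from a pcap that was taken with FCS preserved (a mirror port or tap, not the querying host itself); if every failure shares one source MAC or one ingress port, the fault is between that device and the capture point.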


Re: [lopsa-discuss] Fwd: Slack

2015-07-13 Thread Robert Hajime Lanning

On 07/12/15 22:13, Allan Irving wrote:

It has channels and topics. These work similarly to your use case of email. In 
fact, like email - you can ignore or leave the discussion.

You can delete and keep specific messages.

Lack of threads is just replaced with channels.

You can trial it free for up to x users at no cost which was my suggestion but 
I doubt that will work as it would seem people are already convinced it won’t 
work for them.

How many here have used Slack, as there is a lack of knowledge regarding the 
features?


What features does it have that makes it worth my time in deviating away 
from where I have most of my communications centralized?


I have yet to see anything that gives a MUST HAVE feature.  Basically 
because the email list format is not lacking anything that I need.


Why should I have to bring up a new website (or even worse a separate 
client application) to keep up to date on what I automatically am kept 
up to date with via this email list format?


So, the question is not "Does it have equivalent features of the mail 
list?"  The question is "Does it supply a feature that I require enough 
to warrant the deviation?"


Since (at least for me), there are no new requirements from when the 
email list was created, there is no reason to change.


Also, why go to a proprietary format, when the current open format 
works?  Why be dependent on the whims of a startup business to provide 
additional features that are not even needed.  (It really is geared for 
work group collaboration, not PUBLIC mailing lists.)


Instead of the current centralizing of communications in the ubiquitous 
email format, you are looking to move to a proprietary format accessed 
via proprietary clients.


You are asking everyone to go elsewhere (other than their normal INBOX). 
 You really need a VERY good reason, other than "it's cool".  You need 
to provide that it satisfies a requirement that is currently not met.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Slack

2015-07-12 Thread Robert Hajime Lanning

On 07/12/15 14:15, Derek J. Balling wrote:

Actually, the modern mindset has changed radically on this point.
Constant change is expected, even considered good, and something you
design to account for.

Now, I'm not saying I'm the best at achieving this goal yet, but the
tide definitely seems to have shifted from the don't change things
that often model (which might be considered analogous to the
waterfall-model of software development) to the constant controlled
change model (a la continuous integration, etc.)

Fundamentally, there are legitimately two competing schools of thought
on this (obviously). However, the trend the industry seems to be
moving towards is embracing the latter, not the former.

We (he says, waving his hands to point around the mailing list) might
not be in that camp, but make no mistake, most of the organizations
that are operating at scale today *are* the ones embracing it.

And that says more about us, as a community, than I think a lot of us
would like to admit. I know it took me a while to come around to
admitting to myself that most of what I'd learned over the last 20
years was being tossed out on its ear. How long will it take the rest
of us? Who knows


Ya, that's the whole Agile thing... :)

Then again, Agile and CI do not mean change for change or anti-KISS.

Agile and CI are about rolling out needed updates (be it bug fixes or 
features) quickly and often.


The choice of what changes are allowed into production is where the "no 
change for the sake of change" and KISS philosophies are considered.


Fail forward instead of fail back.  Eventually consistent.  Things at 
scale can't do an instant global state change.


If there is a problem live with it, until the developers have a new 
build to push, that (hopefully) fixes it.


Doesn't work in my new field... (Medical Device Startup) :)
We are trying to change some of the way the FDA views things (especially 
in the mobile arena), but it is going to take a bit.


The FDA documentation requirements pretty much dictate waterfall 
development.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Fwd: Slack

2015-07-12 Thread Robert Hajime Lanning

It is not a Dark Ages issue.  It is a ubiquity issue.

This mail address has ~10 mailing lists going to it.  I fully control 
this email address (housed on my server in my house.)


If I had to check on a separate web site for this list, I would drop it. 
 If I needed yet another client to view, I would also drop it.  I don't 
keep up with ANY web forums, twitter, facebook, etc.  I have screen 
sessions to the #lopsa, #lopsa-lounge, #asterisk and #gluster IRC 
channels that I glance at every few days when I am bored or need help 
with something.


I just don't have time to be swapping interfaces.

On 07/12/15 13:37, Allan Irving wrote:

It was just a suggestion - no need for the aggressive reaction. Email
is inherently insecure so I don’t see how Slack’s security comes into
it. Slack offers features email never will. Additionally, as opposed
to filter rules - you can open Slack when you can be bothered to
respond to messages. Without filters you have an inbox full of LOPSA
discuss emails.

It was just a suggestion but given the response for outdated
technology which is very insecure - it would seem that LOPSA really
isn’t up to date. Are you really sending sensitive data over a mailing
list? Then who’s to blame for it as a system administrator?  A
discussion list has and never should divulge confidential information
seeing as this one is indexed by Google.

You can stay in the dark ages but some of us are thinking ahead. Given
the responses, it is clear to me that moving on into the modern
century is the way forward.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Slack

2015-07-12 Thread Robert Hajime Lanning

I am curious...

Is the format of this being an email list an issue for you?

What is it that you are looking for as requirements for a general (and 
free) communication means for this group?


Or did you just want to post "Hey this is cool..."

There is change for need and change for change...  In operations your 
mentality is usually to avoid change for change and KISS.


On 07/12/15 14:00, Allan Irving wrote:

Personally, for my startup I don’t use the free service so the comments
regarding the free service are irrelevant.

It was just a suggestion. If you want to crap all over me for it, then
so be it.

However, whatever - I’d say Slack’s success speaks for itself. I don’t
see how mailing lists are any better than Slack. If you do - then good
for you.

Such a negative vibe / element of rudeness on this mailing list. Safe to
say I won’t be renewing my membership as it would appear that easy /
archaic solutions are more appealing to the majority here. Most
sysadmins move with the times. Slack might not be the solution but many
other more advanced solutions are. If you’re so bothered about security,
use PGP. As you aren’t, I don’t see how you can talk as such.

Regardless - I was just putting it out there but your rude responses
have just lost you a member.

As before - all the best.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Slack

2015-07-12 Thread Robert Hajime Lanning
Not yet another forum/web messaging.

I would only agree, if the interface is exactly like email. Shows up in my 
inbox on my home email server and I reply just like I am doing right now.

On Jul 12, 2015, Allan Irving allanirv...@allanirving.co.uk wrote:
Hi all,

How do we feel about trialling Slack instead of discussion lists? I am
of the belief that it would be far better and also has more features
than email.

http://slack.realm.io is an example of how easy it is for users to sign
up - much like Mailman offers a sign up screen.

Allan

-- Sent with K-@ Mail - the evolution of emailing.


Re: [lopsa-discuss] IT roles in the company

2015-06-09 Thread Robert Hajime Lanning
I usually see the CIO under the CFO.

So, no additional direct reports.

On Jun 9, 2015, Tim Kirby t...@kirbys.org wrote:

The really sad part is that the CEO does not want any more direct
reports, so he has an administrative VP who owns IT amongst other
things. Thus there is no CIO, no C* representation.
-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] The future of OpenStack?

2015-05-17 Thread Robert Hajime Lanning
Are we talking about OpenStack vs. other cloud management stacks (like 
CloudStack and the proprietary providers, AWS and the likes)?


Or are we talking about movement from private clouds to public ones?

On 05/17/15 07:26, Matt Lawrence wrote:

I've heard from multiple people, who I respect greatly, that OpenStack
is going to die off, but I just don't see it.  The modern IT
infrastructure is heavily populated with products and technologies that
were a really bad idea in their original release. So, while I think
OpenStack has some serious problems, I think it is going to be around
for quite a while.

I would like to hear what a number of other folks who I respect think.


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Resource query...

2015-04-08 Thread Robert Hajime Lanning

On 04/08/15 08:10, Craig Constantine wrote:

could you poll for the UUID assigned to the file system on the drives?
blkid i think is the command...


I would not trust that.  Aside from having to know the UUID up-front, 
what happens when there is no filesystem?


I believe he wants to error out if the drive in slot 0 is missing or not 
responding without touching any other drives.


Problem is that this is machine model specific.  You have to know the 
channel path to slot 0.


It will be something like:
PCI slot - controller - sas channel - backplane channel

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] NIce Fraud alert system - American Express

2015-02-03 Thread Robert Hajime Lanning

On 02/03/15 16:46, Yves Dorfsman wrote:

On 2015-02-03 16:46, Edward Ned Harvey (lopser) wrote:

surprisingly good.  I like to use BioWallet as an example - you use your
finger to sign the screen of your phone to unlock a secure wallet.  If I
hand my phone to someone and tell them my password, they can't get in.


Because of google authenticator etc... access to my phone is too important to
use my finger (and I encrypt it):

- I cannot forget my finger, with a password I can choose to go to jail or
remember my password

- my passwords will die with me. If you kill me, you won't get my password, my
fingers... on the other hand!



He is not talking about fingerprints.  He is talking about signing using 
your finger like a pen. (phone/tablet interface)


Sure, someone cuts off your finger after you are dead... Let's see them 
try to copy your signing behavior, without a video or having watched 
you sign.


Behavior based biometrics are very interesting. Authentication by 
being you.


:)

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Help with gmail technical problem

2015-01-28 Thread Robert Hajime Lanning

On 01/28/15 12:19, Graham Dunn wrote:

Just like to add that if anyone knows a senior member of the LDS church
in the UK with the same name as me, tell him that BMW has been
suggesting his wife upgrade her car, the swim team fundraising has been
going well, and that his son’s loan for university housing seems to be
going through.

Oh, and that @googlemail.com is the same as @gmail.com.


Oh, and his lab work came in.  He tested positive for ... and should see 
his doctor...


:P

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Certificate confusion - Summary

2014-10-11 Thread Robert Hajime Lanning
On 10/10/14 20:51, Charles Polisher wrote:
 Not to keep beating a dead horse, but here's a related thing
 that puzzles me. I wonder if anyone else gets a different
 result. I've got 2 very different certs claiming to be the
 Google Internet Authority G2. Same subject, same auth key ID,
 same subject key id, same public key. Different certs. Huh?
 
 I'm sure if there's a simple explanation someone here
 knows it.

pki.google.com:
Serial Number: 146038 (0x23a76)
X509v3 CRL Distribution Points: URI:http://g.symcb.com/crls/gtglobal.crl
Authority Information Access: OCSP - URI:http://g.symcd.com
Validity
Not Before: Apr  5 15:15:55 2013 GMT
Not After : Apr  4 15:15:55 2015 GMT


drive.google.com:
Serial Number: 146025 (0x23a69)
X509v3 CRL Distribution Points: URI:http://crl.geotrust.com/crls/gtglobal.crl
Authority Information Access: OCSP - URI:http://gtglobal-ocsp.geotrust.com
Validity
 Not Before: Apr  5 15:15:55 2013 GMT
 Not After : Dec 31 23:59:59 2016 GMT


Looks like the issuer of the original G2 cert (GeoTrust) has been bought by 
Symantec.
Also looks like Symantec limits to a 2 year life span. (GeoTrust was 3 year 
cert.)

BTW, both drive.google.com and pki.google.com have the same G2 cert now.
(the Symantec version)

In the future, you can run the following command and see if the old G2 cert
(serial 23A69) is added to the old GeoTrust Certificate Revocation List (CRL).

$ curl -s http://crl.geotrust.com/crls/gtglobal.crl | openssl crl -inform DER -text -noout
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Last Update: Oct 11 06:43:00 2014 GMT
Next Update: Oct 21 06:43:00 2014 GMT
Revoked Certificates:
Serial Number: 0234BA
Revocation Date: Oct 11 14:19:52 2003 GMT
Serial Number: 0235F8
Revocation Date: Aug  9 14:05:49 2006 GMT
Serial Number: 02345D
Revocation Date: May 22 08:08:43 2002 GMT
Serial Number: 02345C
Revocation Date: May 22 08:09:00 2002 GMT
Serial Number: 023559
Revocation Date: Jul 22 12:59:26 2005 GMT
Serial Number: 02366B
Revocation Date: Jul 11 05:50:50 2007 GMT
Serial Number: 02345A
Revocation Date: May 21 13:48:04 2002 GMT
Signature Algorithm: sha1WithRSAEncryption

-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Certificate confusion

2014-10-09 Thread Robert Hajime Lanning

That is the way SSL proxies work.

You tell the browser to go to https://www.example.com/ and it expects 
the received certificate to be either www.example.com or *.example.com 
and signed by a CA that it has in its trusted CA repository.


So, there are only two possibilities...

1) allow the encrypted stream untouched
2) the proxy needs to intercept the connection, establish its own 
connection to the server, then act as the server to the client.


To act as the server, it has to have the server certificate and the 
private key.  The server certificate that it presents to the client must 
be signed by a CA trusted by the client and the public key in the 
certificate must be the counterpart of the private key that the proxy 
has access to.


Server (public CA) -- proxy
proxy (private CA) -- client

Because you are presenting certificates to the client for servers that 
you don't know before hand, the proxy must have the CA private key to 
sign the certificates on the fly.  The private CA certificate must be 
installed in all clients to be trusted.  And it must have the CA:true 
constraint.


In the windows world, you can push out a private CA certificate with a 
GPO in Active Directory.  Most others, you would have an internal 
website that allowed the download and install of the CA certificate.


The certificate download should be in DER format.  Most browsers will 
auto install with these headers:

Content-Type: application/x-x509-ca-cert; name=private-ca.crt;
Content-Disposition: attachment; filename=private-ca.crt;

Windows:
Download and run.  Windows will identify it as a root CA certificate and 
open the certificate dialog. Click on the Install Cert button.


Firefox:
Firefox will automatically recognize it as a certificate and start the 
import.


Chrome:
On Linux you must download and follow these instructions:
http://code.google.com/p/chromium/wiki/LinuxCertManagement

Safari:
Download and run.  MacOS will identify it as a root CA certificate and 
ask if you want to install it.


I had a lab at Symantec that my team and I created to dynamically bring 
up a development environments with dynamic URLs to access. I had scripts 
that would auto generate a CSR and POST it to a web service that blindly 
signed any CSR given to it.  It was a quick and dirty solution and tiny 
CGI script. :)


You can't use a wildcard certificate because the * only accounts for 
one level.


*.example.com matches www.example.com and blah.example.com, but not 
www.blah.example.com.


Of course that restriction is up to the client implementation.  But, 
that is one issue I had run into in the past.


On 10/09/14 16:46, Ski Kacoroski wrote:

Hi,

I need someone with more certificate-fu than I have.  I have an iBoss
web filtering device that sits in between our internal users and the
internet.  We are trying to set it up to also filter https web pages
which means it has to decrypt the connection to see what is going on.
They are claiming that we have to use a self-signed cert on their device
instead of our wildcard *.nsd.org cert and then install the public key
on all the browsers of our internal machines which, as you can imagine,
is not something we want to do or maintain.  I have 6500+ macs, 3000
chromebooks, 2000 ipads, 1000 windows, and several hundred other things
such as kindles, etc.  In addition, several of these have multiple
browsers.

I appreciate any comments or ideas why we cannot get our wildcard cert
to work (it works with everything else except for an old Oracle
application server where I had to get a machine specific cert).

Their description is:


* The certificate needed to do the decryption must be trusted by the
browser to sign ALL domains.
* GoDaddy and other Certificate Authorities (CA) will not sign a
certificate for use with domains other than your own. So… The
certificate must be self-signed with no verification path back to a
trusted CA.
* The *.nsd.org certificate you have will work to access the iboss UI,
block or login pages.

Follow up email states:
The first 2 bullet points from yesterday are important to understand.
There is no possibility of getting a CA certificate from anyone that is
trusted by the browsers. As far as we have seen it takes a CA cert to be
fully functional for intercepting HTTPS traffic and re-sign so that the
browser will accept it. This means using a self-signed cert. To stress
the point, imagine what damage you could do with a certificate that
allowed you to pose as Google without the browser alerting the user.

I can’t answer why we have had the limited success with decrypting using
the *.nsd.org or how far we can push it. In a couple cases we were able
to get everything working unless Chrome was used. In another case IE
seemed to be the biggest problem. They each perform validity checks of
their own design. Technically, the cert you have should not be accepted
to sign anything. That is not a feature of the cert (CA:FALSE).
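The single-label wildcard rule Robert describes, and the reason a *.nsd.org certificate cannot stand in for the arbitrary sites the iBoss vendor needs a CA:true certificate for, worked through as an added Python example that is not part of the thread. It follows the RFC 6125 matching rules (the conservative reading, since as the post notes the exact rule is up to the client); `hostname_matches`, `can_proxy_intercept` and the sample certificates are constructed for the example.

```python
# Added example (not from the thread): hostname matching against the names in
# a server certificate, with the one-level wildcard rule the post describes.
# Follows the RFC 6125 section 6.4.3 rules; function names and the sample
# certificates below are constructed for this example.


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (dNSName or CN) against a hostname.

    Names are compared case-insensitively and a trailing dot is ignored.
    A wildcard is honoured only as the complete left-most label, so
    '*.example.com' covers www.example.com but not www.blah.example.com
    (one label too many) or example.com (one label too few)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Partial-label wildcards such as 'w*.example.com' are rejected outright;
    # RFC 6125 permits them, but browsers refuse them, so stay conservative.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # A bare '*' or '*.com' would cover every host or a whole TLD.
    if len(p_labels) < 3:
        return False
    # Exactly one label may stand in for the '*': the label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert_names, hostname) -> bool:
    """True if any of the certificate's names matches the hostname."""
    return any(_name_matches(name, hostname) for name in cert_names)


def can_proxy_intercept(proxy_cert: dict, visited_hosts) -> list:
    """The interception question from the thread: which visited hosts would a
    client accept from a proxy that can only present this one certificate?
    A proxy that instead holds a CA key (basicConstraints CA:TRUE) trusted by
    the client can mint a matching leaf per host, so every host is covered.
    `proxy_cert` is a constructed dict: {'names': [...], 'ca': bool}."""
    if proxy_cert.get("ca"):
        return list(visited_hosts)
    return [h for h in visited_hosts if hostname_matches(proxy_cert["names"], h)]


if __name__ == "__main__":
    # Constructed sample: the *.nsd.org wildcard from the question versus a
    # private CA, against hosts users would actually browse to.
    hosts = ["www.nsd.org", "mail.nsd.org", "www.google.com", "drive.google.com"]
    wildcard = {"names": ["*.nsd.org"], "ca": False}
    private_ca = {"names": ["Private Proxy CA"], "ca": True}
    print("wildcard covers:", can_proxy_intercept(wildcard, hosts))
    print("CA cert covers: ", can_proxy_intercept(private_ca, hosts))
```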

Re: [lopsa-discuss] Anything like Linode's LISH out there?

2014-10-01 Thread Robert Hajime Lanning

On 10/01/14 13:40, Craig Constantine wrote:

Linode has a “LISH” feature. Basically, you ssh to one of their systems, and it 
can connect you to the console of your virtual machine (your linode).

Anyone know how that actually works under the hood? …does it only work because 
they’re running VMs?

I would really love to be able to dumpster the whole model of 
JavaApplet--KVM-IP—KVM-dongles . . .


Unfortunately, it is a feature specific to virtual machines.

For real servers, you either need to setup serial console capability 
(vendor dependent BIOS feature) or use a KVM-IP (vendor neutral).


I have used PC Weasel in the past, but it looks like they are not 
around anymore.


http://en.wikipedia.org/wiki/PC_Weasel_2000

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Why don't people join Lopsa?

2014-08-11 Thread Robert Hajime Lanning
On 08/11/14 11:07, Atom Powers wrote:
 Is LOPSA an organization for operators or engineers?

I envision LOPSA to be a place for the two to meet and
exchange knowledge.

This whole DevOps movement... is not really about automation...

It is about making the sysadmins more responsible to
the developers and the developers more responsible to
the sysadmins, by blurring the lines between the two.

It is not about moving a narrow view up or down the stack,
but pushing your limits to widen the view to include the
whole stack.  From volts on the wire all the way up to the
business logic running in the JVM.

Software can only push to the limits of the hardware and
hardware only does what the software tells it to.

You can only automate a system that is already working.
The automation has to run on something.

If your business requirements say that you need to own the
datacenter, then it is you who debugs from a DB corruption
down to the bad code, bad data, bad DIMM, or bad IO
controller that caused it.

A sysadmin/devops has the wherewithal to figure out crap like this:
http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html

Also needs to be able to create/extend things like Puppet/Chef,
implement an IDM, design DNS and email routing. Create virtual
networks in AWS/Rackspace, link them to your corporate network.
Configure VLANs in your corporate network.  Know when to bridge
and when to route.  Do security audits to prove that your
implementations are secure from outside threats.  Understand the
outside and inside threats.

So, the sysadmin/devops role has grown to be way more than
it used to be (the 1995 version.) It is also larger than a
developer is.

Automation is just a tool.  It does not solve the problems that
senior sysadmin/devops people work on. How do you get more
IOPS out of your storage system? How do you scale the database?
How do you fail over an application that wasn't designed to fail
over?

Automation just scales the problem and the solution.  It is a
glorified photo copier... :P

-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Https - the solution to net neutrality and ISP monopolies

2014-07-22 Thread Robert Hajime Lanning

On 07/22/14 14:28, Derek Balling wrote:

But for your hypothetical community site, it's mainly just you, your
ISP, your customers' ISP, and your customers that make your site
successful, right?


God forbid the /. effect happens...

Immediate bankruptcy is foreseen in the future...

It's like hosting your web site with DNS from UltraDNS... (pay per 
query... At least the last time I looked.)


Shoestring startup makes an announcement and immediately goes belly up 
with the bandwidth/query charges...


--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] rackstuds?

2014-01-14 Thread Robert Hajime Lanning
For your first concern, check out 
http://rackstuds.com/support/certification/

343lb shear strength per stud.

For your second concern, it will be an issue.  Though the newer rails I 
have dealt with are clip-in.  The screw-in did not have flanges on the 
bezels, but I have been lucky with what I have been buying. :)


I would love to use these! :) But my current position does not have 
racks (all AWS). So, I could only use them at home.


On 01/14/14 12:37, Brodie, Kent wrote:

I haven't used these, but I do have a few observations, based on viewing what 
the stud things look like.

First off:  how freaking awesome.   For most cases, this is a sysadmin WIN.  I 
need to go get me some.

Caveats:

My first concern is how well these stand up for *HEAVY* equipment.  Yeah, we 
deal with a lot of 1u/2u things these days, but occasionally we need to load a 
100+ pound BEAST.   Not sure how strong these are?  (I assume this info is in 
their product data sheet somewhere?)

My second concern is how this works for equipment that has front panels/bezels. 
 In many cases, the manufacturer of the rackmounted thing assumes that all that 
sticks out the front of the rack side is at most 1/8 inch or so for the screw 
head. These things stick out a lot, and COULD possibly get in the way of 
certain covers/bezels.

Those concerns aside, I'm still gonna get some when they're available.



Re: [lopsa-discuss] Apache server issues

2013-12-20 Thread Robert Hajime Lanning

Try looking into TIME_WAIT tuning.
/etc/sysctl.conf
#TIME_WAIT tuning
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_syncookies = 1

Then sysctl -p

On 12.20.2013 09:24, Chris Ski Kacoroski wrote:

Hi,

I have put an apache server in front of my primary webserver as a
proxy in preparing to move to a new webserver.  In testing it worked
fine, but under load (we have snow today and everyone is hitting the
website to see if school is open), I am getting all kinds of timeout
errors and service not available pages.  In server-status on the
proxy, it does not look like it is loaded:

Server load: 0.40 0.27 0.23
Total accesses: 99516 - Total Traffic: 2.6 GB
CPU Usage: u4.35 s3.08 cu0 cs0 - .382% CPU load
51.1 requests/sec - 1.4 MB/second - 27.4 kB/request
91 requests currently being processed, 59 idle workers

_KK_KK_KK_KC_K_KKC__
KKK_KK_KK___KKCC
K_KKW_..

Errors are:
(70007)The timeout specified has expired: AH00957: HTTP: attempt to
connect to 10.1.3.100:80 (webold.nsd.org) failed
AH01114: HTTP: failed to make connection to backend:
AH00959: ap_proxy_connect_backend disabling worker for (webold.nsd.org) 
for 0s


Config is:
<VirtualHost *:80>
  ServerAdmin ckacoro...@nsd.org

  DocumentRoot /var/www
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/errormap.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  #LogLevel warn rewrite:trace2
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/accessmap.log combined

  # rewrite rules for variables after the url, e.g. after the ?
  RewriteEngine On

  # For each page we match the query string in RewriteCond and then map
  # it to the new page/server in RewriteRule.  This version uses an external
  # file to map key, value pairs.  There is one map for each section of
  # schoolcenter.
  RewriteMap scrapbook txt:/etc/apache2/maps/scrapbook
  RewriteMap docmgr txt:/etc/apache2/maps/docmgr
  RewriteMap dept txt:/etc/apache2/maps/dept

  RewriteCond %{HTTP_HOST} .*nsdproxy.*
  RewriteRule ^/server-status.* http://nsdproxy.nsd.org/server-status

  RewriteCond %{HTTP_HOST} .*schoolcenter.*
  RewriteRule ^/(.*) http://www.nsd.org/$1

  RewriteRule ^.*components/scrapbook ${scrapbook:%{QUERY_STRING}|http://webold.nsd.org/%{REQUEST_URI}?%{QUERY_STRING}} [END,NC,QSD]
  RewriteRule ^.*components/docmgr ${docmgr:%{QUERY_STRING}|http://webold.nsd.org/%{REQUEST_URI}?%{QUERY_STRING}} [END,NC,QSD]
  RewriteRule ^.*education/dept ${dept:%{QUERY_STRING}|http://webold.nsd.org/%{REQUEST_URI}?%{QUERY_STRING}} [END,NC,QSD]

  # these map all of / to http://www.nsd.org so they need to be last
  ProxyPass   /   http://webold.nsd.org/ retry=0 timeout=30
  ProxyPassReverse  /   http://webold.nsd.org/
</VirtualHost>


Any help/ideas are appreciated.

ski


--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Face-to-face exchange of contact information?

2013-10-07 Thread Robert Hajime Lanning

On 10/07/13 09:10, Jan Schaumann wrote:

Twitter handle, preferably printed on your badge.


I don't have a Twitter account.
I also don't have a Facebook account.

Business cards are my thing... :)
It is the quickest, simplest and the least common denominator.

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Ok, I am stumped - Perl script running under cron problem - SOLVED

2013-10-03 Thread Robert Hajime Lanning

On 10/03/13 21:42, Paul Graydon wrote:

Wow.. why would they do that?



It is quite common for commands that were originally designed as a human 
interactive CLI.


They automatically become more verbose when they think someone is 
watching. (i.e. when it has a TTY)


You really have to watch out for differences caused by the LANG 
variable.  Sometimes I have to manually put LANG=C at the top of my 
scripts to have them work consistently.


--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Can anyone recommend a very trustworthy PC person in Philadelphia?

2013-08-17 Thread Robert Hajime Lanning

On 08/17/13 12:11, Betsy Schwartz wrote:

cracking up.
Do you have 80-something parents?
If so have you ever tried to get them to do *anything* they didn't want
to do?
Long-distance?

I am still working on getting mom to consider just trying  AOL or Gmail
or Facebook chat.
Just once.
She's extremely hard of hearing and the phone doesn't play nice with her
hearing aid.
I haven't managed *that* task in five years.

Switching from Word Perfect : NEVER. GONNA. HAPPEN. EVER.

Probably I should go find a small-business list and ask there instead of
asking on a unix list :-)


Heh...

My mom is ok with Word on Windows 7.  Move to anything else would 
confuse the hell out of her.  It would be years of weekly phone calls, 
if not daily. She is currently self sufficient, except for issues that 
even I can't help remotely.  And she is only 67.


Her mom, on the other hand, does not own a computer. She writes letters 
by hand in cursive (that long lost art...) There is no way I would be 
able to get her on a computer at all.  If she ever writes her memoirs, 
it will most likely be on a manual typewriter.  And she is 90.


--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Can anyone recommend a very trustworthy PC person in Philadelphia?

2013-08-17 Thread Robert Hajime Lanning

On 08/17/13 13:39, Zack Williams wrote:

On Aug 17, 2013, at 12:38 PM, Robert Hajime Lanning lann...@lanning.cc wrote:


  If she ever writes her memoirs, it will most likely be on a manual typewriter.


Ah, she'll need one of these then:  http://www.usbtypewriter.com



That is really cool. I might have to do that for myself... :)

How do you enter the difference between a linefeed and a carriage 
return? Your normal keyboards don't have a \n vs. \c, while the old 
typewriters did (carriage return lever was multi functioned.)


Though, with my grandma, I might have to do repairs for the correction 
ribbon marks... (what delete key?)


:P

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] What's your favourite home-office all-in-one printer

2013-08-06 Thread Robert Hajime Lanning

On 08/06/13 12:03, Yves Dorfsman wrote:

On 2013-08-06 12:45, Matthew Barr wrote:

We print fairly infrequently,  but every time I've seen an inkjet
that's used that little, it's always dried out.


I'm wondering the same thing, I can go months without using colour...


I ended up with a laser printer (Canon imageCLASS D480).  I print 
*maybe* once a year.  In fact, this printer was sitting in my 
diningroom, unopened, for about 13 months, before I finally set it up.


I was finding it cheaper to buy a whole new printer (@ $25), than to buy 
new ink, so I went laser.  No need to buy new toner, until you run out.


--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Mark Burgess quote from April 2013 ;login:

2013-07-03 Thread Robert Hajime Lanning

On 07/03/13 15:37, Joseph Kern wrote:

I guess we could start by asking something like this: What is a System
Administrator not responsible for? and working backwards.


It depends...

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Great Interview Questions

2013-05-07 Thread Robert Hajime Lanning

On 05/07/13 09:15, Michael Tiernan wrote:

What is the UDP three way handshake? He said he was wondering how
many people would catch the question's trick.


You send three UDP packets in three different directions, then shake the 
hand of the person next to you.


--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Relentless renewal notices

2013-03-29 Thread Robert Hajime Lanning

On 03/29/13 14:28, Matt Lawrence wrote:

On Fri, 29 Mar 2013, Moose Finklestein wrote:


Have you checked your palm to see if your crystal is blinking?
Perhaps it is your time for Carousel!

RENEW!  RENEW!


That should be:
Renew, renew, ok.

Youngsters these days


There is no sanctuary...

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Attack of the ATVs - (advanced volatile threats) ....

2013-02-26 Thread Robert Hajime Lanning

On 02/26/13 12:08, Graham Dunn wrote:

So sneaky, even their acronym is unexpected.




I wonder if it has the same background as UTC... :)

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Syslog protocols: which are people using?

2013-01-26 Thread Robert Hajime Lanning

On 01/26/13 16:08, David Lang wrote:

GELF2 I have not heard of before


Graylog Extended Log Format v2

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] 2 factor authentication

2013-01-19 Thread Robert Hajime Lanning

On 01/16/13 04:44, James R Grinter wrote:

On 11/01/2013 22:57, Robert Hajime Lanning wrote:

RSA soft token generates the code using the serial number/PIN/time as
input. Always gives you a code.


not quite, with the ones I've used anyway.

The user's PIN is only entered as input for the login password, along
with the random value generated by the token (real, or soft. Actually,
RSA did used to have a token model where the PIN was keyed into the
token, and hashed to form a response, but it still didn't confirm the
PIN: it merely avoided it being sent in plain text across an unsecured
network connection.)


Maybe RSA has both types.

I implemented RSA at Seagate about 10 years ago.  We used hard tokens 
only.  A few years ago, they switched to soft tokens (cost benefit).  A 
friend of mine, who still works there, showed me the new soft token.  He 
entered his pin and it generated the code.


--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] 2 factor authentication

2013-01-11 Thread Robert Hajime Lanning

On 01/11/13 11:07, Josh Smift wrote:

How different is the Symantec solution from SSH with a key with a
passphrase? Not that there's anything wrong with SSH with a key with a
passphrase; but if that's good enough, what do you get by adding Symantec?


Key can be copied.  So, it does not really meet the something you have 
aspect.  The biggest issue with the key with passphrase is that you 
have zero ability to enforce the passphrase strength or even if it exists.


Soft tokens (any type) can be copied, dependent on the platform it is 
running on.  Easiest is a system backup/restore.  Otherwise picking the 
right files to copy.  (in the right files ssh key is a single well 
known file, as for Symantec or RSA soft tokens, not sure which files, 
but it can be known)


With Symantec, it is an additional step, so you still have a service 
passphrase, if implemented.


With RSA, you enter the knowledge part (PIN) into the soft token and it is 
used with the serial number and time, to generate the code.  Both the 
user and the RSA server must know the PIN.  The serial number is known 
by the RSA server and the token software.


--
Mr. Flibble
King of the Potato People
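The post above makes the point that nothing enforces a passphrase on an SSH key, or even that one exists. One thing an admin can do is audit the keys on disk: OpenSSH's own file formats record the protection in the header, so a check needs no key material. The following is an added example written for this page, not code from the original poster or from the OpenSSH project; the sample key files are constructed header-only containers (no real key inside) so the block runs offline.

```python
import base64
import struct

# Header formats are from OpenSSH's own file formats: the modern
# "openssh-key-v1" container records its cipher and KDF names up front;
# the legacy PEM container marks encryption with a "Proc-Type" header.
PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, pos: int):
    """Read one SSH wire 'string' (uint32 length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def key_protection(key_text: str) -> dict:
    """Report whether a private key file is passphrase-protected.

    Only the header is parsed; no key material is decoded or decrypted.
    """
    lines = key_text.strip().splitlines()
    if lines[0] == PEM_BEGIN and lines[-1] == PEM_END:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _read_string(body, len(MAGIC))
        kdf, _ = _read_string(body, pos)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return {"format": "pem", "cipher": None, "kdf": None, "encrypted": encrypted}
    raise ValueError("not a recognised private key file")


# --- constructed samples: headers only, no real key material ---------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _constructed_openssh_file(cipher: bytes, kdf: bytes) -> str:
    """Build just enough of an openssh-key-v1 container for the header check."""
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 0))
    b64 = base64.b64encode(body).decode()
    return "\n".join([PEM_BEGIN]
                     + [b64[i:i + 70] for i in range(0, len(b64), 70)]
                     + [PEM_END])


SAMPLE_ENCRYPTED = _constructed_openssh_file(b"aes256-ctr", b"bcrypt")
SAMPLE_PLAINTEXT = _constructed_openssh_file(b"none", b"none")
SAMPLE_LEGACY_ENCRYPTED = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF",  # constructed IV
    "",
    "Q09OU1RSVUNURUQ=",  # constructed body, not a real key
    "-----END RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for name, text in [("encrypted", SAMPLE_ENCRYPTED),
                       ("plaintext", SAMPLE_PLAINTEXT),
                       ("legacy", SAMPLE_LEGACY_ENCRYPTED)]:
        print(name, key_protection(text))
```

Run against `~/.ssh/id_*` (or a fleet-wide collection of authorized users' key files) this reports `"encrypted": False` for keys with no passphrase; it says nothing about passphrase strength, which is the other half of the point the post makes.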


Re: [lopsa-discuss] 2 factor authentication

2013-01-11 Thread Robert Hajime Lanning

Both RSA and VIP have hard tokens and soft tokens.

The difference is that RSA assigns tokens to the company that purchases 
them.  (You get a list of serial numbers to import to your local or 
hosted RSA server.)


VIP is a hosted service only.  A single VIP token (designed to be a soft 
token, but a hard token can be purchased) is assigned to the 
person/device by Symantec.  The software can be installed, it then 
negotiates the Credential ID (aka serial number) with the hosted 
service when first run.  There is no way to enter your own ID.  Any 
company that subscribes to the VIP service can validate ANY token.


I can take my VIP token (on my smartphone) that I used for my company 
VPN access and install its Credential ID into my eTrade account and turn 
on 2 factor for that.


The idea with VIP is closer to a federated login.  But the VIP hosted 
service does not have any login information.  Just validates that the 
code presented to it, matches the Credential ID that is presented in the 
same request.  So, any service that uses VIP as a second authentication 
method, must provide its own login account to itself.


Downside (and I have had to do this) is if you have to hard reset your 
device (whatever you have the soft token on), you have to go through 
all your accounts that use the token and work with the password recovery 
to clear the old token ID and install the new one.


--
Mr. Flibble
King of the Potato People
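The two posts above describe a soft token as "serial number, PIN and time in, code out", with the server holding the same inputs, and VIP as a hosted validator that knows credential IDs but no login accounts. The following is an added example written for this page, not code from RSA, Symantec or the original poster. It uses the public HOTP/TOTP construction (RFC 4226 and RFC 6238) as a stand-in for the vendors' own algorithms, and models the validator/relying-service split in Python. All credential IDs, secrets, usernames and timestamps are constructed.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock drift),
    comparing in constant time. The verifier needs the same secret as the
    token, so a copy of the secret yields the same codes."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


class HostedValidator:
    """Models the hosted VIP-style service from the thread: it maps a
    credential ID to a token secret and answers one question, 'does this
    code match this credential ID right now?'. It stores no usernames."""

    def __init__(self) -> None:
        self._secrets = {}  # credential_id -> token secret

    def provision(self, credential_id: str, secret: bytes) -> None:
        self._secrets[credential_id] = secret

    def validate(self, credential_id: str, code: str, now: int) -> bool:
        secret = self._secrets.get(credential_id)
        return secret is not None and verify_totp(secret, code, now)


class RelyingService:
    """A VPN, brokerage, etc. It owns its accounts and passwords and stores
    only a credential ID per user; any token the validator knows can be
    bound here, which is what lets one token serve several services."""

    def __init__(self, validator: HostedValidator) -> None:
        self.validator = validator
        self._accounts = {}  # username -> {"salt", "pw", "credential_id"}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = {
            "salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "credential_id": None,
        }

    def bind_token(self, user: str, credential_id: str) -> None:
        """Enrol a token, or replace it after a device reset produced a new ID."""
        self._accounts[user]["credential_id"] = credential_id

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        acct = self._accounts.get(user)
        if acct is None or acct["credential_id"] is None:
            return False
        pw_ok = hmac.compare_digest(
            acct["pw"],
            hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000))
        return pw_ok and self.validator.validate(acct["credential_id"], code, now)


def demo() -> dict:
    """One token bound to two services, then a device reset that forces
    re-binding at each service. Every ID, secret and time here is constructed."""
    now = 1_700_000_000
    validator = HostedValidator()
    validator.provision("VSMT-CONSTRUCTED-0001", b"constructed-token-secret-1")
    vpn, broker = RelyingService(validator), RelyingService(validator)
    vpn.register("rlanning", "vpn-pass")
    broker.register("rhl", "broker-pass")
    vpn.bind_token("rlanning", "VSMT-CONSTRUCTED-0001")
    broker.bind_token("rhl", "VSMT-CONSTRUCTED-0001")
    code = totp(b"constructed-token-secret-1", now)
    results = {
        "vpn_ok": vpn.login("rlanning", "vpn-pass", code, now),
        "broker_ok": broker.login("rhl", "broker-pass", code, now),
        "wrong_pw": vpn.login("rlanning", "guess", code, now),
    }
    # Device reset: the app negotiates a fresh credential ID with the
    # validator. The old ID still exists there, but the user no longer holds
    # its secret, so each service has to be re-bound to the new ID.
    validator.provision("VSMT-CONSTRUCTED-0002", b"constructed-token-secret-2")
    new_code = totp(b"constructed-token-secret-2", now)
    results["after_reset_unbound"] = vpn.login("rlanning", "vpn-pass", new_code, now)
    vpn.bind_token("rlanning", "VSMT-CONSTRUCTED-0002")
    results["after_rebind"] = vpn.login("rlanning", "vpn-pass", new_code, now)
    return results


if __name__ == "__main__":
    print(demo())
```

The `verify_totp` window is a design choice: one step either side tolerates clock drift without widening the guess space much. The shape of `HostedValidator` is the point about federation made in the thread: because it holds secrets keyed only by credential ID, the relying service is the only place the link between a person and a token exists, and that link is what has to be repaired per service after a reset.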


Re: [lopsa-discuss] credmgr - securely manage privileged account credentials via shamir secret sharing

2012-06-25 Thread Robert Hajime Lanning

On 06/25/12 16:59, Michael C Tiernan wrote:

How business continuity is maintained across catastrophic events.

How, when everything else has hit the fan, can I, a trusted admin working in 
the data center, get access into our systems where even the networking is down? There are times that 
in preparation for bringing up the data center from a dead stop, I need to log into some systems and 
run fsck's (or other such tasks) before everything else is live.



In those situations, on the console, I just boot with init=/bin/sh.
It is way easier than dealing with password secrecy procedures.
This includes the fact that the password is still a secret.

Passwords? We don't need no stinkin' passwords! :)



Can I, after getting the root password of a system in an emergency, flag a password as exposed 
but not compromised, requiring the password to be changed and re-synced at the next possible 
opportunity when normal operation has been restored?

Is there a way to generate password displays using clear, concise (unambiguous) language for 
reading over the phone or other verbal exchange including, should it be required, 
printing? (i.e. Password=bwFq displays as [bravo][whisky][FOXTROT][golf])



--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Maybe I don't get it -Harassment policy

2012-05-25 Thread Robert Hajime Lanning

On 05/25/12 13:22, Anton Cohen wrote:

On Fri, May 25, 2012 at 8:54 AM, rac...@anl.gov
mailto:rac...@anl.gov wrote:
Also, I think the Code-Of-Ethics really covers things.

I pay for LOPSA membership because I believe in the sysadmin profession
and I want to support it. I don't actually get any personal value from
my membership. If I see my membership money going to lawyers to draft or
review policies to cover incidents that haven't happened yet, and for
which there are already rules or laws covering, I might not renew my
membership.


Ok, I think we need to be clear about the role of the Code of Ethics vs. 
the role of an Anti-Harassment policy.


The Code of Ethics defines what we, as professionals, strive for as 
expected conduct.  It is not really enforceable, outside of bouncing the 
perpetrator out of the organization, if we have code somewhere that 
specifies that to be a member, you MUST follow the Code of Ethics.


The code that specifies that you MUST follow the Code of Ethics, would 
be an organizational policy.  Since the Code of Ethics doesn't say 
anywhere what can be done if a violation is found, it alone is not 
enforceable.


An Anti-Harassment policy could point to the Code of Ethics for expected 
behavior.  It will have to also go on and specify what 
recourses/escalations are available upon violation.


Since a policy contains the recourse/escalations, the review of the 
final document by legal counsel is, as most agree, necessary.  As the 
actions specified in the recourse/escalations part can cause liability 
issues.


A quick search on lopsa.org and I find the Etiquette Policy that states 
that "All LOPSA members are bound by our Code of Ethics, among 
additional guidelines."  And it contains the recourse of "there will be 
at least one warning issued with possible more strict punitive measures 
depending on the medium or forum and nature of the infraction."


Now this covers, in very broad strokes, what can happen if someone 
breaks the rules, as long as they are a member of LOPSA. (we get a stern 
talking to...)


A conference is a whole other matter.  There would have to be a policy 
stated in the registration process on expected behavior and recourse, 
since there would be non-LOPSA attendees, who never agreed to the LOPSA 
policies.


Example of legal agreement: (I found humorous)
http://lanning.cc/pub/SYMC-Ped-Agreement.jpg

--
Mr. Flibble
King of the Potato People


Re: [lopsa-discuss] Diversity Issues - A Bigger Problem Than Women In Tech

2011-12-13 Thread Robert Hajime Lanning
On 12/13/11 07:22, Mark McCullough wrote:

 No, the cool kids are playing Minecraft or Halo Reach,
 or whatever the latest video game is that month.  This
 is not thirty years ago.  I've spoken with too many
 kids who were clearly in the at least semi-popular
 class who both participated in sports and showed all
 the classic signs of long term computer interest.
 

err... twenty years ago... :)

I have no kids, so yes, I am not really in touch with
today's school culture.

I do remember at my 10 year reunion (10 years ago) the
popular kid owned a few garages. :)

I guess with Apple and console games, tech savvy is
getting an in.

-- 
END OF LINE
   -MCP


Re: [lopsa-discuss] Diversity Issues - A Bigger Problem Than Women In Tech

2011-12-13 Thread Robert Hajime Lanning
On 12/13/11 13:46, Dan Foster wrote:
 That's one way to feel old. :-) (And let's not even talk about their
 reactions to the high quality graphics from the Atari 2600 VCS
 console... :-) Wow! Man, how did you ever play games with worse than
 crude stick 2D graphics? Lots of imagination, son. The look on kids'
 face suggested they had just met someone from the stone age. Priceless!)

Ok, quick note on age... My dad and I got a chuckle from the behind the
scenes of Super 8.  The child actors in that movie had never seen a
rotary phone and had to be shown how to use one for the movie.

wow, a phone without a touch screen... :)

now back to the regularly scheduled program

-- 
END OF LINE
   -MCP


Re: [lopsa-discuss] Diversity Issues - A Bigger Problem Than Women In Tech

2011-12-12 Thread Robert Hajime Lanning
On 12/12/11 20:55, Mark McCullough wrote:
 I find that tech employees are neither particularly loved nor
 vilified.  It's seen by the random person on the street I speak
 with as a respectable profession.  Now, my normal way of
 explaining my job is I keep the computers you use to pay your $x
 bill safe enough to use your credit card.  That puts it in terms
 that they can understand, and the normal reaction from those who
 have actually gone so far as to ask what I do is far from
 disinterest.  Yes, their eyes glaze over if I go into any more
 detail, but my eyes glaze over when I talk with an environmental
 engineer about what he does.

It really isn't at our level that these perceived issues are at.

Damion was talking about teens.  Middle/High school the cool
kids were working on cars and/or doing sports.  The geeks and
outcasts would be running DD or messing with computers.

To get the diversity, you need the applicant pool to be diverse.
That does not start at college graduation.  It needs to be cool
at the middle/high school levels.

What to do about this, is left as an exercise for the reader...

-- 
END OF LINE
   -MCP


Re: [lopsa-discuss] BTY: Need Suggestions - For Backing Up Older Versions and Current Op Sys's ...

2011-10-17 Thread Robert Hajime Lanning
I know that Acronis' Universal Restore can slipstream new drivers during
a bare metal restore.  This allows restoring to different hardware/VM.

I was a developer (linux appliance side) at a failed startup that OEM'd
Acronis Server.  Our product was partially based on this capability.

You do still have to reactivate the Windows license, if it is new
enough to contain that tech.  Which is why one of the owners ideas of
automated failover from physical to virtual (auto restore into VM upon
failure detection) just wasn't going to work.

On 10/17/11 12:07, Harvey Rothenberg wrote:
 Thanks Nick ! for your suggestion of SystemRescueCd.  I will look into
 this project. Also thank you for,  ... if the hardware dies you'll have
 a real hard time getting the image you made with dd working on
 replacement hardware, thus the virtualization suggestion.   This is one
 of the claims that some of the commercial software claims that they
 handle.  Can anyone confirm this capability ?

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] Datacenter move post-mortem

2011-07-25 Thread Robert Hajime Lanning
On 07/25/11 13:58, Paul Graydon wrote:
 On 07/25/2011 10:28 AM, Derek J. Balling wrote:
 On Jul 25, 2011, at 1:46 PM, Jonathan Rozes wrote:
 After much cursing (much of it at myself for not catching it
 beforehand), we spent the next two hours yanking it all out,
 unscrewing all the rails, and putting it all back together correctly.
 This was a containerized data center too, so only room for two people
 to perform the work.
 Unscrewing? Square-hole FTW.

 D
 It's amazing how many of our rails still required screwing into the cab,
 even as they took advantage of the square holes.
 
 I still hate rack-nuts, even though I managed to remove and fit about 10
 of them without cutting myself (for once).  Thankfully one of the guys
 I worked with was enthusiastic about doing them, so I left most of them
 to him.

These are a godsend... :)
http://store.cablesplususa.com/cagenuttool.html

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Robert Hajime Lanning
On 07/22/11 09:44, Paul Graydon wrote:
 On 7/22/2011 2:29 AM, Adam Moskowitz wrote:
 Paul Graydon wrote:
 Hopefully with a good wide spread of interest and talents we could
 finally get a monitoring tool that doesn't actually suck!
 And what color pony do you want with that?

 Seriously, given the incredibly wide range of applications, situations,
 SLAs, services, constraints, conditions, and requirements, I think the
 idea that a single tool will solve everyone's problems is, well, nothing
 short of ludicrous.
 By making /everything/ modular and extensible, and having the monitoring
 platform be a framework which individual components are natively plugged
 in to, everything from data collection, to presentation, reporting or
 responding . That's what the proposal seems to boil down to.  It's
 something we're sadly lacking with most monitoring solutions that I've
 ever seen.  It's almost entirely 'their way or the highway', with a few
 bolt-ons on the side, fudged into place just to get by (with all the
 unreliability and risk that implies)

Then you end up with HP OpenView...
ugh

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Robert Hajime Lanning
On 07/22/11 14:09, Tracy Reed wrote:
 On Fri, Jul 22, 2011 at 02:03:49PM -0700, Robert Hajime Lanning spake thusly:
 Not enforcible, unless you use something like a PKCS#11 token, where you
 have to authenticate to the hard token to get access to your private key.
 
 You can't enforce people not simply giving away their passwords or
 writing them down in silly places either. The perfect solution is
 non-existent.
 

True there is no perfect solution, but at least with PKCS#11 you have a
password and the token.  Something you have, the token (that can't be
duplicated) and something you know, the pass-phrase.

Nice thing about tokens is that you *usually* know when they are
missing.  Passwords can be copied and you find out after the break-in.

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] 30% Apple

2011-02-17 Thread Robert Hajime Lanning
On 02/17/11 16:05, Brad Knowles wrote:
 I'm not aware of any such apps that fall into the category you have
 described, and I am not sure how they would be impacted.
 
 But it is a good question to ask -- I just don't have any answers for you.

I wonder what Amazon will do with their Kindle app.

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] 30% Apple

2011-02-17 Thread Robert Hajime Lanning
On 02/17/11 16:21, Paul Graydon wrote:
 On 02/17/2011 02:17 PM, Robert Hajime Lanning wrote:
 I wonder what Amazon will do with their Kindle app.

 The BBC has an iPlayer app that they were going to allow international 
 people to use for an annual fee, I guess they'll price it to take that 
 30% hit without impacting profits and enjoy a much nicer profit margin 
 on the planned Android apps.

ya, but with Amazon, they already have a set pricing structure that
everyone is used to, that did not include a 30% take by a side
distribution channel.

And by side I mean, the content is not distributed by Apple.  Just
the app.  So, all future purchases via the app take the 30% hit, with
apple no longer having anything to do with it.

Distribution is handled by Amazon itself along with the cell carrier.
With the apps (android/i*/whatever) the carrier is paid by the consumer.
 With the hardware Kindle, it is paid by Amazon.

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] Why Do Linux Admins Seem To Be So Much More Involved in the Community?

2011-01-27 Thread Robert Hajime Lanning
http://en.wikipedia.org/wiki/Somebody_Else's_Problem

In all the positions I have been at, I would be reprimanded if a service
that I am responsible for was down and all I did was say "it's their
problem."

It's a bug in their code, for sure, but meanwhile my SLA goes to crap,
the business comes to a halt, all the while I wait the possible months
for them to fix it (especially if I am not a BIG customer.)

I have to work the problem.  I have to find a work around.

This is part of managing the service and its requisite systems.

On 01/27/11 16:54, Michael Ryder wrote:
 My boss wants me managing systems, not debugging code that's written by
 someone we already paid for the product or service. 
 
 As much as I desire to be able to fix a problem, it's someone else's
 responsibility to fix their own code.
 
 Provide the original programmers with error codes, log files and any
 other diagnostic information they need to solve the problem.  Unless I
 am trying to automate or streamline an administrative task, why should I
 spend my time fixing someone else's problem?

-- 
END OF LINE
  --MCP


Re: [lopsa-discuss] Embracing the LOPSA name

2011-01-11 Thread Robert Hajime Lanning
GREP BOB
:)

--
END OF LINE
  --MCP

Charles Jones charles.r.jo...@gmail.com wrote:

On Tue, Jan 11, 2011 at 7:02 PM, Robert Novak rno...@indyramp.com wrote:

 On Tue, Jan 11, 2011 at 1:46 PM, Charles Jones
 charles.r.jo...@gmail.com wrote:
  The real fun comes in explaining my license plate, which is IM ROOT.
 Other
 
  Also fun is explaining to people who are unaware of who Cisco is. They
  usually think it is Sysco, which is a food service distributor :)

 I'd like to see a network admin with PANCHO as the license plate.
 Would probably have to be one older than me, as I got in to that
 rather late.

 Best geek plate I've ever seen though, I think, was OMEGA MU. I almost
 fell in the street when it hit me (figuratively speaking of course).


My first choice was UID 0 but that was taken :)



Re: [lopsa-discuss] Awakening the activist wing of LOPSA?

2011-01-06 Thread Robert Hajime Lanning
On 01/06/11 06:39, Yves Dorfsman wrote:
 The first definition from http://www.dictionary.com for league is:
 a covenant or compact made between persons, parties, states, etc., for the 
 promotion or maintenance of common interests or for mutual assistance or 
 service.
 
 That sounds a lot like what we are trying to do!
 
 Often people who have never heard of something feel the need to make a 
 comment 
 or a judgement on what they can, so at first, just the name... Once we're 
 known for what we do, I bet you nobody will care about the name. This is the 
 first time I hear this argument in 5 years. I'd just stick to it, and move on 
 with the important issues. As mentioned earlier, to me the important issues 
 are:
 
 1) build content (best practices, list or reviewed/approved resources, job 
 descriptions / levels etc...)
 
 2) PR work, start commenting on what is going on, sending press releases to 
 the media (we need to arrive to consensus first, I believe # 1 will get us 
 there).

Yes, but...

For most people, the first thing that comes to mind is bowling league.

So, we have an uphill battle, just because of our name choice.

-- 
END OF LINE
  --MCP