Re: [lopsa-discuss] College degrees not required for a career in system administration
I just turned 44 and I have a GED with some Community College and going on 22 years' experience. I have always thought of myself as a bad example ("Do as I say, not as I do.") when it comes to higher education. But it does look like times are changing. I have seen that a degree (any degree) helps a lot in getting a foot in the door when starting a career in this field. Though people are finding the ROI on higher education is not what it used to be.

I was lucky with the time and place in starting my career (the heyday of the mid '90s in Silicon Valley). Though, in middle school, I was the one who got into BASIC on the Commodore 64, while my brothers got into the video games. My brothers are doing well, but they actually got 4-year degrees and their careers do require it.

I am very much a self-learner and I am always looking for the next thing to implement. :) Though I don't do temporary implementations in a lab. I look for real-world implementations. Like when I dug myself into the VoIP world by wiring up the house to a channel bank and a T1 card in an Asterisk server and a couple of SIP phones.

On 12/15/2016 08:44 AM, Bill Bogstad wrote:
> http://qz.com/858194/ibm-employees-without-college-education/
>
> An interesting article on how you don't need a college degree to work for IBM. It quotes BLS statistics that 47% of Network and computer systems administrators don't have four year college degrees.
>
> Food for thought?

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning

___
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best
Attack vectors... The difference is "can the private key (something you have) be copied?" PKI hardware token: No. File on notebook: Yes.

A PKI key on its own as a file on a hard drive is equal to a really complex password. So complex that you can't remember it, so it is written down. So, you encrypt the private encryption key with a passphrase. You have now put a password on your password. If the key can be copied, then it does not subscribe to "something you have" being unique. A passphrase can be copied, so it is also not unique. The combination of the two is not unique. Malware can attack a file on a notebook and steal keystrokes for a passphrase.

For PKI hardware, data is sent to the token itself where the token (using its own processor) encrypts/signs the data with the private key. The private key cannot be copied/read off the token. The private key can only be generated/used/erased via API calls to the hardware. PKI USB tokens are basically smart card readers with a smart card permanently attached.

On 12/01/16 11:07, Morgan Blackthorne wrote:
> I guess I'm not seeing much of a distinction between someone knowing your password and someone knowing the passphrase on your key. If you have a passphrase set, having a copy of the key does you no good without the passphrase. But there's a pretty equivalent concern about someone having both pieces of that equation vs. a normal password. Now something like an OTP setup is a different story.
>
> I agree with the enforcement perspective on keys; I wish SSH had a way to flag whether or not a passphrase was enabled for a key and then control restrictions on the server side as to what accounts are whitelisted for automation vs. normal users where a passphrase is enforced. But at the end of the day I'm unconvinced that a key is any less secure than a password, as long as you have a passphrase configured.
>
> On Thu, Dec 1, 2016 at 10:54 AM, Robert Hajime Lanning <lann...@lanning.cc> wrote:
>> Requiring a passphrase on your private key is not enforceable. And the key can be duplicated. So if someone has a copy of your key and gets/guesses your passphrase, you won't know they have access.
>>
>> Having the private key generated on a PKI hardware token that *enforces* a PIN/passphrase to access covers those bases.
>>
>> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>> If you have a passphrase on your private key (as one should), would that not be considered something you know as well?
>>>
>>> On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning <lann...@lanning.cc> wrote:
>>>> I have only implemented RSA, but I will be doing a bit of research on this topic shortly.
>>>>
>>>> For my current job we'll be needing MFA for a secure environment in the next couple of months. They won't be able to afford RSA.
>>>>
>>>> But I do need to note that PKI key+Duo is not MFA. (Something you have + Something you have)
>>>>
>>>> MFA is Multi Factor Authentication and is defined as: (pick 2+ separate items)
>>>>
>>>> 1) Something you know (password/PIN not written down)
>>>> 2) Something you have (device that can not be copied, RSA fob, PKI hardware token/smart card...)
>>>> 3) Something you are (biometrics)
>>>>
>>>> RSA is fob + PIN.
>>>>
>>>> My current plan is a PKI hardware token that requires a PIN/passcode to unlock the token to use the private key contained within. The key pair is generated on the token and the private key cannot be copied off the token.
>>>>
>>>> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>>>>
>>>> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>>>> I'm an end-user of Duo at the day job and relatively happy with it. Was not involved in the setup, though. OTOH I remember someone in #lopsa saying they had problems with them and had been unhappy. Can't remember who or why offhand, hopefully they'll chime in on this thread.
>>>>>
>>>>> I will note that the most common problem with Duo that I've personally seen is when folks have it configured to give them a phone call instead of running the app and getting a push notification. In our setup, to access the windows jumpbox we start an RDP session, and after normal user auth, it then triggers a Duo challenge. But the phone call setting seems to get delayed enough that the RDP session fails with a network policy error. People adjusting their
Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best
Requiring a passphrase on your private key is not enforceable. And the key can be duplicated. So if someone has a copy of your key and gets/guesses your passphrase, you won't know they have access.

Having the private key generated on a PKI hardware token that *enforces* a PIN/passphrase to access covers those bases.

On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
> If you have a passphrase on your private key (as one should), would that not be considered something you know as well?
>
> On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning <lann...@lanning.cc> wrote:
>> I have only implemented RSA, but I will be doing a bit of research on this topic shortly.
>>
>> For my current job we'll be needing MFA for a secure environment in the next couple of months. They won't be able to afford RSA.
>>
>> But I do need to note that PKI key+Duo is not MFA. (Something you have + Something you have)
>>
>> MFA is Multi Factor Authentication and is defined as: (pick 2+ separate items)
>>
>> 1) Something you know (password/PIN not written down)
>> 2) Something you have (device that can not be copied, RSA fob, PKI hardware token/smart card...)
>> 3) Something you are (biometrics)
>>
>> RSA is fob + PIN.
>>
>> My current plan is a PKI hardware token that requires a PIN/passcode to unlock the token to use the private key contained within. The key pair is generated on the token and the private key cannot be copied off the token.
>>
>> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>>
>> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>> I'm an end-user of Duo at the day job and relatively happy with it. Was not involved in the setup, though. OTOH I remember someone in #lopsa saying they had problems with them and had been unhappy. Can't remember who or why offhand, hopefully they'll chime in on this thread.
>>>
>>> I will note that the most common problem with Duo that I've personally seen is when folks have it configured to give them a phone call instead of running the app and getting a push notification. In our setup, to access the windows jumpbox we start an RDP session, and after normal user auth, it then triggers a Duo challenge. But the phone call setting seems to get delayed enough that the RDP session fails with a network policy error. People adjusting their user config with push notifications works better. I have not looked into seeing if you can just blanket disable that option, but it seems a bit odd that they offer that as a service when it doesn't work; then again, we may have a more aggressive timeout policy on the Duo portion than is recommended. Again, wasn't involved in the setup as it predated me, so I'm not sure.
>>>
>>> I know it also works with Linux boxes and that's on my list to check out, just haven't gotten to it yet. We'd likely only enable it on nodes with public IPs that have SSH listening/allowed, so it has been low on my priority list.
>>>
>>> Duo is also apparently free depending on how many users/devices you have, whereas last time I heard about the RSA setup, it was very expensive. I'm planning on adding Duo support to my personal AWS Linux nodes for SSH (so key+MFA auth, no passwords allowed).
>>>
>>> On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <_kylestew...@outlook.com> wrote:
>>>> Hi all, hope this email finds everyone well. We're looking into setting up two-factor authentication at my company for a 2017 project and I'm in the "Let's get the lay of the land" phase. Right now it seems like Duo is making big headway in this market, but I've heard good things about RSA as well. I'd love to get some first-hand feedback from people who have used these types of 2FA solutions who aren't sales people :)
>>>>
>>>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented - at face value I'm very interested in Duo so if anyone has experience with Duo and setting it up (preferably alongside Palo Alto's and GlobalProtect) that'd
Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best
I have only implemented RSA, but I will be doing a bit of research on this topic shortly.

For my current job we'll be needing MFA for a secure environment in the next couple of months. They won't be able to afford RSA.

But I do need to note that PKI key+Duo is not MFA. (Something you have + Something you have)

MFA is Multi Factor Authentication and is defined as: (pick 2+ separate items)

1) Something you know (password/PIN not written down)
2) Something you have (device that can not be copied, RSA fob, PKI hardware token/smart card...)
3) Something you are (biometrics)

RSA is fob + PIN.

My current plan is a PKI hardware token that requires a PIN/passcode to unlock the token to use the private key contained within. The key pair is generated on the token and the private key cannot be copied off the token.

Ssh and openvpn clients support PKCS#11 for PKI hardware.

On Dec 1, 2016, Morgan Blackthorne wrote:
> I'm an end-user of Duo at the day job and relatively happy with it. Was not involved in the setup, though. OTOH I remember someone in #lopsa saying they had problems with them and had been unhappy. Can't remember who or why offhand, hopefully they'll chime in on this thread.
>
> I will note that the most common problem with Duo that I've personally seen is when folks have it configured to give them a phone call instead of running the app and getting a push notification. In our setup, to access the windows jumpbox we start an RDP session, and after normal user auth, it then triggers a Duo challenge. But the phone call setting seems to get delayed enough that the RDP session fails with a network policy error. People adjusting their user config with push notifications works better. I have not looked into seeing if you can just blanket disable that option, but it seems a bit odd that they offer that as a service when it doesn't work; then again, we may have a more aggressive timeout policy on the Duo portion than is recommended. Again, wasn't involved in the setup as it predated me, so I'm not sure.
>
> I know it also works with Linux boxes and that's on my list to check out, just haven't gotten to it yet. We'd likely only enable it on nodes with public IPs that have SSH listening/allowed, so it has been low on my priority list.
>
> Duo is also apparently free depending on how many users/devices you have, whereas last time I heard about the RSA setup, it was very expensive. I'm planning on adding Duo support to my personal AWS Linux nodes for SSH (so key+MFA auth, no passwords allowed).
>
> On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <_kylestew...@outlook.com> wrote:
>> Hi all, hope this email finds everyone well. We're looking into setting up two-factor authentication at my company for a 2017 project and I'm in the "Let's get the lay of the land" phase. Right now it seems like Duo is making big headway in this market, but I've heard good things about RSA as well. I'd love to get some first-hand feedback from people who have used these types of 2FA solutions who aren't sales people :)
>>
>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented - at face value I'm very interested in Duo so if anyone has experience with Duo and setting it up (preferably alongside Palo Alto's and GlobalProtect) that'd be fantastic.
>>
>> Thanks in advance!
>>
>> Kyle Stewart

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
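The server side of the "key+MFA auth, no passwords allowed" SSH setup this thread circles around, as an added example that is not code from the thread, from OpenSSH or from Duo: a POSIX sh audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, global section only) and reports whether password logins are off, a keyboard-interactive (PAM) challenge is enabled, and `AuthenticationMethods` demands publickey followed by keyboard-interactive. It also shows the server-side split the thread wishes for, a key-only `Match` block for a named automation account while everyone else needs key plus challenge. The two config files, the `deploy` account name and the function names are constructed for this example; the sshd keywords themselves are real.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# "publickey, then a keyboard-interactive/PAM challenge, no passwords" posture.
# Both config files below are constructed for this example.

WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Typical stock config: password logins allowed, any single method suffices.
cat >"$WEAK_CFG" <<'EOF'
# constructed sample
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

# Hardened config: key, then a PAM challenge (e.g. a Duo prompt), for everyone
# except a constructed automation account that is key-only (constructed sample).
cat >"$HARD_CFG" <<'EOF'
# constructed sample
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Match User deploy
    AuthenticationMethods publickey
EOF

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD in the global section: the first
# non-comment occurrence wins, and parsing stops at the first Match block so a
# per-user override is never mistaken for the global policy. (Keyword=value
# spelling is not handled; this parser assumes whitespace-separated lines.)
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# kbd_interactive_enabled FILE
# Accepts either spelling: KbdInteractiveAuthentication (OpenSSH 8.7+) or the
# older alias ChallengeResponseAuthentication. Returns 0 when enabled.
kbd_interactive_enabled() {
    v=$(effective_value "$1" KbdInteractiveAuthentication)
    [ -z "$v" ] && v=$(effective_value "$1" ChallengeResponseAuthentication)
    [ "$v" = "yes" ]
}

# audit_sshd_config FILE
# Returns 0 when the global policy is publickey + keyboard-interactive with
# passwords disabled; otherwise prints each finding and returns 1.
audit_sshd_config() {
    f="$1"; rc=0
    pw=$(effective_value "$f" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset}' (sshd default is yes)"
        rc=1
    fi
    if ! kbd_interactive_enabled "$f"; then
        echo "FAIL: keyboard-interactive is off, so no PAM/MFA challenge can run"
        rc=1
    fi
    am=$(effective_value "$f" AuthenticationMethods)
    case "$am" in
        publickey,keyboard-interactive*) ;;
        *)
            echo "FAIL: AuthenticationMethods is '${am:-unset}' (one method alone suffices)"
            rc=1
            ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $f requires publickey then keyboard-interactive; passwords off"
    return "$rc"
}

echo "== weak =="
audit_sshd_config "$WEAK_CFG" || true
echo "== hardened =="
audit_sshd_config "$HARD_CFG" || true
```

Run it as-is to see three findings for the stock file and an OK for the hardened one; point `audit_sshd_config` at a real `/etc/ssh/sshd_config` to check a host. The `Match User deploy` block is what lets a key-only automation account coexist with an MFA requirement for interactive users, which is exactly the server-side distinction the thread notes is missing when the only control is a passphrase on the client's key file.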
Re: [lopsa-discuss] genisoimage ISO trouble
I don't think they know what they are talking about. An ISO image is the size of the data (+metadata), no empty sectors. Though, you could append NULL bytes to the end of the file.

My question would be, "What changed between when it was working and now?"

On 11/02/2016 01:28 PM, Justin Smith wrote:
> Every time my company releases a new version of its software, someone creates a ~1.5GB ISO image of it using genisoimage -J -R -D -V [volume_name], and then I use a Nexcopy USB duplicator to burn the ISO to 2GB flash drives. This process no longer works; it produces a "cannot get drive geometry" error. According to gparted, it's because the partition table is bogus - these flash drives are created with a 7.34GB partition, which obviously isn't possible on a 2GB flash drive.
>
> Nexcopy's support insists that this is because of the way the ISO was created even though known good ISOs from other versions produce the same error. I'm supposed to "Check the partition size...and then re-master the ISO so they all match. So if you have a 1.2GB CD-ROM partition size, you need to have a 1.2GB ISO file." I don't know enough about the ins and outs of genisoimage or ISO files to know if this is accurate or not or how I would do it. Any insight would be much appreciated.
>
> ---
> Justin Smith
> IT Analyst
> MIM Software, Inc.
> https://www.mimsoftware.com
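An added example, not from the thread or from genisoimage, to make "an ISO image is the size of the data (+metadata)" concrete: an ISO 9660 image records its own size in the primary volume descriptor (PVD) at sector 16, so that value can be compared against the file size, and the comparison still holds after NUL bytes are appended the way the reply suggests. The sample image, the function names and the 20-block size are constructed for this example; the script reads only the PVD size fields and does not parse the directory tree.

```shell
#!/bin/sh
# Added example, not code from the thread or from genisoimage: read the size
# an ISO 9660 image records in its primary volume descriptor (PVD), compare
# it with the file size, and pad the file with NUL bytes to a target size.
# The sample image is constructed in make_sample_iso; no real ISO is needed.

# ISO 9660 layout used below (offsets are bytes from the start of the image):
#   PVD starts at sector 16 = byte 32768; bytes 1-5 of it are the "CD001" magic
#   volume space size: 32-bit both-endian at PVD+80 (LE) and PVD+84 (BE)
#   logical block size: 16-bit both-endian at PVD+128 (LE) and PVD+130 (BE)
PVD=32768

# be_uint FILE OFFSET LEN: big-endian unsigned integer of LEN bytes at OFFSET.
# Reading the big-endian copies keeps the result independent of host byte order.
be_uint() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tu1 |
        awk '{ v = 0; for (i = 1; i <= NF; i++) v = v * 256 + $i; print v }'
}

# iso_logical_size FILE: bytes of data + metadata the image says it contains,
# i.e. blocks * block size. Returns 1 if the PVD magic is missing.
iso_logical_size() {
    magic=$(dd if="$1" bs=1 skip=$((PVD + 1)) count=5 2>/dev/null)
    [ "$magic" = "CD001" ] || { echo "$1: no ISO 9660 PVD at sector 16" >&2; return 1; }
    blocks=$(be_uint "$1" $((PVD + 84)) 4)
    bsize=$(be_uint "$1" $((PVD + 130)) 2)
    echo $((blocks * bsize))
}

# file_size FILE: size on disk in bytes (wc pads with spaces on some systems).
file_size() { wc -c <"$1" | tr -d ' '; }

# pad_image_to FILE TARGET: append NUL bytes so the file is exactly TARGET bytes
# long and print the new size. Refuses to shrink, since that would cut real data.
pad_image_to() {
    cur=$(file_size "$1")
    [ "$cur" -le "$2" ] || { echo "$1 is $cur bytes, larger than target $2" >&2; return 1; }
    dd if=/dev/zero bs=1 count=$(($2 - cur)) 2>/dev/null >>"$1"
    file_size "$1"
}

# make_sample_iso FILE: a constructed 20-block image (40960 bytes) with just
# enough of a PVD for the size fields above; it holds no real filesystem.
# The image starts as all zeros, so only the non-zero bytes are written.
make_sample_iso() {
    dd if=/dev/zero of="$1" bs=2048 count=20 2>/dev/null
    printf '\001CD001\001' | dd of="$1" bs=1 seek="$PVD" conv=notrunc 2>/dev/null
    # volume space size 20: LE copy at +80 (14 00 00 00), BE copy at +84 (00 00 00 14)
    printf '\024' | dd of="$1" bs=1 seek=$((PVD + 80)) conv=notrunc 2>/dev/null
    printf '\024' | dd of="$1" bs=1 seek=$((PVD + 87)) conv=notrunc 2>/dev/null
    # logical block size 2048: LE copy at +128 (00 08), BE copy at +130 (08 00)
    printf '\010' | dd of="$1" bs=1 seek=$((PVD + 129)) conv=notrunc 2>/dev/null
    printf '\010' | dd of="$1" bs=1 seek=$((PVD + 130)) conv=notrunc 2>/dev/null
}

IMG=$(mktemp)
trap 'rm -f "$IMG"' EXIT
make_sample_iso "$IMG"
echo "PVD says $(iso_logical_size "$IMG") bytes; file is $(file_size "$IMG") bytes"
pad_image_to "$IMG" 65536 >/dev/null
echo "after padding: PVD still says $(iso_logical_size "$IMG") bytes; file is $(file_size "$IMG") bytes"
```

On a freshly mastered image the two numbers agree, which is the "no empty sectors" point; after padding, the file grows but the PVD value does not, so the padding is invisible to anything that reads the ISO 9660 structures and only changes what a byte-for-byte duplicator sees.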
Re: [lopsa-discuss] IPv6 hosting (and/or cloud)
I use Linode. They're dual stack.

On May 6, 2016, Tom Perrine wrote:
> I'm looking for a place to move one of my very last personal physical hosts.
>
> I need a relatively inexpensive, dual-stack, and full host access solution. At-rest data encryption would be a good value add.
>
> Simple is critical; I wouldn't move this into AWS and then put ELB in front just to get dual-stack, for example.
>
> I need to be able to run a DNS hidden master, postfix and a very simple apache setup (static content only, no executable code). I *might* have to run wordpress, but only as a last resort.
>
> Recommendations?

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] licensing - Charity donation program?
I guess that depends on how powerful of a spell you can cast. :)

On Apr 13, 2016, Ryan Finnesey wrote:
> I have what may seem like an odd question and I don't know how many of the list members are active in the licensing process, but if 3% of your monthly Office 365 licensing cost went to a Charity of your selection would that influence witch Microsoft partner you would select to buy that license?
>
> Cheers
> Ryan

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] KVM's and PDU's
On 03/18/16 18:30, Doug Hughes wrote:
> All of the important electrical properties for Cat6 should have no impact on Serial.

I'm pretty sure it is not a normal "serial" signal. I don't know about *recent* KVMs, but as of about 6 years ago, the dongles output a very analog signal on the Cat5. All the high-powered digitization of the VGA signal was done inside the KVM unit. Over longer runs, your screen started to look like the old 1950s TVs...

This was with Dell IP-based KVMs. Avocent-like, but not quite. The dongles looked identical, but were not interchangeable.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] KVM's and PDU's
What Ski is getting at is that they are upgrading the cable plant and standardizing on a cable spec that has a path forward, without having to rip out the cable plant again. What you are talking about is dedicating part of the patch panel to legacy non-10GBase-T for the foreseeable future.

On 03/18/16 14:39, Doug Hughes wrote:
> You can run a cat5e patch from a cat6 panel. Or you can run a Cat6 patch to any rj45 port. It should "just work". You don't need to replace stuff. The rj45 end is the same:
> https://answers.yahoo.com/question/index?qid=20090924211618AAjS7qH
>
> Also, if you do want to change PDUs anyway, I second Derek's vociferous support for ServerTech. Apc is second. Geist has some less expensive and budget offerings that may work for you with features. Avocent also, ++ (I still like the Cyclades ACS series that Avocent bought, and you can still find them on ebay)

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] KVM's and PDU's
It's going to be some electrical property of the cabling. Remember KVMs tend to run their own proprietary analog signal. While Cat6a is better for our networking, the problem is that it is different to a device that does not do auto-negotiation in its own protocol.

On 03/18/16 14:58, Doug Hughes wrote:
> You sure it's not just a 568-A vs 568-B thing?

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] DNS strangeness with youtube.com
On 12/08/15 13:58, Ski Kacoroski wrote:
> One more bit of information. When I wireshark the queries, any query to youtube.com ends with:
>
> Standard query response A 208.70.74.21 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
>
> Queries to other locations work correctly and do not have that problem.

That sounds like it is something very local. Ethernet frame generation is at the broadcast domain level.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Fwd: Slack
On 07/12/15 22:13, Allan Irving wrote:
> It has channels and topics. These work similarly to your use case of email. In fact, like email - you can ignore or leave the discussion. You can delete and keep specific messages. Lack of threads is just replaced with channels.
>
> You can trial it free for up to x users at no cost which was my suggestion but I doubt that will work as it would seem people are already convinced it won't work for them. How many here have used Slack as there is a lack of knowledge regarding the features.

What features does it have that make it worth my time in deviating away from where I have most of my communications centralized? I have yet to see anything that gives a MUST HAVE feature. Basically because the email list format is not lacking anything that I need. Why should I have to bring up a new website (or even worse a separate client application) to keep up to date on what I automatically am kept up to date with via this email list format?

So, the question is not "Does it have equivalent features of the mail list?" The question is "Does it supply a feature that I require enough to warrant the deviation?" Since (at least for me) there are no new requirements from when the email list was created, there is no reason to change.

Also, why go to a proprietary format, when the current open format works? Why be dependent on the whims of a startup business to provide additional features that are not even needed? (It really is geared for work group collaboration, not PUBLIC mailing lists.)

Instead of the current centralizing of communications in the ubiquitous email format, you are looking to move to a proprietary format accessed via proprietary clients. You are asking everyone to go elsewhere (other than their normal INBOX). You really need a VERY good reason, other than "it's cool". You need to show that it satisfies a requirement that is currently not met.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Slack
On 07/12/15 14:15, Derek J. Balling wrote:
> Actually, the modern mindset has changed radically on this point. Constant change is expected, even considered good, and something you design to account for. Now, I'm not saying I'm the best at achieving this goal yet, but the tide definitely seems to have shifted from the "don't change things that often" model (which might be considered analogous to the waterfall model of software development) to the "constant controlled change" model (a la continuous integration, etc.)
>
> Fundamentally, there are legitimately two competing schools of thought on this (obviously). However, the trend the industry seems to be moving towards is embracing the latter, not the former. We (he says, waving his hands to point around the mailing list) might not be in that camp, but make no mistake, most of the organizations that are operating at scale today *are* the ones embracing it. And that says more about us, as a community, than I think a lot of us would like to admit.
>
> I know it took me a while to come around to admitting to myself that most of what I'd learned over the last 20 years was being tossed out on its ear. How long will it take the rest of us? Who knows?

Ya, that's the whole Agile thing... :)

Then again, Agile and CI do not mean change for change's sake or anti-KISS. Agile and CI are about rolling out needed updates (be it bug fixes or features) quickly and often. The choice of what changes are allowed into production is where the "no change for the sake of change" and KISS philosophies are considered.

Fail forward instead of fail back. Eventually consistent. Things at scale can't do an instant global state change. If there is a problem, live with it until the developers have a new build to push that (hopefully) fixes it.

Doesn't work in my new field... (Medical Device Startup) :) We are trying to change some of the way the FDA views things (especially in the mobile arena), but it is going to take a bit. The FDA documentation requirements pretty much dictate waterfall development.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Fwd: Slack
It is not a Dark Ages issue. It is a ubiquity issue. This mail address has ~10 mailing lists going to it. I fully control this email address (housed on my server in my house). If I had to check on a separate web site for this list, I would drop it. If I needed yet another client to view it, I would also drop it. I don't keep up with ANY web forums, twitter, facebook, etc. I have screen sessions to the #lopsa, #lopsa-lounge, #asterisk and #gluster IRC channels that I glance at every few days when I am bored or need help with something. I just don't have time to be swapping interfaces.

On 07/12/15 13:37, Allan Irving wrote:
> It was just a suggestion - no need for the aggressive reaction. Email is inherently insecure so I don't see how Slack's security comes into it. Slack offers features email never will. Additionally, as opposed to filter rules - you can open Slack when you can be bothered to respond to messages. Without filters you have an inbox full of LOPSA discuss emails.
>
> It was just a suggestion but given the response for outdated technology which is very insecure - it would seem that LOPSA really isn't up to date. Are you really sending sensitive data over a mailing list? Then who's to blame for it as a system administrator? A discussion list has and never should divulge confidential information seeing as this one is indexed by Google.
>
> You can stay in the dark ages but some of us are thinking ahead. Given the responses, it is clear to me that moving on into the modern century is the way forward.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Slack
I am curious... Is the format of this being an email list an issue for you? What is it that you are looking for as requirements for a general (and free) communication means for this group? Or did you just want to post "Hey, this is cool..."?

There is change for need and change for change... In operations your mentality is usually to avoid change for change's sake and KISS.

On 07/12/15 14:00, Allan Irving wrote:
> Personally, for my startup I don't use the free service so the comments regarding the free service are irrelevant. It was just a suggestion. If you want to crap all over me for it, then so be it. However, whatever - I'd say Slack's success speaks for itself. I don't see how mailing lists are any better than Slack. If you do - then good for you.
>
> Such a negative vibe / element of rudeness on this mailing list. Safe to say I won't be renewing my membership as it would appear that easy / archaic solutions are more appealing to the majority here. Most sysadmins move with the times. Slack might not be the solution but many other more advanced solutions are. If you're so bothered about security, use PGP. As you aren't, I don't see how you can talk as such.
>
> Regardless - I was just putting it out there but your rude responses have just lost you a member. As before - all the best.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Slack
Not yet another forum/web messaging. I would only agree if the interface is exactly like email: shows up in my inbox on my home email server and I reply just like I am doing right now.

On Jul 12, 2015, Allan Irving <allanirv...@allanirving.co.uk> wrote:
> Hi all,
>
> How do we feel about trialling Slack instead of discussion lists? I am of the belief that it would be far better and also has more features than email.
>
> http://slack.realm.io is an example of how easy it is for users to sign up - much like Mailman offers a sign up screen.
>
> Allan
Re: [lopsa-discuss] IT roles in the company
I usually see the CIO under the CFO. So, no additional direct reports.

On Jun 9, 2015, Tim Kirby <t...@kirbys.org> wrote:
> The really sad part is that the CEO does not want any more direct reports, so he has an administrative VP who owns IT amongst other things. Thus there is no CIO, no C* representation.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] The future of OpenStack?
Are we talking about OpenStack vs. other cloud management stacks (like CloudStack and the proprietary providers, AWS and the like)? Or are we talking about movement from private clouds to public ones?

On 05/17/15 07:26, Matt Lawrence wrote:
> I've heard from multiple people, who I respect greatly, that OpenStack is going to die off, but I just don't see it. The modern IT infrastructure is heavily populated with products and technologies that were a really bad idea in their original release. So, while I think OpenStack has some serious problems, I think it is going to be around for quite a while.
>
> I would like to hear what a number of other folks who I respect think.

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Resource query...
On 04/08/15 08:10, Craig Constantine wrote:
could you poll for the UUID assigned to the file system on the drives? blkid i think is the command...

I would not trust that. Aside from having to know the UUID up-front, what happens when there is no filesystem? I believe he wants to error out if the drive in slot 0 is missing or not responding without touching any other drives. Problem is that this is machine model specific. You have to know the channel path to slot 0. It will be something like: PCI slot - controller - SAS channel - backplane channel

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] NIce Fraud alert system - American Express
On 02/03/15 16:46, Yves Dorfsman wrote:
On 2015-02-03 16:46, Edward Ned Harvey (lopser) wrote:
surprisingly good. I like to use BioWallet as an example - you use your finger to sign the screen of your phone to unlock a secure wallet. If I hand my phone to someone and tell them my password, they can't get in.
Because of google authenticator etc... access to my phone is too important to use my finger (and I encrypt it):
- I cannot forget my finger; with a password I can choose to go to jail or remember my password
- my passwords will die with me. If you kill me, you won't get my password; my fingers... on the other hand!

He is not talking about fingerprints. He is talking about signing using your finger like a pen. (phone/tablet interface) Sure, someone cuts off your finger after you are dead... Let's see them try to copy your signing behavior without a video or having watched you sign. Behavior based biometrics are very interesting. Authentication by being you. :)

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Help with gmail technical problem
On 01/28/15 12:19, Graham Dunn wrote:
Just like to add that if anyone knows a senior member of the LDS church in the UK with the same name as me, tell him that BMW has been suggesting his wife upgrade her car, the swim team fundraising has been going well, and that his son’s loan for university housing seems to be going through. Oh, and that @googlemail.com is the same as @gmail.com.

Oh, and his lab work came in. He tested positive for ... and should see his doctor... :P

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Certificate confusion - Summary
On 10/10/14 20:51, Charles Polisher wrote:
Not to keep beating a dead horse, but here's a related thing that puzzles me. I wonder if anyone else gets a different result. I've got 2 very different certs claiming to be the Google Internet Authority G2. Same subject, same auth key ID, same subject key id, same public key. Different certs. Huh? I'm sure if there's a simple explanation someone here knows it.

pki.google.com:
    Serial Number: 146038 (0x23a76)
    X509v3 CRL Distribution Points: URI:http://g.symcb.com/crls/gtglobal.crl
    Authority Information Access: OCSP - URI:http://g.symcd.com
    Validity
        Not Before: Apr 5 15:15:55 2013 GMT
        Not After : Apr 4 15:15:55 2015 GMT

drive.google.com:
    Serial Number: 146025 (0x23a69)
    X509v3 CRL Distribution Points: URI:http://crl.geotrust.com/crls/gtglobal.crl
    Authority Information Access: OCSP - URI:http://gtglobal-ocsp.geotrust.com
    Validity
        Not Before: Apr 5 15:15:55 2013 GMT
        Not After : Dec 31 23:59:59 2016 GMT

Looks like the issuer of the original G2 cert (GeoTrust) has been bought by Symantec. Also looks like Symantec limits to a 2 year life span. (GeoTrust was 3 year cert.) BTW, both drive.google.com and pki.google.com have the same G2 cert now. (the Symantec version)

In the future, you can run the following command and see if the old G2 cert (serial 23A69) is added to the old GeoTrust Certificate Revocation List (CRL).

    $ curl -s http://crl.geotrust.com/crls/gtglobal.crl | openssl crl -inform DER -text -noout
    Certificate Revocation List (CRL):
            Version 1 (0x0)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
            Last Update: Oct 11 06:43:00 2014 GMT
            Next Update: Oct 21 06:43:00 2014 GMT
    Revoked Certificates:
        Serial Number: 0234BA
            Revocation Date: Oct 11 14:19:52 2003 GMT
        Serial Number: 0235F8
            Revocation Date: Aug 9 14:05:49 2006 GMT
        Serial Number: 02345D
            Revocation Date: May 22 08:08:43 2002 GMT
        Serial Number: 02345C
            Revocation Date: May 22 08:09:00 2002 GMT
        Serial Number: 023559
            Revocation Date: Jul 22 12:59:26 2005 GMT
        Serial Number: 02366B
            Revocation Date: Jul 11 05:50:50 2007 GMT
        Serial Number: 02345A
            Revocation Date: May 21 13:48:04 2002 GMT
        Signature Algorithm: sha1WithRSAEncryption
             7d:fd:d7:40:2a:cb:90:89:53:1f:77:42:ec:f2:3e:7e:3b:ec:
             ee:8e:e8:fa:36:2b:a4:07:db:5b:8d:c3:41:ca:fc:98:e8:63:
             da:4c:86:7d:91:76:a6:0a:aa:47:ab:26:0d:af:aa:00:ec:d2:
             62:78:72:6c:60:d9:4d:82:5d:cd:98:2f:df:05:c6:e4:19:56:
             60:42:e1:38:a7:ae:cb:f1:05:37:76:a4:69:04:1a:43:66:71:
             fc:6e:23:84:c2:73:20:3c:ad:db:f6:e2:a5:41:ca:87:e8:70:
             df:57:4e:ce:73:20:b7:a9:87:62:5c:36:49:42:7e:ec:f7:17:
             a7:ab:21:67:68:d8:5b:96:85:7a:39:35:a7:4c:fc:9a:9a:ce:
             e5:77:36:d3:16:9f:18:20:60:85:26:20:fb:4e:ed:07:61:8e:
             7d:68:c1:f0:bc:84:c0:8a:ce:f8:88:5d:9e:73:68:4b:55:50:
             11:0f:3a:5d:4a:f2:39:5a:3e:f9:4b:04:0d:cb:43:36:8c:3d:
             ee:c1:56:53:95:3d:03:b2:92:1b:13:52:7c:7b:cd:00:c3:56:
             1a:e3:f8:03:de:41:bf:97:22:b1:90:a8:ee:18:ec:37:6e:74:
             bf:47:a7:c4:e8:06:22:3f:a6:b8:f5:e9:43:2c:88:99:69:c3:
             ab:a0:c0:dc

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
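The check described in that reply, done without grepping openssl's text output: the following is an added example (not code from the thread) that walks the DER structure of a CertificateList and pulls out the revoked serial numbers, so a script can ask "is serial 0x23A69 on this CRL?" directly against the downloaded .crl bytes. Because it has to run offline, it also builds a sample CRL with the same shape as the GeoTrust one above (version 1, no extensions). The three serials in the sample are copied from that output; the issuer name "Example CRL Issuer" and the signature bytes are made up, and nothing here verifies the signature, so a real deployment still needs `openssl crl -CAfile ... -verify` or equivalent before trusting the list.

```python
# Added example, not code from the original thread: a minimal DER walker that
# lists the serial numbers on an X.509 CRL.  The sample CRL is hand-built in
# the same shape as the GeoTrust v1 CRL shown above; its serials are copied
# from that output, the issuer name and signature bytes are constructed, and
# the signature is never verified.
import datetime

def der(tag, content):
    """Encode one DER TLV: tag byte, definite length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_int(n):
    """Non-negative INTEGER, minimal two's-complement bytes (adds 0x00 if the high bit is set)."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

# AlgorithmIdentifier for sha1WithRSAEncryption (OID 1.2.840.113549.1.1.5) with NULL params
SHA1_RSA = der_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05", b"\x05\x00")

def build_sample_crl(revoked, this_update=datetime.datetime(2014, 10, 11, 6, 43),
                     next_update=datetime.datetime(2014, 10, 21, 6, 43)):
    """Build a v1 CertificateList; revoked = [(serial, revocation datetime), ...]."""
    # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName (2.5.4.3), PrintableString } } }
    issuer = der_seq(der(0x31, der_seq(b"\x06\x03\x55\x04\x03", der(0x13, b"Example CRL Issuer"))))
    fields = [SHA1_RSA, issuer, der_utctime(this_update), der_utctime(next_update)]
    if revoked:   # RFC 5280: revokedCertificates is omitted, not empty, when nothing is revoked
        fields.append(der_seq(b"".join(der_seq(der_int(s), der_utctime(d)) for s, d in revoked)))
    dummy_signature = der(0x03, b"\x00" + b"\x7d" * 16)   # BIT STRING, never verified here
    return der_seq(der_seq(*fields), SHA1_RSA, dummy_signature)

def parse_tlv(buf, off=0):
    """Decode the TLV at buf[off:] (single-byte tags); return (tag, content, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

def children(content):
    """Split a constructed value into its list of (tag, content) members."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = parse_tlv(content, off)
        out.append((tag, body))
    return out

def revoked_serials(crl_der):
    """Return the set of serial numbers listed in a DER-encoded CertificateList."""
    tag, cert_list, _ = parse_tlv(crl_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; was a PEM file passed in?")
    fields = children(children(cert_list)[0][1])           # members of TBSCertList
    i = 1 if fields[0][0] == 0x02 else 0                   # optional version (INTEGER 1 for v2)
    i += 3                                                 # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):   # optional nextUpdate (UTC/GeneralizedTime)
        i += 1
    if i >= len(fields) or fields[i][0] != 0x30:           # no revokedCertificates: empty CRL
        return set()
    serials = set()
    for _, entry in children(fields[i][1]):
        _, serial_bytes = children(entry)[0]               # userCertificate INTEGER
        serials.add(int.from_bytes(serial_bytes, "big", signed=True))
    return serials

def is_revoked(crl_der, serial):
    return serial in revoked_serials(crl_der)

# Constructed CRL carrying three of the serials shown in the thread's output
SAMPLE_CRL = build_sample_crl([
    (0x0234BA, datetime.datetime(2003, 10, 11, 14, 19, 52)),
    (0x0235F8, datetime.datetime(2006, 8, 9, 14, 5, 49)),
    (0x02345D, datetime.datetime(2002, 5, 22, 8, 8, 43)),
])

if __name__ == "__main__":
    print("old G2 cert 0x23A69 revoked:", is_revoked(SAMPLE_CRL, 0x23A69))   # False
```

Against the real list, fetch it with the curl command above into a file and call `is_revoked(open("gtglobal.crl", "rb").read(), 0x23A69)`. The walker deliberately indexes TBSCertList by position rather than by searching for a SEQUENCE, because a v2 CRL with extensions carries another SEQUENCE inside the `[0]` crlExtensions wrapper that must not be mistaken for the revoked list.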
Re: [lopsa-discuss] Certificate confusion
That is the way SSL proxies work. You tell the browser to go to https://www.example.com/ and it expects the received certificate to be either www.example.com or *.example.com and signed by a CA that it has in its trusted CA repository. So, there are only two possibilities...

1) allow the encrypted stream untouched
2) the proxy needs to intercept the connection, establish its own connection to the server, then act as the server to the client.

To act as the server, it has to have the server certificate and the private key. The server certificate that it presents to the client must be signed by a CA trusted by the client and the public key in the certificate must be the counterpart of the private key that the proxy has access to.

    Server (public CA) -- proxy
    proxy (private CA) -- client

Because you are presenting certificates to the client for servers that you don't know beforehand, the proxy must have the CA private key to sign the certificates on the fly. The private CA certificate must be installed in all clients to be trusted. And it must have the CA:true constraint.

In the windows world, you can push out a private CA certificate with a GPO in Active Directory. Most others, you would have an internal website that allowed the download and install of the CA certificate. The certificate download should be in DER format. Most browsers will auto install with these headers:

    Content-Type: application/x-x509-ca-cert; name=private-ca.crt;
    Content-Disposition: attachment; filename=private-ca.crt;

Windows: Download and run. Windows will identify it as a root CA certificate and open the certificate dialog. Click on the Install Cert button.
Firefox: Firefox will automatically recognize it as a certificate and start the import.
Chrome: On Linux you must download and follow these instructions: http://code.google.com/p/chromium/wiki/LinuxCertManagement
Safari: Download and run. MacOS will identify it as a root CA certificate and ask if you want to install it.

I had a lab at Symantec that my team and I created to dynamically bring up development environments with dynamic URLs to access. I had scripts that would auto generate a CSR and POST it to a web service that blindly signed any CSR given to it. It was a quick and dirty solution and tiny CGI script. :)

You can't use a wildcard certificate because the * only accounts for one level. *.example.com matches www.example.com and blah.example.com, but not www.blah.example.com. Of course that restriction is up to the client implementation. But, that is one issue I had run into in the past.

On 10/09/14 16:46, Ski Kacoroski wrote:
Hi, I need someone with more certificate-fu than I have. I have an iBoss web filtering device that sits in between our internal users and the internet. We are trying to set it up to also filter https web pages which means it has to decrypt the connection to see what is going on. They are claiming that we have to use a self-signed cert on their device instead of our wildcard *.nsd.org cert and then install the public key on all the browsers of our internal machines which, as you can imagine, is not something we want to do or maintain. I have 6500+ macs, 3000 chromebooks, 2000 ipads, 1000 windows, and several hundred other things such as kindles, etc. In addition, several of these have multiple browsers. I appreciate any comments or ideas why we cannot get our wildcard cert to work (it works with everything else except for an old Oracle application server where I had to get a machine specific cert). Their description is:
* The certificate needed to do the decryption must be trusted by the browser to sign ALL domains.
* GoDaddy and other Certificate Authorities (CA) will not sign a certificate for use with domains other than your own. So… The certificate must be self-signed with no verification path back to a trusted CA.
* The *.nsd.org certificate you have will work to access the iboss UI, block or login pages.

Follow up email states:
The first 2 bullet points from yesterday are important to understand. There is no possibility of getting a CA certificate from anyone that is trusted by the browsers. As far as we have seen it takes a CA cert to be fully functional for intercepting HTTPS traffic and re-sign so that the browser will accept it. This means using a self-signed cert. To stress the point, imagine what damage you could do with a certificate that allowed you to pose as Google without the browser alerting the user. I can’t answer why we have had the limited success with decrypting using the *.nsd.org or how far we can push it. In a couple cases we were able to get everything working unless Chrome was used. In another case IE seemed to be the biggest problem. They each perform validity checks of their own design.

Technically, the cert you have should not be accepted to sign anything. That is not a feature of the cert (CA:FALSE).
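The "one level only" wildcard rule from the reply above, written out as code so the coverage of a *.nsd.org certificate can be checked against a list of hostnames. This is an added example, not code from iBoss or from the thread; it applies the matching rules of RFC 6125 section 6.4.3 as current browsers implement them (wildcard accepted only as the entire left-most label, matching exactly one label, never a pattern as broad as *.com). The host list `SEEN_HOSTS` is constructed for the demonstration.

```python
# Added example, not code from iBoss or the original thread: certificate DNS
# name matching as browsers apply it, to show why one wildcard cert cannot
# stand in for every site an intercepting proxy sees.
def _labels(name):
    return name.lower().rstrip(".").split(".")

def name_matches(cert_name, hostname):
    """True if the DNS name from a certificate covers `hostname`."""
    pattern, host = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return pattern == host                   # plain name: exact, case-insensitive match
    if pattern[0] != "*" or any("*" in lab for lab in pattern[1:]):
        return False                             # w*.example.com or www.*.com: rejected by browsers
    if len(pattern) < 3:
        return False                             # *.com / *.org would cover whole TLDs
    if len(host) != len(pattern):
        return False                             # '*' stands for exactly one label, never several
    return host[1:] == pattern[1:]

def covered_hosts(cert_name, hostnames):
    """Which of the hosts an intercepting proxy sees could this one cert be presented for?"""
    return [h for h in hostnames if name_matches(cert_name, h)]

# Constructed list of hosts a filtering proxy in that district might see
SEEN_HOSTS = ["www.nsd.org", "blah.nsd.org", "www.blah.nsd.org", "nsd.org",
              "WWW.NSD.ORG.", "www.google.com", "accounts.google.com"]

if __name__ == "__main__":
    print("*.nsd.org covers:", covered_hosts("*.nsd.org", SEEN_HOSTS))
    print("every other host needs its own leaf cert, signed on the fly by a CA the clients trust")
```

Everything outside the covered list is exactly the traffic the proxy has to mint certificates for, which is why the device needs a CA certificate (CA:true, private key on the box) rather than any end-entity certificate, wildcard or not.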
Re: [lopsa-discuss] Anything like Linode's LISH out there?
On 10/01/14 13:40, Craig Constantine wrote:
Linode has a “LISH” feature. Basically, you ssh to one of their systems, and it can connect you to the console of your virtual machine (your linode). Anyone know how that actually works under the hood? …does it only work because they’re running VMs? I would really love to be able to dumpster the whole model of JavaApplet--KVM-IP—KVM-dongles . . .

Unfortunately, it is a feature specific to virtual machines. For real servers, you either need to setup serial console capability (vendor dependent BIOS feature) or use a KVM-IP (vendor neutral). I have used PC Weasel in the past, but it looks like they are not around anymore. http://en.wikipedia.org/wiki/PC_Weasel_2000

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Why don't people join Lopsa?
On 08/11/14 11:07, Atom Powers wrote:
Is LOPSA an organization for operators or engineers?

I envision LOPSA to be a place for the two to meet and exchange knowledge. This whole DevOps movement... is not really about automation... It is about making the sysadmins more responsible to the developers and the developers more responsible to the sysadmins, by blurring the lines between the two. It is not about moving a narrow view up or down the stack, but pushing your limits to widen the view to include the whole stack. From volts on the wire all the way up to the business logic running in the JVM. Software can only push to the limits of the hardware and hardware only does what the software tells it to.

You can only automate a system that is already working. The automation has to run on something. If your business requirements say that you need to own the datacenter, then it is you who debugs from a DB corruption down to the bad code, bad data, bad DIMM, or bad IO controller that caused it. A sysadmin/devops has the wherewithal to figure out crap like this: http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html

Also needs to be able to create/extend things like Puppet/Chef, implement an IDM, design DNS and email routing. Create virtual networks in AWS/Rackspace, link them to your corporate network. Configure VLANs in your corporate network. Know when to bridge and when to route. Do security audits to prove that your implementations are secure from outside threats. Understand the outside and inside threats.

So, the sysadmin/devops role has grown to be way more than it used to be (the 1995 version.) It is also larger than a developer is. Automation is just a tool. It does not solve the problems that senior sysadmin/devops people work on. How do you get more IOPS out of your storage system? How do you scale the database? How do you fail over an application that wasn't designed to fail over? Automation just scales the problem and the solution.

It is a glorified photo copier... :P

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] Https - the solution to net neutrality and ISP monopolies
On 07/22/14 14:28, Derek Balling wrote:
But for your hypothetical community site, it's mainly just you, your ISP, your customers' ISP, and your customers that make your site successful, right?

God forbid the /. effect happens... Immediate bankruptcy is foreseen in the future... It's like hosting your web site with DNS from UltraDNS... (pay per query... At least the last time I looked.) Shoestring startup makes an announcement and immediately goes belly up with the bandwidth/query charges...

-- Mr. Flibble King of the Potato People http://www.linkedin.com/in/RobertLanning
Re: [lopsa-discuss] rackstuds?
For your first concern, check out http://rackstuds.com/support/certification/ 343lb shear strength per stud.

For your second concern, it will be an issue. Though the newer rails I have dealt with are clip-in. The screw-in did not have flanges on the bezels, but I have been lucky with what I have been buying. :)

I would love to use these! :) But my current position does not have racks (all AWS). So, I could only use them at home.

On 01/14/14 12:37, Brodie, Kent wrote:
I haven't used these, but I do have a few observations, based on viewing what the stud things look like. First off: how freaking awesome. For most cases, this is a sysadmin WIN. I need to go get me some.

Caveats: My first concern is how well these stand up for *HEAVY* equipment. Yeah, we deal with a lot of 1u/2u things these days, but occasionally we need to load a 100+ pound BEAST. Not sure how strong these are? (I assume this info is in their product data sheet somewhere?)

My second concern is how this works for equipment that has front panels/bezels. In many cases, the manufacturer of the rackmounted thing assumes that all that sticks out the front of the rack side is at most 1/8 inch or so for the screw head. These things stick out a lot, and COULD possibly get in the way of certain covers/bezels.

Those concerns aside, I'm still gonna get some when they're available.
Re: [lopsa-discuss] Apache server issues
Try looking into TIME_WAIT tuning.

/etc/sysctl.conf:

    # TIME_WAIT tuning
    net.ipv4.tcp_tw_reuse = 1
    # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_fin_timeout = 1
    net.ipv4.tcp_syncookies = 1

Then sysctl -p

On 12.20.2013 09:24, Chris Ski Kacoroski wrote:
Hi, I have put an apache server in front of my primary webserver as a proxy in preparing to move to a new webserver. In testing it worked fine, but under load (we have snow today and everyone is hitting the website to see if school is open), I am getting all kinds of timeout errors and service not available pages. In server-status on the proxy, it does not look like it is loaded:

    Server load: 0.40 0.27 0.23
    Total accesses: 99516 - Total Traffic: 2.6 GB
    CPU Usage: u4.35 s3.08 cu0 cs0 - .382% CPU load
    51.1 requests/sec - 1.4 MB/second - 27.4 kB/request
    91 requests currently being processed, 59 idle workers
    _KK_KK_KK_KC_K_KKC__ KKK_KK_KK___KKCC K_KKW_..

Errors are:

    (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 10.1.3.100:80 (webold.nsd.org) failed
    AH01114: HTTP: failed to make connection to backend:
    AH00959: ap_proxy_connect_backend disabling worker for (webold.nsd.org) for 0s

Config is:

    <VirtualHost *:80>
        ServerAdmin ckacoro...@nsd.org
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/errormap.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        #LogLevel warn rewrite:trace2
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/accessmap.log combined

        # rewrite rules for variables after the url, e.g. after the ?
        RewriteEngine On
        # For each page we match the query string in RewriteCond and then map
        # it to the new page/server in RewriteRule. This version uses an external
        # file to map key, value pairs. There is one map for each section of
        # schoolcenter.
        RewriteMap scrapbook txt:/etc/apache2/maps/scrapbook
        RewriteMap docmgr txt:/etc/apache2/maps/docmgr
        RewriteMap dept txt:/etc/apache2/maps/dept
        RewriteCond %{HTTP_HOST} .*nsdproxy.*
        RewriteRule ^/server-status.* http://nsdproxy.nsd.org/server-status
        RewriteCond %{HTTP_HOST} .*schoolcenter.*
        RewriteRule ^/(.*) http://www.nsd.org/$1
        RewriteRule ^.*components/scrapbook ${scrapbook:%{QUERY_STRING}|http://webold.nsd.org/%{REQUEST_URI}?%{QUERY_STRING}} [END,NC,QSD]
        RewriteRule ^.*components/docmgr ${docmgr:%{QUERY_STRING}|http://webold.nsd.org/%{REQUEST_URI}?%{QUERY_STRING}} [END,NC,QSD]
        RewriteRule ^.*education/dept ${dept:%{QUERY_STRING}|http://webold.nsd.org/%{REQUEST_URI}?%{QUERY_STRING}} [END,NC,QSD]

        # these map all of / to http://www.nsd.org so they need to be last
        ProxyPass / http://webold.nsd.org/ retry=0 timeout=30
        ProxyPassReverse / http://webold.nsd.org/
    </VirtualHost>

Any help/ideas are appreciated. ski

-- Mr. Flibble King of the Potato People
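Before applying the sysctl tuning suggested above, the check a practitioner wants is whether the proxy is really piling up sockets towards its backend. The following is an added example, not code from the thread: it parses the /proc/net/tcp table format (addresses are hex in kernel byte order, state is a hex code) and counts sockets per state towards one peer, plus how many local ephemeral ports those sockets occupy. The table it reads is constructed to look like a proxy talking to webold (10.1.3.100:80); on a real host pass `open("/proc/net/tcp").read()` instead. The address decoding assumes a little-endian kernel (x86), which is what produces the byte-swapped hex seen in that file.

```python
# Added example, not code from the original thread: count TCP sockets per
# state towards a proxy backend from the /proc/net/tcp format.  The sample
# table is constructed; address decoding assumes a little-endian (x86) kernel.
from collections import Counter
import socket
import struct

TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

def decode_addr(field):
    """'6403010A:0050' as written by a little-endian kernel -> ('10.1.3.100', 80)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def encode_addr(ip, port):
    """Inverse of decode_addr; used only to build the constructed sample table."""
    (word,) = struct.unpack("<I", socket.inet_aton(ip))
    return "%08X:%04X" % (word, port)

def parse_proc_net_tcp(text):
    """Return [(local, remote, state_name), ...] for every row of a /proc/net/tcp dump."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "sl":   # header or blank line
            continue
        state = TCP_STATES.get(int(parts[3], 16), "UNKNOWN")
        rows.append((decode_addr(parts[1]), decode_addr(parts[2]), state))
    return rows

def sockets_by_state(rows, peer):
    """Counter of TCP states for sockets whose remote end is `peer` (ip, port)."""
    return Counter(state for _, remote, state in rows if remote == peer)

def ephemeral_ports_in_use(rows, peer):
    """Distinct local ports bound towards `peer`: this is what exhausts the ephemeral range."""
    return len({local[1] for local, remote, _ in rows if remote == peer})

def build_sample(time_wait=200, established=5, syn_sent=2):
    """Constructed /proc/net/tcp text: a listener plus sockets from 10.0.0.10 to 10.1.3.100:80."""
    backend = encode_addr("10.1.3.100", 80)
    tail = "00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 0 10 -1"
    lines = ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"]
    lines.append("   0: %s %s 0A %s" % (encode_addr("0.0.0.0", 80), encode_addr("0.0.0.0", 0), tail))
    port = 40000
    for count, state in ((time_wait, 0x06), (established, 0x01), (syn_sent, 0x02)):
        for _ in range(count):
            lines.append("%4d: %s %s %02X %s" % (len(lines) - 1, encode_addr("10.0.0.10", port), backend, state, tail))
            port += 1
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    table = parse_proc_net_tcp(build_sample())
    backend = ("10.1.3.100", 80)
    print(sockets_by_state(table, backend))
    print("local ports held towards backend:", ephemeral_ports_in_use(table, backend))
```

If TIME_WAIT towards the backend is in the tens of thousands and the held ports approach the size of `net.ipv4.ip_local_port_range`, the connect timeouts are port exhaustion and `tcp_tw_reuse` (with keepalive to the backend, so connections are reused instead of churned) is the right fix; if the counts are small, the backend itself is slow to accept and no sysctl on the proxy will help.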
Re: [lopsa-discuss] Face-to-face exchange of contact information?
On 10/07/13 09:10, Jan Schaumann wrote:
Twitter handle, preferably printed on your badge.

I don't have a Twitter account. I also don't have a Facebook account. Business cards are my thing... :) It is the quickest, simplest and the least common denominator.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Ok, I am stumped - Perl script running under cron problem - SOLVED
On 10/03/13 21:42, Paul Graydon wrote:
Wow.. why would they do that?

It is quite common for commands that were originally designed as a human interactive CLI. They automatically become more verbose when they think someone is watching. (i.e. when it has a TTY) You really have to watch out for differences caused by the LANG variable. Sometimes I have to manually put LANG=C at the top of my scripts to have them work consistently.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Can anyone recommend a very trustworthy PC person in Philadelphia?
On 08/17/13 12:11, Betsy Schwartz wrote:
cracking up. Do you have 80-something parents? If so have you ever tried to get them to do *anything* they didn't want to do? Long-distance? I am still working on getting mom to consider just trying AOL or Gmail or Facebook chat. Just once. She's extremely hard of hearing and the phone doesn't play nice with her hearing aid. I haven't managed *that* task in five years. Switching from Word Perfect : NEVER. GONNA. HAPPEN. EVER. Probably I should go find a small-business list and ask there instead of asking on a unix list :-)

Heh... My mom is ok with Word on Windows 7. Move to anything else would confuse the hell out of her. It would be years of weekly phone calls, if not daily. She is currently self sufficient, except for issues that even I can't help remotely. And she is only 67.

Her mom, on the other hand, does not own a computer. She writes letters by hand in cursive (that long lost art...) There is no way I would be able to get her on a computer at all. If she ever writes her memoirs, it will most likely be on a manual typewriter. And she is 90.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Can anyone recommend a very trustworthy PC person in Philadelphia?
On 08/17/13 13:39, Zack Williams wrote:
On Aug 17, 2013, at 12:38 PM, Robert Hajime Lanning lann...@lanning.cc wrote:
If she ever writes her memoirs, it will most likely be on a manual typewriter.
Ah, she'll need one of these then: http://www.usbtypewriter.com

That is really cool. I might have to do that for myself... :) How do you enter the difference between a linefeed and a carriage return? Your normal keyboards don't have a \n vs. \c, while the old typewriters did (carriage return lever was multi functioned.) Though, with my grandma, I might have to do repairs for the correction ribbon marks... (what delete key?) :P

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] What's your favourite home-office all-in-one printer
On 08/06/13 12:03, Yves Dorfsman wrote:
On 2013-08-06 12:45, Matthew Barr wrote:
We print fairly infrequently, but every time I've seen an inkjet that's used that little, it's always dried out.
I'm wondering the same thing, I can go months without using colour...

I ended up with a laser printer (Canon imageCLASS D480). I print *maybe* once a year. In fact, this printer was sitting in my diningroom, unopened, for about 13 months, before I finally set it up. I was finding it cheaper to buy a whole new printer (@ $25) than to buy new ink, so I went laser. No need to buy new toner until you run out.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Mark Burgess quote from April 2013 ;login:
On 07/03/13 15:37, Joseph Kern wrote:
I guess we could start by asking something like this: What is a System Administrator not responsible for? and working backwards.

It depends...

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Great Interview Questions
On 05/07/13 09:15, Michael Tiernan wrote:
What is the UDP three way handshake? He said he was wondering how many people would catch the question's trick.

You send three UDP packets in three different directions, then shake the hand of the person next to you.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Relentless renewal notices
On 03/29/13 14:28, Matt Lawrence wrote:
On Fri, 29 Mar 2013, Moose Finklestein wrote:
Have you checked your palm to see if your crystal is blinking? Perhaps it is your time for Carousel! RENEW! RENEW!
That should be: Renew, renew, ok. Youngsters these days

There is no sanctuary...

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Attack of the ATVs - (advanced volatile threats) ....
On 02/26/13 12:08, Graham Dunn wrote:
So sneaky, even their acronym is unexpected.

I wonder if it has the same background as UTC... :)

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Syslog protocols: which are people using?
On 01/26/13 16:08, David Lang wrote:
GELF2 I have not heard of before

Graylog Extended Log Format v2

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] 2 factor authentication
On 01/16/13 04:44, James R Grinter wrote:
On 11/01/2013 22:57, Robert Hajime Lanning wrote:
RSA soft token generates the code using the serial number/PIN/time as input. Always gives you a code.
not quite, with the ones I've used anyway. The user's PIN is only entered as input for the login password, along with the random value generated by the token (real, or soft. Actually, RSA did used to have a token model where the PIN was keyed into the token, and hashed to form a response, but it still didn't confirm the PIN: it merely avoided it being sent in plain text across an unsecured network connection.)

Maybe RSA has both types. I implemented RSA at Seagate about 10 years ago. We used hard tokens only. A few years ago, they switched to soft tokens (cost benefit). A friend of mine, who still works there, showed me the new soft token. He entered his pin and it generated the code.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] 2 factor authentication
On 01/11/13 11:07, Josh Smift wrote:
How different is the Symantec solution from SSH with a key with a passphrase? Not that there's anything wrong with SSH with a key with a passphrase; but if that's good enough, what do you get by adding Symantec?

Key can be copied. So, it does not really meet the something you have aspect. The biggest issue with the key with passphrase is that you have zero ability to enforce the passphrase strength or even if it exists.

Soft tokens (any type) can be copied, dependent on the platform it is running on. Easiest is a system backup/restore. Otherwise picking the right files to copy. (in the right files ssh key is a single well known file, as for Symantec or RSA soft tokens, not sure which files, but it can be known)

With Symantec, it is an additional step, so you still have a service passphrase, if implemented. With RSA, you enter the knowledge part (PIN) to the soft token and it is used with the serial number and time, to generate the code. Both the user and the RSA server must know the PIN. The serial number is known by the RSA server and the token software.

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] 2 factor authentication
Both RSA and VIP have hard tokens and soft tokens. The difference is that RSA assigns tokens to the company that purchases them. (You get a list of serial numbers to import to your local or hosted RSA server.)

VIP is a hosted service only. A single VIP token (designed to be a soft token, but a hard token can be purchased) is assigned to the person/device by Symantec. The software can be installed, it then negotiates the Credential ID (aka serial number) with the hosted service when first run. There is no way to enter your own ID. Any company that subscribes to the VIP service can validate ANY token. I can take my VIP token (on my smartphone) that I used for my company VPN access and install its Credential ID into my eTrade account and turn on 2 factor for that.

The idea with VIP is closer to a federated login. But the VIP hosted service does not have any login information. Just validates that the code presented to it, matches the Credential ID that is presented in the same request. So, any service that uses VIP as a second authentication method, must provide its own login account to itself.

Down side (and I have had to do this) is if you have to hard reset your device (what ever you have the soft token on), you have to go through all your accounts that use the token and work with the password recovery to clear the old token ID and install the new one.

-- Mr. Flibble King of the Potato People
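The three 2 factor messages above describe two token models: a time-based code on its own (with the PIN supplied separately as part of the login password), and a soft token that takes the PIN as input and "always gives you a code". The following is an added example, not code from RSA, Symantec VIP or the thread: an RFC 4226/6238 HOTP/TOTP generator on the standard library, plus a hypothetical `pin_mixed_totp` that folds the PIN into the key the way the second model is described. It makes the point concrete: the token itself cannot tell a right PIN from a wrong one, it simply emits different digits, so only a server that also knows the registered PIN (and the seed) can reject the attempt. `DEMO_SEED` is constructed; the ASCII key "12345678901234567890" in the tests is the one RFC 6238 publishes its vectors for.

```python
# Added example, not code from RSA, Symantec VIP or the original thread:
# HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, plus a
# hypothetical "PIN folded into the key" soft-token variant and the matching
# server-side check.  DEMO_SEED is a constructed seed for the demonstration.
import hashlib
import hmac
import struct
import time

def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: dynamic truncation of HMAC(key, counter) to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(key, at_time=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP over the number of `step`-second periods since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // step, digits, algo)

def pin_mixed_totp(seed, pin, at_time=None, step=30, digits=6):
    """Hypothetical soft token: key = SHA-256(seed || PIN).  Nothing on the
    token can validate the PIN; a wrong PIN just yields different digits."""
    key = hashlib.sha256(seed + pin.encode("ascii")).digest()
    return totp(key, at_time, step, digits)

def server_verify(seed, registered_pin, presented, at_time, step=30, window=1):
    """Server side: seed and registered PIN are known here, so recompute the code
    for the current period plus/minus `window` periods of clock skew and compare
    in constant time.  A wrong PIN never matches, which is where it is detected."""
    for skew in range(-window, window + 1):
        expected = pin_mixed_totp(seed, registered_pin, at_time + skew * step, step)
        if hmac.compare_digest(expected, presented):
            return True
    return False

# Constructed 16-byte seed standing in for the per-token secret
DEMO_SEED = bytes(range(16))

if __name__ == "__main__":
    now = 1_700_000_000          # fixed timestamp so the run is reproducible
    good = pin_mixed_totp(DEMO_SEED, "1234", now)
    bad = pin_mixed_totp(DEMO_SEED, "0000", now)
    print("right PIN ->", good, "accepted:", server_verify(DEMO_SEED, "1234", good, now))
    print("wrong PIN ->", bad, "accepted:", server_verify(DEMO_SEED, "1234", bad, now))
```

The copy-ability point from the thread applies unchanged here: whoever has `DEMO_SEED` and the PIN, or for plain TOTP just the key, can compute the same codes from any machine, which is exactly what a hardware token is meant to prevent.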
Re: [lopsa-discuss] credmgr - securely manage privileged account credentials via shamir secret sharing
On 06/25/12 16:59, Michael C Tiernan wrote:
How business continuity is maintained across catastrophic events. How, when everything else has hit the fan, can I a trusted admin working in the data center get access into our systems where even the networking is down? There are times that in preparation of bringing up the data center from a dead stop, I need to log into some systems and run fsck's (or other such tasks) before everything else is live.

In those situations, on the console, I just boot with init=/bin/sh. It is way easier than dealing with password secrecy procedures. This includes the fact that the password is still a secret. Passwords? We don't need no stinkin' passwords! :)

Can I, after getting the root password of a system in an emergency, flag a password as exposed but not compromised requiring the password to be changed and re-synced at the next possible opportunity when normal operation has been restored. Is there a way to generate password displays using clear concise (unambiguous) language for reading over the phone or other verbal exchange including, should it be required, printing. (i.e. Password=bwFq display as [bravo][whisky][FOXTROT][golf])

-- Mr. Flibble King of the Potato People
Re: [lopsa-discuss] Maybe I don't get it -Harassment policy
On 05/25/12 13:22, Anton Cohen wrote:
> On Fri, May 25, 2012 at 8:54 AM, rac...@anl.gov wrote:
>> Also, I think the Code-Of-Ethics really covers things.
>
> I pay for LOPSA membership because I believe in the sysadmin profession and I want to support it. I don't actually get any personal value from my membership. If I see my membership money going to lawyers to draft or review policies to cover incidents that haven't happened yet, and for which there are already rules or laws covering, I might not renew my membership.

Ok, I think we need to be clear about the role of the Code of Ethics vs. the role of an Anti-Harassment policy.

The Code of Ethics defines what we, as professionals, strive for as expected conduct. It is not really enforceable, outside of bouncing the perpetrator out of the organization, if we have code somewhere that specifies that to be a member, you MUST follow the Code of Ethics. The code that specifies that you MUST follow the Code of Ethics would be an organizational policy. Since the Code of Ethics doesn't say anywhere what can be done if a violation is found, it alone is not enforceable.

An Anti-Harassment policy could point to the Code of Ethics for expected behavior. It will have to also go on and specify what recourses/escalations are available upon violation. Since a policy contains the recourse/escalations, the review of the final document by legal counsel is, as most agree, necessary, as the actions specified in the recourse/escalations part can cause liability issues.

A quick search on lopsa.org and I find the Etiquette Policy that states that "All LOPSA members are bound by our Code of Ethics", among additional guidelines. And it contains the recourse of "there will be at least one warning issued with possible more strict punitive measures depending on the medium or forum and nature of the infraction." Now this covers, in very broad strokes, what can happen if someone breaks the rules, as long as they are a member of LOPSA. (we get a stern talking to...)

A conference is a whole other matter. There would have to be a policy stated in the registration process on expected behavior and recourse, since there would be non-LOPSA attendees, who never agreed to the LOPSA policies.

Example of legal agreement: (I found humorous)
http://lanning.cc/pub/SYMC-Ped-Agreement.jpg

-- 
Mr. Flibble
King of the Potato People
Re: [lopsa-discuss] Diversity Issues - A Bigger Problem Than Women In Tech
On 12/13/11 07:22, Mark McCullough wrote:
> No, the cool kids are playing Minecraft or Halo Reach, or whatever the latest video game is that month. This is not thirty years ago. I've spoken with too many kids who were clearly in the at least semi-popular class who both participated in sports and showed all the classic signs of long term computer interest.

err... twenty years ago... :)

I have no kids, so yes, I am not really in touch with today's school culture. I do remember at my 10 year reunion (10 years ago) the popular kid owned a few garages. :)

I guess with Apple and console games, tech savvy is getting an in.

-- 
END OF LINE
-MCP
Re: [lopsa-discuss] Diversity Issues - A Bigger Problem Than Women In Tech
On 12/13/11 13:46, Dan Foster wrote:
> That's one way to feel old. :-)
>
> (And let's not even talk about their reactions to the high quality graphics from the Atari 2600 VCS console... :-) "Wow! Man, how did you ever play games with worse than crude stick 2D graphics?" "Lots of imagination, son." The look on kids' face suggested they had just met someone from the stone age. Priceless!)

Ok, quick note on age... My dad and I got a chuckle from the behind the scenes of Super 8. The child actors in that movie had never seen a rotary phone and had to be shown how to use one for the movie.

wow, a phone without a touch screen... :)

now back to the regularly scheduled program

-- 
END OF LINE
-MCP
Re: [lopsa-discuss] Diversity Issues - A Bigger Problem Than Women In Tech
On 12/12/11 20:55, Mark McCullough wrote:
> I find that tech employees are neither particularly loved nor vilified. It's seen by the random person on the street I speak with as a respectable profession. Now, my normal way of explaining my job is "I keep the computers you use to pay your $x bill safe enough to use your credit card." That puts it in terms that they can understand, and the normal reaction from those who have actually gone so far as to ask what I do is far from disinterest. Yes, their eyes glaze over if I go into any more detail, but my eyes glaze over when I talk with an environmental engineer about what he does.
>
> It really isn't at our level that these perceived issues are at.

Damion was talking about teens. Middle/High school the cool kids were working on cars and/or doing sports. The geeks and outcasts would be running D&D or messing with computers.

To get the diversity, you need the applicant pool to be diverse. That does not start at college graduation. It needs to be cool at the middle/high school levels.

What to do about this, is left as an exercise for the reader...

-- 
END OF LINE
-MCP
Re: [lopsa-discuss] BTY: Need Suggestions - For Backing Up Older Versions and Current Op Sys's ...
I know that Acronis' Universal Restore can slipstream new drivers during a bare metal restore. This allows restoring to different hardware/VM. I was a developer (linux appliance side) at a failed startup that OEM'd Acronis Server. Our product was partially based on this capability.

You do still have to reactivate the Windows license, if it is new enough to contain that tech. Which is why one of the owners' ideas of automated failover from physical to virtual (auto restore into VM upon failure detection) just wasn't going to work.

On 10/17/11 12:07, Harvey Rothenberg wrote:
> Thanks Nick! for your suggestion of SystemRescueCd. I will look into this project.
>
> Also thank you for, "... if the hardware dies you'll have a real hard time getting the image you made with dd working on replacement hardware, thus the virtualization suggestion." This is one of the claims that some of the commercial software claims that they handle. Can anyone confirm this capability?

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] Datacenter move post-mortem
On 07/25/11 13:58, Paul Graydon wrote:
> On 07/25/2011 10:28 AM, Derek J. Balling wrote:
>> On Jul 25, 2011, at 1:46 PM, Jonathan Rozes wrote:
>>> After much cursing (much of it at myself for not catching it beforehand), we spent the next two hours yanking it all out, unscrewing all the rails, and putting it all back together correctly. This was a containerized data center too, so only room for two people to perform the work.
>>
>> Unscrewing? Square-hole FTW.
>>
>> D
>
> It's amazing how many of our rails still required screwing into the cab, even as they took advantage of the square holes. I still hate rack-nuts, even though I managed to remove and fit about 10 of them without cutting myself (for once). Thankfully one of the guys I worked with was enthusiastic about doing them, so I left most of them to him.

These are a godsend... :)
http://store.cablesplususa.com/cagenuttool.html

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] Monitoring Sucks!
On 07/22/11 09:44, Paul Graydon wrote:
> On 7/22/2011 2:29 AM, Adam Moskowitz wrote:
>> Paul Graydon wrote:
>>> Hopefully with a good wide spread of interest and talents we could finally get a monitoring tool that doesn't actually suck!
>>
>> And what color pony do you want with that?
>>
>> Seriously, given the incredibly wide range of applications, situations, SLAs, services, constraints, conditions, and requirements, I think the idea that a single tool will solve everyone's problems is, well, nothing short of ludicrous.
>
> By making /everything/ modular and extensible, and having the monitoring platform be a framework which individual components are natively plugged in to, everything from data collection, to presentation, reporting or responding. That's what the proposal seems to boil down to. It's something we're sadly lacking with most monitoring solutions that I've ever seen. It's almost entirely 'their way or the highway', with a few bolt-ons on the side, fudged into place just to get by (with all the unreliability and risk that implies)

Then you end up with HP OpenView... ugh

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] Most simple security policy?
On 07/22/11 14:09, Tracy Reed wrote:
> On Fri, Jul 22, 2011 at 02:03:49PM -0700, Robert Hajime Lanning spake thusly:
>> Not enforceable, unless you use something like a PKCS#11 token, where you have to authenticate to the hard token to get access to your private key.
>
> You can't enforce people not simply giving away their passwords or writing them down in silly places either. The perfect solution is non-existent.

True there is no perfect solution, but at least with PKCS#11 you have a password and the token. Something you have, the token (that can't be duplicated) and something you know, the pass-phrase.

Nice thing about tokens is that you *usually* know when they are missing. Passwords can be copied and you find out after the break-in.

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] 30% Apple
On 02/17/11 16:05, Brad Knowles wrote:
> I'm not aware of any such apps that fall into the category you have described, and I am not sure how they would be impacted. But it is a good question to ask -- I just don't have any answers for you.

I wonder what Amazon will do with their Kindle app.

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] 30% Apple
On 02/17/11 16:21, Paul Graydon wrote:
> On 02/17/2011 02:17 PM, Robert Hajime Lanning wrote:
>> I wonder what Amazon will do with their Kindle app.
>
> The BBC has an iPlayer app that they were going to allow international people to use for an annual fee, I guess they'll price it to take that 30% hit without impacting profits and enjoy a much nicer profit margin on the planned Android apps.

ya, but with Amazon, they already have a set pricing structure that everyone is used to, that did not include a 30% take by a side distribution channel. And by side I mean, the content is not distributed by Apple. Just the app. So, all future purchases via the app take the 30% hit, with apple no longer having anything to do with it. Distribution is handled by Amazon itself along with the cell carrier.

With the apps (android/i*/whatever) the carrier is paid by the consumer. With the hardware Kindle, it is paid by Amazon.

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] Why Do Linux Admins Seem To Be So Much More Involved in the Community?
http://en.wikipedia.org/wiki/Somebody_Else's_Problem

In all the positions I have been at, I would be reprimanded if a service that I am responsible for was down and all I did was say it's their problem. It's a bug in their code, for sure, but meanwhile my SLA goes to crap, the business comes to a halt, all the while I wait the possible months for them to fix it (especially if I am not a BIG customer.)

I have to work the problem. I have to find a work around. This is part of managing the service and its requisite systems.

On 01/27/11 16:54, Michael Ryder wrote:
> My boss wants me managing systems, not debugging code that's written by someone we already paid for the product or service. As much as I desire to be able to fix a problem, it's someone else's responsibility to fix their own code. Provide the original programmers with error codes, log files and any other diagnostic information they need to solve the problem.
>
> Unless I am trying to automate or streamline an administrative task, why should I spend my time fixing someone else's problem?

-- 
END OF LINE
--MCP
Re: [lopsa-discuss] Embracing the LOPSA name
GREP BOB

:)

-- 
END OF LINE
--MCP

Charles Jones charles.r.jo...@gmail.com wrote:
> On Tue, Jan 11, 2011 at 7:02 PM, Robert Novak rno...@indyramp.com wrote:
>> On Tue, Jan 11, 2011 at 1:46 PM, Charles Jones charles.r.jo...@gmail.com wrote:
>>> The real fun comes in explaining my license plate, which is IM ROOT. Other
>>
>> Also fun is explaining to people who are unaware of who Cisco is. They usually think it is Sysco, which is a food service distributor :)
>>
>> I'd like to see a network admin with PANCHO as the license plate. Would probably have to be one older than me, as I got in to that rather late.
>>
>> Best geek plate I've ever seen though, I think, was OMEGA MU. I almost fell in the street when it hit me (figuratively speaking of course).
>
> My first choice was UID 0 but that was taken :)
Re: [lopsa-discuss] Awakening the activist wing of LOPSA?
On 01/06/11 06:39, Yves Dorfsman wrote:
> The first definition from http://www.dictionary.com for league is: "a covenant or compact made between persons, parties, states, etc., for the promotion or maintenance of common interests or for mutual assistance or service." That sounds a lot like what we are trying to do!
>
> Often people who have never heard of something feel the need to make a comment or a judgement on what they can, so at first, just the name... Once we're known for what we do, I bet you nobody will care about the name. This is the first time I hear this argument in 5 years. I'd just stick to it, and move on with the important issues. As mentioned earlier, to me the important issues are:
>
> 1) build content (best practices, list or reviewed/approved resources, job descriptions / levels etc...)
> 2) PR work, start commenting on what is going on, sending press releases to the media (we need to arrive to consensus first, I believe # 1 will get us there).

Yes, but...

For most people, the first thing that comes to mind is bowling league. So, we have an uphill battle, just because of our name choice.

-- 
END OF LINE
--MCP