Forwarding unwilling network programs (was: Evolution and Exchange ...)

2004-09-25 Thread bscott
On Sat, 25 Sep 2004, at 5:22am, [EMAIL PROTECTED] wrote:
> Little easier than mucking with iptables and less parts to break.

  Another interesting hack is the "dynamic port forwarding" feature of
OpenSSH's ssh(1) program (the "-D" switch).  For example:

ssh -D 1080 server.example.com

That opens the usual SSH session to server.example.com, but it also puts a
SOCKS4 server listening on port 1080 on the local (client) system.  Now any
clients using that SOCKS server will be dynamically forwarded so they appear
to be originating from server.example.com instead.

  If you have a SOCKS aware application (such as Mozilla), you can just tell
it to use localhost:1080.

  For non-SOCKS aware programs (most of them), you can use a dynamic library 
preload to intercept normal sockets calls and turn them into SOCKS.  The 
dante package (a full SOCKS implementation) includes a "socksify" script 
which can do this automatically on a one-by-one basis.  For example,

socksify evolution

might work.  Combine that with the SSH dynamic port forwarding described
above, and Evolution will behave as if it is running on your remote SSH
server.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss

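The SOCKS4 exchange a client performs against the listener that "ssh -D 1080" opens, as an added example (not code from the original post or from OpenSSH): it builds the CONNECT request, using the SOCKS4a form for a hostname so the name is resolved on the SSH server side instead of by the client's own resolver (assuming the listener accepts SOCKS4a), decodes the 8-byte reply, and includes a constructed stand-in listener so the handshake can be exercised offline. The host intranet.example.com in the usage stanza is a placeholder.

```python
"""SOCKS4/4a CONNECT client for the listener that 'ssh -D 1080 host' opens."""
import socket
import struct
import threading

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_CODES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: cannot reach client's identd",
    93: "rejected: identd reports a different user",
}


def build_connect_request(dest_host: str, dest_port: int, userid: str = "") -> bytes:
    """Encode a SOCKS4 CONNECT; a hostname (not dotted quad) becomes SOCKS4a."""
    if not 0 < dest_port < 65536:
        raise ValueError("port out of range")
    header = struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dest_port)
    user = userid.encode("ascii") + b"\x00"          # USERID, NUL-terminated
    try:
        return header + socket.inet_aton(dest_host) + user
    except OSError:
        pass
    # SOCKS4a: DSTIP 0.0.0.x (x != 0) tells the proxy that the target name follows
    # the USERID, so DNS resolution happens on the SSH server, not on the client.
    return header + b"\x00\x00\x00\x01" + user + dest_host.encode("idna") + b"\x00"


def parse_reply(data: bytes) -> tuple:
    """Decode the 8-byte SOCKS4 reply: VN(0) CD DSTPORT DSTIP."""
    if len(data) != 8:
        raise ValueError("SOCKS4 reply must be 8 bytes")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return cd == 90, REPLY_CODES.get(cd, f"unknown reply code {cd}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def connect_via_socks4(dest_host, dest_port, proxy=("127.0.0.1", 1080), timeout=10.0):
    """Return a socket to dest through the SOCKS4 listener, or raise ConnectionError."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(dest_host, dest_port))
        granted, msg = parse_reply(_recv_exact(sock, 8))
        if not granted:
            raise ConnectionError(
                f"SOCKS4 CONNECT to {dest_host}:{dest_port} failed: {msg}")
    except Exception:
        sock.close()
        raise
    return sock


def serve_one_socks4_reply(grant: bool) -> int:
    """Constructed stand-in for the ssh -D listener: answers one CONNECT.

    Binds an ephemeral loopback port and returns it; the reply is 90 (granted)
    or 91 (rejected), with DSTPORT/DSTIP zeroed as ssh itself does.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(512)
            assert req[:2] == bytes([SOCKS_VERSION, CMD_CONNECT])
            conn.sendall(struct.pack("!BBH4s", 0, 90 if grant else 91, 0, b"\x00" * 4))
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Assumes 'ssh -D 1080 server.example.com' is running; intranet.example.com
    # is a placeholder for a host reachable only from that server.
    s = connect_via_socks4("intranet.example.com", 80)
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: intranet.example.com\r\n\r\n")
    print(s.recv(4096).decode(errors="replace"))
    s.close()
```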

Re: Re-installing W98 without endangering the Linux partitions?

2004-09-25 Thread bscott
On Wed, 22 Sep 2004, at 6:11pm, [EMAIL PROTECTED] wrote:
> Ben Scott said "me too" and then proceeded to tell us details far beyond
> the scope of the question in a language that uses only English words, but
> which isn't English.

  Heh.  :)  Seriously, if anyone has questions about what a particular
detail means, feel free to ask.  I can explain what stuff means; it's just
that doing so every time is extremely time consuming, and tends to confuse
things even more than they already were... :)

> If somebody has one of those it might be fun to see if theres a WIN98
> directory at root level ...

  FYI, the "other" location one will commonly find all the Windoze
installables in is

C:\WINDOWS\OPTIONS\CABS

> (my usual root and /boot are on hdd, which makes rerunning grub harder
> than for most folks)

  It shouldn't really make that big a diff.  Say your system's bootable
hard disk is hda, and your Linux boot partition is hdd1.  You should be able
to boot a GRUB floppy and then run these GRUB commands

root (hd3,0)
setup (hd0)

to install GRUB.

>   Everything was now back to normal.

  Or, at least, the way it was before.  ;-)


Re: Good International Domain Registrars?

2004-09-23 Thread bscott
On Wed, 22 Sep 2004, at 10:45pm, [EMAIL PROTECTED] wrote:
> I'm looking for recommendations for a "good" domain registrar who can
> handle international registrations.

  Technically speaking, each country is responsible for operating or
appointing their own registry for their ccTLD.  You can find the list of
ccTLD delegations (from the root zone) here, complete with links to the
registry for each:

http://www.iana.org/cctld/cctld-whois.htm

  So, for example, if I wanted to register a domain in .UK, I would click on
the ".uk -- United Kingdom" hyperlink, which takes me to a page that points
me to http://www.nic.uk/ for registration services.

  Now, some countries consider their ccTLD to be a resource that can be
exported, and will enter into agreements with other companies to resell
registrations in their ccTLD.  The .cc and .tv domains are famous for this.  
That is done strictly on a country-by-country basis, however.  There is no
global authority or system which administers registrations across ccTLDs, as
there are with gTLDs.

  So, in all honesty, I don't think what you're looking for exists, period,
because countries are under no obligation to offer registrations in their
ccTLD via any particular method.

Glossary


ICANN = Internet Corporation for Assigned Names and Numbers
IANA = Internet Assigned Numbers Authority
TLD = Top Level Domain
ccTLD = Country-Code TLD (.US, .UK, .CC, etc.)
gTLD = Global/Generic TLD (.COM, .ORG, .NET, etc.)
registry = organization that operates a TLD
registrar = organization that accepts domain registrations for gTLDs
registrant = owner of a domain name (you)

  For gTLDs, registrants submit registrations to their registrar of choice.  
Registrars act as a middle-man.  Registrars submit your registration to the
gTLD registry, which operates the nameservers for a TLD.  This process is
formally administered by ICANN.

  For ccTLDs, it is up to each country's registry to decide how they want to
do things.


Re: Sun "sells" Open Office to Microsoft?

2004-09-20 Thread bscott

  Coming into this a bit late, but knowledge seems to be a bit scarce around
this thread, so:

On Wed, 15 Sep 2004, at 12:08pm, [EMAIL PROTECTED] wrote:
>  http://www.linuxelectrons.com/article.php/20040914141417417

  Ho-hum.  IANAL, but I'm pretty sure that agreement (the referenced
document in the SEC filing) is part of the Sun/Microsoft Java settlement.  
The Sun/MS Java fight makes the IBM/SCO thing look like a school-yard
shoving match.  After something close to a decade of litigation, both sides
have finally agreed to stop suing each other for everything imaginable.  
This agreement appears to be part of that.

  The bits about Open Office (Section IV) appear to be a statement that
while Microsoft agrees not to sue Sun over Open Office, Microsoft reserves
the right to sue anybody else over Open Office.  So no change.  Again,
ho-hum.

  The discussion elsewhere about "Open Office" vs "OpenOffice.org" is a red
herring; this document references OpenOffice.org implicitly ("generally
known").  The reason OpenOffice.org insists on OpenOffice.org is that some
*other* company already had a claim to the mark "OpenOffice".  Or so OO.org
has been claiming for years:

http://www.openoffice.org/FAQs/faq-other.html#6

  You can read each side's propaganda about the Sun/MSFT Java fight on their
web sites:

http://www.sun.com/lawsuit/

http://www.microsoft.com/mscorp/java/

  Yes, the 1 April 2004 date is legitimate, and not a joke.


Re: Re-installing W98 without endangering the Linux partitions?

2004-09-20 Thread bscott
On Sat, 18 Sep 2004, at 4:36pm, [EMAIL PROTECTED] wrote:
> But I'm looking for tips, war stories, and warnings as to what to say to
> W98 install to minimize the likelihood of having to restore the Linux
> partitions.

  As others have noted, this is not really that big a problem.  Most
versions and flavors of Windows will be quite agreeable to installing on
part of a disk.

  Windows 9X needs to be installed on an active primary partition.  As Linux
largely ignores all that stuff, most simple dual-boot configurations just
leave the 'doze partition set active all the time, so this may not even be
an issue.  Assuming you have more than one primary partition, Windows will
use the active one.  Simple and straight-forward.

  Occasionally, one will encounter an "OEM" version of Windows that will
refuse to do anything but restore the entire disk to a factory image.  This
is usually the fault of the PC OEM (e.g., HP, Sony, etc.) and not Windows.

  One can run into problems when the Windows installer overwrites the disk's
MBR (Master Boot Record), as many Linux boot loaders install into the MBR by
default.  It really isn't fair to blame Windows for this, as the MBR was
never intended to contain an OS-specific boot loader -- it's really Linux
breaking the rules here.

  You can avoid MBR problems in a couple different ways.  One is to keep a
suitable rescue mechanism around.  If you are using GRUB as your loader,
simply create a GRUB boot floppy in advance.  If the MBR gets clobbered, you
can then boot the GRUB floppy and use it to reinstall GRUB into the MBR.  
For LILO, one generally needs to boot a Linux system and re-run the map
installer (/sbin/lilo) with the installed system.  You can either use a
self-contained rescue environment (i.e., boot from CD) for this, or prepare
a LILO boot floppy for your installed system in advance.

  The other thing you can do is to create a primary partition for Linux, and
install the boot loader in that partition.  You can also use that partition
for a /boot partition, small root (/) partition, or your entire Linux
system.  By keeping the Linux boot loader in a PBR (Partition Boot Record),
you make Linux play by the rules that other OSes expect.  You can then
switch between Linux and Windows by toggling the "Active" partition flag.  
This is especially useful for systems which contain an OEM "utility
partition" that the BIOS expects to access using a normal MBR.

  You can also optionally supplement the above by installing the first stage
of the Linux boot loader into the MBR as well, leaving the one in the PBR as
a stand-by in case the MBR gets clobbered.

  If you are unsure as to how to make a boot floppy for your particular
system, please post your distribution and release, and your boot loader
(GRUB, LILO, etc.) if you know it, and we can advise.

  Hope this helps,


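An added example, not from the original post or from any boot loader project: a small MBR inspector that parses the four primary partition entries and their "Active" flags, checks the 0x55AA boot signature, and diffs a saved copy of the first sector against the current one, so a Windows install that overwrote the boot loader in the MBR, or a toggled active flag, shows up as a specific finding rather than as a machine that no longer boots. The sample image is constructed; on a real system read_mbr would be pointed at a device such as /dev/hda (as root) and at the backup file.

```python
"""Parse and compare 512-byte MBR images (boot code, partition table, signature)."""
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTCODE_SIZE = 446          # stage 1 of an MBR-installed boot loader lives here
PTABLE_OFFSET = 446          # four 16-byte primary partition entries follow
ENTRY_SIZE = 16
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    index: int        # 1..4, the primary partition slot
    active: bool      # 0x80 status flag: what a stock MBR / Windows 9x boots from
    type_id: int      # e.g. 0x0B/0x0C FAT32, 0x83 Linux, 0x82 Linux swap
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR image."""
    entries = []
    for slot in range(4):
        off = PTABLE_OFFSET + slot * ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0:
            continue
        entries.append(PartitionEntry(slot + 1, bool(status & 0x80), ptype, lba, count))
    return entries


def check_mbr(mbr: bytes) -> dict:
    """Sanity-check an MBR image: signature, boot code presence, active flags."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = parse_partition_table(mbr)
    return {
        "signature_ok": mbr[SIG_OFFSET:] == BOOT_SIGNATURE,
        "bootcode_empty": not any(mbr[:BOOTCODE_SIZE]),
        "active_partitions": [p.index for p in parts if p.active],
        "partitions": parts,
    }


def diff_mbr(saved: bytes, current: bytes) -> list:
    """Describe what changed between a backup MBR and the current one."""
    findings = []
    if saved[:BOOTCODE_SIZE] != current[:BOOTCODE_SIZE]:
        findings.append("boot code changed: the loader in the MBR was replaced")
    old = {p.index: p for p in parse_partition_table(saved)}
    new = {p.index: p for p in parse_partition_table(current)}
    for idx in sorted(set(old) | set(new)):
        o, n = old.get(idx), new.get(idx)
        if o is None:
            findings.append(f"partition {idx}: entry added (type 0x{n.type_id:02x})")
        elif n is None:
            findings.append(f"partition {idx}: entry removed (was type 0x{o.type_id:02x})")
        elif (o.type_id, o.lba_start, o.sectors) != (n.type_id, n.lba_start, n.sectors):
            findings.append(f"partition {idx}: type or extent changed")
        elif o.active != n.active:
            findings.append(f"partition {idx}: active flag {'set' if n.active else 'cleared'}")
    if saved[SIG_OFFSET:] != current[SIG_OFFSET:]:
        findings.append("boot signature changed")
    return findings


def read_mbr(device_or_file: str) -> bytes:
    """Read the first sector of e.g. '/dev/hda' (needs root) or of a backup file."""
    with open(device_or_file, "rb") as fh:
        return fh.read(MBR_SIZE)


def make_sample_mbr(bootcode_fill: bytes, active_slot: int) -> bytes:
    """Constructed sample: FAT32 Windows partition in slot 1, Linux in slot 2."""
    boot = (bootcode_fill * BOOTCODE_SIZE)[:BOOTCODE_SIZE]
    table = b""
    layout = [(0x0B, 63, 8_000_000), (0x83, 8_000_063, 4_000_000)]
    for slot, (ptype, lba, count) in enumerate(layout, 1):
        status = 0x80 if slot == active_slot else 0x00
        table += struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                             b"\xff\xff\xff", lba, count)
    table += b"\x00" * ENTRY_SIZE * 2        # slots 3 and 4 unused
    return boot + table + BOOT_SIGNATURE
```

Saving `read_mbr("/dev/hda")` to a file before the Windows install and running `diff_mbr` afterwards tells you whether only the boot code was replaced (reinstall GRUB/LILO from the rescue floppy) or the partition table itself was touched.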

Verizon DSL and static IP address (was: Speakeasy DSL)

2004-09-09 Thread bscott
On Thu, 2 Sep 2004, at 1:56pm, [EMAIL PROTECTED] wrote:
>> Verizon will be cheaper for the speed, but their TOS specifically forbade
>> running servers last time I checked.
> 
> Yes, they do. And they do not plan on issuing static IP's. EVER.

  That is not correct.  You can purchase a static IP option in many (most?)
Verizon DSL areas.  There is a price premium, but it is very much possible.
You can even host services (mail, web, etc.) on the service.  We have
customers doing this right now, and they have been doing so for over a year.

  Note that their sales/support/customer-service is still absolutely
horrible.  Indeed, simply finding a salesdroid that knows they offer a
static IP address option is difficult.  And they still don't offer any real
SLA.  But if all you're after is a cheap static IP address, and Verizon DSL
is your only feasible option, it is possible.


Re: Speakeasy DSL

2004-09-09 Thread bscott
On Thu, 2 Sep 2004, at 1:51pm, [EMAIL PROTECTED] wrote:
> The only problem I've had was the initial install.  Verizon came out to
> the house and ran two new lines (don't ask me why)

  *Two* new lines is rather odd.  Typically, Covad DSL (which is what
Speakeasy is using) brings in DSL on a dedicated line, so that means a new
loop has to be provisioned from Verizon.  This is in contrast to Verizon's
DSL, which typically "piggy-backs" on an existing POTS loop.


(was: Verizon offering 3Mbps )

2004-09-09 Thread bscott
On Thu, 9 Sep 2004, at 10:37am, [EMAIL PROTECTED] wrote:
> What's the latency like on that?  I'm assuming with a 48K mile round-trip
> minimum for every packet, latency must be rather high?

  It's closer to 100K mile.  Geostationary orbit is about 25K miles up.  
For a round-trip, that means 25K from you to orbit, 25K to the ground
station, then 25K from ground to orbit and then 25K back to you.  That's
roughly 550 ms of latency *at the speed of light*.  And that's not even
including latency introduced by the regular terrestrial networks.

  When doing ping tests with a Starband feed a year or two ago, I never saw
a RTT less than 700 ms.  It frequently went to well over 1000 ms.  That is
*over one full second* round-trip time for a 64 byte ICMP datagram.

  For comparison, I typically see between 200 and 300 ms RTT latency on a
POTS dial-up link.

  Latency on satellite really, really sucks.  Anything user interactive
(SSH, games, VoIP, etc.) is going to suck, period.  Satellite works great
for streaming (large file downloads, multimedia, etc.), if the protocol
allows for high-bandwidth, high-latency links.  In TCP terms, that means you
need a very large window size.

  Recall that TCP has to complete a three-way handshake before any data
flows.  That means applications that make use of many short-lived TCP
connections also count as interactive.  Think web browsing.  You have to
wait a minimum of about 2.5 seconds for each page element to load.  This
makes interactive web browsing nearly unusable.

  To solve the TCP problem, satellite carriers play games with the protocols.  
They configure a transparent proxy to sit between you and the satellite
uplink.  The proxy intercepts all the TCP requests and fakes the TCP
handshake locally, before the bits even hit the air.  This lets the HTTP
request get into the air without waiting for the "real" TCP handshake to
finish.  Of course, this is an incredible kludge.  I expect it could
conflict with other types of TCP usage, and I know it makes trouble-shooting
a bear.

  Back when I had to deal with it, Starband had also just switched from
doing that protocol magic in the "satellite modem" to doing it in software.  
That meant you had to run their funky and annoying Windows-only software.

  Satellite may be the best option if high-speed terrestrial links are not
available at the location, *and* latency is not a factor.  Otherwise, I
strongly recommend avoiding it.


Re: Verizon offering 3Mbps

2004-09-01 Thread bscott
On Wed, 1 Sep 2004, at 2:01pm, [EMAIL PROTECTED] wrote:
> HB495 didn't get passed .. but it basically said that if somebody has
> their access point open that they did it like that on purpose.

  Uhh... if it didn't get passed then it does not matter *what* the bill
said.  A bill has precisely zero legal value until and unless it is signed
into law.

  Obviously, you never watched "School House Rock", or you would know this
stuff.  ;-)


RE: Verizon offering 3Mbps

2004-09-01 Thread bscott
On Wed, 1 Sep 2004, at 7:50am, [EMAIL PROTECTED] wrote:
> I wish I could get it, but not in my part of Merrimack, I would need
> Adelphia and I will not use them.

  I'd rather have Adelphia than dial-up.  Yah, Adelphia sucks, but when it
comes to ISPs, Sturgeon's Law is overly optimistic.


Re: BIOS updates still matter

2004-08-31 Thread bscott
On Tue, 31 Aug 2004, at 9:03am, [EMAIL PROTECTED] wrote:
> But now it seems that the hardware is getting its own firmware and that
> needs updating.

  Indeed.

  Some (rather esoteric) explanation, for those interested:

  The IBM-PC BIOS (Basic Input/Output System), strictly speaking, is the
part of the system that translates various well-known software interrupt
calls into hardware-specific functions.  For example, INT13 (software
interrupt 0x13)  provides low-level disk read/write functions.  The idea was
that hardware would provide a BIOS interface, and software would be written
to use the BIOS, giving the platform a measure of hardware abstraction.

  Unfortunately, the original BIOS design was junk to begin with, and poor
implementation quality generally made things even worse.  It was and is very
common for software to go "around" the BIOS, in order to get the features,
performance, and/or control needed.  That was the case when the BIOS was
brand new, and now it's twenty years old and hasn't aged well.

  In particular, almost all BIOS calls have to be made in real mode (16-bit
segmented memory).  That makes the BIOS useless to the Linux kernel, which
runs in protected mode (32-bit flat virtualized memory).  This is why you
need drivers for everything in Linux, while you can limp along sometimes
under 'doze and DOS.  Windows 95 and 98 can still fall back on the BIOS for
some things if they have to.  So, people say, correctly, that "Linux doesn't
use the BIOS".

  Now, on the original IBM-PC, most of the main ROM was dedicated to the
implementation of BIOS services [1].  There was practically nothing in ROM
that wasn't BIOS, so in the IBM-PC world, "BIOS" and "firmware" became
somewhat synonymous.

  However, as Mark Komarinski notes, these days, there is plenty that
happens in "firmware" that is not, technically speaking, part of the "BIOS".  
Hardware initialization and setup code was tiny in the IBM-PC ROM, but is
huge today.  PCI enumeration.  PCI interrupt routing.  ACPI.  ISA PnP.  
Microprocessor configuration.  Perhaps even FPGA or ASIC programming.  All
of that is done by the firmware.  Linux needs it to be done properly.  So if
the firmware is buggy, Linux may break.


Footnotes
---------
[1] Also a BASIC interpreter, which I will ignore for this discussion.


Re: Verizon offering 3Mbps

2004-08-31 Thread bscott
On Tue, 31 Aug 2004, at 10:06pm, [EMAIL PROTECTED] wrote:
> http://www.dslreports.com/shownews/53311

http://ars.userfriendly.org/cartoons/?id=19980609
http://ars.userfriendly.org/cartoons/?id=19980610
http://ars.userfriendly.org/cartoons/?id=19980611

  ;-)


Boot weirdnesses

2004-08-31 Thread bscott

  I encountered a couple of weird problems booting my primary home computer
today, and I wanted to share.

  Possibly relevant details:

- Red Hat Linux 7.3
- GRUB 0.91-4
- Epox EP-8K7A+ motherboard (w/ latest BIOS)
- AHA-2940UW SCSI host adapter (BIOS 2.20)
- IDE hard disk
- Multiple SCSI CD/DVD drives

Weirdness #1


  All of a sudden, I couldn't boot Linux anymore.  I would still boot my
Wintendo partition, but not Linux.  GRUB appeared to process the "kernel"
and "initrd" commands properly, but when I issued a "boot" command, it would
simply hang -- no messages at all.  A three-finger-salute was required to
regain control.

  I figured my GRUB install must have been hosed somehow, so I tried booting
my GRUB floppy and loading the GRUB config file from the hard disk.  Same
problem.

  I could use the GRUB "root", "find", "cat", and "testload" commands to
explore my Linux boot partition without finding anything wrong.

  The "debug" command changed nothing -- still no messages after the "boot"
command.

  Eventually, I booted from CD (this led to the second weirdness; see
below).  I ran fsck on everything.  No problems.  So I mounted my hard disk
filesystems and started poking around.  Eventually, I did "cat grub.conf"
and that's when I found "it".

  My grub.conf file ended with a line with no trailing newline.  That is,
the file did not end with a newline character.  I added a newline to the
file, unmounted, sync'ed, rebooted, and ta-da, it worked.

  There must be some kind of in-memory corruption that occurs when GRUB 
tries to process a config file without a trailing newline.  I say this 
because I have multiple stanzas in my config file for Linux (for various 
kernel choices), and *all* of them failed.  So it wasn't just the last 
stanza that was hosed.

  The reason my floppy boot didn't help is that I still loaded the config
file from the hard disk, which apparently triggered the same bug.

  This is an older version of GRUB; it may be fixed in newer releases.  
Regardless, though, it's something to be aware of.

Weirdness #2


  In the process of trying to figure out weirdness #1, I attempted to boot
from CD.  I used a CD-R burn of White Box Enterprise Linux 3.0 Respin 1,
mainly because that was what I had on my (physical) desktop when weirdness
#1 started.

  I loaded the CD in my Plextor CD-RW drive and reset the machine.  The
Adaptec BIOS found the bootable CD and said it was going to boot it.  Then
the GRUB menu I usually see when booting from HD appeared.  (The broken
one.)

  "Huh?  What happened to the CD that the Adaptec card was supposedly going
to boot from?"

  I even went so far as to tell my mainboard BIOS Setup not to boot from
anything but my SCSI adapter, and the weirdness still occurred.  I know the
BIOS option did *something*, because if I set it that way and did not put a
CD in any drive, the machine failed to boot anyway.

  I eventually discovered that if I boot that same exact CD in my Pioneer
DVD reader, everything works as I would expect it.

  Haven't had a chance to pursue this to my satisfaction yet.  If I find out
more, I'll let the list know.

  -- Ben "I hope your computer problems are less insane than mine" Scott


RE: Bookstores [Was: Re: Going OT [Was: Re: Replacing PBXes with Open Source]]

2004-08-29 Thread bscott

  As a counter-point...

  I've had nothing but positive experiences with Amazon's customer service,
both email and voice.  They respond quickly and are interested in helping.  
Likewise, they provide near-real-time information on availability and
shipping status.  All very impersonal, of course, but still very well done.  
At the same time, I get better prices, much better selection, and reader
reviews.

  The only advantage "brick-and-mortar" bookstores offer me is the ability
to browse the content, and that is slowly changing, too, as more and more
books becomes "pre-viewable" online.  Not only that, but more and more books
are becoming available in pure electronic form.  When there's nothing
physical to sell, the physical store becomes completely superfluous.

  Sure, sure, many still like the physical medium of paper and ink, for one
reason or another.  But in the future, when everybody has grown up with
e-books all around them, do you really think there will be that much call
for dead trees?

  We are witnessing the beginning of the end of an era.  Printed media is
becoming obsolete.  It will take tens, if not hundreds, of years to finish
doing so, but the wheel has begun to turn.  How appropriate that Gutenberg
brackets both the beginning[1] and the end[2].

[1] http://www.bl.uk/treasures/gutenberg/homepage.html
[2] http://www.gutenberg.net/


Re: Free WiFI at Panera Bread on Amherst St, Nashua

2004-08-29 Thread bscott

  Some additional commentary to add to this thread:

  * People have drawn the analogy to leaving your house unlocked and having
stuff stolen.  It's worth pointing out that, in the state of NH, if your
property is not clearly posted as being private, people who wander on to it
(or claim to have done so) cannot be charged with trespassing.  There was
even a movement in the state legislature to extend this provision to open
wireless networks (dunno how far it got).

  * My limited and outdated understanding is that ISPs do not necessarily
have the same "common carrier" status that traditional telephone companies
have.  Furthermore, being a "common carrier" includes not only protections
but obligations.  The saying "be careful what you wish for" applies.


VoIP and paranoia (was: Replacing PBXes with Open Source)

2004-08-29 Thread bscott
On Wed, 25 Aug 2004, at 8:08pm, [EMAIL PROTECTED] wrote:
> From a big brother perspective I'd be unhappy about the enhanced privacy
> ...

  The VoIP providers have already been told by The Powers That Be that they
must make their services "available for monitoring" for legal reasons.

  Ironic that the cipherpunk dream of "ubiquitous private communications"  
appears more likely to arrive not via high-tech computer interfaces, but as
an enhancement to the old-fashioned telephone.

> In either case, I'd do my level best to prevent or at least cripple the
> widespread availability of PBX- and VoIP-enabled gear to the Great
> Unwashed...

  There's not really much The Powers That Be can do about it.  While they
might legislate that anything connected to the PSTN is this-or-that,
enforcement is practically impossible, and they have no control over
pure-Internet services.

  More interesting will be how this affects the private sector and
end-subscribers.  What happens when Big Companies get involved in this?  
For example, who do you want to control your voice comm links: Microsoft,
AOL, or Yahoo?  Will their different offerings interoperate, and if so, how
well?  How will this affect network operators who like to claim "common
carrier" status but don't provide common access to the government?


Re: Keep Password in KDE su

2004-08-29 Thread bscott
On Sun, 29 Aug 2004, at 10:27am, [EMAIL PROTECTED] wrote:
> Question:  What happens, and what are the dangers, when you check "Keep
> Password"?  How is the password stored and could this later be used as a
> hole by some malware?

  From reading the page you linked to, I surmise that the kdesud daemon
keeps a cached copy of the root password in memory.  Future connections
within the timeout period to that daemon will then reuse the password.  
Presumably, the password is never written to disk by the program itself.
However, if the kdesud daemon does not protect the memory containing the
root password, it could be written to swap space or a core file.

  I like the approach sudo uses better.  sudo runs SUID-root, uses your user
password, and simply keeps track of the last time you used sudo.  No
password caching needed, and the root password never even enters the picture
at all.  sudo is also not limited to KDE.

  Google search for kdesu and/or kdesud shows that the software in question
has had security vulnerabilities in the past.  Not in the password caching,
but in the implementation of the program itself.  That seems to be the usual
case; bugs are rarely in the "security feature" itself, but in the code
surrounding it.

  Overall, for single user systems, I suspect the threat posed by kdesu is
likely to be minor in comparison to the other threats most such systems face
(e.g., browser attacks, email attacks, direct attacks against public
services (especially privileged services like SSH)).


Re: pcmcia vs pccard vs cardbus

2004-08-27 Thread bscott
On Thu, 26 Aug 2004, at 11:18pm, [EMAIL PROTECTED] wrote:
>> I know that pccard is the same as pcmcia (easier for consumers). What is
>> cardbus?
> 
> PCMCIA the next version (well, next in 1997)

  In particular, PCMCIA cards are 16-bit and use 5 volts.  CardBus cards (or
at least, can be) are 32-bit (faster) and 3.3 volts (saves battery power).  
CardBus slots can generally accept either type, but CardBus cards generally
will not work in an old PCMCIA slot.


Re: Email security (was: Gmail..)

2004-08-24 Thread bscott
On Sun, 22 Aug 2004, at 7:00pm, [EMAIL PROTECTED] wrote:
>>> I've been waffling (heh, sorry) on whether or not I'm willing to trust to
>>> Gmail, but I'll never know unless I try (for my least sensitive mail, at
>>> least).
> > 
>> If you're sending sensitive email unencrypted, you're already in trouble.
>> And you should know better, too.  :)
> 
>   Come on, Bruce, read Bruce Schneier's regular Cryptogram newsletter
> before making such broad statements.  Security is *always* a tradeoff. 

  "Security is a process, not a product."

  "There's no such thing as security -- only managed risk."

> Private email from me to another friend of mine on the same ISP who is
> also running his own TLS enabled SMTP server is plenty sufficient security
> for the type of communication I have with him.

  Sure.  But that would fit the definition of "encrypted", no?  :)

> Gmail (and other webmail-only services) is a whole different animal.  The
> email is ALWAYS on the server, no opportunity to POP it out of there as
> quickly as it comes in, which is what I do with another (low volume)
> externally hosted POP account.

  I don't understand how people construe a mail spool as a security feature.  
Presumably you consider the mail server untrusted.  That's reasonable.  But
if the mail server is untrusted, you have to assume all the mail going
through it is potentially compromised.  Recorded, analyzed, indexed, logged,
diverted, intercepted, blocked, modified, folded, spindled, or mutilated.
The fact that it gets spooled on a disk, or stored longer, is insignificant
compared to the larger security problem here.

> ... an entire record of my email life is not available in any one
> location, like it would be were I to switch entirely to Gmail.

  Let's say you switched "entirely" to POP on some nameless ISP.  We assume
that ISP is untrusted.  We don't know what they (or some intruder) might be
doing with their system.  We *do* know all your mail is flowing through
their systems, though.  There is certainly ample opportunity for anyone to
make an entire record of your email life, there.

  The only difference that I have seen with Gmail is that Google is overt
about it.  And is trying to turn a profit from it.  :)

> Except, of course, on my OWN servers.

  If the entire email transaction takes place on your servers, then we can
assume a real security gain.

  But chances are, you are exchanging email with other servers.  That means
your ISP, their ISP, *their* ISP, their peer, their transit provider, the
other guy's ISP's upstreams, the other guy's ISP, the other guy's mail
server operator, maybe the other guy's IT staff, employees, ex-employees,
ex-girlfriend, the hacker who has "0wned" the other guy's mail server, the
software company that wrote the other guy's mail server's OS, the NSA, FBI,
CIA, IBM, AT&T, and the Free Masons could all be reading your mail, for all
we know.  Oh, and maybe Google, too.

  Gmail seems to have highlighted the fact that we put a lot of trust in the
hands of Internet operators.  The thing I don't understand is why people are
not willing to trust Google, but *are* willing to trust all those other
elements.

  It's not that I think Google is particularly trustworthy.  It's that I
don't think anyone else is, either.



Re: Auth/system-auth & POP3 daemon

2004-08-24 Thread bscott
On Tue, 24 Aug 2004, at 2:39pm, [EMAIL PROTECTED] wrote:
> Exactly. But... Why would it work fine over one interface but time out on
> the other?  xinetd is not bound to any specific interface.

  I doubt it has anything to do with the interfaces involved, but rather,
the networks (and firewalls and routers and filters (Oh my!)) between you and
the other system.

  Let's say your server is named Giant and your client is named Tiny.

  You see, nominally, if Tiny does not support AUTH (i.e., Tiny is not
running identd or an equivalent), then there will be nothing listening on
TCP port 113 on Tiny.  If xinetd on Giant sends an AUTH request to Tiny,
then Tiny will respond with an ICMP "Destination Port Unreachable" message.  
xinetd on Giant then knows that it is not going to get an AUTH response, and
continues without the username.

  But suppose Tiny is out in the great big world.  Any number of ISP
routers, home NAT boxes, corporate firewalls, or network gremlins may drop
the AUTH request, or drop the ICMP "Destination Port Unreachable" response.  
(There are a lot of IWFs who think ICMP is a hacking tool.  *sigh*)

  So now, when Giant sends an AUTH request to Tiny, it gets... nothing...  
back.  So xinetd on Giant has to sit there for 30 seconds (or whatever),
until it times out, and assumes it is never going to get a response, one way
or the other.

On Tue, 24 Aug 2004, at 2:55pm, [EMAIL PROTECTED] wrote:
> Now the only possible setting I know of that might do this is (from
> /etc/xinetd.d/ipop3):
>
>  log_on_success  += USERID
>
> Could this be it?

  Absolutely.

> If so, how can I continue to log the userid without the auth request?

  xinetd cannot log the user ID without AUTH.  However, chances are, xinetd
will not be able to log the user ID even *with* AUTH.  Most systems don't
support AUTH these days.  Even if they did support it, AUTH is *completely*
untrustworthy.  All it does is ask the other system "Who are you?" and take
whatever the other system says as law.  You might as well just filter the
evil bit in your routers (see RFC-3514).

  So, basically, forget about xinetd logging the user ID.

  Your POP3 daemon, however, presumably requires a username and password.  
Those are much harder to fake.  I expect your POP3 daemon logs whatever
details about user authentication it gets.  So don't worry about xinetd
logging the user ID anyway; it's the wrong tool for that job.

  Of course, ordinary POP3 is still clear-text, meaning the
username/password are easily sniffed, and most email is hideously insecure
anyway.  But hey, you have to start somewhere.  :)

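The exchange described above, as an added example that is not part of the
original post: a small RFC 1413 (ident/AUTH) client in Python that produces
the three outcomes Ben walks through, a fast "refused" when nothing listens on
the peer's port 113, a full timeout when something in between silently drops
the request or the ICMP unreachable, and an answer that is whatever the other
end feels like claiming.  The fake identd, the silent listener and the port
numbers are all constructed for the demonstration on loopback; nothing here
talks to a real remote host.

```python
import socket
import threading
import time

IDENT_PORT = 113   # the "auth" service in /etc/services


def parse_ident_reply(line: bytes) -> dict:
    """Parse '<ports> : USERID : <opsys> : <id>' or '<ports> : ERROR : <type>'.
    The id is whatever the remote machine chose to say; nothing verifies it."""
    fields = [f.strip() for f in line.decode("ascii", "replace").split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return {"type": "USERID", "os": fields[2], "id": fields[3]}
    if len(fields) >= 3 and fields[1] == "ERROR":
        return {"type": "ERROR", "error": fields[2]}
    return {"type": "INVALID", "raw": line}


def ident_query(host, server_port, client_port, timeout=2.0, ident_port=IDENT_PORT):
    """Send one RFC 1413 request about the TCP connection <server_port> <->
    <client_port> and return (outcome, parsed_reply).  Outcomes:
      'refused'  - RST / ICMP unreachable came back, so we give up at once
      'timeout'  - nothing came back at all, so we sat out the whole timeout
      'answered' - the peer said something (trustworthy or not)"""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(b"%d , %d\r\n" % (server_port, client_port))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused", None
    except OSError:                    # socket.timeout is an OSError subclass
        return "timeout", None
    return "answered", parse_ident_reply(data)


def start_fake_identd(answer: bytes) -> int:
    """Constructed for the example: a one-shot ident responder on loopback
    that echoes the port pair back and claims whatever 'answer' says."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(64).strip() + b" : " + answer + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Exercise the three outcomes against loopback and return what happened."""
    out = {}
    fake = start_fake_identd(b"USERID : UNIX : root")
    out["claimed"] = ident_query("127.0.0.1", 110, 54321, ident_port=fake)

    probe = socket.socket()                # grab a free port, then close it:
    probe.bind(("127.0.0.1", 0))           # nothing listens there any more
    closed_port = probe.getsockname()[1]
    probe.close()
    t0 = time.monotonic()
    out["refused"] = ident_query("127.0.0.1", 110, 54321, ident_port=closed_port)
    out["refused_seconds"] = time.monotonic() - t0

    silent = socket.socket()               # accepts the TCP connection but
    silent.bind(("127.0.0.1", 0))          # never answers: the filtered case
    silent.listen(1)
    t0 = time.monotonic()
    out["silent"] = ident_query("127.0.0.1", 110, 54321, timeout=0.5,
                                ident_port=silent.getsockname()[1])
    out["silent_seconds"] = time.monotonic() - t0
    silent.close()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "claimed" case comes back as root because the constructed server says so,
which is the whole problem with logging USERID: the only fix on Giant is to
stop asking, i.e. take USERID out of log_on_success in the xinetd service
file, and rely on the POP3 daemon's own authentication log instead.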


Re: Cannot receive broadcast,why?

2004-08-24 Thread bscott
On Wed, 25 Aug 2004, at 3:20am, [EMAIL PROTECTED] wrote:
> My system is redhat9. It cannot receive broadcast packages, I am sure the
> broadcast server send packages.

  I assume you mean "packets" and not "packages".

  What is happening (or not happening) that tells you your computer is not
receiving broadcast packets?



Re: Auth/system-auth & POP3 daemon

2004-08-24 Thread bscott
On Tue, 24 Aug 2004, at 9:18am, [EMAIL PROTECTED] wrote:
> You want to disable the identd service. 

  That isn't going to help at all.  The OP's system is *sending* AUTH
requests; identd only *responds* to ident requests.  Turning off his identd
isn't going to stop his box from sending requests (and waiting for
responses).

  :-)



Re: Auth/system-auth & POP3 daemon

2004-08-24 Thread bscott
On Tue, 24 Aug 2004, at 12:43am, [EMAIL PROTECTED] wrote:
> I'm beginning to wonder if the identd service is somehow sending the
> request to the client to identify itself to 10.x.x.x.

  AFAIK, identd doesn't initiate requests, it only responds to them.  I
expect either xinetd or the POP3 server you're using is sending the identd
request to the client system, not getting an answer, and timing out after 30
seconds.  I know xinetd can be configured to do this (see xinetd.conf(5)  
manpage).



Re: Connecting OO to a remote MySQL server

2004-08-23 Thread bscott
On 23 Aug 2004, at 9:36pm, [EMAIL PROTECTED] wrote:
> Yet another thing that the Linux community needs to fix. 

  s/Linux community/IT world/



Re: Connecting OO to a remote MySQL server

2004-08-23 Thread bscott
On 22 Aug 2004, at 8:49pm, [EMAIL PROTECTED] wrote:
>> (Yes, I have the appropriate .jar files in my ClassPath under the OO
>> Security setting).
> 
> I had a semi-colon instead of a colon in the classpath. Sigh.

  One of the laws in one of those "Laws of Public Forums" lists is that you
will only notice your obvious mistake immediately *after* you post about it.

  :-)



Re: (New) GNU User Group

2004-08-22 Thread bscott
On Sun, 22 Aug 2004, at 2:11am, [EMAIL PROTECTED] wrote:
> I wish I could put more time into this announcement to explain the hows
> whats whys etc.

  FWIW: One thing trying to help GNHLUG has taught me is that the
organization and administration is the critical part, and the hard part,
about being a user group.  GNHLUG has web sites, mailing lists, even regular
meetings, but it is still currently suffering from a lack of cohesion and
direction, due mostly to a scarcity of free time.  As you note on your home
page, the people are the important part.  Something to keep in mind in your
own endeavors.

  On a more positive note, I'm pleased to see an effort to form a group
around local interest in Free Software, and I like the direction you're
taking the web site.  Creating a web resource for Linux and Free Software
users was one of the things I was trying to create when I took over
maintenance of www.gnhlug.org last year.

  Props for the creative name, too.  :)

> I *have* launched a website:  http://www.nbptgnus.org.

  FYI: That site took at least twenty seconds to come up for me (I'm on
cable right now), and has a broken image on the home page.  I dunno if you
know and expected that, or if something is really borken, so I figured I'd
mention it.



Email security (was: Gmail..)

2004-08-22 Thread bscott
On Sat, 21 Aug 2004, at 7:05pm, [EMAIL PROTECTED] wrote:
> I've been waffling (heh, sorry) on whether or not I'm willing to trust to
> Gmail, but I'll never know unless I try (for my least sensitive mail, at
> least).

  If you're sending sensitive email unencrypted, you're already in trouble.
And you should know better, too.  :)

  Public Service Message: Internet email is just about exactly as secure as
a conventional post card.  Don't send anything in (unprotected) email you
wouldn't feel comfortable putting on a post card.



Security esoterica (was: wipe utility)

2004-08-17 Thread bscott
On Wed, 18 Aug 2004, at 11:51am, [EMAIL PROTECTED] wrote:
> On Tue, Aug 17, 2004 at 09:58:31PM -0400, [EMAIL PROTECTED] wrote:
>>   Most important of all, in order to make use of data in a filesystem
>> journal, you basically need to assume the attacker has achieved full root
>> compromise of your system.  
> 
> Or have gained physical access to the hard disk ...

  I was including that in "full root compromise".  :-)

> If the data were valuable to others in some way, it might even be worth
> breaking into your home for.

  Absolutely.  That's why I tell people that physical security always has to
come first.  It's amazing how many places have *literal* security holes.

>> If you were really serious, you would start by never connecting a system
>> containing sensitive information to a public network like the Internet.
> 
> For mere mortals with financial and logistical constraints, that's not
> always an option.

  Well, it all depends.  As far as capital costs go, with a removable hard
drive carrier, you could achieve this for less than $100.  I certainly
agree, though, that it's likely overkill for most personal users.

> Managing IA is about managing risks, but it's also about managing costs...

  Even more: They are the same thing.  Two sides of the same coin, as the
saying goes.  In the end, just about every decision comes down to one
question: Is it worth it?  (It's determining the inputs to that function
that make life so interesting.  :-) )

>> You physically secure the whole computer.  It's called "system high".
> 
> Really?  I've never heard that term before.  Have any links?

  Well, really, I'm abusing the term slightly.  What it *really* means is
that everyone who has access to the computer is cleared to have access for
all the information on the computer.  The most common way a system-high
configuration is achieved is to physically secure the whole thing.  Crude,
but very effective.

  The term comes from the classic NSA "Rainbow Series" on "Trusted Computer
Systems".  You can find the formal definition here:

http://www.fas.org/irp/nsa/rainbow/tg004.htm

Look under the entry for "modes of operation".

  The Rainbow books, despite their age, remain a very good resource for
people in the IA field.  The NSA, mission objectives aside, know what they
are doing.

  One thing I always liked about the NSA's policies in particular is that
they state and require that products alone *are not considered trusted*.  
Only an entire system (equipment, software, personnel and procedures) can be
certified as a trusted system.  That's still a rare attitude in the business
world.

> Well, IIRC, the best encryption that Linux can do to a partition is AES
> 256.

  A 256-bit symmetric AES cipher is considered extremely strong by today's
standards, provided it is used properly (e.g., the secret is truly random;
the cipher is cycled with each data block; the secret is adequately
protected; etc.).  I haven't seen any analysis, one way or the other, on
what's built-in to the Linux kernel.  But then, I haven't looked for any,
either.  :-)

> Do you think NSA can't crack AES 256?

  Well, some of the best minds in the world think it isn't feasible with
today's technology.  Of course, the NSA might have some kind of incredible
breakthrough algorithm or something.  Like that black box from the movie
"Sneakers", for example.  :)

  To answer the question: I don't know if the NSA can crack AES 256.  But I
do know that if they can, then nothing we do, short of absolute physical
security, will keep them out.

  So I run through the managed risk routine.  I believe it is a threat with
very low probability, and counter-measures have a very high cost.  I thus
conclude that the counter-measures are not justified.

> If you need to be certain, a dead-man timer may have value.

  Well, again, it's all about managed risk.  "Certain"  means different
things to different people.  In some circles, "certain"  means assets are
protected by 24-hour TPC (two party control) teams, and equipped with "rapid
destruction mechanisms" that can be triggered in the event of "imminent
compromise by hostile forces".  That's about as certain as you can get, I
think.

  Dead man timers don't give you certainty, though.  If you're compromised
before the dead man timer expires, you're hosed.  And if you miss the timer
reset, you're hosed.



Re: Can't boot from Core 2 CD

2004-08-17 Thread bscott
On Wed, 18 Aug 2004, at 12:05pm, [EMAIL PROTECTED] wrote:
>>> dd if=/dev/cdrom of=FC2-i386-disc1B.iso
>> 
>>   In my experience, that does not work right.  Use
> 
> Interesting.  I've used exactly that approach a number of times recently,
> and had no troubles.  Perhaps the difference is bad sectors on the disc,
> or other copy protection mechanisms that dd doesn't handle well.

  I'm pretty sure it has something to do with esoteric features of the
various Compact Disc specifications.  CDs can have multiple sessions, each
with multiple tracks.  An ISO-9660 filesystem can have multiple namespaces,
and there does not have to be a one-to-one match of every file in every
namespace.  Plus the whole boot catalog thing, which is "outside" the
"regular" ISO-9660 filesystem, but still part of it.  How the heck do you
present that as a single

/dev/cdrom

device?  :-)

  I know it's made a difference with Red Hat Linux CDs (back when there
*was* a Red Hat Linux) made from MD5-verified images, so it isn't a copy
protection thing.



Re: Can't boot from Core 2 CD

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 10:15am, [EMAIL PROTECTED] wrote:
> The file i downloaded was FC2-i386-disc1.iso and then I sucked it back out
> of the cd using
>   
> dd if=/dev/cdrom of=FC2-i386-disc1B.iso

  In my experience, that does not work right.  Use

readcd dev=/dev/sgcdrom f=cdimage.iso

instead (where "/dev/sgcdrom" is the SCSI generic device for your CD-ROM
drive).

  Also, use the "-dao" switch to "cdrecord" when recording in the first 
place.  Someone else on this list gave me that tip, and it does appear to 
create a more "exact" burn of the original image.

  Of course, IME, when I had trouble doing a read-and-compare of CDs I 
burned, the discs generally still worked fine.  So I'm not sure how much it 
matters.  But it certainly can't hurt.

  Another compare trick I use is:

mount -o loop -r /path/to/original/cdimage.iso /mnt/image
diff -qr /mnt/image /mnt/cdrom

That will at least verify everything in the regular filesystem is a match.  
Of course, your problem appears to be with the boot catalog, which is
"outside" the regular filesystem.  :-/

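As an added example (not from the original thread, and not part of readcd,
cdrecord or any other tool named above), a Python check that looks at the
parts of a disc image the "mount -o loop ... ; diff -qr" trick cannot see.  It
walks the ISO-9660 volume descriptors that start at sector 16, compares the
volume size declared by the primary volume descriptor against the actual
image length (a short copy shows up as "truncated"), and follows the El Torito
boot record to the boot catalog and verifies the catalog's validation entry.
The sample image is built in memory for the demonstration and is not a real
disc; give the script a path to a real .iso to check that instead.

```python
import struct
import sys

SECTOR = 2048  # ISO-9660 logical sector size; descriptors start at sector 16


def parse_volume_descriptors(image: bytes) -> dict:
    """Walk the volume descriptor set and pull out the primary volume
    descriptor and the El Torito boot record, if present."""
    info = {"pvd": None, "boot_record": None}
    sector = 16
    while (sector + 1) * SECTOR <= len(image):
        d = image[sector * SECTOR:(sector + 1) * SECTOR]
        if d[1:6] != b"CD001":
            break                       # not a descriptor: set is malformed
        dtype = d[0]
        if dtype == 255:                # volume descriptor set terminator
            break
        if dtype == 0:                  # boot record: points at the boot catalog
            info["boot_record"] = {
                "system_id": d[7:39].rstrip(b"\x00 ").decode("ascii", "replace"),
                "catalog_sector": struct.unpack("<I", d[71:75])[0],
            }
        elif dtype == 1:                # primary volume descriptor
            info["pvd"] = {
                "volume_id": d[40:72].decode("ascii", "replace").rstrip(),
                "space_size": struct.unpack("<I", d[80:84])[0],   # logical blocks
                "block_size": struct.unpack("<H", d[128:130])[0],
            }
        sector += 1
    return info


def catalog_validation_ok(image: bytes, catalog_sector: int) -> bool:
    """Check the 32-byte validation entry that opens the boot catalog: header
    0x01, key bytes 0x55 0xAA, and all sixteen 16-bit words summing to zero."""
    off = catalog_sector * SECTOR
    entry = image[off:off + 32]
    if len(entry) != 32 or entry[0] != 0x01 or entry[30:32] != b"\x55\xaa":
        return False
    return sum(struct.unpack("<16H", entry)) % 0x10000 == 0


def check_image(image: bytes) -> list:
    """Return the problems found; an empty list means the image is complete
    and carries an intact boot catalog."""
    problems = []
    info = parse_volume_descriptors(image)
    pvd, br = info["pvd"], info["boot_record"]
    if pvd is None:
        problems.append("no primary volume descriptor (not an ISO-9660 image?)")
    else:
        expected = pvd["space_size"] * pvd["block_size"]
        if len(image) < expected:
            problems.append("image truncated: %d bytes, PVD declares %d"
                            % (len(image), expected))
    if br is None:
        problems.append("no El Torito boot record: disc will not be bootable")
    elif not catalog_validation_ok(image, br["catalog_sector"]):
        problems.append("boot catalog at sector %d is missing or corrupt"
                        % br["catalog_sector"])
    return problems


def build_sample_image(bootable: bool = True, total_sectors: int = 24) -> bytes:
    """Constructed input for the example (not a real disc): system area, PVD,
    optional boot record + catalog, terminator, padding to the declared size."""
    def descriptor(dtype):
        d = bytearray(SECTOR)
        d[0], d[1:6], d[6] = dtype, b"CD001", 1
        return d
    pvd = descriptor(1)
    pvd[40:72] = b"SAMPLE".ljust(32)
    pvd[80:88] = struct.pack("<I", total_sectors) + struct.pack(">I", total_sectors)
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)
    sectors = [bytes(SECTOR)] * 16 + [bytes(pvd)]
    if bootable:
        br = descriptor(0)
        br[7:30] = b"EL TORITO SPECIFICATION"
        br[71:75] = struct.pack("<I", 19)          # catalog lives in sector 19
        cat = bytearray(32)
        cat[0], cat[30:32] = 0x01, b"\x55\xaa"
        cat[4:28] = b"sample".ljust(24, b"\x00")
        cat[28:30] = struct.pack("<H", (-sum(struct.unpack("<16H", bytes(cat)))) & 0xFFFF)
        sectors += [bytes(br), bytes(descriptor(255)), bytes(cat).ljust(SECTOR, b"\x00")]
    else:
        sectors.append(bytes(descriptor(255)))
    sectors += [bytes(SECTOR)] * (total_sectors - len(sectors))
    return b"".join(sectors)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for p in check_image(data) or ["image looks complete and bootable"]:
        print(p)
```

Running it on both the downloaded image and the readcd copy answers whether
the boot catalog survived the burn, which is exactly the part that a diff of
the two mounted filesystems never compares.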


Re: MS Exchange Server competition

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 1:03am, [EMAIL PROTECTED] wrote:
> And one more link that seems to be the most comprehensive, most up-to-date
> on the subject
> 
> http://www.linuxmafia.com/faq/Mail/groupware.html

  Hm.  Some of that stuff appears *very* interesting.  I also see why I
never found some of this before; everybody I talked to kept trying to sell
me a server first, and never mentioned client-side support.

On Tue, 17 Aug 2004, at 12:57am, [EMAIL PROTECTED] wrote:
> Hey, where you've been?  You must have just come back from vacation or 
> something and had a massive jones to post.  All of a sudden I see you 
> posting on every thread for the last week.  ;-)

  Actually, I've just been incredibly busy.  And I figured replying to
messages more than a week old would just confuse matters more.  :)



Re: GRUB and two HDs

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 10:51am, [EMAIL PROTECTED] wrote:
> Unfortunately, this only works if both drives are in the system. If
> there's only the built-in drive, it boots to greet me with "GRUB " and a
> blinking cursor. I had expected that I still would have seen the menu, but
> only the Windows option would have worked. So, grub has only inserted a
> loader into the MBR, and still needs to read the menu from the second
> drive?

  GRUB has multiple stages.  Stage 1 typically lives in the MBR.  Stage 1
has just enough marbles to find a larger stage, load it, and jump to it.  
In many cases, that larger stage will be stage 2.  Stage 2 is the main GRUB
program, which gives you the menu, CLI, and boot loader functions.  You may
also have a stage 1.5, which gets used when more marbles than stage 1 has
are needed before stage 2 can be loaded.

  In most Linux distros, stage 2 is in /boot/grub/ on either the root
partition, or a special partition just for /boot/.  For you, that would be
on the second physical disk.  So when you remove it, there is no stage 2 to
load.

  LILO works pretty much the same way, BTW.  There's just less of it to load
in stage 2.  If you've ever seen LILO die after printing just "LI", that
means it failed to find and load LILO's stage 2.

  I think other people have given you some good options.  I suspect the
option that uses the NT boot loader to chain to GRUB is best.

  Another option, if GRUB supports it, is to install GRUB into your NTFS
partition on the first disk.  I kinda doubt GRUB supports that, though.



Re: CDROM question

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 7:24am, [EMAIL PROTECTED] wrote:
> Nothing exciting - just a backup program.  In a given week, I accumulate
> about 10-15 CD's worth of data that needs to be backed up and the company
> is too cheap to go with tape.

  Penny wise, pound foolish.  But I'm sure I'm preaching to the choir.

  You might look into DVD recorders, though.  They're pretty cheap, and at
least you can stuff more data onto a single disc.

> I'm just trying to write the application to be friendly enough that I
> don't really have to engage my brain at all to perform the backups - the
> friendly little program tells me everything I need to do.

  Well, as far as *that* goes, I imagine you could make most of it happen
just by using the "eject" command.  It even has an option (-t) to close an
open tray.

  About the only tricky part is checking for the existence of media.  Aside
from that "dd" hack I posted before, the "cdrecord" command has a number of
options that may be useful.  The "-toc" and "-atip" switches, in particular,
can give you details about media.  The only problem is, they also cause any
open CD tray to close.  At least, they do on my Plextor and Yamaha SCSI
CD-RW drives.

  I'm pretty sure there's a SCSI command that will test if a drive tray is
open or closed, but I suspect you'd have to write some custom code to
actually make use of it.

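Added example, not from the original post: the "is there a disc in the drive"
check done through the Linux CD-ROM ioctl interface (CDROM_DRIVE_STATUS and
CDROMCLOSETRAY from <linux/cdrom.h>), which asks the kernel for tray and
medium state without touching the disc, plus the polling loop a backup script
would wrap around it.  This is the kernel's interface, not the raw SCSI
command the post refers to.  The device path and the loop timings are
assumptions; the status and sleep callables are injectable so the loop can be
exercised without a drive.

```python
import fcntl
import os
import time

# Request numbers and drive states from <linux/cdrom.h>; Linux-specific.
CDROM_DRIVE_STATUS = 0x5326
CDROMCLOSETRAY = 0x5319
CDS_NAMES = {0: "no_info", 1: "no_disc", 2: "tray_open",
             3: "drive_not_ready", 4: "disc_ok"}


def drive_status(device="/dev/cdrom", _ioctl=fcntl.ioctl):
    """Ask the kernel what state the drive's tray/medium is in, without
    reading the disc.  O_NONBLOCK lets the open succeed with no medium."""
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        code = _ioctl(fd, CDROM_DRIVE_STATUS, 0)   # arg 0: first (only) slot
    finally:
        os.close(fd)
    return CDS_NAMES.get(code, "unknown(%d)" % code)


def close_tray(device="/dev/cdrom", _ioctl=fcntl.ioctl):
    """The ioctl behind 'eject -t'."""
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        _ioctl(fd, CDROMCLOSETRAY, 0)
    finally:
        os.close(fd)


def wait_for_disc(device="/dev/cdrom", timeout=60.0, interval=1.0,
                  status=drive_status, sleep=time.sleep, prompt=print):
    """Poll until a disc is readable.  Returns (final_state, polls, prompts).
    'tray_open' -> tell the operator once; 'no_disc' / 'drive_not_ready' ->
    keep waiting (the tray is moving or the drive is spinning up)."""
    polls, prompts = 0, []
    max_polls = max(1, int(timeout / interval))
    while polls < max_polls:
        state = status(device)
        polls += 1
        if state == "disc_ok":
            return state, polls, prompts
        if state == "tray_open" and not prompts:
            msg = "Tray is open: insert the next backup disc and close the tray."
            prompts.append(msg)
            prompt(msg)
        sleep(interval)
    return "timeout", polls, prompts


if __name__ == "__main__":
    print(wait_for_disc(timeout=30))
```

Unlike cdrecord -toc / -atip, CDROM_DRIVE_STATUS does not close the tray as a
side effect, so the loop can leave the tray open until the operator acts and
then call close_tray() itself.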


Re: Slightly-Offtopic - Networking audit question

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 7:38pm, [EMAIL PROTECTED] wrote:
> I can't really go portscanning/pinging the crap out of the network ... We
> had a couple customers say that they would leave if we did it again, even
> if it was a planned event and announced.

  IWF detected.



Re: wipe utility

2004-08-17 Thread bscott

  WARNING: This message deals with Information Assurance (IA) topics.  IA is
a harsh field.  There is no room for hurt feelings here.  If you prefer not
to have personal opinions challenged, stop reading now.

On Tue, 17 Aug 2004, at 7:13pm, [EMAIL PROTECTED] wrote:
> All joking aside, the *actual* threat can be hard to assess at times ...

  Absolutely.
 
> ... so one sometimes must make "paranoid" or worst case scenario
> decisions.

  Sure.

> Some minimal approaches such as not using journaled filesystems on
> sensitive data may not be perfect, but at least I sleep a bit better at
> night.

  Here's where I think you're going wrong.

  I think all you're buying yourself a false sense of security.

  First, there's comparative vulnerability assessment.  Of all the things one
could worry about, worrying about data being recovered from a filesystem
journal is a bit like worrying about the lock on a medicine cabinet on the
Titanic.

  Information assurance also includes more than just confidentiality;
availability and integrity are also key.  Journaling filesystems help
protect those.

  Most important of all, in order to make use of data in a filesystem
journal, you basically need to assume the attacker has achieved full root
compromise of your system.  At that point, you're pretty much fscked, no
matter what.  They could just as easily modify your kernel to divert a copy
of everything you do to their system, with you none the wiser.

  So, sure, if it gives you a warm fuzzy, go right ahead with the
"non-journaling filesystems are safer" idea.  Wear a tin-foil hat, too.  
You never know -- there might really *be* secret government mind-control
satellites.  :-)

> If I were really serious, I'd set up an encrypted partition with a running
> cron job that expected a response from me every so often, and if it didn't
> get that it would shred the partition along with the private keys.

  If you were really serious, you would start by never connecting a system
containing sensitive information to a public network like the Internet.  
You physically secure the whole computer.  It's called "system high".

  Another valid technique is to encrypt data using a long asymmetric key
kept on removable media, and protected with a strong pass-phrase.  
Decryption is to volatile storage only (i.e., RAM).  This achieves much
better confidentiality than any automated system that has access to the
secret keys, and also achieves much better availability, as forgetting to
reset the deadman timer won't destroy anything.

  Deadman timers are usually a sign of an amateur.  Real systems are secure
regardless of how long they sit idle.

> Some hard drives, btw, do come with their own security shredding abilities
> built in.

  I haven't seen that.  I'm interested.  Got any links?



Re: rant on pathetic example of Microsoft FUD

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 7:01pm, [EMAIL PROTECTED] wrote:
>> Alas, human-friendly HTML is becoming rarer and rarer everyday.  These
>> days, it almost seems like HTML is seen more like program output (like
>> object code) than something you can actually design and write yourself.
> 
> Tell that to my daughter. She prefers to crank out HTML by hand ...

  Me too.  I strongly suspect we're a tiny minority.



Re: MS Exchange Server competition

2004-08-17 Thread bscott
On Tue, 17 Aug 2004, at 8:20am, [EMAIL PROTECTED] wrote:
>> Do either support MAPI?  That is, do they provide seamless Microsoft
>> Outlook integration?
> 
> What does MAPI give an end-user ...

  MAPI stands for "Messaging Application Programming Interface".  In typical
Microsoft fashion, it can mean a couple different things.

  One is the wire protocol the Exchange client modules in Outlook use to
talk to the Exchange server's Information Store.  That I'm not really
interested in.

  The other thing MAPI can mean is the API that Outlook provides for storage
and services.  Basically, everything in Outlook -- contacts, calendar, mail,
tasks, etc. -- use MAPI to actually store stuff.  The details I'm a little
fuzzy on.  But if you have a back-end that supports MAPI, then Outlook will
work "just like it does with Exchange", at least for all the client-side
stuff.  (You don't get Event Sinks, Forms, or any of the other fancy
server-side stuff Exchange has, but most people don't use that.)

  While we have used Outlook with IMAP with some success, it is far from
perfect.  It is mail only.  Contacts, calendar, and so on are still stored
in a .PST file on each workstation.  (PST is a self-destructing file format
that even Microsoft Exchange fans hate.)  Outlook also insists on putting
"Sent Items" and "Drafts" in the PST file, which means they are not
available via IMAP.  There's no shared calendar or contact list, which a
lot of organizations *do* want.

  Of course, you can do pretty much everything most small organizations need
with a combination of Outlook or Outlook Express, IMAP, phpGroupWare,
SquirrelMail, and so on.  It works pretty well, but it lacks the
"all-in-one" package of Outlook and Exchange.  Right or wrong, a lot of
people are willing to pay big bucks for Windows and Exchange just so they
can get that.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: MS Exchange Server competition

2004-08-16 Thread bscott
On Mon, 16 Aug 2004, at 9:18pm, [EMAIL PROTECTED] wrote:
> I recently did an investigation for a client of Linux based alternatives
> to Exchange. I found two that were very good at providing full blown
> Exchange capabilities and compatibility.

  Do either support MAPI?  That is, do they provide seamless Microsoft
Outlook integration?  Not just IMAP mail (which Outlook has limits with
anyway), but contacts, calendar -- the whole Outlook store.  Right or wrong,
that's what a lot of people want.

  Based on a cursory examination, it would appear Bynari's stuff does not.  
OpenExchange is kinda fuzzy on the details of their "Outlook Connection",
but screen shots of Outlook are conspicuous by their absence.

> My primary beef with [SuSE OpenExchange] is the cost. For small shops the
> cost, while cheaper than Exchange by 1/2 to 1/3 less, is still
> substantial.

  That doesn't concern me so much.  The issue I usually face is that people
want the kind of Outlook integration that Exchange provides, but I would
like to be using a Linux server.  Since nothing on Linux I know of can meet
their needs, we go with Windows instead.

  The only product I've found that does MAPI that runs on Linux is Samsung
Contact (formerly HP OpenMail), and Samsung won't talk to you unless you're
buying 500 or more seats.

  Again, I can do things like IMAP and LDAP in Outlook, and web-based
systems for the rest, right now, for free.  Spending more to get the same
doesn't make sense.  I'm willing to spend more to get more, but I want to
see that I'm actually getting more.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |




Re: Can't boot from Core 2 CD

2004-08-16 Thread bscott
On Mon, 16 Aug 2004, at 10:56pm, [EMAIL PROTECTED] wrote:
>> It's unclear from your message how far it gets before it "stops dead".  
>> Does it display any messages at all?
> 
> Absolutely zip. The screen stops dead black as soon as I hit return.

  Wow.  That's really weird.  At that point, everything should still be
using BIOS calls; Linux technically hasn't entered the picture yet.  In
fact, the system should basically think it's running from a floppy disk
(emulated by the CD).

  I'd check BIOS settings, both in the motherboard BIOS, and in the SCSI
host adapter.  Check for firmware updates from the manufacturers for both,
too.

  I'd also try using an old-fashioned floppy disk to boot the system, to see
if that makes a difference.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |




Re: wipe utility

2004-08-16 Thread bscott
On Mon, 16 Aug 2004, at 8:33pm, [EMAIL PROTECTED] wrote:
>> The US DoD says that "Secret" and higher level classified data cannot be
>> sanitized off of a hard disk by software alone ...
> 
> That is simply not true. DoD does allow for software only sanitization of
> hard disks for data classified at the secret level under some conditions.
> 
> http://www.dss.mil/infoas/index.htm
> 
> Right site bar has Assessed Products list.

  That link didn't really shed any light on the subject; as you note, most
of it is access-controlled.  It doesn't really matter.  My point was to
illustrate that risk management means making intelligent decisions about
assets, threats, vulnerabilities, and counter-measures.  Not unreasoning
fear of journaled filesystems.  :-)

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: CDROM question

2004-08-16 Thread bscott
On Mon, 9 Aug 2004, at 3:54pm, [EMAIL PROTECTED] wrote:
> A) If a given cdrom drive is open or closed?

  I think this will be drive, and maybe bus, dependent.  Some drives don't
even have a tray, come to think of it.  I've got a slot-load, SCSI bus,
CD/DVD reader on my PC here at home.

> B) If there is a disc in the drive?

  Well, something like this might work:

if dd if=/dev/cdrom of=/dev/null bs=1 count=1 ; then
# something readable is there
else
# could not read disc
fi

The 'dd' command will fail with a "No medium found" error if no disc is 
loaded.

  Of course, there are other reasons you might not be able to read the
device besides no disc being loaded.  Permissions; blank CD-R/CD-RW; non-data
disc; etc.

> If the answer is that I have to try mounting the CD, etc, etc, it's more
> work than it's worth.  This isn't a big deal, I was mostly just curious.

  Okay, well, now I'm curious: What's your application?

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |
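  An added example of the same test done from Python (mine, not from the post
above and not a GNHLUG tool): it reads one byte the way the 'dd ... bs=1
count=1' test does, but maps the errno of a failed open/read to a named reason,
so "no medium" is told apart from the other failures the post lists
(permissions, blank or non-data disc, etc.).  The device path /dev/cdrom is the
only thing taken from the post; the errno table and the probe_examples()
helper, which stands in for a real drive with constructed plain files so the
code runs anywhere, are assumptions.

```python
"""Probe a block device for a readable medium, distinguishing failure modes.

Added example (not from the original post).  Reads a single byte like the
post's `dd if=/dev/cdrom of=/dev/null bs=1 count=1`, but maps the errno of a
failed open/read to a reason instead of a bare yes/no.
"""
import errno
import os
import tempfile

# Linux reports a tray with no disc as ENOMEDIUM ("No medium found"); the
# constant is not defined on every platform, so fall back to Linux's value.
ENOMEDIUM = getattr(errno, "ENOMEDIUM", 123)

# Assumed mapping from errno to a human-readable reason.
REASONS = {
    ENOMEDIUM: "no-medium",         # the case dd reports as "No medium found"
    errno.EACCES: "permission",     # caller may not open the device node
    errno.ENOENT: "no-such-device",
    errno.EIO: "unreadable",        # blank CD-R, audio-only disc, bad media, ...
}


def probe_medium(path, size=1):
    """Return 'readable', 'empty', or a reason string for a failed read."""
    fd = None
    try:
        fd = os.open(path, os.O_RDONLY)
        data = os.read(fd, size)
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return REASONS.get(exc.errno, "error:%s" % name)
    finally:
        if fd is not None:
            os.close(fd)
    # A real drive never returns zero bytes from a present disc; a zero-length
    # regular file (used in probe_examples) does, hence the 'empty' result.
    return "readable" if data else "empty"


def probe_examples():
    """Constructed stand-in for a drive: plain files in a temp dir, no device."""
    d = tempfile.mkdtemp()
    present = os.path.join(d, "data-disc.img")
    with open(present, "wb") as f:
        f.write(b"\x01" * 2048)     # one constructed 2048-byte sector
    blank = os.path.join(d, "blank.img")
    open(blank, "wb").close()
    return {
        "present": probe_medium(present),
        "blank": probe_medium(blank),
        "missing": probe_medium(os.path.join(d, "missing.img")),
    }


if __name__ == "__main__":
    print("/dev/cdrom:", probe_medium("/dev/cdrom"))
    print(probe_examples())
```

On a real machine the interesting cases are "no-medium" versus "permission"
versus "unreadable"; the post's shell test collapses all three into "could not
read disc".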



Re: rant on pathetic example of Microsoft FUD

2004-08-16 Thread bscott
On Sat, 14 Aug 2004, at 1:07am, [EMAIL PROTECTED] wrote:
> I was developing a CD-ROM product which contains multiple Microsoft 
> PowerPointless (tm) presentations.

  You might as well give up on any hope of doing anything
standards-compliant right there.  :-/

  Pedantic clarification: This isn't FUD (Fear, Uncertainty, Doubt).  It is
EEE (Embrace, Extend, Extinguish).  The former scares people who are
considering using non-Microsoft options.  The latter turns non-Microsoft
options into Microsoft products.

> Microsoft PowerPoint's idea of HTML is not anything you would recognize
> surfing the web and 'viewing source'.

  Alas, human-friendly HTML is becoming rarer and rarer everyday.  These
days, it almost seems like HTML is seen more like program output (like
object code) than something you can actually design and write yourself.

> [HTML is a] perfectly standardized and specified language.

  Hah!  I think that lasted for about a week after WorldWideWeb was
released.  Mosaic and Netscape left a grand tradition of inventing their
very own flavor of HTML.  Indeed, it was Microsoft's object model that was
chosen by the W3C, and not Netscape's, for HTML 4.0.  Remember, it was
Netscape who brought us the BLINK tag.

  (Not defending Microsoft; rather, pointing out that there are many guilty
parties here.)

> This strange tongue seems to have been originated by a multi-billionaire
> cult leader from Redmond, WA.  His followers have unwittingly or through
> no intelligence of their own spread this Word to the far reaches of the
> planet.

  Now *that's* funny!  May I quote you?

> [Microsoft's programs] also generate a crateful of JavaScript, including a
> browser-detection routine that basically says:
> 
>  "You're not using Microsoft Internet Explorer.  This page may
>  contain features unsupported by your browser.  Do you wish to
>  continue?"

  This is a long-standing Microsoft technique.  Microsoft once added code to
Hotmail that blocked non-IE browsers, only to take it down a bit later,
saying it was a "mistake".  Sections of Microsoft's technical web pages have
things like tree menus that are perfectly standard HTML and JavaScript
(well, as standard as JavaScript can get), but have an explicit check to
disable them on non-Microsoft browsers.  Going back further, there was that
infamous check in Windows 3.mumble that aborted the load if it found you
were running DR-DOS.

  "DOS ain't done 'till Lotus won't run!"

> I call this whole thing pathetic because it is exactly opposite of what
> their customer needs or wants.

  For-profit companies do what generates the most profit.  That may or may
not be what their customer needs or wants.

> Why don't they create a converter that says ...

  Because that would reduce their vendor lock-in leverage?

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: Site defaced - what next?

2004-08-16 Thread bscott
On Sun, 8 Aug 2004, at 12:10pm, [EMAIL PROTECTED] wrote:
> *The cast of attackers*
> Saudi Arabia - the cracker who defaced my site was
> from Saudi Arabia (e.g. cache3-2.jed.isu.net.sa).  As soon as he put up a
> new homepage for me, he obviously told a friend (cache7-4.ruh.isu.net.sa),
> who visited the site moments later.

  Correction: The connection(s) which carried the attacks originated from
those servers.  That is all you can say for sure.

  From the name, we can suppose they are caching proxy servers.  A huge
problem on the Internet today is that attackers relay their attacks through
third-party proxy servers.  It is entirely possible that the attacker is 
somewhere else entirely, and was using those servers for cover.  Indeed, 
that "friend" might have just been an alternate route for the same attacker.

  Of course, it is equally possible that the attacker was a "legitimate
user" (I use the phrase loosely) of those proxy servers.  We have no way of
knowing for sure without getting in touch with the operator(s) of those
servers.  (And maybe not even then.)

  This is why I don't get excited about random probes (of the type mentioned
in another recent thread here).  They're practically at the level of
continuous background noise at this point, and they are generally nearly
impossible to trace.  Keep your system secure, and someone checking the
handle to see if you locked the door won't matter.

  Of course, that doesn't help when your system is found to be not secure,
as you have discovered, Greg.  :-/ You have my sympathy.  It can happen even
if you do everything you should, and most of us (myself included) don't even
do everything we know we should.

> Google -helps script kiddies find my exploitable file phpexplorer.  I 
> didn't put this script on my server, and I don't know how Google found 
> it.  All I can tell you from my server logs is that people are searching 
> for this script and my site comes at the top of the list.

  It is possible that the details of your compromised server were disclosed
by the attacker(s), and that information was then picked up by Google.

  Another possibility is web logs.  Are your web logs available to anyone who
happens to know the right URL?  If so, it is amazing how easy it is for that
information to get caught by a spider.  From there, the situation becomes a
positive feedback loop.

  Don't forget that your system may have been compromised long before your
web site was defaced.  (Cheery thought, I know.)

> Of course some people think I should just be quiet about it because the
> fact that my site was compromised could make me look bad.

  Not that I think you're serious in that statement, but worth pointing out
anyway: As you have discovered, information, once disclosed, tends to be
very hard to control.
 
-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |
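  An added example of the log triage this post is talking about (mine, not
from the post and not from Greg's server): parse Apache combined-format access
log lines, count hits on the script in question per client, and mark clients
whose reverse name suggests a caching proxy, since for those the remote host is
only the last hop and says nothing about where the attacker actually is.  The
path name "phpexplorer" comes from the post; the log lines, hostnames and
addresses are constructed, and the "cache"/"proxy" name heuristic is an
assumption drawn from the post's "from the name, we can suppose".

```python
"""Triage of web-server access logs after a defacement.

Added example, not from the original post.  Log lines are constructed
(RFC 5737 addresses, made-up hostnames) in Apache "combined" format.
"""
import re
from collections import defaultdict

SUSPECT_PATHS = ("/phpexplorer",)       # script name taken from the post
PROXY_NAME_HINTS = ("cache", "proxy")   # assumption: naming convention only

LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two requests via a "cache" host, a visit from a second
# "cache" host that never touches the script, one hit arriving from a search
# engine result, and ordinary traffic.
SAMPLE_LOG = """\
cache3.proxy.example - - [08/Aug/2004:11:02:14 -0400] "GET /phpexplorer/index.php HTTP/1.1" 200 4311 "-" "Mozilla/4.0"
cache3.proxy.example - - [08/Aug/2004:11:05:40 -0400] "POST /phpexplorer/index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
cache7.proxy.example - - [08/Aug/2004:11:06:02 -0400] "GET /index.html HTTP/1.1" 200 1893 "-" "Mozilla/4.0"
203.0.113.7 - - [09/Aug/2004:03:15:09 -0400] "GET /phpexplorer/ HTTP/1.0" 200 2211 "http://search.example/?q=phpexplorer" "Mozilla/5.0"
198.51.100.42 - - [09/Aug/2004:08:00:00 -0400] "GET /about.html HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per line that matches the combined log format."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_likely_proxy(host):
    """Heuristic only: a 'cache'/'proxy' name suggests a relay, not the origin."""
    return any(hint in host.lower() for hint in PROXY_NAME_HINTS)


def triage(entries):
    """Summarise who touched the suspect script, and how much to trust that."""
    suspect = [e for e in entries if e["path"].startswith(SUSPECT_PATHS)]
    by_host = defaultdict(int)
    for e in suspect:
        by_host[e["host"]] += 1
    return {
        "first_seen": suspect[0]["ts"] if suspect else None,
        "hits_by_host": dict(by_host),
        # attribution for these is only as good as the proxy operator's logs
        "likely_proxies": sorted(h for h in by_host if is_likely_proxy(h)),
        # search-engine referrers show the script is already indexed
        "search_referred": sorted({e["host"] for e in suspect
                                   if re.search(r"[?&]q=", e["referer"])}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

The "first_seen" timestamp is the useful number: as the post says, the system
may have been compromised well before the defacement, so the earliest hit on
the script, not the defacement time, bounds the incident.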



Topic (was: Site defaced - what next?)

2004-08-16 Thread bscott
On Tue, 10 Aug 2004, at 11:29pm, [EMAIL PROTECTED] wrote:
> These factors combine to ensure that political topics will be discussed on
> Linux-related mailing lists.

  While true, we also hope to keep the noise level sufficiently low that it
doesn't overwhelm the signal.  GNHLUG's primary focus is Linux and Free
Software.  GNHLUG exists because you cannot find a forum for that focus
elsewhere.  You can, however, find an (over)abundance of political forums
elsewhere.  While political discussions are by no means always inappropriate
here, they may sometimes be more appropriate elsewhere.

  As someone here said, policing ourselves is the way to go.  I suggest to
everyone that the next time you feel like adding to a thread that really
might better belong elsewhere, that you take it elsewhere instead.  It's the
responsible thing to do.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |





Re: MS Exchange Server competition

2004-08-16 Thread bscott
On Fri, 13 Aug 2004, at 11:30pm, [EMAIL PROTECTED] wrote:
> People are often looking for Linux work-alikes for MS Exchange Server.  
> Novell just announced that they are making SUSE OpenExchange GPL.

  Last I looked (which was admittedly some time ago), OpenExchange was
nothing more than an IMAP server bolted on to a glorified web calendar.  
While a useful product, about all it had in common with Microsoft Exchange
was the word "Exchange" in the name.  More importantly, you could get the
same thing for free with any IMAP server and phpGroupWare.  So OpenExchange
always struck me as more of a marketing effort than a unique product.  
That's a valid business technique, of course.  It works for Microsoft, after
all.

  But, IMO, releasing OpenExchange as GPL isn't such a big deal, from a
technical stand-point.  I find it far more interesting that *Novell* -- the
same company that used to threaten legal action for reverse-engineering
their protocols and data structures -- is releasing major products under the
GPL.

> Also, there is a project called OpenGroupware which is GPL
> http://opengroupware.org/en/users/faq/index.html

  Also these:

  - http://www.phpgroupware.org 
  - http://www.phprojekt.com/ 

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: wipe utility

2004-08-16 Thread bscott
On Fri, 13 Aug 2004, at 12:53pm, [EMAIL PROTECTED] wrote:
> I keep my /tmp partition as ext2 for that sole reason. Anything sensitive
> goes there, and I can shred it afterwards.

  Just to tweak the paranoid a bit further: The US DoD says that "Secret"  
and higher level classified data cannot be sanitized off of a hard disk by
software alone, as most hard disks automatically copy-and-remap degraded
sectors before the host OS even sees them, so parts of the disk could still
contain the data.  Only physical methods are sufficient.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: Lost my partition table - can I recover?

2004-08-16 Thread bscott

  I saw that you already decided to go ahead with the restore from tape
(often the best call in that kind of situation), but I figured this might be
useful to know anyway, so:

On Thu, 5 Aug 2004, at 9:38am, [EMAIL PROTECTED] wrote:
> My situation: I have an HP server with two hot-swap SCSI drive bays. It's
> got a RAID controller in it ...

  I know some of HP's RAID controllers are just re-badged AMI (now LSI)
MegaRAID controllers.  So are some of Dell's.  Nice cards, really.

  The MegaRAID line presents logical drives (LDs) to the OS.  It builds LDs
out of physical disks (PDs).  The OS doesn't know about the physical disks;  
it just sees one big logical unit.  The controller does whatever is needed
(striping/mirroring/parity/etc) to turn your PDs into LDs.

  The controller keeps configuration information in NVRAM and on disk.  
When you deleted the LD, it wrote that fact to NVRAM and disk.  That means
no more LD for the OS to see.

  In theory, if you re-create the LD with the *exact same parameters* that
it had before, the contents of the LD will still be there.  Things get a bit
tricky, depending on the RAID level you use, the firmware rev you have, and
the type of RAID array (e.g., a RAID-1 mirror member looks just like a
regular disk in most respects, but a RAID-5 array will be totally
scrambled).  But it can work.  It's not guaranteed, of course, but I have
done it before.

> I am certain that all that's happened is the RAID controller re-wrote a
> new partition table with no partitions.

  Not exactly a partition table.  The RAID configuration information lives
"outside" the LD the OS normally sees.  I think it is kept at the end of
each PD, although I'm not sure on that.  The OS then puts a partition table
inside the LD.  If the LD-recreate trick described above works, then your 
partition table will re-appear, along with everything else that used to be in 
the LD.

> Can I recover from this without having to do a reinstall? This is, ahem, a
> time-critical problem. :( :( :(

  866-NTI-LINUX, $95/hour is our regular rate.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: rant on pathetic example of Microsoft FUD

2004-08-16 Thread bscott
On Sun, 15 Aug 2004, at 12:19am, [EMAIL PROTECTED] wrote:
> Please take the time to trim quoted material from your posts.

On Sun, 15 Aug 2004, at 12:19am, [EMAIL PROTECTED] wrote:
> Please take the time to trim quoted material from your posts.

  Please take the time to trim duplicated list-posting addresses from your
posts.  We already read your response; we didn't need to see the whole thing
again, verbatim.

  ;-)

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: Rockingham Park and the Northern Computer Shows: Sept. 28th (sic)

2004-08-16 Thread bscott
On Sun, 15 Aug 2004, at 1:09am, [EMAIL PROTECTED] wrote:
> AND the two tables will cost $200 + $10. for electricity.a lot more
> expensive than Hoss Traders.  (sigh)

  This concerns me more than the morning.  Not that I'm a morning person by
any stretch of the imagination, but I can do it if I have to.  But I'm not
sure it's worth $210 just to go there and tell people they should use Linux.  
Most people at those shows just want to buy stuff cheap.  It doesn't strike
me as a good environment for education/evangelism.

  Of course, I'm a pessimist, so maybe listening to me isn't a good idea.  
In fact, it probably isn't.  (Did I mention I'm a pessimist?  :-)  )

  If you do decide you want to go through with it, and could use another
warm body, I'll still be happy to volunteer.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: Can't boot from Core 2 CD

2004-08-16 Thread bscott
On Mon, 16 Aug 2004, at 4:46pm, [EMAIL PROTECTED] wrote:
> Does anyone have any idea how I can debug this problem? I can boot from
> other CDs, but FC2 just stops dead.

  It's unclear from your message how far it gets before it "stops dead".  
Does it display any messages at all?

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: UPS recommendations wanted

2004-08-16 Thread bscott
On Mon, 16 Aug 2004, at 3:24pm, [EMAIL PROTECTED] wrote:
> I've used APC SMART-UPS 1400 at a few installations with NUT and it's
> worked properly.  I haven't specified them, they just seem to be popular -
> I think it's the biggest 120V unit they make in that model range.

  FYI: The Smart-UPS 1400 is discontinued.  The similar Smart-UPS 1500
provides 120 volt out with a 120 volt, 15 amp input -- what the "regular
outlets" most people in the US are familiar with provide (NEMA 5-15).  
That's the largest current Smart-UPS that uses a NEMA 5-15 input.  Larger
models can still take a 120 volt input, but require 20 or 30 amp circuit
("funny outlets").

> I'd be surprised if there is different firmware on different capacities
> within the SMART-UPS line, but I'm no APC expert.

  All the current Smart-UPS units provide similar communications features.  
Some of the really old units have more limited functions, but unless the
unit is 8+ years old, that won't matter.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: UPS recommendations wanted

2004-08-16 Thread bscott
On Mon, 16 Aug 2004, at 11:11am, [EMAIL PROTECTED] wrote:
> Is anyone willing to comment on their experiences with specific UPSes with
> Linux?

  In my opinion, you can't go wrong with APC's Smart-UPS, Matrix, and
Symmetra lines.  They may not be the cheapest, but they always work, and
well.  Any Smart-UPS will work with apcupsd, NUT, and/or APC's own
PowerChute tools on Linux.  The current PowerChute stuff is agent only on
Linux (needs Windoze for GUI), but I've still got a copy of PowerChute for
X11 that works fine if that's what one wants.  apcupsd works fine
everywhere, of course.  I haven't played with NUT much, because apcupsd did
what I needed, but I understand the results are similar.

> I'm sure some of you will say things depend on how I'm going to use it.  
> Well, initially like to buy an inexpensive one to use at home with RH8 and
> get familiar with apcupsd and NUT.

  Well, the Smart-UPS 420 (the smallest model APC offers) lists for $180,
which may or may not be too much for your budget for simple experimentation.

  APC's Back-UPS line also works with apcupsd, at least for the few models
I've tried.  The Back-UPS line only supports "simple signaling" --
basically, an indication that the UPS is running on battery.  The Smart-UPS
and fancier lines support "smart signaling", which provides two-way communication
and data reporting (temperature, voltage, etc.).

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: Google gives into the DMCA?

2004-07-30 Thread bscott
On Fri, 30 Jul 2004, at 12:46pm, [EMAIL PROTECTED] wrote:
> When I search for Kazza Lite Download, for non-illegal reasons, of
> course, I get this at the bottom of the page ... [DMCA stuff removed]

  Yah, Google has been doing this for awhile.  The DMCA says they have to,
and Google's not about to open themselves up to lawsuit city by trying to
fight it.  I believe one of the first groups to hit Google under the DMCA
was the Church of Scientology, back in 2002.

  "Here in America, we have the best government money can buy!"
  
-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: This monday: Webmin, Gentoo

2004-07-30 Thread bscott
On Thu, 29 Jul 2004, at 10:48pm, [EMAIL PROTECTED] wrote:
>  Gentoo - an awesome file manager. 

  I thought Gentoo was a distribution?

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: Sound issue

2004-07-29 Thread bscott
On Thu, 29 Jul 2004, at 9:01pm, [EMAIL PROTECTED] wrote:
> The most likely thing is you don't have the proper cable running from the
> back of the CD-ROM drive to the sound card. If you built the machine
> yourself, one should have come with the CD-ROM drive, if not, I'm not sure
> if anyone sells them ...

  Just about any decent computer parts vendor should have them.  Radio Shack
and CompUSA might have them, too.  If you frequent local computer sales
shows (http://www.ncshows.com), you can get them for cheap cheap cheap.  
Otherwise, try your local neighborhood whitebox vendor.  If all else fails:

http://www.cyberguys.com/templates/searchdetail.asp?T1=120+0240

> ... and I don't know exactly what they are called.

  "CD-ROM drive audio cable" seems to be common.  Be warned that while there
seems to be a fairly reliable de facto standard for the connector on the
drive, there are a couple different connectors one will see on the sound
card side.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: automated social engineering at it's best (maybe?)

2004-07-29 Thread bscott
On Thu, 29 Jul 2004, at 2:25am, [EMAIL PROTECTED] wrote:
> I didn't get what I asked for ...

  Well, you were rather vague in what you asked for.  What are you looking
for, other than a magic-wand or a big-foam-clue-bat?

  The following procmail recipe will route everything claiming to be from
the address you posted, along with a hypothetical similar address, to the
bit-bucket.  If you never send mail to yourself, this will block the exact
case you were complaining about.  I'm not sure if that's really what you're
after, though.

:0:
* ^From:.*(blu|gnhlug)@sophic.org
/dev/null

> I didn't know anything about SPF before I posted, and I still don't know
> much about it (I've been too busy to check into it in detail), so I'm not
> yet sure if it will be less trouble than it's worth...

  In a nutshell: SPF lets a domain holder publish information about what
hosts are approved to send mail as "From" the domain.  This means a
receiving MTA can check an incoming message against SPF.  If SPF exists and
says the sending MTA is bogus, the receiving MTA can immediately reject the
message without doubt.

  For example, you could publish SPF records saying that only your mail
server can originate mail as "From" the  domain.  If you then
also configured your MTA to check SPF, it would find the incoming mail (with
your 'From' address listed) in violation, and could take appropriate action.

> With my "e-mail environment" such as it is, it may be difficult or
> impossible to set up something like this which will work reliably for me.

  SMTP AUTH works very well for making sure all the mail you send comes from
a particular server.  Even Microsoft Lookout supports it.  :)

> Also, a significant percentage of the viruses I receive come from cute
> Korean girls that I want to date, so telling them to get a clue about
> their computer is probably the wrong option... ;-)

  Oh, that's easy.  Just say you think their PC might have a virus, but
you'll happily take care of it for them, just because you like 'em so much.  
You do a good deed, solve a problem, and win karma, all at the same time.

> The granddaddy of which is that users generally just don't want to be
> bothered to (learn how to) maintain their computers.

  Exactly.  Or, more broadly stated, "people generally just don't want to be
bothered to think".  People need to realize that not thinking is harmful,
even dangerous.

  Example: Every year people get hit by trains.  *It's a train.*  It isn't like
they can sneak up on you unexpectedly.  They generally follow the tracks.  
Yet people still find themselves in the position of being hit by them.  
This never fails to astound me.

  But I digress.  :)

> It is unfortunate that No Anti-virus software seems to install properly
> configured by default.

  The latest Norton Anti-Virus is actually really good at this.  Rather
expensive compared to "free", though.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |
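  An added example of the SPF check described in this post (mine, not the
post's and not any MTA's code): a domain holder publishes a policy as a DNS
TXT record, and the receiving MTA evaluates the connecting address against it.
The record below is constructed (RFC 5737/3849 addresses), and the evaluator
handles only the ip4, ip6 and all mechanisms; a real evaluator fetches the
record from DNS and also follows include:, a, mx and redirect=, which this one
reports as an error rather than guessing.

```python
"""Minimal SPF evaluator, showing the check a receiving MTA performs.

Added example, not from the original post.  Only ip4/ip6/all are handled;
the policy string is constructed, not a real published record.
"""
import ipaddress

# What a domain holder would publish as the TXT record for its domain:
# "only these hosts may send mail claiming to be from us; everyone else fails".
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Mechanisms are tested left to right and the first match decides.  If no
    mechanism matches, the result is 'neutral' (RFC 7208 default).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a mechanism without prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include:/a/mx/exists/redirect need DNS lookups; this toy refuses
        # rather than silently mis-evaluating them.
        return "permerror"
    return "neutral"


def mta_decision(record, sender_ip):
    """The policy the post describes: a hard fail is rejected outright."""
    result = evaluate_spf(record, sender_ip)
    if result == "fail":
        return "reject"
    if result == "pass":
        return "accept"
    return "accept-and-mark"               # softfail/neutral/none/permerror


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.9", "2001:db8:1::1"):
        print(ip, evaluate_spf(EXAMPLE_SPF, ip), mta_decision(EXAMPLE_SPF, ip))
```

Note that SPF binds the envelope sender's domain to sending hosts; it does
nothing for a forged From: header when the envelope sender is some other
domain, which is why the procmail recipe above and SPF are complementary
rather than alternatives.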







Re: Sound issue

2004-07-29 Thread bscott
On Thu, 29 Jul 2004, at 11:51am, [EMAIL PROTECTED] wrote:
>> ...  This requires more computrons ...
>>
>
> So that's the most fundamental element of computing physics, it explains so
> much.  ;-)

  Absolutely!

http://www.catb.org/~esr/jargon/html/C/computron.html

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



tar and stdio (was: Anyone know of a random data generator?)

2004-07-29 Thread bscott
On Fri, 30 Jul 2004, at 5:21am, [EMAIL PROTECTED] wrote:
> Only as the argument to the 'f' flag...
> 
>   $ cat intro |tar cf plah.tar -
>   tar: -: Cannot stat: No such file or directory
>   tar: Error exit delayed from previous errors
> 
> The intended result in this case can be achieved by just leaving off
> the '-' at the end.  Then tar will read its input from stdin.

  Er, not with my 'tar', and I don't think in the general case, either.

$ cat .bashrc | tar cf foo.tar  
tar: Cowardly refusing to create an empty archive
Try `tar --help' for more information.
$ 

  The 'tar' program works with tar archives and filesystems, not arbitrary
data streams.  You can't just take the output of "cat" (or the contents of
any other file or program via a file descriptor) and put them in a tar
archive as an archive member.

  When it comes to working with a tar archive, you can use stdio because a
tar archive, like any other file in Unix, is just a data stream.  But the
filesystem side of tar needs to be the filesystem.

  If you just want to move a data stream on to or off of a device, just use
"dd" or "cat", or plain shell redirection.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Sound issue

2004-07-29 Thread bscott
On Wed, 28 Jul 2004, at 11:07am, [EMAIL PROTECTED] wrote:
> When I put in a music CD, it brings up the CD player just fine, that goes
> out and finds disk info to display, the CD plays, and I can hear it
> through the headphone jack on the front of the drive, but no sound comes
> out of the speakers.  Sometimes.

  There are two ways to play CDDA (Compact Disc Digital Audio, i.e., "music
CDs") using a computer drive.

  One is to have the drive read the CDDA, convert it to analog audio
internally, and pipe it out an analog feed.  That is what the headphones do.  
That is also what a connector on the back of the drive does.  The idea is
you run a cable from the drive to an input on your sound card, and the sound
card's built-in mixer/amp makes the speakers go.  You don't even need an
operating system for this, if the drive has a front-panel "Play" button.

  The other method is DAE (Digital Audio Extraction, AKA "ripping").  Here,
the drive reads the CDDA and sends it to the host computer using the data
cable (IDE, ATA, SCSI, USB, FireWire, whatever).  The host computer does
something with the CDDA, such as use the sound card's DSP to turn it into
analog sound.  This requires more computrons and more sophisticated
software, but also enables things like encoding as MP3/OGG, or digital
effects processing.

  Most likely cause of different behaviors: When the sound works, the
software is using DAE, and when it does not, it is using analog playback.  
This would also explain why your headphones do work.

  Most likely cause of the analog failures: You have a connection problem
between the drive and the sound card.  It could be the cable simply was
never installed, or is loose, or whatever.

  Other possible causes of the analog failures:

  It could be your sound card is fried or otherwise defective.  It could
also be the mixer is not being programmed by the OS correctly.  You do
indicate the mic has never worked.  The mic input and the CD input are
basically two channels of the same thing, so I suspect they may be related.

  I usually tell people to also check their mixer settings, but you say
you've done that already.  If you set the mixer, exit the mixer program, and
then go back in, are the settings retained?  If not, that is a sign of
trouble.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Samba Question

2004-07-27 Thread bscott
On Sat, 24 Jul 2004, at 5:31pm, [EMAIL PROTECTED] wrote:
> the logs say that Samba is started but I can not get it to show up on my
> windows network.

  Issue all of the following commands at the shell prompt on your
Linux/Samba computer.

  Try:

ps ax | grep smbd

If you do not see at least one "smbd" process running, then Samba is not
running.  It may be that Samba is attempting to start but failing.


  Try:

testparm

The above will test your Samba configuration file.  If it complains of
problems, fix them.

  Try:

smbclient -L //localhost

That should list the shares on the local Samba server.  If it fails, post 
the error message.  If it works, at least part of Samba is working.


  If the above works, try:

smbclient -L //foo

where "foo" is the name of your Samba server.

  Let us know the results of the above, and we'll go from there.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Samba Question

2004-07-27 Thread bscott
On Sat, 24 Jul 2004, at 5:31pm, [EMAIL PROTECTED] wrote:
> (I know it is old but it is what I have)

  You know that Linux is free, right?  You can go and download the latest
Red Hat Linux (now called Fedora Linux) for free:

http://fedora.redhat.com

  If you don't have the bandwidth, you can have CDs mailed to you for less
than nine dollars:

http://www.cheapbytes.com/

  Or try one of the many other Linux distros:

http://www.linux.org/dist/

  Debian and Slackware are fairly mainstream (as such things go) and run
well on older hardware.

  Or show up at one of the GNHLUG meetings, and you'll likely find someone
willing to burn you a copy of whatever you want for free (or maybe cost of
media).

  I can understand when people don't want to upgrade a network based on
proprietary software; it can cost thousands and thousands of dollars, even
on a very small network.  But for what you're describing, the cost of a
brand new version of Linux should basically be free.  It's worth it.

  Reply to the Samba question will be in a separate message.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: automated social engineering at it's best (maybe?)

2004-07-27 Thread bscott
On Wed, 28 Jul 2004, at 2:07am, [EMAIL PROTECTED] wrote:
> So, anyone have any good procmail recipes for this bogosity?

  Since you're dealing with a message that forged the sender as coming from
*your domain*, you might look into things such as SPF.  If you can get away
with it, you could configure your public MX to refuse anything that claims
to be from your own domain.

  If you can get away with it, a procmail rule that blackholes anything with
an executable Microsoft attachment is a wonderful thing.

> I'm still getting basically no spam, but what can you do when your friends
> don't know how to take care of their PCs?

  Educate them.  Or find better friends.  ;-)

> If you're clueless or lazy about keeping your PC in good health, you might
> want to save your friends' inboxes and check out some of the links
> below...

  Alas, people who have clue don't need to be told, and those who don't have
clue don't seem to listen.  :-(

  Most of the worms of late are of the "Trojan horse" variety: They depend
on social engineering attacks to trick people into running an attached
executable.  "If someone else can convince you to run their software on your
computer, it isn't your computer anymore."  Until people wake up and
*think*, this problem will continue.

> All the security fixes that Microsoft has finally gotten around to
> fixing in their spare time (it must be the right link, it comes up
> completely blank in Mozilla):
> 
>   http://windowsupdate.microsoft.com/

  While always a good idea, this does not solve the major problem (see
above).

> Good free personal firewall software:
> 
>   http://www.zonelabs.com/

  Might help.  The problem is that the same lusers who ran the Trojan tend
to authorize it to "Use the Internet" when asked by ZoneAlarm.  I wish I was
kidding.

> Good free (for personal use) Anti-virus software:
> 
>   http://www.free-av.com/

  Good anti-virus software does do a good job of protecting lusers from
themselves.  The problems with AV are (1) you have to use it, (2) it is
reactive (and thus lusers are vulnerable until the sigs update), (3) lusers
don't make sure their sigs get updated.

> [There was meant to be some humor in this message, albeit sarcastic. If
> you didn't see it, try harder next time...  ;-)]

  Ha ha.  Only serious.

-- 
Ben Scott <[EMAIL PROTECTED]>
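
The two defenses suggested in the reply above (refuse mail that forges your own domain at the MX, blackhole anything carrying a Windows executable attachment), as an added example that is not part of the original post. The procmail logic is written out in Python so it can be run offline against a constructed message; the sample message, the domain "example.com" and the list of "executable" extensions are assumptions made for the example.

```python
"""Mail-filter checks for a forged own-domain sender and for executable attachments.

Added example, not from the original post.  The sample message, the domain
"example.com" and EXECUTABLE_EXTENSIONS are assumptions made for the example.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Extensions Windows runs on double-click (assumed list; extend to taste).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "cpl"}


def executable_attachments(raw: bytes) -> List[str]:
    """Return the filenames of MIME parts whose final extension is executable.

    Only the last extension counts, so "photos.zip.scr" is caught; names are
    lower-cased because Windows ignores case.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or "." not in name:
            continue
        if name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def forged_own_domain(raw: bytes, own_domain: str) -> bool:
    """True when the From: header claims our own domain.

    Intended for mail arriving on the public MX from outside, where a sender in
    our own domain can only be a forgery; an SPF check would reach the same
    verdict by a different route.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower() == own_domain.lower()


def verdict(raw: bytes, own_domain: str) -> str:
    """'reject' (at the MX) for a forged sender, 'blackhole' for executables, else 'deliver'."""
    if forged_own_domain(raw, own_domain):
        return "reject"
    if executable_attachments(raw):
        return "blackhole"
    return "deliver"


def build_sample(sender: str, attachment_name: Optional[str]) -> bytes:
    """Construct a test message (constructed sample; the 'program' is junk bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please see the attached document.")
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 not really a program",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, name in [("friend@example.net", None),
                         ("friend@example.net", "photos.zip.scr"),
                         ("boss@example.com", "report.doc")]:
        print(f"{sender:22} {name or '-':16} -> {verdict(build_sample(sender, name), 'example.com')}")
```

The extension check looks at the part's declared filename only; a filter that also sniffs the first bytes of the part for the "MZ" header catches attachments whose name was chosen to dodge the list.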


Libranet redistribution (was: InstallFest)

2004-07-07 Thread bscott
On Wed, 7 Jul 2004, at 10:59am, [EMAIL PROTECTED] wrote:
>> Fantastic news: we're having an Installfest, hosted by Bruce Dawson at
>> Miles Smith Farm. Anyone is welcome to come - you can get your machine
>> installed with a high quality Free operating system...
> 
> Hmm.  Sounds like Libranet. 

  Since you're a Libranet fan, Bill, maybe you can point me at some
authoritative information.  Exactly what terms is Libranet distributed under?  
I'm not trolling, believe it or not; this is actually relevant to me.  One
thing I try to do is keep a local library of Linux distros so I can burn
copies on request.  However, not every distro allows that.  Examples are SuSE
Linux Pro and Red Hat Enterprise Linux.  What's the story with Libranet?  
I'm after a particular website or file I can verify; word-of-mouth or
assumptions are not a grant of license.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: FTP Download issues (was: Destination show up twice in traceroute)

2004-07-05 Thread bscott
> Speaking of NAT issues, I've got one which is driving me nuts.
> 
> Simple FTP downloads are failing to complete on my Linux box which is
> behind a firewall/NAT setup on a Linksys router.
>
> I have 6 or 7 computers behind the firewall, all sharing the same IP on
> the cable modem (Comcast).

  General fault isolation:

  Does the same problem happen on all hosts behind the LinkSys?

  Does the problem happen if you place a system outside the LinkSys,
directly on the cable feed?  (Be sure to take appropriate precautions (like
a host-based firewall) when you test this.)

> What happens is that the download dies part way through the download and
> just hangs. It always seem to hang at the same percentage, though the
> actual percent download varies from file to file.  ... In fact, typically
> I will download something to that remote server, then scp it in to my home
> workstation.

  What you describe sounds suspiciously like a data-dependent line problem.  
I've seen this kind of thing twice in about fifteen years.  It occurs when
there is some problem in a data line that is only triggered by a particular
bit pattern.  So you can pump data through it all day long and never have a
problem, but try to send a few dozen bytes of a particular pattern and it
gets scrambled.

  The reason I suspect this kind of problem is that you say it always
happens at the same point in the same files.  That would indicate something
at that point in the file is triggering the problem.  You also say that SCP
works.  Since SCP encrypts the payload, the lines don't "see" the pattern
that causes the problem.

  Most recently, this happened to me a couple of years ago at a client.  
They had an Internet feed that would drop packets if you tried to send a
packet filled with bit pattern

1001100110011001100110011001

(which corresponded to the capital letter 'A' in ASCII, repeated over and
over again).  It took forever to track down.

  To see if you are having the same problem, you need to use a packet
sniffer.  Start sniffing on the sending host, and then start your transfer.  
Wait until the sender stops getting ACKs back from the receiver.  Find the
first packet being sent that was *not* successfully ACK'ed, and look for a
data pattern.

  If you think you've found it, use the "ping" command, with the "-p" and 
"-s" switches to test.  For example, I used

ping -s 300 -p 41 remote-host.example.net

to send packets padded with 300 bytes of 0x41 (41 hex = 65 decimal =
'A' ASCII) to a remote host.

  Good luck getting this fixed on a consumer feed.  I had to provide
byte-level packet dumps and scream bloody murder and threaten to cancel the
feed, and even then the ISP only grudgingly looked into it.  And this on a
frame-relay line with a 4-hour response time in the contract.  You'll
probably need a signed note from God before Comcast does anything about it.

> Someone somewhere suggested the Linksys router might be suspect ...

  Well, I would certainly suggest testing that.  The problem could just as
easily lie in your equipment.  So make sure you've tried different
*everything* (routers, computers, cables, operating systems, brands of
network card, etc.) before you go blaming the ISP.  But the Principle of
Maximum Aggravation says that it will most likely be the ISP.

  Hope this helps,

-- 
Ben Scott <[EMAIL PROTECTED]>
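
The sniffer procedure above (find the first segment that never got ACKed, look for a pattern in it, replay the pattern with ping -p), as an added example that is not part of the original post. The capture is a constructed list of sent segments and returned cumulative ACKs standing in for what a sniffer would show; the stalled segment carries a run of 0x41 so it matches the story. That ping -p takes up to 16 hex pad bytes and repeats them to fill the -s size is the behaviour of iputils ping(8); the host name is the one used above.

```python
"""Locate the first unacknowledged TCP segment and turn its byte pattern into a ping probe.

Added example, not from the original post.  The capture below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def first_unacked(segments: List[Segment], acks: List[int]) -> Optional[Segment]:
    """Return the earliest segment not fully covered by the highest cumulative ACK seen."""
    highest_ack = max(acks, default=0)
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) > highest_ack:
            return seg
    return None


def longest_run(data: bytes) -> Tuple[int, int, int]:
    """Return (byte_value, run_length, offset) of the longest run of a single byte value."""
    best = (0, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best


def ping_probe(host: str, data: bytes, max_pad: int = 16) -> List[str]:
    """Build the ping command that replays the suspect pattern at the same packet size.

    ping -p accepts at most 16 pad bytes (hex) and repeats them to fill -s,
    so a pure run such as 300 x 0x41 collapses to "-p 41"; with no long run
    the first max_pad bytes of the payload are replayed instead.
    """
    byte, length, _ = longest_run(data)
    pad = f"{byte:02x}" if length >= 8 else data[:max_pad].hex()
    return ["ping", "-c", "5", "-s", str(len(data)), "-p", pad, host]


def analyse(segments: List[Segment], acks: List[int], host: str) -> Optional[List[str]]:
    """Full procedure: stalled segment -> pattern -> ping command (None if nothing is stalled)."""
    seg = first_unacked(segments, acks)
    return None if seg is None else ping_probe(host, seg.payload)


def constructed_capture() -> Tuple[List[Segment], List[int]]:
    """Constructed capture: four 300-byte segments, the receiver ACKed only the first two."""
    segments = [
        Segment(1, b"\x00\x10\x20" * 100),
        Segment(301, bytes(range(256)) + b"x" * 44),
        Segment(601, b"A" * 300),        # the stall: 0x41 repeated, never ACKed
        Segment(901, b"tail" * 75),
    ]
    acks = [1, 301, 601]
    return segments, acks


if __name__ == "__main__":
    segs, acks = constructed_capture()
    print(" ".join(analyse(segs, acks, "remote-host.example.net")))
```

A real capture also needs retransmissions collapsed (the same seq sent several times is one stalled segment) and the ACKs taken from the reverse direction only; both are omitted here to keep the core logic visible.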


Re: Destination show up twice in traceroute

2004-06-30 Thread bscott
On Wed, 30 Jun 2004, at 8:21pm, [EMAIL PROTECTED] wrote:
> This isn't really a Linux question but with all the networking experts on
> the list, I figured this is as good a place to ask as any.

  To understand what you are seeing, one will have to know how IP and
traceroute work.

  Every IP packet has a TTL (Time To Live) field.  The TTL normally starts
out at some reasonably high value, and gets decreased as it travels the
network.  In theory, TTL is decreased on a "cost" or "time" basis. In
practice, most routers just decrement TTL by one no matter what.  If TTL
hits zero, the packet is assumed to have been "in transit" for too long, and
dropped.  Among other things, this keeps a routing loop from spinning
packets forever.  When a router encounters a packet with a TTL of zero, it
normally sends a "Time Exceeded" ICMP Message to the system listed in the
source address of the packet.

  The "traceroute" utility (TR for short) works by crafting special packets
with artificially low TTL values.  TR starts out by sending packets with a
TTL of one.  Thus, the first router that gets the packet expires it.  TR
gets the "Time Exceeded" Message, and reports that as the first hop.  TR
then sends a packet with a TTL of two.  It makes it past the first router,
which decreases TTL to one.  The next router then expires the packet, and
sends back the ICMP Message, which TR reports as the second hop.  And so on.

  Eventually, the packet hits the destination system with a non-zero TTL.  
Traceroute needs some way to know that, too.  Traditional traceroute sends
UDP packets to port 33434, on the assumption that that port will be unused.
When the destination host gets a packet for an idle port, it should send an
ICMP "Port Unreachable" Message back to the sender, which TR uses to know it
has found the destination.  Some implementations (notably Microsoft's
TRACERT.EXE) use ICMP "Echo Request" packets instead of UDP, and watch for
the ICMP "Echo Response" packet.

  Now, back to your problems.

> I'm wondering why a machine at work shows up twice on the traceroute
> output (see below) when I do the trace route from home.

  Well, in your output, 134.241.121.88 shows up as the final destination, as
well as the "gateway" before the last hop.  That would indicate that TR
received a "Time Exceeded" when it sent packets with a TTL of 11, and a
"Port Unreachable" with a TTL of 12.  As for why *that* is happening, there
are multiple possibilities.

  One possibility is a buggy IP stack on the destination host, that checks
for TTL = 1 rather than TTL = 0.  I would expect to see the same behavior
for LAN traffic, then, though.  Another is that the last-hop router has a
bug which forwards TTL = 0 packets, causing them to reach the destination
host with TTL = 0.  I could also imagine some brain-damaged NAT
implementation or firewall somewhere causing trouble.

  If you really want to know, put a sniffer between the host you are running
traceroute on and its router.  (Be warned that this could be considered a
"security attack" in some organizations.)

> Could it be that 134.241.121.88 is set up as to route packets and is 
> routing to itself?

  All IP hosts route packets to themselves.  Some just also forward packets
that are not to themselves.  So that should not matter.  (I do say "should".  
There are a great many subtle bugs in a great many IP stacks.)

> On a side note, two routers that I might expect to be there, don't show up
> at all. One is the external interface for my 10.* network at home and the
> other is the main router for my site at work. As you can see, I don't even
> get a * * * for either of them.

  When a router has to send an ICMP Message in response to a packet that
cannot be forwarded (such as for "Time Exceeded"), it has to pick an IP
interface (address) to originate the ICMP message from.  This will typically
be the interface that is closest to the destination (the host which sent the
original packet).

  So you will not see your router's *external* interface;  you will see the
internal one (which is closer, and thus the router will originate the ICMP
from there).

  I imagine your router at work falls into this category, too.

  In the general case, this means that running traceroute from A to B and
then from B to A will generally yield different IP addresses for each hop.  
For that matter, there is nothing that says the path a packet travels will
be the same each time, or each way.  IP routing is a stateless operation.

-- 
Ben Scott <[EMAIL PROTECTED]>
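
The TTL mechanics and the two bug hypotheses explained above, as an added example that is not part of the original post: a toy model of a few routers in front of the destination 134.241.121.88 from the thread, with a switch for each bug, so you can see which one makes the destination show up twice and why the home router's external interface never appears. The router addresses are RFC 5737 documentation addresses chosen for the example.

```python
"""Simulate traceroute's TTL probing over a modelled path, with optional stack bugs.

Added example, not from the original post.  Router addresses are made up
(RFC 5737 documentation ranges); 134.241.121.88 is the destination from the thread.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_TTL = 30


@dataclass
class Router:
    inner: str                       # interface facing the prober: ICMP replies originate here
    outer: str                       # interface facing the destination: never reported back
    forwards_expired: bool = False   # bug: forwards a packet whose TTL has reached zero


@dataclass
class Host:
    addr: str
    expires_at: int = 0              # a correct stack expires at TTL 0; a buggy one might use 1


def send_probe(path: List[Router], dest: Host, ttl: int) -> Tuple[str, str]:
    """Deliver one UDP probe with the given TTL; return (icmp_type, icmp_source_address)."""
    for router in path:
        ttl -= 1                                   # every hop decrements by one
        if ttl <= 0 and not router.forwards_expired:
            return ("time-exceeded", router.inner)  # reply comes from the interface nearest us
    if ttl <= dest.expires_at:                     # arrived, but the host treats it as expired
        return ("time-exceeded", dest.addr)
    return ("port-unreachable", dest.addr)         # nothing listens on the probe port: done


def traceroute(path: List[Router], dest: Host) -> List[Tuple[int, str, str]]:
    """Probe with TTL 1, 2, 3, ... until a Port Unreachable comes back."""
    hops = []
    for ttl in range(1, MAX_TTL + 1):
        kind, source = send_probe(path, dest, ttl)
        hops.append((ttl, source, kind))
        if kind == "port-unreachable":
            break
    return hops


def duplicated_destination(hops: List[Tuple[int, str, str]], dest: Host) -> bool:
    """True when the destination address is reported for more than one hop."""
    return sum(1 for _, src, _ in hops if src == dest.addr) > 1


def build_path(last_router_forwards_expired: bool = False) -> List[Router]:
    return [
        Router("10.0.0.1", "203.0.113.7"),        # home NAT box: only 10.0.0.1 is ever seen
        Router("198.51.100.1", "198.51.100.2"),   # ISP
        Router("192.0.2.1", "192.0.2.2", forwards_expired=last_router_forwards_expired),  # work
    ]


if __name__ == "__main__":
    dest = Host("134.241.121.88")
    for label, path, host in [
        ("healthy path", build_path(), dest),
        ("destination expires at TTL 1", build_path(), Host(dest.addr, expires_at=1)),
        ("last router forwards TTL 0", build_path(True), dest),
    ]:
        print(label)
        for ttl, src, kind in traceroute(path, host):
            print(f"  {ttl:2d}  {src:16} {kind}")
```

Both bugs produce the destination twice, but they differ in what vanishes: the buggy host leaves every router visible, while the router that forwards expired packets disappears from the listing itself, which is one way to tell the two apart without a sniffer.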


Re: Announcements (was: GNHLUG Nashua meeting)

2004-06-23 Thread bscott
On Wed, 23 Jun 2004, at 8:21am, [EMAIL PROTECTED] wrote:
> I suggest that, when we secure a speaker, we make an immediate
> announcement.

  Oops, sorry, this was supposed to go to  and not
.  I must have removed the wrong header when I hit "Reply".  
My mistake.  Sorry for the noise.

-- 
Ben Scott <[EMAIL PROTECTED]>


Announcements (was: GNHLUG Nashua meeting)

2004-06-23 Thread bscott
On Tue, 22 Jun 2004, at 5:27pm, [EMAIL PROTECTED] wrote:
> Sorry about the late announcement, I had the speaker some time ago ...

  I suggest that, when we secure a speaker, we make an immediate
announcement.  Even if we don't know the exact *date*.  This way, there is
nothing to remember -- get speaker, make announcement.  Stateless operation.  
Make the information available as it comes in.

  I don't have general easy answers to our organizational issues (and, as
always, I include myself in the list of people guilty of not being
organized), but I think this particular idea should be easy to do.

  Comments?

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: GNHLUG Nashua meeting, Tomorrow, June 22nd at Marthas

2004-06-23 Thread bscott
On Tue, 22 Jun 2004, at 3:12pm, [EMAIL PROTECTED] wrote:
> Either way these last minute announcements make it difficult for those
> with busy lives to plan for and attend a distant meeting which is of
> interest as this one definitely is.

  Me too!

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: SCSI Tape drive question

2004-06-17 Thread bscott
On Thu, 17 Jun 2004, at 7:19am, [EMAIL PROTECTED] wrote:
> I've set up a SCSI tape drive on a system.  The drive is a SONY AIT
> *mumble mumble* on a symbios based card. 

  Oh, that's easy.  The answer is mumble mumble.

  Seriously, to help, we need information.  We're not psychic.  Model of
tape drive.  Model or chipset of SCSI host adapter (or at least the name of
the Linux driver).  Linux distribution and release.  Kernel version.  Come
on Cole, you know we need this.  :-)

  The contents of the "files" in the /proc/scsi/ directory branch are likely
to be of use in determining some of this information.

> I have to reboot the system to get rid of the mt process, and then power
> cycle the tape drive to make it work again.  If I don't power cycle the
> tape drive, all mt commands will just hang and not even respond to a kill
> -9.

  If you look at "ps aux", I'm sure you'll see the "mt" process has status
of 'D', which is short for "uninterruptible sleep".  That means the process
is sleeping on a kernel system call.  You can send the SIGKILL signal, but
the process will not receive it until the kernel call completes and the
process wakes up again.  The kernel system call in question is doubtless a
call to the SCSI device layer.

  The question is, what is the SCSI driver doing?  Have you checked syslog
and dmesg for any messages?

> By "locks up", I mean that the current mt command (seemingly always
> "erase") runs forever.

  The "erase" command typically takes a really long time to complete.  That
might indicate a problem with SCSI device disconnection.  That is when the
initiator sends a command to the target, and then the target "disconnects"
from the SCSI bus while the command completes.  This frees the SCSI bus for
other operations.  If I knew anything about your equipment, I might be able
to give further insight, but since all I know is that you have a tape drive,
I can only speak in generalities.

  BTW, why are you running erase, anyway?  It's typically not needed for
modern tape technologies (such as AIT).

> Any thoughts?

  Aside from giving us the vital information already requested: I would
recommend checking firmware revisions on the tape drive, host adapter, and
mainboard.  See if updates are available, and if so, install them.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Recommendations for VPN end point appliances?

2004-06-16 Thread bscott
On Tue, 15 Jun 2004, at 9:38am, [EMAIL PROTECTED] wrote:
> These will be the last Linksys VPN boxes I buy ... based on my experience
> trying to configure them.

  Yah, like I said, LinkSys is pretty horrible for VPN stuff.

  The thing that really worries me is: A VPN box that is doing things
incorrectly will appear to work just like a VPN box that is doing things
correctly.  Unless you actually try and crack it, you'll never know that it,
say, is using the same session key over and over again.  I would have to say
that I would not trust LinkSys to get a protocol suite as complex as IPsec
right.  It may be that all you're getting is a false sense of security.

> They may have solved some of their stability problems with the latest
> firmware ...

  The stability problems do not appear to manifest nearly as often if you
only have a couple of users.  Put 15 or 20 active users on the network,
though, and they start crashing on a depressingly regular basis.  Where I
work, we recommend against LinkSys for VPN stuff, but some people ignore our
warnings and buy them anyway, because they are cheap.  Everybody who has
done that has regretted it.  This is definitely a case of getting what you
pay for.

On 15 Jun 2004, at 11:14am, [EMAIL PROTECTED] wrote:
> Well, just to voice the other side, we've had a BEFSR81 at the house ...

  Totally different product, with a totally different implementation.  The
BEFSR81 actually has more capable firewall settings than the BEFSX41!  (The
BEFSX41 is limited to a total of four firewall rules.)

  Also, totally different usage.  You're just using it as a simple NAT box.  
You're not using it as a VPN endpoint.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: GNHLUG LBS logo

2004-06-14 Thread bscott
On Mon, 14 Jun 2004, at 7:57pm, [EMAIL PROTECTED] wrote:
> Just thought that I would point out that I discovered the GNHLUG Linux
> Business Show logo as part of a presentation out there.  ... It's from a
> Linux-conversion presentation from a Albany-based cardiology practice.

  Quick!  Get ahold of SCO's lawyers!  I'm sure we can sue them for...  
for... I dunno... something!  Copyright infringement.  Misrepresentation.
Communism.  Jaywalking.  Who cares?  Just sue 'em!  We demand a license and
royalty payments on all past, present, and future profits, for them, their
family members, their descendants, and their ancestors!  We demand
compensation for all the lack of unfair competition!  We demand that we have
something to demand!  We--(erk)

  [The persons responsible for this message have been sacked.  We apologize
for the inconvenience.]

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: 1U Personal colo

2004-06-14 Thread bscott
On 14 Jun 2004, at 2:43pm, [EMAIL PROTECTED] wrote:
> (Sorry if this is off-topic or ill-received).

  I, personally, find it very much on-topic, since I've been
(half-heartedly) looking for just such a service.  I know others here have
as well, too.  Perhaps we could get a GNHLUG group discount?  :)

> I am setting up a new program at my work ...

  Which is who and where?  :)

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Recommendations for VPN end point appliances?

2004-06-14 Thread bscott
On Mon, 14 Jun 2004, at 10:13am, [EMAIL PROTECTED] wrote:
> Public-key crypto in SNMP would probably be unwieldy, especially since
> SNMP is supposed to have a light footprint to make it easy to put into
> small embedded systems.

  That's not the point I was making.

> A lot of customers just want to flip the power on in these things and have
> things work

  Convenience is generally inversely proportional to security.

> Besides, in my experience, SNMPv3 is merely a "checkoff item" in the
> vast majority of deals.

  I find *most* things fall into that category.  When was the last time
you saw anyone use more than 10% of the features in MS-Word?  MS-Excel?

> I haven't seen much else that approaches SNMP's usefulness.

  I also never said SNMP was not useful.  Just that it does not concern
itself much with security.  (One could make the argument that security is
the job of the network layer (i.e., IPsec).  Consider it made.)

  :-)

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Recommendations for VPN end point appliances?

2004-06-14 Thread bscott
On Mon, 14 Jun 2004, at 9:32am, [EMAIL PROTECTED] wrote:
> He dropped one line that really annoyed me. He stated that Windows Server
> 2003 performed a new authentication protocol that would break most Samba
> network share setups.

  It's not new.  There has long been a feature in NT that supports "signing"  
of Server Message Blocks.  Samba doesn't support it.  You could also set a
system to require signing.  With Win2K3, that is on by default.  You can
make it optional again with a registry tweak.  You also need to do this if
you have Win9X/ME boxes in your network.  Ho-hum.

> I may be misremembering this because he was also describing the new
> Windows XP SP2 release which he described as "a total re-write".

  Yah, they totally rewrote the "1" to a "2".  ;-)

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Recommendations for VPN end point appliances?

2004-06-13 Thread bscott
On Sun, 13 Jun 2004, at 9:40pm, [EMAIL PROTECTED] wrote:
>> ... shared secrets went out in the 1980s ...
> 
> Maybe, but SNMP V3 still uses it..

  That's hardly an endorsement.  SNMP's approach to security issues has
generally been to ignore them.  (SNMP = Security?  Not my problem!)  The
fact that SNMPv3 has any security at all is a huge advance.  Now you want it
to be modern, too?

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Recommendations for VPN end point appliances?

2004-06-13 Thread bscott
On 13 Jun 2004, at 1:32pm, [EMAIL PROTECTED] wrote:
>> I've had someone recommend SnapGear to me ...
>
> If you're speaking of the ClearPath SNAP box...

  No, I'm speaking of SnapGear.  http://www.snapgear.com

  Hmmm... they appear to have been bought by CyberGuard.  Since I don't
really know anything about either company, the net change in my practical
knowledge is zero.  :-)

  Their products exist as something you can buy and touch, as one of our
customers got them as part of a larger package from another vendor.  They
appeared to work.  The advertised prices were very attractive.  That's as
much as I know.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Recommendations for VPN end point appliances?

2004-06-13 Thread bscott
On Fri, 11 Jun 2004, at 10:51pm, [EMAIL PROTECTED] wrote:
> ... does anyone have any recommendations for VPN end point appliances.

  Of all the appliances I've used, my favorite is NetScreen.  Outstanding
features and performance at a competitive price.  Gotta love that SSH CLI.

  SonicWall is okay.  They used to require a subscription just to use
certificates, but I believe that has changed.

  I've had someone recommend SnapGear to me; it is apparently a Linux-based 
appliance.  Haven't had a chance to actually look into it, though.

  For maximum flexibility, there is always the possibility of an SBC running
Linux out of flash.

> I ordered a pair of BEFSX41 LinkSys routers ...

  My experience with LinkSys VPN boxes is that they are flakey and have an
abysmal feature set.  They tend to need to be rebooted on a regular basis.  
No support for public key crypto (come on, shared secrets went out in the
1980s).  Their firewall/filtering settings are a joke.

  I frequently recommend LinkSys NAT boxes for SOHO use, but IMO, they just
don't cut it for VPN use.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: SCO Group stock plummets

2004-06-11 Thread bscott
On Thu, 10 Jun 2004, at 6:27pm, [EMAIL PROTECTED] wrote:
> I'm wondering if there's another gamble involved.  At today's
> closing price the total market cap for SCOX is $70.49M. 

  Let's wait a few more weeks, and we'll buy it with the change I have left
over from lunch...

-- 
Ben Scott <[EMAIL PROTECTED]>


Gigabit Ethernet cards?

2004-06-10 Thread bscott
Hello world!

  Anyone here have any practical opinions on good Gigabit Ethernet interface
cards?  Likewise, bad experiences, teaching things to avoid, are also
valuable.

  I'm especially interested in how well the card works with Linux.  
Performance, stability, and driver support. Ideally, I like finding a
full-featured, GPL driver in a mainline kernel.  Third-party Open Source
drivers are also okay.  Binary-only modules are unacceptable.

  The motherboard of the server in question has some free 64-bit, PCI ver
2.1 slots, so that, at least, is not an issue.  System is currently running
a recent 2.4.x kernel.  Upgrading to the latest 2.4.x is no problem.  I
would prefer not to have to go up to 2.6 just to get the driver to work, if
possible.

  We're in a situation where we are adding a card to an existing system.  
Up until now, all our work with gig has been with new stuff that shipped
with gig onboard, so the decision was largely made for us.  :)

  advTHANKSance

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Bittorrent Fedora Core 2 MD5 failures?

2004-05-20 Thread bscott
On Thu, 20 May 2004, at 3:34pm, [EMAIL PROTECTED] wrote:
>> Anyone got suggestions for an ISO repair kit? Or am I SOL?

  If the MD5 checksum does not match, it means the CD image you have does
not match the one that Red Hat/Fedora released.  This most likely means one
or more of the files on the CD is corrupt in some way.  There really isn't
any way to "repair" that.

  It would appear BitTorrent is not immune to the Slashdot effect after all.
I would wait until the flash crowd around the Fedora images dissipates a
bit, and then try downloading fresh images.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Need some help with a hacker exorcism....

2004-05-18 Thread bscott
On Mon, 17 May 2004, at 12:34pm, [EMAIL PROTECTED] wrote:
> I have been hacked ...

  Quick answer: Copy any important data/files off to another computer, then
wipe the hard disk(s) and reinstall everything from scratch.  It's the only
way to be sure the attacker hasn't subverted some part of the system.

-- 
Ben Scott <[EMAIL PROTECTED]>


SPF and spam (was: spam filters)

2004-05-17 Thread bscott
On Sun, 16 May 2004, at 5:41pm, [EMAIL PROTECTED] wrote:
> 2.  SPF.  This seems to be promoted as something we should really want -
> tightening the loose SMTP rules which permit spammers to pretend to be
> sending from arbitrary addresses (including yours).

  Background information (for the list): SPF = Sender Policy Framework.  
Quite simply, it lets a domain owner publish information on which hosts(s)
are allowed to send mail claiming to be from that domain.  For example,
Yahoo can specify that only their mail servers can originate mail claiming
to be from <@yahoo.com>.  Since most spam forges the "From" address, this
helps.

  SPF is a great idea.  However, it is important to understand what SPF will
do, and what it won't do.  In particular, it cannot stop spam.  At most, it
will make spam accountable.  And I rather doubt it will do even that much.

  The first problem is that, for SPF to be really effective at stopping
spam, everybody has to use it.  For everybody to use it, everybody will need
to have clue.  And if everybody had clue, we wouldn't have a spam problem in
the first place.

  The second problem is that, even if everybody starts using SPF, there is
nothing keeping spammers from registering throw-away domains by the
truckload.  In this world, people routinely get away with murder,
gun-running, drug smuggling, etc.  I'm sure registering some domain names
with fake credentials will not be a problem.

  That being said, SPF will help fight the spam problem.  Specifically, it
will let operators create a subsection of the Internet where the worst of
the spam (which is also the bulk of the spam) is prevented.  If everybody
you want to receive mail from is using SPF, SPF will solve spam for you.

  Alas, many cannot exclude those who are not using SPF.  In particular,
businesses tend to want to receive mail from all their paying customers,
even the clueless ones.

  There is also the problem of legitimate businesses sending you spam to try
and get you to buy a legitimate product.  For example, you register your new
cordless screwdriver with Black & Decker, so now Black & Decker starts
sending you advertisements for more power tools.  This, however, is less of
a problem.  Legitimate businesses can be made to play by the rules.

-- 
Ben Scott <[EMAIL PROTECTED]>
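To make the post above concrete, here is an added example (not code from the post or from any SPF implementation) of the check a receiving mail server performs: look up the domain's SPF record and decide whether the connecting IP is one the domain owner has authorized. The DNS zone data (`TXT`, `A`, `MX` dictionaries) and the domain names are constructed for the example; only the `ip4`, `a`, `mx`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data standing in for DNS (not real records).
TXT = {
    "example-mail.test": ["v=spf1 ip4:192.0.2.0/24 mx -all"],    # only its own servers
    "corp.test": ["v=spf1 a include:example-mail.test ~all"],    # outsources to example-mail
    "throwaway.test": ["v=spf1 +all"],                           # a "throw-away" domain
}
A = {
    "corp.test": ["198.51.100.10"],
    "mx1.example-mail.test": ["192.0.2.25"],
}
MX = {
    "example-mail.test": ["mx1.example-mail.test"],
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in TXT.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def _host_matches(ip, hostnames):
    return any(ip == ipaddress.ip_address(addr)
               for host in hostnames for addr in A.get(host, []))


def evaluate(ip, domain, depth=0):
    """SPF result for mail claiming to be from `domain` but sent by `ip`."""
    if depth > 10:          # guard against include: loops (RFC 7208 caps lookups)
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"       # domain does not use SPF: nothing can be concluded
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _host_matches(ip, [arg or domain])
        elif name == "mx":
            matched = _host_matches(ip, MX.get(arg or domain, []))
        elif name == "include":
            # The included domain's policy counts as a match only on "pass".
            matched = evaluate(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"               # mechanism this toy evaluator lacks
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # record exhausted without a match: RFC 7208 default


def check_sender(ip, mail_from):
    """Evaluate the domain part of an envelope sender address."""
    domain = mail_from.rpartition("@")[2].lower()
    return evaluate(ip, domain)


def trusted_sender(ip, mail_from, whitelist):
    """Honour a From-address whitelist only when SPF confirms the claim."""
    return mail_from.lower() in whitelist and check_sender(ip, mail_from) == "pass"


if __name__ == "__main__":
    # Forged mail "from" example-mail.test sent by a consumer-feed address.
    print(check_sender("203.0.113.77", "someone@example-mail.test"))   # fail
    # The same sender, but from a domain that lets anybody send: SPF cannot help.
    print(check_sender("203.0.113.77", "someone@throwaway.test"))      # pass
```

The `throwaway.test` and `no-record` cases are the two limits the post describes: a domain that publishes `+all` or no record at all yields nothing useful, so SPF only helps when the domains you care about publish strict records.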


Re: spam filters

2004-05-17 Thread bscott
On Sun, 16 May 2004, at 5:41pm, [EMAIL PROTECTED] wrote:
> OTOH, my honest answer is that only after I 'fessed up to myself that
> there's no free lunch have we been able to be in control of the spam mess.

  Indeed.  Spam-filtering is a great "one size does NOT fit all" case.  One
person's spam is another person's ham.  So anything that claims to be "set
it and forget it" is lying, pure and simple.

  A good anti-spam system, as you note, will incorporate continuous feedback
from the end-user.  By continuously training the anti-spam system as to what
is spam and what is not-spam, you can keep up with most of the tactics the
spammers use to try and bypass filters.  Continuous training means little
additional effort on a day-to-day basis, but keeps the anti-spam system
up-to-the-minute accurate with your email patterns.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: spam filters

2004-05-17 Thread bscott
On Fri, 14 May 2004, at 9:09pm, [EMAIL PROTECTED] wrote:
> I am looking for recommendations for spam filtering.

  As others have said, SpamAssassin is a very good foundation.  Even in the
untrained "factory install" configuration, I find it does a very good job.  
I just used the canned procmailrc rules linked to from the SA Wiki (see the
"Documentation" section of the SA web site).  I was already using procmail
extensively, which helped, but the canned rules are pretty self-explanatory
even so.

  Training SpamAssassin for better results is pretty easy in an environment
where people are familiar with *nix.  You train SA by giving it samples of
ham (not-spam mail) and spam mail.

  For the not-spam, I just ran it on my "saved mail" collections.  Since I
have well over ten-thousand saved messages, it had plenty of samples.

  For spam, it just meant that, rather than deleting spam, I moved it to an
"also-spam" mail folder.  Then I periodically run the SA learning program on
that folder.

  With regular training, SA does an absolutely fantastic job of separating
the wheat from the chaff -- or the ham from the spam, if you prefer.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 7:05pm, [EMAIL PROTECTED] wrote:
> I think what the problem that people have is what they think the internet
> is..

  Exactly.  And regardless of what people *think* it is, the situation is as
I described it.  You cannot connect to an intangible like the Internet.  
You can only connect to someone's equipment -- be it Comcast or MV
Communications.  This only matters if you're unhappy, of course.  But then,
if you were happy, we wouldn't be having this discussion.

  One usually does try to pick the best "somebody" available, of course.  
Given the choice between a national, mass-market, clueless provider like
Comcast, or a local, clueful, friendly ISP like MV, I'd take the local guy
every time.

> Luckily there are ISPs that understand this (MV is a great example)
> where they give you an IP and as long as you don't break the law and do
> other stupid stuff you're left alone.

  They're small enough to handle the spam problem on a case-by-case basis.  
Large ISPs have little choice but to resort to rather heavy-handed tactics.  
One more reason to choose the local guy.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 6:00pm, [EMAIL PROTECTED] wrote:
>> I do predict that spammers will adapt to this new authenticated email
>> world rather quickly.  Namely, they will modify their spam-cannon-laden
>> viruses ... 
> 
> That seems likely, but how much email is send from virus-attacked
> computers?

  All we can tell for sure is that quite a lot of spam currently comes
direct from consumer Internet feed address space.  Possible sources include:

  - People who manage to configure open relays or open proxies, either
through poorly designed software, or user incompetence.  These people
get relay-raped.

  - Spammers who buy Internet feeds, use them until they get caught, and
then fade back into the woodwork.

  - Users who unintentionally run spam-relay software.  These include
Trojan software (the game that also sends spam or whatever), "click me"
worms that depend on the user, and self-propagating software that 
attacks vulnerable software.

  - Users who intentionally run spam-relay software, because the spammers
claim (truthfully or not) they will pay the users for doing so.

> The SPF approach seems to have the goal on making DNS-based blacklists
> reasonable, not addressing the spam-from-a-virus problem.

  SPF prevents spammers from spoofing a domain that does not want to be
spoofed.  That has value by itself, as it means you can now whitelist on
selected "From" addresses reliably.  It is unlikely SPF will actually stop
spam.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 2:21pm, [EMAIL PROTECTED] wrote:
> I'm basically on the side of individual freedoms and don't like that port
> 25 egress filtering is being implemented by broadband vendors.

  Geeks (I include myself in this category) like to romanticize this idea of
the big, happy Internet, where all people are equal, censorship is treated
as damage, and so on.  I'm afraid that is a myth.  That mythical "Internet"  
does not exist, and never has.

  You can connect your equipment to somebody else's equipment.  That's it.  
If you're big enough, the "somebody else" might be a peer.  Most people just
pay for a link or two to companies that specialize in network connections.  
Regardless, you're connecting to *their* equipment, and they can run it
however they see fit.  If nobody is willing to give you connection on their
terms, you do not get connected.  It has always been this way.

  I find it helps to keep this in mind, when people start feeling their
"freedom" has been infringed because their ISP doesn't let them do
everything they want to.

> But as long as there are vendors that will give you an unfiltered
> connection (even for a larger fee), with fixed IPs, I'll be happy.

  Indeed.  Paying a higher fee for a higher class of service will always get
you better treatment.  Here, too, realize you're not just paying for IP
address space, you're paying for the promise of support.  Not just the guy
answering the phone when you have trouble, but support in the sense that
your ISP won't mess you up like this.

> I do predict that spammers will adapt to this new authenticated email
> world rather quickly.  [...] But we will still be in a better place when
> it comes to spam.  When enough clueless users get disconnected from their
> ISPs for spam propagation ...

  Heck, just the fact that it adds an audit trail to the message headers (so
I, as a mail abuse victim, can trace it back more easily) is worth it.  It
also means an ISP will be able to notice that Subscriber #53429 is sending
way more mail than is reasonable, and thus take action to cut off the spam
before as much spam gets sent.

> [Users] will either take more proactive measures to keep their systems
> clean of viruses, or put more pressure on their operating system vendors
> of choice to put security where it belongs: at a much higher priority than
> convenience.  Or both.

  Add to that: After Joe Luser has had his feed cut a few times, maybe he
will think twice before installing whatever random software he finds on the
net.

> Sadly, I'd suggest that we all get used to this up and coming
> authenticated email world.

  s/email//

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Comcast blocking port 25? (not what you think)

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 11:23am, [EMAIL PROTECTED] wrote:
>>   Mail abuse.  A great deal of spam and other mail abuse comes from
>> computers on consumer feeds that are incorrectly configured as a mail
>> relay (don't ask me how, but it happens more often than you would think),
>> or have been compromised by some kind of malware and are being used as
>> same.  At the same time, SMTP was designed to move mail between static,
>> well-connected systems.  Hosts on dynamic, consumer feeds do not meet
>> that definition.
> 
> My parents are not running any kind of server.

  You'll notice I never said they were.

  Comcast doesn't (and can't) know you're not using TCP port 25 for mail
abuse, though.  By forcing you to authenticate to their system, and pass
your mail through their system, though, they can monitor things, enforce
limits, add an audit trail to the headers, etc.

> That is exactly what they are trying to do, send the mail to my server so
> I can do the job of dealing with their mail.

  Then you should be using an MSA, not an MTA.  Or at least, that's what
conventional net.wisdom says.  Didn't you get the memo?  :)

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Comcast blocking port 25? (not what you think)

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 11:04am, [EMAIL PROTECTED] wrote:
> The solution is to add yet more and more entries into my mailertable file
> in sendmail.

  Why don't you just relay everything through your ISP?

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Comcast blocking port 25? (not what you think)

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 10:53am, [EMAIL PROTECTED] wrote:
>>> Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.
>>  
>>   Get used to it.  More and more ISPs are adding this.  And I cannot say I
>> entirely disagree with the policy.
> 
> Why?

  Mail abuse.  A great deal of spam and other mail abuse comes from
computers on consumer feeds that are incorrectly configured as a mail relay
(don't ask me how, but it happens more often than you would think), or have
been compromised by some kind of malware and are being used as same.  At the
same time, SMTP was designed to move mail between static, well-connected
systems.  Hosts on dynamic, consumer feeds do not meet that definition.  It
makes more sense for such hosts to submit mail to a smart host which can do
the job right.

  Of course, then you have to deal with the fact that a great many MUAs are
incapable of doing anything themselves, and need to be able to submit mail
to an SMTP-like listener.  That is why the concept of an MSA (Mail
Submission Agent) was created.  The idea is to separate mail submission from
mail exchange.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Comcast blocking port 25? (not what you think)

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 10:25am, [EMAIL PROTECTED] wrote:
> Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.

  Get used to it.  More and more ISPs are adding this.  And I cannot say I
entirely disagree with the policy.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Comcast blocking port 25? (not what you think)

2004-05-10 Thread bscott
On Mon, 10 May 2004, at 6:47am, [EMAIL PROTECTED] wrote:
> Recently my parents (that use Comcast) can no longer connect to port 25 of
> my server.. one that is legit, has correct reverse and MX records.
> 
> Has anybody else seen this?

  More and more ISPs are blocking port 25 outbound on consumer feeds to
fight spam.  I'm pretty sure that's what you're seeing.

  You have two options: (1) Configure their system to relay through
Comcast's SMTP relay when on Comcast's network, or (2) use an alternate
means of submission.

  An "alternate means of submission" might mean adding an additional SMTP
listener on a non-standard port; using an MSA (Mail Submission Agent); using
a tunnel of some kind (such as with SSH or IPsec).

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Large HD, old BIOS

2004-05-03 Thread bscott
On Mon, 3 May 2004, at 10:17am, [EMAIL PROTECTED] wrote:
> That's what I was wondering.  Not knowing much of anything about hardware,
> I didn't know if the linux distro's ability to see the whole drive would
> bypass the problem of the BIOS being able to see it.

  Well, remember, "Linux distro" means a whole lot of smaller parts.  The
Linux kernel might see the whole drive, but the boot loader might not.

  When the PC is first turned on, there is no OS IDE driver available.  The
only way to read the disk is by using INT13 (software interrupt 13 hex).  
The disk controller's BIOS has to provide an INT13 interface for the disks
it controls.  If you have an onboard disk controller, that BIOS is part of
the motherboard firmware.  If you have an add-in card, it has to provide a
BIOS for that card, or you cannot boot from it (i.e., you need to boot from
another device, and then load an OS driver -- this is common with cheaper
add-in SCSI cards).

  The system BIOS (also part of the motherboard firmware), after it has
finished all the other power-on tasks it is responsible for, will look for a
bootable device.  When it finds a hard disk with the right boot signature,
it loads the first block (the master boot record) and jumps into it.  The
MBR code now has control.

  With LILO, the MBR is the first-stage boot loader.  It is responsible for
finding the second-stage boot loader (/boot/boot.b by default) and loading
that.  It has to use INT13 to do so.  The second-stage loader is responsible
for presenting the boot menu (if any), and then loading the kernel and
initrd (if any).  All of these components use INT13 (with or without LBA
extensions).  Not until the kernel is booted does the BIOS leave the
picture.

> Hmmm, that's a thought.  Anybody know of a brand/model that plays well
> with linux?

  The $50 Belkin card I bought from CompUSA works with the kernel that comes
with Red Hat Linux 9.  I'd give you a model number, but I can't find the
card right now.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Large HD, old BIOS

2004-05-03 Thread bscott
On Mon, 3 May 2004, at 10:15am, [EMAIL PROTECTED] wrote:
> I dunno - what is LBA?  How do I find out if my drive "is LBA" or not?  

  LBA = Logical Block Addressing.

  The original IBM-PC BIOS (and MS-DOS) used C/H/S "physical block
addressing".  Each block (AKA sector) on the disk was addressed by cylinder
(track), head (side), and sector.  This is a really poor way to do things,
for any number of reasons.  The biggest was that each C/H/S field has a
fairly small number of bits allocated to it, and as drives got bigger, these
limits were reached.

  To work around C/H/S limits, the industry came up with "geometry
translation".  The BIOS (or sometimes, a small "drive overlay" program that
loaded before MS-DOS) would change the presentation of disk blocks around to
make use of space in other fields.  For example, it might present the drive
as having 255 heads to keep it under 64K sectors-per-track.

  Of course, geometry translation is ultimately a kludge.  It can be a real
problem if everything isn't on the same page when it comes to the
translation.  The thing you're likely to care about is that the Linux kernel
doesn't use the BIOS, so it has to guess as to what geometry translation
scheme the BIOS might be using.  If it guesses wrong, the disk becomes
scrambled between the two.

  The more intelligent way to solve this problem is LBA.  LBA just addresses
the entire disk as a linear series of blocks, numbered from 0 to
total-number-of-sectors.  Of course, not all software supported LBA.  In
particular, LILO lagged way behind Microsoft in implementing LBA, although
that has been fixed for some time now.

> How do I find out if my BIOS can handle it?

  Well, you could check the manual, or contact the manufacturer for support.  
You can also go poking around in the BIOS setup screen looking for an option
for "LBA" or "Large Disk Support".  This is sometimes a column in the basic
hard disk settings (where you type in C/H/S numbers).

-- 
Ben Scott <[EMAIL PROTECTED]>
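The C/H/S arithmetic from the post above, as an added example (not code from the post or from any boot loader): the mapping between a cylinder/head/sector triple and a linear block number, the capacity ceiling each addressing scheme imposes, and what happens when the BIOS and the kernel assume different translations. The two geometries are constructed for the example from typical figures (the 16383/16/63 ATA CHS ceiling and a 1024/255/63 "large disk" BIOS translation); the 137 billion bytes the thread mentions is what 2^28 sectors of 512 bytes come to.

```python
from dataclasses import dataclass

SECTOR_BYTES = 512


@dataclass(frozen=True)
class Geometry:
    """A C/H/S view of a disk: cylinders and heads count from 0, sectors from 1."""
    cylinders: int
    heads: int
    sectors: int  # sectors per track


# Constructed geometries for the example (not read from any real drive).
# The ATA CHS ceiling: 16383 cylinders, 16 heads, 63 sectors per track.
ATA_NATIVE = Geometry(cylinders=16383, heads=16, sectors=63)
# A "large disk" BIOS translation: 255 heads keeps the cylinder count under 1024,
# which is all the 10-bit INT13 cylinder field can hold.
BIOS_LARGE = Geometry(cylinders=1024, heads=255, sectors=63)


def chs_to_lba(geom, c, h, s):
    """Map a C/H/S triple to a linear block number under the given geometry."""
    if not (0 <= c < geom.cylinders and 0 <= h < geom.heads and 1 <= s <= geom.sectors):
        raise ValueError(f"({c},{h},{s}) lies outside {geom}")
    return (c * geom.heads + h) * geom.sectors + (s - 1)


def lba_to_chs(geom, lba):
    """Inverse of chs_to_lba; raises if the block lies beyond what the geometry can name."""
    s = lba % geom.sectors + 1
    track = lba // geom.sectors
    h = track % geom.heads
    c = track // geom.heads
    if c >= geom.cylinders:
        raise ValueError(f"block {lba} needs cylinder {c}, beyond {geom.cylinders}")
    return c, h, s


def capacity_bytes(geom):
    """Largest disk the C/H/S geometry can address."""
    return geom.cylinders * geom.heads * geom.sectors * SECTOR_BYTES


def lba_capacity_bytes(bits):
    """Largest disk a linear block number of the given bit width can address."""
    return (1 << bits) * SECTOR_BYTES


def retranslate(written_under, read_under, c, h, s):
    """Where a C/H/S address recorded under one geometry lands when read under another.

    This is the "everything isn't on the same page" failure from the post: the
    BIOS and the kernel reach the same physical block only if they agree on
    the translation, otherwise a partition boundary written by one is read
    from the wrong place by the other.
    """
    return lba_to_chs(read_under, chs_to_lba(written_under, c, h, s))


def same_block(geom_a, geom_b, c, h, s):
    """True only if both geometries map the triple to the same linear block."""
    return chs_to_lba(geom_a, c, h, s) == chs_to_lba(geom_b, c, h, s)


if __name__ == "__main__":
    print("255-head INT13 translation tops out at",
          capacity_bytes(BIOS_LARGE) / 1e9, "GB")        # about 8.4 GB
    print("28-bit LBA tops out at", lba_capacity_bytes(28) / 1e9, "GB")
    print("CHS (1,0,1) is block", chs_to_lba(BIOS_LARGE, 1, 0, 1),
          "to the BIOS but block", chs_to_lba(ATA_NATIVE, 1, 0, 1),
          "under the 16-head view")
```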


Re: Large HD, old BIOS

2004-05-03 Thread bscott
On Mon, 3 May 2004, at 9:08am, [EMAIL PROTECTED] wrote:
> With lilo, it seems to just hang.  I get LI  and then nothing.

  That means LILO loaded what it thought should be the second-stage boot
loader, but had a problem executing it (possibly because it loaded the wrong
thing).  This might mean a geometry mismatch between the kernel and the
BIOS.

  You can try installing the boot loader and kernel image on a floppy disk,
and booting from that.  That will typically bypass any issues with the BIOS
and the hard drive, and gives you a more useful debugging platform.

> With grub, I get various and sundry errors.  It claims to "be loading" and
> then it'll give me a (inconsistent) numeric error code.

  Inconsistent results often mean bad hardware.  You might try running
Memtest86 and/or "badblocks -w".  Note that running that badblocks command
will DESTROY ALL DATA on the disk.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Large HD, old BIOS

2004-05-03 Thread bscott
On Sun, 2 May 2004, at 9:24pm, [EMAIL PROTECTED] wrote:
> I bought a motherboard, cpu and memory off a friend (P3 based).  When I
> got the system put together, the BIOS (which I did flash to the latest
> version) only seems to recognize it as a 8.5 GB drive.  However, even
> though the BIOS only sees it as such, several of the distributions I've
> tried see that it is indeed a 200GB drive.

  There are several places you can encounter limits: The disk controller
itself, the system BIOS, and the OS.  Multiple limits can pile up.

  The reasons for these limits are usually fairly arbitrary.  For example,
you can hit all sorts of things which just assume drives will never have
more than X of one thing or another (sectors per track, cylinders per head,
heads, total sectors, total bytes, etc., etc.).  These can often be fixed
via a simple update or patch, be it to firmware or software.  Of course,
there is no guarantee that a given vendor will bother to release an update.  
It may be that your motherboard's vendor has EOL'ed the product and you're
stuck with a semi-broken BIOS.

  There is another limit one should be aware of, though, that is rather
harder to get around.  The original spec for ATA says that LBA (Logical
Block Addressing) uses a 22-bit field.  That works out to 128 GB (128 * 2^30
= approx 137 billion bytes).  Drives bigger than that use an extension for
44-bit LBA.  Patching for 44-bit LBA is generally a lot harder -- impossible
if it's a hardware limit in a disk controller.

  I can also envision the following scenario: The kernel talks to the IDE
device and gets a capacity report of 200 GB; however, the disk controller is
incapable of actually handling transfer requests for blocks above 128 GB.  
Just because the kernel thinks it can see the whole disk doesn't mean it can
access the whole disk.  I do not know enough about IDE internals to know if
this scenario can actually happen, but if it can, it would certainly add to
the confusion.  You could test this by running "badblocks" on the disk in
question.

  As far as the BIOS vs Linux thing goes: The Linux kernel almost completely
ignores the BIOS.  For example, if you set the BIOS HD type to "None", Linux
will still find it (assuming you can get the kernel booted).

  The boot loader is the only place where the BIOS really matters.  The BIOS
has to find and load the boot record.  The code in the boot record has to
load any additional boot loader code, and that has to find, load, and boot
the kernel and initrd (if any).  All that has to be done using the BIOS.  
So a BIOS problem can easily kill the boot loader.

  You can often work around BIOS limits by putting the boot loader within
the part of the disk that the BIOS can access.  This typically means
creating a small (10 MB or so) /boot partition at the start of the disk.  
However, one can also run into problems where the disk that the Linux kernel
sees is not the same disk the BIOS sees -- geometry translation is not
always consistent.

  Also, check the jumpers on the hard disk.  Some HDs can be set to lie
about their capacity, in order to work around BIOSes which lock up when
presented with disks beyond certain limits.

  If you have one, you can try an add-in PCI IDE controller card, which will
bypass mainboard controller and BIOS problems.  You can purchase such
controllers for less than $50.

> Despite this however, I can't seem to get the boot loader to cooperate.

  Information, please.  Which boot loader, and what version?  What behavior
do you see?  What error message(s), if any, and when?  What distro and
release?  What kernel version?

-- 
Ben Scott <[EMAIL PROTECTED]>

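An added worked example (not from the post above): the standard INT 13h CHS
and ATA LBA address widths, and what a drive looks like when reported through
each of them.  The 200 GB drive size is constructed to match the thread; the
limit values are standard BIOS/ATA figures, not from the original message.

```python
# Added example: which addressing limit a drive runs into, and what size a
# capped BIOS or controller would report for it.  Limit values are the
# standard INT 13h geometry and ATA LBA field widths; the sample drive
# size is constructed.
SECTOR = 512  # bytes per sector on classic ATA drives


def chs_capacity(cylinders, heads, sectors):
    """Bytes addressable by a cylinder/head/sector geometry."""
    return cylinders * heads * sectors * SECTOR


def lba_capacity(bits):
    """Bytes addressable by an LBA field of the given width."""
    return (1 << bits) * SECTOR


# INT 13h allows 1024 cylinders, 256 heads and 63 sectors; ATA LBA started
# as a 28-bit field and was widened to 48 bits later.
LIMITS = [
    ("BIOS INT 13h CHS", chs_capacity(1024, 256, 63)),
    ("ATA 28-bit LBA", lba_capacity(28)),
    ("ATA 48-bit LBA", lba_capacity(48)),
]


def limits_exceeded(drive_bytes):
    """Names of the limits a drive of this size lies beyond."""
    return [name for name, cap in LIMITS if drive_bytes > cap]


def bios_reported_bytes(drive_bytes, heads=256, sectors=63, max_cyl=1024):
    """Size a CHS-only BIOS reports: cylinders are truncated at max_cyl."""
    cylinders = (drive_bytes // SECTOR) // (heads * sectors)
    return chs_capacity(min(cylinders, max_cyl), heads, sectors)


def lba_reported_bytes(drive_bytes, bits):
    """Size a controller with a bits-wide LBA field can address."""
    return min(drive_bytes // SECTOR, 1 << bits) * SECTOR


if __name__ == "__main__":
    drive = 200_000_000_000  # constructed: a "200 GB" drive (decimal GB)
    print("exceeds:", limits_exceeded(drive))
    print("CHS BIOS sees:  %.1f GB" % (bios_reported_bytes(drive) / 1e9))
    print("28-bit LBA sees: %.1f GB" % (lba_reported_bytes(drive, 28) / 1e9))
```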

Re: FOSS group in education

2004-04-28 Thread bscott
On 28 Apr 2004, at 9:03am, [EMAIL PROTECTED] wrote:
> I think they mostly need volunteers (and more interest) at this point.

  Where have I heard that before?  ;-)

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: 1U servers..

2004-04-27 Thread bscott
On Tue, 27 Apr 2004, at 12:02pm, [EMAIL PROTECTED] wrote:
> That alone would make me say no thanks to buying it.

  Most 1U systems tend to have some kind of funkiness to them.  That's the
price you pay for stuffing hardware into such a small form-factor.  In
particular, the CD/FDD are very often non-standard.  The only exceptions to
this that I've seen are when someone takes a generic motherboard and just
stuffs it into a generic 1U case, which generally yields a pretty poor
feature set, plus a tendency for thermal problems.

  That being said, Compaq (which is where the design for the "HP" Proliant
in question came from) is notorious for gratuitous incompatibilities. So it
may not be as bad with other systems.  But in general, expect some
funkiness, or don't buy a 1U.

  FWIW, Dell makes some decent 1U servers.  One of them "starts" at $600,
although that's after rebates and before shipping and taxes.  That does
include 3-year on-site NBD warranty service, though.

  One word of warning: Dell sometimes uses hardware which is only supported
by binary-only drivers on Linux.  That's generally not an issue if you're
running one of the two big commercial distros (SuSE or Red Hat), but it can
be a real problem if you're not.  Of course, Dell is hardly alone in this.

  In general (in life, not just with computers), the more you ask, the
higher the price.  So you have to decide where on the price/convenience
graph you want to be.

-- 
Ben Scott <[EMAIL PROTECTED]>


Cyrus/sieve/etc (was: Stop the maddness!)

2004-04-27 Thread bscott
On Tue, 27 Apr 2004, at 3:11am, [EMAIL PROTECTED] wrote:
> I'd be perfectly happy to expound on my cyrus-imapd / sieve / sendmail /
> mysql (or postgresql) / SMTP AUTH solution complete with virtual hosting
> if anyone's interested :-).

  Well, I'm definitely interested.  Would you be foolish^Wbrave^Wnice enough
to volunteer to give a presentation at one of the local meetings?  Or would
you prefer just to stick to this list?  Either one is cool with me.

-- 
Ben Scott <[EMAIL PROTECTED]>


Re: Policy routing and Linux

2004-04-26 Thread bscott
On Mon, 26 Apr 2004, at 7:27pm, [EMAIL PROTECTED] wrote:
> ... the commands I type don't seem to work.  The system accepts them, and
> appears to make changes to the routing tables, but the packets still end
> up going out the wrong interface.

  Turns out that is not entirely true.  I was testing my routing
configuration by using a NetFilter DNAT (port forwarding) rule.  That
appears to be where things are not working.  My policy routing configuration
works just fine if I connect to a service running on the firewall itself.  
Our firewall normally doesn't run any publicly exposed services, for
security reasons.  So I temporarily added the "echo" service, and found it
worked as desired.

  So it appears that NetFilter DNAT and iproute2 policy routing are not
working together.  Looking at a diagram of kernel routing internals, I begin
to suspect why.  I think NetFilter is not reversing the DNAT translation on
the outbound until the packet has already traversed the kernel router, so
the routing policy database thinks the packet is coming from the LAN, and
thus does not apply the right policy rule.

  Solving this problem will have to wait until another day.  If anyone
knows the answer already, your assistance will be welcomed.

-- 
Ben Scott <[EMAIL PROTECTED]>


