Re: ACPI so close I can almost taste it...
It works fine in pciide when I don't run Xorg on R400. I think the intel driver doesn't want to resume, I will see if I can obtain more information.
crypt question/server hotel
I want to put my server in a server hotel. But: I don't trust my server hotel owner. What can I do? I can crypt my partitions/HDDs that contain the data. Ok. But: then my operating system will not be encrypted. Not Ok. If I crypt my operating system too, then when a reboot comes, I have to type a password to decrypt. But my server will be at a server hotel, where I can't directly use a keyboard [no service cpu]. What can I do [on the technical side] to ensure a little more security for my server [e.g.: crypt my partition/slice/whatever that has the operating system, but without the type-password problem]? Thank you for any tips/help.
Re: 4k sector disks
On Thu, 8 Apr 2010 17:40:17 +1000 David Gwynne l...@animata.net wrote:

> ola,
>
> ive recently made a start on better supporting disks in openbsd that present 512 byte logical sectors, but actually use 4096 byte physical sectors on the platter. the best examples of these are the western digital advanced format SATA drives which have been mentioned on misc@ before. it was noted at the time that performance on these disks is much better if you can align your partitions and filesystems onto the 4k boundaries the physical sectors are on.
>
> the process of being able to better use 4k physical sectors relies on changes at many layers of the kernel and in the partitioning and filesystem utilities, beginning with fetching the details off the hardware, and then propagating it up the storage stack into the disk and block layers, and then out to userland to make smart decisions with.
>
> the tragedy of this situation is that i cannot find a disk that implements the parts of ATA specification that describe logical vs physical sector layouts. i have bought a couple of the WD advanced format drives, and some other people have bought me different models in the same family of drives, but none of them include the bits of the spec required to be useful. i dont know of any other manufacturers claiming to have disks with different sized logical and physical sectors, so this work has kinda stalled before it really began.
>
> however, as users we should know that the hardware has the 4k sector feature, so we should be able to configure machines to take advantage of it. i have talked to a few people who have tried to use these drives, but have had trouble setting them up as bootable disks. if you want to install onto one of these disks and line the / filesystem up on a 4k boundary, the trick is to modify the start of the openbsd partition (not slice) in fdisk (not disklabel) so it begins on sector 64, not sector 63.
>
> lining the rest of the partitions up in disklabel is then an easy exercise left up to the reader. if you line the partition up properly then things will Just Work(tm).
>
> there are western digital drives that do implement the correct parts of the ATA spec, i just dont know how to get hold of them. it appears that drives with models beginning with WD??EARS-00Z have the spec implemented, but drives with -00Y or before in their model name dont. all the local sellers only have -00Y revisions of these drives :(
>
> dlg

A pair of WD15EARS-00Z5B1 (Rev: 80.00A80, Jan 31 2010) disks were found here in the Silicon Valley and a patch from dlg@ is being tested to determine if they will meet his requirements (e.g. specific parts of the ATA spec are implemented).

You might want to note that the suggestion above from dlg@ about installing the root filesystem (the 'a' partition) at sector 64 rather than the default sector 63 was not necessary with these very new disks. At present, the reason why they just work is unknown, but it is possibly due to commits like:

http://marc.info/?l=openbsd-cvs&m=127044093310329&w=2
http://marc.info/?l=openbsd-cvs&m=127042894602052&w=2
http://marc.info/?l=openbsd-cvs&m=127027862308889&w=2

which have been made without having access to the needed hardware.

-jcr
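The sector 63 versus sector 64 point in the message above can be checked mechanically. This added example (not code from dlg@ or from OpenBSD) reads fdisk-style partition lines and reports which start sectors fall on a 4096-byte boundary and the next sector that would; the function names are this example's own, and the sd0 sample is constructed while the sd1 entry is the SD card table quoted further down this page.

```python
import re

LOGICAL = 512    # bytes per logical sector, as the drives in the thread report
PHYSICAL = 4096  # bytes per physical sector on the platter

# Constructed input in the layout of OpenBSD fdisk output: sd0 is a default
# install starting at sector 63; sd1 is the SD card entry quoted on this page.
SAMPLE_FDISK = """\
Disk: sd0       geometry: 1973/255/63 [31711232 Sectors]
 #: id      C   H   S -      C   H   S [       start:        size ]
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
*3: A6      0   1   1 -   1972 254  63 [          63:    31696182 ] OpenBSD
Disk: sd1       geometry: 1973/255/63 [31711232 Sectors]
 #: id      C   H   S -      C   H   S [       start:        size ]
 0: 0C      0 130   3 -   1973 237  56 [        8192:    31703040 ] Win95 FAT32L
"""

DISK = re.compile(r"^Disk:\s+(\S+)")
ENTRY = re.compile(r"^\s*\*?(\d):\s+([0-9A-Fa-f]{2})\s.*\[\s*(\d+):\s*(\d+)\s*\]")


def check_alignment(fdisk_text, logical=LOGICAL, physical=PHYSICAL):
    """Return (disk, index, start, aligned, suggested_start) per used entry."""
    if physical % logical:
        raise ValueError("physical sector size must be a multiple of logical")
    per_phys = physical // logical  # 8 logical sectors per physical sector
    disk, report = None, []
    for line in fdisk_text.splitlines():
        d = DISK.match(line)
        if d:
            disk = d.group(1)
            continue
        e = ENTRY.match(line)
        if not e:
            continue  # header, separator or unrelated text
        index, _ptype, start, size = e.groups()
        start, size = int(start), int(size)
        if size == 0:
            continue  # unused slot
        # Round the start up to the next multiple of per_phys.
        suggested = -(-start // per_phys) * per_phys
        report.append((disk, int(index), start, start % per_phys == 0, suggested))
    return report


if __name__ == "__main__":
    for disk, index, start, ok, suggested in check_alignment(SAMPLE_FDISK):
        state = "aligned" if ok else f"NOT aligned, next boundary is sector {suggested}"
        print(f"{disk} partition {index}: start {start} is {state}")
```

Disklabel partitions inside the OpenBSD partition need the same check against their absolute offsets.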
Re: crypt question/server hotel
On Sat, 17 Apr 2010, Jozsi Vadkan wrote:
> I want to put my server in a server hotel. But: I don't trust my server hotel owner. What can I do?
> [snip]

Pick another one or DIY.

--
Antti Harri
Re: crypt question/server hotel
Jozsi Vadkan wrote:
> I want to put my server in a server hotel. But: I don't trust my server hotel owner. What can I do?

1) Even if you encrypt the whole disk and you have a remote console available (via serial port or KVM switch), you still will have to trust your provider that he doesn't sniff that traffic.

2) If you can't detect a reboot of your machine because the attacker has cleaned the logs etc., then anybody with physical access can own the machine. I'm not aware of any way to prevent this. (see also cold boot attack, or simply creating a disk image and doing a brute force attack against the image)

3) Your only chance might be to have a card in the machine (e.g. IBM RSA) that allows remote control. But the traffic to it will have to be encrypted (- 1) and it has to detect if it was temporarily removed from the machine during a physical attack, and even then it needs to report this back to you. I don't know if there is any card out there that can provide this level of protection...

If you are really paranoid and the hacker type, then I guess you can hide a mobile phone inside the case, connect it via USB and have it constantly report the status (power, light sensor, GPS etc.).

In the end it is as usual a question of cost vs benefit. If your machine is *that* valuable then you shouldn't put it in an untrusted environment in the first place.

In your case I guess you should encrypt your data and have the machine email you if it reboots. Then you can login via SSH and enter the crypto key and start the stage 2 applications that need the encrypted data. You will have to trust your provider that he doesn't do any physical attacks (e.g. replace OS files).

kind regards,
Robert
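The "have the machine email you if it reboots" suggestion above, seen from the other end, as an added example that is not code from the thread: a script on a machine you control records every successful poll together with the boot time the server reported, so the record does not depend on logs kept on the server. The `Sample` fields, the thresholds and the poll data are assumptions of this example, and the samples are constructed.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    seen_at: int    # monitor's own clock when the poll succeeded (epoch seconds)
    boot_time: int  # boot time the server reported in that poll (epoch seconds)


def review(samples, poll_interval=300, missed_polls=2, jitter=5):
    """Return (seen_at, kind, seconds) findings that need a human decision.

    kind "silence": no successful poll for `seconds`.
    kind "reboot":  reported boot time changed; `seconds` is the window between
                    the last poll of the old boot and the start of the new one,
                    the span in which the machine was not being observed.
    """
    findings = []
    prev = None
    for cur in samples:
        if prev is not None:
            silent = cur.seen_at - prev.seen_at
            if silent > poll_interval * missed_polls:
                findings.append((cur.seen_at, "silence", silent))
            # Small differences are clock adjustment, not a new boot.
            if abs(cur.boot_time - prev.boot_time) > jitter:
                window = max(0, cur.boot_time - prev.seen_at)
                findings.append((cur.seen_at, "reboot", window))
        prev = cur
    return findings


# Constructed poll history: steady polling, one reboot after a long silence,
# then a second, quick reboot between two regular polls.
SAMPLE_POLLS = [
    Sample(1271500000, 1271400000),
    Sample(1271500300, 1271400000),
    Sample(1271500600, 1271400001),  # 1 s drift in reported boot time: ignored
    Sample(1271502400, 1271501900),  # 1800 s without contact, new boot time
    Sample(1271502700, 1271501900),
    Sample(1271503000, 1271502950),  # new boot time again, no polls missed
]

if __name__ == "__main__":
    for seen_at, kind, seconds in review(SAMPLE_POLLS):
        print(f"{seen_at}: {kind} ({seconds}s)")
```

A reboot finding that arrives together with a long silence is the case to look at before logging in over SSH and entering the crypto key.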
Re: crypt question/server hotel
Robert wrote:
> Jozsi Vadkan wrote:
>> I want to put my server in a server hotel. But: I don't trust my server hotel owner. What can I do?
>
> 1) Even if you encrypt the whole disk and you have a remote console available (via serial port or KVM switch), you still will have to trust your provider that he doesn't sniff that traffic.
>
> 2) If you can't detect a reboot of your machine because the attacker has cleaned the logs etc., then anybody with physical access can own the machine. I'm not aware of any way to prevent this. (see also cold boot attack, or simply creating a disk image and doing a brute force attack against the image)
>
> 3) Your only chance might be to have a card in the machine (e.g. IBM RSA) that allows remote control. But the traffic to it will have to be encrypted (- 1) and it has to detect if it was temporarily removed from the machine during a physical attack, and even then it needs to report this back to you. I don't know if there is any card out there that can provide this level of protection...
>
> If you are really paranoid and the hacker type, then I guess you can hide a mobile phone inside the case, connect it via USB and have it constantly report the status (power, light sensor, GPS etc.).
>
> In the end it is as usual a question of cost vs benefit. If your machine is *that* valuable then you shouldn't put it in an untrusted environment in the first place.
>
> In your case I guess you should encrypt your data and have the machine email you if it reboots. Then you can login via SSH and enter the crypto key and start the stage 2 applications that need the encrypted data. You will have to trust your provider that he doesn't do any physical attacks (e.g. replace OS files).

++

solution: if the security of the machine and its data are of sufficient importance you cannot trust 3rd parties with it and must keep it somewhere you feel confident that it is physically secure.

even if you have the boot partition(s) fully encrypted there is nothing to stop someone from installing a fake boot prompt and yanking your passphrase. in most situations where the machine is running you also have to worry about someone freezing your RAM, powering the machine off and pulling your disk crypto keys directly from RAM. 'secure' memory for storing crypto keys is another option that is marginally better than RAM but requires hardware and software support.

how worried you should be about this depends on your threat model.

kind regards, Robert
Re: crypt question/server hotel
On Apr 17 11:49:36, Robert wrote:
> Jozsi Vadkan wrote:
>> I want to put my server in a server hotel.

Why?

>> But: I don't trust my server hotel owner.

Why?

>> What can I do?

Find one you trust.
Re: ACPI so close I can almost taste it...
Hello,

I am using the intel driver on a thinkpad x200s with a xorg.conf file. It was suspending and resuming very well until now. With 4.7 GENERIC.MP#509 i386 I have the problem that, when resuming, X does not wake up totally. I can see the applications open and I can move the mouse but nothing else. I cannot switch to a terminal (ctrl+alt+fX); the system is in general unresponsive.

I will try now to use X without xorg.conf (I changed a couple of things).

Thanks,
Pau

2010/4/17 Jean-Michel Bessot jmbes...@lacomte.net:
> It works fine in pciide when I don't run Xorg on R400. I think the intel driver doesn't want to resume, I will see if I can obtain more information.
Re: crypt question/server hotel
On 04/17/10 04:49, Jozsi Vadkan wrote:
> I want to put my server in a server hotel. But: I don't trust my server hotel owner. What can I do?

If someone has physical access to your box, there is nothing you can do, period. There are some really extraordinary (insane) things you can do to prevent it, but most of those solutions are only viable in lands where unicorns roam free.

This discussion has taken place before on this list (search the archives) and the answer to a truly secure machine involved it being placed in a 2km thick block of steel reinforced concrete at the bottom of an ocean.

I'm also pretty certain this has been asked on Slashdot (search their archives) and the simple answer involved an unmanaged server plan with a provider other than the untrusted one.

--
- RSM
www.erratic.ca
Re: ACPI so close I can almost taste it...
Build X from source and you'll have a fighting chance.

On Sat, Apr 17, 2010 at 08:14:09AM +0200, Jean-Michel Bessot wrote:
> It works fine in pciide when I don't run Xorg on R400. I think the intel driver doesn't want to resume, I will see if I can obtain more information.
Re: ACPI so close I can almost taste it...
Confirmed: When using X without the xorg.conf that I had adapted, it's suspending and resuming perfectly. These are the additional lines I had put in:

FontPath "/usr/local/lib/X11/fonts/mscorefonts/"
(...)
Option "NoAccel" "False"
Option "AccelMethod" "EXA"

Now it's working perfectly well. After resuming all is there: X, em0 up and running, usb, sound etc.

This is great! I had been waiting for a long time for this. I have some 9 desktops and some ~ 16 things open all the time: gv, plotting programmes, firefox, many vi editing files, etc. It was a pain to have to shutdown and boot again the laptop every time I had to go home etc.

Thanks a lot!
Pau

2010/4/17 Marco Peereboom sl...@peereboom.us:
> Build X from source and you'll have a fighting chance.
>
> On Sat, Apr 17, 2010 at 08:14:09AM +0200, Jean-Michel Bessot wrote:
>> It works fine in pciide when I don't run Xorg on R400. I think the intel driver doesn't want to resume, I will see if I can obtain more information.
Re: crypt question/server hotel
On 04/17/10 04:49, Jozsi Vadkan wrote:
> I want to put my server in a server hotel. But: I don't trust my server hotel owner. What can I do?

I wouldn't do business with anyone that I didn't trust. I don't trust very many people. So, what I did, was I:

1) ...signed up for a commercial DSL account and leased some static IP addresses from ATT (I trust them... sort of :) ),
2) Built myself a server rack, and several servers, mostly for spare parts: http://robertwittig.net/workshop.html
3) Installed OpenBSD, set up Apache, sendmail, and PF, so that I had secure, functioning web and mail services, and...
4) I really haven't had to do much care and maintenance on it, in the last four years or so. It just emails me my logs every morning, and takes care of business. It just keeps running, and running, and running...

--
-wittig
http://www.robertwittig.com/ http://robertwittig.net/ http://robertwittig.org/
can't mount msdos sd card (was: LG android phone mass storage mount problem)
hmm, on Sat, Apr 17, 2010 at 01:43:01AM +0100, Pedro la Peu said that
>> i am trying to mount the mass storage on my LG GW620 android phone.
>> ugen0 at uhub0 port 3 LG Electronics Inc. LG Mobile USB Modem rev 2.00/1.00 addr 2
>
> Your phone is not configured as OpenBSD needs.

for now, i am interested only in the umass component of the phone, so ugen is fine. i am not sure about the check condition errors:

probe(umass0:1:0): Check Condition (error 0) on opcode 0x0
probe(umass0:1:0): Check Condition (error 0) on opcode 0x0

but it seems like the umass part is working, i just can't mount the msdos file system on the microsd card in the phone. later i also tried putting that card from the phone into an sd adapter and the result was the same: could not mount the card. so it's not really a phone issue basically i think.

i also bought another card, and this one has no problem being mounted both through the phone and/or in the sd adaptor:

$ sudo fdisk sd1
Disk: sd1       geometry: 1973/255/63 [31711232 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0 130   3 -   1973 237  56 [        8192:    31703040 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

$ sudo disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Android Phone
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 1973
total sectors: 31711232
rpm: 3600
interleave: 1
boundstart: 0
boundend: 31711232
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  c:         31711232                0  unused
  i:         31703040             8192   MSDOS

the offset on this one is interesting as well, but gives the kernel no problems.

as more information is available so should some subjects change as well :]

any ideas what can i try with the other card? it's not really important i guess, i could always just format it, but perhaps it's a good corner case for msdos because the other OS' have no problem with it...

-f
--
you can never get rid of a bad temper by losing it.
Re: updating packages with ports binaries
On Mon, 12 Apr 2010 00:44:50 +0200 Marc Espie es...@nerim.net wrote:
> On Sun, Apr 11, 2010 at 12:26:41PM -0400, Arnaud Bergeron wrote:
>
> Normally, as long as you do not use -F something as an option to pkg_add, everything you do with it is safe. (caveat: sometimes there are major upgrades, like for postgresql that require extra actions, but those are when you change releases)
>
> Hopefully, we'll deal with this before 4.8 as well. I have a mechanism to recognize those and actually check with the user if everything is fine.

If you want to know about some of the improvements to pkg_* tools, Marc gave us some more details in the following article:

http://www.undeadly.org/cgi?action=article&sid=20100323141307

--
The OpenBSD Journal - http://www.undeadly.org
Re: 4.7 and AR5007
>> I've been having trouble with a 9285 in a low end Gateway laptop/netbook. I've been tracking snapshots and it always locks up the machine when I run 'ifconfig athn0 scan' after 5 seconds or so. Can not switch to another terminal and can not log in over the network (fast ethernet, re0, which does work fine) after it locks up. I have tried both amd64 and i386 and the issue is the same.
>>
>> Anything else I can do to help whoever might be interested in fixing it? Are snapshots new enough? I could send the laptop to a developer for a week or two if that would help, I'm in the US though. I could also just send the card to someone, it's useless in its current state anyhoo.
>>
>> Anyway, if anybody has any suggestions I would greatly appreciate them.
>>
>> Cheers,
>> noah
>
> Yes, please run ifconfig athn0 debug before you scan (from the console), and send me the output.
>
> Damien

I have the same laptop with the same issue and have been meaning to ask about it, but Noah beat me to it. I'd appreciate being kept in the loop about this. If there is anything I can do to help out, just let me know.

Corey