Re: ACPI so close I can almost taste it...

2010-04-17 Thread Jean-Michel Bessot
It works fine in pciide when I don't run Xorg on R400.

I think the intel driver don't want to resume, I will see if I can
obtain more information.



crypt question/server hotel

2010-04-17 Thread Jozsi Vadkan
I want to put my server in a server hotel.

But: I don't trust my server hotel owner.

What can I do?


I can crypt my partition/hdd's that contains the data. Ok.
But: then my operating system will not be encrypted. Not Ok.


If I crypt my operating system too, then when a reboot comes,
I have to type a password to decrypt. But my server will be at 
a server hotel I can't directly use a keyboard [no service cpu]. 



What can I do [on technical side] to ensure a little more security 
to my server [e.g: crypt my partition/slice/whatever, that has the 
operating system, but without the type password problem]

Thank you for any tips/help.



Re: 4k sector disks

2010-04-17 Thread J.C. Roberts
On Thu, 8 Apr 2010 17:40:17 +1000 David Gwynne l...@animata.net wrote:

 ola,
 
 ive recently made a start on better supporting disks in openbsd that
 present 512 byte logical sectors, but actually use 4096 byte physical
 sectors on the platter. the best examples of these are the western
 digital advanced format SATA drives which have been mentioned on
 misc@ before. it was noted at the time that performance on these
 disks is much better if you can align your partitions and filesystems
 onto the 4k boundaries the physical sectors are on.
 
 the process of being able to better use 4k physical sectors relies on
 changes at many layers of the kernel and in the partitioning and
 filesystem utilities, beginning with fetching the details off the
 hardware, and then propagating it up the storage stack into the disk
 and block layers, and then out to userland to make smart decisions
 with.
 
 the tragedy of this situation is that i cannot find a disk that
 implements the parts of ATA specification that describe logical vs
 physical sector layouts. i have bought a couple of the WD advanced
 format drives, and some other people have bought me different models
 in the same family of drives, but none of them include the bits of
 the spec required to be useful. i dont know of any other
 manufacturers claiming to have disks with different sized logical and
 physical sectors, so this work has kinda stalled before it really
 began.
 
 however, as users we should know that the hardware has the 4k sector
 feature, so we should be able to configure machines to take
 advantage of it. i have talked to a few people who have tried to use
 these drives, but have had trouble setting them up as bootable disks.
 
 if you want to install onto one of these disks and line the /
 filesystem up on a 4k boundary, the trick is to modify the start of
 the openbsd partition (not slice) in fdisk (not disklabel) so it
 begins on sector 64, not sector 63. lining the rest of the partitions
 up in disklabel is then an easy exercise left up to the reader. if
 you line the partition up properly then things will Just Work(tm).
 
 there are western digital drives that do implement the correct parts
 of the ATA spec, i just dont know how to get hold of them. it appears
 that drives with models beginning with WD??EARS-00Z have the spec
 implemented, but drives with -00Y or before in their model name dont.
 all the local sellers only have -00Y revisions of these drives :(
 
 dlg
 

A pair of WD15EARS-00Z5B1 (Rev: 80.00A80, Jan 31 2010) disks were found
here in the Silicon Valley and a patch from dlg@ is being tested to
determine if they will meet his requirements (e.g. specific parts of
the ATA spec are implemented).

You might want to note the suggestion above from dlg@ about installing
the root filesystem (the 'a' partition) at sector 64 rather than the
default sector 63 was not necessary with these very new disks. At
present, the reason why they just work is unknown, but it is possibly
due to commits like:
http://marc.info/?l=openbsd-cvs&m=127044093310329&w=2
http://marc.info/?l=openbsd-cvs&m=127042894602052&w=2
http://marc.info/?l=openbsd-cvs&m=127027862308889&w=2

which have been made without having access to the needed hardware.

-jcr



Re: crypt question/server hotel

2010-04-17 Thread Antti Harri

On Sat, 17 Apr 2010, Jozsi Vadkan wrote:


I want to put my server in a server hotel.

But: I don't trust my server hotel owner.

What can I do?

[snip]

Pick another one or DIY.

--
Antti Harri






Re: crypt question/server hotel

2010-04-17 Thread Robert

Jozsi Vadkan wrote:

I want to put my server in a server hotel.
But: I don't trust my server hotel owner.
What can I do?


1)
Even if you encrypt the whole disk and you have a remote console 
available (via serial port or KVM switch), you still will have to trust 
your provider that he doesn't sniff that traffic.


2)
If you can't detect a reboot of your machine because the attacker has 
cleaned the logs etc., then anybody with physical access can own the 
machine. I'm not aware of any way to prevent this.
(see also cold boot attack, or simply creating a disk image and doing 
a brute force attack against the image)


3)
Your only chance might be to have a card in the machine (e.g. IBM RSA) 
that allows remote control. But the traffic to it will have to be 
encrypted (-> 1) and it has to detect if it was temporarily removed from 
the machine during a physical attack, and even then it needs to report 
this back to you. I don't know if there is any card out there that can 
provide this level of protection...


If you are really paranoid and the hacker type, then I guess you can 
hide a mobile phone inside the case, connect it via USB and have it 
constantly report the status (power, light sensor, GPS etc.).


In the end it is as usual a question of cost vs benefit. If your machine 
is *that* valuable then you shouldn't put it in an untrusted environment 
in the first place.


In your case I guess you should encrypt your data and have the machine 
email you if it reboots. Then you can login via SSH and enter the crypto 
key and start the stage 2 applications that need the encrypted data.
You will have to trust your provider that he doesn't do any physical 
attacks (e.g. replace OS files).


kind regards,
Robert
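
The "email you if it reboots" step suggested above, sketched as an added example that is not part of the original post: a check, run from rc.local and cron, that compares the kernel's boot time with the last value it recorded. The state path, mail address and slack value are assumptions, and it only reports that a reboot happened; as the thread says, it cannot stop or prove physical tampering.

```shell
#!/bin/sh
# Added example (not from the thread): report reboots of a colocated host.
# Run as "reboot-check.sh --check" from /etc/rc.local and from cron.
# STATE, ADMIN and SLACK are illustrative placeholders, not values from the thread.
STATE=${STATE:-/var/db/last_boottime}
ADMIN=${ADMIN:-admin@example.org}
SLACK=${SLACK:-120}    # seconds of boot-time drift tolerated after clock steps

# Print the kernel's boot time as seconds since the epoch.
current_boottime() {
    case $(uname -s) in
    OpenBSD) sysctl -n kern.boottime ;;
    Linux)   awk '$1 == "btime" { print $2 }' /proc/stat ;;
    *)       return 1 ;;
    esac
}

# classify_boot <boot_epoch> <state_file>
# Prints first-run, unchanged or rebooted, then records the value just seen.
classify_boot() {
    now_boot=$1 state=$2 verdict=unchanged
    case $now_boot in
    ''|*[!0-9]*) echo "classify_boot: bad boot time" >&2; return 2 ;;
    esac
    if [ ! -s "$state" ]; then
        verdict=first-run
    else
        old_boot=$(head -n 1 "$state")
        case $old_boot in ''|*[!0-9]*) old_boot=0 ;; esac
        diff=$((now_boot - old_boot))
        if [ "$diff" -lt 0 ]; then diff=$((0 - diff)); fi
        if [ "$diff" -gt "$SLACK" ]; then verdict=rebooted; fi
    fi
    # Write via a temp file so an interrupted run cannot leave a partial record.
    printf '%s\n' "$now_boot" > "$state.tmp" && mv "$state.tmp" "$state"
    echo "$verdict"
}

main() {
    boot=$(current_boottime) || { echo "unsupported OS" >&2; return 1; }
    verdict=$(classify_boot "$boot" "$STATE") || return 1
    if [ "$verdict" != unchanged ]; then
        # The encrypted data volume stays locked until the key is typed over SSH.
        printf '%s: %s (boot time %s). Log in, check the host, then unlock.\n' \
            "$(hostname)" "$verdict" "$boot" |
            mail -s "reboot check: $verdict" "$ADMIN"
    fi
}

if [ "${1:-}" = "--check" ]; then main; fi
```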



Re: crypt question/server hotel

2010-04-17 Thread Jacob Yocom-Piatt

Robert wrote:

Jozsi Vadkan wrote:

I want to put my server in a server hotel.
But: I don't trust my server hotel owner.
What can I do?


1)
Even if you encrypt the whole disk and you have a remote console 
available (via serial port or KVM switch), you still will have to 
trust your provider that he doesn't sniff that traffic.


2)
If you can't detect a reboot of your machine because the attacker has 
cleaned the logs etc., then anybody with physical access can own the 
machine. I'm not aware of any way to prevent this.
(see also cold boot attack, or simply creating a disk image and 
doing a brute force attack against the image)


3)
Your only chance might be to have a card in the machine (e.g. IBM RSA) 
that allows remote control. But the traffic to it will have to be 
encrypted (-> 1) and it has to detect if it was temporarily removed 
from the machine during a physical attack, and even then it needs to 
report this back to you. I don't know if there is any card out there 
that can provide this level of protection...


If you are really paranoid and the hacker type, then I guess you can 
hide a mobile phone inside the case, connect it via USB and have it 
constantly report the status (power, light sensor, GPS etc.).


In the end it is as usual a question of cost vs benefit. If your 
machine is *that* valuable then you shouldn't put it in an untrusted 
environment in the first place.


In your case I guess you should encrypt your data and have the machine 
email you if it reboots. Then you can login via SSH and enter the 
crypto key and start the stage 2 applications that need the 
encrypted data.
You will have to trust your provider that he doesn't do any physical 
attacks (e.g. replace OS files).





++

solution: if the security of the machine and its data are of sufficient 
importance you cannot trust 3rd parties with it and must keep it 
somewhere you feel confident that it is physically secure.


even if you have the boot partition(s) fully encrypted there is nothing 
to stop someone from installing a fake boot prompt and yanking your 
passphrase. in most situations where the machine is running you also 
have to worry about someone freezing your RAM, powering the machine off 
and pulling your disk crypto keys directly from RAM. 'secure' memory for 
storing crypto keys is another option that is marginally better than RAM 
but requires hardware and software support.


how worried you should be about this depends on your threat model.



kind regards,
Robert




Re: crypt question/server hotel

2010-04-17 Thread Jan Stary
On Apr 17 11:49:36, Robert wrote:
 Jozsi Vadkan wrote:
 I want to put my server in a server hotel.

Why?

 But: I don't trust my server hotel owner.

Why?

 What can I do?

Find one you trust.



Re: ACPI so close I can almost taste it...

2010-04-17 Thread Pau
Hello,

I am using the intel driver on a thinkpad x200s with a xorg.conf file

It was suspending resuming very well until now. With 4.7 GENERIC.MP#509 i386
I have the problem that, when resuming, X does not wake up totally. I can see
the applications open and I can move the mouse but nothing else.

I cannot switch to a terminal (ctrl+alt+fX); the system is in general
unresponsive

I will try now to use X without xorg.conf (I changed a couple of things).

Thanks,

Pau

2010/4/17 Jean-Michel Bessot jmbes...@lacomte.net:
 It works fine in pciide when I don't run Xorg on R400.

 I think the intel driver don't want to resume, I will see if I can
 obtain more information.



Re: crypt question/server hotel

2010-04-17 Thread Scott McEachern

On 04/17/10 04:49, Jozsi Vadkan wrote:

I want to put my server in a server hotel.

But: I don't trust my server hotel owner.

What can I do?

   


If someone has physical access to your box, there is nothing you can do, 
period.


There are some really extraordinary (insane) things you can do to 
prevent it, but most of those solutions are only viable in lands where 
unicorns roam free.


This discussion has taken place before on this list (search the 
archives) and the answer to a truly secure machine involved it being 
placed in a 2km thick block of steel reinforced concrete at the bottom 
of an ocean.


I'm also pretty certain this has been asked on Slashdot (search their 
archives) and the simple answer involved an unmanaged server plan with a 
provider other than the untrusted one.


--
- RSM
www.erratic.ca



Re: ACPI so close I can almost taste it...

2010-04-17 Thread Marco Peereboom
Build X from source and you'll have a fighting chance.

On Sat, Apr 17, 2010 at 08:14:09AM +0200, Jean-Michel Bessot wrote:
 It works fine in pciide when I don't run Xorg on R400.

 I think the intel driver don't want to resume, I will see if I can
 obtain more information.



Re: ACPI so close I can almost taste it...

2010-04-17 Thread Pau
Confirmed: When using X without the xorg.conf that I had adapted,
it's suspending and resuming perfectly.

These are the additional lines I had put in:

FontPath "/usr/local/lib/X11/fonts/mscorefonts/"

(...)

Option "NoAccel" "False"
Option "AccelMethod" "EXA"

Now it's working perfectly well. After resuming all is there: X, em0
up and running, usb, sound etc..

This is great! I had been waiting for a long time for this.

I have some 9 desktops and some ~ 16 things open all the time: gv,
plotting programmes, firefox, many vi editing files, etc

It was a pain to have to shutdown and boot again the laptop every time
I had to go home etc

Thanks a lot!

Pau

2010/4/17 Marco Peereboom sl...@peereboom.us:
 Build X from source and you'll have a fighting chance.

 On Sat, Apr 17, 2010 at 08:14:09AM +0200, Jean-Michel Bessot wrote:
 It works fine in pciide when I don't run Xorg on R400.

 I think the intel driver don't want to resume, I will see if I can
 obtain more information.



Re: crypt question/server hotel

2010-04-17 Thread Robert C Wittig

 On 04/17/10 04:49, Jozsi Vadkan wrote:
 I want to put my server in a server hotel.

 But: I don't trust my server hotel owner.

 What can I do?


I wouldn't do business with anyone that I didn't trust.

I don't trust very many people.

So, what I did, was I:

1) ...signed up for a commercial DSL account and leased some static IP
addresses from ATT (I trust them... sort of :) ),

2) Built myself a server rack, and several servers, mostly for spare
parts: http://robertwittig.net/workshop.html

3) Installed OpenBSD, set up Apache, sendmail, and PF, so that I had
secure, functioning web and mail services, and...

4) I really haven't had to do much care and maintenance on it, in the
last four years or so. It just emails me my logs every morning, and
takes care of business.

It just keeps running, and running, and running...


--
-wittig
http://www.robertwittig.com/
http://robertwittig.net/
http://robertwittig.org/



can't mount msdos sd card (was: LG android phone mass storage mount problem)

2010-04-17 Thread frantisek holop
hmm, on Sat, Apr 17, 2010 at 01:43:01AM +0100, Pedro la Peu said that
  i am trying to mount the mass storage on my LG GW620
  android phone.
  
  ugen0 at uhub0 port 3 LG Electronics Inc. LG Mobile USB Modem rev 
 2.00/1.00 addr 2
 
 Your phone is not configured as OpenBSD needs.

for now, i am interested only in the umass component
of the phone, so ugen is fine.

i am not sure about the check condition errors:

probe(umass0:1:0): Check Condition (error 0) on opcode 0x0
probe(umass0:1:0): Check Condition (error 0) on opcode 0x0

but it seems like the umass part is working, i just can't
mount the msdos file system on the microsd card in the phone.

later i also tried putting that card from the phone into an
sd adapter and the result was the same: could not mount the card.

so it's not really a phone issue basically i think.

i also bought another card, and this one has no problem
being mounted both through the phone and/or in the sd
adaptor:

$ sudo fdisk sd1
Disk: sd1       geometry: 1973/255/63 [31711232 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0 130   3 -   1973 237  56 [        8192:    31703040 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

$ sudo disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Android Phone
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 1973
total sectors: 31711232
rpm: 3600
interleave: 1
boundstart: 0
boundend: 31711232
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  c:         31711232                0  unused
  i:         31703040             8192   MSDOS

the offset on this one is interesting as well,
but gives the kernel no problems.

as more information is available so should some
subjects change as well :]

any ideas what can i try with the other card?
it's not really important i guess, i could always
just format it, but perhaps it's a good corner
case for msdos because the other OS' have no problem
with it...

-f
-- 
you can never get rid of a bad temper by losing it.



Re: updating packages with ports binaries

2010-04-17 Thread J.C. Roberts
On Mon, 12 Apr 2010 00:44:50 +0200 Marc Espie es...@nerim.net wrote:

 On Sun, Apr 11, 2010 at 12:26:41PM -0400, Arnaud Bergeron wrote:
  Normally, as long as you do not use -F something as an option to
  pkg_add, everything you do with it is safe.  (caveat: sometimes
  there are major upgrades, like for postgresql that require extra
  actions, but those are when you change releases)
 
 Hopefully, we'll deal with this before 4.8 as well. I have a mechanism
 to recognize those and actually check with the user if everything is
 fine.
 

If you want to know about some of the improvements to pkg_* tools, Marc
gave us some more details in the following article: 

http://www.undeadly.org/cgi?action=article&sid=20100323141307


-- 
The OpenBSD Journal - http://www.undeadly.org






Re: 4.7 and AR5007

2010-04-17 Thread Corey Bukolt
I've been having trouble with a 9285 in a low end Gateway 
laptop/netbook. I've been tracking snapshots and it always locks up the 
machine when I run 'ifconfig athn0 scan' after 5 seconds or so. Can not 
switch to another terminal and can not log in over the network (fast 
ethernet, re0, which does work fine) after it locks up.

I have tried both amd64 and i386 and the issue is the same. Anything 
else I can do to help whoever might be interested in fixing it? Are 
snapshots new enough? I could send the laptop to a developer for a week 
or two if that would help, I'm in the US though. I could also just send 
the card to someone, it's useless in its current state anyhoo.

Anyway, if anybody has any suggestions I would greatly appreciate them.

Cheers,
noah

Yes, please run ifconfig athn0 debug before you scan (from the console),
and send me the output.

Damien

I have the same laptop with the same issue and have been meaning to ask about 
it, but Noah beat me to it. 
I'd appreciate being kept in the loop about this. If there is anything I can do 
to help out, just let me know.

Corey


