Re: OpenBSD sucks
qw er wrote: It really sucks. It is slow.

I was going to avoid this, but I can't... I can say qw er sucks, [s]he is really dumb, but it really doesn't prove much in the grand scheme of things. What part of OpenBSD do you think sucks, and no more trolling. What part is slow? It's quick to boot here - quicker than even the most cut-down Linux, and certainly quicker than EvilOS(TM). Please be more specific. If you think it's slow, post your dmesg so we can see your hardware spec and tell us where it's slow!

A
Re: external storage and backup
I prefer base64-encoded printouts, to be rekeyed by interns should the system fail. I don't trust the interns, so I use FIRE to encrypt the base64 after it's been printed.
Re: rdate issue
I would really recommend against using rdate like this: it jumps the clock. ntpd skews the clock (makes it run slightly fast or slow until the time is correct), so you don't miss out on any seconds (which sometimes skips cron jobs, makes logging more confusing, and can cause a lot of trouble with some other applications).

The -a option fixes the skew problem:

-a  Use the adjtime(2) call to gradually skew the local time to the remote time rather than just hopping.

I still recommend ntp if you need to continually update the clock. It's always worked for me in the past.

Ntpd (AFAIK) continually monitors the difference between your clock and the remote server to try and adjust the skew for a more accurate local clock. Rdate doesn't.

Cheers, A
Re: rdate issue
I decided to get the time synchronization for all those boxes. In the gateway machine, I managed to get the following in crontab:

*/5 * * * * /usr/sbin/rdate -4ncva ptbtime1.ptb.de | /usr/bin/logger -t NTP

snip

Everything is working OK except that those two boxes always have a time about 20/22 seconds after my gateway time, as in the output of the date command:

Have you considered running ntpd instead of rdate? If nothing more, the daemon removes the need to have crontabs updating the clock. I have no explanation for why the times are about 20 seconds out, other than the gateway might be taking its time to wake up the rdate daemon.

Cheers, A
Re: vpn in OBSD 4.1
Hi. I'm looking for a tutorial to install a VPN on OBSD 4.1 with Microsoft XP or Mac clients, also supporting NetBIOS for file or print sharing. So what can I use: OpenVPN, IPsec, VPN?

You obviously haven't looked very far? OpenVPN and pptp are in Ports. I use OpenVPN for ease of use on *BSD, Linux, Mac, Windows. Netbios sharing comes down to how you've configured the VPN tunnel (routed, bridged, WINS). You're well advised to go do some reading on your own. If you had, you would have discovered that OpenVPN has a tutorial page for configuring the server, as does the readily available PPTP server. Installing is left as an (easy) exercise to you.

A
Re: GUI programming languages
I have no formal CS background so am at a loss for good candidates. The applications in question are "click here, print something in a text box", etc. - ones that are not very complex. A language that allows me to generate GUIs quickly and securely would be nice.

I've been hacking with Qt on Linux. I don't know if that even builds on OpenBSD. You can come up to speed with it and make a GUI within a day or so. It's ported to a few languages too, so you don't have to use C++. Qt is either GPL or pay-for commercial though. The Qt designer tool is really quite good - does all the leg work and all you need to do is derive a class from the one you get out of designer and create some methods with the right names... kerblammo, functional GUI :)

Someone else suggested wxPython. Another good choice. wx has C++ bindings, and any number of other language bindings as well. You'd be hard pressed to go past it for truly free development (it's not GPL'd so you don't suffer the viral problems of GPL).

Cheers, A
Re: OpenBSD 4.1 Torrents
Um, can you cite a single *real world* example of where md5 sums have been co-opted in any way? Yes, md5 now has a weakness, but really, are there any cases of anyone having actually exploited it?

It's that kind of attitude that is responsible for probably more than half of the breaches that happen. Show me someone who wants to attack _my_ company; there's nothing here worth getting! Attackers don't care. They'll often exploit something for the sake of having done it. They don't see a company (usually). They see a machine they can gain control of and use for their own means.

MD5 is proven weak. It's possible to take almost any file and its MD5 then create an identically sized file with the same hash in a reasonable time. This can be used to pass out an arbitrary CD image that completely trashes the contents of your hard disk. It doesn't even need to be OpenBSD on the CD. This isn't about IF the problem will occur, but WHEN! There is a known exploit and anybody who doesn't take steps to mitigate that now is just crazy (or lazy).

The original point is that BitTorrent makes it easy to seed this kind of crap. Torrent is not an official source, but you can easily create OpenBSD-4.1.torrent from your new file with a matching MD5 to the official and sit back and laugh as people start posting to the openbsd forums: j00 1337 BSD h4x0rz are w4nx0rz for 3r4z1ng my d15k5

I'm not an expert on this, but I do read. Enlightenment is encouraged if I'm missing something here.

Explains the paragraph above :)

Cheers, Adam
Re: pf - drop or return - is stealth mode overrated?
I find 'return' to be easier to work with. The LAN I am primarily thinking about is both infested with Windows and accessible via VPN - and the VPN has some Windows clients. Considering the people on said LAN, who are both sweet and smart but not in general computer-savvy, I'd be highly surprised if an attacker spent much time on the firewall.

Windows...

This stealth mode you talk of, wasn't it a term coined by the irrefutable GRC in his quest to rub snake oil all over everything so it runs faster? I only ever hear users of the EvilOS talking about stealthing their boxes. Not replying may save a little bit of upload bandwidth, which may count if you're heavily scanned and have an asymmetric link with little outgoing bandwidth... but that is about all.
Re: 4.0-stable lockup SOLVED (temporarily)
The solution I came to is very simple. Currently I only need one of em (dual card), so I disabled the second one. When I boot the router, my network usage rises up to 96%. I simply mark that unusable interface (em1) as up and a few seconds later I mark the same interface down. My network usage drops significantly; currently, as I look, it shows 75%. The router has been running without locking up for 25 hours now. I am also planning an upgrade to 4.1 if there are changes to the em driver.

Out of curiosity, they're not connected to the same ethernet segment are they?

Cheers, A
Re: Routing all traffic to PPTP VPN tunnel
My computer is connected to the internet through a router whose internal address is 192.168.1.1. Here is some interesting stuff after the VPN has been brought up:

ifconfig tun0
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1500
        groups: tun
        inet 132.204.232.32 --> 132.204.2.20 netmask 0x

Internet:
Destination        Gateway             Flags  Refs  Use   Mtu  Interface
default            192.168.1.1         UGS       2  468     -  fxp0
10.5.9/24          vpn.CC.UMontreal.C  UGS       0    0  1500  tun0

Your default route still goes out your local router. That's really probably what you want in most cases - access to university resources and raw Internet access through the local connection with lower latency and probably faster speed. You need to add a host route to the VPN server that goes via your local router. If you just change the default then the machine can't know how to get encrypted data to the VPN server and so then it can't do anything at all.

A
Re: 4.0-stable lockup
Any idea how to diagnose the problem?

Turn on as much verbose logging as you can and see what you get. Do you get any kernel crash messages on the console when the machine hangs or does it just hang up and die? Your first port of call is to get the system logs out of the machine. Sending them to the console is a start. Sending them to another machine via serial will let you go back through them after it's crashed and look for symptoms. I don't know enough about the guts of OpenBSD to help diagnose the crash, but is there a way to turn on verbose kernel logging? If there is, that would help narrow things down a little.

It's difficult to diagnose a problem like this, but clear your mind of assumptions. It could be anything - bad memory, bad CPU, bad network card, bad software, bad disks, etc. You need to start ruling out all of those things. In my experience hard lockups are almost always due to failing hardware rather than the OS (unless you're running unstable development drivers for bleeding edge hardware).

Memory can be stressed by hefty compiles. Building the kernel is a good test. Does a kernel compile succeed? How about if you use make -j 4 to run 4 tasks in parallel and use up more RAM? That also stresses the CPU. You could boot one of those *cough* Linux live CDs with a memory tester on it and run a memory test overnight to look for failures, but that's not reliable in many border cases.

Are the disks OK? SMART can be used to check for some kinds of errors. Look in the logs for disk access failures.

Finally, if you think it's network related, unplug the network and stress test the machine. Try a different NIC if you have one lying about.

Regards, A
Re: Finding a ral(4) cardbus card
Hi, Would anyone else consider that a good indicator? I mean, that would be great if that was the case all around. I got to know the return guy at Best Buy so well, he let me bring my laptop in, and opened boxes to find wireless for them... I opened 5 different ones before we had to quit (read: his manager showed up to ask WTF?). I hope he still works there... MacOS was a BSD base at some point, was it not?

Mac support isn't a good indicator, but I think the OP was pointing out that for this particular card you need to go find one that says Mac support on the box to get the RAL version.

Cheers, A
Re: a question kinda pff topic
To summarize Matthew 17:20, nothing is impossible, but that does not mean that doing something that is not impossible is a good idea. I would recommend not making it out of wood for the following reasons:

Wood burns better than aluminium or steel too... in the unfortunate event that one of your components ignites.

tolerance, ease of assembly, load-bearing, re-usability... pretty much any reason you'd want to use a rack

If you just want an easy way to stack everything out of the way at home it's probably fine; if you want to do it for any business then just invest the extra money and rack mount. It's not that expensive, really.

Pissing into the wind and expecting it not to get all over you is the path of the faithful, so piss away if you're so inclined!

Wear a raincoat if you are so inclined :)

Each to his own. We're geeks. We do things for the sake of doing them. Why do you think things like OpenBSD exist?

Not all geeks limit themselves to homebrew software; some have wider interests and skills :)

A
Re: Why Linus Torvalds won't donate to OpenSSH
I recently wrote Linus Torvalds asking why I don't see his name listed on the OpenBSD donations page (http://www.openbsd.org/donations.html), since I figured he uses OpenSSH.

Apart from the fact that was a private email from Linus to you and you broadcast it publicly (if you really did email him and he really did reply), who cares what Linus thinks? He is over there with his little chubby baby called Linux. He's like any other parent. He thinks his chubby wrinkly bubby is the best one. Let him have that - his chubby baby is a damned sight better behaved than the babies of a certain ugly commercial parent. If Linus comes in here and starts demanding features be added to OpenSSH then you can pull him up on whether he donates or not. Until then live and let live. (and what Damian said)

A
Re: scp problem with remote filename escaping
I'm sure you'll give some really good reason why the files have to be named that way...

Try admining boxes which are used by EvilOS users - all of their files will be called My\ blah.
Re: scp problem with remote filename escaping
I scp'd a file called 'a b' to an openbsd server here, then scp'd it back a couple of times in different ways. It worked only when using the quotes AND escaping, like so:

scp [EMAIL PROTECTED]:a\ b .

That's because of the shell. The shell on the client sees the quotes and doesn't escape the space. The space is escaped when it gets to the SFTP daemon at the other end. Without both, the shell at the client does the escaping and sends a single argument to the scp client. This sends that argument to the server, which presumably sees the space and assumes you're asking for two files called A and B. You need the \ character to arrive unaltered at the scp server.

scp [EMAIL PROTECTED]:a\\\ b .

should work as well.

A
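A way to see the two quoting layers at work without a remote host, as an added example that is not from the thread: the local shell removes one layer, and the server's shell (stood in for here by `sh -c`) splits and globs whatever is left. `remote_words`, `remote_count` and `scp_quote` are helper names I made up for the demo; the directory and filenames are constructed.

```shell
#!/bin/sh
# Added demo (not from the thread): why a remote filename with a space needs
# two layers of escaping for scp.  scp hands the remote path to a shell on
# the server, so after the local shell has removed one layer of quoting, the
# remote shell performs word splitting and globbing on what is left.

# Constructed "remote" directory with two files so that a stray glob shows up.
REMOTE_DIR=$(mktemp -d)
touch "$REMOTE_DIR/b1" "$REMOTE_DIR/b2"

# Stand-in for the server's shell: evaluate the path text the way the remote
# scp invocation would (word splitting, globbing, quote removal) and print one
# resulting word per line.  Only feed it strings you built yourself; a real
# remote path is under the sender's control.
remote_words() {
    ( cd "$REMOTE_DIR" && sh -c "printf '%s\\n' $1" )
}

# Number of words the remote side ends up with (1 means the name survived).
remote_count() {
    remote_words "$1" | wc -l | tr -d ' '
}

# Hypothetical helper: single-quote a remote path so the remote shell treats
# it as one literal word.  An embedded ' becomes '\'' (close, escaped quote,
# reopen).  Use it as:  scp "user@host:$(scp_quote "$name")" .
scp_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# `scp host:a\ b .` : the local shell turns a\ b into the argument "a b";
# the remote shell then splits it into two names.
remote_count 'a b'                         # 2
# `scp host:a\\\ b .` : the local shell leaves a\ b, which the remote shell
# reads as one word.
remote_count 'a\ b'                        # 1
# An unquoted glob is expanded against the remote directory.
remote_count 'a b*'                        # 3  (a, b1, b2)
# Quoted, the same name arrives intact whatever characters it contains.
remote_count "$(scp_quote 'a b*')"         # 1
remote_words "$(scp_quote "it's")"         # it's
```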
Re: Serial Port Network
snip

Investigate PPP. You can start a PPP server on one and a PPP client on the other and they will immediately be able to talk and share data. If all you need is remote login from one to the other, investigate putting a console on the serial port of one machine then using something like Kermit or Minicom to log in. The advantage is it's really simple just to get a login that way rather than messing about with PPP, and Kermit/Minicom support file transfers if you need to dump files from one machine to the other.

A
Re: Long WEP key
Right. As long as we understand that it sucks, it's OK to use? I know when I think about securing my data I'm interested in keeping only the average Joes out.

I don't know about you, but I use wireless security as an extra layer. It might suck, but it keeps the next door neighbour's laptop from authenticating on my network without his (or my) permission. I just tunnel a VPN over the top and route that through to the wired side. Safe, secure, and it keeps average Joe Schmuck from always logging onto my network then coming and complaining that I am hacking his laptop when he sees it log onto my network.

WEP/WPA have their uses, just not in security. If you understand that you don't get any security you can add another layer! If you don't understand it, then you're probably not qualified to be deploying a wireless network anyway.

Maybe it's OK to run telnetd so long as it's on port 10023 too?

Not funny: I've seen people advise moving the port number of all sorts of services for security, then recommending turning off all of the inconvenient security options in the daemon now that it is securely on another port that nobody will ever think to look at, and if they do they won't know what server is there anyway. This was from a supposed IT security expert...

A
Re: [OT] Long WEP key
No, you're not. It's not that easy. (and I just leave mine wide open)

As far as I know, if you leave it open you're not liable because you cannot prove who would have strolled by. If you put any sort of security at all to prevent outsiders it can be reasonably assumed that you were the person who did whatever you did... Now, I am not a lawyer but I have had interesting discussions with legal types about it. There are mixed views and there was no precedent last we discussed it.

A
Re: VPN
It may not be the wisest thing to be trying PPTP. In addition to the technical problems you are encountering, there seem to be some grave issues with the protocol itself, http://www.schneier.com/pptp-faq.html which are apparently not resolved entirely even in later versions.

PPTP sucks, but if you have some models of Palm device it's all you get to use - they just don't do anything more secure. Sure, it's all software, but I have yet to see an IPSec or SSL-based VPN client for my Palm. Its useless wireless won't even do WPA (ok, so I got it before WPA was around, but there isn't even a software upgrade).

IPsec and SSL are both standards and, as such, supported even by legacy platforms. It might be useful to phase out PPTP in favor of IPsec.

IPSec can be confusing to configure the first time round - it took me a little while to come to terms with it. It has the advantage that newer versions of Winblows support it out of the box, so your average L-user will have no trouble getting on your VPN. (s/no trouble/minimal trouble/).

OpenVPN is SSL-based and seems to work quite well. It's also able to be easily tunneled over HTTP proxies if you need to access the VPN from behind a restrictive firewall. I've used OpenVPN on Linux servers, clients and Windows boxes. Never had a hiccup with it. I don't know how well it works in OpenBSD though.

If you're stuck with PPTP just be sure to know its limits. Read the web page posted before and probably keep it on a separate box with different usernames/passwords to your main machines. You might consider allowing access to only certain services via the VPN too, just to limit the damage that can occur due to PPTP's inherent insecurity. I found that the free servers were really painfully slow too - I don't know whether that's an artificial limitation or not, because the server was never very heavily loaded and PPTP wouldn't do more than a couple of megabits a second over a solid wireless connection.

Cheers, A
Re: Installing Skype
After all this talk about blob-only software... Skype is absolute proof of why we shouldn't have blob-only software. The recent hoo-ha about it grabbing BIOS dumps and sending them back to the servers on x86 machines really shows that software can do nasty things. Nobody even noticed because they do it very discreetly.

- http://www.asterisk.org/ Tried on OpenBSD, doesn't work.

Not only is there a port, but there was some banter on this list from people who have it working on OpenBSD just last week!

- http://www.openwengo.com/ Tried on OpenBSD, doesn't work.

The secret sauce is available for browsing, so it wouldn't be that hard to port. I am gathering it's mostly the audio interface that differs between Linux and BSD.

- http://www.gizmoproject.com/ Tried on OpenBSD, doesn't work.

I don't see the sauce for Gizmo anywhere.

http://www.freeworlddialup.com is free, and standards-compliant, so you can use any SIP-compatible soft- or hard-phone. The only thing they're really missing is callout/in, and even then they have a project in the works for that.

Regards, A
Re: usb networking
If this works with a powered USB hub, then it is a result of insufficient USB power from the Zaurus during the early startup time.

I put the usb hub out there for the single purpose of powering it. Only the one piece of gear on the hub, too, so I need another idea.

Are you using a powered hub or a non-powered one? Your reply seems a bit vague. Hint: If you don't plug an AC adaptor or battery pack into the hub then it's not powered.

A
Re: Important OpenBSD errata
You have a valid point: any bug is a security problem. However, the topic is not my management practices and the tradeoffs involved therein. The topic is the efficacy of the security-announce list. If I knew security-announce was broken I could write a screen-scraper to check the errata page for me.

The simple assumption that has never failed me is: everything is broken, don't trust it.

Cheers, A
Re: Firefox destroi my openbsd 3.9
/dev/rwd0h: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
/dev/rwd0d: file system is clean; not checking
/dev/rwd0g: file system is clean; not checking
/dev/rwd0e: file system is clean; not checking
THE FOLLOWING FILE SYSTEM HAD AN UNEXPECTED INCONSISTENCY:
ffs: /dev/rwd0h (/home)
Automatic file system check failed; help!
Enter pathname of shell or RETURN for sh:

This means that the filesystem has an error that can't be automatically corrected. You need to start a root shell by hitting return and then check the filesystem manually. You will probably also have to accept the changes fsck wants to make. Be mindful that at this stage you haven't anything. If you are careless you can lose data here.

You should have read the first and last lines I quoted. They are telling you exactly what to do.

Regards, A