From alvin at maggie.linux-consulting.com Sat Feb 1 03:33:23 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Sat, 1 Feb 2003 03:33:23 -0800 (PST)
Subject: bad customers and court cases - summary2
In-Reply-To: <20030131154002.GC11524@mars.starshine.org>
Message-ID:

hi ya all ...

thanx for the "insight" ... i think its good practice for questions that
the court will be asking too ... :-)

and, for clarifications ...

- the small claims case has been filed ... court date is coming up

and for another clarification...

- all the problems of passwd and other issues came up AFTER my last day
  of "official work"
- all work done after "last day" has NOT been billed and is not of the
  original court case for previous months of their unpaid invoices
  ie they got about week - 2 weeks of free help...
- no problems of work done in previous months and of the unpaid
  invoices.. but, 1.5-2 months AFTER the last invoices ... with phony
  made up excuses of their own boo-boos like "passwd problems" which is
  a 2-5 minute problem ( an obvious attempt to wiggle out of paying the
  past due invoices ... or so goes my limited mentality
- another tidbit... they moved from one bldg to another... and i told um
  i wont be going with them... which made them happy ... :-)
  ( also was end of my term anyway )

and for other side issues...

- first thing i do when i go into new clients offices..
  - what's the security and computer/access/network policy
    ( 90% does not have one.. :-)
  - what's the budget for what we're in discussions for
  - what's the task and what was/is their plan of action
  - than i poke holes at it... i mean, give um alternatives and probably
    a lower bid than what they had... or more than likely, where they
    "need help"...
- end result is usually slightly different or drastically different
  than what they thought they needed... or their expected budget...
  if they agree... we're in biz... if not... it was a "free education"
  on both sides..

and just my style, that i wont get along with micro-managers that dont
know how to setup/admin their boxes/network ... as was this case..

- lots of flamewars ... i mean education and analysis :-)
- they had hired at least 3 others i know about, to do the same work..
  but i'm the one that fixed their problems
  ( 1 of whom i'm good buddies with now... so we both ( crack up at what
  problems the client got themself into now
- i think it takes balls... for someone to say... "hey, i hear you're
  taking over this account, watchout for this, that and foo-bar" that
  they did or tried or was trying to fix... etc ...

thanx
alvin

On Fri, 31 Jan 2003, Jim wrote:

jim> > thanx to those that replied ... but...
jim> > - question still stands... though i/we know the answer
jim> > ( how long does it take you to log into a box that you're sitting
jim> > ( in front of... and have permission to change its root passwd
jim>
jim> On a bad day: 5 minutes. (About one step every 30 seconds but most
jim> of the time is waiting for the BIOS to get me to the LILO prompt).

yupp ... as is the case for most admins .. and "normal users"

jim> My directions have been battle tested on the Internet for several
jim> years. They've been refined, even updated for GRUB (which I omitted
jim> from my summary as irrelevant to Alvin's case). EVERY STEP IS THERE
jim> FOR A REASON!

ditto ... and they had branch offices in other countries too and they
too know how to get into the systems w/o passwds

----

s> I don't want to ruin your day, but it sounds like there's an
s> aspect of lawsuit with which you're unfamiliar. Just because you
s> win doesn't mean you get paid. If it is a small-claims case,
s> with the limit of $5K maximum, there is no particular recourse if
s> the client is ordered to pay but does not pay. In small-claims,
s> too, the judgement is final and there is no appeal. ..
s> Collecting a judgement in a lawsuit can be quite difficult.

yup... know a little about collecting after someone wins a court case
and have helped others collect their $$$ too ....
( i like it when we can get a "writ of execution" )
and until than.... one step at a time

and actually... you can file up to 2 small claims cases... $10K maximum
if you're doing the proper paperwork i suppose ...

so far, havent lost any court cases... or arbitration that is..
( first court case of my own ....

mark> It sounds like they were paying you to give them (and document) root
mark> access.

nah... didn't bill um for "how to get root passwd".... 2-3 days AFTER my
last day with um ...
- there was no exit interview either etc..etc..

mark> While that may be true, it's not going to win you any sympathy in a
mark> court of law, and if you displayed any of that attitude while on the
mark> job, you probably don't have a leg to stand on (IANAL). As a
mark> consultant, you should always be the epitome of professionalism, no
mark> matter what your opinion of the client or their ability.

yup... good point.... i need to prepare and change my ways for court ...
leave my attitude at the door as many of you have posted

and during the course of the day.... if they start it... i'll usually
take the bait and there'd be some flame wars....
- but i alwayz post both sides of the coin ... and let them decide
  which they want

mark> That they are left in an untenable situation actually says more
mark> about your ability as a consultant, rather than their knowledge of
mark> computers.

another tidbit... they hired someone else about 3 months before "the
shit hit the fan" ... when they moved from one bldg to another...
- that new person wanted to do everything himself... and so it went ...
  till they figured out that they couldnt get root passwd ... even
  though its been documented on paper on the machines... probably a
  dozen times... :-)

mark> If you were an employee of mine, you'd be headed quickly for the
mark> door about now.
usually, i quit long before that :-)

mark> Just to state the obvious, if your customers were smart enough to
mark> understand all this stuff on their own, they'd never have had to
mark> hire you in the first place. If you're selling your expert
mark> knowledge, then you have to package it appropriately.

yup... everything i do is documented ....
- heavily documented ... as to who changed what, when, where and why

documented enough, that they've tried to do it their own way... make up
their own changes and break the "process" ... sorta fun to watch...

thanx again all for your comments...
alvin

From extasia at mindspring.com Tue Feb 4 14:44:17 2003
From: extasia at mindspring.com (David Alban)
Date: Tue, 4 Feb 2003 14:44:17 -0800
Subject: [baylisa] Matching envelope "From" header using SpamAssassin
Message-ID: <20030204144417.A24546@new.gerasimov.net>

Greetings!

Found a solution before sending the question. Thought I'd share the
solution. The solution was to use:

    header FOO_BAR_MSG ALL =~ /^From\s+owner-foo-bar/

Also, it occurs to me that I could have used procmail to examine the
envelope From header and had procmail insert a header like:

    X-From-Foo-Bar: yes

and then had SpamAssassin do the test:

    header FROM_FOO_BAR exists:X-From-Foo-Bar

David

P.S. FYI, the "header" related rules are documented in:

    http://spamassassin.org/doc/Mail_SpamAssassin_Conf.html

--- Original question

Greetings!

I'm a member of email list foo-bar. I want SpamAssassin to deliver all
foo-bar messages to my inbox, and not to the spam trap. I need to add a
rule for this. The problem is, the only thing that reliably identifies
this particular list is the envelope From header. The "To:" and "Cc:"
headers inside the message can't be relied upon because folks sometimes
bcc the list.

I can't figure out how to come up with a rule for this. I tried:

    header FOO_BAR_MSG From =~ /owner-foo-bar/
    describe FOO_BAR_MSG Message to the foo-bar list

But this seems to want to examine the "From:" header inside the message.

Has anyone solved this problem?

Thanks!
David
--
Live in a world of your own, but always welcome visitors.
***
Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/

From windsor at warthog.com Tue Feb 4 18:22:34 2003
From: windsor at warthog.com (Rob Windsor)
Date: Tue, 04 Feb 2003 20:22:34 -0600
Subject: bad customers and court cases - followup
In-Reply-To: Your message of "Sat, 01 Feb 2003 03:33:23 PST."
Message-ID: <200302050222.h152MYe26218@warthog.com>

On Sat, 01 Feb 2003 03:33:23 PST, verily did alvin write:

> hi ya all ...
> thanx for the "insight" ... i think its good practice
> for questions that the court will be asking too ... :-)

It doesn't hurt to pay out the $125 (er, $500, Calif, my bad) to get the
advice of an attorney, even when pursuing your claim in Small Claims
court.

If the Calif JPs are anything like the midwest JPs, you'll get a
judgement that's "fair" and not necessarily "the law". This can be good
or bad. 8^)

Rob++
(was in JP court last June over rent deposit -- of course I won :)
----------------------------------------
Internet: windsor at warthog.com                    __o
Life: Rob at Carrollton.Texas.USA.Earth           _`\<,_
                                                  (_)/ (_)
The weather is here, wish you were beautiful.
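A worked illustration of the envelope-versus-header distinction from David's SpamAssassin post above. This is an added example, not David's or Bill's code and not a SpamAssassin or procmail implementation: it applies David's envelope regex to an mbox "From " line, shows why his first attempt against the From: header is unreliable, checks for the list-manager headers Bill mentions, and performs the procmail-style tagging step. The two messages and their example.org/example.net addresses are constructed; only the foo-bar list name comes from the thread.

```python
import re
from email import message_from_string

# Constructed sample, in the shape procmail sees when the MTA delivers an
# mbox message: the first line is the envelope "From " line (no colon,
# written by the MTA from the SMTP MAIL FROM), then the message headers.
# The list is bcc'd here, so neither To: nor Cc: mentions foo-bar.
SAMPLE_LIST_MAIL = """\
From owner-foo-bar@example.org Tue Feb  4 14:40:00 2003
Return-Path: <owner-foo-bar@example.org>
From: Some Member <member@example.net>
To: undisclosed-recipients:;
Subject: [foo-bar] hello
List-Id: <foo-bar.example.org>

body
"""

# Constructed sample of a message that merely claims to be from the list
# in its From: header; its envelope sender is someone else entirely.
SAMPLE_SPOOFED_MAIL = """\
From spammer@example.com Tue Feb  4 14:41:00 2003
From: owner-foo-bar@example.org
To: victim@example.net
Subject: not really from the list

body
"""

# David's working rule, 'header FOO_BAR_MSG ALL =~ /^From\s+owner-foo-bar/',
# tests the whole header block, envelope line included.
ENVELOPE_RE = re.compile(r"^From\s+owner-foo-bar")


def split_envelope(raw):
    """Return (envelope 'From ' line, rest of the message)."""
    first, _, rest = raw.partition("\n")
    if not first.startswith("From "):
        raise ValueError("message has no mbox envelope line")
    return first, rest


def matches_envelope_sender(raw):
    """David's final rule: test the envelope line, not the From: header."""
    envelope, _ = split_envelope(raw)
    return ENVELOPE_RE.match(envelope) is not None


def matches_from_header(raw):
    """David's first attempt: 'header FOO_BAR_MSG From =~ /owner-foo-bar/'
    looks at the RFC 2822 From: header, which any sender can write."""
    _, body = split_envelope(raw)
    msg = message_from_string(body)
    return "owner-foo-bar" in (msg.get("From") or "")


def has_list_header(raw):
    """Bill's suggestion: a list-manager header survives a bcc."""
    _, body = split_envelope(raw)
    msg = message_from_string(body)
    return any(h in msg for h in ("List-Id", "Sender", "X-List"))


def tag_list_mail(raw):
    """procmail-style step from David's post: add 'X-From-Foo-Bar: yes'
    when the envelope matches, so a later SpamAssassin rule
    'header FROM_FOO_BAR exists:X-From-Foo-Bar' can fire on it."""
    envelope, body = split_envelope(raw)
    msg = message_from_string(body)
    if ENVELOPE_RE.match(envelope):
        msg["X-From-Foo-Bar"] = "yes"
    return envelope + "\n" + msg.as_string()
```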
From bill at wards.net Tue Feb 4 20:02:16 2003
From: bill at wards.net (William R Ward)
Date: Tue, 4 Feb 2003 20:02:16 -0800
Subject: [baylisa] Matching envelope "From" header using SpamAssassin
In-Reply-To: <20030204144417.A24546@new.gerasimov.net>
References: <20030204144417.A24546@new.gerasimov.net>
Message-ID: <15936.36040.269668.387304@komodo.home.wards.net>

I never use "To" or "Cc" for filtering list mail. Most mailing list
managers insert some kind of header that can be used, such as "List-Id:"
or "Sender:" or "X-List:" or even "X-Unsubscribe:". These are preferable
for filtering, as it helps you distinguish list mail even if it is
BCC'd.

There's no need for the SpamAssassin rule though; just put the rule for
'^From .*owner-foo-bar' in your .procmailrc ahead of the SpamAssassin
stuff.

--Bill.

David Alban writes:
>Greetings!
>
>Found a solution before sending the question. Thought I'd share the
>solution. The solution was to use:
>
> header FOO_BAR_MSG ALL =~ /^From\s+owner-foo-bar/
>
>Also, it occurs to me that I could have used procmail to examine the
>envelope From header and had procmail insert a header like:
>
> X-From-Foo-Bar: yes
>
>and then had SpamAssassin do the test:
>
> header FROM_FOO_BAR exists:X-From-Foo-Bar
>
>David
>
>P.S. FYI, the "header" related rules are documented in:
>
> http://spamassassin.org/doc/Mail_SpamAssassin_Conf.html
>
>--- Original question
>
>Greetings!
>
>I'm a member of email list foo-bar. I want SpamAssassin to deliver
>all foo-bar messages to my inbox, and not to the spam trap. I need to
>add a rule for this. The problem is, the only thing that reliably
>identifies this particular list is the envelope From header. The "To:"
>and "Cc:" headers inside the message can't be relied upon because folks
>sometimes bcc the list.
>
>I can't figure out how to come up with a rule for this. I tried:
>
> header FOO_BAR_MSG From =~ /owner-foo-bar/
> describe FOO_BAR_MSG Message to the foo-bar list
>
>But this seems to want to examine the "From:" header inside the message.
>
>Has anyone solved this problem?
>
>Thanks!
>David
>--
>Live in a world of your own, but always welcome visitors.
> ***
>Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
>Unix sysadmin available: http://www.extasia.org/resume/

--
William R Ward bill at wards.net http://www.wards.net/~bill/
-----------------------------------------------------------------------------
"A foolish consistency is the hobgoblin of little minds, adored by
little statesmen and philosophers and divines." - Emerson

From extasia at extasia.org Wed Feb 5 10:59:34 2003
From: extasia at extasia.org (David Alban)
Date: Wed, 5 Feb 2003 10:59:34 -0800
Subject: (fwd) Odd problem with new Apple...
Message-ID: <20030205105934.B2421@new.gerasimov.net>

Can someone help Jon? [Please reply to him, or Cc him on replies--he's
not on the baylisa list. Thanks!]

----- Forwarded message from "J. Lasser" -----

Date: Wed, 5 Feb 2003 12:24:48 -0500
From: "J. Lasser"
To: DC SAGE
Subject: [dc-sage] Odd problem with new Apple...
User-Agent: Mutt/1.4i
Reply-To: "J. Lasser"

Wondering if anyone else has run into this yet... or if I'm missing
something obvious...

Our story:

We have a PowerBook 12" with an Airport Extreme card installed that
can't access the Internet via wireless.

We have a slightly complicated network: Attached to our wireless hub we
have a 10baseT hub. Attached to that 10baseT hub is a Turtle Beach
Audiotron and a network cable. When the network cable is plugged into
the Powerbook, it picks up a DHCP address and talks on the 'net without
incident.

Our subnet is 216.181.177.184/255.255.255.248. Our gateway to the
Internet is 216.181.177.185, which is another box on the wireless
network. Other systems can access the gateway, and hence the Internet,
without incident.
When we're hooked up with a wire, we have no problem. But it doesn't
seem happy with the wireless. The laptop has worked fine via wireless on
at least one other wireless network. That network used a Linksys WAP11
wireless hub. My network used a Netgear ME102, though I swapped that out
for a Linksys BEFW11S4 with no change in behavior. (An incompatibility
there was my first guess...)

We have freshly rebooted the system, though these problems occurred
before that reboot as well. We have our default-DHCP-has-failed IP
address from OS X, but nothing else. Our signal meter shows all bars,
and our correct wireless network is selected.

Let's see what happens when we try to ping something else on the
wireless network:

> This is our TCPDump Window
>> This is our other terminal

> [jon at gumball jon]$ sudo tcpdump -v -i en1
> Password:
> tcpdump: listening on en1
>> [jon at gumball jon]$ ping 216.181.177.190
>> PING 216.181.177.190 (216.181.177.190): 56 data bytes
> 11:08:26.744487 arp who-has 216.181.177.190 tell gumball.local
> 11:08:26.748550 arp reply 216.181.177.190 is-at 0:4:32:0:1d:34

OK, so ARP is working...

> 11:08:26.748596 gumball.local > 216.181.177.190: icmp: echo request (ttl 255, id 3416, len 84)
> 11:08:26.752732 216.181.177.190 > gumball.local: icmp: echo reply (ttl 32, id 52424, len 84)

We send the request; the reply is sent.

>> 64 bytes from 216.181.177.190: icmp_seq=0 ttl=32 time=8.683 ms
>> 64 bytes from 216.181.177.190: icmp_seq=1 ttl=32 time=4.65 ms

We see the packets, and report them as delivered.

> 11:08:26.775745 snap 0:0:f8:8:0 216.181.0.17 > 216.181.177.190: icmp: host gumball.local unreachable (ttl 252, id 6872, len 56)

Someone upstream reports that they can't route the packets to our
imaginary Apple-provided IP address...

> 11:08:27.200422 gumball.local.49155 > 224.0.0.251.5353: [udp sum ok] udp 46 (ttl 255, id 3426, len 74)
> 11:08:27.201158 gumball.local.5353 > 224.0.0.251.5353: udp 67 (ttl 255, id 3428, len 95)

Mysterious Apple traffic that I don't know what it means.

> 11:08:27.744703 gumball.local > 216.181.177.190: icmp: echo request (ttl 255, id 3439, len 84)
> 11:08:27.749219 216.181.177.190 > gumball.local: icmp: echo reply (ttl 32, id 52680, len 84)

More of these until we stop our ping process.

Now let's ping 216.181.177.185. That machine is our Internet gateway,
DHCP server, file server, etc. The .185 address is its wireless card.
(It has a non-wireless address of .177, but that's a different subnet.)

>> [jon at gumball jon]$ ping 216.181.177.185
>> PING 216.181.177.185 (216.181.177.185): 56 data bytes
> 1:12:06.361116 arp who-has 216.181.177.185 tell gumball.local
> 11:12:06.535906 snap 0:0:f8:8:6 arp reply 216.181.177.185 is-at 0:2:2d:8:58:99
> 11:12:06.536845 snap 0:0:f8:8:6 arp reply 216.181.177.185 is-at 0:2:2d:8:58:99
> 11:12:07.361340 arp who-has 216.181.177.185 tell gumball.local
> 11:12:07.457486 snap 0:0:f8:8:6 arp reply 216.181.177.185 is-at 0:2:2d:8:58:99
> 11:12:07.458719 snap 0:0:f8:8:6 arp reply 216.181.177.185 is-at 0:2:2d:8:58:99
[ . . . several more of these . . . ]

So .185 is sending out its ARP. It's arriving at our PowerBook. But our
network stack isn't really happy to deal with it.

> 11:12:35.335616 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x328f9bb0 file ""[|bootp] (ttl 255, id 16480, len 328)

This is our box, requesting a DHCP address. I've not asked for one, so
presumably it's just something that happens at intervals...

> 11:12:35.415966 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
> 11:12:35.721286 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
> 11:12:36.405988 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185

Our server pings a potential address; nobody responds. Good, the server
can hand this address out.

> 11:12:36.416478 snap 0:0:f8:8:0 216.181.177.185.bootps > 255.255.255.255.bootpc: xid:0x328f9bb0 Y:216.181.177.187 S:216.181.177.185 ether 0:3:93:e8:5f:b5 [|bootp] (DF) (ttl 64, id 0, len 328)

The given ethernet address is, in fact, the address of our PowerBook's
Airport Extreme card. So we've been assigned 216.181.177.187.

> 11:12:36.642021 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
> 11:12:36.643765 snap 0:0:f8:8:0 216.181.177.185.bootps > 255.255.255.255.bootpc: xid:0x328f9bb0 Y:216.181.177.187 S:216.181.177.185 ether 0:3:93:e8:5f:b5 file ""[|bootp] (DF) (ttl 64, id 0, len 328)
> 11:12:36.796179 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x328f9bb1 secs:1 [|bootp] (ttl 255, id 6248, len 328)
> 11:12:36.952087 snap 0:0:f8:8:0 216.181.177.185.bootps > 255.255.255.255.bootpc: xid:0x328f9bb1 secs:1 Y:216.181.177.187 S:216.181.177.185 ether 0:3:93:e8:5f:b5 [|bootp] (DF) (ttl 64, id 0, len 328)
> 11:12:37.258038 snap 0:0:f8:8:0 216.181.177.185.bootps > 255.255.255.255.bootpc: xid:0x328f9bb1 secs:1 Y:216.181.177.187 S:216.181.177.185 ether 0:3:93:e8:5f:b5 [|bootp] (DF) (ttl 64, id 0, len 328)
> 11:12:37.405842 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
> 11:12:37.563575 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
[ . . . repeat this a whole lot . . . ]

Unfortunately, though we've seen the packets on the interface, our box
doesn't recognize that it was assigned this address, and doesn't respond
to an ARP (and, presumably, a ping) asking us to confirm our new
address.

Other experiments tried:

I swapped the server's wireless card with one in a laptop here that I
was able to ping. Afterwards, I was still able to ping the laptop and
still unable to ping the server. Both laptop and server run Red Hat
Linux. Both wireless cards were Lucent Orinoco cards of differing
vintages.

I manually put 216.181.177.185 in our ARP table on the powerbook. Though
I saw the echo requests being sent via TCPDump, there were no echo reply
messages. Note that earlier, prior to my
let's-clean-everything-up-for-a-real-test reboot, I *swear* I saw echo
reply messages with this configuration, but (a) the system didn't report
responses to its pings and (b) I'm unable to reproduce this at present.

I manually set our address and netmask as per our (ignored) DHCP
response. Still able to ping systems on our subnet (both wireless boxes
a la the laptop and boxes plugged into the wireless hub) but not .185.
And so I'm unable to get out to the Internet from the box, as that's our
gateway.

As mentioned far, far above, I swapped my wireless hub with no change.
And, also as mentioned above, the laptop has worked fine on other
wireless networks...

I'm at a total loss as to how to proceed. It seems to me that it's
something at the kernel level: we're seeing the packets on the interface
when we run TCPDump (yes, the problems also occur when we're not
monitoring the network), but the system isn't processing them properly
--- we're not taking the DHCP address assigned to us, we're not even
dealing properly with ARP for one host. The DHCP server shouldn't be the
problem, as the same server works fine when we're plugged into the same
subnet. It's not the wireless card in the one box we can't talk with,
since we've swapped that out. It's not a reception problem, again, as we
can see the packets on the local system.

But what is it?

--
Jon Lasser
Home: jon at lasser.org | Work: jon at cluestickconsulting.com
http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com
Buy my book, _Think_Unix_!
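The conclusion Jon reads off his capture (the server offers .187, then ARPs for it repeatedly and nobody answers, so the client never took the lease) can be checked mechanically over tcpdump text. This is an added example, not Jon's code; it parses lines in the tcpdump -v format shown in his post. The capture below is a constructed sample built from lines in that format: the working ARP exchange with .190, the client's DHCP discover, the server's offer of .187 and three unanswered ARP probes for it.

```python
import re
from collections import Counter

# Constructed sample in the format of Jon's "tcpdump -v -i en1" output.
CAPTURE = """\
11:08:26.744487 arp who-has 216.181.177.190 tell gumball.local
11:08:26.748550 arp reply 216.181.177.190 is-at 0:4:32:0:1d:34
11:12:35.335616 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x328f9bb0 file ""[|bootp] (ttl 255, id 16480, len 328)
11:12:35.415966 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
11:12:36.416478 snap 0:0:f8:8:0 216.181.177.185.bootps > 255.255.255.255.bootpc: xid:0x328f9bb0 Y:216.181.177.187 S:216.181.177.185 ether 0:3:93:e8:5f:b5 [|bootp] (DF) (ttl 64, id 0, len 328)
11:12:36.642021 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
11:12:37.405842 snap 0:0:f8:8:6 arp who-has 216.181.177.187 tell 216.181.177.185
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Client broadcast from 0.0.0.0 to the bootps port: a DHCP discover/request.
DHCP_DISCOVER = re.compile(r"0\.0\.0\.0\.bootpc > 255\.255\.255\.255\.bootps: xid:(0x[0-9a-f]+)")
# Server broadcast carrying Y: (yiaddr), the address being offered.
DHCP_OFFER = re.compile(IP + r"\.bootps > 255\.255\.255\.255\.bootpc: xid:(0x[0-9a-f]+).*? Y:" + IP)
ARP_REQUEST = re.compile(r"arp who-has " + IP + r" tell (\S+)")
ARP_REPLY = re.compile(r"arp reply " + IP + r" is-at (\S+)")


def parse_capture(text):
    """Collect DHCP transactions and ARP traffic from tcpdump lines."""
    discovers = set()      # xids the client sent
    offers = {}            # offered address -> (server, xid)
    probes = Counter()     # address asked for -> number of who-has seen
    replies = {}           # address -> MAC that answered
    for line in text.splitlines():
        if m := DHCP_DISCOVER.search(line):
            discovers.add(m.group(1))
        elif m := DHCP_OFFER.search(line):
            server, xid, offered = m.groups()
            offers[offered] = (server, xid)
        elif m := ARP_REQUEST.search(line):
            probes[m.group(1)] += 1
        elif m := ARP_REPLY.search(line):
            replies[m.group(1)] = m.group(2)
    return {"discovers": discovers, "offers": offers,
            "probes": probes, "replies": replies}


def unclaimed_leases(parsed):
    """Offered addresses the server ARPed for without any answer: the offer
    reached the wire, but no host (the client included) ever configured it."""
    findings = {}
    for addr, (server, xid) in parsed["offers"].items():
        asked = parsed["probes"][addr]
        if asked and addr not in parsed["replies"]:
            findings[addr] = {
                "server": server,
                "xid": xid,
                "unanswered_probes": asked,
                # True when the offer answers a discover this client sent,
                # i.e. the client asked, was answered, and still did nothing.
                "client_asked": xid in parsed["discovers"],
            }
    return findings
```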
http://www.tux.org/~lasser/think-unix/

======================================================================
+ This message was forwarded by the dc-sage at dc-sage.org mailing list +
+ To unsubscribe or make subscription changes, send an E-mail to:    +
+ mladmin at dc-sage.org with an English description of your request.  +
======================================================================

----- End forwarded message -----

--
Live in a world of your own, but always welcome visitors.
***
Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/

From extasia at extasia.org Thu Feb 6 14:22:38 2003
From: extasia at extasia.org (David Alban)
Date: Thu, 6 Feb 2003 14:22:38 -0800
Subject: Help! DriveReady SeekComplete Error
Message-ID: <20030206142238.A28941@new.gerasimov.net>

Greetings!

On my thinkpad laptop (running SuSE linux), I observe:

    $ cat /var/log/messages > /dev/null
    cat: /var/log/messages: Input/output error

And at the end of /var/log/messages, I see:

    Feb 6 11:07:03 tomkagai kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
    Feb 6 11:07:03 tomkagai kernel: hda: dma_intr: error=0x40 { UncorrectableError }, LBAsect=11431971, sector=4295264
    Feb 6 11:07:03 tomkagai kernel: end_request: I/O error, dev 03:05 (hda), sector 4295264

/var/log is in the root filesystem, which is a reiserfs filesystem. But
the errors make me think it's a hardware problem, not a filesystem
problem. But I can get a shell from the installation CD, mount / and
run reiserfsck if folks think it'll help.

Repeated attempts to access the entire messages file result in the same
sector (4295264) being indicated in the error messages each time.

Help! What are my options? This is a critical machine.

Here are some (what I think might be) relevant lines from dmesg output:

    PIIX4: IDE controller on PCI bus 00 dev 39
    PIIX4: chipset revision 1
    PIIX4: not 100% native mode: will probe irqs later
    ide0: BM-DMA at 0x1c10-0x1c17, BIOS settings: hda:DMA, hdb:pio
    ide1: BM-DMA at 0x1c18-0x1c1f, BIOS settings: hdc:DMA, hdd:pio
    hda: HITACHI_DK23AA-12B, ATA DISK drive
    hda: 23572080 sectors (12069 MB) w/512KiB Cache, CHS=1559/240/63, UDMA(33)

Thanks!
David
--
Live in a world of your own, but always welcome visitors.
***
Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/

From alvin at maggie.linux-consulting.com Thu Feb 6 16:06:25 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Thu, 6 Feb 2003 16:06:25 -0800 (PST)
Subject: Help! DriveReady SeekComplete Error
In-Reply-To: <20030206142238.A28941@new.gerasimov.net>
Message-ID:

hi ya

On Thu, 6 Feb 2003, David Alban wrote:

> Greetings!
>
> On my thinkpad laptop (running SuSE linux), I observe:
>
> $ cat /var/log/messages > /dev/null
> cat: /var/log/messages: Input/output error
>
> And at the end of /var/log/messages, I see:
>
> Feb 6 11:07:03 tomkagai kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
> Feb 6 11:07:03 tomkagai kernel: hda: dma_intr: error=0x40 { UncorrectableError }, LBAsect=11431971, sector=4295264
> Feb 6 11:07:03 tomkagai kernel: end_request: I/O error, dev 03:05 (hda), sector 4295264

those errors are typical errors when you have one or more of the
following..

a. mixed ata-66 w/ ata-100 and ata-133 drives
   ( dont mix different speed drives on the same ide cable )
   cdrom should be on different cables than disks
b. verify that your kernel has the chipset enabled and/or patched for
   the ide controller
c. check your cables
   should be 80-conductor ... no kinks, no rubbing against metal
d. check your +12V power stability ( yeah.. you need a scope but.. )
e. your disks is about to die...
   -- backup everything onto a new backup server...
   leave the prev backups alone as it might have the only good copy of
   your data

and see if the symptoms go away or if it crashes

> hda: HITACHI_DK23AA-12B, ATA DISK drive
> hda: 23572080 sectors (12069 MB) w/512KiB Cache, CHS=1559/240/63, UDMA(33)

good drives..

c ya
alvin

From jimd at mars.starshine.org Thu Feb 6 18:16:05 2003
From: jimd at mars.starshine.org (jimd at mars.starshine.org)
Date: Thu, 6 Feb 2003 18:16:05 -0800
Subject: Help! DriveReady SeekComplete Error
In-Reply-To:
References: <20030206142238.A28941@new.gerasimov.net>
Message-ID: <20030207021605.GB8778@mars.starshine.org>

On Thu, Feb 06, 2003 at 04:06:25PM -0800, alvin at maggie.linux-consulting.com wrote:
> hi ya
> On Thu, 6 Feb 2003, David Alban wrote:
>> Greetings!
>> On my thinkpad laptop (running SuSE linux), I observe:
>>
>> $ cat /var/log/messages > /dev/null
>> cat: /var/log/messages: Input/output error
>> And at the end of /var/log/messages, I see:
>> Feb 6 11:07:03 tomkagai kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
>> Feb 6 11:07:03 tomkagai kernel: hda: dma_intr: error=0x40 { UncorrectableError }, LBAsect=11431971, sector=4295264
>> Feb 6 11:07:03 tomkagai kernel: end_request: I/O error, dev 03:05 (hda), sector 4295264

I would bring the system up in single user mode and run e2fsck -c on
each of the filesystems. This should (transparently) run the badblocks
program and cause fsck to mark any badblocks (such as 4295264) so that
the system will refrain from trying to use them.

Other than that I would look at replacing that hard drive at your
earliest convenience (recognizing that you may be stricken with
considerable *inconvenience* if you don't find a "convenient" time to
do so soon).
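The triage this thread converges on can be automated over the kernel lines David posted. As an added example (not code from David, alvin or Jim, and not the kernel's own code), the following decodes the ATA status and error words with the names the 2.4 IDE driver prints, pairs each status line with its error line, and reports per drive: the same sector failing with UncorrectableError on every retry points at the media (alvin's option e and Jim's advice to replace the drive), while CRC errors point at the transfer path (alvin's options a, c and d). The log is a constructed sample made from David's lines, repeated once as he describes, plus an invented hdc contrast case.

```python
import re
from collections import defaultdict

# Constructed sample: David's three lines, repeated at a later time (he
# reports the same sector on every retry), plus an invented hdc entry
# showing what a cable/transfer fault looks like by contrast.
SAMPLE_LOG = """\
Feb  6 11:07:03 tomkagai kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
Feb  6 11:07:03 tomkagai kernel: hda: dma_intr: error=0x40 { UncorrectableError }, LBAsect=11431971, sector=4295264
Feb  6 11:07:03 tomkagai kernel: end_request: I/O error, dev 03:05 (hda), sector 4295264
Feb  6 11:09:41 tomkagai kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
Feb  6 11:09:41 tomkagai kernel: hda: dma_intr: error=0x40 { UncorrectableError }, LBAsect=11431971, sector=4295264
Feb  6 11:09:41 tomkagai kernel: end_request: I/O error, dev 03:05 (hda), sector 4295264
Feb  6 11:10:02 tomkagai kernel: hdc: dma_intr: status=0x51 { DriveReady SeekComplete Error }
Feb  6 11:10:02 tomkagai kernel: hdc: dma_intr: error=0x84 { DriveStatusError BadCRC }
"""

# ATA status register bits, with the names the Linux 2.4 IDE driver prints.
STATUS_BITS = [(0x80, "Busy"), (0x40, "DriveReady"), (0x20, "DeviceFault"),
               (0x10, "SeekComplete"), (0x08, "DataRequest"),
               (0x04, "CorrectedError"), (0x02, "Index"), (0x01, "Error")]
# ATA error register bits 6..0; bit 7 is handled in decode_error().
ERROR_BITS = [(0x40, "UncorrectableError"), (0x20, "MediaChange"),
              (0x10, "SectorIdNotFound"), (0x08, "MediaChangeRequested"),
              (0x04, "DriveStatusError"), (0x02, "TrackZeroNotFound"),
              (0x01, "AddrMarkNotFound")]


def decode_status(status):
    return [name for bit, name in STATUS_BITS if status & bit]


def decode_error(err):
    names = [name for bit, name in ERROR_BITS if err & bit]
    # Bit 7 means "interface CRC error" on UDMA transfers (reported together
    # with ABRT) and "bad block" otherwise; the driver keys on ABRT.
    if err & 0x80:
        names.append("BadCRC" if err & 0x04 else "BadSector")
    return names


DMA_INTR = re.compile(
    r"kernel: (hd[a-z]): dma_intr: (status|error)=(0x[0-9a-fA-F]+)"
    r"(?:.*?LBAsect=(\d+), sector=(\d+))?")


def parse_dma_errors(text):
    """Pair each status line with the error line that follows for that drive."""
    events, pending = [], {}
    for line in text.splitlines():
        m = DMA_INTR.search(line)
        if not m:
            continue
        dev, kind, value = m.group(1), m.group(2), int(m.group(3), 16)
        if kind == "status":
            pending[dev] = {"dev": dev, "status": decode_status(value),
                            "error": [], "lba": None, "sector": None}
            events.append(pending[dev])
        elif dev in pending:
            ev = pending.pop(dev)
            ev["error"] = decode_error(value)
            if m.group(4):
                ev["lba"], ev["sector"] = int(m.group(4)), int(m.group(5))
    return events


def triage(text):
    """Per drive: error count, sectors that repeat, and a verdict keyword."""
    by_dev = defaultdict(list)
    for ev in parse_dma_errors(text):
        by_dev[ev["dev"]].append(ev)
    report = {}
    for dev, evs in by_dev.items():
        sectors = [e["sector"] for e in evs if e["sector"] is not None]
        repeated = sorted({s for s in sectors if sectors.count(s) > 1})
        media = any({"UncorrectableError", "BadSector"} & set(e["error"]) for e in evs)
        crc = any("BadCRC" in e["error"] for e in evs)
        if media and repeated:
            verdict = "media-repeat"   # same LBA fails every retry: back up, replace the drive
        elif crc:
            verdict = "transfer"       # CRC errors: cable, controller mode or power
        elif media:
            verdict = "media"          # one uncorrectable read: retry and watch for repeats
        else:
            verdict = "inconclusive"
        report[dev] = {"events": len(evs), "repeated_sectors": repeated,
                       "verdict": verdict}
    return report
```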
--
Jim Dennis

From dparter at cs.wisc.edu Fri Feb 7 11:48:14 2003
From: dparter at cs.wisc.edu (David Parter)
Date: Fri, 07 Feb 2003 13:48:14 -0600
Subject: for your members: SAGE CODE OF ETHICS: Final Draft for Comments
Message-ID: <200302071948.NAA13391@yfandes.cs.wisc.edu>

[Note from postmaster at baylisa.org: This message was directed to
blw at baylisa.org. I had seen a version of it on the sage-members
list, and my first inclination was to consider that those most directly
affected would be SAGE members, and would have thus had an opportunity
to have seen it on sage-members -- and repeating the message for those
who had already seen it would unlikely be considered a positive thing.
In any case, I saw no reason for the message to be sent to blw -- it is
certainly not more "blw" material than "BayLISA general membership"
material.

As I was about to drop it on the floor, the thought occurred to me that
although there is at this time no relationship between SAGE and BayLISA,
nor may a valid logical inference be made regarding an individual's
status with respect to one, given that individual's status with respect
to the other, there may be considerable value to SAGE, BayLISA, and
individual members, as well as the community in which we live and ply
our craft, to be gained by a broader exposure to a Code of Ethics. It is
for this reason that I have elected to send the message on to
baylisa at baylisa.org. If you don't like that, please feel free to
contact postmaster@ or blw@; I see no need to drag baylisa@ into such a
meta-discussion at this time.

dhw -- postmaster at baylisa.org]

Please pass this announcement on to your members.

thanks,
--david

On February 1, 2003, the SAGE Executive Committee approved a new draft
SAGE Code of Ethics for public comment. The comment period will last
until March 5, 2003, at which time the comments will be considered, and
a final draft submitted to the SAGE Executive Committee with a
recommendation.

Please check out the SAGE 2003 Draft Code of Ethics and let us know what
you think:

    http://sageweb.sage.org/about/ethics.html

Comments should be posted to the SAGEwire story:

    http://sagewire.sage.org/article.pl?sid=03/02/07/0227248

thanks,
--david

David Parter
SAGE Executive Committee

From strata at virtual.net Mon Feb 10 08:01:46 2003
From: strata at virtual.net (Strata Rose Chalup)
Date: Mon, 10 Feb 2003 11:01:46 -0500
Subject: may interest sysadmins: solar power tax proposed in CA
Message-ID: <3E47CCEA.D425BACA@virtual.net>

Feel like paying an "exit tax" to the CPUC if you are generating power
at home or for your company with solar panels? If not, you have until
about the end of this month (Feb) to gripe about it or it will probably
happen.

Here's the skinny:

    http://www.solarexpert.com/grid-tie/Action-Alert.html
    http://www.cooperativecommunityenergy.com/news/industry/Exit_fees.html

Here's a link that you can use to put in your ZIP and get your US and
state/local level reps so you can complain (or support, if that's your
thing):

    http://www.congress.org/congressorg/home/

cheers,
Strata

--
========================================================================
Strata Rose Chalup [KF6NBZ]                     strata "@" virtual.net
VirtualNet Consulting                            http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================

From extasia at extasia.org Tue Feb 11 16:52:24 2003
From: extasia at extasia.org (David Alban)
Date: Tue, 11 Feb 2003 16:52:24 -0800
Subject: SIG-BEER-WEST this Saturday, 2/15 in San Francisco
Message-ID: <20030211165224.A19859@gerasimov.net>

SIG-beer-west
Saturday, February 15, 2002 at 6:00pm
San Francisco, CA

Beer. Mental stimulation.

*** This month: sig-beer-west's first birthday!
*** This event:

  * Saturday, 02/15/2003, 6:00pm, at the Toronado, San Francisco

Coming events (third Saturdays):

  * Saturday, 03/15/2003, 6:00pm
  * Saturday, 04/19/2003, 6:00pm
  * Saturday, 05/17/2003, 6:00pm
  * Saturday, 06/21/2003, 6:00pm

San Francisco's next social event for computer sysadmins and their
friends, sig-beer-west, will take place on Saturday, February 15, 2002
at the [1]Toronado in San Francisco, CA. The Toronado has an impressive
selection of [2]draught and [3]bottled beer. Festivities will start at
6:00pm and continue until we've all left.

The Toronado has an excellent selection of beer, but no food. It is
perfectly okay to score food from neighboring establishments and bring
it back to the Toronado to eat. Also, after we are all full with beer
we may roam off to a nearby restaurant.

  [1] http://www.toronado.com/
  [2] http://www.toronado.com/draft.htm
  [3] http://www.toronado.com/bottles.htm

Everyone is welcome at this event. We mean it! Please feel free to
forward this information and to invite friends, co-workers, and others
who might enjoy lifting a glass with interesting folks from all over the
place. (O.K., you do have to be of legal drinking age to attend.)

For directions to the Toronado, please use the [4]excellent directions
at their website. When you show up at the Toronado, you should look for
some kind of botched sig-beer-west sign. We will try to make it obvious
who we are. :-)

  [4] http://www.toronado.com/map.htm

Note: Check the tables in the back room for us if you don't see us at
the tables by the bar. The back room is back and to the left.

Any Comments, Questions, or Suggestions of Things to Do Later on That
Evening ... email [5]Fiid or [6]David.

  [5] mailto:fiid at fiid.net
  [6] mailto:extasia at mindspring.com

sig-beer-west FAQ

1. Q: Your announcement says "computer sysadmins and their friends". How
   do I know if I'm a friend of a computer sysadmin? I don't even know
   what one is.
A: You're a friend of a computer sysadmin if you can find the sig-beer-west sign at this month's sig-beer-west event. 2. Q: I'm not really a beer person. In fact I'm interested in hanging out, but not in drinking. Would I be welcome? A: Absolutely! The point is to enjoy each others' company. Please do join us. 3. Q: Is parking difficult around the Toronado, like maybe I should factor this into my travel time? A: Yes. ______________________________________________________________________ sig-beer-west was started in February 2001 when a couple Washington, D.C. based systems administrators who moved to the San Francisco Bay area wanted to continue a [7]dc-sage tradition, sig-beer, which is described in dc-sage web space as: SIG-beer, as in "Special Interest Group - Beer" ala ACM, or as in "send the BEER signal to that process". The original SIG-beer gathering takes place in Washington DC, usually on the first Saturday night of the month. [7] http://www.dc-sage.org/ ______________________________________________________________________ Last modified: $Date: 2003-02-01 00:33:11-08 $ - -- Live in a world of your own, but always welcome visitors. *** Come to sig-beer-west! http://www.extasia.org/sig-beer-west/ Unix sysadmin available: http://www.extasia.org/resume/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+SZkyPh0M9c/OpdARApRrAJ9ZZn6c19lje8QwrUg5YpC0KjRlrQCgmSLD uALJV6kGUkErdL4+1/S3CJc= =3Isg -----END PGP SIGNATURE----- -- Live in a world of your own, but always welcome visitors. *** Come to sig-beer-west! http://www.extasia.org/sig-beer-west/ Unix sysadmin available: http://www.extasia.org/resume/ From holland at guidancetech.com Thu Feb 13 08:49:45 2003 From: holland at guidancetech.com (Rich Holland) Date: Thu, 13 Feb 2003 11:49:45 -0500 Subject: Sendmail replacements? Message-ID: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> [Approved despite the HTML. Sigh. 
-- postmaster at baylisa.org]

It's been several years since I did any significant SMTP work, and now I find that I've got to configure a bunch of machines and a central hub to relay mail for the others. My first thought was rewriting headers by changing the sendmail.cf file, but now that I think about it, this may be the time to replace sendmail with something "easier" or "better" or "more secure" but I'm out of touch with the state of the art in SMTP mailers.

Anyone have any suggestions?

Thanks!
Rich

From rkim at networktology.com Thu Feb 13 09:29:18 2003
From: rkim at networktology.com (Roy Kim)
Date: Thu, 13 Feb 2003 09:29:18 -0800 (PST)
Subject: Sendmail replacements?
In-Reply-To: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID:

Postfix is an excellent choice for replacing sendmail.
http://www.postfix.org

Features:
It runs as a non-root user.
It runs as multiple processes.
It has a human readable config file.
It runs MUCH faster than sendmail.

Roy Kim
Networktology Inc.

On Thu, 13 Feb 2003, Rich Holland wrote:
> [Approved despite the HTML. Sigh. -- postmaster at baylisa.org]
>
> It's been several years since I did any significant SMTP work, and now I
> find that I've got to configure a bunch of machines and a central hub to
> relay mail for the others. My first thought was rewriting headers by
> changing the sendmail.cf file, but now that I think about it, this may
> be the time to replace sendmail with something "easier" or "better" or
> "more secure" but I'm out of touch with the state of the art in SMTP
> mailers.
>
> Anyone have any suggestions?
>
> Thanks!
> Rich

From kls at merlot.com Thu Feb 13 09:19:04 2003
From: kls at merlot.com (Kurt Sussman)
Date: Thu, 13 Feb 2003 09:19:04 -0800
Subject: Sendmail replacements?
In-Reply-To: References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> Message-ID: <20030213171904.GL14805@merlot.com> I've been running Postfix for a few years now, and I like it a lot. However, I've just discovered Exim, and I might choose that for its simpler configuration if I had to set up email for a small office. Both can work with SpamAssassin and POP-before-SMTP and all the usual add-ons. Both can read their lists from a database or LDAP or DB files. I guess since you're starting from scratch either way, check the docs and see which seem the most useful to you. You'll be referring to them a lot. --Kurt Roy Kim (rkim at networktology.com) typed this ... > > Postfix is an excelent choice for replacing sendmail. > > http://www.postfix.org > > Features: > It runs as a non-root user. > It runs as multiple processes. > It has a human readable config file. > It runs MUCH faster than sendmail. > > Roy Kim > > Networktology Inc. > > > On Thu, 13 Feb 2003, Rich Holland wrote: > > > > [Approved despite the HTML. Sigh. -- postmaster at baylisa.org] > > > > It's been several years since I did any significant SMTP work, and now I > > find that I've got to configure a bunch of machines and a central hub to > > relay mail for the others. My first thought was rewriting headers by > > changing the sendmail.cf file, but now that I think about it, this may > > be the time to replace sendmail with something "easier" or "better" or > > "more secure" but I'm out of touch with the state of the art in SMTP > > mailers. > > > > > > > > Anyone have any suggestions? > > > > > > > > Thanks! 
> > Rich
> >

--
----------------------------------------------------------------------
Merlot Research Group, Inc http://www.merlot.com
kls at merlot.com GPG key 82505A74 Jabber: MerlotQA

From david at catwhisker.org Thu Feb 13 09:45:20 2003
From: david at catwhisker.org (David Wolfskill)
Date: Thu, 13 Feb 2003 09:45:20 -0800 (PST)
Subject: Has anyone had a useful interaction with remove@dun.dnsrbl.com??!?
Message-ID: <200302131745.h1DHjKwB059543@bunrab.catwhisker.org>

>Date: Thu, 13 Feb 2003 09:31:13 -0800 (PST)
>From: Mail Delivery Subsystem
>To:
>Subject: Returned mail: see transcript for details
>...
> ----- The following addresses had permanent fatal errors -----
>
> (reason: 550 5.2.1 Mailbox unavailable. Your IP address 63.193.123.122 is blacklisted using DNSRBL-DUN. Details: (Dialup) http://www.dnsrbl.com/lookupserver.jsp.)
>....

Y'know, I have never been keen on blocking netblocks merely because they are home to transiently-connected machines. And 63.193.123.122 is *not* a dialup, and is *not* dynamic.

I have sent messages to remove at dnsrbl.com twice in the last 5 days, pointing out that this has been a static assignment since August 1999, and asking what justification they have for listing it in dun.dnsrbl.com. The only response so far has been one auto-response to each.

If anyone has managed to have a useful interaction with these folks, please speak up, and let me know how that is done.

In the meantime, I will do what I can to let folks know that choosing to use that service is also choosing to reject my mail. For whatever that might be worth. :-(!

Not a happy camper,
david
(links to my resume at http://www.catwhisker.org/~david)
--
David H. Wolfskill david at catwhisker.org
WARNING: Use of Microsoft products may be hazardous to your system's integrity.

From mallen at byte-me.org Thu Feb 13 09:47:00 2003
From: mallen at byte-me.org (Mark Allen)
Date: Thu, 13 Feb 2003 09:47:00 -0800
Subject: Sendmail replacements?
In-Reply-To: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>; from holland@guidancetech.com on Thu, Feb 13, 2003 at 11:49:45AM -0500
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID: <20030213094700.A6327@sephiroth.byte-me.org>

On Thu, Feb 13, 2003 at 11:49:45AM -0500, Rich Holland wrote:
[It's been a few years, and I need a mail relay]
> Anyone have any suggestions?

Religious war #1092: The "better", "more secure" Mail Transport Agent. Not going there. :)

In no particular order here are the four MTAs that leap to mind immediately. All of them could do your task.

1) sendmail - the original. My personal preference. Yes, it's byzantine and maybe overly complicated, but I know it well, and "in general" it tends to "do the right thing." Since 8.9.3, there's been a huge focus on security issues. My personal opinion is that the "buggy, security hole ridden" claims are mostly religious screeds at this point. YMMV.

2) qmail - Requires a bit of mail spool and mailbox configuration. (i.e., not a direct sendmail drop in replacement.) Widely used and enjoyed.

3) postfix - Many of my friends use this MTA. They all seem to like it. Conveniently, a drop in sendmail replacement. Seems easier to configure than sendmail, but that's a perception rather than an empirical observation.

4) exim - Don't know much about it. I've encountered it mostly in Debian based Linux boxen.

Find more opinion, source and HOW TOs by using your favorite Internet search method.

Best regards,
Mark
--
Mark Allen -- mallen at byte-me.org -- http://www.byte-me.org/~mallen/
PGP: 0x5CDC2161 Mark Allen (Personal Key)

From dannyman at toldme.com Thu Feb 13 09:49:50 2003
From: dannyman at toldme.com (Danny Howard)
Date: Thu, 13 Feb 2003 09:49:50 -0800
Subject: Sendmail replacements?
In-Reply-To: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID: <20030213174950.GE5918@pianosa.catch22.org>

Rich,

There is Qmail and there is Postfix.

Qmail is older. It is written by the iconoclast mathematician djb. It prides itself on being gratuitously different. No, really! It prefers to live in, of all places, /var/qmail! Whee! And instead of normal config files, there's a directory, with one file holding a value for each configuration directive. Ah, and .forward files are passé, it is all about .qmail, and forwarding addresses technically should be preceded by an &.

For all this, Qmail is very cool because it is a bunch of paranoid little daemons with limited privs talking to each other. It performs very well, and is extremely secure.

Then Wietse came along. He wrote Postfix. Postfix is shaped very much like Qmail, only it takes pains to be user-friendly. It honors Sendmail's .forward files, for example, and a lot of conventions with, say, "virtual user tables" while throwing out the whole sendmail.cf monstrosity in favor of TWO, count them, TWO system configuration files. The one you expect to edit is highly commented, and comes with a whole set of example config files for particular purposes.

Postfix is awesome, though, because of its architecture, it sometimes has certain limitations that I can't recall. Maybe it is ETRN for a single domain doesn't work, or at one time, did not work. And there used to be limitations on how much address rewriting and header munging it could do in one pass, only because the config file syntax is not completely extensible like Sendmail's, and Wietse hadn't implemented every last bizarro feature that the people wanted.

But I haven't implemented a Postfix install in a while. In fact, I haven't implemented much of anything in a while. Does anyone want me to implement something for them? My resume is at http://meat.net/~dannyman/resume.html.
:)

Thanks for tolerating my self-promotion.

-danny
--
http://dannyman.toldme.com/

From greg at kulosa.org Thu Feb 13 10:13:28 2003
From: greg at kulosa.org (Greg Kulosa)
Date: Thu, 13 Feb 2003 10:13:28 -0800
Subject: Sendmail replacements?
In-Reply-To: ; from rkim@networktology.com on Thu, Feb 13, 2003 at 09:29:18AM -0800
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID: <20030213101328.A4677@jaxom.dhcp.kulosa.org>

> Features:
> It runs as a non-root user.
> It runs as multiple processes.
> It has a human readable config file.
> It runs MUCH faster than sendmail.

Ditto for qmail.

Qmail also does virtual domains. With virtual domains, each user does _not_ need an entry in the /etc/passwd file to get POP (or IMAP) service. There is just one user per domain, and all mail for that domain is stored in that home directory.

Once a virtual domain is set up, you can add mailboxes, aliases, etc. via a web interface, if you want. This same web interface allows users to change their POP passwords, or to forward their E-mail (like for when they travel).

There is also an add-on module that lets you scan each incoming/outgoing message for viruses. This has really kept the latest E-mail viruses (KLEZ, mostly) from infecting the whole user base. There is a Linux binary command-line scanner from McAfee that I use.

Anyway, I like qmail a lot, and am about to install it at another place for their mailhub.

See http://www.qmail.org/ for documentation and add-ons.

--
Greg A. Kulosa           | "The avalanche has already started, it is too
Systems Administrator    | late for the pebbles to vote." - Ambassador Kosh
Independent Consultant   |___________________________________________________
greg at kulosa.org

From jxh at jxh.com Thu Feb 13 10:35:40 2003
From: jxh at jxh.com (Jim Hickstein)
Date: Thu, 13 Feb 2003 10:35:40 -0800
Subject: Sendmail replacements?
In-Reply-To: <20030213171904.GL14805@merlot.com>
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> <20030213171904.GL14805@merlot.com>
Message-ID: <18920000.1045161340@jxh.mirapoint.com>

A co-worker tells me I will be remiss if I don't plug my own product, here. I work for Mirapoint. www.mirapoint.com. It's a machine, not a software package; and commercial, not free. (And high-end, not cheap. Think tens of thousands to millions of users.) Still, I'm a customer myself, in production (www.imap-partners.net) and I'm very happy. I get to sleep at night, and I had to do almost no work to set it up and very little to keep it going. I finally grew out of my sendmail masochism (though I enjoyed it plenty at the time). :-)

From star at starshine.org Thu Feb 13 10:47:27 2003
From: star at starshine.org (Heather Stern)
Date: Thu, 13 Feb 2003 10:47:27 -0800
Subject: Sendmail replacements?
In-Reply-To: <20030213094700.A6327@sephiroth.byte-me.org>
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> <20030213094700.A6327@sephiroth.byte-me.org>
Message-ID: <20030213184727.GB11012@starshine.org>

> > Anyone have any suggestions?
>
> Religious war #1092: The "better", "more secure" Mail Transport Agent.
> Not going there. :)

Too late :D

> In no particular order here are the four MTAs that leap to mind immediately.
> All of them could do your task.

I'll add some comments about some minor ones, and some impersonal comments about the control file style of the ones which I have configured. It's so far been my experience that the control-file stuff is what makes people think of one or the other as hard, easy, or only suitable for mad scientists willing to cackle *ah haha ha* "It's Alive!" when it accepts mail. Rather like the "pine vs. elm" or "vi vs. emacs" arguments of old.

> 1) sendmail - the original. My personal preference. Yes, it's byzantine
> and maybe overly complicated, but I know it well, and "in general" it
> tends to "do the right thing."
> Since 8.9.3, there's been a huge focus on
> security issues. My personal opinion is that the "buggy, security hole
> ridden" claims are mostly religious screeds at this point. YMMV.

Regardless of claims to the contrary it is possible to configure it for optimized queue handling; the fact that any given style of setup isn't the default state is more a problem about whether the sysadmin wishes to spend some time on it.

The config file format from the mailer's point of view is in the sendmail.cf file - whose top third is composed of useful comments attached to one-liner options, and whose bottom two-thirds is line noise of the finest caliber. However, most sysadmins use the sendmail.mc file to configure it, which takes weird little options without comments and feeds them through m4 to autogenerate sendmail.cf, line noise and all. Since some features ... errr, FEATURE()s require blobs of line noise, it's considered easiest. It's common for the options to take a "get your data from a file" setting, so /etc/mail usually contains these postmaster-readable data files.

The sendmail.org, sendmail.com, and sendmail.net addresses lead to entirely different sets of *very* helpful information.

There are a handful of ways to help protect systems from the fact that sendmail is a monolithic program run by root. Its primary needs for root are (1) port 25, and (2) ability to become the right user for local delivery purposes.

> 2) qmail - Requires a bit of mail spool and mailbox configuration. (i.e.,
> not a direct sendmail drop in replacement.) Widely used and enjoyed.

qmail, like postfix, splits its functions into parts which run at different privileges, protecting them from a number of "hey one sploit and the box is m1n3" troubles. The config files come as a puddle of small parts, each designed to control the aspect they are about. And it's very often helped by dotfiles in the users' directories; the ezmlm mailing list depends on those heavily.
I don't like having these control bits scattered so; YMMV.

qmail's mailbox format, called Maildirs, is also used by courier-imap; however users of that mail layout aren't limited to qmail, because minor tweaks to local delivery agents allow anybody to deliver in that style. It has been claimed that this style is less fragile about damaging mail when there are storage and transmit problems.

> 3) postfix - Many of my friends use this MTA. They all seem to
> like it. Conveniently, a drop in sendmail replacement. Seems easier
> to configure than sendmail, but that's a perception rather than an
> empirical observation.

Under Debian, its default queueing configuration seems much faster. The comments in the config files were adequate and the side documentation covered the rest verbosely. It seems to me that setting up virtual mail-sites is much easier here, but I'm the sort who prefers to avoid helper-UIs for these things - there are scads of such helper UIs for configuring sendmail virtualhosts and at least one for configuring qmail virtualhosts. This is the MTA which I use at my own site, and it serves me quite well.

> 4) exim - Don't know much about it. I've encountered it mostly in
> Debian based Linux boxen.

Written by people who had a fondness for smail but knew that it had to die. I've not found it particularly easy to grok, myself, so I cannot comment further upon it, except to say how easy Debian makes it to pick any of its smtp-servers as your mailerdaemon.

> Find more opinion, source and HOW TOs by using your favorite
> Internet search method.

In the case of apps whose name you know, I'd start at http://freshmeat.net, type their name into the engine, and pull up their small description, then link through to their home pages. Once satisfied I'd come back to freshmeat and check other things in the SMTP server category (browsing the site index system).

I have had personal experience with one other MTA, the one that comes with the Courier suite of features.
As of a few months ago it was desperately underpowered and not particularly easy (though not impossible) to configure. I did not consider it ready for prime time, and since the site was heavily dependent on its mail, we went for a more prominent maildaemon, with local-delivery to maildirs set up.

I messed around a little with Masqmail, the MTA which goes with masqdialer and is supposed to be optimized for sites which are often disconnected or may move - in other words, allegedly ideal for laptops. If you can figure out how to tweak its notion of when you're connected or not, it looks pretty slick. Otherwise, postfix and sendmail at least have means to deal with being disconnected. Just about any MTA should be able to handle "queue only" and have some command for "flush the queue" - since flushing the queue is an important command for moving the site to a new box.

I know someone who, deciding their antispam policy was not met by the current local-deliveries, replaced the local delivery agents found with his MTA (qmail) and the ever popular external replacement (procmail) with his own, "grandma". grandma delivers to maildirs and is optimized for a whitelist/blacklist view of the world.

A gentle reminder that these all work best if your DNS is in good working order so your MX records are valid, is in order. There's a great resource "Ask Mr. DNS" about the best gory details in DNS setup.

And of course, a shameless plug; I'm a consultant, so if you need someone to come in from offsite and work on one of these, feel free to contact me privately.

  . | .   Heather Stern                  | star at starshine.org
--->*<--- Starshine Technical Services - * - consulting at starshine.org
  ' | `   Sysadmin Support and Training  | (800) 938-4078

From chuck+baylisa at snew.com Thu Feb 13 11:07:08 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Thu, 13 Feb 2003 14:07:08 -0500
Subject: Sendmail replacements?
In-Reply-To:
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID: <20030213190708.GA16665@snew.com>

Quoting Roy Kim (rkim at networktology.com):
> Postfix is an excelent choice for replacing sendmail.
> http://www.postfix.org
> Features:
> It runs as a non-root user.

Sendmail 8.12 doesn't run as root. Hell, without local deliveries and with a plug to make port25 connections go high (ipfilter), NO sendmail needed to run as root.

> It runs as multiple processes.

Sendmail doesn't spawn multiple processes, saving memory and overhead.

> It has a human readable config file.

With a pretty GUI, the most Jr. Admin can run sendmail Pro, nobody should read sendmail.cf, the m4 file generates it (sendmail.cf analogous to reading the "ls(1)" binary. You want to change the ls.c source to effect changes in the ls(1) binary.). I've used config files based on the same 25 line .m4 files for 10 years.

> It runs MUCH faster than sendmail.

Sendmail 8.11 is faster than Postfix, once tuned. (Had a job where a postfix guy claimed this too. His postfix and machine were well tuned and smoked sendmail. 10 minutes of sendmail changes made that different). I enjoy the myth, but repetition won't make it true. 8.12 can smoke 8.12 esp on a gateway (no local deliveries).

Sendmail has paid fulltime developers and a large .org group working on it. I can find plenty of Sendmail admins about anywhere in the country (if you're looking in the bay, I'm in Oakland :). Sendmail has commercial products and support. I'm not in love with the product, it could be better and should be, but if a secretary can handle managing the IMAP server and adding/removing users it's good. If s/he can add/remove access map entries and aliases, all the better (though those really want to be in LDAP for all to share).

It's actively developed; I use Milters (mail filter API programs) to scan for and block spam during the SMTP connection (never enters my site). I could run anti-virus milters but I don't use Outlook.
I've also had folks complain that "sendmail is too complex! By the way, can you have it only send > 100k messages after 8PM when my ISDN rate is cheaper?" (yes and yes). It's nice to have all those switches available. 98% of installs will change 2% of the defaults, though.

I've used sendmail at small businesses and I've used them at some excessively large mail environments.

If you need an appliance and are okay with black boxes, mirapoint runs an IMAP server on a FreeBSD box and backups work fine up to 63GB or so.

Exim and Postfix are worth looking at if you want to look at something. QMail 2, if it ever comes out, looks interesting.

From rick at linuxmafia.com Thu Feb 13 11:20:02 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Thu, 13 Feb 2003 11:20:02 -0800
Subject: Sendmail replacements?
In-Reply-To: <20030213094700.A6327@sephiroth.byte-me.org>
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> <20030213094700.A6327@sephiroth.byte-me.org>
Message-ID: <20030213192001.GO26173@linuxmafia.com>

Quoting Mark Allen (mallen at byte-me.org):
> Find more opinion, source and HOW TOs by using your favorite
> Internet search method.

I have a collection of same, and classification of the main options by architecture category, here:
http://linuxmafia.com/~rick/linux-info/mtas

--
Cheers,            It is by caffeine alone I set my mind in motion.
Rick Moen          It is by the beans of Java that thoughts acquire speed,
rick@              The hands acquire shaking, the shaking becomes a warning,
linuxmafia.com     It is by caffeine alone I set my mind in motion.

From john at ragingkegger.com Thu Feb 13 11:48:54 2003
From: john at ragingkegger.com (John Brunn)
Date: Thu, 13 Feb 2003 11:48:54 -0800 (PST)
Subject: Sendmail replacements?
In-Reply-To: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID:

I can't say enough good things about exim. I've been using it for about 2 years now, and I've never had any problems.
Nothing against the other MTAs, but once I tried exim I never felt the need to use another one. Config file is extremely easy to use, rewrites are cake... www.exim.org has excellent documentation and is constantly being updated. We've gotten excellent throughput from our mail relays using it, getting well over 100k messages / day each.

However, exim uses the philosophy "95% of all mail can be delivered right away". Therefore, it is optimized to send mail as soon as it gets it. If you are expecting to have a large queue on the server (or mail that won't be able to be delivered for a while because of remote mail servers, etc) then I believe postfix or qmail might be a better choice. However, for mail relays or an internal mail server, as I've stated before, I can't say enough good things about it.

As someone else stated, compiling exim is not a 2 minute job. You have to look into the make file and compile in the options that you want. But once you get it running, the configuration is easy.

My next step is compiling in spamassassin...

-John Brunn

On Thu, 13 Feb 2003, Rich Holland wrote:
> [Approved despite the HTML. Sigh. -- postmaster at baylisa.org]
>
> It's been several years since I did any significant SMTP work, and now I
> find that I've got to configure a bunch of machines and a central hub to
> relay mail for the others. My first thought was rewriting headers by
> changing the sendmail.cf file, but now that I think about it, this may
> be the time to replace sendmail with something "easier" or "better" or
> "more secure" but I'm out of touch with the state of the art in SMTP
> mailers.
>
> Anyone have any suggestions?
>
> Thanks!
> Rich

From sc at sfik.com Thu Feb 13 12:11:46 2003
From: sc at sfik.com (Simon Cooper)
Date: Thu, 13 Feb 2003 12:11:46 -0800 (PST)
Subject: Sendmail replacements?
In-Reply-To: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>
Message-ID:

A couple of comments and random thoughts about qmail, postfix and mailers.
- architecturally they are different! qmail has a master program which starts children who inherit their operating environment (and some control parameters) from the parent. This is part of the design. postfix is a gaggle of daemons who communicate parameters via pipes. They do not inherit control characteristics from their parent. The daemons are also suspicious of what they are passed and "validate" all input. This is part of the design. - the way they are written is different! D. J. Bernstein (qmail's primary author) treats whitespace and comments as a non-renewable resource! Much of his code would not be out of place as a submission to the IOCCC. If you need to debug a code problem or want to add a feature then you'll likely end up spending considerable time doing it. Wietse Zweitze Venema (Postfix's primary author) writes code which is legible, and with insightful comments. You'll spend less time debugging a code problem or trying to add a feature. - All of the (major) "religious war" mailers were written either by academics, professionals with a strong academia background or students. - None of exim, postfix or qmail were written by a student who was an undergraduate or graduate at the time! Consequently none of the programs get my labeling as: "graduate code" or "undergraduate code". (Both sendmail and bind qualify!) Having said these things, all of Exim, Postfix and qmail get the job done. I run postfix. Simon. On Thu, 13 Feb 2003, Rich Holland wrote: > [Approved despite the HTML. Sigh. -- postmaster at baylisa.org] > > It's been several years since I did any significant SMTP work, and now I > find that I've got to configure a bunch of machines and a central hub to > relay mail for the others. 
> My first thought was rewriting headers by
> changing the sendmail.cf file, but now that I think about it, this may
> be the time to replace sendmail with something "easier" or "better" or
> "more secure" but I'm out of touch with the state of the art in SMTP
> mailers.
>
> Anyone have any suggestions?
>
> Thanks!
> Rich

From wolfgang+gnus20030213T120724 at wsrcc.com Thu Feb 13 12:12:45 2003
From: wolfgang+gnus20030213T120724 at wsrcc.com (Wolfgang S. Rupprecht)
Date: 13 Feb 2003 12:12:45 -0800
Subject: Has anyone had a useful interaction with remove@dun.dnsrbl.com??!?
References: <200302131745.h1DHjKwB059543@bunrab.catwhisker.org>
Message-ID:

david at catwhisker.org (David Wolfskill) writes:
> > ----- The following addresses had permanent fatal errors -----
> >
> > (reason: 550 5.2.1 Mailbox unavailable. Your IP address 63.193.123.122 is blacklisted using DNSRBL-DUN. Details: (Dialup) http://www.dnsrbl.com/lookupserver.jsp.)

I'm not a fan of the dialup lists either. Many of them have made noises at one time or other of listing all cable-modems and DSLs regardless of them being static or dynamic addresses.

63.193.123.122: IPv4 'adsl-63-193-123-122.dsl.snfc21.pacbell.net'

Since pacbell didn't give any meaningful names to the IP addresses several of the dialup list maintainers assumed that they were dynamic DSL. I think most of them have since fixed their listings.

You can check most of the DNSBLs from this page: http://www.moensted.dk/spam/

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
(NOTE: The email address above is valid. Edit it at your own peril.)

From claw at kanga.nu Thu Feb 13 12:14:00 2003
From: claw at kanga.nu (J C Lawrence)
Date: Thu, 13 Feb 2003 12:14:00 -0800
Subject: Sendmail replacements?
In-Reply-To: Message from "Rich Holland" of "Thu, 13 Feb 2003 11:49:45 EST."
<00d401c2d37f$ea0e7ac0$3d964790@hackintosh> References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> Message-ID: <12312.1045167240@kanga.nu> On Thu, 13 Feb 2003 11:49:45 -0500 Rich Holland wrote: > It's been several years since I did any significant SMTP work, and now > I find that I've got to configure a bunch of machines and a central > hub to relay mail for the others. Aye, that's called a "smarthost". > My first thought was rewriting headers by changing the sendmail.cf > file, but now that I think about it, this may be the time to replace > sendmail with something "easier" or "better" or "more secure" but I'm > out of touch with the state of the art in SMTP mailers. You're going to be told about Exim, Postfix, Qmail and Sendmail. Start out by realising that this is a field rife with subjective opinion and preferences reported as fact. Of the lot above I've used Exim and Postfix extensively. I like 'em both. Shockingly I like 'em for different reasons and use them in different cases. Postfix screams (in a non ear wax drilling way). With minor effort on a $2,000 box I find I can sustain 2,400 outbound deliveries per minute (to Internet sites across the cloud). That runs up to a few million a day without blinking. The configuration is trivial, well documented, consolidated into two files, and pleasant. Exim is a delight. Extremely well documented and configurable out the wazoo. On the same $2,000 box with similar levels of effort to Postfix I've gotten 2,200 outbound deliveries per minute with similar effort levels. I run and use both. I like both. - Exim is absurdly configurable and extensible. It rivals Sendmail for the number of buttons that can be tweaked. Happily the vast majority have intelligent defaults and can be left alone. More happily it has excellent documentation on the buttons. - Exim is amazingly easy to integrate with external systems, tools, mail processing systems etc. Postfix isn't bad in that regard, but Exim is better. 
  As a quick example for my TMDA integrations I needed alias pipes to be
  run as a specific UID/GID. That's trivial under Exim and not under
  Postfix.

  -- The above point warrants more attention. Exim is amazingly good at
  integration. SpamAssassin, TMDA, virus scanners, outbound mail
  processors, per address filtering, system wide filters, you name it.
  Exim just smiles and asks for more -- and all with a config file you
  can come back to two years later and understand on the first reading.

- Exim is very friendly to localhost by default. It has a number of
  knobs for things like system load, number of messages received etc,
  that make it easy to keep Exim friendly to other services running on
  the same box. Similarly it's easy to configure Exim such that it
  essentially never impacts localhost operation, even under large
  spools.

- Exim doesn't handle large spools well. There are a number of things
  you can do to improve that condition (like split spools), but the
  baseline remains: If you're heading into the hundreds of thousands of
  spool entries Exim is going to start to suffer. There are some ugly
  contention points on the core control files in Exim which don't
  improve matters there. Postfix handles large spools with considerably
  more ease, and has a flatter smoother scaling curve in that regard.

- Philip Hazel (Exim author) and Wietse Venema (Postfix author) are
  pleasant, responsive, friendly, and generally good sorts that are
  about as much of a joy to work with as you could ever hope for. Both
  have large active support communities for their MTAs.

I see that Rick Moen (:waves) later quotes a quote of my comments on
them, so I'll leave that there.

I (and others) have made various comments in the Mailman FAQ that you
might find useful:

  http://www.python.org/cgi-bin/faqw-mm.py?req=index

> Anyone have any suggestions?

Boy, most people don't invite nuclear strikes.

-- 
J C Lawrence                ---------(*)        Satan, oscillate my metallic sonatas.
claw at kanga.nu                                He lived as a devil, eh?
http://www.kanga.nu/~claw/                      Evil is a name of a foeman, as I live.

From chuck+baylisa at snew.com Thu Feb 13 12:24:14 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Thu, 13 Feb 2003 15:24:14 -0500
Subject: Sendmail replacements? (correction)
In-Reply-To: <20030213190708.GA16665@snew.com>
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> <20030213190708.GA16665@snew.com>
Message-ID: <20030213202414.GC18014@snew.com>

Quoting Chuck Yerkes (chuck+baylisa at snew.com):
> Quoting Roy Kim (rkim at networktology.com):
> > Postfix is an excellent choice for replacing sendmail.
> > http://www.postfix.org
> > Features:
> > It runs as a non-root user.
>
> Sendmail 8.12 doesn't run as root. Hell, without local
> deliveries and with a plug to make port25 connections go high
> (ipfilter), NO sendmail needed to run as root.

I've misstated... sendmail 8.12 DOES run as root. It doesn't run as
setUID any longer.

It needs to be root to bind to port 25. It needs to be root to become
a user to process .forward files and, sometimes, to deliver locally.

If you have ipfilter or something, you can have it redirect port 25 up
to, say, port 2525. Then it can run as non-root.

If you don't have .forward files (or local mail users), and you deliver
to a smart mailstore (cyrus, etc), you can talk to an LMTPD socket and
not be root.

Generally when using Cyrus or Sendmail Inc's IMAP, it runs as root long
enough to bind to 25 and then runs as a RunAs user.

Sendmail 8.10 on are also not sendmail of 1990. It suffers from a long
history. Ford Model T's were very dangerous in crashes. That doesn't
mean that those dangers are still present in current day Fords.

Despite Alan Paller's "top SANS vulnerabilities list", sendmail is well
audited and well understood.

It also supports SMTP/TLS and SMTP/Auth. QMail only supports them with
plug-ins which DJB decries as foul.

Postfix supports SMTP/TLS as well. Wietse is easier to deal with than
Dr Dan.
From claw at kanga.nu Thu Feb 13 12:37:06 2003
From: claw at kanga.nu (J C Lawrence)
Date: Thu, 13 Feb 2003 12:37:06 -0800
Subject: Sendmail replacements? (correction)
In-Reply-To: Message from Chuck Yerkes of "Thu, 13 Feb 2003 15:24:14 EST." <20030213202414.GC18014@snew.com>
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh> <20030213190708.GA16665@snew.com> <20030213202414.GC18014@snew.com>
Message-ID: <13127.1045168626@kanga.nu>

On Thu, 13 Feb 2003 15:24:14 -0500 Chuck Yerkes wrote:

> It (sendmail) also supports SMTP/TLS and SMTP/Auth. QMail only
> supports them with plug-ins which DJB decries as foul.

> Postfix supports SMTP/TLS as well.

Exim and Postfix both support SMTP/TLS, SMTP/Auth, and the normal hooks
for silly things like POP-before-SMTP. At that sort of base feature
level there's little if anything to compare among them (except for
DJB's other silliness you mention).

> Wietse is easier to deal with than Dr Dan.

Understatement. Philip Hazel is also rather pleasant. Their mailing
lists reflect this: the QMail lists have regular bouts of newbie/FAQ
derision whereas the exim and postfix lists tend to be much more
supportive and constructive.

-- 
J C Lawrence                ---------(*)        Satan, oscillate my metallic sonatas.
claw at kanga.nu                                He lived as a devil, eh?
http://www.kanga.nu/~claw/                      Evil is a name of a foeman, as I live.

From wolfgang+gnus20030213T121722 at wsrcc.com Thu Feb 13 12:30:03 2003
From: wolfgang+gnus20030213T121722 at wsrcc.com (Wolfgang S. Rupprecht)
Date: 13 Feb 2003 12:30:03 -0800
Subject: Sendmail replacements?
References: <00d401c2d37f$ea0e7ac0$3d964790@hackintosh>, <20030213190708.GA16665@snew.com>
Message-ID:

chuck+baylisa at snew.com (Chuck Yerkes) writes:

> Sendmail 8.12 doesn't run as root. Hell, without local
> deliveries and with a plug to make port25 connections go high
> (ipfilter), NO sendmail needed to run as root.
I've run sendmail since what was probably day 2 so it wasn't easy for me
to switch to postfix but the anti-spam filtering of postfix is enough
better that I bit the bullet.

First and foremost, postfix's filtering is set up more like an IP
filter. You get to choose the order that the filters get applied and
when to cut short the tests and either reject or accept the email
message without running the rest of the tests.

You also get to do sanity tests on the HELO string (as well as the
traditional client-ip address and sender-address.) You can trivially
filter for spoofed mail, where mail claiming to be from your machine
comes in via the external interface.

The filter files can be either hash databases or lists of regexp's.
(The latter were very painful to do in sendmail where one needs one
table per regexp.)

I've got an example postfix setup here. The config files should be
fairly readable even for someone that hasn't ever looked at postfix
before.

  http://www.wsrcc.com/spam/

-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
(NOTE: The email address above is valid. Edit it at your own peril.)

From david at catwhisker.org Thu Feb 13 13:10:57 2003
From: david at catwhisker.org (David Wolfskill)
Date: Thu, 13 Feb 2003 13:10:57 -0800 (PST)
Subject: Has anyone had a useful interaction with remove@dun.dnsrbl.com??!?
In-Reply-To:
Message-ID: <200302132110.h1DLAv5X060478@bunrab.catwhisker.org>

>Date: 13 Feb 2003 12:12:45 -0800
>From: wolfgang+gnus20030213T120724 at wsrcc.com (Wolfgang S. Rupprecht)

>I'm not a fan of the dialup lists either.

Thanks. :-)

>Many of them have made noises at one time or other of listing all
>cable-modems and dsl's irregardless of them being static or dynamic
>addresses.

Which is their right, in some sense. It does rather call into question
the wisdom of using their service(s), though.

> 63.193.123.122: IPv4 'adsl-63-193-123-122.dsl.snfc21.pacbell.net'

>Since pacbell didn't give any meaningful names to the IP addresses

Umm...
'scuse me? Please note:

g1-13(4.7-S)[1] host 63.193.123.122
122.123.193.63.IN-ADDR.ARPA domain name pointer adsl-63-193-123-122.dsl.snfc21.pacbell.net
g1-13(4.7-S)[2] host adsl-63-193-123-122.dsl.snfc21.pacbell.net
adsl-63-193-123-122.dsl.snfc21.pacbell.net has address 63.193.123.122
g1-13(4.7-S)[3]

What more could a person ask for? There's a PTR record for the IP
address, and the hostname from the PTR is resolvable to the same IP
address. This is A Good Thing -- and far better than a lot of other
netblocks I've dealt with.... :-{

>several of the dialup list maintainers assumed that they were dynamic
>DSL.

Something about the word "assume" comes to mind at this point.... :-/

>I think most of them have since fixed their listings. You can
>check most of the dnsbl's from this page:

> http://www.moensted.dk/spam/

Ah; thanks. Not as bad as it could be:

  63.193.123.122 was found in 8 lists (of 438 tested)

I guess I still need to help educate the folks who are using the
disservices in question.... :-(

>(NOTE: The email address above is valid. Edit it at your own peril.)

I just elided it, figuring that since you responded to a post to the
baylisa list, you'd see the response posted to the same list. :-}

Thanks,
david (links to my resume at http://www.catwhisker.org/~david)
-- 
David H. Wolfskill                              david at catwhisker.org
WARNING: Use of Microsoft products may be hazardous to your system's integrity.

From rsr at inorganic.org Fri Feb 14 01:49:02 2003
From: rsr at inorganic.org (Roy S. Rapoport)
Date: Fri, 14 Feb 2003 01:49:02 -0800 (PST)
Subject: Sendmail replacements? (correction)
In-Reply-To: <13127.1045168626@kanga.nu>
Message-ID:

On Thu, 13 Feb 2003, J C Lawrence wrote:
> > Wietse is easier to deal with than Dr Dan.
>
> Understatement. Philip Hazel is also rather pleasant. Their mailing
> lists reflect this: the QMail lists have regular bouts of newbie/FAQ
> derision whereas the exim and postfix lists tend to be much more
> supportive and constructive.
I must be the only person in the world who refuses to use QMail pretty
much solely because of my perception of DJB's personality and
interaction style. But hey, that's OK.

sendmail satisfies my "can you support this adequately at 3am after
being woken up from two hours of sleep having come back drunk from a
dance club?" preference. One of these days RSN I'd like to get to that
point with postfix.

-roy

From jeff at drinktomi.com Fri Feb 14 11:29:25 2003
From: jeff at drinktomi.com (Jeff with The Big Yellow Suit)
Date: Fri, 14 Feb 2003 11:29:25 -0800 (PST)
Subject: Sendmail replacements? (correction)
In-Reply-To:
References: <13127.1045168626@kanga.nu>
Message-ID: <37627.208.200.221.3.1045250965.squirrel@mail.gigo.com>

Roy S. Rapoport said:
> sendmail satisfies my "can you support this adequately at 3am after
> being woken up from two hours of sleep having come back drunk from a
> dance club?" preference.

Nice to hear that someone else has this requirement.

-jeff

From berry at housebsd.org Fri Feb 14 11:55:09 2003
From: berry at housebsd.org (Sean Berry)
Date: Fri, 14 Feb 2003 13:55:09 -0600 (CST)
Subject: Sendmail replacements? (correction)
In-Reply-To: <37627.208.200.221.3.1045250965.squirrel@mail.gigo.com>
Message-ID:

Requirement, hell, about 5% of my billed hours used to come from this
category.

-- 
Sean Berry works with UNIX, especially Solaris and NetBSD. His opinions
are not necessarily those of his employers. (650) 281-6610
He enjoys photography. Current work at http://www.housebsd.org/~berry/photo/

On Fri, 14 Feb 2003, Jeff with The Big Yellow Suit wrote:
> Roy S. Rapoport said:
> > sendmail satisfies my "can you support this adequately at 3am after
> > being woken up from two hours of sleep having come back drunk from a
> > dance club?" preference.
>
> Nice to hear that someone else has this requirement.
>
> -jeff

From htsun at earthlink.net Sat Feb 15 12:28:21 2003
From: htsun at earthlink.net (H.T.
Sun)
Date: Sat, 15 Feb 2003 12:28:21 -0800
Subject: WAN simulation in LAN
Message-ID: <3E4EA2E5.80302@earthlink.net>

Hi,

Does anybody know any good tools that could simulate WAN (latency,
bandwidth limitation) connections in a LAN environment?

Thanks a lot

HT

From npc at gangofone.com Sat Feb 15 13:14:28 2003
From: npc at gangofone.com (Nick Christenson)
Date: Sat, 15 Feb 2003 13:14:28 -0800 (PST)
Subject: WAN simulation in LAN
In-Reply-To: <3E4EA2E5.80302@earthlink.net>
Message-ID: <200302152114.h1FLES7n048665@discovery.gangofone.com>

> Hi,
>
> Does anybody know any good tools that could
> simulate WAN (latency, bandwidth limitation)
> connections in a LAN environment?

Dummynet on FreeBSD is my favorite:

  http://info.iet.unipi.it/~luigi/ip_dummynet/

There is also NISTNet for Linux:

  http://snad.ncsl.nist.gov/itg/nistnet/
  http://linux.oreillynet.com/pub/a/linux/2000/06/22/LinuxAdmin.html

There are probably others. Hope this helps.

-- 
Nick Christenson
npc at gangofone.com

From david at catwhisker.org Sat Feb 15 13:19:22 2003
From: david at catwhisker.org (David Wolfskill)
Date: Sat, 15 Feb 2003 13:19:22 -0800 (PST)
Subject: WAN simulation in LAN
In-Reply-To: <3E4EA2E5.80302@earthlink.net>
Message-ID: <200302152119.h1FLJMcL068716@bunrab.catwhisker.org>

>Date: Sat, 15 Feb 2003 12:28:21 -0800
>From: "H.T. Sun"

> Does anybody know any good tools that could
> simulate WAN (latency, bandwidth limitation)
> connections in a LAN environment?

I suspect that a fair amount of this will be dependent on quite a bit
that was not stated. :-)

That said, this is one of the main purposes behind Luigi Rizzo's
development of "dummynet" for FreeBSD; from "man dummynet":

HISTORY
     dummynet was initially implemented as a testing tool for TCP congestion
     control by Luigi Rizzo, as described on ACM Computer Communication
     Review, Jan.97 issue.
     Later it has been then modified to work at the ip and bridging level,
     integrated with the IPFW packet filter, and extended to support
     multiple queueing and scheduling policies.

Cheers,
david (links to my resume at http://www.catwhisker.org/~david)
-- 
David H. Wolfskill                              david at catwhisker.org
WARNING: Use of Microsoft products may be hazardous to your system's integrity.

From fscked at pacbell.net Sat Feb 15 14:23:36 2003
From: fscked at pacbell.net (richard childers / kg6hac)
Date: Sat, 15 Feb 2003 14:23:36 -0800
Subject: WAN simulation in LAN
References: <3E4EA2E5.80302@earthlink.net>
Message-ID: <3E4EBDE7.E8E94102@pacbell.net>

ipfw(8) provides tunnels, which can be used to provide latency, I
recall.

-- richard

"H.T. Sun" wrote:
> Hi,
>
> Does anybody know any good tools that could
> simulate WAN (latency, bandwidth limitation)
> connections in a LAN environment?
>
> Thanks a lot
>
> HT

From extasia at extasia.org Sun Feb 16 12:23:53 2003
From: extasia at extasia.org (David Alban)
Date: Sun, 16 Feb 2003 12:23:53 -0800
Subject: Which Red Hat?
Message-ID: <20030216122353.A8937@gerasimov.net>

Greetings!

I want to do a clean install of Red Hat on a P133 box w/scsi. I want
to put two network cards in the box, with one for dsl and one for my
internal network. The box will be a firewall.

I've heard folks say various things about the different Red Hat
versions. Can anyone recommend a particular version (or set of
versions)? Or, can anyone recommend against a particular version, or
set thereof?

Thanks,
David
-- 
Live in a world of your own, but always welcome visitors.
*** Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/

From nthomas at cise.ufl.edu Sun Feb 16 13:05:49 2003
From: nthomas at cise.ufl.edu (N.
Thomas)
Date: Sun, 16 Feb 2003 16:05:49 -0500
Subject: Which Red Hat?
In-Reply-To: <20030216122353.A8937@gerasimov.net>
References: <20030216122353.A8937@gerasimov.net>
Message-ID: <20030216210549.GB22931@cise.ufl.edu>

* David Alban [2003-02-16 12:23:53 -0800]:
> I want to do a clean install of Red Hat on a P133 box w/scsi. I want
> to put two network cards in the box, with one for dsl and one for my
> internal network. The box will be a firewall.
>
> [...]
>
> Can anyone recommend a particular version (or set of versions)?

I don't know if Red Hat is a requirement for you, but might I recommend
using some other OS instead? Red Hat is somewhat overkill for a
firewall as it comes with a lot of things pre-installed that you
probably don't need. Also, older versions won't be supported past one
year, according to Red Hat's new policy.

If you want to use Linux/iptables go with Debian, it is much easier to
set up a bare-bones configuration and run only what you want.

If the sky's the limit, OpenBSD is probably the way to go. Not only is
it ultra-secure out of the box, it's pretty easy to set up a
firewall/router with it as well. Very lean, secure, etc.

thomas

-- 
N. Thomas
nthomas at cise.ufl.edu
Etiamsi occiderit me, in ipso sperabo

From rick at linuxmafia.com Sun Feb 16 16:17:53 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Sun, 16 Feb 2003 16:17:53 -0800
Subject: Which Red Hat?
In-Reply-To: <20030216122353.A8937@gerasimov.net>
References: <20030216122353.A8937@gerasimov.net>
Message-ID: <20030217001753.GG17705@linuxmafia.com>

Quoting David Alban (extasia at extasia.org):

> I want to do a clean install of Red Hat on a P133 box w/scsi. I want
> to put two network cards in the box, with one for dsl and one for my
> internal network. The box will be a firewall.
>
> I've heard folks say various things about the different Red Hat
> versions. Can anyone recommend a particular version (or set of
> versions)?
> Or, can anyone recommend against a particular version, or
> set thereof?

Are you constrained to use Red Hat, or is this personal preference, or
what? It might be helpful to know the context of your question.

-- 
"If I have seen farther than others, it is because I was standing on
the shoulders of giants." (Isaac Newton)
"If I have not seen as far as others, it is because giants were
standing on my shoulders." (Hal Abelson)
"In computer science, we stand on each other's feet." (Brian K. Reed)

From alvin at maggie.linux-consulting.com Sun Feb 16 17:03:01 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Sun, 16 Feb 2003 17:03:01 -0800 (PST)
Subject: Which Red Hat? - fw
In-Reply-To: <20030217001753.GG17705@linuxmafia.com>
Message-ID:

> Quoting David Alban (extasia at extasia.org):
>
> > I want to do a clean install of Red Hat on a P133 box w/scsi. I want
> > to put two network cards in the box, with one for dsl and one for my
> > internal network. The box will be a firewall.

for a fw...

- use a "secure distro"....
  http://www.Linux-Sec.net/distro.gwif.html#hardened
  ( some secure distro might be better than another )

- if you use a convenient rh distro ...
  ( dont use rh out of the box... as you'd probably be reinstalling
  again in the near future if you have lots of script kiddies that
  likes to play with your boxes

- less problems w/ rh-8.0 w/ all the patches

- lots of to do and dont do .. regardless of which distro
  and the "to do" is the same for any/all distro

more fw stuff
  http://www.Linux-Sec.net/FW/

( it probably wont work for some of you... and yes... netsol is having
db problems right now it seems w/ freshly expired domains... normally
you have 30-45 days before one disappears ..but not "today"
( i've been ignoring those 3mon or 6 months ahead of expiration
( junk mails...
till its too late :-0

- it'd probably be a good idea to check your domain expirations

c ya
alvin

From extasia at extasia.org Sun Feb 16 19:59:36 2003
From: extasia at extasia.org (David Alban)
Date: Sun, 16 Feb 2003 19:59:36 -0800
Subject: Which Red Hat?
In-Reply-To: <20030217001753.GG17705@linuxmafia.com>; from rick@linuxmafia.com on Sun, Feb 16, 2003 at 04:17:53PM -0800
References: <20030216122353.A8937@gerasimov.net> <20030217001753.GG17705@linuxmafia.com>
Message-ID: <20030216195936.A13627@gerasimov.net>

At 2003/02/16/16:17 -0800 Rick Moen wrote:
> Are you constrained to use Red Hat, or is this personal preference, or
> what? It might be helpful to know the context of your question.

My requirements are:

. decent security (whether out of the box or wrangled)
. support for my hardware
. lots of docs available on the net

Red hat is not a requirement. Having rtfm'd a bit, and having
discovered that openbsd supports my pci ide controller, my scsi
card[1], and my network cards, I might go with openbsd.

I had thought that there would be buttloads of docs on the net for red
hat. But there may well be sufficient docs for openbsd, too. More
rtfm'ing necessary...

David

[1] At least, I *think* it supports my scsi card. dmesg reports:

  scsi0 : Adaptec AIC7XXX EISA/VLB/PCI SCSI HBA DRIVER, Rev 6.2.4
          aic7870: Single Channel A, SCSI Id=7, 16/253 SCBs

http://www.openbsd.org/i386.html says:

  Adaptec AHA-[23]94x[W] cards and some on-board PCI designs using the
  AIC7870 and AIC7880 chips.

It's the "some on-board PCI designs using the AIC7870 and AIC7880
chips" (specifically the word "some") that makes me wonder. Anyone
know of a source of info that would say definitively one way or the
other?

-- 
Live in a world of your own, but always welcome visitors.
*** Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/
From rick at linuxmafia.com Mon Feb 17 02:35:54 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Mon, 17 Feb 2003 02:35:54 -0800
Subject: Which Red Hat?
In-Reply-To: <20030216195936.A13627@gerasimov.net>
References: <20030216122353.A8937@gerasimov.net> <20030217001753.GG17705@linuxmafia.com> <20030216195936.A13627@gerasimov.net>
Message-ID: <20030217103554.GT17705@linuxmafia.com>

Quoting David Alban (extasia at extasia.org):

> My requirements are:
>
> . decent security (whether out of the box or wrangled)
> . support for my hardware
> . lots of docs available on the net

Practically any x86 'nix can be considered to qualify -- especially by
partisans of that 'nix. You've essentially invited people to put their
sysadminly prejudices on parade.

For example, I'd use Debian for that purpose. Or FreeBSD. And we could
have a long conversation about why, with frequent asides from
kibbitzers as to why I'm deluded and am leading you astray. ;->

> Red hat is not a requirement. Having rtfm'd a bit, and having
> discovered that openbsd supports my pci ide controller, my scsi
> card[1], and my network cards, I might go with openbsd.

What you've described are kernel requirements, not OS/distribution
requirements. I.e., you're saying you want an x86 'nix OS/distribution
whose kernel can be made to support an AIC7870. Sounds do-able with
practically any x86 'nix.

> It's the "some on-board PCI designs using the AIC7870 and
> AIC7880 chips" (specifically the word "some") that makes me
> wonder.

Well, I could say rude things about Red Hat Software's recent inability
to reliably support (in their default installation kernels) certain
AIC7xxx chipsets, e.g., those on Intel Lancewood motherboards. Which is
one reason why, e.g., http://www.kainx.org/vermillion/ exists. But that
would risk my having to argue with fans of RH's distribution, wouldn't
it?
-- 
Cheers,                     "Besides, Debian runs Web sites, Red Hat runs
Rick Moen                    Quake, and Windows runs Half-Life."
rick at linuxmafia.com              -- Bryce Kerley (on Slashdot)

From fscked at pacbell.net Mon Feb 17 07:51:46 2003
From: fscked at pacbell.net (richard childers / kg6hac)
Date: Mon, 17 Feb 2003 07:51:46 -0800
Subject: CFS v TCFS v SFS v ?
Message-ID: <3E510512.353EF242@pacbell.net>

I'm evaluating filesystems which provide encryption under FreeBSD.

The following acronyms mean the following things:

CFS: Cryptographic File System
TCFS: Translucent CFS
SFS: Secure File System

So far I have installed and configured CFS; I'm still meditating upon
exactly how to best integrate its service into an operating system.

I have not yet begun evaluating TCFS or SFS. I'm not sure the SFS
server is still up (www.securefs.org, according to my mile-high
research).

Does anyone know of any specific pitfalls (or advantages) to any of
these packages?

Have I missed any other encrypting filesystems?

Thanks,

-- richard

From david at catwhisker.org Mon Feb 17 08:37:21 2003
From: david at catwhisker.org (David Wolfskill)
Date: Mon, 17 Feb 2003 08:37:21 -0800 (PST)
Subject: CFS v TCFS v SFS v ?
In-Reply-To: <3E510512.353EF242@pacbell.net>
Message-ID: <200302171637.h1HGbL9W073061@bunrab.catwhisker.org>

>Date: Mon, 17 Feb 2003 07:51:46 -0800
>From: richard childers / kg6hac

>I'm evaluating filesystems which provide encryption under
>FreeBSD.

>The following acronyms mean the following things:

>CFS: Cryptographic File System
>TCFS: Translucent CFS
>SFS: Secure File System

>...

>Have I missed any other encrypting filesystems?

GBDE -- available only in FreeBSD-5.x (which recently acquired
"-RELEASE" status for the first time, but you don't want to use 5.0 for
GBDE, as I recall).

The acronym stands for "GEOM-based disk encryption".

It is not, strictly speaking, an "encrypting filesystem," as this is
below the level of "filesystem": you can put any sort of file system on
it that you could on a "raw" disk.
Thus, the idea is that you can set up a (piece of a) disk encrypted via
GBDE, then create a filesystem of your choice on it; absent the key(s)
to unlock the disk in question, even the type of filesystem that is on
it should be non-trivial to determine.

For more information:

d144(5.0-C)[1] apropos gbde
gbde(4)                  - Geom Based Disk Encryption
gbde(8)                  - operation and management utility for Geom Based Disk Encryption
d144(5.0-C)[2]

I haven't done anything with it (yet), but Lucky Green came to a recent
BAFUG meeting (January's) and mentioned it with a fair degree of
enthusiasm (or so I perceived; I could be wrong).

Cheers,
david (links to my resume at http://www.catwhisker.org/~david)
-- 
David H. Wolfskill                              david at catwhisker.org
WARNING: Use of Microsoft products may be hazardous to your system's integrity.

From fscked at pacbell.net Mon Feb 17 11:46:18 2003
From: fscked at pacbell.net (richard childers / kg6hac)
Date: Mon, 17 Feb 2003 11:46:18 -0800
Subject: CFS v TCFS v SFS v GBDE v ?
References: <200302171637.h1HGbL9W073061@bunrab.catwhisker.org>
Message-ID: <3E513C0A.36C2F319@pacbell.net>

This is interesting; thanks, David.

Further research suggests that TCFS has been experimentally ported to
OpenBSD and NetBSD but not formally ported to FreeBSD; my operating
system of choice.

TCFS appears to be a bastard child of CFS, dependent upon NFS and
intended to permit sharing of encrypted contents across insecure
networks. It appears to rely upon an interesting mechanism for access
to the contents, where each client only has a portion of the key
required to unencrypt the data and access to all (or a majority) of
these clients - essentially, their consensus - is required before the
data can be decrypted. The threshold can be adjusted.
Regrettably, TCFS is still heavily reliant upon the loopback mechanism
used by NFS; and my gut feeling is that while consensus mechanisms are
intellectually interesting, that from an administrative point of view
they represent a snake's pit of dependencies, like NFS, but with the
clients voting on every disk operation.

Also, much of this functionality is provided, at a lower level, by VPNs
and IPSEC, rendering the need for securing shared data, explicitly at
the filesystem level, less urgent. However, the need for a locally
encrypted storage mechanism that does not mandate managing pass phrases
for each separate file is still visible.

David, your description of GBDE provoked me to wonder if GBDE was
derived from ccd (with which I have not yet worked). I seem to recall
that ccd conceptually paralleled a product with which I have worked -
SunOS metadevices - where one can create partitions on a disk ...
associate them with pseudo device drivers that treated them as
mirrored, or concatenated, devices ... associate -these- pseudo device
drivers with other, next-level pseudo device drivers, that concatenated
the mirrors, or mirrored the concatenation ... until the desired level
of functionality was achieved.

I wonder because it occurs to me that this code base would be an
excellent place to start if one were to wish to develop such a thing as
an encrypted filesystem, without needing it to depend upon NFS or a
loopback device.

As for CFS, it occurred to me that it could be pushed into an NFS role;
but I'm still thinking about weaknesses (outside of the usual RPC
stuff).

Thanks,

-- richard

David Wolfskill wrote:
> >Date: Mon, 17 Feb 2003 07:51:46 -0800
> >From: richard childers / kg6hac
>
> >I'm evaluating filesystems which provide encryption under
> >FreeBSD.
>
> >The following acronyms mean the following things:
>
> >CFS: Cryptographic File System
> >TCFS: Translucent CFS
> >SFS: Secure File System
>
> >...
>
> >Have I missed any other encrypting filesystems?
>
> GBDE -- available only in FreeBSD-5.x (which recently acquired
> "-RELEASE" status for the first time, but you don't want to use 5.0 for
> GBDE, as I recall).
>
> The acronym stands for "GEOM-based disk encryption".
>
> It is not, strictly speaking, an "encrypting filesystem," as this is
> below the level of "filesystem": you can put any sort of file system on
> it that you could on a "raw" disk. Thus, the idea is that you can set
> up a (piece of a) disk encrypted via GBDE, then create a filesystem
> of your choice on it; absent the key(s) to unlock the disk in question,
> even the type of filesystem that is on it should be non-trivial to
> determine.
>
> For more information:
>
> d144(5.0-C)[1] apropos gbde
> gbde(4)                  - Geom Based Disk Encryption
> gbde(8)                  - operation and management utility for Geom Based Disk Encryption
> d144(5.0-C)[2]
>
> I haven't done anything with it (yet), but Lucky Green came to a recent
> BAFUG meeting (January's) and mentioned it with a fair degree of
> enthusiasm (or so I perceived; I could be wrong).
>
> Cheers,
> david (links to my resume at http://www.catwhisker.org/~david)
> --
> David H. Wolfskill                              david at catwhisker.org
> WARNING: Use of Microsoft products may be hazardous to your system's integrity.

From chuck+baylisa at snew.com Mon Feb 17 17:12:45 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Mon, 17 Feb 2003 17:12:45 -0800
Subject: Which Red Hat?
In-Reply-To: <20030216122353.A8937@gerasimov.net>
References: <20030216122353.A8937@gerasimov.net>
Message-ID: <20030218011245.GA3076@snew.com>

Quoting David Alban (extasia at extasia.org):
> Greetings!
>
> I want to do a clean install of Red Hat on a P133 box w/scsi. I want
> to put two network cards in the box, with one for dsl and one for my
> internal network. The box will be a firewall.
>
> I've heard folks say various things about the different Red Hat
> versions. Can anyone recommend a particular version (or set of
> versions)?
> Or, can anyone recommend against a particular version, or
> set thereof?

Redhat advanced server is supposed to be the "enterprise edition" of
RedHat. It's supposed to be long and well supported and slower changing
than Linuxes usually are.

I like BSD's by personal choice. OpenBSD goes on about being security
focussed, but much of the changes they've made have found their ways
into Free and Net. I waffle between Net and OpenBSD builds on a Soekris
box (www.soekris.com - about the size of a hub, boots from a compact
flash).

The biggest problem I find on any Unix is the large amount of crap
that's installed by default. I just remove inetd.conf on Solaris as a
first step. Then it's a matter of stripping out startup scripts. Same
for all other Unixes. I've pushed several OS vendors (free and non) to
START OUT with a minimal config. Many of us dealt with Sun putting out
an /etc/hosts.equiv with "+ +" in it for YEARS in SunOS 4.x. Let me run
a script to turn things on. SGI and Redhat have chkconfig; Sun foisted
System V on us, but never gave us real management tools. (should
nfsserver even try to run if rpcbind/portmap is not on? Why does inetd
get started with no inetd.conf file? (that one took OpenBSD 20 minutes
to fix when I reported it) Does anyone NEED echo?).

OpenBSD comes with ssh turned on and that's about it (and portmap for
reasons I don't get). This is nice. It's also repeatable with some
work on other OSs.

-OpenBSD is implementing readonly segments of ELF - something no one
 else is doing. OpenBSD-current is painful right now.
-NetBSD is in the middle of adding decent threading at the moment.
-FreeBSD is going through a big change with 5.0. 4.7 is stable, but 5.0
 has some nice things.
-Solaris doesn't really want to run on one or two CPU machines. They
 finally have newer user-land tools (tcsh, zsh, ssh, apache! and
 "perl"! About freaking time).
-RedHat and Suse both have good enterprise releases after demands from
 IBM and the like.
 No corp wants to have to upgrade OSs every 4 months with major
 changes every year.  Support may be an issue.  Playing "juggle the
 RPMs" when you need a new kernel sucks.  Getting the Enterprise
 versions may be helpful here.

Then you get to choose proxies (you wouldn't let your users connect
with random programs to strangers, would you?)  And we're back to
"firewall classic".  See the firewalls at greatcircle archives back to
1993 for more on those topics.

Usually, the best choice for a bastion's OS is one you are very
familiar with.  More to the point, one you are NOT very familiar with,
will not serve you well.

And of course, you do the full gambit of setting up strong filtering
on your router after the Firewall and have another router inside the
firewall that ideally is from another company/different OS.  (Belts
and suspenders).

But it sounds like a home gateway type thing.  So why not just use a
little NAT box for $80 with no fan, no disk, no worries.  Sure, it
won't do IPSec or run IPv6 tunnels, but it will basically keep new
connections from being opened to your inside machines.

From claw at kanga.nu  Mon Feb 17 17:51:33 2003
From: claw at kanga.nu (J C Lawrence)
Date: Mon, 17 Feb 2003 17:51:33 -0800
Subject: Which Red Hat?
In-Reply-To: Message from Chuck Yerkes of "Mon, 17 Feb 2003 17:12:45 PST." <20030218011245.GA3076@snew.com>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com>
Message-ID: <2069.1045533093@kanga.nu>

On Mon, 17 Feb 2003 17:12:45 -0800
Chuck Yerkes wrote:

> Redhat advanced server is supposed to be the "enterprise edition" of
> RedHat.  It's supposed to be long and well supported and slower
> changing than Linuxes usually are.

Yeah, uhhhhuhh, sure.  RHAS is the one that shipped with GCC 2.96 --
the unofficial GCC release that's both full of bugs with a different
ABI to both GCC 2.95 and GCC v3 -- and is targeted as the platform
actively supported by Oracle right?
The same Oracle whose OCCI libraries are compiled with GCC 2.95 and
thus can't be reliably linked against under RHAS...?  The RHAS whose
vendor (RH) replies to queries on these subjects with, "Uhhhhhhh...",
while Oracle replies with, "Uhhh, we're not sure what compiler we
used..." (despite the fact that it's quite clear to tell under nm).

Sorry, I had a sudden urge to vent there.

> Usually, the best choice for a bastion's OS is one you are very
> familiar with.  More to the point, one you are NOT very familiar with,
> will not serve you well.

Sooth.

> And of course, you do the full gambit of setting up strong filtering
> on your router after the Firewall and have another router inside the
> firewall that ideally is from another company/different OS.  (Belts
> and suspenders).

I like making security equipment from atypical hardware platforms.
Sure, use a "standard" OS (*BSD, Linux, whatever), but run it on
something interesting.  Run it on Alpha, on MIPS, on PA-RISC, something
not x86.  If possible run something other than OEM OS on that hardware
(eg not-Solaris on SPARC, not-OSX on PPC, not-HP-UX on PA-RISC, etc).
The more you deviate from the base line, the more likely the canned
script kiddie scripts will fail.  Fail because the CPU instruction sets
are different, fail because the stack sizes or direction of stack
growth is off, fail because the heap semantics aren't the same, fail
due to different endianness, fail due to different word size...

Sure, it doesn't close the door on an exploit given a wily and
intelligent cracker, but it shuts down the vast majority of them who
beat me in a patch install, and I'm a big fan of anything which
increases cracker barrier to entry, especially when it doesn't cost me
a nickel (older non-x86 hardware is cheap).

-- 
J C Lawrence                ---------(*)                Satan, oscillate my metallic sonatas.
claw at kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
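An added example, not from this thread, of the "start with nothing on and turn things on deliberately" approach Chuck Yerkes describes earlier: a POSIX sh script that audits a classic inetd.conf and comments out every service not on an explicit allowlist (so echo, chargen, telnet and friends stay off). The sample inetd.conf is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the BayLISA thread): audit a classic inetd.conf
# and keep only an allowlist of services, commenting out the rest.
# The config below is a constructed sample, not any real host's file.

SAMPLE_INETD_CONF='# constructed sample inetd.conf
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#finger stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd
ident   stream  tcp     nowait  nobody  /usr/libexec/identd     identd
'

# List the services still enabled (uncommented) in an inetd.conf read
# from stdin.  Output: one "service/proto" per line, sorted, unique.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 "/" $3 }' | sort -u
}

# Count enabled services in an inetd.conf read from stdin.
count_enabled() {
    enabled_inetd_services | wc -l | tr -d ' '
}

# Comment out every service except those named in $1 (a space-separated
# allowlist such as "ftp ssh").  Reads inetd.conf on stdin and writes the
# hardened file on stdout; comments and blank lines pass through unchanged,
# so the result can be diffed against the original before it is installed.
disable_except() {
    allow="$1"
    awk -v allow="$allow" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) keep[a[i]] = 1
        }
        /^[[:space:]]*#/ || NF < 6 { print; next }   # comments, blanks
        ($1 in keep)               { print; next }   # allowlisted service
        { print "#" $0 "\t# disabled: not on allowlist" }
    '
}

# Usage: what the default config exposes, then what survives hardening
# with only ftp allowed.
echo "enabled by default:"
printf '%s' "$SAMPLE_INETD_CONF" | enabled_inetd_services
echo "enabled after allowlisting ftp:"
printf '%s' "$SAMPLE_INETD_CONF" | disable_except "ftp" | enabled_inetd_services
```

The same two functions work on a real /etc/inetd.conf piped through stdin; review the diff, then HUP inetd only after the allowlist is what you intended.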
From rick at linuxmafia.com  Mon Feb 17 19:01:18 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Mon, 17 Feb 2003 19:01:18 -0800
Subject: Which Red Hat?
In-Reply-To: <2069.1045533093@kanga.nu>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu>
Message-ID: <20030218030118.GJ17705@linuxmafia.com>

[Concurring with J C:}

Quoting J C Lawrence (claw at kanga.nu):

> I like making security equipment from atypical hardware platforms.
> Sure, use a "standard" OS (*BSD, Linux, whatever), but run it on
> something interesting.  Run it on Alpha, on MIPS, on PA-RISC, something
> not x86.

I like this idea, a lot.  For one thing, buffer overflows are much less
of a problem on anything but x86.

One recurring problem is that _cheap_ non-x86 hardware only rarely can
be conveniently made to have two reliable ethernet interfaces.  If you
can find them used, NetWinders (StrongARM-based or Transmeta Crusoe)
are good, being small, low-power, and quiet.  They came with one
10Base-T and one 10/100 port.

Occasionally, you can find very cheap, low-end x86 laptops with two
PCMCIA ports (e.g., late 486).  Comes with its own UPS.

-- 
Cheers,                     "Teach a man to make fire, and he will be warm
Rick Moen                    for a day.  Set a man on fire, and he will be warm
rick at linuxmafia.com         for the rest of his life."  -- John A. Hrastar

From claw at kanga.nu  Mon Feb 17 21:35:30 2003
From: claw at kanga.nu (J C Lawrence)
Date: Mon, 17 Feb 2003 21:35:30 -0800
Subject: Which Red Hat?
In-Reply-To: Message from Rick Moen of "Mon, 17 Feb 2003 19:01:18 PST." <20030218030118.GJ17705@linuxmafia.com>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu> <20030218030118.GJ17705@linuxmafia.com>
Message-ID: <7328.1045546530@kanga.nu>

On Mon, 17 Feb 2003 19:01:18 -0800
Rick Moen wrote:

> [Concurring with J C:}

Damn it rick, you're going to embarrass somebody if you keep that up.
> Quoting J C Lawrence (claw at kanga.nu):

>> I like making security equipment from atypical hardware platforms.
>> Sure, use a "standard" OS (*BSD, Linux, whatever), but run it on
>> something interesting.  Run it on Alpha, on MIPS, on PA-RISC,
>> something not x86.

> I like this idea, a lot.  For one thing, buffer overflows are much
> less of a problem on anything but x86.

Not really.  They're still a problem, it's just that the exploits
commonly found on cracker sites tend to be written with x86 in mind
and don't adapt cleanly to other platforms.  It's also worth
remembering that buffer/stack based exploits are just one possible
exploit path among many.

> One recurring problem is that _cheap_ non-x86 hardware only rarely can
> be conveniently made to have two reliable ethernet interfaces.  If you
> can find them used, NetWinders (StrongARM-based or Transmeta Crusoe)
> are good, being small, low-power, and quiet.  They came with one
> 10Base-T and one 10/100 port.

Alpha based Multias are another fairly readily available solution.  Get
the right model and they have an open PCI-slot in addition to the 10bT
on the mother.  Throw a 4-port NIC on there and you can build quite a
nice little router/firewall (done that).

SGI Indy's (the purple mini-towers) also tend to be readily available
and extra NICs for them are cheap enough.

> Occasionally, you can find very cheap, low-end x86 laptops with two
> PCMCIA ports (e.g., late 486).  Comes with its own UPS.

Weirdstuff used to have a ready supply of such.  Unfortunately, by
definition they're x86.

-- 
J C Lawrence                ---------(*)                Satan, oscillate my metallic sonatas.
claw at kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.

From rick at linuxmafia.com  Mon Feb 17 21:54:34 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Mon, 17 Feb 2003 21:54:34 -0800
Subject: Which Red Hat?
In-Reply-To: <7328.1045546530@kanga.nu>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu> <20030218030118.GJ17705@linuxmafia.com> <7328.1045546530@kanga.nu>
Message-ID: <20030218055433.GP17705@linuxmafia.com>

Quoting J C Lawrence (claw at kanga.nu):

[buffer overflows, non-x86 architectures]

> Not really.  They're still a problem, it's just that the exploits
> commonly found on cracker sites tend to be written with x86 in mind
> and don't adapt cleanly to other platforms.

I wish I could refer you to it specifically, but I recall a fairly
convincing paper explaining why PPC in particular doesn't really have
a problem, for reasons inherent to the architecture rather than just a
matter of popularity.  Sorry, but I don't have it handy.

> Alpha based Multias are another fairly readily available solution.

They are reported to run hot, though.

> SGI Indy's (the purple mini-towers) also tend to be readily available
> and extra NICs for them are cheap enough.

I've seen those around, and wouldn't mind having one.  They're
reasonable-sized, if not nowhere near as compact as NetWinders.

-- 
Cheers,
Rick Moen                   Emacs is a decent operating system,
rick at linuxmafia.com         but it still lacks a good text editor.

From claw at kanga.nu  Mon Feb 17 22:29:25 2003
From: claw at kanga.nu (J C Lawrence)
Date: Mon, 17 Feb 2003 22:29:25 -0800
Subject: Which Red Hat?
In-Reply-To: Message from Rick Moen of "Mon, 17 Feb 2003 21:54:34 PST." <20030218055433.GP17705@linuxmafia.com>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu> <20030218030118.GJ17705@linuxmafia.com> <7328.1045546530@kanga.nu> <20030218055433.GP17705@linuxmafia.com>
Message-ID: <8498.1045549765@kanga.nu>

On Mon, 17 Feb 2003 21:54:34 -0800
Rick Moen wrote:

> Quoting J C Lawrence (claw at kanga.nu):
> [buffer overflows, non-x86 architectures]

>> Not really.
>> They're still a problem, it's just that the exploits
>> commonly found on cracker sites tend to be written with x86 in mind
>> and don't adapt cleanly to other platforms.

> I wish I could refer you to it specifically, but I recall a fairly
> convincing paper explaining why PPC in particular doesn't really have
> a problem, for reasons inherent to the architecture rather than just a
> matter of popularity.  Sorry, but I don't have it handy.

Ahh yeah, now you mention it I recall something in that direction as
well.  Will dig.

>> Alpha based Multias are another fairly readily available solution.

> They are reported to run hot, though.

They do if you use a drive internal to the case (they really only have
room for a laptop drive internally).  Either mount a small fan on the
case or use an external narrow SCSI drive (they've SCSI on the mother).

>> SGI Indy's (the purple mini-towers) also tend to be readily available
>> and extra NICs for them are cheap enough.

> I've seen those around, and wouldn't mind having one.

They seem to come on the market in spurts.  Indigo2s may be more
readily available now as the Indys fall way back in age.

> They're reasonable-sized, if not nowhere near as compact as
> NetWinders.

True.  As I recently migrated everything except my desktop to a 2.5m
rack in the garage ($50 off craigslist bundled with a 4U AT case) I've
found I don't care about that much any more -- well, except in the
winter when my office is nowhere near as warm as it used to be.

-- 
J C Lawrence                ---------(*)                Satan, oscillate my metallic sonatas.
claw at kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.

From sc at sfik.com  Mon Feb 17 23:38:16 2003
From: sc at sfik.com (Simon Cooper)
Date: Mon, 17 Feb 2003 23:38:16 -0800 (PST)
Subject: Which Red Hat?
In-Reply-To: <20030218055433.GP17705@linuxmafia.com>
Message-ID:

On Mon, 17 Feb 2003, Rick Moen wrote:

...text zapped...
> > SGI Indy's (the purple mini-towers) also tend to be readily available
> > and extra NICs for them are cheap enough.

If you want to pick a colour, then an Indy is/was Cyan.  They are the
offset pizza box systems - they don't come in "vertical", although some
were part of the S, M, L, XL (T-shirt) "Challenge" branding.  Indy's
are mostly R4k (some R5k) based systems.

The Indigo-2 was, ah indigo in colour, and could be mounted in the
"desk side" vertical configuration.  This may be what you are talking
about.

The original Indigo systems are from the 1991/2 era, the Indy from
1993.  I'm not entirely sure when the Indigo-2 came out, but it was
definitely later than the Indy.  The Indigo-2 is R10K based.

Anyhow, both the Indy and Indigo-2 will run the latest version of IRIX
6.5.20.  We've (disclaimer: I work for SGI) just released a version of
ipfilter, the PD filtering software from Darren Reed.  The software is
free, you pay for support, see http://www.sgi.com/software/ipfilter.html

My advice to anyone building a firewall - use an operating system you
are familiar with.  Otherwise, how are you going to know if someone has
been messing with it, or how to fix something in a hurry?

Simon.

From sc at sfik.com  Mon Feb 17 23:44:59 2003
From: sc at sfik.com (Simon Cooper)
Date: Mon, 17 Feb 2003 23:44:59 -0800 (PST)
Subject: Which Red Hat?
In-Reply-To:
Message-ID:

On Mon, 17 Feb 2003, Simon Cooper wrote:

...text zapped...

> Anyhow, both the Indy and Indigo-2 will run the latest version of IRIX
> 6.5.20.  We've (disclaimer: I work for SGI) just released a version of
> ipfilter, the PD filtering software from Darren Reed.  The software is free,
> you pay for support, see http://www.sgi.com/software/ipfilter.html

'Tis bad form to correct oneself, but the latest "released to
customers" version of IRIX is 6.5.19.

Simon.

From ulf at Alameda.net  Tue Feb 18 09:17:26 2003
From: ulf at Alameda.net (Ulf Zimmermann)
Date: Tue, 18 Feb 2003 09:17:26 -0800
Subject: Which Red Hat?
In-Reply-To: ; from sc@sfik.com on Mon, Feb 17, 2003 at 11:38:16PM -0800
References: <20030218055433.GP17705@linuxmafia.com>
Message-ID: <20030218091726.C33318@seven.alameda.net>

On Mon, Feb 17, 2003 at 11:38:16PM -0800, Simon Cooper wrote:
> On Mon, 17 Feb 2003, Rick Moen wrote:
>
> ...text zapped...
>
> > > SGI Indy's (the purple mini-towers) also tend to be readily available
> > > and extra NICs for them are cheap enough.
>
> If you want to pick a colour, then an Indy is/was Cyan.  They are the offset
> pizza box systems - they don't come in "vertical", although some were part
> of the S, M, L, XL (T-shirt) "Challenge" branding.  Indy's are mostly R4k
> (some R5k) based systems.
>
> The Indigo-2 was, ah indigo in colour, and could be mounted in the "desk
> side" vertical configuration.  This may be what you are talking about.
>
> The original Indigo systems are from the 1991/2 era, the Indy from 1993.
> I'm not entirely sure when the Indigo-2 came out, but it was definitely
> later than the Indy.  The Indigo-2 is R10K based.
>
> Anyhow, both the Indy and Indigo-2 will run the latest version of IRIX
> 6.5.20.  We've (disclaimer: I work for SGI) just released a version of
> ipfilter, the PD filtering software from Darren Reed.  The software is free,
> you pay for support, see http://www.sgi.com/software/ipfilter.html
>
> My advice to anyone building a firewall - use an operating system you are
> familiar with.  Otherwise, how are you going to know if someone has been
> messing with it, or how to fix something in a hurry?
>
> Simon.

Actually, you were able to get Indigo 2 with R4k cpus first, then R10k.

-- 
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

From chuck+baylisa at snew.com  Tue Feb 18 13:07:19 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Tue, 18 Feb 2003 13:07:19 -0800
Subject: buffer overflows, non-x86 architectures (Re: Which Red Hat?)
In-Reply-To: <8498.1045549765@kanga.nu>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu> <20030218030118.GJ17705@linuxmafia.com> <7328.1045546530@kanga.nu> <20030218055433.GP17705@linuxmafia.com> <8498.1045549765@kanga.nu>
Message-ID: <20030218210719.GA11666@snew.com>

Quoting J C Lawrence (claw at kanga.nu):
> On Mon, 17 Feb 2003 21:54:34 -0800 Rick Moen wrote:
> > Quoting J C Lawrence (claw at kanga.nu):
> >> SGI Indy's (the purple mini-towers) also tend to be readily available
> >> and extra NICs for them are cheap enough.
>
> > I've seen those around, and wouldn't mind having one.
>
> They seem to come on the market in spurts.  Indigo2s may be more readily
> available now as the Indys fall way back in age.

I've used Irix since 3.x.  I have a couple Indy's here.  I
*like* SGI; I've pushed for them hard at resistant companies
and I've used them at post production (film/tv) houses.

Again, I like SGIs machines; I hate that they (used to) sell
proprietary $$$$ RAM and kept costs for users very high.
Extra costs for NFS, eg., even in 5.x kept them out of a very
large bank I worked at because it was one of a list of things
that irked us a lot.  (and a test buy - a presentor - that died
and needed 4 MONTHS to get fixed was the nail in that coffin).
When I was working with trading floor Sun's (SunOS 4) and DECs
(ultrix/OSF1) a lot and admiring the solidity with Ultrix uptimes
exceeding 500 days of several machines, a friend offered that
working with the SGI's was a lot like working with dragsters and
race cars.  You worked on them, got them set for a run and, man!,
nothing was faster.  The Sun's and DECs were nice trucks and busses
that didn't go fast, but always chugged along.

Like the hardware, like Irix.

But I have to say Irix is the last OS I'd put on a machine that
needed to be secure.  It's lovely and aimed for user friendliness
and at speed.  Its history is long with security holes.  So fine,
they live behind a firewall.  [hell, we put dedicated firewalls
in front of Tandems that never crashed, but offered ZERO way to
restrict access to them].

It's also questionable whether a desktop SGI wants to be
a home firewall in California.  They run REALLY hot and suck
power.  Their case design, I swear, seems to be built it until
it catches fire, then take that last item out.

A friend starts using his Indigo when his home office is cold.


As for non-x86, yes, when a BIND buffer attack hit the net, I was
away.  I was amused to find named.cores but not too concerned that
the kiddies were overflowing my buffers with MIPS code.
A watcher just restarted named (chrooted, anyhow).

From mallen at byte-me.org  Tue Feb 18 13:40:04 2003
From: mallen at byte-me.org (Mark Allen)
Date: Tue, 18 Feb 2003 13:40:04 -0800
Subject: Paid Sun Patches
Message-ID: <20030218134004.A26184@sephiroth.byte-me.org>

Some Sun patch advisories require a SunSolve contract...  I'm
just curious if there's any consensus out there about whether
it's worth the time, money and hassle to have a software contract,
or if I'm really okay sticking with the free-access public patches.

My operating environment is mostly light duty work behind a firewall.
(ie., no direct Internet facing services, and applications like low
volume mail hub, DNS secondary, etc.)
Mark
-- 
Mark Allen -- mallen at byte-me.org -- http://www.byte-me.org/~mallen/
PGP: 0x5CDC2161 Mark Allen (Personal Key)

From rick at linuxmafia.com  Tue Feb 18 14:05:10 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Tue, 18 Feb 2003 14:05:10 -0800
Subject: buffer overflows, non-x86 architectures (Re: Which Red Hat?)
In-Reply-To: <20030218210719.GA11666@snew.com>
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu> <20030218030118.GJ17705@linuxmafia.com> <7328.1045546530@kanga.nu> <20030218055433.GP17705@linuxmafia.com> <8498.1045549765@kanga.nu> <20030218210719.GA11666@snew.com>
Message-ID: <20030218220510.GW17705@linuxmafia.com>

Quoting Chuck Yerkes (chuck+baylisa at snew.com):

> But I have to say Irix is the last OS I'd put on a machine that needed
> to be secure.

Fortunately, Debian will run on r4k-ip22 MIPS machines (SGI Indy / I2 /
Challenge S).  As will NetBSD/sgimips.

> It's also questionable whether a desktop SGI wants to be a home
> firewall in California.  They run REALLY hot and suck power.

Those really small ones, mentioned earlier, might qualify.  I'll have
to check.

-- 
Cheers,                There are only 10 types of people in this world --
Rick Moen              those who understand binary arithmetic and those who don't.
rick at linuxmafia.com

From chuck+baylisa at snew.com  Tue Feb 18 14:18:14 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Tue, 18 Feb 2003 14:18:14 -0800
Subject: Paid Sun Patches
In-Reply-To: <20030218134004.A26184@sephiroth.byte-me.org>
References: <20030218134004.A26184@sephiroth.byte-me.org>
Message-ID: <20030218221814.GA13186@snew.com>

Here's one criteria:
  If the machine dies, will your life suck?

Quoting Mark Allen (mallen at byte-me.org):
> Some Sun patch advisories require a SunSolve contract...
> I'm
> just curious if there's any consensus out there about whether
> it's worth the time, money and hassle to have a software contract,
> or if I'm really okay sticking with the free-access public patches.
>
> My operating environment is mostly light duty work behind a firewall.
> (ie., no direct Internet facing services, and applications like low
> volume mail hub, DNS secondary, etc.)

From npc at gangofone.com  Tue Feb 18 14:30:52 2003
From: npc at gangofone.com (Nick Christenson)
Date: Tue, 18 Feb 2003 14:30:52 -0800 (PST)
Subject: Paid Sun Patches
In-Reply-To: <20030218134004.A26184@sephiroth.byte-me.org>
Message-ID: <200302182230.h1IMUqAQ084436@discovery.gangofone.com>

> Some Sun patch advisories require a SunSolve contract...  I'm
> just curious if there's any consensus

Consensus?  I don't know about that.

> out there about whether
> it's worth the time, money and hassle to have a software contract,
> or if I'm really okay sticking with the free-access public patches.

If there is a consensus, I suspect it will be, "it depends".

If I have loads of Solaris boxes running mission-critical apps, if I'm
using unusual drivers, hardware, or configurations, or if I'm really
pushing the box, I'd almost certainly feel a software support contract
was worthwhile.  Also, if I worked at a place that had hard annual
budgets, I'd insist on a complete hardware and software support
contract so I could budget up front exactly how much money a machine
would cost me over the course of a year.  Not much is worse than having
a machine break and having no money to fix it.

If I just had a few Solaris boxes in non-mission critical,
non-intensive roles, I probably wouldn't bother to get support
contracts for them or feel I needed non-free SunSolve access.

It all depends.

> My operating environment is mostly light duty work behind a firewall.
> (ie., no direct Internet facing services, and applications like low
> volume mail hub, DNS secondary, etc.)
Do you consider these services enterprise-critical?  What will you do
if something serious or inexplicable comes up with one of these boxes?
If you can deal with these situations and can fade the downtime, then
you probably don't need an extensive support contract.  If you can't,
then I'd want an insurance policy of some sort.  What that needs to be
would depend...

I believe this is the correct answer, even if it doesn't help you much.

Good luck,

-- 
Nick Christenson
npc at gangofone.com

From ulf at Alameda.net  Tue Feb 18 14:37:05 2003
From: ulf at Alameda.net (Ulf Zimmermann)
Date: Tue, 18 Feb 2003 14:37:05 -0800
Subject: buffer overflows, non-x86 architectures (Re: Which Red Hat?)
In-Reply-To: <20030218210719.GA11666@snew.com>; from chuck+baylisa@snew.com on Tue, Feb 18, 2003 at 01:07:19PM -0800
References: <20030216122353.A8937@gerasimov.net> <20030218011245.GA3076@snew.com> <2069.1045533093@kanga.nu> <20030218030118.GJ17705@linuxmafia.com> <7328.1045546530@kanga.nu> <20030218055433.GP17705@linuxmafia.com> <8498.1045549765@kanga.nu> <20030218210719.GA11666@snew.com>
Message-ID: <20030218143705.D33318@seven.alameda.net>

On Tue, Feb 18, 2003 at 01:07:19PM -0800, Chuck Yerkes wrote:
> Quoting J C Lawrence (claw at kanga.nu):
> > On Mon, 17 Feb 2003 21:54:34 -0800 Rick Moen wrote:
> > > Quoting J C Lawrence (claw at kanga.nu):
> > >> SGI Indy's (the purple mini-towers) also tend to be readily available
> > >> and extra NICs for them are cheap enough.
> >
> > > I've seen those around, and wouldn't mind having one.
> >
> > They seem to come on the market in spurts.  Indigo2s may be more readily
> > available now as the Indys fall way back in age.
>
> I've used Irix since 3.x.  I have a couple Indy's here.  I
> *like* SGI; I've pushed for them hard at resistant companies
> and I've used them at post production (film/tv) houses.
>
> Again, I like SGIs machines; I hate that they (used to) sell
> proprietary $$$$ RAM and kept costs for users very high.
> Extra costs for NFS, eg., even in 5.x kept them out of a very
> large bank I worked at because it was one of a list of things
> that irked us a lot.  (and a test buy - a presentor - that died
> and needed 4 MONTHS to get fixed was the nail in that coffin).
>
> When I was working with trading floor Sun's (SunOS 4) and DECs
> (ultrix/OSF1) a lot and admiring the solidity with Ultrix uptimes
> exceeding 500 days of several machines, a friend offered that
> working with the SGI's was a lot like working with dragsters and
> race cars.  You worked on them, got them set for a run and, man!,
> nothing was faster.  The Sun's and DECs were nice trucks and busses
> that didn't go fast, but always chugged along.
>
> Like the hardware, like Irix.
>
> But I have to say Irix is the last OS I'd put on a machine that
> needed to be secure.  It's lovely and aimed for user friendliness
> and at speed.  Its history is long with security holes.  So fine,
> they live behind a firewall.  [hell, we put dedicated firewalls
> in front of Tandems that never crashed, but offered ZERO way to
> restrict access to them].
>
> It's also questionable whether a desktop SGI wants to be
> a home firewall in California.  They run REALLY hot and suck
> power.  Their case design, I swear, seems to be built it until
> it catches fire, then take that last item out.
>
> A friend starts using his Indigo when his home office is cold.
>
>
> As for non-x86, yes, when a BIND buffer attack hit the net, I was
> away.  I was amused to find named.cores but not too concerned that
> the kiddies were overflowing my buffers with MIPS code.
> A watcher just restarted named (chrooted, anyhow).

The one thing which really irked me about SGI was the way sales worked.
Everyone was on commission so none of the sales droids were interested
in selling a small Indy to an enduser as they didn't make much money on
it and it took too much time for them.  I worked for SGI and had several
friends who tried to buy an Indy.  :-(

-- 
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

From dannyman at toldme.com  Tue Feb 18 14:55:13 2003
From: dannyman at toldme.com (Danny Howard)
Date: Tue, 18 Feb 2003 14:55:13 -0800
Subject: Grammar and Munging [was Re: Paid Sun Patches]
In-Reply-To: <20030218221814.GA13186@snew.com>
References: <20030218134004.A26184@sephiroth.byte-me.org> <20030218221814.GA13186@snew.com>
Message-ID: <20030218225513.GN5469@pianosa.catch22.org>

On Tue, Feb 18, 2003 at 02:18:14PM -0800, Chuck Yerkes wrote:
> Here's one criteria:

There can be only one criterion.

* notices mail header.

Hey, Chuck, have you read http://www.unicom.com/pw/reply-to-harmful.html
?  Apparently the BayLISA list doesn't munge the Reply-to: headers,
it is only your posts that set Reply-to: to the list.  You prefer to
be flamed in public and not private?  :)

* opts not to "fix" his e-mail given the potentially interesting
discussion among SysAdmins that may ensue.

-danny

-- 
http://dannyman.toldme.com/

From star at starshine.org  Tue Feb 18 15:01:41 2003
From: star at starshine.org (Heather Stern)
Date: Tue, 18 Feb 2003 15:01:41 -0800
Subject: Meeting this week (Thurs, 7:30-9:30p)
Message-ID: <20030218230141.GA2658@starshine.org>

Hi everyone.  In a fit of imperfect sysadmin'ing, my atjob was eaten by
some dev work I've been up to.  That's what I get for being an engineer
and a sysadmin in the same week :)

For Those Who Don't Read Subject Lines . . . . . . . .

BayLISA, the Bay Area Large Installation System Administrators
February 20, Thursday
officially starting at 7:30 pm

Who and What . . . . . . . . . . . . . . . . . . . . .

Joe Little, Stanford University
Security on a University Campus: the Story of SULinux

Some of his colleagues may also be present.
R&D Labs are a special challenge for system administration as the very
defenses you need can be perceived to harm the research effort.
Hardware is mixed at least and often new and unusual.  Joe will
describe the choices that he and David Brumley made while developing a
hardened distribution that's worth studying.

Where . . . . . . . . . . . . . . . . . . . . . . . . .

10500 N. De Anza Blvd. Cupertino.
http://www.baylisa.org/locations/current.html for some maps...

If you are coming via the 280 Fwy: exit, turn south for a *very* short
distance, Mariani is a light.  turn left there and *immediately* turn
right into the parking lot with the blue apples.  Go all the way around
the building to the other side.  Park where convenient but that's where
the entrance door to our auditorium is.

If you are coming by way of 85, there's two options.  The recommended
one seems to be get back on the highway, go "north" to the nearby 280
juncture, then exit the 280 at De Anza and use those directions.

If you're stubborn, need to buy groceries, or just like this way, then
you want to *keep going North* until you pass Stevens Creek, pay
attention as you pass the Donut Wheel coffee shop, and enter the
parking lot with blue apples on your right.  If you've reached Mariani
you went too far, but just turn right and make your way into the
parking lot.  Count thou not to Infinite, the Loop is way too far.

For anyone using map engines, please doublecheck that it puts your mark
NORTH of Stevens Creek, and not by very far, either (a couple of
lights, in driving it).  The "S.De Anza" mark wouldn't be terribly
close to Apple.

New Members Are Always Welcome . . . . . . . . . . . .

Our meetings are free and open to the public.  It is our membership
that funds bringing in the great speakers every month.

We have an ongoing special.  If you bring someone who joins as a member
and has never been a member before - at all - then your own membership
will be extended by one year.
It's been asked, so I mention - yes, outside food and drink are fine.
We're bringing a snack spread and sodas as usual.  Please try to be
neat.  Thanks in advance.

A bunch of us like to go out afterwards for some sort of dinner, drinks
and more conversation at one of the local latenight restaurants.

-* Heather Stern * Arch (secretary) BayLISA Board * http://www.baylisa.org/ *-

From david at catwhisker.org  Tue Feb 18 15:27:29 2003
From: david at catwhisker.org (David Wolfskill)
Date: Tue, 18 Feb 2003 15:27:29 -0800 (PST)
Subject: Reply-To header (was: Re: Grammar and Munging [was Re: Paid Sun Patches])
In-Reply-To: <20030218225513.GN5469@pianosa.catch22.org>
Message-ID: <200302182327.h1INRTpt077572@bunrab.catwhisker.org>

>Date: Tue, 18 Feb 2003 14:55:13 -0800
>From: Danny Howard

>* notices mail header.

>Hey, Chuck, have you read http://www.unicom.com/pw/reply-to-harmful.html
>?  Apparently the BayLISA list doesn't munge the Reply-to: headers,
>....

You got that right.  Your current postmaster considers Reply-To to be a
header for the author of a message to set to whatever list of addresses
the author chooses -- and not for mailing list management software to
mess with.

Note, by the way, that the word "list" was placed in the above rather
intentionally.  :-)

>* opts not to "fix" his e-mail given the potentially interesting
>discussion among SysAdmins that may ensue.

I expect that there are a lot of folks who, upon reading this part of
the discussion, would find themselves bored to tears....

Cheers,
david (postmaster at baylisa.org)
-- 
David H. Wolfskill                              david at catwhisker.org
WARNING: Use of Microsoft products may be hazardous to your system's integrity.
From fscked at pacbell.net Tue Feb 18 15:50:36 2003
From: fscked at pacbell.net (richard childers / kg6hac)
Date: Tue, 18 Feb 2003 15:50:36 -0800
Subject: Support Contracts (was Re: Paid Sun Patches)
References: <20030218134004.A26184@sephiroth.byte-me.org>
Message-ID: <3E52C6CB.6B17EDC4@pacbell.net>

(1) How much does the support contract cost, per year?
(2) How much is support, on a per diem basis, per hour?
(3) How many hours of per diem support can you buy before it becomes cost-effective to have a support contract?
(4) How much (worst case) does downtime cost, per hour, to your organization?
(5) How much would it cost to assemble a set of spare parts onsite, and would it be cost-effective, in light of (1), (2), (3) and (4)?

(After all, you don't need to go to Heald College to learn how to swap parts, any more than you need a BS/CS to install software, or an accounting degree to do basic cost:effect analysis, for that matter.)

These are the critical questions you should ask when evaluating support contracts. I find that question (4) is a good test of the integrity of my management and my employer.

For instance: One NFS server providing home directories to 1000 users who are each costing a company $20 an hour (not counting overheads like rent and utilities) is $20K per hour, or $160,000 per eight-hour shift. One shift of downtime may be enough to pay for 32 separate 4-hour-response, 365 days a year support contracts.

The problem lies in convincing the people who originally set the budget that (a) they are wrong, and (b) you are right. Jobs are lost over issues like these; care is indicated.

-- richard

Mark Allen wrote:

> Some Sun patch advisories require a SunSolve contract... I'm
> just curious if there's any consensus out there about whether
> it's worth the time, money and hassle to have a software contract,
> or if I'm really okay sticking with the free-access public patches.
>
> My operating environment is mostly light duty work behind a firewall.
> (ie., no direct Internet facing services, and applications like low
> volume mail hub, DNS secondary, etc.)
>
> Mark
> --
> Mark Allen -- mallen at byte-me.org -- http://www.byte-me.org/~mallen/
> PGP: 0x5CDC2161 Mark Allen (Personal Key)

From claw at kanga.nu Tue Feb 18 16:51:50 2003
From: claw at kanga.nu (J C Lawrence)
Date: Tue, 18 Feb 2003 16:51:50 -0800
Subject: Grammar and Munging [was Re: Paid Sun Patches]
In-Reply-To: Message from Danny Howard of "Tue, 18 Feb 2003 14:55:13 PST." <20030218225513.GN5469@pianosa.catch22.org>
References: <20030218134004.A26184@sephiroth.byte-me.org> <20030218221814.GA13186@snew.com> <20030218225513.GN5469@pianosa.catch22.org>
Message-ID: <32567.1045615910@kanga.nu>

On Tue, 18 Feb 2003 14:55:13 -0800 Danny Howard wrote:

> Hey, Chuck, have you read
> http://www.unicom.com/pw/reply-to-harmful.html ? Apparently the
> BayLISA list doesn't munge the Reply-to: headers, it is only your
> posts that set Reply-to: to the list. You prefer to be flamed in
> public and not private? :)

Setting Reply-To is the correct/appropriate way to indicate that you don't wish to be CC'ed on list replies.

> * opts not to "fix" his e-mail given the potentially interesting
> discussion among SysAdmins that may ensue.

Hehn. As long as we don't get into the mail-followup-to silliness.

-- 
J C Lawrence ---------(*) Satan, oscillate my metallic sonatas.
claw at kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
From star at starshine.org Tue Feb 18 16:46:22 2003
From: star at starshine.org (Heather Stern)
Date: Tue, 18 Feb 2003 16:46:22 -0800
Subject: Support Contracts (was Re: Paid Sun Patches)
In-Reply-To: <3E52C6CB.6B17EDC4@pacbell.net>
References: <20030218134004.A26184@sephiroth.byte-me.org> <3E52C6CB.6B17EDC4@pacbell.net>
Message-ID: <20030219004622.GD2810@starshine.org>

> (4) How much (worst case) does downtime cost, per hour, to your
> organization?

The real nature of the word "evaluate" applies best. Any problems that you might consider the offer to be helpful against, consider their value. Whether that value is in vague, human terms like "Would your life suck if it weren't dealt with" - or cold hard cash like "N employees times T hours and normally cranking out D dollars worth of product/research except when they are down" - or something in between like playing weasel words about what really means "down" and what merely means "slow"...

A problem which a friend of mine likes to refer to as a reminder to management, that 2 + 2 = 4, no matter who'd like it to be 3, or 5.

If your corporate entity's life is in danger should it fail to keep around the hearts and lungs A.K.A. [email|the database|your app's name here], then by all means get yourself some ongoing support guarantees. Deciding whether that can be better handled by a consultant, the vendor, or by making darn sure your own people can do that job, is part of the things to analyse.

The risks need to be analyzed too. Only having an outsider know all the skeletons in your server closet could be a fine way to end up in a pinch when he's called by 4 clients at once. Having a vendor who won't offer patches unless you pay up might be something you'd consider a risk if you think another vendor's products can serve the same purpose.
Having your own people able to do the job might lead to a risk that they'll have to do that instead of the job you've hired them for - but on the flip side, they'd be able to spot if a consultant or vendor is trying to snow the company out of some extra bucks.

I'd ask a few more things about what I get for the contract. Do I get better patches, or the same ones ahead of others? Do the patches normally offer safe rollback in case of trouble? What credits do I get if I don't get patches that are offered, if my rep can't get back to me and so on? And is there other equipment which can do the same duty, but doesn't cost as much (in some aspect: money, configurability, or time)?

I like to keep my basic policy simple:
  save early (plan ahead)
  save often (keep an eye on things continuously)
  save extras (check that your backups can be restored!)

Everything else is an implementation detail. Details are important too :)

To the one who started this thread, kudos - for planning ahead.

  . | .   Heather Stern                  | star at starshine.org
--->*<--- Starshine Technical Services - * - consulting at starshine.org
  ' | `   Sysadmin Support and Training  | (800) 938-4078

From claw at kanga.nu Tue Feb 18 17:29:30 2003
From: claw at kanga.nu (J C Lawrence)
Date: Tue, 18 Feb 2003 17:29:30 -0800
Subject: Support Contracts (was Re: Paid Sun Patches)
In-Reply-To: Message from richard childers / kg6hac of "Tue, 18 Feb 2003 15:50:36 PST." <3E52C6CB.6B17EDC4@pacbell.net>
References: <20030218134004.A26184@sephiroth.byte-me.org> <3E52C6CB.6B17EDC4@pacbell.net>
Message-ID: <1172.1045618170@kanga.nu>

On Tue, 18 Feb 2003 15:50:36 -0800 richard childers wrote:

> The problem lies in convincing the people who originally set the
> budget that (a) they are wrong, and (b) you are right. Jobs are lost
> over issues like these; care is indicated.

Be careful there. The calculation really isn't a pure cost vs cost balance, tho we'd like to think it is.
I've seen enough good people canned for making wise long term decisions that simply weren't comfortable in the moment of pain. Disasters and the motivations to assign blame are strong forces. A long track record of saving small money (which in sum exceeds the corresponding single large expense) is trivially overlooked by most humans given an opportunity to point a finger and say, "It's his fault! He should have had a support contract! Fire him!" The fact that you can pull paperwork showing no net loss (or even a profit) over the last N years is pretty easy to overlook when the pain is RIGHT NOW and alimentary canal deposits are hitting the rotary air movers of half a dozen dept heads.

-- 
J C Lawrence ---------(*) Satan, oscillate my metallic sonatas.
claw at kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.

From claw at kanga.nu Tue Feb 18 17:37:03 2003
From: claw at kanga.nu (J C Lawrence)
Date: Tue, 18 Feb 2003 17:37:03 -0800
Subject: Support Contracts (was Re: Paid Sun Patches)
In-Reply-To: Message from star@starshine.org (Heather Stern) of "Tue, 18 Feb 2003 16:46:22 PST." <20030219004622.GD2810@starshine.org>
References: <20030218134004.A26184@sephiroth.byte-me.org> <3E52C6CB.6B17EDC4@pacbell.net> <20030219004622.GD2810@starshine.org>
Message-ID: <1352.1045618623@kanga.nu>

On Tue, 18 Feb 2003 16:46:22 -0800 Heather Stern wrote:

> Whether that value is in vague, human terms like "Would your life suck
> if it weren't dealt with" - or cold hard cash like "N employees times
> T hours and normally cranking out D dollars worth of product/research
> except when they are down" - or something in between like playing
> weasel words about what really means "down" and what merely means
> "slow"...

Another hairy bit is that cost analysis is not constant over time. A down email system has one expense during normal production.
It has a rather different expense when your sales staff are in the final stages of negotiating a $20M contract. That's a whole different value of '2'...

> A problem which a friend of mine likes to refer to as a reminder to
> management, that 2 + 2 = 4, no matter who'd like it to be 3, or 5.

Or, paraphrasing, 2+2==5 for sufficiently large values of 2, and 2+2==3 for sufficiently small values of 2. In percentage terms that's one heck of a spread.

-- 
J C Lawrence ---------(*) Satan, oscillate my metallic sonatas.
claw at kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.

From star at starshine.org Thu Feb 20 07:39:39 2003
From: star at starshine.org (Heather Stern)
Date: Thu, 20 Feb 2003 07:39:39 -0800
Subject: meeting 7:30pm tonight
Message-ID: <20030220153939.GA19241@starshine.org>

Hello folks. Just a little note to remind everyone that the BayLISA meeting is tonight...

The speaker is Joe Little, speaking about Stanford University's own security enhanced Linux variant, SULinux.

We meet at Apple; see http://www.baylisa.org/locations/current.html if you need directions (and missed yesterday's). You'll want to arrive a little earlier than 7:30 pm (when everything starts) if you'd like a good seat.

We'll have snacks. We have pint glasses and T-shirts and lots of free parking.

Don't forget your checkbook* if your BayLISA membership has expired or you have an inclination to join. If you're already a member or your company is already a corporate member, then a very big THANKS! It's our members that allow us to be able to keep bringing in great speakers.

* or if you join us online using PayPal, don't forget your paperwork to complete the transaction.

I'll see you there! :)

-* Heather Stern * Arch (secretary) BayLISA Board * http://www.baylisa.org/ *-

From extasia at extasia.org Thu Feb 20 11:30:42 2003
From: extasia at extasia.org (David Alban)
Date: Thu, 20 Feb 2003 11:30:42 -0800
Subject: Good selection of laptop drives?
Message-ID: <20030220113042.A14216@gerasimov.net>

Greetings!

Can someone recommend any stores which are likely to have a good selection of new 5400 rpm laptop drives? Fry's in Palo Alto didn't. I'm located mid-peninsula, but could go fairly far for a good recommendation.

Thanks,
David

P.S. The drives I found online all seem to require the better part of a week (or more) to get to me.

-- 
Live in a world of your own, but always welcome visitors.
***
Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/

From abrinker at ix.netcom.com Thu Feb 20 12:11:14 2003
From: abrinker at ix.netcom.com (Alan Brinker)
Date: Thu, 20 Feb 2003 12:11:14 -0800
Subject: Good selection of laptop drives?
References: <20030220113042.A14216@gerasimov.net>
Message-ID: <3E553662.D862A33B@ix.netcom.com>

Hi David,

Try CSC in Sunnyvale. Their number is 408 330 5563. Let me know how you do.

Alan Brinker

David Alban wrote:

> Greetings!
>
> Can someone recommend any stores which are likely to have a good
> selection of new 5400 rpm laptop drives? Fry's in Palo Alto didn't.
> I'm located mid-peninsula, but could go fairly far for a good
> recommendation.
>
> Thanks,
> David
>
> P.S. The drives I found online all seem to require the better part
> of a week (or more) to get to me.
> --
> Live in a world of your own, but always welcome visitors.
> ***
> Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
> Unix sysadmin available: http://www.extasia.org/resume/

From jxh at jxh.com Thu Feb 20 12:16:21 2003
From: jxh at jxh.com (Jim Hickstein)
Date: Thu, 20 Feb 2003 12:16:21 -0800
Subject: Good selection of laptop drives?
In-Reply-To: <20030220113042.A14216@gerasimov.net>
References: <20030220113042.A14216@gerasimov.net>
Message-ID: <39820000.1045772181@jxh.mirapoint.com>

We've been buying the IBM [1] TravelStar drives mail-order. Did other Fry's stores show any inventory? You might also check with www.diskdepot.com, in Sunnyvale.

[1] Now Hitachi. Time will tell whether this is good or bad.

From scott at benetech.org Thu Feb 20 12:27:49 2003
From: scott at benetech.org (Scott Weikart)
Date: Thu, 20 Feb 2003 12:27:49 -0800
Subject: Good selection of laptop drives?
In-Reply-To: <20030220113042.A14216@gerasimov.net>
References: <20030220113042.A14216@gerasimov.net>
Message-ID: <03022012274909.01413@sandino.dnsalias.org>

On Thursday 20 February 2003 11:30 am, David Alban wrote:

> Can someone recommend any stores which are likely to have a good
> selection of new 5400 rpm laptop drives? Fry's in Palo Alto didn't.

I only buy disk drives "boxed for retail" at Fry's. Their bare drives could have been bought on the gray market. I hear that, when an OEM rejects a pallet full of disk drives because of low quality, the whole pallet often ends up on the gray market. [About four years ago I bought three very-cheap SCSI drives from Fry's, and two of them failed within a month of use.]

The same situation holds for DRAM. A pair of no-brand SIMMs from Fry's both developed errors (and they didn't have parity/ECC, so they really scrambled the Windows registry).

So, I would only buy bare drives from Fry's if they went into a RAID array. And I would only buy bare DIMMs from Fry's if they had parity bits e.g. 168-pin DIMMs, x72 (and the motherboard implements ECC).

> P.S. The drives I found online all seem to require the better part
> of a week (or more) to get to me.

That's surprising to me. I would assume you could find stock somewhere, and then get next day delivery.

By the way, after checking out a few laptops, it looks like you can put thinner disks into laptops designed for thicker disks. I.e.
the mounting holes for various thicknesses of laptop disks seem to be in line with the connector (and in the same position), so that thinner disks always work.

So, don't bother to order the same thickness disk that came with the laptop (which may be old enough to have limited stock). Buy a newer/thinner/bigger/more-available disk. You would want the power consumption to be the same or less, but thinner/newer seems to always mean lower power.

-scott

p.s. The opinions in this message are my own, not those of my employer.

From scott at igc.org Thu Feb 20 12:39:28 2003
From: scott at igc.org (Scott Weikart)
Date: Thu, 20 Feb 2003 12:39:28 -0800
Subject: Good selection of laptop drives?
In-Reply-To: <20030220113042.A14216@gerasimov.net>
References: <20030220113042.A14216@gerasimov.net>
Message-ID: <0302201239280C.01413@sandino.dnsalias.org>

Pardon the potential duplicate, I sent this message earlier from an email address that's not subscribed to the list.

On Thursday 20 February 2003 11:30 am, David Alban wrote:

> Can someone recommend any stores which are likely to have a good
> selection of new 5400 rpm laptop drives? Fry's in Palo Alto didn't.

I only buy disk drives "boxed for retail" at Fry's. Their bare drives could have been bought on the gray market. I hear that, when an OEM rejects a pallet full of disk drives because of low quality, the whole pallet often ends up on the gray market. [About four years ago I bought three very-cheap SCSI drives from Fry's, and two of them failed within a month of use.]

The same situation holds for DRAM. A pair of no-brand SIMMs from Fry's both developed errors (and they didn't have parity/ECC, so they really scrambled the Windows registry).

So, I would only buy bare drives from Fry's if they went into a RAID array. And I would only buy bare DIMMs from Fry's if they had parity bits e.g. 168-pin DIMMs, x72 (and the motherboard implements ECC).

> P.S.
> The drives I found online all seem to require the better part
> of a week (or more) to get to me.

That's surprising to me. I would assume you could find stock somewhere, and then get next day delivery.

By the way, after checking out a few laptops, it looks like you can put thinner disks into laptops designed for thicker disks. I.e. the mounting holes for various thicknesses of laptop disks seem to be in line with the connector (and in the same position), so that thinner disks always work.

So, don't bother to order the same thickness disk that came with the laptop (which may be old enough to have limited stock). Buy a newer/thinner/bigger/more-available disk. You would want the power consumption to be the same or less, but thinner/newer seems to always mean lower power.

-scott

p.s. The opinions in this message are my own, not those of my employer.

From chuck+baylisa at snew.com Thu Feb 20 12:42:30 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Thu, 20 Feb 2003 15:42:30 -0500
Subject: Grammar and Munging [was Re: Paid Sun Patches]
In-Reply-To: <20030218225513.GN5469@pianosa.catch22.org>
References: <20030218134004.A26184@sephiroth.byte-me.org> <20030218221814.GA13186@snew.com> <20030218225513.GN5469@pianosa.catch22.org>
Message-ID: <20030220204230.GA6168@snew.com>

Quoting Danny Howard (dannyman at toldme.com):

> On Tue, Feb 18, 2003 at 02:18:14PM -0800, Chuck Yerkes wrote:
...
> Hey, Chuck, have you read http://www.unicom.com/pw/reply-to-harmful.html
> ? Apparently the BayLISA list doesn't munge the Reply-to: headers, it
> is only your posts that set Reply-to: to the list. You prefer to be
> flamed in public and not private? :)
>
> * opts not to "fix" his e-mail given the potentially interesting
> discussion among SysAdmins that may ensue.

No, I find that many (most) people, even system admins, send back to ALL, not just to the list. I'm on the list, I don't want to get it into my INBOX as well.
As threads grow, I find myself getting messages replying to things I no longer care about. You want to send me a message, then spend a moment and look at the headers.

It's a discussion list, I set (actually mutt does the work for me) the reply-to header back to the list. It's my right. It's not the list doing it.

Sometimes, I'll Bcc the originator, but that's just to ensure that if s/he, like me, doesn't read his baylisa folder regularly, that s/he gets to see it. Bcc so that when someone does Reply-To of THIS, they don't get two. See? I'm nice.

chuck

From abrinker at ix.netcom.com Thu Feb 20 12:45:09 2003
From: abrinker at ix.netcom.com (Alan Brinker)
Date: Thu, 20 Feb 2003 12:45:09 -0800
Subject: Good selection of laptop drives?
References: <20030220113042.A14216@gerasimov.net> <39820000.1045772181@jxh.mirapoint.com>
Message-ID: <3E553E55.BF4983EB@ix.netcom.com>

Sorry but I didn't catch that you wanted laptop. Duh. Disk Drive Depot doesn't carry anything in laptop drives over +/-1.5 gig. CSC is their parent company and a commercial supplier. I just did a search for a laptop drive and bought from CDW but Central Computer also had some in stock. 408 248 5888.

Alan

Jim Hickstein wrote:

> We've been buying the IBM [1] TravelStar drives mail-order. Did other
> Fry's stores show any inventory? You might also check with
> www.diskdepot.com, in Sunnyvale.
>
> [1] Now Hitachi. Time will tell whether this is good or bad.

From abrinker at ix.netcom.com Thu Feb 20 12:48:49 2003
From: abrinker at ix.netcom.com (Alan Brinker)
Date: Thu, 20 Feb 2003 12:48:49 -0800
Subject: Good selection of laptop drives?
References: <20030220113042.A14216@gerasimov.net> <03022012274909.01413@sandino.dnsalias.org>
Message-ID: <3E553F30.F13B91E9@ix.netcom.com>

You have to be careful though that you check that your laptop will handle the larger drive. If not, buy a bios overlay. There are only two companies that I found that handle them. I have one that I will sell with warranty.
Alan

Scott Weikart wrote:

> On Thursday 20 February 2003 11:30 am, David Alban wrote:
> > Can someone recommend any stores which are likely to have a good
> > selection of new 5400 rpm laptop drives? Fry's in Palo Alto didn't.
>
> I only buy disk drives "boxed for retail" at Fry's. Their bare
> drives could have been bought on the gray market. I hear that, when
> an OEM rejects a pallet full of disk drives because of low quality,
> the whole pallet often ends up on the gray market. [About four
> years ago I bought three very-cheap SCSI drives from Fry's, and two
> of them failed within a month of use.]
>
> The same situation holds for DRAM. A pair of no-brand SIMMs from
> Fry's both developed errors (and they didn't have parity/ECC, so
> they really scrambled the Windows registry).
>
> So, I would only buy bare drives from Fry's if they went into a RAID
> array. And I would only buy bare DIMMs from Fry's if they had
> parity bits e.g. 168-pin DIMMs, x72 (and the motherboard implements
> ECC).
>
> > P.S. The drives I found online all seem to require the better part
> > of a week (or more) to get to me.
>
> That's surprising to me. I would assume you could find stock
> somewhere, and then get next day delivery.
>
> By the way, after checking out a few laptops, it looks like you can
> put thinner disks into laptops designed for thicker disks. I.e. the
> mounting holes for various thicknesses of laptop disks seem to be in
> line with the connector (and in the same position), so that thinner
> disks always work.
>
> So, don't bother to order the same thickness disk that came with the
> laptop (which may be old enough to have limited stock). Buy a
> newer/thinner/bigger/more-available disk. You would want the power
> consumption to be the same or less, but thinner/newer seems to
> always mean lower power.
>
> -scott
>
> p.s. The opinions in this message are my own, not those of my
> employer.
From jxh at jxh.com Thu Feb 20 13:00:10 2003
From: jxh at jxh.com (Jim Hickstein)
Date: Thu, 20 Feb 2003 13:00:10 -0800
Subject: Good selection of laptop drives?
In-Reply-To: <3E553E55.BF4983EB@ix.netcom.com>
References: <20030220113042.A14216@gerasimov.net> <39820000.1045772181@jxh.mirapoint.com> <3E553E55.BF4983EB@ix.netcom.com>
Message-ID: <43690000.1045774810@jxh.mirapoint.com>

> Sorry but I didn't catch that you wanted laptop. Duh. Disk Drive Depot
> doesn't carry anything in laptop drives over +/-1.5 gig. CSC is their

Toxic waste. :-)

> parent company and a commercial supplier. I just did a search for a
> laptop drive and bought from CDW but Central Computer also had some in
> stock. 408 248 5888.

We also use Zones for a lot of stuff (www.zones.com, formerly Multiple Zones i.e. PC Zone, Mac Zone, etc.), and they treat us well. But that's mail order. Still, they can often ship same day.

I do find that rotational speed is very important. I myself paid a significant premium for an early 5411-rpm IBM Travelstar back when the ordinary drives were 4200 rpm. Big difference; no regrets. The 48GH is what we're buying these days, IIRC. http://www.storage.ibm.com/

From alvin at maggie.linux-consulting.com Thu Feb 20 13:58:13 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Thu, 20 Feb 2003 13:58:13 -0800 (PST)
Subject: Good selection of laptop drives?
In-Reply-To: <20030220113042.A14216@gerasimov.net>
Message-ID:

hi ya david

On Thu, 20 Feb 2003, David Alban wrote:

> Greetings!
>
> Can someone recommend any stores which are likely to have a good
> selection of new 5400 rpm laptop drives? Fry's in Palo Alto didn't.
> I'm located mid-peninsula, but could go fairly far for a good
> recommendation.
centralcomputer.com will order whatever drive/cpu/mem/mb you want ( usually next day or two delivery esp for relatively easy to find laptops as opposed to hard to find p3 800eb style cpu )

my list of laptop drive webstores ( never bought any from the webstores ) ( like brick-n-mortar type of places )
http://www.Linux-1U.net/Disks/Laptop/

c ya
alvin

From dannyman at toldme.com Thu Feb 20 14:42:52 2003
From: dannyman at toldme.com (Danny Howard)
Date: Thu, 20 Feb 2003 14:42:52 -0800
Subject: Mail Filtering Best Practices
In-Reply-To: <20030220204230.GA6168@snew.com>
References: <20030218134004.A26184@sephiroth.byte-me.org> <20030218221814.GA13186@snew.com> <20030218225513.GN5469@pianosa.catch22.org> <20030220204230.GA6168@snew.com>
Message-ID: <20030220224252.GK5469@pianosa.catch22.org>

On Thu, Feb 20, 2003 at 03:42:30PM -0500, Chuck Yerkes wrote:

> No, I find that many (most) people, even system admins, send back
> to ALL, not just to the list. I'm on the list, I don't want to
> get it into my INBOX as well. As threads grow, I find myself
> getting messages replying to things I no longer care about.

It is not difficult to cache message-ids and deliver subsequent identical ones to /dev/null. The easiest way I've found to do this is to check the return code of "formail -D". This method is also handy in that it yields for you the desired behaviour with a single procmail recipe.

Your current strategy only works with the 2% or so of Internet e-mail users who follow your own methodology. Because this methodology contradicts the best practices proposed in "Considered Harmful" it seems likely that only a tiny minority will adopt that methodology.

> You want to send me a message, then spend a moment and look at the
> headers.

That's asking an awful lot of most people, even if they are in the habit of manually sanity-checking mail headers.

> It's a discussion list, I set (actually mutt does the work for me)
> the reply-to header back to the list. It's my right.
> It's not
> the list doing it.

I wouldn't presume to trample on your rights, I only seek to amend your wrongs.

> Sometimes, I'll Bcc the originator, but that's just to ensure that
> if s/he, like me, doesn't read his baylisa folder regularly, that
> s/he gets to see it. Bcc so that when someone does Reply-To of
> THIS, they don't get two. See? I'm nice.

Another common filtering rule in the SPAM Age, is that e-mail that is not addressed TO you in the envelope is more likely to be SPAM. If you want to send a message TO someone, then it seems a very good idea to mark the envelope appropriately.

Over the years, I've come up with this general algorithm:

1) Check with Spam software. If Spam, file in "Spam".
2) Check against headers added by various list managers, file in list folders.
3) If mail is addressed TO me in the headers, it goes in Inbox.
4) Anything left over goes to Inbox or Spam, depending on the efficacy of step 1. :)

Duplicate-ID suppression works in this scheme as well, anywhere before step 2. I'm thinking this might be a fun article, so I'm keeping this on baylisa to solicit feedback.

-danny

-- 
http://dannyman.toldme.com/

From baylisa at az0.altern8.net Thu Feb 20 15:05:04 2003
From: baylisa at az0.altern8.net (Vince Hoang)
Date: Thu, 20 Feb 2003 13:05:04 -1000
Subject: Mail Filtering Best Practices
In-Reply-To: <20030220224252.GK5469@pianosa.catch22.org>
References: <20030218134004.A26184@sephiroth.byte-me.org> <20030218221814.GA13186@snew.com> <20030218225513.GN5469@pianosa.catch22.org> <20030220204230.GA6168@snew.com> <20030220224252.GK5469@pianosa.catch22.org>
Message-ID: <20030220230504.GH61514@anarchy.com>

On Thu, Feb 20, 2003 at 02:42:52PM -0800, Danny Howard wrote:

> Another common filtering rule in the SPAM Age, is that e-mail
> that is not addressed TO you in the envelope is more likely
> to be SPAM. If you want to send a message TO someone, then it
> seems a very good idea to mark the envelope appropriately.
Since I did not copy your address directly in the reply, I suppose you are reading this message in your spam folder.

-Vince

From david at catwhisker.org Thu Feb 20 15:17:45 2003
From: david at catwhisker.org (David Wolfskill)
Date: Thu, 20 Feb 2003 15:17:45 -0800 (PST)
Subject: Mail Filtering Best Practices
In-Reply-To: <20030220224252.GK5469@pianosa.catch22.org>
Message-ID: <200302202317.h1KNHjuF084737@bunrab.catwhisker.org>

>Date: Thu, 20 Feb 2003 14:42:52 -0800
>From: Danny Howard

>It is not difficult to cache message-ids and deliver subsequent
>identical ones to /dev/null.

That may be, but dealing with the occasional source of messages that does not supply a Message-Id header at all will tend to make this rather less effective than it might otherwise be. :-(

I get fairly aggressive about dealing with spam sometimes. And I do the filtering at the MTA. The results of that filtering got to the point recently where it seemed to me that a significant amount of the remaining spam -- gut feel was around 30 - 50% -- had the distinguishing characteristic that the messages in question arrived without a Message-Id header at all.

Now, in looking over RFC 2822, the Message-Id is an optional header; it merely SHOULD (vs. MUST) be supplied. However, I can think of no legitimate justification for sending a message without one. So I went ahead & implemented that check in the sendmail.cf I use for the SMTP server here (catwhisker.org, not baylisa.org).

About a week later, I had occasion to interact with a mailing list server over at LISTSERV.NODAK.EDU. They have a straightforward-seeming Web form for specifying stuff, and a CGI that reads the results of the form and sends email to the specified address, requesting that you confirm that you really want to be subscribed to the list. Now, make no mistake: I consider that much of the implementation a Good Thing.
As it happens, because I had recently made the above-described change, I happened to have a window open, doing a

	tail -F /var/log/maillog.0 | egrep '(reject=|did not issue)'

just so I could be aware of collateral damage from that change.

When I did not receive the confirmation within a couple of minutes, I looked at the message log. Sure enough:

Feb 16 18:17:30 janus sm-mta[60727]: h1H2HUi9060727: ruleset=check_eoh, arg1=5, arg2=406, relay=listserv.NoDak.edu [134.129.111.8], reject=553 5.0.0 Do not expect me to track your messages for you
Feb 16 18:17:31 janus sm-mta[60727]: h1H2HUi9060727: from=, size=1570, class=0, nrcpts=1, msgid=<200302170217.h1H2HUi9060727 at janus.catwhisker.org>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=listserv.NoDak.edu [134.129.111.8]
Feb 16 18:17:31 janus sm-mta[60727]: h1H2HUi9060727: to=, delay=00:00:01, pri=30406, stat=Do not expect me to track your messages for you

Nuts. Since I really did want to subscribe to the list, I put an exemption in for that machine. :-(

A day later, I sent a query off to postmaster at listserv.nodak.edu, asking if there actually was a reason they sent out messages without Message-Id headers. No response to date; I'm not holding my breath. (OK; I confess that I strongly suspect that the term "LISTSERV" explains a great deal of the misconfiguration that I perceive.)

Oh -- I'll gladly receive suggestions for improving the message. :-}

And if folks think such a check ought to be implemented for baylisa.org, I'm willing to discuss it, and possibly even do it. :-}

Cheers,
david (links to my resume at http://www.catwhisker.org/~david)
-- 
David H. Wolfskill david at catwhisker.org
WARNING: Use of Microsoft products may be hazardous to your system's integrity.
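Danny's four-step delivery algorithm (with the formail -D style duplicate suppression) and David's end-of-headers "no Message-Id" rejection, with the per-relay exemption he ended up needing, as one added example; this is not code from the thread, and the addresses, folder names, spam phrase and sample messages are constructed assumptions:

```python
"""Added example (not code from the BayLISA thread): an offline model of
Danny Howard's four-step delivery algorithm with Message-Id duplicate
suppression (the formail -D idea), plus the end-of-headers "no Message-Id"
rejection David Wolfskill describes, including the per-relay exemption he
had to add. Addresses, folder names and sample mail are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESSES = {"me@example.org"}        # assumption: the local user's address
EXEMPT_RELAYS = {"listserv.nodak.edu"}   # the exemption David put in
SPAM_PHRASES = ("make money fast",)      # stand-in for step 1's spam checker


def relay_host(msg):
    """Host named in the topmost Received: header, i.e. the last relay."""
    m = re.search(r"from\s+([^\s(;]+)", msg.get("Received", ""))
    return m.group(1).lower() if m else ""


def smtp_policy(raw, exempt=EXEMPT_RELAYS):
    """MTA-time check in the spirit of David's check_eoh ruleset: reject a
    message that carries no Message-Id unless its relay is exempted."""
    msg = message_from_string(raw)
    if msg.get("Message-Id") is None and relay_host(msg) not in exempt:
        return "reject"
    return "accept"


def looks_like_spam(msg):
    """Step 1 stand-in: phrase match over Subject and body."""
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    return any(p in text for p in SPAM_PHRASES)


def list_folder(msg):
    """Step 2: a List-Id header added by the list manager picks the folder."""
    list_id = msg.get("List-Id")
    if not list_id:
        return None
    m = re.search(r"<([^>]+)>", list_id)
    return "lists/" + (m.group(1) if m else list_id.strip()).split(".")[0]


def addressed_to_me(msg, me=MY_ADDRESSES):
    """Step 3: is one of my addresses in To: or Cc:?"""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.lower() in me for _, addr in pairs)


class Filter:
    """Per-user delivery agent that remembers the Message-Ids it has seen."""
    def __init__(self, leftover="Spam"):   # step 4 choice is an assumption
        self.seen_ids = set()
        self.leftover = leftover

    def deliver(self, raw):
        msg = message_from_string(raw)
        mid = msg.get("Message-Id")
        if mid is not None:                # duplicate suppression, before step 2
            if mid in self.seen_ids:
                return "/dev/null"
            self.seen_ids.add(mid)
        if looks_like_spam(msg):           # step 1
            return "Spam"
        folder = list_folder(msg)          # step 2
        if folder:
            return folder
        if addressed_to_me(msg):           # step 3
            return "Inbox"
        return self.leftover               # step 4: neither listed nor TO me


def make_mail(relay, msgid=None, **headers):
    """Build a constructed message; underscores in keywords become hyphens."""
    lines = [f"Received: from {relay} by janus.example.org"]
    if msgid:
        lines.append(f"Message-Id: <{msgid}>")
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return "\n".join(lines) + "\n\nconstructed body\n"


LIST_POST = make_mail("mail.baylisa.org", "c1@example.net", To="baylisa@baylisa.org",
                      Subject="Mail Filtering Best Practices",
                      List_Id="BayLISA discussion <baylisa.baylisa.org>")
DIRECT_MAIL = make_mail("smtp.example.net", "c2@example.net", To="me@example.org",
                        Subject="dinner after the meeting?")
NO_MSGID = make_mail("listserv.NoDak.edu", To="me@example.org",
                     Subject="Command confirmation request")
SPAM = make_mail("bulk.example.com", "c3@example.com", To="victim@example.org",
                 Subject="MAKE MONEY FAST")


def run_samples():
    """Deliver the samples through one Filter; the repeated list post is dropped."""
    f = Filter()
    return [f.deliver(m) for m in (LIST_POST, DIRECT_MAIL, SPAM, LIST_POST, NO_MSGID)]
```

Note that NO_MSGID is accepted only because its relay is on the exemption list; the same message from any other relay is rejected before delivery, which is exactly the collateral damage the tail/egrep window was watching for.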
From alvin at maggie.linux-consulting.com Thu Feb 20 16:15:42 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Thu, 20 Feb 2003 16:15:42 -0800 (PST)
Subject: Mail Filtering Best Practices
In-Reply-To: <20030220224252.GK5469@pianosa.catch22.org>
Message-ID: 

hi ya

On Thu, 20 Feb 2003, Danny Howard wrote:

> Over the years, I've come up with this general algorithm:

my basic rules... they are considered spam if...
- they have a host/domain that does not resolve ( reverse dns )
- their message id is faked
- coming from a non-existent user
- addressed to non-existing users on my end
- subject line has "whacky disallowed phrases"
- specific domains and ip# are unconditionally disallowed
- few more tidbits

- i dont get many/any "false positives" .. i do NOT want to read the spam twice.... nor do i want to save their spam locally
- price for that is i do get a few that gets thru and i promptly add them to the "disallowed list"

( and yup .. i use sendmail + check-local .. sorry ..am a dinosaur )

http://www.Linux-Sec.net/Mail/AntiSpam

c ya
alvin

> 1) Check with Spam software. If Spam, file in "Spam".
> 2) Check against headers added by various list managers, file in list
> folders.
> 3) If mail is addressed TO me in the headers, it goes in Inbox.
> 4) Anything left over goes to Inbox or Spam, depending on the efficacy
> of step 1. :)
>
> Duplicate-ID suppression works in this scheme as well, anywhere before
> step 2. I'm thinking this might be a fun article, so I'm keeping this
> on baylisa to solicit feedback.
>
> -danny

From claw at kanga.nu Thu Feb 20 18:26:23 2003
From: claw at kanga.nu (J C Lawrence)
Date: Thu, 20 Feb 2003 18:26:23 -0800
Subject: Mail Filtering Best Practices
In-Reply-To: Message from of "Thu, 20 Feb 2003 16:15:42 PST."
References: 
Message-ID: <7008.1045794383@kanga.nu>

On Thu, 20 Feb 2003 16:15:42 -0800 (PST) alvin wrote:
> On Thu, 20 Feb 2003, Danny Howard wrote:
>> Over the years, I've come up with this general algorithm:

...deletia...

> - i dont get many/any "false positives" ..

I use the following user.prefs for SpamAssassin under procmail:

  required_hits 5
  auto_report_threshold 30
  ok_locales en
  rewrite_subject 0
  report_header 2
  defang_mime 0

That's worked out extremely well for me.

After that I run TMDA on all my public impersonal accounts (postmaster, webmaster, list-owner etc). Wonderful tool -- especially the dated and sender addresses.

-- 
J C Lawrence                ---------(*)     Satan, oscillate my metallic sonatas.
claw at kanga.nu                                  He lived as a devil, eh?
http://www.kanga.nu/~claw/                   Evil is a name of a foeman, as I live.

From star at starshine.org Thu Feb 20 18:54:41 2003
From: star at starshine.org (Heather Stern)
Date: Thu, 20 Feb 2003 18:54:41 -0800
Subject: Mail Filtering Best Practices
In-Reply-To: <200302202317.h1KNHjuF084737@bunrab.catwhisker.org>
References: <20030220224252.GK5469@pianosa.catch22.org> <200302202317.h1KNHjuF084737@bunrab.catwhisker.org>
Message-ID: <20030221025441.GC482@starshine.org>

> tail -F /var/log/maillog.0 | egrep '(reject=|did not issue)'
>
> just so I could be aware of collateral damage from that change.
>
> When I did not receive the confirmation within a couple of minutes, I
> looked at the message log.
> Sure enough:
>
> Feb 16 18:17:30 janus sm-mta[60727]: h1H2HUi9060727: ruleset=check_eoh, arg1=5, arg2=406, relay=listserv.NoDak.edu [134.129.111.8], reject=553 5.0.0 Do not expect me to track your messages for you
> Feb 16 18:17:31 janus sm-mta[60727]: h1H2HUi9060727: from=, size=1570, class=0, nrcpts=1, msgid=<200302170217.h1H2HUi9060727 at janus.catwhisker.org>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=listserv.NoDak.edu [134.129.111.8]
> Feb 16 18:17:31 janus sm-mta[60727]: h1H2HUi9060727: to=, delay=00:00:01, pri=30406, stat=Do not expect me to track your messages for you
>
> Nuts. Since I really did want to subscribe to the list, I put an
> exemption in for that machine. :-(
>
> A day later, I sent a query off to postmaster at listserv.nodak.edu, asking
> if there actually was a reason they sent out messages without Message-Id
> headers. No response to date; I'm not holding my breath. (OK; I confess
> that I strongly suspect that the term "LISTSERV" explains a great deal
> of the misconfiguration that I perceive.)

Hmm. One of my clients has had fairly happy success with dropping mails with malformed Message ID fields in the spambait trap. Of course his whitelist goes first. But no message IDs at all?

> Oh -- I'll gladly receive suggestions for improving the message. :-}
>
> And if folks think such a check ought to be implemented for baylisa.org,
> I'm willing to discuss it, and possibly even do it. :-}

In the handful of R2CH threads I've been in - more in recent months it seems - it all comes down to policy. If the list owners do *not* have a preference where the traffic is to stay - public or private - then leaving reply-to alone seems fair enough.

The most common cries on the pro-header side (either end) are that people are too dumb to do the right thing when it's needed. We're the email version of a room full of sysadmins. I think we're bright enough to check headers if we explicitly want something taken private.
But I note that if mail starts on a list, and becomes private, you'd be wise to *mention* it, if you want it to stay there rather than just be a quiet stray comment amid the hubbub. For my own inbox, asides to seek out my consulting services, are, of course, always welcome.

Filtering methods used here include:

whitelisting known pals and mailing lists
	Also sorts them out into logical groups so I can focus better
checks on wild charsets -- the ones I don't read, mainly
	I may have to relax this soon for japanese; not because I'm learning it, but because I may have contacts at a conference who use that charset, and may not be able to whitelist them all at once.
messages which consist of an attachment and nothing else
	usually spam trying to avoid internal-text based checking, but sometimes someone may send an attachment "loose" after a couple of messages that are supposed to be heads-up for it.
lame header effects
	check message ID, a few types of glitches that seem to indicate injected mail.
egregious words check
	not too bright, but that's what scoring is for
a few "victimized" recipient accounts for me go after the spam checks rather than before.
items flagging no special known qualities go in a greylisted mailbox. spam that gets there I refile rather than delete so I can improve the scanning tricks.

The charsets and attachments nailed a lot more of the total than I would have expected.

None of these require DNS hits. That's what the MTA is for.

Heather Stern - star at starshine.org -*- Starshine Technical Services
Sysadmin Support & Training -*- consulting at starshine.org

From claw at kanga.nu Thu Feb 20 19:21:46 2003
From: claw at kanga.nu (J C Lawrence)
Date: Thu, 20 Feb 2003 19:21:46 -0800
Subject: Mail Filtering Best Practices
In-Reply-To: Message from star@starshine.org (Heather Stern) of "Thu, 20 Feb 2003 18:54:41 PST."
	<20030221025441.GC482@starshine.org>
References: <20030220224252.GK5469@pianosa.catch22.org> <200302202317.h1KNHjuF084737@bunrab.catwhisker.org> <20030221025441.GC482@starshine.org>
Message-ID: <8364.1045797706@kanga.nu>

On Thu, 20 Feb 2003 18:54:41 -0800 Heather Stern wrote:

> a few "victimized" recipient accounts for me go after the spam
> checks rather than before.

Aye, I've salted various webpages, both obviously and not so obviously with email addresses that feed directly into razor report as well as a private folder for SPAM trapping. They don't get a whole lot of traffic (30 - 40 messages a month), and they're right at the end of my SPAM checks, but it was a cheap enough thing to do...

-- 
J C Lawrence                ---------(*)     Satan, oscillate my metallic sonatas.
claw at kanga.nu                                  He lived as a devil, eh?
http://www.kanga.nu/~claw/                   Evil is a name of a foeman, as I live.

From jimd at mars.starshine.org Sat Feb 22 17:56:18 2003
From: jimd at mars.starshine.org (jimd at mars.starshine.org)
Date: Sat, 22 Feb 2003 17:56:18 -0800
Subject: CFS v TCFS v SFS v ?
In-Reply-To: <200302171637.h1HGbL9W073061@bunrab.catwhisker.org>
References: <3E510512.353EF242@pacbell.net> <200302171637.h1HGbL9W073061@bunrab.catwhisker.org>
Message-ID: <20030223015618.GC1446@mars.starshine.org>

On Mon, Feb 17, 2003 at 08:37:21AM -0800, David Wolfskill wrote:
>>Date: Mon, 17 Feb 2003 07:51:46 -0800
>>From: richard childers / kg6hac

>>I'm evaluating filesystems which provide encryption under
>>FreeBSD.

>>The following acronyms means the following things:
>>CFS: Cryptographic File System
>>TCFS: Translucent CFS
>>SFS: Secure File System
>>...
>
>Have I missed any other encrypting filesystems?

> GBDE -- available only in FreeBSD-5.x (which recently acquired
> "-RELEASE" status for the first time, but you don't want to use 5.0 for
> GBDE, as I recall).

> The acronym stands for "GEOM-based disk encryption".
> It is not, strictly speaking, an "encrypting filesystem," as this is
> below the level of "filesystem": you can put any sort of file system on
> it that you could on a "raw" disk. Thus, the idea is that you can set
> up a (piece of a) disk encrypted via GBDE, then create a filesystem
> of your choice on it; absent the key(s) to unlock the disk in question,
> even the type of filesystem that is on it should be non-trivial to
> determine.

This sounds very similar to the ppdd (privacy protected disk device) patches that have been available for Linux for a few years. I've never used it, but I've never heard complaints from its users either.

As with gbde, ppdd is a block layer device under Linux --- similar to the md (multi-device) drivers, it acts as a shim between the logical device layer (used by the VFS subsystem) and the physical device. Thus you can make any sort of filesystem on your ppdd devices; in fact you can even mkswap on it, so that your virtual memory pages are encrypted as they go to the disk.

Another Linux specific option is the encrypted loop package; which has been part of the "international crypto patches" to the kernel for a number of years. In that case you'd use a command like the mount and losetup commands to mount and "unlock" the filesystem.

I haven't used this one either. Even if I had, I'm not qualified to comment on the quality of the encryption and key management in either of them.

-- 
Jim Dennis

From jeff at drinktomi.com Tue Feb 25 15:08:21 2003
From: jeff at drinktomi.com (Jeff with The Big Yellow Suit)
Date: Tue, 25 Feb 2003 15:08:21 -0800 (PST)
Subject: Managed Security Monitoring Services vs In House Monitoring
Message-ID: <48722.208.200.221.3.1046214501.squirrel@mail.gigo.com>

I'm working in an environment in which security is ..um..deficient, and I'm going to be tasked with putting together a plan to tighten things down, and I'm considering between outsourcing the job of intrusion detection versus doing it in house.
The primary limitation in doing this is likely to be brain cycles. Quite simply the staff is stretched far too thinly, they are not historically very good at the daily care and feeding of complex beasties. I envision any sort of inhouse system going in with a bang and then languishing for lack of updates and passion. I've seen it happen too many times.

For those reasons I'm leaning heavily towards outsourcing. The obvious candidate is Counterpane, but I'd like to get people's feelings about this, and I'd also like to scare up a list of services doing similar things. Any help and or horror stories would be appreciated.

-jeff

From dan_bethe at yahoo.com Tue Feb 25 15:31:26 2003
From: dan_bethe at yahoo.com (Dan Bethe)
Date: Tue, 25 Feb 2003 15:31:26 -0800 (PST)
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: <48722.208.200.221.3.1046214501.squirrel@mail.gigo.com>
Message-ID: <20030225233126.51414.qmail@web11001.mail.yahoo.com>

Hey all. I'd like to recommend an inquiry to Protectix.com, which is a security consulting and appliance company based mostly on open source software and falling back to whichever tools are best for the given job. They produce their own open-source-based firewall and VPN appliances. They do IPsec VPNs on openbsd which are able to peer with a lot of proprietary and weird VPN setups if needed. So they know the range of what's out there in the wild. They can do ongoing monitoring, remote management, on-call 24x7, etc. And they're the nicest guys ever. Call Kevin at 408-557-6995.

--- Jeff with The Big Yellow Suit wrote:
> I'm working in an environment in which security is ..um..deficient,
> and I'm going to be tasked with putting together a plan to
> tighten things down, and I'm considering between outsourcing
> the job of intrusion detection versus doing it in house.
>
> The primary limitation in doing this is likely to be brain
> cycles.
> Quite simply the staff is stretched far too thinly,
> they are not historically very good at the daily care
> and feeding of complex beasties. I envision any sort of
> inhouse system going in with a bang and then languishing
> for lack of updates and passion. I've seen it happen too
> many times.
>
> For those reasons I'm leaning heavily towards outsourcing.
> The obvious candidate is Counterpane, but I'd like to get
> people's feelings about this, and I'd also like to scare up
> a list of services doing similar things. Any help and or
> horror stories would be appreciated.
>
> -jeff
>
>

__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/

From slf at dreamscape.org Tue Feb 25 15:58:36 2003
From: slf at dreamscape.org (Steven L. Fountain)
Date: Tue, 25 Feb 2003 15:58:36 -0800 (PST)
Subject: broadcast apologies... --recruiters: keep it coming!--
Message-ID: 

Apologies for broadcasting my resume to the whole list. At least there's blood in the water and the recruiters are sharking. Amen! Keep it coming.. Everyone can benefit from such activity.

-slf

slf at dreamscape.org [enraptured] . http://dreamscape.org | 925.895.1500
: "The future is veiled from our eyes. The threads of each man's fate
: extend well beyond the boundaries of the visible world. Where they
: lead, we cannot see. Who can say that today's key will not be
: tomorrow's lock, or today's lock not tomorrow's key?" Nizami 12th C.
From alvin at maggie.linux-consulting.com Tue Feb 25 16:25:40 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Tue, 25 Feb 2003 16:25:40 -0800 (PST)
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: <48722.208.200.221.3.1046214501.squirrel@mail.gigo.com>
Message-ID: 

hi ya jeff

On Tue, 25 Feb 2003, Jeff with The Big Yellow Suit wrote:

> I'm working in an environment in which security is ..um..deficient,
> and I'm going to be tasked with putting together a plan to
> tighten things down, and I'm considering between outsourcing
> the job of intrusion detection versus doing it in house.

by my definition, an outsourced "security and ids" is already a breach of security ... period ..
- unless that outfit carries e/o insurance for say enough to cover damages and losses from a breach from hackers and other un-permitted activities
( insurance like what counterpane carries in the $xxxM
( when they do some security work

> The primary limitation in doing this is likely to be brain
> cycles. Quite simply the staff is stretched far too thinly,

you really do not want "brain cycles" to do monitoring ( very bad idea )

but you really do want brain cycles to define the security policy and how people and machines get to do certain tasks

-- everything should be automated ... not brain cycles ..
- brain cycles goes on vacation
- brain cycles gets sick
- brain cycles go home after 8 hrs
- brain cycles gets distracted for other things
- brain cycles are only as good as they wanna be
...

- a good hacker/cracker just needs a few seconds/minutes to do what they need ... ( but depends on what it is that we're trying to prevent too vs recover from said activities )

> they are not historically very good at the daily care
> and feeding of complex beasties. I envision any sort of
> inhouse system going in with a bang and then languishing
> for lack of updates and passion. I've seen it happen too
> many times.
fairly easy to install host ids and network ids
- lots of tools out there

http://www.Linux-Sec.net/IDS
( similarly for auditing tools and monitoring tools )

-- i prefer my custom tools that md5 all the stuff i care about

> For those reasons I'm leaning heavily towards outsourcing.
> The obvious candidate is Counterpane, but I'd like to get

counterpane carries e/o for encryption technology etc and not sure if they also have the same for ids type of security

> people's feelings about this, and I'd also like to scare up
> a list of services doing similar things. Any help and or
> horror stories would be appreciated.

c ya
alvin

From chuck+baylisa at snew.com Tue Feb 25 17:53:20 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Tue, 25 Feb 2003 20:53:20 -0500
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: 
References: <48722.208.200.221.3.1046214501.squirrel@mail.gigo.com>
Message-ID: <20030226015320.GA29710@snew.com>

But brain cycles are required to note unusualness and to keep things up to date.

Outsourcing common for security things: No companies I ever worked at hired the security guards at the doors and walking around at night. I don't sit and watch my house alarm all the time; I hire someone else to do that.

I CAN have pre-set, known secure incoming connections from Internet these days (not so true in 1991 when I first started connecting companies to the Internet). Machines can be placed on your premises and accessed remotely, securely. Heck, Intrusion Detection Systems don't even need to SEND onto the monitored network (I've clipped AUI connectors before).

If outsourcing means it will get done and maintained and even thought about, that's ALWAYS better than an inhouse project that languishes, whose logs and alerts get ignored and which dies off. Much better security.
And if I can hire folks who think, dream and pee IDS and security 24/7, then I'll do better than when a motivated person decides one day, to just shut off outbound port 53 cause he thinks it might possibly be bad. (that's happened).

Quoting alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com):
> On Tue, 25 Feb 2003, Jeff with The Big Yellow Suit wrote:
> > I'm working in an environment in which security is ..um..deficient,
> > and I'm going to be tasked with putting together a plan to
> > tighten things down, and I'm considering between outsourcing
> > the job of intrusion detection versus doing it in house.
>
> by my definition, an outsourced "security and ids" is already
> a breach of security ... period ..
> - unless that outfit carries e/o insurance for say
> enough to cover damages and losses from a breach
> from hackers and other un-permitted activities
> ( insurance like what counterpane carries in the $xxxM
> ( when they do some security work
>
> > The primary limitation in doing this is likely to be brain
> > cycles. Quite simply the staff is stretched far too thinly,
>
> you really do not want "brain cycles" to do monitoring ( very bad idea )
>
> but you really do want brain cycles to define the security policy
> and how people and machines get to do certain tasks
>
> -- everything should be automated ... not brain cycles ..
> - brain cycles goes on vacation
> - brain cycles gets sick
> - brain cycles go home after 8 hrs
> - brain cycles gets distracted for other things
> - brain cycles are only as good as they wanna be
> ...
>
> - a good hacker/cracker just needs a few seconds/minutes
> to do what they need ... ( but depends on what it is that
> we're trying to prevent too vs recover from said activities )
>
> > they are not historically very good at the daily care
> > and feeding of complex beasties. I envision any sort of
> > inhouse system going in with a bang and then languishing
> > for lack of updates and passion.
> > I've seen it happen too
> > many times.
>
> fairly easy to install host ids and network ids
> - lots of tools out there
>
> http://www.Linux-Sec.net/IDS
> ( similarly for auditing tools and monitoring tools )
>
> -- i prefer my custom tools that md5 all the stuff
> i care about
>
> > For those reasons I'm leaning heavily towards outsourcing.
> > The obvious candidate is Counterpane, but I'd like to get
>
> counterpane carries e/o for encryption technology etc
> and not sure if they also have the same for ids type of security
>
> > people's feelings about this, and I'd also like to scare up
> > a list of services doing similar things. Any help and or
> > horror stories would be appreciated.

From alvin at maggie.linux-consulting.com Tue Feb 25 18:32:09 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Tue, 25 Feb 2003 18:32:09 -0800 (PST)
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: <27262.208.200.221.3.1046223931.squirrel@mail.gigo.com>
Message-ID: 

hi ya jeff

fun stuff !! ... thanx for your post ...

again, if we're using my dumb rules ... i run on the following assumptions/requirements

- i assume that the cracker will do a 'rm -rf /' of the hacked system and probably attack other servers too either inside or others on the internet
- i assume that the cracker can get in and hide themself temporarily within a couple of minutes of a successful exploit or stolen/simple passwd
- i assume that 80% - 90% of the attacks/false positives will be internally generated "errors"
- i assume all errors are real .. and try to eliminate any and all "false positives" -- no time to chase "false positives"
- for the next 5-10% will be successful script kiddie "testing/auditing your servers" ... once they are in .. what damage can they do ??
- have had a few script kiddie get in but there was nothing they could do in terms of additional damages
- i will plead "why me" to dedicated crackers/hackers that want in no matter what i do
- issue is do you report that foo at ip w.x.y.z tried or did attack your server... ( specifically port scanners ) that too takes too much energy/effort and most law enforcement wont do anything either .. unless it was a govt servers

---
with those simple/silly assumptions ...

a. Make a "security policy" for your hosts
   Make a "security policy" for your network and network topology

b. i minimize damage by having backups ( live or hidden )
   - and minimize damage by having different networks

c. minimize damage by assuming that all incoming connections are from insecure (home) networks ( [cr/h]acker follow them into their work pcs )
   - direct certain people only to certain networks and keep other servers away from that network
   - major network topology issue and what data is sensitive

d. i minimize what other machines they can attack
   - each machine has different root passwd
   - no passwdless login ( must be typed )
   - if they used an exploit to get access, than we have a more serious "patch is too old process" to be fixed/changed
   -- this is where "brains" is needed ... what sequence and when to "thoroughly check patches"

e. if the machine goes down... it will stay down till someone looks at it

f. how often do you want to run your ids checks ??
   - is it cron based ??
   - is it constantly running ??
   - if it's post processing the log files .. it's too late in my book .. you've already been [cr/h]acked ...
   - if you changed your monitoring rules to ignore certain activity to prevent the "false positives", than the [h/cr]acker too can come in thru that ignored set of monitoring rules

i get tons of attacks on some of the servers i babysit
( but not a single false positive... they're in by the time
( i know about it ...
and i can usually watch them try this and try that
( and i do not have the time to chase false positives ...

---
for servers...
i want to do a md5 across /home/httpd/* for webservers
-- anytime anybody updates the website, it is to be followed by a "md5 update"
-- similarly for mail servers, fw, loghosts, etc

---
for binaries...
- its md5'd and saved off
( tripwire and similar is too too big and too cumbersome
- only useful if you think your binaries been trojaned
( again too late if its been changed ...

---
for patches..
- have a duplicate set of servers, apply the patches and test that everything still works
== not a trivial task --
== miss something and you wont hear the end of it ==
-- ie... all that stuff is not "monitoring" yet.... ==
== lots of stuff to do .. before "monitoring" is an issue ==

just my rules...

c ya
alvin

On Tue, 25 Feb 2003, Jeff with The Big Yellow Suit wrote:

> Alvin wrote:
> > On Tue, 25 Feb 2003, Jeff with The Big Yellow Suit wrote:
> >
> > by my definition, an outsourced "security and ids" is already
> > a breach of security ... period ..
>
> Not "security and IDS", just IDS.
>
> I'm not considering outsourcing management or response handling.
> I'm not considering letting outsiders poke around on the internal
> network. I don't want to give away the keys.
>
> I do however want the logs monitored intelligently. I do
> want this done 24 hours a day. I do want intelligent people
> putting effort into identifying false positives.
>
> > - unless that outfit carries e/o insurance for say
> > enough to cover damages and losses from a breach
> > from hackers and other un-permitted activities
>
> I do not expect, and do not anticipate, that the IDS service
> will be able to _prevent_ intrusions. The insurance issue
> isn't at question. I expect them to be _better_ at detecting
> intrusions than any system which the in house staff can
> maintain and correctly interpret.
>
> Nobody is ever going to be able to prevent all intrusions.
> The key is to detect and respond quickly.
>
> >> The primary limitation in doing this is likely to be brain
> >> cycles. Quite simply the staff is stretched far too thinly,
> >
> > you really do not want "brain cycles" to do monitoring ( very bad idea )
> >
> > -- everything should be automated ... not brain cycles ..
>
> Correct, but at this point no IDS system that I've ever
> heard of can do enough recognition to eliminate the need
> for a skilled and knowledgeable security person to analyze
> the copious false positives in a prompt manner.
>
> Any more than four or five false positives in a day at
> this company and the staff is going to turn off the alarms
> and the IDS will fade into obscurity.
>
> > but you really do want brain cycles to define the security policy and
> > how people and machines get to do certain tasks
>
> Exactly. And no matter what it takes a shitload of brains and
> skill to manage and correctly interpret the results from an
> IDS system in a timely manner. This is real expertise that
> just isn't available from the folks in house, or if it is
> available then it is going to take time from other things
> (such as keeping up with patches and automating painful tasks.)
>
> > - a good hacker/cracker just needs a few seconds/minutes
> > to do what they need ... ( but depends on what it is that
> > we're trying to prevent too vs recover from said activities )
>
> Which is exactly why you need more than one person to
> distinguish between false positives and real events, and
> why you need them to be doing this pretty much constantly
> 24x7. That is already more than three headcount, and
> expensive headcount at that. Which this company doesn't
> have, and which it is probably not going to get.
> > fairly easy to install host ids and network ids
> > - lots of tools out there
> >
> > http://www.Linux-Sec.net/IDS
> > ( similarly for auditing tools and monitoring tools )
>
> I am doing an analysis of what it takes to set up and _maintain_
> an internal IDS. I've got an understanding and a set of
> directions to head. That's not the part that I really need
> help with.
>
> An IDS infrastructure is much easier to install than it is
> to feed, bathe, and groom. Lots of signatures to keep up
> with. Lots of false positives to go through. Lots of
> rapid response. Doable, but it still requires lots of
> brain cycles that are possibly better applied elsewhere.
>
> > counterpane carries e/o for encryption technology etc
> > and not sure if they also have the same for ids type of security
>
> These days Counterpane is primarily an IDS outsourcing
> company. They give you a box. You drop the box in your
> site. You point logs and such to the box. The box does
> data reduction and preliminary analysis. From there
> it pipes positives to their NOC. They sort through it.
> They call you if they find something. They handle updating
> signatures on the box multiple times per week.
>
> -jeff
>
>

From pmm at igtc.com Tue Feb 25 18:39:34 2003
From: pmm at igtc.com (Paul M. Moriarty)
Date: Tue, 25 Feb 2003 18:39:34 -0800
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: 
References: <27262.208.200.221.3.1046223931.squirrel@mail.gigo.com>
Message-ID: <20030226023934.GC1012@igtc.igtc.com>

alvin at maggie.linux-consulting.com writes:
> ...
>
> again, if we're using my dumb rules ... i run on the
> following assumptions/requirements

Hmmm... or assuming they're script kiddies, they'll get in and say "oh shit, now what do i do?"
;)

From alvin at maggie.linux-consulting.com Tue Feb 25 19:07:28 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Tue, 25 Feb 2003 19:07:28 -0800 (PST)
Subject: Managed Security - script kiddies
In-Reply-To: <20030226023934.GC1012@igtc.igtc.com>
Message-ID: 

On Tue, 25 Feb 2003, Paul M. Moriarty wrote:

> alvin at maggie.linux-consulting.com writes:
>
> > ...
> >
> > again, if we're using my dumb rules ... i run on the
> > following assumptions/requirements
>
> Hmmm... or assuming they're script kiddies, they'll get in and say "oh shit,
> now what do i do?" ;)

almost...

i assume 80- 90% are internal attacks including myself
- that renders a server useless for a short time say due to a bad patch or bad kernel etc
-- i worry about the "internal attacks" !!
-- i dont mind they try once or twice or few hundred times
( note that they get reported if they try a few hundred times )
-- i do mind if they got in !!
-- ie ... i get no "false positives"

than 10% due to script kiddies that does a lot of free testing and free audits of your (external?) servers and security precautions
- i dont mind that they get in and say "now what script, what else can u (the script) do"
-- those are harmless usually.. and i treat it like a wake up call to do more "very expensive" patch testing

last 1% or so of dedicated/purposeful attacks are beyond my brains or lacking brains thereof and would need to hire a "real pro"
- Mitnick-Shimomura example comes to mind
( ie no matter what you do, the other will keep trying
( and dont forget the obvious

which in turn leaves me to the even dumber rule, put your car/house key in a safe place !!
( that includes computer room keys too )
- especially if you have visitors that come and go like a PC store
( and yes,,, on wed or thur last week... some teenage kid walked
( off w/ my house and car keys ...
and yes i have backup keys
( but did have to change the lock on the office and postpone a
( meeting
- security camera monitoring didnt help ... recording turned out to be broken
-- do NOT depend on 3rd party monitoring unless they are financially liable for their "monitoring ooops" ( my silly rule )

c ya
alvin

From star at starshine.org Wed Feb 26 10:15:56 2003
From: star at starshine.org (Heather Stern)
Date: Wed, 26 Feb 2003 10:15:56 -0800
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: <48722.208.200.221.3.1046214501.squirrel@mail.gigo.com>
References: <48722.208.200.221.3.1046214501.squirrel@mail.gigo.com>
Message-ID: <20030226181556.GB20310@starshine.org>

On Tue, Feb 25, 2003 at 03:08:21PM -0800, Jeff with The Big Yellow Suit wrote:
> I'm working in an environment in which security is ..um..deficient,
> and I'm going to be tasked with putting together a plan to
> tighten things down, and I'm considering between outsourcing
> the job of intrusion detection versus doing it in house.

Forget not, also planning your systems so that they can suffer the least amount of damage, and so they have the least amount of volatility (except for the data you are really feeding them, which of course you have an active backup plan for, including checking the backups to make sure they are recoverable).

Some sites have gone to having their webservers run off of read-only media; either jumpered at the SCSI drive, or running off of CD, with minimal volatile space, and a data drive that's separate. Combine with logging kept elsewhere (maybe by sending it up a null modem to a server which isn't really "on the net" at all) and you've got a lot less places to go looking for holes. You also have a well defined sense of what the given box is supposed to *do* for a living, and that makes a less brainy person able to figure out when it's "up to something wicked".

> The primary limitation in doing this is likely to be brain
> cycles.
> Quite simply the staff is stretched far too thinly,
> they are not historically very good at the daily care
> and feeding of complex beasties. I envision any sort of
> inhouse system going in with a bang and then languishing
> for lack of updates and passion. I've seen it happen too
> many times.
>
> For those reasons I'm leaning heavily towards outsourcing.
> The obvious candidate is Counterpane, but I'd like to get
> people's feelings about this, and I'd also like to scare up
> a list of services doing similar things. Any help and or
> horror stories would be appreciated.
>
> -jeff

I believe Addamark, who spoke for BayLISA in the last year or so, manages
huge volumes of logs in a way that's supposed to make looking for the
interesting stuff far less painful.

I believe you'll also want physical security measures, and plans about
what to do when one of your own "goes rogue", and plans for what to expect
to fail if any given chunk of hardware goes south.

Best in your quest :)

  . | .   Heather Stern                  |  star at starshine.org
--->*<--- Starshine Technical Services  -  * -  consulting at starshine.org
  ' | `   Sysadmin Support and Training  |  (800) 938-4078

From rjwitte at rjwitte.com Wed Feb 26 12:38:51 2003
From: rjwitte at rjwitte.com (Russ Witte)
Date: Wed, 26 Feb 2003 15:38:51 -0500 (EST)
Subject: Managed Security Monitoring Services vs In House Monitoring
In-Reply-To: <20030226181556.GB20310@starshine.org>
Message-ID:

>
> I believe Addamark, who spoke for BayLISA in the last year or so,
> manages huge volumes of logs in a way that's supposed to make looking
> for the interesting stuff far less painful.
>

Addamark was recently in the news because they discovered a competitor's
break-in through their own tools (searching the logs). The article was
mostly publicity fluff, but it does point out the significance of
reviewing the obvious places.
Russ

From jxh at jxh.com Thu Feb 27 17:11:53 2003
From: jxh at jxh.com (Jim Hickstein)
Date: Thu, 27 Feb 2003 17:11:53 -0800
Subject: Shipping cartons for Sony Multiscan 400PS
Message-ID: <57670000.1046394713@jxh.mirapoint.com>

I unwisely discarded the cartons and foam inserts for a pair of Sony 400PS
monitors, and now I want to use them. (My usually-strong packrat instinct
was overridden when we ran out of storage space at the office.)

Does anyone on this list happen to have a couple of these, carefully
preserved against such a need? Do I need to (gasp) look on eBay? (Silly,
isn't it? But I'll bet I can find 'em.) Or even buy new ones from Sony?

I will happily come and pick them up.

Thanks!

From alvin at maggie.linux-consulting.com Thu Feb 27 17:51:43 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Thu, 27 Feb 2003 17:51:43 -0800 (PST)
Subject: Shipping cartons for Sony Multiscan 400PS
In-Reply-To: <57670000.1046394713@jxh.mirapoint.com>
Message-ID:

hi ya

if you do all the work.. probably will have to cut and shape it to your
stuff

i have some (not many) spare foam from monitors... and foam/bubble wrap in
general for shipping stuff around this little blue rock

have cardboard coming out of my !@#$%^ that i wanna get out of here

c ya
alvin

- psst... i pay several hundred $$$ for foam ... :-)
  so those are excluded since its for 1U anyway
- psst... i pay more several hundred for cardboard too...
- and a ton more $$$ for silly things like screws... that adds up real
  fast :-)

On Thu, 27 Feb 2003, Jim Hickstein wrote:

> I unwisely discarded the cartons and foam inserts for a pair of Sony 400PS
> monitors, and now I want to use them. (My usually-strong packrat instinct
> was overridden when we ran out of storage space at the office.)
>
> Does anyone on this list happen to have a couple of these, carefully
> preserved against such a need? Do I need to (gasp) look on eBay? (Silly,
> isn't it? But I'll bet I can find 'em.)
> Or even buy new ones from Sony?
>
> I will happily come and pick them up.
>
> Thanks!
>

From herb at urusei.net Thu Feb 27 17:53:35 2003
From: herb at urusei.net (Herb Leong)
Date: Thu, 27 Feb 2003 17:53:35 -0800
Subject: Shipping cartons for Sony Multiscan 400PS
In-Reply-To: <57670000.1046394713@jxh.mirapoint.com>
References: <57670000.1046394713@jxh.mirapoint.com>
Message-ID: <3E5EC11F.1010106@urusei.net>

Jim Hickstein wrote:
> I unwisely discarded the cartons and foam inserts for a pair of Sony
> 400PS monitors, and now I want to use them. (My usually-strong packrat
> instinct was overridden when we ran out of storage space at the office.)
>
> Does anyone on this list happen to have a couple of these, carefully
> preserved against such a need? Do I need to (gasp) look on eBay?
> (Silly, isn't it? But I'll bet I can find 'em.) Or even buy new ones
> from Sony?

Bubble wrap the monitors (use at least two layers of the thick stuff) and
put them in boxes from U-Haul, MBE, or the like. Use that heavy duty
stranded packing tape.

/herb

From alvin at maggie.linux-consulting.com Thu Feb 27 18:32:39 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Thu, 27 Feb 2003 18:32:39 -0800 (PST)
Subject: Shipping cartons for Sony Multiscan 400PS
In-Reply-To: <3E5EC11F.1010106@urusei.net>
Message-ID:

hi ya

if you're moving it yourself... its not so bad

if you're having tom-dick-n-harry starving-students moving company
move it... than i'd move all electronics in my own car/u-haul trailer
and if not...
one can always use a 2x4 and make a crate and/or
buy those steel shelf from homedepot and assemble some steel shelf too
and tie the monitor down to the shelf suspended on air/strings/ropes

bubble wrap might not help ...as the corners of the 50lb monitor will
pierce the bubble of air -- need "solid foam" or at least hard enough foam
- or few layers of cardboard between the bubble wrap and the monitor

c ya
alvin

On Thu, 27 Feb 2003, Herb Leong wrote:

>
> Bubble wrap the monitors (use at least two layers of the thick stuff)
> and put them in boxes from U-Haul, MBE, or the like. Use that heavy duty
> stranded packing tape.
>
> /herb
>

From alvin at maggie.linux-consulting.com Thu Feb 27 18:53:31 2003
From: alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com)
Date: Thu, 27 Feb 2003 18:53:31 -0800 (PST)
Subject: more spring cleaning??
Message-ID:

hi ya

donno if any of you want/need/been looking for some new and/or some old
parts ... or 1.0Ghz p3/athlon class motherboards ..

i got a pile o stuff from non-paying customers or test mb that didnt work
out for what we needed
-- basically new ... plug it in ...see if worked or not and shelf'd it
   until next time ...
-- if you bought our 1U stuff before... you can get a good discount
-- otherwise ... need to get rid of um ...

-- Extra parts floating around ...
   http://www.Linux-1U.net/ExtraStuff/stuff.txt
   ( prices shown are just what is supposed retail many moons ago
   ( or still semi close to it

-- note .. this is NOT a $0.10 on the dollar kinda sale
   more like at least "equivalent value" in helping out
   - hardware circuit guys ( power supply, fcc/ul types
   - pci card designs ( nic, rs232, parallel port
   - bootable cdrom types - i have enuff coasters :-)
   - firewall types
   - penetration test/exploit code
   - lcd drivers w/ membrane switches
   - fan detection circuit types
   - probably can build a working server out of it with some elbow grease
     - aka not afraid of finding parts and installing *bsd or *nix or ...
   ( just stuff that needs to be done ... for next generation stuff
   ( i think its fun stuff

-- maybe a weekend "circuit-design-a-thon" ??
   - or "hack a server a thon" ?? winner gets a system or ???
   ( pre-negotiated )

but more of a "i need xxx really bad" because foo company doesn't have $$$
to buy spare equipment or test systems and need a loaner .. or some saaab
story... that we both can benefit

-- you have to come by to pick up stuff ... and hopefully deliver on
   promises we made to each other ;-)
-- too expensive for shipping
-- am avoiding going to flea market ( mar 8 ) and other places like
   weirdstuff, halted..
   - would rather some wanting soul or non-profit get the savings
-- or "simply best offer" ...
   - no silly.. no POs.. no credit cards .. ;-)
-- just havent figured out the best venue/process to get rid of the stuff

c ya
alvin

From chuck+baylisa at snew.com Fri Feb 28 09:23:36 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Fri, 28 Feb 2003 09:23:36 -0800
Subject: Shipping cartons for Sony Multiscan 400PS
In-Reply-To:
References: <3E5EC11F.1010106@urusei.net>
Message-ID: <20030228172336.GD5328@snew.com>

Quoting alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com):
...
> if you're having tom-dick-n-harry starving-students moving company
> move it... than i'd move all electronics in my own car/u-haul trailer
> and if not... one can always use a 2x4 and make a crate and/or
> buy those steel shelf from homedepot and assemble some steel shelf too
> and tie the monitor down to the shelf suspended on air/strings/ropes
>
> bubble wrap might not help ...as the corners of the 50lb monitor will
> pierce the bubble of air -- need "solid foam" or at least hard enough
> foam
> - or few layers of cardboard between the bubble wrap and the monitor

Steel or wood are silly (and GREATLY inflate moving costs). Pro Office
movers will usually have wood wheeled crates that take several monitors.
If you're moving an office.
And they take the liability which is handy.

I did a week or so of work at UPS a while back. In passing, I grumbled
about a fairly well destroyed box that I got. ("No, I'm not signing for it
until I open it to see what this big HOLE in the box did to the
contents"). The guy there, a manager but a 20 year veteran, taught me
about packing:

Double pack. A little layer of packing (foam, bubble wrap, whatever) then
a box TIGHTLY around it. Then put THAT box inside a larger box that's
padded well (foam, bubble wrap etc).

The inner box ends up keeping the object a nice orderly (non-sharp) square
that's not going to puncture bubble wrap, or squish aside peanuts (or
"minions" to my friend). The outer box might get violated, but the inner
box is unlikely to be.

When I moved, the monitors got wrapped in blanket, bubble wrap, into a
box. Then THAT box was padded (with coats and clothes for me, but more
wrap for you) and into a large 2.5x2.5x2.5' box. Shaking it resulted in
little movement.

Don't go sparse on peanuts. Better is large sheets of foam for heavy
objects. They absorb impact.

UPS can still drop things and denies their insurance covers "shock damage"
(like my pal's ebayed guitar amp that we believe took an 8-12 foot drop -
box intact, magnet attached to back of case. DOA), but this mitigates
some of the pointy-object damage.

From bill at wards.net Fri Feb 28 10:30:32 2003
From: bill at wards.net (William R Ward)
Date: Fri, 28 Feb 2003 10:30:32 -0800
Subject: Shipping cartons for Sony Multiscan 400PS
In-Reply-To: <20030228172336.GD5328@snew.com>
References: <3E5EC11F.1010106@urusei.net> <20030228172336.GD5328@snew.com>
Message-ID: <15967.43720.728386.426459@komodo.home.wards.net>

For what it's worth, whenever I've moved, I have put computer monitors on
a car seat, screen facing the seat back, held in place with a seat belt.
Haven't lost one yet. This approach does not scale well, however.

--Bill.
--
William R Ward            bill at wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
"A foolish consistency is the hobgoblin of little minds, adored by little
 statesmen and philosophers and divines."  - Emerson

From jxh at jxh.com Fri Feb 28 10:55:36 2003
From: jxh at jxh.com (Jim Hickstein)
Date: Fri, 28 Feb 2003 10:55:36 -0800
Subject: Shipping cartons for Sony Multiscan 400PS
In-Reply-To:
References:
Message-ID: <9770000.1046458536@jxh.mirapoint.com>

> if you do all the work.. probably will have to cut and shape
> it to your stuff

I'm holding out for the real thing. There must be a dozen within a couple
miles of here. The car will be on a trailer, so I'm reluctant to give it
any load. These can go in blankets in the truck, but I'd really rather
have their original boxes. Eh.

From extasia at extasia.org Fri Feb 28 13:48:49 2003
From: extasia at extasia.org (David Alban)
Date: Fri, 28 Feb 2003 13:48:49 -0800
Subject: Valicert Secure Transport
Message-ID: <20030228134849.A1695@gerasimov.net>

Forwarded on behalf of Sweth. Please include Sweth in your replies. Thanks!

----- Forwarded message from Sweth Chandramouli -----

Date: Fri, 28 Feb 2003 15:53:05 -0500
From: Sweth Chandramouli
To: DC-SAGE
Subject: [dc-sage] Valicert Secure Transport
Reply-To: Sweth Chandramouli

Anyone got any experience with the above, or know of anyone who does?
I've got to make a decision on whether to drop $50k on it by Monday, and
while the sales droids make it sound like exactly what I need, I'd like
an objective opinion. (Well, what I'd really like is a week to play with
the demo version of it, but apparently I'm not going to have that
luxury...)

-- Sweth.
--
Sweth Chandramouli
Idiopathic Systems Consulting
svc at idiopathic.net
http://www.idiopathic.net/

--
Live in a world of your own, but always welcome visitors.
*** Come to sig-beer-west! http://www.extasia.org/sig-beer-west/
Unix sysadmin available: http://www.extasia.org/resume/

From chuck+baylisa at snew.com Fri Feb 28 14:12:30 2003
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Fri, 28 Feb 2003 17:12:30 -0500
Subject: Valicert Secure Transport
In-Reply-To: <20030228134849.A1695@gerasimov.net>
References: <20030228134849.A1695@gerasimov.net>
Message-ID: <20030228221230.GD8725@snew.com>

Dunno who's stopping you from getting a demo: "Gee, it sounds just
perfect. I'd love to get this in and evaluate it. Let's see, how about
March 15-May 1st. I'll be able to run it through all our tests then."

Then you do things like call in with support questions and see how their
support is, etc.

If your mgmt is limiting you, make them understand (and print off emails)
that this $50k rush is THEIRS not yours.

If the vendor is keeping you from a demo then "thanks, but we'll look
elsewhere" is a big way to motivate a change of attitude.

> ----- Forwarded message from Sweth Chandramouli -----
>
> Date: Fri, 28 Feb 2003 15:53:05 -0500
> From: Sweth Chandramouli
> To: DC-SAGE
> Subject: [dc-sage] Valicert Secure Transport
> Reply-To: Sweth Chandramouli
>
> Anyone got any experience with the above, or know of anyone
> who does?
> I've got to make a decision on whether to drop $50k on it by
> Monday, and while the sales droids make it sound like exactly what I
> need, I'd like an objective opinion. (Well, what I'd really like is a
> week to play with the demo version of it, but apparently I'm not going
> to have that luxury...)