From ike at blackskyresearch.net Thu Aug 1 13:44:27 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Thu, 01 Aug 2013 17:44:27 +0000
Subject: [nycbug-talk] DC21, SSL all over the place...
Message-ID: <201308011744.r71HiRZm011722@rs102.luxsci.com>

Hi All,

Just a quick note, some interesting SSL stuff from Defcon, (happening now):

Nifty SSL nastiness (http deflate to find fragments of strings in https):
http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

Not Defcon, but related:
"More Encryption Is Not the Solution", PHK, describes some novel attacks for cloud/carriers to trivially demolish ssl.
http://queue.acm.org/detail.cfm?id=2508864

Pretty interesting reactions to the "encrypt everything" push for the internet in the last few years...

--
Does anyone have any other thoughts, urls, etc... on the "encrypt everything" topic?

What ever happened to the CACert stuff people did years ago, and what's the state of viability of similar projects?

Rocket-
.ike

From chsnyder at gmail.com Fri Aug 2 09:02:24 2013
From: chsnyder at gmail.com (Chris Snyder)
Date: Fri, 2 Aug 2013 09:02:24 -0400
Subject: [nycbug-talk] DC21, SSL all over the place...
In-Reply-To: <201308011744.r71HiRZm011722@rs102.luxsci.com>
References: <201308011744.r71HiRZm011722@rs102.luxsci.com>
Message-ID:

On Thu, Aug 1, 2013 at 1:44 PM, Isaac (.ike) Levy wrote:
>
> Nifty SSL nastiness (http deflate to find fragments of strings in https):
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

I was trying to figure out (from the article, since the presentation wasn't available yet) how this works. It seems to rely on being able to inject an arbitrary string into a page that also includes the secret you're trying to discover. I keep trying to picture a real world scenario where that's possible but I'm having a hard time... probably missing something.
> Not Defcon, but related:
> "More Encryption Is Not the Solution", PHK, describes some novel attacks
> for cloud/carriers to trivially demolish ssl.
> http://queue.acm.org/detail.cfm?id=2508864
>
> Pretty interesting reactions to the "encrypt everything" push for the
> internet in the last few years...
>

Well exactly. SSL protects from spying on the wire, but not from spying in the datacenter. And if you're a state-level actor, you can coerce your local Certificate Authority to issue bogus certs for common services and use proxies to sniff all the traffic.

The overall weakness of the model led to the zero-knowledge service movement and secure peer-to-peer networks, but a determined attacker could still compromise one of the endpoints with malware or sneaky code injection like PHK describes.

The sad fact is, the Internet, and networked computers generally, are not made for secrets. Hence the need to work in the real world to ensure that state-level secrets aren't necessary.

From spork at bway.net Sat Aug 3 20:10:38 2013
From: spork at bway.net (Charles Sprickman)
Date: Sat, 3 Aug 2013 20:10:38 -0400
Subject: [nycbug-talk] DC21, SSL all over the place...
In-Reply-To: <201308011744.r71HiRZm011722@rs102.luxsci.com>
References: <201308011744.r71HiRZm011722@rs102.luxsci.com>
Message-ID: <3151FF7E-2A8C-4AAA-B4A5-19B3FE61C18F@bway.net>

On Aug 1, 2013, at 1:44 PM, Isaac (.ike) Levy wrote:

> Hi All,
>
> Just a quick note, some interesting SSL stuff from Defcon, (happening now):
>
> Nifty SSL nastiness (http deflate to find fragments of strings in https):
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>

Well, that might be scary, but this could really scare the crap out of you:

https://www.trustwave.com/spiderlabs/advisories/TWSL2013-020.txt

Sorry. I had to share that.
I think it marks some kind of sea-change that I couldn't even fathom 20 years ago.

Charles

> Not Defcon, but related:
> "More Encryption Is Not the Solution", PHK, describes some novel attacks for cloud/carriers to trivially demolish ssl.
> http://queue.acm.org/detail.cfm?id=2508864
>
> Pretty interesting reactions to the "encrypt everything" push for the internet in the last few years...
>
> --
> Does anyone have any other thoughts, urls, etc... on the "encrypt everything" topic?
>
> What ever happened to the CACert stuff people did years ago, and what's the state of viability of similar projects?
>
> Rocket-
> .ike
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

From jkeen at verizon.net Mon Aug 5 18:46:13 2013
From: jkeen at verizon.net (James E Keenan)
Date: Mon, 05 Aug 2013 18:46:13 -0400
Subject: [nycbug-talk] Some history of Unix utilities
Message-ID: <52002B35.7070509@verizon.net>

nycbug-talk is one of the few lists I subscribe to where I know people take an interest in Unix history. This discussion of the origins of several Unix utilities popped up on the Perl 5 Porters newsgroup today. The participants are usually among the most well informed on p5p, so I figured I'd share it.

Thank you very much.
Jim Keenan

-------- Original Message --------
Subject: Re: [perl #119095] Empty regular expression does not match in some cases
Date: Mon, 5 Aug 2013 19:09:18 +0100
From: arc at cpan.org (Aaron Crane)
To: Aristotle Pagaltzis
CC: Perl5 Porters
Newsgroups: perl.perl5.porters

Aristotle Pagaltzis wrote:
> A lot of the syntax and idioms lore that we think of as "regexps", at
> least in a Unix-y tradition, is really the regexp vernacular of ed. The
> entire grep utility is an extraction of an ed idiom as a stand-alone
> program.
>
> And even when I say all this, I am almost certainly being ahistorical --
> I do not know in detail the lineage and history of ed and all its next
> of kin (ex/vi, grep, sed, patch etc) and would actually be surprised if
> the story weren't more intertwined and complex than my portrayal, even
> WRT just this one aspect.
>
> (I expect Aaron to come up behind me and embarrass me now. :-) )

Nope, your summary pretty much covers it. :-)

ed(1) already exists in the First Edition manual (so before November 1971), but neither sed(1) nor grep(1) do:
http://cm.bell-labs.com/cm/cs/who/dmr/man12.pdf
http://cm.bell-labs.com/cm/cs/who/dmr/man13.pdf

grep(1) came next, in Fourth Edition (so between February and November 1973):
http://www.tuhs.org/Archive/PDP-11/Distributions/research/Dennis_v4/v4man.tar.gz

In 1975, George Coulouris at Queen Mary College (in London; subsequently renamed Queen Mary and Westfield, and then Queen Mary, University of London) wrote em ("editor for mortals"), an interactive ed(1)-like editor for cursor-addressed displays. When he visited Berkeley in 1976, he took it with him, and a certain Bill Joy took it and morphed it into ex(1), which shipped in 1BSD (March 1978):
http://www.eecs.qmul.ac.uk/~gc/history/

vi(1) was originally (in 2BSD, May 1979) a hard link to ex(1); when it was launched under that name, it would start in visual mode rather than normal mode, but ex(1) had all the same abilities.

sed(1) didn't appear till Seventh Edition, in January 1979:
http://plan9.bell-labs.com/7thEdMan/v7vol1.pdf

The original diff(1) appeared in Fifth Edition (June 1974), and originally generated only "edit scripts" (à la modern `diff -e`) that could be passed to ed(1):
http://www.tuhs.org/Archive/PDP-11/Distributions/research/Dennis_v5/v5man.pdf

As for patch(1), Larry first wrote it in 1984, and published it in 1985; it already handled context and unified diffs at that point, as well as the traditional edit scripts:
https://groups.google.com/forum/#!topic/mod.sources/xSQM63e39YY

Now, Ken Thompson wrote the Unix ed(1) in PDP-11 assembler:
https://code.google.com/p/unix-jun72/source/browse/trunk/src/cmd/ed2.s
https://code.google.com/p/unix-jun72/source/browse/trunk/src/cmd/ed3.s

This means it can be dated to some time in 1971, according to Dennis Ritchie:
http://cm.bell-labs.com/who/dmr/hist.html

But it turns out we can rewind a little further. A team at UCB (including L. Peter Deutsch) wrote an editor called qed in 1968:
http://web.archive.org/web/20120219114658/http://www.computer-refuge.org/bitsavers/pdf/sds/ucbProjectGenie/mcjones/R-15_QED.pdf

It's still possible to see the core of the ed(1) design in that, even though the details differ quite a lot; for example, the 1968 qed doesn't have regexes at all.

Ken Thompson ported qed to CTSS circa 1970, and therefore shortly *before* he wrote ed(1); the manual for his port can be found here:
http://cm.bell-labs.com/cm/cs/who/dmr/qedman.pdf

This is much more similar to the ed(1) we know and (presumably) love, including regexes strictly more powerful than those in traditional ed(1), and slashes to delimit them (where the 1968 qed used square brackets for its search strings). And we find that the manual says "The null regular expression standing alone is equivalent to the last regular expression encountered."

So this aspect of Perl can be dated back to code written no later than 1970, for a text editor running on an operating system that I suspect no one subscribed to this list has ever used.

Enjoy!
--
Aaron Crane ** http://aaroncrane.co.uk/

From gnn at neville-neil.com Mon Aug 5 22:06:52 2013
From: gnn at neville-neil.com (George Neville-Neil)
Date: Mon, 5 Aug 2013 22:06:52 -0400
Subject: [nycbug-talk] Some gifts from Massimilliano aka Max
Message-ID: <073A2593-F037-4DAE-9930-C48D8C61ED10@neville-neil.com>

Howdy,

I have a couple of these little boxes: https://atlas.ripe.net/about/

That you can put on your network so that RIPE can map the network.

If you're one of the tinfoil hat crowd you probably won't want this but I find it amusing enough to have plugged one in. It's a cooperative set of monitoring devices, and by participating you get access to the data sets.

Not sure how to parcel them out but I'm sure we'll come up with something.

See y'all Wednesday.

Best,
George

From ike at blackskyresearch.net Tue Aug 6 00:25:09 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Tue, 6 Aug 2013 00:25:09 -0400
Subject: [nycbug-talk] Some history of Unix utilities
In-Reply-To: <52002B35.7070509@verizon.net>
References: <52002B35.7070509@verizon.net>
Message-ID: <1375763161-9669233.72842856.fr764P91k010555@rs149.luxsci.com>

On Aug 5, 2013, at 6:46 PM, James E Keenan wrote:

> nycbug-talk is one of the few lists I subscribe to where I know people take an interest in Unix history. This discussion of the origins of several Unix utilities popped up on the Perl 5 Porters newsgroup today. The participants are usually among the most well informed on p5p, so I figured I'd share it.
>
> Thank you very much.
> Jim Keenan

Jim, I never thought I'd say anything like this, but, thanks for sharing this cross-post.

Possibly the first truly delightful cross-post I've seen on talk@!
Best,
.ike

>
> -------- Original Message --------
> Subject: Re: [perl #119095] Empty regular expression does not match in some cases
> Date: Mon, 5 Aug 2013 19:09:18 +0100
> From: arc at cpan.org (Aaron Crane)
> To: Aristotle Pagaltzis
> CC: Perl5 Porters
> Newsgroups: perl.perl5.porters
>
>
> Aristotle Pagaltzis wrote:
>> A lot of the syntax and idioms lore that we think of as "regexps", at
>> least in a Unix-y tradition, is really the regexp vernacular of ed. The
>> entire grep utility is an extraction of an ed idiom as a stand-alone
>> program.
>>
>> And even when I say all this, I am almost certainly being ahistorical --
>> I do not know in detail the lineage and history of ed and all its next
>> of kin (ex/vi, grep, sed, patch etc) and would actually be surprised if
>> the story weren't more intertwined and complex than my portrayal, even
>> WRT just this one aspect.
>>
>> (I expect Aaron to come up behind me and embarrass me now. :-) )
>
> Nope, your summary pretty much covers it. :-)
>
> ed(1) already exists in the First Edition manual (so before November
> 1971), but neither sed(1) nor grep(1) do:
> http://cm.bell-labs.com/cm/cs/who/dmr/man12.pdf
> http://cm.bell-labs.com/cm/cs/who/dmr/man13.pdf
>
> grep(1) came next, in Fourth Edition (so between February and November 1973):
>
> http://www.tuhs.org/Archive/PDP-11/Distributions/research/Dennis_v4/v4man.tar.gz
>
> In 1975, George Coulouris at Queen Mary College (in London;
> subsequently renamed Queen Mary and Westfield, and then Queen Mary,
> University of London) wrote em ("editor for mortals"), an interactive
> ed(1)-like editor for cursor-addressed displays.
> When he visited
> Berkeley in 1976, he took it with him, and a certain Bill Joy took it
> and morphed it into ex(1), which shipped in 1BSD (March 1978):
>
> http://www.eecs.qmul.ac.uk/~gc/history/
>
> vi(1) was originally (in 2BSD, May 1979) a hard link to ex(1); when it
> was launched under that name, it would start in visual mode rather
> than normal mode, but ex(1) had all the same abilities.
>
> sed(1) didn't appear till Seventh Edition, in January 1979:
>
> http://plan9.bell-labs.com/7thEdMan/v7vol1.pdf
>
> The original diff(1) appeared in Fifth Edition (June 1974), and
> originally generated only "edit scripts" (à la modern `diff -e`) that
> could be passed to ed(1):
>
> http://www.tuhs.org/Archive/PDP-11/Distributions/research/Dennis_v5/v5man.pdf
>
> As for patch(1), Larry first wrote it in 1984, and published it in
> 1985; it already handled context and unified diffs at that point, as
> well as the traditional edit scripts:
>
> https://groups.google.com/forum/#!topic/mod.sources/xSQM63e39YY
>
> Now, Ken Thompson wrote the Unix ed(1) in PDP-11 assembler:
>
> https://code.google.com/p/unix-jun72/source/browse/trunk/src/cmd/ed2.s
> https://code.google.com/p/unix-jun72/source/browse/trunk/src/cmd/ed3.s
>
> This means it can be dated to some time in 1971, according to Dennis Ritchie:
>
> http://cm.bell-labs.com/who/dmr/hist.html
>
> But it turns out we can rewind a little further. A team at UCB
> (including L. Peter Deutsch) wrote an editor called qed in 1968:
>
> http://web.archive.org/web/20120219114658/http://www.computer-refuge.org/bitsavers/pdf/sds/ucbProjectGenie/mcjones/R-15_QED.pdf
>
> It's still possible to see the core of the ed(1) design in that, even
> though the details differ quite a lot; for example, the 1968 qed
> doesn't have regexes at all.
>
> Ken Thompson ported qed to CTSS circa 1970, and therefore shortly
> *before* he wrote ed(1); the manual for his port can be found here:
>
> http://cm.bell-labs.com/cm/cs/who/dmr/qedman.pdf
>
> This is much more similar to the ed(1) we know and (presumably) love,
> including regexes strictly more powerful than those in traditional
> ed(1), and slashes to delimit them (where the 1968 qed used square
> brackets for its search strings). And we find that the manual says
> "The null regular expression standing alone is equivalent to the last
> regular expression encountered."
>
> So this aspect of Perl can be dated back to code written no later than
> 1970, for a text editor running on an operating system that I suspect
> no one subscribed to this list has ever used.
>
> Enjoy!
>
> --
> Aaron Crane ** http://aaroncrane.co.uk/

From ike at blackskyresearch.net Tue Aug 6 00:33:56 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Tue, 6 Aug 2013 00:33:56 -0400
Subject: [nycbug-talk] Some gifts from Massimilliano aka Max
In-Reply-To: <073A2593-F037-4DAE-9930-C48D8C61ED10@neville-neil.com>
References: <073A2593-F037-4DAE-9930-C48D8C61ED10@neville-neil.com>
Message-ID: <1375763642-5278793.76351837.fr764XvQq016737@rs149.luxsci.com>

On Aug 5, 2013, at 10:06 PM, George Neville-Neil wrote:

> Howdy,
>
> I have a couple of these little boxes: https://atlas.ripe.net/about/
>
> That you can put on your network so that RIPE can map the network.
>
> If you're one of the tinfoil hat crowd you probably won't want this but I find it amusing
> enough to have plugged one in. It's a cooperative set of monitoring devices, and by
> participating you get access to the data sets.
>
> Not sure how to parcel them out but I'm sure we'll come up with something.
>
> See y'all Wednesday.
>
> Best,
> George

Fascinating...
What sort of internet connectivity is of interest to the project? (e.g. home internet endpoint vs. datacenter/carrier lines?)

Rocket-
.ike

From stucchi-lists at glevia.com Tue Aug 6 04:14:16 2013
From: stucchi-lists at glevia.com (Massimiliano Stucchi)
Date: Tue, 06 Aug 2013 10:14:16 +0200
Subject: [nycbug-talk] Some gifts from Massimilliano aka Max
In-Reply-To: <1375763642-5278793.76351837.fr764XvQq016737@rs149.luxsci.com>
References: <073A2593-F037-4DAE-9930-C48D8C61ED10@neville-neil.com> <1375763642-5278793.76351837.fr764XvQq016737@rs149.luxsci.com>
Message-ID: <5200B058.4090801@glevia.com>

On 8/6/13 6:33 AM, Isaac (.ike) Levy wrote:
> Fascinating...
>
> What sort of internet connectivity is of interest to the project? (e.g. home internet endpoint vs. datacenter/carrier lines?)

Any kind is okay. You can also host more than one if you can put them on different connectivity, and we especially prefer if you could also put them on different ASes.

Moreover, the source code of the probes is available on github (https://github.com/RIPE-Atlas-Community), and you can contribute easily.

If you have any more questions, feel free to ask me. If you feel you'd like more probes, just let me know and I'll arrange that for you.

Ciao!

--
Massimiliano Stucchi

From george at ceetonetechnology.com Tue Aug 6 09:15:52 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 06 Aug 2013 09:15:52 -0400
Subject: [nycbug-talk] Some history of Unix utilities
In-Reply-To: <1375763161-9669233.72842856.fr764P91k010555@rs149.luxsci.com>
References: <52002B35.7070509@verizon.net> <1375763161-9669233.72842856.fr764P91k010555@rs149.luxsci.com>
Message-ID: <5200F708.1030403@ceetonetechnology.com>

Isaac (.ike) Levy:
> On Aug 5, 2013, at 6:46 PM, James E Keenan wrote:
>
>> nycbug-talk is one of the few lists I subscribe to where I know people take an interest in Unix history. This discussion of the origins of several Unix utilities popped up on the Perl 5 Porters newsgroup today.
>> The participants are usually among the most well informed on p5p, so I figured I'd share it.
>>
>> Thank you very much.
>> Jim Keenan
>
> Jim, I never thought I'd say anything like this, but, thanks for sharing this cross-post.
>
> Possibly the first truly delightful cross-post I've seen on talk@!

+1 on this. We need to start reflecting this more in our meetings again.

ty James.

g

From george at ceetonetechnology.com Tue Aug 6 09:20:47 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 06 Aug 2013 09:20:47 -0400
Subject: [nycbug-talk] NYC*BUG logo
Message-ID: <5200F82F.7020403@ceetonetechnology.com>

So with tomorrow night's meeting, Ike is going to introduce some options for a new logo, which we can hopefully make a decision on.

Certainly an appropriate topic considering it's "A Decade of NYC*BUG" presentation...

g

From jpb at jimby.name Tue Aug 6 13:34:55 2013
From: jpb at jimby.name (Jimmy B.)
Date: Tue, 6 Aug 2013 13:34:55 -0400
Subject: [nycbug-talk] Some history of Unix utilities
In-Reply-To: <52002B35.7070509@verizon.net>
References: <52002B35.7070509@verizon.net>
Message-ID: <20130806173455.GA34102@jimby.name>

* James E Keenan [2013-08-05 22:11]:
> nycbug-talk is one of the few lists I subscribe to where I know people
> take an interest in Unix history. This discussion of the origins of
> several Unix utilities popped up on the Perl 5 Porters newsgroup today.
> The participants are usually among the most well informed on p5p, so I
> figured I'd share it.
>
> Thank you very much.
> Jim Keenan
>
> -------- Original Message --------
> Subject: Re: [perl #119095] Empty regular expression does not match in
> some cases
> Date: Mon, 5 Aug 2013 19:09:18 +0100
> From: arc at cpan.org (Aaron Crane)
> To: Aristotle Pagaltzis
> CC: Perl5 Porters
> Newsgroups: perl.perl5.porters
>
>
> Aristotle Pagaltzis wrote:
> > A lot of the syntax and idioms lore that we think of as "regexps", at
> > least in a Unix-y tradition, is really the regexp vernacular of ed. The
> > entire grep utility is an extraction of an ed idiom as a stand-alone
> > program.
> >
> > And even when I say all this, I am almost certainly being ahistorical --
> > I do not know in detail the lineage and history of ed and all its next
> > of kin (ex/vi, grep, sed, patch etc) and would actually be surprised if
> > the story weren't more intertwined and complex than my portrayal, even
> > WRT just this one aspect.
> >
> > (I expect Aaron to come up behind me and embarrass me now. :-) )
>
> Nope, your summary pretty much covers it. :-)
>
> ed(1) already exists in the First Edition manual (so before November
> 1971), but neither sed(1) nor grep(1) do:
> http://cm.bell-labs.com/cm/cs/who/dmr/man12.pdf
> http://cm.bell-labs.com/cm/cs/who/dmr/man13.pdf
>
> grep(1) came next, in Fourth Edition (so between February and November
> 1973):
>
> http://www.tuhs.org/Archive/PDP-11/Distributions/research/Dennis_v4/v4man.tar.gz
>
> In 1975, George Coulouris at Queen Mary College (in London;
> subsequently renamed Queen Mary and Westfield, and then Queen Mary,
> University of London) wrote em ("editor for mortals"), an interactive
> ed(1)-like editor for cursor-addressed displays.
> When he visited
> Berkeley in 1976, he took it with him, and a certain Bill Joy took it
> and morphed it into ex(1), which shipped in 1BSD (March 1978):
>
> http://www.eecs.qmul.ac.uk/~gc/history/
>
> vi(1) was originally (in 2BSD, May 1979) a hard link to ex(1); when it
> was launched under that name, it would start in visual mode rather
> than normal mode, but ex(1) had all the same abilities.
>
> sed(1) didn't appear till Seventh Edition, in January 1979:
>
> http://plan9.bell-labs.com/7thEdMan/v7vol1.pdf
>
> The original diff(1) appeared in Fifth Edition (June 1974), and
> originally generated only "edit scripts" (à la modern `diff -e`) that
> could be passed to ed(1):
>
> http://www.tuhs.org/Archive/PDP-11/Distributions/research/Dennis_v5/v5man.pdf
>
> As for patch(1), Larry first wrote it in 1984, and published it in
> 1985; it already handled context and unified diffs at that point, as
> well as the traditional edit scripts:
>
> https://groups.google.com/forum/#!topic/mod.sources/xSQM63e39YY
>
> Now, Ken Thompson wrote the Unix ed(1) in PDP-11 assembler:
>
> https://code.google.com/p/unix-jun72/source/browse/trunk/src/cmd/ed2.s
> https://code.google.com/p/unix-jun72/source/browse/trunk/src/cmd/ed3.s
>
> This means it can be dated to some time in 1971, according to Dennis
> Ritchie:
>
> http://cm.bell-labs.com/who/dmr/hist.html
>
> But it turns out we can rewind a little further. A team at UCB
> (including L. Peter Deutsch) wrote an editor called qed in 1968:
>
> http://web.archive.org/web/20120219114658/http://www.computer-refuge.org/bitsavers/pdf/sds/ucbProjectGenie/mcjones/R-15_QED.pdf
>
> It's still possible to see the core of the ed(1) design in that, even
> though the details differ quite a lot; for example, the 1968 qed
> doesn't have regexes at all.
>
> Ken Thompson ported qed to CTSS circa 1970, and therefore shortly
> *before* he wrote ed(1); the manual for his port can be found here:
>
> http://cm.bell-labs.com/cm/cs/who/dmr/qedman.pdf
>
> This is much more similar to the ed(1) we know and (presumably) love,
> including regexes strictly more powerful than those in traditional
> ed(1), and slashes to delimit them (where the 1968 qed used square
> brackets for its search strings). And we find that the manual says
> "The null regular expression standing alone is equivalent to the last
> regular expression encountered."
>
> So this aspect of Perl can be dated back to code written no later than
> 1970, for a text editor running on an operating system that I suspect
> no one subscribed to this list has ever used.
>
> Enjoy!
>
> --
> Aaron Crane ** http://aaroncrane.co.uk/

I remember reading the announcements on Usenet in the 1980's about Henry Spencer's regex library and thinking how *way cool* that was. The library turned up in quite a few places. I seem to recall it was used in quite a few applications of that era, including NNTP and early versions of the X window protocol and Perl itself. (Please correct me if my memory has turned against me :-))

As much as I liked it, I was even happier when PCRE hit the bitwaves. Much simpler, and more powerful.

Cheers,
Jim B.

From pete at nomadlogic.org Tue Aug 6 13:33:13 2013
From: pete at nomadlogic.org (Pete Wright)
Date: Tue, 06 Aug 2013 10:33:13 -0700
Subject: [nycbug-talk] NYC*BUG logo
In-Reply-To: <5200F82F.7020403@ceetonetechnology.com>
References: <5200F82F.7020403@ceetonetechnology.com>
Message-ID: <52013359.70900@nomadlogic.org>

On 08/06/2013 06:20 AM, George Rosamond wrote:
> So with tomorrow night's meeting, Ike is going to introduce some options
> for a new logo, which we can hopefully make a decision on.

+1 for the penguin logo!
;p

>
> Certainly an appropriate topic considering it's "A Decade of NYC*BUG"
> presentation...

wow - has it really been 10 years?
Congrats nycbug - I'll raise a glass of lager in your honor weds night!

-pete

--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From george at ceetonetechnology.com Tue Aug 6 13:46:17 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 06 Aug 2013 13:46:17 -0400
Subject: [nycbug-talk] NYC*BUG logo
In-Reply-To: <52013359.70900@nomadlogic.org>
References: <5200F82F.7020403@ceetonetechnology.com> <52013359.70900@nomadlogic.org>
Message-ID: <52013669.7010305@ceetonetechnology.com>

Pete Wright:
> On 08/06/2013 06:20 AM, George Rosamond wrote:
>> So with tomorrow night's meeting, Ike is going to introduce some options
>> for a new logo, which we can hopefully make a decision on.
>
> +1 for the penguin logo!
> ;p
>

I like it... throw something together petee!

>>
>> Certainly an appropriate topic considering it's "A Decade of NYC*BUG"
>> presentation...
>
> wow - has it really been 10 years? congrats nycbug - i'll raise a glass
> of lager in your honor weds night!
>

:)

You were part of it from the beginning, and remained an "expat member" in my book!

Should be a fun meeting.

g

From ike at blackskyresearch.net Tue Aug 6 14:04:12 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Tue, 06 Aug 2013 18:04:12 +0000
Subject: [nycbug-talk] NYC*BUG logo
Message-ID: <201308061804.r76I4Cxs023449@rs103.luxsci.com>

On August 6, 2013 01:33:13 PM EDT, Pete Wright wrote:
> On 08/06/2013 06:20 AM, George Rosamond wrote:
>> So with tomorrow night's meeting, Ike is going to introduce some options
>> for a new logo, which we can hopefully make a decision on.
>
> +1 for the penguin logo!
> ;p

Actually, I don't want to start any rumors, but I heard something about a cute rendering of a cockroach.

(can't wait for rotten tomatoes to pummel me back on port 25 for that cheeze)

>
>>
>> Certainly an appropriate topic considering it's "A Decade of NYC*BUG"
>> presentation...
>
> wow - has it really been 10 years?
> congrats nycbug - i'll raise a
> glass of lager in your honor weds night!

You always miss the meetings, man. What's up with that?

If you're not there, we'll certainly be sure to raise a glass westward!

Rocket-
.ike

>
> -pete
>
> -- Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>

From spork at bway.net Tue Aug 6 14:18:01 2013
From: spork at bway.net (Charles Sprickman)
Date: Tue, 6 Aug 2013 14:18:01 -0400
Subject: [nycbug-talk] NYC*BUG logo
In-Reply-To: <52013359.70900@nomadlogic.org>
References: <5200F82F.7020403@ceetonetechnology.com> <52013359.70900@nomadlogic.org>
Message-ID:

On Aug 6, 2013, at 1:33 PM, Pete Wright wrote:

> On 08/06/2013 06:20 AM, George Rosamond wrote:
>> So with tomorrow night's meeting, Ike is going to introduce some options
>> for a new logo, which we can hopefully make a decision on.
>
> +1 for the penguin logo!
> ;p

I sure hope Ike has created something that includes a brony or a unicorn and some sparkles.

http://i.imgur.com/jmVgBPZ.gif

>
>>
>> Certainly an appropriate topic considering it's "A Decade of NYC*BUG"
>> presentation...
>
> wow - has it really been 10 years? congrats nycbug - i'll raise a glass of lager in your honor weds night!
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>

From ike at blackskyresearch.net Tue Aug 6 14:26:49 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Tue, 06 Aug 2013 18:26:49 +0000
Subject: [nycbug-talk] NYC*BUG logo
Message-ID: <201308061826.r76IQnST017122@rs103.luxsci.com>

On August 6, 2013 02:18:01 PM EDT, Charles Sprickman wrote:
> On Aug 6, 2013, at 1:33 PM, Pete Wright wrote:
>
>> +1 for the penguin logo!
>> ;p
>
> I sure hope Ike has created something that includes a brony or a
> unicorn and some sparkles.
>
> http://i.imgur.com/jmVgBPZ.gif

Astounding. Did you root my laptop? How did you get the new logo?

I guess there's benefits to running an ISP, (in particular, my home DSL) :P

Rocket-
.ike

From george at ceetonetechnology.com Tue Aug 6 14:30:28 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 06 Aug 2013 14:30:28 -0400
Subject: [nycbug-talk] NYC*BUG logo
In-Reply-To: <201308061826.r76IQnST017122@rs103.luxsci.com>
References: <201308061826.r76IQnST017122@rs103.luxsci.com>
Message-ID: <520140C4.9030107@ceetonetechnology.com>

Isaac (.ike) Levy:
>
> On August 6, 2013 02:18:01 PM EDT, Charles Sprickman
> wrote:
>
>> On Aug 6, 2013, at 1:33 PM, Pete Wright wrote:
>>
>>> +1 for the penguin logo!
>>> ;p
>>
>> I sure hope Ike has created something that includes a brony or a
>> unicorn and some sparkles.
>>
>> http://i.imgur.com/jmVgBPZ.gif
>
> Astounding. Did you root my laptop? How did you get the new logo?
>
> I guess there's benefits to running an ISP, (in particular, my home DSL) :P
>

I guess we can scratch that item off the agenda for tomorrow then...

Don't use ftp over Tor next time.

nice job ike.

g

From pete at nomadlogic.org Tue Aug 6 16:23:13 2013
From: pete at nomadlogic.org (Pete Wright)
Date: Tue, 06 Aug 2013 13:23:13 -0700
Subject: [nycbug-talk] NYC*BUG logo
In-Reply-To:
References: <5200F82F.7020403@ceetonetechnology.com> <52013359.70900@nomadlogic.org>
Message-ID: <52015B31.3000004@nomadlogic.org>

On 08/06/2013 11:18 AM, Charles Sprickman wrote:
> On Aug 6, 2013, at 1:33 PM, Pete Wright wrote:
>
>> On 08/06/2013 06:20 AM, George Rosamond wrote:
>>> So with tomorrow night's meeting, Ike is going to introduce some options
>>> for a new logo, which we can hopefully make a decision on.
>> +1 for the penguin logo!
>> ;p
> I sure hope Ike has created something that includes a brony or a unicorn and some sparkles.
>
> http://i.imgur.com/jmVgBPZ.gif

lol - spork@ wins one (1) free internet!

-p

--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From raulcuza at gmail.com Tue Aug 6 16:56:00 2013
From: raulcuza at gmail.com (Raúl Cuza)
Date: Tue, 6 Aug 2013 16:56:00 -0400
Subject: [nycbug-talk] NYC*BUG logo
In-Reply-To: <52015B31.3000004@nomadlogic.org>
References: <5200F82F.7020403@ceetonetechnology.com> <52013359.70900@nomadlogic.org> <52015B31.3000004@nomadlogic.org>
Message-ID:

On Aug 6, 2013, at 16:23, Pete Wright wrote:

> On 08/06/2013 11:18 AM, Charles Sprickman wrote:
>> On Aug 6, 2013, at 1:33 PM, Pete Wright wrote:
>>
>>> On 08/06/2013 06:20 AM, George Rosamond wrote:
>>>> So with tomorrow night's meeting, Ike is going to introduce some options
>>>> for a new logo, which we can hopefully make a decision on.
>>> +1 for the penguin logo!
>>> ;p
>> I sure hope Ike has created something that includes a brony or a unicorn and some sparkles.
>>
>> http://i.imgur.com/jmVgBPZ.gif
>
> lol - spork@ win's one (1) free internet!
>
> -p
>
>

My work firewall blocked the gif for being obscene. Thank goodness.

Sent from a mobile eMate 300

From ike at blackskyresearch.net Wed Aug 7 09:58:21 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Wed, 07 Aug 2013 13:58:21 +0000
Subject: [nycbug-talk] RSA/DSA for encryption: has its time come?
Message-ID: <201308071358.r77DwLhs028247@rs103.luxsci.com>

Hi All,

I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:

http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/

--
A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys.
And then months later, there were some ECDSA/ssh implementation problems exposed:
http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2

So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.

--
What are people's thoughts on the practicality of starting to use ECDSA keys?

Has anyone here seen their use mandated over RSA/DSA in a business setting?

Has anyone just jumped into ECDSA bliss, and not looked back?

Rocket-
.ike

From crossd at gmail.com Thu Aug 8 10:01:19 2013
From: crossd at gmail.com (Dan Cross)
Date: Thu, 8 Aug 2013 10:01:19 -0400
Subject: [nycbug-talk] Some history of Unix utilities
In-Reply-To: <20130806173455.GA34102@jimby.name>
References: <52002B35.7070509@verizon.net> <20130806173455.GA34102@jimby.name>
Message-ID:

On Tue, Aug 6, 2013 at 1:34 PM, Jimmy B. wrote:
> I remember reading the announcements on Usenet in the 1980's about
> Henry Spencer's regex library and thinking how *way cool* that was.
> The library turned up in quite a few places. I seem to recall it
> was used in quite a few applications of that era, including NNTP
> and early versions of the X window protocol and Perl itself.
> (Please correct me if my memory has turned against me :-))
>
> As much as I liked it, I was even happier when PCRE hit the bitwaves.
> Much simpler, and more powerful.
>

It is actually a bit of a shame; Henry Spencer's library used the unfortunate technique of backtracking to implement search. I say unfortunate because backtracking can (and does) go exponential in both time and space, as opposed to, say, a non-deterministic finite automata simulation which has superlinear, but not exponential runtime.

PCRE took advantage of backtracking and extended "regular" expressions (which are things that, by definition, can be implemented as deterministic finite automata *without additional memory*.
Corollary: matches against DFA's run in constant memory and time linear in the length of the input being searched for a match) with things that cannot be implemented on finite automata, e.g., backreferences in expressions such as '(foo|bar).*\1' to match 'foo.*foo' or 'bar.*bar', but not 'foo.*bar' or 'bar.*foo', which require extra state. Note that these are no longer regular expressions in the formal sense; instead, they are somewhere between regular expressions and things expressible via push-down automata. (Note: the author of the book, "Mastering Regular Expressions" gets this wrong and claims that backtracking implementations are NDFAs.)

Ken Thompson had done some important work in QED on CTSS to compile regular expressions to machine code that implemented an NDFA simulation. Unix's ed didn't do this, nor did the first grep's when they were liberated from ed, hence, Unix grep can support limited back-references in a manner similar to PCRE. Some modern libraries implement DFA and NDFA matching, but necessarily omit implementing things like backreferences. RE2 is an example.

This is a great introduction to the fascinating subject of regular expressions, and their history and implementation in Unix, Unix-like, and ancestor systems: http://swtch.com/~rsc/regexp/

- Dan C.

From george at ceetonetechnology.com Thu Aug 8 15:33:23 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 08 Aug 2013 15:33:23 -0400
Subject: [nycbug-talk] last night's meeting
Message-ID: <5203F283.4070901@ceetonetechnology.com>

I'm going to dump things into this email that should be separate.. I know, I know. So please don't do any heavy snipping and comment inline.

First, for those who were there last night, I really should have talked more about the cross-pollination role we can and have played. I think it's vital and we've managed to create a physical and mailing list space for that to happen.
Not to mention the eadler and bcallah show on IRC :)

Second, we have an offer from Scale Engine to stream our meetings. Can't see why this wouldn't be a good thing. Any feedback welcome on it though. Nikolai should post numbers on the audio downloads, and it would be interesting to see what the streaming could become. Our main man Patrick will be the point person on this.

Finally, the con. We get regular pings about this. Admin@, individually, etc. Attendees, past and potential sponsors. But cons take a lot of effort, way more than most people can imagine. It becomes a second fulltime job for a few people, and it is physically exhausting, not to mention a complete disruption on a lot of people's lives.

Nonetheless, our cons are tremendously successful, often make money for the BSD projects, and become a unique event in terms of various projects interacting. And it is well-acclaimed and complimented way beyond NYC.

On that note, I mentioned us doing a day con some time into the new year. It's not a regular con time, as long as we don't bump into AsiaBSDCon, and daycons are a lot less demanding. We would not fly in people, and deal with hotels, which is usually the largest expense.

We would hit topics that are current and are part of the larger debates beyond just the BSDs. And for us to hold one or two a year should not be exhausting.

As per last night's discussion, we will have an organizing meeting in the near future to map things out. Feedback and input is encouraged.

So *if* you want to be central to organizing the next con, you can be.

g

From matthewstory at gmail.com Thu Aug 8 16:20:27 2013
From: matthewstory at gmail.com (Matthew Story)
Date: Thu, 8 Aug 2013 16:20:27 -0400
Subject: [nycbug-talk] Ansible with Author Michael DeHaan 8/27
Message-ID:

Wanted to invite all of NYC*BUG to an event inspired by Brian Coca's NYC*BUG talk from May. Event will be held at Axial offices (where we hosted the talk with Kirk) 45 E. 20th Street, floor 12.
Register with the link below:
http://axialcorps-ansible.eventbrite.com/

If you don't want to register, just shoot me an email: matt.story+ansibleevent at axial.net letting me know you'll be attending.

--
regards,
matt

From george at ceetonetechnology.com Thu Aug 8 16:25:18 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 08 Aug 2013 16:25:18 -0400
Subject: [nycbug-talk] Ansible with Author Michael DeHaan 8/27
In-Reply-To:
References:
Message-ID: <5203FEAE.6000700@ceetonetechnology.com>

Matthew Story:
> Wanted to invite all of NYC*BUG to an event inspired by Brian Coca's
> NYC*BUG talk from May. Event will be held at Axial offices (where we

Now we discussed and all thought it was appropriate that NYC*BUG publicized Kirk speaking at Axial. And we all certainly appreciate that event.

However, this is NOT appropriate for our talk@ list IMO.

Do we really want a list when businesses or other entities start using our talk list to advertise their events. That is not why most people are here.

g

From gnn at neville-neil.com Thu Aug 8 16:41:50 2013
From: gnn at neville-neil.com (George Neville-Neil)
Date: Thu, 8 Aug 2013 16:41:50 -0400
Subject: [nycbug-talk] last night's meeting
In-Reply-To: <5203F283.4070901@ceetonetechnology.com>
References: <5203F283.4070901@ceetonetechnology.com>
Message-ID:

On Aug 8, 2013, at 15:33 , George Rosamond wrote:
> I'm going to dump things into this email that should be separate.. I
> know, I know. So please don't do any heavy snipping and comment inline.
>
> First, for those who were there last night, I really should have talked
> more about the cross-pollination role we can and have played. I think
> it's vital and we've managed to create a physical and mailing list space
> for that to happen. Not to mention the eadler and bcallah show on IRC :)
>
> Second, we have an offer from Scale Engine to stream our meetings.
> Can't see why this wouldn't be a good thing. Any feedback welcome on it
> though. Nikolai should post numbers on the audio downloads, and it
> would be interesting to see what the streaming could become. Our main
> man Patrick will be the point person on this.
>
> Finally, the con. We get regular pings about this. Admin@,
> individually, etc. Attendees, past and potential sponsors. But cons
> take a lot of effort, way more than most people can imagine. It becomes
> a second fulltime job for a few people, and it is physically exhausting,
> not to mention a complete disruption on a lot of people's lives.
>
> Nonetheless, our cons are tremendously successful, often make money for
> the BSD projects, and become a unique event in terms of various
> projects interacting. And it is well-acclaimed and complimented way
> beyond NYC.
>
> On that note, I mentioned us doing a day con some time into the new
> year. It's not a regular con time, as long as we don't bump into
> AsiaBSDCon, and daycons are a lot less demanding. We would not fly in
> people, and deal with hotels, which is usually the largest expense.
>
> We would hit topics that are current and are part of the larger debates
> beyond just the BSDs. And for us to hold one or two a year should not
> be exhausting.
>
> As per last night's discussion, we will have an organizing meeting in
> the near future to map things out. Feedback and input is encouraged.
>
> So *if* you want to be central to organizing the next con, you can be.

BTW The one idea that popped into my head, but which I didn't have time to talk about last night is this. "Make the Switch. Moving to BSD from Linux" Most people don't know that a lot of the tools they think they have to use on Linux actually work, and work well, on the BSDs. I think that would be a good theme that appeals to our core audience.
Best,
George

From matthewstory at gmail.com Thu Aug 8 22:04:54 2013
From: matthewstory at gmail.com (Matthew Story)
Date: Thu, 8 Aug 2013 22:04:54 -0400
Subject: [nycbug-talk] Ansible with Author Michael DeHaan 8/27
In-Reply-To: <5203FEAE.6000700@ceetonetechnology.com>
References: <5203FEAE.6000700@ceetonetechnology.com>
Message-ID:

On Thu, Aug 8, 2013 at 4:25 PM, George Rosamond <george at ceetonetechnology.com> wrote:
> Matthew Story:
> > Wanted to invite all of NYC*BUG to an event inspired by Brian Coca's
> > NYC*BUG talk from May. Event will be held at Axial offices (where we
>
> Now we discussed and all thought it was appropriate that NYC*BUG
> publicized Kirk speaking at Axial. And we all certainly appreciate that
> event.
>
> However, this is NOT appropriate for our talk@ list IMO.
>
> Do we really want a list when businesses or other entities start using
> our talk list to advertise their events. That is not why most people
> are here.
>

As I've discussed with George off-list. My intention here was to share an event that I thought a bunch of people who regularly attend NYC*BUG would enjoy. I thought this was right in line with Coca's talk back in May, as Coca's talk (audio/slides online) introduced me to Ansible, which led to this event.

If the general opinion is that I've abused talk here, that certainly wasn't my intention, and I will refrain from sharing events sponsored, software written, or content generated by Axial going forward through talk.

--
regards,
matt
From george at ceetonetechnology.com Fri Aug 9 12:05:23 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 09 Aug 2013 12:05:23 -0400
Subject: [nycbug-talk] last night's meeting
In-Reply-To:
References: <5203F283.4070901@ceetonetechnology.com>
Message-ID: <52051343.1020404@ceetonetechnology.com>

George Neville-Neil:
>
> On Aug 8, 2013, at 15:33 , George Rosamond wrote:
>
>> I'm going to dump things into this email that should be separate.. I
>> know, I know. So please don't do any heavy snipping and comment inline.
>>
>> First, for those who were there last night, I really should have talked
>> more about the cross-pollination role we can and have played. I think
>> it's vital and we've managed to create a physical and mailing list space
>> for that to happen. Not to mention the eadler and bcallah show on IRC :)
>>
>> Second, we have an offer from Scale Engine to stream our meetings.
>> Can't see why this wouldn't be a good thing. Any feedback welcome on it
>> though. Nikolai should post numbers on the audio downloads, and it
>> would be interesting to see what the streaming could become. Our main
>> man Patrick will be the point person on this.
>>
>> Finally, the con. We get regular pings about this. Admin@,
>> individually, etc. Attendees, past and potential sponsors. But cons
>> take a lot of effort, way more than most people can imagine. It becomes
>> a second fulltime job for a few people, and it is physically exhausting,
>> not to mention a complete disruption on a lot of people's lives.
>>
>> Nonetheless, our cons are tremendously successful, often make money for
>> the BSD projects, and become a unique event in terms of various
>> projects interacting. And it is well-acclaimed and complimented way
>> beyond NYC.
>>
>> On that note, I mentioned us doing a day con some time into the new
>> year. It's not a regular con time, as long as we don't bump into
>> AsiaBSDCon, and daycons are a lot less demanding.
>> We would not fly in
>> people, and deal with hotels, which is usually the largest expense.
>>
>> We would hit topics that are current and are part of the larger debates
>> beyond just the BSDs. And for us to hold one or two a year should not
>> be exhausting.
>>
>> As per last night's discussion, we will have an organizing meeting in
>> the near future to map things out. Feedback and input is encouraged.
>>
>> So *if* you want to be central to organizing the next con, you can be.
>
> BTW The one idea that popped into my head, but which I didn't have time to
> talk about last night is this. "Make the Switch. Moving to BSD from Linux"
> Most people don't know that a lot of the tools they think they have to use
> on Linux actually work, and work well, on the BSDs. I think that would
> be a good theme that appeals to our core audience.

I very much agree with this. A central thrust should be establishing the relevance and utility of the BSDs in production environments. Linux has long become the default choice, and the exceptions tend to be based on either key individuals choosing a BSD or specific features of the BSDs that make it the clear winner, including licensing.

I wonder, however, how this could all be structured for meetings.

g

From spork at bway.net Sat Aug 10 17:54:18 2013
From: spork at bway.net (Charles Sprickman)
Date: Sat, 10 Aug 2013 17:54:18 -0400
Subject: [nycbug-talk] SaltStack and Ansible experience?
In-Reply-To: <51F1AB87.1030400@nomadlogic.org>
References: <51F1AB87.1030400@nomadlogic.org>
Message-ID: <799C9E14-58A3-4CD7-A06B-9902DA3A4E3B@bway.net>

On Jul 25, 2013, at 6:49 PM, Pete Wright wrote:
> On 07/25/13 15:43, Charles Sprickman wrote:
>> While looking through the wikipedia list of configuration management software[1], I noticed a few new entrants that appear to have some momentum, Ansible[2] and SaltStack[3]. Both appear to have a fair amount of support for the *BSDs. Both are python based.
>>
>> For example, looking at SaltStack's list of modules[4], I see support for lots of FreeBSD features: using pkgng (like full support - upgrading a package, fetching current package options, making a backup of an installed package), poudriere (trigger a bulk build, list/create jails and ports trees), and jails.
>>
>> Anyone here use either of these? Ideally I'd like something a bit lighter, but SaltStack is intriguing so far. I also need to see what Puppet currently looks like, but the few BSD-centric reviews I've seen of SaltStack and Ansible both note that support for at least FreeBSD is better than in Puppet-land and that both projects are happy to take patches.
>>
>
> I am a pretty big fan of Ansible - and the primary dev behind it was also the guy responsible for cobbler and func (and worked at puppetlabs in a key position for a while as well).
>
> i've been a long time user of cobbler and func in small and *very* large environments and have been quite happy with the quality of code and its extensibility. ansible seems to have the same DNA and community that was built around cobbler, so i strongly suggest giving it a serious look.

I've got both running in a small set of VMs. I'm just doing basics and running things by hand, but I have to say both Ansible and SaltStack seem very nice. Initial setup once you get past some of the jargon was easy with both. As many Ansible users noted, getting it to a point where you can copy a few files or restart services in an ad-hoc manner is easy, and SaltStack is equally simple (even though it requires a daemon, it's basically just python and 3-4 python deps).

I think either would work for me. Which is making the final choice a bit harder. I'm going to keep pushing through both in this little test setup.
A few things I've noticed so far: -Salt has more modules that look like huge time savers (why write your own routine to handle working with something like jails or pkgng when someone else already has), and seems to have more stuff for the *BSDs. This has no impact on the really basic stuff, but something to think about as you want to do more complex automation. -Salt had more hiccups in the initial install and a few things that seemed a bit odd - the zfs module tries to run "zfs help" on the managed host to figure out what flags the 'zfs' command will accept. The FreeBSD version of 'zfs' lacks the 'help' switch; additionally if you're on a non-zfs box, invoking 'zfs' will load the module. A recent pull from someone outside the project brought in this behavior and looking at the comments on github around that pull kind of left me thinking the barrier to entry for contributors might be a bit low. -Salt spews more non-fatal errors in normal usage (at least on FreeBSD with Python 2.7) -Both projects have succumbed to that sort of cutesy way of creating their own vocabularies, which annoys me as I feel it makes communicating concepts to new users more difficult. Ansible has less goofy names for things. -I have not used Puppet, but in reading up on both Salt and Ansible I'm finding everyone complains about Puppet not allowing you to order your actions. If that's the case, that's a good enough reason for me to pull Puppet out of the running. Even SaltStack is giving me a few reasons to worry, the larger selection of useful modules is tipping me a bit. Next week I may have changed my mind again though? Thanks for all the input, it's good to see that even if they've been stealth, there are a number of Ansible users here. 
Charles

> -p
>
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

From jpb at jimby.name Tue Aug 13 17:25:13 2013
From: jpb at jimby.name (Jim B.)
Date: Tue, 13 Aug 2013 17:25:13 -0400
Subject: [nycbug-talk] (forw) FW: SANS NewsBites Vol. 15 Num. 064 : NSA Plans to Eliminate System Administrators for Improved Security; DHS Deputy Secretary Lute Takes On Global Leadership in Cybersecurity
Message-ID: <20130813212513.GA54843@jimby.name>

From SANs (which I have shamelessly copied) comes news of a new direction for systems administrators - the unemployment line.

Also what, exactly, is an "automated cloud infrastructure"?

Thoughts?
Jim B.

**************************************************************************
SANS NewsBites August 9, 2013 Vol. 15, Num. 063
**************************************************************************

TOP OF THE NEWS

NSA Plans to Eliminate System Administrators
(August 9, 2013)
In an effort to reduce the risk of information leaks, the US National Security Agency (NSA) plans to get rid of 90 percent of its contracted system administrator positions. NSA Director General Keith Alexander said that the agency plans to move to an automated cloud infrastructure. Speaking on a panel along with FBI Director Robert Mueller at a security conference in New York, Alexander referred to the recent revelations about the scope of NSA surveillance, noting that "people make mistakes. But ... no one has willfully or knowingly disobeyed the law or tried to invade ... civil liberties or privacy."
http://www.nbcnews.com/technology/nsa-cut-system-administrators-90-percent-limit-data-access-6C10884390
http://arstechnica.com/information-technology/2013/08/nsa-directors-answer-to-security-first-lay-off-sysadmins/
http://www.theregister.co.uk/2013/08/09/snowden_nsa_to_sack_90_per_cent_sysadmins_keith_alexander/

[Editor's Note (Paller): A huge revelation to executives of the Snowden affair is illuminated in this decision by NSA. System administrators are powerful - too powerful. In the mainframe era, IBM and its customers invested 15 years (1967-1982) building strong controls into computers, specifically to constrain the power of the systems programmers. System administrators are now as powerful as system programmers were in the 60s and 70s, and are unconstrained. NSA is in the vanguard of a major shift coming to every organization that cares about security. The immediate implementation of the top 4 controls in the 20 Critical Controls is a core survival task for IT security organizations. See Raising the Bar for evidence (http://csis.org/publication/raising-bar-cybersecurity). Organizations failing to implement those quickly should anticipate an unstoppable board-level push to outsource system administration and management to the cloud providers.]

Cheers,
Jim B.

From george at ceetonetechnology.com Tue Aug 13 17:08:04 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 13 Aug 2013 17:08:04 -0400
Subject: [nycbug-talk] (forw) FW: SANS NewsBites Vol. 15 Num. 064 : NSA Plans to Eliminate System Administrators for Improved Security; DHS Deputy Secretary Lute Takes On Global Leadership in Cybersecurity
In-Reply-To: <20130813212513.GA54843@jimby.name>
References: <20130813212513.GA54843@jimby.name>
Message-ID: <520AA034.8040801@ceetonetechnology.com>

Jim B.:
>
> From SANs (which I have shamelessly copied) comes news of a new direction
> for systems administrators - the unemployment line.
>
> Also what, exactly, is an "automated cloud infrastructure"?
>
> Thoughts?
> Jim B.
>
> **************************************************************************
> SANS NewsBites August 9, 2013 Vol. 15, Num. 063
> **************************************************************************
> TOP OF THE NEWS
> NSA Plans to Eliminate System Administrators
> (August 9, 2013)
> In an effort to reduce the risk of information leaks, the US National
> Security Agency (NSA) plans to get rid of 90 percent of its contracted
> system administrator positions. NSA Director General Keith Alexander
> said that the agency plans to move to an automated cloud infrastructure.
> Speaking on a panel along with FBI Director Robert Mueller at a security
> conference in New York, Alexander referred to the recent revelations

Well, while this just refers to the NSA's imagined restructuring, despite the heavy privatization of government function like this, you are dead right.

20 years ago: "I'm a webmaster"
Today: WTF is a "webmaster"

And in sysadmin land, it's also very true, and I've made a lot of references to it myself.

One situation I dealt with a year ago... a friend says a growing 300 person firm needs a sysadmin, and could I help. Of course I'm imagining some dynamic, scaling situation, when essentially they needed a recent grad who knew how to cloud services... or could be trained in 30 mins to do so.

Yes, we have the buzzword of 'devops', and some people think it means sysadmins have to have heavy coding skills (again), but it's really a cover for the larger deskilling process IMHO. One devops = sysadmin + a dev

g

From briancoca+nycbug at gmail.com Tue Aug 13 19:14:31 2013
From: briancoca+nycbug at gmail.com (Brian Coca)
Date: Tue, 13 Aug 2013 19:14:31 -0400
Subject: [nycbug-talk] (forw) FW: SANS NewsBites Vol. 15 Num. 064 : NSA Plans to Eliminate System Administrators for Improved Security; DHS Deputy Secretary Lute Takes On Global Leadership in Cybersecurity
In-Reply-To: <20130813212513.GA54843@jimby.name>
References: <20130813212513.GA54843@jimby.name>
Message-ID:

So, instead of keeping admins in a system they can possibly audit (MACs, they did contribute the selinux thingy), use virtual systems in which you cannot audit what you do in the physical system ... like access the VM data directly?

instead of vetting the admins directly, count on the cloud provider to do so ... cause vendors NEVER bait and switch personnel, especially in their own remote facility.

At least they've shown they also can make horrible decisions when in a state of panic. Funny that they think the solution is not "don't do stuff the taxpayer will not like" but "minimize the possibility of the taxpayer finding out".

@George, a presentation on bsd/tor/darknets/freedombox survival packages seems more apropos every day.

I have more but you probably all already know it better than I do.

From slynch2112 at me.com Tue Aug 13 21:21:36 2013
From: slynch2112 at me.com (Siobhan Lynch)
Date: Tue, 13 Aug 2013 21:21:36 -0400
Subject: [nycbug-talk] (forw) FW: SANS NewsBites Vol. 15 Num. 064 : NSA Plans to Eliminate System Administrators for Improved Security; DHS Deputy Secretary Lute Takes On Global Leadership in Cybersecurity
In-Reply-To: <520AA034.8040801@ceetonetechnology.com>
References: <20130813212513.GA54843@jimby.name> <520AA034.8040801@ceetonetechnology.com>
Message-ID: <74283D1A-39E1-4309-B494-9F3ACA789235@me.com>

I don't post much anymore - but it seems like either our profession is moving towards smaller more boutique firms that need specialized work that can't be done in mass produced environments OR in larger companies like LinkedIn/Google/Yahoo that need Site Reliability Engineers and it's not just SysAdmins - it's the combination of Coder/Admin that many of us have become extremely proficient at through the years.

I just retired from a job like that very comfortably I may add ... (Granted mostly because I am autistic - not because I am a coder/admin - I just wanted to cash out my stock and go back to school and move on to Biochemical Engineering - the next frontier....)

Sent from my iPhone

On Aug 13, 2013, at 5:08 PM, George Rosamond wrote:
> Jim B.:
>>
>> From SANs (which I have shamelessly copied) comes news of a new direction
>> for systems administrators - the unemployment line.
>>
>> Also what, exactly, is an "automated cloud infrastructure"?
>>
>> Thoughts?
>> Jim B.
>>
>> **************************************************************************
>> SANS NewsBites August 9, 2013 Vol. 15, Num. 063
>> **************************************************************************
>> TOP OF THE NEWS
>> NSA Plans to Eliminate System Administrators
>> (August 9, 2013)
>> In an effort to reduce the risk of information leaks, the US National
>> Security Agency (NSA) plans to get rid of 90 percent of its contracted
>> system administrator positions. NSA Director General Keith Alexander
>> said that the agency plans to move to an automated cloud infrastructure.
>> Speaking on a panel along with FBI Director Robert Mueller at a security
>> conference in New York, Alexander referred to the recent revelations
>
> Well, while this just refers to the NSA's imagined restructuring,
> despite the heavy privatization of government function like this, you
> are dead right.
>
> 20 years ago: "I'm a webmaster" Today: WTF is a "webmaster"
>
> And in sysadmin land, it's also very true, and I've made a lot of
> references to it myself.
>
> One situation I dealt with a year ago... a friend says a growing 300
> person firm needs a sysadmin, and could I help. Of course I'm imagining
> some dynamic, scaling situation, when essentially they needed a recent
> grad who knew how to cloud services... or could be trained in 30 mins to
> do so.
>
> Yes, we have the buzzword of 'devops', and some people think it means
> sysadmins have to have heavy coding skills (again), but it's really a
> cover for the larger deskilling process IMHO. One devops = sysadmin + a dev
>
> g

From ike at blackskyresearch.net Thu Aug 15 16:56:00 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Thu, 15 Aug 2013 20:56:00 +0000
Subject: [nycbug-talk] RFC2109 v1 "HTTP Only" cookies?
Message-ID: <201308152056.r7FKu0Xo004911@rs101.luxsci.com>

Hi All,

On a lark, does anyone know about the state of browser compatibility for v1 "HTTP Only" cookies, (RFC2109)?

The spec is pretty old (in internet time), it's a big deal in preventing XSS attacks and session hijacking, yet I simply can't find any clear stats online regarding browser compatibility.

--
For anyone curiously thinking, "what is he asking that for?", I'm trying to resolve a problem in an HTTP sticky load balancing scenario, where the load balancer injects a cookie to maintain 'sticky' state.
Not my idea of rational web application interaction with browsers, but I digress?

The timestamp in pre v1 cookies is somehow only being set in client time, causing browsers in various time zones to flap around (also browsers with clocks out of sync). Conversely, I'm able to make the cookie session adhere to the time at the load balancers, (which we obviously have control of), but to do so, the cookie is v1 HTTP Only.

And with that, I can't figure out if this is so common that my question is moot, or, so uncommon/obtuse that most browsers will break once I 'flip the switch'.

Whew. Any urls, notes, anecdotes even- would be much appreciated.

Best,
.ike

From bob at redivi.com Thu Aug 15 17:41:51 2013
From: bob at redivi.com (Bob Ippolito)
Date: Thu, 15 Aug 2013 14:41:51 -0700
Subject: [nycbug-talk] RFC2109 v1 "HTTP Only" cookies?
In-Reply-To: <201308152056.r7FKu0Xo004911@rs101.luxsci.com>
References: <201308152056.r7FKu0Xo004911@rs101.luxsci.com>
Message-ID:

The most recently updated support matrix for this feature I was able to find is here: http://www.browserscope.org/?category=security

On Thu, Aug 15, 2013 at 1:56 PM, Isaac (.ike) Levy wrote:
>
> Hi All,
>
> On a lark, does anyone know about the state of browser compatibility for
> v1 "HTTP Only" cookies, (RFC2109)?
>
> The spec is pretty old (in internet time), it's a big deal in preventing XSS
> attacks and session hijacking, yet I simply can't find any clear stats
> online regarding browser compatibility.
>
> --
> For anyone curiously thinking, "what is he asking that for?", I'm trying
> to resolve a problem in an HTTP sticky load balancing scenario, where the
> load balancer injects a cookie to maintain 'sticky' state. Not my idea of
> rational web application interaction with browsers, but I digress?
>
> The timestamp in pre v1 cookies is somehow only being set in client time,
> causing browsers in various time zones to flap around (also browsers with
> clocks out of sync).
> Conversely, I'm able to make the cookie session
> adhere to the time at the load balancers, (which we obviously have control
> of), but to do so, the cookie is v1 HTTP Only.
>
> And with that, I can't figure out if this is so common that my question is
> moot, or, so uncommon/obtuse that most browsers will break once I 'flip the
> switch'.
>
> Whew. Any urls, notes, anecdotes even- would be much appreciated.
>
> Best,
> .ike
>

From ike at blackskyresearch.net Fri Aug 16 07:56:12 2013
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Fri, 16 Aug 2013 11:56:12 +0000
Subject: [nycbug-talk] RFC2109 v1 "HTTP Only" cookies?
Message-ID: <201308161156.r7GBuC4M003752@rs103.luxsci.com>

Sweet,

On August 15, 2013 05:41:51 PM EDT, Bob Ippolito wrote:
> The most recently updated support matrix for this feature I was able to
> find is here: http://www.browserscope.org/?category=security
>
>
> On Thu, Aug 15, 2013 at 1:56 PM, Isaac (.ike) Levy wrote:
>
>>
>> Hi All,
>>
>> On a lark, does anyone know about the state of browser compatibility for
>> v1 "HTTP Only" cookies, (RFC2109)?
>>
>> The spec is pretty old (in internet time), it's a big deal in preventing XSS
>> attacks and session hijacking, yet I simply can't find any clear stats
>> online regarding browser compatibility.
>>
>> --
>> For anyone curiously thinking, "what is he asking that for?", I'm trying
>> to resolve a problem in an HTTP sticky load balancing scenario, where the
>> load balancer injects a cookie to maintain 'sticky' state. Not my idea of
>> rational web application interaction with browsers, but I digress?
>>
>> The timestamp in pre v1 cookies is somehow only being set in client time, causing browsers in various time zones to flap around (also browsers with clocks out of sync). Conversely, I'm able to make the cookie session adhere to the time at the load balancers, (which we obviously have control of), but to do so, the cookie is v1 HTTP Only.
>>
>> And with that, I can't figure out if this is so common that my question is moot, or, so uncommon/obtuse that most browsers will break once I 'flip the switch'.
>>
>> Whew. Any urls, notes, anecdotes even- would be much appreciated.
>>
>> Best,
>> .ike

Bob- that's great- exactly the kind of thing I was looking for, thanks.

Also, thanks to everyone else who emailed me off-list with some great answers, all revolving around using an epoch string in the sticky-session cookie. However, I neglected to mention that this is on a netscaler, so all I have to work with is a cli/gui 'knob' of sorts- their implementation relies on cookie date-stamp, and their implementation is forcing me down this path. I truly wish it were pound or haproxy or nginx, where implementing reliable sticky http sessions would be rather trivial.

Rocket-
.ike

From raulcuza at gmail.com Fri Aug 16 15:15:48 2013
From: raulcuza at gmail.com (Raul Cuza)
Date: Fri, 16 Aug 2013 15:15:48 -0400
Subject: [nycbug-talk] BeagleBone co-founder at Make: Hardware Innovation Workshop
Message-ID:

There being a few BeagleBone threads on this list, I wanted to share that Jason Kridner, co-founder, BeagleBone will be at the MAKE: Hardware Innovation Workshop on Sept 18. See MAKE Magazine email link for details: http://bit.ly/1cKJpcm

Anyone going to the World Maker Faire on Sept 21-22?
[ http://makerfaire.com ]

Raúl

From raulcuza at gmail.com Fri Aug 16 15:27:31 2013
From: raulcuza at gmail.com (Raul Cuza)
Date: Fri, 16 Aug 2013 15:27:31 -0400
Subject: [nycbug-talk] OT: BeagleBone co-founder at Make: Hardware Innovation Workshop
Message-ID:

On Fri, Aug 16, 2013 at 3:15 PM, Raul Cuza wrote:
> There being a few BeagleBone threads on this list, I wanted to share that Jason Kridner, co-founder, BeagleBone will be at the MAKE: Hardware Innovation Workshop on Sept 18. See MAKE Magazine email link for details: http://bit.ly/1cKJpcm
>
> Anyone going to the World Maker Faire on Sept 21-22? [ http://makerfaire.com ]
>
> Raúl

Reading my post, I realize that it is off-topic. Appropriate warning added a little too late.

Raúl

From george at ceetonetechnology.com Fri Aug 16 15:50:44 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 16 Aug 2013 15:50:44 -0400
Subject: [nycbug-talk] OT: BeagleBone co-founder at Make: Hardware Innovation Workshop
In-Reply-To:
References:
Message-ID: <520E8294.7050201@ceetonetechnology.com>

Raul Cuza:
> On Fri, Aug 16, 2013 at 3:15 PM, Raul Cuza wrote:
>> There being a few BeagleBone threads on this list, I wanted to share that Jason Kridner, co-founder, BeagleBone will be at the MAKE: Hardware Innovation Workshop on Sept 18. See MAKE Magazine email link for details: http://bit.ly/1cKJpcm
>>
>> Anyone going to the World Maker Faire on Sept 21-22? [ http://makerfaire.com ]
>>
>> Raúl
>
> Reading my post, I realize that it is off-topic. Appropriate warning added a little too late.

NOT inappropriate IMHO...

A bunch of us got discounts on the first BBone since I connected with Circuit Co there last year. A good number of embedded hardware vendors there to chat with.

It's a great *non-corporate* event and a place where we should even have a table.. next year.
g

From george at ceetonetechnology.com Fri Aug 16 15:54:09 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 16 Aug 2013 15:54:09 -0400
Subject: [nycbug-talk] OT: BeagleBone co-founder at Make: Hardware Innovation Workshop
In-Reply-To: <520E8294.7050201@ceetonetechnology.com>
References: <520E8294.7050201@ceetonetechnology.com>
Message-ID: <520E8361.3040106@ceetonetechnology.com>

George Rosamond:
> Raul Cuza:
>> On Fri, Aug 16, 2013 at 3:15 PM, Raul Cuza wrote:
>>> There being a few BeagleBone threads on this list, I wanted to share that Jason Kridner, co-founder, BeagleBone will be at the MAKE: Hardware Innovation Workshop on Sept 18. See MAKE Magazine email link for details: http://bit.ly/1cKJpcm
>>>
>>> Anyone going to the World Maker Faire on Sept 21-22? [ http://makerfaire.com ]
>>>
>>> Raúl
>>
>> Reading my post, I realize that it is off-topic. Appropriate warning added a little too late.
>
> NOT inappropriate IMHO...

grrrr... why doesn't spell checks look for consistency! my bad... VERY appropriate!

>
> A bunch of us got discounts on the first BBone since I connected with Circuit Co there last year. A good number of embedded hardware vendors there to chat with.
>
> It's a great *non-corporate* event and a place where we should even have a table.. next year.

g

From george at ceetonetechnology.com Fri Aug 16 16:34:25 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 16 Aug 2013 16:34:25 -0400
Subject: [nycbug-talk] gmail addresses and our lists
Message-ID: <520E8CD1.4090603@ceetonetechnology.com>

For some reason, all the gmail accounts for sub'd people are being disabled by mailman...

We're looking into it.
g

From george at ceetonetechnology.com Wed Aug 21 20:41:27 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 21 Aug 2013 20:41:27 -0400
Subject: [nycbug-talk] social night tomorrow
Message-ID: <52155E37.2050802@ceetonetechnology.com>

A few of us are getting together tomorrow night, socially.

Okan is briefly in town.

Even if you don't know Okan, feel free to join up.

We'll be at Suspenders at 111 Broadway from 730 PM, and we may move from there at some point later on.

g

From pete at nomadlogic.org Thu Aug 22 13:00:39 2013
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 22 Aug 2013 10:00:39 -0700
Subject: [nycbug-talk] social night tomorrow
In-Reply-To: <52155E37.2050802@ceetonetechnology.com>
References: <52155E37.2050802@ceetonetechnology.com>
Message-ID: <521643B7.20209@nomadlogic.org>

On 08/21/13 17:41, George Rosamond wrote:
> A few of us are getting together tomorrow night, socially.
>
> Okan is briefly in town.
>
> Even if you don't know Okan, feel free to join up.
>
> We'll be at Suspenders at 111 Broadway from 730 PM, and we may move from there at some point later on.
>

/me raises a virtual glass to Okan. tries his hardest to *not* ask him about his true feelings on the state of linux security

:)

-pete

--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From george at ceetonetechnology.com Thu Aug 22 13:04:14 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 22 Aug 2013 13:04:14 -0400
Subject: [nycbug-talk] social night tomorrow
In-Reply-To: <521643B7.20209@nomadlogic.org>
References: <52155E37.2050802@ceetonetechnology.com> <521643B7.20209@nomadlogic.org>
Message-ID: <5216448E.4000300@ceetonetechnology.com>

Pete Wright:
> On 08/21/13 17:41, George Rosamond wrote:
>> A few of us are getting together tomorrow night, socially.
>>
>> Okan is briefly in town.
>>
>> Even if you don't know Okan, feel free to join up.
>>
>> We'll be at Suspenders at 111 Broadway from 730 PM, and we may move from there at some point later on.
>>
>
> /me raises a virtual glass to Okan. tries his hardest to *not* ask him about his true feelings on the state of linux security
>
> :)

at least *he'll* be there. Pete, however, refuses to attend meetings for years. ;)

g

(for those at the last meeting, Pete is one of the "expat members" referenced...)

From george at ceetonetechnology.com Thu Aug 22 13:10:01 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 22 Aug 2013 13:10:01 -0400
Subject: [nycbug-talk] Con Organizing Meeting
Message-ID: <521645E9.2080001@ceetonetechnology.com>

So we are meeting socially tonight at 730 PM or so at Suspenders.

There is NO con organizing meeting tonight.

We are meeting to begin organizing for a con on Monday, September 9. Details will come soon. Anyone interested in being involved should plan on that date.

Basically, we'll cover how we are looking to conduct more regular conferences, the themes, the approach, etc.

For the first time in a while, I feel like we have a clear direction and a workable method for conducting worthwhile events that connect to the larger technical community.

g

From mspitzer at gmail.com Thu Aug 22 17:12:12 2013
From: mspitzer at gmail.com (Marc Spitzer)
Date: Thu, 22 Aug 2013 17:12:12 -0400
Subject: [nycbug-talk] social night tomorrow
In-Reply-To: <52155E37.2050802@ceetonetechnology.com>
References: <52155E37.2050802@ceetonetechnology.com>
Message-ID:

Drat out of town, cheers Okan

Marc

On Aug 21, 2013 8:46 PM, "George Rosamond" wrote:
> A few of us are getting together tomorrow night, socially.
>
> Okan is briefly in town.
>
> Even if you don't know Okan, feel free to join up.
>
> We'll be at Suspenders at 111 Broadway from 730 PM, and we may move from there at some point later on.
> > g > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark.saad at ymail.com Fri Aug 23 14:51:32 2013 From: mark.saad at ymail.com (Mark Saad) Date: Fri, 23 Aug 2013 14:51:32 -0400 Subject: [nycbug-talk] Do you subscribe to jobs@ Message-ID: Hey Talk, I need some BSD co-workers and if you are not subscribed to jobs then here is a shameless repost. Dig it. http://lists.nycbug.org/pipermail/jobs/2013-August/000524.html -- Mark Saad | mark.saad at ymail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From nikolai at fetissov.org Mon Aug 26 00:28:06 2013 From: nikolai at fetissov.org (Nikolai Fetissov) Date: Mon, 26 Aug 2013 08:28:06 +0400 Subject: [nycbug-talk] Missing September meeting Message-ID: Hi folks, I will have to miss September meeting, being abroad. If anybody could pick up audio recording I'd be eternally grateful. Cheers, -- Nikolai From okan at demirmen.com Tue Aug 27 16:55:41 2013 From: okan at demirmen.com (Okan Demirmen) Date: Tue, 27 Aug 2013 16:55:41 -0400 Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come? In-Reply-To: <201308071358.r77DwLhs028247@rs103.luxsci.com> References: <201308071358.r77DwLhs028247@rs103.luxsci.com> Message-ID: On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote: > > Hi All, > > I'd love to know what people's thoughts are on the state of older > RSA/DSA encryption, versus the future of eliptic curve ECDSA: > > http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/ > > -- > A few years ago, a number of us were wary of the brand-spankin'-new ECC > crypto for use in SSH public keys. 
> And then months later, there were some ECDSA/ssh implementation problems exposed:
>
> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>
> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>
> --
> What are people's thoughts on the practicality of starting to use ECDSA keys?
>
> Has anyone here seen their use mandated over RSA/DSA in a business setting?
> Has anyone just jumped into ECDSA bliss, and not looked back?

Not that this might mean much, but I use them.

As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)

From george at ceetonetechnology.com Tue Aug 27 19:24:44 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 27 Aug 2013 19:24:44 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To:
References: <201308071358.r77DwLhs028247@rs103.luxsci.com>
Message-ID: <521D353C.8060607@ceetonetechnology.com>

Okan Demirmen:
> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>
>> Hi All,
>>
>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>
>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>
>> --
>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys. And then months later, there were some ECDSA/ssh implementation problems exposed:
>>
>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>
>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>
>> --
>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>
>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>> Has anyone just jumped into ECDSA bliss, and not looked back?
>
> Not that this might mean much, but I use them.
>
> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)

So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.

AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.

g

From bcallah at devio.us Tue Aug 27 19:29:16 2013
From: bcallah at devio.us (Brian Callahan)
Date: Tue, 27 Aug 2013 19:29:16 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To: <521D353C.8060607@ceetonetechnology.com>
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com>
Message-ID: <521D364C.1060101@devio.us>

On 8/27/2013 7:24 PM, George Rosamond wrote:
> Okan Demirmen:
>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>>
>>> Hi All,
>>>
>>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>>
>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>
>>> --
>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys. And then months later, there were some ECDSA/ssh implementation problems exposed:
>>>
>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>>
>>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>>
>>> --
>>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>>
>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>>
>> Not that this might mean much, but I use them.
>>
>> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)
>
> So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
>
> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.
>

(slightly off-topic but...)

Don't forget to make sure your Putty is up-to-date with the version released earlier this month, as it fixes 4 security holes! All this other discussion is for naught if we're running insecure clients (and servers)!

~Brian

From okan at demirmen.com Tue Aug 27 21:48:11 2013
From: okan at demirmen.com (Okan Demirmen)
Date: Tue, 27 Aug 2013 21:48:11 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To: <521D353C.8060607@ceetonetechnology.com>
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com>
Message-ID:

On Tue, Aug 27, 2013 at 7:24 PM, George Rosamond wrote:
> Okan Demirmen:
>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>>
>>> Hi All,
>>>
>>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>>
>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>
>>> --
>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys. And then months later, there were some ECDSA/ssh implementation problems exposed:
>>>
>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>>
>>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>>
>>> --
>>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>>
>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>>
>> Not that this might mean much, but I use them.
>>
>> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)
>
> So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
>
> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.

So many things there just blew my mind...but OK, I'll mend myself later :)

I'd simply recommend to them to start using keys, regardless of type - get them in the habit, and whenever these other tools get support for the newfangled stuff, just add to authorized keys and migrate. Just get them in the habit of thinking about keys instead. I'm sure you know all this....

...and with Brian here, get their client software to something recent.

From george at ceetonetechnology.com Tue Aug 27 21:50:35 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 27 Aug 2013 21:50:35 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To:
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com>
Message-ID: <521D576B.5000600@ceetonetechnology.com>

Okan Demirmen:
> On Tue, Aug 27, 2013 at 7:24 PM, George Rosamond wrote:
>> Okan Demirmen:
>>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>>>
>>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>>
>>>> --
>>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys.
>>>> And then months later, there were some ECDSA/ssh implementation problems exposed:
>>>>
>>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>>>
>>>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>>>
>>>> --
>>>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>>>
>>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>>>
>>> Not that this might mean much, but I use them.
>>>
>>> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)
>>
>> So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
>>
>> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.
>
> So many things there just blew my mind...but OK, I'll mend myself later :)
>
> I'd simply recommend to them to start using keys, regardless of type - get them in the habit, and whenever these other tools get support for the newfangled stuff, just add to authorized keys and migrate. Just get them in the habit of thinking about keys instead. I'm sure you know all this....

Like most of the sane world, they are using keys.. with passwds. I'm going the next step.

>
> ...and with Brian here, get their client software to something recent.
>

g

From okan at demirmen.com Tue Aug 27 21:57:19 2013
From: okan at demirmen.com (Okan Demirmen)
Date: Tue, 27 Aug 2013 21:57:19 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To: <521D576B.5000600@ceetonetechnology.com>
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com> <521D576B.5000600@ceetonetechnology.com>
Message-ID:

On Tue, Aug 27, 2013 at 9:50 PM, George Rosamond wrote:
> Okan Demirmen:
>> On Tue, Aug 27, 2013 at 7:24 PM, George Rosamond wrote:
>>> Okan Demirmen:
>>>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>>>>
>>>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>>>
>>>>> --
>>>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys. And then months later, there were some ECDSA/ssh implementation problems exposed:
>>>>>
>>>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>>>>
>>>>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>>>>
>>>>> --
>>>>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>>>>
>>>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>>>>
>>>> Not that this might mean much, but I use them.
>>>>
>>>> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)
>>>
>>> So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
>>>
>>> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.
>>
>> So many things there just blew my mind...but OK, I'll mend myself later :)
>>
>> I'd simply recommend to them to start using keys, regardless of type - get them in the habit, and whenever these other tools get support for the newfangled stuff, just add to authorized keys and migrate. Just get them in the habit of thinking about keys instead. I'm sure you know all this....
>
> Like most of the sane world, they are using keys.. with passwds. I'm going the next step.

I figured. So here's my issue, and you can call it a double-edged sword if you want - one is storing private keys on a client that lives in an extremely hostile environment - that is the vector that needs to be addressed. Sure, remove keys and use passwords instead - then we're back to that debate.

Double-edged? Maybe, but think about the use-case and attack vectors - that's all I'm saying.

>> ...and with Brian here, get their client software to something recent.
>>
>
> g

From george at ceetonetechnology.com Tue Aug 27 22:07:26 2013
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 27 Aug 2013 22:07:26 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To:
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com> <521D576B.5000600@ceetonetechnology.com>
Message-ID: <521D5B5E.9020605@ceetonetechnology.com>

Okan Demirmen:
> On Tue, Aug 27, 2013 at 9:50 PM, George Rosamond wrote:
>> Okan Demirmen:
>>> On Tue, Aug 27, 2013 at 7:24 PM, George Rosamond wrote:
>>>> Okan Demirmen:
>>>>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>>>>>
>>>>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>>>>
>>>>>> --
>>>>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys. And then months later, there were some ECDSA/ssh implementation problems exposed:
>>>>>>
>>>>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>>>>>
>>>>>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>>>>>
>>>>>> --
>>>>>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>>>>>
>>>>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>>>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>>>>>
>>>>> Not that this might mean much, but I use them.
>>>>>
>>>>> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)
>>>>
>>>> So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
>>>>
>>>> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.
>>>
>>> So many things there just blew my mind...but OK, I'll mend myself later :)
>>>
>>> I'd simply recommend to them to start using keys, regardless of type - get them in the habit, and whenever these other tools get support for the newfangled stuff, just add to authorized keys and migrate. Just get them in the habit of thinking about keys instead. I'm sure you know all this....
>>
>> Like most of the sane world, they are using keys.. with passwds. I'm going the next step.
>
> I figured. So here's my issue, and you can call it a double-edged sword if you want - one is storing private keys on a client that lives in an extremely hostile environment - that is the vector that needs to be addressed. Sure, remove keys and use passwords instead - then we're back to that debate.
>
> Double-edged? Maybe, but think about the use-case and attack vectors - that's all I'm saying.

So this would be much easier if we could have IRC synchronized with talk@ ;) (efnet #nycbug)

Security and its related fields are often relative, and dependent upon the adversaries in question. And part of the relative and cumulative issue is with user behavior.

Don't require a strict security policy on passwds and 12 other things overnight. Once they figure out how to create and remember multiple long passwds, then you build off that, for instance. So you have them comfortably using SSH, then keys. And keys with passwds doesn't seem so intimidating.

g

From zippy1981 at gmail.com Wed Aug 28 07:40:15 2013
From: zippy1981 at gmail.com (Justin Dearing)
Date: Wed, 28 Aug 2013 07:40:15 -0400
Subject: [nycbug-talk] [OT] putty bounties
In-Reply-To:
References:
Message-ID:

The recent thread about ssh keys reminded me about a bounty I put up to improve putty support for sshing into a Windows server.

http://www.fossfactory.org/project/p247

Anyway, that never went anywhere, and it is of use to a tiny percentage of putty users. However, ECDSA support would benefit most putty users.
Is anyone willing to contribute to an ECDSA bounty for putty if Simon is agreeable?

Justin

P.s. there is also a fork of putty called kitty with some UI improvements. We could also see if that developer would add ECDSA support.

From idmac at free.fr Wed Aug 28 07:57:26 2013
From: idmac at free.fr (idMac)
Date: Wed, 28 Aug 2013 13:57:26 +0200
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To: <521D5B5E.9020605@ceetonetechnology.com>
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com> <521D576B.5000600@ceetonetechnology.com> <521D5B5E.9020605@ceetonetechnology.com>
Message-ID: <01DFC240-D230-4618-AA65-D1DED95C2D14@free.fr>

Hi All,

I know it's not enough but it could be 'one more edge' to improve secured access: it's the yubikey.
Or just a usb stick transformed to be used with the pamusb lib.

Another thing, ECDSA is better than RSA until size is lower than 1024 or 2048 bits, I read. (But I would like confirmation/infirmation of it)
For example, an RSA key with more than 4096 bits could be stronger than an ECDSA key with 4096 bits.

Is it true?

Thank you,
Julien

On 28 Aug, 2013, at 4:07 AM, George Rosamond wrote:
> Okan Demirmen:
>> On Tue, Aug 27, 2013 at 9:50 PM, George Rosamond wrote:
>>> Okan Demirmen:
>>>> On Tue, Aug 27, 2013 at 7:24 PM, George Rosamond wrote:
>>>>> Okan Demirmen:
>>>>>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy wrote:
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I'd love to know what people's thoughts are on the state of older RSA/DSA encryption, versus the future of elliptic curve ECDSA:
>>>>>>>
>>>>>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>>>>>>
>>>>>>> --
>>>>>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC crypto for use in SSH public keys.
>>>>>>> And then months later, there were some ECDSA/ssh implementation problems exposed:
>>>>>>>
>>>>>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>>>>>>
>>>>>>> So, that was 2 years ago, ECDSA implementations are now no longer in their infancy.
>>>>>>>
>>>>>>> --
>>>>>>> What are people's thoughts on the practicality of starting to use ECDSA keys?
>>>>>>>
>>>>>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>>>>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>>>>>>
>>>>>> Not that this might mean much, but I use them.
>>>>>>
>>>>>> As for policies in a business setting; I gather such technical policies are made by people like you, so it's likely up to what folks like you write in said policies :)
>>>>>
>>>>> So I'm in the process of getting a client to pick up better practices with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
>>>>>
>>>>> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.
>>>>
>>>> So many things there just blew my mind...but OK, I'll mend myself later :)
>>>>
>>>> I'd simply recommend to them to start using keys, regardless of type - get them in the habit, and whenever these other tools get support for the newfangled stuff, just add to authorized keys and migrate. Just get them in the habit of thinking about keys instead. I'm sure you know all this....
>>>
>>> Like most of the sane world, they are using keys.. with passwds. I'm going the next step.
>>
>> I figured. So here's my issue, and you can call it a double-edged sword if you want - one is storing private keys on a client that lives in an extremely hostile environment - that is the vector that needs to be addressed. Sure, remove keys and use passwords instead - then we're back to that debate.
>>
>> Double-edged? Maybe, but think about the use-case and attack vectors - that's all I'm saying.
>
> So this would be much easier if we could have IRC synchronized with talk@ ;) (efnet #nycbug)
>
> Security and its related fields are often relative, and dependent upon the adversaries in question. And part of the relative and cumulative issue is with user behavior.
>
> Don't require a strict security policy on passwds and 12 other things overnight. Once they figure out how to create and remember multiple long passwds, then you build off that, for instance. So you have them comfortably using SSH, then keys. And keys with passwds doesn't seem so intimidating.
>
> g

From okan at demirmen.com Wed Aug 28 08:38:03 2013
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 28 Aug 2013 08:38:03 -0400
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To: <01DFC240-D230-4618-AA65-D1DED95C2D14@free.fr>
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com> <521D576B.5000600@ceetonetechnology.com> <521D5B5E.9020605@ceetonetechnology.com> <01DFC240-D230-4618-AA65-D1DED95C2D14@free.fr>
Message-ID:

On Wed, Aug 28, 2013 at 7:57 AM, idMac wrote:
> Hi All,
>
> I know it's not enough but it could be 'one more edge' to improve secured access: it's the yubikey.
> Or just a usb stick transformed to be used with the pamusb lib.

Yes, I totally agree, especially with yubikey.

> Another thing, ECDSA is better than RSA until size is lower than 1024 or 2048 bits, I read. (But I would like confirmation/infirmation of it)
> For example, an RSA key with more than 4096 bits could be stronger than an ECDSA key with 4096 bits.
>
> Is it true?
I won't post potentially mis-information, and leave it to someone else...archives are a killer :)

> Thank you,
> Julien
From okan at demirmen.com Wed Aug 28 08:46:10 2013
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 28 Aug 2013 08:46:10 -0400
Subject: [nycbug-talk] [OT] putty bounties
In-Reply-To:
References:
Message-ID:

On Wed, Aug 28, 2013 at 7:40 AM, Justin Dearing wrote:
> The recent thread about ssh keys reminded me about a bounty I put to improve
> putty support for sshing into a Windows server.
>
> http://www.fossfactory.org/project/p247
>
> Anyway, while that never went anywhere, and is of use to a tiny percentage
> of putty users. However ECDSA support would benefit most putty users. Is
> anyone willing to contribute to an ECDSA bounty for putty if Simon is
> agreeable?

It is at least on the radar:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ecdsa.html

From idmac at free.fr Thu Aug 29 03:05:13 2013
From: idmac at free.fr (idMac)
Date: Thu, 29 Aug 2013 09:05:13 +0200
Subject: [nycbug-talk] RSA/DSA for encryption: has it's time come?
In-Reply-To:
References: <201308071358.r77DwLhs028247@rs103.luxsci.com> <521D353C.8060607@ceetonetechnology.com> <521D576B.5000600@ceetonetechnology.com> <521D5B5E.9020605@ceetonetechnology.com> <01DFC240-D230-4618-AA65-D1DED95C2D14@free.fr>
Message-ID: <82B8A5E2-6DC1-4223-AD93-8EAD5CBE0B8C@free.fr>

Thank you, I'll search where I read it!

> On 28 Aug 2013, at 14:38, Okan Demirmen wrote:
>
>> On Wed, Aug 28, 2013 at 7:57 AM, idMac wrote:
>> Hi All,
>>
>> I know it's not enough but it could be 'one more edge' to improve secured
>> access, it's the yubikey.
>> Or just a usb stick transformed to be used with pamusb lib.
>
> Yes, I totally agree, especially with yubikey.
>
>> Another thing, ECDSA is better than RSA until size is lower than 1024 or
>> 2048 bits I read. (But I would have confirmation/infirmation of it)
>> For example, RSA key with more than 4096 could be stronger than ECDSA key
>> with 4096 bits.
>>
>> Is it true?
>
> I won't post potentially mis-information, and leave it to someone
> else...archives are a killer :)
>
>> Thank you,
>> Julien
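The thread above turns on two practical questions: getting clients onto keys and then adding ECDSA keys to authorized_keys as client support arrives, and how RSA/DSA key sizes compare with ECDSA curves. As an added example (not code from the list or from any project named here), this Python script parses the public-key blob of each authorized_keys entry and reports its type and size, flagging DSA keys (which SSH limits to 1024 bits) and RSA keys below a chosen minimum; the sample entries are constructed inside the block and are not real keys.

```python
"""Audit authorized_keys entries by key type and size (added example; not the list's code)."""
import base64

def _string(b):                      # SSH wire string: uint32 big-endian length, then the bytes
    return len(b).to_bytes(4, "big") + b

def _mpint(x):                       # SSH mpint for x > 0: a leading 0x00 byte iff the top bit is set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _fields(buf):                    # split a public-key blob into its length-prefixed fields
    out, off = [], 0
    while off < len(buf):
        n = int.from_bytes(buf[off:off + 4], "big")
        out.append(buf[off + 4:off + 4 + n])
        off += 4 + n
    return out

def describe_key(blob_b64):
    """Return (key type, size in bits) for one base64 blob; size 0 for unknown types."""
    f = _fields(base64.b64decode(blob_b64))
    ktype = f[0].decode()
    if ktype.startswith("ecdsa-sha2-"):            # RFC 5656: (type, curve name, point)
        return ktype, int(f[1].decode()[len("nistp"):])
    idx = {"ssh-rsa": 2, "ssh-dss": 1}.get(ktype)  # RFC 4253: (type, e, n) / (type, p, q, g, y)
    return ktype, (int.from_bytes(f[idx], "big").bit_length() if idx else 0)

def audit_authorized_keys(text, min_rsa_bits=2048):
    """Label each key line 'ok' or 'weak' (any DSA key, or RSA below min_rsa_bits)."""
    report = []
    for line in text.splitlines():
        fields = line.split()                      # type, blob, comment (options field not handled)
        if not fields or fields[0].startswith("#"):
            continue                               # blank line or comment
        ktype, bits = describe_key(fields[1])
        weak = ktype == "ssh-dss" or (ktype == "ssh-rsa" and bits < min_rsa_bits)
        report.append((ktype, bits, "weak" if weak else "ok"))
    return report

def constructed_blob(ktype, bits):                 # well-formed blob for testing; NOT a real key
    n = (1 << (bits - 1)) | 1                      # any integer with exactly `bits` bits
    body = (_mpint(65537) + _mpint(n) if ktype == "ssh-rsa" else
            _mpint(n) + _mpint(3) + _mpint(2) + _mpint(5) if ktype == "ssh-dss" else
            _string(b"nistp%d" % bits) + _string(b"\x04" + b"\x00" * 64))  # ECDSA curve, point
    return base64.b64encode(_string(ktype.encode()) + body).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join(                # constructed entries (type, bits, comment)
    "%s %s %s" % (t, constructed_blob(t, b), c) for t, b, c in
    [("ssh-dss", 1024, "legacy-host"), ("ssh-rsa", 1024, "old-laptop"),
     ("ssh-rsa", 4096, "desktop"), ("ecdsa-sha2-nistp256", 256, "new-key")])
```

The "RSA above 4096 bits versus 4096-bit ECDSA" comparison left open above does not line up bit for bit: by the NIST SP 800-57 equivalences, P-256 ECDSA is rated at roughly the strength of 3072-bit RSA, which is why the script reports the RSA modulus size and the ECDSA curve size separately instead of comparing them directly.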