[nycbug-talk] Some BSDCan notes

G.Rosamond george
Wed May 19 17:58:38 EDT 2004

Here are some brief notes I compiled during the BSDCan meetings.  Sorry 
if some of it seems a bit disconnected.  I find, particularly so many 
years after college, that notes are a distraction to understanding a 

Will be putting some of the trip pictures up on DN at some point in the 
near future. . .


3:30 pm Paul GBDE

Ease of changing passwd?

Can't be broken until AES is cracked

More productive to get the passphrase

no differential crack possible. . .which is a weakness in AES algorithm

review good passphrase characteristics

can pull passphrase from anywhere: keyboard, usb key, etc

two parts = something you know + something you have

simple steps to implement

http://phk.freebsd.dk/pubs for slides

weaknesses in CGD:
	can't change passwd without reencrypting
	not for enterprise

=	=	=	=	=	=	=	=	=	=	=	=	=

pf talk, Ryan McBride

what you can do with it and why you should use it.

protocol based

os fingerprinting, based on syn packet based on p0f, but can be spoofed

redirection, nat, binat

nat'g source port

dos bandwidth based difficult to deal with

other dos attacks can be defended against



redundancy: 	pfsync

load balancing

carp started with samba servers. . .redundancy

force routing. . .multihomed firewall

but bgp is still better. . .

if stateful connection, carp can be a problem with eg, key exchange, 

NYCBUG tutorial?

=	=	=	=	=	=	=	=	=	=	=

Friday, May 14, 11:30 am  Dan Langille, Bacula

Kern in Switzerland is the developer

Native Windows application as backup client

tar/scp, to rsync, but it doesn't solve dated material with rotation.

four main daemons, could be on separate machines:

storage, to access files, disk, as operator
client, run as wheel/root
director, manages others, as special
console, command line, talks to director, backups and restores from here

web interface, php-based

no need for cron. . .all internal to Bacula

restoring to windows, bare window restore, done by someone?

remote verification md5, "no need to do test restore" DL

configuration files


Untrusted networks. . .

need for two tunnels

dir to file client
file client to storage daemon

port redirection through firewall with NAT

mailing list has over 500 subs, busier than FBSD-hacker list
little noise

question: win laptops. . .sporadic uptime

question: interruptions?

question: clients doing restore via www interface

question: why not use ipsec, since it's one to one, as opposed to ssl, 
which is one to many

question: HFS+. . .does run on OS X, both client and servers, resource 
fork problems

question: minimum database requirement. . .can use sql lite, as long as 
db not over 2 gig.  if not, postgres

question: win client, email notification of successful job

question: file system readable?  yes/no.  can't use tar to read.

question: encryption. . .do it from client side.

question:  more encryption

question: compression?  yes. . .over network included.

question: how to idiot-proof client restores.

question: console is interactive

question: it's in ports, debian, mandrake

question: unison, different versions won't talk.  doesn't need same 
version, depends if protocol has changed
