Re: [Discuss] Thunderbird not connecting to Comcast IMAP server

2019-10-09 Thread Derek Atkins
Are both systems Fedora 30 with the same set of upgrade packages?
-derek

On Wed, October 9, 2019 8:52 am, e...@vivaldi.net wrote:
> Nothing changed on this end.
>
> It connected fine up until Sunday night. But I can't explain why TB
> successfully connects to Comcast on one system, but not on the other.
>
>
> -Original Message-
> From: Derek Atkins 
> To: e...@vivaldi.net
> Cc: discuss@blu.org
> Sent: Wed, 09 Oct 2019 8:32 AM
> Subject: Re: [Discuss] Thunderbird not connecting to Comcast IMAP server
>
> Did anything change on your end?  Did you take any updates?
>
> Could it be a TLS ciphersuite incompatibility issue?
> I believe that F30 disabled a BUNCH of old ciphers.
> If Comcast is running an older IMAP service you might not have compatible
> ciphers anymore.
>
> -derek
>
>
> On Wed, October 9, 2019 8:27 am, e...@vivaldi.net wrote:
>> Beginning this past Monday, Thunderbird and the SeaMonkey suite (on
>> Fedora
>> 30) mysteriously stopped connecting to Comcast's IMAP mail server.
>>
>> In trying to diagnose the issue, I also installed Evolution, which also
>> failed to connect.
>>
>> After removing the Comcast accounts from Thunderbird, attempts were made
>> to add them back in, however when Thunderbird attempted to check the
>> password, that process becomes stuck, as if Thunderbird cannot resolve
>> the
>> IP address(es) for the Comcast server. I let it sit like that for 15
>> minutes without success, then clicked Cancel.
>>
>> Thunderbird otherwise connects to non-Comcast IMAP servers perfectly.
>>
>> I also have Geary installed and that successfully connected to the
>> Comcast
>> server, yet the other three email clients could not.
>>
>> Could this be an issue on Comcast's end? If it were a DNS or resolver
>> issue, then nothing would connect.
>>
>> I have Thunderbird installed on a second system and it connected to
>> Comcast successfully on that, last night.
>>
>> Thanks for any replies/suggestions.
>> ___
>> Discuss mailing list
>> Discuss@blu.org
>> http://lists.blu.org/mailman/listinfo/discuss
>>
>
>
> --
>Derek Atkins     617-623-3745
>de...@ihtfp.com www.ihtfp.com
>Computer and Internet Security Consultant
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Thunderbird not connecting to Comcast IMAP server

2019-10-09 Thread Derek Atkins
Did anything change on your end?  Did you take any updates?

Could it be a TLS ciphersuite incompatibility issue?
I believe that F30 disabled a BUNCH of old ciphers.
If Comcast is running an older IMAP service you might not have compatible
ciphers anymore.

-derek


On Wed, October 9, 2019 8:27 am, e...@vivaldi.net wrote:
> Beginning this past Monday, Thunderbird and the SeaMonkey suite (on Fedora
> 30) mysteriously stopped connecting to Comcast's IMAP mail server.
>
> In trying to diagnose the issue, I also installed Evolution, which also
> failed to connect.
>
> After removing the Comcast accounts from Thunderbird, attempts were made
> to add them back in, however when Thunderbird attempted to check the
> password, that process becomes stuck, as if Thunderbird cannot resolve the
> IP address(es) for the Comcast server. I let it sit like that for 15
> minutes without success, then clicked Cancel.
>
> Thunderbird otherwise connects to non-Comcast IMAP servers perfectly.
>
> I also have Geary installed and that successfully connected to the Comcast
> server, yet the other three email clients could not.
>
> Could this be an issue on Comcast's end? If it were a DNS or resolver
> issue, then nothing would connect.
>
> I have Thunderbird installed on a second system and it connected to
> Comcast successfully on that, last night.
>
> Thanks for any replies/suggestions.


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] full disk backups

2019-08-19 Thread Derek Atkins
Eric Chadbourne  writes:

>> 2. rsync
>>pro: reasonably simple, restartable, more efficient than dd
>>con: lots of small files make it slow
>> 
>> 3. rsnapshot
>>pro: reasonably simple, enforces cron usage, built on rsync,
>> multiple snapshots possible
>>con: same as rsync, plus multiple snapshots can make things
>> messy

There is also a system called "rdiff-backup" which is sort of like
rsnapshot but different.  Lets you set up which directories or files
get backed up.  Always gives you a "current full image" with
incrementals back as far as you want to go.  FWIW, this is what I use to
back up my servers.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
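The "current full image plus increments that step backwards" layout described in this reply, shown as an added toy model in Python. This is not rdiff-backup's code and says nothing about its on-disk format: file trees are plain dicts, deltas are line-based, and the three sample snapshots are constructed for the example.

```python
"""Toy model of a reverse-increment backup store (added example; not rdiff-backup's code).

The current full image is always kept whole; each backup run stores only what is
needed to turn the *new* mirror back into the *previous* one.  Restoring the latest
state costs nothing, restoring N runs ago replays N increments backwards, and
pruning the oldest increments never touches the current image.
"""
import difflib
from typing import Dict, List, Optional, Tuple

Delta = List[Tuple[str, int, int, Optional[List[str]]]]


def make_reverse_delta(new: str, old: str) -> Delta:
    """Line-based delta that converts `new` back into `old`."""
    new_l = new.splitlines(keepends=True)
    old_l = old.splitlines(keepends=True)
    sm = difflib.SequenceMatcher(a=new_l, b=old_l, autojunk=False)
    # Keep old-side lines only for regions that differ; 'equal' regions are
    # copied from the current (new) content at restore time.
    return [(tag, i1, i2, None if tag == "equal" else old_l[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes()]


def apply_delta(new: str, delta: Delta) -> str:
    """Rebuild the old content from the current content plus a reverse delta."""
    new_l = new.splitlines(keepends=True)
    out: List[str] = []
    for tag, i1, i2, old_seg in delta:
        if tag == "equal":
            out.extend(new_l[i1:i2])      # unchanged region: reuse current lines
        elif tag in ("replace", "insert"):
            out.extend(old_seg)           # region differs: take the stored old lines
        # "delete": lines that exist only in `new` are dropped
    return "".join(out)


class ReverseIncrementStore:
    def __init__(self) -> None:
        self.mirror: Dict[str, str] = {}               # current full image: path -> content
        self.increments: List[Dict[str, tuple]] = []   # oldest first; path -> (kind, payload)

    def backup(self, source: Dict[str, str]) -> int:
        """Record one run; returns the number of paths that changed."""
        inc: Dict[str, tuple] = {}
        for path in sorted(set(self.mirror) | set(source)):
            old, new = self.mirror.get(path), source.get(path)
            if old == new:
                continue
            if new is None:
                inc[path] = ("removed", old)      # deleted since last run: keep old content whole
            elif old is None:
                inc[path] = ("added", None)       # new file: stepping back means removing it
            else:
                inc[path] = ("delta", make_reverse_delta(new, old))
        self.increments.append(inc)
        self.mirror = dict(source)
        return len(inc)

    def restore(self, steps_back: int) -> Dict[str, str]:
        """Image as it was `steps_back` runs ago (0 = the current mirror)."""
        if steps_back < 0 or steps_back > len(self.increments):
            raise ValueError(f"only {len(self.increments)} increment(s) retained")
        image = dict(self.mirror)
        for inc in reversed(self.increments[len(self.increments) - steps_back:]):
            for path, (kind, payload) in inc.items():
                if kind == "removed":
                    image[path] = payload
                elif kind == "added":
                    del image[path]
                else:
                    image[path] = apply_delta(image[path], payload)
        return image

    def prune_oldest(self, keep: int) -> None:
        """Drop all but the newest `keep` increments; the mirror is untouched."""
        self.increments = self.increments[-keep:] if keep > 0 else []


# Constructed sample snapshots of a small config tree, one per backup run.
SNAPSHOTS = [
    {"etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication yes\n",
     "notes.txt": "hello\n"},
    {"etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication yes\n",
     "notes.txt": "hello\n",
     "etc/motd": "welcome\n"},
    {"etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
     "etc/motd": "welcome\n"},          # notes.txt was deleted before this run
]


def build_store() -> ReverseIncrementStore:
    store = ReverseIncrementStore()
    for snap in SNAPSHOTS:
        store.backup(snap)
    return store


if __name__ == "__main__":
    s = build_store()
    for back in range(len(SNAPSHOTS) + 1):
        print(f"{back} run(s) back:", sorted(s.restore(back)))
```

The point to take from the model is the asymmetry: the newest state is a plain copy you can read directly, so a restore after an incident does not depend on replaying history, while pruning old history only ever discards increments from the far end.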


Re: [Discuss] CalDav/CardDav servers?

2019-08-14 Thread Derek Atkins
Cool matrix.  Thanks.
Alas, I don't see a column for ActiveSync.  :(

-derek

On Wed, August 14, 2019 2:21 pm, David Kramer wrote:
> I don't see it on this chart, but this is the best capabilities matrix I
> can find
> https://en.wikipedia.org/wiki/Comparison_of_CalDAV_and_CardDAV_implementations
>
> On 8/14/19 8:33 AM, Derek Atkins wrote:
>> Does Radicale support Z-push (or equivalent) ActiveSync?
>>
>> I've been using zarafa, but I really only use it for the calendar and
>> contacts.  I do use it for more than just iCal; sometimes I log in to
>> the
>> WebUI to examine the calendar directly, but *usually* I only access it
>> via
>> my phone or from Evolution -- and my wife uses it from her phone and
>> from
>> iCalendar on her Mac.
>>
>> Of course, I would have to figure out how to extract (or migrate) the
>> data
>> from zarafa if I wanted to change to another service.
>>
>> -derek
>>
>> On Wed, August 14, 2019 8:22 am, Dan Ritter wrote:
>>> David Kramer wrote:
>>>> I am trying to move the functionality off my home server onto my
>>>> Ubuntu
>>>> node
>>>> at Linode.  I already have IMAP/SMTP moved over (thanks once again to
>>>> those
>>>> that helped). The website will be trivial.  The other big part is
>>>> CardDav/CalDav.
>>>>
>>>> Right now on my home server I am running an older version of OwnCloud
>>>> (NextCloud is a fork of OwnCloud).  OwnCloud is a whole groupware
>>>> thing
>>>> with
>>>> file repo, etc, but it also has a caldav/carddav server and client. 
>>>> I'm
>>>> thinking if I'm moving over to this linode server, running full
>>>> groupware
>>>> may be a little too resource heavy, since I really don't use the rest.
>>>> I
>>>> *MAY* install NextCloud anyway.  Not sure.  If I DO install some sort
>>>> of
>>>> groupware, I would prefer to use one that does not have built in mail
>>>> server, so I don't have to worry about dovecot/postfix conflicts.
>>>>
>>>> The leading CalDav/CardDav with wide protocol support seem to be
>>>> https://radicale.org/ and https://www.davical.org, and possibly
>>>> http://sabre.io/
>>>>
>>>> Does anyone have any experience with these or others?
>>>>
>>>> Should I just install NextCloud or some other groupware without email?
>>> radicale is nearly trivial to set up.
>>>
>>> NextCloud can easily be set up without being an email server.
>>> You just tell it how to talk to an existing one.
>>>
>>> If you don't want the other features of NextCloud, radicale is a
>>> better choice for just being a caldav/carddav server.
>>>
>>> -dsr-
>>
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] CalDav/CardDav servers?

2019-08-14 Thread Derek Atkins
Does Radicale support Z-push (or equivalent) ActiveSync?

I've been using zarafa, but I really only use it for the calendar and
contacts.  I do use it for more than just iCal; sometimes I log in to the
WebUI to examine the calendar directly, but *usually* I only access it via
my phone or from Evolution -- and my wife uses it from her phone and from
iCalendar on her Mac.

Of course, I would have to figure out how to extract (or migrate) the data
from zarafa if I wanted to change to another service.

-derek

On Wed, August 14, 2019 8:22 am, Dan Ritter wrote:
> David Kramer wrote:
>> I am trying to move the functionality off my home server onto my Ubuntu
>> node
>> at Linode.  I already have IMAP/SMTP moved over (thanks once again to
>> those
>> that helped). The website will be trivial.  The other big part is
>> CardDav/CalDav.
>>
>> Right now on my home server I am running an older version of OwnCloud
>> (NextCloud is a fork of OwnCloud).  OwnCloud is a whole groupware thing
>> with
>> file repo, etc, but it also has a caldav/carddav server and client.  I'm
>> thinking if I'm moving over to this linode server, running full
>> groupware
>> may be a little too resource heavy, since I really don't use the rest. 
>> I
>> *MAY* install NextCloud anyway.  Not sure.  If I DO install some sort of
>> groupware, I would prefer to use one that does not have built in mail
>> server, so I don't have to worry about dovecot/postfix conflicts.
>>
>> The leading CalDav/CardDav with wide protocol support seem to be
>> https://radicale.org/ and https://www.davical.org, and possibly
>> http://sabre.io/
>>
>> Does anyone have any experience with these or others?
>>
>> Should I just install NextCloud or some other groupware without email?
>
> radicale is nearly trivial to set up.
>
> NextCloud can easily be set up without being an email server.
> You just tell it how to talk to an existing one.
>
> If you don't want the other features of NextCloud, radicale is a
> better choice for just being a caldav/carddav server.
>
> -dsr-


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Derek Atkins
Hi,

On Wed, May 22, 2019 1:10 pm, Dan Ritter wrote:
> Derek Atkins wrote:
>> Dan,
>>
>> On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
>> >
>> > eth0:  .121/29
>> > eth1:  10.1.1.1/30
>> > eth2:  192.168.0/24
>> > eth4: ...
>> >
>> > then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
>> > router adds a static route for .122/32 with 10.1.1.2 as a
>> > gateway. This avoids assigning competing subnets to different
>> > NICs.
>>
>> Hmm.  So how is the SIP server configured?  Is it configured with eth0
>> having two IP addresses, .122/29 and 10.1.1.2/30?  If not, then how does
>> the SIP server know it's supposed to be .122/29?
>
> SIP server:
>
> eth0 10.1.1.2/30
> eth0:sip a.b.c.122/32
>
> SIP server route:
> default via 10.1.1.1
>
> Bind the SIP server only to the .122 address.

I can bind SIP, but not necessarily other services.

> Incoming path: internet to modem looking for a.b.c.122. Modem
> gets ARP from router, hands packet for .122 to the router.
> Router hands it out via eth1 to 10.1.1.2, the SIP server, which
> hands it to .122.
>
> Return path: SIP server sends to x.y.c.d, only route is via
> 10.1.1.1, so it sends it that way.

The problem here is that any "unbound" service will choose the 10.1
address when going out the route to 10.1.1.1.

>> I'd also be worried that SIP would attempt to send out packets "from"
>> its
>> .2/30 address?   So don't you still need to NAT this, somehow?
>
> I haven't set this up and tested it. I could be wrong.

I've had issues with multi-homed (on the same port) servers in the past. 
It can get confused about what the source IP should be, and that can cause
issues elsewhere/later.  Of course this is where NAT comes into play --
you could change 10.1.1.2 <-> a.b.c.122.

>> > Yes, you need to turn on proxy arp on eth0:
>> >
>> > echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>> >
>> > so it will answer for the .122 when the modem asks.
>> >
>> > (If the modem spoke a routing protocol, you could advertise
>> > reachability through that, but odds are good it does not.)
>>
>> I am fairly sure it does not.  It's an Arris NVG599.
>>
>> In my ACTUAL implementation I actually don't need proxyarp because I've
>> got one more box (which I didn't show earlier) which ensures that all of
>> the /29 traffic gets sent to the ERPro (except for .126/29, which gets
>> shunted over to the Modem).  I could change that so that .122/29 gets
>> sent
>> to the SIP box, and the rest to the ERPro.
>
> I think that last bit solves all the problems, doesn't it?

No, this last bit is if I wanted the SIP server outside my gateway.  This
was my original option 1.

> -dsr-

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Derek Atkins
Dan,

On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
>
> eth0:  .121/29
> eth1:  10.1.1.1/30
> eth2:  192.168.0/24
> eth4: ...
>
> then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
> router adds a static route for .122/32 with 10.1.1.2 as a
> gateway. This avoids assigning competing subnets to different
> NICs.

Hmm.  So how is the SIP server configured?  Is it configured with eth0
having two IP addresses, .122/29 and 10.1.1.2/30?  If not, then how does
the SIP server know it's supposed to be .122/29?

I'd also be worried that SIP would attempt to send out packets "from" its
.2/30 address?   So don't you still need to NAT this, somehow?

> Yes, you need to turn on proxy arp on eth0:
>
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>
> so it will answer for the .122 when the modem asks.
>
> (If the modem spoke a routing protocol, you could advertise
> reachability through that, but odds are good it does not.)

I am fairly sure it does not.  It's an Arris NVG599.

In my ACTUAL implementation I actually don't need proxyarp because I've
got one more box (which I didn't show earlier) which ensures that all of
the /29 traffic gets sent to the ERPro (except for .126/29, which gets
shunted over to the Modem).  I could change that so that .122/29 gets sent
to the SIP box, and the rest to the ERPro.  Or I could have it all sent to
the ERPro and then have the SIP box on another port -- but then I need to
figure out how to configure that port and how to configure the SIP server,
which I am still confused about as per above.

> -dsr-

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Derek Atkins


On Wed, May 22, 2019 9:34 am, Dan Ritter wrote:

> Option C: pretend NAT doesn't exist for the SIP server and:
>
>.126   .121
> ISP --  --  -- intranet
>\--  .122
>
> route packets to .122 without NATting them. This assumes that
> you have an interface available on the firewall. You may want to
> use an RFC1918 /30 subnet between them.

I had considered this approach as well, but there are several issues with
it. The firewall is an Edgerouter-Pro-8.  It doesn't like having the same
IP or even the same network on multiple ports.  And it does not have a
hardware switch, so bridging ports is expensive.

So imagine this:

eth0: .121/29 (connected to ISP/Modem)
eth1: .121/29 (connected to SIP)
eth2: 192.168/24
eth3: class-C

I would need specific rules to route the /29 between eth0 and eth1.  SIP
would need to be told that the default router is .121 instead of .126
(which I guess I can do).  But the firewall would need to proxy-arp for
.122 in order to get the modem to send it everything.  This is where the
demons lie.

I'm not sure where this /30 comes into play?  Could you be more explicit?

> Then you can firewall stuff without NAT funkiness. NAT never
> makes SIP better.

Yeah, I know, which is why I'm leaning towards just putting it outside the
firewall (option 1).

Thanks,

> -dsr-

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



[Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Derek Atkins
Hi,

I've got a network with the following configuration.  I am being routed
IP range a.b.c.120/29.  The modem takes .126.  I've configured my
firewall for .121.  I can add a switch between the modem and firewall to
add additional machines there:

  .126   .121
   ISP --    -- intranet

I want to add a SIP server as .122.  I have two ways to do this.
I could put it outside the firewall and just have it be natively on
.122:

  .126   .121
   ISP --    -- intranet
\-- (.122)

Or I have it inside the intranet and configure the firewall to
forward and rewrite packets via a set of (D)NAT rules:

  .126   .121/.122
   ISP --  --  -- intranet
 \-- 

What do you all feel is the best approach?  I feel like the former is a
simpler configuration, even though it requires one more piece of
hardware.  On the other hand, the latter approach lets me have more
visibility into the packets hitting the SIP server.

I should add that I do have at least 2 phones/ATAs sitting in the
intranet network that need to connect to the SIP server, but standard
NAT should work for that.

Currently the SIP server is sitting behind the firewall but living on a
tunneled class-C network.  My IP phones are able to talk to it directly,
and because it's got a public IP on the class-C it is reachable from
devices outside the intranet.  Part of this project is to remove that
extra level of latency caused by the tunnel, with the hope that removing
that extra point of failure will improve my VOIP service.

What do you all think?

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] RISC-V roadshow

2019-04-09 Thread Derek Atkins
Hi,

"m.m.rajwadkar"  writes:

[snip]
> I was wondering if anyone in the BLU Linux group is involved with the
> RISC-V development.

Yep, in my $DayJob we do lots of development of security tools, secure
boot, etc. for the RISC-V platform.  Our technology is platform agnostic,
but RISC-V has some interesting features that we can leverage.  I am also
on the RISC-V Security, Crypto, TEE, and Vector Extensions working groups.

> Thanks and Regards
> Mayuresh
> https://bit.ly/lnkmmr

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Backing up the entire filesystem

2018-10-31 Thread Derek Atkins
Hi,

Shirley Márquez Dúlcey  writes:

> Another thing to keep in mind is that ZFS does have one flaw; it's a
> memory hog. If you have a large ZFS filesystem you will need a LOT of
> RAM to get acceptable performance. But it does represent the current
> state of the art for file system data integrity.

I think current standard is 1GB RAM per TB of disk, or 5GB/TB if you
have dedup turned on.

> I have to allow that my only experience with ZFS to date is with
> FreeNAS, which is based on FreeBSD. I have moved all my bulk data
> storage to a pair of NAS boxes and have a relatively small amount of
> local space on each computer. FreeNAS does not use ZFS for the system
> volume.

Eh?  My FreeNAS system uses ZFS on the boot disk?

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available


Re: [Discuss] [BLU/Officers] update instructions for key signing

2018-09-18 Thread Derek Atkins
Bill Ricker  writes:

>  (b) closed intranet (no BYOD allowed) where one IT org controls both the
> desktops and the webservers, and you install the Corp private selfsigned CA
> key into IT release of IE/Edge, FF, Chrome.

The downside of this latter approach is that the IT org can then sign
certs for *ANY* other site and therefore intercept all HTTPS traffic
they wish to see.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available


Re: [Discuss] Supermicro

2018-01-24 Thread Derek Atkins
Dan Ritter  writes:

> On Tue, Jan 23, 2018 at 02:18:33PM -0500, Joseph Guarino wrote:
>> Hello Everyone,
>> 
>> I've got a new client that is enamored with Supermicro and wants to only
>> buy their server hardware. I'm a fan (and partner with) of a few other
>> vendors. Does anyone have any experience with the quality of their support?
>> Any insight is appreciated.
>> 
>
> Supermicro is very good, but they want to support a retailer
> more than they want to support every individual customer.
> (This would change if you're buying in quantity.)

Most of my servers have been based on SuperMicro motherboards.
I've been very happy with their quality.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available


Re: [Discuss] printer issues

2017-12-11 Thread Derek Atkins
Hi,

dan moylan  writes:

> using cups at localhost:631 add printer i find:
>
>   Discovered Network Printers: HP ENVY 4500 series [D449B0]
>
> then clicking on that i get:
>
>   Add Printer HP_ENVY_4500_series_D449B0 Error
>   Unable to get list of printer drivers:
>   Success
>   HP ENVY 4500 series (HP ENVY 4500 series [D449B0])
>
> and get no farther.  the printer itself is configured with a
> wireless connection at 192.168.50.6 and i am able to ping
> it.
>
> suggestions?

Are you sure you have the correct HP Printer Drivers installed?
hplip?

It SOUNDS like that's what's going on here.

-derek

> j. daniel moylan
> 84 harvard ave
> brookline, ma 02446-6202
> 617-777-0207 (cel)
> j...@moylan.us
> www.moylan.us
> [no html pls]

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available


Re: [Discuss] Fidelity voice-recognition security?

2017-11-22 Thread Derek Atkins
Daniel Barrett  writes:

> I declined the feature. Fingerprinting a voice uniquely over a
> low-quality telephone line? I can't imagine that's more secure than a
> non-obvious password. What does the security crowd here think?

"My voice is my passport. Verify me."  ???

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available


Re: [Discuss] Limit the number of ip addresses which can connect to a port

2017-11-02 Thread Derek Atkins
Hi,

Tom Luo  writes:

> Hi, Derek,
>
> Thanks for your suggestions. However, this is not exactly what I want.
> The service is running in the server. Users can only connect to the server
> using an assigned TCP port and a password.
> This service using port/password to identify a user. Different users will get
> different ports and their own unique password.
> For example, user A will connect to port 8001 using password "testpassword".
> User B will connect to port 8002 using password "testpassword2".
> Every user has to pay a fee to use the service.
> This works very well if no user shares port/password with other people.
> To reduce this password/port sharing issue, I propose to limit the number of
> ip addresses connected to a port.
> If a user A (assigned port 8010) shares his/her password with a person C, user
> A can connect to port 8010 and use the service.
> If at the same time the person C tries to connect to port 8010 from another ip
> address, the firewall should decline the new connection.
> I also check the connections and I see one user can have many connections to
> the assigned port at the same time. So, I cannot use the number of active
> connections on a port to solve this issue.
> The only thing I can think about is using IP address. I think video service
> providers like hulu and netflix face the same issue. But, I don't know how
> they deal with the password sharing issue.
>
> I hope I explained the issue clearly. BTW, I don't have the source code of the
> service, so I cannot change the service itself.

You did, but I have a few more questions:

1) What is the client?  Is this a Web-App (using a browser client)?  Or
   is there some special client?

2) Based on #1:  How are you expecting the service to request a password
   from the client, and how is the client supposed to deliver it?

I'll note that the way Netflix handles it is # of flows.  You can be
logged in from any number of places, but your account is only allowed to
have N flows (based on your account status).  I'll also note that this
is enforced by the netflix server, not by a wrapper.  It's an integrated
limitation process.

On a side note, if you cannot change the server, then why do you care
how it's used?  Clearly the server-creators don't care about limiting
its use.

> Thanks a lot!

-derek

> Tom
>
> On Wed, Nov 1, 2017 at 10:54 AM, Derek Atkins  wrote:
>
> Tom,
>
> Tom Luo  writes:
>
> > Yes. I want only one IP gets access to the service. However, I don't own
> > this application and I don't have the source code. That is why I can
> only
> > use a firewall to handle it.
> > If there is no software capable to handle this, I am thinking about
> writing
> > a shell script to do it myself.
>
> Just so I understand:   You have a service running on a server which
> *anyone* can use.  But once *someone* is using it, further connections
> can only come from that single IP address.   And then, once all
> connections drop again (i.e., nobody is using the service), then it
> opens up to anyone on any IP address again until someone else connects?
>
> Do I have this right?
>
> If so, I'm honestly not sure how to do this outside the application
> itself.  You MIGHT be able to do it with tcp_wrappers with some state on
> the machine for the number of open connections.
>
> Another option is that you MIGHT be able to do this with something like
> fail2ban + firewalld.  Every time there is a first-time connection then
> you add a firewall rule that limits access to only that IP address, and
> then once the user "logs out" you remove that restriction.  Of course
> you would need to ensure that the connection/disconnection get logged
> properly, and you'd need to write the fail2ban scripts.
>
> If you cannot modify the application itself then this might be
> challenging to get all the connect/disconnect messages to properly line
> up.
>
> > Thanks,
>
> -derek
>    
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warl...@mit.edu                        PGP key available
>

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available


Re: [Discuss] Limit the number of ip addresses which can connect to a port

2017-11-01 Thread Derek Atkins
Tom,

Tom Luo  writes:

> Yes. I want only one IP gets access to the service. However, I don't own
> this application and I don't have the source code. That is why I can only
> use a firewall to handle it.
> If there is no software capable to handle this, I am thinking about writing
> a shell script to do it myself.

Just so I understand:   You have a service running on a server which
*anyone* can use.  But once *someone* is using it, further connections
can only come from that single IP address.   And then, once all
connections drop again (i.e., nobody is using the service), then it
opens up to anyone on any IP address again until someone else connects?

Do I have this right?

If so, I'm honestly not sure how to do this outside the application
itself.  You MIGHT be able to do it with tcp_wrappers with some state on
the machine for the number of open connections.

Another option is that you MIGHT be able to do this with something like
fail2ban + firewalld.  Every time there is a first-time connection then
you add a firewall rule that limits access to only that IP address, and
then once the user "logs out" you remove that restriction.  Of course
you would need to ensure that the connection/disconnection get logged
properly, and you'd need to write the fail2ban scripts.

If you cannot modify the application itself then this might be
challenging to get all the connect/disconnect messages to properly line
up.

> Thanks,

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
   warl...@mit.edu                     PGP key available
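The scheme discussed in this message and in the follow-up of 2017-11-02 (the first client IP to connect on a customer's port holds it until all of its connections drop; any other IP on that port is refused; optionally a cap on concurrent flows, as described for Netflix) as an added Python model. It is not code from the thread or from fail2ban/firewalld: the CONNECT/DISCONNECT log format and the sample events are constructed for the example, and the step that turns a decision into a firewall rule is assumed to live outside the block.

```python
"""Added example: model of the per-port source-IP lock discussed in the thread.

First client IP to open a connection on a customer's port holds it; further
connections from the same IP are fine, from any other IP they are denied (the
port/password has probably been shared); when the holder's last connection
closes the port is free again.  An optional cap on concurrent flows mirrors the
per-account "N flows" limit.  Turning decisions into firewall rule changes
(e.g. a fail2ban action) is assumed to happen outside this model.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed log format for this example (not any real daemon's format):
#   <timestamp> CONNECT|DISCONNECT <service-port> <client-ip>:<client-port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>CONNECT|DISCONNECT)\s+(?P<port>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*$"
)


@dataclass
class PortState:
    owner: Optional[str] = None                     # IP currently holding the port
    active: Set[str] = field(default_factory=set)   # open connection ids "ip:sport"


@dataclass
class Decision:
    ts: str
    port: int
    ip: str
    action: str   # allow | deny-other-ip | deny-flow-limit | close | release | ignore
    reason: str


class PortGuard:
    """Per-port state: who holds the port and how many flows are open."""

    def __init__(self, max_flows: Optional[int] = None) -> None:
        self.ports: Dict[int, PortState] = {}
        self.max_flows = max_flows   # None = the holder may open any number of flows

    def connect(self, ts: str, port: int, ip: str, conn_id: str) -> Decision:
        st = self.ports.setdefault(port, PortState())
        if st.owner is not None and st.owner != ip:
            return Decision(ts, port, ip, "deny-other-ip", f"port {port} held by {st.owner}")
        if self.max_flows is not None and len(st.active) >= self.max_flows:
            return Decision(ts, port, ip, "deny-flow-limit", f"{self.max_flows} flow(s) already open")
        st.owner = ip
        st.active.add(conn_id)
        return Decision(ts, port, ip, "allow", f"{len(st.active)} flow(s) open")

    def disconnect(self, ts: str, port: int, ip: str, conn_id: str) -> Decision:
        st = self.ports.get(port)
        if st is None or conn_id not in st.active:
            return Decision(ts, port, ip, "ignore", "no matching open connection")
        st.active.discard(conn_id)
        if st.active:
            return Decision(ts, port, ip, "close", f"{len(st.active)} flow(s) still open")
        st.owner = None
        return Decision(ts, port, ip, "release", "last flow closed; port is free again")


def audit(lines: List[str], max_flows: Optional[int] = None) -> List[Decision]:
    """Replay connection events in order and return one decision per parsed line."""
    guard = PortGuard(max_flows)
    decisions: List[Decision] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real wrapper should count and alert on these
        port, ip = int(m["port"]), m["ip"]
        conn_id = f"{ip}:{m['sport']}"
        handler = guard.connect if m["event"] == "CONNECT" else guard.disconnect
        decisions.append(handler(m["ts"], port, ip, conn_id))
    return decisions


def sharing_suspects(decisions: List[Decision]) -> Dict[int, Set[str]]:
    """Ports on which a second IP tried to use a held port, with the IPs involved."""
    out: Dict[int, Set[str]] = {}
    for d in decisions:
        if d.action == "deny-other-ip":
            out.setdefault(d.port, set()).add(d.ip)
    return out


# Constructed sample events (documentation IP ranges), in the order they occurred.
SAMPLE_LOG = [
    "2017-11-02T10:00:01 CONNECT 8010 203.0.113.5:51234",     # user A takes port 8010
    "2017-11-02T10:00:05 CONNECT 8010 203.0.113.5:51235",     # second flow, same IP: fine
    "2017-11-02T10:00:09 CONNECT 8010 198.51.100.7:40001",    # person C with A's password: denied
    "2017-11-02T10:00:20 DISCONNECT 8010 203.0.113.5:51234",
    "2017-11-02T10:00:25 DISCONNECT 8010 203.0.113.5:51235",  # A's last flow closes: port released
    "2017-11-02T10:00:30 CONNECT 8010 198.51.100.7:40002",    # C is now first in: allowed
    "2017-11-02T10:00:31 CONNECT 8002 192.0.2.9:6000",        # another customer's port, independent
    "malformed line that a real log might contain",
]

if __name__ == "__main__":
    for d in audit(SAMPLE_LOG):
        print(f"{d.ts} port {d.port} {d.ip:<14} {d.action:<16} {d.reason}")
    print("sharing suspects:", sharing_suspects(audit(SAMPLE_LOG)))
```

The model makes the weakness of the wrapper approach visible: it is only as good as the completeness of the CONNECT/DISCONNECT events it sees, so a missed disconnect leaves a port held forever (a self-inflicted lockout) and a missed connect leaves a sharer unnoticed, which is the line-up problem the message warns about. Running `audit(SAMPLE_LOG, max_flows=1)` shows the flow-cap variant refusing the holder's own second connection.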


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-14 Thread Derek Atkins
Bill Horne  writes:

> Although _/some/_ edge devices, such as streaming video adapters or
> printers, are made for only WiFi connectivity, there are always other
> models which include Ethernet and/or USB connections, either with or
> without WiFi. "Future Proofing" includes avoiding future purchases, so
> I always recommend that edge devices have more than one method of LAN
> connection available.

My Roku had an RJ45.  My AppleTV has an RJ45.  My Printer has an RJ45.

Pretty much I can count the number of Wifi-only devices in my house on
one hand.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-14 Thread Derek Atkins
Richard Pieri  writes:

> On 9/13/2017 1:48 PM, Bill Horne wrote:
>> WiFi-only devices will require that the owner keep updating his 
>> equipment every time his ISP adopts a new WiFi standard. I feel that the 
>
> This has never been a requirement of 802.11 devices. My 802.11b and
> 802.11g devices still work with my 802.11n access point and I have no
> doubt that they will continue to work if and when I get an 802.11ac or
> more recent AP.

Except that if you have TRUE 802.11b devices, it will downgrade your
802.11g network completely to 11Mbps.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-14 Thread Derek Atkins
Richard Pieri  writes:

> On 9/13/2017 10:35 AM, Derek Atkins wrote:
>> You seem to be assuming that all traffic crosses into your ISP.  While
>
> As a practical matter, the majority of my network traffic *does* cross
> into my ISP.

Thank you for incorrectly projecting your usage patterns onto me.

>> this may be true for your use case, it is certainly not the case for me.
>> I've got a MythTV setup, which means much of my streaming media is local
>> traffic.  I'd much rather use a wired/switched network for that than
>> pollute the shared wifi.
>
> 1080p video streams (MPEG-4) need about 5-8 Mbps burst bandwidth.

Again, thank you for making incorrect assumptions about the type of
video being tossed around.  My streams are more like 10-20Mbps each.
Just looking at one recording I see 14.5Mbps.

> Gigabit Ethernet has practical throughput about 300Mbps.

BZZT.  You're off by a factor of about 3.

>  So that stream uses about 5% of the available bandwidth at most.

Even at 20Mbps, it's really only using 2.2% of the available b/w.  At
14.4Mbps it's down to 1.6%.

>   Meanwhile, 802.11g
> (which I consider to be the least common denominator for WiFi today) can
> deliver 20-25Mbps which is more than enough for several simultaneous
> streams.

No, realistically it can only deliver 1.  That is not sufficient.

>  It's borderline for 4K but if you're doing 4K video then you've
> probably upgraded to at least 802.11n if not 802.11ac.
>
> Myth/Plex are not compelling reasons for wires.

Says you.

Listen, this back and forth with you is fruitless.  You're not going to
convince me to go without wires, and I'm clearly not going to convince
you that there are cases where wired networks are better.  So let's just
agree to disagree and then I can get input from other people with
insight into the best wired technologies to install.

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-13 Thread Derek Atkins
Richard Pieri  writes:

> On 9/12/2017 1:19 PM, Bill Ricker wrote:
>> I'm glad to hear there's someone even slower to adopt real broadband
>> than I was.
>
> I have real broadband: FiOS, 50/50Mbps. Had it since it became available
> in my neighborhood. It's just that the slowest WiFi devices I have are
> 802.11g. The others are 802.11n or .11ac. It doesn't much matter how
> much more bandwidth wired 1-Gig offers when that extra bandwidth can't
> be utilized.

You seem to be assuming that all traffic crosses into your ISP.  While
this may be true for your use case, it is certainly not the case for me.
I've got a MythTV setup, which means much of my streaming media is local
traffic.  I'd much rather use a wired/switched network for that than
pollute the shared wifi.

-derek

PS: I have a 1G fiber network to my home, although I seem to only be
able to pull ~200mbps down from real sources even though speedtest.net
(from a wired connection) will pull down 940mbps.  Speedtest from my
wifi only pulls down ~300mbps.

PPS: Yes, *THIS* is boasting -- but it's also driving my decisions to
include a wired network for all my background tasks so that wifi is
limited only to those devices that MUST use wifi (or choose to use wifi,
knowing its capabilities are lower than the wired network).

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-13 Thread Derek Atkins
Shirley Márquez Dúlcey  writes:

>> Indeed.  I'm thinking not just IP, but also possibly HDBaseT.  I'm going
>> to run separate Cat5e for my PoE security cameras (which only need 100mbps).
>
> If you're doing it yourself the wire cost matters. If somebody else is
> doing it, the wire cost is insignificant compared to the labor cost so
> you might as well go with Cat6a throughout.

You make a good point.

My main issue with using Cat6A for the security cameras is that adding
the endpoints is harder.  While I *HAVE* crimped a male RJ45 onto the
end of a Cat6a, I find crimping it onto a Cat5e MUCH easier (and more
secure). I suspect even if I have someone else do the work (still TBD --
I'll know more today) it might still be cheaper to use 5e for the
cameras.  Oh, and 5e "bends" easier than 6a, making it easier to run.
Besides, a Cat5e is perfectly capable of 1Gbps + PoE, which is all I
need for the security cameras (which only run at 100mbps, even for
1080p).

FWIW, last time I DID do it myself, but made the mistake of using RG59
siamese cable for my cameras.  IP cameras have come down in price in the
past 6-7 years, to the point where I can get a 1080p IP camera for even
less than I paid for my NTSC cameras!  Yikes.

I'd like to do it myself again, but I now have 2 small kids, so I'm not
sure how I'll be able to spend the 40-60 man-hours at the construction
site.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-12 Thread Derek Atkins
Rich,

On Tue, September 12, 2017 11:42 am, Richard Pieri wrote:
> On 9/12/2017 10:52 AM, Derek Atkins wrote:
>> I am sorry, but I completely disagree.  Even with modern Wifi, I can get
>> much better throughput using physical wires if for no other reason than
>> each link can be switched and therefore isn't "shared".  With Wifi,
>> every device is sharing the medium.  I.e., I can get 20-30Gbps aggregate
>> across my 1Gbps physical network, versus maybe 1.2Gbps across my 1200AC
>> Wifi.  And let's not even start with interference from my neighbors!
>
> All true, but you're not making an argument about future-proofing.
> You're boasting about how fast your network is.

No, I'm pointing out that wires are better than Wifi by showing actual
capabilities.  If you had a wired network then you'd have that capability
too.  It's just a fact that wired networks are more capable than wireless.

> Wires aren't forever. They fail. They're supplanted by new standards.
> They're not even available on the most common devices today. Running
> wires is not future-proofing. It's future-obsolescence.

Wired ethernet over twisted pair has not significantly changed in 25
years.  The capabilities of the technology have changed (10, 100, 1G) but
the underlying physical wires haven't (generally).  Sure, there's the
update from Cat3 to Cat5 to Cat5e to Cat6, but Cat5e is still a
20-year-old tech.  Had you installed Cat5e 20 years ago you'd still be in
fine shape today.

My new thinkpad, just acquired a couple months ago, still has an RJ45
jack.  Sure, the two Macs in the house don't come with that, although we
have the lightning adapter for my wife.  All our "smart" TVs have RJ45. 
Desktop and Server hardware has RJ45.

Will they still have RJ45 in another 10-20 years?  I certainly don't see
it going away from many of the devices, although it's possible that fewer
laptops will come with ethernet.

But with Cat6 throughout I can always add additional APs wherever I might
need them.  :)

> Rich P.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-12 Thread Derek Atkins
Kent,

Kent Borg  writes:

> Two suggestions.
>
> Short term: Look at your current needs and extrapolate from
> there. Ethernet cables can be used for unrelated low-voltage signaling
> or power, too. (Thermostat, for example. Or power to gizmos that
> normally require a wallwart can maybe be installed without the power
> supply being ugly and near.)

Indeed.  I'm thinking not just IP, but also possibly HDBaseT.  I'm going
to run separate Cat5e for my PoE security cameras (which only need 100mbps).

> Long term: You can't anticipate things that don't exist, so see if you
> can give yourself future access to the sealed up walls. Conduit with
> string in it is good. Extra large conduit is good if that is
> possible. Lots of extra empty "outlet" boxes are good. If you can
> leave yourself access to a cable tray in your basement or attic or
> maybe in your wall (removable baseboard or ceiling molding?) then you
> can reconfigure pretty easily.

I plan to run some conduit across major sections, but not necessarily to
each drop.  I don't know if "easily removed baseboards" will go over
well with the WAF.  But I'll keep it in mind.

> -kb
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-12 Thread Derek Atkins
Richard Pieri  writes:

> On 9/11/2017 9:44 AM, Derek Atkins wrote:
>> If you had the ability to future-proof your house (imagine open studs,
>> so you could run anything you wanted), what would you run?  Assume a max
>> of 6 cables per drop?
>
> I wouldn't. Wires for data are the past, not the future, for consumer
> applications. Instead I would update the electrical wiring. Start with a

I am sorry, but I completely disagree.  Even with modern Wifi, I can get
much better throughput using physical wires if for no other reason than
each link can be switched and therefore isn't "shared".  With Wifi,
every device is sharing the medium.  I.e., I can get 20-30Gbps aggregate
across my 1Gbps physical network, versus maybe 1.2Gbps across my 1200AC
Wifi.  And let's not even start with interference from my neighbors!

> circuit breaker panel upgrade to at least include a whole residence
> surge protector. Each room gets at least one easily accessible box of
> power outlets which includes USB fast charge power. Each room also gets
> at least one near-ceiling power outlet box for WiFi repeaters or
> resonant power stations so that they can be mounted clear of furniture
> with a minimum of visible power cables.

I know all that -- I was asking for what would be "beyond CAT6a".  It
sounds like maybe fiber, but I think I've been convinced that I won't
need it, at least not to each drop.

> But if you're still dead-set on running data wires then don't run wires.
> Run conduit with pull strings so you can easily install whatever you
> need and remove it later when you decide to replace it.

As I said, I can't run conduit to every drop, so that's just out of the
question.  I can run conduit for some major cross-runs, or from basement
to attic, but not to every drop.

So...  My current thinking is 1 RG6 and 3 or 4 CAT6a, which leaves me 1
or 2 potential keystone spots.  I suppose I could do 1 + 3 and use a 4-spot
keystone vs. a 6-spot keystone.  I'll need to decide.  Honestly I'd like
to have 4 cat6a drops, which means I still have 1 spot and not sure how
to fill it.

Suggestions?

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[Discuss] Future-proofing a house for networking -- what to run?

2017-09-11 Thread Derek Atkins
Hi BLUers,

If you had the ability to future-proof your house (imagine open studs,
so you could run anything you wanted), what would you run?  Assume a max
of 6 cables per drop?

Last time I ran 4x Cat6A and 2x RG6.  However I'm never using both RG6
F-connectors, so I figured I could replace that with something else.
And before you ask, yes, I *AM* using all 4 RJ45 connectors in some of
my drops (and in one place I wish I had MORE Rj45).  So, what else
should I run?

My current theory is 4x Cat6A, 1x RG6, and 1x Fiber.

However I'm not sure what kind of "fiber" to run, nor what kind of
connector I should use.

Any suggestions or recommendations?

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] AT&T eliminating copper phone lines

2017-03-28 Thread Derek Atkins

On Tue, March 28, 2017 3:23 pm, Daniel Barrett wrote:
> On March 28, 2017, Derek Atkins wrote:
>>> 2. Add phone service to my existing Verizon FIOS Internet plan. (Con:
>>> I lose my phone number of 25 years.)
>>
>>I don't understand this second point.  Why can't you port your existing
>>phone number over?
>
> I don't understand it either, but Verizon has confirmed it (twice).
> Apparently, my home number is special. 95% of home numbers can be
> ported to their FIOS Voice service, but mine can't.
>
> However, they can port it to Verizon Wireless. Weird.

Very weird!  I wonder if you could port it to VZW and then to FiOS?  Or
maybe, as someone else suggested, port to Google Voice and then have that
redirect to FiOS?  I can't understand why you could port to VZW but not
FiOS.  That's just weird.

You could also call your alarm company and ask them for a recommendation? 
My alarm uses cellular to connect back to the monitor.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] AT&T eliminating copper phone lines

2017-03-28 Thread Derek Atkins
Hi,

On Tue, March 28, 2017 3:01 pm, Daniel Barrett wrote:
>
> AT&T is finally eliminating its copper phone lines in my area. (I
> recall Tom Metro starting a BLU discussion when Verizon did the same
> thing in 2013.)
>
> The alternatives for a home landline now seem to be:
>
> 1. Let AT&T replace my copper with a fiber optic line. (Con: Expensive
> service, $100/month.)
>
> 2. Add phone service to my existing Verizon FIOS Internet plan. (Con:
> I lose my phone number of 25 years.)

I don't understand this second point.  Why can't you port your existing
phone number over?

> 3. Switch to Vonage. (Con: Might not work with an alarm system.)
>
> 4. Eliminate the landline. (Con: Screws the alarm system, and
> cellphone voice quality is too poor for my damaged hearing.)
>
> Am I missing any better options?
>
> --
> Dan Barrett
> dbarr...@blazemonger.com

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Yesterday's Cloudflare News and Online Password Managers...

2017-02-27 Thread Derek Atkins
Kent Borg  writes:

> On 02/24/2017 11:38 AM, Kent Borg wrote:
>> -kb, the Kent who recently decided he needed to use a hash in
>> something he's programming at work, and there is no way he would
>> have chosen SHA-1 for that, even before yesterday's news.
>
> If nothing else, I have always been bugged by the fact that SHA-1 is a
> 160-bit result. That size always seemed wrong.

160 bits was fine back in 1991.

> -kb

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [Discuss] Torrent of new spam

2017-02-18 Thread Derek Atkins
I've found that rbl checks, spamassassin, and sender-verify block a significant 
amount of spam.  I do find a bunch of false positive sender-verify blocks...  
so I have to add some to a whitelist.  Right now I think I have about 30-40 
entries in that list.  Greylisting works too, unless you have an MX that does 
not..

-derek

Sent from my mobile device. Please excuse any typos.

- Reply message -
From: "Richard Pieri" 
To: 
Subject: [Discuss] Torrent of new spam
Date: Sat, Feb 18, 2017 7:36 PM

On 2/18/2017 12:29 PM, Daniel Barrett wrote:
> Where spamassassin is based on heuristics, spastic is literal. You
> simply create blacklists and whitelists for blocking & permitting
> emails. The lists can include "To" and "From" addresses, subject lines
> (substrings), body text, etc.  Each list is a plain text file.

Static lists like these are a pain to manage. When I tried it I spent
more time tweaking lists than reading mail. When a previous employer of
mine tried static lists it turned into a full time job for one of our
sysadmins.

In my experience, grey listing at the SMTP server offers the best bang
for the buck. It drops on the order of 95% of incoming spam before it
can get into the mail server with no false positives -- it won't drop
legitimate mail. Grey listing requires no maintenance and it is very
light on system resources.

-- 
Rich P.

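Greylisting as Rich describes it above, together with Derek's caveat about an MX that never retries, as an added example that is not part of the thread: a toy greylist keyed on the (client IP, envelope sender, envelope recipient) triplet. The 5-minute delay, 4-hour retry window and 36-day pass lifetime are assumed values, not those of any particular MTA.

```python
"""Greylisting decision logic: answer the first delivery attempt for a new
(client IP, sender, recipient) triplet with a temporary failure and accept once
the sending MTA retries after a delay. All timing constants are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    delay: int = 300                    # seconds a new triplet must wait
    retry_window: int = 4 * 3600        # forget a pending triplet after this long
    pass_ttl: int = 36 * 24 * 3600      # how long a passed triplet stays accepted
    pending: Dict[Triplet, int] = field(default_factory=dict)  # triplet -> first seen
    passed: Dict[Triplet, int] = field(default_factory=dict)   # triplet -> last seen

    def check(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return the SMTP response the MTA should give at RCPT time."""
        t = (client_ip, sender.lower(), rcpt.lower())
        last = self.passed.get(t)
        if last is not None and now - last < self.pass_ttl:
            self.passed[t] = now           # known-good triplet: accept and refresh
            return ACCEPT
        first = self.pending.get(t)
        if first is None or now - first > self.retry_window:
            self.pending[t] = now          # new (or long-forgotten) triplet
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                # retried too soon; keep waiting
        # Retried after the delay: it behaves like a real MTA, so let it through
        del self.pending[t]
        self.passed[t] = now
        return ACCEPT


# Constructed delivery attempts: (time, client ip, sender, recipient, label).
# A spam bot fires once per sender and never retries; a real MTA retries after
# 15 minutes; "nonretry-mx" is a legitimate sender whose MX never retries, the
# one case in which greylisting does lose mail.
ATTEMPTS = [
    (0,     "203.0.113.9",  "news@example.com",   "me@example.org", "mta-first-try"),
    (0,     "198.51.100.1", "deal@spam.invalid",  "me@example.org", "bot-first-try"),
    (60,    "198.51.100.1", "offer@spam.invalid", "me@example.org", "bot-new-sender"),
    (120,   "192.0.2.50",   "alerts@example.net", "me@example.org", "nonretry-mx"),
    (900,   "203.0.113.9",  "news@example.com",   "me@example.org", "mta-retry"),
    (86400, "203.0.113.9",  "news@example.com",   "me@example.org", "mta-next-day"),
]


def run(attempts=ATTEMPTS) -> Dict[str, str]:
    """Replay the attempts in time order and record each SMTP response."""
    g = Greylist()
    results: Dict[str, str] = {}
    for now, ip, sender, rcpt, label in sorted(attempts):
        results[label] = g.check(ip, sender, rcpt, now)
    return results


if __name__ == "__main__":
    for label, resp in run().items():
        print(f"{label:16s} -> {resp}")
```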

Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-10 Thread Derek Atkins
Dan Ritter  writes:

>> Only mostly true.  I know a handful of people who successfully changed
>> their usernames.  It's rare, and only done in extreme circumstances.
>> But it *can* be done.
>
> Interesting. Without violating privacy, can you describe what
> sort of thing qualifies as extreme circumstances?

The two cases I can think about offhand included targeted harassment
and an inadvertently offensive name.

> -dsr-

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/   PP-ASEL-IA N1NWH
   warl...@mit.edu   PGP key available


Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-09 Thread Derek Atkins
Hi,

On Thu, February 9, 2017 11:40 am, ma...@mohawksoft.com wrote:
> Here's the problem with all this.
>
> 8 characters for a name. Yes, in a hypothetical sense you have
> 2.183401056×10^14 possible passwords if you use 8 ascii alpha/numeric
> characters with no punctuation characters, but the vast majority of that
> space are random strings not suitable for nicknames or meaningful
> identifiers. For instance, I can't see that any remaining meaningful
> permutations of "john smith" could possibly be left. How many email
> addresses do they assign a year? How many back-logged names did they
> create at first?
>
> When an alum dies, does their email address become available?

Generally @mit.edu addresses are "recovered" approximately 1-2 years after
they leave MIT.  There are exceptions for certain classes of people whose
accounts remain "sponsored".  It's unclear what happens if a sponsored
account owner passes.

Then there are "alum.mit.edu" accounts, which is MIT's "Email Forwarding
for Life", which allows more than 8 characters, so there's really no
issue.

-derek

>
>
>> Dan Ritter  writes:
>>
>>> On Wed, Feb 08, 2017 at 10:24:54AM -0500, Derek Atkins wrote:
>>>> Eric Chadbourne  writes:
>>>>
>>>> > Off topic, warl...@mit.edu, is the best email ever.
>>>>
>>>> Thanks.  I've had it since 1989.
>>>
>>> MIT trivia: once you have a username, you can't change it.
>>>
>>> http://mitadmissions.org/blogs/entry/dont-screw-up-your-username
>>
>> Only mostly true.  I know a handful of people who successfully changed
>> their usernames.  It's rare, and only done in extreme circumstances.
>> But it *can* be done.
>>
>>> -dsr-
>>
>> -derek
>>
>> --
>>Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>>Member, MIT Student Information Processing Board  (SIPB)
>>URL: http://web.mit.edu/warlord/   PP-ASEL-IA N1NWH
>>warl...@mit.edu   PGP key available


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-09 Thread Derek Atkins
Dan Ritter  writes:

> On Wed, Feb 08, 2017 at 10:24:54AM -0500, Derek Atkins wrote:
>> Eric Chadbourne  writes:
>> 
>> > Off topic, warl...@mit.edu, is the best email ever.
>> 
>> Thanks.  I've had it since 1989.
>
> MIT trivia: once you have a username, you can't change it.
>
> http://mitadmissions.org/blogs/entry/dont-screw-up-your-username

Only mostly true.  I know a handful of people who successfully changed
their usernames.  It's rare, and only done in extreme circumstances.
But it *can* be done.

> -dsr-

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/   PP-ASEL-IA N1NWH
   warl...@mit.edu   PGP key available


Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-08 Thread Derek Atkins
Hi,

ma...@mohawksoft.com writes:

> I tried ovirt on a machine that was already hosting VMs. Needless to say,
> I had to painstakingly restore my KVM environment to get them back.

Yeah, ovirt definitely needs a clean system.

> The thing that I like about KVM and  libvirt is that it works within a
> standard Linux system. I've tried vmware, parallels, and a number of other

Ovirt does, too.  Started with regular (clean) CentOS 7.x install and
followed the instructions to get it installed.  If this isn't a "regular
Linux system" I don't know what is.  Note that ovirt is built on top of
KVM and libvirt, but yes, it does expect to be self-contained.

> vm environments, and they just didn't have the features to get the job
> done. Networking between VMs didn't work or was a $$ feature. Snapshots
> and disk compaction not available. Sharing CPUs during idle. The next step
> up is vSphere and ovirt, which are so comprehensive that you are buried
> with features and have to, more or less, commit to using their strategy.

You don't have to use all the features, but yes, you do have to live by
the ovirt methodology.

> Sure, if you want to run a large scale vm warehouse, something like ovirt
> is for you. If you want to host a small-ish number of VMs, or use VMs to
> develop/test software for different environments and operating systems,
> KVM with libvirt is much easier to set-up and use.

I'm running ovirt on a single hardware system; I migrated (am migrating)
off vmware-server-2.  I've got over a dozen VMs running, but the main
feature I needed is a web-based remote console access (so my remote
users don't need shell access in order to access VM consoles).

This is the main feature I wanted and ovirt provides (as did
vmware-server).  I don't think you can get that level of remote access
from KVM + libvirt directly.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/   PP-ASEL-IA N1NWH
   warl...@mit.edu   PGP key available


Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-08 Thread Derek Atkins
Eric Chadbourne  writes:

> Off topic, warl...@mit.edu, is the best email ever.

Thanks.  I've had it since 1989.

> Eric

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/   PP-ASEL-IA N1NWH
   warl...@mit.edu   PGP key available


Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-07 Thread Derek Atkins
I've been playing with oVirt 4.0.6 on EL7.3 and I've almost migrated all
my VMs from my old VMware infrastructure.  So far I'm enjoying it.  I
can't say it was painless to set up -- ovirt has a lot of moving
parts -- but once I figured it all out it's been pretty smooth sailing.

-derek

Jerry Feldman  writes:

> A lot of this has been available in Fedora for several years.
> Unfortunately, the GUI support had been lacking where vmWare and VirtualBox
> provided a much easier way to do it.
>
> On Mon, Feb 6, 2017 at 2:04 PM,  wrote:
>
>> Has anyone played with virt-manager and KVM on CentOS 7 lately?
>>
>> I was surprised by a lot of the things that were difficult or at least
>> arcane in previous releases are fairly trivial now.
>>
>> For instance, a few years ago, bridged networking was a fairly poorly
>> documented procedure of setting up a bridge, setting up the virtual lan,
>> virtual adapters, etc. Now, its just a setting on the network adapter when
>> you add it.
>>
>> I think I can easily step away from VMWare.
>>

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/   PP-ASEL-IA N1NWH
   warl...@mit.edu   PGP key available


Re: [Discuss] How to permanently remove Linux package from installation

2017-02-04 Thread Derek Atkins
Perhaps openbox requires cinnamon and nothing else does? The dnf would consider 
it a non-necessary package and remove it.  You can remove it and then 
re-install?

-derek

Sent from my mobile device. Please excuse any typos.

- Reply message -
From: edwa...@linuxmail.org
To: 
Subject: [Discuss] How to permanently remove Linux package from installation
Date: Sat, Feb 4, 2017 6:17 PM

It wants to remove openbox, along with 15 other packages.

Cinnamon apparently doesn't require it, as I have that also installed
on a laptop (although 32-bit) and openbox is not installed on it.

Removing:
 Package                Arch    Version           Repository     Size
 arc-theme              noarch  20161119-3.fc25   @updates       2.3 M
 cinnamon               x86_64  3.2.8-9.fc25      @updates       7.6 M
 cinnamon-session       x86_64  3.2.0-1.fc25      @updates       989 k
 imsettings-cinnamon    x86_64  1.7.2-1.fc25      @@commandline  517 k
 mint-x-icons           noarch  1.4.0-2.fc25      @updates        95 M
 mint-y-icons           noarch  1.0.4-1.fc25      @updates        17 M
 openbox                x86_64  3.6.1-2.fc24      @fedora        995 k
 python-beautifulsoup4  noarch  4.5.3-1.fc25      @updates       741 k
 python-html5lib        noarch  1:0.999-9.fc25    @@commandline  1.2 M
 python2-cssselect      noarch  0.9.2-1.fc25      @@commandline  158 k
 python2-inotify        noarch  0.9.6-6.fc25      @@commandline  264 k
 python2-lxml           x86_64  3.7.2-1.fc25      @updates       3.4 M
 tint2                  x86_64  0.12.12-1.fc25    @@commandline  1.2 M
 xawtv                  x86_64  3.103-8.fc24      @fedora        2.0 M
 xorg-x11-fonts-misc    noarch  7.5-16.fc24       @fedora        6.8 M
 zvbi                   x86_64  0.2.35-1.fc24     @fedora        1.3 M




On Sat, 04 Feb 2017 18:10:31 -0500
"Derek Atkins"  wrote:

> What happens when you "dnf erase .." the package?
> 
> -derek
> 
> Sent from my mobile device. Please excuse any typos.
> 
> - Reply message -
> From: edwa...@linuxmail.org
> To: 
> Subject: [Discuss] How to permanently remove Linux package from
> installation Date: Sat, Feb 4, 2017 5:55 PM
> 
> Under Fedora, I previously tried out the LXDE desktop, then
> subsequently removed it. One of the packages it used, openbox,
> remained on the system and repeated attempts to remove this package,
> have not resulted in its permanent removal. I should note that
> openbox was never built for Fedora 25 and dnf installs the Fedora 24
> package.
> 
> I located a couple of other LXDE-related packages that had remained on
> the system, once removed along with openbox, the package was not
> installed again through subsequent system updates. However today,
> openbox again became listed and dnf installed it again.
> 
> Is there a Linux command of some sort that will display the
> dependencies of a particular package? I would like to find out exactly
> what openbox requires and if no other installed package(s) requires
> the same, the intent is to remove them along with openbox.
> 
> Thank you.


Re: [Discuss] How to permanently remove Linux package from installation

2017-02-04 Thread Derek Atkins
What happens when you "dnf erase .." the package?

-derek

Sent from my mobile device. Please excuse any typos.

- Reply message -
From: edwa...@linuxmail.org
To: 
Subject: [Discuss] How to permanently remove Linux package from installation
Date: Sat, Feb 4, 2017 5:55 PM

Under Fedora, I previously tried out the LXDE desktop, then
subsequently removed it. One of the packages it used, openbox, remained
on the system and repeated attempts to remove this package, have not
resulted in its permanent removal. I should note that openbox was never
built for Fedora 25 and dnf installs the Fedora 24 package.

I located a couple of other LXDE-related packages that had remained on
the system, once removed along with openbox, the package was not
installed again through subsequent system updates. However today,
openbox again became listed and dnf installed it again.

Is there a Linux command of some sort that will display the
dependencies of a particular package? I would like to find out exactly
what openbox requires and if no other installed package(s) requires the
same, the intent is to remove them along with openbox.

Thank you.


Re: [Discuss] FreeNAS

2016-10-07 Thread Derek Atkins
Hi,

I've got a FreeNAS box set up with ~16TB of zraid2 (6 4TB disks).  I use
it as a backup storage server (to backup my other systems), a
TimeMachine server for my wife's Mac, and as a distro mirror for my
local systems (so I can pull from local storage instead of upstream).

I overprovisioned this system; it's got 128GB RAM, but I've got room to
add 24 more HDDs when the 16TB gets to be tight.  Right now I'm using
about 50-60% of my available space.

So far I like it.

-derek

Shirley Márquez Dúlcey  writes:

> I have long had a media server based on some variety of Linux, most
> recently Ubuntu. Version 1 had five 200-250GB drives in RAID 5 in a
> mini-tower and ran SuSE. That was replaced a few years back by the
> current box: a MiniITX motherboard with an AMD E-350 (chosen for low
> power consumption in a 24/7 box, not performance) and a pair of 1.5TB
> drives, originally running Ubuntu 10.04 LTS and upgraded to 12.04 and
> 14.04. But it was getting cramped so it was time for its next upgrade.
> I wanted to try something a bit more packaged, so I decided to give
> FreeNAS a try. The file security features of ZFS were also a draw.
> (ZFS is available in Linux now - Ubuntu 16.04 LTS and various other
> distros have it as an option - but the implementation in FreeBSD is
> more mature.)
>
> I stuck with the same box but upgraded the RAM. It had 4GB RAM which
> won't cut it for FreeNAS (8GB is the minimum) so I decided to max out
> the platform with 16GB (2x8GB). The new DDR3 2400 sticks ($5 more than
> DDR3 1600) actually went in my gaming/development box (which can take
> advantage of the higher memory speed) and the DDR3 1600 sticks in that
> system went into the NAS. (Memory support on the E-350 actually maxes
> out at DDR3-1066 so even the 1600 is overkill, though it does have
> 6-6-6 timing at that speed which is nice.) The storage: two new 4TB
> drives that I got a few months ago and are finally getting around to
> using. (For now the 1.5TB drives are on the shelf; they will either
> get added back as a second volume or used elsewhere.) A pair of 32GB
> USB flash drives round out the hardware - FreeNAS requires that you
> boot from something other than the storage drives, and it will mirror
> the boot drives if you use two. 8GB boot drives are the minimum, but
> with 32GB at $9 each at Micro Center there didn't seem to be any point
> to scrimping.
>
> So far so good. The hardware is way below the usual recommended
> platform for FreeNAS, but it does meet the minimum requirements
> (dual-core or more x86-64 CPU) and my needs are modest. It was easy to
> set up and it feels like it serves up files more responsively than
> Ubuntu did. (The additional RAM doesn't hurt!) Specifically, it seems
> to handle seeking to a different part of a file much better than
> either Ubuntu or shares from my Windows Media Center box (used
> primarily as a DVR) - dragging the time slider forward in a video file
> to skip past things or backward for replays is just about instant,
> while the other sharing solutions often lagged.
>
> All in all, I can recommend FreeNAS based on my experience. If anybody
> else here has used it, I'd love to hear about your experiences.

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] IPv4 tunnel providers

2016-05-16 Thread Derek Atkins
Tom,

Tom Metro  writes:

> I'm looking to switch to a different ISP for a home office setup, and
> one of the last details to get figured out is the static IP setup. I
> have a single static IPv4 address with my current provider. The new
> provider seems to want what I think is excessive to rent a single IP.
> Furthermore, I have a class C that I'd like to be able to leverage, and
> I like the idea of tunneling out past the ISP to some cloud termination
> point so I'll have the flexibility to switch ISPs for the last mile
> (either short term during an outage, or long term) without disrupting my
> static IP setup.
>
> Prior research turned up that HE (https://tunnelbroker.net/) offers this
> type of service for free, but IPv6 only, and locally Cambridge Bandwidth
> Consortium (CBC, http://www.cambridge.bandwidth-consortium.us/) does this.

I've been a CBC member since it began, starting as a T1 customer with a
backup v4 tunnel (routing my class C) to using a tunnel full time.  It's
a good group of people, but it's a co-op so don't expect high levels of
"customer service" -- it's all generally volunteer effort.

But once stuff gets configured you rarely need to change it.

NOTE, however, that if you have a dynamic IP address then CBC might not
necessarily be the right solution currently; there is no automated
"repoint my endpoint" process so if you get renumbered you need to
manually adjust the tunnel.

> (The chart here:
> https://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers says HE
> supports BGP peering. I wonder if that means I can announce an IPv4 route?)
>
> I'm looking for recommendations for other providers. That could be an
> business ISP that does GRE tunnel termination, or a business-class VPN
> service that will advertise routes to customer supplied IPs. A plan B
> solution would be a cloud VM, though those typically don't support
> customer supplied IPs.
>
>  -Tom

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] I need some dual-booting advice

2016-04-19 Thread Derek Atkins
Rich Pieri  writes:

> On 4/12/2016 10:59 AM, Derek Atkins wrote:
>> What exactly do you mean by "Shared Virtual Machine"?  Can't you create
>> a /vmware partition that is owned by e.g. root:vmware_users, set mode
>> 6775, and put the VM config in there?
>
> Ker-workie. I don't know that this is the best solution but it is a
> working solution which is all I really need.

Yay!  Glad that works!

> Thank you.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] Strange sendmail (and postfix) spam issue: accepting fail "from" myself?

2016-04-14 Thread Derek Atkins
Hi,

Derek Martin  writes:

> On Tue, Mar 29, 2016 at 02:09:15PM -0400, Derek Atkins wrote:
> >> So now I want to focus on Sendmail.  Any sendmail gurus out there?
>
> Hello Derek!
>
> Did you ever find a solution for this for Sendmail?  I would never
> call myself a Sendmail guru, especially now--but I recall I spent some
> time on trying to solve this a while back and failed.  It seems the
> Sendmail folks believe that fixing this is a bad idea, because it can
> block legitimate mail e.g. if someone at your site sends mail to
> someone at another site that has a .forward file that points to an
> address at your site.  In case that's not clear:
>
>   From: f...@example.com
>   To: b...@example.org
>
> And b...@example.org has a .forward file that forwards to
> b...@example.com.
>
> Apparently, this message will get lost.  This seems like it should be
> a fixable problem, but pffft.
>
> I did just find this recipe, which appears to be outdated:
>
>   http://www.sendmail.org/~ca/email/examples/Ted.html
>
> I also thought SPF and/or DMARC would fix this, but I never got around
> to trying to set any of that up...

Alas, no, I never did figure this out.  :(

In my case, I know that the "forward back to myself" is never going to
happen.  This is just a mailman server, so all mail is either
originating locally or being relayed through mailman.  There should
never be a remote connection where MAIL FROM is my domain.

Of course it doesn't differentiate between a connection from 127.0.0.1
and a connection from elsewhere.  :(  So it's blocking mailman too when
I put those blocks in.

I think I might just switch to postfix when I have time.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] I need some dual-booting advice

2016-04-13 Thread Derek Atkins

On Wed, April 13, 2016 11:21 am, Rich Pieri wrote:
> On 4/13/2016 10:43 AM, Derek Atkins wrote:
>> Interesting.  I'm not sure if there's a way to convert a standard VM to
>> a Shared VM.  The "Share" menu item seems to be greyed out in my version
>> of WS-Pro 12.
>
> If you're curious then right-click the VM in the "My Computer" list ->
> Manage -> Share and follow the wizard.

Like I said, the Share item is greyed out in the "Manage" menu.

> Rich P.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] I need some dual-booting advice

2016-04-13 Thread Derek Atkins
Rich Pieri  writes:

> On 4/12/2016 10:59 AM, Derek Atkins wrote:
>> What exactly do you mean by "Shared Virtual Machine"?  Can't you create
>> a /vmware partition that is owned by e.g. root:vmware_users, set mode
>> 6775, and put the VM config in there?
>
> I hadn't thought of that but I'll give it a shot.
>
> Shared virtual machines are sometimes called VMware Workstation Server
> mode. Shared VMs work a lot like KVM but still running in user space
> instead of in kernel space or on a bare metal hypervisor. A benefit to
> shared VMs is that they can be started in the background at boot time
> independent of the console UI. The tradeoff is that none of the direct
> system/hardware access the console UI provides is available to them.

Interesting.  I'm not sure if there's a way to convert a standard VM to
a Shared VM.  The "Share" menu item seems to be greyed out in my version
of WS-Pro 12.

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] I need some dual-booting advice

2016-04-12 Thread Derek Atkins
Rich,

Rich Pieri  writes:

> I have a couple of workstations I need to get set up. The owner wants to
> have both Windows and RHEL6 on them. Either dual-boot or running Windows
> in a virtual machine on Linux hosts is acceptable to the owner. Both
> operating systems need to be available to multiple users on the console
> (not simultaneously) and if Windows is virtualized then automatic USB
> pass through from the console is required.
>
> These last two have me stumped for the best way to get these set up. My
> first attempt was with KVM but USB pass through is a manual process that
> has to be performed by an administrator for each device. This is not
> viable. My second attempt was with a VMware workstation shared virtual
> machine which I discovered the hard way doesn't do USB pass through at all.
>
> Is there some virtualization trick that I'm missing, something that will
> do a shared virtual machine with automatic USB pass through or is
> dual-booting the only way to get this working?

What exactly do you mean by "Shared Virtual Machine"?  Can't you create
a /vmware partition that is owned by e.g. root:vmware_users, set mode
6775, and put the VM config in there?

I know that VMware Workstation supports USB pass through.  It's always
worked for me.  But I'm not sure what you mean by "shared virtual
machine" because that might actually change the parameters.

For me, on workstation-12, when I open a VM I can set USB to
"automatically connect devices".

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] Strange sendmail (and postfix) spam issue: accepting fail "from" myself?

2016-03-29 Thread Derek Atkins
Rich,

On Tue, March 29, 2016 1:42 pm, Rich Pieri wrote:
> On 3/29/2016 1:24 PM, Derek Atkins wrote:
>> smtpd_relay_restrictions =
>
> This looks like the problem. Remove it entirely from your main.cf and
> restart Postfix. This should bring the default rules which will block
> relay attempts from anyone that does not match $mydestination or is not
> an authenticated user.

I don't think so.  From
http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions :

 For backwards compatibility, sites that migrate from Postfix versions
before 2.10 can set smtpd_relay_restrictions to the empty value, and use
smtpd_recipient_restrictions exactly as before.

So the empty relay_restrictions should imply the equivalence to the
recipient_restrictions.

I think the issue was the lack of sender_login_mismatch in the
sender restrictions.

So now I want to focus on Sendmail.  Any sendmail gurus out there?

Thanks,

> Rich P.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] Strange sendmail (and postfix) spam issue: accepting fail "from" myself?

2016-03-29 Thread Derek Atkins
Hi Rich,

On Tue, March 29, 2016 1:15 pm, Rich Pieri wrote:
> Postfix out of the box should not permit what you describe so I think
> you broke something. Things to check in main.cf: mydestination,
> mynetworks, relay_domains, and smtpd_relay_restrictions.

I thought so, too.  Here's what I've got:

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
/etc/postfix/hostlist

mynetworks = 127.0.0.0/8 /24 192.168.X.0/24
[2001::::]/48 [::1]/128 [fe80::]/10

relay_domains is not set

smtpd_relay_restrictions =

For kicks I just added reject_unauthenticated_sender_login_mismatch to my
smtpd_sender_restrictions:

smtpd_sender_restrictions = permit_mynetworks,
permit_tls_clientcerts,
permit_sasl_authenticated,
check_sender_access hash:/etc/postfix/goodsender,
check_sender_access hash:/etc/postfix/badsender,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
check_sender_access hash:/etc/postfix/sender_access,
reject_unverified_sender,
reject_unauthenticated_sender_login_mismatch,
permit

> Not sure off-hand what the sendmail equivalents are.

This is my bigger concern  :(

One of these years I should just migrate that server over to postfix.

> Rich P.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



[Discuss] Strange sendmail (and postfix) spam issue: accepting fail "from" myself?

2016-03-29 Thread Derek Atkins
Hi,

I've got a recently-occurring spam issue that I'm trying to solve.  And
apparently it's happening on two different servers running both sendmail
and postfix.  The issue is that someone is connecting from a remote
system, claiming to be "from" my domain, and sending mail "to" my
domain.

In other words, they connect to mail.foo.example claiming to be
from: sales@foo.example and sending to: user@foo.example.  For some
reason this is making it past my spam checks, and I don't know why.

Strangely, this is happening both in postfix and in sendmail.

It's quite annoying, and getting more.. "popular".

Any advice from the crowd?

I'm happy to share configuration data privately; on the sendmail side I
*do* use relay_based_on_MX; maybe that has something to do with it?

On the postfix side, I might need to explicitly disallow senders
claiming to be from my own domain that aren't authenticated; I suppose I
need to add "reject_unlisted_sender" to my smtpd_sender_restrictions?

Thanks,

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available
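An added illustration, not Derek's configuration and not code from Postfix: a small Go model of how Postfix walks the smtpd_sender_restrictions list Derek posted above, run against the "remote client claiming MAIL FROM my own domain" case from the original question. The smtpd_sender_login_maps and check_sender_access tables, the client addresses and the foo.example senders are constructed; restrictions the model does not know are treated as DUNNO, and access-table probing stops at the sender's domain.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Session is what smtpd knows when smtpd_sender_restrictions runs.
type Session struct {
	ClientIP string // connecting client address
	SASLUser string // empty when the client did not authenticate
	Sender   string // MAIL FROM address
}

type Config struct {
	MyNetworks      []string          // $mynetworks, as CIDR strings
	SenderLoginMaps map[string]string // smtpd_sender_login_maps: address -> owning login (assumed table)
	SenderAccess    map[string]string // check_sender_access table: address or domain -> OK/REJECT (assumed table)
	Restrictions    []string          // smtpd_sender_restrictions, in order
}

// ExampleConfig is a constructed main.cf in the shape of Derek's, with the two lookup tables his message does not show filled in.
func ExampleConfig() Config {
	return Config{
		MyNetworks:      []string{"127.0.0.0/8", "192.168.1.0/24"},
		SenderLoginMaps: map[string]string{"sales@foo.example": "sales", "user@foo.example": "user"},
		SenderAccess:    map[string]string{"foo.example": "REJECT", "spammer.example": "REJECT"},
		Restrictions: []string{
			"permit_mynetworks",
			"permit_sasl_authenticated",
			"reject_unauthenticated_sender_login_mismatch",
			"check_sender_access",
			"permit",
		},
	}
}

func inMyNetworks(ip string, nets []string) bool {
	for _, n := range nets {
		if _, cidr, err := net.ParseCIDR(n); err == nil && cidr.Contains(net.ParseIP(ip)) {
			return true
		}
	}
	return false
}

// lookupAccess probes the access table for a sender: full address first, then its domain (parent-domain probing omitted here).
func lookupAccess(table map[string]string, sender string) string {
	_, domain, _ := strings.Cut(sender, "@")
	if v, ok := table[sender]; ok {
		return v
	}
	return table[domain] // "" when neither is listed
}

// Evaluate walks the list and returns the first decisive action with the restriction that produced it; entries the model does not know are DUNNO, and falling off the end is DUNNO too (Postfix then permits).
func Evaluate(cfg Config, s Session) (action, by string) {
	sender := strings.ToLower(s.Sender)
	for _, r := range cfg.Restrictions {
		switch r {
		case "permit_mynetworks":
			if inMyNetworks(s.ClientIP, cfg.MyNetworks) {
				return "PERMIT", r
			}
		case "permit_sasl_authenticated":
			if s.SASLUser != "" {
				return "PERMIT", r
			}
		case "reject_unauthenticated_sender_login_mismatch":
			// Fires only for a sender that has an owner in smtpd_sender_login_maps.
			if _, owned := cfg.SenderLoginMaps[sender]; owned && s.SASLUser == "" {
				return "REJECT", r
			}
		case "check_sender_access":
			switch lookupAccess(cfg.SenderAccess, sender) {
			case "OK":
				return "PERMIT", r
			case "REJECT":
				return "REJECT", r
			}
		case "permit":
			return "PERMIT", r
		}
	}
	return "DUNNO", "end of list"
}

func main() {
	for _, s := range []Session{
		{"203.0.113.5", "", "sales@foo.example"},      // the spam from the original question
		{"203.0.113.5", "", "bogus@foo.example"},      // own domain, address not in the login map
		{"127.0.0.1", "", "list-bounces@foo.example"}, // mailman relaying through localhost
	} {
		action, by := Evaluate(ExampleConfig(), s)
		fmt.Printf("%-12s sasl=%-7q %-28s -> %s (%s)\n", s.ClientIP, s.SASLUser, s.Sender, action, by)
	}
}
```

reject_unauthenticated_sender_login_mismatch only fires for senders that have an owner in smtpd_sender_login_maps, which is why the bogus@foo.example case is left to the domain entry in the access table; that entry also refuses the .forward scenario Derek Martin describes unless that mail arrives authenticated or from $mynetworks.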


Re: [Discuss] NAS: encryption

2015-07-09 Thread Derek Atkins
Rich,

On Thu, July 9, 2015 7:50 pm, Richard Pieri wrote:

> If you want to step up to something a little more enterprise-y, a
> Synology DS1815+ with 8x3TB is currently $2239 on Amazon right now.

Does this $2239 price include the 8 drives?

>   It
> pulls up to 250W so it will cost a little more to power so somewhere
> around $4000 the first year and $1600/year to operate.

WOW!!!  Your electricity is EX..PEN...SIVE!  Assuming my math is right,
250W is 1kWh every 4 hours, which means 6kWh/day * 365 days/year ==
2190 kWh/year.  To cost $1600 to operate you're paying $0.73/kWh!?! I...
don't think so.  So either your math is wrong or mine is.  By my math at
15c/kWh (which is MUCH more than I pay here in Georgia over the course of
the year), this would cost $328.50/year to operate.

> Rich P.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] NAS: encryption

2015-07-09 Thread Derek Atkins
Richard Pieri  writes:

> On 7/8/2015 10:23 AM, ma...@mohawksoft.com wrote:
>> The problem with internal drive encryption is getting any level of
>> disclosure and accountability.
>
> This is simply not true.
>
> FIPS security profiles are public record. Here's the security profile
> for the cryptographic module used in several of Seagate's enterprise
> SEDs:

The problem with FIPS certification (and I know this first hand, having
been involved in multiple FIPS certifications over the past year) is
that all the cert tells you is "yes, the AES algorithm is implemented
correctly" and "yes, the FIPS core performs correctly".

However (and this is the big gotcha), the certification does
not talk about HOW the crypto is used!  For example, if you're running
disk encryption the *crypto* can be fully FIPS compliant, but it could
still do something stupid with the FIPS-certified crypto.  For example,
it could be using ECB mode instead of some chaining mode.  Or it could
somehow store the keys in an unprotected mode.

Basically, FIPS only talks about what's inside the FIPS boundary, but
the system as a whole is always much larger than just the FIPS
boundary.

As I said before, when using the disk's onboard encryption it is
unlikely that you could externally verify that the disk is actually
encrypting the data properly, unless the disk actually gives you the
encrypted content when the crypto is not initialized.  I have no idea if
this is how it works; my understanding was that if the disk is encrypted
then it won't give you any data without keys.  I.e., you cannot verify
the encryption is correct.

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] NAS: encryption

2015-07-08 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: John Abreau [mailto:abre...@gmail.com]
>> 
>> "Edward Ned Harvey (blu)"  writes:
>> 
>> > You seem to think there's an obstacle which isn't really real -
>> > Encryption is very cheap computationally, so cheap indeed it can be
>> > done by the disks themselves.
>> 
>> 
>>  On Tue, Jul 7, 2015 at 1:14 PM, Derek Atkins  wrote:
>> I don't trust my disks to do the encryption, mostly because there's
>> really no way to verify that it's doing it correctly, and the key
>> management gets a lot harder.
>> 
>> The way I read it, the message wasn't that you should trust the disk to do 
>> the
>> encryption; it's that encryption has very low overhead today, and the
>> reference to disk-based encryption was merely to illustrate that point.
>
> It seems silly not to trust the disk to do encryption, when you'd
> trust some software that you equally haven't decompiled and inspected.

You assume that I haven't done that.

However, more importantly, I can easily verify that the software is
doing its job by booting the system without it and verifying the disk
is actually encrypted.  I can even verify *what* the encryption is
(which means I can use test vectors to verify that it's encrypting
properly and not doing something silly like rot13).

I.e., I can pick a sector, write some known plaintext to that sector
through the encryption, then turn off the encryption and read the
ciphertext off the disk and compare that to the expected ciphertext.
There's no way to do that kind of verification when you offload the
encryption to the disk.

> I am saying both: Encryption has very low overhead today, and yes it's
> ok to do it in the disk hardware. Nowadays, you can download a dozen
> different AES libraries in any language - including javascript. Not
> that javascript is relevant in context, just to point out, AES is
> SOO ubiquitous that it's literally everywhere and in
> everything. The idea that the disk is going to have a broken
> implementation of AES is beyond far-fetched, into unbelievable
> land. And like I said - it isn't any less likely to be the case in the
> overriding software. Which I guarantee also has a working
> implementation of AES.

This I do completely agree with.  AES is everywhere.  It's in our CPUs.
It's even in our microcontrollers and RFID cards!!!  It's pretty much
ubiquitous.  That doesn't mean it's actually *USED* correctly (most
implementations of AES are limited to ECB mode, not even CBC, let alone
XTR/CTR/CCM/GCM modes).

> The only thing you need to *actually* be concerned about is where do
> the keys come from, how do they get managed, and do they cause
> inconvenience. And I guess it wouldn't hurt to actually plug one of
> the disks into another system and confirm that encryption is *turned
> on*. But as long as it's turned on, and the keys are good and managed,
> yes I trust disk hardware to do the encryption just as much as I trust
> the application software.

This is also a concern, but I want verifiable encryption.  I don't know
how to verify on-disk disk encryption whereas I can verify off-disk disk
encryption.  (I admit that I haven't actually played with on-disk disk
encryption, but my understanding is that the disk firmware blocks
read/write access without proper keys instead of providing ciphertext).

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available
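As an added example, not code from either of the two messages above: a Go mock-up of the audit Derek describes, writing a known sector of plaintext through an encryption layer, taking the raw sector as the bare device now holds it, and comparing it with ciphertext computed independently from the documented cipher, together with the AES known-answer check and a repeated-block test that exposes the ECB case. The key, the two sector-cipher layers and the sector-number IV layout are constructed for illustration (the CTR layout is not dm-crypt's on-disk format).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// SectorCipher is the layer under audit: one sector of plaintext in, raw disk bytes out.
type SectorCipher func(block cipher.Block, sector uint64, pt []byte) []byte

// ECBSector is the "something stupid" case: equal plaintext blocks give equal ciphertext blocks.
func ECBSector(block cipher.Block, _ uint64, pt []byte) []byte {
	bs, ct := block.BlockSize(), make([]byte, len(pt))
	for i := 0; i+bs <= len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// CTRSector keeps the sector number in the high 64 bits of the IV and counts blocks in
// the low 64 bits, so no two sectors share keystream (constructed layout, not dm-crypt's).
func CTRSector(block cipher.Block, sector uint64, pt []byte) []byte {
	iv, ct := make([]byte, block.BlockSize()), make([]byte, len(pt))
	binary.BigEndian.PutUint64(iv[:8], sector)
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// KnownAnswerOK is the "use test vectors" step: the AES primitive is checked against
// the FIPS-197 AES-128 vector before anything built on top of it is trusted.
func KnownAnswerOK() bool {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	want, _ := hex.DecodeString("69c4e0d86a7b0430d8cdb78070b4c55a")
	block, _ := aes.NewCipher(key) // a 16-byte key cannot fail
	got := make([]byte, aes.BlockSize)
	block.Encrypt(got, pt)
	return bytes.Equal(got, want)
}

// referenceCiphertext is the auditor's own AES-CTR with the CTRSector IV layout, built only
// on the block primitive, so the expected bytes never come from the layer being audited.
func referenceCiphertext(block cipher.Block, sector uint64, pt []byte) []byte {
	ctr, ks, out := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize), make([]byte, len(pt))
	binary.BigEndian.PutUint64(ctr[:8], sector)
	for i := 0; i < len(pt); i += aes.BlockSize {
		binary.BigEndian.PutUint64(ctr[8:], uint64(i/aes.BlockSize)) // block counter, low 64 bits
		block.Encrypt(ks, ctr)
		for j := 0; j < aes.BlockSize && i+j < len(pt); j++ {
			out[i+j] = pt[i+j] ^ ks[j]
		}
	}
	return out
}

func hasRepeatedBlocks(b []byte, bs int) bool {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(b); i += bs {
		k := string(b[i : i+bs])
		if seen[k] {
			return true
		}
		seen[k] = true
	}
	return false
}

type AuditResult struct {
	PlaintextOnDisk bool // the sector was not encrypted at all
	MatchesExpected bool // raw bytes equal the independently computed ciphertext
	RepeatedBlocks  bool // identical 16-byte blocks in the ciphertext: the ECB red flag
}

// AuditSector runs the check: write known plaintext through the layer, take the raw sector as the bare device holds it, compare with the documented cipher.
func AuditSector(key []byte, layer SectorCipher, sector uint64, pt []byte) (AuditResult, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return AuditResult{}, err
	}
	raw := append([]byte(nil), layer(block, sector, pt)...) // what reading with the layer off shows
	return AuditResult{
		PlaintextOnDisk: bytes.Equal(raw, pt),
		MatchesExpected: bytes.Equal(raw, referenceCiphertext(block, sector, pt)),
		RepeatedBlocks:  hasRepeatedBlocks(raw, block.BlockSize()),
	}, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)                  // constructed key
	pt := bytes.Repeat([]byte("KNOWN-PLAINTEXT!"), 512/16) // one 512-byte sector of 32 identical blocks
	ecb, _ := AuditSector(key, ECBSector, 7, pt)
	ctr, _ := AuditSector(key, CTRSector, 7, pt)
	fmt.Printf("kat=%v\necb: %+v\nctr: %+v\n", KnownAnswerOK(), ecb, ctr)
}
```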


Re: [Discuss] NAS: lots of bays vs. lots of boxes

2015-07-07 Thread Derek Atkins
Tom Metro  writes:

> Derek Atkins wrote:
> >> I plan to build a FreeNAS box.  I can get a 24-bay 4U case and build
> >> into it for about the same price as a Synology...
>
> That's fine if you need lots of drives to achieve your capacity
> requirements in the near term. If you do, the DIY approach is very
> appealing, as you can accommodate a lot of spindles for a small
> incremental cost.
>
> I've gone down that path as a thought experiment. Having the ability to
> handle lots of drives gives you the comforting feeling that you can
> always expand capacity easily by adding another drive.
>
> But the reality is that you only need to be able to expand capacity at a
> rate faster than your needs are growing, and for lots of use cases the
> rate at which the industry increases density per drive outpaces this. If
> not, then add a couple more drive bays, and repeat the math until your
> overall array shows a predicted capacity increase from drive density
> than your predicted need.
>
> A box with 24-bays is going to be rather expensive if your short term
> needs are for only 4 or 6 bays. Unless a high percentage of those are
> for "near line" backup storage, you need to support those bays with more
> RAM, more SATA ports, faster CPU, more Ethernet ports, etc.

The 24-bay NORCO box is under $400.

At the start I'd be using at least 10 bays (6 large spinning drives in
Raid-Z2, and 4 SSDs in RAID-10), moving to 12 pretty shortly thereafter
(expanding the RAID-10).  I suspect I'll fill another 6 bays (another
Raid-Z2) as soon as my wife and I start to move our audio and video
collection over.

> And then you've got an expensive box with a ton of storage and a single
> point of failure.

I already have a single point of failure; this is just moving it to a
different single point of failure.

> I'm more interested in clever ways of using multiple, cheap, commodity
> NAS boxes, Google-style. For example, for the same cost as that $600+
> (diskless) DIY NAS I linked to, I can get 4 of the QNAP 2-bay boxes and
> maybe combine them with something like MooseFS. You get redundancy where
> some number of the boxes can go down, and it still keeps working, and
> you can expand capacity by adding more boxes (if drive density increases
> don't keep pace).

This might be an interesting exercise if I can get enough total storage.
On the other hand I've found that my failures are usually related to
power, which is yet another single point of failure, and one that I
can't get redundantly in my house.  :)

>  -Tom

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] NAS: encryption

2015-07-07 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On
>> Behalf Of Tom Metro
>> 
>> I imagine it would be challenging to pull off encryption well with
>> appliance hardware. The first problem is getting the software to do it.
>> (Plus all the automation you've previously discussed to set up the keys
>> on boot.) The second challenge is having the horsepower to perform the
>> encryption. Not impossible if they chose their embedded CPU well, but
>> unlikely to be optimized for that.
>
> You seem to think there's an obstacle which isn't really real -
> Encryption is very cheap computationally, so cheap indeed it can be
> done by the disks themselves. Yes, it's absolutely possible for
> appliances to utilize disk encryption, either by using its own CPU, or
> by offloading to the disks. I cannot speak to the specifics of any
> particular appliance actually doing it though, as I don't use any of
> them.

I don't trust my disks to do the encryption, mostly because there's
really no way to verify that it's doing it correctly, and the key
management gets a lot harder.  I'd rather use dm-crypt (or the
equivalent).  In either case you still need to figure out how your keys
are going to get provided when the system boots.

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] NAS: buy vs. build

2015-07-03 Thread Derek Atkins
I plan to build a FreeNAS box.  I can get a 24-bay 4U case and build into it
for about the same price as a Synology that can only hold half the disk space
and a fraction of the RAM.

The disk and RAM were the vast majority of the price.

-derek

Sent on my mobile. Please forgive any typos.

- Reply message -
From: "Richard Pieri" 
To: 
Subject: [Discuss] NAS: buy vs. build
Date: Fri, Jul 3, 2015 2:28 PM

On 7/3/2015 2:47 PM, Tom Metro wrote:
> I'd ask if FreeNAS has been ported to any of them, but given the way
> FreeNAS seems to have moved towards requiring more "enterprise" hardware
> (ECC RAM, and lots of it), that seems unlikely.

ECC RAM is a requirement for full ZFS integrity, and "lots of it" is for 
deduplication. The former is good to have in any kind of storage 
appliance or server, and putting the L2ARC on fast SSD reduces the 
dependency on the latter assuming you even want to use in-band dedup.

> If you do go the build route, there doesn't seem to be any way to
> approach the compact packaging of the appliances, or the pricing. Just
> the enclosure and hot-swap bays (a bit of steel and plastic) can end up
> costing as much as the appliance above.

DIY is substantially more expensive when you consider your time and the 
hassle of trying to work inside a microserver chassis. And you lose out 
on economy of scale since bare bones microservers aren't anywhere near 
as popular as bare bones gaming towers.

> The HP micro servers that have been discussed here several times have
> gone out of production, I think. In any case, they seem a bit dated now.

Yeah. The N series are out, the Gen 8 series is in. And they look very 
tasty.

-- 
Rich P.


Re: [Discuss] SSD Drives

2015-06-24 Thread Derek Atkins
Bill,

Bill Bogstad  writes:

> hdparm -I /dev/sd
>
> gives me firmware revision along with a bunch of other stuff for hard
> drives.
> Can't recall if I've used it with SSDs, but I suspect SATA based SSDs
> should respond.

It works (once I actually installed hdparm).  Thanks for the suggestion:

Model Number:   Samsung SSD 840 EVO 1TB 
Serial Number:  S1D9NSAF419852J 
Firmware Revision:  EXT0BB6Q

> Bill Bogstad

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] A laptop for Linux

2015-06-23 Thread Derek Atkins
Jack Coats  writes:

> I have a fairly recent T-series. T540p.  When I have to, the pad works once
> I got used to it.   I saw where Lenovo is taking a hint and going back to
> 'real buttons' on the trackpad, so I would look for that before jumping.  I
> just didn't know better and trusted Lenovo to not do something too far off
> the beaten path. I use it mainly in a docking station with a regular USB
> mouse.  I also do dual-boot using Linux Mint as my main OS but to help
> diagnose issues for friends, I keep Winders installed and try to boot and
> update it at least monthly.

Yeah, I'm with you.  I upgraded from a T520 to a T540p and was very sad
to learn (after the fact) that the buttons were gone.

I've actually learned to like the trackpad in some cases (I like the
two-fingered scrolling feature)!   However I still frequently
accidentally touch it and then have to go find my mouse cursor.  :(

Glad to hear they've corrected the mistake.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: [Discuss] SSD Drives

2015-06-23 Thread Derek Atkins
Richard Pieri  writes:

> On 6/22/2015 11:34 AM, Derek Atkins wrote:
>> Does one require a Windows box to upgrade the firmware or can it be
>> upgraded from Linux?  :)
>
> I dunnow. Did you check Samsung's support web site?

Eventually I did.  The answer is "yes", assuming you want to do an
online update.  Otherwise you could download an ISO image that
apparently might be able to boot to a firmware updater.

(I have an EVO 840 in my laptop, but no idea what version of f/w it's
running).

-derek



Re: [Discuss] SSD Drives

2015-06-22 Thread Derek Atkins
Richard Pieri  writes:

> On 6/20/2015 9:27 AM, Jerry Feldman wrote:
>> At last Wednesday's BLU meeting a discussion was started regarding some
>> issues with the Samsung SSD drives and some bugs in their firmware.
>> In my case I didn't have my laptop, but I have an Intel SSD not that it
>> matters.
>
> There is a design flaw in the Samsung 840 EVO drives. Only the 840 EVO
> drives are affected; the flaw does not affect 840 PRO or any 850
> series or any other vendor's drives. The 19nm NAND chips in 840 EVO
> combined with buggy firmware caused the drives to go into error
> correcting mode when reading data more than 8 weeks old. Samsung has
> since released a firmware update that appears to correct the
> problem. This is based on early reports 8 weeks after the firmware
> release indicating that the performance degradation is no longer an
> issue.

Does one require a Windows box to upgrade the firmware or can it be
upgraded from Linux?  :)

-derek



Re: [Discuss] Color Laser question

2015-03-05 Thread Derek Atkins
John Abreau  writes:

> The Xerox Phaser fits comfortably on a desk.

We have a Xerox Phaser 6600DN and we like it.
My only issue is that the toner is pretty expensive.

-derek



Re: [Discuss] Steve Gibson's SQRL

2015-02-25 Thread Derek Atkins
Bill Ricker  writes:

> On Wed, Feb 25, 2015 at 8:45 AM, Richard Pieri 
> wrote:
>
>> He's reinvented APOP.
>
>
> There's certainly a similarity. Using the same techniques outside of POP
> in a phone-and-browser setting is a darn good idea.

tl;dr

And how does one know that the authentication server URL is "the right"
URL and not, say, a MitM/Phishing attack?

-derek



Re: [Discuss] Finance software for Linux

2015-01-15 Thread Derek Atkins
Rich Braun  writes:

[snip]
> GnuCash, I'm afraid, is even farther behind on the UI usability
> front. 

As a long-time GnuCash user and developer, I'm curious what exactly you
mean by this.  What UI issues do you have/see in GnuCash?  And have you
let the GnuCash team know about them?

-derek


Re: [Discuss] DNSSEC

2014-12-07 Thread Derek Atkins
Richard Pieri  writes:

> According to me, the answer to your followup question is this: given a
> resolver that pre-dates RFC 3597 or does not implement RFC 3597 for
> some technical reason (Internet of Things constraints perhaps?), you
> cannot rely on it to pass DNSSEC RRs.

Considering RFC 3597 was published in *2003* I would expect everything
today to support it.

-derek



Re: [Discuss] DNSSEC

2014-12-07 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

> In short, the question is:
>
> What is the behavior of an old dns caching server, when it receives a
> client query for record types that it is too old to understand?  Is it
> able to dumbly relay that query upstream, and dumbly relay the
> response back?
>
> The answer to this question essentially determines whether or not
> DNSSEC is broken.

The answer is "it depends on the caching server", however in my hasty
tests it looks like servers even as old as 2009 (e.g. Bind 9.6.1)
support DNSSEC pass through.  E.g.:

  dig @old-server verisignlabs.com +dnssec

gives me RRSIG results.  This is as it should be.

Obviously YMMV, but DNS is designed so that a caching server does not
need to fully understand the contents of RRs in order to request, cache,
or serve them.  However there are some specific DNSSEC processing
requirements, so very old DNSSEC-unaware caching servers may not
properly send RRSIGs in the authority section.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-05 Thread Derek Atkins
John Hall  writes:

> I had not heard of DANE (DNS based authentication of named entities). I
> found rfc-6698 in a search .. not sure if anyone mentioned it yet.
> https://datatracker.ietf.org/doc/rfc6698/

I didn't mention DANE, but it is indeed one of the "additional things" I
was going to mention.  Along with TLSA.  Leveraging DNSSEC one can
provide authoritative bindings to other infrastructure and let clients
know that they should be using TLS and which certs or CAs they should be
using for it.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-04 Thread Derek Atkins
Richard Pieri  writes:

> On 12/3/2014 4:08 PM, Matthew Gillen wrote:
>
>> The second issue was that DNSSEC has a built-in way to MITM it, where an
>> intermediary could strip out the info that indicated that a given domain
>> had DNSSEC records (the claim was this was forced for compatibility).  I
>> think Derek refuted that, and I have to believe that
>> what Richard claimed would defeat the whole purpose of DNSSEC.
>
> Correct. Either you enforce DNSSEC and drop yourself into a black hole
> when a script kiddie plays games with UDP packets or you configure
> your security aware resolver to treat unsigned and stripped DNS
> answers as valid anyway. The former is not "protection"; it's locking
> your computer in a safe filled with concrete and dumping it down the
> Marianas Trench. The latter, well, what's the point of DNSSEC if
> you're going to ignore it?

A script kiddie is only going to be able to send forged additional
responses, but not necessarily block the *real* responses or modify them
en route.  So yes, I still want to ignore the unsigned responses in this
scenario because the real responses *WILL* eventually get through.
Besides, with random ports and random TIDs a script kiddie has much less
of a chance of getting through.

Yes, there are broken middleware boxes (most often in hotels) that can
intercept and manipulate DNS.  Personally I'd like to know when that's
happening to me, and DNSSEC can absolutely tell me that.  Then I can
make a conscious choice of what to do with that information (including
opening myself up to attack).

Eventually those middleboxes will go away -- they've already been going
away slowly.

> Either way, DNSSEC really is pointless for end users.

Bzzt.  You keep coming back to the "pointless for end users" mantra when in
reality it was absolutely designed to help end users.  You're welcome to
continue to think that to yourself (there's no such thing as a thought
police, yet) but please stop spreading your FUD around as fact.  It's
not helping anyone.  Many people have already pointed out many ways that
it helps end users.  I can list many more if you wish, but if you're not
going to listen it's not worth my time, I have real security work to get
back to.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-04 Thread Derek Atkins
Richard Pieri  writes:

> On 12/3/2014 10:52 AM, Derek Atkins wrote:
>> Actually, it was designed to protect against that.  I sat in the
>> IETF meetings where that was explicitly discussed.  If an intermediary
>> strips the DNSSEC records out then a resolver expecting DNSSEC will
>> force a validation error.
>
> Which results in a denial of service for clients if DNSSEC is
> enforced. That's not protecting users; that's dumping them into black
> holes.

Some say DoS, some say protected.  If someone is trying to poison my DNS
Cache I'd rather ignore them and blackhole than accept their attack and
go to the wrong place.  Besides, DNS allows me to go ask multiple
sources for information.

If I'm expecting a DNSSEC response and don't get it, I know that I need
to go ask somewhere else.  That's a FEATURE, not a bug.

If I'm sitting in a hotel room behind a broken middleware box then I
know, for sure, that the middleware is breaking me; I can turn off
validation at that point (or decide never to stay at that hotel again --
or both!)

>> Well, it sort of does, but it's not easy.  But this is why they use
>> ZSKs.  The Root Zone KSK is mightily protected.
>
> So, too, allegedly, were the keys at DigiNotar.

I have no idea what the DigiNotar security practices were.  I *DO* know
exactly what ICANN's practices are (and I even know at least one
key-holder personally).

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-03 Thread Derek Atkins
Richard,

Richard Pieri  writes:

> Derek,
>
> According to the DNSSEC specs, if there is no RRSIG record in the
> lookup answer then a properly behaved resolver will treat it as
> unsigned. Backwards compatibility with so-called insecure DNS is an
> explicit requirement of DNSSEC. So, what happens when a malicious
> actor inserts filters at an intermediary resolver or router that strip
> RRSIG records from DNS answers?

Which RFC states this?  I'm quite familiar with 4033 et al, (and even
more so with their predecessors, 2535 et al).  Granted, I did stop
following the specs somewhere around the NSEC3 discussions, but it was
certainly the case that a DNSSEC-aware resolver would always know
whether to expect signed data.  I.e., if there is no DS record for the
zone then a DNSSEC-aware resolver knows it's not a signed zone.  If
there IS a DS record for the zone and then a query does not return an
RRSIG or NSEC then there's a problem (verification failure).

Obviously a non-DNSSEC-aware resolver doesn't care.

> DNSSEC was never intended to protect you against that. It was designed
> to protect high-level caches -- root zones, ISP's, big data players,
> private networks, and the like -- from cache poisoning. That's it. Any
> benefits that might trickle down to you are incidental.

Actually, it was designed to protect against that.  I sat in the
IETF meetings where that was explicitly discussed.  If an intermediary
strips the DNSSEC records out then a resolver expecting DNSSEC will
force a validation error.

> Never mind that DNSSEC has no means of rolling over the root KSKs. If
> a root is compromised then the whole domain hierarchy is compromised
> and there currently is no way to fix that other than disabling DNSSEC
> for the hierarchy or accepting loss of service for everything under
> that root.

Well, it sort of does, but it's not easy.  But this is why they use
ZSKs.  The Root Zone KSK is mightily protected.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-03 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: Derek Atkins [mailto:warl...@mit.edu]
>> 
>> And you've already violated rule #1: You must trust your resolver.
>
> That's the point we've been talking about.  I forget who said in this
> thread, that DNSSEC only provides security up to the last hop, not
> including the endpoint.

And I say that's not (necessarily) true!

> It is unavoidable that people will travel; they will connect to the
> internet in coffee shops and hotels.  It is not reasonable or
> realistic to expect them to trust their DNS resolver implicitly.  You
> cannot trust the resolver, unless you are your own resolver, or the
> resolver relays security information to you which you're able to
> validate for yourself.  It is unscalable for everybody to be their own

Okay, I think I see the problem here.  You are conflating multiple
different DNS services:

 * resolver
 * recursive resolver
 * nameserver
 * caching nameserver

These are, technically, *different* DNS services.  Yes, historically
they are often combined into a single process (e.g. BIND's named), or
split into a small stub (e.g. libc's libresolv) and a (possibly caching)
nameserver.  But there is nothing that requires them to be co-located or
even co-implemented.  Indeed, there is nothing that says that the
resolver must trust the nameserver (caching or otherwise).

There is absolutely nothing preventing libresolv from performing DNSsec
without running named or some other local caching nameserver.  I.e.,
there is absolutely nothing preventing an end system from performing
DNSsec without trusting the (caching) nameserver it uses.  This includes
not trusting the DNS nameserver provided by DHCP.  All you need is a
local resolver that implements DNSsec checks and uses the provided DNS
nameserver(s) for lookup and caching of RRsets.

> resolver - breaking the distributed nature of DNS.  So really, the
> only scalable solution is to provide security information to the
> endpoints.  Unfortunately, it's also unrealistic to expect all the
> dumb linksys routers and comcast internet connections of the world to
> be upgraded in any timely manner to support relaying security
> information to endpoints.  Yes it's possible for smart endpoints to
> query DNS providers as dictated by DHCP, and become their own secure
> resolvers if and only if the dumb DNS server failed to relay security
> information - but this starts out at the point of being currently
> unscalable.

Actually, most dumb routers like that *WILL* forward DNSsec RRs just
fine; it's really the obnoxious middleboxes (e.g. in hotels) that break
it.

> We'll probably get there someday, just obviously not right now.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-02 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: Derek Atkins [mailto:warl...@mit.edu]
>> 
>> 1) the root zone is signed with a known key, and
>> 2) most of the TLDs are signed (in particular .com is definitely signed)
>
> When you first connected to the network, DHCP told you to use some DNS
> server.  When firefox, or anything else in your OS queries that DNS
> server to resolve some name, you do not receive the response from the
> TLD.  You just get a response to your query, and not all the
> subsequent queries that were necessary in order to resolve your query.
> Better yet, your OS itself caches the response, so once again, FF
> makes some query, and doesn't get a signed response.

And you've already violated rule #1: You must trust your resolver.  In
general this implies running your own DNSsec-aware recursive resolver on
your client (or on some other trusted host).  It does mean that, in
general, you should not blindly trust the DNS servers provided by DHCP.

In my experience you fix this by running your own local caching name
server on your laptop.  That service can go off to the DNS server
provided by DHCP, or it can go out to the servers on the net.  Part of
the design of DNSsec is that it can be proxied.

> This may be a shortcoming of implementation, but if so, that doesn't
> make it any less relevant, because neither your OS name caching
> daemon, nor the upstream caching server are doing "the right thing"
> and the world is a *long* way off from having all the dumb Linksys
> routers upgraded to the point of DNS security being effectively
> universally deployed.

I'm not sure what you mean by "your OS name caching daemon ... are [not]
doing the right thing"?

> These are yet another two possible solutions to the problem - 
>
> Don't use caching DNS servers; every client must query the TLD
> directly and do all its own resolving.  Or, globally adopt a new
> standard where the caching DNS server gives your client not only the
> response you requested, but the entire signed chain...  But these
> solutions very definitely do not exist as globally universally
> standard deployed solutions today.
>
> Today, FF queries for www.google.com, and the query is handled by
> whatever DNS server was doled out to the client via DHCP, and the DNS
> server response is only going to be the final result of the query,
> which could have been mangled in transit.

There are two other ways to handle this:

1) Run a local caching nameserver on your system, or
2) Run a DNSsec-aware resolver on your system which uses the local DNS
   proxy as its cache.

The only real difference between my #1 and #2 is where the cache is
stored.  The resolver still needs to query for everything up to the
root, which it can receive from the cache.  The cache doesn't need to be
trusted if you reverify every time, so what you get from #1 is the
ability to trust the cached data.

I'll note that Firefox could implement #2.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-02 Thread Derek Atkins
Richard Pieri  writes:

> On 12/1/2014 1:42 PM, Derek Atkins wrote:
>> I think it depends very much on your definition of "Secure".  You are
>> correct that DNSsec does not provide any confidentiality services.
>> However it does indeed protect the data integrity from interloping
>> intermediaries and provide authenticated DNS Data.
>
> No, it doesn't. It only prevents cache poisoning when DNSSEC is
> enforced on your resolvers. If you do not enforce DNSSEC on your
> resolvers then your resolvers will accept any unsigned RRs including
> those that have had the RRSIG records stripped by malicious
> intermediaries.

Well, duh..  And if you don't check the validity of your TLS certs then
you can be MITM'ed too.  Of course DNSsec requires a DNSsec-aware
resolver; it cannot protect someone who doesn't want to be protected.
You can put a lock on your front door but it doesn't do any good if you
don't actually lock it!!

But you're looking at the wrong issue; DNSsec-capable resolvers exist
and have existed for years.  In fact I would bet your current Linux host
has a DNSsec-capable resolver.  It might not be turned on by default,
but they are definitely out there.

-derek



Re: [Discuss] free SSL certs from the EFF

2014-12-02 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: Derek Atkins [mailto:warl...@mit.edu]
>> 
>> "Edward Ned Harvey (blu)"  writes:
>> >
>> > Based on my understanding of DNSSEC, it doesn't add security except in
>> > esoteric edge cases.  Because your client doesn't have any point of
>> > trust - if your client queries DNS, there's no way for your client to
>> 
>> This is a false assumption..  Clients can (and are) populated with the
>> well-known Root Zone KSK which is used to verify the root-zone ZSK which
>> in turn signs the TLDs.  So properly configured clients can indeed have
>> a point of trust.  It's effectively the same level of trust you can put
>> into your "root CA list" that also must be populated on the clients.
>
> My point is: Let's suppose I am Firefox (or something) and I create a
> query to resolve "www.google.com."  I don't know if the response to
> that query is supposed to be signed, and I don't have any point of
> trust that I can ask, to reliably determine if the response to this
> query is supposed to be signed.  When I receive the response, if it

I'm sorry, but you are incorrect.  You absolutely know this, because:

1) the root zone is signed with a known key, and
2) most of the TLDs are signed (in particular .com is definitely signed)

So, when you walk down the tree from the root to .com to google.com,
.com will tell you "yes, google.com is signed, and here is the key you
can use to verify their zone".  So voila, you know, authoritatively AND
securely, that google.com is signed.  Which means you should expect
www.google.com to be signed.  If you get an unsigned response from
google.com then you need to also receive a signed message (NSEC) that
says "this is an unsigned portion of this zone", which tells you again
(authoritatively and securely) that you should NOT expect a signed
response.

Of course, all this requires Firefox itself to process DNSsec.

> happens to be signed and passes the verification process, then great!
> Also, if I receive a response that is signed and fails validation,
> then great!  I have a conclusive answer that it's corrupt.  But if I
> receive an unsigned response - I have to just accept it and assume
> it's valid.  Nothing else I can do.  This means, even if google *did*
> sign their response, any intermediate malicious router could simply
> strip the security from the DNS response, mangle it maliciously, and
> serve it to me.  Since the DNS client doesn't have any way to know for
> sure that *this* DNS response was supposed to be signed, it will
> happily accept the insecure (and possibly tampered) response.

No, it won't accept it.  That's the whole point of DNSsec.  If the
resolver is expecting something to be signed and the signatures get
stripped off, then it's not accepted.

> The only way to provide true security would be to somehow inform a DNS
> client, without the possibility of tampering, information that *this*
> DNS query is supposed to be signed, so the client may reject it if
> it's not signed, or if the signature is incorrect or by an untrusted
> authority.  This is absolutely a solvable problem, by any one of
> several possible techniques, but I have not yet read anything
> proposing a solution in this area.

Then you have not read the DNSsec specs.  It absolutely solves this
problem, because the root zone *IS* signed, and has been for a few
years.

> As far as I know, right now, DNSSEC only provides *optional* security
> for normal queries, but if you manage a domain, then you can configure
> your DNS servers to communicate with each other and require DNSSEC
> when communicating with each other.  In other words, you the admin who
> has control over your domain, can dictate and configure your servers
> to require your own DNS servers to use DNSSEC when communicating
> amongst each other (and reject anything that isn't signed), but I'm
> not aware of anything that extends this requirement to regular DNS
> clients.

It's optional, yes, but it's authoritatively optional.  Your parent zone
can authoritatively and securely relay whether your zone is signed or
not.

Of course, yes, this requires the client to be DNSsec aware.  A
non-DNSsec client must trust its resolver implicitly to perform DNSsec
checks.

-derek

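The chain-of-trust walk this post describes, together with the DS-record rule from the 2014-12-03 reply above (a parent's DS tells the validating resolver to expect signatures, a signed "no DS" proof marks an unsigned delegation, and a stripped or forged RRSIG fails validation), as an added worked example that is not code from this thread. It is a structural toy, not real DNSSEC: HMAC over a constructed zone tree stands in for the public-key RRSIGs, a SHA-256 of the zone key stands in for DS, and a signed NODATA answer stands in for the NSEC proof; zone names, keys and addresses are all constructed.

```python
import hashlib
import hmac

# Validation states a DNSSEC-aware resolver assigns (RFC 4033 terms).
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed toy zone tree (not real DNS data).  "key" stands in for the zone's
# DNSKEY; None means unsigned.  com. and example.com. are signed, org. is not.
ZONES = {
    ".": {"key": b"root-key", "records": {}},
    "com.": {"key": b"com-key", "records": {}},
    "example.com.": {"key": b"example-key", "records": {"www.example.com.": "192.0.2.10"}},
    "org.": {"key": None, "records": {}},
    "example.org.": {"key": None, "records": {"www.example.org.": "192.0.2.20"}},
}

# Trust anchor configured in the resolver: a digest of the root key, playing the
# role of the well-known Root Zone KSK.
TRUST_ANCHOR = hashlib.sha256(ZONES["."]["key"]).hexdigest()

def zone_of(name):
    """Closest enclosing configured zone for a name (longest matching suffix)."""
    cands = [z for z in ZONES if z == "." or name == z or name.endswith("." + z)]
    return max(cands, key=len)

def chain_to(zone):
    """Zones from the root down to `zone`, e.g. ['.', 'com.', 'example.com.']."""
    chain = []
    while True:
        chain.append(zone)
        if zone == ".":
            return chain[::-1]
        zone = "." if zone.count(".") == 1 else zone.split(".", 1)[1]

def sign(key, name, rtype, rdata):
    """HMAC stands in for an RRSIG; real DNSSEC uses public-key signatures."""
    return hmac.new(key, f"{name}|{rtype}|{rdata}".encode(), hashlib.sha256).hexdigest()

def authoritative(zone, name, rtype):
    """The answer the authoritative server for `zone` gives, before any intermediary."""
    key = ZONES[zone]["key"]
    if rtype == "DNSKEY":
        rdata = key.hex() if key else ""
    elif rtype == "DS":
        child_key = ZONES[name]["key"]
        # Signed child: its DS digest.  Unsigned child: a *signed* "no DS" answer
        # standing in for the NSEC proof of an unsigned delegation.
        rdata = hashlib.sha256(child_key).hexdigest() if child_key else "NODATA"
    else:
        rdata = ZONES[zone]["records"].get(name, "NXDOMAIN")
    rrsig = sign(key, name, rtype, rdata) if key else None
    return {"name": name, "type": rtype, "rdata": rdata, "rrsig": rrsig}

def verify(key, resp):
    """False when the RRSIG is missing (stripped) or does not match the data."""
    return resp["rrsig"] is not None and hmac.compare_digest(
        resp["rrsig"], sign(key, resp["name"], resp["type"], resp["rdata"]))

def resolve(qname, fetch=authoritative):
    """Validate qname's A record walking down from the root.  `fetch(zone, name, rtype)`
    models the untrusted path (caching nameserver, hotel middlebox) the answers cross.
    Returns (status, rdata); rdata is None when the answer is BOGUS."""
    chain = chain_to(zone_of(qname))
    status, expected_ds, key = SECURE, TRUST_ANCHOR, None
    for i, zone in enumerate(chain):
        if status != SECURE:
            break  # an authenticated unsigned delegation covers everything below it
        dnskey = fetch(zone, zone, "DNSKEY")
        key = bytes.fromhex(dnskey["rdata"])
        # The key must hash to the parent's DS (the trust anchor at the root) and the
        # DNSKEY answer must itself carry a valid signature.
        if hashlib.sha256(key).hexdigest() != expected_ds or not verify(key, dnskey):
            return BOGUS, None
        if i + 1 < len(chain):
            ds = fetch(zone, chain[i + 1], "DS")
            if not verify(key, ds):
                return BOGUS, None  # delegation info unsigned or forged: cannot decide
            if ds["rdata"] == "NODATA":
                status = INSECURE  # parent proved the child is unsigned
            else:
                expected_ds = ds["rdata"]
    answer = fetch(chain[-1], qname, "A")
    if status == SECURE and not verify(key, answer):
        return BOGUS, None  # zone is known to be signed: a missing or bad RRSIG is rejected
    return status, answer["rdata"]

def stripping_path(zone, name, rtype):
    """The intermediary from the thread: forwards answers but drops every RRSIG."""
    resp = authoritative(zone, name, rtype)
    resp["rrsig"] = None
    return resp

def rewriting_path(zone, name, rtype):
    """An intermediary that rewrites the final A answer; it cannot forge the RRSIG."""
    resp = authoritative(zone, name, rtype)
    if rtype == "A":
        resp.update(rdata="203.0.113.66", rrsig=None)
    return resp
```

Running `resolve()` for the two constructed names through each path gives secure/insecure for untouched answers, bogus whenever a signature is stripped (including the proof that org. is unsigned), and, for the rewritten answer under the unsigned org. tree, insecure with the rewritten address accepted, which is exactly the unsigned-zone gap the thread argues over.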


Re: [Discuss] free SSL certs from the EFF

2014-12-01 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
>> bounces+blu=nedharvey@blu.org] On Behalf Of Matthew Gillen
>> 
>> This is not without new attack vectors: you can only trust DNS responses
>> as far as DNS-SEC goes, which unfortunately ends one-hop before
>> end-systems (unless you run your own DNS server and force everything on
>> your home network to use that; which I do but don't know how common
>> that
>> is).
>
> Based on my understanding of DNSSEC, it doesn't add security except in
> esoteric edge cases.  Because your client doesn't have any point of
> trust - if your client queries DNS, there's no way for your client to

This is a false assumption..  Clients can (and are) populated with the
well-known Root Zone KSK which is used to verify the root-zone ZSK which
in turn signs the TLDs.  So properly configured clients can indeed have
a point of trust.  It's effectively the same level of trust you can put
into your "root CA list" that also must be populated on the clients.

> know *this* response is authentic for your domain.  In theory, you
> could start using x509 certs to sign your DNS but then there's the
> chicken and egg problem.
>
> I don't see any way to make DNS actually secure, except to completely
> scrap all of DNS in favor of a new "secure" DNS.  Which could
> literally be regular DNS with TLS on it, but the point is, as long as
> you try to make clients compatible with *both* the secure and insecure
> DNS, then attacking the secure DNS is trivial.  You just block secure
> DNS and cause the client to fallback to insecure DNS, or you just
> substitute whatever malicious DNS response you want, knowing that the
> client accepts insecure DNS responses.  There is no defense.

I think it depends very much on your definition of "Secure".  You are
correct that DNSsec does not provide any confidentiality services.
However it does indeed protect the data integrity from interloping
intermediaries and provide authenticated DNS Data.


-derek



Re: [Discuss] free SSL certs from the EFF

2014-11-21 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
>> bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro
>> 
>> We sort of already have this today with StartCom (StartSSL), but they
>> have limitations on their free offering. No wildcard certs, and if the
>> host name even sounds like a site that might sell things (e-commerce),
>> they won't issue a cert.
>
> Huh?  I use them for numerous companies, including e-commerce.
> Where'd you hear that?  I'd like to know if it's completely bunk, or
> if I've been accidentally slipping through the cracks all these years.

I've had pushback from them because I have the domain "gnucash.org", and
it has "cash" in the name.  They specifically told me this was an issue.

-derek



Re: [Discuss] Home security & automation

2014-09-24 Thread Derek Atkins
Tom Metro  writes:

>> ...I can buy a multi-camera and dvr setup from BJ's for a few hundred bucks.
>
> The multi-camera DVR setups seem appealing:

Try ZoneMinder.

-derek


Re: [Discuss] to swap or not swap

2014-09-05 Thread Derek Atkins
Stephen Adler  writes:

> Thanks for the discussion. The question, which seems to have gotten lost
> in the original e-mail was that I have a system with 128Gigs of memory
> and I added 32Gigs of swap just because I've always added some swap to
> any system I configure. (It's like brushing your teeth in the morning,
> you just do it...) But with 128Gigs, which is the largest amount of
> memory I've worked with in any system, it dawned on me that perhaps I
> don't need any swap. So, to swap or not to swap was the question.

Yes, you should always have at least *some* swap, even if it's just
512M-1G, in order to swap out dead/dying/zombie processes.

> thanks.

-derek



Re: [Discuss] Why the dislike of X.509?

2014-08-29 Thread Derek Atkins
Richard,

Richard Pieri  writes:

> On 8/28/2014 1:40 PM, Derek Atkins wrote:
>> Passwords?  We don't need no stinking passwords!  You don't need to know
>> your user's passwords, you have access to their keys!  If I could dump a
>> copy of your KDC database then I could then impersonate any user (or
>> server!) on your network and read all their traffic.  I don't need to
>> know their passwords to do that.
>
> I don't have their keys. I have one-way hashes of their keys. And your
> hypothetical dump will have the same one-way hashes. No, that wouldn't
> keep you from exploiting the compromise but it would slow you down.

I'm sorry, but you're just 100% wrong here.  You absolutely, positively
have the user (and service) keys on the KDC.  The keys are a hash (well,
technically KDF, a one way function) of the user's passwords.  So you
are somewhat correct in that yes, you have the hash of user's password.
But no, you do actually have the user's *keys* on the KDC.  Otherwise
the Kerberos protocol wouldn't work at all.

Yes, the KDC stores those keys encrypted in a "master key", but for all
KDCs I've met that master key is stashed in a file on the file system.
So let me rephrase, because you're right a "dump" of the kdc database is
still encrypted in the master key.  But if I can get a clone of the KDC
disk then I've got *everything*, not just able to impersonate but as I
stated before also able to read most communications that have already
occurred.

(The exception, of course, are protocols that use Kerberos only for
authentication of a DH session key -- but very few protocols do that).

But if someone does get that copy, the only thing you can do is
effectively force everyone to reset their password.  You basically have
to rekey everyone (users and servers).  It's still a PITA, but I guess
you're right that there *is* a way to do it.  Not that I think *anyone* has.

>> A bad actor can do *everything* with a compromised KDC.  Yes, there are
>> steps to prevent compromise, just like there are steps to prevent
>> compromise of an X.509 CA.  The main difference here is that if I
>
> Except there aren't. X.509 lacks mechanisms to prevent and detect root
> certificate compromises. It was intentionally designed this way. It was
> designed this way so that, for example, government oversight and the NSA
> can decrypt all messages within the agencies under their authority. This
> all happens silently, undetectable by affected users, by design.

Sure it does, it's called a "CRL"..  And OCSP..  But yes, it's
definitely more work to remove bad actors from the trusted root CA list.

> Attempts have been made to address this design "feature". None to date
> have proven consistently reliable.

I agree with this statement.

-derek



Re: [Discuss] Why the dislike of X.509?

2014-08-28 Thread Derek Atkins
Richard Pieri  writes:

> As an aside:
>
> On 8/26/2014 1:04 PM, Derek Atkins wrote:
>> You (or someone) also brought up Kerberos.  Kerberos *IS* a key escrow
>> system.  If an attacker breaks into your KDC they literally have all the
>> keys to your kingdom.  Not only can they impersonate anyone, they can go
>
> I operate a Kerberos realm. I am not able to tell my users their
> passwords. I don't have them. Kerberos stores one-way hashes of users'
> passwords. I could brute force the database with sufficient time but
> that is steps removed from having the actual keys in my hands.

Passwords?  We don't need no stinking passwords!  You don't need to know
your user's passwords, you have access to their keys!  If I could dump a
copy of your KDC database then I could then impersonate any user (or
server!) on your network and read all their traffic.  I don't need to
know their passwords to do that.

> A bad actor can do quite a bit with a compromised KDC but these things
> are well known. Steps to prevent compromise are well documented as are
> steps to identify compromised KDCs and mitigate the damage that they can do.

A bad actor can do *everything* with a compromised KDC.  Yes, there are
steps to prevent compromise, just like there are steps to prevent
compromise of an X.509 CA.  The main difference here is that if I
compromise your KDC I can now read all the previously-encrypted traffic,
whereas with a compromised X.509 CA all I can do is impersonate players
in the future.  I.e., a KDC Capture gives you *past* communications!

-derek



Re: [Discuss] Why the dislike of X.509?

2014-08-26 Thread Derek Atkins
Richard Pieri  writes:

> On 8/26/2014 10:37 AM, ma...@mohawksoft.com wrote:
>> *any* shared or distributed authority has the same issue.
>
> Shared is not distributed. Shared means more than one entity has
> authority. Each entity is a point of compromise for the entire system.
>
> Distributed means no single entity has authority; a quorum or a
> unanimous consensus is required. Compromise of one entity does not
> compromise the entire system.

So where does DNS come in?  I think most DNS experts would define it as
a "distributed" system.  However there *is* a single entity that has
authority -- the root servers.  Compromise of that would compromise the
whole DNS system.  However there are watchdogs all over the world whose
role is preventing that.

I would argue that it's not a clear dichotomy between "shared" and
"distributed".

-derek



Re: [Discuss] Why the dislike of X.509?

2014-08-26 Thread Derek Atkins
Richard Pieri  writes:

> It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated
> them since the early 1990s. I hate them because they're single points of
> compromise for entire systems. I hate them because compromise is
> undetectable by users.

HUH???  Non-sequitur Alert

How do you jump from X509/OpenVPN to "Key Escrow Systems"???!?!??!?!!?!

Let's get something clear: X.509 does NOT require any kind of Key
Escrow.  Period.  Yes, there are some deployments of PKI/X.509 where the
CA generates the keypair and hands a P12 to the user (private key +
certificate).  And yes, those specific deployments could implement Key
Escrow.  But that's a problem with that deployment model, not a problem
with X.509, and those deployments are the exception, not the rule!

Let me be perfectly clear: In every X.509 system that I have designed,
implemented, or deployed, there was *NO KEY ESCROW*.  The end user
generated the keypair, sent a Certificate Request (CSR) to the CA,
provided some other form or authentication, and the CA signed the CSR
and returned a Certificate.  At no time did the CA have a copy of the
PRIVATE KEY for the user.  In fact, I've never personally encountered a
P12-based system (although I do know they exist).

Now, the problem with CAs as implemented in X.509 (and specifically for
browsers) is that in general ANY root CA can generate and sign a
certificate for ANY name.  So the issue (ala Diginotar) is that a rogue
CA that is accepted in the public (system/browser) roots could
impersonate anyone.  Note that this is *impersonate* which is not the
same thing as having a copy of your key.

You (or someone) also brought up Kerberos.  Kerberos *IS* a key escrow
system.  If an attacker breaks into your KDC they literally have all the
keys to your kingdom.  Not only can they impersonate anyone, they can go
and read any communication that was performed using Kerberos as the
keying system (systems employing a DH-style PFS and authenticating by
Kerberos would not be susceptible, but those are fewer and further
between -- generally the apps just use the KDC-provided session key).

This is far different than someone who breaks into your X.509 CA -- all
they can do at that point is issue new certificates, impersonating you.
This would allow them to act as an authenticated man-in-the-middle
because the client would accept their "fake" certificate as real
(c.f. Diginotar again).

-derek

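A toy model of the escrow property argued in this reply and the two preceding ones in the thread (the KDC database holds the keys themselves, a clone of the KDC disk with its stash file yields past traffic, and only a Kerberos-authenticated DH exchange escapes that). This is an added example, not code from the thread or from any Kerberos implementation; the realm, principals, the HMAC-based stream cipher and the small DH group are constructed stand-ins for the real RFC 3961 encryption types and a real group.

```python
import hashlib
import hmac
import secrets

REALM = b"EXAMPLE.ORG"   # constructed sample realm
NONCE_LEN = 16
P = 2**127 - 1           # Mersenne prime; toy DH group for illustration only
G = 3

def string_to_key(password, principal):
    """Long-term key = KDF(password). The KDC stores this output, and the
    stored output *is* the key (the 'one-way hash' of the thread)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM + principal.encode(), 4096, 32)

def _keystream_xor(key, nonce, data):
    """Toy stream cipher (HMAC keystream XOR data); stands in for an enctype."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key, blob):
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

class KDC:
    """Database entries are wrapped in a master key; the master key itself
    sits in a stash file on the same disk, as the thread describes."""

    def __init__(self):
        self.stash_file = secrets.token_bytes(32)   # master key on disk
        self.database = {}                          # principal -> wrapped long-term key

    def add_principal(self, principal, password):
        self.database[principal] = encrypt(self.stash_file, string_to_key(password, principal))

    def issue_session(self, client, service):
        """AS/TGS exchange collapsed to one step: a fresh session key K goes to
        the client under the client's key and to the service inside a ticket."""
        client_key = decrypt(self.stash_file, self.database[client])
        service_key = decrypt(self.stash_file, self.database[service])
        session_key = secrets.token_bytes(32)
        return encrypt(client_key, session_key), encrypt(service_key, session_key)

def run_kerberos_keyed_session(kdc, client, password, service, message):
    """Common case: application data encrypted directly under the KDC-provided K.
    Returns what a passive network recorder would have captured."""
    as_rep, ticket = kdc.issue_session(client, service)
    session_key = decrypt(string_to_key(password, client), as_rep)
    return {"as_rep": as_rep, "ticket": ticket, "app_data": encrypt(session_key, message)}

def _dh_transcript(A, B):
    return A.to_bytes(16, "big") + B.to_bytes(16, "big")

def run_dh_session(kdc, client, password, service, message):
    """PFS case: K only authenticates a DH exchange; the traffic key is the DH
    secret. Both sides' exponents are drawn here for brevity."""
    as_rep, ticket = kdc.issue_session(client, service)
    session_key = decrypt(string_to_key(password, client), as_rep)
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    auth = hmac.new(session_key, _dh_transcript(A, B), hashlib.sha256).digest()
    traffic_key = hashlib.sha256(pow(B, a, P).to_bytes(16, "big")).digest()
    return {"as_rep": as_rep, "ticket": ticket, "A": A, "B": B, "auth": auth,
            "app_data": encrypt(traffic_key, message)}

def disk_clone_unwraps(disk_clone, client, as_rep):
    """Whoever holds database + stash recovers the long-term key and hence K."""
    client_key = decrypt(disk_clone.stash_file, disk_clone.database[client])
    return decrypt(client_key, as_rep)

def recover_past_traffic(disk_clone, client, capture):
    """Kerberos-keyed session: the recorded application data falls out."""
    return decrypt(disk_clone_unwraps(disk_clone, client, capture["as_rep"]), capture["app_data"])

def clone_view_of_dh_session(disk_clone, client, capture):
    """DH session: K verifies the handshake, but decrypting app_data with it
    yields garbage, because the traffic key never passed through the KDC."""
    session_key = disk_clone_unwraps(disk_clone, client, capture["as_rep"])
    expected = hmac.new(session_key, _dh_transcript(capture["A"], capture["B"]), hashlib.sha256).digest()
    auth_ok = hmac.compare_digest(expected, capture["auth"])
    return auth_ok, decrypt(session_key, capture["app_data"])
```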


Re: [Discuss] Looking for WiFi router with certain characteristics

2014-07-29 Thread Derek Atkins
Bill Bogstad  writes:

> it can be put into: Wi-Fi Router, Access Point, and Range Extender
> modes.   Which it is in depends on software
> configuration and how the Edimax physically connects to the rest of
> your network.  It might be a good idea to verify
> that the device is correctly configured.

Okay, here's a dumb question:  What's the difference between "Access
Point" mode and "Range Extender" mode?  Is "RE" mode using wireless as
the backhaul, whereas "AP" mode uses wired as the backhaul?

> Bill Bogstad

-derek


Re: [Discuss] access points

2014-07-29 Thread Derek Atkins
Michael Tiernan  writes:

> On 7/28/14 5:48 PM, Tom Metro wrote:
>> What goes into a consumer access point is nearly 100% the same hardware
> I use a Netgear router/wifi point here at home and I just found that
> there's a "switch" to put it into "access point mode" which I now have
> to do more reading on.
>
> As it is, acting as a smart box, it breaks my network into two subnets
> that limits some things working.

You can pretty much put most home routers into "AP Mode" (or "Bridge
Mode") and bypass the "routing" functionality.

-derek


Re: [Discuss] rack mountable chassis

2014-07-24 Thread Derek Atkins
I just got some pull-out shelves and put my old tower cases on the
shelves directly.  They all fit just fine and all it cost me was the
price of the shelf, which was much less than the cost of getting a new
case and moving everything over.  The downside is that they take up 5U
(1U for the shelf and 4U for the towers on their sides).  But frankly
I've got plenty of room so I don't care.  :)

-derek

"Joe Polcari"  writes:

> http://www.musiciansfriend.com/rackmount-cases-stands-furniture?isSuggestion
> =true
>
>
> -Original Message-
> From: discuss-bounces+joe=polcari@blu.org
> [mailto:discuss-bounces+joe=polcari@blu.org] On Behalf Of Stephen Adler
> Sent: Wednesday, July 23, 2014 12:36 PM
> To: discuss@blu.org
> Subject: [Discuss] rack mountable chassis
>
> Guys,
>
> I'm back in my obsession mode, this time I'm putting my basement
> computers into a standard 19" rack. So any recommendations on rack
> mountable chassis? I have two mid tower systems and the plan is to take
> the components out of the mid tower chassis and assemble them into two
> rack mountable chassis.
>
> Cheers. Steve.
>



Re: [Discuss] Red Hat

2014-07-08 Thread Derek Atkins
Does Fedora count?

-derek

Sent on my mobile. Please forgive any typos.

- Reply message -
From: "Daniel J. Fitzmartin" 
To: "discuss@blu.org" 
Subject: [Discuss] Red Hat
Date: Tue, Jul 8, 2014 12:55 PM

All,

Is anyone running a Red Hat based distro or know of someone who is?

Regards,
Dan F.


Re: [Discuss] raid issues

2014-06-23 Thread Derek Atkins
Rich,

On Mon, June 23, 2014 10:37 am, Richard Pieri wrote:
> On 6/23/2014 9:41 AM, Stephen Adler wrote:
>> drives) and are the favorite for data centers. But there's a factor of 3
>> difference between the storage capacity and size. so the problem is that
>
> A 24x2.5" storage box takes up three rack units plus one for a server. A
> 16x3.5" storage box takes up 6-7 units plus one for a server so for the
> same space that the 3.5" box uses I can have 48x2.5" disks. 7 units for
> 48TB of raw capacity vs. 7 units for 96TB raw capacity. That's a factor
> of 2 at most and only with very expensive 6TB 3.5" disks. The factor
> drops to 1.3 with 4TB 3.5" disks and is even on with 3TB 3.5" disks.

I've already shown a counter-example showing this is incorrect.  You can
get a 24x3.5" 4U case.  So for an extra 1U I can get the same number of
drives, which gives me 2x-3x on space (largest 2.5" drive I can see right
now is 2GB, vs 4-6GB 3.5" drives).  Of course the 2GB 2.5" drive is only
5400RPM, and as of right now costs $118 from NewEgg, versus a 7200RPM 4GB
drive for $184.

So for an extra 1U and 1.5x the cost I get 2x the storage and more speed
(because it's still the same number of drives, but 7200 v 5400 RPM).  The
running cost, of course, is a little more heat and power.

> There's the performance gain. Three 2.5" 7200 RPM disks together are
> substantially faster than a single 3.5" 15K RPM disk for less power and
> less heat which saves money on cooling costs and is good for drive
> longevity.

That presumes you do run more 2.5" drives than 3.5" drives.  And doing so
drives up the cost.  To get the same amount of space I need 2-3x the
number of 2.5" drives.  At that point is it really still a power/heat
savings?  Are 2.5" drives really using less than 33-50% of the power of a
3.5" drive?

>
> Dell still offers most of their *Vault line with 3.5" options. There are
> also plenty of bare chassis out there to build your own.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [Discuss] raid issues

2014-06-23 Thread Derek Atkins
Hi,

On Mon, June 23, 2014 10:10 am, Stephen Adler wrote:
> Thanks Derek, awesome case

Yeah, I plan to use that myself once I have the funding to build myself a
nice server.

> But I thought maybe I'm barking up the wrong tree by trying to get a
> rack mountable system which has both CPU and storage. Should I be
> looking at perhaps getting a 1U rack and then a separate direct attached
> storage system? That could be the 2,3,4U chassis. The only thing is I'm
> not too familiar with them and I'm worried about the reliability of such
> a configuration.

You could easily do that.  There are nice server boards that will give you
4-8 i7 cores with 256G of RAM (or even more) and enough bus to handle 24
drives.

> On Mon, 2014-06-23 at 09:52 -0400, Derek Atkins wrote:
>> Maybe build a server around the norco RPC-4224 case?
>>
>> http://www.newegg.com/Product/Product.aspx?Item=N82E16811219038
>>

-derek



Re: [Discuss] raid issues

2014-06-23 Thread Derek Atkins
Maybe build a server around the norco RPC-4224 case?

http://www.newegg.com/Product/Product.aspx?Item=N82E16811219038

-derek

On Mon, June 23, 2014 9:41 am, Stephen Adler wrote:
> You guys have given me some great feedback. Thanks!
>
> Another question. As I try and configure this server which I'm getting
> for work, the key issue is its ability to have a lot of hot swappable
> disks. What I'm seeing these days is a migration to the 2.5" drives away
> from the 3.5". The problem is the 2.5" drives only go up to 1 terabyte,
> while the 3.5" drives go up to 6 terabytes. So what's up with this 2.5"
> drive bit? The literature says that they consume less power (the 2.5"
> drives) and are the favorite for data centers. But there's a factor of 3
> difference between the storage capacity and size. So the problem is that
> I have very few options when it comes to buying a rack mounted server
> with 3.5" hot swappable drives. There seems to be a lot more rack
> servers with 2.5" drive bays.
>
> Can anyone recommend a system with 16 3.5" drive bays?
>
> On Sun, 2014-06-22 at 14:14 +, Edward Ned Harvey (blu) wrote:
>> > From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
>> > bounces+blu=nedharvey@blu.org] On Behalf Of Bill Bogstad
>> >
>> > Actual media that you can take physically offline may still have
>> merit.
>>
>> I've heard tons of horror stories where some company's data, including
>> all backups, were destroyed instantly.  Not just redundancy, but backups
>> too.
>>
>> I know of ONE company, where the only reason the company survived was
>> because the CEO had a copy of the core IP on his iPod.
>>
>> Offsite and Offline.  No substitute.
>
>




Re: [Discuss] server mail

2014-06-22 Thread Derek Atkins
Eric Chadbourne  writes:

> On 06/21/2014 11:29 PM, David Kramer wrote:
>> On 06/21/2014 01:08 PM, Eric Chadbourne wrote:
>>> How do you deal with mail generated by the server?  Do you have it
>>> forward to your work email, use mailx, mutt, text editor...
>>>
>>> Thanks for any tips.
>> I don't know how the pros do it but I have root's mail sent to me in
>> /etc/aliases
>> 
>
> That sounds like a good option.  I shall do some more googling.

That's how I've done it for decades.  Although I'm not a pro. Perhaps
you have all your servers send to a "postmaster" list at your main
server and then you can adjust the list in a single place?

> Thanks!
>
> Eric

-derek



Re: [Discuss] color laser printer

2014-06-19 Thread Derek Atkins
I don't like ePrint.  I don't mind AirPrint.  At least with AirPrint you
need to be on the local LAN.

-derek

Jerry Feldman  writes:

> One advantage of this (and other new printers) is that it uses HP ePrint
> so I can print from my phone or tablet. But, as previously mentioned,
> there are security issues with WiFi, and I assume with print services
> from vendors like HP. Other vendors, like Epson have similar remote
> services.
>
> On 06/19/2014 09:09 AM, Jerry Feldman wrote:
>> I bought an HP OfficeJet Pro 8600 2 years ago. It is a multi-function
>> with a duplexer. I prefer it to the older HP laser printers. I don't do
>> heavy doc printing, but I have had very few problems with it. It has a
>> sheet feeder for fax and scanning. While I have had a jam, it was very
>> easy to clear. It has a single paper cartridge, but you can buy an extra
>> 250 sheet paper tray that mounts on the bottom.
>>
>> On 06/10/2014 07:46 AM, Edward Ned Harvey (blu) wrote:
>>>> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
>>>> bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro
>>>>
>>>> another reason why I favor laser
>>>> printers over inkjets is that you can leave them unused for several
>>>> months and not have the ink cartridges dry out.
>>> I don't know if this is universally fixed on all inkjets now and
>>> moving forward, but ...
>>> At least in the Canon PIXMA line, this has not been a problem in
>>> the last several years.
>>
>>



Re: [Discuss] color laser printer

2014-06-12 Thread Derek Atkins
We acquired a Xerox Phaser 6600DN.  It's rather large in physical size,
but it was relatively low cost and the toner cartridges can be replaced
separately and last a while.  We've loved it so far.  Had it a year or
more already and still working with the toner it shipped with, although
we plan to buy more toner soon.  Alas, the toner for this device is
costly, but not too bad when you consider you don't have to replace them
all at the same time.

Just my $0.02.

-derek

Tom Metro  writes:

> I'm looking to replace an old laser printer whose drive motor wore out
> with a new duplexing laser. I've browsed the Brother (often recommended
> here) multi-function lasers online, and I see that I can get a color
> laser for a fairly small incremental increase in the purchase price.
>
> My printer use is quite light. So much so that it seems hard to justify
> even replacing the printer.
>
> But on occasion I do need to print lengthy documents, and that's where
> the laser comes in handy (and thus the desire for duplexing, to cut down
> on paper use). I'm aware that color lasers do a poor job at photo
> reproduction. I have an inkjet that would meet that requirement. So
> having the laser be color would be nice, but far from necessary.
>
> Aside from reduced print costs, another reason why I favor laser
> printers over inkjets is that you can leave them unused for several
> months and not have the ink cartridges dry out.
>
> What I'm wondering is what are the down sides to getting a color laser,
> aside from the upfront costs and the additional cartridge costs? Will
> the color cartridges last for years if they are rarely used? (The rubber
> parts in toner cartridges will dry out eventually.) Is the printer
> likely to refuse to print in monochrome if one of the color cartridges
> is empty?
>
> Are color lasers more prone to break down? More prone to jamming?
>
> The Brother monochrome toner cartridges seem to run about $20 street
> price. I assume the color cartridges will be more. Are the black
> cartridges that go into a color printer unique, and thus produced in
> lower volume and more expensive?
>
>  -Tom



Re: [Discuss] DMARC issue, Yahoo and beyond

2014-05-27 Thread Derek Atkins
And of course I, as the receiver of the message, have no way to know who
actually set the reply-to header ;)

-derek

John Abreau  writes:

> Ah, I see. I misunderstood what you were saying. 
>
> On Fri, May 23, 2014 at 4:20 PM, Derek Martin  wrote:
>
> On Fri, May 23, 2014 at 10:26:52AM -0400, Derek Atkins wrote:
> > you are subscribed to this list... which just had a reply-to set to
> > reply back to the list...
>
> *I* set this, because:
>
> --
> Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
> -=-=-=-=-
> This message is posted from an invalid address.  Replying to it will
> result in
> undeliverable mail due to spam prevention.  Sorry for the inconvenience.
>
>
> --
> John Abreau / Executive Director, Boston Linux & Unix
> Email j...@blu.org / WWW http://www.abreau.net / 2013 PGP-Key-ID 0x920063C6
> 2013 / ID 0x920063C6 / FP A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
> 2011 / ID 0x32A492D8 / FP 7834 AEC2 EFA3 565C A4B6  9BA4 0ACB AD85 32A4 92D8
>



Re: [Discuss] DMARC issue, Yahoo and beyond

2014-05-23 Thread Derek Atkins
Derek Martin  writes:

> On Thu, May 22, 2014 at 12:05:12PM -0500, Derek Martin wrote:
>> On Wed, May 21, 2014 at 06:55:13PM -0400, Richard Pieri wrote:
>> > With the caveat that I did not list Mutt by name but that's quibbling.
>> > Point is, as you've experienced yourself, Mutt's behavior is not
>> > consistent when improperly-set Reply-To fields are in play.
>> 
>> I admit I'd forgotten this; for the longest time I had a patch which I
>> wrote to fix this applied to my mutt; Mutt dev being what it is
>> (basically dead) the maintainers didn't have any interest in applying
>> it.  I have no use to maintain patches forever so I stopped bothering.
>
> I meant to also comment that with list-reply functionality, it's
> (currently) largely a non-issue since reply-to is rarely set by anyone
> except for some mailing lists which still think this is a good idea,
> of which I am currently subscribed to zero.

You are subscribed to this list... which just had a reply-to set to
reply back to the list...

-derek



Re: [Discuss] DMARC issue, Yahoo and beyond

2014-05-22 Thread Derek Atkins
Richard Pieri  writes:

> Richard Pieri wrote:
>> You are incorrect. When the Reply-To field is set then all replies use
>> the Reply-To field contents for the new To field. This is unexpected
>> when reply to list would otherwise use the list's address. This is
>> unexpected when reply to all would otherwise use all addresses in the
>> original From and To fields.
>
> NB: I know that Gnus can be made to act the way Derek describes because
> I wrote a custom Reply-To handler to deal with lists that munged
> Reply-To fields. It or something like it may be in the main line Gnus code.

I'd love to see this code ;)

-derek


Re: [Discuss] DMARC issue, Yahoo and beyond

2014-05-16 Thread Derek Atkins
Matthew Gillen  writes:

> On 05/16/2014 12:52 PM, Bill Horne wrote:
>> My first question is whether mailman allows the BLU to selectively munge
>> headers based on the recipient's preferences: if a YahGooHotCast
>> subscriber can turn off munging by themselves, then we're done, but I
>> don't remember if that's possible. If the answer is "No", then I suggest
>> we explore some custom-code for Mailman.
>
> The version I'm looking at (2.1.12) doesn't seem to have that
> option. Even if it did, it would get weird: the first reply from
> someone that wanted the [Discuss] munging would have a munged subject
> line, which might break threading on mail clients that rely on
> same-subject (do any really do that anymore?)

It was added in 2.1.16, and "fixed" in 2.1.18.

-derek



Re: [Discuss] DMARC issue, Yahoo and beyond

2014-05-15 Thread Derek Atkins
Drew Van Zandt  writes:

> Yahoo may do as they like.  Just because a solution is technically correct
> does not mean it will not have consequences.
>
> Most of the people I know who have been stubbornly clinging to Yahoo! email
> addresses have switched to gmail in the past few weeks.

The issue is worse than that.  It will cause the list email to bounce
to all the recipients of the list.  As a result, Mailman will happily
unsubscribe everyone from the list once some yahoo users send mail
there.

On the lists I maintain I just turned off automatic bounce processing.
It just means that yahoo-using users won't get their email seen by list
members that have DMARC processing turned on.

-derek

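The list-side fix that the DMARC replies in this thread circle around (the option added in Mailman 2.1.16 and reworked in 2.1.18, known there as from_is_list and dmarc_moderation_action) is to rewrite From only for senders whose domain publishes a restrictive policy, so that neither everyone's headers get munged nor Yahoo mail bounces off every subscriber. This is an added example, not Mailman's code: the DMARC records, list address and domains are constructed, and a dictionary stands in for the DNS TXT lookup.

```python
import email.utils
from email.message import EmailMessage

LIST_ADDRESS = "discuss@lists.example"    # constructed list address
LIST_NAME = "Discuss"

# Constructed stand-in for the _dmarc.<domain> TXT lookups (runs offline).
DMARC_RECORDS = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yahoo.example",
    "quarantine.example": "v=DMARC1; p=quarantine; adkim=s",
    "blu.example": "v=DMARC1; p=none; rua=mailto:dmarc@blu.example",
}

def parse_dmarc(record):
    """'tag=value; tag=value' -> dict; {} unless it really is a v=DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def dmarc_policy(domain):
    """Policy published for the From domain; no record means 'none'.
    (The organizational-domain 'sp=' fallback is omitted for brevity.)"""
    return parse_dmarc(DMARC_RECORDS.get(domain.lower(), "")).get("p", "none").lower()

def needs_munging(from_header):
    """p=reject is what bounced list traffic in 2014; p=quarantine sends it to spam."""
    _, addr = email.utils.parseaddr(from_header)
    return dmarc_policy(addr.rpartition("@")[2]) in ("reject", "quarantine")

def munge_from(msg):
    """Put the list address in From so DMARC alignment is checked against the
    list's own domain; keep the author in the display name, Reply-To and
    X-Original-From. Returns True when the message was rewritten."""
    original = str(msg["From"])
    if not needs_munging(original):
        return False
    name, addr = email.utils.parseaddr(original)
    del msg["From"]
    msg["From"] = email.utils.formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDRESS))
    msg["X-Original-From"] = original
    existing = msg.get("Reply-To")
    del msg["Reply-To"]
    # A Reply-To the list itself set (see the thread) is kept; the author goes first.
    msg["Reply-To"] = addr if existing is None else f"{addr}, {existing}"
    return True

def make_list_message(from_header, subject="[Discuss] test", reply_to=None):
    """Constructed sample post, as it would arrive at the list server."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = LIST_ADDRESS
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("constructed body")
    return msg

def process(from_header, reply_to=None):
    """Run the munging decision on a sample post and report the resulting headers."""
    msg = make_list_message(from_header, reply_to=reply_to)
    munged = munge_from(msg)
    return {
        "munged": munged,
        "from": str(msg["From"]),
        "reply_to": None if msg["Reply-To"] is None else str(msg["Reply-To"]),
        "original": str(msg["X-Original-From"]) if munged else None,
    }
```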


Re: [Discuss] SSD drives vs. Mechanical drives

2014-05-06 Thread Derek Atkins
Kent Borg  writes:

> On 05/05/2014 11:47 AM, Richard Pieri wrote:
>> Any medium can fail with no warning.
>
> Indeed, though disks frequently (usually?) degrade with warning. SMART
> monitoring can note ECC-errors, for example. And other key components
> tend to have "lifetime" reliability, i.e., CPUs and RAM and
> motherboards are usually replaced while still functioning. Fans
> sometimes die early, but usually make a hellish noise first as a
> warning.
>
> Flash is a bit unique in that it has an advertised finite life in
> write-cycles (scarily small number per-cell with modern flash) and
> though firmware cleverness extends this, they have still been observed
> to die with no warning. Very unnerving. Very trendy, too: are Mac
> notebooks even available without SSDs these days? Does Apple have some
> magic exemption to these flash problems? Very unnerving.

They do, it's called "Time Machine" which they recommend you use -- and
it makes it pretty easy to do a complete restore from there.

-derek



Re: [Discuss] Linux file systems

2014-03-28 Thread Derek Atkins
Jerry Feldman  writes:

> When does Hans Reiser get out of jail? The reiserfs was halfway decent.

You clearly didn't care about your data surviving a system crash, did
you?

-derek



Re: [Discuss] first time build of GIT server

2014-01-30 Thread Derek Atkins
"Edward Ned Harvey (blu)"  writes:

>> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-
>> bounces+blu=nedharvey@blu.org] On Behalf Of Chris Johnson
>> 
>> You'll need to get your team to use SSH keys, but that's standard
>> practice for most git management systems (e.g. gitolite).
>
> That may have been true at some point, but now, it works just as well
> over http or https.
>
> I will say, if you use http, the user's password goes across the wire
> plaintext.  (I confirmed with wireshark.)  So my recommendation would
> be to plan on using SSL right from the start.  Every step along the
> way in the gitlab installer, substitute "https" for "http" and so
> forth.

You could just use git-over-ssh.  Give each developer an account on the
server and then they can just:

  git clone ssh://usern...@git.example.com/path/to/repo.git

You might also consider looking at gitolite.  It uses ssh as the
connection framework (although you can set up HTTP(S) access if you
really need it).  You store the developer's ssh public keys within
gitolite so each user does not necessarily need an actual "account" on
the server.  In this case everyone would use:

  git clone ssh://g...@git.example.com/path/to/repo.git

Using gitolite also provides better access control mechanisms than just
using raw accounts.

-derek
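The forced-command model gitolite is built on, as an added example in POSIX shell that is not gitolite's code and not from this thread: every public key in the `git` user's authorized_keys is pinned to a user name through a `command=` option, sshd never runs the client's requested command, and the wrapper decides from `SSH_ORIGINAL_COMMAND` which repository and which git service was asked for before handing over to the real `git-upload-pack` or `git-receive-pack`. The ACL, the user and repository names and the `/srv/git` path are constructed for the example.

```shell
#!/bin/sh
# Gitolite-style gatekeeper (added example, not gitolite's own code).
# sshd runs it as a forced command, one authorized_keys line per key:
#   command="/usr/local/bin/gatekeeper alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... alice@laptop
# The key decides who the user is; SSH_ORIGINAL_COMMAND holds what the
# client asked for, e.g.  git-upload-pack 'proj.git'

REPO_BASE=/srv/git          # assumption: bare repositories live here

# Constructed ACL for the example: "user repo perm", perm is R or RW.
ACL='alice proj.git RW
bob   proj.git R
bob   docs.git RW'

# parse_git_cmd CMD: print "<service> <repo>" if CMD is one of the three
# git-over-ssh services with a plain bare-repo name; fail otherwise.
parse_git_cmd() {
  case "$1" in
    git-upload-pack\ *|git-receive-pack\ *|git-upload-archive\ *) ;;
    *) return 1 ;;           # shells, scp, sftp, anything else: refused
  esac
  svc=${1%% *}
  repo=${1#* }
  repo=${repo#\'}; repo=${repo%\'}   # git quotes the path: 'proj.git'
  repo=${repo#/}                     # treat /proj.git as proj.git
  case "$repo" in
    *..*|*/*|*' '*|'') return 1 ;;   # no traversal, no subdirs, no blanks
  esac
  printf '%s %s\n' "$svc" "$repo"
}

# allowed USER CMD: succeed only if the ACL grants what CMD needs.
# receive-pack (push) needs RW; upload-pack / upload-archive need R.
allowed() {
  user=$1
  parsed=$(parse_git_cmd "$2") || return 1
  svc=${parsed%% *}
  repo=${parsed#* }
  case "$svc" in
    git-receive-pack) need=RW ;;
    *)                need=R ;;
  esac
  perm=$(printf '%s\n' "$ACL" | awk -v u="$user" -v r="$repo" '$1 == u && $2 == r { print $3 }')
  [ -n "$perm" ] || return 1        # no ACL line: repo is invisible to user
  [ "$need" = R ] && return 0       # R or RW both satisfy a read
  [ "$perm" = RW ]
}

# gate USER: the forced-command entry point; hands a permitted request to
# the real git service binary and refuses everything else.
gate() {
  if allowed "$1" "${SSH_ORIGINAL_COMMAND:-}"; then
    set -- $(parse_git_cmd "$SSH_ORIGINAL_COMMAND")
    exec "$1" "$REPO_BASE/$2"
  fi
  echo "gatekeeper: access denied" >&2
  exit 1
}

if [ $# -eq 1 ]; then
  gate "$1"
fi
```

The point of the pattern is that the ssh key is only an identity, not a shell: with `no-pty` and the forced command in place, a developer whose key is in the file can reach exactly the git services the ACL grants and nothing else on the box, which is the access-control benefit the post mentions over handing out raw accounts.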


Re: [Discuss] first time build of GIT server

2014-01-30 Thread Derek Atkins
John Malloy  writes:

> Sorry for asking a newbie question
>
> How do I check/out in a package for the first time?

git init

-derek



Re: [Discuss] encrypted linux systems

2014-01-27 Thread Derek Atkins
Stephen Adler  writes:

> Hi,
>
> I've run across an interesting situation where I'm required to
> encrypt my desktop at home since it's owned by the government. Any
> advice on how to best setup an encrypted linux system? Preferably using
> some kind of encrypted hardware device which will not kill my disk IO
> rate?

Most modern distros allow you to encrypt the drive when you install.
It uses dm-crypt, and in my experience I don't notice any significant
performance delays on my encrypted laptop.

Note that this will allow you to encrypt all partitions except your
/boot partition, because it does not contain a pre-boot module.  If you
care about encrypted pre-boot you could look into something like PGP
Whole Disk Encryption for Linux which actually encrypts the whole drive,
not just partition-by-partition.

Also note that you cannot convert an existing linux system to dm-crypt,
however you *can* encrypt an existing system using PGP WDE.

> Thanks.

-derek

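A check for the layout the reply describes, as an added example in POSIX shell that is not from this thread or from any distro installer: it walks the block-device tree that `lsblk` reports and flags every mounted filesystem (swap included) that has no dm-crypt layer anywhere beneath it. On an installer-encrypted system the only line flagged should be `/boot`. The `lsblk -P` output below is constructed for the example and the device and volume-group names are assumptions.

```shell
#!/bin/sh
# Audit which mounted filesystems sit on dm-crypt (added example).
# Input format is that of:  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME

# Constructed sample of a typical installer-encrypted Fedora layout:
# unencrypted /boot partition, LUKS on sda2, LVM volumes inside it.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-1234" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="fedora-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-1234"
NAME="fedora-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="luks-1234"
NAME="fedora-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-1234"'

# audit_encryption: read lsblk -P lines on stdin and print one sorted
# "<mountpoint> <encrypted|PLAINTEXT>" line per mounted device.  A device
# counts as encrypted when it or any ancestor (via PKNAME) is TYPE=crypt.
audit_encryption() {
  awk '
  # field(line, key): value of KEY="..." in an lsblk -P line, "" if absent
  function field(line, key,    s) {
    if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
    s = substr(line, RSTART, RLENGTH)
    sub(/^ ?[A-Z]+="/, "", s)
    sub(/"$/, "", s)
    return s
  }
  {
    n = field($0, "NAME")
    type[n] = field($0, "TYPE")
    mnt[n]  = field($0, "MOUNTPOINT")
    pk[n]   = field($0, "PKNAME")
  }
  END {
    for (n in mnt) {
      if (mnt[n] == "") continue
      enc = 0
      for (p = n; p != ""; p = pk[p])      # walk up to the physical disk
        if (type[p] == "crypt") enc = 1
      print mnt[n], (enc ? "encrypted" : "PLAINTEXT")
    }
  }' | sort
}

# count_plaintext: number of mounted filesystems with no dm-crypt beneath
# them; 1 (for /boot) is the expected answer on an installer-encrypted box.
count_plaintext() {
  audit_encryption | grep -c PLAINTEXT
}

printf '%s\n' "$SAMPLE_LSBLK" | audit_encryption
```

On a real machine run `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | audit_encryption` instead of piping the sample in. Anything other than `/boot` showing up as PLAINTEXT, swap in particular, is a finding: swap holds page contents from every process and is the usual place an otherwise encrypted laptop leaks.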

