Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
> > So its best to implement the minimal amount of code on the basis there
> > will be fewer bugs in it.
> So why reimplement everything that moves?

You just answered your own question.

> interface, so the sysadmin has to comprehend something completely
> different to what he's used to, so that he can make it secure with ease.

Configuration is syntax. Familiarity with a configuration syntax does not
make an application more secure. Security comes from sysadmins who
understand the architecture, protocols and implementation. It does not come
from configuration syntax. Anyone who suggests that it is a factor should
either be removed or have the software they are using removed.

> Oh. right. I'll remember to try and download some of your software when
> your server is down, just so I can complain about it.

My software is mirrored on tucows.

Red
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
> state, you have to deliberately loosen the security if that is not what
> you desire. This is how things should be.

Cantrel++
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 09:26:15AM +0100, Newton, Philip wrote:
> Dean Wilson wrote:
> > network time syncing (And why NNTP is better than SNTP, something I
> > could have done with about six months ago.)
> What are NNTP and SNTP? I presume that NNTP in this context is not the
> NetNews Transfer Protocol, and haven't heard of SNTP. Presumably they're
> both variations on *** Network Time Protocol?

I suspect that the NNTP was a typo for NTP; SNTP is the Simple Network Time
Protocol (RFC2030).

MBM

-- 
The American legal system is of course just the British kernel with a
shorter uptime and a few clumsy security patches slapped in.
  -- NTK 2001-10-05
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
Matthew Byng-Maddick [EMAIL PROTECTED] writes:
> On Mon, Dec 03, 2001 at 09:26:15AM +0100, Newton, Philip wrote:
> > Dean Wilson wrote:
> > > network time syncing (And why NNTP is better than SNTP, something I
> > > could have done with about six months ago.)
> > What are NNTP and SNTP? I presume that NNTP in this context is not the
> > NetNews Transfer Protocol, and haven't heard of SNTP. Presumably they're
> > both variations on *** Network Time Protocol?
> I suspect that the NNTP was a typo for NTP, SNTP is the Simple Network
> Time Protocol (RFC2030).

Apparently XNTP doesn't handle leap seconds correctly

  http://cr.yp.to/proto/utctai.html

and DBJ has, surprise surprise, his own replacement...

BTW the OpenBSD man page for timed(0) says

  If two or more time daemons, whether timed, NTP, try to adjust the same
  clock, temporal chaos will result.

Don't cross the beams!

-- 
1024/D9C69DF9 steve mynott [EMAIL PROTECTED]
  /\   ascii ribbon campaign
  \ /  against html e-mail
   x
  / \
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 12:37:53PM +, Steve Mynott wrote:
> Matthew Byng-Maddick [EMAIL PROTECTED] writes:
> > On Mon, Dec 03, 2001 at 09:26:15AM +0100, Newton, Philip wrote:
> > > Dean Wilson wrote:
> > > > network time syncing (And why NNTP is better than SNTP, something I
> > > > could have done with about six months ago.)
> > > What are NNTP and SNTP? I presume that NNTP in this context is not
> > > the NetNews Transfer Protocol, and haven't heard of SNTP. Presumably
> > > they're both variations on *** Network Time Protocol?
> > I suspect that the NNTP was a typo for NTP, SNTP is the Simple Network
> > Time Protocol (RFC2030).
> Apparently XNTP doesn't handle leap seconds correctly

You mean xntpd (a software package, not a protocol)

> http://cr.yp.to/proto/utctai.html
> and DBJ has, surprise surprise, his own replacement...

DJB. But yeah, I'm not surprised. The replacement I'd actually go for, if
I were going for a replacement, is Nick Maclaren's msntpd, as Nick is just
as concerned about correctness (if not more so) as DJB, but works to a
portable subset of C, and you don't have to have the rest of the system
covered in alternative ways of doing things.

> BTW the OpenBSD man page for timed(0) says
>   If two or more time daemons, whether timed, NTP, try to adjust the same
>   clock, temporal chaos will result.
> Don't cross the beams!

timed != *ntpd

MBM

-- 
"I was. You just weren't trying hard enough to be SEEN. We had a SHEEP on
our table. What more did you want?"  "A bigger sheep."
  -- J-P Stacey and Jacqui look for each other at a meet.
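The leap-second point the two posts above are arguing about (the xntpd remark and the http://cr.yp.to/proto/utctai.html link), as an added worked example. This is the editor's code, not anything from the thread, from xntpd, from msntp or from DJB's libtai. It shows why "handling leap seconds correctly" is hard: TAI is a plain count of seconds, UTC inserts a 23:59:60 second on certain days, and a POSIX time_t (a fixed 86400 seconds per day, no second 60) cannot represent that inserted second, so it collides with the next midnight. The leap-second table is the published IERS list as the editor knows it (complete up to the 2016-12-31 leap second), not something taken from the page; the function names are the editor's.

```python
"""UTC <-> TAI with an explicit leap-second table.

Added example, not code from the thread, xntpd, msntp or DJB's libtai.
It models the point made at http://cr.yp.to/proto/utctai.html: TAI is a
plain count of seconds, UTC occasionally inserts a 23:59:60 second, and a
POSIX time_t (86400 s per day, no second 60) cannot represent that second.
"""
from datetime import date

# Published IERS leap seconds: each UTC day listed ended with 23:59:60.
# TAI-UTC was 10 s from 1972-01-01 and grows by one per entry. This table
# is the editor's, not from the thread; it is complete up to 2016-12-31.
LEAP_DAYS = [date.fromisoformat(d) for d in (
    "1972-06-30", "1972-12-31", "1973-12-31", "1974-12-31", "1975-12-31",
    "1976-12-31", "1977-12-31", "1978-12-31", "1979-12-31", "1981-06-30",
    "1982-06-30", "1983-06-30", "1985-06-30", "1987-12-31", "1989-12-31",
    "1990-12-31", "1992-06-30", "1993-06-30", "1994-06-30", "1995-12-31",
    "1997-06-30", "1998-12-31", "2005-12-31", "2008-12-31", "2012-06-30",
    "2015-06-30", "2016-12-31",
)]
EPOCH = date(1970, 1, 1)
BASE_OFFSET = 10  # TAI-UTC in effect before the first entry above


def _days(d: date) -> int:
    """Whole days from 1970-01-01 to d (negative before the epoch)."""
    return d.toordinal() - EPOCH.toordinal()


def tai_minus_utc(d: date) -> int:
    """TAI-UTC in effect during UTC day d. A leap second at the end of
    day L only changes the offset from the following day onwards."""
    return BASE_OFFSET + sum(1 for leap in LEAP_DAYS if leap < d)


def posix_time(d: date, h: int, m: int, s: int) -> int:
    """What time_t does: fixed 86400 s days, so 23:59:60 computes to the
    same number as the next day's 00:00:00 (the two are indistinguishable)."""
    return _days(d) * 86400 + h * 3600 + m * 60 + s


def utc_to_tai(d: date, h: int, m: int, s: int) -> int:
    """Broken-down UTC (s == 60 allowed only on a leap day) -> continuous
    TAI count, expressed as seconds since 1970-01-01 on the TAI scale."""
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s <= 60):
        raise ValueError("time of day out of range")
    if s == 60 and ((h, m) != (23, 59) or d not in LEAP_DAYS):
        raise ValueError(f"{d} {h:02}:{m:02}:60 does not exist in UTC")
    return posix_time(d, h, m, s) + tai_minus_utc(d)


def tai_to_utc(t: int) -> tuple:
    """Inverse of utc_to_tai: recognise an inserted second by its TAI
    value, otherwise strip the offset in effect and split into d/h/m/s."""
    leap_instants = {utc_to_tai(leap, 23, 59, 60): leap for leap in LEAP_DAYS}
    if t in leap_instants:
        return leap_instants[t], 23, 59, 60
    offset = BASE_OFFSET + sum(1 for inst in leap_instants if inst < t)
    days, rem = divmod(t - offset, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return date.fromordinal(EPOCH.toordinal() + days), h, m, s


def leap_second_walk(leap: date) -> dict:
    """The three UTC labels around an inserted second, on both scales:
    TAI advances by one each step, POSIX repeats a value."""
    labels = [(leap, 23, 59, 59), (leap, 23, 59, 60),
              (date.fromordinal(leap.toordinal() + 1), 0, 0, 0)]
    return {"tai": [utc_to_tai(*x) for x in labels],
            "posix": [posix_time(*x) for x in labels]}


if __name__ == "__main__":
    walk = leap_second_walk(date(1998, 12, 31))
    print("TAI   :", walk["tai"])    # three consecutive integers
    print("POSIX :", walk["posix"])  # the last two are equal
    print("TAI-UTC on 2001-12-03:", tai_minus_utc(date(2001, 12, 3)))
```

The practical consequence for a time daemon is in `posix_time`: any code that stores UTC as seconds-since-epoch has to smear, step or repeat a second around each entry in the table, and must carry the table (or receive the leap indicator from the server) to know when. Converting to and from TAI, as above, keeps the arithmetic monotonic and pushes the table lookup to the display layer.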
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
* Matthew Byng-Maddick ([EMAIL PROTECTED]) wrote something which I have
paraphrased into:
> DJB requires you to have the rest of the system set up with alternative
> ways of doing things.

You mean like his /services approach, while Evil Dave (whose opinion I
respect in sysadmin matters) seems to like it, I just don't see the value,
and he does seem to have an OpenBSD attitude of coding it for his system
and letting the rest of the world bugger off (see open ssh a few versions
ago).

I take the view that I adopt the OS manufacturers' approach for
configuration/structure and don't listen to software developers when it
comes to these things (although I did resist M$' approach for some time).

Greg

-- 
Greg McCarroll http://217.34.97.146/~gem/
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 01:22:25PM +, Greg McCarroll wrote:
> * Matthew Byng-Maddick ([EMAIL PROTECTED]) wrote something which I have
> paraphrased into:
> > DJB requires you to have the rest of the system set up with alternative
> > ways of doing things.
> You mean like his /services approach, while Evil Dave (whose opinion I

That's one part of it.

> respect in sysadmin matters) seems to like it, I just don't see the

How you implement something as a sysadmin is quite a subjective thing, and
I happen not to like the idea that I ought to transfer zones to my
secondary nameservers via ssh, for example, or that my configurations for
my mailserver reside in /var, or that reporting a bug is a severe mental
torture, because there are no bugs, only incorrect readings of the spec,
and that in order to make any of his software useful, you need a myriad of
patches, applied in the right order, of course.

> value, and he does seem to have an OpenBSD attitude of coding it for his
> system and letting the rest of the world bugger off (see open ssh a few
> versions ago).

That kind of thing. It's also the fact that, for example, ezmlm only really
works properly if you're using qmail as the MTA. qmail only really works
properly if you're using djbdns to provide your nameservice, and you have
DJB's CDB etc libraries installed, and then you have to use his start-stop
system for qmail, because he doesn't like the standard ones, so has chosen
to write his own incompatible one.

> I take the view that I adopt the OS manufacturers' approach for
> configuration/structure and don't listen to software developers when it
> comes to these things (although I did resist M$' approach for some time).

Sure. This is IMO a sensible approach, especially when core upgrades happen.

MBM

-- 
* rejs consults his Dell documentation
<rejs> The useful manual is the slim one, not the great thick one. That
       tells me how to sit at a chair in an ergonomic manner in seventeen
       Slavonic and Oriental languages.
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 01:16:40PM +, Steve Mynott wrote:
> Matthew Byng-Maddick [EMAIL PROTECTED] writes:
> > On Mon, Dec 03, 2001 at 12:37:53PM +, Steve Mynott wrote:
> > > Matthew Byng-Maddick [EMAIL PROTECTED] writes:
> > [..]
> > > Apparently XNTP doesn't handle leap seconds correctly
> > You mean xntpd (a software package, not a protocol)
> Yeah typo
> > > http://cr.yp.to/proto/utctai.html
> > > and DBJ has, surprise surprise, his own replacement...
> > DJB. But yeah, I'm not surprised. The replacement I'd actually go for,
> > if I were going for a replacement, is Nick Maclaren's msntpd, as Nick
> > is just as concerned about correctness (if not more so) as DJB, but
> > works to a portable subset of C, and you don't have to have the rest of
> > the system covered in alternative ways of doing things.
> What's non-portable about djbware? I have had no problems compiling

That it doesn't interoperate sensibly with anything else. see my other post.

> on a wide range of unix systems. Also you don't have to use the
> alternative ways of doing things.

At the expense of vastly reduced functionality.

> Do you have a link for msntpd? (google fails to find anything).

http://www.linux.org/apps/AppId_6439.html

MBM

-- 
<mobbsy> OK, performing seal time again. Arf Arf. Watch the seal juggle
         E450s, then disappear in a puff of marketing.
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 03:26:09PM +, Steve Mynott wrote:
> ftp://oozelum.csi.cam.ac.uk/dist/msntp-1.5.tar.gz
> which doesn't ping (looks like an unplugged student's desktop machine
> from the domain I would guess)

csi = computing services internal. not a student. Someone who knows a fuck
lot more about UNIX and C than anyone else I know (including previous IOCCC
winners).

MBM

-- 
When I got my Libretto (a PC about the size of a hardback novel) my
colleagues decided that it was too small to be a laptop so it must
therefore be a dicktop. -- Tony Finch
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 03:26:09PM +, Steve Mynott wrote:
> Matthew Byng-Maddick [EMAIL PROTECTED] writes:
> > On Mon, Dec 03, 2001 at 01:16:40PM +, Steve Mynott wrote:
> > [..]
> > > What's non-portable about djbware? I have had no problems compiling
> > That it doesn't interoperate sensibly with anything else. see my other
> > post.
> interoperability != non-portable

OK. Also, where did I actually say that DJBware was non-portable? (in the
bit of my message that you've carefully snipped)

> > > on a wide range of unix systems. Also you don't have to use the
> > > alternative ways of doing things.
> > At the expense of vastly reduced functionality.
> That's a deliberate and correct design choice.

Oh? deliberate, yes. correct, not so sure.

> It's hard to do even simple things properly and securely in computer
> programming.

Yeah, so you don't comment your code, create users left, right and centre,
in order to hope that they won't interact in some odd way.

> So its best to implement the minimal amount of code on the basis there
> will be fewer bugs in it.

So why reimplement everything that moves?

> KISS.

Yes. So why reimplement everything, with a different, incompatible
interface, so the sysadmin has to comprehend something completely
different to what he's used to, so that he can make it secure with ease.

> > > Do you have a link for msntpd? (google fails to find anything).
> > http://www.linux.org/apps/AppId_6439.html
> I would be more likely to be impressed by this code if I could actually
> download it and if it were mirrored!

Oh. right. I'll remember to try and download some of your software when
your server is down, just so I can complain about it.

> and for the record I am not a total DJB freak since I prefer vsftpd to
> publicfile! (and he has flamed me in the past!)

Bully for you!

MBM

-- 
People ask me what I do for a living, and I tell 'em I type. It's
accurate, and easier to explain than "I administrate a cluster of IVR
computer telephony and occasionally pull shifts in the Mail Ops NOC."
What do I do, really?
I just sit here at my desk, and I type. I am a good typer. -- Huey
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 04:08:57PM +, Matthew Byng-Maddick wrote:
> On Mon, Dec 03, 2001 at 03:26:09PM +, Steve Mynott wrote:
> > It's hard to do even simple things properly and securely in computer
> > programming. So its best to implement the minimal amount of code on
> > the basis there will be fewer bugs in it.
> So why reimplement everything that moves?

Because nothing that moves meets his high standards. That, and he has the
time/energy/ability to do something about it.

> > KISS.
> Yes. So why reimplement everything, with a different, incompatible
> interface, so the sysadmin has to comprehend something completely
> different to what he's used to, so that he can make it secure with ease.

Now I haven't tried qmail or ezmlm, but it is remarkably easy to configure
djb's dns, ftp and http servers to be secure. In fact that is their default
state, you have to deliberately loosen the security if that is not what
you desire. This is how things should be.

> > I would be more likely to be impressed by this code if I could actually
> > download it and if it were mirrored!
> Oh. right. I'll remember to try and download some of your software when
> your server is down, just so I can complain about it.

I think that Steve phrased that badly and you misunderstood him. If I
can't download the code, I *can't* be impressed by it. And it is true that
the code for many of the most impressive projects is widely distributed.
Frequently in all sorts of old versions :-)

As for my own code, anything that I think is really important is indeed
mirrored elsewhere.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david
Every normal man must be tempted at times to spit on his hands, hoist the
black flag, and begin slitting throats. -- H. L. Mencken
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
* Matthew Byng-Maddick ([EMAIL PROTECTED]) wrote:
> Bully for you!

Remember, arguments are not won on mailing lists[1] with phrases like the
above. Of course, humour is always IMHO welcome, and a smiley goes a long
way to identifying a phrase like the above as humour before it gets out of
control and it's handbags at 10 paces ;-).

Ho hum.

Greg

[1] In fact arguments are probably never won on mailing lists, but that's
another matter.

-- 
Greg McCarroll http://217.34.97.146/~gem/
Re: NNTP and SNTP (was Re: REVIEW Securing Windows NT/2000 Servers for the Internet)
On Mon, Dec 03, 2001 at 03:14:28PM +, Steve Mynott wrote:
> /var is intended for machine specific files (traditionally /usr is
> machine common files and often used to exist as an NFS mount). A mail
> setup is machine specific and lives on /var.

I'd argue that the binaries belong in /usr/bin or /usr/local/bin and the
configuration files belong in /etc. FreeBSD's hier(7) seems to back this
up, claiming that var is for "multi-purpose log, temporary, transient, and
spool files". I'm not aware of any other application that stores binaries
and man pages in /var.

I like qmail, though, and run it, but it's definitely quirky.

Tom