Dell PowerEdge 1950 Xeon Quad-Core

2008-02-21 Thread Jung
Dell PowerEdge 1950 Intel Xeon Quad-Core * 2

It works fine.

- kernel compile

# time make -j16
   text    data     bss     dec     hex
6382651  149620  883904 7416175  71296f
   1m52.57s real     5m20.07s user     8m51.52s system

- dmesg
OpenBSD 4.2-current (GENERIC.MP) #1555: Mon Feb 11 19:29:59 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3488907264 (3327MB)
avail mem = 3373596672 (3217MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xcffbc000 (62 entries)
bios0: vendor Dell Inc. version 1.3.7 date 03/26/2007
bios0: Dell Inc. PowerEdge 1950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1596.15 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 265MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu2: 4MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu3: 4MB 64b/line 16-way L2 cache
cpu4 at mainbus0: apid 2 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu4: 4MB 64b/line 16-way L2 cache
cpu5 at mainbus0: apid 6 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu5: 4MB 64b/line 16-way L2 cache
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu6: 4MB 64b/line 16-way L2 cache
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu7: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0 apid 9 pa 0xfec81000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (PEX2)
acpiprt2 at acpi0: bus 6 (UPST)
acpiprt3 at acpi0: bus 7 (DWN1)
acpiprt4 at acpi0: bus 9 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 2 (PE2P)
acpiprt7 at acpi0: bus 11 (PEX4)
acpiprt8 at acpi0: bus 13 (PEX6)
acpiprt9 at acpi0: bus 3 (SBEX)
acpiprt10 at acpi0: bus 15 (COMP)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpicpu4 at acpi0
acpicpu5 at acpi0
acpicpu6 at acpi0
acpicpu7 at acpi0
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 5
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 7
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci4 at ppb3 bus 8
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: apic 8 int 16 (irq 5)
ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci5 at ppb4 bus 9
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 10
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12
pci7 at ppb6 bus 1
ppb7 at pci7 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci8 at ppb7 bus 2
mpi0 at pci8 dev 8 function 0 Symbios Logic SAS1068 rev 0x01: apic 9 int 0 (irq 5)
scsibus0 at mpi0: 

Re: [ami] Unable to set Hot Spare from bioctl on a Dell PERC 4/Di

2008-02-21 Thread Matthew Mulrooney

On Wed, 20 Feb 2008, Marco Peereboom wrote:

My natural answer is that this is a firmware issue.  But since you


I will upgrade the firmware and rerun my test case.


provided such good steps I will try to recreate this.  Thank you for
this outstanding report.


No problem :).

Matthew



On Wed, Feb 20, 2008 at 01:42:59AM -0700, Matthew Mulrooney wrote:

Hi there, I'm back with another LSI controller, and I'm experiencing
problems with creating hot spares from bioctl.  This seems to be the same
problem that I posted to misc@ on Oct 16, 2006 with the subject line of:

  [ami] Unable to set Hot Spare on MegaRAID SATA 300-8x

I've got the same symptoms, but now with a PERC 4/Di controller.  [And this
time I've found a better work around than just avoiding bioctl -H with this
LSI controller :).]

Problem summary
===============
When I use bioctl to mark an Unused drive as a Hot Spare, that drive will
fail to be integrated when another disk fails.

The only way, that I've found, to make that drive properly act as a Hot
Spare, is to only set it as such from the LSI boot menu.  If you have
already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked
drive, and replace it (it can be the same physical disk).  At that point
your disk should be showing up as an 'Unused' disk, from where you can go
do the thing in the LSI boot menu.

This is an improvement over my 2006 analysis of the situation, where I
couldn't find a way to reset the drive back to Unused (after Hot Sparing it
from bioctl).  The LSI boot menu requires a drive to be in an Unused state
before it will allow me to correctly mark it as a Hot Spare.


If you're interested, please let me know what I can do to be of assistance
in trouble shooting this.  I have a limited window before this box will
have to be pushed into production, and I can live with the current
situation (an after hours reboot in the case of a drive failure is
perfectly fine).

Matthew


Test case
=========
s = step succeeded
F = step failed

Normal case (RAID 1 + one hot spare)
------------------------------------
s Configure array from the LSI boot menu
s   Clear configuration
s   New configuration
s Disks 0, 1:  RAID 1 array
s Disk  2: Hot spare

s Install OpenBSD-4.2

s Single disk failure
s   Disk 0:  Fails (I pulled it from the hot swap cage)
s   Disk 2:  Automatically replaces it
s   Observe the RAID 1 array get fully rebuilt

s Replace failed disk
s   Replace Disk 0 with a new disk
s   Observe that Disk 0 is marked as Unused through bioctl
s   Set Disk 0 to be a hot spare (through bioctl)

s Single disk failure
s   Disk 1:  Fails (I pulled it)
F   Disk 0:  FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A HOT SPARE - Array is still degraded.

s Reboot, enter into the LSI boot menu
s   Configure -> View/Add Configuration
s   Highlight disk 0 -> F4 (hot spare)
s   "This Physical Drive is already a HOTSPARE. Press any key to continue"
s   F10 (Configure), Esc, Esc
s   Exit? = YES
s   Please REBOOT YOUR SYSTEM, CTRL-ALT-DEL

s Recheck array
F   Disk 0:  Still failing to integrate.  Array still degraded.

s Attempt to shake loose the 'Hot Spare' bit from disk 0
s   Remove disk 0
s   Replace disk 0 (with the same physical disk)
s   Disk 0 is *no longer* marked as a 'Hot Spare' (either through
bioctl or through the LSI boot menu).  Yeah! :)
[I don't think I tested this method with my SATA 300-8x.]


Log file

# The output is generated by:
#   date; bioctl ami0

##
# Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2
Tue Feb 19 04:01:42 MST 2008
Volume  Status     Size           Device
 ami0 0 Scrubbing  146695782400   sd0     RAID1 3% done
      0 Online     146811125760   0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online     146811125760   0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare  146811125760   0:2.0   safte0 IBM IC35L146UCDY10-0S27F

Tue Feb 19 10:02:15 MST 2008
Volume  Status     Size           Device
 ami0 0 Scrubbing  146695782400   sd0     RAID1 94% done
      0 Online     146811125760   0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online     146811125760   0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare  146811125760   0:2.0   safte0 IBM IC35L146UCDY10-0S27F

Tue Feb 19 10:12:15 MST 2008
Volume  Status     Size           Device
 ami0 0 Scrubbing  146695782400   sd0     RAID1 97% done
      0 Online     146811125760   0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online     146811125760   0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare  146811125760   0:2.0   safte0 IBM IC35L146UCDY10-0S27F

##
# Mirroring complete
Tue Feb 19 10:22:16 MST 2008
Volume  Status     Size           Device
 ami0 0 Online     146695782400   sd0     RAID1
      0 Online     146811125760 
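The failure mode in Matthew's test case (a drive still listed as a hot spare while the array sits degraded and nothing rebuilds) is exactly what a monitoring check should catch before a second failure does. The script below is an added example, not code from the thread: it parses the `bioctl ami0` table layout shown in the log above and raises a CRIT finding when a RAID volume is Degraded, a hot spare is configured, and no member is in Rebuild. The `SAMPLE_*` strings are constructed inputs modelled on that log, not captured output, and the status words are the ones bioctl(8) printed in the OpenBSD 4.2 era.

```python
"""Parse bioctl(8) output for an ami(4) controller and flag the condition from
the thread: a RAID volume that stays Degraded although a hot spare is present
and no rebuild is running. Added example, not code from the thread; the
SAMPLE_* strings are constructed inputs modelled on the log in the post."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

STATUS_WORDS = "Online|Offline|Degraded|Building|Scrubbing|Rebuild|Hot spare|Unused|Invalid"
# Volume line:  " ami0 0 Scrubbing  146695782400   sd0   RAID1 3% done"
VOLUME_RE = re.compile(
    rf"^\s*(?P<ctl>[a-z]+\d+)\s+(?P<vol>\d+)\s+(?P<status>{STATUS_WORDS})"
    rf"\s+(?P<size>\d+)\s+(?P<dev>\S+)\s*(?P<rest>.*)$")
# Member line:  "      0 Online     146811125760   0:0.0 safte0 <vendor model>"
DISK_RE = re.compile(
    rf"^\s+(?P<disk>\d+)\s+(?P<status>{STATUS_WORDS})"
    rf"\s+(?P<size>\d+)\s+(?P<chan>\d+:\d+\.\d+)\s*(?P<rest>.*)$")


@dataclass
class Disk:
    index: int
    status: str
    channel: str        # channel:target.lun on the controller, e.g. 0:2.0


@dataclass
class Volume:
    controller: str
    index: int
    status: str
    device: str         # sdN for a RAID volume, the channel for a hot spare
    detail: str         # trailing text such as "RAID1 3% done"
    disks: List[Disk] = field(default_factory=list)


def parse_bioctl(text: str) -> List[Volume]:
    """Build Volume objects; member lines attach to the volume listed above them."""
    volumes: List[Volume] = []
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            volumes.append(Volume(m["ctl"], int(m["vol"]), m["status"],
                                  m["dev"], m["rest"].strip()))
            continue
        m = DISK_RE.match(line)
        if m and volumes:
            volumes[-1].disks.append(Disk(int(m["disk"]), m["status"], m["chan"]))
        # the header line and anything unrecognised is ignored
    return volumes


def check_raid(volumes: List[Volume]) -> List[Tuple[str, str]]:
    """Return (level, message) findings; an empty list means nothing needs attention."""
    findings: List[Tuple[str, str]] = []
    spares = [v for v in volumes if v.status == "Hot spare"]
    for v in volumes:
        if v.status == "Hot spare":
            continue
        name = f"{v.controller} volume {v.index} ({v.device})"
        rebuilding = any(d.status == "Rebuild" for d in v.disks)
        failed = [d.channel for d in v.disks if d.status in ("Offline", "Invalid")]
        if v.status in ("Degraded", "Offline"):
            if spares and not rebuilding:
                # The thread's symptom: spare listed, array degraded, no rebuild.
                findings.append(("CRIT", f"{name} is {v.status} with no rebuild in progress "
                                         f"although a hot spare is configured; failed members: {failed}"))
            else:
                findings.append(("WARN", f"{name} is {v.status}; failed members: {failed}"))
        elif v.status in ("Building", "Scrubbing", "Rebuild"):
            findings.append(("INFO", f"{name} is {v.status}: {v.detail}"))
    return findings


# Constructed sample: healthy mirror plus one hot spare.
SAMPLE_HEALTHY = """\
Volume  Status     Size           Device
 ami0 0 Online     146695782400   sd0     RAID1
      0 Online     146811125760   0:0.0   safte0 <MAXTOR  ATLAS10K5_146SCA JNZM>
      1 Online     146811125760   0:1.0   safte0 <SEAGATE ST3146807LC DS09>
 ami0 1 Hot spare  146811125760   0:2.0   safte0 <IBM IC35L146UCDY10-0 S27F>
"""

# Constructed sample: one member failed, the spare never kicked in.
SAMPLE_STUCK = """\
Volume  Status     Size           Device
 ami0 0 Degraded   146695782400   sd0     RAID1
      0 Offline    146811125760   0:0.0   safte0 <MAXTOR  ATLAS10K5_146SCA JNZM>
      1 Online     146811125760   0:1.0   safte0 <SEAGATE ST3146807LC DS09>
 ami0 1 Hot spare  146811125760   0:2.0   safte0 <IBM IC35L146UCDY10-0 S27F>
"""

if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("stuck", SAMPLE_STUCK)):
        for level, msg in check_raid(parse_bioctl(sample)) or [("OK", "no findings")]:
            print(f"{label}: {level}: {msg}")
```

Run it from cron against real `bioctl ami0` output piped in, and page on any CRIT line; the WARN case (degraded but rebuilding, or no spare at all) is what a healthy spare hand-off looks like in the minutes after a failure.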

Re: What is our ultimate goal??

2008-02-21 Thread Rod Whitworth
On Thu, 21 Feb 2008 13:15:41 +0530, Mayuresh Kathe wrote:

On Thu, Feb 21, 2008 at 1:05 PM, ropers [EMAIL PROTECTED] wrote:
 On 20/02/2008, Mayuresh Kathe [EMAIL PROTECTED] wrote:
   On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
 * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
  Wouldn't it be nice to have a high performance networking stack?

 yeah.
 guess what we have?
 exactly that.
 (which doesn't mean it could be even faster)
  
  
   Pardon if I sound ignorant, but isn't our networking stack based on
the 24 year old technology from Berkeley?

  Pardon if I sound ignorant, but isn't our Bugatti Veyron based on
  the millennia old wheel technology?

The wheel isn't the technology, it is a concept.
An implementation of the wheel concept would be the technology.
The concept is the same, but the technology is certainly different.
Are you saying your Bugatti Veyron is running on wooden wheels?

~Mayuresh


Yawnn...
Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: Dell PowerEdge 1950 Xeon Quad-Core

2008-02-21 Thread Jung
It works fine with 4.3-beta.

- kernel compile

# time make -j8
   text    data     bss     dec     hex
6139672  181824  439328 6760824  672978
   1m27.80s real     4m15.21s user     6m45.58s system

- dmesg

OpenBSD 4.3-beta (GENERIC.MP) #1: Fri Feb 22 02:11:55 KST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3488907264 (3327MB)
avail mem = 3373576192 (3217MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xcffbc000 (62 entries)
bios0: vendor Dell Inc. version 1.3.7 date 03/26/2007
bios0: Dell Inc. PowerEdge 1950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1596.16 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 265MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu2: 4MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu3: 4MB 64b/line 16-way L2 cache
cpu4 at mainbus0: apid 2 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu4: 4MB 64b/line 16-way L2 cache
cpu5 at mainbus0: apid 6 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu5: 4MB 64b/line 16-way L2 cache
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu6: 4MB 64b/line 16-way L2 cache
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu7: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0 apid 9 pa 0xfec81000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (PEX2)
acpiprt2 at acpi0: bus 6 (UPST)
acpiprt3 at acpi0: bus 7 (DWN1)
acpiprt4 at acpi0: bus 9 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 2 (PE2P)
acpiprt7 at acpi0: bus 11 (PEX4)
acpiprt8 at acpi0: bus 13 (PEX6)
acpiprt9 at acpi0: bus 3 (SBEX)
acpiprt10 at acpi0: bus 15 (COMP)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpicpu4 at acpi0
acpicpu5 at acpi0
acpicpu6 at acpi0
acpicpu7 at acpi0
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 5
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 7
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci4 at ppb3 bus 8
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: apic 8 int 16 (irq 5)
ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci5 at ppb4 bus 9
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 10
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12
pci7 at ppb6 bus 1
ppb7 at pci7 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci8 at ppb7 bus 2
mpi0 at pci8 dev 8 function 0 Symbios Logic SAS1068 rev 0x01: apic 9 int 0 (irq 5)
scsibus0 at mpi0: 173 targets
sd0 at scsibus0 targ 0 lun 0: 

Projector/external monitor not working on OpenBSD 4.2-current on Thinkpad X60

2008-02-21 Thread Amarendra Godbole
I am unable to move the display to a projector or an external monitor
on my Thinkpad X60, which is running OpenBSD 4.2-current. Fn-F7 is the
keycombination to be used to switch displays, but it does not work.
Now, I am not too sure if this is a function of the OS, or Thinkpad's
firmware. Search engines turned up nothing. Can someone suggest a way
by which I can make use of an external monitor? Any software package
to control this? Thanks.

-Amarendra



Re: make release errors

2008-02-21 Thread Alexander Hall

Chris Smith wrote:

On Wednesday 20 February 2008, Alexander Hall wrote:

The ignored part in the error output. Those error messages are
typical (dare I guess you're on i386?) and not critical.


Yes, i386.


If these are the only errors you get, then you can go on with the
rest of the release.


I get this as well:
=
# cd /usr/src/distrib/sets && sh checkflist
6455a6456
> ./usr/sbin/authpf-noip
13115a13117
> ./usr/share/man/cat4/wbsio.0
13442a13445
> ./usr/share/man/cat8/authpf-noip.0
=


Ah, I got those too, yesterday. I guess it's new stuff that has not yet 
made it to the correct file lists or so. As release(8) says:


   Check that the contents of ${DESTDIR} pretty much match the
contents of the release `tarballs'

Thanks to the pretty much part, I assumed that it was ok, but anyone 
more educated may be of another opinion.


If I don't want X, am I basically done except for any third party 
packages desired?


Yep.

/Alexander



security alert

2008-02-21 Thread Royal Bank
RBC Financial Group

Contact Information

Online Services Security

Help

Sign-In Protection Alert - Sign-In Protection - Alert

An attempt to access Online Banking was denied on:

An attempt to access Online Banking was denied on:

Thursday, 18 Feb 2008 at 5:24:08 EST

Thursday, 18 Feb 2008 at 5:24:08 EDT

Access was denied for one of two reasons:

  * Incorrect attempts to access and Login failures.

  * Signing on from a different location or device different from your
location and your IP address.

Access was denied for one of the following two reasons:

  * The answer to your personal verification question did not match our
records.

  * Your personal verification question was asked but no answer was
provided.

If you remember trying to access Online Banking on the above date and
time, please select That was me.

If you do not remember trying to access Online Banking on the above date
and time, please select That was NOT me. You will then be prompted to
safeguard your account.

If you remember trying to access Online Banking on the date and time
above, click on "That was me".

If you do not remember trying to access Online Banking on the date and
time above, click on "That was NOT me". The system will then ask you to
change your password.

That was me

That was not me

That was me

That was NOT me

© Royal Bank of Canada 1996, 2002, 2003-2008.



Re: OpenBSD 4.1 Stable Strange Problem

2008-02-21 Thread Wong Peter
On 2/21/08, Wong Peter [EMAIL PROTECTED] wrote:

 Before this, it is not normal to me because it is very fast. Now become
 like this and also the wireless problem.

 My wireless card is Linksys Wmp54g.

 No, I do not do anything to rc.conf or rc.local.

 /etc/hostname.rl1 :
 inet 172.16.10.1 255.240.0.0

 /etc/hostname.ral0:
 inet 192.168.5.1 255.255.0.0 NONE media autoselect \ mediaopt hostap mode
 11g nwid myname nwkey xxx

 /etc/hostname.rl0 (External Interface)
 dhcp NONE NONE NONE

 /etc/dhcpd.interfaces.
 ral0 rl1

 /etc/dhcpd.conf

 Wired

 subnet 172.16.0.0 netmask 255.240.0.0
 {
option subnet-mask 255.240.0.0;
option routers 172.16.10.1;
range 172.16.10.12 and some fixed address;
 }

 wireless

 subnet 192.168.0.0 netmask 255.255.0.0
 {
   option routers 192.168.5.1;
 }

 After boot, the wireless interface is not up and I need to manually bring
 it up with ifconfig ral0 192.168.5.1. After issuing this command, the
 status of the wireless interface is no network.

 Below is the ifconfig -a | less : rl1 (wired internal interface) is not
 connected


 rl1: status: no carrier
 inet 172.16.10.1 netmask 0xfff00000 broadcast 172.31.255.255

 ral0:
 UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST
 groups: wlan
 media: IEEE802.11 autoselect (DS1)
 status: no network
 ieee80211: nwid myname 100dBm
 inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255

 Routing Tables:

 Internet
 Destination        Gateway          Flags   Refs    Use   Mtu  Interface
 default            219.93.218.177   UGS       13   2142        tun0
 127/8              127.0.0.1        UGRS       0      0 33224  lo0
 127.0.0.1          127.0.0.1        UH         2      0 33224  lo0
 155.207.113.207    219.93.218.177   UGHD       0   1682     -  L tun0
 172.116/12         link#2           UC         0      0     -  rl1
 192.168.1/24       link#1           UC         1      0        rl0
 192.168.1.1        H.A              UHLc       0      0        lo0
 192.168.1.2        127.0.0.1        UGHS       0      0        lo0
 219.93.218.177     60.48.180.172    UH         2      0  1492  tun0
 224/4              127.0.0.1        URS        0      0 33224  lo0

 Dmesg if as follow:

 ral0 at pci0 dev 15 function 0 Ralink Rt2561S rev 0x00: irq 10, address
 H.A ral0: MAC/BBP RT 2561C, RF Rt 2527

 Why function is 0  ?

 NAT rules:

 priv_add=192.168.0.0/16
 priv_adds=172.16.0.0/12

 nat on $ext_if inet from { $priv_add, $priv_adds } to any -> ($ext_if)

 rl0 is promisc mode when i do rootkit hunter scan.
 etherip.allow=1;
 ip.redirect=0;
 ip forward = 1
 esp.enable = 1
 ah.enable=1

 Cannot ping openbsd to rl1(Wired Internal interface)

 If you need any more information, please let me know.

 I'm one of the developers of rootkit hunter.
 A billion thanks for your help.








-- 
Linux



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-21 Thread Lars Noodén

LeRoy, Ted wrote:

...
I'd like to limit the user account access for the other groups,
permitting them a shell and a few commands, but no ability to browse the
box or do things like cat or cp /etc/passwd.
...


In addition to chroot, you'll want to make sure that their login shell 
is rksh and that you've fiddled with the path.  Any programs they should 
be able to run should be in a special path and the regular paths not 
even listed.

http://www.openbsd.org/cgi-bin/man.cgi?query=rksh

Regards,
-Lars

PS.  If you get a good job later as a result of the course or the 
degree, then we on the list expect kickbacks for having helped you get 
it.  ;)

http://www.openbsd.org/donations.html



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-21 Thread Lars Noodén

Josh Grosse wrote:


A new sftp chroot restriction environment is now available in -current; you
may find the discussion at the OpenBSD Journal helpful:

http://undeadly.org/cgi?action=article&sid=20080220110039


1) What is the timeline for completely dropping scp?

2) ChrootDirectory and similar features in sshd_config are great. 
DenyGroups and AllowGroups were ones that I had really wanted.


Along those lines, the example given in the undeadly article above applies 
access controls at the user level.  Applying them at the group level is 
often considered more maintainable and scalable.  The example from the 
article would look like this instead:


Match group uploaders
ForceCommand internal-sftp
ChrootDirectory /chroot

Where user djm is a member of the group uploaders.

Regards,
-Lars



Why does pf work with last matching rule wins

2008-02-21 Thread Guido Tschakert
Hi,

I wonder why pf works from top to bottom in filtering with last matching
rule wins but in address translation from top to bottom with first
matching rule wins.

Sure, I can use quick on every rule in filtering to have first
matching rule wins.

Me thinks it would be better if both filtering and address translation
worked the same (like first rule wins), but I think there are reasons to
do it the pf way, but I don't see them.
Any enlightenment for me?

thanks guido



Re: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)

2008-02-21 Thread Jan Stary
On Feb 20 19:13:04, Klaus Botschen wrote:
 The Alix2c1 board is from PC Engines, 3 LAN, 1 miniPCI,
 a 433 MHz AMD Geode LX700 with 128 MB DDR DRAM,
 CompactFlash socket (see http://pcengines.ch/alix2c1.htm).

I currently use ALIX.1C as my main router/fw/named/dhcpd
(soon to be replaced by ALIX.2C1 which you use), and have
the following comments to make:

 We need /tmp, /var and /dev writeable, but this would destroy the
 CompactFlash card. We move those three directories to a memory
 based file system that will be populated during startup.

Writing into /dev, /tmp and /var would definitely NOT destroy the CF
card. Before installing, I too considered some filesystems to be mfs,
to make the card live longer; but I was told on this list by
knowledgeable people that this is not a concern any more. My ALIX is
running for about half a year now, with all filesystems being regular
ffs, with zero problems, while 'block log'-ing everything with
'pflogd -s 512 -f /var/log/pflog'.

I think it only is a concern if you write into /var/log heavily
on this kind of machine; and how often do you write into /dev and /tmp
after all? Don't bother setting up a mfs and populating it on boot
- just using noatime is fine; should the card die one day, new CF cards
will be cheaper than a fart by then (and eight times as big, too).

Jan



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-21 Thread Hannah Schroeter
Hi!

On Thu, Feb 21, 2008 at 01:49:02PM +0200, Lars Noodén wrote:
1) What is the timeline for completely dropping scp?

I hope never.

[...]

Kind regards,

Hannah.



Re: What is our ultimate goal??

2008-02-21 Thread knitti
On 2/19/08, Mayuresh Kathe [EMAIL PROTECTED] wrote:
  something as good as FireEngine,

I'm following this thread with quite some amusement, but one thing is
not in the least clear to me: why do you think you want something as
good as FireEngine. Heck, even under the assumption FireEngine is
Really Good (TM), you should compare it to  the *new* stack of FreeBSD,
whose marketing blurb is at least a bit meatier than Sun's.
http://www.meetbsd.org/storage/kris.kennaway_meetbsd2007.pdf

SO now do you want FireEngine? Or rather SMPng networking? Or
would you like ReallyHyperFastZoomStreamCyberWoosh?
You can't decide?

You have not even shown a corner case, much less in general why
it would be desirable to completely throw away the current
architecture. I use OpenBSD since 3.0 on very small CPUs and also
on rather big ones (all i386 and amd64, though), and I don't remember
a single case in which network stack performance wouldn't at least
have met my expectations.

What performance difference are you expecting? Do you know
the implications, which the different approaches impose on the
kernel architecture? Even if there would be a developer,  who would
in principle be open to the idea, you have to show her that it is worth
the hassle. But you don't even know what you're talking about.

If *I* were a developer, I would be offended by the notion that
AnotherSolution is *that* *much* *better* (as you imply) _without_
showing any evidence.

--knitti



Re: What is our ultimate goal??

2008-02-21 Thread bofh
On Thu, Feb 21, 2008 at 8:52 AM, knitti [EMAIL PROTECTED] wrote:
  SO now do you want FireEngine? Or rather SMPng networking? Or
  would you like ReallyHyperFastZoomStreamCyberWoosh?

Now that you've brought it up, I would really like a
ReallyHyperFastZoomStreamCyberWoosh TCP stack.  Just make sure it
doesn't require 1.2Jigawatts of power and have interesting side
effects when it gets to 88mph.


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted. -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Dubai Balanced Score Center

2008-02-21 Thread Heba Munier
Dubai Balanced Score Training Center 
   
Up Coming Program Mar 2008

- 
[http://www.bsdubai.org/programs_details.php?type=course&cat=510]
Strategies Of Modern Public Relations - Dubai - City Seasons Hotel - Mar 02 To 06 / 2008
- 
[http://www.bsdubai.org/programs_details.php?type=course&cat=918]
Modern Strategies To Supervise Security - Cairo - Grand Hyatt Hotel - Mar 09 To 13 / 2008
- 
[http://www.bsdubai.net/programs_details.php?type=course&cat=CI%20422]
Effective Communication & Interpersonal Skills - Cairo - Grand Hyatt Hotel - Mar 09 To 13 / 2008
- 
[http://www.bsdubai.net/programs_details.php?type=course&cat=SM%20720]
Introduction To Sales and Marketing - Cairo - Grand Hyatt Hotel - Mar 09 To 13 / 2008
- 
[http://www.bsdubai.net/programs_details.php?type=course&cat=HR%20234]
Train The Trainer Best Practices - Paris - Le Meridien Etoile - Mar 23 To 27 / 2008
- 
[http://www.bsdubai.net/programs_details.php?type=course&cat=PI%20542]
Advanced Contracts Management - Geneva - Prestol Hotel - Mar 23 To 27 / 2008
- 
[http://www.bsdubai.net/programs_details.php?type=course&cat=ML%20140]
Building High Performance Teams - Geneva - Prestol Hotel - Mar 23 To 27 / 2008
Heba Munier
B.S. Center 
[mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
[http://www.bsdubai.org] www.bsdubai.org
Tel:00971509228381 
Fax:0097142638827
 

This message was sent by: Heba Munier, Al-Qusaif T-Dubai, +965-9449251, Kuwait 
56970, Kuwait

Powered by iContact: http://freetrial.icontact.com

Manage your subscription: 
http://app.icontact.com/icp/mmail-mprofile.pl?r=7726955&l=17117&s=HAQK&m=100739&c=218332



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Darrin Chandler
On Thu, Feb 21, 2008 at 12:19:54PM +0100, Guido Tschakert wrote:
 I wonder why pf works from top to bottom in filtering with last matching
 rule wins but in address translation from top to bottom with first
 matching rule wins.

I've wondered about the difference between NAT and filter rules myself.
I have no answer.

 Sure, I can use quick on every rule in filtering to have first
 matching rule wins.
 
 Me thinks it would be better if both filtering and address translation
 worked the same (like first rule wins), but I think there are reasons to
 do it the pf way, but I don't see them.
 Any enlightenment for me?

Don't use quick that way. If you can't stand the way PF works it would
be better to use something else. Using PF as intended will let you have
normal conversations, look at example rules, &c., &c.

One good reason for last match wins is that the rules proceed from most
general to most specific. This is a normal way for humans to think, and
once you get used to it I bet you like it better. For me it makes it
easier to read, write, and maintain rules than using the first-match way
of listing all exceptions without knowing the general (or default) case.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
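The evaluation order Darrin describes, as an added example that is not part of the thread: a small Python model of pf's filter semantics (every rule is tried, the last match decides, `quick` ends the walk) next to the first-match convention, run over one three-rule set written the pf way, general first and exceptions last. The rule grammar here is a toy subset of pf.conf parsed by a hand-written tokenizer, not pf's own parser, and the rules and packets are constructed for illustration.

```python
"""Model pf's filter evaluation: every rule is tried, the last match wins,
and 'quick' stops the walk at the matching rule. Added example for the thread
above; the rule grammar is a toy subset of pf.conf, not pf's parser."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool            # stop evaluating once this rule matches
    src: str               # host, CIDR or "any"
    dst: str
    port: Optional[int]    # None matches any port
    text: str              # original rule text, kept for reporting


@dataclass
class Packet:
    src: str
    dst: str
    port: int


def parse_rule(text: str) -> Rule:
    """Parse '<pass|block> [in|out] [quick] [proto X] [all | from S to D [port N]]'."""
    tokens = text.split()
    action = tokens[0]
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action in rule: {text!r}")
    src = dst = "any"
    port = None
    i = 1
    while i < len(tokens):
        if tokens[i] in ("from", "to", "port", "proto"):
            value = tokens[i + 1]
            if tokens[i] == "from":
                src = value
            elif tokens[i] == "to":
                dst = value
            elif tokens[i] == "port":
                port = int(value)
            # "proto" is accepted but ignored in this toy model
            i += 2
        else:
            i += 1       # in, out, quick, all: keywords without an operand
    return Rule(action, "quick" in tokens, src, dst, port, text)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.port is None or rule.port == pkt.port))


def evaluate_last_match(rules: List[Rule], pkt: Packet) -> str:
    """pf filter semantics: the last matching rule decides, unless a matching
    rule is 'quick', in which case evaluation ends there. pf passes a packet
    that matches no rule at all, which is why rule sets open with 'block all'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"


def evaluate_first_match(rules: List[Rule], pkt: Packet) -> str:
    """The other convention (pf's nat/rdr rules, most other packet filters):
    the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "pass"


# Constructed rule set, written the pf way: general first, exceptions last.
FILTER_RULES = [parse_rule(r) for r in (
    "block in all",
    "pass in proto tcp from 192.168.1.0/24 to any port 22",
    "block in from 192.168.1.66 to any",      # one LAN host is denied ssh
)]

# Same rules with 'quick' on the pass rule: the exception below it is never reached.
QUICK_RULES = [parse_rule(r) for r in (
    "block in all",
    "pass in quick proto tcp from 192.168.1.0/24 to any port 22",
    "block in from 192.168.1.66 to any",
)]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", "10.0.0.1", 22),
                Packet("192.168.1.66", "10.0.0.1", 22),
                Packet("192.168.1.10", "10.0.0.1", 80)):
        print(pkt, "last-match:", evaluate_last_match(FILTER_RULES, pkt),
              "first-match:", evaluate_first_match(FILTER_RULES, pkt),
              "last-match+quick:", evaluate_last_match(QUICK_RULES, pkt))
```

Under last-match the list reads as "block everything, except allow LAN ssh, except not from .66"; feeding the same list to a first-match evaluator blocks everything at rule one, and the list has to be reversed to mean the same thing. The `quick` variant shows why sprinkling `quick` on pass rules to get first-match behaviour silently disables the host exception that follows.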



Re: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)

2008-02-21 Thread Klaus Botschen
Hi,

 Writing into /dev, /tmp and /var would definitely NOT destroy the CF
 card.

Might be. I used non-industrial-grade CF cards, so the chance is of course 
higher.

 running for about half a year now, with all filesystems being regular

That's fine. The machines that got replaced by the Alix board have been running 
for almost 5 years, and I hope that I don't need to touch the boards for 
several years.

 - just using noatime is fine; should the card die one day, new CF cards
 will be cheaper than a fart by then (and eight times as big, too).

That might depend... I have the theory that if you are sysadmin, the 
machines feel when you are far away, and die exactly when you can't just 
drop in and repair them :)

Cheers,
Klaus



Re: inspircd + libunwind?

2008-02-21 Thread Unix Fan
Is this the library you're looking for http://www.nongnu.org/libunwind/ ?



I found it via Google and it wasn't exactly very hard.







-Nix Fan.




Re: What is our ultimate goal??

2008-02-21 Thread Miod Vallat

 SO now do you want FireEngine? Or rather SMPng networking? Or
 would you like ReallyHyperFastZoomStreamCyberWoosh?


Now that you've brought it up, I would really like a
ReallyHyperFastZoomStreamCyberWoosh TCP stack.  Just make sure it
doesn't require 1.2Jigawatts of power and have interesting side
effects when it gets to 88mph.


But ReallyHyperFastZoomStreamCyberWoosh is designed for processors with
the HyperVirtualFuzzboxVoodooDoubleStream extension. Porting it to
OpenBSD would seriously impact performance of OpenBSD on mundane
processors.

Miod



Re: make release errors

2008-02-21 Thread Chris Smith
On Thursday 21 February 2008, Alexander Hall wrote:
 Thanks to the pretty much part, I assumed that it was ok, but
 anyone more educated may be of another opinion.

Thanks.

It's been announced that OpenBSD turned 4.3-beta, does that 
mean -current is now 4.3-beta? If so, is there anything special that 
needs to be done to stay -current through this version change?

-- 
Chris



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Lars Noodén

Darrin Chandler wrote:

One good reason for last match wins is that the rules proceed from most
general to most specific. ...


I'm fairly comfortable with PF, but that way of looking at it really helps.

Regards,
-Lars



Re: Projector/external monitor not working on OpenBSD 4.2-current on Thinkpad X60

2008-02-21 Thread Douglas A. Tutty
On Thu, Feb 21, 2008 at 03:41:30PM +0530, Amarendra Godbole wrote:
 I am unable to move the display to a projector or an external monitor
 on my Thinkpad X60, which is running OpenBSD 4.2-current. Fn-F7 is the
 keycombination to be used to switch displays, but it does not work.
 Now, I am not too sure if this is a function of the OS, or Thinkpad's
 firmware. Search engines turned up nothing. Can someone suggest a way
 by which I can make use of an external monitor? Any software package
 to control this? Thanks.
 
When you boot the laptop, go into the bios (just to prevent booting).
Have the external monitor attached.  Hit your key combo and you should
get the bios screen on the external monitor.  If this works, then you're
on the right track.  If it doesn't, then you know that it's not the OS's
fault.

Doug.



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Vijay Sankar
On February 21, 2008 05:19:54 am Guido Tschakert wrote:
 Hi,

 I wonder why pf works from top to bottom in filtering with last matching
 rule wins but in address translation from top to bottom with first
 matching rule wins.

 Sure, I can use quick on every rule in filtering to have first
 matching rule wins.

 Me thinks it would be better if both filtering and address translation
 works the same (like first rule wins), but I think there are reasons to
 do it the pf way, but I don't see them.
 Any enlightenment for me?

 thanks guido

To me (from a layman's perspective), it seems like first match wins is more 
logical for NAT and last match wins seems more correct for filtering. While 
writing NAT rules I have not had a situation where one NAT rule negates the 
previous rules. Whereas with filtering rules, you could conceivably have that 
issue. Also, since you have to use a filter to allow NAT (assuming you are 
not using rdr pass) to me, the current approach makes reading a pf.conf file 
easier. Anyways. FWIW, that is what I thought was the reasoning behind this 
approach. 

-- 
Vijay Sankar, M.Eng., P.Eng.
President & CEO
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: make release errors

2008-02-21 Thread Stuart Henderson
On 2008/02/21 10:12, Chris Smith wrote:
 On Thursday 21 February 2008, Alexander Hall wrote:
  Thanks to the pretty much part, I assumed that it was ok, but
  anyone more educated may be of another opinion.
 
 Thanks.
 
 It's been announced that OpenBSD turned 4.3-beta, does that 
 mean -current is now 4.3-beta? If so, is there anything special that 
 needs to be done to stay -current through this version change?

not really, just use *43.tgz rather than *42. 

this is a good time to be testing *snapshots* in particular
(especially when new ones with 43 in the filenames turn up).



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Rod Dorman
On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote:
   ...
 One good reason for last match wins is that the rules proceed from most
 general to most specific. This is a normal way for humans to think, and
 once you get used to it I bet you like it better. For me it makes it
 easier to read, write, and maintain rules than using the first-match way
 of listing all exceptions without knowing the general (or default) case.

But that's dependent on how you look at it and approach it.

Isn't the general rule of thumb to allow only what you explicitly need
and reject everything else?

When I'm working with a Cisco IOS access-list I find it's much easier to
state each specific allow routing to this port on this host and let
the final deny any to catch and reject the remainder.


-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. - Ambassador Kosh



Re: There's something about OpenBSD...

2008-02-21 Thread Henri Salo
On Thu, 21 Feb 2008 21:53:43 +0530
Mayuresh Kathe [EMAIL PROTECTED] wrote:

 What is it about OpenBSD that I can't resist it?

 After the past long exchange about our ultimate goal and a lot of
 people advising me to go over to Solaris 10, I did, I removed OpenBSD
 from one of my machines and installed Solaris Express Developers
 Edition.
 It was slick looking, very graphical with most of things you want to
 do, had Java SE 5/6 preinstalled, and had everything that I was
 expecting from OpenBSD.

 But yet, after 2 hours of fooling around, I came back to OpenBSD.

 For one thing, it took me almost 1.5 hours to install Solaris, compare
 that to 30 minutes with OpenBSD, including 'packages', 'src' and
 'ports'.

 The second thing was probably the knowledge that things are simple
 with OpenBSD, none of the complicated layouts thing as with Solaris.
 You could follow instructions from ancient books like Practical Unix
 and Internet Security - Second Edition to the T.

 Given all that, in spite of all the hammering I've taken over my
 comments, I'd prefer to stick with OpenBSD.

 Thanks to Theo and the core gang for delivering such a good, clean
 operating environment.

 Best,

 ~Mayuresh

Mind your heads fellow hackers. It can cause addiction.

--
Henri Salo fgeek at hack.fi +358407705733
GPG ID: 2EA46E4F  fp: 14D0 7803 BFF6 EFA0 9998  8C4B 5DFE A106 2EA4 6E4F

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



'Work from Home' 'Web Developer' 'Web Programmer' Oppurtunites

2008-02-21 Thread sounder dilipan
Hi,
We are recruiting 'web designers' and 'web programmers' to work with us
part time and full time on a contract basis.  If you or your friends or your
family members are looking for opportunities to work from home, contact us ASAP
by phone or email or by 'yahoo messenger'

'yahoo messenger' : [EMAIL PROTECTED]
email  : [EMAIL PROTECTED]

Regards,
Dilipan
(703) 849 1269 (USA)
(416) 238 0270 (CANADA)



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-21 Thread Henri Salo
On Thu, 21 Feb 2008 14:03:40 +0100
Hannah Schroeter [EMAIL PROTECTED] wrote:

 Hi!

 On Thu, Feb 21, 2008 at 01:49:02PM +0200, Lars Noodin wrote:
 1) What is the timeline for completely dropping scp?

 I hope never.

 [...]

 Kind regards,

 Hannah.

Where did you get this information? I'm using scp every day and in a few
scripts. I hope it's not going to be dropped -- ever!

--
Henri Salo fgeek at hack.fi +358407705733
GPG ID: 2EA46E4F  fp: 14D0 7803 BFF6 EFA0 9998  8C4B 5DFE A106 2EA4 6E4F

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



There's something about OpenBSD...

2008-02-21 Thread Mayuresh Kathe
What is it about OpenBSD that I can't resist it?

After the past long exchange about our ultimate goal and a lot of
people advising me to go over to Solaris 10, I did, I removed OpenBSD
from one of my machines and installed Solaris Express Developers
Edition.
It was slick looking, very graphical with most of things you want to
do, had Java SE 5/6 preinstalled, and had everything that I was
expecting from OpenBSD.

But yet, after 2 hours of fooling around, I came back to OpenBSD.

For one thing, it took me almost 1.5 hours to install Solaris, compare
that to 30 minutes with OpenBSD, including 'packages', 'src' and
'ports'.

The second thing was probably the knowledge that things are simple
with OpenBSD, none of the complicated layouts thing as with Solaris.
You could follow instructions from ancient books like Practical Unix
and Internet Security - Second Edition to the T.

Given all that, in spite of all the hammering I've taken over my
comments, I'd prefer to stick with OpenBSD.

Thanks to Theo and the core gang for delivering such a good, clean
operating environment.

Best,

~Mayuresh



Re: There's something about OpenBSD...

2008-02-21 Thread raven
And...you forgot to say: Sorry for my dumbness to all developers that 
give you an answer.

Now, you have to kiss all their ass.

Francesco

Mayuresh Kathe ha scritto:

What is it about OpenBSD that I can't resist it?

After the past long exchange about our ultimate goal and a lot of
people advising me to go over to Solaris 10, I did, I removed OpenBSD
from one of my machines and installed Solaris Express Developers
Edition.
It was slick looking, very graphical with most of things you want to
do, had Java SE 5/6 preinstalled, and had everything that I was
expecting from OpenBSD.

But yet, after 2 hours of fooling around, I came back to OpenBSD.

For one thing, it took me almost 1.5 hours to install Solaris, compare
that to 30 minutes with OpenBSD, including 'packages', 'src' and
'ports'.

The second thing was probably the knowledge that things are simple
with OpenBSD, none of the complicated layouts thing as with Solaris.
You could follow instructions from ancient books like Practical Unix
and Internet Security - Second Edition to the T.

Given all that, in spite of all the hammering I've taken over my
comments, I'd prefer to stick with OpenBSD.

Thanks to Theo and the core gang for delivering such a good, clean
operating environment.

Best,

~Mayuresh




HFSC rules not working/parsing as supposed to

2008-02-21 Thread Bill Johnstone
Hello all.

A while back (several months ago), I had a dialogue with Henning
regarding hfsc in pf not working as it was supposed to.  To be more
specific, according to previous posts and discussions, the following
bare-bones ruleset should parse OK:

  ext_if = hme0
  int_if = fxp0

  altq on $ext_if hfsc bandwidth 384Kb queue { rtq defq }
  queue  rtq hfsc(realtime 10Kb linkshare 11Kb upperlimit 21Kb)
  queue defq hfsc(default realtime 0Kb linkshare 200Kb upperlimit 300Kb)

However, running pfctl -nv -f pf.conf on this produces the following
error right after the first queue rule:

  pfctl: the sum of the child bandwidth higher than parent root_hme0

According to previous posts by Henning, if the service curves are
specified in full, the bandwidth keyword should be unnecessary.  I
agree with the people who have posted to the lists before regarding the
bandwidth keyword in hfsc as being confusing and redundant.

So the question is: why do I get this error in the first place? 
Henning didn't have time to debug this, so it didn't go any further,
but I'd appreciate any assistance in trying to figure this out now.  I
don't want to have to use the hack of bandwidth when the service
curves should fully determine the queueing configuration.

Thanks for any assistance.



  




Re: Why does pf work with last matching rule wins

2008-02-21 Thread Darrin Chandler
On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote:
 On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote:
...
  One good reason for last match wins is that the rules proceed from most
  general to most specific. This is a normal way for humans to think, and
  once you get used to it I bet you like it better. For me it makes it
  easier to read, write, and maintain rules than using the first-match way
  of listing all exceptions without knowing the general (or default) case.
 
 But that's dependent on how you look at it and approach it.
 
 Isn't  the  general rule of thumb to allow only what you explicitly need
 and reject everything else?
 
 When  I'm working with a Cisco IOS access-list I find its much easier to
 state  each  specific  allow routing to this port on this host and let
 the final deny any to catch and reject the remainder.

Yes, but you have to read the entire Cisco rule set to know that. In
PF...

deny all
allow this
allow that

Right away you know that the default policy is deny. Explicitly, and
right up front. When looking at PF rules if the first thing isn't deny
then I immediately know that (and I am also very suspicious at that
point).

I prefer this, personally. I also think it's a good practice, generally.
I realize that other popular schemes do it the other way around and that
many people are more familiar and comfortable that way. But I am glad
that PF works as it does.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



IPSEC + Performance

2008-02-21 Thread Gustavo Polillo
How much OpenBSD performance is lost with IPSEC enabled?



Re: There's something about OpenBSD...

2008-02-21 Thread Mayuresh Kathe
Sorry for my dumbness, to all developers :)

On Thu, Feb 21, 2008 at 10:56 PM, raven [EMAIL PROTECTED] wrote:
 And...you forgot to say: Sorry for my dumbness to all developers that
  give you an answer.
  Now, you have to kiss all their ass.

  Francesco

  Mayuresh Kathe ha scritto:


  What is it about OpenBSD that I can't resist it?
  
   After the past long exchange about our ultimate goal and a lot of
   people advising me to go over to Solaris 10, I did, I removed OpenBSD
   from one of my machines and installed Solaris Express Developers
   Edition.
   It was slick looking, very graphical with most of things you want to
   do, had Java SE 5/6 preinstalled, and had everything that I was
   expecting from OpenBSD.
  
   But yet, after 2 hours of fooling around, I came back to OpenBSD.
  
   For one thing, it took me almost 1.5 hours to install Solaris, compare
   that to 30 minutes with OpenBSD, including 'packages', 'src' and
   'ports'.
  
   The second thing was probably the knowledge that things are simple
   with OpenBSD, none of the complicated layouts thing as with Solaris.
   You could follow instructions from ancient books like Practical Unix
   and Internet Security - Second Edition to the T.
  
   Given all that, in spite of all the hammering I've taken over my
   comments, I'd prefer to stick with OpenBSD.
  
   Thanks to Theo and the core gang for delivering such a good, clean
   operating environment.
  
   Best,
  
   ~Mayuresh



ssh complaining about bad file descriptor on 4.3beta.

2008-02-21 Thread Allie D.
I'm getting bad file descriptor errors on every ssh connection on a box
that I built from source on 4.3 beta last night. Anyone else seeing this as
well ?

Feb 21 09:54:43 crusty sshd[21741]: error: getsockname failed: Bad file
descriptor

Wanted to see if anyone else is seeing it as well before I send a bug
report. 



Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Xavier Milliès-Lacroix
Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo  (HP's
Integrated Lights Out) (or better ilo2) ?

We're looking at new servers and are wondering if these are worth the cash,
or which is the one to go for ?

I see some problem with ILO2 on HP DL320 G5 (/G5p ?).

We need to be able to do 'quite' everything remotely (from installing
(virtual floppy / cd / dvd) to exploitation).

Regards.



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Ted Unangst
On 2/21/08, Rod Dorman [EMAIL PROTECTED] wrote:
 Isn't the general rule of thumb to allow only what you explicitly need
 and reject everything else?

 When I'm working with a Cisco IOS access-list I find it's much easier to
 state each specific allow routing to this port on this host and let
 the final deny any to catch and reject the remainder.

so put the deny all rule first.
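The ordering argument running through this thread (Darrin's "block all" first, Rod's access-list habit of putting the catch-all deny last, Ted's "so put the deny all rule first"), as an added example that is not from any of the posters and is not pf's own code: a small Python model of pf's evaluation order, where rules are walked top to bottom, the last matching rule decides, and a matching rule with "quick" stops evaluation. The three rulesets, the addresses, the ports and the sample packets are all constructed for the illustration.

```python
"""Model of pf's rule evaluation order (added example, constructed; not pf's
own code).  Rules are walked top to bottom and the LAST matching rule decides,
unless a matching rule carries "quick", which ends evaluation at that rule.
The three rulesets below are the styles argued about in the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dst: str     # destination address (constructed sample values)
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule).  When no rule matches at
    all, pf's implicit default is to pass, hence the starting value."""
    decision, idx = "pass", None
    for i, r in enumerate(rules):
        if r.matches(p):
            decision, idx = r.action, i
            if r.quick:      # "quick": stop here; later rules are not consulted
                break
    return decision, idx


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p)[0] for p in packets]


# Darrin's / Ted's style: the default policy is the FIRST line; the exceptions
# follow and, being later matches, override it.  The policy is known before
# reading anything else.
PF_STYLE = [
    Rule("block"),
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=22),
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=80),
]

# Rod's access-list style forced onto pf: every rule is "quick", so the first
# match wins and the catch-all deny has to come LAST.  Same decisions, but the
# default policy is only visible after reading to the bottom.
ACL_STYLE = [
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=22, quick=True),
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=80, quick=True),
    Rule("block", quick=True),
]

# The trap: access-list ordering WITHOUT "quick".  Under last-match-wins the
# trailing "block" matches everything and overrides every pass above it.
ACL_ORDER_NO_QUICK = [
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=22),
    Rule("pass", proto="tcp", dst="10.0.0.5", dport=80),
    Rule("block"),
]

# Constructed sample traffic: ssh to the allowed host, https to it, dns elsewhere.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 22),
    Packet("tcp", "10.0.0.5", 443),
    Packet("udp", "10.0.0.9", 53),
]

if __name__ == "__main__":
    for name, rs in (("PF_STYLE", PF_STYLE), ("ACL_STYLE", ACL_STYLE),
                     ("ACL_ORDER_NO_QUICK", ACL_ORDER_NO_QUICK)):
        print(name, decisions(rs, SAMPLE))
```

The first two rulesets make identical decisions; what differs is where a reader learns the default policy. The third is the mistake the thread is warning about: carrying the "deny last" habit into pf without "quick" silently blocks the traffic the pass rules were meant to admit.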



Re: There's something about OpenBSD...

2008-02-21 Thread Henning Brauer
* raven [EMAIL PROTECTED] [2008-02-21 18:50]:
 Now, you have to kiss all their ass.

err, I'll pass...

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Jussi Peltola
On Thu, Feb 21, 2008 at 07:01:21PM +0100, Xavier Milliès-Lacroix wrote:
 We need to be able to do 'quite' everything remotely (from installing
 (virtual floppy / cd / dvd) to exploitation).

I prefer PXE booted bsd.rd and a serial console, with BIOS serial
redirection it is quite close to a LOM module and does the things it can
do extremely reliably.



Re: IPSEC + Performance

2008-02-21 Thread Will
That depends what kind of hardware you have and what type of setting
it will be used in.

For example, have used a 100Mhz net4511 on a home-based connection
without much trouble, but it would be inappropriate for much above
that.

-Will

On Thu, Feb 21, 2008 at 12:37 PM, Gustavo Polillo [EMAIL PROTECTED] wrote:
 How much OpenBSD performance is lost with IPSEC enabled?



Balanced Score Center Newsletter

2008-02-21 Thread Heba Munier
http://www.bsdubai.org
 

This message was sent by: Heba Munier, Al-Qusaif T-Dubai, Dubai, Dubai 56970, 
United Arab Emirates




Re: IPSec transport mode and traceroute

2008-02-21 Thread Grant Mericle
The short answer is no, not over IPSec.  You could change your IPSec filter
to only match for TCP traffic, but that's not a feasible solution if you
need to IPSec protect ALL traffic.

Without IPSec in the picture, traceroute works by sending a UDP packet from
128.164.144.144 to 128.164.159.159 with an ephemeral port for source and
dest.   It sets the TTL to 1 and sends the packet out.  The first hop (your
gateway) gets the packet and responds with the ICMP time exceeded message. 
The ICMP message contains the original UDP packet.   Your source gets the
packet and passes it to traceroute.  Traceroute finds the original src and
dest ports and makes sure that they match the packet he sent out before he
posts the gateway IP and round trip time to the screen.
With IPSec in the picture, things change.   When traceroute sends the UDP
packet out, the ESP header is inserted after the IP header, and the protocol
is changed from 17 (UDP) to 50 (ESP).   When the gateway gets the packet, it
responds with the ICMP message.  But this time when your source gets it,
traceroute tries to compare the original src/dest ports with the incoming
src/dest ports and they don't match (because it's not accounting for this
ESP header... and the UDP packet is likely encrypted anyway).   He tosses
the packet and continues to wait until the timeout is hit.  
Every hop between your src and dest will fail this way.   You will finally
receive good data when we get to your destination because his stack undoes
the IPSec stuff and the stack processes the original UDP packet.   This time
when the stack sends back the ICMP message Port Unreachable, the src/dest
ports will match with what traceroute expects and you get the expected
output.   
Hope that helps, 
  Grant

Jason Mader-3 wrote:
 
 I've got really simple transport mode IPSec setup between two hosts:
 
 [ipsec.conf]
 ike ah transport from 128.164.144.144 to 128.164.159.159 main auth
 hmac-sha2-256 group modp1536 quick group modp1536
 
 Though traceroute from one host to the other fails at the gateway,
 despite the gateway responding,
   128.164.144.189  dns1: icmp: time exceeded in-transit [tos 0xc0]
 (ttl 255, id 12234, len 56)
 
 traceroute to dns2 (128.164.159.159), 64 hops max, 40 byte packets
   1  * * *
   2  dns2 (128.164.159.159)  0.752 ms  0.648 ms  0.604 ms
 
 Is there anything I could be doing differently so that the traceroute
 works?
 
 
 

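Grant's explanation of why the intermediate hops show up as "* * *", as an added example that is not from the thread: constructed packets built with Python's struct module, no network access, and no real cryptography. It builds a traceroute UDP probe, the same probe behind an ESP header (protocol 50, as Grant describes) and behind an AH header (protocol 51, which is what the quoted "ike ah transport" configuration produces; that case is my extension of Grant's point), wraps each in the first hop's ICMP "time exceeded", and then does what traceroute does with the reply: dig out the quoted inner packet and compare its UDP ports with the probe's. The addresses are the ones from Jason's post; the port numbers, SPIs and ESP/AH contents are made up.

```python
"""Why traceroute cannot match its probes against ICMP "time exceeded" replies
when the probe leaves the host in IPsec transport mode.  Added example with
constructed packets; no network access and no real crypto."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 1, 17, 50, 51
IHL_BYTES = 20  # minimal IPv4 header, no options


def ipv4_header(src, dst, proto, ttl, total_len):
    # version 4, IHL 5, TOS 0, id/flags 0; checksum left 0 (nothing verifies it here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_probe(src, dst, sport, dport, ttl, ipsec=None):
    """The packet as it leaves the host: plain UDP, or the same UDP datagram
    behind an ESP or AH header in transport mode (constructed, not real IPsec)."""
    udp = udp_datagram(sport, dport, b"\x00" * 12)
    if ipsec is None:
        body, proto = udp, IPPROTO_UDP
    elif ipsec == "esp":
        # SPI + sequence number, then "ciphertext" (a toy xor stands in for
        # encryption): the UDP ports are no longer visible in the clear at all.
        body = struct.pack("!II", 0x1001, 1) + bytes(b ^ 0x5A for b in udp)
        proto = IPPROTO_ESP
    elif ipsec == "ah":
        # AH: next header, payload length (32-bit words minus 2), reserved,
        # SPI, sequence number, 12-byte ICV, then the UDP datagram in the clear.
        body = (struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x2002, 1)
                + b"\x00" * 12 + udp)
        proto = IPPROTO_AH
    else:
        raise ValueError(ipsec)
    return ipv4_header(src, dst, proto, ttl, IHL_BYTES + len(body)) + body


def icmp_time_exceeded(gateway, probe_src, probe):
    """ICMP type 11 code 0 from the first hop, quoting the expired packet's IP
    header plus the first 8 bytes of its payload (RFC 792)."""
    quoted = probe[:IHL_BYTES + 8]
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    return ipv4_header(gateway, probe_src, IPPROTO_ICMP, 64,
                       IHL_BYTES + len(icmp)) + icmp


def traceroute_match(reply, sport, dport):
    """What traceroute does with an incoming ICMP error: accept it only if the
    quoted packet is UDP and carries the ports of the probe that was sent."""
    icmp = reply[IHL_BYTES:]
    if icmp[0] != 11 or icmp[1] != 0:
        return False
    inner = icmp[8:]                  # quoted IP header + 8 bytes of payload
    if inner[9] != IPPROTO_UDP:
        # ESP (50) or AH (51): the bytes after the IP header are an SPI and a
        # sequence number, not UDP ports, so there is nothing to compare.
        return False
    inner_ihl = (inner[0] & 0x0F) * 4
    q_sport, q_dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (q_sport, q_dport) == (sport, dport)


def demo(ipsec=None):
    """Send one TTL=1 probe from Jason's source host, receive the gateway's
    reply, and report whether traceroute would accept it."""
    src, dst, gw = "128.164.144.144", "128.164.159.159", "128.164.144.189"
    sport, dport = 33434, 33435      # constructed probe ports
    probe = build_probe(src, dst, sport, dport, ttl=1, ipsec=ipsec)
    reply = icmp_time_exceeded(gw, src, probe)
    return traceroute_match(reply, sport, dport)


if __name__ == "__main__":
    for mode in (None, "esp", "ah"):
        print(mode or "plain", "->", "matched" if demo(mode) else "* * *")
```

The final hop succeeds for the reason Grant gives: the destination host strips the IPsec header before its stack generates "port unreachable", so that reply quotes a UDP packet whose ports line up. Every hop in between only ever sees, and therefore only ever quotes, the ESP or AH packet.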



Re: There's something about OpenBSD...

2008-02-21 Thread Nick Holland

Mayuresh Kathe wrote:

What is it about OpenBSD that I can't resist it?

After the past long exchange about our ultimate goal and a lot of
people advising me to go over to Solaris 10, I did, I removed OpenBSD
from one of my machines and installed Solaris Express Developers
Edition.
It was slick looking, very graphical with most of things you want to
do, had Java SE 5/6 preinstalled, and had everything that I was
expecting from OpenBSD.

But yet, after 2 hours of fooling around, I came back to OpenBSD.

For one thing, it took me almost 1.5 hours to install Solaris, compare
that to 30 minutes with OpenBSD, including 'packages', 'src' and
'ports'.

The second thing was probably the knowledge that things are simple
with OpenBSD, none of the complicated layouts thing as with Solaris.
You could follow instructions from ancient books like Practical Unix
and Internet Security - Second Edition to the T.

Given all that, in spite of all the hammering I've taken over my
comments, I'd prefer to stick with OpenBSD.

Thanks to Theo and the core gang for delivering such a good, clean
operating environment.

Best,

~Mayuresh


yeah, I've been doing some things with Solaris for work, it's stunned
me that an OS can take most of DVD...and still be missing what I would
call absolute basics that OpenBSD has on an install that fits in half
of a CD.  I know, deep down, Solaris is a very good OS, and inspires a
lot of the work OpenBSD developers do, but man, it's got user interface
features that were fixed in MS-DOS and CP/M decades ago, and What The
Heck do you put on an entire DVD when it doesn't even have a C compiler
or some very basic management tools...


I think the conflict you saw is very much the CAUSE of the simplicity
and usability of OpenBSD.

Community or committee designed OSs are filled with compromise and bloat
to keep all parties happy.  You can feel it in most systems -- five
different ways to do one task, three different applications for the same
goal, etc.  You can just imagine people sitting around a room arguing over
things, and eventually, a compromise is reached, and things get bigger,
slower, and more bloated.  If a better way of doing something comes up,
there is fear of alienating users and developers if the old way is removed,
so things get bigger and bigger.

OpenBSD is the vision of one person.  He's surrounded himself with a bunch
of like-minded people, and they produce an OS the way they want it.

Is it for everyone?  Of course not.  Usually, you will know pretty
quickly if you agree with the design and philosophy or not.  If not,
there are plenty of alternatives out there.

Funny thing is, I suspect most users of OpenBSD are happier with the
results of having that small group of people make decisions about the
direction of the project than they would be if the entire community
had input on the direction of the project.  Yes, every individual person
would like it better if THEIR input (and only their input) steered the
project, but I suspect few would be happier if EVERYONE'S input was
blindly accepted and acted upon.


Compromise is an interesting word.  It sometimes seems to have widely
different definitions -- there's what we are taught when young is the
good sense, everyone giving-in a little for the better common good,
and of course, the security compromise which is a very bad thing.
However, I sometimes wonder about that good sense of the word...how
often do we compromise on things we know are just plain wrong, just
to avoid conflict or to make progress even when you know the progress
is in the wrong direction.  I guess you could call OpenBSD a no
compromise OS for a number of definitions. :)

So, when they say OpenBSD is written by the developers for the
developers, my response is, Thank goodness. :)


I still love this quote:
 Some of the people working on OpenBSD are nit-picking,
 anal-retentive, pedantic, intolerant, fanatical, insistent,
 demanding and relentless: in other words, the perfect people
 to be crafting an operating system.
(possibly from Rich Kulawiec, but I've not had much luck confirming
that...  and he's wrong: not some, ALL...)

Nick.



Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Steve Shockley

Xavier Milliès-Lacroix wrote:

Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo  (HP's
Integrated Lights Out) (or better ilo2) ?


I prefer HP ILO.  Both do more or less the same thing, but Dell seems to 
change their card interface every other week, and HP builds them into 
the system board on G3 and above.



I see some problem with ILO2 on HP DL320 G5 (/G5p ?).


You do?


We need to be able to do 'quite' everything remotely (from installing
(virtual floppy / cd / dvd) to exploitation).


For the HP you'll need an ILO license.  For the Dell you'll need a card. 
 They both cost about the same thing.


The HPs can share one of the gigabit NICs if you're short on ports and 
use VLANs.




Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-21 Thread Lars Noodén

Henri Salo wrote:

...
Where did you get this information? ...


It's a question, hence the question mark.  Not a statement of fact, 
hence the absence of a period.  Serves me right for having two topics in 
the same message.


The topic that is more interesting to me is getting group level access 
control into the examples.  Applying acls at the group level makes it 
easier to manage larger userbases.


AllowGroups is particularly great and I was psyched when it showed up 
last year.


Match is more complex and may turn out to be more useful.  It means 
extra privileges, such as TcpForwarding or X11Forwarding, can be granted 
for specific groups.  Same for fine-tuning like in the example using

ForceCommand.

Regards,
-Lars
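The group-level access control Lars describes (AllowGroups, Match, ForceCommand), as an added sshd_config fragment that is not from the thread and not from the OpenSSH project. The directive Lars calls "TcpForwarding" is AllowTcpForwarding in sshd_config; ChrootDirectory is the sshd directive for the chroot part of the thread's subject. The group names and the chroot path are assumptions.

```sshd_config
# Added example sshd_config fragment (not from the thread).  Group names
# "sshusers" and "sftponly" and the path /var/sftp are assumptions.

# Only members of these groups may authenticate at all.
AllowGroups sshusers sftponly

# Defaults for everyone who got past AllowGroups: no forwarding of any kind.
AllowTcpForwarding no
X11Forwarding no

# Members of sftponly get a chrooted, SFTP-only session regardless of what
# they ask for.  The chroot directory must be owned by root and not writable
# by any other user, or sshd refuses the login.
Match Group sftponly
    ChrootDirectory /var/sftp/%u
    ForceCommand internal-sftp

# Members of sshusers keep a shell and may forward TCP ports; X11 stays off.
Match Group sshusers
    AllowTcpForwarding yes
```

Match blocks apply to the rest of the file until the next Match, and for a user who is in both groups the first Match block that sets a directive wins, so the more restrictive block is placed first.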



Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Nick Nauwelaerts
On Thu, 21 Feb 2008 19:01:21 +0100
Xavier Milliès-Lacroix [EMAIL PROTECTED] wrote:

 Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo
 (HP's Integrated Lights Out) (or better ilo2) ?

 We're looking at new servers and are wondering if these are worth the
 cash, or which is the one to go for ?

 I see some problem with ILO2 on HP DL320 G5 (/G5p ?).

 We need to be able to do 'quite' everything remotely (from installing
 (virtual floppy / cd / dvd) to exploitation).

I don't really see how this is related to openbsd, but ilo2 wins hands
down to drac, but has a costly advanced license.
Installing openbsd through ilo2 virtual cd works just fine btw.

// nick



Nike's Darcy Winslow to Address Lean and Green Summit

2008-02-21 Thread Lean and Green
Darcy Winslow of Nike to Present
Organizers of the first annual Lean and Green Summit announced the completion
of the conference agenda. This next generation event will feature keynote
presenter Darcy Winslow of Nike. Darcy is head of Nike's Women's Footwear
Division and is a champion for the company's sustainability efforts.

Attendees of the Summit will learn from industry professionals who display a
high degree of business acumen as they address their company's impact on the
world around them. Don't miss this opportunity! Register today!

www.leanandgreensummit.com

---

Summit Agenda

Thursday, July 17th

8:00am - 9:30am
Opening Program and
Keynote Presentation
Darcy Winslow
General Manager for Women's Shoes, Nike

9:30am - 9:45am
Break

9:45am - 11:15am
Engineering Sustainable Operational Processes
Presenter: Dave Gustashaw, Interface, Inc.

In this session you will be introduced to what it truly means to be
sustainable. As Dave Gustashaw will explain, sustainable operations aren't
what most people think. By explaining Interface's journey, you will learn to
look at sustainability through a different lens and how it's not simply about
compliance. In fact, if you address sustainability as Interface has,
compliance takes a backseat as a non-issue.

World Cafe and the
Technology of Participation
See next article for explanations of these tools.

11:15am - 11:30am
Break

11:30am - 12:30pm
Networking Lunch

12:30pm - 12:45pm
Break

12:45pm - 2:15pm
Design for the Environment
Presenters: Mike Gnam and Paul Chalmer from the National Center for
Manufacturing Sciences

In this session you will be presented with a holistic view of design, with
implications of materials selected. Learn lean (set-based) approaches to
design. The session will also cover concepts of cradle-to-cradle and design
chemistry, life-cycle analysis and implications for business processes and the
value proposition.

World Cafe and the
Technology of Participation

2:15pm-2:30pm
Break

2:30pm-4:00pm
People in a Green Organization
Presenter: Jeff Harvey, President and CEO of Burgerville

One of the largest barriers to Lean is often people and corporate culture.
It's no different when your company moves on the road to Green and
sustainability. Hear from Jeff Harvey, President and CEO of Burgerville how
they address the people and culture side of their business.

FROM BURGERVILLE'S WEBSITE...
Central to the heart of the company, Burgerville people are at the center of
what allows our company to live its values to their fullest extent. Without
strong, vibrant, healthy people, there can be no healthy families or healthy
community. At Burgerville, we believe in developing people throughout our
organization. Leading and thriving in the midst of change calls for alert,
reflective and creative people-people who are flexible in the face of change
and who bring their spirit and imagination to bear on the problems and issues
at hand. By growing their leadership abilities, employees learn how to
powerfully manage change and serve with love no matter the circumstances they
encounter. Leadership at this level contributes innovation and creates
sustainable impact, which grows our business and serves our community.

World Cafe and the
Technology of Participation


Friday, July 18th

8:00 am-9:30am
Performance Measurement
Presenters: Panel of Measurement Experts

How do you measure whether you are truly sustainable or not? What is your true
impact on nature? Unfortunately, there's a proliferation of different set of
metrics, so how do you make sense of what metrics make sense for your
organization.

In this session you will learn how to define metrics for green and
sustainability, so a company can measure its progress and understand what are
the important few things to measure (and not the trivial many).

Discuss how these metrics integrate (or don't integrate) with traditional
financial metrics.

Understand the conflicts with finance and directive management that come with
dedication to lean and sustainability.

World Cafe and the
Technology of Participation

9:30am-11:30am
Guided Collaboration
World Cafe, Open Space Technology
and the Technology of Participation

11:30am-12:30pm
Networking Lunch

12:30pm-3:00pm
Guided Collaboration
World Cafe, Open Space Technology
and the Technology of Participation

You will walk away from this session with a personal action plan.


www.leanandgreensummit.com

---

Not your average conference...
We've all attended conferences in which presenters talked AT us for session
after never-ending session. The Lean and Green Summit is a next-generation
conference that will involve attendees with a high degree of peer and
presenter interaction. The Summit will incorporate the proven tools of World
Cafe, Open Space Technology and the Technology of Participation. These tools
have been effectively used for decades by large and small businesses, as well
as many levels of government and civil society. Each of 

Re: There's something about OpenBSD...

2008-02-21 Thread Jason Dixon

On Feb 21, 2008, at 1:40 PM, Nick Holland wrote:


Mayuresh Kathe wrote:

What is it about OpenBSD that I can't resist it?


yeah, I've been doing some things with Solaris for work, it's stunned
me that an OS can take most of DVD...and still be missing what I would
call absolute basics that OpenBSD has on an install that fits in half
of a CD.  I know, deep down, Solaris is a very good OS, and inspires a
lot of the work OpenBSD developers do, but man, it's got user interface
features that were fixed in MS-DOS and CP/M decades ago, and What The
Heck do you put on an entire DVD when it doesn't even have a C compiler
or some very basic management tools...



Sun Microsystems Inc.   SunOS 5.10  Generic January 2005
-bash-3.00$ grep -r foo *
grep: illegal option -- r
Usage: grep -hblcnsviw pattern file . . .


Enough said.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Stuart Henderson
On 2008/02/21 14:21, Steve Shockley wrote:
 Xavier Millihs-Lacroix wrote:
 Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo  (HP's
 Integrated Lights Out) (or better ilo2) ?

 I prefer HP ILO.  Both do more or less the same thing, but Dell seems to 
 change their card interface every other week, and HP builds them into the 
 system board on G3 and above.

Whichever you choose, try and get something that doesn't share
a NIC with the OS.

I normally go for the time-honoured serial console to a box running
conserver and a masterswitch though (on a separate lan: you don't
really want this sort of thing, ILO/DRAC or masterswitch or IP KVM
or whatever else, on your main lan unprotected).



Question about ports-stable

2008-02-21 Thread Joe
Are there any plans underway to resume ports-stable maintenance? I'm  
aware that maintaining ports-stable is not a project goal or high on  
the todo list. I'd like to volunteer to assist, but I'm not sure what  
is needed.


Thanks.



Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Xavier Milliès-Lacroix
I really like PXE too.
But the servers to be administered remotely would be the firewalls (two in
a carp association).

Xavier

2008/2/21, Jussi Peltola [EMAIL PROTECTED]:

 On Thu, Feb 21, 2008 at 07:01:21PM +0100, Xavier Milliès-Lacroix wrote:
  We need to be able to do 'quite' everything remotely (from installing
  (virtual floppy / cd / dvd) to exploitation).

 I prefer PXE booted bsd.rd and a serial console, with BIOS serial
 redirection it is quite close to a LOM module and does the things it can
 do extremely reliably.




Re: There's something about OpenBSD...

2008-02-21 Thread Richard Daemon
On Thu, Feb 21, 2008 at 2:30 PM, Jason Dixon [EMAIL PROTECTED] wrote:
 On Feb 21, 2008, at 1:40 PM, Nick Holland wrote:

   Mayuresh Kathe wrote:
   What is it about OpenBSD that I can't resist it?
  

   yeah, I've been doing some things with Solaris for work, it's stunned
   me that an OS can take most of DVD...and still be missing what I would
   call absolute basics that OpenBSD has on an install that fits in half
   of a CD.  I know, deep down, Solaris is a very good OS, and inspires a
   lot of the work OpenBSD developers do, but man, it's got user interface
   features that were fixed in MS-DOS and CP/M decades ago, and What The
   Heck do you put on an entire DVD when it doesn't even have a C compiler
   or some very basic management tools...


  Sun Microsystems Inc.   SunOS 5.10  Generic January 2005
  -bash-3.00$ grep -r foo *
  grep: illegal option -- r
  Usage: grep -hblcnsviw pattern file . . .


  Enough said.

  ---
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net



Did you mean -R?



Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Jussi Peltola
On Thu, Feb 21, 2008 at 07:50:52PM +, Stuart Henderson wrote:
 I normally go for the time-honoured serial console to a box running
 conserver and a masterswitch though (on a separate lan: you don't
 really want this sort of thing, ILO/DRAC or masterswitch or IP KVM
 or whatever else, on your main lan unprotected).
And it's supposed to be out of band and not shared with the main
network to be really useful when you need it.

Serial consoles are easily accessed with a telephone modem connected to
the console server, redundant networking is much more complex (and I'd
say less foolproof).

-- 
Jussi Peltola



Re: pkill.c warn when no such process

2008-02-21 Thread Unix Fan
$ pkill bob; echo $?
1
$

Just live with it.. ;)

Breaking compatibility just to convenience you... is not an option.

-Nix Fan.




Re: Why does pf work with last matching rule wins

2008-02-21 Thread Giancarlo Razzolini
Vijay Sankar escreveu:
 On February 21, 2008 05:19:54 am Guido Tschakert wrote:
 Hi,

 I wonder why pf works from top to bottom in filtering with last matching
 rule wins but in address translation from top to bottom with first
 matching rule wins.

 Sure, I can use quick on every rule in filtering to have first
 matching rule wins.

 Me thinks it would be better if both filtering and address translation
 worked the same (like first rule wins), but I think there are reasons to
 do it the pf way, but I don't see them.
 Any enlightenment for me?

 thanks guido

 To me (from a layman's perspective), it seems like first match wins is more
 logical for NAT and last match wins seems more correct for filtering. While
 writing NAT rules I have not had a situation where one NAT rule negates the
 previous rules. Whereas with filtering rules, you could conceivably have that
 issue. Also, since you have to use a filter to allow NAT (assuming you are
 not using rdr pass) to me, the current approach makes reading a pf.conf file
 easier. Anyways. FWIW, that is what I thought was the reasoning behind this
 approach.

From the performance section of the openbsd.org PF FAQ:

# Complexity and design of your rule set. The more complex your rule
set, the slower it is. The more packets that are filtered by keep state
and quick rules, the better the performance. The more lines that have to
be evaluated for each packet, the lower the performance.

I do use quick for all of my rule set. I come from Linux iptables, and
for me it was hard to change my way of thinking. I couldn't change it
entirely, and do use quick every time. I do this also because more
people, who also come from iptables, maintain the rule
sets. Does anyone know of a tutorial or howto that focuses on this
difference of first match wins vs. last match wins? I would happily
start using the latter for writing my rule sets. This is a very
interesting discussion, as the pf FAQ recommends using quick for better
performance.

My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Remote Admin Card - Dell DRAC or HP ILO2 ?

2008-02-21 Thread Xavier Milliès-Lacroix
You are right.

I think I'll put a box like soekris in front of the ILO ports to prevent hacks on
the ILO.
This way I'll be able to push CD / floppy images to the HP servers.
During an upgrade of the soekris box I'll use the firewall server COM port and
PXE if I should do a full reinstall.

Xavier.


2008/2/21, Jussi Peltola [EMAIL PROTECTED]:

 On Thu, Feb 21, 2008 at 07:50:52PM +, Stuart Henderson wrote:
  I normally go for the time-honoured serial console to a box running
  conserver and a masterswitch though (on a separate lan: you don't
  really want this sort of thing, ILO/DRAC or masterswitch or IP KVM
  or whatever else, on your main lan unprotected).
 And it's supposed to be out of band and not shared with the main
 network to be really useful when you need it.

 Serial consoles are easily accessed with a telephone modem connected to
 the console server, redundant networking is much more complex (and I'd
 say less foolproof).

 --
 Jussi Peltola



Re: There's something about OpenBSD...

2008-02-21 Thread Han Boetes
Jason Dixon wrote:
 Sun Microsystems Inc.   SunOS 5.10  Generic January 2005
 -bash-3.00$ grep -r foo *
 grep: illegal option -- r
 Usage: grep -hblcnsviw pattern file . . .

You are not using the default shell. :-)

The ksh implementation that comes with solaris is horrible indeed.


# Han



Re: ham,Re: ham,Re: Monitoring Bandwidth Usage, based on ports, service, client, etc.

2008-02-21 Thread Richard Daemon
On Sat, Feb 16, 2008 at 1:59 PM, Simon Slaytor [EMAIL PROTECTED] wrote:
 Sorry Richard, should have mentioned the RRD voodoo, hopefully Peter has
  set you on the right track.

  I never really liked the 'rough' graphs produced by the version of RRD
  Graph available from the packages collection. I've downloaded the latest
  1.2.6 port version from openports.se and compiled and built this. I then
  tweak nfsen adding the RRD 'slope' and anti alias features, not exactly
  accurate but very pretty!

What tweaks did you do, or is 1.2.6 worth the change alone?

TIA!



Re: There's something about OpenBSD...

2008-02-21 Thread Marco Peereboom
real men use find

On Thu, Feb 21, 2008 at 02:30:30PM -0500, Jason Dixon wrote:
 On Feb 21, 2008, at 1:40 PM, Nick Holland wrote:

 Mayuresh Kathe wrote:
 What is it about OpenBSD that I can't resist it?

 yeah, I've been doing some things with Solaris for work, it's stunned
 me that an OS can take most of DVD...and still be missing what I would
 call absolute basics that OpenBSD has on an install that fits in half
 of a CD.  I know, deep down, Solaris is a very good OS, and inspires a
 lot of the work OpenBSD developers do, but man, it's got user interface
 features that were fixed in MS-DOS and CP/M decades ago, and What The
 Heck do you put on an entire DVD when it doesn't even have a C compiler
 or some very basic management tools...


 Sun Microsystems Inc.   SunOS 5.10  Generic January 2005
 -bash-3.00$ grep -r foo *
 grep: illegal option -- r
 Usage: grep -hblcnsviw pattern file . . .


 Enough said.

 ---
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net



Re: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)

2008-02-21 Thread Markus Hennecke

On Thu, 21 Feb 2008, Klaus Botschen wrote:


Writing into /dev, /tmp and /var would definitely NOT destroy the CF
card.


Might be. I used non-industrial-grade CF cards, so the chance is of course
higher.


Yes, I did it. Just let /var run full and try to log a lot of stuff and
you will write the same sector many times in a short period. Led to an
unusable /var partition on a consumer SanDisk CF card. The card was
pretty old, but I guess that there are a lot of low-price CF cards out
there that have no real wear-levelling algorithm implemented.



running for about half a year now, with all filesystems being regular


That's fine. The machines that got replaced by the Alix board have been running
for almost 5 years, and I hope that I don't need to touch the boards for
several years.


Putting /var on mfs is not such a bad idea if you got RAM to spare. 
Using rsync to write the changed files back on the CF card in fixed 
intervals and on shutdown should be ok.



- just using noatime is fine; should the card die one day, new CF cards
will be cheaper than a fart by then (and eight times as big, too).


That might depend... I have the theory that if you are sysadmin, the
machines feel when you are far away, and die exactly when you can't just
drop in and repair them :)


Nice theory, would explain some hardware faults I witnessed in the past 
:)


Kind regards,
  Markus



Re: There's something about OpenBSD...

2008-02-21 Thread a . velichinsky
On Thu, Feb 21, 2008 at 01:40:28PM -0500, Nick Holland wrote:
 Mayuresh Kathe wrote:
 What is it about OpenBSD that I can't resist it?
 
 After the past long exchange about our ultimate goal and a lot of
 people advising me to go over to Solaris 10, I did, I removed OpenBSD
 from one of my machines and installed Solaris Express Developers
 Edition.
 It was slick looking, very graphical with most of things you want to
 do, had Java SE 5/6 preinstalled, and had everything thing that I was
 expecting from OpenBSD.
 
 But yet, after 2 hours of fooling around, I came back to OpenBSD.
 
 For one thing, it took me almost 1.5 hours to install Solaris, compare
 that to 30 minutes with OpenBSD, including 'packages', 'src' and
 'ports'.
 
 The second thing was probably the knowledge that things are simple
 with OpenBSD, none of the complicated layouts thing as with Solaris.
 You could follow instructions from ancient books like Practical Unix
 and Internet Security - Second Edition to the T.
 
 Given all that, inspite of all the hammering I've taken over my
 comments, I'd prefer to stick with OpenBSD.
 
 Thanks to Theo and the core gang for delivering such a good, clean
 operating environment.
 
 Best,
 
 ~Mayuresh
 
 yeah, I've been doing some things with Solaris for work, it's stunned
 me that an OS can take most of DVD...and still be missing what I would
 call absolute basics that OpenBSD has on an install that fits in half
 of a CD.  I know, deep down, Solaris is a very good OS, and inspires a
 lot of the work OpenBSD developers do, but man, it's got user interface
 features that were fixed in MS-DOS and CP/M decades ago, and What The
 Heck do you put on an entire DVD when it doesn't even have a C compiler
 or some very basic management tools...

Solaris does have gcc and all the gnu stuff in the default install, you
just have to add /usr/sfw/bin to your path ... and sometimes prefix some
commands with 'g'.

For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively
with gnu grep (a worthless feature imho).



Re: There's something about OpenBSD...

2008-02-21 Thread raven

Marco Peereboom ha scritto:

real men use find

  

or locate(1)

Francesco



Re: There's something about OpenBSD...

2008-02-21 Thread Jussi Peltola
On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote:
 For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively
 with gnu grep (a worthless feature imho).

Displaying the name of the file and the matched line nicely like grep -r
does is not elegant with find + grep without using a script or a long
and inelegant alias - or if it is, I'd be interested in how it can be
done in case I need to work on some ancient unix.

-- 
Jussi Peltola



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Rod Dorman
On Thursday, February 21, 2008, 12:11:27, Darrin Chandler wrote:
 On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote:
   ...
 When I'm working with a Cisco IOS access-list I find it's much easier to
 state each specific allow routing to this port on this host and let
 the final deny any to catch and reject the remainder.

 Yes, but you have to read the entire Cisco rule set to know that.

Well not really, there's an implied deny any at the end (although most
people put one there anyway as a reminder)


-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. - Ambassador Kosh



Re: Why does pf work with last matching rule wins

2008-02-21 Thread Edwards, David (JTS)
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Darrin Chandler
 Sent: Friday, 22 February 2008 12:52 AM
 To: Guido Tschakert
 Cc: OpenBSD Misc
 Subject: Re: Why does pf work with last matching rule wins
[snip]

 Don't use quick that way. If you can't stand the way PF works it would
 be better to use something else. Using PF as intended will
 let you have normal conversations, look at example rules, &c., &c.

 One good reason for last match wins is that the rules proceed
 from most general to most specific. This is a normal way for humans to
 think, and once you get used to it I bet you like it better. For me it
 makes it easier to read, write, and maintain rules than using the
 first-match way of listing all exceptions without knowing the general
 (or default) case.

To be honest, I think the opposite is the case.  From my point
of view, reading through a rule set having to keep in mind all
previous matching rules to decide the fate of a particular
packet is a headache.  And you have to read all of the rules not
just up to the first match.

But I would never ask to change the default behaviour, because
I can do it my way with the quick keyword.  Everyone is happy!

OpenBSD pf rocks!
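
To make the ordering semantics argued over in this thread concrete, here is an added example (written for this page; not from any poster and not pf's own code) that models pf's filter evaluation in C: last matching rule wins unless a match carries quick, which ends the walk. The same policy is written once the pf way (general rule first, exceptions after it) and once in the first-match style the iptables users describe (exceptions first with quick, catch-all last); both give identical verdicts, and the evaluated count shows why the FAQ ties quick to performance. Rule fields, host names and packets are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, much-simplified model of how pf walks a filter ruleset:
 * every rule is evaluated top to bottom and the LAST match decides,
 * unless a matching rule has "quick", which ends the walk at once.
 * Added illustration for this thread, not pf's code. */

enum action { PASS, BLOCK };

struct pkt {
    const char *proto;   /* "tcp" or "udp" */
    const char *dst;     /* destination host name (constructed samples) */
    int dport;           /* destination port */
};

struct rule {
    enum action act;
    bool quick;
    const char *proto;   /* NULL matches any protocol */
    const char *dst;     /* NULL matches any destination */
    int dport;           /* 0 matches any port */
};

struct verdict {
    enum action act;     /* what happens to the packet */
    size_t evaluated;    /* how many rules were looked at */
    int winner;          /* index of the deciding rule, -1 if none */
};

#define NRULES(a) (sizeof(a) / sizeof((a)[0]))

/* true when every non-wildcard field of the rule matches the packet */
static bool rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->proto && strcmp(r->proto, p->proto) != 0) return false;
    if (r->dst && strcmp(r->dst, p->dst) != 0) return false;
    if (r->dport && r->dport != p->dport) return false;
    return true;
}

/* Last-matching-rule-wins walk with quick short-circuit.  Without a
 * quick match the whole ruleset is read, which is the cost the PF FAQ's
 * performance remark refers to.  With no match at all pf passes. */
struct verdict pf_eval(const struct rule *rs, size_t n, const struct pkt *p)
{
    struct verdict v = { PASS, 0, -1 };
    size_t i;
    for (i = 0; i < n; i++) {
        if (!rule_matches(&rs[i], p)) continue;
        v.winner = (int)i;
        v.act = rs[i].act;
        if (rs[i].quick) { i++; break; }   /* quick: stop here */
    }
    v.evaluated = i;
    return v;
}

/* Policy: block everything except ssh to "bastion" and DNS to "resolver".
 * Written the pf way: the general rule first, the exceptions after it. */
static const struct rule last_match_set[] = {
    { BLOCK, false, NULL,  NULL,       0  },
    { PASS,  false, "tcp", "bastion",  22 },
    { PASS,  false, "udp", "resolver", 53 },
};

/* The same policy in first-match style, as the thread's iptables users
 * write it: exceptions first with quick, catch-all block at the end. */
static const struct rule quick_set[] = {
    { PASS,  true,  "tcp", "bastion",  22 },
    { PASS,  true,  "udp", "resolver", 53 },
    { BLOCK, false, NULL,  NULL,       0  },
};

/* Evaluate one constructed packet against a set: 0 = last-match ruleset,
 * anything else = quick ruleset. */
struct verdict verdict_for(int set, const char *proto, const char *dst, int dport)
{
    struct pkt p = { proto, dst, dport };
    if (set == 0)
        return pf_eval(last_match_set, NRULES(last_match_set), &p);
    return pf_eval(quick_set, NRULES(quick_set), &p);
}

int main(void)
{
    const struct pkt samples[] = {
        { "tcp", "bastion",  22 }, { "tcp", "bastion",  80 },
        { "udp", "resolver", 53 }, { "udp", "resolver", 123 },
    };
    for (size_t i = 0; i < NRULES(samples); i++) {
        const struct pkt *p = &samples[i];
        struct verdict a = pf_eval(last_match_set, NRULES(last_match_set), p);
        struct verdict b = pf_eval(quick_set, NRULES(quick_set), p);
        printf("%s %s:%d  last-match: %s after %zu rules  quick: %s after %zu rules\n",
               p->proto, p->dst, p->dport,
               a.act == PASS ? "pass" : "block", a.evaluated,
               b.act == PASS ? "pass" : "block", b.evaluated);
    }
    return 0;
}
```

Both sets pass ssh to the bastion and block web traffic to it, but the quick set decides the ssh case after one rule while the last-match set must read all three.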



Cold Boot Attacks on Encryption Keys

2008-02-21 Thread sebastian . rother
Little blog:
http://citp.princeton.edu/memory/

Paper:
http://citp.princeton.edu.nyud.net/pub/coldboot.pdf

Well, some months ago I asked (not here.. more directly) if it would be
possible to overwrite memory several times in case the box has nothing
to do. Back then there was like no interest because it was no risk not to
do it.

It's no bashing thread. I just wanna bring this to the broad attention
that simply turning OFF the PC won't magically kill all your PWs which lay
around in the RAM. :-)

My suggestion is to overwrite memory like 3 times if a program frees the
memory or if a reboot is commanded via the shell. Of course this harms
old boxes but it's still better than losing your SSH key or whatever
resides in your RAM.

Furthermore OpenBSD could overwrite unused RAM periodically to ensure
such data gets removed.

The only place where this could happen is in the kernel.
Also a modified lib* may help (e.g. a modified free()?)?

I'm no developer but I would be happy to read about solutions, concepts or
ideas even if none gets implemented. :-)

Kind regards,
Sebastian



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Marco Peereboom

Someone please send me some coffee; I can't stay awake.

Somehow I knew some moron would send it to the list. I honestly
guessed the person right.

Let me give you an engineering opinion: bwahahahahahaha this is
retarded.


On Feb 21, 2008, at 4:55 PM, [EMAIL PROTECTED] wrote:


Little blog:
http://citp.princeton.edu/memory/

Paper:
http://citp.princeton.edu.nyud.net/pub/coldboot.pdf

Well, some months ago I asked (not here.. more directly) if it would be
possible to overwrite memory several times in case the box has nothing
to do. Back then there was like no interest because it was no risk not to
do it.

It's no bashing thread. I just wanna bring this to the broad attention
that simply turning OFF the PC won't magically kill all your PWs which lay
around in the RAM. :-)

My suggestion is to overwrite memory like 3 times if a program frees the
memory or if a reboot is commanded via the shell. Of course this harms
old boxes but it's still better than losing your SSH key or whatever
resides in your RAM.

Furthermore OpenBSD could overwrite unused RAM periodically to ensure
such data gets removed.

The only place where this could happen is in the kernel.
Also a modified lib* may help (e.g. a modified free()?)?

I'm no developer but I would be happy to read about solutions, concepts or
ideas even if none gets implemented. :-)

Kind regards,
Sebastian




Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Edd Barrett
On Thu, Feb 21, 2008 at 11:55:39PM +0100, [EMAIL PROTECTED] wrote:
 My suggestion is to overwrite memory like 3 times if a programm free's the
 memory or if a reboot is commanded via the shell. Of course this harms
 old boxes but it's still btter then loosing your SSH-Key or whatever
 resists in your ram.

How about a sysctl to turn that on. It will be terribly slow for users who do 
not require that level of security.

-- 

Best Regards
Edd

http://students.dec.bmth.ac.uk/ebarrett



Re: There's something about OpenBSD...

2008-02-21 Thread Edd Barrett
On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote:

Yes quite, it's all there but in odd places. Also note that make is in
/usr/ccs/bin

The thing that put me off sx developer edition is that it requires a whopping
760MB of RAM for install.

Solaris 10 and Solaris Express and Indiana and all the other confusing
marketing names do not use as much RAM, thank the lord.

-- 

Best Regards
Edd

http://students.dec.bmth.ac.uk/ebarrett



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Marti Martinez
The paper you mentioned has some info on possible countermeasures. The
best (IMO) is physically securing your RAM. This seems to fit in best
with OpenBSD's philosophy, which has never been to put much time into
thwarting attacks that require physical access to the box -- if you
have that, there are MANY avenues of attack, most of which don't
benefit much from immersing components in liquid N_2.

Marti

On Thu, Feb 21, 2008 at 3:55 PM,  [EMAIL PROTECTED] wrote:
 Little blog:
  http://citp.princeton.edu/memory/

  Paper:
  http://citp.princeton.edu.nyud.net/pub/coldboot.pdf

  Well some months ago I asked (not here.. more directly) if it would be
  possible to may overwrite memory serval times in case the Box has nothing
  to do. Back then there was like no interest because it was no risk not to
  do it.

  It's no bashing thread. I just wanna bring this to the broad attention
  that simply turning OFF the PC wont magicaly kill all your PWs wich lay
  around in the RAM. :-)

  My suggestion is to overwrite memory like 3 times if a programm free's the
  memory or if a reboot is commanded via the shell. Of course this harms
  old boxes but it's still btter then loosing your SSH-Key or whatever
  resists in your ram.

  Furthermore OpenBSD may could overwrite periodicaly unused ram to ensure
  such data gets removed.

  The only place where this may could happen is in the Kernel.
  Also a modified lib* may help (f.e. modified free()?)?

  I'm no developer but I would be happy to read about solutions, concepts or
  ideas even none gets implemented. :-)

  Kind regards,
  Sebastian





-- 
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
[EMAIL PROTECTED]



Re: There's something about OpenBSD...

2008-02-21 Thread Nick Bender
On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:

  Displaying the name of the file and the matched line nicely like grep -r
  does is not elegant with find + grep without using a script or a long
  and inelegant alias - or if it is, I'd be interested in how it can be
  done in case I need to work on some ancient unix.

Never used -r so I'm not sure what the output looks like but how about:

  find . -type f -exec grep something {} /dev/null \;

-N



Re: There's something about OpenBSD...

2008-02-21 Thread Marco Peereboom

What's wrong with: find . -name *.[ch] -exec grep blah {} \; -print

On Feb 21, 2008, at 4:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:

On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote:
For instance 'ggrep -r ...' instead of 'grep -r ...' to search
recursively with gnu grep (a worthless feature imho).

Displaying the name of the file and the matched line nicely like grep -r
does is not elegant with find + grep without using a script or a long
and inelegant alias - or if it is, I'd be interested in how it can be
done in case I need to work on some ancient unix.

--
Jussi Peltola




Re: There's something about OpenBSD...

2008-02-21 Thread Jason Dixon
On Thu, Feb 21, 2008 at 06:15:32PM -0500, Nick Bender wrote:
 On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
 
   Displaying the name of the file and the matched line nicely like grep -r
   does is not elegant with find + grep without using a script or a long
   and inelegant alias - or if it is, I'd be interested in how it can be
   done in case I need to work on some ancient unix.
 
 Never used -r so I'm not sure what the output looks like but how about:
 
   find . -type f -exec grep something {} /dev/null \;

Holy crap people, it was just an example.  Believe it or not, I know
alternatives to recursive grep on Solaris.

-J.



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Ted Unangst
On 2/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 My suggestion is to overwrite memory like 3 times if a programm free's the
 memory or if a reboot is commanded via the shell. Of course this harms
 old boxes but it's still btter then loosing your SSH-Key or whatever
 resists in your ram.

1.  what happens when the bad people pull the plug on a running computer?

2.  how long do the bad people have to read your memory after you turn it off?



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Brett Lymn
On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote:
 
 Let me give you an engineering opinion: bwahahahahahaha this is  
 retarded.
 

Well, let me give you another engineering opinion based on actual
experience working on a machine with a custom graphics system - it is
not 100% reliable but DRAM can show a surprising amount of remanence
even without power/refresh.  We used to see parts of the display come
up even after the machine had been down for hours.

-- 
Brett Lymn
Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer.



Re: There's something about OpenBSD...

2008-02-21 Thread a . velichinsky
On Fri, Feb 22, 2008 at 12:08:54AM +0200, Jussi Peltola wrote:
 On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote:
  For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively
  with gnu grep (a worthless feature imho).
 
 Displaying the name of the file and the matched line nicely like grep -r
 does is not elegant with find + grep without using a script or a long
 and inelegant alias - or if it is, I'd be interested in how it can be
 done in case I need to work on some ancient unix.

$ find DIR -type f -print0 | xargs -0 grep PATTERN

which, unlike 'find ... -exec' is just as fast as 'grep -r', and unlike
'grep -r', will skip special devices, symlinks, etc.



Re: There's something about OpenBSD...

2008-02-21 Thread Edwards, David (JTS)
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Jussi Peltola
 Sent: Friday, 22 February 2008 8:39 AM
 To: misc@openbsd.org
 Subject: Re: There's something about OpenBSD...

 On Thu, Feb 21, 2008 at 11:22:25PM +0200,
 [EMAIL PROTECTED] wrote:
  For instance 'ggrep -r ...' instead of 'grep -r ...' to
  search recursively with gnu grep (a worthless feature imho).

 Displaying the name of the file and the matched line nicely
 like grep -r does is not elegant with find + grep
 without using a script or a long and inelegant alias
 - or if it is, I'd be interested in how it can be
 done in case I need to work on some ancient unix.

% find / -name '*.txt' -exec grep foo {} /dev/null \;



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread sebastian . rother
 On 2/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED]
 wrote:
 My suggestion is to overwrite memory like 3 times if a programm free's
 the
 memory or if a reboot is commanded via the shell. Of course this harms
 old boxes but it's still btter then loosing your SSH-Key or whatever
 resists in your ram.

 1.  what happens when the bad people pull the plug on a running computer?

Well that's why I personally mentioned a modified library or the kernel which
could overwrite the RAM 3 times or so in case it has nothing to do.

Maybe there won't be a solution which solves everything but it's a fact that
most applications are written in a lazy way... so there's more information
stored in the RAM than needed. At least this could get reduced I think..

 2.  how long do the bad people have to read your memory after you turn it
 off?

How long do you need to search the memory? Not every OS blocks root from
reading the memory so a simple grep or so would just take 1 second?
*hopefully I got your question correctly..*

Kind regards,
Sebastian
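
The "overwrite memory when a program frees it" half of the suggestion is the part a userland program can act on itself, so here is an added example in C (written for this page; not code from the thread or from OpenBSD): a scrub() that writes through a volatile pointer so the stores survive optimisation, and a scrub_free() wrapper that scrubs before releasing. scrub(), scrub_free(), is_zeroed() and the two lifecycle helpers are hypothetical names, and the key bytes are constructed. It does nothing for a key that is still live when the plug is pulled (Ted's first question), and the three passes are the thread's number, not a requirement of the technique.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite len bytes through a volatile pointer so the compiler cannot
 * drop the stores as dead (a plain memset() right before free() or just
 * before a function returns is routinely optimised away).  Three passes
 * follow the "like 3 times" suggestion from the thread.  Constructed
 * illustration; OpenBSD's libc later added explicit_bzero(3) for exactly
 * this job. */
void scrub(void *p, size_t len)
{
    static const unsigned char pattern[3] = { 0xff, 0xaa, 0x00 };
    volatile unsigned char *vp = (volatile unsigned char *)p;
    for (int pass = 0; pass < 3; pass++)
        for (size_t i = 0; i < len; i++)
            vp[i] = pattern[pass];
}

/* free() replacement for heap buffers that held key material: scrub
 * first, then release.  It needs the length, which free() does not know. */
void scrub_free(void *p, size_t len)
{
    if (p == NULL)
        return;
    scrub(p, len);
    free(p);
}

/* true when every byte of the buffer is zero */
int is_zeroed(const unsigned char *p, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

#define KEYLEN 32

/* Heap case: fill a constructed (not real) key, scrub it in place and
 * confirm it is gone before the memory goes back to the allocator.
 * Returns 1 when the buffer held data before and is all zero after. */
int heap_key_lifecycle(void)
{
    unsigned char *key = malloc(KEYLEN);
    if (key == NULL)
        return -1;
    for (size_t i = 0; i < KEYLEN; i++)
        key[i] = (unsigned char)(0x41 + i);     /* constructed sample bytes */
    int had_data = !is_zeroed(key, KEYLEN);
    /* ... the key would be used here ... */
    scrub(key, KEYLEN);
    int clear = is_zeroed(key, KEYLEN);
    free(key);                    /* in real code: scrub_free(key, KEYLEN) */
    return had_data && clear;
}

/* Stack case: a key copied into a local array must be scrubbed before the
 * function returns, otherwise it lingers in the dead stack frame. */
int stack_key_lifecycle(void)
{
    unsigned char key[KEYLEN];
    memset(key, 0x5a, sizeof key);              /* constructed sample bytes */
    int had_data = !is_zeroed(key, sizeof key);
    scrub(key, sizeof key);
    int clear = is_zeroed(key, sizeof key);
    return had_data && clear;
}

int main(void)
{
    unsigned char *tmp = malloc(KEYLEN);
    if (tmp != NULL)
        scrub_free(tmp, KEYLEN);                /* scrub-then-free in one call */
    printf("heap key scrubbed:  %s\n", heap_key_lifecycle() == 1 ? "yes" : "no");
    printf("stack key scrubbed: %s\n", stack_key_lifecycle() == 1 ? "yes" : "no");
    return 0;
}
```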



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Marco Peereboom
And the power plug wasn't plugged in right?

On Fri, Feb 22, 2008 at 10:45:56AM +1030, Brett Lymn wrote:
 On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote:
  
  Let me give you an engineering opinion: bwahahahahahaha this is  
  retarded.
  
 
 Well, let me give you another engineering opinion based on actual
 experience working on a machine with a custom graphics system - it is
 not 100% reliable but DRAM can show a surprising amount of remanence
 even without power/refresh.  We used to see parts of the display come
 up even after the machine had been down for hours.
 
 -- 
 Brett Lymn



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Brett Lymn
On Thu, Feb 21, 2008 at 07:12:58PM -0600, Marco Peereboom wrote:
 And the power plug wasn't plugged in right?
 

Correct.  We are not talking PC DRAM here - this was custom hardware
with a circuit breaker that really cut power to everything.  Often
when you powered it up before the firmware got around to forcing a
clear on the display ram (yes, the display ram was DRAM) you could
clearly see parts of the display.  To be honest it surprised the hell
out of me the first time I saw it too.

-- 
Brett Lymn



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread STeve Andre'
On Thursday 21 February 2008 19:15:56 Brett Lymn wrote:
 On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote:
  Let me give you an engineering opinion: bwahahahahahaha this is
  retarded.

 Well, let me give you another engineering opinion based on actual
 experience working on a machine with a custom graphics system - it is
 not 100% reliable but DRAM can show a surprising amount of remanence
 even without power/refresh.  We used to see parts of the display come
 up even after the machine had been down for hours.

Please let's not pummel Theo with this directly.

As far as this goes, I'll point out once that you have to have physical
ownership of the laptop to do this, and if so, all bets are off.  If one has
really really critical data on a laptop that goes into the outside world,
they should be shot.  Truly sensitive data should only go out into the
world encrypted as a backup, NOT on some random laptop!

The research is very interesting, but it doesn't apply to OpenBSD.

--STeve Andre'



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread steve szmidt
On Thursday 21 February 2008, Marti Martinez wrote:
 The paper you mentioned has some info on possible countermeasures. The
 best (IMO) is physically securing your RAM. This seems to fit in best
 with OpenBSD's philosophy, which has never been to put much time into
 thwarting attacks that require physical access to the box -- if you
 have that, there are MANY avenues of attack, most of which don't
 benefit much from immersing components in liquid N_2.

Certainly someone with physical access can do just about anything, with a very 
good chance of success. If you have a laptop, physical protection is pretty key. 
It all comes back to Schneier's balance: security vs. ease of use/practicality.

Stealing a server or desktop that has very valuable information should not be 
an easy option. It would NEVER go into a laptop. 

In the end it's good to know they can recover data from your RAM but in 
reality it will not affect many of us. Unless they could recover it hours 
later it's only going to be a problem in an organized attack. At which point 
it falls right back to physical security.

-- 

Steve Szmidt

They that would give up essential liberty for temporary safety 
deserve neither liberty nor safety.
Benjamin Franklin



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Marco Peereboom
I really have a hard time buying this.  I can see how you ended up with
some crap in that memory upon reboot but I fail to see how that memory
could retain its contents.  Not knowing the situation you might have
had some huge caps on that machine; or even battery backed up ram.  This
combined with low power mode content can be stored for days (we do that
on RAID cards).  But that is also ram that does not require a clock to
retain its contents.


On Fri, Feb 22, 2008 at 11:50:06AM +1030, Brett Lymn wrote:
 On Thu, Feb 21, 2008 at 07:12:58PM -0600, Marco Peereboom wrote:
  And the power plug wasn't plugged in right?
  
 
 Correct.  We are not talking PC DRAM here - this was custom hardware
 with a circuit breaker that really cut power to everything.  Often
 when you powered it up before the firmware got around to forcing a
 clear on the display ram (yes, the display ram was DRAM) you could
 clearly see parts of the display.  To be honest it surprised the hell
 out of me the first time I saw it too.
 
 -- 
 Brett Lymn



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread sebastian . rother
 [EMAIL PROTECTED] writes:

   My suggestion is to overwrite memory like 3 times if a program frees
   the memory or if a reboot is commanded via the shell. Of course this harms
   old boxes but it's still better than losing your SSH key or whatever
   resides in your RAM.

 If someone has physical control of your machine while it is active you
 have zero security.   Doing a memory overwrite in the background is not
 going to help. Accept that.

 If I can remove the case to get access to the memory to freeze it before
 chopping power I can also attach bus analyzers that watch and log every
 memory access.   If I've a log of what was written to memory wiping the
 actual memory later does NOT help.

Not at all! RAM keeps the information partly for MINUTES! It's not a real
race condition or so... it's about physics and electricity.
And you're right about the bus analyzer but those are pretty uncommon
devices. I think it's a lot easier to get the RAM and analyze it than to
use a bus analyzer.
Not everybody owns a bus analyzer but almost anybody owns a MB compatible
with your memory modules...

Think about bigger networks! Do you know ANY device which has NO RAM?
Even a simple client PC which boots via network has RAM. And in
universities or so with about 129k users you just can't ensure that NOBODY
turns off the PC, gets the RAM, reads your SSH key and turns the PC on again
(just in case you might have used it before this brave student..)...

You could do this in like 10 minutes (max!).

If you keep in mind that if you break into a bank the cops have a time
window of about 15 minutes, what do you seriously expect in universities?
A SWAT team in every PC pool? :-/

And a university is just one example. Another is a centrally managed global
operating company where you just can't watch the VPN router or whatever
24/7 and where it's common that at least one provider has some issues a
month.

Of course the problem can't get solved with a 2-line patch or so.
But it could be a good start if critical applications like ssh-agent or so
would overwrite the memory they used (if no lib* change is planned).

As I said already, from my point of view a modified free() may solve
the issue (and it would be transparent to ANY software), or a change in the
kernel.

Kind regards,
Sebastian



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread sebastian . rother
Well Marco just fuck you and piss off...ok?
If you don't care stfu and do something else and let people talk who may
care about physical things. And physical in the meaning of something
related to physics... (just in case you don't know, it's the thing you may
have missed in school...)

Or why don't you just fix pcre or some other issues which are still present
in OpenBSD instead of annoying me with pretty unproductive comments?

And it's no shame to know nothing about physics! That's why universities
exist.. even in your city.. I'm sure.

So seriously: if you've any productive or critical comment feel free
to post it, just stop bitching 'cause it does not help/solve anything
except wasting YOUR bandwidth.. right? Right... :)

Kind regards,
Sebastian

p.s.
And you'll be the last who can claim that there are trolls on the oBSD
mailing list... you're a pretty nice example so I recommend that every zoo
should have one or two of your kind

So have we exchanged enough greetings now? Then we might go back to
the roots... thanks.



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread sebastian . rother
 The paper you mentioned has some info on possible countermeasures. The
 best (IMO) is physically securing your RAM. This seems to fit in best
 with OpenBSD's philosophy, which has never been to put much time into
 thwarting attacks that require physical access to the box -- if you
 have that, there are MANY avenues of attack, most of which don't
 benefit much from immersing components in liquid N_2.

 Marti

Then we could drop the whole encryption framework, or?
Why encrypt PWs? Nobody could crack the PWs if they don't have physical
access.. why encrypt the HDDs or use IPSec? It's all about physical
security so why does OpenBSD care?

I don't think it's that easy and I don't really agree with your point of
view. From my point of view OpenBSD does a lot to assist in keeping things
secure even if the physical security was broken (a thief, a bad admin or
whatever..).

Of course there are many kinds of attack but if somebody shuts down your box
and reads the info from your memory there's something we can do about it:
Overwriting

Tell me how to ensure physical security in bigger networks?! Should I
simply shoot each user or just torture 'em? :-)

I don't talk about a 50+ company where you know everybody but more about
1k+ up to 130k users and more.

For privacy it would be great to overwrite everything!
But this slows down the whole stuff too...

Well my opinion is still: If you modify the libs so that a call of free()
involves an overwriting of the memory, all applications would transparently
use it. This would mean there's no need for a kernel patch which overwrites
free memory. But what if an application does not use free() before it got
terminated? In this case the information would still lie around in the
memory..

If I'm wrong please correct me.. it's just that a slowdown is needed to
solve this (even partly).

Kind regards,
Sebastian



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Giancarlo Razzolini
STeve Andre' wrote:

 The research is very interesting, but it doesn't apply to OpenBSD.

 --STeve Andre'


Why doesn't it apply to OpenBSD? And secondly, would vnd devices be
affected by this kind of attack? I particularly believe that this could
be done; I also saw those kinds of display dumps with some video cards
that have DRAM memory. Better never leave my crypt disk open again.
But there is a feature in truecrypt that I believe can defeat this. It
can use a file in conjunction with the password. The attacker can
successfully guess the password, but without knowing the file used, it
would be pointless. The only problem is if tc keeps the filename in
memory as well :(. Will investigate this matter.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Giancarlo Razzolini
[EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] writes:

   My suggestion is to overwrite memory like 3 times if a program frees
   the memory or if a reboot is commanded via the shell. Of course this harms
   old boxes but it's still better than losing your SSH key or whatever
   resides in your RAM.

 If someone has physical control of your machine while it is active you
 have zero security.   Doing a memory overwrite in the background is not
 going to help. Accept that.

 If I can remove the case to get access to the memory to freeze it before
 chopping power I can also attach bus analyzers that watch and log every
 memory access.   If I've a log of what was written to memory wiping the
 actual memory later does NOT help.

 Not at all! RAM keeps the information partly for MINUTES! It's not a real
 race condition or so... it's about physics and electricity.
 And you're right about the bus analyzer but those are pretty uncommon
 devices. I think it's a lot easier to get the RAM and analyze it than to
 use a bus analyzer.
 Not everybody owns a bus analyzer but almost anybody owns a MB compatible
 with your memory modules...

 Think about bigger networks! Do you know ANY device which has NO RAM?
 Even a simple client PC which boots via network has RAM. And in
 universities or so with about 129k users you just can't ensure that NOBODY
 turns off the PC, gets the RAM, reads your SSH key and turns the PC on again
 (just in case you might have used it before this brave student..)...

 You could do this in like 10 minutes (max!).

 If you keep in mind that if you break into a bank the cops have a time
 window of about 15 minutes, what do you seriously expect in universities?
 A SWAT team in every PC pool? :-/

 And a university is just one example. Another is a centrally managed global
 operating company where you just can't watch the VPN router or whatever
 24/7 and where it's common that at least one provider has some issues a
 month.

 Of course the problem can't get solved with a 2-line patch or so.
 But it could be a good start if critical applications like ssh-agent or so
 would overwrite the memory they used (if no lib* change is planned).

 As I said already, from my point of view a modified free() may solve
 the issue (and it would be transparent to ANY software), or a change in the
 kernel.

 Kind regards,
 Sebastian


I believe this isn't as good as it sounds. Because the thief won't steal
the laptop while you are using it, or give it the chance to nicely
power down and overwrite the memory. He/she will simply turn the computer
directly off and read the memory. This feature on OpenBSD would be
nice from the paranoid point of view. But it will be a waste of code in my
opinion. Even if it's simple (which I guess it isn't).

My 2 cents,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Marco Peereboom
On Fri, Feb 22, 2008 at 02:22:45AM +0100, [EMAIL PROTECTED] wrote:
 Well Marco just fuck you and piss off...ok?

I would love to but you make me reply every single time you post this
type of uninteresting shit.

 If you don't care stfu and do something else and let people talk who may
 care about physical things. And physical in the meaning of something
 related to physics... (just in case you don't know, it's the thing you may
 have missed in school...)
 
 Or why don't you just fix pcre or some other issues which are still present
 in OpenBSD instead of annoying me with pretty unproductive comments?

I would leave anything broken just to piss you off.  Really.

 
 And it's no shame to know nothing about physics! That's why universities
 exist.. even in your city.. I'm sure.

Right, you totally know my credentials so you totally can assert my
scholastic achievements.

 
 So seriously: if you've any productive or critical comment feel free
 to post it, just stop bitching 'cause it does not help/solve anything
 except wasting YOUR bandwidth.. right? Right... :)

I have all kinds of productive comments, you just don't listen.  This is
not interesting.  It is a neat trick and it ends right there.

 
 Kind regards,
 Sebastian
 
 p.s.
 And you'll be the last who can claim that there are trolls on the oBSD
 mailing list... you're a pretty nice example so I recommend that every zoo
 should have one or two of your kind

You are a living trolling legend on misc and undeadly.  Quite frankly
most people are sick and tired of your antics.  You were quiet for a
while and we liked that.  Maybe you should try that again.

 
 So have we exchanged enough greetings now? Then we might go back to
 the roots... thanks.

The roots of trolling?



Re: Remote syslog

2008-02-21 Thread Steve B
Terrific! Thanks to all who responded.



Re: There's something about OpenBSD...

2008-02-21 Thread Douglas A. Tutty
On Thu, Feb 21, 2008 at 07:26:29PM -0500, Jason Dixon wrote:
 On Thu, Feb 21, 2008 at 06:15:32PM -0500, Nick Bender wrote:
  On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
  
  Never used -r so I'm not sure what the output looks like but how about:
  
find . -type f -exec grep something {} /dev/null \;
 
 Holy crap people, it was just an example.  Believe it or not, I know
 alternatives to recursive grep on Solaris.

I've heard of something having everything but the kitchen sink, but a
Heavenly version of backup software?

:)

Doug.



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Marti Martinez
On Thu, Feb 21, 2008 at 6:41 PM,  [EMAIL PROTECTED] wrote:
  The paper you mentioned has some info on possible countermeasures. The
   best (IMO) is physically securing your RAM. This seems to fit in best
   with OpenBSD's philosophy, which has never been to put much time into
   thwarting attacks that require physical access to the box -- if you
   have that, there are MANY avenues of attack, most of which don't
   benefit much from immersing components in liquid N_2.
  
   Marti

  Then we could drop the whole encryption framework, or?
  Why encrypt PWs? Nobody could crack the PWs if they don't have physical
  access.. why encrypt the HDDs or use IPSec? It's all about physical
  security so why does OpenBSD care?

Sebastian,

First off, I was not trying to be combative. I was trying to be
realistic, however, which you clearly are not; IPSec and the
encryption framework are all about physical protection? I think not.

I am not against the other countermeasures described by these
researchers; however, the performance hit of three extra load
instructions on every memory location free()'d (as you suggested)
would not be trivial, and would mostly be a waste of time; most memory
on the 1000's of desktops you have in an enterprise is not storing
hyper-sensitive data. I think that applications which are storing
crypto keys should take responsibility to overwrite them as soon as
practical, though even this wouldn't completely solve this problem.
As you noted, a modification to free() wouldn't either. However, my
point here is that applications can do this FAR more effectively than
the OS can, with no drawbacks whatsoever (other than the possibility
that something will be overlooked; however, a fault in the kernel
would be far more dangerous, and if you can't trust your security
developers to take basic precautions, why would you be using their
software anyhow?)

Security is part of a balancing act, with usability, performance and
cost as counterweights. If your organization has 1000's of desktops
with sensitive data floating around, you might want to look at taking
a more holistic approach to security, and yes, users who let people
take ram out of a system seconds after shutting it down should indeed
be shot and/or tortured.

Cheers,
Marti



  I don't think it's that easy and I don't really agree with your point of
  view. From my point of view OpenBSD does a lot to assist in keeping things
  secure even if the physical security was broken (a thief, a bad admin or
  whatever..).

  Of course there are many kinds of attack but if somebody shuts down your box
  and reads the info from your memory there's something we can do about it:
  Overwriting

  Tell me how to ensure physical security in bigger networks?! Should I
  simply shoot each user or just torture 'em? :-)

  I don't talk about a 50+ company where you know everybody but more about
  1k+ up to 130k users and more.

  For privacy it would be great to overwrite everything!
  But this slows down the whole stuff too...

  Well my opinion is still: If you modify the libs so that a call of free()
  involves an overwriting of the memory, all applications would transparently
  use it. This would mean there's no need for a kernel patch which overwrites
  free memory. But what if an application does not use free() before it got
  terminated? In this case the information would still lie around in the
  memory..

  If I'm wrong please correct me.. it's just that a slowdown is needed to
  solve this (even partly).

  Kind regards,
  Sebastian





-- 
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
[EMAIL PROTECTED]
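Marti's point above, that the application holding a key should overwrite it as soon as practical rather than relying on free(), and Sebastian's worry about a program that exits without freeing, as an added C example that is not part of this thread or of OpenBSD: a wipe the compiler cannot elide (a portable stand-in for the explicit_bzero(3) OpenBSD's libc later gained), a hypothetical session_key holder that wipes before free(), and an atexit hook for keys still live at orderly exit. The key bytes and plaintext are constructed sample data; the type and function names are this example's own.

```c
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32
#define MAX_LIVE_KEYS 8

/* Portable stand-in for explicit_bzero(3): the volatile pointer keeps the
 * compiler from dropping the wipe as a dead store before free() or scope exit. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 when every byte of buf is zero; used to verify a wipe. */
int is_zeroed(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Hypothetical key holder for this example, not an OpenBSD or OpenSSH type. */
struct session_key {
    unsigned char *bytes;
    size_t len;
};

/* Keys still live at orderly exit never pass through free(), so an atexit hook
 * wipes them. It cannot run when power is pulled (the case this thread is about). */
static struct session_key *live_keys[MAX_LIVE_KEYS];
static int live_count;

static void wipe_live_keys_at_exit(void)
{
    for (int i = 0; i < live_count; i++)
        secure_wipe(live_keys[i]->bytes, live_keys[i]->len);
}

/* Fill the key with a constructed, fixed pattern (sample data, not a real
 * key) and register it with the exit hook. Returns 0 on success. */
int session_key_load(struct session_key *k)
{
    static int hook_installed;
    if (live_count == MAX_LIVE_KEYS || (k->bytes = malloc(KEY_LEN)) == NULL)
        return -1;
    k->len = KEY_LEN;
    for (size_t i = 0; i < KEY_LEN; i++)
        k->bytes[i] = (unsigned char)(0xA5 ^ i);
    if (!hook_installed)
        hook_installed = (atexit(wipe_live_keys_at_exit) == 0);
    live_keys[live_count++] = k;
    return 0;
}

/* Stand-in for the real cipher: XOR the message with the key. */
void session_key_apply(const struct session_key *k, unsigned char *msg, size_t n)
{
    for (size_t i = 0; i < n; i++)
        msg[i] ^= k->bytes[i % k->len];
}

/* Wipe, free, forget: free() alone would leave the key bytes in RAM. */
void session_key_release(struct session_key *k)
{
    secure_wipe(k->bytes, k->len);
    free(k->bytes);
    k->bytes = NULL;
    k->len = 0;
    for (int i = 0; i < live_count; i++)
        if (live_keys[i] == k) {
            live_keys[i] = live_keys[--live_count];
            break;
        }
}

/* Load, use, wipe as soon as the key is no longer needed, verify the wipe,
 * release. Returns 1 on success, 0 on any failure. */
int key_lifecycle_check(void)
{
    struct session_key k = { NULL, 0 };
    unsigned char msg[16], copy[16];
    if (session_key_load(&k) != 0)
        return 0;
    for (size_t i = 0; i < sizeof msg; i++)
        msg[i] = (unsigned char)(i * 7);     /* constructed sample plaintext */
    memcpy(copy, msg, sizeof msg);
    session_key_apply(&k, msg, sizeof msg);  /* "encrypt" */
    session_key_apply(&k, msg, sizeof msg);  /* "decrypt" */
    int ok = memcmp(msg, copy, sizeof msg) == 0;
    secure_wipe(k.bytes, k.len);             /* the key's job is done: wipe now */
    ok = ok && is_zeroed(k.bytes, k.len);
    session_key_release(&k);                 /* frees the already-wiped buffer */
    return ok && k.bytes == NULL && live_count == 0;
}

int main(void) { return key_lifecycle_check() ? 0 : 1; }
```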



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Lars Hansson
On Fri, Feb 22, 2008 at 9:22 AM,  [EMAIL PROTECTED] wrote:
  So seriously: if you've any productive or critical comment feel free
  to post it just stop bitching 'course it does not help/solve anything
  except of wasting YOUR bandwith.. right? Right... :)

I guess he's just too busy actually writing code. You know,
contributing to the project in a constructive and meaningful way.

---
Lars Hansson



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Douglas A. Tutty
On Fri, Feb 22, 2008 at 02:41:40AM +0100, [EMAIL PROTECTED] wrote:
 
 Of course there are many kinds of attack but if somebody shuts down your box
 and reads the info from your memory there's something we can do about it:
 Overwriting
 
 Well my opinion is still: If you modify the libs so that a call of free()
 involves an overwriting of the memory, all applications would transparently
 use it. This would mean there's no need for a kernel patch which overwrites
 free memory. But what if an application does not use free() before it got
 terminated? In this case the information would still lie around in the
 memory..
 
 If I'm wrong please correct me.. it's just that a slowdown is needed to
 solve this (even partly).

Perhaps the ideal solution would be a hardware solution for people
paranoid enough to need it.  A simm that goes between the MB and the
memory that, when MB power is lost, has its own backup battery and will
immediately overwrite the memory on main power failure.

If the threat is that someone will come along and pull the power on a
box and grab the memory, then having the OS overwrite memory whenever it
is freed doesn't address the memory in use at the time the power is
pulled.  

I suppose you could have a daemon going along wiping unused memory when
the system is idle without slowing down the system much, (make it very
nice?), but it doesn't deal with in-use memory just before power down.

I don't suppose the hardware memory controller either on the CPU or the
chipset is at all programmable?  It sounds like the ideal place to put
this.

Doug.



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Lars Hansson
On Fri, Feb 22, 2008 at 9:33 AM,  [EMAIL PROTECTED] wrote:
  Not at all! RAM keeps the information partly for MINUTES! It's not a real
  race condition or so... it's about physics and electricity.

Wow! For minutes! While the research is interesting, the chances of
actually being a victim of this are pretty damn slim in practice.

  Think about bigger networks! Do you know ANY device which has NO RAM?
  Even a simple client PC which boots via network has RAM. And in
  universities or so with about 129k users you just can't ensure that NOBODY
  turns off the PC, gets the RAM, reads your SSH key and turns the PC on again
  (just in case you might have used it before this brave student..)...

  You could do this in like 10 minutes (max!).

10 minutes is a lot longer than seconds or even minutes.

---
Lars Hansson



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Brett Lymn
On Thu, Feb 21, 2008 at 08:04:07PM -0600, Marco Peereboom wrote:
 I really have a hard time buying this. 

Yes, I can understand that - I was the same until I saw the remnants
of the display come up on the screen.

 I can see how you ended up with
 some crap in that memory upon reboot but I fail to see how that memory
 could retain its contents.  Not knowing the situation you might have
 had some huge caps on that machine; or even battery backed up ram.


Nup - no real power storage devices in the machine at all, seriously.
Technically DRAM is really a capacitor connected to a transistor - the
charge in the capacitor in the dram cell determines the 1 or 0.  How
long the cell can retain that charge depends a lot on the particular
cell - some hold the charge better than others.

-- 
Brett Lymn



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread Nick Holland
Marco Peereboom wrote:
 I really have a hard time buying this.  I can see how you ended up with
 some crap in that memory upon reboot but I fail to see how that memory
 could retain its contents.  Not knowing the situation you might have
 had some huge caps on that machine; or even battery backed up ram.  This
 combined with low power mode content can be stored for days (we do that
 on RAID cards).  But that is also ram that does not require a clock to
 retain its contents.

Buy it, really.

Twenty+ years ago, I'd noticed this, having completely powered down my
computer, decided I had something more to do, flipped the power switch
right back on, and I was sitting at a command prompt.  I marveled, I did
it again, it worked again.  I called my roommate over, he and I marveled
over this...every few times we tried it, it would end up rebooting (or
Hung).  We knew that the rated refresh time was 2ms for the RAM, and
yet, here we were with the machine CLEARLY OFF (the DC fan on this thing
was deafening, no question when it had power and when it didn't) for over
a second, and coming back up right where we had powered it down.  Keep
in mind, it was most likely the reset circuit that was causing the reboot,
not fading of data in the DRAM chips.  And yes, the flash of old
screens on video cards was also a give-away that this was happening.
And yes, these were all DRAM machines, I was VERY familiar with the
circuits and designs of this machine, being this machine was documented
like none are today (I'm glancing up at the boot ROM source code for the
machine -- it came in printed form with the system!), and I had rebuilt
the RAM system on these machines a few dozen times (I worked out an
upgrade for the things to go from 64k chips to 256k chips, allowing
the maximum of 768k on-board, it was a popular upgrade at our store).


Is the effect real?  ZERO question in my mind.  I'm amazed that it goes
as long as people are saying, but in thinking about it, I'm not so
surprised.  Keep in mind, the difference in basic design between an
EPROM and a dynamic RAM chip is just one of retention time and how
the state is changed.  EPROMs are rated for ten year retention and
routinely hold for twice that, so I'm not too surprised that the gate
of a CMOS transistor can hold a charge for a few seconds...and if that,
why not tens of seconds.  Heck, almost 30 years ago, people were
popping the cap off 4k and 16k DRAM chips, using an 8mm movie camera
lens to focus an image on the chip, charging all the cells, wait a
while and then read all the data...the light would cause the cells to
discharge faster, and you could get a crude, 1 bit, digital picture.
It took a while even then for the charge to drain off the gates
enough to see the image.

The effect is hidden by RC circuits that fire off hardware resets and
energy saving monitors that don't have a picture on the screen until
the machine has started booting (and now, LCDs which have to sync
to the image) and ROMs that clear screens and start the boot process
before we notice that the data isn't gone yet.  It's also a matter
of numbers -- If you say a DRAM has one second refresh times, but
every few months one bit may fade too fast someplace, that would
be completely unacceptable for a good system. HOWEVER, if 99%
of your data is still intact after ten seconds...you can probably
get SOME interesting data off the thing.  So, you design for the
worst possible environment, and refresh your data every 2ms or more
often...but that most certainly doesn't mean ALL the data is gone
after 20ms..or 20 seconds.

Based on what I've seen, the only part I'm having trouble with is
someone probably just got their doctorate on something that I
considered a pointless curiosity twenty years ago.  It's still a
mostly pointless curiosity, and I'm still lame at working the
system.

But yes, if someone has access to your system enough to flood
your system with liquid hydrocarbons and liquid nitrogen...you
got bigger security problems than your memory not forgetting.

Nick.



Re: There's something about OpenBSD...

2008-02-21 Thread Todd Alan Smith
On Thu, Feb 21, 2008 at 6:26 PM, Jason Dixon [EMAIL PROTECTED] wrote:

 On Thu, Feb 21, 2008 at 06:15:32PM -0500, Nick Bender wrote:
   On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
  
 Displaying the name of the file and the matched line nicely like grep -r
 does is not elegant with find + grep without using a script or a long
 and inelegant alias - or if it is, I'd be interested in how it can be
 done in case I need to work on some ancient unix.
  
   Never used -r so I'm not sure what the output looks like but how about:
  
 find . -type f -exec grep something {} /dev/null \;

  Holy crap people, it was just an example.  Believe it or not, I know
  alternatives to recursive grep on Solaris.

Don't know why, but through all these posts the last few days, this
one really made me laugh out loud.


