From sage-members-owner@usenix.org Tue Jan 2 13:39:51 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l02LdcP6009558 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 2 Jan 2007 13:39:44 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l02LdcEX009557 for sage-members-0utGoign; Tue, 2 Jan 2007 13:39:38 -0800 (PST) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.181]) by usenix.org (8.13.6/8.13.6) with ESMTP id l02LcvSU009538 for ; Tue, 2 Jan 2007 13:39:09 -0800 (PST) Received: by py-out-1112.google.com with SMTP id z74so3728270pyg for ; Tue, 02 Jan 2007 13:38:57 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Pm+YuTjiv/nRjZW0mXibk63FiJOz6lcOYPrkE1+u2M5pwa2vGXaQLCwel9J1wumiFeG5s+Qh7Q6EffmKXTwao04L7wKlckIX/8LOFSJZ6hsuxLpoU4PE+azYoVbude1BzttISmBUr61N3ED4kh0VxHhG5FxHi20b8FGrh7ZNSFg= Received: by 10.35.121.9 with SMTP id y9mr38123729pym.1167770074824; Tue, 02 Jan 2007 12:34:34 -0800 (PST) Received: by 10.35.130.13 with HTTP; Tue, 2 Jan 2007 12:34:34 -0800 (PST) Message-ID: Date: Tue, 2 Jan 2007 12:34:34 -0800 From: "Cyrus Vesuna" To: "Rodrick Brown" Subject: Re: [SAGE] OS as an Appliance Cc: "LOPSA Discuss List" , "SAGE mailing list" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=5% X-Virus-Scanned: ClamAV 0.88.7/2406/Tue Jan 2 03:58:55 2007 on voyager.usenix.org X-Virus-Status: Clean Sender: owner-sage-members@usenix.org Precedence: bulk On 12/9/06, Rodrick Brown wrote: > I basically want to build tiny, appliance like OS images where my > servers will boot this image via PXE/BOOTP/DHCP/TFTP over a network > then nfs mount our application binaries needed for that particular > host. We sort of do this today with a few core tools and applications > which are required on all hosts. Users home directories are also nfs > mounted via automount. > Is this the only acceptable methodology? I see you are a Netapp user and they (allegedly :-) ) have this http://www.netapp.com/go/techontap/tot-march2006/0306tot_kilo.html and http://www.netapp.com/go/techontap/matl/kilo.pdf (Baylisa presentation), where they have booted about 1K diskless systems. I am not sure of what horsepower is needed on the backend to support such. However, you can imagine that you can switch over to updated versions of OS's by simply rebooting your nodes and pointing them to an updated image. > > 1) How to handle network traffic in cases of power outages 1000+ > servers going offline. I could possible see a scenario where n number > of hosts all try to pull down a new image at the same time which could > be any where from 50 ~ 200MB of data over the network. I would have to > possibly implement some kind of QoS for really important servers or > make sure I have enough Repo's close enough to minimize network > saturation. Perhaps leave the systems off at power up and have a scheduled power on (WOL) based on groups of machines in decreasing order of importance.... > 3) Local changes to the OS, No matter how much we try to stream line > our OS's we usually get a few admins/developers who must have > particular changes in the OS that does not confirm to our base build. > ie changes to something in /etc/* or /etc/{sysctl.conf,system} if > each server will pull down a new image at boot/reboot I need to figure > out how to merge back any local specific changes that were on the host > previously. This can (allegedly) be solved by the solution above.., just maintain a couple of additional images. > > 4) Boot time is another concern it currently takes most servers at > least our 1 to 8 way boxes that makes up about 85% of the servers on > the network 1~4 min to boot up from a complete power down. > Theoretically would it be possible to pull down a new image, merge any > local changes the servers had before and mount all needed file systems > in under 5min? Again, this can (allegedly) be solved by the solution above..as you would have only booting time(s) to contend with Disclaimer: I do not work for Netapp, nor am I an expert with it.. -Cyrus From sage-members-owner@usenix.org Wed Jan 3 07:25:58 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l03FPoSN014352 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 3 Jan 2007 07:25:55 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l03FPora014350 for sage-members-0utGoign; Wed, 3 Jan 2007 07:25:50 -0800 (PST) Received: from rwcrmhc14.comcast.net (rwcrmhc14.comcast.net [204.127.192.84]) by usenix.org (8.13.6/8.13.6) with ESMTP id l03FPObb014333 for ; Wed, 3 Jan 2007 07:25:34 -0800 (PST) Received: from paulntooz.homelinux.org ([24.34.212.25]) by comcast.net (rwcrmhc14) with ESMTP id <20070103152511m1400fd7r3e>; Wed, 3 Jan 2007 15:25:11 +0000 Received: from taz.comcast.net (localhost [127.0.0.1]) by paulntooz.homelinux.org (Postfix) with ESMTP id 738971AB6A; Wed, 3 Jan 2007 10:24:54 -0500 (EST) To: "Cyrus Vesuna" Cc: sage-members@sage.org Subject: [SAGE] Summary: Need help with performace diagnosis References: <87r6vk69fx.fsf@comcast.net> <200612011000.kB1A0kbJ019019@voyager.usenix.org> From: Paul Lussier Date: Wed, 03 Jan 2007 10:24:54 -0500 In-Reply-To: (Cyrus Vesuna's message of "Tue, 2 Jan 2007 18:30:12 -0800") Message-ID: <87fyasm8u1.fsf_-_@comcast.net> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-sage-members@usenix.org Precedence: bulk "Cyrus Vesuna" writes: > Hi Paul, > Did you get any closer to a solution for this issue? Hi Cyrus, Yes, we discovered a lot of things in a very short time: a) We really need to upgrade the kernel. The kernel we're using is very old (2.4.22) and doesn't manage memory very well. We added 2GB of memory to the existing 2GB and that made performance even worse. Ideally we should move up to a 2.6 kernel, but we don't have the down-time or the spare equipment to do this. b) Our NFS client mount options are horrible. All of our systems mount this single 1TB partition with the default NFS options for Linux. Considering a) we have 300+ clients, and b) they're doing lots and lots of writes, this is very bad. We really ought to be mounting with at least the following options: nfsvers=3,rw,noatime,rsize=8192,wsize=8192 (r,w)size probably ought to be up around 32k instead, since NFSv3 supports that. c) We really should have more than a single file system. This is something I argued for when the system was designed, but I lost. I've been regretting it ever since. d) We're using our space extremely inefficiently. This is a consequence of c. above. We have thousands of automated tests which run nightly, all of which write into NFS as scratch space (on a RAID5 array no less). The tests really ought to be re-factored to write scratch data locally, then move it to NFS later if it's deemed valuable. Unfortunately here, I'm fighting against a group of developers who claim that this perceived convenience is too important to change. (Ironically, they all complain when they can't get work done exactly *because* of this supposed convenience, but then blame "the system" as being "the problem" :) To alleviate some of the problems, we've done the following: 1. Dropped the main NFS server back to 2GB of RAM. 2. Moved the scratch space onto a RAID0 set on a different NFS server and set the clients to use the above mentioned mount points for this file system. We plan to change the options for the main NFS server as well, but we wanted to see how the performace of the tests was affected first by moving to a new server with more "correct" mount options. (I've been told things look really good). 3. Planned/budgeted for a new NFS server. We've decided to go with something more managable/scalable than what we currently have and are getting an OnStor NFS appliance. I apologize for the delay in providing a followup, and thanks to all who assisted me. I learned a tremendous amount from this experience! -- Seeya, Paul -- Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE From sage-members-owner@usenix.org Thu Jan 4 00:07:46 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0487jmN024070 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 00:07:45 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0487i8r024062 for sage-members-0utGoign; Thu, 4 Jan 2007 00:07:45 -0800 (PST) Received: from slick.sigje.org (rdns.222.240.218.216.fre.communitycolo.net [216.218.240.222]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0487PPc023350 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 00:07:36 -0800 (PST) Received: from sigje (helo=localhost) by slick.sigje.org with local-esmtp (Exim 4.63) (envelope-from ) id 1H2NdF-0004cQ-2j for sage-members@usenix.org; Thu, 04 Jan 2007 00:07:25 -0800 Date: Thu, 4 Jan 2007 00:07:25 -0800 (PST) From: Jennifer Davis To: sage-members@usenix.org Subject: [SAGE] BayLISA monitoring SIG - January 10, 2007 - 7pm Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-dmv.com-Metrics: voyager 1181; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk BayLISA recently started a monitoring SIG that has show a good amount of interest, and I wanted to let you all know about an upcoming meeting. If you are in the San Francisco area (we are not currently recording these meetings): January '07 BayLISA Monitoring SIG: Ganglia to Nagios: Bridging the Gap Ganglia Project Lead Matt Massie will be on hand to share how he's seeing Ganglia being used and what new functionality he envisions.Peter Loh and Mayank Patel from GroundWork will show how to unify the best features of Nagios and Ganglia into a highly scalable IT monitoring solution.We'll finish with freeform Q&A where you can take advantage of the assembled wisdom to tackle your thorniest (or most basic) monitoring issues. What: BayLISA Monitoring SIG IV:Ganglia to Nagios: Bridging the Gap Who: Anyone interested in IT monitoring issues and tools: newbies particularly welcome! When: Wednesday, January 10 2007, 7PM Where: GroundWork Open Source, 139 Townsend St., San Francisco How: 139 Townsend St. is very near AT&T Park. It is two blocks from the CalTrain Depot. Take the MUNI N trolley "inbound" to 2nd and King (ballpark stop) or take the 15 or 30 buses (among others) crosstown. Free evening street parking can usually be found. New Year's pizza, pop, and snacks will be provided by GroundWork. We'll open up the doors at 6:30 or so and start the formal part of the meeting promptly at 7PM. Please RSVP to rsvp@baylisa.org If you have suggestions for topics for future monitoring SIGS please email us at directors@baylisa.org. From sage-members-owner@usenix.org Thu Jan 4 07:23:17 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l04FNGk8002874 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 07:23:17 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l04FNGx9002873 for sage-members-0utGoign; Thu, 4 Jan 2007 07:23:16 -0800 (PST) Received: from de-fe01.dejazzd.com (outlb3.dejazzd.com [66.109.229.70]) by usenix.org (8.13.6/8.13.6) with ESMTP id l04FMx5d002851 for ; Thu, 4 Jan 2007 07:23:14 -0800 (PST) Received: from de-fe02 ([10.199.5.6]) by de-fe02.dejazzd.com with ESMTP id <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> for ; Thu, 4 Jan 2007 10:12:10 -0500 X-Mailer: Openwave WebEngine, version 2.8.15 (webedge20-101-1103-20040528) From: Bennett To: Subject: [SAGE] Mailbox retention settings Date: Thu, 4 Jan 2007 10:12:10 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-Id: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=many Fuz2=many rep=38% Sender: owner-sage-members@usenix.org Precedence: bulk Good morning, Just curious about how everyone has handled the topic of email retention? My Director and I feel that our new legal department is trying to be a bit over-restrictive and want to see how others have dealt with this. I'll post a summary after the thread seems to die off. * How long is your retention period? * If your retention policy is new, how did your users react/handle the new restrictions? * What impact, if any, did you see on your file storage after activating the retention policy? * What impact, if any, did you see in the number of requests for messages to be restored from backup? * What tools did you use to assist in the process? Thanks, - Bennett From sage-members-owner@usenix.org Thu Jan 4 08:01:40 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l04G1dF1004899 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 08:01:40 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l04G1dZm004898 for sage-members-0utGoign; Thu, 4 Jan 2007 08:01:39 -0800 (PST) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.188]) by usenix.org (8.13.6/8.13.6) with ESMTP id l04G1C6q004884 for ; Thu, 4 Jan 2007 08:01:23 -0800 (PST) Received: by nf-out-0910.google.com with SMTP id g2so7219916nfe for ; Thu, 04 Jan 2007 08:01:12 -0800 (PST) Received: by 10.49.36.6 with SMTP id o6mr17988746nfj.1167926102836; Thu, 04 Jan 2007 07:55:02 -0800 (PST) Received: by 10.49.23.20 with HTTP; Thu, 4 Jan 2007 07:55:02 -0800 (PST) Message-ID: <8e370ab00701040755x5e7ef97cr20b65f669221ec8e@mail.gmail.com> Date: Thu, 4 Jan 2007 15:55:02 +0000 From: "Mike Knell" To: Bennett Subject: Re: [SAGE] Mailbox retention settings Cc: sage-members@usenix.org In-Reply-To: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk On 1/4/07, Bennett wrote: > Good morning, > > Just curious about how everyone has handled the topic of email retention? My Director and I feel that our new legal department is trying to be a bit over-restrictive and want to see how others have dealt with this. Which country are you in? This varies... >From the point of view of the UK I've been told in the past that we have to simultaneously keep all our mail forever and delete it after three months. I've never figured out how to reconcile this, and I get the impression that both of those opinions were basically made up or based on a half-assed understanding of the legal aspects involved. m. From sage-members-owner@usenix.org Thu Jan 4 14:08:46 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l04M8gVh018851 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 14:08:42 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l04M8gIN018850 for sage-members-0utGoign; Thu, 4 Jan 2007 14:08:42 -0800 (PST) Received: from smtp102.his.com (smtp102.his.com [216.194.225.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id l04M8B94018837 for ; Thu, 4 Jan 2007 14:08:22 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by smtp102.his.com (Postfix) with ESMTP id 1C3394000E1; Thu, 4 Jan 2007 17:08:01 -0500 (EST) Received: from smtp102.his.com ([216.194.225.125]) by localhost (smtp102.his.com [216.194.225.125]) (amavisd-new, port 10024) with ESMTP id 07022-09; Thu, 4 Jan 2007 17:07:58 -0500 (EST) Received: from vhost109.his.com (vhost109.his.com [216.194.225.101]) by smtp102.his.com (Postfix) with ESMTP id A3DF14001D3; Thu, 4 Jan 2007 17:07:58 -0500 (EST) Received: from [172.16.6.235] (localhost.his.com [127.0.0.1]) by vhost109.his.com (8.13.1/8.12.3) with ESMTP id l04M7nvQ093809; Thu, 4 Jan 2007 17:07:58 -0500 (EST) (envelope-from brad@shub-internet.org) Mime-Version: 1.0 Message-Id: In-Reply-To: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> References: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> Date: Thu, 4 Jan 2007 15:27:42 -0600 To: Bennett , From: Brad Knowles Subject: Re: [SAGE] Mailbox retention settings Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: Debian amavisd-new at smtp502.his.com X-Spam-Status: No, score=-4.308 tagged_above=-99 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.091, BAYES_00=-2.599] X-Spam-Score: -4.308 X-Spam-Level: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=4% Sender: owner-sage-members@usenix.org Precedence: bulk At 10:12 AM -0500 1/4/07, Bennett wrote: > Just curious about how everyone has handled the topic of email retention? > My Director and I feel that our new legal department is trying to be a > bit over-restrictive and want to see how others have dealt with this. I believe that some useful general advice on this topic can also be found in booklet #15 in the SAGE Short Topics series, which is available for free download to all SAGE members. See for more information. Caveat: my name appears as one of the co-authors of this booklet, so I may be a bit biased. ;) > * How long is your retention period? > > * If your retention policy is new, how did your users react/handle the > new restrictions? > > * What impact, if any, did you see on your file storage after activating > the retention policy? > > * What impact, if any, did you see in the number of requests for messages > to be restored from backup? > > * What tools did you use to assist in the process? There's a lot of background here that we don't have. For example, are you impacted by SarbOx regulations? Are you a financial services industry which is required to keep a copy of all communications (including e-mail and IMs) to and from customers for seven years? Are there other regulations that might be applicable (e.g., the UK RIP laws)? Also, what kind of customer model are you assuming? Do you want information from ISPs? I can give you data for what we did at AOL, and what we did at Belgacom Skynet, but I don't know if that's useful to you. What is your storage model? Do your clients do mostly off-line storage (e.g., a POP3 model), or do they do mostly online storage (e.g., an IMAP model)? There's lots of other questions which follow on from there. -- Brad Knowles, Trend Micro has announced that they will cancel the stop.mail-abuse.org mail forwarding service as of 15 November 2006. If you have an old e-mail account for me at this domain, please make sure you correct that with the current address. From sage-members-owner@usenix.org Thu Jan 4 16:08:38 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0508TR1023202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 16:08:34 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0508TbC023201 for sage-members-0utGoign; Thu, 4 Jan 2007 16:08:29 -0800 (PST) Received: from ettin.watson-wilson.ca (watson-wilson.ca [216.138.221.7]) by usenix.org (8.13.6/8.13.6) with ESMTP id l050814N023176 for ; Thu, 4 Jan 2007 16:08:12 -0800 (PST) Received: by ettin.watson-wilson.ca (Postfix, from userid 1000) id 0A7953AE28; Thu, 4 Jan 2007 19:07:49 -0500 (EST) Date: Thu, 4 Jan 2007 19:07:49 -0500 From: Neil Watson To: sage-members@usenix.org Subject: Re: [SAGE] Mailbox retention settings Message-ID: <20070105000748.GB31285@watson-wilson.ca> References: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: X-Message-Flag: Outlook is a dangerous and insecure program (Magic 8 ball: Outlook not good) X-Accepted-File-Formats: No proprietary Microsoft Office files please User-Agent: Mutt/1.5.13 (2006-08-11) X-watson-wilson.ca-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details X-watson-wilson.ca-MailScanner-From: sage@watson-wilson.ca X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Thu, Jan 04, 2007 at 03:27:42PM -0600, Brad Knowles wrote: >There's a lot of background here that we don't have. For example, >are you impacted by SarbOx regulations? Are you a financial services >industry which is required to keep a copy of all communications >(including e-mail and IMs) to and from customers for seven years? >Are there other regulations that might be applicable (e.g., the UK >RIP laws)? This law grates on me. It seems to me that corporations pay little more than lip service to the SOX data retention rules. I see them squirrel away tapes and other electronic media. However, I've not witnessed any of them plan how they will access this data 7 years later when the hardware or software required to read the data is no longer available or the media has deteriorated because no one transferred the date to new media for preservation. -- Neil Watson | Debian Linux System Administrator | Uptime 13 days http://watson-wilson.ca From sage-members-owner@usenix.org Thu Jan 4 20:25:21 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l054PBbE002596 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 20:25:17 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l054PB4t002594 for sage-members-0utGoign; Thu, 4 Jan 2007 20:25:11 -0800 (PST) Received: from adsl-64-160-54-75.dsl.snfc21.pacbell.net (adsl-67-122-242-225.dsl.pltn13.pacbell.net [67.122.242.225]) by usenix.org (8.13.6/8.13.6) with ESMTP id l054OqdC002574 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 4 Jan 2007 20:25:03 -0800 (PST) Received: from [192.168.72.2] (wizfast.rski.net [192.168.72.2]) by adsl-64-160-54-75.dsl.snfc21.pacbell.net (8.12.8/8.12.8) with ESMTP id l054Okxo022295; Thu, 4 Jan 2007 20:24:48 -0800 Message-ID: <459DD30E.9060109@chycoski.com> Date: Thu, 04 Jan 2007 20:24:46 -0800 From: Richard Chycoski User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Neil Watson CC: sage-members@usenix.org Subject: Re: [SAGE] Mailbox retention settings References: <20070104151210.KKSM24510.de-fe02.dejazzd.com@de-fe02> <20070105000748.GB31285@watson-wilson.ca> In-Reply-To: <20070105000748.GB31285@watson-wilson.ca> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk Neil Watson wrote: > On Thu, Jan 04, 2007 at 03:27:42PM -0600, Brad Knowles wrote: >> There's a lot of background here that we don't have. For example, >> are you impacted by SarbOx regulations? Are you a financial services >> industry which is required to keep a copy of all communications >> (including e-mail and IMs) to and from customers for seven years? Are >> there other regulations that might be applicable (e.g., the UK RIP >> laws)? > > This law grates on me. It seems to me that corporations pay little more > than lip service to the SOX data retention rules. I see them squirrel > away tapes and other electronic media. However, I've not witnessed any > of them plan how they will access this data 7 years later when the > hardware or software required to read the data is no longer available or > the media has deteriorated because no one transferred the date to new > media for preservation. Most magnetic media stored even reasonably carefully (i.e., not in the back of your car) will last more than seven years and if the typical sets of backups are done much of the mail will be duplicated on multiple backup generations, aiding in recovery. And as to finding hardware - you can find some really ancient tape drives at places like Weird Stuff (or someone's basement) to restore the old tapes - and there are also media conversion companies that will provide this service for older tape formats. There's a "million dollar nine track tape drive" in one of our data centres that was used to restore some *very* old, but valuable, data (hence the name :-). And if the government really wants to see your data, they'll find a way (via one of their three-letter-orgs?) to restore it. (:-) - Richard From sage-members-owner@usenix.org Fri Jan 5 11:59:45 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05Jxf4g016170 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 11:59:41 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05JxfUO016169 for sage-members-0utGoign; Fri, 5 Jan 2007 11:59:41 -0800 (PST) Received: from mail.reptiles.org (skink.reptiles.org [198.96.119.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05JxCJQ016142 for ; Fri, 5 Jan 2007 11:59:23 -0800 (PST) Received: from mail.reptiles.org([198.96.119.1] port=2247) (1401 bytes) by mail.reptiles.org([198.96.119.1] port=25) via TCP with esmtp (sender: ) id for ; (dest:remote)(R=bind_hosts)(T=inet_zone_bind_smtp) Fri, 5 Jan 2007 14:58:48 -0500 (EST) (Smail-3.2.0.118 2004-May-31 #3 built 2004-Oct-14) Date: Fri, 5 Jan 2007 14:58:47 -0500 (EST) From: Cat Okita To: "Mark R. Lindsey" cc: LOPSA Discuss List , SAGE list Subject: [SAGE] Re: [lopsa-discuss] Naming conventions for servers, network gear, etc. In-Reply-To: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> Message-ID: <20070105145836.F87740@skink.reptiles.org> References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Fri, 5 Jan 2007, Mark R. Lindsey wrote: > Have there been any papers done on naming conventions for servers, network > gear, etc? > > E.g., when is it better to call it "core-router-bwg" versus "juniperm10i" > versus "router1"? > Or "server1" versus "dns1" versus "franko"? http://www.nanog.org/mtg-0405/ringel.html cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." From sage-members-owner@usenix.org Fri Jan 5 12:18:32 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KIVYK016999 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 12:18:31 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05KIVgZ016998 for sage-members-0utGoign; Fri, 5 Jan 2007 12:18:31 -0800 (PST) Received: from e-c-group.com (persephone.e-c-group.com [216.128.192.244]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KHrQ7016957 for ; Fri, 5 Jan 2007 12:18:04 -0800 (PST) Received: from [66.57.106.129] (account lindsey HELO [192.168.15.100]) by e-c-group.com (CommuniGate Pro SMTP 5.0.3) with ESMTPSA id 96601642; Fri, 05 Jan 2007 14:47:15 -0500 Mime-Version: 1.0 (Apple Message framework v752.3) Content-Transfer-Encoding: 7bit Message-Id: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed To: LOPSA Discuss List , SAGE list From: "Mark R. Lindsey" Subject: [SAGE] Naming conventions for servers, network gear, etc. Date: Fri, 5 Jan 2007 14:47:11 -0500 X-Mailer: Apple Mail (2.752.3) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk Have there been any papers done on naming conventions for servers, network gear, etc? E.g., when is it better to call it "core-router-bwg" versus "juniperm10i" versus "router1"? Or "server1" versus "dns1" versus "franko"? There are a few obvious up-sides and down-sides of different schemes. But has anybody really dug in and written them down? If not, I'd be interested in writing a paper on this with somebody for USENIX or SAGE. If you're interested in working with me on it, let me know. Mark R. Lindsey | ECG | +1-229-316-0013 | lindsey@e-c-group.com From sage-members-owner@usenix.org Fri Jan 5 12:42:15 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KgEuW018378 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 12:42:14 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05KgEWu018376 for sage-members-0utGoign; Fri, 5 Jan 2007 12:42:14 -0800 (PST) Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KgCsH018367 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 12:42:13 -0800 (PST) Received: (from jrl@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05KgCpo018365 for sage-members@usenix.org; Fri, 5 Jan 2007 12:42:12 -0800 (PST) Received: from a.mail.sonic.net (a.mail.sonic.net [64.142.16.245]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KbY25018169 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 12:37:44 -0800 (PST) Received: from [192.168.26.75] (64-84-9-2-sf-gw.ncircle.com [64.84.9.2]) (authenticated bits=0) by a.mail.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id l05KbLSL027212 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 5 Jan 2007 12:37:21 -0800 Message-ID: <459EB700.10803@kitchenlab.org> Date: Fri, 05 Jan 2007 12:37:20 -0800 From: "Bruce A. Mah" User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207) MIME-Version: 1.0 To: "Mark R. Lindsey" CC: LOPSA Discuss List , SAGE list Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> In-Reply-To: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> X-Enigmail-Version: 0.94.1.0 OpenPGP: id=5ba052c3 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigACC5475DDFF15CB95B216800" X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=6% Sender: owner-sage-members@usenix.org Precedence: bulk This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigACC5475DDFF15CB95B216800 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable If memory serves me right, Mark R. Lindsey wrote: > Have there been any papers done on naming conventions for servers, =20 > network gear, etc? >=20 > E.g., when is it better to call it "core-router-bwg" versus =20 > "juniperm10i" versus "router1"? >=20 > Or "server1" versus "dns1" versus "franko"? >=20 > There are a few obvious up-sides and down-sides of different schemes. = > But has anybody really dug in and written them down? >=20 > If not, I'd be interested in writing a paper on this with somebody =20 > for USENIX or SAGE. If you're interested in working with me on it, =20 > let me know. This is more of a case study than a systematic treatise, but I saw this presentation at NANOG a couple years ago that seems applicable: http://www.nanog.org/mtg-0405/ringel.html Bruce. --------------enigACC5475DDFF15CB95B216800 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFnrcA2MoxcVugUsMRAse+AKCBmurmLls/cRmqURjBvIw57kvSIgCg27xH /sg2Iqzt27fWeXE3cDsHduY= =dVfZ -----END PGP SIGNATURE----- --------------enigACC5475DDFF15CB95B216800-- From sage-members-owner@usenix.org Fri Jan 5 12:47:13 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KlCfq018891 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 12:47:12 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05KlBnt018887 for sage-members-0utGoign; Fri, 5 Jan 2007 12:47:11 -0800 (PST) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05KkpOd018842 for ; Fri, 5 Jan 2007 12:46:57 -0800 (PST) Received: by nf-out-0910.google.com with SMTP id g2so7594188nfe for ; Fri, 05 Jan 2007 12:46:50 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=TseOQdHbmu88TQ3FWivlgkRgbOvW8scCr5YKns44ue/dZzVISMJaUL/ZYPTIx5WJx0+PHnpEi5Mw5NAv4XRaaRMnL3dlm4iV5DbPc3m0kPnOInAplp3vbJmB4qfpj7FDW+GP1uswBERsNZLEHLvo7RhC0OtiTY/JFEcZSe0+auY= Received: by 10.82.111.8 with SMTP id j8mr2249104buc.1168029613805; Fri, 05 Jan 2007 12:40:13 -0800 (PST) Received: by 10.82.125.14 with HTTP; Fri, 5 Jan 2007 12:40:13 -0800 (PST) Message-ID: Date: Fri, 5 Jan 2007 15:40:13 -0500 From: "Nicholas Tang" To: "Cat Okita" Subject: Re: [SAGE] Re: [lopsa-discuss] Naming conventions for servers, network gear, etc. Cc: "Mark R. Lindsey" , "LOPSA Discuss List" , "SAGE list" In-Reply-To: <20070105145836.F87740@skink.reptiles.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <20070105145836.F87740@skink.reptiles.org> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=6% Sender: owner-sage-members@usenix.org Precedence: bulk Interesting... the naming scheme we came up with internally is similar, but actually goes past the host level. The way it works is: cc[last octet of ip]-[rack number].[network].[data center].[domain] The "cc" is because the company is Community Connect and because it's short. ;) It also gives us the ability to name non-CCI devices, if there ever are any on our network. This also conveniently also breaks down in to the ip address... the ip address of any machine is 10.[data center/network].[rack].[host], so we can go back and forth transparently between ip address and physical location and host name without having to look anything up. (For instance, the 10.30 network is a subnet in one data center, the other subnets in that data center are 10.31, 10.32, etc. 10.40-10.49 is another data center, 10.50-10.59 is another, etc.) So 10.80.17.3 would be cc3-17.[subnet abbreviation].[data center abbreviation].ccops.us, and ccops.us just stands for "community connect operations". I know it's physically located in rack 17 in whatever data center the 10.8x networks are located in. And then, of course, we have CNAMEs that are based on purpose - so the CNAME indicates if it's a database server, or a mail server, or a webserver, or whatever. It works well for us, and is of course admittedly more server-centric than that one, but we have many more servers than routers/switches/etc. Nicholas On 1/5/07, Cat Okita wrote: > On Fri, 5 Jan 2007, Mark R. Lindsey wrote: > > Have there been any papers done on naming conventions for servers, network > > gear, etc? > > > > E.g., when is it better to call it "core-router-bwg" versus "juniperm10i" > > versus "router1"? > > Or "server1" versus "dns1" versus "franko"? > > http://www.nanog.org/mtg-0405/ringel.html > > cheers! > ========================================================================== > "A cat spends her life conflicted between a deep, passionate and profound > desire for fish and an equally deep, passionate and profound desire to > avoid getting wet. This is the defining metaphor of my life right now." > From sage-members-owner@usenix.org Fri Jan 5 15:23:37 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05NNaAn026658 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 15:23:36 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05NNarn026657 for sage-members-0utGoign; Fri, 5 Jan 2007 15:23:36 -0800 (PST) Received: from asav09.insightbb.com (gateway.insightbb.com [74.128.0.19]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05NNSU4026646 for ; Fri, 5 Jan 2007 15:23:34 -0800 (PST) Received: from 74-130-60-177.dhcp.insightbb.com (HELO [127.0.0.1]) ([74.130.60.177]) by asav09.insightbb.com with ESMTP; 05 Jan 2007 18:17:14 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgAAALJrnkVKgjyxUGdsb2JhbAANhl2GSAEBKg Message-ID: <459EDC88.7070706@insightbb.com> Date: Fri, 05 Jan 2007 18:17:28 -0500 From: Aaron Bridge User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: sage-members@sage.org Subject: [SAGE] Internet History tool Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=15% Sender: owner-sage-members@usenix.org Precedence: bulk I will going to a company who wants me to look on all their users computers see what websites they have been accessing on the Internet. Yes, I could do this by looking in History and Temporary Internet Files. Does anyone now of any "tools" or other ideas that will make this task easier and more thorough? I should mention these are Windows XP SP2 workstations. Thanks, Aaron From sage-members-owner@usenix.org Fri Jan 5 15:58:28 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05NwRpc006509 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 15:58:27 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l05NwR5W006508 for sage-members-0utGoign; Fri, 5 Jan 2007 15:58:27 -0800 (PST) Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.238]) by usenix.org (8.13.6/8.13.6) with ESMTP id l05Nw00Z006398 for ; Fri, 5 Jan 2007 15:58:11 -0800 (PST) Received: by nz-out-0506.google.com with SMTP id z31so1832209nzd for ; Fri, 05 Jan 2007 15:58:00 -0800 (PST) Received: by 10.64.184.14 with SMTP id h14mr16852623qbf.1168041480244; Fri, 05 Jan 2007 15:58:00 -0800 (PST) Received: by 10.64.209.2 with HTTP; Fri, 5 Jan 2007 15:58:00 -0800 (PST) Message-ID: <27d46a10701051558i590d3571od6304ef3600f8faa@mail.gmail.com> Date: Fri, 5 Jan 2007 15:58:00 -0800 From: "Benjamin Feen" To: "Aaron Bridge" Subject: Re: [SAGE] Internet History tool Cc: sage-members@sage.org In-Reply-To: <459EDC88.7070706@insightbb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <459EDC88.7070706@insightbb.com> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=7% Sender: owner-sage-members@usenix.org Precedence: bulk Reviewing DNS logs is surprisingly sufficient. Let me know when you decide to quit that job. On 1/5/07, Aaron Bridge wrote: > I will going to a company who wants me to look on all their users > computers see what websites they have been accessing on the Internet. > Yes, I could do this by looking in History and Temporary Internet > Files. Does anyone now of any "tools" or other ideas that will make > this task easier and more thorough? > > I should mention these are Windows XP SP2 workstations. > > Thanks, > Aaron > From sage-members-owner@usenix.org Fri Jan 5 16:03:52 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0603PYq009007 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 16:03:25 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0603PX7009005 for sage-members-0utGoign; Fri, 5 Jan 2007 16:03:25 -0800 (PST) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.235]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0602ejM007246 for ; Fri, 5 Jan 2007 16:02:51 -0800 (PST) Received: by wx-out-0506.google.com with SMTP id i27so7671119wxd for ; Fri, 05 Jan 2007 16:02:39 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=jJgE3oBVaNVUyFYCCbhjGZxsgtSwXVqy2D2Ay93OP8c+/1ju22d6ule/mj4sSVwZhbRro9qaczSsRKakxiw/FOk7yHFFn1AHHwYVBhvqpaMdGbLK+/YjgX2uTW10QxFXvHEF5LBf523CSFRimLhK+01lun8BhkNMOnMb+IVRMVU= Received: by 10.70.132.2 with SMTP id f2mr44199457wxd.1168041759447; Fri, 05 Jan 2007 16:02:39 -0800 (PST) Received: by 10.70.131.11 with HTTP; Fri, 5 Jan 2007 16:02:39 -0800 (PST) Message-ID: Date: Fri, 5 Jan 2007 16:02:39 -0800 From: "Kurt Buff" To: "Aaron Bridge" Subject: Re: [SAGE] Internet History tool Cc: sage-members@sage.org In-Reply-To: <459EDC88.7070706@insightbb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <459EDC88.7070706@insightbb.com> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk Here are some snippets from emails on various lists to which I've subscribed - I've made no effort at attribution, nor have I checked the links, but you'll probably find some of them useful. Of course, I know that one of your recommendations to them will be to put up a caching web proxy with authentication for future use. Kurt --------------------------------------------------------------------------------------- See the web browser history log check recommendations here: http://www.perverted-justice.com/guide/?pg=parents --------------------------------------------------------------------------------------- Part 1: Focuses on Internet Explorer http://www.securityfocus.com/infocus/1827 Part 2: Focuses on Firefox http://www.securityfocus.com/infocus/1832 --------------------------------------------------------------------------------------- ==== 1. In Focus - Browser History: What Happened? ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Occasionally, you might need to trace a user's Web-browsing path. Manual forensic analysis, which involves digging through cookie files, the browser's cache, and browser history data, isn't easy. For a good rundown on forensic analysis of browser activity, you should consider reading "Web Browser Forensics, Part 1," by Keith J. Jones and Rohyt Belani of Red Cliff Consulting. The article, published on the SecurityFocus Web site, offers a brief usage overview of some very useful tools: in particular, Pasco, Internet Explorer History Viewer, Web Historian, and Forensic Toolkit. http://list.windowsitpro.com/t?ctl=87E4:4FB69 Pasco is an open-source tool that can be used to reconstruct browser use from Microsoft Internet Explorer's (IE's) index.dat files. The files contain data such as which URLs were visited and when. Pasco is a command-line tool that creates a text-based output file. http://list.windowsitpro.com/t?ctl=87E7:4FB69 Internet Explorer History Viewer, available from Phillips Ponder, has been around for a while. It too can reconstruct IE usage and has the added benefits of being able to read Netscape history data and find fragments of deleted files in the Windows Recycle Bin. IE History costs $50. http://list.windowsitpro.com/t?ctl=87E2:4FB69 The free Web Historian, provided by Red Cliff Consulting, is more powerful than the previous two tools. It can help you analyze the historic usage of Internet Explorer, Mozilla, Firefox, Netscape, Opera, and Apple Computer's Safari. http://list.windowsitpro.com/t?ctl=87D7:4FB69 Forensic Toolkit (FTK), from AccessData, is the most powerful of the bunch, and at $995, it better be. It too can reconstruct browser use history, but it's also billed as a tool that can perform "complete and thorough forensics examinations." Among other tasks, Forensic Toolkit can index entire drives, allows quick text searches, and supports more than 270 file types. http://list.windowsitpro.com/t?ctl=87DE:4FB69 --------------------------------------------------------------------------------------- On 1/5/07, Aaron Bridge wrote: > I will going to a company who wants me to look on all their users > computers see what websites they have been accessing on the Internet. > Yes, I could do this by looking in History and Temporary Internet > Files. Does anyone now of any "tools" or other ideas that will make > this task easier and more thorough? > > I should mention these are Windows XP SP2 workstations. > > Thanks, > Aaron > From sage-members-owner@usenix.org Fri Jan 5 19:13:10 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063DAii019343 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 19:13:10 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l063DAfO019342 for sage-members-0utGoign; Fri, 5 Jan 2007 19:13:10 -0800 (PST) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.184]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063Ch1Z019319 for ; Fri, 5 Jan 2007 19:12:54 -0800 (PST) Received: by nf-out-0910.google.com with SMTP id l35so7167564nfa for ; Fri, 05 Jan 2007 19:12:40 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FGaObtfJf4mU4ldzttXHVnjMqgp6xLeI/1bdvIKrgnPiUavBhk70LkzMqFWxzdFVin7kvamkkyDH9jqJxu2LWWPqDD935n9iVFFu998st8lo+EAwOc2xLEpaCHIOdWuVjBxRngL2bJi9JpT+lf3RBj2XIlJ3jb8s98HekFRaFnc= Received: by 10.78.170.17 with SMTP id s17mr4829641hue.1168053160146; Fri, 05 Jan 2007 19:12:40 -0800 (PST) Received: by 10.78.136.16 with HTTP; Fri, 5 Jan 2007 19:12:40 -0800 (PST) Message-ID: Date: Fri, 5 Jan 2007 22:12:40 -0500 From: "Rodrick Brown" To: "Aaron Bridge" Subject: Re: [SAGE] Internet History tool Cc: sage-members@sage.org In-Reply-To: <459EDC88.7070706@insightbb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <459EDC88.7070706@insightbb.com> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk On 1/5/07, Aaron Bridge wrote: > I will going to a company who wants me to look on all their users > computers see what websites they have been accessing on the Internet. > Yes, I could do this by looking in History and Temporary Internet > Files. Does anyone now of any "tools" or other ideas that will make > this task easier and more thorough? > > I should mention these are Windows XP SP2 workstations. > > Thanks, > Aaron > Just setup a transparent Proxy of some sort possibly squid then parse the squid access logs. -- Rodrick R. Brown From sage-members-owner@usenix.org Fri Jan 5 19:17:30 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063HTIY019473 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 19:17:30 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l063HTHt019472 for sage-members-0utGoign; Fri, 5 Jan 2007 19:17:29 -0800 (PST) Received: from asav01.insightbb.com (gateway.insightbb.com [74.128.0.19]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063H78g019451 for ; Fri, 5 Jan 2007 19:17:18 -0800 (PST) Received: from 74-130-60-177.dhcp.insightbb.com (HELO [127.0.0.1]) ([74.130.60.177]) by asav01.insightbb.com with ESMTP; 05 Jan 2007 22:16:58 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgAAAOKinkVKgjyxUGdsb2JhbAANhl2GSAEBKg Message-ID: <459F14B8.10008@insightbb.com> Date: Fri, 05 Jan 2007 22:17:12 -0500 From: Aaron Bridge User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Rodrick Brown CC: sage-members@sage.org Subject: Re: [SAGE] Internet History tool References: <459EDC88.7070706@insightbb.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=15% Sender: owner-sage-members@usenix.org Precedence: bulk Rodrick Brown wrote: > On 1/5/07, Aaron Bridge wrote: >> I will going to a company who wants me to look on all their users >> computers see what websites they have been accessing on the Internet. >> Yes, I could do this by looking in History and Temporary Internet >> Files. Does anyone now of any "tools" or other ideas that will make >> this task easier and more thorough? >> >> I should mention these are Windows XP SP2 workstations. >> >> Thanks, >> Aaron >> > > Just setup a transparent Proxy of some sort possibly squid then parse > the squid access logs. > This would be ok for long term, but I only have four hours. This is a very confidential assignment. Nobody in the office is to know what I am doing. From sage-members-owner@usenix.org Fri Jan 5 19:33:50 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063XnDh020280 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 19:33:49 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l063XmR3020279 for sage-members-0utGoign; Fri, 5 Jan 2007 19:33:48 -0800 (PST) Received: from bushido.realityfailure.org (dsl093-119-032.blt1.dsl.speakeasy.net [66.93.119.32]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063XLng020267 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Fri, 5 Jan 2007 19:33:32 -0800 (PST) Received: from bushido (bushido [10.0.0.10]) by bushido.realityfailure.org (8.12.8p1/8.12.8) with ESMTP id l063XCMn023044 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Fri, 5 Jan 2007 22:33:12 -0500 Date: Fri, 5 Jan 2007 22:33:12 -0500 (EST) From: John Jasen X-X-Sender: jjasen@bushido cc: sage-members@sage.org Subject: Re: [SAGE] Internet History tool In-Reply-To: <459EDC88.7070706@insightbb.com> Message-ID: References: <459EDC88.7070706@insightbb.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Scanned-By: MIMEDefang 2.35 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (bushido.realityfailure.org [10.0.0.10]); Fri, 05 Jan 2007 22:33:12 -0500 (EST) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Fri, 5 Jan 2007, Aaron Bridge wrote: > I will going to a company who wants me to look on all their users computers > see what websites they have been accessing on the Internet. Yes, I could do > this by looking in History and Temporary Internet Files. Does anyone now of > any "tools" or other ideas that will make this task easier and more thorough? As a quick and dirty approach, I mount their c$ share to my system, and strings history.dat | grep http. -- -- John E. Jasen (jjasen@realityfailure.org) -- No one will sorrow for me when I die, because those who would -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring From sage-members-owner@usenix.org Fri Jan 5 19:37:57 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063bueO020630 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 19:37:56 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l063buHO020629 for sage-members-0utGoign; Fri, 5 Jan 2007 19:37:56 -0800 (PST) Received: from relay02.pair.com (relay02.pair.com [209.68.5.16]) by usenix.org (8.13.6/8.13.6) with SMTP id l063bYLx020605 for ; Fri, 5 Jan 2007 19:37:44 -0800 (PST) Received: (qmail 61370 invoked by uid 0); 6 Jan 2007 03:37:29 -0000 Received: from unknown (HELO ?66.119.212.42?) (unknown) by unknown with SMTP; 6 Jan 2007 03:37:29 -0000 X-pair-Authenticated: 66.119.212.42 Message-ID: <459F18FC.40403@deaddrop.org> Date: Fri, 05 Jan 2007 19:35:24 -0800 From: Etaoin Shrdlu Organization: dig @localhost TXT CHAOS version.bind User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 X-Accept-Language: en-us, en MIME-Version: 1.0 To: SAGE Members Subject: Re: [SAGE] Internet History tool References: <459EDC88.7070706@insightbb.com> <459F14B8.10008@insightbb.com> In-Reply-To: <459F14B8.10008@insightbb.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=13% Sender: owner-sage-members@usenix.org Precedence: bulk Aaron Bridge wrote: > Rodrick Brown wrote: > >> On 1/5/07, Aaron Bridge wrote: >> >>> I will going to a company who wants me to look on all their users >>> computers see what websites they have been accessing on the Internet. >>> Yes, I could do this by looking in History and Temporary Internet >>> Files. Does anyone now of any "tools" or other ideas that will make >>> this task easier and more thorough? >>> >>> I should mention these are Windows XP SP2 workstations. >> [clip] > This would be ok for long term, but I only have four hours. This is a > very confidential assignment. Nobody in the office is to know what I > am doing. Four hours!?!?!? Either you vastly underestimated the difficulty of this task, or else someone else did. Do you at least have administrative access to the machines? I don't see how people are not going to know that things have been touched, and looked at. Is it supposed to take place in the middle of the night, or perhaps this weekend? You are attempting to do simple forensics on precisely *how many* machines? If it's just a couple or so, this might not be so bad, but if it's (say) twenty, or more, you've got a problem. Large. Personally, given the time constraints, I have the feeling that this may all be too little, too late, but I'd go in with Knoppix or Backtrack or similar, and reboot using those, to more easily view the "history" that IE keeps, if, and this is *very* important, they only have access to IE, and not Mozilla, or some variant thereof. When is all this supposed to take place, do you have administrator's access, and (please note, this is IMPORTANT), do you have something in writing, and does the person asking you to do this really and truly have the right to do it? Dang, this is a nasty squirmy bag of worms you could potentially be opening, especially because you say "some company" and not "the company I work at." Oy. -- I will put Chaos into fourteen lines And keep him there; and let him thence escape If he be lucky... Edna St. Vincent Millay From sage-members-owner@usenix.org Fri Jan 5 19:59:10 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063x9Ko021400 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2007 19:59:09 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l063x8gl021399 for sage-members-0utGoign; Fri, 5 Jan 2007 19:59:08 -0800 (PST) Received: from orthanc.ca (orthanc.ca [209.89.70.53]) by usenix.org (8.13.6/8.13.6) with ESMTP id l063wke4021383 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Fri, 5 Jan 2007 19:58:57 -0800 (PST) Received: from [192.168.15.100] (d216-232-193-32.bchsia.telus.net [216.232.193.32]) (authenticated bits=0) by orthanc.ca (8.13.4/8.13.4) with ESMTP id l063QZ1a071975; Fri, 5 Jan 2007 20:26:35 -0700 (MST) (envelope-from lyndon@orthanc.ca) In-Reply-To: References: <459EDC88.7070706@insightbb.com> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Cc: "Aaron Bridge" , sage-members@sage.org Content-Transfer-Encoding: 7bit From: Lyndon Nerenberg Subject: Re: [SAGE] Internet History tool Date: Fri, 5 Jan 2007 19:25:57 -0800 To: Rodrick Brown X-Mailer: Apple Mail (2.752.2) X-Spam-Status: No, score=0.9 required=5.0 tests=AWL,BAYES_00, RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on orthanc.ca X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk > Just setup a transparent Proxy of some sort possibly squid then parse > the squid access logs. Or a snort rule, if you can coerce all the traffic through a Unix- based border router. The problem with these solutions is they can't log SSL-protected traffic (other than the destination end point network address and port). And if the client can strike any form of encrypted tunnel, you won't even get that. --lyndon From sage-members-owner@usenix.org Sat Jan 6 00:07:23 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0687M1i028458 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 00:07:23 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0687M81028457 for sage-members-0utGoign; Sat, 6 Jan 2007 00:07:22 -0800 (PST) Received: from mailhost.nmt.edu (mailhost.NMT.EDU [129.138.4.52]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0686wfE028442 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Sat, 6 Jan 2007 00:07:11 -0800 (PST) Received: from localhost (mailhost [127.0.0.1]) by localhost.localdomain (Postfix) with ESMTP id 30F753A5826E for ; Sat, 6 Jan 2007 00:16:18 -0700 (MST) X-Virus-Scanned: by amavisd-new-2.4.3 (20060930) (RHEL AS) at nmt.edu Received: from mailhost.nmt.edu ([127.0.0.1]) by localhost (mailhost.nmt.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id opYSSvOb2B5b; Sat, 6 Jan 2007 00:16:17 -0700 (MST) Received: from [129.138.88.154] (effelant.nmt.edu [129.138.88.154]) by mailhost.nmt.edu (Postfix) with ESMTP id 229193A580E4; Sat, 6 Jan 2007 00:16:17 -0700 (MST) Message-ID: <459F4CBA.3060109@nmt.edu> Date: Sat, 06 Jan 2007 00:16:10 -0700 From: Ruth Milner Reply-To: rmilner@nmt.edu User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: sage-members@usenix.org Subject: Re: [SAGE] Internet History tool References: <459EDC88.7070706@insightbb.com> <459F14B8.10008@insightbb.com> <459F18FC.40403@deaddrop.org> In-Reply-To: <459F18FC.40403@deaddrop.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=many Fuz2=many rep=45% Sender: owner-sage-members@usenix.org Precedence: bulk Aaron Bridge wrote: > This would be ok for long term, but I only have four hours. > This is a very confidential assignment. Nobody in the office > is to know what I am doing. Unless the company has a well-established and well-publicized policy which states that a) employees have no right to expect privacy on company computers and b) such audits may be conducted at any time, this could indeed be a nasty squirmy bag of worms (as Etaoin so graphically put it :-) ). You might do some research on legal decisions, particularly on the distinction between ownership of data on company computers vs employee monitoring. So get a printed copy of that policy along with the recommended written authorization to do this work. If there isn't one, or they decline to give you either of these, I would personally be inclined to pass on the job if I possibly could. And even if you have all that, consider what could happen if the sysadmins there have system auditing enabled. If they find apparently-unauthorized access(es) and start digging, will the person who has authorized this work be in the chain of incident reporting where they can plausibly drop or explain it? Could one of the higher links in that chain be, or be connected to, the true target of the analysis, and become suspicious about it? (This is one of a very few reasons I can think of why their own admins aren't doing it, the others being incompetence or the use of outside auditors as SOP.) I see a lot of ways this could end up causing a real stink, and in most of them that stink could well reach you - weeks, months, or (given the U.S. legal system) even years down the road. Ruth From sage-members-owner@usenix.org Sat Jan 6 09:46:18 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06HkAbr011774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 09:46:15 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l06Hk9sr011772 for sage-members-0utGoign; Sat, 6 Jan 2007 09:46:10 -0800 (PST) Received: from vms040pub.verizon.net (vms040pub.verizon.net [206.46.252.40]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06HjjYl011738 for ; Sat, 6 Jan 2007 09:45:55 -0800 (PST) Received: from jantman.dyndns.org ([71.251.193.88]) by vms040.mailsrvcs.net (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPA id <0JBG00DFUH71OAIU@vms040.mailsrvcs.net> for sage-members@usenix.org; Sat, 06 Jan 2007 10:45:01 -0600 (CST) Received: from jantman.dyndns.org (localhost [127.0.0.1]) by jantman.dyndns.org (Postfix) with ESMTP id A87A824D20 for ; Sat, 06 Jan 2007 11:45:00 -0500 (EST) Received: from 67.82.112.176 (SquirrelMail authenticated user jantman) by jantman.dyndns.org with HTTP; Sat, 06 Jan 2007 11:45:00 -0500 (EST) Date: Sat, 06 Jan 2007 11:45:00 -0500 (EST) From: "Jason Antman" Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. In-reply-to: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> To: sage-members@usenix.org Message-id: <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> MIME-version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8bit Importance: Normal X-Priority: 3 (Normal) References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> User-Agent: SquirrelMail/1.4.8 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=2% Sender: owner-sage-members@usenix.org Precedence: bulk > Have there been any papers done on naming conventions for servers, > network gear, etc? > > E.g., when is it better to call it "core-router-bwg" versus > "juniperm10i" versus "router1"? > > Or "server1" versus "dns1" versus "franko"? > > There are a few obvious up-sides and down-sides of different schemes. > But has anybody really dug in and written them down? > > If not, I'd be interested in writing a paper on this with somebody > for USENIX or SAGE. If you're interested in working with me on it, > let me know. > I work for Rutgers University, which has pretty large IT operations department. University-wide, the hosts are named using department-specific names, which are a hodgepodge of functional names such as NBCS for New Brunswick Computing Services, and "random names" - Eden, Clam, etc. Clustered servers are named such as Eden-u1, Eden-u2, etc. For my personal networks, I really prefer names that have nothing to do with the functional nature of the machine, as I view this as making network reconnaissance too easy. My home development network has "SATURN" as the main DHCP/DNS/LDAP server, and the other machines are named after Saturn's moons, allowing approximately 56 unique names. From sage-members-owner@usenix.org Sat Jan 6 10:09:18 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06I9HMo012578 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 10:09:18 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l06I9Huk012577 for sage-members-0utGoign; Sat, 6 Jan 2007 10:09:17 -0800 (PST) Received: from mail.reptiles.org (mail.reptiles.org [198.96.119.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06I8r8O012546 for ; Sat, 6 Jan 2007 10:09:04 -0800 (PST) Received: from mail.reptiles.org([198.96.119.1] port=4713) (2178 bytes) by mail.reptiles.org([198.96.119.1] port=25) via TCP with esmtp (sender: ) id for ; (dest:remote)(R=bind_hosts)(T=inet_zone_bind_smtp) Sat, 6 Jan 2007 13:08:52 -0500 (EST) (Smail-3.2.0.118 2004-May-31 #3 built 2004-Oct-14) Date: Sat, 6 Jan 2007 13:08:52 -0500 (EST) From: Cat Okita To: Jason Antman cc: sage-members@usenix.org Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. In-Reply-To: <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> Message-ID: <20070106130454.F21945@skink.reptiles.org> References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Sat, 6 Jan 2007, Jason Antman wrote: > For my personal networks, I really prefer names that have nothing to do > with the functional nature of the machine, as I view this as making > network reconnaissance too easy. My home development network has "SATURN" > as the main DHCP/DNS/LDAP server, and the other machines are named after > Saturn's moons, allowing approximately 56 unique names. I'm always entertained by the idea that names must somehow make doing network reconaissance easier. When was the last time you saw a scanner that worked by name, rather than by IP, _especially_ in bulk. IMNSHO "it makes things harder for crackers" simply isn't a good argument for names that have nothing to do with the nature of the machine. That's like arguing that a different colour of umbrella will somehow make it less obvious that you're using an umbrella. On your home network it doesn't much matter what you choose - presumably you're either the only admin, or one of a tiny number of admins who know their machines extremely well - but that certainly doesn't hold true as the environment scales. cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." From sage-members-owner@usenix.org Sat Jan 6 10:35:26 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06IZP3r013547 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 10:35:26 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l06IZPE7013546 for sage-members-0utGoign; Sat, 6 Jan 2007 10:35:25 -0800 (PST) Received: from mailhost.nmt.edu (mailhost.NMT.EDU [129.138.4.52]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06IZ3i8013531 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Sat, 6 Jan 2007 10:35:14 -0800 (PST) Received: from localhost (mailhost [127.0.0.1]) by localhost.localdomain (Postfix) with ESMTP id 5120E3A58E07 for ; Sat, 6 Jan 2007 11:34:58 -0700 (MST) X-Virus-Scanned: by amavisd-new-2.4.3 (20060930) (RHEL AS) at nmt.edu Received: from mailhost.nmt.edu ([127.0.0.1]) by localhost (mailhost.nmt.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3USiPOXmGA8k; Sat, 6 Jan 2007 11:34:56 -0700 (MST) Received: from [129.138.88.154] (effelant.nmt.edu [129.138.88.154]) by mailhost.nmt.edu (Postfix) with ESMTP id 5D7D33A58E1B; Sat, 6 Jan 2007 11:34:56 -0700 (MST) Message-ID: <459FEBC9.8060007@nmt.edu> Date: Sat, 06 Jan 2007 11:34:49 -0700 From: Ruth Milner Reply-To: rmilner@nmt.edu User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: sage-members@usenix.org Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> <20070106130454.F21945@skink.reptiles.org> In-Reply-To: <20070106130454.F21945@skink.reptiles.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=many Fuz2=many rep=45% Sender: owner-sage-members@usenix.org Precedence: bulk Cat wrote: > I'm always entertained by the idea that names must somehow make doing > network reconaissance easier. [...] "it makes things harder for > crackers" simply isn't a good argument for names that have nothing > to do with the nature of the machine. I agree. It's really a "security through obscurity" approach - one which doesn't even cover the most commonly-used attack path. The people it actually does make things harder for, at least in an organization, are the ones who have to use and maintain the systems. Jason wrote: > My home development network has "SATURN" > as the main DHCP/DNS/LDAP server, and the other machines are named after > Saturn's moons Hmmm ... so if anyone were to look at names on this network, the system providing the most critical services is the one that all the others are orbiting around? Maybe "Saturn" should be a honeypot. :-) I always preferred the CNAME approach. You can name the server however you prefer - locational/functional/aesthetic - and create CNAMEs for the services it provides. Makes it really easy for users to remember how to find what they need, and makes no difference at all to potential attackers. Ruth From sage-members-owner@usenix.org Sat Jan 6 10:53:00 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06Iqumt014216 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 10:52:57 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l06Iqu2V014215 for sage-members-0utGoign; Sat, 6 Jan 2007 10:52:56 -0800 (PST) Received: from relay00.pair.com (relay00.pair.com [209.68.5.9]) by usenix.org (8.13.6/8.13.6) with SMTP id l06IqStL014202 for ; Sat, 6 Jan 2007 10:52:42 -0800 (PST) Received: (qmail 53717 invoked by uid 0); 6 Jan 2007 18:52:27 -0000 Received: from 66.119.212.42 (HELO ?66.119.212.42?) (66.119.212.42) by relay00.pair.com with SMTP; 6 Jan 2007 18:52:27 -0000 X-pair-Authenticated: 66.119.212.42 Message-ID: <459FEF6C.8090104@deaddrop.org> Date: Sat, 06 Jan 2007 10:50:20 -0800 From: Etaoin Shrdlu Organization: dig @localhost TXT CHAOS version.bind User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 X-Accept-Language: en-us, en MIME-Version: 1.0 To: SAGE Members Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> In-Reply-To: <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=many Fuz2=many rep=34% Sender: owner-sage-members@usenix.org Precedence: bulk Jason Antman wrote: >>Have there been any papers done on naming conventions for servers, >>network gear, etc? >> >> >I work for Rutgers University, which has pretty large IT operations >department. University-wide, the hosts are named using department-specific >names, which are a hodgepodge of functional names such as NBCS for New >Brunswick Computing Services, and "random names" - Eden, Clam, etc. >Clustered servers are named such as Eden-u1, Eden-u2, etc. > > I have found over time (and I've seen a lot of time) that *any* consistent naming scheme works. It's helpful if the names have some sort of internal sense that makes NBCS-Room449 something that is part of your responsibility, where Eden-u1 is clearly someone else's (just for example). Another thing that's important is the long view. As we know, certain operating systems and applications do *not* like being renamed (think Oracle; think Windows2k3). The less emotional attachment there is to a naming scheme for servers and network devices, the better. Let me reiterate the excellent work already quoted so many times. I don't think it gets better than that. http://www.nanog.org/mtg-0405/ringel.html >For my personal networks, I really prefer names that have nothing to do >with the functional nature of the machine, as I view this as making >network reconnaissance too easy. My home development network has "SATURN" >as the main DHCP/DNS/LDAP server, and the other machines are named after >Saturn's moons, allowing approximately 56 unique names. > > Amusing, but what on earth makes you think anyone interested in your personal network will care in the slightest about what the *name* of anything is? If it's interesting enough for someone to care, they will *know* that you have all those services running on just one machine, and it'll be over. OVER. On the other hand, unless you have the ability to support a bunch of bots, I doubt that the bad guys care. Everything's so automated now, anyway. My router is usually named rooter, because it makes me laugh. When it comes to small networks, I'd just as soon have names that are memorable for the entertainment value, as anything. Some of my favorites have been muscle cars (Cobra, Mustang), Nobel Prize winners for physics (with an honorary mention for Hawking, who *should* win), and insect predators (Mantis, Widow). -- I will put Chaos into fourteen lines And keep him there; and let him thence escape If he be lucky... Edna St. Vincent Millay From sage-members-owner@usenix.org Sat Jan 6 11:15:11 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06JFAq9015088 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 11:15:11 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l06JFAlI015087 for sage-members-0utGoign; Sat, 6 Jan 2007 11:15:10 -0800 (PST) Received: from adsl-64-160-54-75.dsl.snfc21.pacbell.net (adsl-67-122-242-225.dsl.pltn13.pacbell.net [67.122.242.225]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06JEqeP015076 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 11:15:03 -0800 (PST) Received: from [192.168.72.2] (wizfast.rski.net [192.168.72.2]) by adsl-64-160-54-75.dsl.snfc21.pacbell.net (8.12.8/8.12.8) with ESMTP id l06JEjxo025439; Sat, 6 Jan 2007 11:14:46 -0800 Message-ID: <459FF525.9000307@chycoski.com> Date: Sat, 06 Jan 2007 11:14:45 -0800 From: Richard Chycoski User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Cat Okita CC: Jason Antman , sage-members@usenix.org Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> <20070106130454.F21945@skink.reptiles.org> In-Reply-To: <20070106130454.F21945@skink.reptiles.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk There are (at least) two divergent trains of thought for naming servers and network devices: Names completely unrelated to the function/location/OS/other characteristic, and names that are related to one or more of these characteristics. Both methods have their place and uses, and can sometimes be used together. The old Unix trait of naming a group of machines after a the names of some other group of objects (elements, planets, beers, Paris Hilton's exploits :-) usually doesn't scale to really large groups of machines, but using these kinds of names as memorable names for the clients to use for a subset of the machines, or as aliases, can work even in a large environment. There is a combination of naming schemes at Cisco. Production routers/switches/other network and utility devices are named by location and type of device, followed by 1,2,3... Some servers are named in a similar fashion, but others have a combination of location and memorable name (it effectively replaces the '1,2,3...'). The latter works something like this: BUILDING-FUNC-saturn BUILDING-FUNC-phoebe ... This has an advantage for both clients and sysadmins. Change messages relating to the clients' work are more likely to be noticed when someone who works on '...phoebe' sees a message rather than '...23'. The clients are more likely to get the right machine as well. For sysadmins who may be working on several machines, fewer mistakes of sending commands to the wrong machine are likely to happen as well. This isn't terribly useful for large farms of machines (remembering a hundred names isn't practical), but if you have a smaller number of machines of the same function that are used for distinct projects or client groups, memorable names embedded in an otherwise characteristic-related name can be useful. (Cnames are another alternative for this, but don't always work in practice.) For the most part, 'utility' devices (like network gear and farms) are best named by location, possibly their type and/or function (if this isn't dynamic), and some serial number. It's also appropriate for services that the clients never need refer to by name - for example, if you have a bunch of NFS servers but the clients only need to know the automounter directory mount points, then memorable names don't buy you as much. It's getting more difficult with systems-oriented data centres where a given machine is a chameleon, possibly even running different OSes at different times, but machine hardware type doesn't change, and unless the DC is in a trailer (these do exist!) location doesn't either. As to STO naming - 'real' security people (those who have worked for those three-letter government orgs - we have a few such people around) just laugh at the suggestion. We had a former security admin who thought that keeping the name of the security servers out of documentation and even *conversation* was a good thing - but it's trivially easy to figure out this information if you can log into *any* machine in the environment! That 'policy' has been rescinded. (:-) However, I wouldn't name the most secure machines with names that *invite* people to go after them, like 'fortknox', 'impenetrable', or 'supersecure'. There's no use laying out the red carpet, either! I remember when a university (I think it was Texas A&M?) claimed that they had a secure firewall, and hackers were gleefully penetrating this 'firewall' even as the announcements of its superiority were being broadcast. Staying low-key is a good idea to prevent encouraging the script kiddies, just don't depend on your naming to really hide anything for you. My own personal machines at home have names that are chosen by whim for the servers (and function for the utility devices) - like I did for my personal machines when I worked at the university. My desktop was 'wizard', and the other machines were wizzl, wizznd, etc. When I got my first laptop, someone suggested that I call it 'takeawiz', but I went with the more politically correct 'wizalong'... - Richard Cat Okita wrote: > On Sat, 6 Jan 2007, Jason Antman wrote: >> For my personal networks, I really prefer names that have nothing to do >> with the functional nature of the machine, as I view this as making >> network reconnaissance too easy. My home development network has >> "SATURN" >> as the main DHCP/DNS/LDAP server, and the other machines are named after >> Saturn's moons, allowing approximately 56 unique names. > > I'm always entertained by the idea that names must somehow make doing > network reconaissance easier. When was the last time you saw a scanner > that worked by name, rather than by IP, _especially_ in bulk. > > IMNSHO "it makes things harder for crackers" simply isn't a good argument > for names that have nothing to do with the nature of the machine. That's > like arguing that a different colour of umbrella will somehow make it > less obvious that you're using an umbrella. > > On your home network it doesn't much matter what you choose - presumably > you're either the only admin, or one of a tiny number of admins who know > their machines extremely well - but that certainly doesn't hold true as > the environment scales. > > cheers! > ========================================================================== > > "A cat spends her life conflicted between a deep, passionate and profound > desire for fish and an equally deep, passionate and profound desire to > avoid getting wet. This is the defining metaphor of my life right now." From sage-members-owner@usenix.org Sat Jan 6 13:28:59 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06LSwWm018082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 13:28:58 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l06LSwBF018081 for sage-members-0utGoign; Sat, 6 Jan 2007 13:28:58 -0800 (PST) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169]) by usenix.org (8.13.6/8.13.6) with ESMTP id l06LSVxx018067 for ; Sat, 6 Jan 2007 13:28:42 -0800 (PST) Received: by ug-out-1314.google.com with SMTP id m3so5779764uge for ; Sat, 06 Jan 2007 13:28:30 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=XhVcoRXIP8t2ldY4kfpv3hxfKPbMGbJQXqg5uOVJBddpC+znUWqLp8K2KG+IxP5RvPyu8YiVOnOov/pMw7bL4gYacAPIMx9uphm5IGGixdDyKjwC0Inwef+dYyBHGNo8lO99TpYxpS0LfHJ89+rncM2lBKbRvT/eOG1e+tCoIYY= Received: by 10.78.178.5 with SMTP id a5mr7114478huf.1168118910525; Sat, 06 Jan 2007 13:28:30 -0800 (PST) Received: by 10.78.136.16 with HTTP; Sat, 6 Jan 2007 13:28:30 -0800 (PST) Message-ID: Date: Sat, 6 Jan 2007 16:28:30 -0500 From: "Rodrick Brown" To: "Mark R. Lindsey" Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "LOPSA Discuss List" , "SAGE list" In-Reply-To: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=7% Sender: owner-sage-members@usenix.org Precedence: bulk On 1/5/07, Mark R. Lindsey wrote: > Have there been any papers done on naming conventions for servers, > network gear, etc? > > E.g., when is it better to call it "core-router-bwg" versus > "juniperm10i" versus "router1"? > > Or "server1" versus "dns1" versus "franko"? > > There are a few obvious up-sides and down-sides of different schemes. > But has anybody really dug in and written them down? > > If not, I'd be interested in writing a paper on this with somebody > for USENIX or SAGE. If you're interested in working with me on it, > let me know. > > > > > > Mark R. Lindsey | ECG | +1-229-316-0013 | lindsey@e-c-group.com > > > Most companies I've worked for we've used a variation of the following but this approach works very well especially for large multi-region environments. scsinfpladm01 (scs) == Location "Secacus" (inf) == Business Owner in this case "Infrastructure" (p) == Server environment "production" (l) == OS type "linux" (adm) == server function "administrative" (01) == instance number. If the machine is a blade server we use something like 01xx 01 would be the blade itself followed by xx that would be the actually location of that specific blade on the chassis ie. scsinfplpadm0114 Looking at a generic hostname such as "chicsidsdb01" we know off bat its located in Chicago running a Solaris database in dev and the business owner is cash securities. -- Rodrick R. Brown From sage-members-owner@usenix.org Sat Jan 6 22:28:37 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l076SPm4000055 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 22:28:30 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l076SOmo000054 for sage-members-0utGoign; Sat, 6 Jan 2007 22:28:24 -0800 (PST) Received: from smtp102.his.com (smtp102.his.com [216.194.225.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id l076Rtx9000034 for ; Sat, 6 Jan 2007 22:28:05 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by smtp102.his.com (Postfix) with ESMTP id C542A4000F3; Sun, 7 Jan 2007 01:27:50 -0500 (EST) Received: from smtp102.his.com ([216.194.225.125]) by localhost (smtp102.his.com [216.194.225.125]) (amavisd-new, port 10024) with ESMTP id 30229-10; Sun, 7 Jan 2007 01:27:49 -0500 (EST) Received: from vhost109.his.com (vhost109.his.com [216.194.225.101]) by smtp102.his.com (Postfix) with ESMTP id EE7A44000EC; Sun, 7 Jan 2007 01:27:48 -0500 (EST) Received: from [10.0.1.11] (localhost.his.com [127.0.0.1]) by vhost109.his.com (8.13.1/8.12.3) with ESMTP id l076Rbil074860; Sun, 7 Jan 2007 01:27:48 -0500 (EST) (envelope-from brad@shub-internet.org) Mime-Version: 1.0 Message-Id: In-Reply-To: References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> Date: Sat, 6 Jan 2007 23:53:28 -0600 To: "Rodrick Brown" , "Mark R. Lindsey" From: Brad Knowles Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "LOPSA Discuss List" , "SAGE list" Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: Debian amavisd-new at smtp502.his.com X-Spam-Status: No, score=-4.31 tagged_above=-99 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.089, BAYES_00=-2.599] X-Spam-Score: -4.31 X-Spam-Level: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=4% Sender: owner-sage-members@usenix.org Precedence: bulk At 4:28 PM -0500 1/6/07, Rodrick Brown wrote: > scsinfpladm01 > (scs) == Location "Secacus" > (inf) == Business Owner in this case "Infrastructure" > (p) == Server environment "production" > (l) == OS type "linux" > (adm) == server function "administrative" > (01) == instance number. I really, really, really hate long hostnames. Use subdomains if you need to, but don't try to have a flat namespace across the entire company or the entire world. And I wouldn't encode the OS into the hostname, either. See RFC 1178 (e.g., ) for reasons why. -- Brad Knowles, Trend Micro has announced that they will cancel the stop.mail-abuse.org mail forwarding service as of 15 November 2006. If you have an old e-mail account for me at this domain, please make sure you correct that with the current address. From sage-members-owner@usenix.org Sat Jan 6 22:28:45 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l076SXsR000066 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 22:28:38 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l076SWLE000065 for sage-members-0utGoign; Sat, 6 Jan 2007 22:28:32 -0800 (PST) Received: from smtp303.his.com (smtp303.his.com [216.194.210.47]) by usenix.org (8.13.6/8.13.6) with ESMTP id l076S0UX000033 for ; Sat, 6 Jan 2007 22:28:10 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by smtp303.his.com (Postfix) with ESMTP id A462415B57C; Sun, 7 Jan 2007 01:27:49 -0500 (EST) Received: from smtp303.his.com ([216.194.210.47]) by localhost (smtp303.his.com [216.194.210.47]) (amavisd-new, port 10024) with ESMTP id 31594-07; Sun, 7 Jan 2007 01:27:46 -0500 (EST) Received: from vhost109.his.com (vhost109.his.com [216.194.225.101]) by smtp303.his.com (Postfix) with ESMTP id 5AFC615B59B; Sun, 7 Jan 2007 01:27:46 -0500 (EST) Received: from [10.0.1.11] (localhost.his.com [127.0.0.1]) by vhost109.his.com (8.13.1/8.12.3) with ESMTP id l076Rbij074860; Sun, 7 Jan 2007 01:27:45 -0500 (EST) (envelope-from brad@shub-internet.org) Mime-Version: 1.0 Message-Id: In-Reply-To: <459FEF6C.8090104@deaddrop.org> References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> <459FEF6C.8090104@deaddrop.org> Date: Sat, 6 Jan 2007 23:47:53 -0600 To: Etaoin Shrdlu , SAGE Members From: Brad Knowles Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: Debian amavisd-new at smtp502.his.com X-Spam-Status: No, score=-4.339 tagged_above=-99 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.060, BAYES_00=-2.599] X-Spam-Score: -4.339 X-Spam-Level: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=10% Sender: owner-sage-members@usenix.org Precedence: bulk At 10:50 AM -0800 1/6/07, Etaoin Shrdlu wrote: > Let me reiterate the excellent work already quoted so many times. I > don't think it gets better than that. > > http://www.nanog.org/mtg-0405/ringel.html That's good for naming of network devices, or large provider environments. For smaller networks, also keep in mind the guidance in RFC 1178 (see ). -- Brad Knowles, Trend Micro has announced that they will cancel the stop.mail-abuse.org mail forwarding service as of 15 November 2006. If you have an old e-mail account for me at this domain, please make sure you correct that with the current address. From sage-members-owner@usenix.org Sat Jan 6 23:02:55 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0772kq4001425 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 6 Jan 2007 23:02:51 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0772kXK001424 for sage-members-0utGoign; Sat, 6 Jan 2007 23:02:46 -0800 (PST) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.188]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0772J8k001413 for ; Sat, 6 Jan 2007 23:02:30 -0800 (PST) Received: by nf-out-0910.google.com with SMTP id g2so8046234nfe for ; Sat, 06 Jan 2007 23:02:18 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FnZQNF/+mmtddh79nkji5Zcgw2rbmWoUIHzD1BicwIGsdhBmBb7xFQqiEvgQjLr+2BLnUfU3d6bD/yIYG0lhCXbqk0QExqQQydQiPnxns5DKQ7Q24/vJm4NjD/ZzOPNda6vp3vf8qHiN3dR0xnHE5HTikyu9q5SmtiT/65aKNXg= Received: by 10.78.158.11 with SMTP id g11mr3691229hue.1168152912966; Sat, 06 Jan 2007 22:55:12 -0800 (PST) Received: by 10.78.136.16 with HTTP; Sat, 6 Jan 2007 22:55:12 -0800 (PST) Message-ID: Date: Sun, 7 Jan 2007 01:55:12 -0500 From: "Rodrick Brown" To: "Brad Knowles" Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "Mark R. Lindsey" , "LOPSA Discuss List" , "SAGE list" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk On 1/7/07, Brad Knowles wrote: > At 4:28 PM -0500 1/6/07, Rodrick Brown wrote: > > > scsinfpladm01 > > (scs) == Location "Secacus" > > (inf) == Business Owner in this case "Infrastructure" > > (p) == Server environment "production" > > (l) == OS type "linux" > > (adm) == server function "administrative" > > (01) == instance number. > > I really, really, really hate long hostnames. Use subdomains if you > need to, but don't try to have a flat namespace across the entire > company or the entire world. > It really depends on your definition of a long hostname? I find subdomains to be really annoying in a practical sense especially in environments where you can easily run into issues where you have duplicate hostnames depending on your search path it can get really confusing, this is very likely in larger environments. ie. servera.foo1.domain.com servera.foo2.domain.com. > And I wouldn't encode the OS into the hostname, either. See RFC 1178 > (e.g., ) for reasons why. > The OS type indication in a hostname makes automation/scripting very simple across the board. I have not found a single issue with this scheme over the years please enlightenment on where exactly this can be problematic so far you've stated nothing but religious reasons. Brad I really value your input so please don't take this response as an attack in anyway I just want to see where exactly you feel this can be an issue. > -- > Brad Knowles, > > Trend Micro has announced that they will cancel the stop.mail-abuse.org > mail forwarding service as of 15 November 2006. If you have an old > e-mail account for me at this domain, please make sure you correct that > with the current address. > -- Rodrick R. Brown From sage-members-owner@usenix.org Sun Jan 7 03:15:54 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l07BFgGg011720 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 7 Jan 2007 03:15:47 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l07BFgw6011719 for sage-members-0utGoign; Sun, 7 Jan 2007 03:15:42 -0800 (PST) Received: from smtp303.his.com (smtp303.his.com [216.194.210.47]) by usenix.org (8.13.6/8.13.6) with ESMTP id l07BFCE7011676 for ; Sun, 7 Jan 2007 03:15:22 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by smtp303.his.com (Postfix) with ESMTP id C853C15B57E; Sun, 7 Jan 2007 06:15:11 -0500 (EST) Received: from smtp303.his.com ([216.194.210.47]) by localhost (smtp303.his.com [216.194.210.47]) (amavisd-new, port 10024) with ESMTP id 20247-01; Sun, 7 Jan 2007 06:15:08 -0500 (EST) Received: from vhost109.his.com (vhost109.his.com [216.194.225.101]) by smtp303.his.com (Postfix) with ESMTP id BA70715B588; Sun, 7 Jan 2007 06:15:08 -0500 (EST) Received: from [10.0.1.11] (localhost.his.com [127.0.0.1]) by vhost109.his.com (8.13.1/8.12.3) with ESMTP id l07BF5Dt094731; Sun, 7 Jan 2007 06:15:07 -0500 (EST) (envelope-from brad@shub-internet.org) Mime-Version: 1.0 Message-Id: In-Reply-To: References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> Date: Sun, 7 Jan 2007 05:14:05 -0600 To: "Rodrick Brown" , "Brad Knowles" From: Brad Knowles Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "Mark R. Lindsey" , "LOPSA Discuss List" , "SAGE list" Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: Debian amavisd-new at smtp502.his.com X-Spam-Status: No, score=-4.335 tagged_above=-99 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.064, BAYES_00=-2.599] X-Spam-Score: -4.335 X-Spam-Level: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=10% Sender: owner-sage-members@usenix.org Precedence: bulk At 1:55 AM -0500 1/7/07, Rodrick Brown wrote: > It really depends on your definition of a long hostname? I find > subdomains to be really annoying in a practical sense especially in > environments where you can easily run into issues where you have > duplicate hostnames depending on your search path it can get really > confusing, this is very likely in larger environments. ie. > servera.foo1.domain.com servera.foo2.domain.com. I guess it depends on the group that is doing the O&M for these machines. But does every admin need to have full and complete access to every single machine? Do you have just five admins to manage tens of thousands of systems, spread across the world? Why type the thirteen character long "scsinfpladm01" each and every time, instead of shortening that to "padmin01" within the "inf.scs.example.com" domain, and the domain name portion might only need to be typed rarely? RFC 1178 is old enough that they didn't really worry about always creating highly organized section and paragraph numbers, I guess because they didn't think that people would be reading and referring to these documents so much, and would want a quick and unambiguous way to refer to different parts. And not all RFCs were pre-paginated, so you can't even reliably use page numbers and then paragraph numbers from there, or something similar. So, I guess we have to use section and subsection names. In the "Don't Do These" section, there is a short subsection entitled "Don't use long names." They don't mention the fact that many OSes at the time had a built-in restriction of maximum hostname length of eight characters. Instead, they give us the following timeless guidance: This is hard to quantify, but experience has shown that names longer than eight characters simply annoy people. Most systems will allow prespecified abbreviations, but why not choose a name that you don't have to abbreviate to begin with? This removes any chance of confusion. I dunno. Maybe us old-school vi types that value economy of typing over big flat namespaces are obsolete. I mean, the economy of typing "creat()" over "create()" is not much, and there is enough added confusion, that I'm not sure it makes sense. But "creat()" over "create_new_file()", that I can see. In the "Do These" section of RFC 1178, the next-to-last subsection is entitled "Don't worry about reusing someone else's hostname." Keep in mind that this document is old enough that many people would remember HOST.TXT tables, and the transition to the DNS, and consequently the introduction of domain names to the Internet. Yet, this document already recognizes the value of not even trying to keep a flat namespace. > The OS type indication in a hostname makes automation/scripting very > simple across the board. I have not found a single issue with this > scheme over the years please enlightenment on where exactly this can > be problematic so far you've stated nothing but religious reasons. > Brad I really value your input so please don't take this response as > an attack in anyway I just want to see where exactly you feel this can > be an issue. Why encode the OS in the name, when the OS might need to change overnight? Why should the change in the OS require a change in the function or the name? Does it really make a difference to the applications what OS is running on machine_named_fred? If machine_named_fred_on_linux dies, and you end up temporarily replacing it with machine_named_fred_on_freebsd, and you've got lots of applications that would be connecting to that system, why should the hostname have to change just because the OS does? Conversely, why should you have to continue to have an old OS encoded in the name, when the current OS on the box is something different? Interestingly, this particular topic doesn't seem to be addressed by RFC 1178, but I was pretty sure it had been. I had to look through it several times to be sure, and even now I don't quite believe it myself. Of course, this issue is covered in the other reference that has been recommended, namely , in the last bullet on page 7. However, this document also recommends longer names over shorter ones, too. And this also gets back to another fundamental naming question -- do we name machines, or interfaces? RFC 1178 assumes that we name only machines and doesn't even talk about interfaces, while Ringel clearly assumes that we name only interfaces and the concept of naming just machines is totally alien. So, we get theme names like "tulip" or "lily" in RFC 1178 versus "sackler-rtr-pri-x-grafton-rtr-pri" and "anderson-rtr-pri-t-vlan80" with Ringel. Nevertheless, Ringel does suggest creating CNAME aliases that would allow RFC 1178 style names to be used for occasional human convenience, while the underlying machine is actually named something totally different. Personally, I think we name both types of things, and both types of naming conventions are useful. If I was a network guy, where I had lots of devices each with potentially dozens or hundreds of interfaces, then I'd use Ringel-style naming. Or, if I was managing a very large number of machines, either in a cluster or in a farm-like environment, then I would probably end up using something like Ringel -- maybe city-building-room-row-rack-shelf. The latter would have worked pretty well at AOL, for example -- at least, for the guys who push the machines around and manage the physical inventory, while the e-mail admins could use a CNAME based system like "emoutXX" and "eminYY", the news admins could use something like "feedWW" and "readerZZ", or whatever. But if I had a smaller shop, or didn't have to deal with a great deal of systems that had large numbers of interfaces, I'd most likely go with something much more like RFC 1178. And I'd most definitely go with RFC 1178 style naming for those CNAME aliases. In either case, I think that both documents have something useful to teach us about bad things you should probably avoid doing in selecting your naming conventions, and good things you should definitely consider in selecting your naming conventions, and neither of them is a complete stand-alone reference on this subject. Where RFC 1178 and Ringel conflict, I guess you need to take a look at your particular situation and see which kind of guidance is more appropriate for your situation. Otherwise, where one addresses a particular topic that the other doesn't, then I think I'd probably use both. -- Brad Knowles, Trend Micro has announced that they will cancel the stop.mail-abuse.org mail forwarding service as of 15 November 2006. If you have an old e-mail account for me at this domain, please make sure you correct that with the current address. From sage-members-owner@usenix.org Sun Jan 7 13:36:09 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l07La0OY028788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 7 Jan 2007 13:36:05 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l07LZxm3028787 for sage-members-0utGoign; Sun, 7 Jan 2007 13:35:59 -0800 (PST) Received: from adsl-64-160-54-75.dsl.snfc21.pacbell.net (adsl-67-122-242-225.dsl.pltn13.pacbell.net [67.122.242.225]) by usenix.org (8.13.6/8.13.6) with ESMTP id l07LZSEL028769 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 7 Jan 2007 13:35:47 -0800 (PST) Received: from [192.168.72.2] (wizfast.rski.net [192.168.72.2]) by adsl-64-160-54-75.dsl.snfc21.pacbell.net (8.12.8/8.12.8) with ESMTP id l07LZBxo010072; Sun, 7 Jan 2007 13:35:12 -0800 Message-ID: <45A1678F.3010600@chycoski.com> Date: Sun, 07 Jan 2007 13:35:11 -0800 From: Richard Chycoski User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Brad Knowles CC: Rodrick Brown , "Mark R. Lindsey" , LOPSA Discuss List , SAGE list Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk You naming scheme should reflect your environment. For example, our desktops are simply named -[] So, for user jsmith who has a Linux box on his desk, the hostname would be 'jsmith-lnx'. If he also has a Windows XP desktop or laptop, that would be 'jsmith-wxp'. His Solaris machine might be 'jsmith-sb100'. This works well for our 30,000+ desktop/laptop/personal systems since we have a directory that keeps track of where all the employees are located, and personal workstations tend to stay with the user. We have a flat namespace for users and networks - subdomains are worse than labelling hosts with their OSes in our company because the physical and logical organisation of the company is constantly changing. We rarely change the OS on a given machine. This doesn't work well in the data centre, but we still have the flat namespace to deal with, so have unique host names across the entire company. (Something like a half million names or more.) Why keep it flat? See the previous item - the only constant is change. You need to consider how your organisation works when you decide on a naming scheme. Most large Service Provider organisations (like phone companies, ISPs, search engine companies, etc.) that have thousands of similar machines generally use the physical location model for naming - and this makes sense. The organisation of the equipment tends to transcend the organisation of the people in an SP environment. SPs have a lot of customers pounding on a lot of gear, with a relatively smaller number of people to take care of that gear, and the purpose of most of the gear is to directly serve the customer. In an Enterprise (that is not an SP), it's normal for most of the gear to serve the employees, rather than directly serve the customers. This can put a different perspective on system naming. A large global company that is constantly changing the internal structure may need a more flexible naming scheme, especially one that doesn't require altering host names based on location or organisational role for every machine that gets 'repurposed' on a regular basis. Other large companies are quite hierarchical or balkanised, and subdomains and naming schemes that contain the life history of the device (:-) may be perfectly appropriate. It also depends on how you manage your machines. We have a database that keeps track of all of the pertinent information for every production router/switch and every data centre host in the company. Rather than encode the rack/shelf information into the hostname we generally only get it down to the room, and let people look up the rest in the database. This has been a good compromise for us as a balance between host name size, findin hosts, and keeping the number of hostname alterations down (when racks move within a data centre). Some of the more fixed network gear *is* identified down to the rack, as this gear does not move. Our network racks are bolted down to the floor, our computer racks are on wheels. The naming schemes reflect the difference in permanence of location. And a personal preference - even if subdomains are used, keep the physical hostnames unique. Functional names (like 'imap.subdomain.domain.com') are less likely to cause you a problem, but you can confuse people (and some systems) with duplicate hostnames. It gets worse when the subdomains are as cryptic as the hostnames, as in: bldg5xdm1.lon1.company.com and bldg5xdm1.lon2.company.com As to the long/short names - there are certain software packages that barf on long names, so for one particular database package we had to create eight character names (with no hyphens) for the machines, and make the CNAMES be our 'standard' names (jsmith-lnx). Ugh. I'm convinced that every naming scheme has its own nemesis out there! - Richard Brad Knowles wrote: > At 1:55 AM -0500 1/7/07, Rodrick Brown wrote: > >> It really depends on your definition of a long hostname? I find >> subdomains to be really annoying in a practical sense especially in >> environments where you can easily run into issues where you have >> duplicate hostnames depending on your search path it can get really >> confusing, this is very likely in larger environments. ie. >> servera.foo1.domain.com servera.foo2.domain.com. > > I guess it depends on the group that is doing the O&M for these > machines. But does every admin need to have full and complete access > to every single machine? Do you have just five admins to manage tens > of thousands of systems, spread across the world? > > Why type the thirteen character long "scsinfpladm01" each and every > time, instead of shortening that to "padmin01" within the > "inf.scs.example.com" domain, and the domain name portion might only > need to be typed rarely? > > > RFC 1178 is old enough that they didn't really worry about always > creating highly organized section and paragraph numbers, I guess > because they didn't think that people would be reading and referring > to these documents so much, and would want a quick and unambiguous way > to refer to different parts. And not all RFCs were pre-paginated, so > you can't even reliably use page numbers and then paragraph numbers > from there, or something similar. > > So, I guess we have to use section and subsection names. In the > "Don't Do These" section, there is a short subsection entitled "Don't > use long names." They don't mention the fact that many OSes at the > time had a built-in restriction of maximum hostname length of eight > characters. Instead, they give us the following timeless guidance: > > This is hard to quantify, but experience has shown that names > longer than eight characters simply annoy people. > > Most systems will allow prespecified abbreviations, but why not > choose a name that you don't have to abbreviate to begin with? > This removes any chance of confusion. > > > I dunno. Maybe us old-school vi types that value economy of typing > over big flat namespaces are obsolete. I mean, the economy of typing > "creat()" over "create()" is not much, and there is enough added > confusion, that I'm not sure it makes sense. But "creat()" over > "create_new_file()", that I can see. > > > In the "Do These" section of RFC 1178, the next-to-last subsection is > entitled "Don't worry about reusing someone else's hostname." Keep in > mind that this document is old enough that many people would remember > HOST.TXT tables, and the transition to the DNS, and consequently the > introduction of domain names to the Internet. Yet, this document > already recognizes the value of not even trying to keep a flat namespace. > > >> The OS type indication in a hostname makes automation/scripting very >> simple across the board. I have not found a single issue with this >> scheme over the years please enlightenment on where exactly this can >> be problematic so far you've stated nothing but religious reasons. >> Brad I really value your input so please don't take this response as >> an attack in anyway I just want to see where exactly you feel this can >> be an issue. > > Why encode the OS in the name, when the OS might need to change > overnight? Why should the change in the OS require a change in the > function or the name? > > Does it really make a difference to the applications what OS is > running on machine_named_fred? If machine_named_fred_on_linux dies, > and you end up temporarily replacing it with > machine_named_fred_on_freebsd, and you've got lots of applications > that would be connecting to that system, why should the hostname have > to change just because the OS does? Conversely, why should you have > to continue to have an old OS encoded in the name, when the current OS > on the box is something different? > > > Interestingly, this particular topic doesn't seem to be addressed by > RFC 1178, but I was pretty sure it had been. I had to look through it > several times to be sure, and even now I don't quite believe it myself. > > Of course, this issue is covered in the other reference that has been > recommended, namely , in > the last bullet on page 7. However, this document also recommends > longer names over shorter ones, too. > > > And this also gets back to another fundamental naming question -- do > we name machines, or interfaces? RFC 1178 assumes that we name only > machines and doesn't even talk about interfaces, while Ringel clearly > assumes that we name only interfaces and the concept of naming just > machines is totally alien. > > So, we get theme names like "tulip" or "lily" in RFC 1178 versus > "sackler-rtr-pri-x-grafton-rtr-pri" and "anderson-rtr-pri-t-vlan80" > with Ringel. Nevertheless, Ringel does suggest creating CNAME aliases > that would allow RFC 1178 style names to be used for occasional human > convenience, while the underlying machine is actually named something > totally different. > > > Personally, I think we name both types of things, and both types of > naming conventions are useful. > > If I was a network guy, where I had lots of devices each with > potentially dozens or hundreds of interfaces, then I'd use > Ringel-style naming. Or, if I was managing a very large number of > machines, either in a cluster or in a farm-like environment, then I > would probably end up using something like Ringel -- maybe > city-building-room-row-rack-shelf. The latter would have worked > pretty well at AOL, for example -- at least, for the guys who push the > machines around and manage the physical inventory, while the e-mail > admins could use a CNAME based system like "emoutXX" and "eminYY", the > news admins could use something like "feedWW" and "readerZZ", or > whatever. > > But if I had a smaller shop, or didn't have to deal with a great deal > of systems that had large numbers of interfaces, I'd most likely go > with something much more like RFC 1178. And I'd most definitely go > with RFC 1178 style naming for those CNAME aliases. > > > In either case, I think that both documents have something useful to > teach us about bad things you should probably avoid doing in selecting > your naming conventions, and good things you should definitely > consider in selecting your naming conventions, and neither of them is > a complete stand-alone reference on this subject. > > Where RFC 1178 and Ringel conflict, I guess you need to take a look at > your particular situation and see which kind of guidance is more > appropriate for your situation. > > Otherwise, where one addresses a particular topic that the other > doesn't, then I think I'd probably use both. > From sage-members-owner@usenix.org Mon Jan 8 03:55:40 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08BtV64017533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 03:55:37 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08BtVOb017532 for sage-members-0utGoign; Mon, 8 Jan 2007 03:55:31 -0800 (PST) Received: from ettin.watson-wilson.ca (watson-wilson.ca [216.138.221.7]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Bt3B0017512 for ; Mon, 8 Jan 2007 03:55:14 -0800 (PST) Received: by ettin.watson-wilson.ca (Postfix, from userid 1000) id CDBCE3ADE0; Mon, 8 Jan 2007 06:54:54 -0500 (EST) Date: Mon, 8 Jan 2007 06:54:54 -0500 From: Neil Watson To: sage-members@usenix.org Subject: [SAGE] Syncing PDA and Linux Message-ID: <20070108115454.GA28969@watson-wilson.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline X-Message-Flag: Outlook is a dangerous and insecure program (Magic 8 ball: Outlook not good) X-Accepted-File-Formats: No proprietary Microsoft Office files please User-Agent: Mutt/1.5.13 (2006-08-11) X-watson-wilson.ca-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details X-watson-wilson.ca-MailScanner-From: sage@watson-wilson.ca X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk I took the plunge and bought a Palm Z22 after reading 'Time management for system administrators'. I'm having a heck of a time trying to sync it. I've loaded the visor and usbserial kernel modules. When I attempt to have kpilot find the device, which appears as /dev/pilot => /dev/ttyUSBx the PDA briefly reports a sync but then goes quite. Kpilot report that it cannot find the device. I see some errors in the kernel log files: usb 1-3.2: new full speed USB device using ehci_hcd and address 39 hub 1-3:1.0: Cannot enable port 2. Maybe the USB cable is bad? hub 1-3:1.0: Cannot enable port 2. Maybe the USB cable is bad? hub 1-3:1.0: Cannot enable port 2. Maybe the USB cable is bad? hub 1-3:1.0: Cannot enable port 2. Maybe the USB cable is bad? usb 1-3.2: new full speed USB device using ehci_hcd and address 43 usb 1-3.2: device descriptor read/64, error -110 After that the /dev/ttyUSBx files disappear and do not return even when I attempt another sync. I've tried two different cables using both USB2 and USB1 ports but the error persists. I'm using kernel 2.6.19.1 and Debian Sarge. -- Neil Watson | Debian Linux System Administrator | Uptime 1 day http://watson-wilson.ca From sage-members-owner@usenix.org Mon Jan 8 10:00:24 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08I0NKB029634 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 10:00:23 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08I0Nt0029633 for sage-members-0utGoign; Mon, 8 Jan 2007 10:00:23 -0800 (PST) Received: from ettin.watson-wilson.ca (watson-wilson.ca [216.138.221.7]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08HxuGT029612 for ; Mon, 8 Jan 2007 10:00:06 -0800 (PST) Received: by ettin.watson-wilson.ca (Postfix, from userid 1000) id 0BD353ADE0; Mon, 8 Jan 2007 12:59:47 -0500 (EST) Date: Mon, 8 Jan 2007 12:59:47 -0500 From: Neil Watson To: sage-members@usenix.org Subject: Re: [SAGE] Syncing PDA and Linux Message-ID: <20070108175947.GC30208@watson-wilson.ca> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: X-Message-Flag: Outlook is a dangerous and insecure program (Magic 8 ball: Outlook not good) X-Accepted-File-Formats: No proprietary Microsoft Office files please User-Agent: Mutt/1.5.13 (2006-08-11) X-watson-wilson.ca-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details X-watson-wilson.ca-MailScanner-From: sage@watson-wilson.ca X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Mon, Jan 08, 2007 at 11:40:48AM -0500, Bill Benedetto wrote: >However, my situation is slightly different: > 1) I'm using evolution/gpilotd instead of kpilot. > 2) My syncing WAS working until some debian upgrade that I did. > I BELIEVE it was a normal etch upgrade but I HAVE upgraded my > kernel recently (from 2.6.15 to 2.6.18). > 3) I'm running Etch instead of Sarge. Since both of us are using the 2.6 kernel I think that may be the issue. The problem seems to be in the kernel's unwillingness to reliably create the /dev/ttyUSB? file. -- Neil Watson | Debian Linux System Administrator | Uptime 1 day http://watson-wilson.ca From sage-members-owner@usenix.org Mon Jan 8 10:46:52 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Ijf2C002192 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 10:45:41 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08IjfIl002190 for sage-members-0utGoign; Mon, 8 Jan 2007 10:45:41 -0800 (PST) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Ii4h1002088 for ; Mon, 8 Jan 2007 10:44:15 -0800 (PST) Received: by ug-out-1314.google.com with SMTP id m3so6124359uge for ; Mon, 08 Jan 2007 10:44:03 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=O9gf5kKftgYpTttfDZBJbnI2M8n78QHYC+u1VetDuRyOK2YFSt3ILtyZi2mBxgAmjsoSCtWJsFMQE9+IxDqASO14YMdb+Q+wJkyGLeVM+T8vozYX3KCQB7wteVEA4FngzjOIy6FXZiLCI+rwvEzo8VQJY+aKYOzPLogIKIXNlJc= Received: by 10.78.164.13 with SMTP id m13mr4169130hue.1168281843788; Mon, 08 Jan 2007 10:44:03 -0800 (PST) Received: by 10.78.136.16 with HTTP; Mon, 8 Jan 2007 10:44:03 -0800 (PST) Message-ID: Date: Mon, 8 Jan 2007 13:44:03 -0500 From: "Rodrick Brown" To: "Lamont Granquist" Subject: Re: [lopsa-discuss] Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "Brad Knowles" , "LOPSA Discuss List" , "SAGE list" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=6% Sender: owner-sage-members@usenix.org Precedence: bulk On 1/8/07, Lamont Granquist wrote: > > > > At 1:55 AM -0500 1/7/07, Rodrick Brown wrote: > >> The OS type indication in a hostname makes automation/scripting very > >> simple across the board. I have not found a single issue with this > >> scheme over the years please enlightenment on where exactly this can > >> be problematic so far you've stated nothing but religious reasons. > >> Brad I really value your input so please don't take this response as > >> an attack in anyway I just want to see where exactly you feel this can > >> be an issue. > > > > Why encode the OS in the name, when the OS might need to change overnight? > > Why should the change in the OS require a change in the function or the name? > > Yup, maintain a centralized database which records OS type and other > queriable information about the machines. Have most of that information > updated by the end hosts on provisioning and via appropriate cronjobs. > > For your configuration management use something like cfengine rather than > rdist so that you can use labels in the config file which are expanded and > set correctly on the end-host based on inspected ostype. That elminates > the need to use some kind of macro generation around your rdistfile to set > labels composed of all the linux machines in the fleet. > > For doing remote scripting query the mysql database. While you can do an > axfr zone transfer and grep out the linux boxes from DNS using your scheme > that's really a poor way to use DNS as a fleet management database. It is > ultimitely much less flexible and is overloading DNS with information that > you don't always need to know when you're using DNS. > This is pretty much the standard in any environment with more than a 100 or so servers, the ability to to identify the server's owner, OS type, and location just from the host name alone is very useful. I've yet to see a solid reason why embedding this information into the hostname inst advantageous. I don't know about you guys but I almost never have to rebuild an OS with a different OS type so this isn't an issue of much concern. -- Rodrick R. Brown From sage-members-owner@usenix.org Mon Jan 8 11:55:14 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Js36q006727 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 11:54:03 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08Js2H7006725 for sage-members-0utGoign; Mon, 8 Jan 2007 11:54:03 -0800 (PST) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.173]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08JqRbM006651 for ; Mon, 8 Jan 2007 11:52:38 -0800 (PST) Received: by ug-out-1314.google.com with SMTP id m3so6141494uge for ; Mon, 08 Jan 2007 11:52:26 -0800 (PST) Received: by 10.78.131.8 with SMTP id e8mr4215238hud.1168285946381; Mon, 08 Jan 2007 11:52:26 -0800 (PST) Received: by 10.78.179.19 with HTTP; Mon, 8 Jan 2007 11:52:25 -0800 (PST) Message-ID: <9003ed000701081152j29eba11aiceab73865ce64b05@mail.gmail.com> Date: Mon, 8 Jan 2007 19:52:25 +0000 From: "Colm Buckley" To: "Rodrick Brown" Subject: Re: [lopsa-discuss] Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "Lamont Granquist" , "Brad Knowles" , "LOPSA Discuss List" , "SAGE list" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> X-Google-Sender-Auth: 9f8721590ee3960d X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=6% Sender: owner-sage-members@usenix.org Precedence: bulk On 08/01/07, Rodrick Brown wrote: > This is pretty much the standard in any environment with more than a > 100 or so servers, the ability to to identify the server's owner, OS > type, and location just from the host name alone is very useful. I've > yet to see a solid reason why embedding this information into the > hostname inst advantageous. I don't know about you guys but I almost > never have to rebuild an OS with a different OS type so this isn't an > issue of much concern. TXT records. Colm -- Colm Buckley / colm@tuatha.org / +353 87 2469146 From sage-members-owner@usenix.org Mon Jan 8 11:58:00 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08JvxoG006948 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 11:58:00 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08JvxF0006947 for sage-members-0utGoign; Mon, 8 Jan 2007 11:57:59 -0800 (PST) Received: from zero.monsters.org (adsl-208-191-248-1.dsl.ltrkar.swbell.net [208.191.248.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Jvpbj006936 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 11:57:57 -0800 (PST) Received: from [10.13.13.109] ([170.94.139.93]) (authenticated bits=0) by zero.monsters.org (8.13.7/8.13.7) with ESMTP id l08JpuQo012919 for ; Mon, 8 Jan 2007 13:51:56 -0600 Subject: Re: [SAGE] Syncing PDA and Linux From: Stephen L Johnson To: sage-members@usenix.org In-Reply-To: <20070108175947.GC30208@watson-wilson.ca> References: <20070108175947.GC30208@watson-wilson.ca> Content-Type: text/plain Date: Mon, 08 Jan 2007 13:52:28 -0600 Message-Id: <1168285948.21947.17.camel@rodan.monsters.org> Mime-Version: 1.0 X-Mailer: Evolution 2.8.2.1 (2.8.2.1-2.fc6) Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0rc7 (zero.monsters.org [208.191.248.1]); Mon, 08 Jan 2007 13:51:56 -0600 (CST) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Mon, 2007-01-08 at 12:59 -0500, Neil Watson wrote: > On Mon, Jan 08, 2007 at 11:40:48AM -0500, Bill Benedetto wrote: > >However, my situation is slightly different: > > 1) I'm using evolution/gpilotd instead of kpilot. > > 2) My syncing WAS working until some debian upgrade that I did. > > I BELIEVE it was a normal etch upgrade but I HAVE upgraded my > > kernel recently (from 2.6.15 to 2.6.18). > > 3) I'm running Etch instead of Sarge. > > Since both of us are using the 2.6 kernel I think that may be the issue. > The problem seems to be in the kernel's unwillingness to reliably create > the /dev/ttyUSB? file. There is some weirdness with USB synch with newer kernels (2.16 and above.) I've hit similar issues in The USB subsystems seems to connect and disconnect at random with palm devices. It seems that daemons which poll never work. One thing that seems to work is to start HotSync on the PDA. When Hotsync "Connecting to..." on the PDA, start the sync session manually on the computer side. And if all goes well the client on the computer should connect and sync. And further help can be gleamed in the list archives at the www.pilot-link.org site. Usually if you are having a problem someone else has had it before. And to get my Treo 700p to sync I've good luck using the new 0.12 version the pilot-link packing using the new libusb connection. Unfortunately all of the palm synch packages are dependent on 0.11.* versions. So I'm making do with pilot-link 0.12, connecting with usb: and the new OpenSync (www.opensync.org) (successor to MultiSync). -- Stephen L Johnson From sage-members-owner@usenix.org Mon Jan 8 12:30:48 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08KUljB008912 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 12:30:48 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08KUlqr008910 for sage-members-0utGoign; Mon, 8 Jan 2007 12:30:47 -0800 (PST) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.228]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08KUQgG008843 for ; Mon, 8 Jan 2007 12:30:37 -0800 (PST) Received: by wx-out-0506.google.com with SMTP id i27so8543664wxd for ; Mon, 08 Jan 2007 12:30:26 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding:sender; b=rTfw5x8nDIPZKfX7eDUgG3nx9u1X8amGKsogqJiHeHGCp9pR/8xfdSA0yCXMZT9TtfvGMKyMlkU83jr2BM0LwvZuHt5o4NX3oUjo+4g56TYtMDd2XLIqTHpkIf8xMa81oZCOH385H6G+4WE+BHxQeqVzEp/JigJ3Iv89k7xfP2w= Received: by 10.70.29.2 with SMTP id c2mr49285532wxc.1168286741999; Mon, 08 Jan 2007 12:05:41 -0800 (PST) Received: from ?10.111.51.182? ( [69.59.255.12]) by mx.google.com with ESMTP id h34sm786775wxd.2007.01.08.12.05.41; Mon, 08 Jan 2007 12:05:41 -0800 (PST) Message-ID: <45A2A406.7080403@whatexit.org> Date: Mon, 08 Jan 2007 15:05:26 -0500 From: Tom Reingold User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: sage-members@sage.org Subject: Re: [SAGE] Syncing PDA and Linux References: <20070108175947.GC30208@watson-wilson.ca> <1168285948.21947.17.camel@rodan.monsters.org> In-Reply-To: <1168285948.21947.17.camel@rodan.monsters.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk pilot-link has trashed my data twice. (I believe kpilot is built upon pilot-link.) I wouldn't use it again. I had to restore from my copy on Windows back onto my Palm. If I never used Windows, or if I switched entirely from Windows to Linux, I would have lost several years of data. That would have been a disaster. My conclusion is that a Palm is no good if all you have on your desktop is Linux. I expect that happy pilot-link users will pipe up now, to counter my argument. After all, I'm just one datum. Tom Reingold Noo Joizy From sage-members-owner@usenix.org Mon Jan 8 13:15:46 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08LFj8O011263 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 13:15:45 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08LFiRw011262 for sage-members-0utGoign; Mon, 8 Jan 2007 13:15:45 -0800 (PST) Received: from zero.monsters.org (adsl-208-191-248-1.dsl.ltrkar.swbell.net [208.191.248.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08LFMBS011240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 13:15:34 -0800 (PST) Received: from [10.13.13.109] ([170.94.139.93]) (authenticated bits=0) by zero.monsters.org (8.13.7/8.13.7) with ESMTP id l08LFLuY013649 for ; Mon, 8 Jan 2007 15:15:21 -0600 Subject: Re: [SAGE] Syncing PDA and Linux From: Stephen L Johnson To: sage-members@sage.org In-Reply-To: <45A2A406.7080403@whatexit.org> References: <20070108175947.GC30208@watson-wilson.ca> <1168285948.21947.17.camel@rodan.monsters.org> <45A2A406.7080403@whatexit.org> Content-Type: text/plain Date: Mon, 08 Jan 2007 15:15:54 -0600 Message-Id: <1168290954.21947.40.camel@rodan.monsters.org> Mime-Version: 1.0 X-Mailer: Evolution 2.8.2.1 (2.8.2.1-2.fc6) Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0rc7 (zero.monsters.org [208.191.248.1]); Mon, 08 Jan 2007 15:15:21 -0600 (CST) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Mon, 2007-01-08 at 15:05 -0500, Tom Reingold wrote: > pilot-link has trashed my data twice. (I believe kpilot is built upon > pilot-link.) I don't know kpilot specifically, but more linked to the libpisock library which implements the low level communications and basic data access. Most of the data manipulation and comparing is done by the application themselves. I've lost data myself (most by to my own hacking and experimentation). So I do periodic, independent backs with pilot-xfer. And I'll use whatever backup mechanism the desktop software does. pilot-xfer is my off site backup. > I wouldn't use it again. I had to restore from my copy on > Windows back onto my Palm. If I never used Windows, or if I switched > entirely from Windows to Linux, I would have lost several years of data. > That would have been a disaster. I'll only use Windows if a vendor uses some type of Windows based installers. Thankfully, I don't have to resort to that often. And I have to admit I had to use a Windows Network HotSync to get the port Network HotSync was using. They changed it on this new version. (grumble, grumble) > > My conclusion is that a Palm is no good if all you have on your desktop > is Linux. > > I expect that happy pilot-link users will pipe up now, to counter my > argument. After all, I'm just one datum. Well I've been HotSync for years on all of the Palm devices I've owned. It works most of the time. And when not, I've been able to recover from any data mishaps. And I've seen my cases of Windows HotSync problems as well. But I've not seen a case where a cold reset and restore wouldn't fix. (OK there was that one instance of the magic smoke escaping...) > Tom Reingold > Noo Joizy -- Stephen L Johnson From sage-members-owner@usenix.org Mon Jan 8 13:53:12 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Lr8aB012968 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 13:53:08 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08Lr7JW012967 for sage-members-0utGoign; Mon, 8 Jan 2007 13:53:07 -0800 (PST) Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08Lqkk3012949 for ; Mon, 8 Jan 2007 13:52:56 -0800 (PST) Received: from [13.1.137.151] ([13.1.137.151]) by alpha.xerox.com with SMTP id <515850(1)>; Mon, 8 Jan 2007 13:52:28 PST Message-ID: <45A2BD1C.6070104@PARC.com> Date: Mon, 8 Jan 2007 13:52:28 PST From: Keith Farrar User-Agent: Thunderbird 1.5.0.9 (X11/20070104) MIME-Version: 1.0 To: sage-members@usenix.org Subject: Palm backups Re: [SAGE] Syncing PDA and Linux References: <20070108175947.GC30208@watson-wilson.ca> <1168285948.21947.17.camel@rodan.monsters.org> In-Reply-To: <1168285948.21947.17.camel@rodan.monsters.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk I store a backup of my Palm on an SD card (in addition to my Windows hot sync). Red Feline Backup - VFS Backup for Palm OS http://www.redfelineninja.dsl.pipex.com/software/rfbackup.html From sage-members-owner@usenix.org Mon Jan 8 14:59:18 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08MxEhl017835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 8 Jan 2007 14:59:14 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l08MxDDo017834 for sage-members-0utGoign; Mon, 8 Jan 2007 14:59:13 -0800 (PST) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.228]) by usenix.org (8.13.6/8.13.6) with ESMTP id l08MwpBe017765 for ; Mon, 8 Jan 2007 14:59:02 -0800 (PST) Received: by wx-out-0506.google.com with SMTP id t12so7511237wxc for ; Mon, 08 Jan 2007 14:58:51 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=CRhoy5F1NMQHOmzIZmBydSXVmpEXeh1AT7EShDvxI9RsU2V3lC9unAWZ+EFy5c9G3+oj9uKsFMrP/W5YaHXDitpjeQmO6fxqKR71inljHjrGnaGci31M6uTNM+Mom7yhtkf0czg1ooFR2fugZIOW9+OhlW6z1doMkXjMEXu52f8= Received: by 10.70.132.2 with SMTP id f2mr49600253wxd.1168297131333; Mon, 08 Jan 2007 14:58:51 -0800 (PST) Received: by 10.70.131.11 with HTTP; Mon, 8 Jan 2007 14:58:51 -0800 (PST) Message-ID: Date: Mon, 8 Jan 2007 14:58:51 -0800 From: "Kurt Buff" To: "Etaoin Shrdlu" Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. Cc: "SAGE Members" In-Reply-To: <459FEF6C.8090104@deaddrop.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> <459FEF6C.8090104@deaddrop.org> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk On 1/6/07, Etaoin Shrdlu wrote: > Jason Antman wrote: > > >>Have there been any papers done on naming conventions for servers, > >>network gear, etc? > >> > >> > >I work for Rutgers University, which has pretty large IT operations > >department. University-wide, the hosts are named using department-specific > >names, which are a hodgepodge of functional names such as NBCS for New > >Brunswick Computing Services, and "random names" - Eden, Clam, etc. > >Clustered servers are named such as Eden-u1, Eden-u2, etc. > > > > > I have found over time (and I've seen a lot of time) that *any* > consistent naming scheme works. It's helpful if the names have some sort > of internal sense that makes NBCS-Room449 something that is part of your > responsibility, where Eden-u1 is clearly someone else's (just for > example). Another thing that's important is the long view. As we know, > certain operating systems and applications do *not* like being renamed > (think Oracle; think Windows2k3). The less emotional attachment there is > to a naming scheme for servers and network devices, the better. > > Let me reiterate the excellent work already quoted so many times. I > don't think it gets better than that. > > http://www.nanog.org/mtg-0405/ringel.html > > >For my personal networks, I really prefer names that have nothing to do > >with the functional nature of the machine, as I view this as making > >network reconnaissance too easy. My home development network has "SATURN" > >as the main DHCP/DNS/LDAP server, and the other machines are named after > >Saturn's moons, allowing approximately 56 unique names. > > > > > Amusing, but what on earth makes you think anyone interested in your > personal network will care in the slightest about what the *name* of > anything is? If it's interesting enough for someone to care, they will > *know* that you have all those services running on just one machine, and > it'll be over. OVER. On the other hand, unless you have the ability to > support a bunch of bots, I doubt that the bad guys care. Everything's so > automated now, anyway. > > My router is usually named rooter, because it makes me laugh. When it > comes to small networks, I'd just as soon have names that are memorable > for the entertainment value, as anything. Some of my favorites have been > muscle cars (Cobra, Mustang), Nobel Prize winners for physics (with an > honorary mention for Hawking, who *should* win), and insect predators > (Mantis, Widow). Heh. When I was working in a small startup some years ago, I decided that various breeds of chile pepper sounded yummy for my machines - habanero, jalapeno, ancho, piquin, etc. When I got to a larger site (more than about 12 servers), I started to name them after functions again. And made the names as short as possible - fs1 for the first fileserver, etc. - because it simply made more sense. I've never had responsibility for more than 50 servers at a whack, but I'm now in a position where we have over 400 PCs on the net, and I'm enforcing a stardard of the 2-or-3 letter department code, a dash and the username. Haven't had any collisions in that namespace yet, but if we do, I'll just start using middle initials, or append a numeral, or something like that. If I ever become responsible for a larger environment, then the ideas in the Ringel presentation will definitely prove useful. Kurt From sage-members-owner@usenix.org Tue Jan 9 13:40:39 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l09LeWF0017933 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 9 Jan 2007 13:40:33 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l09LeWpI017932 for sage-members-0utGoign; Tue, 9 Jan 2007 13:40:32 -0800 (PST) Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l09LeO7s017914 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 9 Jan 2007 13:40:24 -0800 (PST) Received: (from jrl@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l09LeOvb017913 for sage-members@usenix.org; Tue, 9 Jan 2007 13:40:24 -0800 (PST) Received: from haus.nakedape.cc (haus.nakedape.cc [63.105.18.11]) by usenix.org (8.13.6/8.13.6) with ESMTP id l09JKh0I010621 for ; Tue, 9 Jan 2007 11:20:53 -0800 (PST) Received: from localhost (vidar.nakedape.cc [192.168.1.11]) by localhost.nakedape.priv (Naked Ape Mail Server) with ESMTP id B300436A7B for ; Tue, 9 Jan 2007 11:20:30 -0800 (PST) X-Virus-Scanned: by Naked Ape Mail Defender at nakedape.cc Received: from haus.nakedape.cc ([192.168.1.1]) by localhost (vidar.nakedape.cc [192.168.1.11]) (amavisd-new, port 10024) with LMTP id QAwxan3jdVET for ; Tue, 9 Jan 2007 11:20:27 -0800 (PST) Received: from [192.168.110.10] (ods-fw-pat-qw.odshp.com [65.124.255.195]) (using SSLv3 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by haus.nakedape.cc (Naked Ape Mail Server) with ESMTP id D5DBD36A29 for ; Tue, 9 Jan 2007 11:20:26 -0800 (PST) Subject: Re: [SAGE] Naming conventions for servers, network gear, etc. From: Wil Cooley Reply-To: sage-members@usenix.org To: SAGE Members In-Reply-To: <459FF525.9000307@chycoski.com> References: <0225D81E-DC98-4CD6-A356-E579432DE87D@acm.org> <11248.67.82.112.176.1168101900.squirrel@jantman.dyndns.org> <20070106130454.F21945@skink.reptiles.org> <459FF525.9000307@chycoski.com> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-HYZkLkqm1/AzX1lA/n5U" Organization: http://nakedape.cc Date: Tue, 09 Jan 2007 11:20:25 -0800 Message-Id: <1168370425.3885.35.camel@willow.odshp.com> Mime-Version: 1.0 X-Mailer: Evolution 2.8.2.1 (2.8.2.1-3.fc6) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk --=-HYZkLkqm1/AzX1lA/n5U Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sat, 2007-01-06 at 11:14 -0800, Richard Chycoski wrote: > The old Unix trait of naming a group of machines after a the names of=20 > some other group of objects (elements, planets, beers, Paris Hilton's=20 > exploits :-) usually doesn't scale to really large groups of machines,=20 > but using these kinds of names as memorable names for the clients to use=20 > for a subset of the machines, or as aliases, can work even in a large=20 > environment. It's not just that short names are memorable; they're also pronounceable, which is really important when you have to routinely *talk* about your systems. Also, one is less likely to get them confused, even before that first cup. Wil --=20 Wil Cooley http://nakedape.cc --=-HYZkLkqm1/AzX1lA/n5U Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQBFo+r5Jpn3uYWUEaoRAqV4AJ0fIctHXrNbr6Au3hRTqluSEKOWtgCgjFNj U1XxJfriLdUPwwoWM0vYXh8= =FSlP -----END PGP SIGNATURE----- --=-HYZkLkqm1/AzX1lA/n5U-- From sage-members-owner@usenix.org Thu Jan 11 06:07:16 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BE7CHP022179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 06:07:16 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0BE7BFv022177 for sage-members-0utGoign; Thu, 11 Jan 2007 06:07:12 -0800 (PST) Received: from ettin.watson-wilson.ca (watson-wilson.ca [216.138.221.7]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BE6ij9022131 for ; Thu, 11 Jan 2007 06:06:55 -0800 (PST) Received: by ettin.watson-wilson.ca (Postfix, from userid 1000) id 008173ADDE; Thu, 11 Jan 2007 09:06:27 -0500 (EST) Date: Thu, 11 Jan 2007 09:06:27 -0500 From: Neil Watson To: sage-members@usenix.org Subject: [SAGE] Questions about a DMZ config Message-ID: <20070111140627.GA29385@watson-wilson.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline X-Message-Flag: Outlook is a dangerous and insecure program (Magic 8 ball: Outlook not good) X-Accepted-File-Formats: No proprietary Microsoft Office files please User-Agent: Mutt/1.5.13 (2006-08-11) X-watson-wilson.ca-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details X-watson-wilson.ca-MailScanner-From: sage@watson-wilson.ca X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk I've come across a DMZ design that I've not seen before. It seems somewhat flawed to me. I'd like to hear the opinions of other Sage members. Internet | FW | 192.168.32.0/24 (web servers, external DNS, mail gateways) | FW | 192.168.42.0/24 (middle-ware) | FW | Internal Network. All externally visible servers are NATed behind the external firewall. The DNS servers give out public IP addresses which are controlled by the firewall. There is no DNS resolution for the locale private IP addresses. This causes some interesting problems. The firewall does not allow the servers to talk to each other using their public IP addresses. This can create email problems. For example, should a server wish to send email it cannot do so via MX record lookup. Instead the server's MTA must be manually set to forward (e.g. SMART_HOST). Services that prefer to have DNS (e.g. OpenView, backup software) now only work if each host keeps a hosts file. Is this type of arrangement typical? Is another DNS service required to fix this problem or there a more serious flaw? -- Neil Watson | Debian Linux System Administrator http://watson-wilson.ca From sage-members-owner@usenix.org Thu Jan 11 06:23:22 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BENLXX022825 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 06:23:21 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0BENKO2022824 for sage-members-0utGoign; Thu, 11 Jan 2007 06:23:20 -0800 (PST) Received: from mail.reptiles.org (mail.reptiles.org [198.96.119.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BEMtRF022792 for ; Thu, 11 Jan 2007 06:23:07 -0800 (PST) Received: from mail.reptiles.org([198.96.119.1] port=1553) (1729 bytes) by mail.reptiles.org([198.96.119.1] port=25) via TCP with esmtp (sender: ) id for ; (dest:remote)(R=bind_hosts)(T=inet_zone_bind_smtp) Thu, 11 Jan 2007 09:22:53 -0500 (EST) (Smail-3.2.0.118 2004-May-31 #3 built 2004-Oct-14) Date: Thu, 11 Jan 2007 09:22:53 -0500 (EST) From: Cat Okita To: Neil Watson cc: sage-members@usenix.org Subject: Re: [SAGE] Questions about a DMZ config In-Reply-To: <20070111140627.GA29385@watson-wilson.ca> Message-ID: <20070111091941.T11764@skink.reptiles.org> References: <20070111140627.GA29385@watson-wilson.ca> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Thu, 11 Jan 2007, Neil Watson wrote: > I've come across a DMZ design that I've not seen before. It seems > somewhat flawed to me. I'd like to hear the opinions of other Sage > members. > > Internet > | > FW > | > 192.168.32.0/24 > (web servers, external DNS, mail gateways) > | > FW > | > 192.168.42.0/24 > (middle-ware) > | > FW > | > Internal Network. It's not an unusual configuration - I've seen it in a variety of environments. It's designed to isolate components, and typically also uses different types of firewall, for better defence against monoculture vulnerabilities. > Is this type of arrangement typical? Is another DNS service required to > fix this problem or there a more serious flaw? I'd normally expect to see split DNS here... cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." From sage-members-owner@usenix.org Thu Jan 11 08:45:28 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BGjRlv028308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 08:45:28 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0BGjRM0028306 for sage-members-0utGoign; Thu, 11 Jan 2007 08:45:27 -0800 (PST) Received: from coke.conundrum.com (coke.conundrum.com [216.235.9.139]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BGj33q028283 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 08:45:14 -0800 (PST) Received: from [192.203.0.64] ([207.35.205.106]) by coke.conundrum.com (8.13.1/8.12.6) with ESMTP id l0BGBaOs029091; Thu, 11 Jan 2007 11:11:36 -0500 (EST) (envelope-from matt@conundrum.com) In-Reply-To: <20070111091941.T11764@skink.reptiles.org> References: <20070111140627.GA29385@watson-wilson.ca> <20070111091941.T11764@skink.reptiles.org> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Matt Pounsett Subject: Re: [SAGE] Questions about a DMZ config Date: Thu, 11 Jan 2007 11:11:29 -0500 To: sage-members@usenix.org X-Pgp-Agent: GPGMail 1.1.2 (Tiger) X-Mailer: Apple Mail (2.752.3) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11-Jan-2007, at 09:22 , Cat Okita wrote: > On Thu, 11 Jan 2007, Neil Watson wrote: >> I've come across a DMZ design that I've not seen before. It seems >> somewhat flawed to me. I'd like to hear the opinions of other Sage >> members. > > It's not an unusual configuration - I've seen it in a variety of > environments. It's designed to isolate components, and typically also > uses different types of firewall, for better defence against > monoculture > vulnerabilities. Yeah, I've seen this one before too. And agreed, in this layout I'd expect to see split DNS (or, in BIND parlance, "DNS Views") being used. The way I'd normally implement this is a bit different though. Using a firewall with more than two ports, I'd assign one to "outside", one to "inside", and the remaining ports to the different DMZs, using non- RFC1918 addresses in the DMZs. It allows for problems stemming from monoculture, but uses less hardware, and can provide slightly more flexibility in the rules of who can speak to which DMZ, and on what ports. Matt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFpmGzae4z2vjbC8sRAjrhAKD2uG9b0onFZiewMv5CtseGfs4ccgCgxxx/ vrVEIf7R2emu6LPhxNZawAE= =F4Xe -----END PGP SIGNATURE----- From sage-members-owner@usenix.org Thu Jan 11 14:36:28 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BMaOTp019325 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 14:36:25 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0BMaOsj019324 for sage-members-0utGoign; Thu, 11 Jan 2007 14:36:24 -0800 (PST) Received: from smtp102.his.com (smtp102.his.com [216.194.225.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0BMZkWn019286 for ; Thu, 11 Jan 2007 14:35:56 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by smtp102.his.com (Postfix) with ESMTP id 8DAA8400214 for ; Thu, 11 Jan 2007 17:35:34 -0500 (EST) Received: from smtp102.his.com ([216.194.225.125]) by localhost (smtp102.his.com [216.194.225.125]) (amavisd-new, port 10024) with ESMTP id 16110-06-2 for ; Thu, 11 Jan 2007 17:35:27 -0500 (EST) Received: from vhost109.his.com (vhost109.his.com [216.194.225.101]) by smtp102.his.com (Postfix) with ESMTP id AB81C40022C for ; Thu, 11 Jan 2007 17:35:27 -0500 (EST) Received: from [10.0.1.11] (localhost.his.com [127.0.0.1]) by vhost109.his.com (8.13.1/8.12.3) with ESMTP id l0BMZI55035988 for ; Thu, 11 Jan 2007 17:35:27 -0500 (EST) (envelope-from brad@shub-internet.org) Mime-Version: 1.0 Message-Id: Date: Thu, 11 Jan 2007 16:32:30 -0600 To: SAGE Members Mailing List From: Brad Knowles Subject: [SAGE] SATLUG January 2007 Meeting: Dr. Dominique Heger from Fortuitous Technologies on high-performance parallel filesystems, such as used in clusters... Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Virus-Scanned: Debian amavisd-new at smtp502.his.com X-Spam-Status: No, score=-4.303 tagged_above=-99 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.096, BAYES_00=-2.599] X-Spam-Score: -4.303 X-Spam-Level: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=4% Sender: owner-sage-members@usenix.org Precedence: bulk Folks, Just found out about this meeting last night, and just found out today that I might actually be able to attend. Anyway, I'm planning on being there and one thing I'd like to do is to give away a couple of copies of SAGE Booklet #15 "Internet Postmaster: Duties & Responsibilities" by Nick Christenson (with a little help from me). I'm also hoping to be at the CACTUS meeting next week (in Austin), and do the same thing there. If there's going to be a meeting this month of the Austin Storage/Networking User Group, I'll try to do the same there as well. See for more information regarding the meeting tonight, and for information regarding the location of the CACTUS meeting next week (although they don't have anything posted yet as to what the topic will be). -- Brad Knowles, Trend Micro has announced that they will cancel the stop.mail-abuse.org mail forwarding service as of 15 November 2006. If you have an old e-mail account for me at this domain, please make sure you correct that with the current address. From sage-members-owner@usenix.org Thu Jan 11 16:12:28 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0C0CFx8025235 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 16:12:21 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0C0CFCb025234 for sage-members-0utGoign; Thu, 11 Jan 2007 16:12:15 -0800 (PST) Received: from mail.indeterminate.net (host-8.colo.spiretech.com [207.173.206.8]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0C0BhUW025189 for ; Thu, 11 Jan 2007 16:11:53 -0800 (PST) Received: from olivia.indeterminate.net (olivia.indeterminate.net [207.173.206.8]) by mail.indeterminate.net (8.11.6/8.11.6) with ESMTP id l0C0BSd01678 for ; Thu, 11 Jan 2007 16:11:28 -0800 Date: Thu, 11 Jan 2007 16:11:28 -0800 (PST) From: John Costello To: sage-members@sage.org Subject: Bugging devices Re: Other ethical questions (was: Re: [SAGE] Ethical question - to disclose or not to disclose) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: ClamAV version 'clamd / ClamAV version 0.65', clamav-milter version '0.60p' X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Sat, 9 Dec 2006, Brad Knowles wrote: > At 2:30 PM -0500 12/9/06, Stephen Potter wrote: > > Consider this similar situation. You come home and find a large package > > on your doorstep with no easily seen markings as to who it is from or for > > [snippity, because Stephen's note led into ...] > Okay, so lets take a real-world situation that has recently happened to us. > > A package arrives on our doorstep from FedEx. It has our street > address on it, but the recipient name is someone else. The sender's > [snipped speculation that the device could be bugged, which triggered] > [a lengthy flame war that I avoided] I have to admit that I was skeptical about the bugged-device-arriving-via-FedEx scenario, but I stayed out of the topic. The recent news that a group of U.S. contractors had bugged coins has made me a touch less skeptical. Damned strange, all this. My favorite bit from the article is "the case of a female foreign spy who seduced her American boyfriend to steal his computer passwords." That makes for a fun pick-up line at bars. Cheers, John From sage-members-owner@usenix.org Thu Jan 11 16:24:57 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0C0OuR5025956 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 11 Jan 2007 16:24:57 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0C0OuiE025955 for sage-members-0utGoign; Thu, 11 Jan 2007 16:24:56 -0800 (PST) Received: from mail.reptiles.org (whois.csas.com [198.96.119.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0C0OVZq025937 for ; Thu, 11 Jan 2007 16:24:41 -0800 (PST) Received: from mail.reptiles.org([198.96.119.1] port=4311) (1474 bytes) by mail.reptiles.org([198.96.119.1] port=25) via TCP with esmtp (sender: ) id for ; (dest:remote)(R=bind_hosts)(T=inet_zone_bind_smtp) Thu, 11 Jan 2007 19:22:54 -0500 (EST) (Smail-3.2.0.118 2004-May-31 #3 built 2004-Oct-14) Date: Thu, 11 Jan 2007 19:22:53 -0500 (EST) From: Cat Okita To: John Costello cc: sage-members@sage.org Subject: Re: Bugging devices Re: Other ethical questions (was: Re: [SAGE] Ethical question - to disclose or not to disclose) In-Reply-To: Message-ID: <20070111192132.E11764@skink.reptiles.org> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Thu, 11 Jan 2007, John Costello wrote: > My favorite bit from the article is "the case of a female foreign spy who > seduced her American boyfriend to steal his computer passwords." > > That makes for a fun pick-up line at bars. ... you mean random men don't normally walk up to you and give you passwords, or hack the phone company for you, just like they do in the movies?!? cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." From sage-members-owner@usenix.org Fri Jan 19 08:18:25 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JGIOMZ029245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 08:18:25 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JGIOok029244 for sage-members-0utGoign; Fri, 19 Jan 2007 08:18:24 -0800 (PST) Received: from ettin.watson-wilson.ca (watson-wilson.ca [216.138.221.7]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JGHvvo029225 for ; Fri, 19 Jan 2007 08:18:07 -0800 (PST) Received: by ettin.watson-wilson.ca (Postfix, from userid 1000) id A0CD03ADE0; Fri, 19 Jan 2007 11:17:46 -0500 (EST) Date: Fri, 19 Jan 2007 11:17:46 -0500 From: Neil Watson To: sage-members@sage.org Subject: [SAGE] Subversion, passwords and ACLs Message-ID: <20070119161746.GA31925@watson-wilson.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline X-Message-Flag: Outlook is a dangerous and insecure program (Magic 8 ball: Outlook not good) X-Accepted-File-Formats: No proprietary Microsoft Office files please User-Agent: Mutt/1.5.13 (2006-08-11) X-watson-wilson.ca-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details X-watson-wilson.ca-MailScanner-From: sage@watson-wilson.ca X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk Suppose I have a Subversion repository: /trunk/ /branches/dev /branches/qa I want to be able to limit users to certain directories. John should only be able to access branches/qa. Jane should only be able to access branches/dev. I can accomplish this using Subversion's authz-db files. Using this method users contact a running Subversion daemon. Their credentials are stored in a password-db file. I do not like that this file is plain text. I also do not like that this does not give the user's a chance to change their passwords. Is there a way to control directory access inside a repository while still using UNIX shell accounts for logins? -- Neil Watson | Debian Linux System Administrator | Uptime 6 days http://watson-wilson.ca From sage-members-owner@usenix.org Fri Jan 19 09:25:13 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JHPCAt001531 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 09:25:13 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JHPC4Q001530 for sage-members-0utGoign; Fri, 19 Jan 2007 09:25:12 -0800 (PST) Received: from gretel.pobox.com (gretel.pobox.com [208.58.1.197]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JHOkMv001502 for ; Fri, 19 Jan 2007 09:24:56 -0800 (PST) Received: from rune.pobox.com (rune.pobox.com [208.210.124.79]) by gretel.pobox.com (Postfix) with ESMTP id E6E095463C6A for ; Fri, 19 Jan 2007 12:03:07 -0500 (EST) Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 0F6F2AC09E for ; Fri, 19 Jan 2007 12:02:31 -0500 (EST) Received: from localhost (cpe-66-108-14-241.nyc.res.rr.com [66.108.14.241]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id E2B69AAA6E for ; Fri, 19 Jan 2007 12:02:30 -0500 (EST) Date: Fri, 19 Jan 2007 12:02:07 -0500 From: "Philip J. Hollenback" To: sage-members@sage.org Subject: [SAGE] Are cheap SSL certificates legitimate? Message-ID: <20070119170207.GH20885@hollenback.net> Reply-To: philiph@pobox.com MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: mutt-ng/devel-r655 (Darwin) X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=11% Sender: owner-sage-members@usenix.org Precedence: bulk At my work we have several internal websites which we serve over SSL with self-signed certificates. Users complain about the annoyance of having to approve loading these sites in their browser every time. Thus I decided to get some 'real' SSL certificates. After some web searching, I found that namecheap.com would sell me a certificate for $13.95. I purchases one of these and installed it. The certificate seems to work just fine. However, one of my co-workers believes that there is something fishy about these certificates since they are so inexpensive. I checked the cert out and it looks like namecheap.com actually resells certificates from rapidssl.com. The certs point to 'Equifax Secure Global eBusiness CA 1'. On the rapidssl.com site they make a big deal about how their 'single root certificates' are superior to chained certificates from other vendors. Interestingly the cheapest you can buy a certificate from rapidssl.com is $70 so apparently namecheap.com is getting them much cheaper or selling them at a loss. So: 1. Is there any reason to not use these certificates? This is for internal use at my company only, not for outward-facing websites. 2. Are single root certificates really better than chained certificates? Or is there some reason why they would be worse? 3. I'm probably going to also use these certificates to secure imap and smtp mail, again for internal use only. Any reason to not use these certs for that? Thanks, P. -- Philip J. Hollenback www.hollenback.net From sage-members-owner@usenix.org Fri Jan 19 10:21:18 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JIL9SM004169 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 10:21:14 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JIL9Sr004167 for sage-members-0utGoign; Fri, 19 Jan 2007 10:21:09 -0800 (PST) Received: from g2.mental.com (root@entrance.mental.com [192.31.14.10]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JIKj0i004130 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Fri, 19 Jan 2007 10:20:57 -0800 (PST) Received: from mental.com (root@twen.mi [172.16.0.5]) by g2.mental.com (8.13.7/8.13.7/mental-061228) with ESMTP id l0JI4SP5008860 for ; Fri, 19 Jan 2007 19:04:28 +0100 (CET) Received: from mental.com (lobo@localhost [127.0.0.1]) by mental.com (8.13.7/8.13.7/Lobo-051217) with ESMTP id l0JI4SHR009517 for ; Fri, 19 Jan 2007 19:04:28 +0100 (MET) X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: sage-members@sage.org Subject: Re: [SAGE] Are cheap SSL certificates legitimate? In-reply-to: "Philip J. Hollenback"'s message of Fri, 19 Jan 2007 12:02:07 EST <20070119170207.GH20885@hollenback.net> Organization: mental images GmbH, Berlin, Germany Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 19 Jan 2007 19:04:28 +0100 Message-ID: <9516.1169229868@mental.com> From: Alexander Lobodzinski X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk () At my work we have several internal websites which we serve over SSL () with self-signed certificates. Users complain about the annoyance of () having to approve loading these sites in their browser every time. I cannot comment on namecheap.com, but did you consider creating a root certificate (valid 15 years or so) and use that to sign the various web/imap/smtp site certificates? Then every user has to load your root cert once and that's it. Ciao, Lobo From sage-members-owner@usenix.org Fri Jan 19 10:55:11 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JIt2hj005687 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 10:55:08 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JIt23t005686 for sage-members-0utGoign; Fri, 19 Jan 2007 10:55:02 -0800 (PST) Received: from aphrodite.aquezada.com (h216-235-8-211.host.egate.net [216.235.8.211]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JIseNd005662 for ; Fri, 19 Jan 2007 10:54:51 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by aphrodite.acf.aquezada.com (Postfix) with ESMTP id E51713F42E; Fri, 19 Jan 2007 13:54:39 -0500 (EST) X-Virus-Scanned: amavisd-new at aquezada.com Received: from aphrodite.acf.aquezada.com ([127.0.0.1]) by localhost (aphrodite.acf.aquezada.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 1ID1ZqpWLgmc; Fri, 19 Jan 2007 13:54:33 -0500 (EST) Received: by aphrodite.acf.aquezada.com (Postfix, from userid 1001) id 65CE13F42B; Fri, 19 Jan 2007 13:54:33 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by aphrodite.acf.aquezada.com (Postfix) with ESMTP id 60DBB3F428; Fri, 19 Jan 2007 13:54:33 -0500 (EST) Date: Fri, 19 Jan 2007 13:54:33 -0500 (EST) From: "Julian C. Dunn" X-X-Sender: jdunn@aphrodite.acf.aquezada.com To: Alexander Lobodzinski cc: sage-members@sage.org Subject: Re: [SAGE] Are cheap SSL certificates legitimate? In-Reply-To: <9516.1169229868@mental.com> Message-ID: <20070119135352.E38307@aphrodite.acf.aquezada.com> References: <9516.1169229868@mental.com> Organization: Aquezada Productions MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Fri, 19 Jan 2007, Alexander Lobodzinski wrote: > () At my work we have several internal websites which we serve over SSL > () with self-signed certificates. Users complain about the annoyance of > () having to approve loading these sites in their browser every time. > > I cannot comment on namecheap.com, but did you consider creating a root > certificate (valid 15 years or so) and use that to sign the various > web/imap/smtp site certificates? Then every user has to load your root > cert once and that's it. I think that what the OP is saying is that he doesn't want to make every user load a custom root certificate, possibly because of the size of his installed base or for other reasons. - Julian [ Julian C. Dunn * "You can throw confetti, ] [ WWW: www.aquezada.com/staff/julian * but you're still going ] [ PGP: 91B3 7A9D 683C 7C16 715F * through the motions, baby" ] [ 442C 6065 D533 FDC2 05B9 * - Aimee Mann ] From sage-members-owner@usenix.org Fri Jan 19 11:22:35 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JJMYuZ007201 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 11:22:34 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JJMXKn007199 for sage-members-0utGoign; Fri, 19 Jan 2007 11:22:33 -0800 (PST) Received: from gretel.pobox.com (gretel.pobox.com [208.58.1.197]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JJLuik007051 for ; Fri, 19 Jan 2007 11:22:16 -0800 (PST) Received: from rune.pobox.com (rune.pobox.com [208.210.124.79]) by gretel.pobox.com (Postfix) with ESMTP id E70AC5462782 for ; Fri, 19 Jan 2007 14:07:24 -0500 (EST) Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 98521AC254; Fri, 19 Jan 2007 14:06:43 -0500 (EST) Received: from localhost (cpe-66-108-14-241.nyc.res.rr.com [66.108.14.241]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 56419AC225; Fri, 19 Jan 2007 14:06:40 -0500 (EST) Date: Fri, 19 Jan 2007 14:06:17 -0500 From: "Philip J. Hollenback" To: "Julian C. Dunn" Cc: Alexander Lobodzinski , sage-members@sage.org Subject: Re: [SAGE] Are cheap SSL certificates legitimate? Message-ID: <20070119190617.GN20885@hollenback.net> Reply-To: philiph@pobox.com References: <9516.1169229868@mental.com> <20070119135352.E38307@aphrodite.acf.aquezada.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070119135352.E38307@aphrodite.acf.aquezada.com> User-Agent: mutt-ng/devel-r655 (Darwin) X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=11% Sender: owner-sage-members@usenix.org Precedence: bulk On 01/19/07, Julian C. Dunn wrote: > I think that what the OP is saying is that he doesn't want to make > every user load a custom root certificate, possibly because of the > size of his installed base or for other reasons. Right, it is just too much work to make all users load custom certificates on their machines, because there are too many platforms and too many different applications to support. -- Philip J. Hollenback www.hollenback.net From sage-members-owner@usenix.org Fri Jan 19 11:24:40 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JJOaSr007412 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 11:24:36 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JJOahd007411 for sage-members-0utGoign; Fri, 19 Jan 2007 11:24:36 -0800 (PST) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.230]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JJO6Jt007378 for ; Fri, 19 Jan 2007 11:24:17 -0800 (PST) Received: by wr-out-0506.google.com with SMTP id 37so493889wra for ; Fri, 19 Jan 2007 11:24:06 -0800 (PST) DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:subject:date:user-agent:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id; b=XfhIkazM9y4yzcYOAO9i3GvW3XW8NPr+9FsyC1rNd3puTfOLB3AaH/yXyo8aV+SZtvy0lJ4j5dpFYvZ46uHhxXyXW2uOmSt3/3Q0xl0KSxrATit+WfkS/2AzBJ1Q/9ydP8Jfd2Tsy88KukIPfmxEo4Q+0VjQy3XadvnM9LWpUdY= Received: by 10.82.120.14 with SMTP id s14mr928507buc.1169234644964; Fri, 19 Jan 2007 11:24:04 -0800 (PST) Received: from ?192.168.1.102? ( [68.6.160.137]) by mx.google.com with ESMTP id y1sm2288821hua.2007.01.19.11.24.03; Fri, 19 Jan 2007 11:24:04 -0800 (PST) From: Mike Noble To: sage-members@usenix.org Subject: Re: [SAGE] Are cheap SSL certificates legitimate? Date: Fri, 19 Jan 2007 11:23:59 -0800 User-Agent: KMail/1.9.5 References: <20070119170207.GH20885@hollenback.net> In-Reply-To: <20070119170207.GH20885@hollenback.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200701191123.59646.mgnoble@gmail.com> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=5% Sender: owner-sage-members@usenix.org Precedence: bulk On Friday 19 January 2007 09:02, Philip J. Hollenback wrote: > At my work we have several internal websites which we serve over SSL > with self-signed certificates. Users complain about the annoyance of > having to approve loading these sites in their browser every time. > Thus I decided to get some 'real' SSL certificates. > > After some web searching, I found that namecheap.com would sell me a > certificate for $13.95. I purchases one of these and installed it. > The certificate seems to work just fine. > I have used registerfly in the past and had no issues. You can get a certificate for $9.99/yr or you can spend as much as $99.99/yr. Depends on what you really need. http://www.registerfly.com/ssl/ Mike From sage-members-owner@usenix.org Fri Jan 19 11:51:50 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JJpnGK009041 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 11:51:49 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JJpnRG009040 for sage-members-0utGoign; Fri, 19 Jan 2007 11:51:49 -0800 (PST) Received: from smtp-roam.Stanford.EDU (smtp-roam.Stanford.EDU [171.64.10.152]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JJpVp0009026 for ; Fri, 19 Jan 2007 11:51:36 -0800 (PST) Received: from [192.168.1.3] (c-67-180-23-63.hsd1.ca.comcast.net [67.180.23.63]) (authenticated bits=0) by smtp-roam.Stanford.EDU (8.12.11/8.12.11) with ESMTP id l0JJZpGU008462 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 19 Jan 2007 11:35:53 -0800 In-Reply-To: <20070119135352.E38307@aphrodite.acf.aquezada.com> References: <9516.1169229868@mental.com> <20070119135352.E38307@aphrodite.acf.aquezada.com> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Cc: Alexander Lobodzinski , sage-members@sage.org Content-Transfer-Encoding: 7bit From: "Sandor W. Sklar" Subject: Re: [SAGE] Are cheap SSL certificates legitimate? Date: Fri, 19 Jan 2007 11:35:49 -0800 To: "Julian C. Dunn" X-Mailer: Apple Mail (2.752.2) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Sender: owner-sage-members@usenix.org Precedence: bulk On Jan 19, 2007, at 10:54 AM, Julian C. Dunn wrote: > On Fri, 19 Jan 2007, Alexander Lobodzinski wrote: > >> () At my work we have several internal websites which we serve >> over SSL >> () with self-signed certificates. Users complain about the >> annoyance of >> () having to approve loading these sites in their browser every time. >> >> I cannot comment on namecheap.com, but did you consider creating a >> root certificate (valid 15 years or so) and use that to sign the >> various web/imap/smtp site certificates? Then every user has to >> load your root cert once and that's it. > > I think that what the OP is saying is that he doesn't want to make > every user load a custom root certificate, possibly because of the > size of his installed base or for other reasons. We've switched to certs from Comodo (www.instantssl.com), which are much less expensive then those from Verisign (I think they are $70 for a two year cert.) The main problem has been that not all browsers "trust" these certs; you have to install on your server an certificate chain file that adds this trust level. Not difficult, just another thing to deal with. -s- From sage-members-owner@usenix.org Fri Jan 19 12:12:18 2007 Received: from voyager.usenix.org (localhost [127.0.0.1]) by usenix.org (8.13.6/8.13.6) with ESMTP id l0JKC779009997 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 19 Jan 2007 12:12:14 -0800 (PST) Received: (from majordomo@localhost) by voyager.usenix.org (8.13.6/8.13.6/Submit) id l0JKC6mF009995 for sage-members-0utGoign; Fri, 19 Jan 2007 12:12:06 -0800 (PST) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by usenix.org (8.13.6/8.13.6) with SMTP id l0JKBi98009966 for ; Fri, 19 Jan 2007 12:11:55 -0800 (PST) Received: (qmail 55238 invoked from network); 19 Jan 2007 20:11:36 -0000 Received: from unknown (HELO ?128.112.235.206?) (unknown) by unknown with SMTP; 19 Jan 2007 20:11:36 -0000 X-pair-Authenticated: 128.112.235.206 Message-ID: <45B125F8.8050307@negate.org> Date: Fri, 19 Jan 2007 15:11:36 -0500 From: Jonathan Billings User-Agent: Thunderbird 1.5.0.9 (X11/20061220) MIME-Version: 1.0 To: sage-members@sage.org Subject: Re: [SAGE] Are cheap SSL certificates legitimate? References: <9516.1169229868@mental.com> <20070119135352.E38307@aphrodite.acf.aquezada.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=10% Sender: owner-sage-members@usenix.org Precedence: bulk Sandor W. Sklar wrote: > We've switched to certs from Comodo (www.instantssl.com), which are much > less expensive then those from Verisign (I think they are $70 for a two > year cert.) The main problem has been that not all browsers "trust" > these certs; you have to install on your server an certificate chain > file that adds this trust level. Not difficult, just another thing to > deal with. If you're installing a certificate chain file to support a certificate, and this is only for a internal site, there's no point buying a $70 SSL cert when you can make your own for free. If the clients using the internal site are using windows and use AD, I *believe* there's a way to push out the SSL root through active directory. I've seen it done but haven't ever run my own AD domain. -- Jonathan Billings