From rmilner@nmt.edu Thu Jan 1 12:08:39 2009
From: "Ruth Milner" <rmilner@nmt.edu>
To: sage-members@usenix.org
Date: Thu, 1 Jan 2009 13:08:30 -0700 (MST)
Message-ID: <1384.87.88.124.161.1230840510.squirrel@webmail.nmt.edu>
In-Reply-To: <495C4A3A.9070703@chycoski.com>
Subject: Re: [SAGE] 5-20p to 5-15p adapter -- is there such a thing?
Graham Allan wrote:
> I believe it is perfectly code-legal in the US to plug 15A devices into
> a 20A circuit

I think what Peter van Epp was trying to say is not that it would be illegal or that it wouldn't work, but that if you plug a 15A UPS into a 20A circuit, and your UPS with all the devices it serves then for some reason hits >15A draw, the UPS will fry before the circuit breaker trips. What he was suggesting is that you keep the UPS on a breaker that has at most the same current limit, so that the UPS can be protected by it.

It may not be required by law or by circuit theory, but it certainly sounds like common sense to me.

Ruth

From rskiadmin@chycoski.com Thu Jan 1 15:45:03 2009
From: Richard Chycoski <rskiadmin@chycoski.com>
To: "Derek J. Balling"
Cc: sage-members@sage.org
Date: Thu, 01 Jan 2009 15:44:48 -0800
Message-ID: <495D5570.9070608@chycoski.com>
Subject: Re: [SAGE] 5-20p to 5-15p adapter -- is there such a thing?

Derek J. Balling wrote:
>
> On Dec 31, 2008, at 11:44 PM, Richard Chycoski wrote:
>> Regulations - don't insert plug 'A' into socket 'B' unless official
>> 'C' signs off on it.
>
> There's no regulation that I've ever heard of that is that cut and dried.
>
> Otherwise, you'd never be able to plug in most consumer electronics
> devices which simply have NEMA 1-15P (2 pole ungrounded) connectors
> into your standard wall-socket NEMA 5-15R.
>
> D
>

My statement was an obvious oversimplification of how regulations are written. Take a look at Article 647.3 of the National Electrical Code, 2008 Edition (copyright NFPA, see ):

"Use of a separately derived 120-volt single-phase 3-wire system with 60 volts on each of two ungrounded conductors to a grounded neutral conductor shall be permitted [...] provided [...] the system's use is restricted to areas under close supervision by qualified personnel."

(and Regulations can be very specific about what can be done, where, and by whom. However, I did not mean to infer that *all* regulations are written this way.

The section specific to 15 amp plugs in 20 amp sockets provides a specific exception:

"406.7 Noninterchangeability. Receptacles, cord connectors, and attachment plugs shall be [...] such that [...] do not accept an attachment plug with a different voltage or current rating. However, a 20-ampere T-slot receptacle or cord connector shall be permitted to accept a 15-ampere attachment plug of the same voltage rating."

This would imply that other socket types are not meant to be interchangeable.

I couldn't find proper references to adapters - the online version of the code isn't searchable, there's just an index. I did find talk about grounding requirements for adapters, but not what kinds of adapters (current ratings, connector configurations) are permitted. The code does not seem to address 'after market add ons' as such.

- Richard

From fred@derf.nl Mon Jan 5 07:54:12 2009
From: "Friedrich Clausen" <fred@derf.nl>
To: "David N. Blank-Edelman"
Cc: Sage Members
Date: Mon, 5 Jan 2009 16:54:00 +0100
Subject: Re: [SAGE] Choosing a virtualisation vendor.
Hi All,

Thanks for the additional information - we are mostly a Linux shop and are looking to paravirtualise where we can. I am re-reading all the above suggestions and incorporating them into our plans and considerations where applicable.

To clarify further -

* We are running mainly Linux (RHEL 4 and 5).
* Our architectures are x86_64 and i386.
* We will be paravirtualising where possible.
* All our hardware is recent Dell machines with CPU support for virtualisation.

The current contenders are VMWare and Citrix (Xen). I would have liked to have OSS software in the evaluation list but the vendors were already chosen by the time I got involved with this project.

Best regards,
Fred.

On Wed, Dec 24, 2008 at 2:52 AM, David N. Blank-Edelman wrote:
>
> On Dec 23, 2008, at 6:42 PM, Robert Brockway wrote:
>
>>> We're currently thinking our issues are largely due to the stock Ubuntu offerings tracking too far behind the OpenVZ-issued kernel patches. This is leading us to run into bugs that have already been patched. Our next plan is to start testing OpenVZ using our own kernel builds. I'm curious to hear how close your environment matches ours.
>>
>> What problems are you seeing?
>
> Really basic stuff wasn't working reliably like container starts and stops (it would randomly hang), kernel panics in the host system, other fun like that. We hadn't even gotten to the resource allocation tuning stage of things yet before we had to back off of it in our testing for a while. We think it is likely that if we track the OpenVZ kernel patches like you are doing we'll have better luck.
>
> -- dNb
>

From ntwrkd@gmail.com Mon Jan 5 15:44:14 2009
From: "Matthew Sacks" <ntwrkd@gmail.com>
To: sage-members@sage.org
Date: Mon, 5 Jan 2009 15:27:04 -0800
Subject: [SAGE] Cacti Pains - Exhausted all outlets and need a cacti expert to help.

Even the cacti developers had no useful suggestions for this problem:

Rather than re-dump the thread here, please see http://forums.cacti.net/viewtopic.php?p=147163#147163

In short, the problem is that I can poll snmp data directly from a server using an snmpget or walk, but when I try to graph it with cacti, the rra's get populated with NaN's.

From dmagda@ee.ryerson.ca Mon Jan 5 18:15:43 2009
From: David Magda <dmagda@ee.ryerson.ca>
To: Matthew Sacks
Date: Mon, 5 Jan 2009 21:04:52 -0500
Cc: sage-members@sage.org
Subject: Re: [SAGE] Cacti Pains - Exhausted all outlets and need a cacti expert to help.

On Jan 5, 2009, at 18:27, Matthew Sacks wrote:
> Even the cacti developers had no useful suggestions for this problem:
>
> Rather than re-dump the thread here, please see
> http://forums.cacti.net/viewtopic.php?p=147163#147163
>
> In short, the problem is that I can poll snmp data directly from a server using an snmpget or walk, but when I try to graph it with cacti, the rra's get populated with NaN's.

Where is the data being corrupted?

Can you do a packet capture (tcpdump / snoop) of the SNMP packets leaving the target to see that they're sent okay? If that's fine, another capture of the SNMP data arriving on the polling host.

If the actual packets are fine, see what the Cacti scripts / binaries are doing with strace / truss. Not sure if you could put the running of the binary under a debugger, or perhaps DTrace if you're on a Unix that has it.
From jamesk@okeating.net Tue Jan 6 08:33:50 2009
From: James Keating <jamesk@okeating.net>
To: Matthew Sacks
Cc: sage-members@sage.org
Date: Tue, 06 Jan 2009 11:10:15 -0500
Message-ID: <49638267.6090603@okeating.net>
Subject: Re: [SAGE] Cacti Pains - Exhausted all outlets and need a cacti expert to help.

Matthew Sacks wrote:
> Even the cacti developers had no useful suggestions for this problem:
>
> Rather than re-dump the thread here, please see
> http://forums.cacti.net/viewtopic.php?p=147163#147163
>
> In short, the problem is that I can poll snmp data directly from a server using an snmpget or walk, but when I try to graph it with cacti, the rra's get populated with NaN's.

Matt,

Have you verified that the data is being placed into the MySQL database properly? The cacti poller places all the poller results into the poller_output table in your MySQL DB. The data for those results should be in there temporarily. You will need to be quick when looking for it, as cacti will remove it from this table after it has "processed" it for insertion to the RRA.

From cat@reptiles.org Wed Jan 7 05:20:10 2009
From: Cat Okita <cat@reptiles.org>
To: sage-members@sage.org
Date: Wed, 7 Jan 2009 08:15:07 -0500 (EST)
Message-ID: <20090107081433.V6482@gecko.reptiles.org>
Subject: [SAGE] Vuln: OpenSSL DSA/ECDSA server checks invalid

This one's going to be messy -- check your code, check your certs...
http://openssl.org/news/secadv_20090107.txt

Incorrect checks for malformed signatures
-----------------------------------------

Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in control of a malicious server or who can use a 'man in the middle' attack to present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

The OpenSSL security team would like to thank the Google Security Team for reporting this issue.

Who is affected?
----------------

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type is NOT affected.

[ ... ]

==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
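The advisory quoted above comes down to how a caller interprets the result of EVP_VerifyFinal, which is documented as 1 for a valid signature, 0 for an invalid one, and a negative value when verification could not be carried out at all (for instance because the signature bytes could not be decoded). The C below is an added example, not code from the advisory, from OpenSSL, or from the poster. It stands in a small constructed verifier (toy_verify_final, with a made-up tag/length signature layout) for EVP_VerifyFinal, keeps the same three-valued contract, and runs a buggy caller that treats only 0 as failure next to a fixed caller that treats only 1 as success. Every function name and sample byte string here is this example's own.

```c
/* Added example modelling the bug class in the OpenSSL advisory above:
 * a verify routine returns 1 (good), 0 (bad signature) or -1 (error,
 * e.g. malformed input). A caller that tests "ret == 0" lets -1 through
 * as success. Nothing here is OpenSSL code; toy_verify_final is a
 * stand-in for EVP_VerifyFinal with the same return-value contract. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 4

/* Constructed signature layout for this example only:
 *   byte 0: tag, must be 0x30
 *   byte 1: length of the payload that follows
 *   rest:   payload, compared against the expected digest
 * Returns 1 = signature matches, 0 = well-formed but wrong,
 *        -1 = could not be decoded (the "malformed" case). */
static int toy_verify_final(const unsigned char *sig, size_t sig_len,
                            const unsigned char expected[DIGEST_LEN])
{
    if (sig == NULL || sig_len < 2)        /* truncated: decode error */
        return -1;
    if (sig[0] != 0x30)                     /* wrong tag: decode error */
        return -1;
    if ((size_t)sig[1] != sig_len - 2)      /* length mismatch: decode error */
        return -1;
    if (sig[1] != DIGEST_LEN)               /* decodes, but cannot be valid */
        return 0;
    return memcmp(sig + 2, expected, DIGEST_LEN) == 0 ? 1 : 0;
}

/* Vulnerable pattern: only an explicit "bad signature" (0) is rejected,
 * so the error value -1 falls through and is accepted as good. */
int accept_signature_buggy(const unsigned char *sig, size_t sig_len,
                           const unsigned char expected[DIGEST_LEN])
{
    int ret = toy_verify_final(sig, sig_len, expected);
    if (ret == 0)
        return 0;
    return 1;
}

/* Fixed pattern: only the documented success value counts as success;
 * 0 and every negative value are failures. */
int accept_signature_fixed(const unsigned char *sig, size_t sig_len,
                           const unsigned char expected[DIGEST_LEN])
{
    int ret = toy_verify_final(sig, sig_len, expected);
    return ret == 1;
}

/* Constructed sample inputs: one good, one wrong, one undecodable. */
static const unsigned char k_expected[DIGEST_LEN] = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char k_good_sig[]      = {0x30, 0x04, 0xde, 0xad, 0xbe, 0xef};
static const unsigned char k_bad_sig[]       = {0x30, 0x04, 0x00, 0x00, 0x00, 0x00};
static const unsigned char k_malformed_sig[] = {0x31, 0x04, 0xde, 0xad, 0xbe, 0xef};

/* Named wrappers so each case can be exercised on its own. */
int buggy_accepts_good(void)      { return accept_signature_buggy(k_good_sig, sizeof k_good_sig, k_expected); }
int buggy_accepts_bad(void)       { return accept_signature_buggy(k_bad_sig, sizeof k_bad_sig, k_expected); }
int buggy_accepts_malformed(void) { return accept_signature_buggy(k_malformed_sig, sizeof k_malformed_sig, k_expected); }
int fixed_accepts_good(void)      { return accept_signature_fixed(k_good_sig, sizeof k_good_sig, k_expected); }
int fixed_accepts_bad(void)       { return accept_signature_fixed(k_bad_sig, sizeof k_bad_sig, k_expected); }
int fixed_accepts_malformed(void) { return accept_signature_fixed(k_malformed_sig, sizeof k_malformed_sig, k_expected); }

int main(void)
{
    printf("buggy: good=%d bad=%d malformed=%d\n",
           buggy_accepts_good(), buggy_accepts_bad(), buggy_accepts_malformed());
    printf("fixed: good=%d bad=%d malformed=%d\n",
           fixed_accepts_good(), fixed_accepts_bad(), fixed_accepts_malformed());
    return 0;
}
```

When auditing callers of any three-valued verify API, the thing to look for is that the success branch is entered only on the exact success value; a failure test written as `ret == 0` or `!ret` is the shape of mistake the advisory describes, and the malformed case above is what slips through it.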
From nicholastang@gmail.com Wed Jan 7 11:10:22 2009
From: "Nicholas Tang" <nicholastang@gmail.com>
To: "SAGE mailing list"
Date: Wed, 7 Jan 2009 14:10:18 -0500
References: <20080103151022.GB2316@watson-wilson.ca>
Subject: Re: [SAGE] zenoss versus nagios

Hey all, I was asked by a list member to revisit my thoughts on this thread, so here they are. I'll post a summary, and then with the email I sent in response.

SUMMARY:

I still like Zenoss, but not as much as before. If you can afford to dedicate a full-time person (or two) to managing and enhancing it (and documenting and training the rest on what they're doing!), you'll get more than that back in a lot of ways. If you've got a small staff and can't do that, though, then I'd go back to recommending Nagios. Zenoss is very, very powerful, but requires a lot of effort - and constant contact - to get that power out. Nagios is much simpler and more focused. If I were going to make the choice again, I'd probably go back to using Nagios for our basic monitoring and then using fine-tuned tools for our specific type of work.

THE LONGER RAMBLING VERSION:

What I've realized is that while Zenoss is very powerful and very configurable, it's also very time-consuming. You get back what you put into it - and at the time, we were putting in quite a bit of time, with a person almost exclusively dedicated to managing it, tweaking it, adding to it, etc. When we had that luxury, it was great, but the problem w/ a lot of these systems is that they seem to suffer bitrot very, very quickly when left unattended. (This is true of all monitoring systems, assuming the environment it's monitoring ever changes - but the more complicated the monitoring system, and the more it tries to do, the more places it can suffer from this. Zenoss, trying to be the One True Monitoring System, has a long list of places it can suffer from bitrot. Nagios, covering a much more modest set of features, and a much more stable base built on years of experience, is less vulnerable to this.)

We had some turnover, including the resident Zenoss "expert", and what I've found is that its usefulness has dropped off since then. The Zenoss guy's mission had been to set it up and then train his coworkers so it would be a fairly low-maintenance system, but while he was able to accomplish a lot, he never got to that point. Having talked to him since then, I'm not sure that it's a task that's easy - or maybe even possible - to accomplish. I think it's a bit like HP Openview in that it's extremely powerful, but without dedicating a resource (or two or three...) to it, you can't actually unlock most of that power.

Some of our needs would've been met w/ the paid edition of the software, but it's so expensive we can't justify it (and it would meet some, not all, of the needs). So ultimately, while I find it disappointing, I can't really recommend it nearly as strongly as I had. We still use it, and we'll probably still use it going forward, but I'm not really wowed. Honestly, I miss the simplicity of Nagios - it did one thing, and did it well. Having to tie in Cacti and other things makes it a lot less convenient, but honestly, we don't use those graphs nearly as much as I thought we would. (When we do, though, they are very handy.)

Ultimately we've been trying to find ways of doing things like monitoring that basically maintain themselves. Tools like the Coradiant Truesight have been (in my opinion) a lot more useful (although it's an expensive box) because it learns adaptively about your web traffic - but that's all it does. As a web shop, it's great for us, it's useless if you do anything else. If I was going to start over, I'd probably use some dedicated commercial tools like the Truesight and then just use something simple like Nagios + Cacti and just script a few things to tie them all together. Zenoss isn't bad at all, but you need a bigger commitment to it than we can currently afford.

(The irony to all of this, of course, is that w/ its self-discovery features, the initial ramp-up time of Zenoss is fairly short; you install it, let it self-discover, and then start tweaking, thinking wow, the entire system's already up! But then you keep on tweaking, and adding this, and realizing that while this is nice, it'd be really nice if we did that, and... what you find, though, is that while you can get from 0 -> 25% in no time, and 0 -> 50% in a moderate amount of time, getting past that is difficult - and it seems to need regular maintenance just to keep from driving you crazy, in part because it auto-configures so much stuff but doesn't *fully* configure anything, because it needs knowledge of your network to do that. With Nagios, the 0 -> 25% takes a moderate amount of time, and 25 -> 50% another moderate amount of time, etc. but then it just sits there and works. It would take a huge amount of time to emulate all of Zenoss's features, but on the flip side, it's much easier to set up and maintain its more limited feature-set.)

Nicholas

On Thu, Jan 3, 2008 at 2:07 PM, Nicholas Tang wrote:
> For a dissenting vote, we actually just switched from Nagios to Zenoss in '07 - maybe 6 months ago. So far, it's been very good to us. It does, however, require a lot of time to get to learn it - and there are still features that Nagios has had for years that Zenoss lacks. All in all, though, I'd give Zenoss the edge - it's got some really nice features Nagios completely lacks, and is improving at a much more rapid pace, fueled by a much larger core developer team. The thing about Zenoss is that everything is centralized - you get syslog, system check, snmpd checks, graphs, inventory, etc. all in one place, with one install.
> We no longer have to maintain a Cacti instance plus a Nagios instance plus inventories plus a Network monitoring instance plus a syslog parser like swatch, etc. etc. etc. It's all in one place, and because of this, you can cross-reference everything, and a config change made in one place will affect everything, rather than having to change it in a bunch of places. That's a huge advantage. Autodiscover new hosts, assign them to a group, it inherits the monitoring settings, and you immediately start collecting stats on cpu and disk and processes, both immediate (Nagios style) and long-term graphing (Cacti style). What used to be a laborious process (update inventory; update Nagios by hand; update Cacti by hand; double-check to make sure everything matches) is now mostly automated and pretty simple.
>
> Bear in mind, I say this as one of the original Netsaint (pre-Nagios) users, so I'm a big fan of it and have been using it since Netsaint 0.2 I believe. I don't say it lightly when I say that Zenoss has been an improvement, and as I mentioned, there are still a lot of things I like better about Nagios. I do, however, think that Zenoss will get those features relatively soon.
>
> Disclaimer: I hired a sys admin away from [major media company] who recently rolled out Zenoss for them across multiple locations, monitoring a few thousand servers. He spent quite a bit of time on it there and learned a lot of the quirks and ins and outs, and then was able to implement it here (one location, several hundred hosts) in short fashion. I can't vouch for someone uninitiated in Zenoss - it does take time to learn and master, but it's worth the effort in my opinion. The initial setup was quick, but of course replicating every custom check we had takes time.
>
> One note: Zenoss is not nearly as useful if you don't use snmp heavily - we run snmpd on every server and use that to monitor 99% of the stuff in the environment, and so it has been fantastic. We've been moving checks from ssh (w/ keys) based checks to snmp based checks and haven't had any real problems.
>
> If you'd like, I can ask him (said SA) to speak to you about it, or if you've got any general questions, I can forward them to him and post his response here. (He's not a member of SAGE.)
>
> Nicholas
>
> On Jan 3, 2008 1:47 PM, Paul Lathrop wrote:
>> Neil,
>>
>> I highly recommend Nagios over Zenoss. Recently I had the opportunity to deploy a monitoring architecture from scratch for a company I consult for. We did our evaluation and with all the touted features Zenoss came out on top. Deployment was much easier than Nagios, and setting up monitors was a breeze. Unfortunately as we dug deeper into Zenoss functionality we ran into a number of problems. First, the feature set as documented just doesn't seem to be there. Auto-discovery of devices never worked despite hours of attempts including digging through the source to try to figure out how it was *supposed* to work. Modeling only seems to work correctly if you are using two specific devices (Dell and HP servers). The documentation makes it sound as though Zenoss makes it easy to decouple services from devices (important when your website doesn't run on any one server, but rather uses a server farm with load balancing, etc.) Sadly, that is not the case. Any monitors that weren't already baked in were extremely difficult to deploy. There was no way of setting a monitoring schedule, and no documentation about what the schedule would be by default. Documentation of Zenoss looks good, but it turns out to be made up of screenshots and describing the obvious, rather than any attempt to describe how to use it, or practical examples on making things work. Finally, the interface, while slick-looking, was buggy and unresponsive. We might have forged forward and attempted to be good open-source citizens and help correct these issues, but there were a couple of deal breakers. First, the monitoring just didn't work. We ran several fire drills where Zenoss reported the problem but failed to notice the resolution. One time, just out of curiosity, I left it alone for 24 hours before deciding it really wasn't going to pick up the fact that the issue was resolved. Second, attempts to seek assistance from the community and developers were generally met with silence, unless the question was already an FAQ. All in all, I think the Zenoss developers spent too much time trying to make a pretty interface and the marketing folks got carried away describing features that aren't there.
>>
>> Nagios is clunky, it is ugly, it is a pain to configure. It also works. So far, I haven't found any other Open Source monitoring system that does monitoring at least as well as Nagios, much less better or easier. I say stick with Nagios.
>>
>> --Paul Lathrop
>>
>>
>> On Jan 3, 2008 7:10 AM, Neil Watson wrote:
>> > I'm beginning to plan a migration from an old Nagios 1 server to perhaps Nagios 3. It appears that much has changed from version 1 to 3 meaning that at least some of the configurations will have to be altered or even created anew. Last summer I helped to write a comparison on monitoring systems. In that paper Nagios was a front runner but Zenoss came out on top. Now I'm considering migrating to Zenoss instead of Nagios 3.
>> >
>> > Does anyone here have practical experience with Zenoss? How does it compare with Nagios? Is it worth switching to?
>> >
>> > --
>> > Neil Watson | Debian Linux
>> > System Administrator | Uptime 4 days
>> > http://watson-wilson.ca
>> >
>> >

From sage@watson-wilson.ca Wed Jan 7 11:22:14 2009
From: Neil Watson <sage@watson-wilson.ca>
To: sage-members@mailman.sage.org, SAGE mailing list
Date: Wed, 7 Jan 2009 14:22:03 -0500
Message-ID: <20090107192203.GA10307@watson-wilson.ca>
References: <20080103151022.GB2316@watson-wilson.ca>
Subject: Re: [SAGE] zenoss versus nagios

I'm curious as to whether or not you've tried OpenNMS.
--
Neil Watson
UNIX Consultant
http://watson-wilson.ca

From: Nicholas Tang
Date: Thu, 8 Jan 2009 10:23:34 -0500
Subject: Re: [SAGE] zenoss versus nagios
Nope, not yet.

Nicholas

On Wed, Jan 7, 2009 at 2:22 PM, Neil Watson wrote:
> I'm curious as to whether or not you've tried OpenNMS.

From: Andrew Prowant
Date: Thu, 8 Jan 2009 13:06:07 -0600
Subject: [SAGE] Anyone used/using a Security Management System?

Is anyone or has anyone used a "Security Information Management System" such as openSIMS, OSSIM, or Prelude? It seems like a great idea to have one interface for applications such as Nagios, Nessus, Snort, and Osiris/OSSEC/Samhain. If you have used an application like this, could you briefly describe how it is working for you?
Are there any other programs out there like this?

Thank you,
Andrew

From: Erling Ringen Elvsrud
Date: Fri, 9 Jan 2009 12:18:19 +0100
Subject: [SAGE] Linux on z/VM: What do you think?

Hello,

My current employer has a z10 mainframe and some of the higher ups want to use zLinux with z/VM. They want to take advantage of the IFLs that are already in place, and talk about consolidation of current or future x86 servers.

I know nothing about mainframes, but have sensed that there are many strong opinions about running zLinux or not on them. We already use Linux (RHEL) extensively on x86 servers and on VMware. We are only two employees managing Linux and feel that another platform will steal a lot of our time. There is a large group of mainframe people here, but they do not have any experience with zLinux. Therefore we would prefer to keep Linux on x86, either on physical boxes or on VMware. If I were to try any other platform it would be for instance Xen or other virtualization tech. on x86.

As far as I know Linux on mainframes is a tiny fraction of the installed Linux instances, so I'm afraid it is harder to get any help and harder to learn. We already have several tools like RH Satellite Server and Puppet for managing about 200 servers on x86 and VMware, and I'm a bit concerned about whether we will be able to continue using them for Linux on mainframe as well.

My current feeling is that Linux on mainframe is not a good idea, mainly because it is a small platform where everything, including knowledge, is expensive. We already use Linux on two other platforms and must continue to do so. Linux on x86, including both physical and virtual servers, is ubiquitous, so both hardware and knowledge are cheap. I may of course be totally wrong as I know very little about mainframes, so if anyone can enlighten me, please do so.

What do you think?

Thanks,
Erling Ringen Elvsrud

From: ScottO
Date: Fri, 9 Jan 2009 09:04:51 -0500
Subject: Re: [SAGE] Anyone used/using a Security Management System?
I use Prelude in this way (as a SIM or security event management system of sorts). It works very well. Basically it provides the secure (TLS) framework for transporting alerts in a unified format (IDMEF), storage of those messages, a web frontend and numerous output options. It also has its own log analyzer and a correlation engine to correlate additional alerts from various systems (Snort and syslog, for example). There are a lot of security tools that are natively supported, such as Snort, Nessus, OSSEC, etc. If you need to implement a new tool or custom tool, there are also what they call easy bindings, which is an easy-to-use API for getting alerts into or out of the Prelude system, with many languages supported (Perl, Python, etc.). They do also sell commercial add-ons for enhanced functionality, etc.

Hope this helps,
Scott

On Thu, Jan 8, 2009 at 2:06 PM, Andrew Prowant wrote:
> Is anyone or has anyone used a "Security Information Management
> System" such as openSIMS, OSSIM, or Prelude? It seems like a great
> idea to have one interface for applications such as Nagios, Nessus,
> Snort, and Osiris/OSSEC/Samhain. If you have used an application like
> this, could you briefly describe how it is working for you?
>
> Are there any other programs out there like this?
>
> Thank you,
> Andrew
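Scott's description of Prelude rests on IDMEF as the common alert format that Snort, syslog analyzers and the correlation engine all speak. The following is an added example, not Prelude's own code or its bindings: it parses constructed IDMEF messages (RFC 4765 XML) with Python's standard library and performs the simplest kind of cross-sensor correlation, flagging a target that two different analyzers reported independently. The analyzer ids, addresses and timestamps are made up for the example.

```python
"""IDMEF (RFC 4765) alert parsing and a minimal cross-sensor correlation.

Added example, not Prelude's own code or bindings. Prelude carries alerts
from Snort, syslog analyzers and other sensors as IDMEF, an XML format in
the namespace http://iana.org/idmef. The three messages below are
constructed for this example (192.0.2.0/24 and 198.51.100.0/24 are
documentation ranges); a real deployment receives them over Prelude's TLS
transport rather than from a Python list.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

NS = {"idmef": "http://iana.org/idmef"}
ADDR = "idmef:Node/idmef:Address/idmef:address"  # path to the IP inside Source/Target

SAMPLE_ALERTS = [
    # Constructed: a Snort-style sensor matches an SSH brute-force signature.
    """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a1">
    <Analyzer analyzerid="snort-01" name="snort"/>
    <CreateTime ntpstamp="0xcd2f2f53.0x00000000">2009-01-09T14:04:51Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.7</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Target>
    <Classification text="SSH brute force attempt"/>
  </Alert>
</IDMEF-Message>""",
    # Constructed: the syslog analyzer on that same host sees the failed logins.
    """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a2">
    <Analyzer analyzerid="syslog-01" name="syslog"/>
    <CreateTime ntpstamp="0xcd2f2f60.0x00000000">2009-01-09T14:05:04Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.7</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Target>
    <Classification text="Failed password for root"/>
  </Alert>
</IDMEF-Message>""",
    # Constructed: a purely local condition on another host; IDMEF allows no Source here.
    """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a3">
    <Analyzer analyzerid="syslog-02" name="syslog"/>
    <CreateTime ntpstamp="0xcd2f2f72.0x00000000">2009-01-09T14:05:22Z</CreateTime>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.20</address></Address></Node></Target>
    <Classification text="Filesystem 95% full"/>
  </Alert>
</IDMEF-Message>""",
]


@dataclass
class Alert:
    messageid: str
    analyzer: str
    created: str
    source: Optional[str]      # None for local events that name no attacker
    target: Optional[str]
    classification: str


def parse_idmef(xml_text: str) -> Alert:
    """Pull the fields a correlation step needs out of one IDMEF message."""
    root = ET.fromstring(xml_text)
    if root.tag != "{http://iana.org/idmef}IDMEF-Message" or root.get("version") != "1.0":
        raise ValueError("not an IDMEF 1.0 message")
    alert = root.find("idmef:Alert", NS)   # Heartbeat messages are not handled here
    if alert is None:
        raise ValueError("message carries no Alert")
    analyzer = alert.find("idmef:Analyzer", NS)
    classification = alert.find("idmef:Classification", NS)
    if analyzer is None or classification is None:
        raise ValueError("Alert lacks the mandatory Analyzer or Classification")
    return Alert(
        messageid=alert.get("messageid", ""),
        analyzer=analyzer.get("analyzerid", ""),
        created=alert.findtext("idmef:CreateTime", default="", namespaces=NS),
        source=alert.findtext("idmef:Source/" + ADDR, namespaces=NS),
        target=alert.findtext("idmef:Target/" + ADDR, namespaces=NS),
        classification=classification.get("text", ""),
    )


def correlate(alerts, min_analyzers=2):
    """Targets reported by at least min_analyzers distinct analyzers.

    The same host flagged independently by a network sensor and by a host
    log analyzer is a stronger signal than either alert on its own; this is
    the simplest rule a correlation engine applies.
    """
    seen = defaultdict(set)
    for a in alerts:
        if a.target is not None:
            seen[a.target].add(a.analyzer)
    return {t: sorted(ids) for t, ids in seen.items() if len(ids) >= min_analyzers}


if __name__ == "__main__":
    parsed = [parse_idmef(x) for x in SAMPLE_ALERTS]
    for a in parsed:
        print(f"{a.messageid}: {a.analyzer} {a.source} -> {a.target}: {a.classification}")
    print(correlate(parsed))
```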
From: Hal Pomeranz
Date: Fri, 9 Jan 2009 08:12:48 -0800
Subject: [SAGE] SANS Log Management survey

If you're dealing with logs and Log Management, could you please take a few minutes and complete the following survey:

https://www.surveymonkey.com/s.aspx?sm=FCwjvfHzkGml4stgnYQ7rg_3d_3d

SANS is trying to gather a community consensus around Log Management, which will help to provide feedback to vendors and maybe help Log Management products not suck quite so badly in general.

Thanks in advance for your time and assistance.

--
Hal Pomeranz, Founder/CEO      Deer Run Associates      hal@deer-run.com
Network Connectivity and Security, Systems Management, Training

From: Richard Chycoski
Date: Fri, 09 Jan 2009 10:14:28 -0800
Subject: Re: [SAGE] Linux on z/VM: What do you think?
"Hey, you young whipper-snapper! Them thar my-cro computers will never amount to anything! All *real* computing will only ever happen on mainframes!!!"

I actually did hear this kind of talk from some of the less-enlightened (and much older) computer people in the '70s and even the '80s - fortunately I worked with much more progressive people (although we did go kicking and screaming into the Unix world in the early '90s :-). I was an IBM mainframe systems programmer, although not on IBM OSes, and I worked on mainframe-minicomputer interfaces.

IBM is trying to squeeze more life out of their mainframe architecture by offering Linux on the platform - an IFL is a zSeries processor with some features disabled so that it won't run zOS, and they are selling them more cheaply (for now) while trying not to undercut the price of the (same) machines running zOS. This is a typical IBM marketing tactic (IBM has *always* been a marketing and service company, technology is only a means to that end), and IFL users *could* end up with some nasty pricing surprises down the road once IBM has infiltrated an organisation...

Yes, you have a bunch of mainframers. However, zLinux is a *completely* different animal than what they are used to. They don't think in terms of shell scripts and C code, but rather JCL (Job Control Language) and zASM (Assembler) or other languages like COBOL or RPG. If management thinks that they're going to leverage their knowledge base into Linux - this just doesn't happen without retraining. Only the hardware support people are directly transferable, and if you choose to run zLinux under zVM (zVM and its precursors are what inspired VMware - it is a virtual machine environment for mainframes) you end up with the worst of both worlds - the mainframers won't understand the guest environment, and the Linux sysadmins won't understand the host environment. Cross training will be required. If Linux is run on 'bare' IFLs, it will be much like moving to yet another Linux hardware platform like PowerPC or MIPS (zSeries is big-endian), but your mainframers will basically be starting over, and your Linux sysadmins will need to learn about this new hardware platform - that you probably won't be able to touch directly - the IBM CEs will have to handle most (all?) of that.

Introduce your 'higher ups' to VMware ESX, VMotion, and modern Linux environments, then do a cost analysis of the difference between that and zSeries hardware/software costs. Also mention that you aren't locked into a single vendor (IBM) and can get even better prices when multiple vendors are bidding for your contracts. This can even be used as leverage against IBM since your company could choose to move more of its operations to non-mainframe Linux over time - you might even find IBM giving you better discounts on your mainframes (and bidding for your non-mainframe environments with more reasonable prices). Look into the costs of the necessary cross-training, and even push IBM to introduce you to some of their clients that have done what you are doing - and get cost analyses from these clients if you can.

To change your bosses' opinions, you need to think in business terms (money) rather than technology terms. This is how IBM manipulates your bosses - they speak money, not tech. You need to do the same. IBM and Microsoft are the same in this regard. They don't sell to Dilbert, they sell to Dilbert's boss.

If you are interested in learning more about the enemy^H^H^H^H^Hmainframes, put Hercules on a Linux (or Windows) machine (even a laptop is fine) and bring up MVS (a previous name for what is now z/OS - IBM just keeps renaming the OS that they built in the '60s :-). There are current versions of z/OS that will run under Hercules, but it isn't clear whether or not this is legal due to the licensing issues for z/OS. You can, however, run zLinux under Hercules (with no licensing hassles), see:

Hercules is a mainframe (370/390/z-series) emulator. If you do get coerced into running zLinux it can help you learn about mainframes, but be prepared for a very different world full of 'channel programs' and 'abend codes'. See:

and the Yahoo groups:

hercules-390
H390-VM
H390-MVS

Beware - most of the people on the Hercules groups are lifelong mainframers, and most have little experience with Linux or non-mainframe environments. Again, they don't think in terms of shell scripts and C code, but rather JCL (Job Control Language) and zASM (Assembler). They're not snobbish - they've just been mainframers all of their lives. (Most of the Hercules supporters are older than I am, and I first opened up a mainframe in 1975. :-)

You get to learn all about your hardware - on most IBM mainframe operating systems, you have to specify record formats, record lengths, and block sizes for your disk files, and they have to be compatible with the actual disk drive underneath. Tapes (even virtual ones) are even more fun! Can you say 'BLP' (Bypass Label Processing)? Welcome to the 'maze of twisting passages, all looking alike'. :-)

- Richard

Erling Ringen Elvsrud wrote:
> Hello,
>
> My current employer has a z10 mainframe and some of the higher ups
> want to use zLinux with z/VM. They want to take advantage of the IFLs
> that are already in place, and talk about consolidation of current or
> future x86 servers.
>
> I know nothing about mainframes, but have sensed that there are many
> strong opinions about running zLinux or not on them. We already use
> Linux (RHEL) extensively on x86 servers and on VMware. We are only two
> employees managing Linux and feel
> that another platform will steal a lot of our time. There is a large
> group of mainframe people here, but they do not have any experience
> with zLinux.
> Therefore we would prefer to keep Linux on x86, either on physical
> boxes or on VMware. If I were to try any other platform it would be
> for instance Xen or other virtualization tech. on x86.
>
> As far as I know Linux on mainframes is a tiny fraction of the
> installed Linux instances, so I'm afraid it is harder to get any help
> and harder to learn. We already have several tools like RH Satellite
> Server and Puppet for managing about 200 servers on x86 and VMware and
> I'm a bit concerned about whether we will be able to continue using
> them for Linux on mainframe as well.
>
> My current feeling is that Linux on mainframe is not a good idea,
> mainly because it is a small platform where everything, including
> knowledge, is expensive. We already use Linux on two other platforms and
> must continue to do so. Linux on x86, including both physical and
> virtual servers, is ubiquitous, so both hardware and knowledge are
> cheap. I may of course be totally wrong as I know very little about
> mainframes, so if anyone can enlighten me, please do so.
>
> What do you think?
>
> Thanks,
>
> Erling Ringen Elvsrud

From: Matthew Sacks
Date: Sat, 10 Jan 2009 00:40:04 -0800
Subject: Re: [SAGE] Cacti Pains - Exhausted all outlets and need a cacti expert to help.

I've checked into this. I think what was happening is there were multiple crontab entries, so the poller_output table was getting clobbered so it could never update the RRA. It seems to be trending now, and I am going to let it run over the weekend before I confirm it as "fixed".

Thanks for your help!
On Tue, Jan 6, 2009 at 8:10 AM, James Keating wrote: > Matthew Sacks wrote: >> >> Even the cacti developers had no useful suggestions for this problem: >> >> Rather than re-dump the thread here, please see >> http://forums.cacti.net/viewtopic.php?p=147163#147163 >> >> In short, the problem is that I can poll snmp data directly from a >> server using an snmpget or walk, but when I try to graph it with >> cacti, the rra's get populated with NaN's. >> _______________________________________________ >> sage-members mailing list >> sage-members@mailman.sage.org >> http://mailman.sage.org/mailman/listinfo/sage-members >> > > Matt, > > Have you verified that the data is being placed into the MySQL database > properly? > > The cacti poller places all the poller results into the poller_output table > in your MySQL DB. The data for those results should be in there > temporarily. You will need to be quick when looking for it, as cacti will > remove it from this table after it has "processed" it for insertion to the > RRA. > > > From philiph@pobox.com Sat Jan 10 11:23:29 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0AJNQKL032796 for ; Sat, 10 Jan 2009 11:23:29 -0800 (PST) (envelope-from philiph@pobox.com) Received: from sasl.smtp.pobox.com (a-sasl-fastnet.sasl.smtp.pobox.com [207.106.133.19]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0AJNNIq003983 for ; Sat, 10 Jan 2009 11:23:26 -0800 (PST) Received: from localhost.localdomain (unknown [127.0.0.1]) by a-sasl-fastnet.sasl.smtp.pobox.com (Postfix) with ESMTP id 85D8D8FD67; Sat, 10 Jan 2009 14:23:17 -0500 (EST) Received: from ourtownadd-lm.mine.nu (unknown [208.87.58.107]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by a-sasl-fastnet.sasl.smtp.pobox.com (Postfix) with ESMTPSA id 98C968FD66; Sat, 10 Jan 2009 14:23:14 -0500 (EST) Message-Id: From: "Philip J. 
Hollenback" To: Daniel Feenberg In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Sat, 10 Jan 2009 11:23:08 -0800 References: <89DBC913-382C-4ED2-8177-9F2E92EEE8ED@pobox.com> <49527206.3060306@bio.umass.edu> X-Mailer: Apple Mail (2.930.3) X-Pobox-Relay-ID: 22348C3A-DF4C-11DD-A09B-5720C92D7133-80990599!a-sasl-fastnet.pobox.com X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Members Subject: Re: [SAGE] moving from amanda tape backup to external disk backup X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Jan 2009 19:23:29 -0000

On Dec 24, 2008, at 12:53 PM, Daniel Feenberg wrote:
> The OP has only 40 GB (and "growing slowly") to back up. That is
> really important. For $5,000 the OP can buy 40 1 terabyte drives and
> rotate them weekly, monthly and annually for many years. If backups
> are frequent and multiple backups are kept there is no need to
> involve RAID. Disk is really the way for him to go, and there is no
> need to discourage him with lots of FUD.
>
> It is true that there is a big difference between a backup and an
> archive - and both are important, but it isn't true that tape is the
> only way to have an archive. Disks can store incrementals also.
>
> We have been powering down our disk to disk backup machines every
> day for several years after an fsync and none have ever failed to
> fsck on reboot. If drives exist that don't respond to this
> correctly, they aren't the cheap WD and Seagate IDE/SATA drives you
> can buy at Micro-center.
>
> We have limited experience with external sata connectors, but after
> perhaps 50 uses there is no obvious wear. A broken connector
> wouldn't be a serious problem, either.
I'm currently setting this up using rsnapshot to do snapshots to the external drives. So far it is looking like a workable solution. I think the key is that 1TB drives are so cheap that I can buy many of them and rotate as Daniel says, thus spreading the risk of disk failure between multiple disks (some of which will be offsite). Also with rsnapshot I can do several hourly, daily, weekly etc. snapshots and it is very easy to access the data in those snapshots as they appear as regular files. rsnapshot does all the snapshots via hard links.

One snag I ran into is that I can't hot-swap the external SATA connector. If the external drive is connected at powerup the system finds it just fine and enumerates it as /dev/sdd. However, if I connect the external SATA drive after powerup I just see the message

nv_sata: Secondary device added

but the nv_sata driver doesn't create an actual drive device. Similarly, if I remove it I see

nv_sata: Secondary device removed

so the driver is aware of the new device but something is missing regarding drive enumeration. On the plus side it doesn't panic the machine. This is a CentOS 4.4 machine so I am hoping that a newer nv_sata driver in say CentOS 4.7 or CentOS 5 might fix this. However, for now I've fallen back to using USB 2.0 instead. The transfer rates for USB are 25MB/s vs. 50MB/s for external SATA, which is usable for our purposes.

Thanks to everyone for the great suggestions.

P.

-- Philip J.
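The hard-link scheme rsnapshot relies on, as an added example in Python that is not rsnapshot's own code (rsnapshot drives rsync and cp -al; this reimplements the rotation with os.link so the properties can be checked in a throwaway directory). The interval name hourly, the retention of 4 and the file contents are constructed for the demo.

```python
"""Hard-link snapshot rotation in the style of rsnapshot (added example; not
rsnapshot's code).  Every snapshot is a complete directory tree of the source.
Files that did not change are hard links to the previous snapshot's copy and
cost no extra space; files that did change are fresh copies.  The property to
preserve: a changed file is never written through an inode shared with an
older snapshot, otherwise every snapshot holding that inode changes too."""
import filecmp
import os
import shutil
import tempfile


def rotate(dest, interval, keep):
    """Shift interval.0 .. interval.(keep-2) up one slot and drop the oldest."""
    oldest = os.path.join(dest, f"{interval}.{keep - 1}")
    if os.path.isdir(oldest):
        shutil.rmtree(oldest)
    for n in range(keep - 2, -1, -1):
        cur = os.path.join(dest, f"{interval}.{n}")
        if os.path.isdir(cur):
            os.rename(cur, os.path.join(dest, f"{interval}.{n + 1}"))


def snapshot(source, dest, interval="hourly", keep=4):
    """Create interval.0 from source, linking unchanged files to interval.1."""
    filecmp.clear_cache()  # never trust a cached comparison across runs
    rotate(dest, interval, keep)
    new = os.path.join(dest, f"{interval}.0")
    prev = os.path.join(dest, f"{interval}.1")
    for dirpath, _dirnames, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        os.makedirs(os.path.normpath(os.path.join(new, rel)), exist_ok=True)
        for name in filenames:
            src_file = os.path.join(dirpath, name)
            new_file = os.path.join(new, rel, name)
            prev_file = os.path.join(prev, rel, name)
            if os.path.isfile(prev_file) and filecmp.cmp(src_file, prev_file, shallow=False):
                os.link(prev_file, new_file)      # unchanged: share the inode
            else:
                shutil.copy2(src_file, new_file)  # new or changed: a fresh inode
    return new


def snapshot_count(dest, interval="hourly"):
    return len([d for d in os.listdir(dest) if d.startswith(interval + ".")])


def demo():
    """Constructed scenario: snapshot, edit one file, snapshot again, then keep
    snapshotting past the retention limit.  Returns (link count of the unchanged
    file in hourly.0, content of notes.txt in hourly.1, snapshot dirs kept)."""
    root = tempfile.mkdtemp()
    try:
        src, dest = os.path.join(root, "src"), os.path.join(root, "backup")
        os.makedirs(src)
        os.makedirs(dest)
        with open(os.path.join(src, "stable.txt"), "w") as f:
            f.write("unchanged\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("v1\n")
        snapshot(src, dest)
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("v2\n")
        snapshot(src, dest)
        stable_links = os.stat(os.path.join(dest, "hourly.0", "stable.txt")).st_nlink
        with open(os.path.join(dest, "hourly.1", "notes.txt")) as f:
            old_notes = f.read()  # the older snapshot must still say v1
        for _ in range(5):
            snapshot(src, dest, keep=4)
        return stable_links, old_notes, snapshot_count(dest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The branch that matters for backup integrity is the else in snapshot(): a changed file gets a fresh inode, never an in-place write, because a write through the shared inode would alter every older snapshot that links to it (rsync, which rsnapshot uses, behaves the same way by default, writing a temporary file and renaming it into place). Two caveats a practitioner will want: hard links only work within one filesystem, so each external drive carries its own independent snapshot set, and every snapshot on a drive that is mounted read-write is reachable by anyone with root on the backup host, so the offsite rotation described in the post is what protects the set from a mistaken rm -rf or a compromised host, not the hard links themselves.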
Hollenback philiph@pobox.com From dj@gregor.com Sun Jan 11 22:15:59 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0C6FxC1030815 for ; Sun, 11 Jan 2009 22:15:59 -0800 (PST) (envelope-from dj@gregor.com) Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com [66.111.4.25]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0C6FuQJ021651 for ; Sun, 11 Jan 2009 22:15:59 -0800 (PST) Received: from compute1.internal (compute1.internal [10.202.2.41]) by out1.messagingengine.com (Postfix) with ESMTP id 07D8220EB9D for ; Mon, 12 Jan 2009 01:10:45 -0500 (EST) Received: from web7.messagingengine.com ([10.202.2.216]) by compute1.internal (MEProxy); Mon, 12 Jan 2009 01:10:45 -0500 Received: by web7.messagingengine.com (Postfix, from userid 99) id D486B1AA50; Mon, 12 Jan 2009 01:10:44 -0500 (EST) Message-Id: <1231740644.10123.1294231737@webmail.messagingengine.com> X-Sasl-Enc: kwWWBDDmxsUA8+mcZJjeqcY/LB07Zntm9AdjKm22KPMA 1231740644 From: "DJ Gregor" To: "SAGE members" Content-Disposition: inline Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="ISO-8859-1" MIME-Version: 1.0 X-Mailer: MessagingEngine.com Webmail Interface References: <664c5a070901090318g224634fal27d9e6813e3034f6@mail.gmail.com> In-Reply-To: <664c5a070901090318g224634fal27d9e6813e3034f6@mail.gmail.com> Date: Mon, 12 Jan 2009 01:10:44 -0500 X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=1 Fuz2=1 rep=23% Subject: Re: [SAGE] Linux on z/VM: What do you think? X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 06:16:00 -0000 On Fri, 9 Jan 2009 12:18:19 +0100, "Erling Ringen Elvsrud" said: > My current employer have a z10 mainframe and some of the higher ups > want to use zLinux with z/VM. 
> They want to take advantage of the IFLs
> that are already in place, and talk about consolidation of current or
> future x86-servers.

One key question: are those IFLs actually paid-for, enabled, and ready-to-run, or are they just sitting in the box that's on the floor? In the latter case, there isn't a big difference from having the un-paid-for IFLs in your z10 when compared to yet-to-be-purchased physical servers, aside from the fact that you can turn on those IFLs as fast as you can write a check, whereas it takes significantly longer to purchase, take delivery of, and install a physical server.

> We are only two
> employees managing Linux and feel
> that another platform will steal a lot of our time. There is a large
> group of mainframe-people here, but they do not have any experience
> with zLinux.

That sounds like it may be difficult to add another physical platform to your Linux mix. As Richard Chycoski has said, you can't get by without retraining some staff, and likely both your Linux people and your z/VM people will need to learn the other side. If you are short on Linux people, maybe the focus of the retraining is bringing the z/VM people over to Linux. You can find a moderate amount of information about the paths that people have taken to do Linux & z/VM here: http://linuxvm.org/Present/#share111

> Therefore we would prefer to keep Linux on x86, either on physical
> boxes or on vmWare. If I were to try any other platform it would be
> for instance Xen or other virtualization tech. on x86.

One nice advantage of using x86, whether you virtualize on it or not, is that you have significant competition at most levels of the stack: HW, VM (getting better), OS, and application (e.g.: various J2EE application servers). That will help keep prices relatively low and ensure features continually improve.
A side-note: when doing a TCO comparison, make sure you compare one virtualized offering against another virtualized offering, and that you are *not* comparing a lone virtualized offering against physical servers. IMHO, there are two things you need to evaluate independently:

1) The benefits of doing virtualization vs. not doing virtualization.

2) Assuming you are doing virtualization, what are the additional benefits of choosing one virtualization platform over another.

I think your biggest win comes with #1, and you generally don't see a big difference in #2. Most virtualization TCO studies and calculators I've seen bundle #1 and #2 together, which might make a single virtualization solution look great in isolation--until you compare it to other virtualization solutions. This doesn't just happen with virtualization, but is pretty common when someone is marketing a new technology to you. For example, do you really care much about which airline you take between New York and London, or do you care most about the fact that you aren't taking a boat?

Again, as Richard has said, you need to communicate with your management in business terms and boil it down to an apples to apples comparison and money. Management doesn't care if you would be doing load distribution with VMWare DRS or by having one big honkin' z10 with z/VM, or that you'd do DR with some scripts in the z10 world vs. VMWare SRM, they just want to know how much each total solution costs and that they deliver the same set of features to the business (in this case, no performance degradation for key guests and DR within X hours).
Good luck, - djg -- DJ Gregor dj@gregor.com From erlingre@gmail.com Mon Jan 12 00:16:25 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0C8GPxX033378 for ; Mon, 12 Jan 2009 00:16:25 -0800 (PST) (envelope-from erlingre@gmail.com) Received: from mail-ew0-f20.google.com (mail-ew0-f20.google.com [209.85.219.20]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0C8GLHb016510 for ; Mon, 12 Jan 2009 00:16:24 -0800 (PST) Received: by ewy13 with SMTP id 13so11300694ewy.23 for ; Mon, 12 Jan 2009 00:16:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=PKN1/JRBYNn7Tfsx1o8I6s5saUVJL6Udkv9XST7eX9E=; b=WRPrqitpBl6bx3cHWRbEWIfmQuQUHant7nbsEb8m+aTBLWpk+pwmiX6bNphUYA05r0 YSNYPBMao4UfoCS/5Z1+YAQ8OYMtBwgmJc0P1bAQfqEhXGkoS6pTKb6ASUEk53+j0Ngy sN2nRcu/cMAE70uKSNJ/gZoMpfUg7IrVv1+T0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=HoUF3+x3qGP8z3Q2/9K+vnY/VNABmh8VGCiyuqAyPA85aM2Fklgjat7gKgwTgAIzUx PEDRBaxrYY5n46BFILHla8LxToKuvv1C4K6BLDMzpPp3fiE6xwv0IjJ/1Byw+MAc3wYI JtK5JGQ+KdbQIw/48BPH4Soyozb1WMumkw6iY= Received: by 10.210.38.5 with SMTP id l5mr10915438ebl.102.1231748175527; Mon, 12 Jan 2009 00:16:15 -0800 (PST) Received: by 10.210.111.13 with HTTP; Mon, 12 Jan 2009 00:16:15 -0800 (PST) Message-ID: <664c5a070901120016w19205dc2g7b09232bfb632e81@mail.gmail.com> Date: Mon, 12 Jan 2009 09:16:15 +0100 From: "Erling Ringen Elvsrud" To: sage-members@sage.org In-Reply-To: <1231740644.10123.1294231737@webmail.messagingengine.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: 
<664c5a070901090318g224634fal27d9e6813e3034f6@mail.gmail.com> <1231740644.10123.1294231737@webmail.messagingengine.com> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=8% Subject: Re: [SAGE] Linux on z/VM: What do you think? X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 08:16:25 -0000 Thank you all for helpful answers! Best regards, Erling Ringen Elvsrud From eric@explosive.net Mon Jan 12 08:16:50 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CGGoXk046514 for ; Mon, 12 Jan 2009 08:16:50 -0800 (PST) (envelope-from eric@explosive.net) Received: from hexogen.explosive.net (hexogen.explosive.net [64.142.102.5]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CGGltD023616 for ; Mon, 12 Jan 2009 08:16:49 -0800 (PST) Received: from localhost (localhost.localdomain [127.0.0.1]) by localhost.explosive.net (Postfix) with ESMTP id ABF2466C08F; Mon, 12 Jan 2009 08:16:44 -0800 (PST) X-Virus-Scanned: amavisd-new at explosive.net Received: from hexogen.explosive.net ([64.142.102.5]) by localhost (hexogen.explosive.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYMPEmdUs1ug; Mon, 12 Jan 2009 08:16:43 -0800 (PST) Received: from [192.168.2.8] (sublimit.explosive.net [64.142.102.7]) by hexogen.explosive.net (Postfix) with ESMTP id 16E3366C08A; Mon, 12 Jan 2009 08:16:43 -0800 (PST) In-Reply-To: <46026ea20901081106u59fc18e7r4efb4a28805d71de@mail.gmail.com> References: <46026ea20901081106u59fc18e7r4efb4a28805d71de@mail.gmail.com> Mime-Version: 1.0 (Apple Message framework v753.1) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Eric Sorenson Date: Mon, 12 Jan 2009 08:16:37 -0800 To: Andrew Prowant X-Mailer: Apple 
Mail (2.753.1) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE mailing list Subject: Re: [SAGE] Anyone used/using a Security Management System? X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 16:16:50 -0000

At a previous job I set up a system using Sguil, following Richard Bejtlich's excellent book "The Tao of Network Security Monitoring". It was a *lot* of work to get set up but it did work as advertised and provided a pretty useful window onto our network (and impressed the socks off the SOX auditors whose requirement that we do IDS/IPS was the primary driver for its implementation).

The biggest point in Sguil's favor is the "tao of NSM" book. It provides a great methodology for using the system effectively, so you don't end up with software without a framework for integrating it into the larger policy and response structure of the organization -- actually, the book should probably be mandatory reading regardless of what tool you end up with.

The biggest drawback is the extremely hacker-centric nature of the codebase; I had to learn some Tcl/Tk to fix little bugs and implement tweaks to the UI (nothing's configurable; or rather everything's configurable once you find out what Tcl to change). There's a supportive community and development is active.

I actually miss that setup a lot and sort of wish I had a mandate to get back into it at my current job.

On Jan 8, 2009, at 11:06 AM, Andrew Prowant wrote:
> Is anyone or has anyone used a "Security Information Management
> System" such as openSIMS, OSSIM, or Prelude? It seems like a great
> idea to have one interface for applications such as Nagios, Nessus,
> Snort, and Osiris/OSSEC/Samhain. If you have used an application like
> this, could you briefly describe how it is working for you?
> > Are there any other programs out there like this? > -- - Eric Sorenson - N37 17.255 W121 55.738 - http://ahpook.vox.com/ - From Wesley.Simon@lsi.com Mon Jan 12 13:34:53 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CLYr57055546 for ; Mon, 12 Jan 2009 13:34:53 -0800 (PST) (envelope-from Wesley.Simon@lsi.com) Received: from exprod7og101.obsmtp.com (exprod7og101.obsmtp.com [64.18.2.155]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CLYoC1000857 for ; Mon, 12 Jan 2009 13:34:52 -0800 (PST) Received: from source ([147.145.40.20]) by exprod7ob101.postini.com ([64.18.6.12]) with SMTP ID DSNKSWu3eV6qF2Yvlft8/kEw1tgxnJJXSUzV@postini.com; Mon, 12 Jan 2009 13:34:52 PST Received: from milmhbs0.lsil.com (mhbs.lsil.com [147.145.1.30]) by mail0.lsil.com (8.12.11/8.12.11) with ESMTP id n0CLYmjF025924 for ; Mon, 12 Jan 2009 13:34:48 -0800 (PST) Received: from coscas01.lsi.com (coscas01.co.lsil.com [172.21.36.60]) by milmhbs0.lsil.com (8.12.11/8.12.11) with ESMTP id n0CLYm9U011969 for ; Mon, 12 Jan 2009 13:34:48 -0800 Received: from cosmail02.lsi.com ([172.21.36.36]) by coscas01.lsi.com ([172.21.36.60]) with mapi; Mon, 12 Jan 2009 14:34:47 -0700 From: "Simon, Wesley" To: SAGE mailing list Date: Mon, 12 Jan 2009 14:34:45 -0700 Thread-Topic: on-call policy Thread-Index: Acl0/ZZfykbfZbtLTC2ZYY9DSOcMSQ== Message-ID: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.39 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=13% Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.11 Subject: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
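
The core of what a SIM like the ones asked about above does, as an added example in Python that is not code from Sguil, OSSIM, Prelude or anyone on this thread: Snort fast-format alert lines and OSSEC alerts.log blocks are parsed into one event schema, then a time-window rule joins a network-side scan against a host with a host-side authentication failure from the same source. The sample alerts are constructed for the demo; the Snort SIDs are in the local-rule range and the OSSEC rule number, level and the Snort priorities are illustrative. Timestamps are treated as one timezone.

```python
"""Two alert sources normalised into one schema and joined by a time-window
rule: the smallest useful piece of what a SIM does.  Added example, not code
from Sguil, OSSIM, Prelude or any post in this thread.  Sample alerts are
constructed; the rule numbers and priorities in them are illustrative."""
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts source severity src dst msg")

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: p] {proto} src[:port] -> dst[:port]
# No year in the timestamp; ICMP alerts carry no ports, hence the optional groups.
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# OSSEC alerts.log block: "** Alert" header, date/agent line, Rule line,
# optional Src IP line, then the raw log line that triggered it.
OSSEC_DATE = re.compile(r"^(?P<date>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) \((?P<host>[^)]+)\) (?P<ip>[\d.]+)->")
OSSEC_RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<msg>[^']*)'")
OSSEC_SRC = re.compile(r"^Src IP: (?P<src>[\d.]+)")

# Constructed sample input (not real sensor output).
SNORT_SAMPLE = """\
01/08-11:06:01.123456  [**] [1:1000001:1] LOCAL SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:54321 -> 10.0.0.20:22
01/08-11:30:44.000000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.21
"""

OSSEC_SAMPLE = """\
** Alert 1231412765.12: - syslog,sshd,authentication_failed,
2009 Jan 08 11:06:05 (web1) 10.0.0.20->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Jan  8 11:06:04 web1 sshd[2211]: Failed password for root from 10.0.0.5 port 54322 ssh2

** Alert 1231415000.13: - syslog,sshd,authentication_failed,
2009 Jan 08 11:43:20 (web2) 10.0.0.21->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.9.9
User: bob
Jan  8 11:43:19 web2 sshd[3001]: Failed password for bob from 192.168.9.9 port 40001 ssh2
"""


def parse_snort(lines, year):
    """Snort fast alerts -> Events.  Priority 1 is Snort's most severe; map to 0-10."""
    events = []
    for line in lines:
        m = SNORT_RE.match(line)
        if not m:
            continue  # unparsable line: drop it, never guess fields
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        sev = {1: 9, 2: 6, 3: 3}.get(int(m["prio"]), 1)
        events.append(Event(ts, "snort", sev, m["src"], m["dst"], m["msg"]))
    return events


def parse_ossec(text):
    """OSSEC alert blocks (blank-line separated) -> Events.  Levels run 0-15; scale to 0-10."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {}
        for line in block.splitlines():
            for rx in (OSSEC_DATE, OSSEC_RULE, OSSEC_SRC):
                m = rx.match(line)  # anchored: the raw log line cannot pose as a field
                if m:
                    f.update(m.groupdict())
        if "date" not in f or "rule" not in f:
            continue  # incomplete block
        ts = datetime.strptime(f["date"], "%Y %b %d %H:%M:%S")
        events.append(Event(ts, "ossec", int(f["level"]) * 10 // 15, f.get("src", "?"), f["ip"], f["msg"]))
    return events


def correlate(events, window_s=300):
    """A network-side alert S->H followed within window_s seconds by a host-side
    alert on H that names S as its source becomes one incident."""
    net = [e for e in events if e.source == "snort"]
    incidents = []
    for h in (e for e in events if e.source == "ossec"):
        for n in net:
            lag = (h.ts - n.ts).total_seconds()
            if n.src == h.src and n.dst == h.dst and 0 <= lag <= window_s:
                incidents.append({"src": h.src, "dst": h.dst, "lag_s": lag,
                                  "severity": min(10, n.severity + h.severity),
                                  "evidence": [n.msg, h.msg]})
    return incidents


def run_demo():
    events = parse_snort(SNORT_SAMPLE.splitlines(), year=2009) + parse_ossec(OSSEC_SAMPLE)
    return correlate(events)


if __name__ == "__main__":
    for incident in run_demo():
        print(incident)
```

On the sample, the scan of 10.0.0.20 from 10.0.0.5 and the failed root login from the same address four seconds later become one incident; the second OSSEC alert has no network-side partner and stays a lone event. The join depends entirely on the two clocks agreeing: Snort's fast format carries no year and uses the sensor's local time, and OSSEC stamps alerts with the agent's clock, so sensors and agents need NTP and a common reference timezone before a 300 second window means anything. The parsers are deliberately strict, dropping lines that do not match rather than guessing, because the raw log line at the bottom of each OSSEC block contains attacker-influenced text such as the username.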
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 21:34:53 -0000

Hi everyone,

I am trying to get our management to adopt an on-call policy. Does anyone on here have experience with going from no policy to one that works and is fair? Also, what kind of policies do you have?

Thanks,

Wesley Simon
System Administrator
LSI Corporation
Engenio Storage Group
3718 North Rock Road
Wichita, Kansas 67226
P: 316.636.8078
F: 316.636.8487

From cat@reptiles.org Mon Jan 12 13:43:27 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CLhREr056083 for ; Mon, 12 Jan 2009 13:43:27 -0800 (PST) (envelope-from cat@reptiles.org) Received: from mailbox.reptiles.org (rootgecko.reptiles.org@[198.96.210.227]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CLhNc7001945 for ; Mon, 12 Jan 2009 13:43:26 -0800 (PST) Received: from mailbox.reptiles.org ([198.96.210.227] port=63118) by mailbox.reptiles.org([198.96.210.227] port=25) via TCP with esmtp (1985 bytes) (sender: ) (ident using UNIX) id for ; Mon, 12 Jan 2009 16:43:06 -0500 (EST) (Smail-3.2.0.121 2005-Nov-17 #4 built 2006-Nov-28) Date: Mon, 12 Jan 2009 16:43:04 -0500 (EST) From: Cat Okita To: "Simon, Wesley" In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> Message-ID: <20090112163859.G6482@gecko.reptiles.org> References: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE mailing list Subject: Re: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members."
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 21:43:27 -0000

On Mon, 12 Jan 2009, Simon, Wesley wrote:
> I am trying to get our management to adopt an on-call policy. Does anyone
> on here have experience with going from no policy to one that works and is
> fair? Also, what kind of policies do you have?

Heh. That's rather like saying "I'd like to buy a car" without adding in any other information :)

There's a lot of things that play into an on-call policy. In no order at all, a few things to think about:
- how many people are involved
- what are you supporting
- how critical is what you're supporting
- what response time is expected
- what can you be called for
- is compensation involved
- is remote access available, or is this on-site work
- who can call you
- is there unique expertise that will pull in people that aren't on call

Obviously a case of "50-odd people on call for dire emergencies in 1 week rotations" is wildly different from "1 person on call 7x24x365"

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
From Wesley.Simon@lsi.com Mon Jan 12 13:50:59 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CLowrX056590 for ; Mon, 12 Jan 2009 13:50:58 -0800 (PST) (envelope-from Wesley.Simon@lsi.com) Received: from exprod7og115.obsmtp.com (exprod7ob115.obsmtp.com [64.18.2.216]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CLotuI004887 for ; Mon, 12 Jan 2009 13:50:58 -0800 (PST) Received: from source ([147.145.40.20]) by exprod7ob115.postini.com ([64.18.6.12]) with SMTP ID DSNKSWu7PQhnnNNqfOOPRfBDVtGbuqm4viuj@postini.com; Mon, 12 Jan 2009 13:50:58 PST Received: from milmhbs0.lsil.com (mhbs.lsil.com [147.145.1.30]) by mail0.lsil.com (8.12.11/8.12.11) with ESMTP id n0CLop8k027710; Mon, 12 Jan 2009 13:50:51 -0800 (PST) Received: from coscas01.lsi.com (coscas01.co.lsil.com [172.21.36.60]) by milmhbs0.lsil.com (8.12.11/8.12.11) with ESMTP id n0CLopOB016002; Mon, 12 Jan 2009 13:50:51 -0800 Received: from cosmail02.lsi.com ([172.21.36.36]) by coscas01.lsi.com ([172.21.36.60]) with mapi; Mon, 12 Jan 2009 14:50:50 -0700 From: "Simon, Wesley" To: Cat Okita Date: Mon, 12 Jan 2009 14:50:48 -0700 Thread-Topic: [SAGE] on-call policy Thread-Index: Acl0/szteZaEPnzxTbivDsb36BHWwAAACuVg Message-ID: <8CEE3947B21C6946A5CFDFA589C276CB84FCB9A6@cosmail02.lsi.com> In-Reply-To: <20090112163859.G6482@gecko.reptiles.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.39 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=16% Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n0CLowrX056590 Cc: SAGE mailing list Subject: Re: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 21:50:59 -0000

Cat,

Number of people: 2, there are some remote hands-on people that can be utilized.
This is an engineering software development organization spanning 7 sites and 5 time zones: ~1000 users.
Mostly remote access.

Your other questions are details that need to be considered: compensation, who can call, response time, etc.

Wesley Simon
316.636.8078

-----Original Message-----
From: Cat Okita [mailto:cat@reptiles.org]
Sent: Monday, January 12, 2009 3:43 PM
To: Simon, Wesley
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy

On Mon, 12 Jan 2009, Simon, Wesley wrote:
> I am trying to get our management to adopt an on-call policy. Does anyone
> on here have experience with going from no policy to one that works and is
> fair? Also, what kind of policies do you have?

Heh. That's rather like saying "I'd like to buy a car" without adding in any other information :)

There's a lot of things that play into an on-call policy. In no order at all, a few things to think about:
- how many people are involved
- what are you supporting
- how critical is what you're supporting
- what response time is expected
- what can you be called for
- is compensation involved
- is remote access available, or is this on-site work
- who can call you
- is there unique expertise that will pull in people that aren't on call

Obviously a case of "50-odd people on call for dire emergencies in 1 week rotations" is wildly different from "1 person on call 7x24x365"

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
From kurt.buff@gmail.com Mon Jan 12 13:54:28 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CLsSUI056735 for ; Mon, 12 Jan 2009 13:54:28 -0800 (PST) (envelope-from kurt.buff@gmail.com) Received: from mail-gx0-f12.google.com (mail-gx0-f12.google.com [209.85.217.12]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CLsOQ1006162 for ; Mon, 12 Jan 2009 13:54:27 -0800 (PST) Received: by gxk5 with SMTP id 5so19892gxk.19 for ; Mon, 12 Jan 2009 13:54:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=RTW01FBwpxTrAA7aq5CGMz/lyfmw6uhP+9puhYOSBDk=; b=Rm7v0QLo8x9BdZcqru5V0F5i74PhVCHUxkY2+gJD6Qm1gT0W2q7DKyX9GHwor/Aejp B4P/pL5/KqpgMht5bSk0D6YxScapLHxpL+UmPH2QyxcRPoDW8UKBWQYAGMY+Em2zMwxy uQ8H7oz/b5T6kqzTCSOewV6Yv2KtBsAVO2tr0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=Hd36JQ4ZyBbjos7inR9jkof1KKhH1C8HMLX3ug9spE6gCBVyLXcuZtVohTtZWW39WB HoVqB3IkqAA68ZKKlw31S10H3RKgXZEzZ0pfmXTnZPuGmLpbfte7pWcL6/JBS1OYnsH1 2bJGf8r1p6x/l4ixI5y47oub7JWZBdQvqdF6U= Received: by 10.142.237.20 with SMTP id k20mr12561990wfh.74.1231797258989; Mon, 12 Jan 2009 13:54:18 -0800 (PST) Received: by 10.142.115.3 with HTTP; Mon, 12 Jan 2009 13:54:18 -0800 (PST) Message-ID: Date: Mon, 12 Jan 2009 13:54:18 -0800 From: "Kurt Buff" To: "Simon, Wesley" In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=6% Cc: SAGE 
mailing list Subject: Re: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 21:54:29 -0000

We have a company-issued phone that rotates amongst the staff. We pay a small amount per weeknight on call, and 2.5 times that per weekend night or holiday. As a supervisor of three FTEs (one's a contractor, and doesn't share in the rotation, so effectively it's just three who share the rotation), I take one week in three, as do the others. If/when the contractor is hired, there'll be 4 of us. We're pretty flexible about making exceptions for vacations, etc. The rotation starts Friday evening, and ends Thursday evening.

It works well, except that I'm always the backup on call, but that's the burden of being part of management. The IT director, to whom I report, is always the tertiary, but neither of us gets paid for being backups.

It's working well for us.

Kurt

On Mon, Jan 12, 2009 at 1:34 PM, Simon, Wesley wrote:
> Hi everyone,
>
> I am trying to get our management to adopt an on-call policy. Does anyone on here have experience with going from no policy to one that works and is fair? Also, what kind of policies do you have?
> > Thanks, > > > Wesley Simon > System Administrator > LSI Corporation > Engenio Storage Group > 3718 North Rock Road > Wichita, Kansas 67226 > P: 316.636.8078 > F: 316.636.8487 > > > > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > From njt@ayvali.org Mon Jan 12 13:55:54 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CLts8w056874 for ; Mon, 12 Jan 2009 13:55:54 -0800 (PST) (envelope-from njt@ayvali.org) Received: from zaph.org (zaph.org [208.86.224.136]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CLtoOt006688 for ; Mon, 12 Jan 2009 13:55:53 -0800 (PST) Received: by zaph.org (Postfix, from userid 1002) id 93BECB9AD; Mon, 12 Jan 2009 16:55:49 -0500 (EST) Date: Mon, 12 Jan 2009 16:55:49 -0500 From: "N.J. Thomas" To: "Simon, Wesley" Message-ID: <20090112215549.GF91938@zaph.org> References: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> User-Agent: Mutt/1.4.2.3i X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE mailing list Subject: Re: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 21:55:54 -0000 * Simon, Wesley [2009-01-12 14:34:45+0000]: > I am trying to get our management to adopt an on-call policy. Does > anyone on here have experience with going from no policy to one that > works and is fair? Some suggestions off the top of my head from past experience: - do weekly rotations, i.e. 
Monday morning to Monday morning (this works well for teams of 3 or more)
- have at least two upcoming months scheduled and available in print and on the web
- send out an automated weekly email that notifies the relevant people of who is on call for that time period
- the person on call must carry a pager/beeper, or nowadays a smartphone, on which they can receive realtime emails, alerts, pages, and phone calls from your ticketing, monitoring, or help desk system, or from users
- at one place I was at, we had a toll-free 800 number that was rotated to point at the cell of the person who was on call; at any given time a user could call the 800 number and reach the on-call sysadmin for that week; kind of expensive for small shops, but very useful for larger places where you deal with many non-tech people

> Also, what kind of policies do you have?

The general policy is that the person on call is the first responder within some reasonable amount of time (usually an hour) to any notification. They don't necessarily have to solve the problem or fix the issue, but they should be able to say something like "We received the alert/email, are aware of the problem, and are looking into resolving the situation." Oftentimes, especially when the alert comes from a non-tech person during off hours, the assurance that the sysadmin team is aware of the problem and looking into it is more important than the actual fix.
Thomas From cat@reptiles.org Mon Jan 12 14:00:47 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0CM0lrA057121 for ; Mon, 12 Jan 2009 14:00:47 -0800 (PST) (envelope-from cat@reptiles.org) Received: from mailbox.reptiles.org (rootgecko.reptiles.org@mailbox.reptiles.org [198.96.210.227]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0CM0iet007038 for ; Mon, 12 Jan 2009 14:00:47 -0800 (PST) Received: from (invalid client hostname: the DNS A record for the hostname 'www.reptiles.ca' does not match the address [198.96.210.227])www.reptiles.ca ([198.96.210.227] port=50277) by mailbox.reptiles.org([198.96.210.227] port=25) via TCP with esmtp (1923 bytes) (sender: ) (ident using UNIX) id for ; Mon, 12 Jan 2009 17:00:42 -0500 (EST) (Smail-3.2.0.121 2005-Nov-17 #4 built 2006-Nov-28) Date: Mon, 12 Jan 2009 17:00:41 -0500 (EST) From: Cat Okita To: "Simon, Wesley" In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB9A6@cosmail02.lsi.com> Message-ID: <20090112165805.J6482@gecko.reptiles.org> References: <8CEE3947B21C6946A5CFDFA589C276CB84FCB9A6@cosmail02.lsi.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE mailing list Subject: Re: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2009 22:00:48 -0000 On Mon, 12 Jan 2009, Simon, Wesley wrote: > Number of people: 2, there are some remote hands-on people that can be > utilized. > This is an engineering software development organization spanning 7 sites > and 5 time zones: ~1000 users. > Mostly remote access. > > Your other questions are details that need to be considered: compensation, > who can call, response time, etc. 
To put it pretty bluntly, I can't think of a way to have 2 people on any
sort of 'busy' on-call rotation that doesn't burn out both people. What
type of work are you doing? Is this "the clearcase server is down" or
"I don't understand how clearcase works, please hold my hand"?

Do you get a lot of after hours calls? Spanning 5 time zones w/ ~1000
users, I'd have to suspect that there's always -something-.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

From kurt.buff@gmail.com Mon Jan 12 14:02:55 2009
Date: Mon, 12 Jan 2009 13:57:49 -0800
From: "Kurt Buff"
To: "Cat Okita"
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
In-Reply-To: <20090112163859.G6482@gecko.reptiles.org>

On Mon, Jan 12, 2009 at 1:43 PM, Cat Okita wrote:
> On Mon, 12 Jan 2009, Simon, Wesley wrote:
>>
>> I am trying to get our management to adopt an on-call policy. Does anyone
>> on here have experience with going from no policy to one that works and is
>> fair? Also, what kind of policies do you have?
>
> Heh. That's rather like saying "I'd like to buy a car" without adding in
> any other information :)
>
> There's a lot of things that play into an on-call policy.
> In no order at
> all, a few things to think about:
>
> - how many people are involved
> - what are you supporting
> - how critical is what you're supporting
> - what response time is expected
> - what can you be called for
> - is compensation involved
> - is remote access available, or is this on-site work
> - who can call you
> - is there unique expertise that will pull in people that aren't on
> call
>
> Obviously a case of "50-odd people on call for dire emergencies in 1 week
> rotations" is wildly different from "1 person on call 7x24x365"

Truth.

Our IT department has nine people. It's divided into the infrastructure team (of which I'm the supervisor) and the business systems team, which the IT director supervises. Not a large environment.

Kurt

From hoogendyk@bio.umass.edu Mon Jan 12 14:07:10 2009
Date: Mon, 12 Jan 2009 17:07:05 -0500
From: Chris Hoogendyk
To: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <496BBF09.5010207@bio.umass.edu>
In-Reply-To: <20090112163859.G6482@gecko.reptiles.org>

Cat Okita wrote:
> On Mon, 12 Jan 2009, Simon, Wesley wrote:
>> I am trying to get our management to adopt an on-call policy. Does
>> anyone on here have experience with going from no policy to one that
>> works and is fair? Also, what kind of policies do you have?
>
> Heh. That's rather like saying "I'd like to buy a car" without adding in
> any other information :)
>
> There's a lot of things that play into an on-call policy. In no order at
> all, a few things to think about:
>
> - how many people are involved
> - what are you supporting
> - how critical is what you're supporting
> - what response time is expected
> - what can you be called for
> - is compensation involved
> - is remote access available, or is this on-site work
> - who can call you
> - is there unique expertise that will pull in people that aren't
> on call
>
> Obviously a case of "50-odd people on call for dire emergencies in 1 week
> rotations" is wildly different from "1 person on call 7x24x365"

AND you forgot to mention whether there is a union involved or not. ;-)

We get a fairly minimal additional compensation if we are required to carry a beeper or cell phone and be on call. If we are called, then we get time and a half for the extra time. More on holidays. If we choose, we can get comp time instead of the extra pay, but it has to be given in the same ratio, i.e. time and a half.
I believe there were also some technical regulatory items that required heavy lawyers on both sides to figure out -- classified vs. non classified employees for example. The Feds got into that and we ended up getting back compensation (retroactive). Since I'm neither a lawyer nor a union rep, I don't recall all the details -- only that I had to go back through my notes, emails, and logbooks for the last couple of years to document when I had done overtime or on call.

I'm sure there are also differences between private sector and government (we are a state institution).

--
---------------
Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

---------------

Erdös 4

From cat@reptiles.org Mon Jan 12 14:13:08 2009
Date: Mon, 12 Jan 2009 17:13:01 -0500 (EST)
From: Cat Okita
To: "Simon, Wesley"
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <20090112170936.T6482@gecko.reptiles.org>
In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB9BA@cosmail02.lsi.com>

On Mon, 12 Jan 2009, Simon, Wesley wrote:
> Our after-hours support would consist of emergencies such as the clearcase
> server is down or the power in Bangalore bounced (again). Items such as
> "please reset my password" and "could you restore foo.c?" will wait until
> business hours.

How often does that happen? I know I've been on the hook for "critical
issues only" before -- and then had a month-or-two of critical issues[0].

Are you allowed to sleep in after a night of dealing with issues in
Bangalore? (12h-or-so out from North America, for folk that don't want to
look it up)

cheers!

[0] Which, like the power in Bangalore bouncing (again) weren't in any
respect under my control...
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
From Wesley.Simon@lsi.com Mon Jan 12 14:17:57 2009
Date: Mon, 12 Jan 2009 15:17:48 -0700
From: "Simon, Wesley"
To: Cat Okita
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <8CEE3947B21C6946A5CFDFA589C276CB84FCB9D3@cosmail02.lsi.com>
In-Reply-To: <20090112170936.T6482@gecko.reptiles.org>

These things do not happen often; once a quarter to once a month. If I'm up at night, I do compensate my time as best I can.

Wesley Simon
316.636.8078

-----Original Message-----
From: Cat Okita [mailto:cat@reptiles.org]
Sent: Monday, January 12, 2009 4:13 PM
To: Simon, Wesley
Cc: SAGE mailing list
Subject: RE: [SAGE] on-call policy

On Mon, 12 Jan 2009, Simon, Wesley wrote:
> Our after-hours support would consist of emergencies such as the clearcase
> server is down or the power in Bangalore bounced (again). Items such as
> "please reset my password" and "could you restore foo.c?" will wait until
> business hours.

How often does that happen? I know I've been on the hook for "critical
issues only" before -- and then had a month-or-two of critical issues[0].

Are you allowed to sleep in after a night of dealing with issues in
Bangalore? (12h-or-so out from North America, for folk that don't want to
look it up)

cheers!

[0] Which, like the power in Bangalore bouncing (again) weren't in any
respect under my control...
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
From Wesley.Simon@lsi.com Mon Jan 12 14:20:06 2009
Date: Mon, 12 Jan 2009 15:04:26 -0700
From: "Simon, Wesley"
To: Cat Okita
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <8CEE3947B21C6946A5CFDFA589C276CB84FCB9BA@cosmail02.lsi.com>
In-Reply-To: <20090112165805.J6482@gecko.reptiles.org>

Our after-hours support would consist of emergencies such as the clearcase server is down or the power in Bangalore bounced (again). Items such as "please reset my password" and "could you restore foo.c?" will wait until business hours.

Wesley Simon
316.636.8078

-----Original Message-----
From: Cat Okita [mailto:cat@reptiles.org]
Sent: Monday, January 12, 2009 4:01 PM
To: Simon, Wesley
Cc: SAGE mailing list
Subject: RE: [SAGE] on-call policy

On Mon, 12 Jan 2009, Simon, Wesley wrote:
> Number of people: 2, there are some remote hands-on people that can be
> utilized.
> This is an engineering software development organization spanning 7 sites
> and 5 time zones: ~1000 users.
> Mostly remote access.
>
> Your other questions are details that need to be considered: compensation,
> who can call, response time, etc.

To put it pretty bluntly, I can't think of a way to have 2 people on any
sort of 'busy' on-call rotation that doesn't burn out both people. What
type of work are you doing? Is this "the clearcase server is down" or
"I don't understand how clearcase works, please hold my hand"?

Do you get a lot of after hours calls? Spanning 5 time zones w/ ~1000
users, I'd have to suspect that there's always -something-.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
From rskiadmin@chycoski.com Mon Jan 12 14:37:06 2009
Date: Mon, 12 Jan 2009 14:24:31 -0800
From: Richard Chycoski
Reply-To: rskiadmin@chycoski.com
To: "N.J. Thomas"
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <496BC31F.4090603@chycoski.com>
In-Reply-To: <20090112215549.GF91938@zaph.org>

N.J. Thomas wrote:
> * Simon, Wesley [2009-01-12 14:34:45+0000]:
>> I am trying to get our management to adopt an on-call policy. Does
>> anyone on here have experience with going from no policy to one that
>> works and is fair?
>
> Some suggestions off the top of my head from past experience:
>
> - at one place I was at, we had a toll-free 800 number that was
> rotated to point at the cell of the person who was on call; at any
> given time a user could call the 800 number and reach the on-call
> sysadmin for that week; kind of expensive for small shops, but
> very useful for larger places where you deal with many non-tech
> people

You can do this 'for free' (or almost free) if you just use a local on your existing phone system to be forwarded.

At $WORK we get a small amount of pay for being on call, more if we actually get called, and more again for 5+ and 15+ hours of service. (The amounts aren't huge, and if the 15+ turns into much more than 15+, it can dwindle in the direction of minimum wage.)

Another suggestion is to pay for the actual number of hours served, with a minimum of (say) one hour's compensation for a call, and perhaps four hours if required to come on site. (This was how it worked at previous $WORK for the unionised employees.)

This pay-to-play scenario is useful for two reasons: The support staff get compensated. This is good. But even more importantly, overuse becomes a monetary issue for the department, so calling for trivial or non-urgent issues can be discouraged. This worked especially well at $WORK-1 when the department that owned the service was required to pay for out-of-hours calls. A lot of the systems were reduced in priority to can-wait-for-the-next-day service when it came down to money, which also reduced the burden on the on-call staff.

It's important that high priority systems are kept functioning, but your support staff won't function well if being continuously paged outside of work hours.
And with such a small pool of staff, you can quickly get overwhelmed by calls. Your policies need to be really specific about what constitutes a valid reason to call, and have defined (or at least dire) consequences for misuse. Even at current $WORK we get paged directly by client groups (which is completely against policy) - and we come down hard on offenders (directors start talking to directors, or VPs to VPs). Make sure that you don't get taken advantage of just because the work is being compensated - you need to have a life, too!

- Richard
[ Who is obviously not a big fan of being on call, even if it is a necessary evil. ;-]

From dannyman@toldme.com Mon Jan 12 15:14:09 2009
Date: Mon, 12 Jan 2009 14:40:51 -0800
From: "Daniel Howard"
To: "Simon, Wesley"
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <2a5241e00901121440o608900b9y123a368a77ac07aa@mail.gmail.com>
In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com>

On Mon, Jan 12, 2009 at 1:34 PM, Simon, Wesley wrote:
> Hi everyone,
>
> I am trying to get our management to adopt an on-call policy. Does anyone
> on here have experience with going from no policy to one that works and is
> fair? Also, what kind of policies do you have?

I have worked at numerous small companies where it was not unusual for me to pretty much be "on call" permanently. But now I work at a very large corporation where I'm on-call about one week every two months, with bonus pay.

I would say that even if you have only two people, switching off primary-secondary on a weekly basis is a good way to go. Why? Because an uninterrupted night's sleep keeps a SysAdmin less weird. Being on-call all the time without a rotation is just begging for burn out.

We have the escalations set up in Nagios: page comes in, must be acked in fifteen minutes, else the page goes out again, and hits primary and secondary. After that tertiary goes up the management chain.

At my current environment, we're also flexible about the on-call person catching up on sleep the morning after a rough night. As much as I have enjoyed working in small shops, I gotta admit there are niceties to the Corporate Collective.

Also, we hand off a physical pager, but I also channel pages to my phone as well, because sometimes messages will lag or signal will be spotty for one service or the other. Messages on my cell just go "beep" whereas the pager will yell and scream and vibrate as loudly as it can until I read the message.

But yeah, an on-call rotation, even if it's just two people doing primary-secondary, definitely beats no on-call policy.
Cheers,
-danny
--
http://dannyman.toldme.com

From phred@frii.com Mon Jan 12 15:26:36 2009
Date: Mon, 12 Jan 2009 15:57:29 -0700
From: Ray Frush
To: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <496BCAD9.1080004@frii.com>
In-Reply-To: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com>

Simon, Wesley wrote:
> Hi everyone,
>
> I am trying to get our management to adopt an on-call policy. Does anyone on here have experience with going from no policy to one that works and is fair?
> Also, what kind of policies do you have?
>

Our company has various teams assigned to do support per site. If a site doesn't have enough support staff, no systems requiring 7x24 support are installed. The small sites may have extended support hours, but only on a "best effort" basis.

To compensate for being on the on-call rotation, we have "Guaranteed Availability Pay" or GAP that is a percentage of our base salary that's included in every paycheck. If the rotation has 4 people, the GAP percentage is higher than if there are 6 people on rotation. We've found it impractical to have a 7x24 on-call rotation with 2 people (or less). At 6 week rotations, I found I had to spend more time in the documentation to remind myself how to do a task. Four weeks/people seems to be an ideal number as you're on call enough to stay aware of any ongoing issues/procedures.

While on GAP pay, during your week in the rotation (1 out of 4) these are the expectations (SLA):

1) You will respond (soberly) by phone, chat, or remote login within 15 minutes.
2) You will be able to be on-site in less than 1 hour if needed.

All of this is 7x24 of course. Requirement #2 prevents the on-call person from doing things like going for a long hike, or skiing or down to the next city (60 miles) to see a show during their week in the rotation.

Without the GAP pay, any after hours support becomes "best effort". The idea of GAP pay is to provide some compensation for the inconvenience of being on-call, and some positive incentive to answer the pager at 2:45am.

A "negative incentive" version of this is to require the same level of on-call response, and threaten to fire employees if they don't respond according to the SLA. There's a major employer in town here that does not pay for on-call, calling it a requirement of the position. I don't work there ;-) ...
--
Ray Frush

From dmagda@ee.ryerson.ca Mon Jan 12 17:58:14 2009
Date: Mon, 12 Jan 2009 19:52:58 -0500
From: David Magda
To: Cat Okita
Cc: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-Id: <0CD06432-4522-4A16-BE00-3A1CE7194F0B@ee.ryerson.ca>
In-Reply-To: <20090112165805.J6482@gecko.reptiles.org>

On Jan 12, 2009, at 17:00, Cat Okita wrote:

> To put it pretty bluntly, I can't think of a way to have 2 people on any
> sort of 'busy' on-call rotation that doesn't burn out both people. What
> type of work are you doing? Is this "the clearcase server is down" or
> "I don't understand how clearcase works, please hold my hand"?

I worked at a place where it was only two of us, and it was two weeks on, two weeks off. Worked well enough.

From matt@conundrum.com Tue Jan 13 09:49:41 2009
Date: Tue, 13 Jan 2009 12:49:17 -0500
From: Matthew Pounsett
To: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-Id: <44EA4254-14AD-43B1-A857-DFD16D49B805@conundrum.com>
On 12-Jan-2009, at 17:24, Richard Chycoski wrote:
> Even at current $WORK we get paged directly by client groups (which
> is completely against policy) - and we come down hard on offenders
> (directors start talking to directors, or VPs to VPs). Make sure
> that you don't get taken advantage of just because the work is being
> compensated - you need to have a life, too!

I'm not a big fan of clients having direct access to engineers' pagers or phones. It's much better to have some sort of intermediary (tech support, or an answering service) contact the engineer, who can then get back to the client when necessary to provide reassurance, ask questions, or whatever other followup is necessary. I think it's important for protection of staff (clients can get pushy and impatient -- they're the worst micro-managers ever), and it prevents the bad situation of the client speaking to a staff member who's in the process of waking up after only three hours of sleep ("Whaaa? Who is this? Can you repeat that? Why are you calling me at 4am?").

I once built a config for Asterisk that would authenticate a caller, take a message, and then start phoning numbers down an on-call list until it reached someone conscious and sober enough to punch in the right sequence to acknowledge the call. It would play them the message the client left, and then leave it to that staffer to handle the issue from there on. Assign a dedicated phone number to that instruction sequence and you've got a pretty good after-hours support service, without requiring any additional staff.

Matt

From matt@conundrum.com Tue Jan 13 10:43:31 2009
From: Matthew Pounsett
To: John Miller
Cc: SAGE mailing list
Date: Tue, 13 Jan 2009 13:43:02 -0500
Subject: Re: [SAGE] on-call policy
Message-Id: <89316441-C22D-402B-AC23-AAFCBD288E17@conundrum.com>
In-Reply-To: <496CDFF0.7060102@oregonmetro.gov>

On 13-Jan-2009, at 13:39, John Miller wrote:
> Matthew Pounsett wrote:
>
>> I once built a config for Asterisk that would authenticate a caller,
>> take a message, and then start phoning numbers down an on-call list
>
> Can we have that!? :^)

Hehheh. I'll see if I can find it. As I recall, it didn't turn out to be that hard to implement. I think it probably took me two or three days of effort, including the self-education that was necessary since I was pretty new to Asterisk at the time.

Matt

From John.Miller@oregonmetro.gov Tue Jan 13 10:51:33 2009
From: John Miller
To: Matthew Pounsett
Cc: SAGE mailing list
Date: Tue, 13 Jan 2009 10:39:44 -0800
Subject: Re: [SAGE] on-call policy
Message-ID: <496CDFF0.7060102@oregonmetro.gov>
In-Reply-To: <44EA4254-14AD-43B1-A857-DFD16D49B805@conundrum.com>
Matthew Pounsett wrote:
> I once built a config for Asterisk that would authenticate a caller,
> take a message, and then start phoning numbers down an on-call list
> until it reached someone conscious and sober enough to punch in the
> right sequence to acknowledge the call. It would play them the
> message the client left, and then leave it to that staffer to handle
> the issue from there on. Assign dedicated phone number to that
> instruction sequence and you've got a pretty good after-hours support
> service, without requiring any additional staff.

Can we have that!? :^)

John
--
John Miller, System Architect
Information Services
Metro
503-797-1677
john.miller@oregonmetro.gov
www.oregonmetro.gov
Metro | People places. Open Spaces.

From dsf@catbert.org Tue Jan 13 11:33:02 2009
From: Dan Foster
To: SAGE mailing list
Date: Tue, 13 Jan 2009 14:23:44 -0500
Subject: [SAGE] Don't shout at your disk drives!
Message-ID: <20090113192343.GA9320@catbert.org>
Another I/O performance tuning tip for DBAs and storage engineers:

http://www.channelregister.co.uk/2009/01/05/shouty_sun_engineer/

Interesting YouTube video from a Sun engineer with visual benchmarked data in real time to support his interesting claim.

So... can I safely conclude that sites with high disk I/O wait must have a lot of red-faced people working in the data centers or loud fans with broken ball bearings? ;)

I can just see it now: flaky server is on the verge of drive failure. Angry admin screams at it out of frustration. Server dies. Hmm. Coincidence? ;)

This was too good to resist passing up a mention of.

-Dan

From doebel@os.inf.tu-dresden.de Tue Jan 13 13:55:14 2009
From: Björn Döbel
To: sage-members@mailman.sage.org, sage-announce@mailman.sage.org
Date: Tue, 13 Jan 2009 22:55:08 +0100
Subject: [SAGE] Project on improving performance analysis in IT administration
Message-ID: <496D0DBC.5040402@os.inf.tu-dresden.de>
Dear all,

in our research project, we are trying to automate the process of analyzing performance anomalies. We therefore try to understand why the measured performance in a system varies and how we can use performance monitoring to generate robust performance models for certain applications.

Our goal is to help both application developers and system administrators. We want to help developers by reporting to them the top-k performance problems in the field. Common questions we aim to answer are:

* What are the worst-k performing instances of my application? Return a "performance signature" that allows me to replicate the problem.
* How do the worst-k performing instances differ from the best-k performing instances? Is the problem related to hardware constraints (few resources) or a misconfiguration?

In connection with this project, we are carrying out a small survey that aims to help us understand the problems and state-of-the-art solutions to performance problems that are currently employed by system administrators and software developers. This is why we would appreciate it if you could give us 10 minutes of your time to answer the questions at

http://os.inf.tu-dresden.de/~doebel/survey/admins.php

The results of the survey will be shared with the community through a scientific publication. All participants of the survey will get the chance to take part in a lottery for a 50 EUR Amazon gift card.

Thanks a lot for helping us with that.
Kind regards,
Eno Theresa, MS Research Cambridge/UK
Bjoern Doebel, TU Dresden, Germany

From jdunn@aquezada.com Tue Jan 13 20:22:47 2009
From: "Julian C. Dunn"
To: sage-members@sage.org
Organization: Aquezada Productions
Date: Wed, 14 Jan 2009 04:13:42 +0000
Subject: Re: [SAGE] on-call policy
Message-Id: <1231906422.3720.22.camel@jupiter.acf.aquezada.com>
In-Reply-To: <496BC31F.4090603@chycoski.com>

On Mon, 2009-01-12 at 14:24 -0800, Richard Chycoski wrote:
> > Some suggestions off the top of my head from past experience:
> >
> > - at one place I was at, we had a toll-free 800 number that was
> > rotated to point at the cell of person who was on call; at any
> > given time a user could call the 800 number and reach on call
> > sysadmin for that week; kind of expensive for small shops, but
> > very useful for larger places where you deal with many non-tech
> > people
>
> You can do this 'for free' (or almost free) if you just use a local on your
> existing phone system to be forwarded.
The phone company will also sell you packages to do this. Since we're in Canada, we use a service from Bell called Single Number Reach. They give you a nice web interface where you can configure a basic IVR and forwarding numbers.

We don't give clients direct access to this number. After-hours, clients must call the central Shared Services Organization desk to get help, and only if the issue is urgent enough does someone get paged (by the SSO operator). My team is on-call only for "incidents" (in ITIL parlance). "Requests" like "please give me additional permissions" or "I have a new employee starting, can s/he have an account" are handled only during business hours. [1] There are usually two people on-call in a given week.

The context of this all is that I work for a medium-sized Crown corporation. We're compensated a flat $2.00/h for every hour on-call, in addition to time worked. Each call is a minimum three hour charge according to the Canadian Labour Code, at an established rate for the time and day. Calls between 12 a.m. - 6 a.m. attract a 15% premium.

All told, the system works fairly well for us. I find that the best way to make sure on-call is not abused is: a) introduce some monetary incentive (for the employees), which is also a monetary "disincentive" for the customers to abuse the staff on-call; b) define sensible conditions under which staff can or cannot be called.

- Julian

[1] If requests do slip through and are done after hours, we charge back the costs directly to the customer's budget. Incidents are paid for by our budget.

--
[ Julian C. Dunn                              * Sorry, I'm   ]
[ WWW: http://www.aquezada.com/staff/julian   * only Web 1.0 ]
[ gopher://sdf.lonestar.org/11/users/keymaker * compliant!   ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9    ]

From brontolinux@gmail.com Wed Jan 14 02:32:22 2009
From: "Marco Marongiu"
To: sage-members@sage.org
Date: Wed, 14 Jan 2009 11:27:18 +0100
Subject: [SAGE] SSL bureaucracy
Message-ID: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com>

Dear colleagues,

I am having a few problems with SSL, and Google returns too many false positives to be useful. There is too much crap on the subject, or I am just doing it wrong.

Preface: I technically know how SSL is useful in providing connection encryption, server and client authentication and so on. What I am not familiar with are the bureaucracies connected to the process of getting a certificate and putting it in place. I'd be glad if someone could answer the following questions and possibly provide a pointer to some useful documentation on the subject.

The problem: we have to secure a number of web servers (= provide encryption and server authentication to clients).

Q1: SSL doesn't allow multiple certificates for different domain names on the same IP, right? So we thought to ask for wildcard, multidomain certificates, which we would use on the aforementioned server and, we hoped, on others. Actually, this doesn't appear to be the case. In fact, to install that certificate in more than one host, you should buy extra Licenses, and each one costs about twice a single-server certificate.

Q2: It is not clear to me (yet) if we need a license per server or per IP - e.g., if you have a load balancer hiding N servers behind it, do you need one license for the load balancer or N licenses for the N servers?
What are the answers to the questions Q1 and Q2? Is the above the real thing? If not, how does it work exactly?

Ciao
--Marco

PS: If the above is right, it looks like a common operations research problem [counting the IPs/servers he needs the certificates on, one must deduce which combination is cheaper in A*(wildcards)+B(licenses)+C(single-server) with the given constraints]. But it's ten years since I had the exam at the University :-D

From samj@samj.net Wed Jan 14 03:11:26 2009
From: "Sam Johnston"
To: "Marco Marongiu"
Cc: sage-members@sage.org
Date: Wed, 14 Jan 2009 12:06:09 +0100
Subject: Re: [SAGE] SSL bureaucracy
Message-ID: <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com>
In-Reply-To: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com>
On Wed, Jan 14, 2009 at 11:27 AM, Marco Marongiu wrote:
>
> The problem: we have to secure a number of web servers (= provide
> encryption and server authentication to clients).
>
> Q1: SSL doesn't allow multiple certificates for different domain names
> on the same IP, right?
>

Not exactly - you probably want to have one certificate for each IP/port tuple (which is to say you can run multiple servers, but only one on 443 giving a 'clean' https:// URL without a port number). Second and subsequent URLs would look something like https://acme.com:8443/ (and may have problems with firewalls etc.). You can however have wildcards, and there are developments which allow the client to specify which certificate to use during the handshake (something akin to the Host: header) but I'm not sure where we're at with deploying that in clients & servers. Indeed unnecessary burning of IPs makes SSL that little bit more expensive.

> So we thought to ask for wildcard, multidomain certificates, which we
> would use on the aforementioned server and, we hoped, on others.
> Actually, this doesn't appear to be the case. In fact, to install that
> certificate in more than one host, you should buy extra Licenses, and
> each one costs about twice a single-server certificate.
>

That depends on who you ask, but in any case you should probably avoid having the same private key across multiple servers. You may want to look at a reverse proxy like Pound.

> Q2: It is not clear to me (yet) if we need a license per server or per
> IP -e.g., if you have a load balancer hiding N servers behind it, do
> you need one license for the load balancer or N licenses for the N
> servers?
>

That depends on the CA - it may just be that you're talking to the wrong one.
At the end of the day a cheap cert has similar coverage and result (the padlock) to an expensive one even if the checks are done to a different level.

Sam

> What are the answers to the questions Q1 and Q2? Is the above the real
> thing? If not, how does it work exactly?
>
> Ciao
> --Marco
>
> PS: If the above is right, it looks like a common operating research
> problem [counting the IPs/servers he needs the certificates on, one
> must deduce which combination is cheaper in
> A*(wildcards)+B(licenses)+C(single-server) with the given
> constraints]. But it's ten years since I had the exam at the
> University :-D
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

From jco@direwolf.com Wed Jan 14 05:41:03 2009
From: John Orthoefer
To: sage-members@sage.org
Date: Wed, 14 Jan 2009 08:35:20 -0500
Subject: Re: [SAGE] SSL bureaucracy
Message-Id: <71314E83-AAC3-41FB-93E5-CBD149898387@direwolf.com>
In-Reply-To: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com>
> Q1: SSL doesn't allow multiple certificates for different domain names
> on the same IP, right?

It sounds like you want to do name virtual hosting. And that doesn't work with SSL, because Name Virtual Hosting is based off of reading the http header. By the time you get the http header, so you can know what cert to present, the SSL connection is all set up; it's a chicken and egg problem. There is an extension to TLS called SNI which allows things to work (which presents the domain name in the SSL header.) But IE 6 and 7 under XP don't support it, which means it's unacceptable for use by a lot of people.

> Q2: It is not clear to me (yet) if we need a license per server or per
> IP -e.g., if you have a load balancer hiding N servers behind it, do
> you need one license for the load balancer or N licenses for the N
> servers?

This is a licensing thing, but the CAs I've dealt with allow you to use the cert on some small number of machines, like 3-5 machines. Normally, you do SSL all the way to the server, and allow the LB to do what it's good at, which is dealing with connections across the machines, and not make it do the encryption for every connection, which would generate additional load.

johno

From g.lams@itcilo.org Wed Jan 14 07:21:28 2009
From: Gaël Lams
To: "Marco Marongiu"
Cc: sage-members-bounces@mailman.sage.org, sage-members@sage.org
Date: Wed, 14 Jan 2009 15:21:34 +0100
Subject: Re: [SAGE] SSL bureaucracy
In-Reply-To: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com>
Hi

> So we thought to ask for wildcard, multidomain certificates, which we
> would use on the aforementioned server and, we hoped, on others.
> Actually, this doesn't appear to be the case. In fact, to install that
> certificate in more than one host, you should buy extra Licenses, and
> each one costs about twice a single-server certificate.

We bought the DigiCert wildcard certificates. You can install it on an unlimited number of servers. When I did the research 3 years ago it seemed to be the more interesting offer. We only had to call support once (had a problem in using the certificate on Tomcat) and the answer was fast.

Regards,
Gael

From sage@richfox.org Wed Jan 14 08:05:14 2009
From: sage@richfox.org
To: sage-members@sage.org
Reply-To: sage@richfox.org
Date: Wed, 14 Jan 2009 10:58:27 -0500 (EST)
Subject: [SAGE] SSL Wildcard Cert Issues

Hi,

Another thread has piqued my already simmering curiosity on this topic. I'm interested in hearing specific negative aspects of SSL wildcard certificates. I'm aware of the following:

* The problem of a wildcard cert being used to misrepresent a nefarious server in the event a cert has been compromised.
* The problem of revocation for an entire fleet of SSL servers in the event of cert compromise.

What other arguments can be made against using them?

Thanks,
Rich.
--

From apthorpe@cynistar.net Wed Jan 14 08:28:04 2009
From: Bob Apthorpe
To: sage-members@sage.org
Date: Wed, 14 Jan 2009 09:59:30 -0600
Subject: Re: [SAGE] SSL bureaucracy
Message-ID: <496E0BE2.3080405@cynistar.net>
In-Reply-To: <71314E83-AAC3-41FB-93E5-CBD149898387@direwolf.com>
format=flowed Content-Transfer-Encoding: 7bit X-Cynistar-MailScanner-Information: Please contact for more information X-Cynistar-MailScanner: Found to be clean X-Cynistar-MailScanner-SpamCheck: not spam, SpamAssassin (score=-14.9, required 7, BAYES_00 -15.00, RDNS_DYNAMIC 0.10) X-Cynistar-MailScanner-From: apthorpe@cynistar.net X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2009 16:28:05 -0000 Hi, John Orthoefer wrote: > Normally, you do SSL all the way to the server, and allow the LB to do > what it's good at which is dealing with connections across the machines, > and not make it do the encryption for every connection which would > generate additional load. Depending on the amount of traffic you take and how poorly your web applications are designed, you may need to put the cert on the load balancer and leave the remaining short length of internal pipe unencrypted. At my previous employer we got an edict to secure all logins using our LDAP-based credentials. The central computing organization was unhelpful ("they're your apps; you figure it out..."), the apps were either third-party or scattered internal apps using ColdFusion and IIS under Win2K, and jumping through the hoops to get the certs to work with IIS was not worth the effort. It was just simpler to drop a standard PEM-formatted cert on the load balancer and set a redirect on the local boxes to bounce port 80 traffic back out to 443 with exceptions for pages that don't need encryption (it was a budget load balancer.) Eventually we got a wildcard cert and installed it everywhere for everything which was cost-effective and much easier to manage. 
This leads to another question: usually web apps keep their authentication in-band with normal traffic. Is there any application development guidance on separating out authentication and other should-be-encrypted sections of a site so they can be run under a shared SSL-protected hostname? For sites without an actual budget, the wildcard cert is prohibitively expensive and it'd be much easier to use the same SSL-protected hostname for all login traffic regardless of the application or virtual host the traffic ultimately goes to. Very few applications are designed to take into account virtual hosting and fiddling with per-application redirection rules is a path to madness. It'd be nice to hand[1] developers a guide on how to structure an application (a la the FHS) to allow secured login in a shared hosting environment. I don't think many application developers even see this as an issue, some might be convinced that it's a good idea to implement, but I expect the ops community needs to drive this if it's going to happen. Federated authentication, SSO, and SSOish systems like OpenID are reasonable steps, but I doubt many ops organizations want to take on implementing such systems, especially when the applications still need to be modified to take advantage of them. -- Bob [1] Or to wrap around a brick and beat them mercilessly with, depending on the vendor, department, or open-source project.
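Bob's note above about putting one wildcard cert on everything, and the later exchange in this thread about whether *.toto.com covers pop3.eu.toto.com, both come down to how a client matches a wildcard name against the host it connected to. The following is an added example written for this page, not code posted by anyone on the list. It implements the RFC 2818 section 3.1 rule that Nick Brockner quotes later in the thread (a `*` matches one label or a fragment of one, so *.a.com covers foo.a.com but not bar.foo.a.com), and behind a `strict` flag a simplified form of the tighter rule current browsers and TLS libraries apply (the wildcard must be the entire left-most label, with at least two labels after it). The strict rule, the `fleet_coverage` helper and all host names are assumptions of the example, not facts from the thread.

```python
"""Wildcard certificate name matching, added as an example for this page.

Not code from the SAGE thread.  Host names below are made up for the demo
(they reuse the thread's toto.com domain).  Loose mode implements the text of
RFC 2818 section 3.1; strict mode is a simplified whole-left-most-label rule
as modern clients apply it (an assumption of this example, not something the
thread states).
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label.  RFC 2818 lets '*' stand for a whole label or a
    fragment of one, so 'f*' matches 'foo'.  Labels are compared one at a
    time, which is what stops a wildcard from ever spanning a dot."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    head, _, tail = pattern_label.partition("*")
    if "*" in tail:          # more than one wildcard in a label: refuse it
        return False
    return (len(host_label) >= len(head) + len(tail)
            and host_label.startswith(head)
            and host_label.endswith(tail))


def matches(pattern: str, hostname: str, strict: bool = False) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    strict=False: the RFC 2818 rule quoted in the thread.
        *.a.com matches foo.a.com but not bar.foo.a.com
        f*.com  matches foo.com  but not bar.com
    strict=True: additionally the wildcard must be the entire left-most
        label and at least two labels must follow it, so f*.com, foo.*.com
        and *.com are all refused.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in h_labels:
        return False          # malformed host name (empty label)
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never absorbs a dot (or a label)
    if strict and "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False      # *.com would cover an entire TLD
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def fleet_coverage(cert_names, hostnames, strict=False):
    """Map each host to the certificate name that covers it, or None.

    This is the check to run before installing one wildcard cert
    'everywhere': hosts one level deeper than the wildcard come back None.
    `cert_names` is the CN plus any dNSName SANs of the certificate.
    """
    return {
        host: next((n for n in cert_names if matches(n, host, strict)), None)
        for host in hostnames
    }


# Constructed demo data: one wildcard cert and the hosts it might be put on.
CERT_NAMES = ["*.toto.com"]
FLEET = [
    "www.toto.com",               # covered
    "pop3.toto.com",              # covered
    "pop3.eu.toto.com",           # one level too deep: not covered
    "toto.com",                   # bare domain: not covered by *.toto.com
    "www.toto.com.evil.example",  # lookalike: not covered
]

if __name__ == "__main__":
    for host, covered_by in fleet_coverage(CERT_NAMES, FLEET).items():
        status = "OK" if covered_by else "FAIL"
        print(f"{host:28} {status:4} {covered_by or ''}")
```

Run it with the names your own wildcard certificate carries and the hostnames you intend to serve from it; every `FAIL` row is a host that will throw a certificate name mismatch in a conforming client, whichever server the cert is installed on.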
From seph@directionless.org Wed Jan 14 11:21:01 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0EJL0Vu032850 for ; Wed, 14 Jan 2009 11:21:01 -0800 (PST) (envelope-from seph@directionless.org) Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com [66.111.4.25]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0EJKuc1011651 for ; Wed, 14 Jan 2009 11:21:00 -0800 (PST) Received: from compute1.internal (compute1.internal [10.202.2.41]) by out1.messagingengine.com (Postfix) with ESMTP id 3B302211F72; Wed, 14 Jan 2009 14:20:56 -0500 (EST) Received: from heartbeat1.messagingengine.com ([10.202.2.160]) by compute1.internal (MEProxy); Wed, 14 Jan 2009 14:20:56 -0500 X-Sasl-enc: 2lyre6fnIJq9Ub+OS3ELMjhv0pL3aUy0Q7238+1qwatF 1231960854 Received: from bastion.directionless.org (c-98-216-105-238.hsd1.ma.comcast.net [98.216.105.238]) by mail.messagingengine.com (Postfix) with ESMTPSA id E4C8217D24; Wed, 14 Jan 2009 14:20:54 -0500 (EST) Received: by bastion.directionless.org (sSMTP sendmail emulation); Wed, 14 Jan 2009 14:20:54 -0500 From: seph To: sage@richfox.org References: Date: Wed, 14 Jan 2009 14:20:54 -0500 In-Reply-To: (sage@richfox.org's message of "Wed, 14 Jan 2009 10:58:27 -0500 (EST)") Message-ID: User-Agent: Gnus/5.110008 (No Gnus v0.8) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=1 Fuz2=1 rep=23% Cc: sage-members@sage.org Subject: Re: [SAGE] SSL Wildcard Cert Issues X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2009 19:21:02 -0000 sage@richfox.org writes: > Another thread has piqued my already simmering curiosity on this > topic. 
I'm interested in hearing specific negative aspects of SSL > wildcard certifications. Microsoft used to be against them, old IE didn't support them. But that was a long time ago, and I think anything since IE6 should have native support. seph

From silkey@ece.utexas.edu Wed Jan 14 13:12:55 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0ELCtif036063 for ; Wed, 14 Jan 2009 13:12:55 -0800 (PST) (envelope-from silkey@ece.utexas.edu) Received: from mail02.ece.utexas.edu (postfix@mail02.ece.utexas.edu [128.83.59.39]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0ELCq8U014403 for ; Wed, 14 Jan 2009 13:12:55 -0800 (PST) Received: from fuzz.its.yale.edu (fuzz.its.yale.edu [128.36.186.133]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: silkey) by mail02.ece.utexas.edu (Postfix) with ESMTP id 7F05E81C9; Wed, 14 Jan 2009 14:49:16 -0600 (CST) Message-ID: <496E4FCB.8000005@ece.utexas.edu> Date: Wed, 14 Jan 2009 15:49:15 -0500 From: Nick Silkey User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: Marco Marongiu References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> In-Reply-To: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> X-Enigmail-Version: 0.95.7 OpenPGP: id=35EB31E2; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x35EB31E2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members."
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2009 21:12:56 -0000

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Marco Marongiu wrote: > Q1: SSL doesn't allow multiple certificates for different domain names > on the same IP, right? If you're using name-based virtual hosts, multiple SSL certs will not work. SSL certificates require full forward and reverse DNS. > So we thought to ask for wildcard, multidomain certificates, which we > would use on the aforementioned server and, we hoped, on others. Good idea. $oldjob used a wildcard with ease since we worked entirely out of a subdomain which was not subject to change. > Actually, this doesn't appear to be the case. In fact, to install that > certificate in more than one host, you should buy extra Licenses, and > each one costs about twice a single-server certificate. While it is true that wildcard certs are pricier than their non-wild brothers, your site will determine whether the economy-of-scale is worthwhile. Two servers needing commercial certs is wildly different than dozens and dozens needing the same. Also the bit about 'licenses' is confusing. Simply visit a cert reseller with the wildcarded CSR, pay, and install the new wildcard cert throughout where needed. While VeriSign practices _may_ be as such, discount resellers like GoDaddy offer wildcards for $160-200/year with no nags about 'extra licenses'. YMMV. Finally, take care that you guard the key to the wildcard cert. Should it be compromised on system A, there is the opportunity for crypto compromise on servers B, C, etc. We wildcarded at $oldjob as described, but the systems which had the key/cert were tightly controlled. You could check to see if the reseller allows multiple key+CSRs for the same wildcard namespace in order to mitigate key compromise (doubt it though), be it at no-cost or for-pay.
> Q2: It is not clear to me (yet) if we need a license per server or per > IP -e.g., if you have a load balancer hiding N servers behind it, do > you need one license for the load balancer or N licenses for the N > servers? That depends on whether you are terminating SSL at the load balancer. If the answer is yes, you can horizontally-scale your nodes with only maintaining one 'for-pay' cert, stored at and served from the load balancer. Clear as mud? ;) - -- Nick Silkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkluT8sACgkQrDQjhjXrMeK3ZQCgxEfSEHFDEie/GoEHK+k/ABS3 OrQAoJtQVb2R9P9FyWBCVR1PGMQ/ScMR =hqGQ -----END PGP SIGNATURE----- From firenet@gmail.com Wed Jan 14 14:38:03 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0EMc3b4038166 for ; Wed, 14 Jan 2009 14:38:03 -0800 (PST) (envelope-from firenet@gmail.com) Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.28]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0EMbxuX016514 for ; Wed, 14 Jan 2009 14:38:02 -0800 (PST) Received: by yw-out-2324.google.com with SMTP id 9so393707ywe.29 for ; Wed, 14 Jan 2009 14:37:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:x-mailer :mime-version:subject:date:cc; bh=6DLevKDtT/huNAHq1438fybHXdntO/OakFgONs1Gx2c=; b=wdSmz1JHAX0c/oNJTDxRsOauKUPOLMavUVpzrbtZsUOfgG+jGbEOaRU7P736qmDuNR OX4VM+xQFuWaqTztdQF1BaK9zjqPPXLKcc60XgQQ362++MioQBNvVWNkiL1w+ZVgfJvV IYOZS2kNPivI5iGgUtedH3AuFznZr8KPYyYIo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:x-mailer:mime-version:subject:date:cc; b=VahVqKProhHrCZ6ppvRpVivZG8Fs+1/5n6R8z7/zyWzombyQXLL/Sk5nea1cVct86f OKKxXMp8pXc/h1MSyyz5mt/GX3FC6rMt1OmWMahuby+qeNdJ+zcLvZWVkSDKkzG5SsF+ 
TIxhGHoDbIR3JRuwSftybZZ2Q3c3IRYD4zMpk= Received: by 10.64.151.10 with SMTP id y10mr244189qbd.95.1231972206938; Wed, 14 Jan 2009 14:30:06 -0800 (PST) Received: from ?10.140.22.212? ([24.114.232.17]) by mx.google.com with ESMTPS id p30sm51954089qbp.37.2009.01.14.14.30.02 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 14 Jan 2009 14:30:06 -0800 (PST) References: Message-Id: <9833B8F6-11B9-4265-8514-7B232A39652A@gmail.com> From: Steve Scott To: seph In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit X-Mailer: iPhone Mail (5G77) Mime-Version: 1.0 (iPhone Mail 5G77) Date: Wed, 14 Jan 2009 17:29:50 -0500 X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=7% Cc: "sage-members@sage.org" Subject: Re: [SAGE] SSL Wildcard Cert Issues X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2009 22:38:04 -0000

Not sure about Exchange 2007, but 2003 RPC over HTTPS doesn't support a wildcard cert. I seem to recall that various MS mobile OS's didn't support them either. Steve Scott On 14-Jan-09, at 2:20 PM, seph wrote: > sage@richfox.org writes: > >> Another thread has piqued my already simmering curiosity on this >> topic. I'm interested in hearing specific negative aspects of SSL >> wildcard certifications. > > Microsoft used to be against them, old IE didn't support them. But > that > was a long time ago, and I think anything since IE6 should have > native support.
> > seph > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members From brontolinux@gmail.com Thu Jan 15 14:02:55 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0FM2tnV084907 for ; Thu, 15 Jan 2009 14:02:55 -0800 (PST) (envelope-from brontolinux@gmail.com) Received: from mail-ew0-f20.google.com (mail-ew0-f20.google.com [209.85.219.20]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0FM2pMm002436 for ; Thu, 15 Jan 2009 14:02:54 -0800 (PST) Received: by ewy13 with SMTP id 13so1497312ewy.23 for ; Thu, 15 Jan 2009 14:02:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=cs9wTnV5G9rEaUA6u7BuKY0QPnYY1fH8bwefkpysuew=; b=Y/ap9O3jgEGSmKUgP+vWVK+2bgsNDa1zm40y5zz2C14l3rwHFJVeS5N1KLse3JC9WZ LlRegPjIURQXzV5XcavrqzXctlXZYsYcZV5ax5iUrUsI3+hXjv7SlqUYrrhG86b4JOfr YCehFeegjjocUxr/MUfNASW9I+IbyZljbznZw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=OT4E5U/DGP30fO3woo4BOL2cFvwzksk7lMv5yjQ1mH/+fCUAVHD2mPBlUO3KRiRca0 1DAY81FS8ln8mPHUe8pnJ6H9IaX/ryapsIJgOWkNUI5ZF255xPqy9JNYvsLJIOGT3u8r BOOF/o5g96/0xu2pbQUp0D+RQUPi7IJnzD6VI= Received: by 10.210.86.10 with SMTP id j10mr2226290ebb.153.1232056965201; Thu, 15 Jan 2009 14:02:45 -0800 (PST) Received: from ?192.168.1.6? 
(static-217-133-8-17.clienti.tiscali.it [217.133.8.17]) by mx.google.com with ESMTPS id 32sm1038150nfu.61.2009.01.15.14.02.43 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 15 Jan 2009 14:02:44 -0800 (PST) Message-ID: <496FB281.5070404@gmail.com> Date: Thu, 15 Jan 2009 23:02:41 +0100 From: Marco Marongiu User-Agent: Thunderbird 2.0.0.19 (X11/20090105) MIME-Version: 1.0 To: Sam Johnston References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> In-Reply-To: <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=8% Cc: sage-members@sage.org Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Jan 2009 22:02:57 -0000 Hi Sam and all Thanks to everybody for the quick and illuminating information. Sam Johnston wrote: > Q1: SSL doesn't allow multiple certificates for different domain names > on the same IP, right? > > > Not exactly - you probably want to have one certificate for each IP/port > tuple (which is to say you can run multiple servers, but only one on 443 > giving a 'clean' https:// URL without a port number). Second and > subsequent URLs would look something like https://acme.com:8443/ (and > may have problems with firewalls etc.). Yep, that's what I had in mind. You're right. Actually it's not limited by the IP but by the TCP socket (IPaddr,port). We are exploring with digicert, hoping they can also solve our billing needs. 
Thanks again Ciao --Marco -- Marco Marongiu System Administrator - Technical Author - Perl Programmer

From francois@famipow.be Fri Jan 16 00:43:43 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0G8hhge098675 for ; Fri, 16 Jan 2009 00:43:43 -0800 (PST) (envelope-from francois@famipow.be) Received: from mail1b.ipow.eu (mail1b.ipow.eu [78.24.33.122]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0G8hdjl007054 for ; Fri, 16 Jan 2009 00:43:42 -0800 (PST) Received: from macbook-de-francois-bayart-3.local (213.219.133.26.adsl.dyn.edpnet.net [213.219.133.26]) by mail1b.ipow.eu (Postfix) with ESMTP id C2C80500AB for ; Fri, 16 Jan 2009 09:32:11 +0100 (CET) Message-ID: <497044CC.7030204@famipow.be> Date: Fri, 16 Jan 2009 09:26:52 +0100 From: Francois Bayart User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: sage-members@sage.org References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> <496FB281.5070404@gmail.com> In-Reply-To: <496FB281.5070404@gmail.com> X-Enigmail-Version: 0.95.7 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.11 Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Jan 2009 08:43:43 -0000

Hi, you could buy a multi-site certificate to have in your cert the domains www.toto.com and www.tata.com; with this solution you just need to have one IP address and create virtual hosts in your web server.
I use this solution with a corporate customer and we buy it from TBS. I have contacted Thawte, GeoTrust and VeriSign and all say "yes we can buy this" but they didn't give a price on the website. TBS Certificats website: http://www.tbs-certificats.com/index.html.en#mdc The wildcard solution (when it's the same domain TLD) makes some problems with Microsoft solutions, where the certificate *.toto.com is OK for pop3.toto.com but wrong for pop3.eu.toto.com (test it with Outlook and POP3 over SSL). Regards, /François Marco Marongiu wrote: > Hi Sam and all > > Thanks to everybody for the quick and illuminating information. > > Sam Johnston wrote: > >> Q1: SSL doesn't allow multiple certificates for different domain names >> on the same IP, right? >> >> >> Not exactly - you probably want to have one certificate for each IP/port >> tuple (which is to say you can run multiple servers, but only one on 443 >> giving a 'clean' https:// URL without a port number). Second and >> subsequent URLs would look something like https://acme.com:8443/ (and >> may have problems with firewalls etc.). >> > > Yep, that's what I had in mind. You're right. Actually it's not limited > by the IP but by the TCP socket (IPaddr,port). > > We are exploring with digicert, hoping they can also solve our billing > needs.
> > Thanks again > > Ciao > --Marco > > From silkey@ece.utexas.edu Fri Jan 16 08:22:32 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0GGMV3x010010 for ; Fri, 16 Jan 2009 08:22:31 -0800 (PST) (envelope-from silkey@ece.utexas.edu) Received: from mail02.ece.utexas.edu (postfix@mail02.ece.utexas.edu [128.83.59.39]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0GGMSIC013437 for ; Fri, 16 Jan 2009 08:22:31 -0800 (PST) Received: from fuzz.its.yale.edu (fuzz.its.yale.edu [128.36.186.133]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: silkey) by mail02.ece.utexas.edu (Postfix) with ESMTP id 82B2A5829; Fri, 16 Jan 2009 10:22:27 -0600 (CST) Message-ID: <4970B442.2030502@ece.utexas.edu> Date: Fri, 16 Jan 2009 11:22:26 -0500 From: Nick Silkey User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: Francois Bayart References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> <496FB281.5070404@gmail.com> <497044CC.7030204@famipow.be> In-Reply-To: <497044CC.7030204@famipow.be> X-Enigmail-Version: 0.95.7 OpenPGP: id=35EB31E2; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x35EB31E2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Jan 2009 16:22:32 -0000

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Francois Bayart wrote: > The wildcard solution (when it's the same domain TLD) make some problems > with Microsoft solution where the certificate *.toto.com it's ok for > pop3.toto.com but it's wrong for pop3.eu.toto.com (test it with Outlook > and pop3 ssl). Does anyone know if this is a limitation due to Redmond nonsense, or does the architecture of SSL wildcards only allow 'one-level deep'? I ask as that discussion came up recently, but my colleagues and I didn't have a definitive answer as none of us had served a wildcard at one level of a domain from deeper subdomains (aka, *.toto.com being served from foobar.eu.toto.com without error). - -- Nick Silkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAklwtEIACgkQrDQjhjXrMeKwWwCgq7ORUp4elERmxCLTvw26Qu4I uzAAoIjSmMeLP8G+SS+0PTUGENbpPvVZ =gwjG -----END PGP SIGNATURE-----

From francois@famipow.be Tue Jan 20 13:09:52 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0KL9qRG038971 for ; Tue, 20 Jan 2009 13:09:52 -0800 (PST) (envelope-from francois@famipow.be) Received: from mail1b.ipow.eu (mail1b.ipow.eu [78.24.33.122]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0KL9mSm006816 for ; Tue, 20 Jan 2009 13:09:51 -0800 (PST) Received: from macbook-de-francois-bayart-3.local (213.219.133.26.adsl.dyn.edpnet.net [213.219.133.26]) by mail1b.ipow.eu (Postfix) with ESMTP id E7696500AA for ; Tue, 20 Jan 2009 22:09:45 +0100 (CET) Message-ID: <49763D96.9010101@famipow.be> Date: Tue, 20 Jan 2009 22:09:42 +0100 From: Francois Bayart User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: sage-members@sage.org References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com>
<496FB281.5070404@gmail.com> <497044CC.7030204@famipow.be> <4970B442.2030502@ece.utexas.edu> <4976398C.2040702@hamilton.edu> In-Reply-To: <4976398C.2040702@hamilton.edu> X-Enigmail-Version: 0.95.7 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.11 Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2009 21:09:53 -0000

Yes, sure Nicholas. But it's just strange to have this only on some clients and not all. What is the standard on this? Is the open-source software more tolerant? I don't have an SSL error on:
- Mac OS X with Thunderbird v2, Firefox v3
- Windows Firefox
I have an SSL error with:
- Mac OS X Safari, Mail
- Windows IE7, Outlook, Outlook Express
/François Nicholas Brockner wrote: > The architecture is only supposed to allow for one level deep, because it would not be good for wildcard certs to allow a bunch of subdomains. > > BUT. . . > > It depends on the browser you are using. Firefox used to allow this, but IE7 did not. This was the last time I checked (1.5 years ago). > > -Nick Brockner > > Nick Silkey wrote: > Francois Bayart wrote: > > >>> The wildcard solution (when it's the same domain TLD) make some > problems > >>> with Microsoft solution where the certificate *.toto.com it's ok for > >>> pop3.toto.com but it's wrong for pop3.eu.toto.com (test it with > Outlook > >>> and pop3 ssl). > >>> > > Does anyone know if this is a limitation due to Redmond nonsense, or > does the architecture of SSL wildcards only allow 'one-level deep'?
> > I ask as that discussion came up recently, but my colleagues and I didn't > have a definitive answer as none of us had served a wildcard at one > level of a domain from deeper subdomains (aka, *.toto.com being served > from foobar.eu.toto.com without error).

From nbrockne@hamilton.edu Tue Jan 20 13:55:13 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0KLtCGJ039742 for ; Tue, 20 Jan 2009 13:55:12 -0800 (PST) (envelope-from nbrockne@hamilton.edu) Received: from mailer1.hamilton.edu (mailer1.hamilton.edu [150.209.8.96]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0KLt9Zu007629 for ; Tue, 20 Jan 2009 13:55:12 -0800 (PST) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from pmxchannel-daemon.mail.hamilton.edu by mail.hamilton.edu (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) id <0KDS00A02FFKQG00@mail.hamilton.edu> for sage-members@usenix.org; Tue, 20 Jan 2009 15:54:56 -0500 (EST) Received: from [150.209.7.146] (its-150-209-7-146.hamilton.edu [150.209.7.146]) by mail.hamilton.edu (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPA id <0KDS00ARTFFJ6E00@mail.hamilton.edu> for sage-members@usenix.org; Tue, 20 Jan 2009 15:54:55 -0500 (EST) Date: Tue, 20 Jan 2009 15:54:55 -0500 From: Nicholas Brockner In-reply-to: <4970B442.2030502@ece.utexas.edu> Sender: nbrockne@hamilton.edu To: SAGE Members Mailing List Message-id: <49763A1F.8030600@hamilton.edu> References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> <496FB281.5070404@gmail.com> <497044CC.7030204@famipow.be> <4970B442.2030502@ece.utexas.edu> User-Agent: Thunderbird 2.0.0.18 (Windows/20081105) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org
X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2009 21:55:13 -0000

The architecture is only supposed to allow for one level deep, because it would not be good for wildcard certs to allow a bunch of subdomains. BUT. . . It depends on the browser you are using. Firefox used to allow this, but IE7 did not. This was the last time I checked (1.5 years ago). -Nick Brockner Nick Silkey wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Francois Bayart wrote: > >> The wildcard solution (when it's the same domain TLD) make some problems >> with Microsoft solution where the certificate *.toto.com it's ok for >> pop3.toto.com but it's wrong for pop3.eu.toto.com (test it with Outlook >> and pop3 ssl). >> > > Does anyone know if this is a limitation due to Redmond nonsense, or > does the architecture of SSL wildcards only allow 'one-level deep'? > > I ask as that discussion came up recently, but my colleagues and I didn't > have a definitive answer as none of us had served a wildcard at one > level of a domain from deeper subdomains (aka, *.toto.com being served > from foobar.eu.toto.com without error).
> > - -- > Nick Silkey > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.8 (Darwin) > > iEYEARECAAYFAklwtEIACgkQrDQjhjXrMeKwWwCgq7ORUp4elERmxCLTvw26Qu4I > uzAAoIjSmMeLP8G+SS+0PTUGENbpPvVZ > =gwjG > -----END PGP SIGNATURE----- > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > From hyc@symas.com Tue Jan 20 13:57:56 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0KLvuJB039782 for ; Tue, 20 Jan 2009 13:57:56 -0800 (PST) (envelope-from hyc@symas.com) Received: from lirone.symas.net (lirone.symas.net [64.71.152.235]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0KLvroa007710 for ; Tue, 20 Jan 2009 13:57:56 -0800 (PST) Received: from [76.91.220.157] (helo=[192.168.1.23]) by lirone.symas.net with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from ) id 1LPOEF-0003pZ-C3; Tue, 20 Jan 2009 13:33:47 -0800 Message-ID: <49764335.2020105@symas.com> Date: Tue, 20 Jan 2009 13:33:41 -0800 From: Howard Chu User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1b3pre) Gecko/20090115 SeaMonkey/2.0a1pre Firefox/3.0.3 MIME-Version: 1.0 To: Francois Bayart References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> <496FB281.5070404@gmail.com> <497044CC.7030204@famipow.be> <4970B442.2030502@ece.utexas.edu> <4976398C.2040702@hamilton.edu> <49763D96.9010101@famipow.be> In-Reply-To: <49763D96.9010101@famipow.be> Content-Type: text/plain; charset=iso-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2009 21:57:57 -0000

Francois Bayart wrote: > Yes , sure Nicholas. But it's just strange to have this only on some > client and not all. > What is the standard on this ? the Opensource software are they most > tolerant ? See RFC 2818. Mozilla-derived code has historically been pretty bad about conforming to these requirements, but the most recent versions are finally checking things according to the spec. > > > I don't have SSL error on : > - Mac OS X with thunderbird V2, firefox V3 > - Windows Firefox > > I have a SSL error with : > - Mac OS X Safari, Mail > - Windows IE7, Outlook, Outlook Express > > /François > > > Nicholas Brockner wrote: >> The architecture is only supposed to allow for one level deep, because > it would not be good for wild card certs to allow a bunch of subdomains. >> BUT. . . >> >> It depends on the browser you are using. Firefox used to allow this, > but IE7 did not. This was the last time I checked (1.5 years ago). >> -Nick Brockner >> >> Nick Silkey wrote: >> Francois Bayart wrote: >> >>>>> The wildcard solution (when it's the same domain TLD) make some >> problems >>>>> with Microsoft solution where the certificate *.toto.com it's ok for >>>>> pop3.toto.com but it's wrong for pop3.eu.toto.com (test it with >> Outlook >>>>> and pop3 ssl). >>>>> >> Does anyone know if this is a limitation due to Redmond nonsense, or >> does the architecture of SSL wildcards only allow 'one-level deep'? >> >> I ask as that discussion came up recently, but my colleagues and I didn't >> have a definitive answer as none of us had served a wildcard at one >> level of a domain from deeper subdomains (aka, *.toto.com being served >> from foobar.eu.toto.com without error).
> > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From nbrockne@hamilton.edu Tue Jan 20 14:24:46 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0KMOk4C040301 for ; Tue, 20 Jan 2009 14:24:46 -0800 (PST) (envelope-from nbrockne@hamilton.edu) Received: from mailer1.hamilton.edu (mailer1.hamilton.edu [150.209.8.96]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0KMOh2T008356 for ; Tue, 20 Jan 2009 14:24:46 -0800 (PST) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from pmxchannel-daemon.mail.hamilton.edu by mail.hamilton.edu (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) id <0KDS00C02GSUS600@mail.hamilton.edu> for sage-members@usenix.org; Tue, 20 Jan 2009 16:24:30 -0500 (EST) Received: from [150.209.7.146] (its-150-209-7-146.hamilton.edu [150.209.7.146]) by mail.hamilton.edu (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPA id <0KDS00ARJGST6E30@mail.hamilton.edu>; Tue, 20 Jan 2009 16:24:29 -0500 (EST) Date: Tue, 20 Jan 2009 16:24:29 -0500 From: Nicholas Brockner In-reply-to: <49763D96.9010101@famipow.be> Sender: nbrockne@hamilton.edu To: Francois Bayart Message-id: <4976410D.1090409@hamilton.edu> References: <8d727bb0901140227l3f68cf46p997b1e0f53f32905@mail.gmail.com> <21606dcf0901140306r74038475k2c79492eeea286ee@mail.gmail.com> <496FB281.5070404@gmail.com> <497044CC.7030204@famipow.be> <4970B442.2030502@ece.utexas.edu> <4976398C.2040702@hamilton.edu> <49763D96.9010101@famipow.be> User-Agent: Thunderbird 2.0.0.18 (Windows/20081105) X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 
Fuz2=2 Cc: sage-members@usenix.org Subject: Re: [SAGE] SSL bureaucracy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jan 2009 22:24:47 -0000 Francois, IE7 actually follows the standard on this one. . . . See RFC 2818: "Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com." -Nick Brockner Francois Bayart wrote: > Yes , sure Nicholas. But it's just strange to have this only on some > client and not all. > What is the standard on this ? the Opensource software are they most > tolerent ? > > > I don't have SSL error on : > - Mac OS X with thunderbird V2, firefox V3 > - Windows Firefox > > I have a SSL error with : > - Mac OS X Safari, Mail > - Windows IE7, Outlook, Outlook Express > > /François > > > Nicholas Brockner a écrit : > >> The architecture is only supposed to allow for one level deep, because >> > it would not be good for wild card certs to allow a bunch of subdomains. > >> BUT. . . >> >> It depends on the browser you are using. Firefox used to allow this, >> > but IE7 did not. This was the last time I checked (1.5 years ago). 
> >> -Nick Brockner >> >> Nick Silkey wrote: >> Francois Bayart wrote: >> >> >>>>> The wildcard solution (when it's the same domain TLD) make some >>>>> >> problems >> >>>>> with Microsoft solution where the certficiate *.toto.com it's ok for >>>>> pop3.toto.com but it's wrong for pop3.eu.toto.com (test it with >>>>> >> Outlook >> >>>>> and pop3 ssl). >>>>> >>>>> >> Does anyone know if this is a limitation due to Redmond nonsense, or >> does the architecture of SSL wildcards only allow 'one-level deep'? >> >> I ask as that discussion came up recently, but my colleagues and I didnt >> have a definitive answer as none of us had served a wildcard at one >> level of a domain from deeper subdomains (aka, *.toto.com being served >> from foobar.eu.toto.com without error). >> > > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > From aleksandar@ivanisevic.de Thu Jan 22 07:42:07 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0MFg6fO083582 for ; Thu, 22 Jan 2009 07:42:07 -0800 (PST) (envelope-from aleksandar@ivanisevic.de) Received: from mail.2e-systems.com (polaris.2e-systems.com [217.86.139.180]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0MFg2ZW017722 for ; Thu, 22 Jan 2009 07:42:06 -0800 (PST) Received: from [192.168.222.78] (alex.2e-systems.com [192.168.222.78]) by mail.2e-systems.com (Postfix) with ESMTP id DEDA718046; Thu, 22 Jan 2009 16:41:57 +0100 (CET) Message-ID: <497893C5.8010105@ivanisevic.de> Date: Thu, 22 Jan 2009 16:41:57 +0100 From: Aleksandar Ivanisevic User-Agent: Thunderbird 2.0.0.18 (X11/20081119) MIME-Version: 1.0 To: "N.J. 
Thomas" References: <8CEE3947B21C6946A5CFDFA589C276CB84FCB98D@cosmail02.lsi.com> <20090112215549.GF91938@zaph.org> In-Reply-To: <20090112215549.GF91938@zaph.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE mailing list Subject: Re: [SAGE] on-call policy X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list Reply-To: aleksandar@ivanisevic.de List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2009 15:42:08 -0000 N.J. Thomas wrote: > * Simon, Wesley [2009-01-12 14:34:45+0000]: >> I am trying to get our management to adopt an on-call policy. Does >> anyone on here have experience with going from no policy to one that >> works and is fair? > > Some suggestions off the top of my head from past experience: > > - do weekly rotations, i.e. Monday morning to Monday morning (this > works good for teams of 3 or more) Monday mornings tend to be the busiest times, you get to deal with whatever came up over the weekend. We found out that the best time of the week to hand over oncall is Wednesday or Thursday early afternoon. In my setup on call person is also the first contact for all issues, regardless when they happened. This is important to prevent the confusion when many people start working on the same problem when a customer/user calls everyone he knows at the same time instead of using proper channels. Handover of on call is tied with a regular support meeting where all the support staff is present together with the technical project managers and the last week's issues are discussed and the whole system is sort of "handed over" to the next oncall person. 
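Added example, not part of the archived list traffic: the RFC 2818 wildcard matching rules that Nick Brockner quotes in the SSL bureaucracy thread above (`*.a.com` matches `foo.a.com` but not `bar.foo.a.com`; `f*.com` matches `foo.com` but not `bar.com`), written out as a small Python matcher so that the `*.toto.com` versus `pop3.eu.toto.com` disagreement between clients can be checked against the spec rather than against a particular browser. The function names and the constructed list of certificate names are mine; this is not code from any mail client or from anyone on the list.

```python
import re


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one label of a certificate name against one label of the
    requested hostname. RFC 2818 lets '*' stand for a whole label or a
    fragment of one ('f*' matches 'foo'); because labels are compared one
    at a time, a '*' can never swallow a dot."""
    pieces = [re.escape(p) for p in pattern_label.split("*")]
    regex = "^" + ".*".join(pieces) + "$"
    return re.match(regex, host_label) is not None


def rfc2818_match(cert_name: str, hostname: str) -> bool:
    """True if the certificate identity cert_name matches hostname under
    the RFC 2818 rules: case-insensitive, label by label, and with the same
    number of labels, so '*.a.com' cannot match 'bar.foo.a.com'."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    return all(label_matches(p, h) for p, h in zip(pat, host))


def hostname_accepted(dns_names, hostname: str) -> bool:
    """RFC 2818: when a certificate carries several dNSName identities,
    a match against any one of them is acceptable."""
    return any(rfc2818_match(n, hostname) for n in dns_names)


if __name__ == "__main__":
    # Constructed cases: the RFC's own examples plus the thread's
    # *.toto.com question. 'expected' is what a spec-conforming client does.
    cases = [
        ("*.a.com", "foo.a.com", True),
        ("*.a.com", "bar.foo.a.com", False),
        ("f*.com", "foo.com", True),
        ("f*.com", "bar.com", False),
        ("*.toto.com", "pop3.toto.com", True),
        ("*.toto.com", "pop3.eu.toto.com", False),
    ]
    for pattern, host, expected in cases:
        got = rfc2818_match(pattern, host)
        print(f"{pattern:12} vs {host:18} -> {got} (expected {expected})")

    # The fix for the thread's problem is on the certificate side: list the
    # deeper name (or a wildcard at that depth) as an additional dNSName,
    # rather than relying on a client that matches more loosely than the RFC.
    sans = ["*.toto.com", "*.eu.toto.com"]  # constructed SAN list
    print(hostname_accepted(sans, "pop3.eu.toto.com"))
```

The matcher deliberately treats the label count as part of the match, which is exactly the rule IE7 and Outlook were applying in the thread. Note that later guidance narrowed wildcards further: RFC 6125 restricts the wildcard to the left-most label, and most current clients no longer accept the partial-label form such as `f*.com`, so a certificate that depends on it will fail in more places than the 2009 thread suggests.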
From jack@coats.org Thu Jan 22 14:11:24 2009
Date: Thu, 22 Jan 2009 13:44:10 -0600
From: Jack Coats
To: SAGE mailing list
Subject: Re: [SAGE] on-call policy
Message-ID: <4978CC8A.60400@coats.org>
In-Reply-To: <497893C5.8010105@ivanisevic.de>

Be flexible. I have set up rotations but allow 'free swapping' of full
weeks or even a day at a time, but the one initially assigned is
responsible even if someone else does 'take their place'. Having a 'token'
to pass, like a cell phone or pager, is good.

The 'on call' always works the regular schedule in the week, or may have
up to one day off the following week only (so that it doesn't hang on
forever), where 2 hours of on-site gets 1 hour of 'comp-time'.

Personally I suggest putting something in place for one rotation (so
everyone is on call), and accepting suggestions (written) during that
rotation. At the end of that rotation have a meeting, and announce
changes. Don't blindly accept requested changes, but don't discard any out
of hand. Tell folks at the meeting that the suggestions are all appreciated
and are not being individually acknowledged, but all have been weighed,
many used, many merged, but all appreciated. This will help the 'troops'
get some buy-in!

One place we had 1st level and 2nd level on call. At one time, 1st level
on call was 2nd level on call the next week. If together they couldn't
solve a problem, calling directly anyone on the team was considered
appropriate. At another time, 1st level were more junior and rotated. 2nd
level was all the senior team members and were called directly if
required.

To start with, no way is wrong. Just get the team buy-in that the
important thing is the users. As a friend used to say, "It's uptime,
stupid." Kind of harsh, but focusing on that really helps keep the calls
down. Logging and running all calls to their 'root cause' helps drive the
number of real calls out of the system, so being on call is much less
onerous.

At one time I got personally about 5 or 6 calls per week during 'sleeping
hours' from our operations staff. It became a personal task to befriend
these folks, work on their education and buy-in, and my calls went to 1
or 2 a month after a year. A big investment, but it gave a big payoff in
customer perception of reliability, and operator job enjoyment went up
when they could 'fix stuff'. And my wife, well, we were happier without
the interruptions!

I hope this helps! ... Jack

Aleksandar Ivanisevic wrote:
> N.J. Thomas wrote:
>> * Simon, Wesley [2009-01-12 14:34:45+0000]:
>>> I am trying to get our management to adopt an on-call policy. Does
>>> anyone on here have experience with going from no policy to one that
>>> works and is fair?
>>
>> Some suggestions off the top of my head from past experience:
>>
>> - do weekly rotations, i.e. Monday morning to Monday morning (this
>> works well for teams of 3 or more)
>
> Monday mornings tend to be the busiest times; you get to deal with
> whatever came up over the weekend. We found out that the best time of
> the week to hand over on-call is Wednesday or Thursday early afternoon.
>
> In my setup the on-call person is also the first contact for all issues,
> regardless of when they happened. This is important to prevent the
> confusion when many people start working on the same problem because a
> customer/user calls everyone he knows at the same time instead of
> using proper channels.
>
> Handover of on-call is tied to a regular support meeting where all
> the support staff are present together with the technical project
> managers; the last week's issues are discussed and the whole system
> is sort of "handed over" to the next on-call person.

From sage@watson-wilson.ca Sun Jan 25 16:54:38 2009
Date: Sun, 25 Jan 2009 19:54:22 -0500
From: Neil Watson
To: sage-members@sage.org
Subject: [SAGE] fan noise for HP ML115
Message-ID: <20090126005422.GA13594@watson-wilson.ca>

Greetings,

I was thinking about a new HP ML115 for my home office. I'm concerned
about the noise since its location will be under my desk. Does anyone have
one of these servers? How loud is it?
-- 
Neil Watson
UNIX Consultant
http://watson-wilson.ca

From asterr@pobox.com Mon Jan 26 03:05:23 2009
Date: Mon, 26 Jan 2009 03:05:08 -0800 (PST)
From: asterr
To: sage-members@sage.org
Subject: [SAGE] Any sign of Fettle?

Hello,

I am wondering if anyone has seen any sign of Fettle from Andrew Hume yet?

Thank you,
Aaron Sterr

From aforbes@cisco.com Mon Jan 26 04:06:02 2009
Date: Mon, 26 Jan 2009 12:48:18 +0100
From: Alister Forbes
To: asterr
Cc: sage-members@sage.org
Subject: Re: [SAGE] Any sign of Fettle?
Message-ID: <20090126114818.GP28540@cisco.com>

Not yet, and I have been keeping an eye out. Presumably whoever it was he
was waiting for isn't back from maternity leave yet.

Still.. gives me more time to learn ruby.

Alister

On Mon, Jan 26, 2009 at 03:05:08AM -0800, asterr wrote:
> Hello,
>
> I am wondering if anyone has seen any sign of Fettle from Andrew Hume yet?
>
> Thank you,
> Aaron Sterr

-- 
Alister Forbes
TACSUNS _.|._.|._ Cisco Systems
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

From livenyc@gmail.com Mon Jan 26 07:14:07 2009
Date: Mon, 26 Jan 2009 10:06:58 -0500
From: Igor V
To: SAGE Members
Subject: [SAGE] mailing lists in excel
Message-ID: <810cf27d0901260706ha5afeb7r84b77ff6c8904f9a@mail.gmail.com>

does anyone know a better way of managing mailing lists from outlook
2003/exchange 2003, something that preferably:
- eliminates the restriction on the size of the list
- integrates with AD user security schema
- allows membership management by end-user
- something that preferably looks and feels like the integrated
  contact/list management

thanks
-iv

From dustin@puryear-it.com Mon Jan 26 11:25:52 2009
Date: Mon, 26 Jan 2009 11:30:30 -0600
From: Dustin Puryear
Organization: Puryear IT, LLC
To: sage-members@sage.org
Subject: [SAGE] NCR UNIX help..
Message-ID: <497DF336.9070204@puryear-it.com>

Hi guys-

We have an NCR UNIX system that we need to update the IP configuration
for. (The system was moved from one data center to another.) Alas, the
system is hanging on "NFS Initialization", I assume as it tries to mount
some NFS filesystems it no longer has access to.

Anyone familiar with these systems?

We can't find any documentation on how to get this box into single-user
mode so we can remove the offending NFS mount entries.

I'll admit that NCR UNIX is not a strength of mine. ;)

The box is a re-branded Dell with a CD, floppy, and tape drive.

-- 
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

From cat@reptiles.org Mon Jan 26 12:17:06 2009
Date: Mon, 26 Jan 2009 15:16:56 -0500 (EST)
From: Cat Okita
To: Dustin Puryear
Cc: sage-members@sage.org
Subject: Re: [SAGE] NCR UNIX help..
Message-ID: <20090126151607.Q54427@gecko.reptiles.org>
In-Reply-To: <497DF336.9070204@puryear-it.com>

On Mon, 26 Jan 2009, Dustin Puryear wrote:
> We have an NCR UNIX system that we need to update the IP configuration
> for. (The system was moved from one data center to another.) Alas, the
> system is hanging on "NFS Initialization", I assume as it tries to mount
> some NFS filesystems it no longer has access to.
>
> Anyone familiar with these systems?
>
> We can't find any documentation on how to get this box into single-user
> mode so we can remove the offending NFS mount entries.
>
> I'll admit that NCR UNIX is not a strength of mine. ;)
> The box is a re-branded Dell with a CD, floppy, and tape drive.

Way back when, NCR unix was functionally SysVR4 with a few oddities...
but it's been years since I touched it.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

From nico.halpern@mac.com Mon Jan 26 12:37:25 2009
Date: Mon, 26 Jan 2009 15:25:03 -0500
From: Nico Halpern
To: Dustin Puryear
Cc: sage-members@sage.org
Subject: Re: [SAGE] NCR UNIX help..
Message-ID: <497E1C1F.4030606@mac.com>
In-Reply-To: <497DF336.9070204@puryear-it.com>

Dustin,

Have you tried booting from media? You should be able to use a linux
rescue cd, mount the root partition as UFS, and go to town on it.

Dustin Puryear wrote:
> Hi guys-
>
> We have an NCR UNIX system that we need to update the IP configuration
> for. (The system was moved from one data center to another.) Alas, the
> system is hanging on "NFS Initialization", I assume as it tries to mount
> some NFS filesystems it no longer has access to.
>
> Anyone familiar with these systems?
>
> We can't find any documentation on how to get this box into single-user
> mode so we can remove the offending NFS mount entries.
>
> I'll admit that NCR UNIX is not a strength of mine. ;)
>
> The box is a re-branded Dell with a CD, floppy, and tape drive.

-- 
Nico Halpern
Non ex transverso sed deorsum!
From mike@diehn.net Mon Jan 26 19:38:04 2009
Date: Mon, 26 Jan 2009 14:47:50 -0500
From: Mike Diehn
To: Dustin Puryear
Cc: sage-members@sage.org
Subject: Re: [SAGE] NCR UNIX help..
Message-Id: <1232999270.16269.60.camel@mjdlnx>
In-Reply-To: <497DF336.9070204@puryear-it.com>

I think you interrupt the boot sequence (during the autoload messages) by
hitting space and then type SUS. That gets you talking to the kernel
loader. Load the kernel with "boot s" or something similar.

These may help:

http://www.bhami.com/rosetta.html
http://www.arizonaed.com/mirror/www.introcomp.co.uk/other/ncr_unix.html

On Mon, 2009-01-26 at 11:30 -0600, Dustin Puryear wrote:
> Hi guys-
>
> We have an NCR UNIX system that we need to update the IP configuration
> for. (The system was moved from one data center to another.) Alas, the
> system is hanging on "NFS Initialization", I assume as it tries to mount
> some NFS filesystems it no longer has access to.
>
> Anyone familiar with these systems?
>
> We can't find any documentation on how to get this box into single-user
> mode so we can remove the offending NFS mount entries.
>
> I'll admit that NCR UNIX is not a strength of mine. ;)
>
> The box is a re-branded Dell with a CD, floppy, and tape drive.

-- 
Mike Diehn
Enfield, NH USA

From dhanks@gmail.com Tue Jan 27 11:47:39 2009
Date: Tue, 27 Jan 2009 11:47:35 -0800
From: Doug Hanks
To: sage-members@sage.org
Subject: [SAGE] Network Sniffers
Message-ID: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com>

Hey guys,

Anyone have any experience with commercial / hardware / blackbox network
sniffers?

We're looking for something easy to use, but yet has all the features you
would expect to see in an enterprise environment.

-- 
- Doug Hanks = dhanks(at)gmail(dot)com

From nicholastang@gmail.com Tue Jan 27 12:08:23 2009
Date: Tue, 27 Jan 2009 15:08:18 -0500
From: Nicholas Tang
To: Doug Hanks
Cc: sage-members@sage.org
Subject: Re: [SAGE] Network Sniffers
In-Reply-To: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com>

If it's general purpose, not really. If it's specifically oriented around
web traffic, I'd highly recommend the Coradiant Truesight product(s).
They're excessively expensive, but ridiculously cool and really quite
helpful when it comes to managing a web environment. If you can get one in
here, and you do significant amounts of business over the web, it'll pay
for itself. If not... never mind. ;)

(I'm not a shill, I'm a customer who loves the product but complains about
the pricing regularly.)

Nicholas

On Tue, Jan 27, 2009 at 2:47 PM, Doug Hanks wrote:
> Hey guys,
>
> Anyone have any experience with commercial / hardware / blackbox network
> sniffers?
>
> We're looking for something easy to use, but yet has all the features you
> would expect to see in an enterprise environment.
>
> --
> - Doug Hanks = dhanks(at)gmail(dot)com

From shrdlu@deaddrop.org Tue Jan 27 12:21:48 2009
Date: Tue, 27 Jan 2009 12:15:15 -0800
From: Etaoin Shrdlu
Organization: dig @localhost TXT CHAOS version.bind
To: SAGE
Subject: Re: [SAGE] Network Sniffers
Message-ID: <497F6B53.6000307@deaddrop.org>
In-Reply-To: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com>

Doug Hanks wrote:
> Hey guys,
>
> Anyone have any experience with commercial / hardware / blackbox network
> sniffers?
> > We're looking for something easy to use, but yet as all the features you > would expect to see in an enterprise environment. http://www.narus.com/ http://en.wikipedia.org/wiki/Narus You can't get more enterprise than that. I would consider them the gold standard. I have no idea of the expense, or lack of it, but cannot imagine an environment that they could not keep up with. -- Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. Brian W. Kernighan From jens@quux.de Tue Jan 27 12:41:15 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0RKfEB0044417 for ; Tue, 27 Jan 2009 12:41:15 -0800 (PST) (envelope-from jens@quux.de) Received: from mail.adimus.de (mail.adimus.de [78.47.239.5]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0RKfAqt001409 for ; Tue, 27 Jan 2009 12:41:13 -0800 (PST) Received: (qmail 24354 invoked by uid 0); 27 Jan 2009 21:34:27 +0100 Received: by simscan 1.3.1 ppid: 24350, pid: 24352, t: 0.0614s scanners: regex: 1.3.1 Received: from unknown (HELO laphroiag.quux.de) (88.74.2.185) by mail.adimus.de with SMTP; 27 Jan 2009 21:34:27 +0100 Received: from jens by laphroiag.quux.de with local (Exim 3.36 #1 (Debian)) id 1LRude-0003Io-00 for ; Tue, 27 Jan 2009 21:34:26 +0100 To: sage-members@sage.org Organization: - X-URL: http://www.quux.de X-message-flag: HTML Mails will not be read! Send plain text! 
References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> From: Jens Link Date: Tue, 27 Jan 2009 21:34:26 +0100 In-Reply-To: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> (Doug Hanks's message of "Tue\, 27 Jan 2009 11\:47\:35 -0800") Message-ID: <87k58gij3h.fsf@laphroiag.quux.de> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: Jens Link X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 X-Mailman-Approved-At: Tue, 27 Jan 2009 12:43:21 -0800 Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2009 20:41:15 -0000 Doug Hanks writes: > Hey guys, > > Anyone have any experience with commercial / hardware / blackbox network > sniffers? Most people I know use Wireshark (http://www.wireshark.org), even people with access to expensive commercial equipment. Wireshark can decode a lot more protocols then most commercial tools. > We're looking for something easy to use, but yet as all the features you > would expect to see in an enterprise environment. "Easy to use" is relative. You should know how Ethernet, TCP/IP and the application protocols you're sniffing are working in order to use any Sniffer. What features do you expect? BTW: In case somebody mentions Ethereal: Ethereal is dead. For more then two year now. Wireshark is the successor. Jens -- ------------------------------------------------------------------------- | Foelderichstr. 
40 | 13595 Berlin, Germany | +49-151-18721264 | | http://www.quux.de | http://blog.quux.de | jabber: jenslink@guug.de | ------------------------------------------------------------------------- From djmitche@gmail.com Tue Jan 27 12:43:38 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0RKhcXa044490 for ; Tue, 27 Jan 2009 12:43:38 -0800 (PST) (envelope-from djmitche@gmail.com) Received: from mail-qy0-f20.google.com (mail-qy0-f20.google.com [209.85.221.20]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0RKhZlG001465 for ; Tue, 27 Jan 2009 12:43:38 -0800 (PST) Received: by qyk13 with SMTP id 13so6972800qyk.23 for ; Tue, 27 Jan 2009 12:43:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type:content-transfer-encoding; bh=ljy24D9ZKuYO1dK94dhacAR+f2e0a9r8lhA3DkrcaRg=; b=D7imduzuOe6xsbzLw+2hHetiWsXStx73097QFVUM2UBCix17FqHdDHKQHjwUrkK6Le vbyi18f3PKw/MMk2r17/nXdQPCTLG5Ma+mKYu6CjpPhqHrq7Edo0P3Upwfkq5fzs9zVy 3fWwMcM3iAFMB0sYxhQbfQULFJB7GBcfgKsjA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=ctBZP66bj1YpfUEuXldQP5qGMVXTl3ZZJu5xXwmKzXnZUxO10BZFA6al2YUjnos3Jz x9d8xbOGkVXWPDTqmx+8U16IYqfeTrfy1tVaHmsmP6b5nMzBjUpCqHI+0GvMbUlBWFaB Ysw2VMy11VRQfajhYbExQmza8Hipsw5v4p4Uk= MIME-Version: 1.0 Sender: djmitche@gmail.com Received: by 10.214.45.5 with SMTP id s5mr5415273qas.82.1233088628991; Tue, 27 Jan 2009 12:37:08 -0800 (PST) In-Reply-To: <497F6B53.6000307@deaddrop.org> References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> <497F6B53.6000307@deaddrop.org> Date: Tue, 27 Jan 2009 15:37:08 -0500 X-Google-Sender-Auth: b3be9f20c1368cc1 Message-ID: 
<42338fbf0901271237p7afc57c5t96fec0136c8485a8@mail.gmail.com> From: "Dustin J. Mitchell" To: Etaoin Shrdlu Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=9% Cc: SAGE Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2009 20:43:39 -0000 On Tue, Jan 27, 2009 at 3:15 PM, Etaoin Shrdlu wrote: > You can't get more enterprise than that. I would consider them the gold > standard. I have no idea of the expense, or lack of it, but cannot imagine > an environment that they could not keep up with. Well, they have *both* "products" and "solutions", and everyone knows that products are totally the stuff of the industrial revolution. So they could get more enterprise by dropping the products and just selling solutions. Some synergy wouldn't hurt, either. Dustin From cat@reptiles.org Tue Jan 27 12:50:10 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0RKo9Rc044655 for ; Tue, 27 Jan 2009 12:50:09 -0800 (PST) (envelope-from cat@reptiles.org) Received: from mailbox.reptiles.org (rootgecko.reptiles.org@mail.reptiles.org [198.96.210.227]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0RKo64e001692 for ; Tue, 27 Jan 2009 12:50:09 -0800 (PST) Received: from skink.reptiles.org ([198.96.210.227] port=49863) by mailbox.reptiles.org([198.96.210.227] port=25) via TCP with esmtp (2123 bytes) (sender: ) (ident using UNIX) id for ; Tue, 27 Jan 2009 15:50:01 -0500 (EST) (Smail-3.2.0.121 2005-Nov-17 #4 built 2006-Nov-28) Date: Tue, 27 Jan 2009 15:50:00 -0500 (EST) From: Cat Okita To: "Dustin J. 
Mitchell" In-Reply-To: <42338fbf0901271237p7afc57c5t96fec0136c8485a8@mail.gmail.com> Message-ID: <20090127154804.I54427@gecko.reptiles.org> References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> <497F6B53.6000307@deaddrop.org> <42338fbf0901271237p7afc57c5t96fec0136c8485a8@mail.gmail.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2009 20:50:10 -0000 On Tue, 27 Jan 2009, Dustin J. Mitchell wrote: > On Tue, Jan 27, 2009 at 3:15 PM, Etaoin Shrdlu wrote: >> You can't get more enterprise than that. I would consider them the gold >> standard. I have no idea of the expense, or lack of it, but cannot imagine >> an environment that they could not keep up with. > > Well, they have *both* "products" and "solutions", and everyone knows > that products are totally the stuff of the industrial revolution. So > they could get more enterprise by dropping the products and just > selling solutions. Some synergy wouldn't hurt, either. True - and we should really define our use cases, and make sure that all stakeholders are appropriately informed and involved before sending out anything ressembling an RFI. It'd be a shame if we overlooked the option to leverage existing resources and solutions to incentivize a readily supported cross-enterprise best-of-breed platform. cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." 
From dustin@puryear-it.com Tue Jan 27 12:58:59 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0RKwxvg044851 for ; Tue, 27 Jan 2009 12:58:59 -0800 (PST) (envelope-from dustin@puryear-it.com) Received: from eastrmmtai101.cox.net (eastrmmtai101.cox.net [68.230.240.6]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0RKwtUR001923 for ; Tue, 27 Jan 2009 12:58:58 -0800 (PST) Received: from eastrmimpo01.cox.net ([68.1.16.119]) by eastrmmtao106.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20090127191352.JELJ18213.eastrmmtao106.cox.net@eastrmimpo01.cox.net>; Tue, 27 Jan 2009 14:13:52 -0500 Received: from [192.168.222.40] ([70.183.217.90]) by eastrmimpo01.cox.net with bizsmtp id 8jDr1b00A1xcZnq02jDrkN; Tue, 27 Jan 2009 14:13:52 -0500 X-Authority-Analysis: v=1.0 c=1 a=2S-rT8OHAAAA:8 a=WpCXa3LitTAj-PMftTcA:9 a=6XL6Q_JfCN1CuFRLppoA:7 a=YVGeF8TbQ0NeUApJZlEX5_QaUpAA:4 a=d0vGa3EdGPgA:10 a=eOhzGfYXTlUA:10 X-CM-Score: 0.00 Message-ID: <497F5CEF.7020607@puryear-it.com> Date: Tue, 27 Jan 2009 13:13:51 -0600 From: Dustin Puryear Organization: Puryear IT, LLC User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Nico Halpern References: <497DF336.9070204@puryear-it.com> <497E1C1F.4030606@mac.com> In-Reply-To: <497E1C1F.4030606@mac.com> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=2 Fuz2=2 rep=79% Cc: sage-members@sage.org Subject: Re: [SAGE] NCR UNIX help.. X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2009 20:58:59 -0000 NCR UNIX uses the vxfs file system. I was able to finally figure it all out using an original CD boot and maintenance mode. 
Quite a pain, FYI. Nico Halpern wrote: > Dustin, > > > Have you tried a booting from media? > You should be able to use a linux rescue cd, mount the root partition as > UFS, and go to town on it. > > > > Dustin Puryear wrote: >> Hi guys- >> >> We have an NCR UNIX system that we need to update the IP configuration >> for. (The system was moved from one data center to another.) Alas, the >> system is hanging on "NFS Initialization", I assume as it tries to mount >> some NFS filesystems it no longer has access to. >> >> Any familiar with these systems? >> >> We can't find any documentation on how to get this box into single-user >> mode so we can remove the offending NFS mount entries. >> >> I'll admit that NCR UNIX is not a strength of mine. ;) >> >> The box is a re-branded Dell with a CD, floppy, and tape drive. >> > > -- > Nico Halpern > Non ex transverso sed deorsum! > > -- > This message was scanned by ESVA and is believed to be clean. > Click here to report this message as spam. > http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id= > > -- Dustin Puryear President and Sr. 
Consultant Puryear Information Technology, LLC 225-706-8414 x112 http://www.puryear-it.com Author, "Best Practices for Managing Linux and UNIX Servers" http://www.puryear-it.com/pubs/linux-unix-best-practices/ From ntwrkd@gmail.com Tue Jan 27 17:28:24 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0S1SNLc052160 for ; Tue, 27 Jan 2009 17:28:24 -0800 (PST) (envelope-from ntwrkd@gmail.com) Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.30]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0S1SK6B006728 for ; Tue, 27 Jan 2009 17:28:23 -0800 (PST) Received: by yw-out-2324.google.com with SMTP id 9so2672072ywe.29 for ; Tue, 27 Jan 2009 17:28:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=2w7/ca9eGciLX15O1tjK5/w+2STjLG6ths/NrEBCs5M=; b=w1JaDO0iotB5zhjw1pt+y+u5pP1RlYbsU7BDrQRWubmHu00T0Ox4Xu5YL65c/glcw2 FcvGjDNhPMcJl2lYSeGkPHgIznFBYTRm42iUnjcNHVIUS1PHrTmq5DxF23MbotWPBJ7z +GhTKJFCFAFrT76Lt4qW2UdaAewC0XD5v6aSg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=biBWA4wA5RHw65bmw+82N29gH/DSd8hkR7m5kYPNDYTFiCzcyjGNb3UDs1IllbjkRS pZNzc0YP9WYVQhvK4zAePXI200CkmwD4U+RBXDbkmK9UNaiSpGHxkRKohv+NWZOCvokM 7QpPtAXXeXAzUHU7ADcCMR2s+sDiv2PwOaZ5g= MIME-Version: 1.0 Received: by 10.151.150.13 with SMTP id c13mr479238ybo.178.1233104669855; Tue, 27 Jan 2009 17:04:29 -0800 (PST) In-Reply-To: <20090127154804.I54427@gecko.reptiles.org> References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> <497F6B53.6000307@deaddrop.org> <42338fbf0901271237p7afc57c5t96fec0136c8485a8@mail.gmail.com> <20090127154804.I54427@gecko.reptiles.org> Date: Tue, 27 Jan 2009 17:04:29 -0800 Message-ID: 
From: Matthew Sacks To: Cat Okita Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=8% Cc: SAGE Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2009 01:28:27 -0000 Sourcefire's IDSes are good. On Tue, Jan 27, 2009 at 12:50 PM, Cat Okita wrote: > On Tue, 27 Jan 2009, Dustin J. Mitchell wrote: >> >> On Tue, Jan 27, 2009 at 3:15 PM, Etaoin Shrdlu >> wrote: >>> >>> You can't get more enterprise than that. I would consider them the gold >>> standard. I have no idea of the expense, or lack of it, but cannot >>> imagine >>> an environment that they could not keep up with. >> >> Well, they have *both* "products" and "solutions", and everyone knows >> that products are totally the stuff of the industrial revolution. So >> they could get more enterprise by dropping the products and just >> selling solutions. Some synergy wouldn't hurt, either. > > True - and we should really define our use cases, and make sure that all > stakeholders are appropriately informed and involved before sending out > anything ressembling an RFI. It'd be a shame if we overlooked the option > to leverage existing resources and solutions to incentivize a readily > supported cross-enterprise best-of-breed platform. > > cheers! > ========================================================================== > "A cat spends her life conflicted between a deep, passionate and profound > desire for fish and an equally deep, passionate and profound desire to > avoid getting wet. This is the defining metaphor of my life right now." 
> _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > From rski@chycoski.com Tue Jan 27 21:00:40 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0S50c0P057091 for ; Tue, 27 Jan 2009 21:00:40 -0800 (PST) (envelope-from rski@chycoski.com) Received: from adsl-67-122-242-225.dsl.pltn13.pacbell.net (adsl-67-122-242-225.dsl.pltn13.pacbell.net [67.122.242.225]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0S50ZwN009004 for ; Tue, 27 Jan 2009 21:00:38 -0800 (PST) Received: from [192.168.72.2] (wizfast.rski.net [192.168.72.2]) by adsl-67-122-242-225.dsl.pltn13.pacbell.net (8.13.8/8.13.8) with ESMTP id n0S50Muh029088; Tue, 27 Jan 2009 21:00:25 -0800 Message-ID: <497FE666.6030708@chycoski.com> Date: Tue, 27 Jan 2009 21:00:22 -0800 From: Richard Chycoski User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Cat Okita References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> <497F6B53.6000307@deaddrop.org> <42338fbf0901271237p7afc57c5t96fec0136c8485a8@mail.gmail.com> <20090127154804.I54427@gecko.reptiles.org> In-Reply-To: <20090127154804.I54427@gecko.reptiles.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2009 05:00:41 -0000 Cat Okita wrote: > It'd be a shame if we overlooked the option > to leverage existing resources and solutions to incentivize a readily > supported cross-enterprise best-of-breed platform. Oooooooh - kitty on catnip!!!! 
:-) I used to really like the Network General/Netscout Sniffer. In it's original, barely-transportable form it was a fantastic instrument. It kept getting better until it got 'transformed' to Java - after which, it became too much of a pain to install and use (IMNSHO). It does have a stellar 'expert mode', which helps even a network newbie find a lot of network issues without having to understand and personally decode the underlying protocol down to the bits. I haven't attempted to install it for a couple of years, so hopefully the Java interface and compatibility issues have been attended to. Like most of the crowd, I mostly use Wireshark now. It even includes a few of $WORK's protocols that are (or were) hard to find in other products. It *has* been known to have name resolution issues, to the point where I learned to turn off name resolution when I didn't really need it. - Richard From cat@reptiles.org Tue Jan 27 21:06:06 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0S5664p057223 for ; Tue, 27 Jan 2009 21:06:06 -0800 (PST) (envelope-from cat@reptiles.org) Received: from mailbox.reptiles.org (rootgecko.reptiles.org@mailbox.reptiles.org [198.96.210.227]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0S562hS009069 for ; Tue, 27 Jan 2009 21:06:05 -0800 (PST) Received: from (invalid client hostname: the DNS A record for the hostname 'www.reptiles.ca' does not match the address [198.96.210.227])www.reptiles.ca ([198.96.210.227] port=57363) by mailbox.reptiles.org([198.96.210.227] port=25) via TCP with esmtp (2656 bytes) (sender: ) (ident using UNIX) id for ; Wed, 28 Jan 2009 00:06:00 -0500 (EST) (Smail-3.2.0.121 2005-Nov-17 #4 built 2006-Nov-28) Date: Wed, 28 Jan 2009 00:05:59 -0500 (EST) From: Cat Okita To: Richard Chycoski In-Reply-To: <497FE666.6030708@chycoski.com> Message-ID: <20090128000200.M54427@gecko.reptiles.org> References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> 
<497F6B53.6000307@deaddrop.org> <42338fbf0901271237p7afc57c5t96fec0136c8485a8@mail.gmail.com> <20090127154804.I54427@gecko.reptiles.org> <497FE666.6030708@chycoski.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2009 05:06:06 -0000 On Tue, 27 Jan 2009, Richard Chycoski wrote: > Cat Okita wrote: >> It'd be a shame if we overlooked the option >> to leverage existing resources and solutions to incentivize a readily >> supported cross-enterprise best-of-breed platform. > Oooooooh - kitty on catnip!!!! :-) Hell no :) Catnip just mellows you out man... :P > Like most of the crowd, I mostly use Wireshark now. It even includes a few of > $WORK's protocols that are (or were) hard to find in other products. It *has* > been known to have name resolution issues, to the point where I learned to > turn off name resolution when I didn't really need it. Functionally I'd say the problem with the original question is that it's not clear if he's asking about "how do I look at packets in real time" or "how do I track and archive packets over time" or "how do I get a hold of packets for something else to look at". I think we've skipped over "are active or passive taps better", which would be the third part -- but we've definitely wandered through the other two. Of course the OP may simply not be certain of what he's actually looking for, and will hopefully post more helpful and useful information about the problem he's trying to solve before we all wander off down a hopeless rathole[0]. cheers! [0] Hopeless because there aren't any rats at the bottom of it. 
========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." From jnavarro@aomail.uab.es Wed Jan 28 06:27:41 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n0SEReBN068896 for ; Wed, 28 Jan 2009 06:27:41 -0800 (PST) (envelope-from jnavarro@aomail.uab.es) Received: from damascus.uab.es (damascus.uab.es [158.109.168.135]) by usenix.org (8.13.6/8.13.6) with ESMTP id n0SERbbq005303 for ; Wed, 28 Jan 2009 06:27:40 -0800 (PST) Received: from damascus.uab.es ([127.0.0.1]) by damascus.uab.es (Sun Java System Messaging Server 6.1 HotFix 0.10 (built Jan 6 2005)) with ESMTP id <0KE6005D5O0F2H80@damascus.uab.es> for sage-members@sage.org; Wed, 28 Jan 2009 14:26:39 +0100 (CET) Received: from aomail.uab.es ([158.109.65.1]) by damascus.uab.es (Sun Java System Messaging Server 6.1 HotFix 0.10 (built Jan 6 2005)) with ESMTP id <0KE6009ROO0FY3C0@damascus.uab.es> for sage-members@sage.org; Wed, 28 Jan 2009 14:26:39 +0100 (CET) Received: from [158.109.65.83] (aopcjn.uab.es [158.109.65.83]) by aomail.uab.es (Servidor de Correo) with ESMTP id 28A2416AAD6 for ; Wed, 28 Jan 2009 14:26:39 +0100 (CET) Date: Wed, 28 Jan 2009 14:26:38 +0100 From: Javier Navarro In-reply-to: <20090128000200.M54427@gecko.reptiles.org> To: SAGE Message-id: <49805D0E.3030405@caos.uab.es> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1; format=flowed Content-transfer-encoding: 7BIT References: <82a71f8a0901271147q308ffb16v1cce251d523454d4@mail.gmail.com> <"49 7F6B53.6000307"@deaddrop.org> <20090127154804.I54427@gecko.reptiles.org> <497FE666.6030708@chycoski.com> <20090128000200.M54427@gecko.reptiles.org> User-Agent: Thunderbird 2.0.0.18 (X11/20081125) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 
Fuz2=1 rep=9% X-Mailman-Approved-At: Wed, 28 Jan 2009 06:32:22 -0800 Subject: Re: [SAGE] Network Sniffers X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2009 14:27:41 -0000 What about Ntop? http://www.ntop.org/overview.html > On Tue, 27 Jan 2009, Richard Chycoski wrote: >> Cat Okita wrote: >>> It'd be a shame if we overlooked the option >>> to leverage existing resources and solutions to incentivize a >>> readily supported cross-enterprise best-of-breed platform. >> Oooooooh - kitty on catnip!!!! :-) > > Hell no :) Catnip just mellows you out man... :P > >> Like most of the crowd, I mostly use Wireshark now. It even includes >> a few of $WORK's protocols that are (or were) hard to find in other >> products. It *has* been known to have name resolution issues, to the >> point where I learned to turn off name resolution when I didn't >> really need it. > > Functionally I'd say the problem with the original question is that > it's not clear if he's asking about "how do I look at packets in > real time" or "how do I track and archive packets over time" or "how > do I get a hold of packets for something else to look at". > > I think we've skipped over "are active or passive taps better", which > would be the third part -- but we've definitely wandered through the > other two. > > Of course the OP may simply not be certain of what he's actually looking > for, and will hopefully post more helpful and useful information about > the problem he's trying to solve before we all wander off down a hopeless > rathole[0]. > > cheers! > [0] Hopeless because there aren't any rats at the bottom of it. 
> ==========================================================================
>
> "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members

From livenyc@gmail.com Wed Jan 28 06:51:07 2009
From: Igor V
To: SAGE Members
Date: Wed, 28 Jan 2009 09:51:04 -0500
Subject: [SAGE] exchange mailing list alternatives

Exchange 2003 has nice integration with Outlook for creating mailing lists. However, it also has some annoying limitations (i.e. list size limits that kick in without warning and a pretty clunky way of managing existing list memberships).

Is anyone using any 3rd party products that have a similar level of integration with Outlook without the limitations of the native solution?

Note that I'm not looking for a dedicated mailing list solution like mailman - just looking for a better way to help my users manage a 500-1000 member Outlook distribution list without much intervention on my part, and without a lot of extra training for them.

thanks
-iv

From Wesley.Simon@lsi.com Wed Jan 28 07:26:17 2009
From: "Simon, Wesley"
To: Dustin Puryear
Cc: "sage-members@sage.org"
Date: Wed, 28 Jan 2009 08:26:02 -0700
Subject: Re: [SAGE] NCR UNIX help..
I manage (make sure it's running) an NCR UNIX (MP-RAS) machine that does software builds. It's a large beside-the-desk style tower machine that consumes lots of power and space in the datacenter. It has two or three SCSI drives (probably 1 or 2 GB each) inside it. I'd love to move this to VMware ESXi and recycle the hardware.

Has anyone ever gotten this to run as a VM? I haven't even tried doing this yet; I probably should before the thing dies.

Wesley Simon
316.636.8078

-----Original Message-----
From: sage-members-bounces@mailman.sage.org [mailto:sage-members-bounces@mailman.sage.org] On Behalf Of Dustin Puryear
Sent: Tuesday, January 27, 2009 1:14 PM
To: Nico Halpern
Cc: sage-members@sage.org
Subject: Re: [SAGE] NCR UNIX help..

NCR UNIX uses the vxfs file system. I was able to finally figure it all out using an original CD boot and maintenance mode. Quite a pain, FYI.

Nico Halpern wrote:
> Dustin,
>
> Have you tried booting from media?
> You should be able to use a Linux rescue CD, mount the root partition as UFS, and go to town on it.
>
> Dustin Puryear wrote:
>> Hi guys-
>>
>> We have an NCR UNIX system that we need to update the IP configuration for. (The system was moved from one data center to another.) Alas, the system is hanging on "NFS Initialization", I assume as it tries to mount some NFS filesystems it no longer has access to.
>>
>> Anyone familiar with these systems?
>>
>> We can't find any documentation on how to get this box into single-user mode so we can remove the offending NFS mount entries.
>>
>> I'll admit that NCR UNIX is not a strength of mine. ;)
>>
>> The box is a re-branded Dell with a CD, floppy, and tape drive.
>>
>
> --
> Nico Halpern
> Non ex transverso sed deorsum!
>
> --
> This message was scanned by ESVA and is believed to be clean.
> Click here to report this message as spam.
> http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=
>

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/
_______________________________________________
sage-members mailing list
sage-members@mailman.sage.org
http://mailman.sage.org/mailman/listinfo/sage-members

From milburn@panix.com Wed Jan 28 08:33:49 2009
From: "Shane B. Milburn"
To: Doug Hanks
Cc: sage-members@sage.org
Date: Wed, 28 Jan 2009 11:33:53 -0500 (EST)
Subject: Re: [SAGE] Network Sniffers

I really like Network General's Infinistream (guess NetScout now). The product is always capturing traffic and I'm always able to answer the "What happened yesterday with the network?" question. The tool is pretty easy to set up and use. You can also export captures to allow individuals with Wireshark to view them if they need it.

http://www.netscout.com/products/infinistream.asp

If you can afford it, add on the Application Intelligence module. It is pretty powerful and will show you turns and other flow information you've never seen (or rarely see) about your applications. The Sniffer-U classes they teach are really good too and are worth sending at least one person to be the tool expert.

cheers
-shane

On Tue, 27 Jan 2009, Doug Hanks wrote:
> Hey guys,
>
> Anyone have any experience with commercial / hardware / blackbox network sniffers?
>
> We're looking for something easy to use, but yet has all the features you would expect to see in an enterprise environment.
>
> --
> - Doug Hanks = dhanks(at)gmail(dot)com
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

--
Shane B. Milburn                        Email: milburn@panix.com
Director of IT & Product Operations     GPG Key ID: 9DA907DA
http://twitter.com/shanemilburn

From netfortius@gmail.com Wed Jan 28 09:22:37 2009
From: Network Fortius
To: sage-members@sage.org
Date: Wed, 28 Jan 2009 11:22:34 -0600
Subject: Re: [SAGE] Network Sniffers
I would strongly recommend Richard Bejtlich's book:

http://www.amazon.com/Tao-Network-Security-Monitoring-Intrusion/dp/0321246772

It is worth every penny, and you should get out of it everything needed to make a good decision on what and how to address a question like the original one. If it is just for a "flavor" of what you may be able to find useful, read Richard's blog here:

http://taosecurity.blogspot.com/search?q=network+monitoring

...

Stefan

On Wed, Jan 28, 2009 at 10:33 AM, Shane B. Milburn wrote:
>
> I really like Network General's Infinistream (guess NetScout now). The product is always capturing traffic and I'm always able to answer the "What happened yesterday with the network?" question. The tool is pretty easy to set up and use. You can also export captures to allow individuals with Wireshark to view them if they need it.
>
> http://www.netscout.com/products/infinistream.asp
>
> If you can afford it, add on the Application Intelligence module. It is pretty powerful and will show you turns and other flow information you've never seen (or rarely see) about your applications. The Sniffer-U classes they teach are really good too and are worth sending at least one person to be the tool expert.
>
> cheers
> -shane
>
> On Tue, 27 Jan 2009, Doug Hanks wrote:
>
>> Hey guys,
>>
>> Anyone have any experience with commercial / hardware / blackbox network sniffers?
>>
>> We're looking for something easy to use, but yet has all the features you would expect to see in an enterprise environment.
>>
>> --
>> - Doug Hanks = dhanks(at)gmail(dot)com
>> _______________________________________________
>> sage-members mailing list
>> sage-members@mailman.sage.org
>> http://mailman.sage.org/mailman/listinfo/sage-members
>>
>>
>
> --
> Shane B. Milburn                        Email: milburn@panix.com
> Director of IT & Product Operations     GPG Key ID: 9DA907DA
> http://twitter.com/shanemilburn
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

From dustin@puryear-it.com Thu Jan 29 07:54:43 2009
From: Dustin Puryear
Organization: Puryear IT, LLC
To: "Simon, Wesley"
Date: Thu, 29 Jan 2009 09:26:27 -0600
Cc: "sage-members@sage.org"
Subject: Re: [SAGE] NCR UNIX help..

We're looking at the same thing for this client. We should share notes! The NCR box makes everyone nervous.

Simon, Wesley wrote:
>
> I manage (make sure it's running) an NCR UNIX (MP-RAS) machine that does software builds. It's a large beside-the-desk style tower machine that consumes lots of power and space in the datacenter. It has two or three SCSI drives (probably 1 or 2 GB each) inside it. I'd love to move this to VMware ESXi and recycle the hardware.
>
> Has anyone ever gotten this to run as a VM? I haven't even tried doing this yet; I probably should before the thing dies.
>
> Wesley Simon
> 316.636.8078
>
> -----Original Message-----
> From: sage-members-bounces@mailman.sage.org [mailto:sage-members-bounces@mailman.sage.org] On Behalf Of Dustin Puryear
> Sent: Tuesday, January 27, 2009 1:14 PM
> To: Nico Halpern
> Cc: sage-members@sage.org
> Subject: Re: [SAGE] NCR UNIX help..
>
> NCR UNIX uses the vxfs file system. I was able to finally figure it all out using an original CD boot and maintenance mode. Quite a pain, FYI.
>
> Nico Halpern wrote:
>> Dustin,
>>
>> Have you tried booting from media?
>> You should be able to use a Linux rescue CD, mount the root partition as UFS, and go to town on it.
>>
>> Dustin Puryear wrote:
>>> Hi guys-
>>>
>>> We have an NCR UNIX system that we need to update the IP configuration for. (The system was moved from one data center to another.) Alas, the system is hanging on "NFS Initialization", I assume as it tries to mount some NFS filesystems it no longer has access to.
>>>
>>> Anyone familiar with these systems?
>>>
>>> We can't find any documentation on how to get this box into single-user mode so we can remove the offending NFS mount entries.
>>>
>>> I'll admit that NCR UNIX is not a strength of mine. ;)
>>>
>>> The box is a re-branded Dell with a CD, floppy, and tape drive.
>>>
>> --
>> Nico Halpern
>> Non ex transverso sed deorsum!
>>
>
> --
> Dustin Puryear
> President and Sr. Consultant
> Puryear Information Technology, LLC
> 225-706-8414 x112
> http://www.puryear-it.com
>
> Author, "Best Practices for Managing Linux and UNIX Servers"
> http://www.puryear-it.com/pubs/linux-unix-best-practices/
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

From dustin@puryear-it.com Thu Jan 29 09:14:31 2009
From: Dustin Puryear
Organization: Puryear IT, LLC
To: Igor V
Cc: SAGE Members
Date: Thu, 29 Jan 2009 09:25:36 -0600
Subject: Re: [SAGE] exchange mailing list alternatives

This is probably way overboard, but with Microsoft ILM (and I assume their free version) you can do some pretty outstanding distribution list management using dynamic queries (e.g., "if you have the Title X and are in Department Y then you are in this, this, and this list").

Igor V wrote:
> Exchange 2003 has nice integration with Outlook for creating mailing lists. However, it also has some annoying limitations (i.e. list size limits that kick in without warning and a pretty clunky way of managing existing list memberships).
>
> Is anyone using any 3rd party products that have a similar level of integration with Outlook without the limitations of the native solution?
>
> Note that I'm not looking for a dedicated mailing list solution like mailman - just looking for a better way to help my users manage a 500-1000 member Outlook distribution list without much intervention on my part, and without a lot of extra training for them.
>
> thanks
> -iv
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

From dsf@catbert.org Tue Feb 3 01:04:14 2009
From: Dan Foster
To: SAGE mailing list
Date: Tue, 3 Feb 2009 04:04:10 -0500
Subject: Re: [SAGE] Don't shout at your disk drives!

Hot Diggety! Dan Foster was rumored to have written:
> Another I/O performance tuning tip for DBAs and storage engineers:
>
> http://www.channelregister.co.uk/2009/01/05/shouty_sun_engineer/
>
> Interesting YouTube video from a Sun engineer with visual benchmarked data in real time to support his interesting claim.
>
> So... can I safely conclude that sites with high disk I/O wait must have a lot of red-faced people working in the data centers or loud fans with broken ball bearings? ;)
>
> I can just see it now: flaky server is on verge of drive failure. Angry admin screams at it out of frustration. Server dies. Hmm. Coincidence?
>
> ;)
>
> This was too good to resist passing up a mention of.

Seems I should say something, judging from my private email.

First of all, I was _NOT_ at all intending any offence or disrespect towards the Sun Fishworks engineer (Brendan Gregg) who prepared the most interesting and thought-provoking research and accompanying video. It got my attention.

I had clicked on the link, not expecting it to be worth checking out, figuring it to be a fluff piece given The Register's article title. But I was quickly proven wrong -- certainly not the first time that's happened. :)

I should mention that amongst vendors, I've got the greatest of respect for the fine Sun Microsystems engineers that I've had the pleasure of working with; both at work and outside of work for personal projects. I've been using Sun Microsystems products ever since my first Sun, the venerable 3/50 in a hellish configuration -- 4 MB RAM, no hard drive, EVERYTHING (_including_ swap!!) NFS-mounted over 10base2 -- nearly 20 years ago. Used Suns ever since.

Sun engineers pulled off one of the greatest April Fools pranks of all time: they put Bill Joy's Ferrari (safely) on top of a pond in 1987. :-) I think that's extremely hard to top, even by MIT Hacks standards!

http://www.sun.com/aboutsun/media/presskits/25years/sunpranks.html
http://hacks.mit.edu/

People who are more familiar with my quirky style can generally vouch for the simple fact that I'm heavy on the humour in person and at work (and elsewhere) because that's just me. Good times, bad times, doesn't matter. If something tickles my funny bone, I'll be sure to pipe up! :)

Again, no disrespect was intended and I sincerely apologize if anyone took it the wrong way. Especially Mr. Gregg.
To be fair, here's the complete blog post of his for this that puts it in its fuller context:

http://blogs.sun.com/brendan/entry/unusual_disk_latency

The comments are pretty good reading, too!

Most respectfully,

-Daniel S. Foster, USENIX/SAGE member #46941

P.S. The 3/80 chock full of memory, local disk, and that was on a lightly populated Ethernet segment was HEAVENLY to use!

From allbery@ece.cmu.edu Tue Feb 3 10:55:26 2009
From: "Brandon S. Allbery KF8NH"
To: Dan Foster
Cc: SAGE mailing list
Date: Tue, 3 Feb 2009 13:55:05 -0500
Subject: Re: [SAGE] Don't shout at your disk drives!
On 2009 Feb 3, at 4:04, Dan Foster wrote:
> Seems I should say something, judging from my private email.

Bzuh? People need to lighten up.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell]             allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats]               allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH

From gary.studwell@gmail.com Tue Feb 3 11:47:50 2009
From: Gary Studwell
To: SAGE mailing list
Date: Tue, 3 Feb 2009 12:47:47 -0700
Subject: Re: [SAGE] Don't shout at your disk drives!

On Tue, Feb 3, 2009 at 11:55 AM, Brandon S. Allbery KF8NH wrote:
> On 2009 Feb 3, at 4:04, Dan Foster wrote:
>>
>> Seems I should say something, judging from my private email.
>
> Bzuh? People need to lighten up.
>
> --
> brandon s. allbery [solaris,freebsd,perl,pugs,haskell]             allbery@kf8nh.com
> system administrator [openafs,heimdal,too many hats]               allbery@ece.cmu.edu
> electrical and computer engineering, carnegie mellon university    KF8NH
>
> sage-members@mailman.sage.org
> http://mailman.sage

I second that.
There was nothing I can perceive as offensive or disrespectful towards Mr. Gregg, Sun, or any Sun products. The video was interesting and kind of fun, and thanks for mentioning it. (Now I want to do it!)

Gary

From prvs=278a18b7e=bear@nashvillewraps.com Tue Feb 3 12:11:57 2009
From: "Bear Golightly"
Date: Tue, 3 Feb 2009 13:59:17 -0600
Subject: [SAGE] Task management strategies/software?
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2009 20:11:57 -0000 I got a big list of recurring daily, weekly, monthly, quarterly, etc network management tasks, along with the one-shot tasks we pick up throughout the day (provision some storage, etc.) I want to put these tasks into a task management system of some sort, separate from the trouble ticketing system, so that I can better visualize and manage what our tasks are, what we need to get done today, and which ones did/did not get done. I've looked at a few "task tracking" packages but they seem very heavy. What strategies do you use for this need? Bear Golightly Network Manager Nashville Wraps 615-338-3180 From neil@neely.cx Tue Feb 3 12:35:39 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n13KZddC038092 for ; Tue, 3 Feb 2009 12:35:39 -0800 (PST) (envelope-from neil@neely.cx) Received: from mail-ew0-f20.google.com (mail-ew0-f20.google.com [209.85.219.20]) by usenix.org (8.13.6/8.13.6) with ESMTP id n13KZanE024466 for ; Tue, 3 Feb 2009 12:35:39 -0800 (PST) Received: by ewy13 with SMTP id 13so2848533ewy.23 for ; Tue, 03 Feb 2009 12:35:30 -0800 (PST) Received: by 10.66.233.18 with SMTP id f18mr2647372ugh.28.1233693330230; Tue, 03 Feb 2009 12:35:30 -0800 (PST) Received: from ?192.168.10.14? 
From: Neil Neely
To: Bear Golightly
Cc: sage-members@sage.org
Date: Tue, 3 Feb 2009 13:35:20 -0700
Message-Id: <5A6C679B-0499-40F5-A902-DBE76DAB1151@neely.cx>
Subject: Re: [SAGE] Task management strategies/software?

On the opposite side of the spectrum from 'heavy' is: hiveminder

http://hiveminder.com

It is a free hosted task list, so trying it out only costs you a little time. It is a rather handy and easy to use task tracking system - doesn't have much in the way of bells and whistles, but it does track tasks well enough. You can interface with it a lot of ways (Email, IM, etc.) I mostly just use the web interface. It's also got programmatic interfaces if you are so inclined.

Neil Neely
http://neil-neely.blogspot.com

On Feb 3, 2009, at 12:59 PM, Bear Golightly wrote:

> I got a big list of recurring daily, weekly, monthly, quarterly, etc
> network management tasks, along with the one-shot tasks we pick up
> throughout the day (provision some storage, etc.)
>
> I want to put these tasks into a task management system of some
> sort, separate from the trouble ticketing system, so that I can
> better visualize and manage what our tasks are, what we need to get
> done today, and which ones did/did not get done.
>
> I've looked at a few "task tracking" packages but they seem very
> heavy.
>
> What strategies do you use for this need?
>
> Bear Golightly
> Network Manager
> Nashville Wraps
> 615-338-3180
>
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members

From bergman@merctech.com Tue Feb 3 12:38:01 2009
From: bergman@merctech.com
To: "Bear Golightly"
Cc: sage-members@sage.org
Date: Tue, 03 Feb 2009 15:37:47 -0500
Message-ID: <12502.1233693467@mirchi>
Subject: Re: [SAGE] Task management strategies/software?
In the message dated: Tue, 03 Feb 2009 13:59:17 CST,
The pithy ruminations from "Bear Golightly" on
<[SAGE] Task management strategies/software?> were:

=> I got a big list of recurring daily, weekly, monthly, quarterly, etc network management tasks, along with the one-shot tasks we pick up throughout the day (provision some storage, etc.)
=>
=> I want to put these tasks into a task management system of some sort, separate from the trouble ticketing system, so that I can better visualize and manage what our tasks are, what we need to get done today, and which ones did/did not get done.
=>
=>
=> I've looked at a few "task tracking" packages but they seem very heavy.
=>
=> What strategies do you use for this need?
=>

As far as I'm concerned, there's really only one answer to this question:

Time Management for System Administrators
By Thomas A. Limoncelli
November 2005
Pages: 226
ISBN 10: 0-596-00783-3 | ISBN 13: 9780596007836
http://oreilly.com/catalog/9780596007836/

It's a little unclear whether you're asking about strategies or implementations, but as the book points out, you don't really need a specific software package or device to follow his recommendations.

As an aside, I'd be hugely grateful if someone with more coding ability than I've got would hack kdepimpi (a terrific multi-platform calendar/contact list, http://sourceforge.net/projects/kdepimpi/) to fully exploit Tom's ideas.
Mark

From yesthattom@gmail.com Tue Feb 3 12:41:59 2009
From: Tom Limoncelli
To: Bear Golightly
Date: Tue, 3 Feb 2009 15:34:17 -0500
Cc: sage-members@sage.org
Subject: Re: [SAGE] Task management strategies/software?

I don't have a great solution, but this is what works for me.

My daytimer has a bookmark that is clear plastic with a pocket. In the pocket fits strips of papers (comes with each year's refills). I write my weekly and monthly todo list on that slip of paper so that it is right there whenever I need it. It is low tech, but it works.

For group-related todos, I have a wikipage and a cronjob that opens a ticket on Monday and the first day of the month. The ticket includes a URL to the wikipage and a note saying, "Close this ticket when the [weekly|monthly] tasks are complete." I've considered having it generate one ticket for each item, but many of them are small enough that closing the ticket would take longer than doing the task.

I think a better solution would be to have a table in a wikipage (or an online spreadsheet like http://spreadsheets.google.com for example) with a row for each task and a column for each Monday of the year. People can write their name in when they've completed the task. This would provide a "sign off" capability.

A great open source project would be for a web-based system specifically tuned for this kind of thing. Doing it in Django, Ruby-on-Rails, or as a plug-in for RT would make it rather fast to implement.

HTH
Tom
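Tom's two ideas above (a cron job that opens a weekly ticket on Monday and a monthly ticket on the 1st, and a sign-off table with a row per task and a column per Monday) are small enough to sketch in code. The following is an added example written for this archive page; it is not code from Tom's post, from RT, or from any of the tools named in the thread. The wiki URL, the task names, the ticket subject format and the initials are all constructed for illustration, and the script stops at producing the ticket text and the table, since how a ticket is actually filed depends on your ticketing system. It goes one step beyond the post in two places: it handles the day on which the 1st falls on a Monday (both tickets are opened, so neither checklist is skipped), and it derives the "which ones did not get done" view from the sign-off table.

```python
"""Recurring-task helpers: cron-driven checklist tickets plus a per-Monday
sign-off table. Added example, not the original poster's code."""
import calendar
from datetime import date, timedelta

# Constructed placeholder; point this at your own checklist page.
WIKI_URL = "https://wiki.example.org/RecurringTasks"


def _ticket(period: str, day: date) -> dict:
    # Subject/body wording is our own; the post only describes the note text.
    return {
        "subject": f"{period.capitalize()} sysadmin tasks for {day.isoformat()}",
        "body": (
            f"Checklist: {WIKI_URL}\n"
            f"Close this ticket when the {period} tasks are complete."
        ),
    }


def tickets_for(day: date) -> list:
    """Ticket(s) a daily cron run should open on `day`.

    One weekly ticket on Monday, one monthly ticket on the 1st. When the
    1st is a Monday both are returned; a single combined ticket would let
    one checklist be closed without the other being looked at.
    """
    tickets = []
    if day.weekday() == calendar.MONDAY:
        tickets.append(_ticket("weekly", day))
    if day.day == 1:
        tickets.append(_ticket("monthly", day))
    return tickets


def mondays_of_year(year: int) -> list:
    """Every Monday in `year`; these become the sign-off table's columns."""
    first = date(year, 1, 1)
    first_monday = first + timedelta(days=(calendar.MONDAY - first.weekday()) % 7)
    mondays = []
    d = first_monday
    while d.year == year:
        mondays.append(d)
        d += timedelta(days=7)
    return mondays


def signoff_table(tasks: list, year: int, done=None) -> list:
    """Row per task, column per Monday. A cell holds the initials of whoever
    signed the task off that week, or "" if nobody has.

    `done` maps (task, monday_date) -> initials. The result is a list of rows
    (first row is the header) ready for CSV, wiki-table markup or a
    spreadsheet import.
    """
    done = done or {}
    mondays = mondays_of_year(year)
    header = ["task"] + [m.isoformat() for m in mondays]
    rows = [header]
    for task in tasks:
        rows.append([task] + [done.get((task, m), "") for m in mondays])
    return rows


def unsigned(table: list, as_of: date) -> list:
    """(task, monday_iso) pairs with no sign-off for Mondays on or before
    `as_of`: the "which ones did not get done" view from the question."""
    header, *body = table
    missing = []
    for row in body:
        for col, cell in zip(header[1:], row[1:]):
            if cell == "" and date.fromisoformat(col) <= as_of:
                missing.append((row[0], col))
    return missing


if __name__ == "__main__":
    # Constructed sample data.
    tasks = ["rotate logs", "check backups", "review firewall rules"]
    done = {("rotate logs", date(2009, 1, 5)): "tal",
            ("check backups", date(2009, 1, 5)): "bg"}
    table = signoff_table(tasks, 2009, done)
    for t in tickets_for(date(2009, 6, 1)):   # 1 June 2009 was a Monday
        print(t["subject"])
    for task, week in unsigned(table, date(2009, 1, 12)):
        print(f"NOT DONE: {task} for week of {week}")
```

Run `tickets_for(date.today())` from a daily cron entry and hand each returned dict to whatever creates tickets in your system (an e-mail to the RT queue address, for instance); the sign-off table is regenerated once a year and the `unsigned` report is what you would paste into the Monday ticket.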
From cmc@math.hmc.edu Tue Feb 3 14:50:38 2009
From: "C.M. Connelly"
Organization: Harvey Mudd College, Department of Mathematics
To: Neil Neely
In-reply-to: <5A6C679B-0499-40F5-A902-DBE76DAB1151@neely.cx>
Date: Tue, 03 Feb 2009 14:04:42 -0800
Message-ID: <2840.1233698682@vosill.math.hmc.edu>
Cc: sage-members@sage.org
Subject: Re: [SAGE] Task management strategies/software?

I'll second Neil's recommendation of Hiveminder, which is developed by the same people who do Request Tracker. You get a lot of functionality for free (including the ability for several users to share a set of tasks, assign them to one another, and so on). The things I like the most are the tags and the ability to chain tasks together with dependencies/requirements.

There's also a paid version (which I have), that has some additional features such as reports and IMAP support (tasks appear in IMAP mailboxes and can be dealt with by dragging them from one mailbox to another).
Claire

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Claire Connelly                          cmc@math.hmc.edu
Systems Administrator                    (909) 621-8754
Department of Mathematics
Harvey Mudd College
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From jel@usenix.org Wed Feb 4 07:35:33 2009
From: Jane-Ellen Long
To: sage-members@sage.org
Date: Wed, 4 Feb 2009 07:35:29 -0800
Subject: [SAGE] OTRS and VMware

From: "shades2@iinet.net.au"
Date: February 3, 2009 5:09:39 PM PST
To: sage-members@sage.org
Subject: OTRS Version 2.3.3 and VMware ESXi 3.5
Reply-To: shades2@iinet.net.au

We have implemented OTRS Version 2.3.3 which has a MySQL back-end. Does anyone have any war stories to share about this app, it seems pretty widely used and Wikimedia utilises it.
I'd like to customise a few things about it, but I'm concerned that my whole day is then going to start revolving around a ticketing system instead of what I should be doing. Is there a lot of work involved to craft it to your organisation's needs?

In addition to that I've also implemented VMware ESXi 3.5 server which we are happily running with two Linux virtual machines (or client OSes). After 60 days you are required to apply the supplied key from VMware (free install) but it mentions you will lose some functionality, does anyone know exactly what functionality you lose when registering it with the freely supplied key?

Thanks in advance, Mike.

From neil@neely.cx Wed Feb 4 07:56:46 2009
From: Neil Neely
To: Jane-Ellen Long
Cc: sage-members@sage.org
Date: Wed, 4 Feb 2009 08:56:36 -0700
Message-Id: <36D587A6-163B-47C8-A5E4-B84573BA6D22@neely.cx>
Subject: Re: [SAGE] OTRS and VMware
This blog post looks like it explores the difference between free and licensed ESX pretty well.

http://vmetc.com/2008/08/10/whats-the-difference-between-free-esxi-and-licensed-esxi/

Short answer: You probably aren't losing anything you care about yet - but read that article to look at the details. ESXi is a stand alone product, whereas ESX Enterprise works with Virtual Infrastructure and you can manage lots of ESX servers as one single "Data Center". You don't get features like DRS, HA, or VMotion without the Licensed product, but with only a single server those don't work anyway.

Neil Neely
http://neil-neely.blogspot.com
From djmitche@gmail.com Wed Feb 4 09:29:06 2009
Date: Wed, 4 Feb 2009 12:28:54 -0500
Message-ID: <42338fbf0902040928u89a8c76y6936d1e552a3312e@mail.gmail.com>
From: "Dustin J. Mitchell"
To: Jane-Ellen Long
Cc: sage-members@sage.org
Subject: Re: [SAGE] OTRS and VMware

On Wed, Feb 4, 2009 at 10:35 AM, Jane-Ellen Long wrote:
> We have implemented OTRS Version 2.3.3 which has a MySQL back-end. Does
> anyone have any war stories to share about this app, it seems pretty
> widely used and Wikimedia utilises it.

I'm exposed to OTRS as a user, and I find it almost unusable. Its web interface basically injects an email into the system, and by default it does not auto-fill the subject (so I have to retype or copy/paste the issue topic every time), and closes the issue.

My usual interaction with OTRS, after the initial ticket creation, is the following:

1. Go to web page, type some comments, hit submit
2. Get told the issue needs a subject; copy/paste subject, hit submit
3. Get a confirmation email that the ticket is now closed
4. Test issue, find it not resolved; begin to type angry email to IT
5. Note that *I* closed the issue, not the IT staff
6. Re-open issue

I highly recommend that my competitors employ OTRS.
Dustin

--
Storage Software Engineer
http://www.zmanda.com

From bryanf@samurai.com Wed Feb 4 10:00:13 2009
From: Bryan Fullerton
To: sage-members@sage.org
Date: Wed, 04 Feb 2009 12:42:11 -0500
Message-ID: <4989D373.8030607@samurai.com>
In-Reply-To: <42338fbf0902040928u89a8c76y6936d1e552a3312e@mail.gmail.com>
Subject: Re: [SAGE] OTRS and VMware

On 04/02/2009 12:28 PM, Dustin J. Mitchell wrote:
> I'm exposed to OTRS as a user, and I find it almost unusable. Its web
> interface basically injects an email into the system, and by default
> it does not auto-fill the subject (so I have to retype or copy/paste
> the issue topic every time), and closes the issue.
>

Your OTRS install is misconfigured. I have never had any of the issues you mention.

Bryan

From bryanf@samurai.com Wed Feb 4 10:00:21 2009
From: Bryan Fullerton
Cc: sage-members@sage.org
Date: Wed, 04 Feb 2009 12:38:42 -0500
Message-ID: <4989D2A2.5000308@samurai.com>
Subject: Re: [SAGE] OTRS and VMware

From: "shades2@iinet.net.au"
> We have implemented OTRS Version 2.3.3 which has a MySQL back-end. Does
> anyone have any war stories to share about this app, it seems pretty
> widely used and Wikimedia utilises it.

I've used OTRS for many years for my small hosting company, and in the past was quite active in the OSS project. Unfortunately I don't have as much available time anymore.
We use PostgreSQL as the backend, which works nicely but is not as well supported as the MySQL backend.

If you anticipate large ticket volume I'd strongly recommend using the ArticleStorageFS setting, which puts the contents of each ticket on the filesystem instead of in the database. The ticket metadata is of course still stored in the DB.

http://doc.otrs.org/2.3/en/html/c2515.html#performance-tuning-otrs-storage

> I'd like to customise a few things about it, but I'm concerned that my
> whole day is then going to start revolving around a ticketing system
> instead of what I should be doing. Is there a lot of work involved to
> craft it to your organisation's needs?

I guess that depends what you want to customize. Certainly good to take a look at what configuration options are already included, someone might have already built in what you want. I've done zero customization of the look-and-feel, but I only have two people (including me) managing tickets. If you want to automate things definitely look at the GenericAgent tool. At the end of the day it's all Perl, so it should be pretty easy to hack things on.

> In addition to that I've also implemented VMware ESXi 3.5 server which
> we are happily running with two Linux virtual machines (or client OSes).
> After 60 days you are required to apply the supplied key from VMware
> (free install) but it mentions you will lose some functionality, does
> anyone know exactly what functionality you lose when registering it
> with the freely supplied key?

I went through this late last year with our internal Dev server. Without the paid license you can't apply patches, either through RCLI or VI Update, you have to just re-install the whole OS when there are full releases. The upgrade process is very straight-forward and quick, since the OS is so tiny, but you're stuck without any incremental patches between releases which is obviously a security risk.
Also, you can't use RCLI to change configuration, you can only change whatever settings are available through the server console and VI Client.

Bryan

From dannyman@toldme.com Thu Feb 5 18:32:59 2009
From: Daniel Howard
To: bergman@merctech.com
Cc: sage-members@sage.org
Date: Thu, 5 Feb 2009 18:02:03 -0800
Message-ID: <2a5241e00902051802l94b87a5ofaa8a564256ae8fe@mail.gmail.com>
In-Reply-To: <12502.1233693467@mirchi>
Subject: Re: [SAGE] Task management strategies/software?

On Tue, Feb 3, 2009 at 12:37 PM, wrote:
> > I've looked at a few "task tracking" packages but they seem very
> > heavy.
> >
> > What strategies do you use for this need?
>
> As far as I'm concerned, there's really only one answer to this question:
>
> Time Management for System Administrators
> By Thomas A. Limoncelli

Hello,

I second this.
Sincerely,
-daniel

--
http://dannyman.toldme.com

From yesthattom@gmail.com Thu Feb 5 20:53:08 2009
From: Tom Limoncelli
To: Daniel Howard
Date: Thu, 5 Feb 2009 23:31:40 -0500
In-Reply-To: <2a5241e00902051802l94b87a5ofaa8a564256ae8fe@mail.gmail.com>
Cc: sage-members@sage.org
Subject: Re: [SAGE] Task management strategies/software?

On Thu, Feb 5, 2009 at 9:02 PM, Daniel Howard wrote:
> On Tue, Feb 3, 2009 at 12:37 PM, wrote:
>
>> > I've looked at a few "task tracking" packages but they seem very
>> > heavy.
>> >
>> > What strategies do you use for this need?
>>
>> As far as I'm concerned, there's really only one answer to this question:
>>
>> Time Management for System Administrators
>> By Thomas A. Limoncelli
>
> Hello,
>
> I second this.

I'm humbled by posts like this. However, I have to respectfully disagree. The specific question he asked is not really addressed by the book. (Thus I posted what I wrote earlier.)

Tom

P.S.
The book is now being discounted heavily on amazon.com and can be read online on safaribookshelf.com

From sjohnson@monsters.org Fri Feb 6 11:25:06 2009
From: Stephen L Johnson
To: "'LOPSA Technical Discussions'"
Cc: sage-members@usenix.org
Date: Fri, 06 Feb 2009 12:37:19 -0600
Message-Id: <1233945439.11697.53.camel@rodan.monsters.org>
Subject: [SAGE] Enterprise Linux Update/Upgrade advice

I'm in a mixed IBM AIX and Intel Linux shop (as well as Windows and Mainframe). I deal mostly with the Linux systems. We're using Scientific Linux, which is a whitebox Redhat Enterprise distro, and a few true-red Redhat Enterprise servers as well. We're running mixed versions of RHEL: RHEL 4.3 (due to older hardware incompatibility) and RHEL 5.0.

We have a policy in place for keeping our AIX TL versions up to date. Typically we have standardized at a given RHEL version for the lifetime of the hardware.
And then possibly moving up to the new/latest RHEL version when replacement time comes around for lots of servers.

I'm looking for advice on if upgrading servers to newer RHEL versions sooner is a good idea or not. That is, going from RHEL 5.0 to 5.1 or RHEL 5.0 to 5.3. Or if I should leave well enough alone.

--
Stephen L Johnson

From jim.ankenbrandt@gmail.com Fri Feb 6 12:03:37 2009
From: Jim Ankenbrandt
To: Stephen L Johnson
Cc: sage-members@usenix.org, LOPSA Technical Discussions
Date: Fri, 6 Feb 2009 15:03:33 -0500
In-Reply-To: <1233945439.11697.53.camel@rodan.monsters.org>
References: <1233945439.11697.53.camel@rodan.monsters.org>
Subject: Re: [SAGE] Enterprise Linux Update/Upgrade advice

Here at the bank I work for we tend to leave well enough alone. But we have kind of a complex environment: Oracle 10g with Hitachi SAN backend. The Hitachi certification process kind of forces us to avoid updating the kernel. It can take 6 months or more to certify a new kernel. We will patch sub-systems (vsftp, LDAP, etc.) if necessary, but jumping releases tends to be more trouble than it is worth. Given satisfying Oracle and Hitachi requirements.

When I supported Internet facing web servers we patched on a nightly basis.

On Fri, Feb 6, 2009 at 1:37 PM, Stephen L Johnson wrote:
> I'm in a mixed IBM AIX and Intel Linux shop (as well as Windows and
> Mainframe). I deal mostly with the Linux systems. We're using
> Scientific Linux which is a whitebox Redhat Enterprise distro and a few
> true-red Redhat Enterprise servers as well. We're running mixed versions
> of RHEL. RHEL 4.3 (due to older hardware incompatibility) and RHEL 5.0.
>
> We have a policy in place for keeping our AIX TL versions up to date.
> Typically we have standardized at a given RHEL version for the lifetime
> of the hardware. And then possibly moving up to new/latest RHEL version
> when replacement time comes around for lots of servers.
>
> I'm looking for advice on if upgrading servers to newer RHEL versions
> sooner is a good idea or not. That is going from RHEL 5.0 to 5.1 or RHEL
> 5.0 to 5.3. Or if I should leave well enough alone.
>
> --
> Stephen L Johnson
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

From jjasen@realityfailure.org Fri Feb 6 13:01:47 2009
From: John Jasen
To: Stephen L Johnson
Cc: sage-members@usenix.org, 'LOPSA Technical Discussions'
Date: Fri, 06 Feb 2009 15:52:32 -0500
Message-ID: <498CA310.8050402@realityfailure.org>
In-Reply-To: <1233945439.11697.53.camel@rodan.monsters.org>
References: <1233945439.11697.53.camel@rodan.monsters.org>
Subject: Re: [SAGE] Enterprise Linux Update/Upgrade advice

Stephen L Johnson wrote:
> We have a policy in place for keeping our AIX TL versions up to date.
> Typically we have standardized at a given RHEL version for the lifetime
> of the hardware. And then possibly moving up to new/latest RHEL version
> when replacement time comes around for lots of servers.
>
> I'm looking for advice on if upgrading servers to newer RHEL versions
> sooner is a good idea or not. That is going from RHEL 5.0 to 5.1 or RHEL
> 5.0 to 5.3. Or if I should leave well enough alone.

4.3 should be RHEL 4, Update 3, and 5.1 should be RHEL 5, Update 1.

You, unless you have special requirements (like EMC only certifying something on RHEL 4.6, or you have custom stuff that needs kernel x.y.z, glibc a.b.c, and Xorg c.q.z), should be able to upgrade from RHEL 4 to RHEL 4.x with minimal issues, and also from RHEL 5 to 5.x.

Just like with every vendor, especially the more you customize, you occasionally get a really fun patch that has unexpected results ...

--
-- John E. Jasen (jjasen@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring

From cfairman@stanford.edu Fri Feb 6 13:28:48 2009
From: Carolyn Fairman
To: sage-members@usenix.org
Date: Fri, 6 Feb 2009 13:28:44 -0800
Message-Id: <3029AA69-8E90-408C-859E-F7E444EEFCF5@stanford.edu>
Subject: [SAGE] network print server replacement for HP 4250

We have an HP 4250 print server device supporting around 10 networked printers for about 130 users. I think it's a lovely device -- it does exactly what we need easily and quietly -- but HP set its EOL for April. HP recommends replacing it with a ProLiant DL100 G2 Storage Server, which is serious overkill.
We already have a SAN and various file server setups. We're a mostly linux server group, and I'm fine picking a server to be our print server and getting that all going. The print server was a nice handy box though. What do most folks do for a networked print server?

Carolyn

From dbronder@fire.its.uiowa.edu Fri Feb 6 13:42:02 2009
From: David Bronder
Organization: ITS-SPA, University of Iowa
To: sjohnson@monsters.org (Stephen L Johnson)
Cc: sage-members@usenix.org, 'LOPSA Technical Discussions'
Date: Fri, 6 Feb 2009 15:17:20 -0600 (CST)
Message-Id: <200902062117.n16LHKeK050694@fire.its.uiowa.edu>
In-Reply-To: <1233945439.11697.53.camel@rodan.monsters.org> from "Stephen L Johnson" at Feb 06, 2009 12:37:19 PM
Subject: Re: [SAGE] [lopsa-tech] Enterprise Linux Update/Upgrade advice
Stephen L Johnson wrote:
>
> I'm looking for advice on if upgrading servers to newer RHEL versions
> sooner is a good idea or not. That is going from RHEL 5.0 to 5.1 or RHEL
> 5.0 to 5.3. Or if I should leave well enough alone.

Note that package updates for RHEL, whether security or bugfixes, are handled differently than how IBM maintains AIX Technology Levels. IBM TL's are multi-forked trees of fileset releases, so a security or bug fix can result in updated filesets for several TL's. Red Hat updates are linear within a major release (RHEL4, RHEL5), so if you're running RHEL 5.2, any patches are just steps along the way to RHEL 5.3. A notable exception is kernel RPMs, which can get multiple releases at different update levels (sometimes, anyway).

--
Hello World.                          David Bronder - Systems Admin
Segmentation Fault                          ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.
david-bronder@uiowa.edu

From brontolinux@gmail.com Fri Feb 6 14:06:45 2009
From: Marco Marongiu
To: sage-members@sage.org
Date: Fri, 6 Feb 2009 18:35:44 +0100
Message-ID: <8d727bb0902060935xcec3b87w7570e525c327b213@mail.gmail.com>
Subject: [SAGE] DNS TTL question

Hello there

We are designing a service migration from one data center with a given addressing to another one with a different addressing.

Eventually, we'll shorten the TTLs of the DNS records for the involved domains a few days before the migration, so that when we finally change the DNS records, the new information will spread quickly.

Here are the questions:

* is 10 minutes a reasonable TTL? Are values under 10 minutes reasonable, as well?
* do you know if the major DNS servers out there (BIND, M$...) are fully compliant in respect of TTL or, say, M$'s DNS tries doing something "smart" caching records longer than TTL requires?
Thanks in advance

Ciao
--Marco

From yesthattom@gmail.com Fri Feb 6 16:00:46 2009
From: Tom Limoncelli
To: Marco Marongiu
Cc: sage-members@sage.org
Date: Fri, 6 Feb 2009 17:51:13 -0500
In-Reply-To: <8d727bb0902060935xcec3b87w7570e525c327b213@mail.gmail.com>
References: <8d727bb0902060935xcec3b87w7570e525c327b213@mail.gmail.com>
Subject: Re: [SAGE] DNS TTL question

On Fri, Feb 6, 2009 at 12:35 PM, Marco Marongiu wrote:
> Hello there
>
> We are designing a service migration from one data center with a given
> addressing to another one with a different addressing.
>
> Eventually, we'll shorten the TTLs of the DNS records for the involved
> domains a few days before the migration, so that when we finally
> change the DNS records, the new information will spread quickly.
>
> Here are the questions:
>
> * is 10 minutes a reasonable TTL? Are values under 10 minutes
> reasonable, as well?

If I remember from Cricket's book, you generally want to set it to 1/2 the outage time. So, if you are going to be putting them into a truck and driving the machines to a new location, and expect the trip to take 4 hours, set the TTL to 2 hours.

...but I'm lazy and just use 10 minutes...

> * do you know if the major DNS servers out there (BIND, M$...) are
> fully compliant in respect of TTL or, say, M$'s DNS tries doing
> something "smart" caching records longer than TTL requires?

Browsers and operating systems do different things. Some software abides by the TTL, but most uses a DNS library that doesn't return the TTL as part of the API so they have to assume the address is good forever.

Google seems to think that 300 seconds is fine:

$ while true ; do host -a www.l.google.com. | grep ^www.l.goog ; done \
    | head -1000 | awk '{ print $2 }' | sort -n -u | tail -3
298
299
300

Tom

From ncarling@gmail.com Fri Feb 6 16:32:45 2009
From: Nat Carling
To: Marco Marongiu
Cc: sage-members@sage.org
Date: Fri, 06 Feb 2009 18:26:23 -0600
Message-ID: <498CD52F.4020706@gmail.com>
Subject: Re: [SAGE] DNS TTL question

Ages ago, the big providers (particularly AOL) used to do this, but I haven't had this problem in years. Anyone else?

-------- Original Message --------
Subject: [SAGE] DNS TTL question
From: Marco Marongiu
To: sage-members@sage.org
Date: 2/6/2009 11:35 AM
> Hello there
>
> We are designing a service migration from one data center with a given
> addressing to another one with a different addressing.
>
> Eventually, we'll shorten the TTLs of the DNS records for the involved
> domains a few days before the migration, so that when we finally
> change the DNS records, the new information will spread quickly.
>
> Here are the questions:
>
> * is 10 minutes a reasonable TTL? Are values under 10 minutes
> reasonable, as well?
> * do you know if the major DNS servers out there (BIND, M$...) are
> fully compliant in respect of TTL or, say, M$'s DNS tries doing
> something "smart" caching records longer than TTL requires?
>
> Thanks in advance
>
> Ciao
> --Marco

From ncarling@gmail.com Fri Feb 6 16:34:03 2009
From: Nat Carling
To: Marco Marongiu
Cc: sage-members@sage.org
Date: Fri, 06 Feb 2009 18:33:55 -0600
Message-ID: <498CD6F3.4040801@gmail.com>
Subject: Re: [SAGE] DNS TTL question

Sorry - to be clear, I was only addressing the second question.

The first question depends heavily upon your situation. A higher TTL means, in effect, less traffic to your DNS server, since each client will trust the answers you give it for longer. A higher TTL *also* means that it takes longer for the internet to get wind of DNS changes you make. So it's a balancing act.

Questions to consider:
- Are you anticipating a high volume of requests?
- Are you going to change your records frequently?
- When you make changes, how long are you willing to wait for the internet's idea of your zones to converge with the data on your DNS servers?

Assuming you don't make changes every day, a number of sites employ the following sort of strategy:

1. Set minimum ttl to one day
2. One day in advance of an anticipated change, reduce TTL (to whatever minimum time you can tolerate for convergence (see above))
3. Make change
4. Increase TTL to one day again

If your changes aren't typically anticipated, this won't work.
When you reduce the TTL, you'll want to keep it as high as you can tolerate if you're a high-volume site, since a lower TTL implies more load on the DNS infrastructure.

Personally (and I'm a low volume site that only generally does planned changes, and relatively infrequently), my plan is:
- Min TTL of 1 day
- Reduce to 5 min when a change is planned (in most DNS servers, you can do this on a per-record or per-zone basis if necessary).

Good luck!

Nat Carling

-------- Original Message --------
Subject: [SAGE] DNS TTL question
From: Marco Marongiu
To: sage-members@sage.org
Date: 2/6/2009 11:35 AM
> Hello there
>
> We are designing a service migration from one data center with a given
> addressing to another one with a different addressing.
>
> Eventually, we'll shorten the TTLs of the DNS records for the involved
> domains a few days before the migration, so that when we finally
> change the DNS records, the new information will spread quickly.
>
> Here are the questions:
>
> * is 10 minutes a reasonable TTL? Are values under 10 minutes
> reasonable, as well?
> * do you know if the major DNS servers out there (BIND, M$...) are
> fully compliant in respect of TTL or, say, M$'s DNS tries doing
> something "smart" caching records longer than TTL requires?
>
> Thanks in advance
>
> Ciao
> --Marco

From dmagda@ee.ryerson.ca Fri Feb 6 17:26:28 2009
From: David Magda
To: Carolyn Fairman
Cc: sage-members@usenix.org
Date: Fri, 6 Feb 2009 20:03:56 -0500
Message-Id: <3140B95F-4F34-4B7C-82D1-9E22ED45027B@ee.ryerson.ca>
In-Reply-To: <3029AA69-8E90-408C-859E-F7E444EEFCF5@stanford.edu>
References: <3029AA69-8E90-408C-859E-F7E444EEFCF5@stanford.edu>
Subject: Re: [SAGE] network print server replacement for HP 4250

On Feb 6, 2009, at 16:28, Carolyn Fairman wrote:
> We're a mostly linux server group, and I'm fine picking a server to
> be our print server and getting that all going. The print server
> was a nice handy box though. What do most folks do for a networked
> print server?

I'm currently at a shop where it's Windows print servers (which works fine with my Linux workstation), but in a previous life we had a 1U FreeBSD system running LPRng; probably use CUPS nowadays. It also served as the DHCP server. Neither function was / is a heavy-weight task given CPUs nowadays so it was just a Pentium 3 at the time.

The other option would be to use the printers' network interface directly if they have one. That's what I'm doing at home.

Do you have any light-weight systems lying about not doing much else? Once set up, you'll probably never have to touch it again.

As a side note, I generally always try to purchase printers that support PostScript as well (even at home). It's not as expensive as it used to be, and it generally eliminates driver issues.
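Returning to the DNS TTL thread above: Nat Carling's lower-then-raise procedure and Tom Limoncelli's half-the-outage rule of thumb reduce to a little arithmetic on the zone's current TTLs, and getting that arithmetic wrong (lowering too late) is the usual way a planned cutover leaves clients on stale addresses. The script below is an added example written for this archive; it is not code from any list participant. The zone records in the dig-style answer section, the cutover time and the function names are all constructed assumptions.

```python
"""TTL change planner for a DNS cutover.

Added example for the DNS TTL thread; not code from any list participant.
Record names, TTLs and the cutover time are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed dig-style answer section for the zone before the migration:
# a 3-day TTL on the web name, a 5-minute TTL on its target, 1 day on mail.
SAMPLE_ANSWER_SECTION = """\
;; ANSWER SECTION:
www.example.com.        259200  IN      CNAME   lb.example.net.
lb.example.net.         300     IN      A       192.0.2.10
mail.example.com.       86400   IN      A       192.0.2.25
"""

# Constructed cutover time and a deliberately late TTL lowering (1 hour before).
CUTOVER = datetime(2009, 2, 14, 12, 0, tzinfo=timezone.utc)
LATE_LOWERING = CUTOVER - timedelta(hours=1)


def parse_answer_section(text):
    """Return {owner_name: ttl_seconds} from 'name TTL IN TYPE rdata' lines.

    ';;' comment lines and blanks are skipped. If a name appears more than
    once (an RRset), the largest TTL is kept: that is the worst case for a
    resolver still holding the old answer.
    """
    ttls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl = parts[0], int(parts[1])
        ttls[name] = max(ttl, ttls.get(name, 0))
    return ttls


def lowering_deadline(ttls, cutover):
    """Latest moment to lower the TTLs (step 2 of the procedure) so that every
    cache which fetched the old, long-TTL answer has expired it by the cutover."""
    return cutover - timedelta(seconds=max(ttls.values()))


def stale_window(ttls, lowered_at, cutover):
    """Worst-case time after the cutover during which some TTL-honouring cache
    may still serve the old answer, given the TTLs were lowered at lowered_at.
    timedelta(0) means the lowering happened early enough."""
    worst = timedelta(0)
    for ttl in ttls.values():
        last_old_answer_expires = lowered_at + timedelta(seconds=ttl)
        if last_old_answer_expires > cutover:
            worst = max(worst, last_old_answer_expires - cutover)
    return worst


def outage_ttl(outage_seconds):
    """Rule of thumb quoted in the thread: TTL of half the expected outage."""
    return outage_seconds // 2


def plan_ttl_change(ttls, cutover, low_ttl=300):
    """Timeline for lower / change / raise.

    The TTL goes back up only after one low_ttl has passed since the cutover:
    by then every compliant cache has refreshed, and a rollback inside that
    window would have propagated just as fast as the change itself.
    """
    return {
        "lower_ttls_by": lowering_deadline(ttls, cutover),
        "change_records_at": cutover,
        "restore_ttls_after": cutover + timedelta(seconds=low_ttl),
    }


if __name__ == "__main__":
    ttls = parse_answer_section(SAMPLE_ANSWER_SECTION)
    for step, when in plan_ttl_change(ttls, CUTOVER).items():
        print(f"{step:20s} {when:%Y-%m-%d %H:%M %Z}")
    print("stale window if lowered only 1h before cutover:",
          stale_window(ttls, LATE_LOWERING, CUTOVER))
```

Run stand-alone it prints the three dates for the sample zone and then the consequence of lowering too late: with a 3-day TTL still in force an hour before the cutover, some caches can legitimately hold the old address for almost three days afterwards. The check to add to a change ticket is the one in stale_window: it should return zero for the lowering time you actually scheduled.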
From jco@direwolf.com Sat Feb 7 05:45:30 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n17DjUFY041952 for ; Sat, 7 Feb 2009 05:45:30 -0800 (PST) (envelope-from jco@direwolf.com) Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.29]) by usenix.org (8.13.6/8.13.6) with ESMTP id n17DjQ9M016683 for ; Sat, 7 Feb 2009 05:45:29 -0800 (PST) Received: by yx-out-2324.google.com with SMTP id 31so474678yxl.29 for ; Sat, 07 Feb 2009 05:45:26 -0800 (PST) Received: by 10.100.105.9 with SMTP id d9mr1743498anc.142.1234012998348; Sat, 07 Feb 2009 05:23:18 -0800 (PST) Received: from Willow.Direwolf.com (pool-96-233-103-174.bstnma.fios.verizon.net [96.233.103.174]) by mx.google.com with ESMTPS id d38sm6419235and.49.2009.02.07.05.23.16 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 07 Feb 2009 05:23:17 -0800 (PST) Message-Id: <328105FA-1812-4479-A8DD-D5F9D12527BC@direwolf.com> From: John Orthoefer To: Marco Marongiu In-Reply-To: <8d727bb0902060935xcec3b87w7570e525c327b213@mail.gmail.com> Mime-Version: 1.0 (Apple Message framework v930.3) Date: Sat, 7 Feb 2009 08:23:16 -0500 References: <8d727bb0902060935xcec3b87w7570e525c327b213@mail.gmail.com> X-Mailer: Apple Mail (2.930.3) X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=8% Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.11 Cc: sage-members@sage.org Subject: Re: [SAGE] DNS TTL question X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Feb 2009 13:45:31 -0000 The only TTL value that is bad, is zero. 
When I was at Genuity we had Cisco Distributed Director (which tried to give you the "closest" active server, where "closest" had a lot of different metrics). At any rate, by default it gave out TTLs of zero, meaning don't cache. But it seems different servers had different ideas about what a TTL of zero means (worst was Microsoft's DNS server, which apparently thought zero meant don't give this out, as this answer is expired). However, 1 was fine. It would pass the answer to the client and then promptly forget the answer. As I recall some brand of DNS server also thought zero means NEVER expire.

Most DNS caches have a way to set minimum/maximum TTLs, and there is nothing you can do about that. You are telling them how long to cache the answer with the TTL, and if people/servers don't listen there's really nothing you can do about it.

To echo what others are saying, I typically set the TTL down to 300/600 when I want things to expire fast. Just remember to do it well ahead of time: if your TTL is set to 3 days and you set it down to 600s an hour before the move, you still have people who have 71 hours left on the old records.

A good example is www.microsoft.com, which uses Akamai, which uses something akin to Cisco DD to direct you to the nearest cache:

    ;; ANSWER SECTION:
    www.microsoft.com.         3600  IN  CNAME  toggle.www.ms.akadns.net.
    toggle.www.ms.akadns.net.  300   IN  CNAME  g.www.ms.akadns.net.
    g.www.ms.akadns.net.       300   IN  CNAME  lb1.www.ms.akadns.net.
    lb1.www.ms.akadns.net.     300   IN  A      65.55.21.250

My advice: use 300/600.

johno

On Feb 6, 2009, at 12:35 PM, Marco Marongiu wrote:
> Hello there
>
> We are designing a service migration from one data center with a given
> addressing to another one with a different addressing.
>
> Eventually, we'll shorten the TTLs of the DNS records for the involved
> domains a few days before the migration, so that when we finally
> change the DNS records, the new information will spread quickly.
>
> Here are the questions:
>
> * is 10 minutes a reasonable TTL? Are values under 10 minutes
>   reasonable, as well?
> * do you know if the major DNS servers out there (BIND, M$...) are
>   fully compliant in respect of TTL or, say, M$'s DNS tries doing
>   something "smart" caching records longer than TTL requires?
>
> Thanks in advance
>
> Ciao
> --Marco
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members

From: Matthew Pounsett <matt@conundrum.com>
To: SAGE mailing list
Date: Sat, 7 Feb 2009 11:16:55 -0500
Subject: Re: [SAGE] DNS TTL question
On Feb 6, 2009, at 12:35 PM, Marco Marongiu wrote:
> * is 10 minutes a reasonable TTL? Are values under 10 minutes
>   reasonable, as well?

Yes, that's quite reasonable. As someone else mentioned, the only truly bad TTL is 0. Five to ten minutes is a good value when you want things to expire quickly.

> * do you know if the major DNS servers out there (BIND, M$...) are
>   fully compliant in respect of TTL or, say, M$'s DNS tries doing
>   something "smart" caching records longer than TTL requires?

As noted, a TTL of 0 can have unpredictable effects. The other thing to keep in mind is that any DNS operator can set minimum or maximum TTLs on their recursive server, effectively ignoring your TTL if it falls outside that range. That sort of thing isn't extremely common, but it does happen, and there's nothing you can do about it... except be aware that someone might hold your cached data for too long.

In doing your migration, one important thing to consider which many people forget is how long before the migration you drop your TTL to the low value. Look at what the largest TTL in your zone is right now. Multiply that by two. Subtract that value from the date/time you plan to start your maintenance. That's when you should drop your TTL.

So, if your current TTL is 2 days, and you plan to start your maintenance on Saturday at noon, then you should drop your TTL to the low value (5 or 10 minutes) on Tuesday at noon. This is overkill, but ensures that anyone who has the old TTL cached has enough of an opportunity to pick up the new one.
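[Editor's note: the following is an added worked example, not code from Matt or anyone else in this thread. It applies Matt's "largest TTL, times two, before the maintenance window" rule and johno's 71-hour warning from earlier in the thread; the dig output it parses is the www.microsoft.com answer section johno quoted, the maintenance date is Matt's Saturday-noon example, and the resolver floor/ceiling values are constructed.]

```python
"""Planning a TTL reduction ahead of a DNS migration.

Added example (not from the thread): implements Matt's rule of thumb,
"largest TTL in the zone, times two, before the maintenance window",
johno's warning about lowering the TTL too late, and Matt's caveat that
a recursive server may clamp your TTL to its own limits.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Union


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int      # seconds
    rtype: str
    rdata: str


def parse_answer_section(text: str) -> List[Record]:
    """Parse records in dig's presentation format: NAME TTL CLASS TYPE RDATA.

    Comment lines (';; ANSWER SECTION:') and blank lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"not a resource record: {line!r}")
        name, ttl, _rclass, rtype = fields[:4]
        records.append(Record(name, int(ttl), rtype, " ".join(fields[4:])))
    return records


def largest_ttl(records: List[Record]) -> int:
    """The TTL that bounds how long stale data can live in caches.

    Each link of a CNAME chain is cached separately, so the chain is only
    as fresh as its slowest link: a 3600s CNAME in front of 300s records
    means the whole answer can be stale for up to an hour.
    """
    return max(r.ttl for r in records)


def ttl_drop_deadline(maintenance_start: Union[datetime, str], old_ttl: int) -> datetime:
    """Matt's rule: lower the TTL at least 2 * old_ttl before maintenance.

    One old_ttl for the last resolver that cached the old value to expire it,
    and a second old_ttl of margin. Accepts a datetime or an ISO 8601 string.
    """
    if isinstance(maintenance_start, str):
        maintenance_start = datetime.fromisoformat(maintenance_start)
    return maintenance_start - timedelta(seconds=2 * old_ttl)


def worst_case_stale(old_ttl: int, lead_time: int) -> int:
    """johno's warning: if the TTL was old_ttl and you lowered it only
    lead_time seconds before the cut-over, a resolver that fetched the record
    just before the change may keep serving the old data for this many
    seconds after the move."""
    return max(0, old_ttl - lead_time)


def effective_ttl(ttl: int, resolver_min: int = 0, resolver_max: int = 86400) -> int:
    """Matt's caveat: a recursive server may clamp the TTL it honours to its
    own floor and ceiling (constructed values here), so a 5-minute TTL can
    still be held for an hour at such a resolver. Nothing upstream can fix it."""
    return min(max(ttl, resolver_min), resolver_max)


# Answer section for www.microsoft.com as quoted by johno in this thread.
SAMPLE_ANSWER = """
;; ANSWER SECTION:
www.microsoft.com.        3600 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net.  300 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net.       300 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.     300 IN A     65.55.21.250
"""

if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE_ANSWER)
    print(f"{len(recs)} records, largest TTL {largest_ttl(recs)}s")

    # Matt's example: 2-day TTL, maintenance Saturday noon -> drop Tuesday noon.
    print("drop TTL by:", ttl_drop_deadline("2009-02-14T12:00", 2 * 86400))

    # johno's example: 3-day TTL lowered one hour before the move.
    print("hours of stale data after the move:",
          worst_case_stale(3 * 86400, 3600) // 3600)

    # A resolver with a 1-hour floor ignores a 5-minute TTL.
    print("5-minute TTL at a resolver with a 3600s floor:",
          effective_ttl(300, resolver_min=3600))
```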
Cheers,
Matt

From: "Edward Ned Harvey" <lopsa@nedharvey.com>
To: "Stephen L Johnson", "LOPSA Technical Discussions"
Cc: sage-members@usenix.org
Date: Sat, 7 Feb 2009 14:43:23 -0500
Subject: Re: [SAGE] [lopsa-tech] Enterprise Linux Update/Upgrade advice

> I'm looking for advice on if upgrading servers to newer RHEL versions
> sooner is a good idea or not. That is going from RHEL 5.0 to 5.1 or
> RHEL 5.0 to 5.3. Or if I should leave well enough alone.

This totally depends on what your systems are used for. If you are running services that face the web, then heck yes, you better keep up to date for security reasons. I'm guessing that's not the case.

If the primary use is for users to run specific tools (such as my users, who are mostly Cadence & Synopsys users), you better do whatever the tool manufacturer recommends.

If you just sort of say to your users, "Here's a bunch of machines, go nuts!", then it doesn't really matter too much - you might as well do updates sometimes, so people get new features.
From: Patrick Salsbury <salsbury@sculptors.com>
To: Matthew Pounsett
Cc: SAGE mailing list
Date: Mon, 09 Feb 2009 12:00:37 -0800
Subject: Re: [SAGE] DNS TTL question

Matthew Pounsett wrote:
> As noted, a TTL of 0 can have unpredictable effects. The other thing
> to keep in mind is that any DNS operator can set minimum or maximum
> TTLs on their recursive server, effectively ignoring your TTL if it
> falls outside that range. That sort of thing isn't extremely common,
> but it does happen, and there's nothing you can do about it... except
> be aware that someone might hold your cached data for too long.

And keep in mind that when this happens, it is, by definition, THEIR problem, not your problem. :-)

Pat

From: Jason Antman <jason@jasonantman.com>
To: SAGE-members@usenix.org
Date: Tue, 10 Feb 2009 00:41:21 -0500
Subject: Re: [SAGE] network print server replacement for HP 4250

Here at $university, we're running 3 print servers which support 900 user stations and an additional +/- 100 wireless users and 61 printers. As far as I remember (haven't seen the boxes in ages) they're first- or second-generation Sun x86 hardware, and handle the load perfectly (and that's running a proprietary Windows app on Server 2003).

If *I* were to have designed the system (and especially for something like your installation, relatively small by our standards) I'd have gone with a Linux box running CUPS. Seems like a perfect use for some hardware that's too old to run the critical apps, but still has life in it (the ProLiants will run for, literally, decades).

-J Antman

Carolyn Fairman wrote:
> We have an HP 4250 print server device supporting around 10 networked
> printers for about 130 users.
>
> I think it's a lovely device -- it does exactly what we need easily
> and quietly -- but HP set its EOL for April. HP recommends replacing
> it with a ProLiant DL100 G2 Storage Server, which is serious
> overkill. We already have a SAN and various file server setups.
>
> We're a mostly linux server group, and I'm fine picking a server to be
> our print server and getting that all going. The print server was a
> nice handy box though. What do most folks do for a networked print
> server?
>
> Carolyn

From: "Bear Golightly"
Date: Wed, 11 Feb 2009 13:12:50 -0600
Subject: Re: [SAGE] DNS TTL question
Regarding TTL and whether it's widely honored, I have been using Linkproof devices from Radware at various $workplaces since about 2001. We have two blocks of IP space from two different providers, and each device has two IP addresses externally, with the DNS record delegated to the Linkproof device, which replies with a single IP address to each A-record query. The Linkproof chooses one path or the other and plays TTL games (ex: www.company.com TTL = 2 seconds) to allow fairly instant failover from one provider to another.

As far as we know, we've never really had any issues with customers or remote workers with respect to intermediary DNS servers caching for longer than the TTL says to. As well, I've used the same strategy you're employing to move hundreds of domains in just a few hours with nary a hitch.

HTH,

Bear Golightly
Network Manager
Nashville Wraps
615-338-3180

-----Original Message-----
From: sage-members-bounces@mailman.sage.org [mailto:sage-members-bounces@mailman.sage.org] On Behalf Of Marco Marongiu
Sent: Friday, February 06, 2009 11:36 AM
To: sage-members@sage.org
Subject: [SAGE] DNS TTL question

Hello there

We are designing a service migration from one data center with a given addressing to another one with a different addressing.

Eventually, we'll shorten the TTLs of the DNS records for the involved domains a few days before the migration, so that when we finally change the DNS records, the new information will spread quickly.

Here are the questions:

* is 10 minutes a reasonable TTL? Are values under 10 minutes reasonable, as well?
* do you know if the major DNS servers out there (BIND, M$...) are fully compliant in respect of TTL or, say, M$'s DNS tries doing something "smart" caching records longer than TTL requires?

Thanks in advance

Ciao
--Marco

From: Dan Stoner <danstoner@gmail.com>
To: sage-members@usenix.org
Date: Thu, 12 Feb 2009 13:00:18 -0500
Subject: Re: [SAGE] network print server replacement for HP 4250

> The other option would be to use the printers' network interface directly if
> they have one. That's what I'm doing at home.

+1

mantra: All printers are to be network-attached.

> As a side note, I generally always try to purchase printers that support
> PostScript as well (even at home). It's not as expensive as it used to be, and
> it generally eliminates driver issues.

+1

- Dan Stoner

From: Rodrick Brown <rodrick.brown@gmail.com>
To: SAGE mailing list
Date: Fri, 13 Feb 2009 21:01:07 -0500
Subject: [SAGE] Happy 1234567890 UNIX People!!

--
[ Rodrick R. Brown ]
http://www.rodrickbrown.com
http://www.linkedin.com/in/rodrickbrown

From: "Philip J. Hollenback" <philiph@pobox.com>
To: SAGE Members
Date: Fri, 13 Feb 2009 22:54:50 -0800
Subject: [SAGE] Secure and simple remote mail access?

I've got two CentOS machines set up at a site. One is directly connected to the dsl router and serves as the gateway/firewall for the site. Behind that is a server that acts as the gateway/firewall to the inside network. So basically this is a traditional DMZ configuration (although there are no longer any other machines in the DMZ).

The inside server is the internal mail server, using dovecot for pop and imap. It also does imap to the external gateway/firewall machine to run squirrelmail. That way users can access their work mail from home via the squirrelmail web interface on the outside machine.

Now a number of users are dissatisfied with squirrelmail and would like to use some other mechanism to access their mail remotely. I've looked at other webmail interfaces and some of them have some fancy features, but nothing looks compellingly better than squirrelmail.

Thus I'm interested in setting up something else, like direct access to secure imap from the outside. The simplest way to do this seems to be to adjust the outside machine firewall to NAT imaps connections to the inside machine. And of course I would need to allow secure sendmail from the outside too so users could send mail.
So my question is, does anyone have any ideas on a better way to do this? I don't particularly want to open a hole directly to the inside machine for imaps, but at the same time I don't want to force users to do anything complicated like set up ssh tunnels. Most of these users aren't terribly sophisticated, so setting up thunderbird for a direct connection would probably be the best and simplest way to go.

Thanks,
P.

--
Philip J. Hollenback
philiph@pobox.com

From: "Philip J. Hollenback" <philiph@pobox.com>
To: SAGE Members
Date: Sat, 14 Feb 2009 00:21:49 -0800
Subject: Re: [SAGE] Secure and simple remote mail access?

On Feb 13, 2009, at 10:54 PM, Philip J. Hollenback wrote:
> Thus I'm interested in setting up something else, like direct access
> to secure imap from the outside. The simplest way to do this seems
> to be to adjust the outside machine firewall to NAT imaps
> connections to the inside machine. And of course I would need to
> allow secure sendmail from the outside too so users could send mail.

Someone already replied to me off-list and pointed me to Perdition, which seems to be exactly what I need to use for proxying the imaps connections to the inside machine.

Thanks as always to the amazing concentration of knowledge that is SAGE.

P.

--
Philip J. Hollenback
philiph@pobox.com

From: Doug Hughes <doug@will.to>
To: "Philip J. Hollenback"
Cc: SAGE Members
Date: Sat, 14 Feb 2009 12:14:25 -0500
Subject: Re: [SAGE] Secure and simple remote mail access?

Philip J. Hollenback wrote:
> I've got two CentOS machines set up at a site. One is directly
> connected to the dsl router and serves as the gateway/firewall for the
> site. Behind that is a server that acts as the gateway/firewall to
> the inside network. So basically this is a traditional DMZ
> configuration (although there are no longer any other machines in the DMZ).
>
> The inside server is the internal mail server using dovecot for pop
> and imap. It also does imap to the external gateway/firewall machine
> to run squirrelmail. That way users can access their work mail from
> home via the squirrelmail web interface on the outside machine.
>
> Now a number of users are dissatisfied with squirrelmail and would
> like to use some other mechanism to access their mail remotely. I've
> looked at other webmail interfaces and some of them have some fancy
> features but nothing looks compellingly better than squirrelmail.
>
> Thus I'm interested in setting up something else, like direct access
> to secure imap from the outside. The simplest way to do this seems to
> be to adjust the outside machine firewall to NAT imaps connections to
> the inside machine. And of course I would need to allow secure
> sendmail from the outside too so users could send mail.
>
> So my question is, does anyone have any ideas on a better way to do
> this? I don't particularly want to open a hole directly to the inside
> machine for imaps but at the same time I don't want to force users to
> do anything complicated like set up ssh tunnels. Most of these users
> aren't terribly sophisticated so setting up thunderbird for a direct
> connection would probably be the best and simplest way to go.

I see that you've already found a solution, but I'll present another possibility. You could just turn on pop/ssl and imap/ssl. Pretty much all modern clients can support it, and you can get a real certificate on your server for trust. It's also easy to set up a proxy (e.g. stunnel) to accept ssl/imap and ssl/pop at your firewall and proxy them to your internal server in clear text if you want to keep the internal one unchanged. Or you can use something like socat as a forwarding service so the entire ssl connection is kept intact through to your server.
From jason@jasonantman.com Sat Feb 14 21:10:18 2009
From: Jason Antman
To: sage-members@sage.org
Date: Sat, 14 Feb 2009 23:09:22 -0500
Message-ID: <49979572.10409@jasonantman.com>
Subject: Re: [SAGE] Happy 1234567890 UNIX People!!

I was going to plan a party, but had other commitments...

Rodrick Brown wrote:

From anne@usenix.org Tue Feb 17 09:41:42 2009
From: Anne Dickison
To: sage-members@sage.org
Date: Tue, 17 Feb 2009 09:41:40 -0800
Message-Id: <1C6A81EE-766C-45E9-B853-23FA2A7B5266@usenix.org>
Subject: [SAGE] USENIX and SAGE will be exhibiting at SCALE 7x

USENIX and SAGE will be exhibiting at SCALE 7x. SCALE is an annual open-source technical, business, and users conference. It will feature tutorial sessions as well as over 60 expo booths and BoFs. The expo will take place February 20-22, 2009, at the Westin Los Angeles Airport.

Find out more here: http://scale7x.socallinuxexpo.org/

Attending SCALE?
Enter the code USNX for 40% off registration, and please stop by booth #66 to say hello!

From john@stoffel.org Tue Feb 17 13:46:55 2009
From: "John Stoffel"
To: sage-members@sage.org
Date: Tue, 17 Feb 2009 16:28:30 -0500
Message-ID: <18843.11262.992991.139287@stoffel.org>
Subject: [SAGE] Netapp to ZFS migration experience?

Hi all,

Has anyone done a migration from a mostly NFS based Netapp setup to one with the new Sun ZFS solution on the 7x00 series arrays? We're thinking about doing this at $WORK due to the *large* cost savings.

We're looking at around 200Tb of disk spread across four to five sites, with reliability and performance the two main drivers. We do have some iSCSI and some CIFS volumes, but not large numbers; mostly we're NFS for compute clusters, home dirs, etc. We generally just export one *large* NFS mount point at each site for all data. It makes life simpler so we don't have to shuffle data/volumes around.

Pros:
- Money
- no more 16Tb volume/aggregate limit, volumes can be insanely big. Or flexible, depending on your viewpoint.
- multiple levels of ZFS volumes to help segregate data chunks, while still allowing me the ability to resize volumes dynamically on the fly.

Cons:
- no per-user/qtree/volume quota reports
- Unknown reliability of Sun solution
- Unknown performance of volume replication across WAN (NetApp SnapVault sucks across WAN, known Con :-)
- NDMP support not tested with CommVault for backups.

We do have a couple of NetApp clusters, but the boxes are so reliable, it's not a big deal to NOT have them with the Sun ZFS setup.

I guess I really just need to download the Sun Storage Simulator and just play with it and see how it works.

Thanks for any feedback.
John

From ntwrkd@gmail.com Tue Feb 17 21:55:37 2009
From: ntwrkd
To: SAGE
Date: Tue, 17 Feb 2009 21:55:33 -0800
Subject: [SAGE] Using GCJ

I'm curious to know, has anyone out there had any success running GCJ as their JVM for, well, anything? I've tried it for both client and server applications and had nothing but problems.

From rodrick.brown@gmail.com Tue Feb 17 22:45:16 2009
From: Rodrick Brown
To: ntwrkd
Cc: SAGE
Date: Wed, 18 Feb 2009 01:12:16 -0500
Subject: Re: [SAGE] Using GCJ

It still has a long way to go before it's production ready; use Sun JDK :)

On Wed, Feb 18, 2009 at 12:55 AM, ntwrkd wrote:
> I'm curious to know, has anyone out there had any success running GCJ
> as their JVM for, well, anything?
> I've tried it for both client and server applications and had nothing
> but problems.
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members

--
[ Rodrick R. Brown ]
http://www.rodrickbrown.com
http://www.linkedin.com/in/rodrickbrown

From djmitche@gmail.com Wed Feb 18 07:15:52 2009
From: "Dustin J. Mitchell"
To: ntwrkd
Cc: SAGE
Date: Wed, 18 Feb 2009 09:54:11 -0500
Message-ID: <42338fbf0902180654m8cfcd3bk4b58b7bc5a5427aa@mail.gmail.com>
Subject: Re: [SAGE] Using GCJ

On Wed, Feb 18, 2009 at 12:55 AM, ntwrkd wrote:
> I'm curious to know, has anyone out there had any success running GCJ
> as their JVM for, well, anything?

PyLucene is a gcj-compiled version of lucene with a Python interface. Pretty cool stuff, and while we did have a lot of trouble with it, that was due to bugs in pylucene, not the gcj implementation. Of course, ymmv :)

Dustin

--
Storage Software Engineer
http://www.zmanda.com

From dpuryear@puryear-it.com Wed Feb 18 20:54:07 2009
From: "Dustin Puryear"
Date: Wed, 18 Feb 2009 22:41:31 -0600
Message-ID: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local>
Subject: [SAGE] Backing up large number of small files..

This is for the backup admins here, although anyone can certainly chime in. :)

We are using Symantec Backup Exec 12.5 and backing up several servers, including one Windows 2003 server with a 600 GB directory structure that is several levels deep and, in total, has 170k+ files in it.

Backing up this particular directory structure is DOG SLOW.

I'm aware that this is pretty typical, but I'm wondering what we can do to speed this up.
Right now this job takes several hours, while a similar job for a server without this many files may take an hour. So, it's affecting our backup schedule.

Thoughts on an approach to help with this?

Some thoughts I have:

* I had considered doing a backup-to-disk then to tape to keep the tape unit free, but that doesn't help: We are still copying from disk to tape at some point.

* Breaking up the backup so that it doesn't interfere as badly with the schedule, but we still have the issue of the backup running very slow in total.

Other thoughts? Ideas?

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

From djmitche@gmail.com Wed Feb 18 21:09:30 2009
From: "Dustin J. Mitchell"
To: Dustin Puryear
Cc: sage-members@sage.org
Date: Thu, 19 Feb 2009 00:09:22 -0500
Message-ID: <42338fbf0902182109p67d3e846pc92aff6795637929@mail.gmail.com>
In-Reply-To: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local>
Subject: Re: [SAGE] Backing up large number of small files..

On Wed, Feb 18, 2009 at 11:41 PM, Dustin Puryear wrote:
> Other thoughts? Ideas?

Is it possible to use a different tool to back up that partition? Something like 'dump' that will just do a raw dump of the filesystem, rather than trying to traverse the directory tree?

A couple of hours doesn't sound too bad for a dump, and presumably once it's off the server it's pretty quick to go to tape -- I don't understand why your idea of staging it to disk before sending it to tape didn't help?
Dustin

--
Storage Software Engineer
http://www.zmanda.com

From kurt.buff@gmail.com Wed Feb 18 21:25:27 2009
From: Kurt Buff
To: Dustin Puryear
Cc: sage-members@sage.org
Date: Wed, 18 Feb 2009 21:25:21 -0800
In-Reply-To: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local>
Subject: Re: [SAGE] Backing up large number of small files..

Windows has a well-known problem when a directory has more than 10k files in it - I've experienced slowdowns with as few as 1k files. There are some optimization tricks to help, though.

First, if you can, reorg your directory structure to reduce the number of files per directory to under 1k per directory.

Then try this:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46656.mspx?mfr=true

and this:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/28231.mspx?mfr=true

On Wed, Feb 18, 2009 at 20:41, Dustin Puryear wrote:
> This is for the backup admins here, although anyone can certainly chime
> in. :)
>
> We are using Symantec Backup Exec 12.5 and backing up several servers,
> including one Windows 2003 server with a 600 GB directory structure that
> is several levels deep and, in total, has 170k+ files in it.
>
> Backing up this particular directory structure is DOG SLOW.
>
> I'm aware that this is pretty typical, but I'm wondering what we can do
> to speed this up. Right now this job takes several hours, while a
> similar job for a server without this many files may take an hour. So,
> it's affecting our backup schedule.
>
> Thoughts on an approach to help with this?
>
> Some thoughts I have:
>
> * I had considered doing a backup-to-disk then to tape to keep the tape
> unit free, but that doesn't help: We are still copying from disk to tape
> at some point.
>
> * Breaking up the backup so that it doesn't interfere as badly with the
> schedule, but we still have the issue of the backup running very slow in
> total.
>
> Other thoughts? Ideas?
>
> --
> Dustin Puryear
> President and Sr. Consultant
> Puryear Information Technology, LLC
> 225-706-8414 x112
> http://www.puryear-it.com
>
> Author, "Best Practices for Managing Linux and UNIX Servers"
> http://www.puryear-it.com/pubs/linux-unix-best-practices/
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members

From bryanf@samurai.com Wed Feb 18 21:37:58 2009
From: Bryan Fullerton
To: sage-members@sage.org
Date: Thu, 19 Feb 2009 00:37:48 -0500
Message-ID: <499CF02C.5040309@samurai.com>
References: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local>
Subject: Re: [SAGE] Backing up large number of small files..
On 19/02/2009 12:25 AM, Kurt Buff wrote:
> Then try this:
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46656.mspx?mfr=true

I'd do this one first - Microsoft now disables this "feature" by default on Vista and Windows Server 2008.

Bryan

From dpuryear@puryear-it.com Wed Feb 18 21:49:38 2009
From: "Dustin Puryear"
To: "Dustin J. Mitchell"
Cc: sage-members@sage.org
Date: Wed, 18 Feb 2009 23:49:33 -0600
Message-ID: <43452C495F09D048BF7CE9F96B65688E0101B6@sbs.Puryear-IT.local>
Subject: Re: [SAGE] Backing up large number of small files..
Because what's the difference in speed if you:

Disk -> disk -> tape

If the issue isn't disk or network IO but the fact that you have a deep directory structure with millions of files? The overhead seems to be file system and backup agent related. Sigh.

By the way, I should have said "millions" and not 170k+. I was pulling that number from memory, but I was wrong. :)

-----Original Message-----
From: djmitche@gmail.com [mailto:djmitche@gmail.com] On Behalf Of Dustin J. Mitchell
Sent: Wednesday, February 18, 2009 11:09 PM
To: Dustin Puryear
Cc: sage-members@sage.org
Subject: Re: [SAGE] Backing up large number of small files..

On Wed, Feb 18, 2009 at 11:41 PM, Dustin Puryear wrote:
> Other thoughts? Ideas?

Is it possible to use a different tool to back up that partition? Something like 'dump' that will just do a raw dump of the filesystem, rather than trying to traverse the directory tree?

A couple of hours doesn't sound too bad for a dump, and presumably once it's off the server it's pretty quick to go to tape -- I don't understand why your idea of staging it to disk before sending it to tape didn't help?

Dustin

--
Storage Software Engineer
http://www.zmanda.com
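As an added example (not from any poster in this thread), a portable shell script for Kurt Buff's "under 1k files per directory" check, plus a planner for the multi-stream approach raised later in the thread: it lists the directories whose fan-out exceeds a limit, and splits the tree's top-level directories into backup streams of similar file counts. It assumes a Unix host that can read the tree (a local copy or a CIFS mount of the share); the path, limit and stream count are arguments.

```shell
#!/bin/sh
# Added example, not from any message in the thread: a check for Kurt Buff's
# "under 1k files per directory" rule, plus a planner for the multi-stream
# approach raised later in the thread. Assumes a Unix host that can read the
# tree (a local copy or a CIFS mount of the share); path, limit and stream
# count are arguments, nothing about the real data set is assumed.
TAB=$(printf '\t')

# Print "count<TAB>dir" for every directory with more than LIMIT direct
# entries (files and subdirectories), largest first. Directories listed here
# are the ones a backup agent will crawl slowest and the first to split up.
fanout_report() {
    root=$1
    limit=${2:-1000}
    find "$root" -type d | while IFS= read -r d; do
        n=$(find "$d" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' ')
        if [ "$n" -gt "$limit" ]; then
            printf '%s\t%s\n' "$n" "$d"
        fi
    done | sort -rn
}

# Assign the immediate subdirectories of ROOT to N backup streams so that each
# stream carries a similar number of files (greedy: largest first, into the
# least loaded stream). Prints "stream<TAB>files<TAB>dir" per subdirectory.
stream_plan() {
    root=$1
    n=${2:-4}
    find "$root" -mindepth 1 -maxdepth 1 -type d | while IFS= read -r d; do
        printf '%s\t%s\n' "$(find "$d" -type f | wc -l | tr -d ' ')" "$d"
    done | sort -rn | awk -F "$TAB" -v n="$n" '
        BEGIN { for (i = 1; i <= n; i++) load[i] = 0 }
        {
            best = 1
            for (i = 2; i <= n; i++) if (load[i] < load[best]) best = i
            load[best] += $1
            printf "%d\t%s\t%s\n", best, $1, $2
        }'
}

# Usage: fanout.sh report DIR [LIMIT]   or   fanout.sh plan DIR [STREAMS]
if [ $# -gt 0 ]; then
    case "$1" in
        report) fanout_report "$2" "${3:-1000}" ;;
        plan)   stream_plan "$2" "${3:-4}" ;;
        *)      echo "usage: $0 report|plan DIR [N]" >&2; exit 2 ;;
    esac
fi
```

Run the report before restructuring and keep its output: a moved directory looks entirely new to the next incremental backup, so the first run after a reorganisation will be a full one for that subtree.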
From dpuryear@puryear-it.com Wed Feb 18 21:53:34 2009
From: "Dustin Puryear"
To: "Bryce T Pier"
Cc: sage-members@sage.org
Date: Wed, 18 Feb 2009 23:53:30 -0600
Message-ID: <43452C495F09D048BF7CE9F96B65688E0101B7@sbs.Puryear-IT.local>
Subject: Re: [SAGE] Backing up large number of small files..

Hi Bryce-

The last suggestion is something we're in the middle of trying. Essentially, we kick off a local ntbackup (could be zip or tar if you wanted) to create a local archive. The idea here is to not tie up the tape library for 8 hours because of a slow backup. We may not have any other choice than this, but I was hoping for some other ideas.

The last access time is certainly an option, but I'm thinking it won't have a huge impact here. But we'll see.

I continue to welcome ideas! :)

-----Original Message-----
From: Bryce T Pier [mailto:btpier@menolly.net]
Sent: Wednesday, February 18, 2009 11:37 PM
To: Dustin Puryear
Subject: Re: [SAGE] Backing up large number of small files..

On Wed, February 18, 2009 10:41 pm, Dustin Puryear wrote:
> This is for the backup admins here, although anyone can certainly chime
> in. :)
>
> We are using Symantec Backup Exec 12.5 and backing up several servers,
> including one Windows 2003 server with a 600 GB directory structure that
> is several levels deep and, in total, has 170k+ files in it.
>
> Backing up this particular directory structure is DOG SLOW.
>
> I'm aware that this is pretty typical, but I'm wondering what we can do
> to speed this up. Right now this job takes several hours, while a
> similar job for a server without this many files may take an hour. So,
> it's affecting our backup schedule.
>
> Thoughts on an approach to help with this?
>
> Some thoughts I have:
>
> * I had considered doing a backup-to-disk then to tape to keep the tape
> unit free, but that doesn't help: We are still copying from disk to tape
> at some point.
>
> * Breaking up the backup so that it doesn't interfere as badly with the
> schedule, but we still have the issue of the backup running very slow in
> total.
>
> Other thoughts? Ideas?

I've not yet found an enterprise backup system that will handle this type of data well. I've actually core dumped NetBackup on a FS with 3 million little files in it. You'd be best to find some block level way of backing up the data.

The other question is how often do you need to restore anything in that directory tree and how often does it change? Is there a way to restructure the data so that you can backup only files that have changed since the last backup more easily and then "archive" them to where they would normally reside? Short of something like that, I know of no way to make any backup software perform well on this type of data set. I think it's much more about all the meta data that needs to be dealt with than the act of writing the files to disk or tape.

Another last second thought... if restoring individual files isn't common, can you use some sort of tool (cpio, tar, something... sorry my windows skills and toolsets are atrophying badly) to create one or a handful of larger archive type files onto another disk, then back those up to tape?

--
Bryce T Pier
Unix Geek

From Tristan.Ball@leica-microsystems.com Wed Feb 18 22:11:33 2009
Date: Thu, 19 Feb 2009 17:05:40 +1100
Message-ID: <625858D937841B4D89752F7B6C359849168AF6@romba.vsl.com.au>
In-reply-to: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local>
Thread-Index: AcmSTFOt81y1UPiyTFiFDM0gr8/W8AACYtvQ References: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local> From: "Tristan Ball" To: "Dustin Puryear" , X-MailScanner-ID: n1J65sQQ020778 X-LeicaMicrosystems-MailScanner: Found to be clean X-LeicaMicrosystems-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=-1.44, required 5, autolearn=disabled, ALL_TRUSTED -1.44) X-LeicaMicrosystems-MailScanner-From: tristan.ball@leica-microsystems.com X-Spam-Status: No X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n1J6BXh8039068 Subject: Re: [SAGE] Backing up large number of small files.. X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Feb 2009 06:11:35 -0000

Hi,

Depending on how backup exec works with its disk-disk-tape option, you may find that it helps. The reason being that the data stream coming from the "small files volume" is likely to be very slow, and if you're using modern LTO style drives, they're quite possibly shoe shining, which can actually slow things down further still.

It's an "it depends" situation. Even if the total backup time doesn't decrease (because you're copying the data twice), you may still get the data copied from the server quicker, which means the negative effects of the backup on the source server are reduced. And the copy to tape part will run quickly, as it will be running from backup images on disk, rather than the original source files, so you get nice big streaming IO - everyone's favourite kind. :-)

We've got several similar systems here, and without resorting to fancy features like Netbackup Flashbackup, the only way I've found to back these kinds of systems up is to multi-stream. I break the backup up at as high a level as I can, and run those jobs in parallel. Obviously you have to be careful with that, as it can result in things being missed as new upper level directories are added. And, if your users are like mine, they tend to create un-balanced directory trees - 80% of the data in one 4th-6th level subdirectory - which makes splitting things up painful.

The other thing to consider is what the disk storage is: the more drives in the array, the more streams you can productively run (I figure about 1.5 streams per disk, on average).

But perhaps you need to re-think how you do the backup. There are a number of drive imaging systems that will run on a live system, and will do "dump style" raw reads of the disks - and the better ones allow you to browse the disk image to do granular restores. Or you might look at one of the "continuous data protection" products, to constantly copy the data elsewhere, avoiding the daily/weekly "copy everything" process.

Regards,

Tristan.

-----Original Message-----
From: sage-members-bounces@mailman.sage.org [mailto:sage-members-bounces@mailman.sage.org] On Behalf Of Dustin Puryear
Sent: Thursday, 19 February 2009 3:42 PM
To: sage-members@sage.org
Subject: [SAGE] Backing up large number of small files..

This is for the backup admins here, although anyone can certainly chime in. :)

We are using Symantec Backup Exec 12.5 and backing up several servers, including one Windows 2003 server with a 600 GB directory structure that is several levels deep and, in total, has 170k+ files in it.

Backing up this particular directory structure is DOG SLOW.

I'm aware that this is pretty typical, but I'm wondering what we can do to speed this up. Right now this job takes several hours, while a similar job for a server without this many files may take an hour. So, it's affecting our backup schedule.

Thoughts on an approach to help with this?

Some thoughts I have:

* I had considered doing a backup-to-disk then to tape to keep the tape unit free, but that doesn't help: We are still copying from disk to tape at some point.

* Breaking up the backup so that it doesn't interfere as badly with the schedule, but we still have the issue of the backup running very slow in total.

Other thoughts? Ideas?

-- 
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

_______________________________________________
sage-members mailing list
sage-members@mailman.sage.org
http://mailman.sage.org/mailman/listinfo/sage-members

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

From doug@will.to Thu Feb 19 06:20:21 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1JEKKdN048509 for ; Thu, 19 Feb 2009 06:20:21 -0800 (PST) (envelope-from doug@will.to) Received: from will.to (mailman.will.to [68.164.136.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id n1JEKHDa028416 for ; Thu, 19 Feb 2009 06:20:20 -0800 (PST) Received: from [75.193.67.160] (160.sub-75-193-67.myvzw.com [75.193.67.160]) (authenticated bits=0) by will.to (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id n1JDrRHA032295 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Thu, 19 Feb 2009 08:53:45 -0500 Message-ID: <499D6A8C.4040803@will.to> Date: Thu, 19 Feb 2009 09:19:56 -0500 From: Doug Hughes User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 References: <43452C495F09D048BF7CE9F96B65688E0101B7@sbs.Puryear-IT.local> In-Reply-To: <43452C495F09D048BF7CE9F96B65688E0101B7@sbs.Puryear-IT.local> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0rc3 (will.to [68.164.136.125]); Thu, 19 Feb 2009 08:53:46 -0500 (EST) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] Backing up large number of small files.. X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Feb 2009 14:20:21 -0000

This has been mentioned indirectly, but something like

original disk | (tar|zip|cpio|iso) -> staging disk -> tape

will make one big file to backup which can be streamed to tape, making the copy to tape much shorter and faster overall because there is less tendency to, as they say, "shoe shine", where you can't feed the tape fast enough so it overshoots and then rewinds and does the same thing for all the small files. By streaming the data to tape you can feed it at the speed of your tape drive, which is pretty darned fast.
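The staging step Doug describes (pack the small-file tree into one archive on a staging disk so the copy to tape is a single sequential stream), written out as an added example; it is not code from any poster in the thread. It assumes the share and the staging area are ordinary directories reachable from the script, uses Python's standard tarfile module in place of the tar/cpio/ntbackup choices discussed, and leaves the copy from staging to tape to whatever the site's backup software does. The constructed sample tree in demo() stands in for the real share. The manifest and re-hash step is the part the later replies about restores argue for: an archive you can verify before it goes to tape and again after it comes back.

```python
"""Stage a tree of many small files into one archive on a staging disk.

Added example for the SAGE thread above, not code from any poster. It
assumes the tree and the staging area are ordinary directories; the copy
from the staging archive to tape is a separate step outside this block.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def stage_tree(source: Path, staging_dir: Path, name: str) -> dict:
    """Pack `source` into staging_dir/<name>.tar and write a sidecar manifest.

    The archive is uncompressed on purpose: the goal is one large sequential
    stream for the tape drive, not space savings. The manifest records the
    member count and archive hash so the tape copy and any later restore can
    be checked against what was staged.
    """
    staging_dir.mkdir(parents=True, exist_ok=True)
    archive = staging_dir / f"{name}.tar"
    members = 0
    with tarfile.open(str(archive), "w") as tar:
        for root, dirs, files in os.walk(source):
            dirs.sort()   # deterministic member order: same tree, same archive
            files.sort()
            for fn in files:
                p = Path(root) / fn
                tar.add(str(p), arcname=str(p.relative_to(source)))
                members += 1
    digest = sha256_file(archive)
    (staging_dir / f"{name}.manifest").write_text(
        f"archive={archive.name}\nmembers={members}\nsha256={digest}\n")
    return {"archive": archive, "members": members, "sha256": digest}


def verify_staged(staging_dir: Path, name: str) -> bool:
    """Re-hash the archive and recount its members against the manifest.

    Run this before the duplicate-to-tape step and again on the archive read
    back from tape; a mismatch means the copy, not the backup job, failed.
    """
    text = (staging_dir / f"{name}.manifest").read_text()
    manifest = dict(line.split("=", 1) for line in text.splitlines())
    archive = staging_dir / manifest["archive"]
    if sha256_file(archive) != manifest["sha256"]:
        return False
    with tarfile.open(str(archive)) as tar:
        files = sum(1 for m in tar.getmembers() if m.isfile())
    return files == int(manifest["members"])


def demo() -> dict:
    """Build a constructed sample tree, stage it, verify it, then show that a
    corrupted copy is caught. Returns the observations for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        staging = Path(tmp) / "staging"
        # Constructed data: 5 top-level dirs, each with 5 small files deep down.
        for i in range(5):
            sub = src / f"V{i}" / "deep" / "deeper"
            sub.mkdir(parents=True)
            for j in range(5):
                (sub / f"f{j}.txt").write_text(f"record {i}-{j}\n")
        staged = stage_tree(src, staging, "share-2009-02-19")
        clean = verify_staged(staging, "share-2009-02-19")
        # Simulate a bad copy back from tape: the archive grows by one byte.
        with open(staged["archive"], "ab") as f:
            f.write(b"\0")
        tampered = verify_staged(staging, "share-2009-02-19")
    return {"members": staged["members"], "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

On a real share the walk itself is the slow part, exactly as the thread says, but it runs once against local disk instead of once per file across the network and the tape drive; everything after it is one large file. Keeping the manifest next to the archive is what turns "the duplicate job finished" into "the copy on tape is the copy we staged".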
From jon@network-plumbers.com Thu Feb 19 09:19:13 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1JHJDxh052420 for ; Thu, 19 Feb 2009 09:19:13 -0800 (PST) (envelope-from jon@network-plumbers.com) Received: from m1.imap-partners.net (IDENT:mirapoint@m1.imap-partners.net [64.13.152.131]) by usenix.org (8.13.6/8.13.6) with ESMTP id n1JHJAVv002095 for ; Thu, 19 Feb 2009 09:19:12 -0800 (PST) Received: from neutron.ads.network-plumbers.com (207-180-188-249.c3-0.hdp-ubr2.sbo-hdp.ma.cable.rcn.com [207.180.188.249]) by m1.imap-partners.net (MOS 3.10.3-GA) with ESMTP id BJI73897 (AUTH jon@network-plumbers.com) for ; Thu, 19 Feb 2009 09:13:01 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.5 Date: Thu, 19 Feb 2009 12:12:59 -0500 Message-ID: <24DDF862CD720843BDD148ED5DBCCAFA0BF7B2@neutron.ads.network-plumbers.com> In-Reply-To: <43452C495F09D048BF7CE9F96B65688E0101B5@sbs.Puryear-IT.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [SAGE] Backing up large number of small files.. Thread-Index: AcmSTFOt81y1UPiyTFiFDM0gr8/W8AAUok0g From: "Jon Young" To: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n1JHJDxh052420 X-Mailman-Approved-At: Thu, 19 Feb 2009 09:20:24 -0800 Subject: Re: [SAGE] Backing up large number of small files.. X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Feb 2009 17:19:13 -0000

> This is for the backup admins here, although anyone can
> certainly chime in. :)
>
> We are using Symantec Backup Exec 12.5 and backing up several
> servers, including one Windows 2003 server with a 600 GB
> directory structure that is several levels deep and, in
> total, has 170k+ files in it.
>
> Backing up this particular directory structure is DOG SLOW.

My comments are not for exactly the same setup but I was solving a similar problem at a former employer. Note however that we were mostly a linux shop using different software and I did quite a bit of filesystem testing to find which linux fs worked best for this environment. Some of what I found should be valid for you.

We were backing up several million very small files with an aggregate size of only a few hundred gigs (out of a total backup of ~12TB). As I went through debugging and fixing the disaster that was the company's backup I found several things:

Backing up D2D2T obviously created a much lower disruption to the machine being backed up.

Choice of backup software made a very big difference - they were originally running Arkeia which was horrendous (several day backup time) for this purpose because it used the filesystem as the backup database so it was replicating a massive file structure on the backup server. I used tar'ing to another filesystem over the SAN as my benchmark of the max I could possibly hope for in backup performance. When we moved to bakbone's netvault, we were able to get backup performance over gigE fairly close to what I could get over the SAN, getting my backup time (to disk) for this volume down to less than 2 hours even while the other backups were running. The replication to tape was fairly quick and, due to the way netvault does its backup replication, the time was more related to backup size rather than the huge number of source files.

Now comes the big problem I hope you have considered. Even though we were down to ~2hrs for backing up ~400G of these several million tiny files, the restore time was approximately 40hrs (better than arkeia which could never successfully restore and failed after about a week)! The problem was that the backup software needed to query the database about the correct location for the file and where it existed amongst the various backup media for each of the millions of files. We worked extensively with bakbone trying to make this better and they basically gave up and told me this is how it should be. We ended up setting up another hot spare for this machine we replicated the data to periodically because this restore time was unacceptable to us. So, please remember to test your restore times, you may find that the backup performance is the minor problem.

Hope this helps,
Jon

From dpuryear@puryear-it.com Thu Feb 19 14:27:05 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1JMR54t057129 for ; Thu, 19 Feb 2009 14:27:05 -0800 (PST) (envelope-from dpuryear@puryear-it.com) Received: from puryear-it.com (wsip-70-183-217-104.br.br.cox.net [70.183.217.104]) by usenix.org (8.13.6/8.13.6) with ESMTP id n1JMR2T4011531 for ; Thu, 19 Feb 2009 14:27:05 -0800 (PST) Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0 Date: Thu, 19 Feb 2009 16:27:01 -0600 Message-ID: <43452C495F09D048BF7CE9F96B65688E0101CB@sbs.Puryear-IT.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [SAGE] Backing up large number of small files.. Thread-Index: AcmSTFOt81y1UPiyTFiFDM0gr8/W8AAUok0gABBWdbA= From: "Dustin Puryear" To: "Jon Young" , X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n1JMR54t057129 Subject: Re: [SAGE] Backing up large number of small files..
X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Feb 2009 22:27:06 -0000

This is the solution we've gone with, at least for now:

* Each directory begins with V#, such as: V1, V102, V199, V299, V500, etc.

* We created a single job for each V#.

* We do a local ntbackup of V#*.*. We would skip the ntbackup and go right to D2D, but Backup Exec won't let us specify a wildcard on our directory selections, at least that we can find.

* We back that up to a local B2D device instead of directly to tape. Why the hell do we do this? Because Backup Exec wants to allocate the backup device while the pre-job is running, and we don't want the tape library (an IBM TS3200) drive locked up during the pre-job.

* We then do a Duplicate from the D2D device to tape.

Woo boy!

It works. It's still slow at about 14 hours for 11m files (we finally got a good count on this), but it doesn't affect our backup windows for other jobs at all now.

And, to be honest, it wasn't that hard to set this up using Backup Exec policies. The only trick was writing the pre and post scripts to make this work.

I also wrote a nice perl script that uses Backup Exec's bemcmd to generate a pretty detailed report on our backup jobs, including last successful run status, next run time, media, etc., as a CSV. I do like Backup Exec, but their reporting assumes you want to do a lot of manual labor.
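Tristan's warning that splitting a backup into parallel per-subtree jobs "can result in things being missed as new upper level directories are added", and Dustin's one-job-per-V# layout above, both call for the same pre-job check: every top-level directory must be selected by exactly one job. The following is an added example of that check, not code from the thread or from Backup Exec; job names, wildcard patterns and directory names are constructed, and top_level_dirs() is only the live-listing hook a site would point at its share. It also flags the opposite failure, a directory picked up by two jobs, which quietly doubles the work the split was meant to reduce.

```python
"""Check that per-prefix backup jobs still cover every top-level directory.

Added example for the split-job approach in the thread (one job per V#
directory, or one job per top-level subtree); it is not code from any
poster. Job names, patterns and directory names below are constructed.
"""
import fnmatch
import os
from collections import defaultdict

# Constructed sample: top-level directories under the share, in the V#
# naming scheme from the thread, plus two directories ("V6", "Archive")
# created after the jobs were defined, which is the case Tristan warns about.
SAMPLE_DIRS = ["V1", "V102", "V199", "V299", "V500", "V501", "V6", "Archive"]

# Each job selects by wildcard, the way the per-V# jobs do. "job-V10" is a
# deliberately overlapping pattern to show the double-backup case too.
SAMPLE_JOBS = {
    "job-V1": ["V1*"],
    "job-V10": ["V10*"],
    "job-V2": ["V2*"],
    "job-V5": ["V5*"],
}


def matches(name: str, pattern: str) -> bool:
    """Case-insensitive wildcard match: names on a Windows share are
    case-insensitive, so a job pattern 'v1*' must be treated as covering 'V102'."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def coverage_report(dirs, jobs):
    """Return (uncovered, overlapping).

    uncovered:   directories no job selects; they silently never get backed up.
    overlapping: directories selected by more than one job; they are backed up
                 twice and eat the window the split was meant to protect.
    """
    claimed = defaultdict(list)
    for d in dirs:
        for job, patterns in jobs.items():
            if any(matches(d, p) for p in patterns):
                claimed[d].append(job)
    uncovered = sorted(d for d in dirs if not claimed[d])
    overlapping = {d: sorted(js) for d, js in claimed.items() if len(js) > 1}
    return uncovered, overlapping


def top_level_dirs(share_root: str):
    """Live listing for use as a pre-job check: immediate subdirectories only."""
    with os.scandir(share_root) as it:
        return sorted(e.name for e in it if e.is_dir())


def report_ok(dirs, jobs) -> bool:
    """Print findings and return True only when every directory has exactly
    one job, so the result can drive a pre-job script's exit status."""
    uncovered, overlapping = coverage_report(dirs, jobs)
    for d in uncovered:
        print(f"UNCOVERED  {d}: no job selects it")
    for d, js in overlapping.items():
        print(f"OVERLAP    {d}: selected by {', '.join(js)}")
    return not uncovered and not overlapping


if __name__ == "__main__":
    # With the constructed sample this reports V6 and Archive as uncovered and
    # V102 as claimed by both job-V1 and job-V10, and exits non-zero.
    ok = report_ok(SAMPLE_DIRS, SAMPLE_JOBS)
    raise SystemExit(0 if ok else 1)
```

Run against the real share by replacing SAMPLE_DIRS with top_level_dirs(r"\\server\share") (or the local path on the file server) and SAMPLE_JOBS with the patterns actually configured; a non-zero exit from the pre-job is the cue to add a job before the new directory goes unprotected for weeks.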
From kacoroski@gmail.com Thu Feb 19 21:00:35 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1K50ZlM061853 for ; Thu, 19 Feb 2009 21:00:35 -0800 (PST) (envelope-from kacoroski@gmail.com) Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.178]) by usenix.org (8.13.6/8.13.6) with ESMTP id n1K50W5X015977 for ; Thu, 19 Feb 2009 21:00:35 -0800 (PST) Received: by wa-out-1112.google.com with SMTP id m33so393011wag.23 for ; Thu, 19 Feb 2009 21:00:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:reply-to:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=tE57Kr8fpRk1venLypNV9XDGSltW/ISEc0opox6JqnM=; b=bbBfwtgelgeeiar3IJg2+viEuEQeVUXLn8F146P4qlngQHxzC1hZUNhp5F8QQW6Rnq mnxdgfUri+LTgRDsN7oP2rIvvB5tmvolIDa8CtMVvrxWYSA4fK9lUUryh1bw1fslPJAa 2FMP+6oPKzATdP1gsVKJt6W2A4ywTTP8KGc9w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:reply-to:to:cc:in-reply-to:references:content-type :date:message-id:mime-version:x-mailer:content-transfer-encoding; b=LDWsP3zlQrq45mAYSUadcRwcvc/QhmOzGrrRYYeQX/ayt1u35dtH/AAXv0XeYtu0w4 GP0hogOcc00IjH6J2jcON+wRNqwg4kLj+6kBOfNnCZduzFYwaqKsblV1qdCu7Hcs1iQB zb3o6qWT4X3Fc0usEHJbvlLEXffWN48TecU4M= Received: by 10.114.198.1 with SMTP id v1mr186209waf.78.1235105595998; Thu, 19 Feb 2009 20:53:15 -0800 (PST) Received: from ?192.168.2.3?
(71-35-117-238.tukw.qwest.net [71.35.117.238]) by mx.google.com with ESMTPS id k37sm4335296rvb.1.2009.02.19.20.53.13 (version=SSLv3 cipher=RC4-MD5); Thu, 19 Feb 2009 20:53:14 -0800 (PST) From: Ski Kacoroski To: Dustin Puryear In-Reply-To: <43452C495F09D048BF7CE9F96B65688E0101CB@sbs.Puryear-IT.local> References: <43452C495F09D048BF7CE9F96B65688E0101CB@sbs.Puryear-IT.local> Content-Type: text/plain Date: Thu, 19 Feb 2009 20:53:12 -0800 Message-Id: <1235105592.7706.19.camel@cherry> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=10% Cc: Jon Young , sage-members@sage.org Subject: Re: [SAGE] Backing up large number of small files.. X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list Reply-To: kacoroski@gmail.com List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2009 05:00:36 -0000

Dustin,

For what it is worth, this is the same idea I use with Netvault backup for my big NAS system. We have 12 jobs that run instead of one job. I also agree with Jon Young that restores will take much longer, so you need to let people know that in case of a system failure requiring a complete restore to figure on days if your backup takes 14 hours. If this is not acceptable then they need to put the $$$ into a hot backup system.

One other thing we have done is installed a Data Domain device at a site about 5 miles away from our primary site connected via GigE fiber and nfs mount it to the backup server. We now only use tapes for long term archive and run all other backups to the Data Domain device. It has paid for itself with the reduction in labor, tape costs, and avoidance of expanding the tape system. We find that doing a restore from the Data Domain is almost as fast as restoring from a snapshot. Highly recommended.
cheers,

ski

-- 
"When we try to pick out anything by itself, we find it connected to the entire universe" John Muir

Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803 or ski98033 on most IM services

From davebahm@gmail.com Fri Feb 20 07:14:44 2009
Received: from mail-gx0-f159.google.com (mail-gx0-f159.google.com [209.85.217.159]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1KFEh9E071357 for ; Fri, 20 Feb 2009 07:14:44 -0800 (PST) (envelope-from davebahm@gmail.com) Received: by gxk3 with SMTP id 3so672664gxk.7 for ; Fri, 20 Feb 2009 07:14:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=biBSB4ES937N+ZnoDLEmA0J8MEJuQ/AfO3AwVPAS1P4=; b=Ei6grK4iby6bLAUuWYeKbtmzt+yaHLJG+o0ayD+cLu4lPO5TxEKFQ5gVQfxDEzX3r1 ciWgnh76s6PJlkfAIXlTGRkO4+thcrllSbbCzoQRkxV6JkUMJ2E8xLJfbxpjwq7NDf3l iHdS2UxTWYjkOqATltvyWMfmolKs0nw40o9Zw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=xttvByuU/CDaERFgSyRrFhHgxMOuC24LHIWhY7qCBrTmydxv3XuBiUMLP86pF5VFjI KO4zVThFGnIQ2UhBZPAv4HsPpSgIaknYZRKx8ZlAfxrjqBqGd3g76GUpB2d5LDHYq0uJ Y6D4MgDPrwuLJgmxFXNu+yPXlkjGeItMcZ3dg= MIME-Version: 1.0 Received: by 10.100.110.16 with SMTP id i16mr1249272anc.116.1235142878099; Fri, 20 Feb 2009 07:14:38 -0800 (PST) Date: Fri, 20 Feb 2009 10:14:38 -0500 Message-ID: From: David Bahm To: sage-members@mailman.sage.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.11 Subject: [SAGE] License management X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of
interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2009 15:14:44 -0000

Greetings all - relatively new member and SA here

I was curious how everyone else is handling storing, tracking, managing your software licenses. At my current place the previous method was 'boss's head' which is commonly prone to disk errors...but aside from that we just basically have text files in corresponding folders for the software. We're an SMB so that handles it fine for storing but as far as auditing to know exactly who/what computer is using it, it's a nightmare.

Best,

David

From marc@lynxconsultants.com Fri Feb 20 07:51:08 2009
Received: from mx.iwith.org (mx.iwith.org [212.203.71.220]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1KFp7nm072083 for ; Fri, 20 Feb 2009 07:51:08 -0800 (PST) (envelope-from marc@lynxconsultants.com) Received-SPF: pass (mx.iwith.org: authenticated connection) receiver=mx.iwith.org; client-ip=83.78.3.45; helo=[192.168.1.107]; envelope-from=marc@lynxconsultants.com; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf2-1.0.0; Received: from [192.168.1.107] (45-3.78-83.cust.bluewin.ch [83.78.3.45]) (authenticated bits=0) by mx.iwith.org (8.14.1/8.14.1) with ESMTP id n1KFp5jg021378 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 20 Feb 2009 16:51:05 +0100 Message-Id: From: Marc Cluet To: David Bahm In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Fri, 20 Feb 2009 16:51:04 +0100 References: X-Mailer: Apple Mail (2.930.3) X-Virus-Scanned: ClamAV version 0.94.2, clamav-milter version 0.94.2 on front2 X-Virus-Status: Clean X-Spam-Status: No, score=-14.9 required=3.0 tests=LOCAL_AUTH_RCVD, RDNS_DYNAMIC shortcircuit=no autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on front2 Cc: sage-members@mailman.sage.org Subject: Re: [SAGE] License management X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2009 15:51:09 -0000

In our place we do maintain a list of both hardware stock and software licenses with eNetman, it's a LAMP application, kinda basic but it covers our needs.

http://sourceforge.net/projects/enetman/

On 20 Feb 2009, at 16:14, David Bahm wrote:

> Greetings all - relatively new member and SA here
>
> I was curious how everyone else is handling storing, tracking, managing your software licenses. At my current place the previous method was 'boss's head' which is commonly prone to disk errors...but aside from that we just basically have text files in corresponding folders for the software. We're an SMB so that handles it fine for storing but as far as auditing to know exactly who/what computer is using it, it's a nightmare.
>
> Best,
>
> David

-- 
Marc Cluet (marc@lynxconsultants.com)
Network and Systems Engineer
Lynx Consultants - http://www.lynxconsultants.com
Girona 122, pral 1
08009 Barcelona, Spain
Mob. ES: +34 655 118 231
Mob. CH: +41 79 590 15 77
Mob. UK: +44 759 323 37 34
Tel.: +34 93 208 0031

From shrdlu@deaddrop.org Fri Feb 20 07:51:56 2009
Received: from relay02.pair.com (relay02.pair.com [209.68.5.16]) by hoshi.usenix.org (8.13.3/8.13.3) with SMTP id n1KFpuDJ072102 for ; Fri, 20 Feb 2009 07:51:56 -0800 (PST) (envelope-from shrdlu@deaddrop.org) Received: (qmail 60768 invoked by uid 0); 20 Feb 2009 15:51:54 -0000 Received: from 66.119.212.42 (HELO ?66.119.212.42?) (66.119.212.42) by relay02.pair.com with SMTP; 20 Feb 2009 15:51:54 -0000 X-pair-Authenticated: 66.119.212.42 Message-ID: <499ED213.4090407@deaddrop.org> Date: Fri, 20 Feb 2009 07:53:55 -0800 From: Etaoin Shrdlu Organization: dig @localhost TXT CHAOS version.bind User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 X-Accept-Language: en-us, en MIME-Version: 1.0 CC: sage-members@mailman.sage.org References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [SAGE] License management X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2009 15:51:57 -0000

David Bahm wrote:
> Greetings all - relatively new member and SA here
>
> I was curious how everyone else is handling storing, tracking, managing your software licenses. At my current place the previous method was 'boss's head' which is commonly prone to disk errors...but aside from that we just basically have text files in corresponding folders for the software. We're an SMB so that handles it fine for storing but as far as auditing to know exactly who/what computer is using it, it's a nightmare.

Spreadsheet. I used to have this as one of my responsibilities, and since it involved all sorts of need to track, and need to report, and need to separate due to different colors of money, I couldn't have survived without it. Personally, I'd use Excel. I don't find the OpenOffice version able to handle some of the fancy stuff that Excel does well. YMMV.

Now, to the things you need. In this spreadsheet, use the multiple sheets features, and link from your main page to them, when necessary.
Pity I don't have any examples to show you (I'm retired now), but keeping the complexity down in any particular area makes it much easier to understand what you're looking at (for the people other than the creator who are looking for specific items).

Track original cost, original date of acquisition, number of licenses, type of licenses (floating, per machine, that kind of thing), yearly fees. When you add licenses to an existing set, you should have a place to make note of it.

Hmmm. This is getting complicated, and I haven't yet had enough coffee to be competent. I may return to it later in the day, if this seems helpful.

-- 
Remember, if it's in the news, don't worry about it. The very definition of news is "something that almost never happens." When something is so common that it's no longer news -- car crashes, domestic violence -- that's when you should worry about it. (Bruce Schneier)

From jal@mdacorporation.com Fri Feb 20 11:20:54 2009
From: "John LLOYD"
Date: Fri, 20 Feb 2009 11:20:49 -0800
Message-ID: <57F67688A8D72449AC80164DA982083104C908C2@VMXYVR1.ds.mda.ca>
In-Reply-To: <499ED213.4090407@deaddrop.org>
Subject: Re: [SAGE] License management

> Track original cost, original date of acquisition, number of licenses, type of licenses (floating, per machine, that kind of thing), yearly fees. When you add licenses to an existing set, you should have a place to make note of it.

I second this. You want to record transactions on your spreadsheet, not the "current" view. When a vendor changes ownership, product name, or product option mix, you will want to be able to retrace the history.

Something along the lines of this, for buying a product one year and upgrading it a few years later

  5-feb-1997  office 97 standard   +1
  5-jun-2001  office 97 standard   -1
  5-jun-2001  office 2000 upgrade  +1

where "-1" means you no longer have (a right for) that particular license. To determine your current set, sum by product name, where you get "0" for old office 97 standard, and "+1" for the upgraded version office 2000. Put the sum(s) on your spreadsheet front page. If you're good with the spreadsheet hacking you can avoid showing the products with 0 counts.

For a paper trail, you can simply use a serial file, consisting of file folders ordered by month or quarter, of all purchase orders, shipping documents, screen shots of downloads, etc. Add the date to the spreadsheet and a little "table scanning" through your folders will turn up the paperwork on the rare days you need it.
--John

From ntwrkd@gmail.com Sat Feb 21 18:15:33 2009
From: ntwrkd
To: SAGE
Date: Sat, 21 Feb 2009 18:15:30 -0800
Subject: [SAGE] Scale 7x Expo Floor Photos

For those of you unable to attend SCALE 7x (http://www.socallinuxexpo.org) and interested to see who is at the expo, check out this link:

http://digg.com/tech_news/SCALE_7x_Southern_California_Linux_Expo_Floor_Photos

From tor@flatebo.org Wed Feb 25 14:09:52 2009
From: Torleiv Flatebo
To: sage-members@sage.org
Date: Wed, 25 Feb 2009 16:09:44 -0600
Message-ID: <49A5C1A8.5080604@flatebo.org>
Subject: [SAGE] Fusion IO "SAN on a card"

Does anyone have experience using the Fusion IO cards? We are looking at using them in conjunction with Oracle (redo logs) and would like some feedback from users in the wild.

*) Any problems with the drivers?
*) What OS are you using?
*) Are you using any host-to-host replication?
*) What benefits using these cards?
*) What issues/degradations have you seen using these cards?

Torleiv Flatebo

From twilliams@answerfinancial.com Thu Feb 26 01:30:12 2009
From: "Todd Williams"
Date: Thu, 26 Feb 2009 01:10:35 -0800
Subject: [SAGE] What do you do with your old PCs ?

As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some each quarter), I find the pile of "spare" desktops growing.
My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB memory. Not exciting, but hey, they work ok if your demands are light.
At some point, of course, I'll be totally off of these older boxes.

What would you do with them?

The obvious choices involve giving/selling/auctioning to employees or donating to charities.

But I've been to those places before, and I've seen it all, including:
- Parts on similar machines that are still in use start disappearing (memory, disk, special cables, whatever)
- Recipients of free machines who expect support from the help desk
- Highly paid employees fighting to be first in line for a chance to take home a junk machine
- In an auction or giveaway intended to fairly distribute things to those who have a use or need, one employee manages to amass a large quantity of items, which he then sells for personal gain
- Employees (sometimes even executives) fight over whose favorite charity should be the recipient of the donation

I'm just wondering if any of you have a more hassle-free method that you use.
-Todd Williams

From servant74a@gmail.com Thu Feb 26 04:55:50 2009
From: Jack Coats
To: Todd Williams
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 06:55:46 -0600
Message-ID: <48555fa40902260455t1421bb6qc8068c6ccdf676a9@mail.gmail.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

I understand your pain. I dealt with this kind of an issue for a small bank before.

If you can work out a deal with a local refurb/recycle firm to take them at no cost to you (even if you have to deliver) and obtain an EPA recycle receipt is the 'best answer'. Even though they will, you still need to wipe the disk for security sake. Even paying a bit is not a bad thing. I think Dell has a negotiable recycle policy for new machines (recycle the old no matter the brand?) And there is the Staples 'tie a $10 bill to it, deliver it to us, and we will deal with it' method.

My wife works for a non-profit, and unless they contact you, the donated machines cause the NPO as much hassle as they do you. The applications they run are just as important to their business as yours are to you. To help NPO's, donate cash (first), or buy their 'cookies' or equivalent (second), or donate time (personally or as a company sponsored community support effort - third).

Even if you put 'no support available from the help desk', employees (current and former) still call. And the higher up they are/have been the more hand holding they demand.

If you have a parts disappearing problem, you might consider taking some apart, advertising the parts for free for the asking (with some reasonable maximum, about 2 or 3 times what you think 'personal use' would be) - no questions asked, along with an internal advertising campaign about reducing support cost due to parts 'walking off' from the office. This addresses a couple of issues, making folks aware of a problem in the business (theft), and giving those that might figure there is no other way, a face saving way out.

Personally, I'd like a six pack of them. Email direct for shipping address ;)

.. Jack

On Thu, Feb 26, 2009 at 3:10 AM, Todd Williams wrote:
> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some each quarter), I find the pile of "spare" desktops growing.
> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB memory. Not exciting, but hey, they work ok if your demands are light.
> At some point, of course, I'll be totally off of these older boxes.
>
> What would you do with them?
>
> The obvious choices involve giving/selling/auctioning to employees or donating to charities.
>
> But I've been to those places before, and I've seen it all, including:
> - Parts on similar machines that are still in use start disappearing (memory, disk, special cables, whatever)
> - Recipients of free machines who expect support from the help desk
> - Highly paid employees fighting to be first in line for a chance to take home a junk machine
> - In an auction or giveaway intended to fairly distribute things to those who have a use or need, one employee manages to amass a large quantity of items, which he then sells for personal gain
> - Employees (sometimes even executives) fight over whose favorite charity should be the recipient of the donation
>
> I'm just wondering if any of you have a more hassle-free method that you use.
>
> -Todd Williams

From rski@chycoski.com Thu Feb 26 08:43:32 2009
From: Richard Chycoski
To: Todd Williams
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 08:43:18 -0800
Message-ID: <49A6C6A6.4020806@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

$WORK uses a local recycler, we collect them, and they pick them up.

You might ask the local school district if they are interested, some schools are using machines much older than you are getting rid of. There is a local organisation here in the Bay Area () that also takes machines and puts the pieces together (if necessary) to make computers available to local teachers.

No matter how you get rid of them, though - erase the disks before they leave your premises. A 'live CD' of your favourite flavour of Linux makes this easy (I use Knoppix, myself). Do this even (especially) if employees are taking them home. In this case, it's to protect the employees as much as the company.

- Richard

Todd Williams wrote:
> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some each quarter), I find the pile of "spare" desktops growing.
> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB memory. Not exciting, but hey, they work ok if your demands are light.
> At some point, of course, I'll be totally off of these older boxes.
>
> What would you do with them?
>
> The obvious choices involve giving/selling/auctioning to employees or donating to charities.
>
> But I've been to those places before, and I've seen it all, including:
> - Parts on similar machines that are still in use start disappearing (memory, disk, special cables, whatever)
> - Recipients of free machines who expect support from the help desk
> - Highly paid employees fighting to be first in line for a chance to take home a junk machine
> - In an auction or giveaway intended to fairly distribute things to those who have a use or need, one employee manages to amass a large quantity of items, which he then sells for personal gain
> - Employees (sometimes even executives) fight over whose favorite charity should be the recipient of the donation
>
> I'm just wondering if any of you have a more hassle-free method that you use.
>
> -Todd Williams

From jac@panix.com Thu Feb 26 08:55:13 2009
From: John Clear
To: Todd Williams
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 08:55:11 -0800
Message-ID: <20090226165511.GA12424@panix.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

On Thu, Feb 26, 2009 at 01:10:35AM -0800, Todd Williams wrote:
> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some each quarter), I find the pile of "spare" desktops growing.
> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB memory. Not exciting, but hey, they work ok if your demands are light.
> At some point, of course, I'll be totally off of these older boxes.
>
> What would you do with them?
>
> The obvious choices involve giving/selling/auctioning to employees or donating to charities.

Others have covered the 'joys' of giving them to employees.

Some charities specialize in refurbishing used computers. In the Bay Area, Resource Area for Teaching (www.raft.net) will take newer (their wishlist says 2002+) old computers, fix them up, and sell them to teachers at very low cost. RAFT will also take office supplies, old CDs, and all sorts of cast offs (http://raft.net/documents/MaterialWishList.pdf). In addition to the pens and computers, they also do science and art kits for teachers.

I volunteer at RAFT through another charity, and we joke that RAFT is the MacGyver of charities. They can take a CD, a water bottle top, and a balloon from some failed marketing campaign and turn it into a small hovercraft. Or turn a jewel case into a small greenhouse.
John

From tperrine@scea.com Thu Feb 26 09:15:44 2009
From: Tom Perrine
To: Richard Chycoski
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 09:03:26 -0800
Message-ID: <49A6CB5E.6020805@scea.com>
In-Reply-To: <49A6C6A6.4020806@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

Richard Chycoski wrote:
> No matter how you get rid of them, though - erase the disks before they leave your premises. A 'live CD' of your favourite flavour of Linux makes this easy (I use Knoppix, myself). Do this even (especially) if employees are taking them home. In this case, it's to protect the employees as much as the company.

DBAN is a great answer: http://www.dban.org/

From yesthattom@gmail.com Thu Feb 26 09:20:28 2009
From: Tom Limoncelli
To: Todd Williams
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 11:21:29 -0500
Subject: Re: [SAGE] What do you do with your old PCs ?

On Thu, Feb 26, 2009 at 4:10 AM, Todd Williams wrote:
> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some each quarter), I find the pile of "spare" desktops growing.
> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB memory. Not exciting, but hey, they work ok if your demands are light.
> At some point, of course, I'll be totally off of these older boxes.
>
> What would you do with them?

Going through a third party helps deal with the requests for support, etc.

http://www.google.com/search?q=e-cycle+old+computers

Some places claim they'll erase the disks for you. I wouldn't trust them. I prefer Darik's Boot and Nuke ("DBAN"): http://www.dban.org/
You don't even need the monitor attached. Just boot up, listen for the beep, and it starts erasing. Pull out the keyboard and move it to the next machine. (I once erased 100+ computers in a day using DBAN).

Some Linux groups have projects where they take old computers, reload them with Linux, and donate them to charities. I know there's one in Ohio that does that (http://www.freegeekcolumbus.org/donate). You might check with your local Linux group to see if they do something similar.
Tom

From jal@mdacorporation.com Thu Feb 26 09:28:22 2009
From: "John LLOYD"
Date: Thu, 26 Feb 2009 09:21:10 -0800
Message-ID: <57F67688A8D72449AC80164DA982083104CE7EBF@VMXYVR1.ds.mda.ca>
Subject: Re: [SAGE] What do you do with your old PCs ?

We built a cluster out of some of them. The R&D guys use the cluster for, well, whatever R&D guys do. Gigabit switches are cheap. Cluster software supports diskless nodes.
> - In an auction or giveaway intended to fairly distribute things to those
> who have a use or need, one employee manages to amass a large quantity of
> items, which he then sells for personal gain

A quota of one per employee per year solves that one.

--John

From allan@physics.umn.edu Thu Feb 26 09:38:59 2009
From: Graham Allan
To: sage-members@sage.org
Date: Thu, 26 Feb 2009 11:40:56 -0600
Message-ID: <49A6D428.4070806@physics.umn.edu>
In-Reply-To: <49A6C6A6.4020806@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

We have an arrangement with a local recycler as well, but having seen the
way the hardware is "loaded" into their truck I don't think there is any
intention to reuse anything.
(That could be a reflection of how crappy the hardware is before it leaves
us, but I'm not sure the truck driver should get to make that call!)

Interestingly, we recently went through our current supply of "spare"
computers, all about 5 years old, 2.8GHz P4 type machines, and found that
90% of them were suffering from leaking or bulging capacitors on the
mainboard. So right away that solved the problem of whether to find a new
use for them...

Graham

Richard Chycoski wrote:
> $WORK uses a local recycler, we collect them, and they pick them up.
>
> You might ask the local school district if they are interested, some
> schools are using machines much older than you are getting rid of. There
> is a local organisation here in the Bay Area () that
> also takes machines and puts the pieces together (if necessary) to make
> computers available to local teachers.
>
> No matter how you get rid of them, though - erase the disks before they
> leave your premises. A 'live CD' of your favourite flavour of Linux
> makes this easy (I use Knoppix, myself). Do this even (especially) if
> employees are taking them home. In this case, it's to protect the
> employees as much as the company.
>
> - Richard
>
>
> Todd Williams wrote:
>> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some
>> each quarter), I find the pile of "spare" desktops growing.
>> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB
>> memory. Not exciting, but hey, they work ok if your demands are light.
>> At some point, of course, I'll be totally off of these older boxes.
>>
>> What would you do with them?
>>
>> The obvious choices involve giving/selling/auctioning to employees or
>> donating to charities.
>>
>> But I've been to those places before, and I've seen it all, including:
>> - Parts on similar machines that are still in use start disappearing
>> (memory, disk, special cables, whatever)
>> - Recipients of free machines who expect support from the help desk
>> - Highly paid employees fighting to be first in line for a chance to take
>> home a junk machine
>> - In an auction or giveaway intended to fairly distribute things to those
>> who have a use or need, one employee manages to amass a large quantity of
>> items, which he then sells for personal gain
>> - Employees (sometimes even executives) fight over whose favorite charity
>> should be the recipient of the donation
>>
>> I'm just wondering if any of you have a more hassle-free method that you
>> use.

From plathrop@tertiusfamily.net Thu Feb 26 09:46:51 2009
From: Paul Lathrop
To: John Clear
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 09:17:08 -0800
In-Reply-To: <20090226165511.GA12424@panix.com>
Subject: Re: [SAGE] What do you do with your old PCs ?
On Thu, Feb 26, 2009 at 8:55 AM, John Clear wrote:
> On Thu, Feb 26, 2009 at 01:10:35AM -0800, Todd Williams wrote:
>> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some
>> each quarter), I find the pile of "spare" desktops growing.
>> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB
>> memory. Not exciting, but hey, they work ok if your demands are light.
>> At some point, of course, I'll be totally off of these older boxes.
>>
>> What would you do with them?
>>
>> The obvious choices involve giving/selling/auctioning to employees or
>> donating to charities.
>
> Others have covered the 'joys' of giving them to employees.
>
> Some charities specialize in refurbishing used computers. In the
> Bay Area, Resource Area for Teaching (www.raft.net) will take newer
> (their wishlist says 2002+) old computers, fix them up, and sell
> them to teachers at very low cost.

Another good Bay Area resource for this sort of thing is ACCRC:
http://www.accrc.org/

From their site:

"When you give us your computer, you will receive a tax write-off, and we
will attempt to fix your equipment and then give it away to someone who is
unable to afford to buy a computer. If we are unable to reuse your
equipment, it will be recycled in an environmentally friendly manner. To
donate your equipment, simply bring it to us during our open hours. No
appointment is needed. Nothing is too old or too broken. Some fees may apply
for certain types of material, degaussing and for non-local pick-ups. We
give free refurbished computers to schools, non-profit organizations, and
economically and/or physically disadvantaged individuals.
Although our computers are all old enough that they were discarded by their
previous owners, the ones that we refurbish are still perfectly adequate for
most home, school, and office applications. Our refurbished systems all run
a Free software GNU/Linux operating system."

Pretty good cause.

--Paul

From dpuryear@puryear-it.com Thu Feb 26 11:34:36 2009
From: "Dustin Puryear"
To: "Dustin J. Mitchell"
Cc: SAGE
Date: Thu, 26 Feb 2009 13:34:37 -0600
Message-ID: <43452C495F09D048BF7CE9F96B65688E05FB58@sbs.Puryear-IT.local>
Subject: Re: [SAGE] Using GCJ

We remove it as standard practice and install Sun's JDK.

-----Original Message-----
From: sage-members-bounces@mailman.sage.org
[mailto:sage-members-bounces@mailman.sage.org] On Behalf Of Dustin J.
Mitchell
Sent: Wednesday, February 18, 2009 8:54 AM
To: ntwrkd
Cc: SAGE
Subject: Re: [SAGE] Using GCJ

On Wed, Feb 18, 2009 at 12:55 AM, ntwrkd wrote:
> I'm curious to know, has anyone out there had any success running GCJ
> as their JVM for, well, anything?

PyLucene is a gcj-compiled version of lucene with a Python interface.
Pretty cool stuff, and while we did have a lot of trouble with it, that was
due to bugs in pylucene, not the gcj implementation. Of course, ymmv :)

Dustin

--
Storage Software Engineer
http://www.zmanda.com

From unix_fan@yahoo.com Thu Feb 26 12:25:21 2009
From: unix_fan
To: sage-members@sage.org
Date: Thu, 26 Feb 2009 12:18:31 -0800 (PST)
Message-ID: <176518.56933.qm@web53809.mail.re2.yahoo.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

--- On Thu, 2/26/09, Todd Williams wrote:
[]
> What would you do with them?

We give them to employees. Actually, it's not quite a give, we charge a
nominal fee (mostly for the prep work?).

The employees have to sign up on a website to have their name in the
drawing. If they are picked, they can't win another for a year, or if all
the employees who have signed up have won something already (whichever
comes first). You know how many are going to be given away the day of the
drawing, so you pick that many names. Every winner gets a date, time, and
location. They go to the site where the computers are, and they get the
computer. No shows get a week to reschedule or their machine gets put back
in the queue for the next drawing.

WRT prep work, the machine is Nuked to the DoD standard. It's loaded with
the Windows version it was originally licensed for and patched. No other
apps get loaded, it's plain vanilla.

> But I've been to those places before, and I've seen it all, including:
> - Parts on similar machines that are still in use start disappearing

We (unintentionally?) avoid that by always being one generation back. Last
year it was P4s, but we've mostly got Xeons and laptops on desks now.
Different incompatible memory.
It's possible I haven't seen the full extent of the problem but it exists.

> - Recipients of free machines who expect support from the help desk

The pickup requires signing a sheet where they acknowledge there is no
support (stated in Big Font in Bold). Since the Help Desk requires an asset
tag, they won't get help if they call for something that is off the books.

> - Highly paid employees fighting to be first in line for a chance to take
> home a junk machine

Random drawing eliminates that.

> - In an auction or giveaway intended to fairly distribute things to those
> who have a use or need, one employee manages to amass a large quantity of
> items, which he then sells for personal gain

We have no control over resale (it is an ownership transfer) but limiting a
win to once a year prevents amassing anything.

> - Employees (sometimes even executives) fight over whose favorite charity
> should be the recipient of the donation

That's why we give to the employee. But yeah, that's a Layer 8 problem
alright.
From salsbury@sculptors.com Thu Feb 26 13:01:51 2009
From: Patrick Salsbury
To: Tom Limoncelli
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 13:01:29 -0800
Message-ID: <49A70329.8060507@sculptors.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

Tom Limoncelli wrote:
> Some places claim they'll erase the disks for you. I wouldn't trust
> them.
> I prefer Darik's Boot and Nuke ("DBAN"): http://www.dban.org/
> You don't even need the monitor attached. Just boot up, listen for
> the beep, and it starts erasing. Pull out the keyboard and move it to
> the next machine. (I once erased 100+ computers in a day using DBAN).

That sounds like a cool utility for legitimate use, but boy, do I shudder
thinking about what a malcontent could do with that on a USB drive! Then
again, there's little protection against antisocial intent. If they're
determined, they'll find a way.

Pat

From servant74a@gmail.com Thu Feb 26 14:14:27 2009
From: Jack Coats
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 16:14:23 -0600
Message-ID: <48555fa40902261414l1b6ebfd3x1ae51df939bf04b5@mail.gmail.com>
In-Reply-To: <49A70329.8060507@sculptors.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

One church I was at got a bunch of computers without hard drives from Enron
just as the shredders were in full bloom some years ago. After acquiring
some refurb drives the computers were all useful. The 'random donations'
are typically less useful from my experience.

Removing the drives and a little 'creative arc welding' does wonders for
security.
From dmagda@ee.ryerson.ca Thu Feb 26 23:40:57 2009
From: David Magda
To: unix_fan
Cc: sage-members@sage.org
Date: Thu, 26 Feb 2009 21:43:11 -0500
Message-ID: <48A4E781-8748-40FB-A428-DCC84EC8BFF0@ee.ryerson.ca>
In-Reply-To: <176518.56933.qm@web53809.mail.re2.yahoo.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

On Feb 26, 2009, at 15:18, unix_fan wrote:
> WRT prep work, the machine is Nuked to the DoD standard. It's loaded
> with the Windows version it was originally licensed for and patched.
> No other apps get loaded, it's plain vanilla.

Had to do some research for this and found out that the DoD documents have
now been superseded by NIST Special Publication SP 800-88 ("Guidelines for
Media Sanitization") as of September 2006:

http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
http://en.wikipedia.org/wiki/Data_remanence

If the (magnetic) media is leaving the "organization's control" the
document calls for "purging", which the SATA Secure Erase command qualifies
for, as does degaussing. Appendix A gives examples for various media (paper,
cell phones, routers, fax machines, etc.).

For a security categorization of "High" the media has to be physically
destroyed before leaving "organization control". They even give dimensions
(e.g. max. particle size for DVDs is 5 mm on a side, max. total area 25
mm^2).

All steps require validation that the sanitization occurs, and documenting
that fact.

Good advice--you don't want your bank to show up on the evening news:

http://www.google.com/search?q=personal+data+ebay

Overwriting once should probably be sufficient for most civilian purposes
I'm guessing.
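The validation-and-documentation step David Magda describes above, as an added example that is not code from the thread: a POSIX shell script that overwrites a drive once, reads the whole target back to prove the overwrite actually happened, and appends an auditable log line. The constructed 256 KiB image file, the planted marker string, the log format and the `id -un` operator default are assumptions; on a real machine the target would be the whole-device node rather than a file.

```shell
#!/bin/sh
# Added example, not from the thread: single-pass overwrite of a drive
# followed by the validation and record-keeping step that SP 800-88 asks for.
# The "drive" here is a constructed image file; on a real machine $target
# would be the whole-device node (the entire disk, not one partition).

# Build a constructed 256 KiB disk image with a recognisable secret planted
# in it, so the verification step has something concrete to prove is gone.
make_sample_disk() {
    img=$1
    dd if=/dev/zero of="$img" bs=1024 count=256 2>/dev/null
    printf 'CONFIDENTIAL-PAYROLL-DATA' \
        | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Number of bytes in the target that are not 0x00; zero after a clean wipe.
residual_nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Pass 1 of 1: overwrite every byte in place (conv=notrunc keeps the same
# blocks for a file; for a device node it is simply a sequential write).
overwrite_once() {
    target=$1
    size=$(wc -c < "$target" | tr -d ' ')
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null
    sync
}

# Validation: read the whole target back and compare it byte-for-byte with
# the pattern that was written. Trusting the exit status of dd is not
# validation; reading the media back is.
verify_overwritten() {
    target=$1
    size=$(wc -c < "$target" | tr -d ' ')
    head -c "$size" /dev/zero | cmp -s - "$target"
}

# Full procedure: wipe, verify, and append an auditable record to $logfile.
# Returns 0 only when the read-back verification passed.
sanitize_and_verify() {
    target=$1
    logfile=$2
    operator=${3:-$(id -un)}
    overwrite_once "$target"
    if verify_overwritten "$target"; then
        result=VERIFIED
        rc=0
    else
        result=FAILED
        rc=1
    fi
    printf '%s target=%s bytes=%s method=overwrite-1pass-zero residual=%s result=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" \
        "$(wc -c < "$target" | tr -d ' ')" \
        "$(residual_nonzero_bytes "$target")" "$result" "$operator" >> "$logfile"
    return $rc
}

# Demonstration on a constructed image: run as `sh sanitize.sh --demo`.
demo() {
    img=$(mktemp) && log=$(mktemp)
    make_sample_disk "$img"
    echo "before: $(residual_nonzero_bytes "$img") non-zero bytes"
    sanitize_and_verify "$img" "$log" demo-operator && echo "wipe verified"
    echo "after:  $(residual_nonzero_bytes "$img") non-zero bytes"
    cat "$log"
    rm -f "$img" "$log"
}

case "${1-}" in --demo) demo ;; esac
```

The log line is the "documenting that fact" half of the requirement: it records what was wiped, how, the residual count measured on read-back, and who did it, so a second person can check the record without repeating the work.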
From lobo@mental.com Fri Feb 27 01:11:01 2009
From: Alexander Lobodzinski
To: sage-members@sage.org
Date: Fri, 27 Feb 2009 10:06:18 +0100
Message-ID: <27559.1235725578@mental.com>
In-reply-to: David Magda's message of Thu, 26 Feb 2009 21:43:11 EST <48A4E781-8748-40FB-A428-DCC84EC8BFF0@ee.ryerson.ca>
Subject: Re: [SAGE] What do you do with your old PCs ?

() Overwriting once should probably be sufficient for most civilian
() purposes I'm guessing.
I guess for other practical purposes as well (regulations aside):

http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/

Ciao, Lobo

From rskiadmin@chycoski.com Fri Feb 27 09:59:15 2009
From: Richard Chycoski
To: Alexander Lobodzinski
Cc: sage-members@sage.org
Date: Fri, 27 Feb 2009 09:53:36 -0800
Message-ID: <49A828A0.5000104@chycoski.com>
In-Reply-To: <27559.1235725578@mental.com>
Subject: Re: [SAGE] What do you do with your old PCs ?
It's interesting that no trials were done with drives that had significant
wear. One of the supposedly exploitable issues was with a drive that had
been written to, then left spinning for many years, followed by a write.

As the bearings wear, the placement of the tracks may not be in precisely
the same location as the originals, and the 'edges' of the former tracks
might be exposed.

Has anyone done recent studies on this?

The NSA still has disks stored in safes that they don't consider even
pulverisation to be sufficiently safe as a destructive technique. However
the NSA (and other, miscellaneous gov't TLAs) are:

- First, and foremost - paranoid. Not necessarily a negative, given their
profession.
- Sticking to old information about vulnerabilities?
- Maybe want people to *think* that they can get the data back off those
hard drives of nefarious data that you believe you erased? :-)

- Richard

Alexander Lobodzinski wrote:
> () Overwriting once should probably be sufficient for most civilian
> () purposes I'm guessing.
>
> I guess for other practical purposes as well (regulations aside):
>
> http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/
>
> Ciao, Lobo

From servant74a@gmail.com Fri Feb 27 11:10:11 2009
In-Reply-To: <49A828A0.5000104@chycoski.com>
Date: Fri, 27 Feb 2009 13:04:15 -0600
Message-ID: <48555fa40902271104g23f52796r6b3609e47d3a36ec@mail.gmail.com>
From: Jack Coats
Cc: sage-members@sage.org
Subject: Re: [SAGE] What do you do with your old PCs ?

Richard, I think you are right that being overly paranoid may not be
sufficient security for some organizations.

I do like the method of destruction suggested in the first Terminator movie
(if I remember it right). Melting aluminum is no big deal, and any
reasonable 'commercial smelting firm', like the ones that destroy firearms,
can significantly destroy 'round, brown, and rotating' style media, as long
as they get their temperature high enough to pour ingots out of the molten
metal. Then the metal could be recycled, buried as ingots, or made into
bricks for the next 'more top secret than top secret' project that comes
along.

Or possibly punch it into small pieces and sell it back to us in the form of
coins!
;)

From feenberg@nber.org Fri Feb 27 11:55:31 2009
From: Daniel Feenberg
To: Richard Chycoski
Cc: sage-members@sage.org
Date: Fri, 27 Feb 2009 14:48:45 -0500 (EST)
In-Reply-To: <49A828A0.5000104@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?
On Fri, 27 Feb 2009, Richard Chycoski wrote:

> It's interesting that no trials were done with drives that had significant
> wear. One of the supposedly exploitable issues was with a drive that had been
> written to, then left spinning for many years, followed by a write.
>
> As the bearings wear, the placement of the tracks may not be in precisely the
> same location as the originals, and the 'edges' of the former tracks might be
> exposed.
>
> Has anyone done recent studies on this?
>
> The NSA still has disks stored in safes that they don't consider even
> pulverisation to be sufficiently safe as a destructive technique. However the
> NSA (and other, miscellaneous gov't TLAs) are:
>

Worried about the tech who doesn't know the difference between

0) rm -R /*
1) rm *
2) rm -R *
3) yes >/dev/ad3s1a
4) yes >/dev/ad3s1
5) yes >/dev/ad3

and furthermore, even if they have confidence in the tech, how does the
second lieutenant who is supposed to sign off on the job confirm that the
work was done, unless he also knows the difference? They may also be
worried about undeleted bad sectors. Drilling through the platter is
sure-fire and easy to verify.

There isn't any evidence that any written-over sector has ever been read.
While Gutmann's paper has 37 references, none of the references claim to
support Gutmann's thesis. None are even about reading erased sectors but
are about the design of heads. I know - I went to the library and looked
them up. Gutmann sees hints in the papers that erased sectors might be
read, but these are hints at an untruth. See my posting "Can Intelligence
Agencies Read Overwritten Data? A response to Gutmann":

http://www.nber.org/sys-admin/overwritten-data-gutmann.html

Since all subsequent work merely cites Gutmann, it cannot be considered
additional support for this urban myth.

Daniel Feenberg

From jjasen@realityfailure.org Sat Feb 28 04:31:20 2009
Message-ID: <49A92E92.8080605@realityfailure.org>
Date: Sat, 28 Feb 2009 07:31:14 -0500
From: John Jasen
To: Daniel Feenberg
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com>
Cc: sage-members@sage.org
Subject: Re: [SAGE] What do you do with your old PCs ?

Daniel Feenberg wrote:
>
>
> On Fri, 27 Feb 2009, Richard Chycoski wrote:
>
>> It's interesting that no trials were done with drives that had
>> significant wear. One of the supposedly exploitable issues was with a
>> drive that had been written to, then left spinning for many years,
>> followed by a write.
>>
>> As the bearings wear, the placement of the tracks may not be in
>> precisely the same location as the originals, and the 'edges' of the
>> former tracks might be exposed.
>>
>> Has anyone done recent studies on this?
>>
>> The NSA still has disks stored in safes that they don't consider even
>> pulverisation to be sufficiently safe as a destructive technique.
>> However the NSA (and other, miscellaneous gov't TLAs) are:
>>
>
> Worried about the tech who doesn't know the difference between
>
> 0) rm -R /*
> 1) rm *
> 2) rm -R *
> 3) yes >/dev/ad3s1a
> 4) yes >/dev/ad3s1
> 5) yes >/dev/ad3
>
> and furthermore, even if they have confidence in the tech, how does the
> second lieutenant who is supposed to sign off on the job confirm that
> the work was done, unless he also knows the difference? They may also be
> worried about undeleted bad sectors. Drilling through the platter is
> sure-fire and easy to verify.
>
> There isn't any evidence that any written-over sector has ever been
> read. While Gutmann's paper has 37 references, none of the references
> claim to support Gutmann's thesis. None are even about reading erased
> sectors but are about the design of heads. I know - I went to the
> library and looked them up. Gutmann sees hints in the papers that erased
> sectors might be read, but these are hints at an untruth. See my posting
> "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann":
>
> http://www.nber.org/sys-admin/overwritten-data-gutmann.html
>
> Since all subsequent work merely cites Gutmann, it cannot be considered
> additional support for this urban myth.

From what I've heard, Gutmann was discussing the possibility in older
drive technology, like MFM and RLL. He has since stated that recovery
should practically be impossible for more modern drives.

Craig Wright (SANS GSE-Compliance and a bunch of other acronyms) either
has published or is working on publishing a paper where he and a few
others discuss the results they've had from attempting to recover data
after a single drive wipe. If you want, I'll put you in contact with him.

--
-- John E. Jasen (jjasen@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring

From feenberg@nber.org Sat Feb 28 05:23:54 2009
Date: Sat, 28 Feb 2009 08:23:31 -0500 (EST)
From: Daniel Feenberg
To: John Jasen
Cc: sage-members@sage.org
In-Reply-To: <49A92E92.8080605@realityfailure.org>
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com> <49A92E92.8080605@realityfailure.org>
Subject: Re: [SAGE] What do you do with your old PCs ?

On Sat, 28 Feb 2009, John Jasen wrote:
>
> From what I've heard, Gutmann was discussing the possibility in older
> drive technology, like MFM and RLL. He has since stated that recovery
> should practically be impossible for more modern drives.
>
> Craig Wright (SANS GSE-Compliance and a bunch of other acronyms) either
> has published or is working on publishing a paper where he and a few
> others discuss the results they've had from attempting to recover data
> after a single drive wipe. If you want, I'll put you in contact with him.
>

I have the paper, it is completely convincing that the recovery of
meaningful data is impossible.

Daniel Feenberg

From dmagda@ee.ryerson.ca Sat Feb 28 07:18:30 2009
Message-Id: <942E5A58-F493-4A88-B040-6F3FFEF7BC03@ee.ryerson.ca>
From: David Magda
To: Daniel Feenberg
Date: Sat, 28 Feb 2009 08:49:45 -0500
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com> <49A92E92.8080605@realityfailure.org>
Cc: sage-members@sage.org
Subject: Re: [SAGE] What do you do with your old PCs ?

On Feb 28, 2009, at 08:23, Daniel Feenberg wrote:

> I have the paper, it is completely convincing that the recovery of
> meaningful data is impossible.

What's the title? Is it available online anywhere?

From dmagda@ee.ryerson.ca Sat Feb 28 07:18:40 2009
Message-Id: <77D2F6EE-6318-45B0-8C1D-F749D4A72896@ee.ryerson.ca>
Date: Sat, 28 Feb 2009 09:27:04 -0500
From: David Magda
To: Daniel Feenberg
Cc: SAGE mailing list
In-Reply-To: <942E5A58-F493-4A88-B040-6F3FFEF7BC03@ee.ryerson.ca>
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com> <49A92E92.8080605@realityfailure.org> <942E5A58-F493-4A88-B040-6F3FFEF7BC03@ee.ryerson.ca>
Subject: Re: [SAGE] What do you do with your old PCs ?

On Feb 28, 2009, at 08:49, David Magda wrote:

> On Feb 28, 2009, at 08:23, Daniel Feenberg wrote:
>
>> I have the paper, it is completely convincing that the recovery of
>> meaningful data is impossible.
>
> What's the title? Is it available online anywhere?

Never mind, found it:

"Overwriting Hard Drive Data: The Great Wiping Controversy"
by Craig Wright, Dave Kleiman, and Shyaam Sundhar R.S.
Lecture Notes in Computer Science, Springer Berlin / Heidelberg
ISBN 978-3-540-89861-0 (p. 243-257)
DOI 10.1007/978-3-540-89862-7_21
Presented at ICISS 2008
http://portal.acm.org/citation.cfm?id=1496285

Doesn't seem to be freely available online.
From feenberg@nber.org Sat Feb 28 08:55:27 2009
Date: Sat, 28 Feb 2009 11:55:10 -0500 (EST)
From: Daniel Feenberg
To: David Magda
Cc: sage-members@sage.org
In-Reply-To: <942E5A58-F493-4A88-B040-6F3FFEF7BC03@ee.ryerson.ca>
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com> <49A92E92.8080605@realityfailure.org> <942E5A58-F493-4A88-B040-6F3FFEF7BC03@ee.ryerson.ca>
Subject: Re: [SAGE] What do you do with your old PCs ?

I can send a copy to anyone who emails me, but as far as I know it is not
posted.

Daniel Feenberg

On Sat, 28 Feb 2009, David Magda wrote:

> On Feb 28, 2009, at 08:23, Daniel Feenberg wrote:
>
>> I have the paper, it is completely convincing that the recovery of
>> meaningful data is impossible.
>
> What's the title? Is it available online anywhere?

Here is the bibliographic information that I extracted from the paper, as
it was sent to me by one of the authors:

===========
Overwriting Hard Drive Data: The Great Wiping Controversy

Craig Wright, Dave Kleiman and Shyaam Sundhar R.S

Abstract. Often we hear controversial opinions in digital forensics on the
required or desired number of passes to utilize for properly overwriting,
sometimes referred to as wiping or erasing, a modern hard drive. The
controversy has caused much misconception, with persons commonly quoting
that data can be recovered if it has only been overwritten once or twice.
Moreover, referencing that it actually takes up to ten, and even as many as
35 (referred to as the Gutmann scheme because of the 1996 Secure Deletion
of Data from Magnetic and Solid-State Memory published paper by Peter
Gutmann) passes to securely overwrite the previous data. One of the chief
controversies is that if a head positioning system is not exact enough, new
data written to a drive may not be written back to the precise location of
the original data. We demonstrate that the controversy surrounding this
topic is unfounded.
==============

I can send a copy to anyone who emails me, but as far as I know it is not
posted.
Daniel Feenberg

From lobo@mental.com Sat Feb 28 09:45:17 2009
Date: Sat, 28 Feb 2009 18:45:11 +0100
Message-ID: <11132.1235843111@mental.com>
From: Alexander Lobodzinski
Organization: mental images GmbH, Berlin, Germany
To: sage-members@sage.org
In-reply-to: Daniel Feenberg's message of Sat, 28 Feb 2009 11:55:10 EST
Subject: Re: [SAGE] What do you do with your old PCs ?

() I can send a copy to anyone who emails me, but as far as I know it is not
() posted.

The link I sent yesterday points to an (obviously freely accessible)
summary by Craig Wright himself. Enough meat for the occasional disk
disposing person IMHO, researchers will want to dig through the full paper.

Ciao,
Lobo

From dmagda@ee.ryerson.ca Sat Feb 28 09:59:26 2009
Date: Sat, 28 Feb 2009 12:33:56 -0500
From: David Magda
To: SAGE mailing list
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com> <49A92E92.8080605@realityfailure.org> <942E5A58-F493-4A88-B040-6F3FFEF7BC03@ee.ryerson.ca>
Subject: Re: [SAGE] What do you do with your old PCs ?

On Feb 28, 2009, at 11:55, Daniel Feenberg wrote:

> I can send a copy to anyone who emails me, but as far as I know it
> is not posted.
Craig Wright, one of the authors, has a weblog post summarizing the paper:

http://tinyurl.com/8ybyh2
http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/

From the conclusion:

    The other overwrite patterns actually produced results as low as 36.08%
    (+/- 0.24). [probability of recovery]. Being that the distribution is
    based on a binomial choice, the chance of guessing the prior value is
    50%. That is, if you toss a coin, you have a 50% chance of correctly
    choosing the value. In many instances, using a MFM to determine the
    prior value written to the hard drive was less successful than a simple
    coin toss.

    [...]

    Although there is a good chance of recovery for any individual bit from
    a drive, the chances of recovery of any amount of data from a drive
    using an electron microscope are negligible. Even speculating on the
    possible recovery of an old drive, there is no likelihood that any data
    would be recoverable from the drive. The forensic recovery of data using
    electron microscopy is infeasible. This was true both on old [non-ePRML]
    drives and has become more difficult over time.

    [...]

    The fallacy that data can be forensically recovered using an electron
    microscope or related means needs to be put to rest.
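The quoted conclusion makes a statistical point that is easy to miss: a per-bit recovery rate only matters once it is raised to the power of the number of bits you need intact. The Python below is an added worked example, not code from the paper or from anyone on the thread. The only figure taken from the thread is the 36.08% per-bit rate; the other rates in the table are assumed illustrative values, and the model (each bit recovered independently with the same probability) is the simple binomial view the quoted text refers to.

```python
"""Per-bit recovery rate versus whole-block recovery.

Added example, not code from the paper or from anyone on the thread. The
36.08% per-bit rate is the figure quoted from the paper's conclusion; the
other rates in recovery_table() are assumed illustrative values. Each bit is
modelled as recovered independently with probability p_bit (binomial model).
"""
import math

BYTE_BITS = 8
SECTOR_BITS = 512 * 8  # classic 512-byte sector


def log10_block_recovery(p_bit: float, n_bits: int) -> float:
    """log10 of P(all n_bits read back correctly) = n_bits * log10(p_bit).

    Computed in log space because p_bit ** 4096 underflows to 0.0 for any
    realistic p_bit, which would hide how small the number actually is.
    """
    if not 0.0 < p_bit <= 1.0:
        raise ValueError("p_bit must be in (0, 1]")
    return n_bits * math.log10(p_bit)


def block_recovery_probability(p_bit: float, n_bits: int) -> float:
    """P(all n_bits correct); may be 0.0 after floating-point underflow."""
    return 10.0 ** log10_block_recovery(p_bit, n_bits)


def p_bit_needed(target: float, n_bits: int) -> float:
    """Per-bit accuracy needed for a whole block to come back intact with
    probability `target`: solves p ** n_bits == target for p."""
    return target ** (1.0 / n_bits)


def expected_wrong_bits(p_bit: float, n_bits: int) -> float:
    """Mean number of bits read back wrongly in a block (binomial mean)."""
    return n_bits * (1.0 - p_bit)


def recovery_table(rates=(0.3608, 0.5, 0.9, 0.99)):
    """One row per per-bit rate:
    (rate, P(whole byte), log10 P(whole sector), expected wrong bits/sector)."""
    return [
        (p,
         block_recovery_probability(p, BYTE_BITS),
         log10_block_recovery(p, SECTOR_BITS),
         expected_wrong_bits(p, SECTOR_BITS))
        for p in rates
    ]


if __name__ == "__main__":
    print("per-bit  P(byte)     log10 P(sector)  wrong bits/sector")
    for p, p_byte, lg_sector, wrong in recovery_table():
        print(f"{p:7.4f}  {p_byte:10.6f}  {lg_sector:15.1f}  {wrong:17.1f}")
    needed = p_bit_needed(0.5, SECTOR_BITS)
    print(f"per-bit rate for a 50% chance at one intact sector: {needed:.5f}")
```

Two rows are worth reading off: at the quoted 36.08% the expected number of wrong bits in a 512-byte sector is over 2600, and even at an assumed 99% per bit the chance of one sector coming back intact is on the order of 10^-18. The last line of the demo shows the other direction: a coin-flip chance at a single intact sector already needs better than 99.98% per-bit accuracy.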
From rskiadmin@chycoski.com Sat Feb 28 12:41:32 2009
Message-ID: <49A9A122.1060705@chycoski.com>
Date: Sat, 28 Feb 2009 12:40:02 -0800
From: Richard Chycoski
To: Daniel Feenberg
Cc: sage-members@sage.org
References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

Daniel Feenberg wrote:
>
>
> On Fri, 27 Feb 2009, Richard Chycoski wrote:
>
>> It's interesting that no trials were done with drives that had
>> significant wear. One of the supposedly exploitable issues was with a
>> drive that had been written to, then left spinning for many years,
>> followed by a write.
>>
>> As the bearings wear, the placement of the tracks may not be in
>> precisely the same location as the originals, and the 'edges' of the
>> former tracks might be exposed.
>>
>> Has anyone done recent studies on this?
>>
>> The NSA still has disks stored in safes that they don't consider even
>> pulverisation to be sufficiently safe as a destructive technique.
>> However the NSA (and other, miscellaneous gov't TLAs) are:
>>
>
> Worried about the tech who doesn't know the difference between
>
> 0) rm -R /*
> 1) rm *
> 2) rm -R *
> 3) yes >/dev/ad3s1a
> 4) yes >/dev/ad3s1
> 5) yes >/dev/ad3
>
> and furthermore, even if they have confidence in the tech, how does
> the second lieutenant who is supposed to sign off on the job confirm
> that the work was done, unless he also knows the difference? They may
> also be worried about undeleted bad sectors. Drilling through the
> platter is sure-fire and easy to verify.
>
> There isn't any evidence that any written-over sector has ever been
> read. While Gutmann's paper has 37 references, none of the references
> claim to support Gutmann's thesis. None are even about reading erased
> sectors but are about the design of heads. I know - I went to the
> library and looked them up. Gutmann sees hints in the papers that
> erased sectors might be read, but these are hints at an untruth. See
> my posting "Can Intelligence Agencies Read Overwritten Data? A
> response to Gutmann":
>
> http://www.nber.org/sys-admin/overwritten-data-gutmann.html
>
> Since all subsequent work merely cites Gutmann, it cannot be
> considered additional support for this urban myth.
>
> Daniel Feenberg

But paranoia and conspiracy theories will keep enough people wondering -
does someone (especially some spook?) know something about this that
they're not telling us? This will continue to sell disk wiping programs,
and keep DOD/NIST disk wiping standards evolving and 'security experts'
employed. And who knows? Some spook may have found out how to do it! (I'm
just helping keep the paranoia alive. :-)

Another possible failure mode for disk erasure - improper operation of the
disk drive itself.
There is no easy way to ensure that every sector that you overwrote was
actually fully written. This is a good reason for multiple passes, since
the likelihood that the same sector will get missed multiple times is
small.

Another conspiracy-theory laden failure mode - what if some nefarious
entity has modified the firmware in the drive - during or after
manufacture - to make you *believe* that you've erased the disk when in
fact the data is intact?

These are a couple of the reasons that physical destruction of the media
makes sense for highly sensitive information.

Data also has relative lifetimes - some data is only valuable for
fractions of a second, other data might be valuable for centuries. Just
because we don't have the technology right now to extract 'erased' data,
that doesn't mean that someone won't discover the old data stored in some
sub-molecular-quantum-state (yes, I'm making this up as I go along!) and
extract it a hundred years from now.

For example - would the formula for Coca-Cola be more, or less valuable in
a hundred years?

Simply smashing the platters would not be enough to ensure complete
destruction - grinding the remains into very small particles is better
(which is why this was part of the DOD standards - I haven't looked at the
NIST equivalents), but this is why, in the end, some organisations just
never let go of their drives at all. They consider that keeping them in a
vault is the only way to keep them safe - I would have thought that
grinding them up and putting the *remains* in the vault would be safer,
though...

For magnetic tape and floppy disks it has sometimes been possible to
obtain old data due to the difference in head alignments.

Even sloppier technology - the first ATM cards available in Canada (and
therefore probably in the US too - where else would we Canadians get them?
:-) had a wider magstripe than modern cards, with the lower part of the
stripe actually containing several small tracks with very low data
density.

I had problems with my card, and after having it replaced twice after
using a particular ATM I used 'Magnasee' on it. This is a liquid
suspension of magnetic particles used by our mainframe techs to check head
alignment on tape drives. I could clearly see the data bits and misaligned
data tracks written by the ATM. When I went into the bank and explained
this, they were of course quite horrified. Not that their machine was out
of alignment (it was) but that I knew so much about their cards. They did
get the machine fixed, however! (Those old ATMs were not fully networked -
apparently those extra tracks could be manipulated to 'forget' your day's
transactions, letting you take out more than your daily limit...)

It's stories like these that have been 'transplanted' across technologies
- if we could do it on one magnetic device - they must all be vulnerable!
- that keep the paranoia going. I don't know if anyone ever actually
succeeded in extracting misaligned-track data on the older removable hard
disks (there were always stories, but I've never seen one accurately
confirmed). 'Winchester' technology hard drives (the current technology
with the platters permanently embedded in the drive) do provide fewer
opportunities for this kind of attack.

The 'remembering the old bit' as opposed to 'drive head misalignment'
argument has always sounded like an unlikely (but not zero probability)
possibility, much like the 'theories' behind homeopathy, where
'resonances' in the water 'remember' the toxin that has been diluted out
of existence. Err - sorry, homeopathy really *does* have a zero
probability. (OK, OK, I'm starting another flame war... Send flames to me,
not to the list, please!
:-) - Richard From kurt.buff@gmail.com Sat Feb 28 14:11:42 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n1SMBgM7093990 for ; Sat, 28 Feb 2009 14:11:42 -0800 (PST) (envelope-from kurt.buff@gmail.com) Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.171]) by usenix.org (8.13.6/8.13.6) with ESMTP id n1SMBdf5001890 for ; Sat, 28 Feb 2009 14:11:41 -0800 (PST) Received: by wf-out-1314.google.com with SMTP id 23so1761807wfg.26 for ; Sat, 28 Feb 2009 14:11:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=3yNOh/480/u+GIy/wLRsAeYS3TYvJmjxct+LBxZALd8=; b=xH4gRE5r+khCvdp25TazTJMkPDRiNFPZhno5cVjdm8Io53cxVifq+cR0wfJxcHMGQw dvYeIlTOg3ZbIPIj8Zn0Eh30mD4TFw/b5S4xaPRL+Jr4h4lwqbm7B20Uhk5C/e7t9cFS zYigd7Au+hX+5/fuPFhsjK3Of2EJelVO8C5aM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=FmtNc1ZGznSH2eyLK40iaxgz1AD6bDIZtuQWR63XcISkD0MhOpIh5CIvcchCJCsm9h JPtz++oFokhV0q+L4JIEGSvt0uBbch1uzZC1Hneyoc/pJdjofiRZCx6lRCz4Bo7tQlYm rzL7DL2eg99AdxfNivmT/Ig9hDY3FfYpI07k4= MIME-Version: 1.0 Received: by 10.142.240.9 with SMTP id n9mr2076672wfh.0.1235858771492; Sat, 28 Feb 2009 14:06:11 -0800 (PST) In-Reply-To: <49A9A122.1060705@chycoski.com> References: <27559.1235725578@mental.com> <49A828A0.5000104@chycoski.com> <49A9A122.1060705@chycoski.com> Date: Sat, 28 Feb 2009 14:06:11 -0800 Message-ID: From: Kurt Buff To: Richard Chycoski Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=11% Cc: SAGE mailing list Subject: Re: [SAGE] What do you do with your old PCs ? 
On Sat, Feb 28, 2009 at 12:40, Richard Chycoski wrote:
> Another conspiracy-theory laden failure mode - what if some nefarious entity
> has modified the firmware in the drive - during or after manufacture - to
> make you *believe* that you've erased the disk when in fact the data is
> intact?

Because writing 30GB of data to a 30GB drive, then reading it back, proves it. Otherwise, it's a disk that is magically larger than advertised, isn't it? This bit of paranoia is easily overcome, if you're in touch with reality. I know you are, and just playing, but still...

> These are a couple of the reasons that physical destruction of the media
> makes sense for highly sensitive information.
>
> Data also has relative lifetimes - some data is only valuable for fractions
> of a second, other data might be valuable for centuries. Just because we
> don't have the technology right now to extract 'erased' data, that doesn't
> mean that someone won't discover the old data stored in some
> sub-molecular-quantum-state (yes, I'm making this up as I go along!) and
> extract it a hundred years from now.
>
> For example - would the formula for Coca-Cola be more, or less valuable in a
> hundred years?

Far less valuable - by then we'll have our own gas chromatographs and other things that will make analysing that kind of thing very easy.

> Simply smashing the platters would not be enough to ensure complete
> destruction - grinding the remains into very small particles is better
> (which is why this was part of the DOD standards - I haven't looked at the
> NIST equivalents), but why, in the end, some organisations just never let go
> of their drives at all. They consider that keeping in a vault is the only
> way to keep them safe - I would have thought that grinding them up and
> putting the *remains* in the vault would be safer, though...

Heating to a few degrees above the Curie point of the magnetic media should be sufficient.

> For magnetic tape and floppy disks it has sometimes been possible to obtain
> old data due to the difference in head alignments.

But it's also even easier to deal with than disk, because the medium is so fragile. Grab one end, and feed through a shredder, or simply put it in the furnace.

> The 'remembering the old bit' as opposed to 'drive head
> misalignment' argument has always sounded like an unlikely (but not zero
> probability) possibility, much like the 'theories' behind homeopathy, where
> 'resonances' in the water 'remember' the toxin that has been diluted out of
> existence. Err - sorry, homeopathy really *does* have a zero probability.
> (OK, OK, I'm starting another flame war... Send flames to me, not to the
> list, please! :-)

Heh. Homeopathy. Another dive into the irrational.
Kurt

From rskiadmin@chycoski.com Sat Feb 28 16:12:22 2009
From: Richard Chycoski
To: Kurt Buff
Cc: SAGE mailing list
Date: Sat, 28 Feb 2009 16:12:11 -0800
Message-ID: <49A9D2DB.5090204@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

Kurt Buff wrote:
> On Sat, Feb 28, 2009 at 12:40, Richard Chycoski wrote:
>
>> Another conspiracy-theory laden failure mode - what if some nefarious entity
>> has modified the firmware in the drive - during or after manufacture - to
>> make you *believe* that you've erased the disk when in fact the data is
>> intact?
>
> Because writing 30GB of data to a 30GB drive, then reading it back,
> proves it. Otherwise, it's a disk that is magically larger than
> advertised, isn't it?
> This bit of paranoia is easily overcome, if
> you're in touch with reality. I know you are, and just playing, but
> still...

Yes, I'm playing. But I've worked with people who really do think this way.

To fan the flames: How many people check that the physical drive size is the accessible drive size? A two TB drive masquerading as a 1 TB drive (and even labeled with the part number of a 1 TB drive) has a perfect place to store a complete copy of the drive... However, how the drive figures out whether you're writing the desired data or just overwriting the data with junk is left as an exercise to the reader. And yes, many 'security scenarios' leave such considerations wide open because - you never can tell.

For just about any 'rational' scenario a 'competent conspiracy theorist' (yeah, oxymoron) can come up with a 'plausible' workaround. The story about the HP printer being used during the Gulf War to infect Iraqi computers certainly sounded plausible when it was broadcast by the mainstream media, and having written PostScript for HP printers I can even conceive how such a thing might be done. If the 'Dilberts' can believe that these kinds of things can happen, what about Dilberts' bosses? And who makes the rules?

>> These are a couple of the reasons that physical destruction of the media
>> makes sense for highly sensitive information.
>>
>> Data also has relative lifetimes - some data is only valuable for fractions
>> of a second, other data might be valuable for centuries. Just because we
>> don't have the technology right now to extract 'erased' data, that doesn't
>> mean that someone won't discover the old data stored in some
>> sub-molecular-quantum-state (yes, I'm making this up as I go along!) and
>> extract it a hundred years from now.
>>
>> For example - would the formula for Coca-Cola be more, or less valuable in a
>> hundred years?
>
> Far less valuable - by then we'll have our own gas chromatographs and
> other things that will make analysing that kind of thing very easy

If people just want the chemical makeup of the stuff, that can be done right now, and it isn't all that expensive to do.

It's not the same as having 'the' formula. You're selling the mystique.

And if the formula for Coca-Cola doesn't interest you, how about the 'eleven herbs and spices' at KFC? Uh, on second thought, I'd probably rather not know...

>> Simply smashing the platters would not be enough to ensure complete
>> destruction - grinding the remains into very small particles is better
>> (which is why this was part of the DOD standards - I haven't looked at the
>> NIST equivalents), but why, in the end, some organisations just never let go
>> of their drives at all. They consider that keeping in a vault is the only
>> way to keep them safe - I would have thought that grinding them up and
>> putting the *remains* in the vault would be safer, though...
>
> Heating to a few degrees above the Curie point of the magnetic media
> should be sufficient.

If you follow that by grinding them to bits and spreading them to the winds at 100 different locations on the earth - the spooks still won't be satisfied.

This kind of security is not about rationality and science - it's about fear mongering and voodoo.

>> For magnetic tape and floppy disks it has sometimes been possible to obtain
>> old data due to the difference in head alignments.
>
> But it's also even easier to deal with than disk, because the medium
> is so fragile. Grab one end, and feed through a shredder, or simply
> put it in the furnace.

Yes, destroying tape and floppies is easy. Anyone who's had to read a ten-year-old tape off knows that time, all by itself, is a pretty good security measure!

>> The 'remembering the old bit' as opposed to 'drive head
>> misalignment' argument has always sounded like an unlikely (but not zero
>> probability) possibility, much like the 'theories' behind homeopathy, where
>> 'resonances' in the water 'remember' the toxin that has been diluted out of
>> existence. Err - sorry, homeopathy really *does* have a zero probability.
>> (OK, OK, I'm starting another flame war... Send flames to me, not to the
>> list, please! :-)
>
> Heh. Homeopathy. Another dive into the irrational.
>
> Kurt

"I am a rational human being." - Another oxymoron!

Working in Information security is often a thankless job. To make up for the boredom and frustration, creating bogeymen to shoot at is a commonplace activity.

I've worked in security groups myself. Beating one's head against the wall explaining that the very expensive lock with the ultra-inconvenient keys that is going to take years to install on the front door of the building with the "Welcome, enter here!" sign on the swinging side door gets old after a while. It's much more entertaining to come up with conspiracy theories and feed them to the SAGE list.
:-)

- Richard

From servant74a@gmail.com Sat Feb 28 16:57:05 2009
From: Jack Coats
Cc: SAGE mailing list
Date: Sat, 28 Feb 2009 18:57:01 -0600
Message-ID: <48555fa40902281657i2a413afdub7c1138b6017cbb7@mail.gmail.com>
In-Reply-To: <49A9D2DB.5090204@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

We all know it is a conspiracy of the bald guy in the corner office and the Dogbert consultants ;)

From kurt.buff@gmail.com Sat Feb 28 17:51:52 2009
From: Kurt Buff
To: Richard Chycoski
Cc: SAGE mailing list
Date: Sat, 28 Feb 2009 17:20:09 -0800
In-Reply-To: <49A9D2DB.5090204@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

On Sat, Feb 28, 2009 at 16:12, Richard Chycoski wrote:
> Kurt Buff wrote:
>> On Sat, Feb 28, 2009 at 12:40, Richard Chycoski wrote:
>>
>>> Another conspiracy-theory laden failure mode - what if some nefarious
>>> entity
>>> has modified the firmware in the drive - during or after manufacture - to
>>> make you *believe* that you've erased the disk when in fact the data is
>>> intact?
>>
>> Because writing 30GB of data to a 30GB drive, then reading it back,
>> proves it. Otherwise, it's a disk that is magically larger than
>> advertised, isn't it? This bit of paranoia is easily overcome, if
>> you're in touch with reality. I know you are, and just playing, but
>> still...
>
> Yes, I'm playing. But I've worked with people who really do think this way.
>
> To fan the flames: How many people check that the physical drive size is the
> accessible drive size? A two TB drive masquerading as a 1 TB drive (and is
> even labeled with the part number of a 1 TB drive) has a perfect place to store
> a complete copy of the drive... However, how the drive figures out whether
> you're writing the desired data or just overwriting the data with junk is
> left as an exercise to the reader. And yes, many 'security scenarios' leave
> such considerations wide open because - you never can tell.

And, if true, the same applies - write to it, read it back - the extra TB is now useless, eh? Heh. Unless you believe in little homunculi that live in the drives and decide what is worth keeping. :)

>> Heh. Homeopathy. Another dive into the irrational.
>
> "I am a rational human being." - Another oxymoron!

Not an oxymoron, just an incomplete description in the strictest sense - the Philosopher wasn't wrong when he called man the Rational Animal - it is our defining characteristic. While we might not be completely rational at all points, it's still better to strive towards the rational end of the scale than to encourage the irrational, methinks.
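Kurt's "write the whole drive, then read it all back" test and Richard's question about whether the accessible size matches the labelled size can both be turned into one repeatable check. The script below is an added example, not code from this thread or from any of the posters; it assumes you supply a block device or image file path and the capacity printed on the label, and it uses a keyed SHAKE-256 stream as the overwrite pattern so that a drive has no way to tell "desired data" from "junk" (Richard's exercise for the reader). The `demo()` function runs the whole procedure on a constructed image file, then deliberately leaves one chunk un-overwritten to show that the read-back reports it.

```python
"""Overwrite-and-verify for a drive (or image file) before it leaves your hands.

Two checks from the thread in one script:
  1. Does the capacity the OS lets us address match what the label says?
  2. After overwriting every addressable byte with a keyed random stream,
     does a full read-back return exactly that stream?
The stream is keyed, so the drive cannot distinguish "real" data from "junk".
"""
import hashlib
import os
import secrets
import tempfile
from typing import List, Optional

CHUNK = 1 << 20  # 1 MiB per I/O; the pattern is derived per chunk offset


def pattern(key: bytes, offset: int, length: int) -> bytes:
    """Keyed pseudorandom bytes for the range [offset, offset + length).

    SHAKE-256(key || offset) expanded to `length` bytes: reproducible from the
    key alone, different at every position, unpredictable without the key.
    """
    return hashlib.shake_256(key + offset.to_bytes(8, "big")).digest(length)


def accessible_size(path: str) -> int:
    """Bytes the OS lets us address on a block device or image file."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        return f.tell()


def overwrite(path: str, key: bytes, chunk: int = CHUNK) -> int:
    """Write the keyed stream across every addressable byte; return bytes written."""
    size = accessible_size(path)
    with open(path, "r+b") as f:
        for off in range(0, size, chunk):
            f.write(pattern(key, off, min(chunk, size - off)))
        f.flush()
        os.fsync(f.fileno())
        if hasattr(os, "posix_fadvise"):
            # Linux: drop cached pages so the verify pass reads the medium, not RAM
            os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
    return size


def verify(path: str, key: bytes, chunk: int = CHUNK) -> List[int]:
    """Read everything back; return offsets of chunks that differ from the stream."""
    size = accessible_size(path)
    bad = []
    with open(path, "rb") as f:
        for off in range(0, size, chunk):
            n = min(chunk, size - off)
            if f.read(n) != pattern(key, off, n):
                bad.append(off)
    return bad


def sanitize_and_verify(path: str, labeled_bytes: Optional[int] = None,
                        chunk: int = CHUNK) -> dict:
    """Capacity check, overwrite with a fresh random key, full read-back."""
    key = secrets.token_bytes(32)          # fresh per run; never stored anywhere
    size = accessible_size(path)
    written = overwrite(path, key, chunk)
    mismatches = verify(path, key, chunk)
    return {
        "accessible_bytes": size,
        "matches_label": None if labeled_bytes is None else size == labeled_bytes,
        "bytes_written": written,
        "mismatched_chunks": mismatches,
        "verified": written == size and not mismatches,
    }


def demo(chunk: int = 4096) -> dict:
    """Run the procedure on a constructed image file standing in for a drive."""
    secret = b"ACCOUNT-NUMBER-1234567890 " * 4000     # constructed sample data
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    try:
        result = sanitize_and_verify(path, labeled_bytes=len(secret), chunk=chunk)
        with open(path, "rb") as f:
            result["secret_gone"] = b"ACCOUNT-NUMBER" not in f.read()
        # Show that the read-back catches a chunk that did not take the overwrite:
        key = b"\x01" * 32                 # fixed key so the expected stream is known
        overwrite(path, key, chunk)
        with open(path, "r+b") as f:
            f.seek(chunk + 17)
            old = f.read(1)
            f.seek(chunk + 17)
            f.write(bytes([old[0] ^ 0xFF]))   # flip one byte inside the second chunk
        result["tampered_chunks"] = verify(path, key, chunk)
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

On a real drive, run `sanitize_and_verify("/dev/sdX", labeled_bytes)` as root with the device node and label capacity filled in (both placeholders here). On ATA drives also compare the result against what `hdparm -N` (host protected area) and `hdparm --dco-identify` (device configuration overlay) report, since capacity hidden by those features is not visible through the block device at all. The read-back proves only what the drive chooses to return, which is precisely the gap in Richard's firmware scenario and why the thread ends up at physical destruction for the most sensitive data; this check is the cheap, repeatable layer that catches the ordinary failures: an overwrite that stopped early, a region the tool skipped, or a drive that is not the size its label claims.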
Kurt

From rackow@anl.gov Sat Feb 28 21:59:35 2009
From: rackow@mcs.anl.gov
To: Richard Chycoski
Cc: rackow@anl.gov, SAGE mailing list
Date: Sat, 28 Feb 2009 23:31:57 -0600
Message-Id: <20090301053157.759E6FA812F@lutze.cis.anl.gov>
In-reply-to: Your message of "Sat, 28 Feb 2009 16:12:11 PST." <49A9D2DB.5090204@chycoski.com>
Subject: Re: [SAGE] What do you do with your old PCs ?

Even though my addr ends in .gov, I don't have any personal or professional experience in this uberparanoid world. I have heard the random stories though.

> If you follow that by grinding them to bits and spreading them to the
> winds at 100 different locations on the earth - the spooks still won't
> be satisfied.
You may be mixing reasons on things here. As long as the disk exists, it can be tracked. If you tell me it's gone into the shredder/melter, what proof do you have it really went there? It's not that they don't believe the data is gone forever, they just can't prove that the disk is really gone. The chances of slipping up on paperwork are higher when attempting to prove that something is gone. If it still exists, you can find it on the shelf.

From philiph@pobox.com Sat Feb 28 22:32:44 2009
From: "Philip J. Hollenback"
To: SAGE Members
Date: Sat, 28 Feb 2009 22:32:35 -0800
Message-Id: <4F138E94-4964-4EFA-AAEA-7662EC84E2B6@pobox.com>
Subject: [SAGE] Dealing with UPS/AC fire alarm connection malfunctions

I'm struggling with a server room issue and I wonder if anyone has any insight. This room is in a Manhattan high-rise office and has a UPS and a large AC unit. The fire code requires that both the UPS and AC be connected to the fire alarm system and automatically shut down when the fire alarm is triggered.

The motivation here makes sense: you don't want the AC blowing smoke around in a fire, and you don't want the UPS to be energized if you are spraying water on it or otherwise fighting a fire. The problem is that this system has malfunctioned catastrophically twice in the past two years. The first time the AC unit was shut down by the fire alarm connection (although no alarm actually occurred). We were unable to restart the unit until we physically disconnected it from the wire that goes to the fire alarm. After this incident we reconnected the fire alarm to the AC and it has operated normally for about a year with no further failures.

The second failure occurred today and was much worse because this time the UPS fire alarm connection was triggered. This is the same as hitting the EPO button on the UPS - immediate power disconnect to the whole room. This is a 50 kVA UPS with a lot of systems connected to it.
After the AC fire alarm failure we had the fire alarm company and an electrician inspect the system and no one could determine why the false trigger occurred. We will be getting the various technicians to inspect the system this next week but I am not hopeful that they will come up with an answer as to why this occurred.

So, I am curious what others do to deal with this. Does everyone just secretly disconnect the fire alarm circuit and not tell? I don't want to violate fire codes and I understand why these disconnects are necessary. Anyone have any ideas? I'm not looking forward to another complete server room shutdown on some random Saturday.

Thanks!
P.

--
Philip J. Hollenback
philiph@pobox.com

From servant74a@gmail.com Sun Mar 1 09:57:35 2009
From: Jack Coats
To: rackow@mcs.anl.gov
Cc: rackow@anl.gov, SAGE mailing list
Date: Sun, 1 Mar 2009 11:52:12 -0600
Message-ID: <48555fa40903010952gfc8bd6cvc9639fb4638dd@mail.gmail.com>
In-Reply-To: <20090301053157.759E6FA812F@lutze.cis.anl.gov>
Subject: Re: [SAGE] What do you do with your old PCs ?

And so goes the famous saying: Just because you are paranoid doesn't mean THEY are not out to get you!

For most folks in the real world, security is a relative thing, and we must all make that decision where that is. It is also different for different aspects of our lives. Organizations have the same choices as to how paranoid to be.

As a taxpayer, I can't and don't want to tell my hired spooks, government, military, etc. how paranoid they need to be, but I trust them to be paranoid enough to cover my and their tails. I expect my bank and broker to be more secure than I am using my credit cards. I don't expect the same level of security on the money I donate in the pot where folks are ringing bells for Christmas donations, but as a donator I do expect some level of security there too.
It boils down to: be reasonable about what you do and the situation you are in. Being a little extra careful can pay off. Being overly careful can be a waste of resources. What's the right answer? ... I don't think there is just one.

From doug@will.to Tue Mar 3 18:47:13 2009
From: Doug Hughes
To: "Philip J. Hollenback"
Cc: SAGE Members
Date: Tue, 03 Mar 2009 21:47:03 -0500
Message-ID: <49ADEBA7.6010108@will.to>
In-Reply-To: <4F138E94-4964-4EFA-AAEA-7662EC84E2B6@pobox.com>
Subject: Re: [SAGE] Dealing with UPS/AC fire alarm connection malfunctions

Hi Philip.
This is indeed a difficult problem with no easy answers. You don't want to break code and invalidate your insurance or cause other legal liabilities, nor do you want random shutdowns. There should definitely be an event log of some sort detailing exactly what was triggered and when, or it may be possible you have a very inconspicuous electrical short in your system that is triggered only very sporadically under certain conditions. We had something similar to this that was causing an air handler to shut down and was eventually tracked back to a wire going through a punch out on a junction box that was occassionally rubbing and causing a short which caused a relay to trip. (not as extreme as your situation) I believe we are in the same office building. I suspect either your local panel is causing you issues or there really is a slight problem in one of the cables that can only be found by tracing the entire length with exhaustive detail It may be that you just don't have the write set of skills for the people doing your investigations. You can check and see if replacing the local panel is an option, relay, or signal wire is an option. 
From: Jason Antman <jason@jasonantman.com>
To: sage-members@sage.org
Date: Thu, 05 Mar 2009 00:18:09 -0500
Subject: Re: [SAGE] What do you do with your old PCs ?

Here at $UNIVERSITY, granted an atypical situation, our Materials Services department runs an on-campus surplus store that sells desktops and the like to the public after wiping the disks. Server-grade stuff gets sent to an "asset recovery" company.

I would suggest against paying for "disposal" - when I was looking for a personal web server, I thought of calling the asset recovery company we use. Believe it or not, I was transferred to SALES and given a quote of $450 for a box of identical spec to one we'd paid them to take away about a month prior (and selling on eBay for about $150).

As to DBAN, if you want to automate it even more, it's possible to set DBAN up on an isolated test net using Cobbler to automatically PXE boot each machine and wipe the disks. Unfortunately this doesn't provide for any sort of "feedback" in the form of confirmation reports, but that could be done by building a new live Linux image which runs DBAN, captures the output, and sends it somewhere (DBAN at its heart is just a single executable). I have some information on using Cobbler (a Fedora install server that automates the PXE environment) and DBAN in a blog post: http://blog.jasonantman.com/2009/02/how-to-wipe-a-bunch-of-machines-quickly/

-Jason

Todd Williams wrote:
> As I roll out the new Dell Optiplex760 Core2 Duos to the desktops (some each quarter), I find the pile of "spare" desktops growing.
> My current "spares" in question are 2.4GHz P4's (HP dc5000s), with 512MB memory. Not exciting, but hey, they work ok if your demands are light.
> At some point, of course, I'll be totally off of these older boxes.
>
> What would you do with them?
>
> The obvious choices involve giving/selling/auctioning to employees or donating to charities.
>
> But I've been to those places before, and I've seen it all, including:
> - Parts on similar machines that are still in use start disappearing (memory, disk, special cables, whatever)
> - Recipients of free machines who expect support from the help desk
> - Highly paid employees fighting to be first in line for a chance to take home a junk machine
> - In an auction or giveaway intended to fairly distribute things to those who have a use or need, one employee manages to amass a large quantity of items, which he then sells for personal gain
> - Employees (sometimes even executives) fight over whose favorite charity should be the recipient of the donation
>
> I'm just wondering if any of you have a more hassle-free method that you use.
>
> -Todd Williams
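The "feedback" piece Jason describes as missing from a bare DBAN-over-PXE setup, as an added example that is not from his post, his blog, DBAN or Cobbler: a wipe-and-verify routine that overwrites a target, reads it back to confirm every byte is zero, and emits a JSON confirmation record a live image could ship off-box. It runs against a constructed image file standing in for a disk; the `WipeAndVerify` name and the report fields are this example's own, and a real block device would need its size from an ioctl rather than `Stat`.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"time"
)

// WipeReport is the confirmation record (this example's own layout, not a DBAN
// format): what was wiped, how many passes, and whether read-back verification passed.
type WipeReport struct {
	Target      string `json:"target"`
	Bytes       int64  `json:"bytes"`
	Passes      int    `json:"passes"`
	Verified    bool   `json:"verified"`
	FinalSHA256 string `json:"final_sha256"`
	FinishedAt  string `json:"finished_at"`
}

const chunk = 64 * 1024 // write/read buffer size

// overwrite fills the first size bytes of f, calling fill to produce each chunk.
func overwrite(f *os.File, size int64, fill func([]byte)) error {
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return err
	}
	buf := make([]byte, chunk)
	for left := size; left > 0; left -= int64(len(buf)) {
		if left < int64(len(buf)) {
			buf = buf[:left] // last partial chunk
		}
		fill(buf)
		if _, err := f.Write(buf); err != nil {
			return err
		}
	}
	return f.Sync()
}

// verifyZeroed reads the target back, checks that every byte is zero, and returns
// the SHA-256 of what was read so the report carries an independently checkable digest.
func verifyZeroed(f *os.File, size int64) (bool, string, error) {
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return false, "", err
	}
	h := sha256.New()
	buf, zeros := make([]byte, chunk), make([]byte, chunk)
	clean, seen := true, int64(0)
	for seen < size {
		n, err := f.Read(buf)
		if n > 0 {
			h.Write(buf[:n])
			if !bytes.Equal(buf[:n], zeros[:n]) {
				clean = false
			}
			seen += int64(n)
		}
		if err == io.EOF {
			break
		}
		if err != nil {
			return false, "", err
		}
	}
	return clean && seen == size, hex.EncodeToString(h.Sum(nil)), nil
}

// WipeAndVerify runs passes-1 random passes, then a final zero pass, then verifies.
func WipeAndVerify(target string, passes int) (WipeReport, error) {
	rep := WipeReport{Target: target, Passes: passes}
	if passes < 1 {
		return rep, errors.New("need at least one pass")
	}
	f, err := os.OpenFile(target, os.O_RDWR, 0)
	if err != nil {
		return rep, err
	}
	defer f.Close()
	st, err := f.Stat()
	if err != nil {
		return rep, err
	}
	rep.Bytes = st.Size()
	random := func(b []byte) { rand.Read(b) }
	zero := func(b []byte) {
		for i := range b {
			b[i] = 0
		}
	}
	for i := 1; i < passes; i++ {
		if err := overwrite(f, rep.Bytes, random); err != nil {
			return rep, err
		}
	}
	if err := overwrite(f, rep.Bytes, zero); err != nil {
		return rep, err
	}
	rep.Verified, rep.FinalSHA256, err = verifyZeroed(f, rep.Bytes)
	rep.FinishedAt = time.Now().UTC().Format(time.RFC3339)
	return rep, err
}

func main() {
	// Constructed stand-in for a disk: a 200 KiB file of 0xA5 bytes.
	f, err := os.CreateTemp("", "fake-disk-*.img")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Write(bytes.Repeat([]byte{0xA5}, 200*1024))
	f.Close()
	rep, err := WipeAndVerify(f.Name(), 2)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(rep, "", "  ")
	fmt.Println(string(out)) // the record a live image would send off-box
}
```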
From: Doug Hanks <dhanks@gmail.com>
To: Sage Members
Date: Fri, 6 Mar 2009 13:00:37 -0800
Subject: [SAGE] AIX NFS v4 and disk/file system encryption

Hi all,

I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:

* The data must be transmitted securely - with authentication and line-level encryption
* The data at rest, living on the file system or disk, must be encrypted

The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.

Any ideas?
--
- Doug Hanks = dhanks(at)gmail(dot)com

From: Olivier Tharan <olivier@tharan.org>
To: Doug Hanks
Cc: Sage Members
Date: Fri, 6 Mar 2009 22:36:08 +0100
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

On Fri, Mar 6, 2009 at 10:00 PM, Doug Hanks wrote:
> I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:
>
> * The data must be transmitted securely - with authentication and line-level encryption
> * The data at rest, living on the file system or disk, must be encrypted
>
> The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.

On a modern OS, something like FUSE might work; there is already an ssh-based FUSE filesystem available, and if your data is encrypted on the disk, it might be possible to develop a FUSE layer to decrypt the data on the fly. I do not know if FUSE works at all on AIX, though.

--
olive

From: Doug Hughes <doug@will.to>
To: Doug Hanks
Cc: Sage Members
Date: Fri, 06 Mar 2009 16:41:36 -0500
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

Doug Hanks wrote:
> Hi all,
>
> I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:
>
> * The data must be transmitted securely - with authentication and line-level encryption
> * The data at rest, living on the file system or disk, must be encrypted
>
> The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.
>
> Any ideas?

I don't suppose using a different OS is an option? (several options come to mind)

From: Travis <hcoyote@ghostar.org>
To: Doug Hanks
Cc: Sage Members
Date: Fri, 6 Mar 2009 18:44:29 -0600
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

On Fri, Mar 6, 2009 at 3:00 PM, Doug Hanks wrote:
> Hi all,
>
> I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind.
> But I also have two additional requirements:
>
> * The data must be transmitted securely - with authentication and line-level encryption
> * The data at rest, living on the file system or disk, must be encrypted
>
> The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.
>
> Any ideas?

Datafort appliance from Netapp (formerly Decru)?

Travis

--
Travis Campbell
hcoyote@ghostar.org

From: Doug Hanks <dhanks@gmail.com>
To: Travis
Cc: Sage Members
Date: Fri, 6 Mar 2009 18:26:14 -0800
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

I agree with DataFort - but too expensive. Looking for a software/free solution.

On Fri, Mar 6, 2009 at 4:44 PM, Travis wrote:
> On Fri, Mar 6, 2009 at 3:00 PM, Doug Hanks wrote:
> > Hi all,
> >
> > I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:
> >
> > * The data must be transmitted securely - with authentication and line-level encryption
> > * The data at rest, living on the file system or disk, must be encrypted
> >
> > The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.
> >
> > Any ideas?
>
> Datafort appliance from Netapp (formerly Decru)?
>
> Travis
> --
> Travis Campbell
> hcoyote@ghostar.org

--
- Doug Hanks = dhanks(at)gmail(dot)com

From: David Bronder <dbronder@fire.its.uiowa.edu>
Organization: ITS-SPA, University of Iowa
To: Doug Hanks
Cc: Sage Members
Date: Fri, 6 Mar 2009 20:49:31 -0600 (CST)
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

You don't say what physical disk subsystem you're using. If it's EMC storage, they support encryption in the latest AIX version of PowerPath. Not free, obviously, but if you're already paying for their storage...

Is it viable to add encryption of the data to the application itself, so it wouldn't matter what storage system or transport is involved? (Doesn't solve the authentication part, but you could still use NFSv4 for that.)

Doug Hanks wrote:
>
> I agree with DataFort - but too expensive. Looking for a software/free solution.
>
> On Fri, Mar 6, 2009 at 4:44 PM, Travis wrote:
>
> > On Fri, Mar 6, 2009 at 3:00 PM, Doug Hanks wrote:
> > > Hi all,
> > >
> > > I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:
> > >
> > > * The data must be transmitted securely - with authentication and line-level encryption
> > > * The data at rest, living on the file system or disk, must be encrypted
> > >
> > > The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.
> > >
> > > Any ideas?
> >
> > Datafort appliance from Netapp (formerly Decru)?

--
Hello World.                                 David Bronder - Systems Admin
Segmentation Fault                                 ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.
david-bronder@uiowa.edu

From: Doug Hanks <dhanks@gmail.com>
To: David Bronder
Cc: Sage Members
Date: Fri, 6 Mar 2009 20:08:55 -0800
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

Physical disk is direct attached DS4800.

On Fri, Mar 6, 2009 at 6:49 PM, David Bronder wrote:
> You don't say what physical disk subsystem you're using. If it's EMC storage, they support encryption in the latest AIX version of PowerPath. Not free, obviously, but if you're already paying for their storage...
>
> Is it viable to add encryption of the data to the application itself, so it wouldn't matter what storage system or transport is involved? (Doesn't solve the authentication part, but you could still use NFSv4 for that.)
>
> Doug Hanks wrote:
> >
> > I agree with DataFort - but too expensive. Looking for a software/free solution.
> >
> > On Fri, Mar 6, 2009 at 4:44 PM, Travis wrote:
> >
> > > On Fri, Mar 6, 2009 at 3:00 PM, Doug Hanks wrote:
> > > > Hi all,
> > > >
> > > > I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:
> > > >
> > > > * The data must be transmitted securely - with authentication and line-level encryption
> > > > * The data at rest, living on the file system or disk, must be encrypted
> > > >
> > > > The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.
> > > >
> > > > Any ideas?
> > >
> > > Datafort appliance from Netapp (formerly Decru)?
>
> --
> Hello World.                                 David Bronder - Systems Admin
> Segmentation Fault                                 ITS-SPA, Univ. of Iowa
> Core dumped, disk trashed, quota filled, soda warm.
> david-bronder@uiowa.edu

--
- Doug Hanks = dhanks(at)gmail(dot)com

From: Nick Silkey <silkey@ece.utexas.edu>
To: Travis
Cc: Sage Members
Date: Fri, 06 Mar 2009 23:11:31 -0500
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

Travis wrote:
>> * The data must be transmitted securely - with authentication and line-level encryption
>> * The data at rest, living on the file system or disk, must be encrypted
> Datafort appliance from Netapp (formerly Decru)?

Dataforts are great for data-at-rest. But once you get beyond the cryptographic looking-glass of the Decru, namely where the export terminates at the NFS client, game over. It's a shame in that specific endpoint that would likely be what is rooted and leading to dataset compromise.

We eyed Dataforts/Decrus as a means to protect PCI data within an enterprise document management stack. While you do get to check off that the data is encrypted at rest, the above is a more likely scenario which would land you in the papers. :/

--
Nick Silkey
From: Richard Chycoski <rskiadmin@chycoski.com>
To: Travis
Cc: Sage Members
Date: Fri, 06 Mar 2009 20:29:54 -0800
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

We looked at Datafort - it encrypts the data on the NetApp, but decrypts it as soon as it leaves the NetApp (when it goes through the nearby Datafort appliance), and transports it in the clear beyond. They don't have an end-to-end encryption solution.

The throughput also wasn't great.

- Richard

Travis wrote:
> On Fri, Mar 6, 2009 at 3:00 PM, Doug Hanks wrote:
>> Hi all,
>>
>> I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind. But I also have two additional requirements:
>>
>> * The data must be transmitted securely - with authentication and line-level encryption
>> * The data at rest, living on the file system or disk, must be encrypted
>>
>> The OS we're using is AIX. I know that NFS v4 uses 3des for encryption and has secure authentication. Also AIX has the Encrypted File System (EFS), but unfortunately you can't NFS export an EFS file system.
>>
>> Any ideas?
>
> Datafort appliance from Netapp (formerly Decru)?
>
> Travis

From: Daniel Feenberg <feenberg@nber.org>
To: Richard Chycoski
Cc: Sage Members
Date: Sat, 7 Mar 2009 06:59:12 -0500 (EST)
Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption

On Fri, 6 Mar 2009, Richard Chycoski wrote:
> We looked at Datafort - it encrypts the data on the NetApp, but decrypts it as soon as it leaves the NetApp (when it goes through the nearby Datafort appliance), and transports it in the clear beyond. They don't have an end-to-end encryption solution.

Isn't that going to be true of just about any combination of cryptographic filesystem and a separate cryptographic transport? That is, the data is going to be available on the file store both encrypted and plain text, because the transport is going to need to re-encrypt from plain text, so the filesystem encryption is sort of window dressing.

Put another way, encrypted files are useful when the system is turned off, so they are nice for laptops and thumb drives which are likely to be turned off when stolen, but not very useful for servers, since the plaintext will likely be available (at least to root on the server) at all times anyway. There may be some advantage to protecting the data from unauthorized users on the server, but only to the extent that the cryptographic key is more secure than the file permissions system, which is possible but not dependable.

Now if NFS v4 had an option to store the data in the same encrypted format as was used for transport, that would achieve your objective (and save some computation time), but I haven't heard of that capability.

Daniel Feenberg

> The throughput also wasn't great.
>
> - Richard
>
> Travis wrote:
>> On Fri, Mar 6, 2009 at 3:00 PM, Doug Hanks wrote:
>>> Hi all,
>>>
>>> I have a requirement that requires a shared file system across different hosts. Obviously NFS comes to mind.
But I also have two additional >>> requirements: >>> >>> * The data must be transmitted securely - with authentication and >>> line-level >>> encryption >>> * The data at rest, living on the file system or disk, must be encrypted >>> >>> The OS we're using is AIX. I know that NFS v4 uses 3des for encryption >>> and >>> has secure authentication. Also AIX has the Encrypted File System (EFS), >>> but unfortunately you can't NFS export an EFS file system. >>> >>> Any ideas? >> >> >> Datafort appliance from Netapp (formerly Decru)? >> >> Travis > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > From dmagda@ee.ryerson.ca Sat Mar 7 09:10:36 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n27HAaFu015619 for ; Sat, 7 Mar 2009 09:10:36 -0800 (PST) (envelope-from dmagda@ee.ryerson.ca) Received: from toq7-srv.bellnexxia.net (wynq.bellnexxia.net [209.226.175.203]) by usenix.org (8.13.6/8.13.6) with ESMTP id n27HAWsX029987 for ; Sat, 7 Mar 2009 09:10:35 -0800 (PST) Received: from toip5.srvr.bell.ca ([209.226.175.88]) by tomts10-srv.bellnexxia.net (InterMail vM.5.01.06.13 201-253-122-130-113-20050324) with ESMTP id <20090307160218.GAXX1703.tomts10-srv.bellnexxia.net@toip5.srvr.bell.ca> for ; Sat, 7 Mar 2009 11:02:18 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ao8BAHMnsklMQR+s/2dsb2JhbAAI03aEBQY Received: from bas1-toronto09-1279336364.dsl.bell.ca (HELO [192.168.1.103]) ([76.65.31.172]) by toip5.srvr.bell.ca with ESMTP; 07 Mar 2009 11:10:44 -0500 Message-Id: <81A11B4C-4020-49DC-A79F-D35943A9EFEB@ee.ryerson.ca> From: David Magda To: Daniel Feenberg In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Sat, 7 Mar 2009 11:02:17 -0500 References: 
<82a71f8a0903061300t7ce3ad9ex3cf22490149b914c@mail.gmail.com> <3bdbc7110903061644u2b2aa461t408a63c355bf6c17@mail.gmail.com> <49B1F842.7010601@chycoski.com> X-Mailer: Apple Mail (2.930.3) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: Sage Members Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Mar 2009 17:10:37 -0000 On Mar 7, 2009, at 06:59, Daniel Feenberg wrote: > Isn't that going to be true of just about any combination of > cryptographic filesystem and a separate cryptographic transport? > That is, the data is going to be available on the file store both > encrypted and plain text, becuase the transport is going to need to > rencrypt from plain text, so the filesystem encryption is sort of > window dressing. Does AIX support loop-backed mounts? If it does, would the following set up work On your NFS server, have /data, and in it create a file (say "topsecret.img"). Export /data to the client, so it can then access the above file. On the NFS client loop-mount the file so that it looks like a drive, and then create an EFS file system on it. All writes are encrypted, and the data should be safe-at-rest. (This assumes that your NFS server does not need to access the data as well.) 
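The two designs argued over in Feenberg's and Magda's messages above can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread, from AIX, EFS, NFS or the Datafort; the class and function names are its own. It uses a teaching cipher built from the standard library (an HMAC-SHA256 keystream in counter mode plus a per-block HMAC tag) so it runs without extra packages; a real loop-mounted encrypted image would use a proper disk cipher. It then checks, for each design, whether plaintext is ever present in the exported image or obtainable from the server's side of the export.

```python
"""Server-side vs client-side encryption of an NFS-exported image (added example).

Feenberg's point: a server-side encrypting filesystem (or an inline appliance)
must decrypt before data reaches the transport, so plaintext exists on the server.
Magda's idea: put the key on the client and encrypt the loop-mounted image there,
so the server only ever stores and serves ciphertext.
Teaching cipher only: it reuses the keystream when a block is rewritten, which
real disk ciphers (XTS, per-write IVs) avoid.
"""
import hashlib
import hmac
import os

BLOCK_SIZE = 512   # bytes per logical block (assumption)
TAG_SIZE = 32      # HMAC-SHA256 tag appended to every stored block


def derive_keys(master_key):
    """Split one master key into independent encryption and MAC keys."""
    return (hashlib.sha256(b"enc|" + master_key).digest(),
            hashlib.sha256(b"mac|" + master_key).digest())


def _keystream(enc_key, block_no, length):
    """Counter-mode keystream bound to the block number."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        msg = block_no.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_block(enc_key, mac_key, block_no, plaintext):
    if len(plaintext) > BLOCK_SIZE:
        raise ValueError("plaintext exceeds block size")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, block_no, len(plaintext))))
    tag = hmac.new(mac_key, block_no.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_block(enc_key, mac_key, block_no, stored):
    ct, tag = stored[:-TAG_SIZE], stored[-TAG_SIZE:]
    expected = hmac.new(mac_key, block_no.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # tampering on the server or a wrong key
        raise ValueError(f"block {block_no}: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, block_no, len(ct))))


class ExportedImage:
    """The file the NFS server exports (topsecret.img in the thread). Whatever is
    stored here is what root on the server, a backup vendor or a replaced disk sees."""
    def __init__(self):
        self.blocks = {}

    def raw_bytes(self):
        return b"".join(self.blocks[i] for i in sorted(self.blocks))


class NfsServer:
    """With a key: server-side design, decrypts before the transport.
    Without a key: can only hand over ciphertext."""
    def __init__(self, image, key=None):
        self.image, self.key = image, key

    def write_plaintext(self, block_no, plaintext):
        """Server-side design: plaintext arrives over the wire, the server encrypts it."""
        enc_key, mac_key = derive_keys(self.key)
        self.image.blocks[block_no] = encrypt_block(enc_key, mac_key, block_no, plaintext)

    def serve_read(self, block_no):
        """What the export hands to the transport layer for this block."""
        data = self.image.blocks[block_no]
        if self.key is None:
            return data                                   # ciphertext; client decrypts
        enc_key, mac_key = derive_keys(self.key)
        return decrypt_block(enc_key, mac_key, block_no, data)   # plaintext exists here

    def plaintext_exposed(self, block_no, needle):
        """Can a privileged process on the server obtain plaintext for this block?"""
        return needle in self.serve_read(block_no)


class ClientEncryptedVolume:
    """Client-side design (EFS on a loop-mounted image): the key never leaves the client."""
    def __init__(self, server, key):
        self.server = server
        self.enc_key, self.mac_key = derive_keys(key)

    def write(self, block_no, plaintext):
        self.server.image.blocks[block_no] = encrypt_block(self.enc_key, self.mac_key, block_no, plaintext)

    def read(self, block_no):
        return decrypt_block(self.enc_key, self.mac_key, block_no, self.server.serve_read(block_no))


RECORD = b"constructed sample PCI record: cardholder J. Q. Public, account ending 0000"


def demo():
    key = os.urandom(32)      # in practice from a key manager; random here
    client_img, server_img = ExportedImage(), ExportedImage()
    client_side = ClientEncryptedVolume(NfsServer(client_img), key)
    client_side.write(0, RECORD)
    server_side = NfsServer(server_img, key)
    server_side.write_plaintext(0, RECORD)
    result = {
        "client_roundtrip_ok": client_side.read(0) == RECORD,
        "client_design_at_rest_plain": b"cardholder" in client_img.raw_bytes(),
        "client_design_server_sees_plain": client_side.server.plaintext_exposed(0, b"cardholder"),
        "server_design_at_rest_plain": b"cardholder" in server_img.raw_bytes(),
        "server_design_server_sees_plain": server_side.plaintext_exposed(0, b"cardholder"),
    }
    # A bit flipped in the stored image (or a wrong key) is caught by the block MAC.
    stored = client_img.blocks[0]
    client_img.blocks[0] = bytes([stored[0] ^ 0x01]) + stored[1:]
    try:
        client_side.read(0)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both designs leave the image encrypted at rest, which is what a compliance checkbox measures; only the client-side design keeps plaintext off the server, which is what Feenberg and Silkey are worried about. The cost is the one Magda notes: the server (and anything that mounts the export with its own credentials but no key) can no longer read the data.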
From rskiadmin@chycoski.com Sat Mar 7 18:18:54 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n282Iq0J026893 for ; Sat, 7 Mar 2009 18:18:54 -0800 (PST) (envelope-from rskiadmin@chycoski.com) Received: from adsl-67-122-242-225.dsl.pltn13.pacbell.net (adsl-67-122-242-225.dsl.pltn13.pacbell.net [67.122.242.225]) by usenix.org (8.13.6/8.13.6) with ESMTP id n282IndD005999 for ; Sat, 7 Mar 2009 18:18:51 -0800 (PST) Received: from [192.168.72.2] (wizfast.rski.net [192.168.72.2]) by adsl-67-122-242-225.dsl.pltn13.pacbell.net (8.13.8/8.13.8) with ESMTP id n282Iav9010242; Sat, 7 Mar 2009 18:18:36 -0800 Message-ID: <49B32AFC.7080700@chycoski.com> Date: Sat, 07 Mar 2009 18:18:36 -0800 From: Richard Chycoski User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Daniel Feenberg References: <82a71f8a0903061300t7ce3ad9ex3cf22490149b914c@mail.gmail.com> <3bdbc7110903061644u2b2aa461t408a63c355bf6c17@mail.gmail.com> <49B1F842.7010601@chycoski.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: Sage Members Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Mar 2009 02:18:55 -0000 Daniel Feenberg wrote: > On Fri, 6 Mar 2009, Richard Chycoski wrote: > >> We looked at Datafort - it encrypts the data on the NetApp, but >> decrypts it as soon as it leaves the NetApp (when it goes through the >> nearby Datafort appliance), and transports it in the clear beyond. >> They don't have an end-to-end encryption solution. 
> > Isn't that going to be true of just about any combination of > cryptographic filesystem and a separate cryptographic transport? That > is, the data is going to be available on the file store both encrypted > and plain text, becuase the transport is going to need to rencrypt > from plain text, so the filesystem encryption is sort of window > dressing. Put another way, encrypted files are usefull when the system > is turned off, so they are nice for laptops and thumb drives which are > likely to be turned off when stolen, but not very usefull for servers, > since the plaintext will likely be available (at least to root on the > server) at all times anyway. There may be some advantage to protecting > the data from unauthorized users on the server, but only to the extent > that the cryptographic key is more secure than the file permissions > system, which is possible but not dependable. > > Now if NFS v 4. had an option to store the data in the same encrypted > format as was used for transport, that would achieve your objective > (and save some computation time), but I haven't heard of that capability. > > Daniel Feenberg > >> >> The throughput also wasn't great. >> >> - Richard There are two main reasons to encrypt the data for servers. One is that the disk drives can be replaced by any vendor, and the data on the drive is useless to them. The other is for backups - especially when using an external over-the-net backup vendor. All of the data backed up to the external site is safe from the vendor. They never need have access to the decrypted data, an external decryption device like the Datafort ensures that the backup vendor never touches the unencrypted data. The data never appears on the fileserver in an unencrypted form. When we first talked with Decru sales folk, they described a system that sounded as though the data were encrypted through to the client. 
Our supposition was that while the Datafort appliance encrypted the data on the disk, it would decrypt/encrypt on the fly for delivery through to the end client (based on the early talks). When we got down to brass tacks, it turned out that this re-encryption was not available. (The desire of the Decru sales people to sell, along with the desire of our security folk to have a product that did what they wanted may have contributed to the initial lack of clarity of available features... but I heard the sales pitch too, and *I* thought that they had end-to-end encryption.) There's nothing stopping an appliance from doing this- if anyone finds one, please call. Our security folk have been drooling for one ever since the first (unfortunately inaccurate) sales stories about the Datafort came our way. :-) (In some ways, I kinda wonder why $WORK hasn't built one yet... Guess there's not enough money in it!) - Richard From dmagda@ee.ryerson.ca Sun Mar 8 09:44:44 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n28GiiIh040160 for ; Sun, 8 Mar 2009 09:44:44 -0700 (PDT) (envelope-from dmagda@ee.ryerson.ca) Received: from toq4-srv.bellnexxia.net (wynq.bellnexxia.net [209.226.175.24]) by usenix.org (8.13.6/8.13.6) with ESMTP id n28GieXo028218 for ; Sun, 8 Mar 2009 09:44:43 -0700 (PDT) Received: from toip5.srvr.bell.ca ([209.226.175.88]) by tomts16-srv.bellnexxia.net (InterMail vM.5.01.06.13 201-253-122-130-113-20050324) with ESMTP id <20090308161713.UJB1809.tomts16-srv.bellnexxia.net@toip5.srvr.bell.ca> for ; Sun, 8 Mar 2009 12:17:13 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApgBAPeGs0lMRCWV/2dsb2JhbAAI0wGEBQY Received: from bas1-toronto09-1279534485.dsl.bell.ca (HELO [192.168.1.103]) ([76.68.37.149]) by toip5.srvr.bell.ca with ESMTP; 08 Mar 2009 12:25:38 -0400 Message-Id: From: David Magda To: Richard Chycoski In-Reply-To: <49B32AFC.7080700@chycoski.com> Content-Type: text/plain; 
charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Sun, 8 Mar 2009 12:17:12 -0400 References: <82a71f8a0903061300t7ce3ad9ex3cf22490149b914c@mail.gmail.com> <3bdbc7110903061644u2b2aa461t408a63c355bf6c17@mail.gmail.com> <49B1F842.7010601@chycoski.com> <49B32AFC.7080700@chycoski.com> X-Mailer: Apple Mail (2.930.3) X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 Cc: Sage Members Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Mar 2009 16:44:45 -0000 On Mar 7, 2009, at 21:18, Richard Chycoski wrote: > (In some ways, I kinda wonder why $WORK hasn't built one yet... > Guess there's not enough money in it!) I think the plan is to embed this into array firmware. 
IEEE 1619 was recently finalized, so hopefully future products will have this baked in (probably as a "valued-added" option that you pay for of course): http://en.wikipedia.org/wiki/IEEE_P1619 Sun is also working on built-in encryption for their ZFS: http://opensolaris.org/os/project/zfs-crypto/ Curious to know if any other file systems designed in the future will have this, or whether it will be offloaded to the hardware: http://yro.slashdot.org/article.pl?sid=09/01/29/0132246 From lindsey@acm.org Mon Mar 9 08:14:10 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n29FEAU5064515 for ; Mon, 9 Mar 2009 08:14:10 -0700 (PDT) (envelope-from lindsey@acm.org) Received: from e-c-group.com (mail.ispsouth.com [216.128.192.248]) by usenix.org (8.13.6/8.13.6) with ESMTP id n29FE7Yr029345 for ; Mon, 9 Mar 2009 08:14:09 -0700 (PDT) Received: from [24.172.251.165] (account lindsey HELO [172.24.127.62]) by e-c-group.com (CommuniGate Pro SMTP 5.0.13) with ESMTPSA id 120597162; Mon, 09 Mar 2009 10:14:04 -0500 Message-Id: <0290C568-1F3F-41B8-A667-3C2B1D9A8019@acm.org> From: "Mark R. Lindsey" To: Doug Hughes In-Reply-To: <49ADEBA7.6010108@will.to> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Mon, 9 Mar 2009 11:14:23 -0400 References: <4F138E94-4964-4EFA-AAEA-7662EC84E2B6@pobox.com> <49ADEBA7.6010108@will.to> X-Mailer: Apple Mail (2.930.3) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Members Subject: Re: [SAGE] Dealing with UPS/AC fire alarm connection malfunctions X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Mar 2009 15:14:13 -0000 On Mar 3, 2009, at 9:47 PM, Doug Hughes wrote: > Philip J. Hollenback wrote: >> I'm struggling with a server room issue and I wonder if anyone has >> any insight. This room is in a Manhattan high-rise office and has >> a UPS and a large AC unit. The fire code requires that both the >> UPS and AC be connected to the fire alarm system and automatically >> shut down when the fire alarm is triggered. > Hi Philip. This is indeed a difficult problem with no easy answers. > You don't want to break code and invalidate your insurance or cause > other legal liabilities, nor do you want random shutdowns. This sounds like a sales pitch for colocation in Secaucus. (Or anywhere else but a high-rise in Manhattan.) But, for the equipment you DO need in the building, does anyone make any kind of "quorom" fire detection system? E.g., a majority of smoke detectors in a zone need to detect something before the alarm is triggered. From jsdy@gwyn.tux.org Mon Mar 9 08:14:23 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n29FEM53064523 for ; Mon, 9 Mar 2009 08:14:22 -0700 (PDT) (envelope-from jsdy@gwyn.tux.org) Received: from gwyn.tux.org (ident-user@gwyn.tux.org [207.172.156.132]) by usenix.org (8.13.6/8.13.6) with ESMTP id n29FEJEL029350 for ; Mon, 9 Mar 2009 08:14:22 -0700 (PDT) Received: from gwyn.tux.org (ident-user@localhost.localdomain [127.0.0.1]) by gwyn.tux.org (8.12.11/8.12.11) with ESMTP id n29FB3Pf010690; Mon, 9 Mar 2009 11:11:10 -0400 Received: (from jsdy@localhost) by gwyn.tux.org (8.12.11/8.12.11/Submit) id n29FB3mw010689; Mon, 9 Mar 2009 11:11:03 -0400 Date: Mon, 9 Mar 2009 11:11:02 -0400 From: Joseph S D Yao To: Friedrich Clausen Message-ID: <20090309111102.B4679@gwyn.tux.org> Mail-Followup-To: Friedrich Clausen , "David N. 
Blank-Edelman" , Sage Members References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from fred@derf.nl on Mon, Jan 05, 2009 at 04:54:00PM +0100 X-Accepted-File-Formats: ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (gwyn.tux.org [0.0.0.0]); Mon, 09 Mar 2009 11:11:10 -0400 (EDT) X-Virus-Scanned: ClamAV version 0.88.4, clamav-milter version 0.88.4 on gwyn.tux.org X-Virus-Status: Clean X-DCC-Usenix-Metrics: voyager; whitelist Cc: Sage Members Subject: Re: [SAGE] Choosing a virtualisation vendor. X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Mar 2009 15:14:24 -0000 On Mon, Jan 05, 2009 at 04:54:00PM +0100, Friedrich Clausen wrote: > Hi All, > > Thanks for the additional information - we are mostly a Linux shop and > are looking to paravirtualise where we can. I am re-reading all the ... Catching up ... Several people had noted that your "base operating system" should be a consideration in your choice. Don't forget to consider whether a base virtualization kernel might be another good choice, on top of which you could run different operating systems. I've seen this as a product in VMWare, and am starting to run Xen for another project, which appears to use this idea also. -- /*********************************************************************\ ** ** Joe Yao jsdy@tux.org - Joseph S. D. 
Yao ** \*********************************************************************/ From rskiadmin@chycoski.com Mon Mar 9 08:32:16 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n29FWGSg064801 for ; Mon, 9 Mar 2009 08:32:16 -0700 (PDT) (envelope-from rskiadmin@chycoski.com) Received: from adsl-67-122-242-225.dsl.pltn13.pacbell.net (adsl-67-122-242-225.dsl.pltn13.pacbell.net [67.122.242.225]) by usenix.org (8.13.6/8.13.6) with ESMTP id n29FWDe0029658 for ; Mon, 9 Mar 2009 08:32:16 -0700 (PDT) Received: from [192.168.72.2] (wizfast.rski.net [192.168.72.2]) by adsl-67-122-242-225.dsl.pltn13.pacbell.net (8.13.8/8.13.8) with ESMTP id n29FW64s032031; Mon, 9 Mar 2009 08:32:06 -0700 Message-ID: <49B53676.8010103@chycoski.com> Date: Mon, 09 Mar 2009 08:32:06 -0700 From: Richard Chycoski User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: "Mark R. Lindsey" References: <4F138E94-4964-4EFA-AAEA-7662EC84E2B6@pobox.com> <49ADEBA7.6010108@will.to> <0290C568-1F3F-41B8-A667-3C2B1D9A8019@acm.org> In-Reply-To: <0290C568-1F3F-41B8-A667-3C2B1D9A8019@acm.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: Doug Hughes , SAGE Members Subject: Re: [SAGE] Dealing with UPS/AC fire alarm connection malfunctions X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Mar 2009 15:32:16 -0000 Mark R. Lindsey wrote: > > On Mar 3, 2009, at 9:47 PM, Doug Hughes wrote: > >> Philip J. Hollenback wrote: >>> I'm struggling with a server room issue and I wonder if anyone has >>> any insight. This room is in a Manhattan high-rise office and has a >>> UPS and a large AC unit. 
The fire code requires that both the UPS >>> and AC be connected to the fire alarm system and automatically shut >>> down when the fire alarm is triggered. > >> Hi Philip. This is indeed a difficult problem with no easy answers. >> You don't want to break code and invalidate your insurance or cause >> other legal liabilities, nor do you want random shutdowns. > > This sounds like a sales pitch for colocation in Secaucus. (Or > anywhere else but a high-rise in Manhattan.) > > But, for the equipment you DO need in the building, does anyone make > any kind of "quorom" fire detection system? E.g., a majority of smoke > detectors in a zone need to detect something before the alarm is > triggered. > Most modern fire detection systems require multiple sensor detection before triggering the alarm, but there's usually only one trigger circuit to actually shut things down. This means that if the trigger circuit can give false positives without any sensor having tripped at all. - Richard From jal@mdacorporation.com Mon Mar 9 15:16:35 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n29MGZZD072052 for ; Mon, 9 Mar 2009 15:16:35 -0700 (PDT) (envelope-from jal@mdacorporation.com) Received: from msxyvr2.ds.mda.ca (mail.mda.ca [142.73.64.14]) by usenix.org (8.13.6/8.13.6) with ESMTP id n29MGWYd008121 for ; Mon, 9 Mar 2009 15:16:35 -0700 (PDT) Received: from VMXYVR1.ds.mda.ca ([142.73.129.70]) by msxyvr2.ds.mda.ca with Microsoft SMTPSVC(6.0.3790.3959); Mon, 9 Mar 2009 15:16:31 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 9 Mar 2009 15:16:29 -0700 Message-ID: <57F67688A8D72449AC80164DA982083104D39B6C@VMXYVR1.ds.mda.ca> In-Reply-To: <82a71f8a0903061300t7ce3ad9ex3cf22490149b914c@mail.gmail.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [SAGE] AIX NFS v4 and disk/file system encryption 
Thread-Index: AcmenvdERDc0kllSTQeVw2hVoHh52wCY3WCw References: <82a71f8a0903061300t7ce3ad9ex3cf22490149b914c@mail.gmail.com> From: "John LLOYD" To: "Doug Hanks" , "Sage Members" X-OriginalArrivalTime: 09 Mar 2009 22:16:31.0234 (UTC) FILETIME=[B307BE20:01C9A104] X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n29MGZZD072052 Subject: Re: [SAGE] AIX NFS v4 and disk/file system encryption X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Mar 2009 22:16:36 -0000 > I have a requirement that requires a shared file system > across different > hosts. Obviously NFS comes to mind. But I also have two additional > requirements: > > * The data must be transmitted securely - with authentication > and line-level > encryption This could be IPSEC or equivalent; the authentication for IPSEC is only at the host level. File-level access-control still relies on whatever mechanism your users (or applications) are authenticated on the client machines. > * The data at rest, living on the file system or disk, must > be encrypted Others have already suggested loopback filesystems with encryption. > > The OS we're using is AIX. I know that NFS v4 uses 3des for > encryption and > has secure authentication. Also AIX has the Encrypted File > System (EFS), > but unfortunately you can't NFS export an EFS file system. > > Any ideas? Other suggestions: iSCSI (with IPSEC, again) accessing shared LUNs with some kind of cluster filesystem with an encrypting block-device layer turned on....requires key management per client on top of the IPSEC, AIX support, and several other miracles. Encrypted FTP -- you do not mention the actual means or methods of file access. 
Maybe one-whole-secret-file-at-a-time is within your requirements scope? Or encrypted CVS/HG/SVN via https? Moving up a level, some kind of threat to the files-at-rest is implied with your requirements; would the client computers also be at risk from similar hazards? In general, your requirements are stated without reference to threat models so it's unclear whether there are other issues that might also need to be addressed such as client trustworthiness for keeping encryption keys safe, data-at-rest encryption on clients (including swapfiles), defence against replay attacks, etc etc etc. --John From philiph@pobox.com Mon Mar 9 21:52:36 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2A4qahj078233 for ; Mon, 9 Mar 2009 21:52:36 -0700 (PDT) (envelope-from philiph@pobox.com) Received: from sasl.smtp.pobox.com (a-sasl-quonix.sasl.smtp.pobox.com [208.72.237.25]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2A4qWho013142 for ; Mon, 9 Mar 2009 21:52:35 -0700 (PDT) Received: from localhost.localdomain (unknown [127.0.0.1]) by a-sasl-quonix.sasl.smtp.pobox.com (Postfix) with ESMTP id AC69849FF; Tue, 10 Mar 2009 00:52:31 -0400 (EDT) Received: from ourtownadd-lm.mine.nu (unknown [208.87.58.107]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by a-sasl-quonix.sasl.smtp.pobox.com (Postfix) with ESMTPSA id 7379F49FE; Tue, 10 Mar 2009 00:52:25 -0400 (EDT) Message-Id: From: "Philip J. 
Hollenback" To: Richard Chycoski In-Reply-To: <49B53676.8010103@chycoski.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Mon, 9 Mar 2009 21:52:24 -0700 References: <4F138E94-4964-4EFA-AAEA-7662EC84E2B6@pobox.com> <49ADEBA7.6010108@will.to> <0290C568-1F3F-41B8-A667-3C2B1D9A8019@acm.org> <49B53676.8010103@chycoski.com> X-Mailer: Apple Mail (2.930.3) X-Pobox-Relay-ID: 43A161E8-0D2F-11DE-B240-CBE7E3B37BAC-80990599!a-sasl-quonix.pobox.com X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=1 Fuz2=1 rep=20% Cc: SAGE, Doug Hughes , Members Subject: Re: [SAGE] Dealing with UPS/AC fire alarm connection malfunctions X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Mar 2009 04:52:37 -0000 On Mar 9, 2009, at 8:32 AM, Richard Chycoski wrote: > Most modern fire detection systems require multiple sensor detection > before triggering the alarm, but there's usually only one trigger > circuit to actually shut things down. This means that if the trigger > circuit can give false positives without any sensor having tripped > at all. It ends up that someone else was assigned to troubleshoot this so I haven't been involved much more. However it looks like the failure may have been that the AC units shut down on a bogus fire alarm trigger and that caused enough room overheating to initiate a UPS shutdown. The AC units and UPS are all on the network and sending snmp traps so I suspect the logs should reveal what failed first. -- Philip J. 
Hollenback philiph@pobox.com From melgorri@hsr.ch Tue Mar 10 05:45:01 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2ACj1B1087723 for ; Tue, 10 Mar 2009 05:45:01 -0700 (PDT) (envelope-from melgorri@hsr.ch) Received: from hsrmx1.hsr.ch (hsrmx1.hsr.ch [152.96.36.50]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2ACivxg004626 for ; Tue, 10 Mar 2009 05:45:00 -0700 (PDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by hsrmx1.hsr.ch (Postfix) with ESMTP id 73931210732 for ; Tue, 10 Mar 2009 13:37:28 +0100 (CET) Received: from hsrmx1.hsr.ch ([127.0.0.1]) by localhost (hsrmx1.hsr.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id qTJO30DB1cDv for ; Tue, 10 Mar 2009 13:37:26 +0100 (CET) Received: from sid00101.hsr.ch (sid00100.hsr.ch [152.96.20.160]) by hsrmx1.hsr.ch (Postfix) with ESMTP id BBCD621072F for ; Tue, 10 Mar 2009 13:37:26 +0100 (CET) Received: from sid00101.hsr.ch ([152.96.20.160]) by sid00101.hsr.ch ([152.96.20.160]) with mapi; Tue, 10 Mar 2009 13:37:26 +0100 From: To: Date: Tue, 10 Mar 2009 13:37:25 +0100 Thread-Topic: Best Practice DNS/bind Thread-Index: AcmhfPcahk/mbmTMQwahZ/8Q+4xKvg== Message-ID: Accept-Language: en-US, de-CH Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, de-CH Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n2ACj1B1087723 Subject: [SAGE] Best Practice DNS/bind X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Mar 2009 12:45:02 -0000 Hi all Well, just doing a fresh setup of our external DNS, having the Liu-Books on my table, and wanted to cross-check whether there are some 'best practices' we might have overlooked. Here is our setup: - Primary and secondary DNS on physically and exclusively dedicated quality servers (redundant power, raid-1, ...), in separated server rooms. - Both located in the same DMZ-security zone and subnet, serving only external domains (about 100 domains) - Minimalistic Linux-Gentoo installation with actual version of bind. - Local iptables activated restricting external traffic to DNS-queries, no webserver or DB running on the systems. - Zone files are cron-pulled (rsync'ed) from a NFS-mount (actual zone files are written there by a web application) - Quite simple configuration, with a few acl's, no-recursion, no dynamic update, TTL 8 hours, restricted controls. No dnssec, views or other specialities needed. - We don't have heavy load on the DNS servers, so we don't need load-balancing on the server level, HA-cluster and the like. - Logs will be done to a separate log-server; the server will be integrated in our Nagios alarm-system. And some questions: - We plan to have a second pair of both servers available as hot-standby virtual machines. Is there some other proposition for enhancing redundancy/availability in the worst case? - Any particular thoughts at the security level configuration for bind? And for the local ip-tables (preventing specific DOS, spoofing, and others...)? - We will use mysqlbind or nictool for web-based management of the zone-files, as well as dnsgraph for traffic. Any recommendation for other or additional (open source) tools, specifically for dns-related log-analysis too? - While copying (rsyncing) the zone files, would it make sense to pipe them through named-checkzone? 
  Or is there some other good checking tool available?
- Do you use SPF or some other technique for smtp-server validation on the recipient side?
- And - please don't start a flame -, are your DNS-servers already IPv6-ready, should we really take the trouble to do this?

Any criticisms and suggestions are greatly appreciated.

Thx a lot and greetings from Switzerland

Manuel Elgorriaga Kunze
IT Services - Head of IT-Systems
University of Applied Sciences Rapperswil
CH - 8640 Rapperswil (Switzerland)
Phone +41 (0)55 222 4 111 / 278 (direct)
www.hsr.ch

From trey@treyka.net Wed Mar 11 01:16:14 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2B8GEKN012226 for ; Wed, 11 Mar 2009 01:16:14 -0700 (PDT) (envelope-from trey@treyka.net) Received: from mail.kingfisherops.com (mail.treyka.net [64.22.71.37]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2B8GAw9016305 for ; Wed, 11 Mar 2009 01:16:13 -0700 (PDT) Received: from treyka.net (localhost [127.0.0.1]) by mail.kingfisherops.com (Postfix) with ESMTP id 55BEFDD93; Wed, 11 Mar 2009 09:16:05 +0100 (CET) Received: from 192.101.252.156 (SquirrelMail authenticated user trey@treyka.net) by treyka.net with HTTP; Wed, 11 Mar 2009 09:16:05 +0100 (CET) Message-ID: Date: Wed, 11 Mar 2009 09:16:05 +0100 (CET) From: "Trey Darley" To: sage-members@sage.org, discuss@lopsa.org User-Agent: SquirrelMail/1.4.15 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 Subject: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list Reply-To: trey@treyka.net List-Id: "To discuss any issues of interest to SAGE members."
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 08:16:15 -0000

Greetings & salutations -

I've looked at what's on sans.org - wondering what kind of juice y'all might have. Any input or pointers would be much appreciated.

Cheers,
--Trey

From dan@geer.org Wed Mar 11 04:53:45 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BBrjbH015659 for ; Wed, 11 Mar 2009 04:53:45 -0700 (PDT) (envelope-from dan@geer.org) Received: from absinthe.tinho.net (absinthe.tinho.net [166.84.5.228]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BBrgkv019870 for ; Wed, 11 Mar 2009 04:53:44 -0700 (PDT) Received: by absinthe.tinho.net (Postfix, from userid 126) id 13DE133F32; Wed, 11 Mar 2009 07:53:36 -0400 (EDT) Received: from absinthe.tinho.net (localhost [127.0.0.1]) by absinthe.tinho.net (Postfix) with ESMTP id 11FB033F1F; Wed, 11 Mar 2009 07:53:36 -0400 (EDT) From: dan@geer.org To: trey@treyka.net In-Reply-To: Your message of "Wed, 11 Mar 2009 09:16:05 BST." Date: Wed, 11 Mar 2009 07:53:36 -0400 Message-Id: <20090311115336.13DE133F32@absinthe.tinho.net> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: discuss@lopsa.org, sage-members@sage.org Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 11:53:45 -0000

> I've looked at what's on sans.org - wondering what kind of juice y'all
> might have. Any input or pointers would be much appreciated.

... Disclaimer: For five years I was the Chief Scientist
... at Verdasys and still have a commercial interest in it
... and its products, which have my fingerprints on them.
...
... The following is the 100 mph version for the product
... closest to your need. Less brutal text, up to and
... including conventional marketing lit, are readily
... available.

The product is called Digital Guardian; it solves the data security question possibly once and for all, at least in the accountability (non-military) sense.

Digital Guardian is a distributed, recording reference monitor implemented as a rootkit: an agent on every surveilled host communicating periodically with a no-wait-state collection depot arbitrarily located. The agent is small, tight, platform independent, invisible, tamper-resistant, and low-load. Any touch whatsoever of local data is captured at the innermost operating system levels as an event trigger for policy-based action at context-sensitive fine granularity. Agents do 20,000-to-1 continuous log reduction, compress and encrypt bundles of these results, and push them to the collection system with end-to-end assurance, adapting to intermittent connectivity without intervention.

Consequent to its complete real-time capture, questions requiring full enumeration of past actions (prove no one outside the CFO's staff read this document) and goals requiring zero-prep reaction (application whitelists and zero-day defense) become trivially feasible. Less dramatically, forensics becomes possible at near-zero reconstruction cost, communities of trust become enforceable irrespective of conventional perimeters, data redaction at any level of granularity becomes auditably trivial and trivially auditable, silent alarms can signal enforcement authorities for anticipated events or for unanticipated exceptions, and honest people can be coached to remain honest without the risk of inadvertently preventing anyone from getting their job done.

An enemy able to strike location independently and without self revelation commands the defender to focus on pre-emptive strategies, pre-emption requires intelligence, and intelligence requires surveillance.
For the electronic sphere, that surveillance has as its primary unit of observation either a data object or a person; only the former is at once versatile, no-load, inescapable, and an enabler of economic benefits that justify its existence at times of lessened danger and for prosaic purposes. Day-to-day use is a pre-requisite for that tool familiarity essential to its confident use in times of heightened need, as it is with any platform.

Reference customers at the Fortune 100 level and in multiple countries are available.

A case study that speaks exactly to your need is at http://www.verdasys.com/pdf/CSMoodys.pdf

From brad@shub-internet.org Wed Mar 11 07:58:33 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BEwXT5018537 for ; Wed, 11 Mar 2009 07:58:33 -0700 (PDT) (envelope-from brad@shub-internet.org) Received: from smtp102.his.com (smtp102.his.com [216.194.225.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BEwUum023582 for ; Wed, 11 Mar 2009 07:58:33 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by smtp102.his.com (Postfix) with ESMTP id 615361C02FE; Wed, 11 Mar 2009 10:49:33 -0400 (EDT) Received: from smtp102.his.com ([216.194.225.125]) by localhost (smtp102.his.com [216.194.225.125]) (amavisd-new, port 10024) with ESMTP id 14052-01-2; Wed, 11 Mar 2009 10:49:30 -0400 (EDT) Received: from mail101.his.com (mail101.his.com [216.194.225.77]) by smtp102.his.com (Postfix) with ESMTP id 42FE01C0316; Wed, 11 Mar 2009 10:49:30 -0400 (EDT) Received: from delenn.cc.utexas.edu (delenn.cc.utexas.edu [128.83.93.67]) (authenticated bits=0) by mail101.his.com (8.14.2/8.13.3) with ESMTP id n2BEn2IE018279 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Mar 2009 10:49:03 -0400 (EDT) (envelope-from brad@shub-internet.org) Message-ID: <49B7CF85.4000903@shub-internet.org> Date: Wed, 11 Mar 2009 09:49:41 -0500 From: Brad Knowles Organization: Shub-Internet -- The Great
Line-Eater Lurking Under the Basement of the Pentagon User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: trey@treyka.net References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: Debian amavisd-new at smtp102.his.com X-Spam-Status: No, score=-4.252 tagged_above=-99 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.147, BAYES_00=-2.599] X-Spam-Score: -4.252 X-Spam-Level: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=8% Cc: discuss@lopsa.org, sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 14:58:34 -0000

Trey Darley wrote:
> I've looked at what's on sans.org - wondering what kind of juice y'all
> might have. Any input or pointers would be much appreciated.

Here at UT Austin, we have something called a "Position of Special Trust", see and . This helps us meet state laws regarding individuals with access to sensitive information, as well as state-wide UT Systems policies (i.e., all the dozens of universities in the state that are part of the UT System umbrella), and UT Austin policies.
--
Brad Knowles
LinkedIn Profile:
If you like Jazz/R&B guitar, check out my friend bigsbytracks on YouTube at http://preview.tinyurl.com/bigsbytracks

From dpuryear@puryear-it.com Wed Mar 11 09:06:17 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BG6HnT019583 for ; Wed, 11 Mar 2009 09:06:17 -0700 (PDT) (envelope-from dpuryear@puryear-it.com) Received: from mail.puryear-it.com (wsip-70-183-217-104.br.br.cox.net [70.183.217.104]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BG6DFv025099 for ; Wed, 11 Mar 2009 09:06:16 -0700 (PDT) Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0 Date: Wed, 11 Mar 2009 11:06:02 -0600 Message-ID: <43452C495F09D048BF7CE9F96B65688E05FCDF@sbs.Puryear-IT.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: IBM DS3200 SAN and Red Hat - SCSI reservation conflict Thread-Index: AcmiY0b7ONsd6Qj0TDu82iD2Ez22RQ== From: "Dustin Puryear" To: X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n2BG6HnT019583 Subject: [SAGE] IBM DS3200 SAN and Red Hat - SCSI reservation conflict X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 16:06:17 -0000

Hey guys-

I'm hoping someone can shed some light on an issue we are having. We have an IBM DS3200 SAN with Qlogic FC (qla2400). We have several LUNs exported, including one that attaches to /dev/sdd1. Everything works just fine except for /dev/sdd1, which goes corrupt randomly.
Quick review of our setup:

Blade1 = IBM blade with FC card and RHES4.7
Blade2 = IBM blade with FC card and RHES4.7

We are using the latest Qlogic drivers and the IBM RDAC download. The goal is to setup Blade1 and Blade2 with Oracle and use SteelEye for failover. Both blade1 and blade2 are given the same LUNs from the SAN, but only one will ever mount a filesystem from the SAN at a time.

Well, this works great except for /dev/sdd1, which keeps going corrupt. I verified that blade2 is not trying to mount anything, only blade1 right now. And, in fact, we have uninstalled SteelEye for now so someone would have to manually mount /dev/sdb1, /dev/sdd1, /dev/sde1, etc., on blade2 instead of the default of blade1.

/dev/sdb1, /dev/sde1, etc are fine. Only /dev/sdd1 gets corrupted. Also, /dev/sdd1 is the only one that gets "reservation conflict" error messages in dmesg.

Some info:

qla2400 0000:08:01.0: Found an ISP2422, irq 209, iobase 0xffffff0000002000
qla2400 0000:08:01.0: Configuring PCI space...
qla2400 0000:08:01.0: Configure NVRAM parameters...
qla2400 0000:08:01.0: Verifying loaded RISC code...
qla2400 0000:08:01.0: Allocated (64 KB) for EFT...
qla2400 0000:08:01.0: Allocated (1413 KB) for firmware dump...
qla2400 0000:08:01.0: Waiting for LIP to complete...
qla2400 0000:08:01.0: LIP reset occured (f7f7).
qla2400 0000:08:01.0: LIP occured (f7f7).
qla2400 0000:08:01.0: LOOP UP detected (4 Gbps).
qla2400 0000:08:01.0: Topology - (FL_Port), Host Loop address 0x0
scsi3 : qla2xxx
qla2400 0000:08:01.0:
 QLogic Fibre Channel HBA Driver: 8.01.07.15
  QLogic QMC2462S - IBM eServer BC 4Gb FC Expansion Card SFF
  ISP2422: PCI-X Mode 1 (133 MHz) @ 0000:08:01.0 hdma+, host#=3, fw=4.00.26 [IP]
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:10): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:11): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:12): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:13): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:14): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:10): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:11): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:12): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:13): Enabled tagged queuing, queue depth 32.
  Vendor: IBM       Model: 1814      FAStT    Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05

The errors:

SCSI device sdb: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdb: drive cache: write back
SCSI device sdb: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdb: drive cache: write back
 sdb: sdb1
Attached scsi disk sdb at scsi5, channel 0, id 0, lun 10
Attached scsi generic sg1 at scsi5, channel 0, id 0, lun 10, type 0
  Vendor: IBM       Model: VirtualDisk       Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
scsi(5:0:0:11): Enabled tagged queuing, queue depth 30.
SCSI device sdc: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdc: drive cache: write back
SCSI device sdc: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdc: drive cache: write back
 sdc: sdc1
Attached scsi disk sdc at scsi5, channel 0, id 0, lun 11
Attached scsi generic sg2 at scsi5, channel 0, id 0, lun 11, type 0
  Vendor: IBM       Model: VirtualDisk       Rev: 0916
  Type:   Direct-Access                      ANSI SCSI revision: 05
scsi(5:0:0:12): Enabled tagged queuing, queue depth 30.
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1317 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1319 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1321 scsi5 (0,0,12) : reservation conflict
sdd: Unit Not Ready, error = 0x18
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 25 failure - RESERVATION CONFLICT.
vcmnd SN 1323 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 25 failure - RESERVATION CONFLICT.
vcmnd SN 1325 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 25 failure - RESERVATION CONFLICT.
vcmnd SN 1327 scsi5 (0,0,12) : reservation conflict
sdd : READ CAPACITY failed.
sdd : status=c, message=00, host=0, driver=00
sdd : sense not available.
SCSI device sdd: drive cache: write back
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1333 scsi5 (0,0,12) : reservation conflict
...
...
...
Buffer I/O error on device sdd1, logical block 39321056
Buffer I/O error on device sdd1, logical block 39321057
Buffer I/O error on device sdd1, logical block 39321058
Buffer I/O error on device sdd1, logical block 39321059
Buffer I/O error on device sdd1, logical block 39321060
Buffer I/O error on device sdd1, logical block 39321061
Buffer I/O error on device sdd1, logical block 39321062
Buffer I/O error on device sdd1, logical block 39321063
Buffer I/O error on device sdd1, logical block 39321064
Buffer I/O error on device sdd1, logical block 39321065

Thoughts?

--
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com
Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

From nbrockne@hamilton.edu Wed Mar 11 11:44:23 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BIiK5q022235 for ; Wed, 11 Mar 2009 11:44:23 -0700 (PDT) (envelope-from nbrockne@hamilton.edu) Received: from mailer1.hamilton.edu (mailer1.hamilton.edu [150.209.8.96]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BIiHG1028779 for ; Wed, 11 Mar 2009 11:44:20 -0700 (PDT) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from pmxchannel-daemon.mail.hamilton.edu by mail.hamilton.edu (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) id <0KGC00F0AUPNV300@mail.hamilton.edu> for sage-members@sage.org; Wed, 11 Mar 2009 14:44:11 -0400 (EDT) Received: from [150.209.7.146] (its-150-209-7-146.hamilton.edu [150.209.7.146]) by mail.hamilton.edu (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPA id <0KGC00FRRUPLHHE0@mail.hamilton.edu>; Wed, 11 Mar 2009 14:44:09 -0400 (EDT) Date: Wed, 11 Mar 2009 14:44:09 -0400 From: Nicholas Brockner In-reply-to:
<20090311115336.13DE133F32@absinthe.tinho.net> Sender: nbrockne@hamilton.edu To: dan@geer.org Message-id: <49B80679.90709@hamilton.edu> References: <20090311115336.13DE133F32@absinthe.tinho.net> User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: discuss@lopsa.org, sage-members@sage.org Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 18:44:23 -0000

Whoa.

Big Brother is watching.

A rootkit for security/protection - sounds a bit familiar . . .

-Nick

dan@geer.org wrote:
> > I've looked at what's on sans.org - wondering what kind of juice y'all
> > might have. Any input or pointers would be much appreciated.
>
>
> ... Disclaimer: For five years I was the Chief Scientist
> ... at Verdasys and still have a commercial interest in it
> ... and its products, which have my fingerprints on them.
> ... The following is the 100 mph version for the product
> ... closest to your need. Less brutal text, up to and
> ... including conventional marketing lit, are readily
> ... available.
>
>
>
> The product is called Digital Guardian; it solves
> the data security question possibly once and for
> all, at least in the accountability (non-military)
> sense.
>
> Digital Guardian is a distributed, recording
> reference monitor implemented as a rootkit: an
> agent on every surveilled host communicating
> periodically with a no-wait-state collection depot
> arbitrarily located. The agent is small, tight,
> platform independent, invisible, tamper-resistant,
> and low-load.
> Any touch whatsoever of local data
> is captured at the innermost operating system
> levels as an event trigger for policy-based
> action at context-sensitive fine granularity.
> Agents do 20,000-to-1 continuous log reduction,
> compress and encrypt bundles of these results, and
> push them to the collection system with end-to-end
> assurance, adapting to intermittent connectivity
> without intervention.
>
> Consequent to its complete real-time capture,
> questions requiring full enumeration of past
> actions (prove no one outside the CFO's staff read
> this document) and goals requiring zero-prep
> reaction (application whitelists and zero-day
> defense) become trivially feasible. Less
> dramatically, forensics becomes possible at
> near-zero reconstruction cost, communities of
> trust become enforceable irrespective of
> conventional perimeters, data redaction at any
> level of granularity becomes auditably trivial and
> trivially auditable, silent alarms can signal
> enforcement authorities for anticipated events or
> for unanticipated exceptions, and honest people
> can be coached to remain honest without the risk
> of inadvertently preventing anyone from getting
> their job done.
>
> An enemy able to strike location independently and
> without self revelation commands the defender to
> focus on pre-emptive strategies, pre-emption
> requires intelligence, and intelligence requires
> surveillance. For the electronic sphere, that
> surveillance has as its primary unit of
> observation either a data object or a person; only
> the former is at once versatile, no-load,
> inescapable, and an enabler of economic benefits
> that justify its existence at times of lessened
> danger and for prosaic purposes. Day-to-day use
> is a pre-requisite for that tool familiarity
> essential to its confident use in times of
> heightened need, as it is with any platform.
>
> Reference customers at the Fortune 100 level
> and in multiple countries are available.
>
> A case study that speaks exactly to your need
> is at http://www.verdasys.com/pdf/CSMoodys.pdf
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members
>

From jal@mdacorporation.com Wed Mar 11 14:04:58 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BL4wxI026006 for ; Wed, 11 Mar 2009 14:04:58 -0700 (PDT) (envelope-from jal@mdacorporation.com) Received: from msxyvr2.ds.mda.ca (mail.mda.ca [142.73.64.14]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BL4tqK002126 for ; Wed, 11 Mar 2009 14:04:58 -0700 (PDT) Received: from VMXYVR1.ds.mda.ca ([142.73.129.70]) by msxyvr2.ds.mda.ca with Microsoft SMTPSVC(6.0.3790.3959); Wed, 11 Mar 2009 14:04:54 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 11 Mar 2009 14:04:52 -0700 Message-ID: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Sun/Storagetek StoreEdge 2530 SAS RAID Thread-Index: AcmijQSWvuKDfS9cR4CMMbhuuxPQdA== From: "John LLOYD" To: "Sage Members" X-OriginalArrivalTime: 11 Mar 2009 21:04:54.0374 (UTC) FILETIME=[06BA7060:01C9A28D] X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n2BL4wxI026006 Subject: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 21:04:59 -0000

We have a requirement for a few TB of disk for a Sun M2200M2.
One vendor came back with a quote for this, basically 12x450GB and a model 2530 RAID controller for SAS disks, 512MB cache, etc.

Some reviews look pretty bad -- Reviews such as http://www.sun.com/storage/disk_systems/workgroup/2530/customer-reviews.xml or http://blogs.smugmug.com/don/2007/05/16/sun-honeymoon-update-storage/

Does anybody have experience, good or bad, with this unit?

--John

From dan@geer.org Wed Mar 11 14:42:14 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BLgEug027087 for ; Wed, 11 Mar 2009 14:42:14 -0700 (PDT) (envelope-from dan@geer.org) Received: from absinthe.tinho.net (absinthe.tinho.net [166.84.5.228]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BLgB5d002985 for ; Wed, 11 Mar 2009 14:42:13 -0700 (PDT) Received: by absinthe.tinho.net (Postfix, from userid 126) id E03A133DCC; Wed, 11 Mar 2009 17:42:04 -0400 (EDT) Received: from absinthe.tinho.net (localhost [127.0.0.1]) by absinthe.tinho.net (Postfix) with ESMTP id DD89733DCB; Wed, 11 Mar 2009 17:42:04 -0400 (EDT) From: dan@geer.org To: Nicholas Brockner In-Reply-To: Your message of "Wed, 11 Mar 2009 14:44:09 EDT." <49B80679.90709@hamilton.edu> Date: Wed, 11 Mar 2009 17:42:04 -0400 Message-Id: <20090311214204.E03A133DCC@absinthe.tinho.net> X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: discuss@lopsa.org, sage-members@sage.org Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 21:42:14 -0000

Nicholas Brockner writes:
-+-----------------------
 | Whoa.
 |
 | Big Brother is watching.
 |
 | A rootkit for security/protection - sounds a bit familiar . . .
 |
 | -Nick
 |

As much as I don't like the state of the world, I try to live in it. While that sounds disgustingly snippy, I mean it otherwise; I mean it to say that the opposition is winning and, thus, we either withdraw from the field or we adopt methods which win. I believe (which is ordinarily a redundant phrase, but not here) that when the opponent can strike without danger to themselves and without revealing where they are or even that they have struck, then the only defensive action is pre-emption, that pre-emption requires intelligence, that intelligence requires surveillance, and, thus, the remaining choice is what is the fundamental unit of observation. Please let it be data and not people, but if it is data, which moves at the speed of light, only surveillance that is indwelling can work, and that means rootkitting the system.

This can easily become a rat-hole...

--dan

From hoogendyk@bio.umass.edu Wed Mar 11 14:48:14 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BLmEiS027201 for ; Wed, 11 Mar 2009 14:48:14 -0700 (PDT) (envelope-from hoogendyk@bio.umass.edu) Received: from marlin.bio.umass.edu (marlin.bio.umass.edu [128.119.55.19]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BLmBOl003182 for ; Wed, 11 Mar 2009 14:48:13 -0700 (PDT) Received: from peredhil.bio.umass.edu (peredhil.bio.umass.edu [128.119.54.86]) (authenticated bits=0) by marlin.bio.umass.edu (8.14.2/8.14.2) with ESMTP id n2BLm6p4014554 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Mar 2009 17:48:07 -0400 (EDT) Message-ID: <49B83197.8080605@bio.umass.edu> Date: Wed, 11 Mar 2009 17:48:07 -0400 From: Chris Hoogendyk User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: John LLOYD References: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> In-Reply-To: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> Content-Type: text/plain; charset=ISO-8859-1;
format=flowed Content-Transfer-Encoding: 8bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (marlin.bio.umass.edu [128.119.55.19]); Wed, 11 Mar 2009 17:48:07 -0400 (EDT) X-Scanned-By: MIMEDefang 2.54 on 128.119.55.19 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: Sage Members Subject: Re: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 21:48:14 -0000

John LLOYD wrote:
> We have a requirement for a few TB of disk for a Sun M2200M2. One
> vendor came back with a quote for this, basically 12x450GB and a model
> 2530 RAID controller for SAS disks, 512MB cache, etc.

check out http://www.sun.com/storage/disk_systems/expansion/4200/specs.xml -- these are what they are putting on their 7xxx series storage servers. The Jxxx boxes look similar to the 2530, but they are jbod. SAS hookups both internal and external. You need a SAS HBA in your server. But, then, the setup is a whole 'nother picture from the 2530.
--
---------------
Chris Hoogendyk
- O__ ---- Systems Administrator
c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst
---------------
Erdös 4

From seph@directionless.org Wed Mar 11 14:52:04 2009
Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2BLq4RD027288 for ; Wed, 11 Mar 2009 14:52:04 -0700 (PDT) (envelope-from seph@directionless.org) Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com [66.111.4.25]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2BLq1DT003338 for ; Wed, 11 Mar 2009 14:52:04 -0700 (PDT) Received: from compute2.internal (compute2.internal [10.202.2.42]) by out1.messagingengine.com (Postfix) with ESMTP id 30A872ED184; Wed, 11 Mar 2009 17:45:01 -0400 (EDT) Received: from heartbeat2.messagingengine.com ([10.202.2.161]) by compute2.internal (MEProxy); Wed, 11 Mar 2009 17:45:01 -0400 X-Sasl-enc: yopymSyeXj8jLjWS9G6zXzZ5o41bDYK717uYhAslf6JU 1236807899 Received: from bastion.directionless.org (c-98-216-105-238.hsd1.ma.comcast.net [98.216.105.238]) by mail.messagingengine.com (Postfix) with ESMTPSA id D2C8839BBC; Wed, 11 Mar 2009 17:44:59 -0400 (EDT) Received: by bastion.directionless.org (sSMTP sendmail emulation); Wed, 11 Mar 2009 17:44:59 -0400 From: seph To: "John LLOYD" References: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> Date: Wed, 11 Mar 2009 17:44:59 -0400 In-Reply-To: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> (John LLOYD's message of "Wed, 11 Mar 2009 14:04:52 -0700") Message-ID: User-Agent: Gnus/5.110008 (No Gnus v0.8) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-DCC-Usenix-Metrics: voyager 1010; bulk rep Body=many Fuz1=1 Fuz2=1 rep=23% Cc: Sage Members Subject: Re: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list
List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2009 21:52:05 -0000

"John LLOYD" writes:
> Does anybody have experience, good or bad, with this unit?

I have one, and the experience is *awful*.

The unit must be managed with CAM, which requires a solaris server to sit on. Otherwise, you get no interface to the unit. No snmp, no alerts, no nothing.

The CAM software doesn't work with zones; may or may not work with opensolaris; has a bunch of dependencies; is badly packaged; and isn't well supported by sun.

There are these weird little bugs, like the "this disk is safe to remove" light not being turned off after disk swapping. Or how occasionally I just need to reboot the management server since the software gets wedged that badly.

There are bigger bugs like my not being able to update firmware. "unknown error type 81"

And even bigger bugs like how when I try to run the diagnostics, the management interface crashes.

Not to mention the general immaturity of the solaris sas support.

I hear sun's new fishwrap stuff might be better, but I haven't gotten any solid indication it's not just layered over this crap. I feel very down about sun's storage these days.
seph

From dmagda@ee.ryerson.ca Wed Mar 11 17:02:39 2009
From: David Magda
To: Chris Hoogendyk
Cc: John LLOYD, Sage Members
Date: Wed, 11 Mar 2009 19:52:16 -0400
Message-Id: <3F0AE522-A516-4A89-80B6-FD496D95519F@ee.ryerson.ca>
In-Reply-To: <49B83197.8080605@bio.umass.edu>
Subject: Re: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID

On Mar 11, 2009, at 17:48, Chris Hoogendyk wrote:

> The Jxxx boxes look similar to the 2530, but they are jbod.
> SAS hookups both internal and external. You need a SAS HBA in your
> server. But, then, the setup is a whole 'nother picture from the 2530.

If they're running Solaris, the OP may also want to check out ZFS and just skip the hardware RAID. Sun just announced SSD support today for regular servers, so if you throw your ZIL on that performance should fly even if you only use SATAs.

From dmagda@ee.ryerson.ca Wed Mar 11 17:33:38 2009
From: David Magda
To: trey@treyka.net
Cc: discuss@lopsa.org, sage-members@sage.org
Date: Wed, 11 Mar 2009 20:07:33 -0400
Message-Id: <523B24A1-EEF8-4F4B-971B-F09A8F8AE48E@ee.ryerson.ca>
Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins)
On Mar 11, 2009, at 04:16, Trey Darley wrote:

> I've looked at what's on sans.org - wondering what kind of juice y'all
> might have. Any input or pointers would be much appreciated.

10 Immutable Laws of Security

Law 6. A computer is only as secure as the administrator is trustworthy

http://technet.microsoft.com/en-ca/library/cc722487.aspx

From hyc@symas.com Wed Mar 11 21:48:18 2009
From: Howard Chu
To: David Magda
Cc: discuss@lopsa.org, sage-members@sage.org
Date: Wed, 11 Mar 2009 21:48:06 -0700
Message-ID: <49B89406.3010307@symas.com>
In-Reply-To: <523B24A1-EEF8-4F4B-971B-F09A8F8AE48E@ee.ryerson.ca>
Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins)
David Magda wrote:
> On Mar 11, 2009, at 04:16, Trey Darley wrote:
>
>> I've looked at what's on sans.org - wondering what kind of juice y'all
>> might have. Any input or pointers would be much appreciated.
>
> 10 Immutable Laws of Security
> Law 6. A computer is only as secure as the administrator is trustworthy

Pretty much, yes. A long time ago I worked on a product called AutoSecure ACX (which was formerly known as SeOS). It was a heavily-invasive set of kernel modules and daemons to monitor and control access to POSIX systems. Of course, anyone who thinks about it recognizes your Law 6 above; all of these systems are inherently exercises in futility. I generally stayed out of the ACX code but got dragged in from time to time when the regular team couldn't make particular modules work. Ultimately somebody has to have the privilege to turn this thing on and turn it off. Ultimately some human has privileged access to the central machine where all your audit logs reside. Etc...

At my current company I developed an IP access control module for Windows and Solaris that controlled outbound access based on the current userID/group memberships. As usual, anyone with privilege to activate the module also had sufficient privilege to deactivate it. But I at least rigged the code such that once it was activated, deactivating it would render the socket subsystem unusable until the next reboot. Still, any admin could simply come along and zero out the ACL list if they wanted to.

I think that's all a diversion from the original topic though - they're not asking about security software, they're talking about policies concerning trusted users. That's a completely different conversation from anything related to software, and one that probably gets far less attention than it deserves.
(Yeah, your OS is C2 secure, so what, your backups are run by a night operator who makes minimum wage. etc...)

This is more of a human resources issue - you have to identify the resources each admin is responsible for, and assess how important they are to the enterprise. When you figure out how much of your company's well-being you've actually entrusted to them, then you can decide how much you need to protect yourself from them, and how that protection should be embodied.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From ajr@trinity.fluff.org Thu Mar 12 06:07:04 2009
From: Adrian Rixon
To: Sage Members
Reply-To: ade.rixon@big-bubbles.fluff.org
Date: Thu, 12 Mar 2009 12:36:20 +0000
Message-ID: <20090312123620.GC17724@trinity.fluff.org>
Subject: Re: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID
11 Mar 05:44:59 PM: Meanwhile in the Sheraton, seph wrote:

> The unit must be managed with CAM, which requires a solaris server to
> sit on.

CAM is a Java app, which can also run on Windows and Linux. We've run v6.1 on Solaris 10 and Windows 2003 without any software problems.

http://www.sun.com/storagetek/management_software/resource_management/cam/

That said, it does rather feel like yesterday's product next to the shiny goodness of Sun's ZFS-based OpenStorage technologies.

Ade_ /

From robert@timetraveller.org Thu Mar 12 09:04:50 2009
Date: Thu, 12 Mar 2009 11:31:54 -0400 (EDT)
From: Robert Brockway
To: LOPSA Discuss List, sage-members@sage.org
In-Reply-To: <49B7CF85.4000903@shub-internet.org>
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Wed, 11 Mar 2009, Brad Knowles wrote:

> Here at UT Austin, we have something called a "Position of Special Trust",
> see and
> .
>
> This helps us meet state laws regarding individuals with access to sensitive
> information, as well as state-wide UT Systems policies (i.e., all the dozens
> of universities in the state that are part of the UT System umbrella), and
> UT Austin policies.

That's great to see. Most organisations and jurisdictions seem to fail to understand the problems associated with elevated privileges or simply decide to ignore them.

One of the main reasons I encourage sysadmins to join organisations like SAGE & LOPSA is so that they will become aware of the ethical responsibilities of system administration.

I predict that within 50 years (and probably a lot less) sysadmins will require formal training and government registration. In a society so dependent on computers how can we afford to do any less?

The exact nature of the training and registration remains to be seen. It might be like the process to become a doctor, lawyer or electrician.
Cheers,

Rob

-- 
I tried to change the world but they had a no-return policy
From dpuryear@puryear-it.com Thu Mar 12 09:53:45 2009
From: "Dustin Puryear"
Date: Thu, 12 Mar 2009 11:53:32 -0600
Message-ID: <43452C495F09D048BF7CE9F96B65688E05FD11@sbs.Puryear-IT.local>
Subject: Re: [SAGE] IBM DS3200 SAN and Red Hat - SCSI reservation conflict

Resolution: A previous owner of this LUN had a SCSI reservation on it. Cleared with sg_persist.

-----Original Message-----
From: sage-members-bounces@mailman.sage.org [mailto:sage-members-bounces@mailman.sage.org] On Behalf Of Dustin Puryear
Sent: Wednesday, March 11, 2009 12:06 PM
To: sage-members@sage.org
Subject: [SAGE] IBM DS3200 SAN and Red Hat - SCSI reservation conflict

Hey guys-

I'm hoping someone can shed some light on an issue we are having.
We have an IBM DS3200 SAN with Qlogic FC (qla2400). We have several LUNs exported, including one that attaches to /dev/sdd1. Everything works just fine except for /dev/sdd1, which goes corrupt randomly.

Quick review of our setup:

Blade1 = IBM blade with FC card and RHES4.7
Blade2 = IBM blade with FC card and RHES4.7

We are using the latest Qlogic drivers and the IBM RDAC download.

The goal is to set up Blade1 and Blade with Oracle and use SteelEye for failover. Both blade1 and blade2 are given the same LUNs from the SAN, but only one will ever mount a filesystem from the SAN at a time.

Well, this works great except for /dev/sdd1, which keeps going corrupt. I verified that blade2 is not trying to mount anything, only blade1 right now. And, in fact, we have uninstalled SteelEye for now so someone would have to manually mount /dev/sdb1, /dev/sdd1, /dev/sde1, etc., on blade2 instead of the default of blade1.

/dev/sdb1, /dev/sde1, etc. are fine. Only /dev/sdd1 gets corrupted. Also, /dev/sdd1 is the only one that gets "reservation conflict" error messages in dmesg.

Some info:

qla2400 0000:08:01.0: Found an ISP2422, irq 209, iobase 0xffffff0000002000
qla2400 0000:08:01.0: Configuring PCI space...
qla2400 0000:08:01.0: Configure NVRAM parameters...
qla2400 0000:08:01.0: Verifying loaded RISC code...
qla2400 0000:08:01.0: Allocated (64 KB) for EFT...
qla2400 0000:08:01.0: Allocated (1413 KB) for firmware dump...
qla2400 0000:08:01.0: Waiting for LIP to complete...
qla2400 0000:08:01.0: LIP reset occured (f7f7).
qla2400 0000:08:01.0: LIP occured (f7f7).
qla2400 0000:08:01.0: LOOP UP detected (4 Gbps).
qla2400 0000:08:01.0: Topology - (FL_Port), Host Loop address 0x0
scsi3 : qla2xxx
qla2400 0000:08:01.0: QLogic Fibre Channel HBA Driver: 8.01.07.15
  QLogic QMC2462S - IBM eServer BC 4Gb FC Expansion Card SFF
  ISP2422: PCI-X Mode 1 (133 MHz) @ 0000:08:01.0 hdma+, host#=3, fw=4.00.26 [IP]
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:10): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:11): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:12): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:13): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:0:14): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:10): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:11): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:12): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
qla2400 0000:08:01.0: scsi(3:0:1:13): Enabled tagged queuing, queue depth 32.
  Vendor: IBM  Model: 1814  FAStT  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05

The errors:

SCSI device sdb: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdb: drive cache: write back
SCSI device sdb: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdb: drive cache: write back
 sdb: sdb1
Attached scsi disk sdb at scsi5, channel 0, id 0, lun 10
Attached scsi generic sg1 at scsi5, channel 0, id 0, lun 10, type 0
  Vendor: IBM  Model: VirtualDisk  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
scsi(5:0:0:11): Enabled tagged queuing, queue depth 30.
SCSI device sdc: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdc: drive cache: write back
SCSI device sdc: 209715200 512-byte hdwr sectors (107374 MB)
SCSI device sdc: drive cache: write back
 sdc: sdc1
Attached scsi disk sdc at scsi5, channel 0, id 0, lun 11
Attached scsi generic sg2 at scsi5, channel 0, id 0, lun 11, type 0
  Vendor: IBM  Model: VirtualDisk  Rev: 0916
  Type: Direct-Access  ANSI SCSI revision: 05
scsi(5:0:0:12): Enabled tagged queuing, queue depth 30.
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1317 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1319 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1321 scsi5 (0,0,12) : reservation conflict
sdd: Unit Not Ready, error = 0x18
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 25 failure - RESERVATION CONFLICT.
vcmnd SN 1323 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 25 failure - RESERVATION CONFLICT.
vcmnd SN 1325 scsi5 (0,0,12) : reservation conflict
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 25 failure - RESERVATION CONFLICT.
vcmnd SN 1327 scsi5 (0,0,12) : reservation conflict
sdd : READ CAPACITY failed.
sdd : status=c, message=00, host=0, driver=00
sdd : sense not available.
SCSI device sdd: drive cache: write back
470 [RAIDarray.mpp]XXXX_Production_DS4700:0/1:any:12: mppVhba command 0 failure - RESERVATION CONFLICT.
vcmnd SN 1333 scsi5 (0,0,12) : reservation conflict
...
...
...
Buffer I/O error on device sdd1, logical block 39321056
Buffer I/O error on device sdd1, logical block 39321057
Buffer I/O error on device sdd1, logical block 39321058
Buffer I/O error on device sdd1, logical block 39321059
Buffer I/O error on device sdd1, logical block 39321060
Buffer I/O error on device sdd1, logical block 39321061
Buffer I/O error on device sdd1, logical block 39321062
Buffer I/O error on device sdd1, logical block 39321063
Buffer I/O error on device sdd1, logical block 39321064
Buffer I/O error on device sdd1, logical block 39321065

Thoughts?

-- 
Dustin Puryear
President and Sr. Consultant
Puryear Information Technology, LLC
225-706-8414 x112
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices/

_______________________________________________
sage-members mailing list
sage-members@mailman.sage.org
http://mailman.sage.org/mailman/listinfo/sage-members
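The resolution above (a stale SCSI-3 persistent reservation left on the LUN by a previous owner, cleared with sg_persist) is worth confirming read-only before anyone clears anything. As an added example, not code from the thread, the POSIX sh snippet below parses the output of sg_persist's read-reservation query to report whether a reservation is held and by which key; the /dev/sdd path is the one from the thread, while the two sg_persist output samples and the key value are constructed.

```shell
#!/bin/sh
# Added example (not from the list thread): detect a stale SCSI-3 persistent
# reservation on a LUN by parsing `sg_persist --in -r` (sg3_utils) output.
# This is the read-only check to run on a host that sees "reservation
# conflict" before deciding whether a previous owner's reservation is the cause.

# Constructed sample of sg_persist --in -r output when a reservation is held.
# The key value is made up; the inquiry line mirrors the IBM 1814 FAStT
# controller seen in the thread's dmesg output.
SAMPLE_HELD='  IBM       1814      FAStT     0916
  Peripheral device type: disk
  PR generation=0x3, Reservation follows:
    Key=0x4d8f1c2a00000001
    scope: LU_SCOPE,  type: Write Exclusive, registrants only'

# Constructed sample of the same query on a LUN with no reservation held.
SAMPLE_FREE='  IBM       1814      FAStT     0916
  Peripheral device type: disk
  PR generation=0x0, there is NO reservation held'

# pr_key OUTPUT: print the reservation key (0x...) found in OUTPUT, or nothing.
pr_key() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Key=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# pr_type OUTPUT: print the reservation type text (e.g. "Write Exclusive,
# registrants only"), or nothing when no reservation is held. Anchoring on
# "scope:" keeps the "Peripheral device type:" line from matching.
pr_type() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*scope:.*type:[[:space:]]*\(.*\)$/\1/p'
}

# pr_held OUTPUT: exit 0 when OUTPUT shows a reservation, 1 otherwise.
pr_held() {
    [ -n "$(pr_key "$1")" ]
}

# check_lun DEVICE: query the live device (needs sg3_utils and root) and
# report; exit 0 = reservation held, 1 = none, 2 = query failed.
check_lun() {
    out=$(sg_persist --in -r "$1" 2>&1) || {
        printf '%s: sg_persist failed: %s\n' "$1" "$out" >&2
        return 2
    }
    if pr_held "$out"; then
        printf '%s: reservation held, key %s, type: %s\n' \
            "$1" "$(pr_key "$out")" "$(pr_type "$out")"
        return 0
    fi
    printf '%s: no reservation held\n' "$1"
    return 1
}

# Uncomment to run against the LUN from the thread:
# check_lun /dev/sdd
```

A held reservation whose key belongs to no live host is the situation the resolution describes; the registered keys can be listed the same way with `sg_persist --in -k` to see which host owns it.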
From jal@mdacorporation.com Thu Mar 12 09:58:45 2009
From: "John LLOYD"
To: "Sage Members"
Date: Thu, 12 Mar 2009 09:58:40 -0700
Message-ID: <57F67688A8D72449AC80164DA982083104D8CF9C@VMXYVR1.ds.mda.ca>
In-Reply-To: <20090312123620.GC17724@trinity.fluff.org>
Subject: Re: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID

> That said, it does rather feel like yesterday's product next
> to the shiny
> goodness of Sun's ZFS-based OpenStorage technologies.
>

I'll be running RedHat on the server, so, no ZFS.

I've asked Dell if they'll support PERC on a Sun. That at least has a native command-line interface (plus a web interface for us memory-challenged.)

--John

From kurt.buff@gmail.com Thu Mar 12 10:33:22 2009
From: Kurt Buff
To: Robert Brockway
Date: Thu, 12 Mar 2009 09:37:22 -0700
References: <49B7CF85.4000903@shub-internet.org>
Cc: sage-members@sage.org
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Thu, Mar 12, 2009 at 08:31, Robert Brockway wrote:
> On Wed, 11 Mar 2009, Brad Knowles wrote:
>
>> Here at UT Austin, we have something called a "Position of Special Trust",
>> see and
>> .
>>
>> This helps us meet state laws regarding individuals with access to
>> sensitive
>> information, as well as state-wide UT Systems policies (i.e., all the
>> dozens
>> of universities in the state that are part of the UT System umbrella), and
>> UT Austin policies.
>
> That's great to see.  Most organisations and jurisdictions seem to fail to
> understand the problems associated with elevated privileges or simply decide
> to ignore them.
>
> One of the main reasons I encourage sysadmins to join organisations like
> SAGE & LOPSA is so that they will become aware of the ethical
> responsibilities of system administration.
>
> I predict that within 50 years (and probably a lot less) sysadmins will
> require formal training and government registration.  In a society so
> dependent on computers how can we afford to do any less?
>
> The exact nature of the training and registration remains to be seen.  It
> might be like the process to become a doctor, lawyer or electrician.

Thank the gods that I'll be dead by then. Rampant credentialism is killing competition, driving up prices, and making the world a worse place to live.

Just say no to licensing.
Kurt

From robert@timetraveller.org Thu Mar 12 10:49:37 2009
From: Robert Brockway
To: sage-members@sage.org
Date: Thu, 12 Mar 2009 13:49:27 -0400 (EDT)
References: <49B7CF85.4000903@shub-internet.org>
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 17:49:37 -0000

On Thu, 12 Mar 2009, Kurt Buff wrote:
> Thank the gods that I'll be dead by then. Rampant credentialism is
> killing competition, driving up prices, and making the world a worse
> place to live.

Hi Kurt. Do you think we are worse off because doctors require externally verified training and registration? I'm sure it does drive the cost of medical services up but I'm happier this way. The certification gives me more confidence that the doctor I'm going to has a clue and will make things better not worse.

Similarly I'm glad that electricians are required to receive specific training and pass certification courses before they are allowed to go out and wire houses and buildings. We're all safer thanks to these requirements.

Think about the damage a sysadmin in the right position can do right now.

In general the sysadmin can alter or read any information on any system they control and can do so in a manner which is undetectable. Yes there are ways to tackle this problem but none of them are great and few organisations even try.

Here we have a group of people who collectively have a lot of power at their fingertips. Will society stand for this power being unchecked? I doubt it.

We've recently seen some high profile examples of disgruntled sysadmins coming close to deleting all the data on all the systems of a large organisation (eg banks). In each case I've looked at they failed because they made stupid or trivial errors. Some people have succeeded in doing this of course but mostly with smaller organisations.

All it will take is a disgruntled sysadmin to inconvenience a large portion of the community and the government will start looking very closely at this issue. Perhaps it will be a problem with the water supply, or the sewerage system or maybe the traffic lights in a city will go down. Eventually something will trigger a response.
Cheers, Rob -- I tried to change the world but they had a no-return policy From gary.studwell@gmail.com Thu Mar 12 11:18:54 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CIIs7V050746 for ; Thu, 12 Mar 2009 11:18:54 -0700 (PDT) (envelope-from gary.studwell@gmail.com) Received: from mail-qy0-f106.google.com (mail-qy0-f106.google.com [209.85.221.106]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CIIpfp003127 for ; Thu, 12 Mar 2009 11:18:54 -0700 (PDT) Received: by qyk4 with SMTP id 4so2169733qyk.31 for ; Thu, 12 Mar 2009 11:18:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=brhrg1ozF4bX4sKETQ1WpqPBkqxK4c6v3Xnn7/AGQjo=; b=A8wOc1rda3I+RTOlEck3Aux00UsiWrTVxml6Yo+bhMCyc5AxrNK8mBzN4KaSWV7It0 0n18rbNBY2oLODFIUfnHUUhCzL6UbL2bideC0nPtr5yzLiXNvOJdCX0vutl4uN9q9CNe brxWyCdQ9CNQTr6Q6ZNXwpafZ4sOCZBqvUhIw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=FCUvDli+WaWfl2HGDYUF5buaMOJamJN4GcVXSb5frPD4T1YQ/e2ljcLl9Ek7gsPSFf mTsGrB38tLpAuiVRnPrTiWvFBxyf7HqmpzbVVqQMI2aBvmXmbzST6+LWzCZWtCOBBA/H Td8yr9vpNPCtrec9pKU7JR+UQq3qF/gtIPM3E= MIME-Version: 1.0 Received: by 10.143.40.5 with SMTP id s5mr98828wfj.282.1236881490324; Thu, 12 Mar 2009 11:11:30 -0700 (PDT) In-Reply-To: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> References: <57F67688A8D72449AC80164DA982083104D8CDB8@VMXYVR1.ds.mda.ca> Date: Thu, 12 Mar 2009 12:11:30 -0600 Message-ID: From: Gary Studwell To: John LLOYD Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=4% Cc: Sage Members Subject: Re: [SAGE] Sun/Storagetek StoreEdge 2530 SAS RAID 
X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 18:18:55 -0000

On Wed, Mar 11, 2009 at 3:04 PM, John LLOYD wrote:
> We have a requirement for a few TB of disk for a Sun M2200M2. One
> vendor came back with a quote for this, basically 12x450GB and a model
> 2530 RAID controller for SAS disks, 512MB cache, etc.
>
> Some reviews look pretty bad --
>
> Reviews such as
>
> http://www.sun.com/storage/disk_systems/workgroup/2530/customer-reviews.
> xml
>
> or
>
> http://blogs.smugmug.com/don/2007/05/16/sun-honeymoon-update-storage/
>
> Does anybody have experience, good or bad, with this unit?
>
> --John
>
> _______________________________________________
> sage-members mailing list
> sage-members@mailman.sage.org
> http://mailman.sage.org/mailman/listinfo/sage-members

Hi John,

No experience with this unit, but one of the reviews from April 2008 mentions a 1.9TB volume size limit. I ran into that issue with a Sun 6140 array last summer. Sun came to $WORK with bleedingly new versions of CAM and firmware. It was an adventure. Apparently we were the first in our state to get the update, but no problems since. Hopefully this is no longer a problem with new units.

Details - this problem was first reported in 2006. It turned out that the problem wasn't really a bug so much as conservative coding in part of the SCSI specification of Command Descriptor Block in the firmware. That was o.k. for smaller storage units, but became a problem with larger capacities. 6140's (and I guess some other arrays) firmware had never been revised for that. It used 12-byte CDBs, which creates the 1.9TB limit. I was told the new firmware raised that to 16-bytes. Our array was shipped with version 6 of the firmware and had to be bumped up to version 7.
Version 7 hadn't been released at the time the arrays shipped, although that doesn't seem a reasonable excuse considering the length of time that the problem was known. CAM had let me create the volumes, but it was frustrating to only be able to use 1.988TB of a volume. Fortunately the new versions took care of all that. I don't run CAM on Solaris and have had no problems, but really haven't had to use it much. Gary From jfoutz@gmail.com Thu Mar 12 12:07:19 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CJ7JTA051450 for ; Thu, 12 Mar 2009 12:07:19 -0700 (PDT) (envelope-from jfoutz@gmail.com) Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.28]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CJ7FNm004251 for ; Thu, 12 Mar 2009 12:07:18 -0700 (PDT) Received: by yx-out-2324.google.com with SMTP id 8so735499yxb.29 for ; Thu, 12 Mar 2009 12:07:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=9NKWHmeaZqSeMqJaHg2WZPhj1a8qWkZqEiBfmCLKP+0=; b=VT9GwYnQA3Nwk6Iy6QsDQevi0siIV5xUmfqYl2xR+XXG4h+iaoGdJgkruieSMXDCzl I/VUGYIPoVB367HD5aZTNnD8IE01T44xhQQgTTymaWFDn/+dNJ4hjiHhUaNSfSvrxJoM GA/F9ObSAb4jndpn+ppFDCmGxIcq+pgZWEW+I= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=X+T+xCiufo4enk1z6v/XU8NSHOB7TYFFuDjBDoSLXgeaSlmCQU0AkCrkrA9HDVqIK3 8UJ0fJcMHYVb692ghusX+Na3f0F2PX1aG0hGAQUy+mkHT9Z8kQLR/+1LcAu2e+t3dHvQ EoC4sSGPQglmhe1sXBaxl3E/bjwG9PE3t4Dg0= Received: by 10.142.180.20 with SMTP id c20mr80892wff.66.1236882843038; Thu, 12 Mar 2009 11:34:03 -0700 (PDT) Received: from ?192.168.1.3? 
(c-68-35-125-67.hsd1.nm.comcast.net [68.35.125.67]) by mx.google.com with ESMTPS id 32sm1875378wfa.0.2009.03.12.11.34.01 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 12 Mar 2009 11:34:02 -0700 (PDT) Message-Id: From: Jason Foutz To: Robert Brockway In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Thu, 12 Mar 2009 12:33:58 -0600 References: <49B7CF85.4000903@shub-internet.org> X-Mailer: Apple Mail (2.930.3) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=9% Cc: sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 19:07:19 -0000

I think you're mixing technical competence and ethics. Every certification I'm aware of is a measure of technical knowledge. I know doctors are expected to follow a code of ethics. I don't believe they're formally tested for comprehensive knowledge of the ethics code.

We put a lot of power in different people's hands. Mortgage brokers are a reasonable example of a profession where some members betrayed society's trust. Society marches on.

Disgruntled sysadmins that destroy property they don't own are felons.

To be clear, I think certifications are a great way to get your foot in the door at a new job. Certifications do absolutely nothing to prevent malicious data loss.

Jason

On Mar 12, 2009, at 11:49 AM, Robert Brockway wrote:
> On Thu, 12 Mar 2009, Kurt Buff wrote:
>
>> Thank the gods that I'll be dead by then. Rampant credentialism is
>> killing competition, driving up prices, and making the world a worse
>> place to live.
>
> Hi Kurt.
> Do you think we are worse off because doctors require
> externally verified training and registration? I'm sure it does
> drive the cost of medical services up but I'm happier this way. The
> certification gives me more confidence that the doctor I'm going to
> has a clue and will make things better not worse.
>
> Similarly I'm glad that electricians are required to receive
> specific training and pass certification courses before they are
> allowed to go out and wire houses and buildings. We're all safer
> thanks to these requirements.
>
> Think about the damage a sysadmin in the right position can do right
> now.
>
> In general the sysadmin can alter or read any information on any
> system they control and can do so in a manner which is undetectable.
> Yes there are ways to tackle this problem but none of them are great
> and few organisations even try.
>
> Here we have a group of people who collectively have a lot of power
> at their fingertips. Will society stand for this power being
> unchecked? I doubt it.
>
> We've recently seen some high profile examples of disgruntled
> sysadmins coming close to deleting all the data on all the systems
> of a large organisation (eg banks). In each case I've looked at
> they failed because they made stupid or trivial errors. Some people
> have succeeded in doing this of course but mostly with smaller
> organisations.
>
> All it will take is a disgruntled sysadmin to inconvenience a large
> portion of the community and the government will start looking very
> closely at this issue. Perhaps it will be a problem with the water
> supply, or the sewerage system or maybe the traffic lights in a city
> will go down. Eventually something will trigger a response.
> > Cheers, > > Rob > > -- > I tried to change the world but they had a no-return policy > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members From robert@timetraveller.org Thu Mar 12 12:10:17 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CJAHoC051503 for ; Thu, 12 Mar 2009 12:10:17 -0700 (PDT) (envelope-from robert@timetraveller.org) Received: from capella.opentrend.net (capella.opentrend.net [64.22.125.103]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CJAElW004306 for ; Thu, 12 Mar 2009 12:10:16 -0700 (PDT) Received: by capella.opentrend.net (Postfix, from userid 1004) id AD0E0DD65; Thu, 12 Mar 2009 15:10:08 -0400 (EDT) X-Spam-Checker-Version: SpamAssassin 3.1.7-deb3 (2006-10-05) on capella.opentrend.net X-Spam-Level: X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.1.7-deb3 Received: from castor.opentrend.net (unknown [192.168.120.16]) by capella.opentrend.net (Postfix) with ESMTP id EE7E4DD62 for ; Thu, 12 Mar 2009 15:10:06 -0400 (EDT) Received: by castor.opentrend.net (Postfix, from userid 1000) id 79C3470247FB; Thu, 12 Mar 2009 15:10:06 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by castor.opentrend.net (Postfix) with ESMTP id 5A43731A84DA for ; Thu, 12 Mar 2009 15:10:06 -0400 (EDT) Date: Thu, 12 Mar 2009 15:10:06 -0400 (EDT) From: Robert Brockway X-X-Sender: robert@castor.opentrend.net To: sage-members@sage.org In-Reply-To: Message-ID: References: <49B7CF85.4000903@shub-internet.org> User-Agent: Alpine 1.10 (DEB 962 2008-03-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org 
X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 19:10:17 -0000

On Thu, 12 Mar 2009, Jason Foutz wrote:
> I think you're mixing technical competence and ethics. Every certification

Hi Jason. I'm not mixing them up although reading over my last email I can see how you might have got that impression. I probably should have separated the two aspects more.

I see both aspects emerging: Formal technical training _and_ background checks as part of the government certification process. There is simply no way to completely eliminate the risk of a bad guy slipping through (or becoming corrupt later) but it is possible to greatly reduce their numbers. Various private and public organisations have developed fairly effective methods of doing this.

Imagine positive vetting for sysadmins :) I'm not proposing it will go quite that far but I think we will end up with some sort of mandated certification which has knowledge and background components.

> We put a lot of power in different people's hands. Mortgage brokers are a
> reasonable example of a profession where some members betrayed society's
> trust. Society marches on.

They can't do widespread infrastructure damage without warning.

> Disgruntled sysadmins that destroy property they don't own, are felons.

Of course they are, and a few are already behind bars.

> To be clear, I think certifications are a great way to get your foot in the
> door at a new job. Certifications do absolutely nothing to prevent malicious
> data loss.

The certifications of today have nothing in common with what I'm saying will come to pass. I was trying to avoid using that term vis-a-vis sysadmins to avoid exactly this sort of confusion.
Hmm looks like I did use the term certification once but it was in reference to doctors :) Cheers, Rob -- I tried to change the world but they had a no-return policy From kurt.buff@gmail.com Thu Mar 12 12:16:11 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CJGBGR051618 for ; Thu, 12 Mar 2009 12:16:11 -0700 (PDT) (envelope-from kurt.buff@gmail.com) Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.172]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CJG8Gk004470 for ; Thu, 12 Mar 2009 12:16:10 -0700 (PDT) Received: by wf-out-1314.google.com with SMTP id 23so1237870wfg.26 for ; Thu, 12 Mar 2009 12:16:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=meYJ/SpiLdqrEvHyslzOYe1AIt5d0bGXPUzg2xg8IpI=; b=adTfQ3gD8FnPZd5AAdCTC3bF8PStQAue66ai02YlfPiiZpiYpCS4L9su4TnQBYC/DS dwf34YDoe8Y6TAmiDfxCrzxK67HBlHPcyIcKroLGPtv39UDtD038IROZgeJpBqrcpWHj Ahq7RblljHNLRwvDj6UUjxj6JDNvfbtc6tB6Y= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=hSzka0y9vCi4IdsDr6CGc0CtZFkpB+KjGHEb2bBgld5YMhunRueHv0+5VZ5MegrPUl QjQntFgeUxn+vSMop2+ahMFD/bLP0RdM+CsW8dWidVFJzwkSptDtZKEmpukcRi88O104 ddLqukfPZLN0v+aafyVBDNazsEGIzMewgAkek= MIME-Version: 1.0 Received: by 10.142.186.15 with SMTP id j15mr131231wff.271.1236885367976; Thu, 12 Mar 2009 12:16:07 -0700 (PDT) In-Reply-To: References: <49B7CF85.4000903@shub-internet.org> Date: Thu, 12 Mar 2009 12:16:07 -0700 Message-ID: From: Kurt Buff To: Robert Brockway Content-Type: text/plain; charset=UTF-8 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=8% Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by 
hoshi.usenix.org id n2CJGBGR051618 Cc: sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 19:16:11 -0000

On Thu, Mar 12, 2009 at 10:49, Robert Brockway wrote:
> On Thu, 12 Mar 2009, Kurt Buff wrote:
>
>> Thank the gods that I'll be dead by then. Rampant credentialism is
>> killing competition, driving up prices, and making the world a worse
>> place to live.
>
> Hi Kurt.  Do you think we are worse off because doctors require externally
> verified training and registration?

Yes.

> I'm sure it does drive the cost of
> medical services up but I'm happier this way.  The certification gives me
> more confidence that the doctor I'm going to has a clue and will make things
> better not worse.

Q: What do you call someone who graduated last in their class in medical school?

A: Doctor

> Similarly I'm glad that electricians are required to receive specific
> training and pass certification courses before they are allowed to go out
> and wire houses and buildings.  We're all safer thanks to these
> requirements.

See above Q&A.

Consider also that just because someone is certified doesn't mean that they're accountable, reasonable or innocent. It's merely a barrier to entry into the profession.

> Think about the damage a sysadmin in the right position can do right now.
>
> In general the sysadmin can alter or read any information on any system they
> control and can do so in a manner which is undetectable.  Yes there are ways
> to tackle this problem but none of them are great and few organisations even
> try.

I do think about it - a lot. I try to hire only reliable, honest, trustworthy people.
That means references and work history, not certifications. Promotions depend on good work.

I have no college degree and no certification. I've been working in IT (well, they called it data processing when/where I started), for over 20 years, and I came on board with no particular experience, just a burning desire to "work with computers".

> Here we have a group of people who collectively have a lot of power at their
> fingertips.  Will society stand for this power being unchecked?  I doubt it.

I know - they're ignorant and fearful, because those who are supposed to have knowledge have been bleating about "threats to our security" and "it's for the children" and "if it only saves one life it'll be worth it", and people have come to the point that they don't like or trust their own freedom. Pity that.

> We've recently seen some high profile examples of disgruntled sysadmins
> coming close to deleting all the data on all the systems of a large
> organisation (eg banks).  In each case I've looked at they failed because
> they made stupid or trivial errors.  Some people have succeeded in doing
> this of course but mostly with smaller organisations.

And how will certification stop any of this? Does certification make people more honest?

> All it will take is a disgruntled sysadmin to inconvenience a large portion
> of the community and the government will start looking very closely at this
> issue.  Perhaps it will be a problem with the water supply, or the sewerage
> system or maybe the traffic lights in a city will go down.  Eventually
> something will trigger a response.

Indeed. If it saves just one child from acne, I'm sure we'll sacrifice nearly anything.
Kurt

From lindsey@acm.org Thu Mar 12 12:43:23 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CJhNMM052168 for ; Thu, 12 Mar 2009 12:43:23 -0700 (PDT) (envelope-from lindsey@acm.org) Received: from e-c-group.com (mail.ispsouth.com [216.128.192.248]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CJhKNX005026 for ; Thu, 12 Mar 2009 12:43:23 -0700 (PDT) Received: from [24.172.251.165] (account lindsey HELO [172.24.127.62]) by e-c-group.com (CommuniGate Pro SMTP 5.0.13) with ESMTPSA id 120675716; Thu, 12 Mar 2009 14:43:18 -0500 Message-Id: From: "Mark R. Lindsey" To: Jason Foutz In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Thu, 12 Mar 2009 15:43:30 -0400 References: <49B7CF85.4000903@shub-internet.org> X-Mailer: Apple Mail (2.930.3) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 19:43:24 -0000

On Mar 12, 2009, at 2:33 PM, Jason Foutz wrote:
> To be clear, I think certifications are a great way to get your foot
> in the door at a new job. Certifications do absolutely nothing to
> prevent malicious data loss.

A better-trained admin should know how to destroy data even more effectively and secretly than a poorly-trained admin.
From doug@will.to Thu Mar 12 12:56:58 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CJuw5P052468 for ; Thu, 12 Mar 2009 12:56:58 -0700 (PDT) (envelope-from doug@will.to) Received: from will.to (mailman.will.to [68.164.136.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CJusxY005376 for ; Thu, 12 Mar 2009 12:56:57 -0700 (PDT) Received: from [149.77.212.99] (psistorm.nyc.deshaw.com [149.77.212.99]) (authenticated bits=0) by will.to (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id n2CJS7Dn030331 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 12 Mar 2009 15:28:08 -0400 Message-ID: <49B96902.7010008@will.to> Date: Thu, 12 Mar 2009 15:56:50 -0400 From: Doug Hughes User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Kurt Buff References: <49B7CF85.4000903@shub-internet.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0rc3 (will.to [68.164.136.125]); Thu, 12 Mar 2009 15:28:08 -0400 (EDT) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 19:56:59 -0000 Kurt Buff wrote: > On Thu, Mar 12, 2009 at 10:49, Robert Brockway wrote: > >> On Thu, 12 Mar 2009, Kurt Buff wrote: >> >> >>> Thank the gods that I'll be dead by then. Rampant credentialism is >>> killing competition, driving up prices, and making the world a worse >>> place to live. >>> >> Hi Kurt. 
>> Do you think we are worse off because doctors require externally
>> verified training and registration?
>
> Yes.
>
>> I'm sure it does drive the cost of
>> medical services up but I'm happier this way. The certification gives me
>> more confidence that the doctor I'm going to has a clue and will make things
>> better not worse.
>
> Q: What do you call someone who graduated last in their class in medical school?
>
> A: Doctor

This may be unnecessarily pejorative. Somebody has to graduate last just as somebody has to graduate first, that's the nature of rankings. Ranking last doesn't necessarily mean somebody is terrible. Similarly, ranking first doesn't necessarily mean somebody is fantastic (or even good). There are a lot who fail/drop out of medical school, as well as law school, engineering school, and any other school.

From tytso@mit.edu Thu Mar 12 13:01:06 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CK16Yg052530 for ; Thu, 12 Mar 2009 13:01:06 -0700 (PDT) (envelope-from tytso@mit.edu) Received: from thunker.thunk.org (thunk.org [69.25.196.29]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CK138B005501 for ; Thu, 12 Mar 2009 13:01:05 -0700 (PDT) Received: from root (helo=closure.thunk.org) by thunker.thunk.org with local-esmtp (Exim 4.50 #1 (Debian)) id 1Lhr5M-0003KG-SG; Thu, 12 Mar 2009 16:00:57 -0400 Received: from tytso by closure.thunk.org with local (Exim 4.69) (envelope-from ) id 1Lhr5L-0004v6-Kq; Thu, 12 Mar 2009 16:00:55 -0400 Date: Thu, 12 Mar 2009 16:00:55 -0400 From: Theodore Tso To: Robert Brockway Message-ID: <20090312200055.GF17104@mit.edu> References: <49B7CF85.4000903@shub-internet.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@mit.edu X-SA-Exim-Scanned: No (on thunker.thunk.org); SAEximRunCond expanded to false
X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 20:01:06 -0000

On Thu, Mar 12, 2009 at 01:49:27PM -0400, Robert Brockway wrote:
> Hi Kurt. Do you think we are worse off because doctors require
> externally verified training and registration? I'm sure it does drive
> the cost of medical services up but I'm happier this way. The
> certification gives me more confidence that the doctor I'm going to has a
> clue and will make things better not worse.

You can create a training and certification program that verifies a professional's *competence*. But this is very different from verifying their *ethics*.

> We've recently seen some high profile examples of disgruntled sysadmins
> coming close to deleting all the data on all the systems of a large
> organisation (eg banks). In each case I've looked at they failed because
> they made stupid or trivial errors. Some people have succeeded in doing
> this of course but mostly with smaller organisations.

It's not at all clear how a certification program would be able to detect whether or not a system administrator will do something anti-social if they were to become disgruntled.... one could just as easily ask how a certification program might be able to detect whether or not a hedge fund manager is prone to start running a Ponzi scheme.
- Ted

From brent@netomata.com Thu Mar 12 13:04:33 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CK4Wp9052608 for ; Thu, 12 Mar 2009 13:04:32 -0700 (PDT) (envelope-from brent@netomata.com) Received: from mail-qy0-f106.google.com (mail-qy0-f106.google.com [209.85.221.106]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CK4Tuc005606 for ; Thu, 12 Mar 2009 13:04:32 -0700 (PDT) Received: by qyk4 with SMTP id 4so2360525qyk.31 for ; Thu, 12 Mar 2009 13:04:24 -0700 (PDT) MIME-Version: 1.0 Received: by 10.142.12.14 with SMTP id 14mr120488wfl.54.1236888263395; Thu, 12 Mar 2009 13:04:23 -0700 (PDT) In-Reply-To: References: <49B7CF85.4000903@shub-internet.org> Date: Thu, 12 Mar 2009 13:04:23 -0700 Message-ID: From: Brent Chapman To: sage-members@sage.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=4% Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 20:04:33 -0000

I _know_ I'm eventually going to regret prolonging this discussion, but here we go...

On Thu, Mar 12, 2009 at 12:16 PM, Kurt Buff wrote:
> And how will certification stop any of this? Does certification make
> people more honest?

If you view it as "certification" (i.e., has person W been tested in some way to determine that they know facts X, Y, and Z?), then no...

However, if you view it as "credentialing", and if credentials are something that are both necessary to get a job in the profession and that can be taken away for misconduct, then I'd say it's a powerful incentive for folks to be honest and law-abiding.
For example, to practice law as an attorney in the US, you have to do 2 things:

1) Pass the bar exam for your state (this is the "certification")
2) Be admitted by the bar association, which is a professional organization with legal backing from the state (this is the "credentialing")

If you pass the bar exam, they can't take that away from you (short of demonstrating that you cheated, for instance by paying somebody else to take the exam in your place). You passed; it's a fact.

However, if you get thrown out of the bar association (or never get admitted to it in the first place), the fact that you've passed the bar exam doesn't really matter in a career sense. Without being a member of the relevant bar association, you are generally prohibited from practicing law in most jurisdictions. You may know a lot more about the law than the average citizen (which you demonstrated by passing the bar exam), but you still can't practice as a lawyer.

So, if you want to encourage ethical/moral/legal behavior through a "certification" or "credentialing" system, then the certification/credential has to be something that can be withheld or revoked for "bad behavior" (however that's defined), and the lack of which certification/credential has significant professional consequences (up to and including prohibiting you from practicing the profession).

-Brent

--
Brent Chapman
Founder and CEO // Netomata, Inc.
// www.netomata.com Making networks more reliable and flexible by automating network configuration From plathrop@tertiusfamily.net Thu Mar 12 13:21:00 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2CKL0Xb052788 for ; Thu, 12 Mar 2009 13:21:00 -0700 (PDT) (envelope-from plathrop@tertiusfamily.net) Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.30]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2CKKvQF005916 for ; Thu, 12 Mar 2009 13:21:00 -0700 (PDT) Received: by yx-out-2324.google.com with SMTP id 8so772194yxb.29 for ; Thu, 12 Mar 2009 13:20:56 -0700 (PDT) MIME-Version: 1.0 Received: by 10.100.14.10 with SMTP id 10mr361335ann.152.1236888952925; Thu, 12 Mar 2009 13:15:52 -0700 (PDT) In-Reply-To: References: <49B7CF85.4000903@shub-internet.org> Date: Thu, 12 Mar 2009 13:15:52 -0700 Message-ID: From: Paul Lathrop To: Brent Chapman Content-Type: text/plain; charset=UTF-8 X-DCC-Usenix-Metrics: voyager 1010; Body=2 Fuz1=2 Fuz2=2 rep=9% Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n2CKL0Xb052788 Cc: sage-members@sage.org Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins) X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Mar 2009 20:21:01 -0000 On Thu, Mar 12, 2009 at 1:04 PM, Brent Chapman wrote: > I _know_ I'm eventually going to regret prolonging this discussion, > but here we go... Heh. Me too. > However, if you get thrown out of the bar association (or never get > admitted to it in the first place), the fact that you've passed the > bar exam doesn't really matter in a career sense.  
Without being a > member of the relevant bar association, you are generally prohibited > from practicing law in most jurisdictions.  You may know a lot more > about the law than the average citizen (which you demonstrated by > passing the bar exam), but you still can't practice as a lawyer. You are making the assumption that the only way to get thrown out of the bar association is by engaging in unethical/illegal behavior. This is a fallacy. Let's look at another example, a former lawyer I am acquainted with. This person was in a consensual open relationship. Their behavior was ethical and legal, and also had no bearing on their practice of law. All the same, one of their colleagues discovered this relationship and, because the relationship offended their sensibilities, campaigned to have my acquaintance disbarred. This campaign was successful. > So, if you want to encourage ethical/moral/legal behavior through a > "certification" or "credentialing" system, then the > certification/credential has to be something that can be withheld or > revoked for "bad behavior" (however that's defined), and the lack of > which certification/credential has significant professional > consequences (up to and including prohibiting you from practicing the > profession). Who watches the watchmen? Who keeps these credentials from being revoked from perfectly ethical, talented individuals who practice their profession with integrity and skill, due to unrelated politics? Certification / credentialing are not a solution. 
--Paul Lathrop

From kurt.buff@gmail.com Thu Mar 12 13:43:27 2009
From: Kurt Buff
To: sage-members@sage.org
Date: Thu, 12 Mar 2009 13:36:31 -0700
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Thu, Mar 12, 2009 at 13:04, Brent Chapman wrote:
> I _know_ I'm eventually going to regret prolonging this discussion,
> but here we go...
>
> On Thu, Mar 12, 2009 at 12:16 PM, Kurt Buff wrote:
>> And how will certification stop any of this? Does certification make
>> people more honest?
>
> If you view it as "certification" (i.e., has person W been tested in
> some way to determine that they know facts X, Y, and Z?), then no...
>
> However, if you view it as "credentialing", and if credentials are
> something that are both necessary to get a job in the profession and
> that can be taken away for misconduct, then I'd say it's a powerful
> incentive for folks to be honest and law-abiding.
>
> For example, to practice law as an attorney in the US, you have to do 2 things:
>
> 1) Pass the bar exam for your state (this is the "certification")
> 2) Be admitted by the bar association, which is a professional
> organization with legal backing from the state (this is the
> "credentialing")
>
> If you pass the bar exam, they can't take that away from you (short of
> demonstrating that you cheated, for instance by paying somebody else
> to take the exam in your place). You passed; it's a fact.
>
> However, if you get thrown out of the bar association (or never get
> admitted to it in the first place), the fact that you've passed the
> bar exam doesn't really matter in a career sense. Without being a
> member of the relevant bar association, you are generally prohibited
> from practicing law in most jurisdictions. You may know a lot more
> about the law than the average citizen (which you demonstrated by
> passing the bar exam), but you still can't practice as a lawyer.
>
> So, if you want to encourage ethical/moral/legal behavior through a
> "certification" or "credentialing" system, then the
> certification/credential has to be something that can be withheld or
> revoked for "bad behavior" (however that's defined), and the lack of
> which certification/credential has significant professional
> consequences (up to and including prohibiting you from practicing the
> profession).

IMNHO, these credentialing bodies are government unions, no more, no less. They have been used for economic advantage, and have hindered progress at far too many points. Case in point: the recent apology by the AMA to blacks - many years late.

That they once in a while kick out a bad egg is pretty funny - given how many they don't kick out for conduct that a layman would consider criminally egregious.

I'm not buying your argument one little bit.

Kurt

From robert@timetraveller.org Thu Mar 12 13:46:14 2009
From: Robert Brockway
To: sage-members@sage.org
Date: Thu, 12 Mar 2009 16:46:04 -0400 (EDT)
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Thu, 12 Mar 2009, Paul Lathrop wrote:
> On Thu, Mar 12, 2009 at 1:04 PM, Brent Chapman wrote:
>> I _know_ I'm eventually going to regret prolonging this discussion,
>> but here we go...
>
> Heh. Me too.

You both are :)

Brent's post encapsulated what I was trying to say much better than I had managed to do in either of my posts. Well done Brent.

> You are making the assumption that the only way to get thrown out of
> the bar association is by engaging in unethical/illegal behavior. This
> is a fallacy. Let's look at another example, a former lawyer I am
> acquainted with. This person was in a consensual open relationship.
> Their behavior was ethical and legal, and also had no bearing on their
> practice of law. All the same, one of their colleagues discovered this
> relationship and, because the relationship offended their
> sensibilities, campaigned to have my acquaintance disbarred. This
> campaign was successful.

This sort of thing is very sad. I don't see it so much as a problem with credentialing[1] itself as the implementation.

[1] A new word but it serves the purpose :)

> Who watches the watchmen? Who keeps these credentials from being
> revoked from perfectly ethical, talented individuals who practice
> their profession with integrity and skill, due to unrelated politics?

These are completely valid concerns. I wonder how electricians, doctors and lawyers handle this (the story above notwithstanding)? I'm going to research this more.

> Certification / credentialing are not a solution.

Then what is? This is a serious question. I'm always open to new ideas.

For all the problems I think credentialing may be the best available solution. I see a parallel with government here: In some ways democracy completely sucks but all the other systems seem to be even worse.

Rob

--
I tried to change the world but they had a no-return policy

From allbery@ece.cmu.edu Thu Mar 12 14:52:36 2009
From: "Brandon S. Allbery KF8NH"
To: Jason Foutz
Cc: LOPSA Discuss List, SAGE mailing list
Date: Thu, 12 Mar 2009 17:52:14 -0400
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On 2009 Mar 12, at 14:33, Jason Foutz wrote:
> I think you're mixing technical competence and ethics. Every
> certification I'm aware of is a measure of technical knowledge. I
> know doctors are expected to follow a code of ethics. I don't
> believe they're formally tested for comprehensive knowledge of the
> ethics code.

Ethics is covered in medical school; the degree should indicate knowledge of the ethics code. Of course, knowledge doesn't necessarily imply commitment to it.

One thing to keep in mind about professional organizations is that they're also about self-protection; if you are accused of an ethics violation you have some recourse. The flip side of which is that they should also be self-policing: I've found myself wondering if our advertising a Code of Ethics has any legal implications in that regard.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH

From robert@timetraveller.org Thu Mar 12 15:18:41 2009
From: Robert Brockway
To: sage-members@sage.org
Date: Thu, 12 Mar 2009 18:18:32 -0400 (EDT)
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Thu, 12 Mar 2009, Paul Lathrop wrote:
> The answer is there is no easy, pithy solution that works for
> everyone, everywhere. Fact: if you hire a sysadmin who lacks

Hi Paul. I don't believe anyone at any point in this discussion presumed the answer would be easy. The solution I've proposed (and believe will come to pass whether I want it to or not) certainly won't be easy.

Rob

--
I tried to change the world but they had a no-return policy

From cmc@math.hmc.edu Thu Mar 12 16:07:01 2009
From: "C.M. Connelly"
Organization: Harvey Mudd College, Department of Mathematics
To: Kurt Buff
Cc: sage-members@sage.org
Date: Thu, 12 Mar 2009 16:06:50 -0700
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

The AMA doesn't do licensing -- you don't have to be a member of the AMA (technically of a county or state medical association) to be a doctor. Licensing is done by state medical boards (in California, it's the Medical Board of California, which is part of the state government).

The AMA and its state and local chapters basically exist to do two things: (1) lobby governments to push laws in directions that the members want (e.g., stopping pharmacists from offering medical advice); and (2) provide educational and other benefits to member doctors (e.g., advice on running a medical business; health insurance and discount programs; and several medical-practice quality programs, which include offering and tracking credits for continuing medical education programs, being involved in accreditation of review boards, and doing a variety of surveys).

Seems like SAGE and LOPSA fall into roughly the same category.
Claire

ObDisclosure: I used to work for the California Medical Association (as a sysadmin).

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Claire Connelly                                 cmc@math.hmc.edu
Systems Administrator                           (909) 621-8754
Department of Mathematics                       Harvey Mudd College
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From plathrop@tertiusfamily.net Thu Mar 12 18:32:33 2009
From: Paul Lathrop
To: Robert Brockway
Cc: sage-members@sage.org
Date: Thu, 12 Mar 2009 15:07:47 -0700
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Thu, Mar 12, 2009 at 1:46 PM, Robert Brockway wrote:
>> Certification / credentialing are not a solution.
>
> Then what is? This is a serious question. I'm always open to new ideas.

The answer is there is no easy, pithy solution that works for everyone, everywhere. Fact: if you hire a sysadmin who lacks integrity, then s/he can very likely cause you problems. My advice is, do your best to hire trustworthy people, understand that all life is risk, and mitigate risks as appropriate for your situation. (Keeping your sysadmins happy might be a good idea too!)

Credentialing invites you to pretend like someone else has already mitigated your risks, when it doesn't actually do anything of the sort. It's like the security theater at the airports these days; demonstrably ineffective except at making people feel better and allowing them to blame someone else when bad things happen.
--Paul Lathrop

From john@stoffel.org Thu Mar 12 18:46:06 2009
From: "John Stoffel"
To: "Mark R. Lindsey"
Cc: sage-members@sage.org
Date: Thu, 12 Mar 2009 21:45:57 -0400
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

Mark> On Mar 12, 2009, at 2:33 PM, Jason Foutz wrote:
>> To be clear, I think certifications are a great way to get your foot
>> in the door at a new job. Certifications do absolutely nothing to
>> prevent malicious data loss.

Mark> A better-trained admin should know how to destroy data even more
Mark> effectively and secretly than a poorly-trained admin.

Just the point I was going to make!

From dan@geer.org Thu Mar 12 19:23:57 2009
From: dan@geer.org
To: Kurt Buff
Cc: sage-members@sage.org
Date: Thu, 12 Mar 2009 22:23:47 -0400
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

Kurt, I'm with you, Sir. Creeping credentialism benefits no one but the plaintiff's bar.

--dan

The great distinction: A conservative is a socialist who worships order. A liberal is a socialist who worships safety.
-- Victor Milán, 1999

From dave@compata.com Thu Mar 12 20:06:05 2009
From: Dave Close
To: sage-members@sage.org
Date: Thu, 12 Mar 2009 20:06:00 -0700

Robert Brockway wrote:
> Hi Kurt. Do you think we are worse off because doctors require externally
> verified training and registration? I'm sure it does drive the cost of
> medical services up but I'm happier this way. The certification gives me
> more confidence that the doctor I'm going to has a clue and will make
> things better not worse.
>
> Similarly I'm glad that electricians are required to receive specific
> training and pass certification courses before they are allowed to go out
> and wire houses and buildings. We're all safer thanks to these
> requirements.

You're only somewhat better protected against violations by sole practitioners.
And even then, only if you actually check the license.

Without licensing, you could hold the employer liable. Most doctors and electricians are employees today. Those employers are happy to shift the burden of liability to the government. And don't think about suing the government if they make a mistake (they don't do that, do they?).

> Think about the damage a sysadmin in the right position can do right now.

And you think a license or certification would prevent that?

--
Dave Close, Compata, Costa Mesa CA
+1 714 434 7359 dave@compata.com dhclose@alumni.caltech.edu
"Words are too fragile to carry ideas." -- Dick Boyd

From trey@treyka.net Fri Mar 13 01:32:09 2009
From: "Trey Darley"
To: trey@treyka.net
Cc: discuss@lopsa.org, sage-members@sage.org
Date: Fri, 13 Mar 2009 09:32:00 +0100 (CET)
Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

Y'all -

This discussion has degenerated^H^H^H^H^H^H^H^H^H^H^Hevolved into a rehash of the perennial licensing debate. So far Brad Knowles is the only person who has been able to provide an example of how their org deals with trusted insiders on a *policy* level. I realize that a lot of orgs have implicitly dealt with this through their HIPAA / Sarbox / etc compliance processes. I'm curious how orgs that *aren't* bound by such legislation have confronted the problem on a policy level.

Cheers,
--Trey

> Greetings & salutations -
>
> I've looked at what's on sans.org - wondering what kind of juice y'all
> might have. Any input or pointers would be much appreciated.
>
> Cheers,
> --Trey
>

From robert@timetraveller.org Fri Mar 13 06:33:50 2009
From: Robert Brockway
To: sage-members@sage.org
Date: Fri, 13 Mar 2009 09:33:41 -0400 (EDT)
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

On Thu, 12 Mar 2009, Dave Close wrote:
>> Think about the damage a sysadmin in the right position can do right now.
>
> And you think a license or certification would prevent that?

Prevent? Of course not. I think everyone in the discussion is sensible enough to realise nothing will prevent these problems.

Reduce? Yes I believe it would. Just as I believe that licensing of doctors reduces incidents of fakers peddling medical or surgical services.
Rob

--
I tried to change the world but they had a no-return policy

From irilyth@swarpa.net Fri Mar 13 06:57:16 2009
From: Josh Smift
Date: Fri, 13 Mar 2009 09:57:12 -0400
To: sage-members@sage.org
Message-ID: <18874.26168.209015.41637@melfpelt.swarpa.net>
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

RB == Robert Brockway

RB> I believe that licencing of doctors reduces incidents of fakers
RB> peddling medical or surgical services.

What you're essentially saying here, though, is that the problem of fakers is a bigger problem than the problem of preventing honest and talented people, who don't (for whatever reason) want to become licensed, practicing good honest medicine.
This may not be a big problem in medicine, but it is a problem in many other fields, where honest and talented people are forced to go through an onerous licensing process, with the net effect of artificially reducing the supply of people who can legally practice in that field.

I posted these links to some stories about licensing being used to stifle competition in various fields, to another list; here they are on this one:

* Computer repair:
  http://www.ij.org/index.php?option=com_content&task=view&id=2189&Itemid=129

* Interior design (in various states):
  http://www.ij.org/index.php?option=com_content&task=view&id=1240&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=2359&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=2383&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=717&Itemid=165

* Funeral homes:
  http://www.ij.org/index.php?option=com_content&task=view&id=681&Itemid=165

* Equine dentistry:
  http://www.ij.org/index.php?option=com_content&task=view&id=651&Itemid=165

* Hair braiding (in various states):
  http://www.ij.org/index.php?option=com_content&task=view&id=2212&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=851&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=836&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=830&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=797&Itemid=165
  http://www.ij.org/index.php?option=com_content&task=view&id=791&Itemid=165

* Pest control:
  http://www.ij.org/index.php?option=com_content&task=view&id=865&Itemid=165

There are plenty more. All of these are situations where someone is claiming that we need to fight against the danger of unlicensed practitioners, at the expense of forcing honest people out of their chosen career.
You can argue that this is a worthwhile tradeoff, but you have to watch both sides of the trade, and not focus on the benefits to insiders while ignoring the costs to everyone else.

-Josh (irilyth@infersys.com)

From irilyth@swarpa.net Fri Mar 13 07:11:11 2009
From: Josh Smift
Date: Fri, 13 Mar 2009 10:11:07 -0400
To: sage-members@sage.org
Message-ID: <18874.27003.768952.551261@melfpelt.swarpa.net>
In-Reply-To: <18874.26168.209015.41637@melfpelt.swarpa.net>
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

JBS> You can argue that this is a worthwhile tradeoff, but you have to
JBS> watch both sides of the trade, and not focus on the benefits to
JBS> insiders while ignoring the costs to everyone else.
You may also, of course, have principled reasons for arguing either side too (like "economic freedom is in general a morally good thing that produces good results"), but that's surely beyond the scope of this list; all I wanted to chime in about here is that there are significant practical drawbacks if you legally prevent unlicensed people from working in a field.

-Josh (irilyth@infersys.com)

From jfoutz@gmail.com Fri Mar 13 08:24:34 2009
From: Jason Foutz
Date: Fri, 13 Mar 2009 08:57:10 -0600
To: Robert Brockway
Cc: sage-members@sage.org
Message-Id: <16DDCCAD-690D-4AAA-BDA9-191E99C393EC@gmail.com>
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)

Thanks for the very clear response, I want to revise my opinion.

I thought of three fairly effective ways to trust the system, though not necessarily the admin.

First, time. Admins get limited access, with more access over time. Say, 5 years for full access. This is not a trivial thing, and over the years you need to evaluate their attitude toward the organization. I think people have used this system since the dawn of time. I'll give you a little power, if you don't abuse it, I'll give you a little more... forever. At the least, this helps with the industrial spy kind of abuse. If they had to fight for every layer of access, I think they would be less likely to abuse that power out of boredom.

Second, audits. Hire two sets of staff. One set does the work, another set reviews the work. You can dial up paranoia settings from occasionally reading transcripts to having cameras watch the person's screen and hands as they type.
Third, compartmentalization. Does the guy in charge of the web farm really need access to the mail servers? Picking a good set of sudo commands could go a long way toward tightening up security. The extreme version of this is a no root access (for anybody) on production machines policy. Build them right, get your automation in place to build them quick. It would be a pain, but certainly doable.

The big worry is still the disgruntled employee. Talking to a psychologist is probably the best way to develop a good policy for keeping morale high. I do have a few random ideas though. Hire a psychologist to interview the staff on a regular basis. Hire a PI to watch out for "bad behavior". Do continuous background checks. Do continuous credit rating checks. I think you have to be up front about doing all of this stuff.

I think the key thing is, most of these suggestions are expensive. A hundred dollar lock on a 10 dollar bicycle is a huge waste of money. If you took every computer in the building, and set it on fire, how long would it take to get back up and running? How much would it cost? If you're thinking of spending more than 10% of that... you're probably on the wrong track. A pristine monitoring, backup and deployment system would handle a lot of the problems that a malicious employee could create, and a bunch more to boot.

Thanks again,
Jason

On Mar 12, 2009, at 1:10 PM, Robert Brockway wrote:

> On Thu, 12 Mar 2009, Jason Foutz wrote:
>
>> I think you're mixing technical competence and ethics. Every
>> certification
>
> Hi Jason. I'm not mixing them up although reading over my last
> email I can see how you might have got that impression. I probably
> should have separated the two aspects more.
>
> I see both aspects emerging: Formal technical training _and_
> background checks as part of the government certification process.
>
> There is simply no way to completely eliminate the risk of a bad guy
> slipping through (or becoming corrupt later) but it is possible to
> greatly reduce their numbers. Various private and public
> organisations have developed fairly effective methods of doing this.
>
> Imagine positive vetting for sysadmins :) I'm not proposing it will
> go quite that far but I think we will end up with some sort of
> mandated certification which has knowledge and background components.
>
>> We put a lot of power in different people's hands. Mortgage brokers
>> are a reasonable example of a profession where some members
>> betrayed society's trust. Society marches on.
>
> They can't do widespread infrastructure damage without warning.
>
>> Disgruntled sysadmins that destroy property they don't own, are
>> felons.
>
> Of course they are, and a few are already behind bars.
>
>> To be clear, I think certifications are a great way to get your
>> foot in the door at a new job. Certifications do absolutely nothing
>> to prevent malicious data loss.
>
> The certifications of today have nothing in common with what I'm
> saying will come to pass. I was trying to avoid using that term vis-
> a-vis sysadmins to avoid exactly this sort of confusion.
>
> Hmm looks like I did use the term certification once but it was in
> reference to doctors :)
>
> Cheers,
>
> Rob
>
> --
> I tried to change the world but they had a no-return policy

From nbrockne@hamilton.edu Fri Mar 13 11:55:15 2009
From: Nicholas Brockner
Date: Fri, 13 Mar 2009 14:54:44 -0400
To: SAGE mailing list
Message-id: <49BAABF4.6010806@hamilton.edu>
Subject: Re: [SAGE] [lopsa-discuss] Looking for examples of policies concerning trusted insiders (aka, sysadmins)
I agree with what Brandon has to say here, and also would like to point out a corrupt MD as an example. One who was motivated/intelligent enough to obtain an MD, but lacks ethics, so does things like prescribing narcotics for kickbacks. It happens all the time in all areas.

I still don't like the idea of rootkitting (sp?) for data security, but then, in *very sensitive* situations I don't have a better idea.

-Nick

Brandon S. Allbery KF8NH wrote:
> On 2009 Mar 12, at 14:33, Jason Foutz wrote:
>> I think you're mixing technical competence and ethics. Every
>> certification I'm aware of is a measure of technical knowledge. I
>> know doctors are expected to follow a code of ethics. I don't believe
>> they're formally tested for comprehensive knowledge of the ethics code.
>
> Ethics is covered in medical school; the degree should indicate
> knowledge of the ethics code. Of course, knowledge doesn't
> necessarily imply commitment to it.
>
> One thing to keep in mind about professional organizations is that
> they're also about self-protection; if you are accused of an ethics
> violation you have some recourse. The flip side of which is that they
> should also be self-policing: I've found myself wondering if our
> advertising a Code of Ethics has any legal implications in that regard.
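[Editor's added example, not code from any poster.] Jason's compartmentalization and audit ideas a few messages up (the web-farm admin who does not need the mail servers, a second team that reviews the work) and Nick's unease about rootkit-style monitoring are both things a sudoers policy can express without hiding anything from the admins. The fragment below grants each team only its own service commands on its own hosts, records every session for a review team to replay, and is syntax-checked before use. Group names (webadmins, mailadmins, auditors), host patterns, service names and log paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a sudoers fragment that gives
# each admin team only the commands its own systems need, on its own hosts,
# and records every session so a separate review team can replay it.
# Group names, host patterns, service names and paths are constructed.

render_sudoers() {
    cat <<'EOF'
# /etc/sudoers.d/team-roles  (constructed example)

# Record full session I/O and log every command; the review team reads
# these instead of watching over shoulders.
Defaults        log_output, iolog_dir=/var/log/sudo-io
Defaults        logfile=/var/log/sudo.log

# Per-role command sets: only what that role's systems require.
Cmnd_Alias      WEB_OPS  = /sbin/service httpd *, \
                           /usr/bin/tail /var/log/httpd/*
Cmnd_Alias      MAIL_OPS = /sbin/service dovecot *, \
                           /sbin/service sendmail *, \
                           /usr/bin/tail /var/log/maillog
Cmnd_Alias      REVIEW   = /usr/bin/sudoreplay *

# Web admins manage the web farm, and only on web hosts.
%webadmins      webfarm-* = (root) WEB_OPS
# Mail admins manage the mail stack, and only on mail hosts.
%mailadmins     mail-*    = (root) MAIL_OPS
# The review team can replay any session but cannot change anything.
%auditors       ALL       = (root) REVIEW
EOF
}

# Syntax-check the fragment with visudo when it is installed; sudo refuses
# to run at all while any sudoers file fails to parse, so check first.
check_sudoers() {
    tmp=$(mktemp) || return 1
    render_sudoers > "$tmp"
    chmod 0440 "$tmp"     # the mode visudo expects for a sudoers file
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp"
    else
        # No visudo: at least confirm the web role was not handed MAIL_OPS.
        ! grep '^%webadmins' "$tmp" | grep -q MAIL_OPS
    fi
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Number of grant lines in the policy; a review likes to see this stay small.
count_grants() {
    render_sudoers | grep -c '^%'
}

# Which command alias a role receives (empty if the role is unknown).
grant_for() {
    render_sudoers | awk -v role="%$1" '$1 == role { print $NF }'
}
```

The session recording is the part that answers the "who watches the admins" question without a hidden agent on the box: the admins know sudo logs their sessions, and the auditors group can replay them with sudoreplay but holds no other privilege. Hostname wildcards keep a web admin's rule from applying on a mail host even if the same sudoers file is distributed everywhere.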
>

From ismedsta@broadpark.no Mon Mar 16 03:18:20 2009
From: Ingar Smedstad
Date: Mon, 16 Mar 2009 10:17:34 +0100
To: sage-members@sage.org
Cc: discuss@lopsa.org
Subject: Re: [SAGE] Looking for examples of policies concerning trusted insiders (aka, sysadmins)
> Greetings & salutations -
>
> I've looked at what's on sans.org - wondering what kind of juice y'all
> might have. Any input or pointers would be much appreciated.
>
> Cheers,
> --Trey

Bruce Schneier has an excellent essay on this in The Wall Street Journal:

http://online.wsj.com/article/SB123447990459779609.html

I would also like to add one more thing one should do: Keep your employees happy and content. Work hard to maintain a good work environment where people like to be. In short, make sure your trusted insiders enjoy their work.

And in the event someone has to be laid off, use quarantine: give them three months or so paid quarantine and remove their access immediately.

Oh, and keep your fingers crossed :)

Ingar

From philiph@pobox.com Mon Mar 16 10:43:34 2009
From: "Philip J. Hollenback"
Date: Mon, 16 Mar 2009 10:43:20 -0700
To: SAGE Members
Message-Id: <78D11D04-AF38-4B1C-A48D-0CE089C9727C@pobox.com>
Subject: [SAGE] renewal time...

So my SAGE / USENIX membership is up for renewal and my current employer doesn't cover it. USENIX + SAGE now costs $170 according to the renewal web page. On the other hand, LOPSA costs $50.

The two things that I utilize the most from USENIX & SAGE are ;login: and the SAGE mailing list. I won't be going to USENIX this year either (again mostly because my employer isn't going to cover it).

Given the current economic climate, how do I justify paying 3X for SAGE vs. LOPSA? I definitely want to belong to at least one professional organization.

I'm not trying to start another flame war, just trying to come to some logical conclusions. Anyone have any good ideas?

Thanks,
P.

--
Philip J. Hollenback
philiph@pobox.com

From philiph@pobox.com Tue Mar 17 10:52:00 2009
From: "Philip J. Hollenback"
Date: Tue, 17 Mar 2009 10:51:47 -0700
To: Ted Cabeen
Cc: SAGE Members
In-Reply-To: <4952641F.6020408@cabeen.org>
Subject: Re: [SAGE] moving from amanda tape backup to external disk backup

On Dec 24, 2008, at 8:32 AM, Ted Cabeen wrote:

> Philip J. Hollenback wrote:
>> I realize I could integrate this into the existing amanda setup
>> but I am wondering if the simplicity of just synchronizing the
>> filesystems (probably with rsync) would be worth the tradeoff of
>> losing incremental backups. In this setup I would probably still
>> have to do something to back up the separate system drive but that
>> might be as simple as saving a copy of /etc since bare-metal
>> restores are not really a requirement here. Another consideration
>> is that the people actually in physical contact with this system in
>> a small office need the simplest possible backup and restore
>> mechanism. And as usual, this needs to be done as inexpensively as
>> possible. :)
>
> rsnapshot will give you incremental
> backups, while still giving you the benefits of rsync.
>
> Ted

I just wanted to say thanks for that tip, I ended up using two external usb drives in rotation and rsnapshot. Works very well and users love the fact that snapshot backups are so easy to retrieve.

I think the two external drives + mirrored software raid is a pretty reasonable backup solution for small businesses. I don't see much justification for tape in that environment any more.

Thanks,
P.

--
Philip J. Hollenback
philiph@pobox.com
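[Editor's added example, not part of Philip's or Ted's posts.] A wrapper for the two-drives-in-rotation rsnapshot setup Philip describes. The failure mode it guards against is the one rotation invites: the drive is not plugged in, the mount point is an empty directory on the server's own disk, and the "backup" lands there. It mounts whichever labelled drive is present, refuses to run unless the snapshot root is really a mount point, and writes an rsnapshot.conf with no_create_root set and tab-separated fields (rsnapshot rejects spaces there). The drive labels, the mount point and the backup paths are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: rsnapshot onto two external drives
# used in rotation. Whichever drive is attached is mounted by filesystem
# label, and the run is refused unless the snapshot root really is a mount
# point, so a forgotten drive never turns into a "backup" written onto the
# server's own disk. Labels, mount point and backup paths are constructed.

SNAP_ROOT=/mnt/backup         # assumed mount point for the attached drive
LABELS="BACKUP_A BACKUP_B"    # assumed filesystem labels of the two drives

# True when $1 appears as a mount point in the mount table.
# mountpoint(1) is not installed everywhere, so read the table directly.
is_mountpoint() {
    if [ -r /proc/mounts ]; then
        awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' /proc/mounts
    else
        mount | awk -v d="$1" '$3 == d { found = 1 } END { exit !found }'
    fi
}

# Emit an rsnapshot.conf for snapshot root $1. Fields must be separated by
# tabs, never spaces, so every line is written with printf and \t.
# no_create_root stops rsnapshot from creating the root when the drive is
# absent, a second line of defence behind is_mountpoint.
render_rsnapshot_conf() {
    printf 'config_version\t1.2\n'
    printf 'snapshot_root\t%s/\n' "$1"
    printf 'no_create_root\t1\n'
    printf 'cmd_rsync\t/usr/bin/rsync\n'
    printf 'retain\tdaily\t7\n'
    printf 'retain\tweekly\t4\n'
    printf 'retain\tmonthly\t6\n'
    printf 'rsync_short_args\t-a\n'
    printf 'rsync_long_args\t--delete --numeric-ids --relative --delete-excluded\n'
    printf 'backup\t/home/\tlocalhost/\n'
    printf 'backup\t/etc/\tlocalhost/\n'
}

# True when no keyword in the rendered config is followed by a space
# instead of a tab (the classic rsnapshot.conf mistake).
conf_uses_tabs() {
    ! render_rsnapshot_conf "$1" | grep -q '^[a-z_]* '
}

# Mount whichever labelled drive is attached, then run the given interval.
run_backup() {
    interval=${1:-daily}
    if ! is_mountpoint "$SNAP_ROOT"; then
        for label in $LABELS; do
            dev="/dev/disk/by-label/$label"
            [ -e "$dev" ] && mount "$dev" "$SNAP_ROOT" && break
        done
    fi
    if ! is_mountpoint "$SNAP_ROOT"; then
        echo "no backup drive mounted at $SNAP_ROOT, refusing to run" >&2
        return 2
    fi
    conf=$(mktemp) || return 1
    render_rsnapshot_conf "$SNAP_ROOT" > "$conf"
    rsnapshot -c "$conf" "$interval"
    rc=$?
    rm -f "$conf"
    return $rc
}
```

Call it from cron as `run_backup daily` (and weekly/monthly on their own schedules). The non-zero return when no drive is mounted is deliberate: cron mails the failure, which is the only way a small office finds out the rotation was missed.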
From philiph@pobox.com Wed Mar 18 15:06:24 2009
From: "Philip J. Hollenback"
Date: Wed, 18 Mar 2009 15:06:15 -0700
To: SAGE Members
In-Reply-To: <92157C91-A73E-4C42-84DD-ABF097FC27BF@pobox.com>
Subject: Re: [SAGE] Secure and simple remote mail access?

Following up to my own post to add my findings to the archive...

On Feb 13, 2009, at 10:54 PM, Philip J. Hollenback wrote:

> I've got two CentOS machines set up at a site. One is directly
> connected to the dsl router and serves as the gateway/firewall for
> the site. Behind that is a server that acts as the gateway/firewall
> to the inside network. So basically this is a traditional DMZ
> configuration (although there's no longer any other machines in the
> DMZ).
>
> The inside server is the internal mail server using dovecot for pop
> and imap. It also does imap to the external gateway/firewall
> machine to run squirrelmail. That way users can access their work
> mail from home via the squirrelmail web interface on the outside
> machine.
>
> Now a number of users are dissatisfied with squirrelmail and would
> like to use some other mechanism to access their mail remotely.
> I've looked at other webmail interfaces and some of them have some
> fancy features but nothing looks compellingly better than
> squirrelmail.
>
> Thus I'm interested in setting up something else, like direct access
> to secure imap from the outside. The simplest way to do this seems
> to be to adjust the outside machine firewall to NAT imaps
> connections to the inside machine. And of course I would need to
> allow secure sendmail from the outside too so users could send mail.
>
> So my question is, does anyone have any ideas on a better way to do
> this? I don't particularly want to open a hole directly to the
> inside machine for imaps but at the same time I don't want to force
> users to do anything complicated like set up ssh tunnels. Most of
> these users aren't terribly sophisticated so setting up thunderbird
> for a direct connection would probably be the best and simplest way
> to go.

I ended up using a firewall tunneled port for external imaps access - e.g. when a remote client connects to port 993 on the external firewall machine that gets redirected to port 993 (imap with ssl) on the real internal imap server. Works just fine.

Initially I set up port 587 on the external firewall machine for secure smtp (with tls) since all the external clients are thunderbird or mac mail. Apparently some versions of outlook prefer port 465 with ssl but we don't have to support that. The external firewall machine is also the primary mail server (MX record for the domain) so that just entailed adding a few entries to sendmail.mc and rebuilding.

However a complication with this setup is that most users don't have accounts on the firewall machine and there is no account synchronization between hosts. Thus there are extra accounts to manage. Because of this we are probably going to add a firewall tunnel for port 587 external to connect to port 587 on the internal machine to match the imap setup. That way we don't have to maintain separate user accounts. Obviously this convenience comes at a slight loss of security but in this setup I think it is acceptable.

One big annoyance with all of this is that tweaking all the thunderbird settings is needlessly complex. It sure would be nice if thunderbird could attempt to auto-configure a lot of these settings (like port and security protocol). Failing that it would be nice if the account wizard could do this. Unfortunately the account wizard just does non-secure setup and then you have to go into the thunderbird settings and adjust several things manually. Annoying.

P.

--
Philip J. Hollenback
philiph@pobox.com
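[Editor's added example, not from Philip's post.] The port forwards he describes (993 on the external firewall to 993 on the internal IMAP server, and the planned 587 to 587) written as the narrowest netfilter rules that make them work, with a rate-limited LOG of each new inbound connection so the hole he is deliberately opening shows up in the firewall's own logs. Interface names, the public address (taken from the 203.0.113.0/24 documentation range) and the internal mail server address are constructed. Run with no arguments it prints the rules; with --apply as root it loads them.

```shell
#!/bin/sh
# Added example, not from the thread: the port forwards described above
# (external 993 -> internal IMAPS, external 587 -> internal submission) as
# the narrowest netfilter rules that make them work, plus a rate-limited
# LOG of each new inbound connection so the opening is visible in the
# firewall's logs. Interfaces and addresses are constructed placeholders.

EXT_IF=eth0            # assumed outside interface of the firewall
INT_IF=eth1            # assumed inside interface
EXT_IP=203.0.113.10    # assumed public address (documentation range)
MAIL_IP=192.168.10.5   # assumed internal mail server
PORTS="993 587"        # imaps and submission; nothing else is forwarded

# Rules for one forwarded TCP port. DNAT happens in PREROUTING, so by the
# time FORWARD sees the packet its destination is already MAIL_IP.
forward_rules() {
    port=$1
    # Rewrite inbound connections to the firewall's public address.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $port" \
         "-j DNAT --to-destination $MAIL_IP:$port"
    # Log new connections, capped so a scan cannot flood the log.
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $MAIL_IP -p tcp --dport $port" \
         "-m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20" \
         "-j LOG --log-prefix \"mail-fwd:$port \""
    # Accept only that traffic; replies come back under ESTABLISHED below.
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $MAIL_IP -p tcp --dport $port" \
         "-m conntrack --ctstate NEW -j ACCEPT"
}

# Full rule set: forwarding off by default, state tracking, the site's own
# outbound traffic, then exactly the forwarded ports.
render_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
    for p in $PORTS; do
        forward_rules "$p"
    done
}

# Number of DNAT rules, a quick check that only the intended ports are open.
count_dnat() {
    render_rules | grep -c -- '-j DNAT'
}

# Apply for real only when asked explicitly, and only as root.
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    render_rules | sh -e
else
    render_rules
fi
```

The default-deny FORWARD policy and the inside-to-outside ACCEPT are there so the two DNAT ports are visibly the only inbound exceptions; an existing ruleset would merge these into its own chains rather than replace them. The "slight loss of security" Philip accepts in forwarding 587 inward is exactly what the LOG rule is for: every new connection to either port is recorded with its source address, so a password-guessing run against the internal server is visible on the firewall without touching the mail host.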
Hollenback philiph@pobox.com From doug@will.to Wed Mar 18 16:38:05 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2INc4Nj042213 for ; Wed, 18 Mar 2009 16:38:05 -0700 (PDT) (envelope-from doug@will.to) Received: from will.to (mailman.will.to [68.164.136.125]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2INc1kI001245 for ; Wed, 18 Mar 2009 16:38:04 -0700 (PDT) Received: from [75.195.226.159] (159.sub-75-195-226.myvzw.com [75.195.226.159]) (authenticated bits=0) by will.to (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id n2IN8OaL010385 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Mar 2009 19:08:33 -0400 Message-ID: <49C185C7.8020001@will.to> Date: Wed, 18 Mar 2009 19:37:43 -0400 From: Doug Hughes User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: "Philip J. Hollenback" References: <92157C91-A73E-4C42-84DD-ABF097FC27BF@pobox.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0rc3 (will.to [68.164.136.125]); Wed, 18 Mar 2009 19:08:37 -0400 (EDT) X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Members Subject: Re: [SAGE] Secure and simple remote mail access? X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Mar 2009 23:38:06 -0000 Philip J. Hollenback wrote: > > > One big annoyance with all of this is that tweaking all the > thunderbird settings is needlessly complex. It sure would be nice if > thunderbird could attempt to auto-configure a lot of these settings > (like port and security protocol). Failing that it would be nice if > the account wizard could do this. 
Unfortunately the account wizard > just does non-secure setup and then you have to go in to the > thunderbird settings and adjust several things manually. Annoying. > you could automate on windows with some sort of run-once policy setting (tested very, very thoroughly). unix/linux could be automated through other more obvious means. regarding 465 - you shouldn't have any loss in security,. You can (should?) also enable auth for sending that happens once per client startup to use the mail server using SASL or equivalent through the SSL session that is established. It should be able to auth via your normal auth mechanism just like POP or IMAP. From hyc@symas.com Wed Mar 18 17:17:33 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2J0HXhr043034 for ; Wed, 18 Mar 2009 17:17:33 -0700 (PDT) (envelope-from hyc@symas.com) Received: from lirone.symas.net (lirone.symas.net [64.71.152.235]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2J0HUlI001703 for ; Wed, 18 Mar 2009 17:17:33 -0700 (PDT) Received: from [76.91.220.157] (helo=[192.168.1.20]) by lirone.symas.net with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from ) id 1Lk5ws-0007HH-Mf; Wed, 18 Mar 2009 17:17:26 -0700 Message-ID: <49C18F0F.5000301@symas.com> Date: Wed, 18 Mar 2009 17:17:19 -0700 From: Howard Chu User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b3pre) Gecko/20090317 SeaMonkey/2.0a1pre Firefox/3.0.3 MIME-Version: 1.0 To: Doug Hughes References: <92157C91-A73E-4C42-84DD-ABF097FC27BF@pobox.com> <49C185C7.8020001@will.to> In-Reply-To: <49C185C7.8020001@will.to> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 Cc: SAGE Members Subject: Re: [SAGE] Secure and simple remote mail access? 
Doug Hughes wrote:
> Philip J. Hollenback wrote:
>> One big annoyance with all of this is that tweaking all the
>> thunderbird settings is needlessly complex. It sure would be nice if
>> thunderbird could attempt to auto-configure a lot of these settings
>> (like port and security protocol). Failing that it would be nice if
>> the account wizard could do this. Unfortunately the account wizard
>> just does non-secure setup and then you have to go into the
>> thunderbird settings and adjust several things manually. Annoying.
> You could automate on Windows with some sort of run-once policy setting
> (tested very, very thoroughly). Unix/Linux could be automated through
> other more obvious means.
> Regarding 465 - you shouldn't have any loss in security. You can
> (should?) also enable auth for sending that happens once per client
> startup to use the mail server using SASL or equivalent through the SSL
> session that is established. It should be able to auth via your normal
> auth mechanism just like POP or IMAP.

But note this bug...
https://bugzilla.mozilla.org/show_bug.cgi?id=136871

Authenticated SMTP with Thunderbird is a real pig.

-- 
  -- Howard Chu
  CTO, Symas Corp.               http://www.symas.com
  Director, Highland Sun         http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP      http://www.openldap.org/project/

From doug@will.to Wed Mar 18 19:28:46 2009
From: Doug Hughes
Date: Wed, 18 Mar 2009 22:28:23 -0400
Subject: Re: [SAGE] Secure and simple remote mail access?
Message-ID: <49C1ADC7.5080009@will.to>
In-Reply-To: <49C18F0F.5000301@symas.com>

Howard Chu wrote:
> Doug Hughes wrote:
>> Philip J. Hollenback wrote:
>>> One big annoyance with all of this is that tweaking all the
>>> thunderbird settings is needlessly complex.
>>> It sure would be nice if
>>> thunderbird could attempt to auto-configure a lot of these settings
>>> (like port and security protocol). Failing that it would be nice if
>>> the account wizard could do this. Unfortunately the account wizard
>>> just does non-secure setup and then you have to go into the
>>> thunderbird settings and adjust several things manually. Annoying.
>
>> You could automate on Windows with some sort of run-once policy setting
>> (tested very, very thoroughly). Unix/Linux could be automated through
>> other more obvious means.
>
>> Regarding 465 - you shouldn't have any loss in security. You can
>> (should?) also enable auth for sending that happens once per client
>> startup to use the mail server using SASL or equivalent through the SSL
>> session that is established. It should be able to auth via your normal
>> auth mechanism just like POP or IMAP.
>>
> But note this bug...
> https://bugzilla.mozilla.org/show_bug.cgi?id=136871
>
> Authenticated SMTP with Thunderbird is a real pig.

Wow... that *is* pathetic. I've been using Thunderbird as a mail client
for years and never noticed this. (Why on earth a mail server should
require 4 seconds to auth is another issue...)

From hyc@symas.com Wed Mar 18 19:50:16 2009
From: Howard Chu
Date: Wed, 18 Mar 2009 19:50:02 -0700
Subject: Re: [SAGE] Secure and simple remote mail access?
Message-ID: <49C1B2DA.400@symas.com>
In-Reply-To: <49C1ADC7.5080009@will.to>

Doug Hughes wrote:
> Howard Chu wrote:
>> Doug Hughes wrote:
>>> Philip J. Hollenback wrote:
>>>> One big annoyance with all of this is that tweaking all the
>>>> thunderbird settings is needlessly complex. It sure would be nice if
>>>> thunderbird could attempt to auto-configure a lot of these settings
>>>> (like port and security protocol). Failing that it would be nice if
>>>> the account wizard could do this.
>>>> Unfortunately the account wizard
>>>> just does non-secure setup and then you have to go into the
>>>> thunderbird settings and adjust several things manually. Annoying.
>>
>>> You could automate on Windows with some sort of run-once policy setting
>>> (tested very, very thoroughly). Unix/Linux could be automated through
>>> other more obvious means.
>>
>>> Regarding 465 - you shouldn't have any loss in security. You can
>>> (should?) also enable auth for sending that happens once per client
>>> startup to use the mail server using SASL or equivalent through the SSL
>>> session that is established. It should be able to auth via your normal
>>> auth mechanism just like POP or IMAP.
>>>
>> But note this bug...
>> https://bugzilla.mozilla.org/show_bug.cgi?id=136871
>>
>> Authenticated SMTP with Thunderbird is a real pig.
> Wow... that *is* pathetic. I've been using Thunderbird as a mail client
> for years and never noticed this. (Why on earth a mail server should
> require 4 seconds to auth is another issue...)

On my laptop I now run a copy of stunnel, configured to connect to port
465 on my SMTP server, and point my SeaMonkey client at that for
outbound SMTP. That way I at least get SSL session caching. I suppose
the next step would be to write a dumb SMTP proxy so that it can fake
out the QUIT command and initial 220 response, to force a single
connection to be reused. (And as awkward as that sounds, trust me, this
is a lot easier than writing a patch for Mozilla and getting it
integrated.)

-- 
  -- Howard Chu
  CTO, Symas Corp.
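Howard's stunnel-plus-dumb-proxy idea above, together with Doug's earlier point about authenticating with SASL inside the SSL session to port 465, worked into code as an added example that is not from the thread or from any of the projects mentioned: a loopback-only proxy core that fakes the 220 greeting and the QUIT so every short-lived client connection is multiplexed onto one authenticated TLS session to 465. SocketUpstream, SessionMux, FakeUpstream, mail.example.test and the AUTH PLAIN string are all constructed for this example; demo() runs entirely offline against the fake.

```python
"""Session-reusing SMTP submission proxy core (added example, not code from the thread): a
local proxy fakes the 220 greeting and the QUIT so a client that reconnects and re-authenticates
for every message really shares one authenticated TLS session to port 465 (the SASL-over-SSL
submission Doug describes), kept open.  Host names and credentials below are placeholders."""
import socket
import ssl

class SocketUpstream:
    """One persistent implicit-TLS (port 465) session to the real submission server."""

    def __init__(self, host, port=465):
        ctx = ssl.create_default_context()  # verifies the server certificate and host name
        self.sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
        self.rfile = self.sock.makefile("rb")
        self.greeting = self.read_reply()  # swallow the real 220; clients get a fake one

    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("latin-1"))

    def read_reply(self):
        lines = []  # multi-line replies carry '-' after the code on all but the last line
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("upstream closed the session")
            lines.append(raw.decode("latin-1"))
            if raw[3:4] != b"-":
                return "".join(lines)

class SessionMux:
    """Maps each short-lived client conversation onto the one shared upstream session.  Serve one
    client at a time and listen on loopback only: anyone reaching the proxy sends mail as you."""

    GREETING = "220 127.0.0.1 session-reuse proxy ready\r\n"

    def __init__(self, upstream):
        self.upstream = upstream      # anything with send(line) and read_reply()
        self.authenticated = False
        self.auth_pending = False     # multi-step AUTH (334 challenge) in progress
        self.in_data = False          # between DATA's 354 and the lone '.' line

    def _cmd(self, line):
        self.upstream.send(line)
        return self.upstream.read_reply()

    def handle(self, line):
        """Return the reply for one client line, or None while relaying message data."""
        if self.in_data:
            self.upstream.send(line)  # message body: never interpret it as a command
            if line != ".":
                return None
            self.in_data = False
            return self.upstream.read_reply()
        verb = line.split(" ", 1)[0].upper()
        if verb == "QUIT":            # fake the QUIT: reset the transaction, keep the session
            self._cmd("RSET")
            return "221 2.0.0 bye (upstream session kept open)\r\n"
        if verb == "AUTH" and self.authenticated:
            return "235 2.7.0 already authenticated\r\n"  # the server would answer 503
        reply = self._cmd(line)
        if verb == "AUTH" or self.auth_pending:
            self.auth_pending = reply.startswith("334")
            self.authenticated = self.authenticated or reply.startswith("235")
        if verb == "DATA" and reply.startswith("354"):
            self.in_data = True
        return reply

class FakeUpstream:
    """Constructed stand-in for SocketUpstream: logs every line, answers like a submission server."""

    def __init__(self):
        self.sent, self.authed, self.reply = [], False, ""

    def send(self, line):
        self.sent.append(line)
        verb = line.split(" ", 1)[0].upper()
        self.reply = "250 2.1.0 ok\r\n"  # default answer: MAIL, RCPT, RSET, end of data
        if verb == "EHLO":
            self.reply = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 SIZE 10240000\r\n"
        elif verb == "AUTH":
            self.reply = "503 5.5.1 already authenticated\r\n" if self.authed else "235 2.7.0 ok\r\n"
            self.authed = True
        elif verb == "DATA":
            self.reply = "354 end data with <CR><LF>.<CR><LF>\r\n"

    def read_reply(self):
        return self.reply

CLIENT_SESSION = [  # one client connection per message; the "QUIT" inside DATA is body text
    "EHLO laptop", "AUTH PLAIN AGFsaWNlAHNlY3JldA==",
    "MAIL FROM:<alice@example.test>", "RCPT TO:<bob@example.test>",
    "DATA", "Subject: test", "", "QUIT is just a word here", ".", "QUIT"]

def demo(sessions=2):
    """Run several client sessions over one fake upstream; return (replies per session, upstream)."""
    mux = SessionMux(upstream := FakeUpstream())
    replies = [[r for r in [mux.GREETING] + list(map(mux.handle, CLIENT_SESSION)) if r is not None]
               for _ in range(sessions)]
    return replies, upstream
```

The accept loop is left out: bind to 127.0.0.1 only, send SessionMux.GREETING to each new client, feed its lines to handle() and close the client socket once a 221 reply comes back.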
From mbarr@mbarr.net Wed Mar 18 20:06:52 2009
From: Matthew Barr
Date: Wed, 18 Mar 2009 23:06:26 -0400
Subject: Re: [SAGE] Secure and simple remote mail access?
In-Reply-To: <92157C91-A73E-4C42-84DD-ABF097FC27BF@pobox.com>

On Feb 14, 2009, at 1:54 AM, Philip J. Hollenback wrote:
> Now a number of users are dissatisfied with squirrelmail and would
> like to use some other mechanism to access their mail remotely.
> I've looked at other webmail interfaces and some of them have some
> fancy features but nothing looks compellingly better than
> squirrelmail.

I can't argue w/ direct access to IMAP, but one thing you may want to
look at is Roundcube. It's a bit slow on the development, in that it's
been usable in production systems for a year or more, but is only on
.21. Most people would probably just call this version more like 1.5.

It's pretty good. I haven't looked at SquirrelMail lately, but it was
showing its age 2 years ago. Take a peek if you still need webmail.
It's not a substitute for IMAP, but it's helpful to have a decent one.

Matthew

Matthew Barr
mbarr@mbarr.net
cell: 646-765-6878

From philiph@pobox.com Wed Mar 18 23:22:56 2009
From: Philip J. Hollenback
Date: Wed, 18 Mar 2009 23:22:36 -0700
Subject: Re: [SAGE] Secure and simple remote mail access?
Message-Id: <03ED7F8E-B8EE-43AA-9007-8D019F21B43F@pobox.com>

On Mar 18, 2009, at 8:06 PM, Matthew Barr wrote:
> On Feb 14, 2009, at 1:54 AM, Philip J. Hollenback wrote:
>> Now a number of users are dissatisfied with squirrelmail and would
>> like to use some other mechanism to access their mail remotely.
>> I've looked at other webmail interfaces and some of them have some
>> fancy features but nothing looks compellingly better than
>> squirrelmail.
>
> I can't argue w/ direct access to IMAP, but one thing you may want
> to look at is Roundcube. It's a bit slow on the development, in that
> it's been usable in production systems for a year or more, but is
> only on .21. Most people would probably just call this version more
> like 1.5.
>
> It's pretty good. I haven't looked at SquirrelMail lately, but it
> was showing its age 2 years ago. Take a peek if you still need
> webmail. It's not a substitute for IMAP, but it's helpful to have a
> decent one.

I checked out roundcube about a year ago and it seemed a little shaky
so it's good to know it has matured. However my gut feeling is it
probably isn't enough better than squirrelmail to justify converting
and annoying all the users.
I think light users are fine with squirrelmail and people who want more
power want a 'real' IMAP client.

P.

-- 
Philip J. Hollenback
philiph@pobox.com

From philiph@pobox.com Wed Mar 18 23:25:23 2009
From: Philip J. Hollenback
Date: Wed, 18 Mar 2009 23:25:01 -0700
Subject: Re: [SAGE] Secure and simple remote mail access?
Message-Id: <21FB24AD-885B-4BA3-A701-9A5E24FA35DC@pobox.com>
In-Reply-To: <49C185C7.8020001@will.to>

On Mar 18, 2009, at 4:37 PM, Doug Hughes wrote:
> Philip J. Hollenback wrote:
>> One big annoyance with all of this is that tweaking all the
>> thunderbird settings is needlessly complex. It sure would be nice
>> if thunderbird could attempt to auto-configure a lot of these
>> settings (like port and security protocol). Failing that it would
>> be nice if the account wizard could do this. Unfortunately the
>> account wizard just does non-secure setup and then you have to go
>> into the thunderbird settings and adjust several things manually.
>> Annoying.
>
> You could automate on Windows with some sort of run-once policy
> setting (tested very, very thoroughly). Unix/Linux could be
> automated through other more obvious means.

Yeah but this is a small office so it's not really worth the effort to
automate everything for perhaps 20 users at the absolute most. I was
just complaining about thunderbird a little bit. :)

I notice that the mail clients on Blackberries and Windows Mobile
phones tend to detect all these settings automatically fairly well so
I am unsure why tbird can't do it.

P.

-- 
Philip J.
Hollenback philiph@pobox.com

From adamm@menlo.com Fri Mar 20 08:29:44 2009
From: Adam Moskowitz
Date: Fri, 20 Mar 2009 11:29:38 -0400
Subject: [SAGE] Please submit a paper to LISA '09
Message-ID: <20090320152938.GA5677@cakewalk.menlo.com>

In case you don't already know, the deadline to submit refereed papers
for LISA '09 is just over a month away (April 30, 2009). If you want to
submit something, you should probably have started writing it by now.

We welcome submissions on any topic related to system administration,
whether theoretical or practical. You can write about a solution to a
new or previously-unsolved problem, a new solution to an old problem, a
comparison of existing solutions, or anything else you think will be of
interest to your fellow system administrators.

One thing to note, though: Papers need to do more than describe
something you did. At a minimum, papers need to include a statement of
the problem, a discussion of why existing solutions couldn't be used, a
description of the work, results (improvements over the previous
solution, data proving the problem was solved or showing by how much
the problem was reduced, etc.), comparison to existing solutions,
references, and a conclusion (what was learned from the work and, if
possible, why other sysadmins should care about what was learned).

Papers should be 8 - 18 pages long, including all diagrams, charts,
references, etc. Only draft full papers will be accepted this year;
extended abstracts are no longer sufficient. The full set of guidelines
can be found here: http://www.usenix.org/lisa09/cfp/

"Pre-shepherding" is available: Submit an idea or an outline and get
feedback before writing the full paper. This is perfect for those who
are looking to submit for the first time or are unsure if their ideas
really merit a full paper. But, you have to act NOW to take advantage
of this service.

Questions? Send 'em to me! Comments? Send them, too.

Adam Moskowitz, SiCortex, Inc.
LISA '09 Program Chair
lisa09chair@usenix.org

From kacoroski@gmail.com Mon Mar 23 23:15:28 2009
From: Ski Kacoroski
To: sage-members@sage.org, tech@lopsa.org
Date: Mon, 23 Mar 2009 23:08:15 -0700
Subject: [SAGE] Help setting OSX wireless password programmatically
Message-Id: <1237874895.7519.12.camel@cherry>
Reply-To: kacoroski@gmail.com

Hi,

This should be a simple thing, but I keep running into walls. We need
to change the wireless password on one of our schools' networks (WPA2
encryption) and move another network into production. The server side
is easy. The problem I have is that I cannot figure out a way to add a
wireless network and change a wireless network password on OSX without
using the GUI as the local user (and I really do not want to touch 6000
workstations by hand).

I can use the networksetup and airport commands to set it temporarily,
but once the machine reboots the changes are lost. I can create
passwords in the system keychain as root, but not in the user's login
keychain and for some reason, the network chooser requires an entry in
the user's login keychain.

Any ideas or hints on how other people manage wireless passwords on OSX
are most appreciated.
cheers,

ski

-- 
"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803
or ski98033 on most IM services

From netfortius@gmail.com Tue Mar 24 05:37:00 2009
From: Stefan
To: sage-members@sage.org, tech@lopsa.org
Date: Tue, 24 Mar 2009 07:29:45 -0500
Subject: Re: [SAGE] [lopsa-tech] Help setting OSX wireless password programmatically
In-Reply-To: <1237874895.7519.12.camel@cherry>

see if:

  $ man networksetup

reveals anything of use ...

Stefan

On Tue, Mar 24, 2009 at 1:08 AM, Ski Kacoroski wrote:
> Hi,
>
> This should be a simple thing, but I keep running into walls. We need
> to change the wireless password on one of our schools' networks (WPA2
> encryption) and move another network into production. The server side
> is easy. The problem I have is that I cannot figure out a way to add a
> wireless network and change a wireless network password on OSX without
> using the GUI as the local user (and I really do not want to touch 6000
> workstations by hand).
>
> I can use the networksetup and airport commands to set it temporarily,
> but once the machine reboots the changes are lost. I can create
> passwords in the system keychain as root, but not in the user's login
> keychain and for some reason, the network chooser requires an entry in
> the user's login keychain.
>
> Any ideas or hints on how other people manage wireless passwords on OSX
> are most appreciated.
>
> cheers,
>
> ski
>
> -- 
> "When we try to pick out anything by itself, we find it
>  connected to the entire universe"            John Muir
>
> Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803
> or ski98033 on most IM services
>
>
> _______________________________________________
> Tech mailing list
> Tech@lopsa.org
> http://lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/
>

From kacoroski@gmail.com Tue Mar 24 09:12:44 2009
From: Ski Kacoroski
To: Stefan
Cc: tech@lopsa.org, sage-members@sage.org
Date: Tue, 24 Mar 2009 07:15:06 -0700
Subject: Re: [SAGE] [lopsa-tech] Help setting OSX wireless password programmatically
Message-Id: <1237904106.7626.0.camel@cherry>
Reply-To: kacoroski@gmail.com

Stefan,

No luck. All changes are lost on a reboot.

ski

On Tue, 2009-03-24 at 07:29 -0500, Stefan wrote:
> see if:
>
>   $ man networksetup
>
> reveals anything of use ...
>
> Stefan
>
> On Tue, Mar 24, 2009 at 1:08 AM, Ski Kacoroski wrote:
> > Hi,
> >
> > This should be a simple thing, but I keep running into walls. We need
> > to change the wireless password on one of our schools' networks (WPA2
> > encryption) and move another network into production. The server side
> > is easy. The problem I have is that I cannot figure out a way to add a
> > wireless network and change a wireless network password on OSX without
> > using the GUI as the local user (and I really do not want to touch 6000
> > workstations by hand).
> >
> > I can use the networksetup and airport commands to set it temporarily,
> > but once the machine reboots the changes are lost. I can create
> > passwords in the system keychain as root, but not in the user's login
> > keychain and for some reason, the network chooser requires an entry in
> > the user's login keychain.
> >
> > Any ideas or hints on how other people manage wireless passwords on OSX
> > are most appreciated.
> >
> > cheers,
> >
> > ski
> >
> > -- 
> > "When we try to pick out anything by itself, we find it
> >  connected to the entire universe"            John Muir
> >
> > Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803
> > or ski98033 on most IM services
> >

-- 
"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803
or ski98033 on most IM services

From lobo@mental.com Tue Mar 24 09:37:33 2009
From: Alexander Lobodzinski
Organization: mental images GmbH, Berlin, Germany
To: sage-members@sage.org, tech@lopsa.org
Date: Tue, 24 Mar 2009 17:36:08 +0100
Subject: Re: [SAGE] [lopsa-tech] Help setting OSX wireless password programmatically
Message-ID: <13100.1237912568@mental.com>
In-Reply-To: Ski Kacoroski's message of Mon, 23 Mar 2009 23:08:15 MST <1237874895.7519.12.camel@cherry>

> I can use the networksetup and airport commands to set it temporarily,
> but once the machine reboots the changes are lost.

I'd try on an idle machine:

  touch foobar
  do the GUI things you know are persistent
  find / -newer foobar

Maybe this turns up something that leads you to a solution...

Good luck!

Ciao, Lobo

From gilbert@watchhouse.org Tue Mar 24 10:17:35 2009
From: Gilbert Wilson
To: Stefan
Date: Tue, 24 Mar 2009 13:17:25 -0400
References: <1237874895.7519.12.camel@cherry>
Cc: tech@lopsa.org, sage-members@sage.org Subject: Re: [SAGE] [lopsa-tech] Help setting OSX wireless password programmatically X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Mar 2009 17:17:35 -0000 You can use Applescript to create a Keychain entry for the wireless network. To find the relevant commands specific to the task, in script editor go to: File -> Open Dictionary -> Keychain Scripting All you need to do is get your head around the mindblowingly awful syntax and grammar of Applescript. :) Gil On Tue, Mar 24, 2009 at 8:29 AM, Stefan wrote: > see if: > > $man networksetup > > reveals anything of use ... > > Stefan > > On Tue, Mar 24, 2009 at 1:08 AM, Ski Kacoroski wrote: >> Hi, >> >> This should be a simple thing, but I keep running into walls.  We need >> to change the wireless password on one of our schools network (WPA2 >> encryption) and move another network into production.  The server side >> is easy.  The problem I have is that I cannot figure out a way to add a >> wireless network and change a wireless network password on OSX without >> using the GUI as the local user (and I really do not want to touch 6000 >> workstations by hand). >> >> I can use the networksetup and airport commands to set it temporarily, >> but once the machine reboots the changes are lost.  I can create >> passwords in the system keychain as root, but not in the user's login >> keychain and for some reason, the network chooser requires an entry in >> the user's login keychain. >> >> Any ideas or hints on how other people manage wireless passwords on OSX >> are most appreciated. 
>> >> cheers, >> >> ski >> >> -- >> "When we try to pick out anything by itself, we find it >>  connected to the entire universe"            John Muir >> >> Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803 >> or ski98033 on most IM services >> >> >> _______________________________________________ >> Tech mailing list >> Tech@lopsa.org >> http://lopsa.org/cgi-bin/mailman/listinfo/tech >> This list provided by the League of Professional System Administrators >>  http://lopsa.org/ >> > > _______________________________________________ > sage-members mailing list > sage-members@mailman.sage.org > http://mailman.sage.org/mailman/listinfo/sage-members > From gilbert@watchhouse.org Tue Mar 24 10:26:55 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2OHQt2Q010030 for ; Tue, 24 Mar 2009 10:26:55 -0700 (PDT) (envelope-from gilbert@watchhouse.org) Received: from mail-qy0-f126.google.com (mail-qy0-f126.google.com [209.85.221.126]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2OHQphC021356 for ; Tue, 24 Mar 2009 10:26:54 -0700 (PDT) Received: by qyk32 with SMTP id 32so3322671qyk.31 for ; Tue, 24 Mar 2009 10:26:46 -0700 (PDT) MIME-Version: 1.0 Received: by 10.229.81.129 with SMTP id x1mr3779878qck.16.1237915605828; Tue, 24 Mar 2009 10:26:45 -0700 (PDT) In-Reply-To: References: <1237874895.7519.12.camel@cherry> Date: Tue, 24 Mar 2009 13:26:45 -0400 Message-ID: From: Gilbert Wilson To: Stefan Content-Type: text/plain; charset=ISO-8859-1 X-DCC-Usenix-Metrics: voyager 1010; Body=1 Fuz1=1 Fuz2=1 rep=8% Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hoshi.usenix.org id n2OHQt2Q010030 Cc: tech@lopsa.org, sage-members@sage.org Subject: Re: [SAGE] [lopsa-tech] Help setting OSX wireless password programmatically X-BeenThere: sage-members@mailman.sage.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: "To discuss any issues of interest to SAGE members." 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Mar 2009 17:26:55 -0000 On second thought, man security Will probably get you farther and cause less head trauma. Gil On Tue, Mar 24, 2009 at 1:17 PM, Gilbert Wilson wrote: > You can use Applescript to create a Keychain entry for the wireless > network.  To find the relevant commands specific to the task, in > script editor go to: > > File -> Open Dictionary -> Keychain Scripting > > All you need to do is get your head around the mindblowingly awful > syntax and grammar of Applescript. :) > > Gil > > On Tue, Mar 24, 2009 at 8:29 AM, Stefan wrote: >> see if: >> >> $man networksetup >> >> reveals anything of use ... >> >> Stefan >> >> On Tue, Mar 24, 2009 at 1:08 AM, Ski Kacoroski wrote: >>> Hi, >>> >>> This should be a simple thing, but I keep running into walls.  We need >>> to change the wireless password on one of our schools network (WPA2 >>> encryption) and move another network into production.  The server side >>> is easy.  The problem I have is that I cannot figure out a way to add a >>> wireless network and change a wireless network password on OSX without >>> using the GUI as the local user (and I really do not want to touch 6000 >>> workstations by hand). >>> >>> I can use the networksetup and airport commands to set it temporarily, >>> but once the machine reboots the changes are lost.  I can create >>> passwords in the system keychain as root, but not in the user's login >>> keychain and for some reason, the network chooser requires an entry in >>> the user's login keychain. >>> >>> Any ideas or hints on how other people manage wireless passwords on OSX >>> are most appreciated. 
>>> >>> cheers, >>> >>> ski >>> >>> -- >>> "When we try to pick out anything by itself, we find it >>>  connected to the entire universe"            John Muir >>> >>> Chris "Ski" Kacoroski, kacoroski@gmail.com, 206-501-9803 >>> or ski98033 on most IM services >>> >>> >>> _______________________________________________ >>> Tech mailing list >>> Tech@lopsa.org >>> http://lopsa.org/cgi-bin/mailman/listinfo/tech >>> This list provided by the League of Professional System Administrators >>>  http://lopsa.org/ >>> >> >> _______________________________________________ >> sage-members mailing list >> sage-members@mailman.sage.org >> http://mailman.sage.org/mailman/listinfo/sage-members >> > From kacoroski@gmail.com Tue Mar 24 13:42:29 2009 Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hoshi.usenix.org (8.13.3/8.13.3) with ESMTP id n2OKgTdF014494 for ; Tue, 24 Mar 2009 13:42:29 -0700 (PDT) (envelope-from kacoroski@gmail.com) Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.169]) by usenix.org (8.13.6/8.13.6) with ESMTP id n2OKgQJ7025116 for ; Tue, 24 Mar 2009 13:42:29 -0700 (PDT) Received: by wf-out-1314.google.com with SMTP id 28so3508327wfc.26 for ; Tue, 24 Mar 2009 13:42:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:reply-to:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=w26kKLOwoV7OboyK9VpAVapoCpYduTiFpykV2JTJbhg=; b=R6pIWqCoRAGYPEM6GrzPiTw+IKu8mCNd/XRxu0Ngv3i2pTCPKTFIuR/dctKhKeDYDq MjOYDNcb3iCvIY8qXNIKXQzYdriWICyHx+nPfvw52TXSj4fpYa4EgiWOV6SDQaQlYeMH 8sdCVynSQ6ytYRqUVexcJJRNwtnr8J4Ygn0KQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:reply-to:to:cc:in-reply-to:references:content-type :date:message-id:mime-version:x-mailer:content-transfer-encoding; b=wBYQBI5idhvJ83olXbYjJyz23rL94Lq3FckL+9bbdn/1SKezQBQTp2kGrwv5L+uxcd 
LceT8ZM3UzqzPqHldAB6N1Vg+SkxXBQBR3hFIoBZTRnymZzYpvB3kvMJKCSmMxJdcf+J dcj5tzLk1cYYK9B6XxHDx/hjeJG2IT19jyW0s= Received: by 10.114.179.1 with SMTP id b1mr5893266waf.70.1237927346108; Tue, 24 Mar 2009 13:42:26 -0700 (PDT) Received: from ?10.2.9.12? ([152.157.64.243]) by mx.google.com with ESMTPS id k37sm6617207waf.42.2009.03.24.13.42.25 (version=SSLv3 cipher=RC4-MD5); Tue, 24 Mar 2009 13:42:25 -0700 (PDT) From: Ski Kacoroski To: Gilbert Wilson In-Reply-To: References: <1237874895.7519.12.camel@cherry>