Planet SysAdmin

Links for 2008-11-19 [del.icio.us]

2008-11-20T06:00:00+00:00

Debugging Tools for Windows - Overview

Links for 2008-11-19 [del.icio.us]

2008-11-20T06:00:00+00:00

QualysGuard PCI Pass/Fail Status Criteria - Qualys
Press Releases - November 11, 2008 - Q1 Labs
free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures
Healthy Paranoia: Top 50 Internet Security Blogs by The Daily Netizen
GOVCERT.NL Symposium 2008
Looking for Trouble - WSJ.com
ClearNet Security : It’s hard to build a smart SIEM
If you find yourself evaluating SIEM products, dig in and investigate how each works - you don’t want yesterday’s product.
PCI Perspectives by Dave Taylor
Lehman Bros 'killed by complexity' (physicsworld.com Blog) - physicsworld.com

Bailouts

2008-11-20T04:57:35+00:00

Does anybody else think we’re living in Atlas Shrugged?

When can I get bailed out? I’ve made several bad decisions in my life and I’d like to be compensated for them. And by “compensated” I mean “massively compensated, like dump trucks full of cash.” After all, why should I be responsible for my own actions and decisions?

If I were Honda or Toyota I’d be getting my lawyers ready to sue a lot of people.

A growing realization about `tcpdump` and reading IP traffic

2008-11-20T04:42:17+00:00

A growing realization about `tcpdump` and reading IP traffic

Here is a gotcha about reading tcpdump output that recent events have been tattooing on my forehead:

The only sure way to tell whether a packet is going to your gateway or to something on the local network is to look at the destination Ethernet address.

To put it another way: a packet being sent to your network's gateway does not have the gateway's IP address in it. Thus, reading tcpdump output without Ethernet addresses is not really telling you whether a packet was really sent to your gateway or whether it was just floating by on the network. Similarly if you are reading tcpdump output on the sending machine; until you look at the destination MAC, you don't actually know where the machine is sending the packets, you just think you know.

This is obvious once you think about it (assuming that you know enough about how IP works), as is its interaction with tcpdump being promiscuous and how switches can flood traffic through your network. But you do have to think about it, and not doing so has tripped me up at least twice now. It's certainly not intuitive that more or less the only thing your machine's IP stack does with your gateway's IP address is to ARP for its Ethernet address.

(I think one reason that this is so easy to overlook is that it feels like a layering violation. It's rational to think that the use of an IP gateway should be visible in the IP headers of a packet, instead of only showing up one lever lower.)

HomePlug revival continues with new Netgear Powerline gear

2008-11-19T21:38:13+00:00

This is a guest post from Sean Portnoy of TechRepublic’s sister site ZDNet. You can follow Sean on his ZDNet blog SoHo Networking, or subscribe to the RSS feed.

————————————————————————————————————-

Remember when, not so long ago, home networking using power lines seemed down for the count due to slow throughput rates, especially as Draft N wireless devices entered the market? Thanks to improved technology, the HomePlug standard is staging a comeback, with big-name brands like Linksys releasing new kits using the updated HomePlug Turbo and HomePlug AV flavors. Netgear is now upgrading its offerings as well, finally releasing the new Powerline HD Plus Ethernet Adapter Kit (HDXB111) and Powerline AV Ethernet Adapter Kit (XAVB101) (which were first shown at CES in January).

Both kits come with two adapters that use a Powerline HD interface that is rated at 200Mbps maximum throughput, though Netgear is emphasizing the Quality of Service features of the HDXB111 that will prioritize video, gaming, and VoIP traffic. The HDXB111 adapters also come with built-in AC outlets, so you can plug in other devices while the adapter is plugged into the wall outlet. If you can live without those features, the XAVB101 will be a little cheaper ($149.99 versus $169.99 for the HDXB111).

As its name suggests, the HDXB111 is being touted for its ability to stream high-def content with minimal hiccups. We’ll have to see some reviews before we can be assured this is the case, but it’s encouraging to see that the convenience that power line networking offers hasn’t been tossed on the dustbin of history just yet.

So that's where they're keeping it

2008-11-19T21:15:21+00:00

I've since found a great deal more about multipath in Linux:

The trick was to search for "multipath" and "fstab".

Also, I contacted the installer from Sun who worked on our new machines, and he told me that the multipath driver download was lost during an upgrade of the download page; they're working on it, but in the meantime he's sent me a copy of the driver. Sweet!

I love working at UBC

2008-11-19T17:15:28+00:00

Just now from the window, over the sound of a stupid high-pressure washer, I heard a Canadian goose fly by, honking its head off.

links for 2008-11-19

2008-11-19T16:00:12+00:00

jwz - Apple 0wns j00

This HDCP crap on laptops sucks. Nice job, Apple, making it impossible to play video on nearly every projector on Earth.
Foreclosure | Stuck In Customs

Great shot.
The Risks Digest Volume 25: Issue 44

"In the November 2008 issue of *BoatU.S.* magazine, there's a reference to a new GPS satellite being switched on. It uses the identifier "PRN 32", which causes some [...] Northstar GPS units to become confused and shut down." This smells like a fixed-sized, 32-element array. Dear programmers, stop doing that.

ISC Releases BIND 9.4.3

2008-11-19T15:11:43+00:00

After almost a year of development, the Internet Software Consortium (ISC) announced the newest release of their Domain Name System (DNS) server, BIND 9.4.3, today. This release includes over 140 fixes over BIND 9.4.2.

Although this maintenance release is mainly focused on bug fixes, it does include the following four security related updates:

inet_network() buffer overflow. CVE-2008-0122.
Fully randomize UDP query ports to improve forgery resilience. [RT #17949]
Additional support for query port randomization (change #2375) including performance improvement and port range specification. [RT #17949, #18098]
win32: UDP client handler can be shutdown. [RT #18576]

Related Posts (Automatically Generated)

My Last Logging Interview?

2008-11-19T15:57:57+00:00

While at GOVCERT.NL 2008, I gave this fun interview.... check it out.

As you can guess, I talk about logs. BTW, while you are at that link, check out other fun interviews; at least, check out David Rice's.

Debian /etc/cron.d/ gotcha

2008-11-19T14:57:53+00:00

I typically use /etc/cron.d to store all of my system crontabs. I recently ran into an issue that I had either not run into before, or fixed and paid no attention to. Files stored in /etc/cron.d/ or any /etc/cron.* directory need to adhear to the run-parts Debian cron script namespace which consists is

(^[a-z0-9][a-z0-9-]*$)

for the regex impared this does not include the dot character. If you have a file in /etc/cron.d/ that has a dot in it it will not be evaluated by cron. I have seen mention of underscore not being valid but in my testing underscore was not an issue, only dots.

A Fun List of Security Blogs

2008-11-19T15:40:17+00:00

Check your RSS readers.... got all of them? :-)

Darn Good Idea ... If Done Well

2008-11-19T15:33:49+00:00

"A free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures?" (here)

Somebody, somewhere is thinking ...

In any case, "free is in" :-) Look at all the announcements (NetWitness, Mandiant, this) as well as "the original free."

MS AV Out and Free ... Uh-Oh

2008-11-19T15:29:26+00:00

With headlines like "MS Destroys the Consumer AV Market," the news hit ... well, hit the fan like the proverbial... well, you know what :-)

Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS choose a really, really good moment to come out with this!

The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."

You don’t have to wait to deploy DNSSEC

2008-11-19T12:00:13+00:00

A look at DNS security with a high-level examination of DNSSEC, why DNSSEC is still not globally deployed, and some things you can do to improve DNS transaction integrity until it is.

——————————————————————————————————————-

In my last post, I reviewed how DNS works and summarized some security vulnerabilities inherent in this critical network/Internet service. In this post, we conclude our look at DNS security with a high-level examination of DNSSEC, why DNSSEC is still not globally deployed, and some things you can do to improve DNS transaction integrity until it is.

Although DNSSEC supports both individual name resolution and zone transfer transactions, I focus on the former in this article.

Overview of DNSSEC

DNSSEC (Domain Name System Security Extensions) is a suite of specifications which implement record signing to ensure the integrity of certain types of transactions. It uses both asymmetric and symmetric cryptography for RR (Resource Record) or zone transfer transactions, respectively. To ensure the authenticity of information received by a resolver, DNSSEC provides the following (Wikipedia.org):

Origin authentication of DNS data
Data integrity
Authenticated denial of existence

These capabilities are added to the existing DNS framework by using a new set of resource record (RR) types, including (nominet.org.uk):

DNSKEY contains the public key used to sign the data in a secure zone.
NSEC shows the interval between names in the zone. These are used in DNSSEC for ‘authenticated denial of existence’ of an address.
RRSIG contains the signature of other RR types in the zone, including DNSKEY and NSEC. For each set of RRs for which the zone is authoritative, there exists a corresponding RRSIG RR. (An RR set, or RRSet, consists of RRs with the same name, type, and class values. All records in an RRSet are signed with the same signature.)
DS (Designated Signer) RRs contain hashes of the keys of child zones. They’re used to build the chain of trust central to DNSSEC integrity protection.

Figure 1 shows a DNS host RR with its associated signature. When a resolver using DNSSEC receives this information in response to a name resolution query, it uses information contained in the RRSIG RR (contents of Key Tag and Signer’s Name fields) and the sender’s public key to validate the signature.

Figure 1
(nominet.org.uk)

Securing DNS with DNSSEC begins with establishing a chain of trust. Resolvers use ‘anchor keys’ to verify parent domains, beginning with the trust anchor. The trust anchor is the foundation of any chain of trust.

The public key (of the Trust Anchor) is used to verify digital signatures and the associated data. Furthermore, the public key is used to constrain the types of information for which the Trust Anchor is authoritative.

A relying party uses Trust Anchors to determine if a digitally signed object is valid by verifying a digital signature using the trust anchor’s public key, and by enforcing the constraints expressed in the associated data for the trust anchor. (Wikipedia.org)

In an ideal world, the DNS trust anchor for the Internet consists of the root name servers. However, there are issues.

DNSSEC Challenges

There are two categories of challenges when trying to design and implement global DNSSEC security. The first consists of technical and security issues, including (Wikipedia.org & ISC):

There is a problem with DNSSEC’s reporting of names not present in a signed zone via the NSEC RR. It allows enumeration of zone contents. However, NSEC3 is expected to resolve this issue.
An effective method of dealing with trust anchor key rollover has not been defined.
Earlier versions of DNSSEC had issues. This adversely affected confidence in the ability of DNSSEC to improve DNS integrity without introducing other, potentially worse, problems.
DNSSEC will increase DNS traffic with more requests and larger responses. Domains with high volume traffic should prepare for increased bandwidth needs.
DNSSEC is more sensitive to time issues than standard DNS. System clocks must be reasonably accurate.

Although these five problems are important, they are minor when compared to the second set of challenges, challenges related to political posturing and mistrust, including (Wikipedia.org):

The U.S. wants to control the trust anchor keys for the root name servers. Other countries are concerned this would give the U.S. too much control over the Internet. Centralized control by any one country is probably not acceptable to many nations.
It’s unclear how ICANN would handle delegation of names to TLDs managed by entities with which it has no formal agreement, such as .ca.
Some governments are encryption averse. Will they try to ban DNSSEC-backed encryption key distribution?

Some security and Internet professionals are using these challenges as a reason to not implement DNSSEC. The assumption is that it can’t be used without global acceptance. But global acceptance is not necessary to begin making DNS more reliable.

Islands of trust

Even without global implementation, DNSSEC implementation can incrementally improve DNS transaction integrity through the use of islands of trust. See Figure 2.

Figure 2
(nominet.org.uk)

Instead of the trust anchor being a root name server, it is the uk-DNSSEC domain. This could represent something as restricted as a corporate domain with internal child domains. As other levels in the DNS hierarchy transition to DNSSEC, these islands can easily establish a trust relationship with them by exchanging keys, as shown in Figure 3.

Figure 3
(SP800-81, NIST)

Note that in this example, the .com TLD does not have a trust relationship with root. However, this would not prevent all domains under .com from building chains of trust up to the .com trust anchor.

The final word

DNSSEC is not a DNS panacea, and it doesn’t encrypt data. It only signs RRs. However, it promises to establish a level of authenticity in DNS transactions. Overcoming challenges preventing global acceptance might take years. However, several country TLDs already support DNSSEC, making national islands of trust possible. Incremental steps like these will help make DNS, and the Internet, safer. They should not be ignored.

DNSSEC is a complex topic. See the following documents for detailed analysis, design and deployment:

Unix Rosetta Stone

2008-11-19T12:30:00+00:00

I just found the Unix Rosetta Stone which seems simplified, but still probably handy if you've got a really heterogeneous network, or if an AIX machine should suddenly spring up in the middle of the server room.

Judging from the number of Delicious bookmarks it has, it's pretty well know, but I figured that I couldn't be the only person in the dark, and I figured someone might get some info from it.

Getting ready for WordPress 2.7

2008-11-19T10:00:15+00:00

WordPress 2.7 beta3 was just released and probably we will see the final release very soon. In the meantime, here is a great article outlining the changes this version will bring (a complete rewrite of the admin interface): 10 Things You Need to Know about WordPress 2.7, by Aaron Brazell.

ps. if you are using svn for your installation and want to test this release, you need to update to the trunk version:
svn sw http://svn.automattic.com/wordpress/trunk/

Wacky SSH Authorized Keys Tricks

2008-11-19T09:30:00+00:00

You may have caught my blog post last week about setting up host to host ssh keys.

What you might not have caught was in the comments, where Ben Cotton mentioned a trick I hadn't heard of, namely specifying the allowed remote commands in the authorized_keys line. He said there were even more features available, just waiting on the manpage. I replied that if he wrote it, I'd link to it.

Well, Ben put his money where his mouth is. He goes into nice detail and provides some good links and suggestions. This is really fascinating stuff, and I'm looking forward to using it in my own organization.

Therek over at Unix Sysadmin jumped in the fray, too. He's got three neat tricks for your ssh needs that you should really check out. I had no idea SSH key auth could be bent in these directions!

I've said it before, but I'll keep saying it. I love having visitors to my blog who enjoy what I write, and it really brings it home to interact with everyone like this. I couldn't ask for a better bunch of readers, though to be honest, I'm worried about Ben's longevity. I can't imagine what his cholesterol level must be ;-)

Ben, Therek, thank you both very much! I know my readers will really enjoy these articles. And as for everyone else, the same offer goes for you. If you've got something to share, let me know, I'll be happy to link to your blog entry or host it here if you've got the urge to write.

BitTorrent's file fragmentation problem

2008-11-19T06:28:43+00:00

BitTorrent's file fragmentation problem

When BitTorrent receives a file, it gets the various chunks out of order, generally in a completely random one. This presents the client with the problem of putting them in order and in place.

I believe that historically there have been three approaches to deal with this. The very first BitTorrent clients did it the simple way: they put every received block in its correct place by seeking to that spot and writing the block out. The problem with this was horrible file fragmentation (resulting in terrible sequential read performance); because the blocks were written in random order they were generally allocated randomly around the disk, instead of nicely sequential.

Next came the approach of always growing the file in order, and reordering blocks inside the file. When the client got block N, it initially wrote it at the current end of file; when the file grew to be more than N blocks long, block N finally could be swapped into its correct location in exchange for whatever was already there. This avoids file fragmentation (the client is always expanding the file sequentially), but at at the cost of an increasing amount of file IO to shuffle blocks into their correct places.

(This file IO does not matter all that much for typical clients, which have much more disk bandwidth than network bandwidth, but it can be a significant issue if you are running BitTorrent on fast networks, especially since disks are seek limited.)

The final approach is for the client to pre-write the file (with empty contents) before it starts receiving anything, and then to directly write received blocks into their correct locations. Pre-writing the file forces sequential allocation (possibly better than growing the file does), and rewriting parts of it later generally doesn't change this. The cost of this approach is a potentially significant startup delay, as the client writes what may be several gigabytes to disk.

(Note that many of these sequential allocation assumptions break down if you are using a log-structured filesystem such as ZFS. Copying the file again after you've received it may be the only good solution.)

I wish I could tell you that BitTorrent has solved this problem, but as far as I know it hasn't; you just get to pick which drawback you want. I believe that most BitTorrent clients today default to the second approach but give you an option to do the third.

(One comment.)

Links for 2008-11-18 [del.icio.us]

2008-11-19T06:00:00+00:00

Emacs: Dired Directory Management - journal

This is The Working Hour; we are paid by those who learn by our mistakes

2008-11-19T04:30:21+00:00

I'm in the process of setting up a bunch of new servers for $job_2. All but one are CentOS 5.2, kickstart installed and managed with cfengine. This is the third time I've goen thorugh a cfengine setup, and it always feels like starting from scratch each time. It seems — and I'm not at all sure this is fair or accurate — that each time I set up one of these systems, there's a lot that I've lost from the last time and have to relearn. I'm fortunate this time that I can refer to $job_1's setup to see how I did things last time, but if I didn't have that I'd be significantly further behind than I am.

I'm not sure what the solution is. Part of me thinks I should just be more aggressive about taking notes, or committing stuff to a private repository, or writing it down here more; part of me thinks that this might be a clue that cfengine is too low-level for my head. It feels like when I was trying to learn C, and couldn't believe that I had to remember all this stuff just to print something, or read a file, or connect to another machine over the Internet. By contrast, Perl (or any other scripted language) was such a relief…just print, or open, or use the Net::Telnet module, or whatever. The details are there and they are important, sometimes very much so; that doesn't mean I want to learn more metallurgy every time I need a fork. (No, I don't think that metaphor's tortured; why do you ask?)

Another thing is that I'm trying to get multipath connections working for the first time. We've got two database servers, each of which is connected via dual SAS HBAs to outboard disk arrays. (I don't think anyone else calls them "outboard", but I like the sound of it. See this hard drive? It's outboard, baby!) The arrays are from Sun and come with drivers, but the documentation is confusing: it says it's available for RHEL 5 (aka CentOS 5), but the actual download says it's only for RHEL 4.

As a temporary respite, I'm trying to see if I can get these workign using Linux's own multipath daemon, and it's also confusing. The documentation for it is tough to track down, and I just don't understand the different device names: am I meant to put /dev/dm-2 in fstab, or /dev/mpath/mpath2p1? If the latter, why does the name sometimes change to the WWUID (/dev/mpath/$(cat /dev/random)) when I restart multipathd? (use_friendly_names is uncommented in the config file.) If the whole point of multipath is failover, why does this sequence:

touch /mnt/1
remove first cable
rm /mnt/1
replace first cable
touch /mnt/2
remove second cable
rm /mnt/2
replace second cable

(where /mnt is where I've got this array mounted, obvs) sometimes work, and sometimes end with "I/O error" being logged, and the filesystem being read-only? Is this the sort of thing that the Sun driver will fix? I can't find anything about this.

And I mentioned electrical problems. When we got our servers installed, the Sun guys told us they'd tripped breakers on the PDU and/or breakers in the room's electrical cabinet. Since it had a sign on it saying "100A", I figured we might be running up against power limtis — either in the room as a whole, if my figures were 'way out, or on individual PDUs. Turns out I was probably wrong: I missed the bit on the sign that said 3-phase, which means (deep breath) we probably have 3 x 100A power available (I think).

It's more complicated than that, because some of it is in 120V, some of it is in twist-lock 220V 30A circuits, and so on. But I should've checked before emailing the faculty member who, in a year or two, will be going into this room (we're there as guests of the department) and happens to sit on the facilities committee. He had asked how we were doing, so I sent him an email — nice, polite, and including a bit about how grateful we were for the room and the help of the local sysadmins (all of which is true).

I was under the impression that he was asking for info now, so that he could bring it up for action in a few months when we were out. Instead, two hours later when I'm swearing at multipath, in come the facilities manager and one of the sysadmins I was dealing with, looking to find out just how much power we were using anyhow. I apologized profusely, and they were very cool about it. But when the committee guy asks questions, people jump. I had not anticipated this. Welcome to University Politics 101. I emailed again and explained my mistake.

There are lots of remedial courses I could take. However, today I would most like to take "Electricity and wiring for sysadmins".

And on another note: Ack! My laptop's home partition is 93% full! How the hell did that happen?

And again: How did I not know about apt-file? This is perfect!

(Touch o' the hat to Tears For Fears and Steve Kemp; I'm moving closer every day to switching to Chronicle.)

Meltdown

2008-11-19T03:46:57+00:00

It's been quite a long time since I've posted anything. I just didn't seem to have any energy to do so after the brain meltdown of my job caused me to revert mentally to two years of age and start to loudly demand biscuits and my stuffed elephant. You'll be glad to hear that I'm better now. I have medication. The very patient staff at the asylum have even managed to teach me to read and write again.

I also have a new job, much to the disgust of Roy who I left behind at the old employer cleaning up after me.

In the interview for the new position, they seemed a little vague on what my duties would actually be. This didn't unduly concern me given that my interview was informal to say the least. A pair of technicians were interviewing me and seemed a little hazy on what they were supposed to ask. I probably though should have paid a little more attention at the time to the only other member of the team I was to be joining. He looked as though he hadn't slept in a month.

On my first day, I was introduced to The System. It seems I hadn't really been hired to be a UNIX Systems Administrator in any sense of the word I understood. I had been hired to look after The System.

The System is a sprawling catacomb of home-built perl that acts as a tool to perform monitoring, configuration management, customer relationship management, documentation, change control, trouble ticketing and making toast. It has a PHP front-end that I'm told only works for the simplest of tasks – anything even vaguely complicated and I'll need to write SQL to poke my commands straight into the database.

It seems the parent company have been trying in vain to get my department to replace The System with an off-the-shelf product for years, but that my department believe The System is a far better solution. 'This way' the architect beamed, 'we can just make it do anything we want instead of being forced into someone else's idea of management!'

I was supposed to have my first training session in using The System yesterday afternoon – unfortunately my mentor was called away abruptly. It seems The System has had a bit of a hiccup ... for about six months ... and hasn't been monitoring some systems it should have been. My mentor, who actually seems like quite a nice guy, informed me wryly that this has happened before.

Afternoon of day two, and I'm still sitting here sipping chilled water and flicking through engadget waiting for that first lesson. I can't wait.

Vendors Who Don’t Realize Virtualization Is Here To Stay

2008-11-19T01:38:46+00:00

I second the vinternals commentary on Symantec. The security software vendor joins the ranks of the clueless with their wonderful support document:

Question/Issue:
Is ESX server VMotion supported with SAV and SEP?

Solution:
Symantec does not support ESX server VMotion at this time.

Vendors are shameless. They charge you a ton for support, then they’ll do whatever they can to point the finger at somebody else when you call. It’s one thing to put a disclaimer in for performance issues. Virtualization sometimes exposes weird performance issues, and if it’s a performance issue you’re having you might need to do some work to troubleshoot it on your own if it isn’t a blatant, completely reproduceable problem with the vendor’s software (like CPU-sucking spin locks).

It’s another thing to say that their software isn’t supported at all, or to say that a problem must be reproduced on physical hardware. Most of the problems I’ve ever called a vendor about are explicit functionality problems (bugs). Physical hardware, virtual hardware, it doesn’t matter: their software just doesn’t do what it’s supposed to. A vendor’s support staff should be competent enough, and professional enough, to sort out a bug report from a performance problem and act accordingly.

Oracle doesn’t support anything in VMs (as per an Oracle employee last week to me). Lyris doesn’t support anything in VMs (last time I checked, a few months ago). Symantec doesn’t support anything in VMs (technically they said VMotion, but for an enterprise VMotion goes hand in hand with VMs). What other vendors are as clueless as these three? I think I’m going to start making a list.

Amazon announces its own content delivery network: CloudFront

2008-11-18T22:30:20+00:00

Today Amazon announced the public beta of Amazon CloudFront, their AWS service for content delivery. This is the service that many users of Amazon S3 (Simple Storage Service) have been waiting for a long time. Even if S3 was never a ‘real’ CDN (content delivery network) it was used by many sites to serve static content. The main limitation of this approach was that it had no geographical awareness as content delivery networks usually have; the fact that S3 is highly scalable and well priced made this solution acceptable on S3.

CloudFront is the answer to all users’ requests about using S3 as a CDN, delivering the content using a global network of 14 edge locations. CloudFront uses S3 to store the original file, and caches copies of the content close to end users locations, lowering latency when they download the objects.

Amazon CloudFront uses the following edge locations:
United States
* Ashburn, VA
* Dallas/Fort Worth, TX
* Los Angeles, CA
* Miami, FL
* Newark, NJ
* Palo Alto, CA
* Seattle, WA
* St. Louis, MO
Europe
* Amsterdam
* Dublin
* Frankfurt
* London
Asia
* Hong Kong
* Tokyo

CloudFront advantages:

simple to implement; uses S3 as a ‘backend’;
cost effective - pay only for what you use; priced very well just as S3 with prices starting at $0.170 per GB for content delivered in the US and Europe, and $0.210 per GB for content delivered in Asia;
reliable - even though this is launched as beta and there is no SLA, we can expect to have a very reliable service from Amazon built on the experiences of s3 and ec2.

CloudFront disadvantages:

this is a http only service; if you will need https for ex. you will not be able to do that.
no control over caching; CloudFront will cache the file from your S3 bucket and serve it based on the closest dns location; this cache can expire in case of infrequent used files.
no stats (besides the aws bill of course ).
this is not trying to compete with the big CDN solutions out there, as it will be hard to match their features, but to provide a simple and cost effective solution that everybody can use.

In conclusion, this is great news from Amazon, and I am sure that even as I am writing this, many users that are serving their content from S3 have just finished switching over to CloudFront. For more details about CloudFront check out the AWS CloudFront page.

Tech Messages | 2008-11-18

2008-11-18T22:00:33+00:00

A special extended edition of Tech Messages for 2008-11-11 through 2008-11-18:

MDS Fabric and Blade Switches May Reload After 497 Days of Uptime
After 497 days of uptime the switch may restart due to a software defect. This problem is intermittent and may not happen every time. If the switch is running SAN-OS 3.3(2), NX-OS 4.1(1b) or above software, the switch is not vulnerable to this issue. (CCO login required)
FielCisco Clean Access New CCA Server Cannot Be Added to CCA Manager and CCA Manager Cannot Get Updates if the OS Detection Fingerprint Version on CCA Manager is 7
OSDF version 7 has a software defect that may result in a loss of service for NAC Servers (Clean Access Servers). This version has been removed from the update server. (CCO login required.)
MCS-78xx-H3 and MCS78xxH3 - Some Servers Have an Incorrect MAC Address Label
Between April 2008 and August 2008, some MAC Address Labels that HP placed on Cisco-Branded HP servers did not match the actual MAC Address of the Network Interface Card. (CCO login required.)

Related Posts (Automatically Generated)

MySQL Problem and Solution Posts: r0ck.

2008-11-18T21:30:50+00:00

Taming MySQL is… challenging. Especially in very large, fast-growth, ‘always-on’ environments. It’s one of those things where you seemingly can never know all there is to know about it. That’s why I really like coming across posts like this one from FreshBooks that describes a very real problem that was affecting their users, how they dealt with it, why *that* failed, and what the final fix was. Post a link to your favorite MySQL Problem and Solution post in the comments (oh yeah, and “subscribe to comments” should be working now!)

No such thing as effective license enforcement

2008-11-18T21:29:13+00:00

License security is not the same as software security. In fact, sometimes they are at odds with one another.

A year and a day ago, in the article Radiohead knows more than Microsoft about security, I pointed out the failings of DRM and the licensing based business model. On the third of this month, TR regular Oz_Media made the point that:

MS can’t even secure their licensing system, yet alone the software that uses it.

In truth, the fact Microsoft is increasingly unable to secure its software license enforcement against circumvention isn’t really Microsoft’s fault. It’s out of the corporation’s hands, for all intents and purposes. Microsoft’s real failure is in failing to read the writing on the wall, and make plans that don’t require trying to secure the unsecurable.

The business model Microsoft uses for software like MS Windows and MS Office is, officially, dependent upon the assumption that the corporation can prevent people from using the software without explicit permission from Microsoft or one of its agents or partners. Ultimately, what this means for Microsoft’s current business model is that it relies on the assumption that it can somehow both provide customers with everything needed to run the software and, at the same time, prevent people from using the software for reasons that are not specific to any given copy of the software.

This approach mandates the use of what amounts to DRM software. In this case, because the “content” the vendor wishes to “protect” is itself software, the DRM is integrated with the content itself. There are some minor advantages to this approach over that employed by distributors of non-software content, such as music distributors:

Because the DRM is integrated with the software, and because of the way people view software differently from music and other entertainment content, it is more acceptable to provide access keys separately from the content and DRM code itself. As a result, copies of the “protected” content do not actually contain the key needed to bypass protection.
When dealing with a closed source software vendor like Microsoft, it has come to be an expected fact of life that one will end up with stuff installed on the system with which the user is not familiar, and that the user did not explicitly approve, even months after the software was initially installed. Software updates such as those provided by Microsoft Windows Update often make undeclared changes to the system, and people have grown used to assuming they’re wanted and needed changes — or, at least, unavoidable. When DRM software for something like a CD full of music does something like that, however, people recognize it for what it is.
Because the “protected” content itself is software, the annoyance of having to install and run software that enforces that protection is not so great; users were planning to run software anyway.
Content, in the non-software sense, is expected to be portable. Software itself is not. This is a somewhat reasonable expectation, because that content is simply data, and software is meant to parse and interpret that data to render it in a form that is meaningful to the user. The software itself, however, must be compatible with the foundation on which it is built, starting at the hardware level, moving up through the OS, and so on. Tying such content to a piece of DRM software ties that content to the DRM software’s compatibility limitations, which tends to annoy people who aren’t using the specific software foundations (i.e., the “platform”) assumed by the creators of the DRM software. This can make DRM functionality less acceptable for that content.

Just like more obvious uses of DRM, however, basing one’s business model off assumptions of the inviolability of DRM code embedded in “protected” software is a losing proposition. Even though your license key for MS Windows is printed on a piece of paper rather than embedded in the software, even though it is expected and generally accepted that a closed source commercial OS will install things on your computer without your explicit permission or knowledge and will probably “phone home” occasionally, even though there is no additional software installation step distinct from access to the “content” you want, and even though the portability expectations are lower, you still have the basic problem that it’s difficult to keep people from “misusing” the license key system.

Inviolable technological enforcement is essentially impossible, in fact, because to allow a user to get access to your software, you have to give that user the means to access it. If that user, either deliberately or without understanding what he or she is doing, decides to violate license terms, that means of access — in the case of how Microsoft implements enforcement, a license key — is no longer restricted to the authorized user. If your intent is also to keep the user from using the software in particular, unauthorized ways, your problem is compounded, because everything needed to violate such restrictions is in the user’s hands. If it wasn’t, he or she wouldn’t even be able to use it the way you intended it to be used in the first place, and you’d have a very difficult time selling software.

Software can be kept secure, but the definition of “secure” in each case must essentially be the definition selected by the software’s administrative user. Unless Microsoft gives up any pretense of selling software to consumers, and starts merely renting out or selling user accounts on software Microsoft employees will manage as administrative users, there is simply no way for Microsoft to achieve inviolable technological license enforcement. If it does so, it will only have the behavior of its employees to police (and, of course, vulnerabilities in the software itself).

The upshot is that license security is simply not enforceable the same way software security is. As a result, the fact Microsoft cannot keep its licensing model secure does not necessarily reflect poorly on its ability to secure its software. If there is blame to be laid at Microsoft’s feet for poor software security related to poor licensing security, it is because Microsoft diverts resources from ensuring software security (an important goal) to chase after license security (an impossible goal).

Of course, it may be that inviolable technological license enforcement is not what Microsoft really wants at this time. Many have hypothesized that piracy is an integral part of Microsoft’s marketing plan, dominating much of the market by any means necessary and trying to maximize revenue once the market is sewn up by selectively enforcing licensing via legal, rather than technological, means. That, however, is a discussion for another day.

On Remote Workers and Working Remotely

2008-11-18T18:39:49+00:00

I’ve been on both sides of the remote worker relationship. On the manager side, I’ve managed some good-sized projects using an all-remote work force. Indeed, I’ve hired, managed, fired, and promoted workers without ever knowing what they look like. On the worker side, I do most of my work remotely, and I have for some time now. Judging by the amount of repeat business I get, I’d say that I’m more than acceptably productive working remotely.

In dealing with various clients, recruiters, prospective employers, business owners, and talking to friends who manage people for a living, I’ve heard pretty much every excuse/reason there is for not wanting to deal with a remote work force. I’ve heard and experienced successes with remote workers as well, and they all have a few key things in common, which are missing from the stories of failure. I’ll talk about them in a minute.

I first want to just say that I’m not some kind of fanboy who thinks remote workers are the answer to every problem. There are valid reasons for not having remote workers. For example, it’d be hard to build cars with a remote work force. Some things (some!) just require a physical presence. Whoever maintains the printers at your company really has to be around to change out ink cartridges and stuff like that.

There are certain classes of jobs, though, that are well-suited to working remotely. There are even classes of jobs that are necessarily performed remotely to some degree (field sales and support technicians for example), that could be made 100% remote with the proper tools and processes in place.

So what makes a remote worker success story different from a story of failure?

Always be prepared…

The number one difference I’ve seen between success and failure in managing a remote work force is that successful managers spent the time to prepare the managers, the team, the department, the organization, and the remote workers themselves to work remotely.

If you don’t prepare for a remote work force, you will fail miserably. As a result, I’m a big advocate of treating “Let’s go remote!” as an internal project with goals and milestones just like any other project. Preparing an organization to manage a remote work force takes a good deal of forethought, with a focus on communication and collaboration tools, reporting, accountability, scheduling, etc. In addition, you have to prepare the remote workers themselves, to insure they know what’s expected of them in terms of reporting their status, scheduling, communication, etc. They also need to know *about*, and *how to use* the tools they’ll be expected to use from home.

You have to plan this. You have to prepare, or you’re going to be like the HR manager who told me their company no longer allows for remote workers because “we tried it once and the guy made a complete mess of things”. When I asked the HR manager why he attributed that to the geographic location of the worker, he said “good point, he could just as well have made a mess here in the office”. You need good workers no matter where they’re going to work. The workers need expectations and goals from the manager, and the manager needs feedback and communication (and results!) from the worker. Tools help to facilitate these things. This is already a long post, so I’ll probably make a tools list in another post.

Communicate, and set expectations

Before the tools come other higher-level decisions and communication. For example, one problem I’ve heard more than once about remote workers is “we can’t hire a remote worker full-time, because then everyone will want to work from home”. As if they didn’t already all want to work from home! Everyone would love to have the option! Even if they didn’t take advantage of it, they’d consider it a really cool perk! They’d tell all of their friends about it, because it would make them jealous, and guess who their friends will contact first when they start to look for other opportunities?

You have to start somewhere, and you can’t just swing the barn doors open and let everyone go their own way on day 1. If you have an existing corporate structure in place with assets and services and regular meetings and the like, then you have to decide who can make the most benefit from a remote situation the soonest, make them the pilot group, and manage the expectations of the rest of the organization while the pilot group prepares to move to a remote workspace.

1, 10, 100, 1000

A common software application rollout strategy is to make it accessible to 1 user, then 10, then 100, then 1000, then… move up from there. In preparing your organization or department, you might consider a similar strategy.

I work for a client right now where I’m the “1″. If I can work effectively with the rest of the team (in the office), if I can produce results, remain accessible as-needed during working hours, manage the expectations of my team with regards to my presence (appointments happen), and overall be an asset to the team, then the management may decide that it can work on some larger scale - even if ‘larger’ means 2 instead of 1. It might also be useful to do a ‘remote rotation’ so that glitches can be caught early before making a physical presence in the office optional.

Success, of course, means getting together with the team and figuring out what tools will be used to best emulate an office working environment. We use IRC for 99% of our communication, falling back to email when we need to cc managers, we have a wiki for documentation and status updates, we have a trouble ticket system, everyone has everyone else’s phone number, blackberry PIN, or whatever. We’re a technical group doing system administration. It’s working wonderfully.

“But if the sysadmins work from home, the developers will want to work from home!” Maybe so. That’s where you have to manage expectations, and communicate with your workers to let them know that the company’s ‘office optional’ project is in an early alpha stage, that it’s being tested on the group most familiar with the technologies involved, and most capable of exploiting those technologies successfully to produce results. Once the geeks work out the shortcomings, and management is able to evaluate the effectiveness of the plan, the tests will become more widespread.

Really, it’s not a whole lot different from doing anything else that affects the whole company: changing payroll providers, healthcare options, software and desktop hardware upgrades and replacements… it just takes communication. The process has to be managed, just like every other process.

There’s more than one way to do it!

There’s no one solution out there. When I joined php|architect Magazine in 2003, it was run by Marco Tabini, and I was a remote editor. A couple of months after joining, I became editor in chief, and was in charge of remotely managing the magazine. I did it differently from Marco, but he still remained involved and engaged through good communication.

Python Magazine was created and managed by me, and for the entire lifespan of the magazine, I have not seen anyone else involved in its production in person. Ever. Design, production, web site admin, executive administration, tech editors, authors, accountants… time lines, budgets and planning documents… all remote, and mostly delegated. I started the magazine with the thought that at some point someone more engaged in the community and with Python should take charge — I was just a “temp” to get the vision off the ground. Sure enough, when I handed the magazine over to Doug Hellmann, he did things differently from me, and it’s working out wonderfully for him as well!

Everyone has their own management style. Don’t think that just because your management style is a little unique you can’t handle remote workers. Good managers are creative, and aren’t afraid to execute on creative solutions.

How handy is that? I mean, are those?

2008-11-18T18:30:28+00:00

DNS and Emacs:

M-x dns-mode
M-x dig
dig-browser.el (Can't find a proper web page for it)

Scalability Perspectives #2: Van Jacobson – Content-Centric Networking

2008-11-18T18:27:01+00:00

Scalability Perspectives is a series of posts that highlights the ideas that will shape the next decade of IT architecture. Each post is dedicated to a thought leader of the information age and his vision of the future. Be warned though – the journey into the minds and perspectives of these people requires an open mind.

Van Jacobson

Van Jacobson is a Research Fellow at PARC. Prior to that he was Chief Scientist and co-founder of Packet Design. Prior to that he was Chief Scientist at Cisco. Prior to that he was head of the Network Research group at Lawrence Berkeley National Laboratory. He's been studying networking since 1969. He still hopes that someday something will start to make sense.

Scaling the Internet – Does the Net needs an upgrade?

As the Internet is being overrun with video traffic, many wonder if it can survive. With challenges being thrown down over the imbalances that have been created and their impact on the viability of monopolistic business models, the Internet is under constant scrutiny. Will it survive? Or will it succumb to the burden of the billion plus community that is constantly demanding more and more?

Does the Net Need an Upgrade? To answer this question a distinguished panel of Van Jacobson, Rick Hutley, Norman Lewis, David S. Isenberg has discussed the issue on the Supernova conference. In this compelling debate available on IT Conversations, the panel addresses the question and provides some differing perspectives. One of the perspectives is Content-based networking described by Van Jacobson.

Mamma.com: Insider trading and XSS

2008-11-18T17:55:00+00:00

Mamma.com's got issues other than Mark Cuban's insider trading allegations. As a point of reference for this conversation, Mamma.com is ranked 4064 on Alexa as of today.
I won't profess to following Mr. Cuban's public life and the occasional antics. Obviously, he's a colorful and popular figure; certainly in Dallas, if not nationally.
What follows is not a judgment of Mr. Cuban or his pending legal challenges. I'm sure the process will play itself out accordingly.
A quick summary and some reference material:
The SEC has filed insider trading charges against Mr. Cuban. "According to the SEC, Cuban dumped 600,000 shares, or all of his 6.3% stake, in the search engine Mamma.com (The Mother of All Search Engines), in June 2004 after learning about private financing that the company was proposing. By selling, he avoided losing $750,000, the SEC alleges."
The whole issue for Mr. Cuban was PIPE financing because it's "dilutive to existing shareholders’ stakes."
That's the long and the short of the current issue, and again, not my real interest here, with the exception of the bet I made with myself regarding the probable web application security posture of mamma.com.
All this talk about a popular site immediately sets off the little bell in my head (I hear it a lot).
"What's wrong with the site?" is always the first question I ask myself.

I was not disappointed.

Mamma.com exhibits the following issues:
1) XSS vulnerability in the utfout variable.

2) XSS vulnerability in the qtype variable.

3) XSS vulnerability in their Mammajobs site at the pid variable. This one's weirder still; if you drop an IFRAME in, it simply redirects to any URL you include in the IFRAME string.

4) The prospect of CSRF (rather pointless here given that its just a search engine, but but still defies best practices) appears likely given that mamma.com blindly accepts updates via GET and POST with no sign of a formkey (canary) in sight.

I figured it best to stop there, and have submitted all these to Copernic (the Momma parent company).
I am however truly disappointed that an enterprise as ambitious and motivated as Momma/Copernic seems to have thrown the baby out with the bath water when it comes to web application security.
With regard to Mark Cuban dumping his shares: maybe he was afraid of getting pwned. ;-) All kidding aside, it's a shame that the whimsical and pessimistic thoughts regarding web site security that bounce around in my head inevitably bear themselves out.

del.icio.us | digg | Submit to Slashdot

Funny video: The Matrix Runs on Windows

2008-11-18T16:59:24+00:00

See more funny videos and funny pictures at CollegeHumor.

Playing with OpenSSH public keys

2008-11-18T16:25:17+00:00

Three neat OpenSSH tricks I think worth mentioning. They all revolve around the authorized_keys files.

links for 2008-11-18

2008-11-18T16:00:13+00:00

ATT-ab9791303777839bd9f2b524bc8e98b8.jpg - (37signals)

"All I want in life sometimes is for AT&T to say, 'Sarah, you have accumulated so many unused minutes and texts that your next bill is free, since we realize ‘rollover’ means nothing to you. Have a nice day.' Me, too. My phone bill looks surprisingly like hers. I hate talking on the phone.
jwz - parking haiku

LOL.
Fire hydrant - Wikipedia, the free encyclopedia

"Class AA hydrants (>1500gpm) should have their nozzle caps and bonnet colored light blue." I knew the new paint on the hydrant outside my house was related to flow, but I didn't realize how much. 1500 GPM is a lot.
Modeling Compound | Play-Doh | Walgreens

"Molded results vary depending on child's age and level of skill." DUH. (hat tip to Raymond Chen & his blog, Old New Thing)
Food: Your TiVo Now Places Orders for Domino's Pizza On-Demand

"You got 30 minutes" — nice English, Dominos marketing idiots. If only my most favorite pizza place in the world, Mama's Pizza in St. Paul, could deliver to Madison…
Second Life affair ends in divorce - CNN.com

"Taylor is now in a new relationship with a man she met in the online roleplaying game World of Warcraft." So many comments, so little time.

Planet SysAdmin

Links for 2008-11-19 [del.icio.us]

Links for 2008-11-19 [del.icio.us]

Bailouts

A growing realization about tcpdump and reading IP traffic

A growing realization about tcpdump and reading IP traffic

HomePlug revival continues with new Netgear Powerline gear

So that's where they're keeping it

I love working at UBC

links for 2008-11-19

ISC Releases BIND 9.4.3

My Last Logging Interview?

Debian /etc/cron.d/ gotcha

A Fun List of Security Blogs

Darn Good Idea ... If Done Well

MS AV Out and Free ... Uh-Oh

You don’t have to wait to deploy DNSSEC

Overview of DNSSEC

DNSSEC Challenges

Islands of trust

The final word

Unix Rosetta Stone

Getting ready for WordPress 2.7

Wacky SSH Authorized Keys Tricks

BitTorrent's file fragmentation problem

BitTorrent's file fragmentation problem

Links for 2008-11-18 [del.icio.us]

This is The Working Hour; we are paid by those who learn by our mistakes

Meltdown

Vendors Who Don’t Realize Virtualization Is Here To Stay

Amazon announces its own content delivery network: CloudFront

Tech Messages | 2008-11-18

MySQL Problem and Solution Posts: r0ck.

No such thing as effective license enforcement

On Remote Workers and Working Remotely

Always be prepared…

Communicate, and set expectations

1, 10, 100, 1000

There’s more than one way to do it!

How handy is *that*? I mean, are *those*?

Scalability Perspectives #2: Van Jacobson – Content-Centric Networking

Van Jacobson

Scaling the Internet – Does the Net needs an upgrade?

Mamma.com: Insider trading and XSS

Funny video: The Matrix Runs on Windows

Playing with OpenSSH public keys

links for 2008-11-18

A growing realization about `tcpdump` and reading IP traffic

A growing realization about `tcpdump` and reading IP traffic

How handy is that? I mean, are those?