
Comments


Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:You are doing it wrong. (327 comments)

No, a firewall is an application, a process that brokers all incoming and outgoing communications and maintains a state table of those inbound and outbound connections. The key there is that it maintains a state table. tcpd is a shim process that acts between inetd and the actual application. It is not a firewall. It doesn't drop packets. It doesn't maintain a state table, so it can't, for instance, handle reflexive policies or tell whether or not a dialog has been established. It does handle access control for applications based on IP. However, there's a difference between a firewall saying "you aren't on my allowed hosts list, DROP" and inetd saying "packets accepted, looks like you want to launch application X, tcpd, is that cool? No? OK, sorry, not allowed. SIGTERM." In the end you get similar results, but they're significantly different processes.

This is why I strongly disagree with the idea that firewalls are always needed. They're just another tool, and there are other tools that do similar things.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:It depends (327 comments)

That I will certainly give you :) And we do have some workarounds - namely using hosts.allow and hosts.deny. It still functions essentially the same as a firewall, but it doesn't require the additional process that interferes with their software.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:You are doing it wrong. (327 comments)

I think you should read the Oracle documentation I posted pointing out how Oracle functions before you make assumptions about what we are doing (http://docs.oracle.com/cd/B28359_01/network.111/b28316/concepts.htm). We aren't using Oracle by choice, it is bundled inside a vendor's application and configured as they need it configured. Hardware is based on their specs. Software is configured based on their specs to maintain support. We are blocking the ports at the network level using a firewall. We are also blocking the ports at a local level using hosts.allow and hosts.deny. You don't NEED to use a firewall process to block things. tcpd reads hosts.allow/hosts.deny every time a connection comes in and determines whether or not a host is allowed, and also what services are allowed from that host.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:It depends (327 comments)

Right, we'll tell them and get told "hey, thanks, but Deutsche Telekom doesn't want to change, so we're not implementing it." We've tried. We aren't their largest customer by a long shot, and so long as they are providing critical infrastructure for several governments, they're going to move to change things at glacial speeds.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:It depends (327 comments)

Or they are apps that have been around for 20+ years on Solaris, predating stuff like SELinux. They've updated somewhat frequently, but a lot of core technology hasn't changed. Also, the move from Unix to Linux introduces some interesting issues that show Linux's relative immaturity in comparison. For example, Linux doesn't handle network multihoming very well in comparison. You can only stipulate a single default gateway normally - you have to set up a workaround by adding additional routing tables, bind each to an interface, create rule and route files, etc., which to my knowledge don't play nice with a number of Linux security features. iptables is notorious for having issues with multihomed Linux servers. Point is, saying "you aren't using a firewall and that is wrong!" is a blanket statement that has many exceptions for different situations.

Given the vendor supports infrastructure for several national governments, I don't think they're likely to change very quickly. I actually just checked the vendor's website - as of release 20, they now support SELinux in permissive mode. Still not supported in enforcing mode.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. (327 comments)

Correct - for all of our telephony servers ksh is set as the default (some weird carry-over from the way the vendor software reconfigures Linux to act more like earlier Solaris did). So, whenever users log in, they're using ksh. Usually folks use their own accounts thanks to centralized auth or they get nastygrams.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

FYI, I looked at the 11g docs and you are correct, the default is now to use a shared instance. We are still using dedicated instances on our end. Section 3.4 covers it here: http://docs.oracle.com/cd/B283...

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re: Its Fine. (327 comments)

FYI, it depends if you're using a shared or dedicated server process. Shared uses a single interface, dedicated creates a new instance. We use dedicated in our environment. Check section 3.4.2 per the 11g docs: http://docs.oracle.com/cd/B283...

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

This applies to all Oracle installations, and from training, this is still the default (at least as late as 11g, I haven't tried 12 yet - again, that is per Oracle training). We're running Oracle Grid with Data Guard (4 separate 2-node clusters with failover sites) on RHEL5. It functions the exact same way. Shared socket works so long as you don't mind the bottleneck it creates. It's far easier to remove iptables from the picture and let Oracle function as it is supposed to. Any sort of access control can be handled by using hosts.allow/hosts.deny and letting tcpd handle it instead of having a whole extra process in the picture.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

Also, hosts.deny all:all and then adding the hosts you want to allow in hosts.allow works just as well as a firewall, without having an extra process running on your systems.

yesterday
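As an added example (not from this thread, and not tcp_wrappers' own code), here is a Python model of the decision tcpd/libwrap makes from hosts.allow and hosts.deny, so the "deny ALL:ALL, then allow-list" pattern from these comments can be checked offline; the rule files, daemon names and addresses are constructed. It models ALL, exact addresses, trailing-dot prefixes, net/mask and CIDR patterns and EXCEPT lists, skips hostname lookups, and only describes services that actually consult libwrap.

```python
import ipaddress

# Constructed sample files (not the poster's real configuration): a
# default-deny hosts.deny and an allow-list hosts.allow, as described above.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# allow-list, one 'daemon_list : client_list' rule per line
# ops subnet for ssh, minus one host
sshd: 10.20.30.0/255.255.255.0 EXCEPT 10.20.30.99
# whole 10.20.0.0/16 for the Nagios NRPE agent, by leading-octet prefix
nrpe: 10.20.
ALL: 127.0.0.1
"""


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (daemon_tokens, client_tokens) pairs.
    Blank lines and '#' lines are skipped; a line with no ':' is ignored, which
    is what tcpd does after logging a syntax error."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _client_matches(pattern, ip):
    """Match one client pattern against an ipaddress object (no DNS here)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "10.20." leading-octet prefix
        return str(ip).startswith(pattern)
    try:
        if "/" in pattern:                    # net/mask or net/prefixlen
            return ip in ipaddress.ip_network(pattern, strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False                          # hostname patterns are not resolved


def _list_matches(tokens, matcher):
    """Evaluate 'a b EXCEPT c d' lists; EXCEPT nests to the right as in tcpd."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], matcher) and not _list_matches(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's order: a matching hosts.allow rule grants, else a matching
    hosts.deny rule refuses, else the connection is allowed (default permit)."""
    ip = ipaddress.ip_address(client)

    def any_rule_hits(rules):
        return any(
            _list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and _list_matches(clients, lambda p: _client_matches(p, ip))
            for daemons, clients in rules
        )

    if any_rule_hits(parse_rules(allow_text)):
        return True
    if any_rule_hits(parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for d, c in [("sshd", "10.20.30.5"), ("sshd", "10.20.30.99"),
                 ("nrpe", "10.20.99.7"), ("sshd", "192.168.1.1"), ("nrpe", "127.0.0.1")]:
        print(f"{d:4} from {c:12} -> {'allow' if hosts_access(d, c) else 'deny'}")
```

Note the last branch of hosts_access: with an empty hosts.deny the same allow-list permits everyone, which is why the comments above pair it with ALL:ALL in hosts.deny.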

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

We're using Oracle Grid Infrastructure/Data Guard on Linux. Windows Firewall doesn't apply.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:It depends (327 comments)

Reread the other comments - if you are in a situation where you have millions of users on a vendor-supported platform, you meet whatever requirements the vendor requires to continue receiving support as stipulated in their contract. If they say no application firewalls because they interfere with their application's functionality, it's not incompetence, it's a hoop you jump through to continue receiving support under your contract. Or, you get to explain why the vendor won't take the operations guys' calls at 4am in the morning when you've got 2 million customers without service.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

For us, we control everything else using both hard firewalls and ACLs. Everything in those subnets purposefully needs to be able to talk to everything else. Plus, as mentioned elsewhere, we're beholden to the vendor whose application is running on those boxes, and their config requires iptables and SELinux to be disabled on individual hosts. So, we control everything with network equipment above them. I think the only thing we are using iptables for is mangling DSCP markings.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

Yup, this is our case. There's also a common misconception that with Oracle you can just open port 1521 and everything works, but per Oracle, that's only part of it. SQL*Net is weird software.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

The actual training did "get into" why it works that way. See the above referenced article explaining how SQL*Net works. 1521 doesn't handle the actual SQL query; it forks a new Oracle process for that particular request which has a new socket associated with it.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

FYI, Oracle requires ports from 1024-65535 to be open for any client. 1521 is only used for the initial setup dialog. This also forks a new Oracle process, which gets its own socket. Afterwards, as stated above, this information is sent back to the client which reconnects on the new socket. This Oracle doc explains what I am talking about: https://asktom.oracle.com/pls/...

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:It depends (327 comments)

I disagree. When we have 15 million customers on a 3rd party's platform, we can't suddenly turn around to that vendor and say "yeah, no, you're using SELinux no matter what." We either build things to their spec, or we lose support. Their spec stipulates disabling SELinux and iptables, so they get disabled. Case closed. So, while I agree in principle, I have to disagree that it's always possible.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. - not (327 comments)

After 4 weeks of Oracle training, the advice from the Oracle trainer was that Oracle simply doesn't play well with firewalls. I'm not a DBA (thankfully), but that's from their actual instruction.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. (327 comments)

It's actually quite useful if you have something which monitors those files. No open CM ticket for a server, but you suddenly see someone logged in and making changes? Sound an alarm. .history shows you everything a user types as soon as they type it (even modifying the shell to keep 0 history would show up initially). We use Splunk to monitor it, and also monitor /etc for any changes to system files. It's lightweight and has helped us find a number of issues before.

yesterday

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

scubamage Re:Its Fine. (327 comments)

This is true, however some databases simply aren't compatible with local firewalls. Oracle for instance requires your server to be more or less wide open (a request comes in on one port, a response is sent back indicating the port to actually communicate on, then the client resends the query to that new port - so, more or less all ports have to be unblocked). This is where stuff like centralized authentication, Nagios, monitoring of the /home/*/.history files, etc. comes in useful. Sometimes local firewalls simply aren't an option.

yesterday

Submissions


Dogecoin Cryptocurrency raises $40,000 to provide fresh water Africa

scubamage scubamage writes  |  about 4 months ago

scubamage (727538) writes "TANA, Kenya — March 16, 2014 — Remote villages in Eastern Kenya may not be the first place you think about when it comes to the hot button topic of crypto-currencies but this past week investors and early adopters of Dogecoin used their "magical internet money" to help save lives in an area that suffers from seasonal drought and a lack of clean drinking water.

Over the past week the Dogecoin Foundation, a non-profit organization started by the founders of Dogecoin began accepting and collecting donations for their Doge4Water campaign to coincide with World Water Day on March 22nd. The foundation hoped to raise 40 million Dogecoins (est. $50,000 USD at current exchange rates) to be able to sponsor the Charity:Water initiative of constructing two hand-dug wells to provide access to clean water for the surrounding communities in the Tana River area of Eastern Kenya.

On Friday a generous benefactor who goes by the name of Hood (@savethemhood) helped achieve that goal by making a record tip of 14,000,000 Dogecoins via Twitter. With a tweet berating the wealthy for not doing enough, Hood summed up how he felt with this post, "It is astonishing that we have fellow humans on this planet without water. We have the wealth, but not the will. The greedy do nothing...." Users and foundation members alike were overwhelmed with an outpouring of gratitude on the /r/Dogecoin subreddit.

Since its beginning in early December the Dogecoin community has used their popularity and growing monetary value to help out several causes and charities. Donations from Dogecoin helped the Jamaican bobsled team to travel and compete in this year's Winter Olympics in Sochi, Russia as well as fostering a community based not so much on gaining wealth but on giving it away. Hundreds of thousands, if not millions of Dogecoins are given away through tips each day on Reddit, Twitter, Facebook and other social media platforms.

While cryptocurrency has been a high profile topic this past week as to whether it should be regulated, especially due to several well publicized thefts and losses, or as to who the inventor may or may not be, the one coin which seems to take itself a little less seriously than the others firmly made its case that alternative currency can change the world, and for the better."


Uber car attacked in Paris during Taxi Strike

scubamage scubamage writes  |  about 7 months ago

scubamage (727538) writes "A major protest by taxi drivers at Charles de Gaulle airport in Paris saw an improvised barricade force drivers single-file through a gauntlet of taxis, where Uber cars and other independent taxi vehicles were attacked. They had their windows busted, tires slashed, paint flung at them while taxi drivers attempted open doors and drag out passengers and drivers. Reports say that police were present, but did nothing to stop the attacks.
At least the downfall of traditional post to email has never seen people being beaten in the streets?"


University of Florida Cuts Computer Science, Ups Athletic Budget

scubamage scubamage writes  |  more than 2 years ago

scubamage writes "In an incredulous move, the University of Florida has cut its Computer Science and Engineering Department in an effort to save 1.7 million dollars a year. Yet at the same time, it has increased funding to its athletics department by more than 2 million dollars a year. The move has spurred criticism across the industry and academia, and caused the launch of a "Save the CS Department" website, and incited student protests. Ironically, all of this seems to be happening as Florida Governor Rick Scott is evangelizing a push towards STEM education (while cutting education budgets by more than 30%)."

Ask Slashdot: A cheap, DIY home security and surveillance system?

scubamage scubamage writes  |  more than 2 years ago

scubamage writes "Approximately 6 weeks ago, my home was broken into while my fiancé and I were at work. Our neighborhood is essentially empty during the day because it's an upper middle class neighborhood. Two laptops were stolen, an iPad, a power brick, a safe (complete with several years' worth of taxes, my birth certificate, and old copies of my driver's license), a digital SLR, several pieces of heirloom jewelry, a guitar, and a custom built saxophone. In total, we lost around $20-30,000 that day. We are now dealing with an attorney because the homeowner's insurance is fighting us on a number of items and we're not backing down. It has been a nightmare. Now as we were hoping things were starting to calm down, we've noticed that someone has been visiting our house during the day. There has been garbage left sitting on our back porch table, so it's unlikely to have blown there. We've also seen footprints in our garden that are not there in the morning. We want to know who is on our property while we're not, and maybe if we're really lucky reporting it to the police could recover some of our property. My fiancé has asked me to assemble a home security system that is motion activated, and both notifies us of an entry, as well as records video or rapid HD stillframes when sensing motion. The goal is to do this cheaply and more effectively than going with a private security company like ADT (who, consequently, our police department told us to ignore due to the incredibly high rate of false alarms). Also, we already have gotten the dog and the gun, so we have those bases covered now. What suggestions do you have on setting up home security systems, and what have you done to build one in the past? Help me slashdot posters, I need your brain juices!"

Online Study for Masters/PhD in IT?

scubamage scubamage writes  |  more than 4 years ago

scubamage (727538) writes "After my housemate recently announced his intention to return to academics and pursue a master's degree, I have started pondering doing the same. I kind of hate knowing that I've put years into a degree (BA in Clinical Psychology) which currently does me no good. However, I can use it as a stepping stone towards a Master's Degree in my chosen field. I'm lucky to say that I enjoy IT, and I'd like the pay scale and management/job opportunities that a Master's degree would bring. However, given my work/oncall schedule, going to brick and mortar school is going to be highly difficult (irregular schedule, being on call a week at a time, etc). Online classes seem to be the right choice, but I know from speaking with numerous people in HR departments that online universities tend to be looked down upon in comparison to their traditional brethren. The best recommendation I've gotten was to pursue a traditional institution which offers online distance learning classes. I've looked at Drexel University's MSIS degree, but it seems to be more about software product development/analysis, and less about actual information systems and technology based on the curriculum they have listed. The curriculum I'd prefer to be studying is something similar to PSU Great Valley's MSIS Program(yes, I know the second one is brick and mortar). I know there have to be other options out there. Can you, the folks of slashdot, help shine some light on them? It would be greatly appreciated! Thank you!"

A Free/OSS Hardware Deployment Solution?

scubamage scubamage writes  |  about 5 years ago

scubamage (727538) writes "I work for a small technology firm and am responsible for server/workstation builds, among other things. We deal with a number of different systems, but are mainly an HP shop. I am trying to find a solution for our deployments so that we can roll out system images to X number of servers/workstations, while also keeping an archive of the image for fast restoration if a customer/field technician has an issue.

So far every product we have found which addresses our issues has some major problems. Ghost by Symantec doesn't support RAIDs or Server OS's, so that option is down the tubes. Further, Sysprep is necessary to make a usable image. We also investigated Acronis Snap Deploy 3 which seemed perfect, however it wasn't until we had already purchased a few licenses that we discovered how prohibitive their licensing is (we had been told by their presales support that one license would be good for one concurrent imaging task; turns out that the licenses bind to the MAC Address of the chassis that you deploy to, so our one license was exhausted after the first successful test deployment, yay wasted money!). To keep using the software we would need to keep purchasing licenses which is not only an administrative nightmare, but it will quickly become prohibitively expensive — especially since the cost of server licenses is triple the workstation license price.

So, we are back at square one. We need software which can be used for deploying system images, is capable of recognizing and handling RAIDs, is compatible with both workstation and server OS's, and is relatively simple to use (we would like to use it in the field for our technicians off site, which means I have to be able to guide them through its usage). It would be a real boon if we could use the same image to deploy on to dissimilar hardware similar to Acronis' Universal Deploy utility. It would be even better if we didn't need to resort to sysprep, though I'll live if we need to. So, I throw myself humbly at your feet /. — please help!"

Monsanto backed bill could outlaw organic farming

scubamage scubamage writes  |  more than 5 years ago

scubamage (727538) writes "Congresswoman Rosa Delauro (D-CT) has introduced legislation which could potentially destroy both small and organic farming as we know it. The bill, HR 875, forces pesticides, herbicides, and any new chemicals developed to be used by all farmers in the name of "food safety and sanitation." It would also seek to outlaw seed banking, enforce mandatory GPS tracking of all livestock, and to create a new governing body to oversee food safety without any oversight. This includes warrantless searches of all food production facilities. Further, it would require such intense record keeping that it could quite literally strangle many small farmers out of business. It is also interesting to note that Ms. Delauro is married to Stanley Greenberg — a political strategist whose clients include none other than Monsanto: the world's largest producer of herbicides, pesticides, and genetically modified food products."

US Power Grid and other Infrastructure Breached

scubamage scubamage writes  |  more than 5 years ago

scubamage (727538) writes "According to this article in the Wall Street Journal, both Chinese and Russian agents have infiltrated US infrastructure systems in an attempt to map out their contents. So far intelligence officials believe the acts are solely for reconnaissance, but they have found that tools were left in place which could have been used to cause damage and disrupt the power grid. Officials warn that similar probes and attacks could be possible against sewage, and other utilities. Further, intelligence officials have noted that reported attacks are growing in number — more than tripling from 20,000 in 2006 to almost 70,000 in 2008. What I personally want to know is why these systems need to be publicly accessible at all? Do we need people at a nuclear power plant reading fark and slashdot all day? Why risk exposing such critical systems? Surely these companies can afford leased lines to keep a private network, well, private and well away from the public internet."

Tree-shrew is heavyweight boozer

scubamage scubamage writes  |  about 6 years ago

scubamage writes "According to BBC News, "A tiny tree-shrew that lives on alcoholic nectar could — pound for pound — drink the average human under the table, scientists have discovered." The shrew lives on fermented nectar of an indigenous palm tree. Videos are included in the story. I want to party with this rodent!"

Google opens Philanthropy Branch

scubamage scubamage writes  |  more than 6 years ago

scubamage (727538) writes "This morning Google announced the opening of a new Philanthropic branch of their company, Google.org. Google has pledged 1% of all revenue to be devoted to their philanthropic interests which include five major focus areas: Predict and Prevent, Inform and Empower to Improve Public Services, Fuel the Growth of Small and Medium Enterprises, Develop a Renewable Energy Source Cheaper than Coal, and Accelerate the Adoption of Plug-In Vehicles. The effort is to make good on early company plans to use the corporate powerhouse's technology to improve the world around them. More information can be found here."

PA House Considering ban on online ordinations

scubamage scubamage writes  |  more than 6 years ago

scubamage (727538) writes "Many of you may be familiar with the Universal Life Church, a liberal online church who offers ordinations for any who seek them free of charge over the internet. While being completely allowed under the freedom of religion clause in the first amendment, the church recently suffered a blow when Judge Marcia Cook of York County annulled a marriage because it was solemnized by a ULC minister on the basis he had no physical church or congregation. Now, before the PA House of Representatives is Bill 1099, which seeks to invalidate all online ordinations in the state of Pennsylvania. Similar attempts have been made in other states but were later ruled unconstitutional. Should this bill pass it could have chilling constitutional consequences on how religion is practiced in the US by giving other states a boilerplate to work from in passing similar legislation."

scubamage scubamage writes  |  more than 7 years ago

scubamage writes "On the 14th of April, Stanford University scientists announced the completion of the experimental phase of Gravity Probe B, a test of Einstein's theory of relativity and gravity. To quote, "One way to think about space-time is as a large fishing net. Left unperturbed and stretched out flat, it is straight and regular. But the minute one puts a weight into the net, everything bends to support that weight. A weight that was spinning would wreak even more havoc with the net, twisting it as it spun. The mass-energy of the planet earth represents a "weight" in our net of space-time, and the daily revolutions of the earth, according to Einstein's theory, represent a twisting of local space-time. GP-B will search for this twisting effect, which has never before been measured." The tests so far have shown that Einstein was correct at least in the fact that there is a distortion. The actual drag created on time space is still being calculated. The Stanford article can be found here. The official press release in PDF format can be found here."

Journals

scubamage has no journal entries.
