Netstatz Web Log

April 28, 2004 - Domain Locking

Does your registry provide a domain locking mechanism (an exit strategy)? Are your updates to root servers performed in batch? The team at Register4Less have the answers and are also part of the BBBOnline reliability program.

In the Debian security arena, the security team has released 26 security updated packages in the first twenty-six days of April. If tools are finding the majority of security problems in code, then system_securing_speed depends on package distribution in addition to package quality. The Debian i386 kernel security package listed below should be added to the time line shown in the log entry dated Jan 03, 2004 (updates to other Debian architectures and Linux distributions are listed for reference). Sparc hardware is inherently secure. Distributions based on RPMs have dependency instructions and require testing.

April 14th, 2004 - Debian Security Manual

Security manuals are great for helping with the creation of a team's security checklist. For solutions that have services (non-desktop), suid paranoia should be eliminated. If a service is created from a tar source or does not have secure package dependencies, consider the equivalent Netstatz solution running on Debian. Even secure servers benefit from monitoring to initiate an immediate incident response.

April 5th, 2004 - Debian Security Advisories are CVE-Compatible

The Debian Security Team now issues CVE compatible security advisories. CVE is the largest database of known common vulnerabilities and provides a quick association between problems on multiple architectures. Check out the Debian security advisory cross reference that was a requirement for the CVE Capabilities questionnaire. Clients interested in fibre upgrades can now get quotes on Ebay.

Mar 22nd, 2004 - OpenNMS on Debian Woody HOWTO v2.0

We have released v2.0 of the OpenNMS on Debian Woody HOWTO. This version is a major rewrite and should be a refreshing update to readers of the v1.X series. For more information on what to expect in future versions in addition to sneak previews of the next version, please check here.

Mar 3rd, 2004 - Linux 2.6 WOLK and XFree86 4.4

The WOLK project has picked up the Linux 2.6 kernel tree with the first release this week. A few of our servers have been using the 2.6 kernel since 2.6.2 with much success. A recent article describes some of the new features, and indicates overall performance increases of 30-70% with standard daemons like Apache and MySQL. The continued success of Linux and open license structures is starting to attract attention to certain authors seeking more recognition. Sharing in one domain is often theft or lack of recognition in another. Fortunately for the community, the term code fork can be used to scare individuals back into the limelight, as there are so many potential authors out there waiting for someone to slip up on their licensing practices and open the door for a new hero. A recent example of this is XFree86 4.4's license change that is forcing all the major distributions to drop XFree86 4.4.

Feb 19th, 2004 - Woody VLC box

One of our full-time servers, the ever-so-cheap 1.4Celeron with 256MB is now OpenNMS+VLC. Local clients and QoS at the gateway can probably be integrated into a single ONMS/Streaming RRD report. OpenNMS and VLC black box solutions powered by maintenance scripts are possible resource/fabric building blocks for a Debian-based grid-architecture network. A recent Economist.com article describes how the network has become the computer, and through simplifying management (reducing complexity) enables grid computing. It does not specifically mention Linux, however it does mention Sun Microsystems, which are capable of running the Debian package management system more securely than some architectures due to their memory access methods.

Built on cheap parts, and easily deployed on any architecture, Netstatz solutions may become more grid focused where our mail, dns, firewall, database, streaming video, voip gatekeeping, vpn concentrating, bgp routing, load balancing, file sharing, and network monitoring servers work together with common protocols. Most importantly, they can all be maintained with a set of simple perl based apt scripts and a little knowledge.

Jan 19th, 2004 - Which compression is best?

2004 dates appear correctly now. Two separate projects, one in Video storage, the other in Video streaming, arrived at a cross-roads as to which codecs will provide the greatest future value for current raw data. Several avenues of Internet research seemed to be linked with Xiph.org. Ogg Theora seems like a likely candidate for both. Implementation documentation suggests that these codecs may just be moving from Bleeding-Edge to Cutting-Edge in the patent-free encoding arena. A stream with QoS tags based on an input buffer at the encoder could be implemented (idea), i.e., a special packet header indicating faster motion is coming down the pipe could be used to reserve increased variable bandwidth for intermediate routers. Rather than a handshake, two potential quality sets (criteria) are described in this header, neither of which must be met/obtained by any intermediate router. These two sets of tags describing future video and sound could be embedded in each packet. The lower quality set would be chosen when the higher quality set could not be maintained. The intermediate routers would choose the QoS set from the embedded tags based on their available resources. Early routers would rewrite both tag sets with the lower value if they have a load, to prevent an upstream router from choosing the high bandwidth quality set from the header.

Jan 06th, 2004 - Media is in motion

KnoppMyth 5 has been delayed as the team ramps up for further integration with the Hauppauge PVR-350s they received. mysettopbox.tv will take IP based communications to every capable i386 based PC that wants a GPL'd solution. This ISO has the ability to auto upgrade, making an older cd as useful as a newer version once the packages are downloaded. This type of package management (Debian) would have allowed older AOL installation disks to instantly bring themselves to the current new and improved version xx upon deployment.

There may also be a gaming evolution from IP based communications that may merge where Xbox controllers (in the 2.6 kernel via USB) and DVD payload graphics and sound, entertain the high resolutions found on the average Desktop monitor.

Jan 03rd, 2004 - Happy New Year!

Uptime has once again been reset thanks to Linux 2.4.23. Our last upgrade to 2.4.22+Execshield allowed us to test some reassignment of resources and has increased our UPS uptime for core services to a few hours. The HP LS4 servers (and their hard, async nfs mounts) are no longer on UPS (power hogs). All our non-Sparc servers have been updated with kernel 2.4.23 to resolve known root exploits with i386 memory architecture. The Debian team demonstrated a level of disclosure that should be available from any security team or system administrator. The Debian.org security breach was a kernel breach and notably not Debian specific. The specifics are here. It is clear from the time line that regular kernel maintenance is key to preventing package security updates from being moot. The pre2.4.23 exploit demonstrates that -rc (release candidate) kernels that contain security related patches can be mandatory, and that security goes well beyond package management (apt-get upgrade). An interesting note is how the following time line affected different networks based on their maintenance routines:

Has kernel development become as mature as the three tiered Debian distribution where -pre represents cutting edge, -rc represents new but well tested and the final release represents stable? If so, could -pre, -rc and final be integrated into the unstable, testing and stable package management system? Perhaps soon, admins would be able to keep a stable core with upgradable modules from newer kernel versions, each with their own base kernel dependencies.

apt-get install kernel-src

Unfortunately the kernel is too complicated, and easily made system specific and efficient using a custom .config. This, combined with the ability of a poorly made kernel to render a system useless due to such a variety of hardware, still leaves considerable risk. Integration of a make menuconfig interface that would allow you to select Mac, G4 Powerbook once and then apt-get upgrade with the community that maintains the kernel for that known hardware combination might work. Custom systems would still require custom kernels, however a maintainer for a specific hardware combination could allow common custom kernels to be apt-get upgradeable too. The WOLK kernel series might benefit from this type of package management as its development can be stalled resolving untested combinations of hardware with a kernel. As hardware is static relative to most software, kernel dependencies and fault prediction may be simpler and more reliable than standard package builds.

Dec 18th, 2003 - Thanksgiving to Christmas or Fall-Winter (Oct-Dec)

Some refer to this period of the year as a time when people are busy. A few security related docs, reborn focus on VoIP technology and great improvements to many packages are just a few very interesting things going on at Netstatz. As Knoppix has ended their strike, Knoppix.net web access to the latest great Knoppix CD (V3.3-2003-11-19) is now available. Also of interest is the KnoppMyth distribution that provides an instant Linux-based media PC. How about KnoppONMS, or Knoppo-n-m-s. It is nice to know that continued development of the Knoppix distribution is based on intelligent discussion regarding software patents. Information on this can be found at the Software Patent News.

Dec 02nd, 2003 - Security and Tool explosion

Oct 28th, 2003 - Netstatz Services

Sept 19, 2003 - OpenNMS 1.1.2 Server

Our 1.4Celeron eMachines box is going to be the lucky first for OpenNMS 1.1.2 packages.

apt-get install opennms

This will demonstrate enterprise tools running on practically free (~$100) hardware. Toss in software raid and a journaling file system (Maybe play with Kernel SNMP ALG, IPTABLES FW and FreeS/Wan VPN) and now you have a real network appliance.

Related, and somewhat interesting, was a list of comments for a Slashdot article titled When Does Website Monitoring Go Too Far? This article suggests the question: How often do companies not understand what is going on with their network? Compare this to a more common example: How many people do not understand their car mechanic's work? We suggest you get your own tools, and work in your own shop so that you never have to ask silly people silly questions. Get OpenNMS if you have a situation remotely close to those described in this Slashdot article. Now if your shop already has OpenNMS...that is a different situation. In that case you are already ahead of the curve.

Free Enterprise Tools and Change Management. Try that combination.

Sept 04, 2003 - BLOGing Away

It has been some time since the site received a new dose of TLC. IE-Mac users will enjoy slight differences between Safari and IE with our menu backgrounds. It is worth mentioning that we are no longer approaching a year of uptime on this box due to a historical power failure. Next Year.

There is no doubt that the power failure of the Eastern seaboard is a great opportunity for a new kernel. With something like 2.4.22, this will be an easy year if our hard drives can take it. Perhaps we will let 2.4.20WOLK have a go at this one and save some compile time and possibly receive webmail a little faster.

In other news an interesting set of messages occurred with my .NET account - msn@ianbmaconald.com. Here's a slow highdef screen capture. A security issue with no CERT advisory?

Knoppix has caught our interest recently. If you would like to watch a powerful operating system boot from a CD-ROM without installation, detect your multimedia and memory hardware, connect you to your DHCP server, and give you access to local files then give Knoppix a go. It makes no modifications to your system and is fully functional. Knoppix v3.2 uses the KDE3 (~Windows) rather than the Gnome2 (~Mac) desktop interface. You can even have the Nessus security scanner identify a vulnerability here (and at your site). Knoppix is a very powerful teaching, diagnostic and demonstration tool.

iMac - Netstatz

July 29, 2003 - Silly Licensing Costs != fair prices

History has shown that one of the best deterrents to pirated product is providing legitimate product at appropriate prices. In the music industry, we have already seen that people will gladly pay fair prices for legally-produced product even when it can be easily reproduced and unlawful copies can be easily acquired.
Michael Eisner - Disney

While reading Slashdot's Most Visited Story (366074 visits) I linked to a DMCA Analysis that contained this quote which highlights a common theory in our newer industry. It also reminds me that musicians do not have to pay a licensing cost each time they strum their LesPaul Custom guitar. Here at Netstatz, we like to think of a solution in this manner: We have lots of instruments (tools) and can make music (solutions), so perhaps you would like to purchase some front row seats to our performance. We can show you how to tune your guitar (Sparc, i386, arm, etc.) too.

iMac - Netstatz

July 28, 2003 - Time for the magic mantra

While making some adjustments to Netstatz, the definition of Mantra came to light. Dictionary.com has a Mantra quote by Clifford Stoll: Today's edutainment software comes shrinkwrapped in the magic mantra: "makes learning fun". Well, Netstatz solutions come shrinkwrapped in the same Mantra.

iMac - Netstatz

July 15, 2003 - Which edge are we on?

Today, after discussing some technology with a friend, I realized the defined difference between bleeding-edge and cutting-edge technology. Bleeding-edge implies an untested technology or technology so new that its ramifications on the stability of a system or business have not yet been determined. Cutting-edge is the position of greatest advancement or importance; the forefront. Two things come to mind.

  1. Perhaps the term bleeding-edge is too often associated with tools that are in fact cutting-edge considering today's development standards.
  2. The Debian GNU/Linux - Unstable distribution seems to constantly move with tools from the bleeding-edge to Debian GNU/Linux - Stable where they become cutting-edge. A positive perspective might be that using a tool through its bleeding-edge to cutting-edge transition helps to prepare you for anything unexpected as it becomes established.

    What is your desktop teaching you?

iMac - Netstatz

July 10, 2003 - Netstatz has changed!

In an effort to streamline the site with newer, simpler and more effective web technology, we have started from scratch. All the frames and tables (for standards-compliant browsers) have been removed, and a CSS2 template now generates all of our pages. There may be some temporary compatibility issues with some less common browsers until we complete all our testing and fully integrate intelligence like phpSniff. Our PDA and Print stylesheets are not operational.

The navigation on the site is still fairly simple. Users with good CSS2 support will enjoy PNG alpha transparency as text scrolls beneath our menus and logo, as well as the CSS :hover tag that reduces the plain text's background transparency as you move the mouse over your selections. Alpha transparent images moving over other images (very cool) is exclusively restricted to browsers that support DIV CSS2 and PNG. Gecko-based browsers will look the best until we implement backwards compatible TABLE, LAYER and IFRAME code for other browsers.

Your patience is appreciated and we hope you have a positive experience here at Netstatz.

iMac - Netstatz

Copyright © 2003 Netstatz