2718.us blog » Networking (http://2718.us/blog)
Miscellaneous Technological Geekery

IMAP, Hosted Email, imapfilter
http://2718.us/blog/2009/09/23/imap-hosted-email-imapfilter/
Wed, 23 Sep 2009 22:25:31 +0000, by 2718.us

Of all the various services that I use/host online, I consider email to be, by far, the most critical.  It’s been over 11 years since I registered my first domain name so as to have a permanent email address regardless of changes in educational institution or employer.  I’ve gone through a variety of email setups in that time.  I started with email included in a broader (web) hosting package, using POP (as I did throughout my time in school).  Later, I tried hosting my own mail server at home, paying for a backup/relay server since my connection was unreliable.

At some point, I came to my senses and moved to IMAP, simultaneously moving back to hosted email (because, really, hosting an email server on a home machine is a mess), but with a provider that only hosted email.  IMAP was, at that moment, the ultimate solution to my issues of email being out of sync between multiple computers.  On the other hand, with IMAP, all of my email lived on the hosting company’s servers, so having an email hosting company that knew what they were doing was important.

The other major issue in the move to IMAP was filtering.  I had well over 100 filter rules in Eudora when I stopped using POP.  With IMAP, I no longer had to have filtering rules on every instance of my mail client, but I had to set up the filter rules in the framework allowed by my email host.  (One provider had a Bayesian filter system that could be set to learn from every message move made via IMAP, which was cool, but slow to learn and not accurate enough.)  As time went on, and through changing email hosting providers, this became very cumbersome (especially compared to using procmail on a receiving account, which is how I selectively filter the email that goes to my Blackberry).

When I finally gave up on the hosting company’s email filters, I had nearly 150 filters and there were dozens more I wanted, but just couldn’t be bothered to set up.  With 150 filters and no simple way to group and arrange them, managing the filters was impossible.  If I wanted to rename a mailbox that was the destination for a filter, I had to hunt down the filter and change it, which meant digging through a massive webpage listing of 150 filters.  But using an email hosting provider was non-negotiable for me.

After much searching for ways to run procmail on a remote IMAP account and finding nothing, I finally settled on trying imapfilter.  At first, dealing with the Lua scripting language used to configure it was tedious, but it was easy to learn and thus wasn’t a problem for long.  Now, a week into using imapfilter, my config.lua file is 372 lines long–it’s doing all the filtering I’d been doing through the email hosting company interface, all the filtering I wanted to do, grabbing some spam that persistently evaded the spam filter system, and automatically taking messages that I put in my Junk folder and sending them back to the spam filter system’s reporting address.  I have imapfilter running on a VPS (which I use for a variety of utility things) via cron job every few minutes.  When I want to add a new filter or change the behavior of an existing filter, I can just fire up (Mac)Vim, open the remote file, and apply the power of Vim for quick and easy editing.

It’s the biggest difference in my email use since the move to IMAP.  If you’re using IMAP and you want more powerful/flexible filtering, you should definitely look into imapfilter.

The Ups and Downs of Cheap VPSs
http://2718.us/blog/2008/08/31/the-ups-and-downs-of-cheap-vpss/
Sun, 31 Aug 2008 06:49:30 +0000, by 2718.us

I’d written before about a really good VPS deal and how I was using it for additional secondary DNS.  Not entirely surprisingly, that provider seems to have entirely vanished shortly after sending me an email at the end of my 1-month account asking me to renew (hard to renew when their web site doesn’t exist anymore).  This has sent me looking for another deal, since I still think the premise is good.  The two providers I landed on are PTXL and Budget VPS Hosting/Web Wide Hosting.  While both seem decent on the face of it and while I don’t yet have enough experience with either to give a proper review, I can safely say that I’m becoming even more appreciative of RapidVPS, with whom I have my primary VPSs that do all my substantive serving.

My experience thus far with PTXL is that while they sent me login info almost immediately upon registration yesterday, they didn’t actually activate that info until about 20 hours later, so I couldn’t even *buy* the thing until today.  Now, I go to buy it and find that I have to add the money to my account, then use it to buy and that I can only add money through PayPal and that they charge a fee to add money through PayPal.  This makes their advertised price deceptive, though their quarterly pricing, even with the PayPal fees, is still quite reasonable.  Once I navigated the payment mechanics, the VPS turnup was almost instant.

My experience with Budget VPS/Web Wide is a bit different.  While the Web Wide site refers you to the Budget VPS site, the Budget VPS site kicks you back to Web Wide to actually transact business.  Strange.  Account creation was essentially instant, payment via PayPal was simple (no extra fees), and almost immediately yesterday, a VPS appeared in my account panel with status “pending.”  After a few minutes of this, I went digging through their knowledge base and it was suggested that while turnup is generally quick, it may take up to 24 hours or longer and that if it’d be over 24 hours, they’d email.  I was not thrilled with this, but I’d already paid and I’m not in all that much of a rush.  I came home tonight, about 30 hours after creation, to find it still “pending” and no email from them, so I’ve filed a support ticket.

Just for comparison, RapidVPS charges what they say they charge, no extra fees, deals directly with payment, no PayPal, and account creation and turnup are both really instant, no messing around.  I’ve also been using them for a while and they don’t seem to be vanishing into the mist anytime soon.  Oh, and when I was just starting out and had a few total n00b questions, they were really nice and helpful (at no extra charge!).

OS X, Wake-on-LAN, and Passworded Screensavers
http://2718.us/blog/2008/08/13/os-x-wake-on-lan-and-passworded-screensavers/
Wed, 13 Aug 2008 20:35:04 +0000, by 2718.us

The other day, I realized while I was at work that I needed some files from my Mac desktop at home.  Normally, no problem, ssh into my firewall and open a tunnel to my desktop (this is better done with authpf, but that’s a post for another time), use sftp, and done.  The problem is that because of unexplained kernel panics (probably a bad RAM module), my desktop would crash hard if left on all day, so I’ve been putting it to sleep when I go to work.  Now, with my Mac set to wake for remote admin access, I ought to be able to run a wake-on-LAN utility to wake it up and be fine, except that I use a passworded screensaver.  With a passworded screensaver, waking the machine locally or remotely will give a 30-60-second window during which the computer is awake and expecting a password to be entered at the physical machine; there doesn’t seem to be a way to do this remotely and unlike earlier versions of OS X, since 10.3 or 10.4 or so, you can’t just kill the screensaver process from the command line (i.e. by logging in with ssh).

On the other hand, ssh is a very robust protocol and somehow ssh sessions seem to readily survive disconnect/reconnect cycles. Making use of this, it is possible to get a workable, if slow, connection to a passworded-and-sleeping Mac.  On one connection to the firewall machine, run a loop of the wake-on-LAN command so that the magic packets that make the Mac wake are being sent every second or so.  Use another connection to ssh into the Mac and do whatever you need to do.  It helps to plan out what you need to do so that you can get the commands in fast, but even during the cycle where the Mac goes back to sleep and gets reawakened by the wake-on-LAN loop, you can type commands; they just won’t appear (not even echoed) until ssh recovers the connection.

While this is an annoying way to use a machine and it’s probably not good for the hardware to cycle in and out of sleep repeatedly in such a short time span, it does give a way to get at a passworded and sleeping Mac remotely.
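
The wake-on-LAN loop described above, sketched in Python as an added example (this is not the utility or the commands the author ran).  The MAC address and broadcast address are constructed placeholders, and the `seconds` limit is an assumption added here so the loop stops on its own instead of cycling the hardware indefinitely.

```python
"""Send Wake-on-LAN magic packets about once a second for a bounded time."""
import re
import socket
import sys
import time


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return 6 bytes."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def magic_packet(mac):
    """A magic packet is 6 bytes of 0xFF, then the target MAC repeated 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def udp_broadcast_sender(broadcast="255.255.255.255", port=9):
    """Return a send(payload) function that broadcasts over UDP on the local LAN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)

    def send(payload):
        sock.sendto(payload, (broadcast, port))

    return send


def wake_loop(mac, seconds, interval=1.0, send=None, sleep=time.sleep):
    """Send one packet every `interval` seconds for roughly `seconds` seconds.

    Returns the number of packets sent.  `send` and `sleep` can be replaced,
    which lets the loop be exercised without touching the network.
    """
    packet = magic_packet(mac)          # validates the MAC before sending anything
    send = send or udp_broadcast_sender()
    count = max(1, int(seconds / interval))
    for i in range(count):
        send(packet)
        if i < count - 1:
            sleep(interval)
    return count


if __name__ == "__main__":
    # Usage: python wol_loop.py <mac> [seconds]
    # Run it on a machine on the same LAN segment as the sleeping Mac
    # (the firewall box in the post), in one session, and ssh from another.
    target = sys.argv[1] if len(sys.argv) > 1 else "00:11:22:33:44:55"  # placeholder
    duration = float(sys.argv[2]) if len(sys.argv) > 2 else 300.0
    print(f"sent {wake_loop(target, duration)} magic packets to {target}")
```

Bounding the run to the few minutes the ssh session needs keeps the sleep/wake cycling to the minimum the work requires.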

DNS, DDoS, and VPSes
http://2718.us/blog/2008/07/24/dns-ddos-and-vpses/
Thu, 24 Jul 2008 20:20:09 +0000, by 2718.us

For many years now, I’ve used WorldWideDNS.net for the bulk of my DNS hosting.  On Monday, they suffered a massive DDoS attack, taking out pretty much everything and making a few of my domains (including 2718.us) unavailable.  Now, personally, I consider this sort of attack and outage at a service provider to be an inevitability, so from my perspective, it’s my own damn fault that my sites went down, since I failed to diversify their DNS across providers.  (Also, I have no intention of leaving WorldWideDNS over this—they have always been a great value and good provider from my perspective and a few hours of downtime in years of using them is insignificant to me.)

Over the past few years, as I’ve moved into VPS-based hosting, I’ve also started to use my VPSes as additional DNS servers, keeping the professional hosted-DNS for geographical and connectivity diversity.  As this incident has pushed me along in making sure that every domain I host has DNS from at least two different providers, I came to the conclusion that, given that I already have one commercial DNS host (giving me three nameservers), the best economics were for me to get a super-cheap VPS to run as only a nameserver.  While not the absolute cheapest, JustGotVPS.com is probably the best price-configuration balance, especially at their cheapest ($5/mo and $8/mo) plans, and they discount for longer-term prepayment.  There’s an entry for them, as well as numerous other VPS options around the $5/mo price point at lowendbox.com.

The tradeoff for this versus a commercial DNS host (since in both instances I’m paying about $60/year) is that the commercial host gives me three diverse nameservers but limits the domains, etc., whereas running my own VPS-based nameserver gives me only one host but substantially greater flexibility.  I would also note that I chose to get a cheap VPS box from some provider other than my primary VPS provider so that my new additional nameserver would not be in the same datacenter and on the same internet links.

I also have been using EveryDNS.com, a free DNS host, for additional backup (I’ve donated since I’m using them on several domains and they seem to provide a good service), but having used GraniteCanyon and others in the past, I don’t consider a free DNS host as a serious alternative to a commercially-provided option.

Steps to “Unsling” the NSLU2
http://2718.us/blog/2008/07/13/steps-to-unsling-the-nslu2/
Mon, 14 Jul 2008 00:39:33 +0000, by 2718.us

Since I’m on my second of what will probably be 4 or 5 unslung NSLU2 “slug” units (with identical 1GB flash drives from eBay), I figured it was time to write down specific step-by-step directions, if perhaps only for my own use later.  (As an aside, having the two ethernet ports on my Mac Pro is really helpful at times like this when I’m monkeying around with some piece of hardware that doesn’t do DHCP out of the box, forcing me onto some specific subnet.)  CAUTION: I take absolutely no responsibility for what you may do to your hardware/software/life/etc. if you follow these directions.  You should read lots of other, more thorough instructions like the how-to’s at the Unslung HomePage.

  1. Verify that the slug can do Reset Button Upgrade Mode.
  2. Get the Unslung firmware.
  3. On the admin web page for the slug (default IP is 192.168.1.77), go to Administration > Advanced > Upgrade (default username/password is admin/admin), browse to the unslung firmware, and do the upgrade.  (This step takes a few minutes.)  Wait for the reboot.
  4. Verify that the admin web page now shows the unslung firmware version.
  5. Do any network config you need (set IP address, etc.)—avoid DHCP as it doesn’t seem to work (the slug does a DHCPDISCOVER, my server(s) do DHCPOFFER, but the exchange goes no further).
  6. Enable telnet access (Home > Manage Telnet).  Note that this must be done before any disks are connected.
  7. Telnet into the slug (username/password is root/uNSLUng).  Keep this session open through the next steps, so there’s guaranteed root access.
  8. Plug the 1GB flash drive into the upper USB port (closer to the ethernet jack).
  9. Once the slug recognizes the disk, go to Administration > Advanced > Disk and format the flash drive (Disk 2).  This again takes several minutes (especially with the cheapo slow 1GB flash drives I’m using).  When the page shows “Formatted (EXT3)” for Disk 2, it’s ready for the next step.
  10. In the telnet session from step 7, type “unsling disk2”.  Enter a new root password here.
  11. Reboot by typing “DO_Reboot” in the telnet session.  The device will beep when it’s fully booted.
  12. Go to the admin web page and verify that it says “uNSLUng status:   Unslung to disk2, /dev/sda1” in the bottom blue bar.
  13. Enable telnet again and connect to the device again, verifying that the “NOTE: THIS SYSTEM IS CURRENTLY UNSLUNG” banner shows upon login.
  14. Run “touch /.ext3flash” so that (after the next boot) the OS will try not to thrash the flash drive.
  15. Verify internet connectivity (e.g. ping google.com).
  16. Run “ipkg update” to update the package system.
  17. Run “ipkg install openssh” so we can get to the slug without having to enable telnet.
  18. Verify that SSH works by logging into the slug over SSH.  Disable telnet.
  19. Run “ipkg install openssh-sftp-server” so we can use SFTP to edit files on the slug.
  20. Set the admin web page password (it is independent of the root password).

Other notes:

  • The MAC address label on the bottom of the device is the default device name and seems to be “LKG” + the latter half of the MAC address; it seems that the correct MAC address is found by replacing “LKG” with “00:18:39”.
SSH Tunneling on a Mac
http://2718.us/blog/2008/06/13/ssh-tunneling-on-a-mac/
Fri, 13 Jun 2008 22:55:27 +0000, by 2718.us

Since my employer’s wireless network is unencrypted and since I use other open WiFi networks with some frequency, I’ve gotten in the habit of tunneling everything through SSH, using the SOCKS5 proxy mechanism built in to SSH.  In WinXP, there’s a nice little program called Tunnelier that makes the setup of the tunnel simple and it reconnects automatically, so the tunneling part is virtually automatic (even though proxy setup is still tricky and/or annoying).

On the Mac, however, I have tried several programs and never really been happy.  So I wrote a little AppleScript that not only sets up the SSH tunnel, but also deals with switching my location to set the system’s network settings to use the proxy (the code is after the cut).  Combine this with System Proxy for Firefox and all my application traffic goes through the SSH tunnel.  Note also that if you’re using a SOCKS5 proxy with Firefox, you probably want to set it to do DNS lookups through the proxy.

This script also stores the info for creating the tunnel (server, login, pw) in the keychain.

Here’s the “library” script where I put the functions to do the underlying work (since I have various different tunnels I use):

    on startTunnel(targetServer) -- returns PID of ssh for killing later
     tell application "Keychain Scripting"

      -- look up the stored login for this server, creating it on first use
      set sshTunnelKeys to every Internet key of current keychain whose (name is "autoSSHTunnel") and (server is targetServer)

      if sshTunnelKeys is {} then
       set sshKey to my makeSSHKeyWithServer(targetServer)
      else
       set sshKey to item 1 of sshTunnelKeys
      end if
      set user to account of sshKey
      set passwd to password of sshKey as string
      set sshHost to server of sshKey as string
     end tell

     -- -f: go to background, -N: no remote command, -D 9999: SOCKS proxy on localhost:9999
     set sshCommand to "ssh -fND 9999 " & user & "@" & sshHost

     -- expect answers ssh's password prompt with the keychain password
     set expectScript to "spawn " & sshCommand & "
    expect assword
    send \"" & passwd & "\\n\"
    sleep 1"

     -- "quoted form of" keeps a single quote in the password from breaking the shell quoting.
     -- Characters special to Tcl (\", $, [, \) in the password are still interpreted by expect,
     -- and the password is part of expect's command line while it runs.
     do shell script "/usr/bin/expect -c " & quoted form of expectScript & " &>/dev/null &"

     -- poll up to 10 times for the backgrounded ssh process (no controlling tty, hence "??")
     set tries to 0
     repeat
      set tries to tries + 1
      try
       set sshPIDstring to (do shell script "sleep 1;bash -c 'ps ax -o pid,tt,command | grep \"??\" | grep \"" & sshCommand & "\" | grep -v grep | grep -v expect'")
       set sshPID to first word of sshPIDstring
       set gotPID to true
      on error
       set gotPID to false
      end try
      if gotPID then
       exit repeat
      end if
      if tries > 10 then
       exit repeat
      end if
     end repeat
     if gotPID then
      return sshPID
     else
      return false
     end if
    end startTunnel

    on setUseTunnel()
     -- switch to the network location that has the SOCKS proxy configured
     do shell script "scselect 'Use SOCKS5 Proxy on localhost:9999'"
    end setUseTunnel

    on clearUseTunnel()
     do shell script "scselect 'Automatic'"
    end clearUseTunnel

    on stopTunnel(pid)
     do shell script "kill " & pid
    end stopTunnel

    on makeSSHKeyWithServer(targetServer)
     tell application "Keychain Scripting"
      -- prompt until a non-empty login is entered
      repeat
       set acctBox to display dialog "Enter your SSH login for host " & targetServer & ":" default answer "" buttons {"Cancel", "OK"} default button 2
       set myAcct to the text returned of acctBox
       set myButton to the button returned of acctBox
       if myButton is "Cancel" then
        --quit
       else
        if myAcct is not "" then
         exit repeat
        else
         display dialog "bad login"
        end if
       end if
      end repeat
      -- prompt until a non-empty password is entered
      repeat
       set passBox to display dialog "Enter your password:" default answer "" buttons {"Cancel", "OK"} default button 2 with hidden answer
       set myPass to the text returned of passBox
       set myButton to the button returned of passBox
       if myButton is "Cancel" then
        --quit
       else
        if myPass is not "" then
         exit repeat
        else
         display dialog "can't use blank passwd"
        end if
       end if
      end repeat
      set newSSHKey to make new Internet key with properties {name:"autoSSHTunnel", account:myAcct, password:myPass, server:targetServer, authentication:default, protocol:SSH}
     end tell
     return newSSHKey
    end makeSSHKeyWithServer

And here’s the actual script I run.

    property Lib : (path to scripts folder from user domain as text) & "Script Library:"
    property sshTunnelLib : load script Lib & "ssh_tunnel.scpt" as alias

    sshTunnelLib's setUseTunnel()

    set sshPID to sshTunnelLib's startTunnel("fqdn.of.your.server")
    if sshPID is not false then
     set noPIDtxt to ""
     set buttonTxt to "Kill SSH and Exit"
    else
     set noPIDtxt to " (but couldn't get PID)"
     set buttonTxt to "Exit"
    end if

    display dialog "SSH-tunneled SOCKS5 proxy running on localhost:9999" & noPIDtxt buttons {buttonTxt}

    if sshPID is not false then
     sshTunnelLib's stopTunnel(sshPID)
    end if

    sshTunnelLib's clearUseTunnel()
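
The note above about doing DNS lookups through the proxy comes down to one byte in the SOCKS5 request.  The following Python sketch is an added example, not part of the original scripts: it builds the client side of the SOCKS5 exchange (RFC 1928), shows that a hostname sent with address type 0x03 is resolved at the far end of the tunnel, and can probe the proxy on localhost:9999.  The target host `example.com` is a constructed placeholder.

```python
"""Check a SOCKS5 proxy and see which side of the tunnel resolves the hostname."""
import ipaddress
import socket
import struct

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting():
    """Client hello: version 5, one auth method offered, 'no authentication'."""
    return bytes([VER, 1, NO_AUTH])


def connect_request(host, port):
    """Build a CONNECT request.

    A hostname goes out as ATYP_DOMAIN, so the SSH server end does the DNS
    lookup.  An IP literal means the client already resolved the name itself,
    and that lookup travelled over the local (untrusted) network.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def resolves_remotely(request):
    """True when the request leaves name resolution to the proxy side."""
    return request[3] == ATYP_DOMAIN


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def handshake(sock, host, port):
    """Run greeting + CONNECT on a connected socket; return the reply code (0 = ok)."""
    sock.sendall(greeting())
    ver, method = recv_exact(sock, 2)
    if ver != VER or method != NO_AUTH:
        raise ConnectionError(f"unexpected method reply: ver={ver} method={method}")
    sock.sendall(connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != VER:
        raise ConnectionError(f"unexpected reply version: {ver}")
    # Drain BND.ADDR and BND.PORT so the stream is positioned at the payload.
    if atyp == ATYP_DOMAIN:
        addr_len = recv_exact(sock, 1)[0]
    else:
        addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp)
        if addr_len is None:
            raise ConnectionError(f"unknown address type in reply: {atyp}")
    recv_exact(sock, addr_len + 2)
    return rep


def probe(host, port, proxy=("127.0.0.1", 9999), timeout=5.0):
    """Connect to the local SOCKS5 listener opened by `ssh -D 9999` and test it."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        return handshake(s, host, port)


if __name__ == "__main__":
    req = connect_request("example.com", 443)  # constructed target
    print("name resolved by proxy side:", resolves_remotely(req))
    print("proxy reply code:", probe("example.com", 443))
```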
Pulsing the Alix LEDs
http://2718.us/blog/2008/05/25/pulsing-the-alix-leds/
Mon, 26 May 2008 01:11:07 +0000, by 2718.us

Now that all my traffic to and from the internet is running happily through my Alix box (and it had no trouble with a few hours of sustained maxing-out of my 6Mbps down/768kbps up DSL line in both directions), and since my first test unslung-NSLU2 “slug” seems to be stably doing its job as a backup DNS/DHCP server, it’s time to do the fun little things, like wonder, “Hey, the Alix has 3 LEDs on the front.  What could I do with those?”

Well, first I learned from a mailing list archive post that under OpenBSD, the LEDs are easily controlled with gpioctl (using 0 and 1 for off and on):

    # one-time setup to get 0 and 1 to mean what we expect
    gpioctl -q -c 6 out iout
    gpioctl -q -c 25 out iout
    gpioctl -q -c 27 out iout

    gpioctl -q 6 [0/1]    # for the left-most LED
    gpioctl -q 25 [0/1]   # for the middle LED
    gpioctl -q 27 [0/1]   # for the right-most LED

That’s pretty easy, but it’s just on and off (though it does require privileged access to control the GPIO pins).  Poking around on the web today, though, I found Jordan Sissel’s blog post on making the Soekris net4501’s LEDs do the Apple-style pulsing fade-in-out.  His C program didn’t work straight away on my Alix, perhaps because he was working on FreeBSD and I’m using OpenBSD, but with a little digging in the OpenBSD source code for gpioctl, I was able to cobble together some C code to replace his “led” function that set the state of the LED as well as the device initialization.  With a little tweaking to make the code feel more like my own and to make the LED pulse just once (the original code pulsed indefinitely), I arrived at pulse_led2_once.c (which still must be run as root to work, since it uses the GPIO interface).

NOTE:  This file is provided “as is” and is not guaranteed to do anything at all, including not guaranteed to be safe to run.  It worked for me, YMMV.  I’ve posted my modifications having asked Jordan Sissel first; I’d appreciate it if you’d let me know if you wanted to post modifications to my code.  AFAIK, my inclusion of OpenBSD source was done in compliance with the copyright notice in their source file, reproduced as requested by the code I used.

flashdist/OpenBSD “oh, duh” moment
http://2718.us/blog/2008/05/22/flashdistopenbsd-oh-duh-moment/
Fri, 23 May 2008 01:08:25 +0000, by 2718.us

My biggest problem with flashdist is just how little is included.  This is, of course, necessary for the primary goal of flashdist (working on really constrained machines) and since its goals generally align with my goals in using flashdist and since flashdist has those nice, simple, pre-built images, the fact that very little is included in the base distribution is worth trying to work around.

The “Oh, DUH!” moment came today when I realized (after much mucking about with pulling various programs I needed from other OpenBSD boxes with more complete installs and running into various issues with version differences) that I could just download base43.tgz from an OpenBSD ftp mirror onto my Mac, unzip it, and sftp what I needed over to the flashdist machine, no other OpenBSD box needed.  Once I’d copied ldd over to the flashdist machine, I could even find out what libs I needed to copy over, too.

This means, of course, that I now have dhcpd and BIND running on my Alix.

Small *nix Devices
http://2718.us/blog/2008/05/22/small-nix-devices/
Thu, 22 May 2008 07:35:22 +0000, by 2718.us

Today, not only did the NSLU2 that I bought on eBay arrive, but the red anodized aluminum case for my Alix arrived, too.  Getting the NSLU2 to run “unslung” from a 1GB flash drive was a royal pain.  If I do a second one, I’ll have to verify my technique, but it seems that the direction to format the drive before reflashing is just a mess (since it’s nearly impossible to get the Linksys firmware to format a flash drive), but once the firmware is reflashed to non-stock, it’s easy to format the flash drive, then run the script to move the boot stuffs off to the flash drive, where there’s room to install stuff.  The problem is that the device seems to be spending about 90% of its time completely hung and non-responsive (telnet and ssh freeze or maybe just hang, web interface unresponsive, intermittent “thrashing,” if you can call it that, of the flash drive) for reasons I can’t quite figure out.  It may not turn out to be as useful as I’d hoped, but even if it doesn’t do what I want, it will have been an interesting experiment.  Plus, I realized it’s the only Linux box I’ve got on hand (my other machines are various Macs and OpenBSD boxes and a few PCs).

Speaking of OpenBSD boxes, the Alix seems to be much closer to usable than I’d expected now, having restarted from a newer pre-built flashdist image.  The hokey thing I’d forgotten about is how few of the standard basic *nix command programs are in the base flashdist, so I end up copying over program after program from another running OpenBSD box.  I’m hoping to get BIND and dhcpd up and running soon, get pf all set up for router/NAT/firewall use, and try it out with a DSL modem before the weekend is up.

And, with a little luck, by the end of the weekend, all these various devices will be self-updating the various common config files (BIND zones, dhcpd.conf, etc.) from a common server.  I’ve already got a shell script that can check for an update to itself and replace itself with the newer version; I just have to make it check for and retrieve updates for the actual config files.

Since I already Mentioned OpenBSD for Routers…
http://2718.us/blog/2008/05/18/since-i-already-mentioned-openbsd-for-routers/
Sun, 18 May 2008 16:12:48 +0000, by 2718.us

I subscribe to a few security-alert email lists, most of which I skim and delete (since I already know that there are new fixes for multiple vulnerabilities in MS Windows and/or Office without being told and since I don’t care about issues with multi-thousand-dollar Oracle/Cisco/Sun products).  It’s rare that an alert really catches my eye the way the Debian/OpenSSL thing did.  I think the key thing to point out is that it seems that somewhere along the way someone in the Debian realm broke OpenSSL–that’s why this is a Debian-specific issue.  I’d also like to point out that this is why I use OpenBSD for high-security machines (i.e. router/firewall machines): careful, detailed security auditing.

security holes comic from xkcd
