Forgot your password?

Comment: Re: Good...? (Score 1) 279

by buchanmilne (#46253263) Attached to: Ubuntu To Switch To systemd

1) You can use a different logger with systemd
2)To watch log messages with journal, journalctl -f

There are still some things I don't like about the journal (I haven't seen how to specify different retention rules for logs of different applications), but then I've only spent a few minutes actively using it.

Maybe the thing that irritates me about journal is I don't know what previously unsolved problem it is trying to solve, while making some log processing difficult.

Comment: Re: Probably for bootable CDs (Score 3, Insightful) 232

But, if you are booting from CDs, and the CD has the rest of the media, why do you need the utility for verifying signatures on the boot media (1.44MB image)? Bootstrap the installation image from the iso9660 part of the CD (or network in the case if a network install)? and have that contain the signature verification utility.

Hint: RPM-baswd distro have been doing this since rpm 3.x, or about 1999.

Really, who uses floppies for installation these days? Sure, maybe floppy emulation on a DRAC or iLO or ILOM, but they all
-support CDROM or DVD emulation
-PXE boot (with relatively large images possible via TFTP)

If none of these are options, just write the whole (hybrid) ISO image to a 4GB USB flash disk and be done with it.

I personally haven't used an actual CD-RW or DVD to install a syatem in about 5 years. Either network install booted via PXE for servers, or USB flash disk for laptops.

Comment: Re:From a comment there (Score 1) 341

by buchanmilne (#45835529) Attached to: Linux Distributions Storing Wi-Fi Passwords In Plain Text

c) full-disk encryption can be tricky to do right on laptops, which are the main user of WiFi.


I have been using full (or, full enough, /boot isn't encrypted) disk encryption on my laptops for years. Since my only non-laptop is a workstation in a secure facility, I only did full disk encryption on that a few months after first doing it on my laptop (which is a much bigger security risk than my workstation).

Comment: Re:KNetworkManager (Score 1) 341

by buchanmilne (#45835415) Attached to: Linux Distributions Storing Wi-Fi Passwords In Plain Text

I have used KDE for a long time. My laptop has an embedded 3G card that works better / more easily with NetworkManager/ModemManager than with more traditional (e.g. pppd, wvdial etc.) setups. Thus, I tried KNetworkManager.

However, I use WiFi networks with both WPA2 Personal, and WPA2 Enterprise, security. I don't mind my WiFi keys for the WPA2 Personal networks being stored somewhere, but I don't want my passwords for WPA2 Enterprise networks stored *anywhere*. Before trying NetworkManager/KNetworkManager, I would have all the WiFi configuration in /etc/wpa_supplicant.conf except the username and password, and run wpa_gui. The first time a specific instance of wpa_supplicant connected to said WiFi network, wpa_gui would pop up a dialog prompting for username and password, and I wouldn't need to enter the same credentials for the lifetime of that wpa_supplicant process (typically longer than the lifetime of the password).

However, with KNetworkManager, my options are:
-Always Ask

In the 'Store' case, due to my KDE Wallet settings (including 'close when screensaver starts'), now every time I resume my laptop, I will be prompted to enter my KDE wallet password (longer/more complex than the WPA Enterprise password).

In the 'Always Ask' case, I am required to enter my password *every* *time* I associate to the the SSID.

So, maybe it is better than nm-applet (I haven't used nm-applet *that* much) or the Gnome 3 integration (which I only see when trying to help a colleague), but it most definitely isn't better than the old /etc/sysconfig/network-scripts in conjunction with wpa_supplicant approach that I have been using for the past 7 years. On Mandriva (and Mageia), the net_applet tool can do all that configuration anyway, so there really doesn't seem to be any benefit. Of course, systemd will most likely require NetworkManager only at some point. I hope someone fixes NetworkManager to be more sane before then.

At present, I don't care about having a WiFi network connected before a user is logged in. Surely on a typical laptop, that occurs once a month or so? We have network authentication with cached crendentials, and I can kinit after logging in anyway. If this is really a requirement, using TPM (with all of its failings) would probably be a better approach.

Comment: Missing option - I work for an ISP implementing ru (Score 1) 290

by buchanmilne (#44683567) Attached to: My ISP...

I thought this was a tech site.

Surely one of the obvious answers options should be for someone who implements the rules to ensure that bandwidth hungry users don't kill the experience for all the others (as evidenced by other answer options and numerous comments).

Remember that to make a service affordable (while ensuring some kind of return on investment) all consumer internet access networks are designed with contention ratios. Managing users who try and get as much as possible is an obvious requirement if you don't want all users to have a crappy experience

Comment: Re: Oh please (Score 1) 146

by buchanmilne (#44512127) Attached to: MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

And all platforms that support EAP support PEAP with MSCHAPv2.

Any network that does PEAP with MSCHAPv2 using credentials thay are usee dor any other service is vulnerable, unless the clients will require certificates signed by a trusted CS cert.

Android authenticating via FreeRADIUS to Samba password hashes to allow access to an AP running OpenWRY would be vulnerable by default.

Comment: Re: Why can't it be patched? (Score 1) 146

by buchanmilne (#44512061) Attached to: MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

EAP is performed when the EAP client is trying to establish layer 2 connectivity, before IP address aasignment can happed. Since there is no IP, there is no way to do a DNS lookup, and nothing to validate the subject cn against.

If certificate validation against CA certificates is disabled by default ( which is the case on Android as well), certificate validation collapses to whether the cert has expired.

I am only aware of 2 mobile platforms that do this better, iOS which prompts on a new EAP certificate, and Symbian, which didn't allow connecting to EAP networks with certs not signed by a trusted cert.

  The recent 'it just works' race to the least secure is not going to end well.

Comment: Give the buyer something of value (Score 1) 684

by buchanmilne (#43572707) Attached to: Ask Slashdot: Are There <em>Any</em> Good Reasons For DRM?

How would those who are opposed to DRM ensure that artists will get just compensation for their works if there are no mechanisms to prevent someone from simply digitally copying a work (be it music, movie or book) and giving it away to anyone who wants it?

If it were me, I would:

  • Give the people who pay for a legitimate license for the work something that is of value to them, but costs you nothing.
  • Don't artificially increase the cost of distributing works.
  • Allow people to copy the work, and reward them for licensing it
  • Ensure that nothing besides access to the file storing the content is required for enjoying the work.
  • Build in some features to validate the authenticity of the work.
  • Allow the user to backup just the signatures

For example, in a container format that supports separate streams and meta-data, store an x.509 certificate or PGP signature by a licensing representative of the artist of the content's digest/hash and the customer's details (e.g. name).

Have playback/display software show the content that has such a signature differently, e.g. a badge with the customer's details from the signature.

Allow a user who has copied the content from someone else to buy just a license for the content, and all you need to do is:

  • Vlidate the hash of the content to ensure they have the copy you want them to have
  • Issue a new cert/signature

Of course, some changes to media consumption software would be required to support this model.

I would definitely be motivated to license more of the works I have copied if it was easy, didn't require downloading new versions, and had something more attractive to me. There is currently almost nothing to distinguish works I have paid for from ones I haven't (except that I store them separately). For most users, the only distinguishing factor is that the one they haven't paid for is easier to use.

Comment: Re:Maybe they should look at FreeIPA & SSSD (Score 1) 35

by buchanmilne (#43420565) Attached to: Draft IETF Standard for SSH Key Management Released

Cluebats welcome.

I'm wondering what's wrong with "scp -rp ~/.ssh user@host:~/" (assuming pword auth can be enabled momentarily).

1)PasswordAuthentication no

(One of the reasons to use keys is to avoid password cracking, and/or enforce two-factor/multi-factor authentication/authorizaion in conjunction with sudo or a VPN or similar)

2)AuthorizedKeysFile /etc/ssh/keys/

(Many security frameworks don't allow non-administrative users to have full control over keys, as this can lead to abuse, such as a member of the dba group, who can run certain commands as the oracle user with auditing, giving him/herself unrestricted/unaudited access to the oracle user account. Another example is if there are restrictions in the aurhorized keys entry, such as forced command, or sources that can use the key via 'from', 'no-port-forwarding', etc. etc. that should not be under the user's control )

We have historically used the LPK patch to OpenSSH, and we are transitioning to the AuthorizedKeysCommand feature, and have the two configurations above on all our production servers. Before the LPK patch, it was a non-trivial effort to add new users. I guess these days, puppet or chef would be other options too.

Comment: Re:Maybe they should look at FreeIPA & SSSD (Score 1) 35

by buchanmilne (#43420523) Attached to: Draft IETF Standard for SSH Key Management Released

FreeIPA and SSSD are not required.

Just OpenSSH with either the LPK patch, or the AuthorizedKeysCommand patch, or OpenSSH 6.2 or later.

I have been using ssh keys in LDAP since 2004, with OpenLDAP. FreeIPA, and its dependency on 389/RHDS (specific, non-standard features of 389/RHDS have been built into IPA, whereas many other web interfaces for LDAP have solutions to the same problems which don't rely on proprietary RHDS features) is unnecessary.

Comment: Re:Great! Another mobile OS! (Score 1) 74

That's just what I was looking for! Now if I want to write a cross-platform application I not only need to develop for OS X, Windows XP/Vista/7 and Windows 8/Metro, GNU/Linux and the mobile OSes iOS, Android, and Windows RT, I also should develop my apps for ChromeOS, FirefoxOS, WebOS, and last but not least "Jolla."

You can develop for all of those platforms with the toolkit that is native to Jolla, Qt.

You'll still have issues with app stores though.

I took a fish head to the movies and I didn't have to pay. -- Fish Heads, Saturday Night Live, 1977.