August 2005 Archives

Justin Clarke

I use PGP on most days to send encrypted and digitally signed email to external clients. However, an increasing number of my clients are using the S/MIME standard to encrypt external email instead.

Since my company uses Lotus Notes, I went through the process of figuring out how to get Lotus Notes to send S/MIME encrypted or signed email (supported in recent versions - these screenshots are from Notes 6.5.3).

First of all, you will need to get an X.509 email certificate. You can get these for free from Thawte, or you can pay to get them from Verisign. The example I am going to use is Thawte. For this example, I am assuming you have already requested the certificate using Internet Explorer, and you have already downloaded the certificate into IE. The guidance on the Thawte site should be able to get you to that point.

Firstly, for those not familiar with exporting certificates, you need to go to Tools -> Internet Options -> Content, and click on the Certificates button in the middle :-

[screenshot]

You should then be presented with a screen as below where you can export the certificates installed. If you don’t see a certificate issued by Thawte at this point, you haven’t got the certificate installed in IE correctly.

[screenshot]

At this point we click “Export” to start the export wizard - make sure that we export the private key, and use PKCS #12 format (a .pfx file). You will be required to pick a password - this is used to provide some security over the key, especially useful as we have the private key in the file.

At this point we can import the key into Lotus Notes. This is done using the File -> Security -> User Security menu. In the “Your Identity” section there is a subsection titled “Your Certificates”. If you click on this subsection, you should get a screen similar to this one :-

[screenshot]

If you click on “Get Certificates”, and select “Import Internet Certificates”, you should be prompted to select the PKCS #12 file created when the certificates were exported from IE. Select that file, enter the password you specified before, and you should see a screen similar to this :-

[screenshot]

Click “Accept All”, and you should be finished.

Note that in order to sign or encrypt email you will need to specify this in the delivery options for each message, or change your user options to automatically sign/encrypt all messages.

In order to import X509 certificates from people who have sent you signed messages, you will need to add them to your address book using Tools -> Add Sender to Address Book, making sure that on the Advanced tab, “Include X509 certificates when encountered” is checked.

Anton Chuvakin

Related link: http://del.icio.us/anton18

I recently started using (or “playing with”?) del.icio.us site, a “social bookmark manager”. Feel free to check out my page; there I post more of the security links that I enjoyed.

Anton Chuvakin

Related link: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/adjective_comp…

Here is a creative and humorous spoof on worm- and virus- related press releases called “[Adjective] Computer Worm [verb] Internet”. It made me laugh, so I am posting it here. It was written in 2003, which makes it even funnier :-)

Chris Josephes

Have you ever posted an image to a blog or a web forum, and then found out what you submitted was not the image that showed up in the posting? I found an interesting example of this on a popular news blogging site.

The comment had an image from a third party server. This third party server was configured to substitute images if the original file was being inlined from another web site. Most web servers, like Apache, can be configured to change the image based on the value of the Referer HTTP header.

Instead of the image you’re expecting to see, you’ll see a low resolution image with text saying something like, “Please visit my site”, or “You’re stealing my bandwidth”. I’ll refer to these images as nag images.

But in this case, the replaced image had no words or warnings. It simply showed a naked man and a parakeet, perched in a place where most people wouldn’t perch a parakeet.

The posting was deleted by moderators, but not before people freaked out about seeing a “Not Safe For Work” image. One user discovered that this was a nag image. By viewing the image without a Referer header at all, the image was completely different.

Nag images may work with other websites, but they don’t work with blogs. People commenting in blogs may not have the ability to retract or edit their comments once they are submitted. So once the image is posted, it’s stuck there until an administrator can delete the posting.

To make matters worse, people posting to the blog may not even see the nag image in Preview mode. If the image is cached in the browser, it will appear to be just fine, because the web server’s Referer check was never made.

Now if you happen to be an author that writes blogging software, there is a way that you can prevent these nag images from showing up in your site.

If any site user makes a posting that inlines images from a third party server, the editing software should retrieve the image twice using the HTTP HEAD method. For the first retrieval, don’t pass a Referer header. For the second retrieval, set a Referer header that would reference the full URL of the page that would eventually load the image.

For both requests, the HTTP server headers Content-Length and ETag should return identical values. If they don’t, that means the web server is sending out different files. Make sure the comment poster is aware of this, and give them the opportunity to correct the problem.
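The two-HEAD check described above, written out as an added example (not code from the original post). It also starts a small local imitation of a third-party host that swaps one image when a Referer is present, so the check can be run offline; the host, paths and page URL are constructed.

```python
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed sample objects: the real image and the substitute served to hotlinkers.
REAL_IMAGE = b"\x89PNG\r\n\x1a\n" + b"real-image-bytes" * 64
NAG_IMAGE = b"\x89PNG\r\n\x1a\n" + b"please-visit-my-site"


class NagImageHost(BaseHTTPRequestHandler):
    """Imitation of a third-party host that swaps /photo.png for a nag image
    whenever the request carries a Referer (i.e. the image is inlined elsewhere)."""

    def _select(self):
        if self.path == "/photo.png" and self.headers.get("Referer"):
            return NAG_IMAGE
        return REAL_IMAGE

    def _send_headers(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", str(len(body)))
        # A content-derived ETag, as a typical static-file server would emit.
        self.send_header("ETag", '"%s"' % hashlib.sha1(body).hexdigest()[:16])
        self.end_headers()

    def do_HEAD(self):
        self._send_headers(self._select())

    def do_GET(self):
        body = self._select()
        self._send_headers(body)
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_imitation_host():
    """Serve NagImageHost on an ephemeral localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), NagImageHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def head_fingerprint(image_url, referer=None):
    """Issue one HEAD request and return the (Content-Length, ETag) pair the host answers with."""
    parts = urlsplit(image_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    headers = {"Referer": referer} if referer else {}
    try:
        conn.request("HEAD", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        return resp.getheader("Content-Length"), resp.getheader("ETag")
    finally:
        conn.close()


def referer_dependent(image_url, page_url):
    """The post's check: HEAD the image without a Referer, then with the full URL
    of the page that will inline it. Differing Content-Length or ETag means the
    host serves something else to hotlinkers and the poster should be warned."""
    return head_fingerprint(image_url) != head_fingerprint(image_url, referer=page_url)


if __name__ == "__main__":
    server, base = start_imitation_host()
    page = "http://blog.example.com/post/123"  # constructed page URL
    try:
        print("photo.png swapped for hotlinkers:", referer_dependent(base + "/photo.png", page))
        print("logo.png swapped for hotlinkers:", referer_dependent(base + "/logo.png", page))
    finally:
        server.shutdown()
```

In a real deployment the editing software would run referer_dependent against the poster's image URL at submit time and, on True, show the poster both fingerprints so they can fix the link before the comment is published.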

Anton Chuvakin

Related link: http://www.networkworld.com/columnists/2005/081505faceoffno.html

I’ve been meaning to blog about the Jericho Forum for some time. This article finally did it. To disclose, in general I am very skeptical about the “pay per play” industry groups, especially those charging multiple thousands for a chance to voice your opinion on whatever security topic. So many of them failed miserably to achieve anything but a chance for CXOs to expense trips to exotic locations.

Jericho seems full of ideas, but so far it is not clear ‘what is new’ and ‘how it will work’. Sure, firewalls are not the only defense most people need. Clearly, the nature and role of the network perimeter is changing. Yes, defense in depth is a sound strategy (as has been known for quite some time).

This article summarizes it nicely: “large and architecturally elegant ideas die an ugly, lingering and expensive death. What works is step-wise refinement, the method of successive approximation and the brutal invisible hand of the marketplace.”

What I think will happen is that the evolution process will march on towards “de-perimeterization”, with or without Jericho on board. Thus, go book those trips now :-)

Anton Chuvakin

Related link: http://www.computerworld.com/securitytopics/security/story/0,10801,104011,00.htm…

First, let me explain that the “IP” in the title is “intellectual property”, not “Internet protocol”. So, many folks promptly discount an IP leakage problem as unsolvable anywhere outside of a secure government facility run by a police state :-) (and some doubt even that :-)). So, how can one try to tackle this challenge?

This article nicely summarizes two currently known approaches: network- and host-level monitoring and document-level enforcement (aka DRM), and, not surprisingly, advocates a combination of them.

Will it work for “Mattias Thurman”? Let’s hope so, but don’t bet too much on it - the problem is one tough nut to crack…

Anton Chuvakin

Related link: http://www.computerworld.com/securitytopics/security/story/0,10801,104069,00.htm…

This piece, while far from eye-opening, indicates an ongoing industry confusion about who is responsible for the losses caused by the raging worms of the day. Three common choices are: OS/application developers who write crude code, technology end users who don’t patch (and never harden), or hackers who create worms.

The author of this paper fires his broadside at the OS developer (“Isn’t it time for Microsoft to stop selling operating systems with buffer overflow security holes?”). As I note above, this is only one of the three possibilities…

Chris Josephes

Related link: http://search.cpan.org/~btrott/Crypt-OpenPGP-1.03/

There are a few perl modules and tools out there that can be used to encrypt data using PGP or GPG. Most of them require that the end user have an actual pgp or gpg executable program that can be accessed by a system call or an IPC pipeline. But there is one module that stands out from the rest.

Crypt::OpenPGP is a pure perl implementation of the OpenPGP standard. It can support different versions of PGP and GPG encryption. Using this distribution will not require a command line program for a back-end.

Here’s a short example of sending an outgoing message that will be signed using an existing GPG key.

#!/usr/local/bin/perl
use strict;
use warnings;

# Includes
use Mail::Internet;
use Crypt::OpenPGP;

# Header lines of the outgoing message (single quotes so '@' is not interpolated).
my $headers = [
     'From: admin@example.com',
     'To: enduser@example.com',
];

my $msg = <<'EOM';
Thank you for filling out our survey.
We will be emailing you shortly.

EOM

# Pure-Perl OpenPGP engine in GnuPG-compatible mode; keyrings are located
# the same way gpg would find them.
my $openpgp = Crypt::OpenPGP->new(Compat => 'GnuPG');

# Clearsign => 1 keeps the text readable and signed in a single armoured block;
# appending a separate (non-detached) signed block would repeat the text.
my $signed = $openpgp->sign(
        Data       => $msg,
        KeyID      => '4FCA4C4D',
        Passphrase => 'testphrase1',
        Clearsign  => 1,
        Armour     => 1,
) or die 'Signing failed: ', $openpgp->errstr;

my $mailer = Mail::Internet->new($headers);
# body() takes an array reference of lines, not a single string.
$mailer->body([ split /^/, $signed ]);

# Relays via the hosts in $ENV{SMTPHOSTS} or Net::Config
# (or pass Host => 'smtp.example.com' explicitly).
$mailer->smtpsend() or die 'SMTP send failed';

exit 0;

One disadvantage of this method is that it requires about 15 dependency modules to be installed. There isn’t a Bundle class to make the installation easy, but you can still get Crypt::OpenPGP up and running within an hour.

Anton Chuvakin

Related link: http://www.realmeme.com/Main/miner.jsp

I tend to blog about security things, but this amazing online tool can be used for other purposes as well. It checks for whatever keywords in web pages and outputs the data in the form of a trend graph, that can be used to see what is “being talked about”. Sometimes, it appears, one can actually predict the future pretty well with it…

Anton Chuvakin

Related link: http://www.insecuremagazine.com/INSECURE-Mag-3.pdf

INSECURE is a fun [relatively] new security magazine, distributed as PDF. I found some interesting bits in the latest - 3rd - issue, that just came out. Those include articles on extending nmap service detection as well as some higher-level pieces.

I find it curious that the magazine manages to pack good articles for very different types of people, from CISOs to “real” practitioners :-)

Chris Josephes

Related link: http://www.betanews.com/article/Verizon_Glitch_Exposes_Customer_Data/1123859876

In case there is a website application developer who hasn’t gotten the message, I’ll say it loud and clear: Never trust the client application.

Jonathan Zdziarski only wanted to create a simple way to find out his cell phone account balance. The article doesn’t mention if he was trying to create a widget application, a perl command line client, or even a Javascript bookmarklet. It only mentions that he learned about a problem during the development of his code. By substituting his phone number with someone else’s he could see the account details for that number.

I’m not criticizing Verizon, because this actually happens to a lot of websites. There are too many web applications that put their faith in session based URLs, Javascript field validation, or cookies that are set, but never verified. Those techniques may have worked fine with actual web browsers. But you can’t be sure anymore that anyone using your site is using a traditional browser.

The Apple website lists over 1000 custom widgets for their Dashboard application. The Konfabulator website lists over 800 widgets for their environment. Now add to that all of the tiny command line scripts that have been around for years. There’s a chance if you have a really popular or useful website, somebody out there may have created a script that interacts with your site.

That’s probably not a bad thing, unless your script is an old copy of FormMail. A widget can create another method to make your website more useful to people’s needs. Either you can buckle down and create your own, or somebody else might create one for you. Keep in mind that there could be widgets out there that you may not even be aware of, especially if the client is pretending to be Internet Explorer, or another browser.

If there are no widgets for your site, at least make sure your server applications are better prepared for them. They should be able to gracefully handle missing or invalid input. They should also have strict security checks in place when the client is requesting sensitive data.
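The failure described above (a logged-in client supplies someone else’s account number and the server looks it up as-is) beside the server-side check that prevents it, as an added example; none of this is from the article or from Verizon, and the account table, session store and handler names are constructed.

```python
import re

# Constructed sample data standing in for the carrier's account table and session store.
ACCOUNTS = {
    "2125550100": {"owner": "alice", "balance_usd": 42.17},
    "2125550199": {"owner": "bob", "balance_usd": 8.05},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session cookie -> authenticated user

PHONE_RE = re.compile(r"\d{10}")


class RequestError(Exception):
    """Raised for any request the server refuses; a web layer would map it to a 4xx."""


def balance_trusting_client(session_id, phone):
    """The flawed pattern: the session only proves that *someone* is logged in,
    and the phone number the client sends is looked up as-is. A widget that
    substitutes another number therefore sees another customer's account."""
    if session_id not in SESSIONS:
        raise RequestError("not logged in")
    return ACCOUNTS[phone]["balance_usd"]


def balance_checked(session_id, phone):
    """Hardened lookup: validate the input's shape, authenticate the session,
    then authorise the specific object against the server's own ownership record.
    Nothing the client sent is trusted to decide whose data comes back."""
    if not isinstance(phone, str) or not PHONE_RE.fullmatch(phone):
        raise RequestError("malformed phone number")  # graceful handling of missing/invalid input
    user = SESSIONS.get(session_id)
    if user is None:
        raise RequestError("not logged in")
    account = ACCOUNTS.get(phone)
    if account is None or account["owner"] != user:
        # One answer for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate valid numbers.
        raise RequestError("no such account for this user")
    return account["balance_usd"]


def demo():
    """Alice's session asking for Bob's number: the trusting handler leaks
    Bob's balance, the checked handler refuses. Returns (leaked_value, refused)."""
    leaked = balance_trusting_client("sess-alice", "2125550199")
    try:
        balance_checked("sess-alice", "2125550199")
        refused = False
    except RequestError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    print(demo())
```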

Justin Clarke

I find myself looking at swag I have collected from conferences recently - both swag my company has given away and swag collected from other conferences…. and I find myself asking - what is the coolest thing people have ever got as swag from a conference?

On my desk and in my computer bag I have the following:

  • Wind-up network cable with adapters for telephone use, from Bindview, Blackhat 2004 I think
  • 4 port USB hub (USB 1.1 not 2.0 unfortunately), my company, Blackhat 2004 I think
  • USB light, from Sophos, InfoSec 2005 in the UK
  • USB flash drives in various small sizes (32M, 64M), various (including my company), various conferences
  • Glowing pen (lame but amusing), my company, various conferences

Out of all of these, the USB light is probably the coolest, and the wind-up cable is probably the most useful.

What’s in your bag that came from conferences?

From the comments so far you guys must go to better conferences than I do ;-)

Dru Lavigne

Related link: http://www.sitetronics.com/wordpress/?p=17

I wrote earlier today about Pair Networks’ donation to FreeBSD development. I dropped them a quick note to thank them using their general contact form and received the following response within a few hours:

Subject: Re: [O7J5J4Q] General Inquiry

Hello,

You’re welcome ;)

We rely on FreeBSD and we will continue to support its development in the future.

I’ve also come across Devon O’Dell’s blog on OSCON which includes pictures, including Beastie on a Segway and Beastie with Jordan Hubbard.

Enjoy.

Dru Lavigne

Related link: http://lists.freebsd.org/pipermail/freebsd-advocacy/2005-August/002488.html

You may or may not be aware that Pair Networks is a big supporter of FreeBSD. Take their Datacenter Tour and you’ll see their network contains over 1000 hardened and fully patched FreeBSD servers.

Not only that, they put their money where their mouth is. Remember last year when Poul-Henning Kamp asked for donations to fund his work on the FreeBSD filesystem and disk-I/O subsystems? In a gutsy yet successful move, a new funding strategy was born which many insiders now refer to as “pulling a PHK”. Well, Poul’s biggest donation came from, you guessed it, Pair Networks at just over 25,000 USD.

It turns out that another FreeBSD developer has pulled his own PHK in order to fund the optimization and cleanup of the current FreeBSD TCP/IP code. In under two weeks he made his target financial goal with a huge boost from Pair Networks who donated 14,000 USD.

A big thank you to Pair Networks for providing such donations. An equally big thank you to all of the other people who donate–your contributions provide visibility to a userbase who cares about FreeBSD and the developers who contribute to the FreeBSD project.

Dru Lavigne

Related link: http://conferences.oreillynet.com/os2005/

On Friday, I actually had a chance to attend some sessions.
The first was on women in Open Source. It was chaired by Danese Cooper whom I met at the Ottawa Open Source Weekend a few years back. I hadn’t realized she had left Sun for Intel this past March.

This was an interesting panel of 6 senior women in Open Source as well as a male research associate whose thesis is on this topic. The reasons for the low percentage of women in Open Source projects were explored and included the educational/cultural bias against young girls in math and harassment by male peers. It was also noted that women are involved in Open Source, but rarely as developers (which until recently have received most of the spotlight). Instead, they’re involved in education, documentation and managerial roles, meaning they’re much more visible in a corporate environment. Even in the panel of 6 women, over half had engineering degrees and had started out as coders but only one still coded for a living–the rest had moved on to managerial roles. It was suspected that this hidden element of involved women would become much more visible as Open Source continues to integrate into the mainstream corporate environment.

The next session was led by 3 people deeply involved in the European Software Patents issue. It was interesting to hear an inside view regarding the politics, mini-defeats and mini-victories over this issue. Here’s a summary of the current situation in Europe. As Michael Tiemann noted, even when it looks like you didn’t get what you wanted, you still have an impact.

For the final session, Nat Torkington gave away several prizes (including a Gibson guitar) and even managed to bonk a few people in the head as he threw (much lighter) swag into the audience. This was followed by Miguel de Icaza’s demonstration of the features in the upcoming release of Suse as well as the now-leaked OpenSuse.

Probably the coolest feature was the ability to rotate between desktops. Visualize your desktops as a cube and the ability to use your mouse to rotate to the desired part of the cube.

So, now I’m all jazzed up for next year’s OSCON and will do things a bit differently. For one, I’ll leave much earlier–probably Sunday morning–and I’ll go straight to Vancouver and bypass Toronto. Second, I’ll attend as many sessions as I can on the non-exhibit hall days as well as give the tutorials a try. And, yes, I hope to have another BSD booth next year.

Dru Lavigne

Related link: http://conferences.oreillynet.com/os2005/

Thursday was a busy day in the Exhibit Hall so I’ll just jot down the highlights as I remember them.

The BSD booth was well manned and I had the chance to meet the people behind the email addresses I had corresponded with in the past. Devon O’Dell and Seth Kingsley were kept busy creating live “live” CDs to give away. Aaron Grier demonstrated NetBSD on his SGI and DEC Alpha boxes. Matt Olander did an amazing job engaging probably every person in the hall in conversation. I was pleasantly surprised at the number of people who use BSD both casually and full-time. Even the few who did not would think for a minute and say something like “isn’t our firewall running BSD?” or “we have a BSD server in the back room someplace”.

Once Jason Dixon had finished his talk, he set up his network of OpenBSD systems to demonstrate CARP failover. If you haven’t seen this in action yet, you have to check it out. Jason started an ssh session, a ping and a large file transfer. He then physically disconnected the master firewall. There was a slight increase in latency in one ping packet as the backup firewall assumed master duties. No loss of either the ssh session or the file transfer. He’d then reconnect the original master and you could see both firewalls resume their initial positions. All without affecting the network traffic.

Beastie again made an appearance, this time on a segway. I’m still awaiting those pics, but I do have these ones of Beastie hanging out at the BSD booth:

From left to right in this one you can see Jason Dixon looking at his CARP demo, Seth Kingsley burning CDs, myself, Beastie and Matt Olander.

Here we actually stopped for a moment to pose. From left to right is Seth, Jason, myself, Beastie and Matt.

There were many other interesting booths in the Exhibit Hall. The Portland area is very progressive and a hub of Open Source activity. The Personal Telco Project provides free wireless access points throughout the city. (Portland airport, by the way, is the only one I’ve been through yet that provides free wireless access.) Oregon State University also has an Open Source Lab. I’ll definitely be taking a closer look at their site once I’m caught up. OSDL is also in the Portland area. I guess Linus was at OSCON, but no, I didn’t see him.

I had a chance to meet some people I’ve worked with remotely. My editor, chromatic, and O’Reilly’s user group manager Marsee Henon. I also met Bill Pollock from No Starch Press. And the entire SRA America crew as well as Bruce Momjian from the PostgreSQL project.

I had a lengthy conversation with the developers of ThoutReader and will be writing more about this later. This project integrates existing documentation with books from IT publishers into a personalized and fully searchable reader. As their button says, “you can’t grep a dead tree”. The reader itself is impressive: you can search by text, table and figures. The copyrighted material is protected from copying, yet the code snippets are cut and pastable–which saves you downloading these from the publisher’s website. I was very happy that there was a prominent BSD section. So, as an example, if I had a question on BSD, I could type in my search phrase and it would search all available documentation and books. That is invaluable. Sure, I may already have the books on my bookshelf, but rather than pulling 3 or 4 of them down looking for a particular phrase, I can have the answer available in a matter of seconds.

The ThoutReader has arrangements with publishers such as O’Reilly, No Starch Press, Pearson, and Wiley, meaning the author continues to get paid according to his contract. Better yet, the author can negotiate to have a portion of the proceeds from the book “sale” go to the Open Source project of his choice. They are also looking at implementing an affiliate program where, for example, every time someone downloads the FreeBSD handbook, a small donation goes to the FreeBSD project.

Besides existing documentation and books, they also have a program for an author to self-publish. Here, the author sets the price, how much of it he wishes to receive as a royalty and if any of the proceeds should go towards the author’s favourite Open Source project. Contact either Mark or Gary (contact info on the Info Center tab of the OSoft website) if you’d like more information regarding this project.

I’ll be contacting O’Reilly to get BSD Hacks added to ThoutReader. Mark and Gary were also highly receptive to the idea of creating internationalized versions of the reader. This would be a fantastic idea. Imagine having all of the Brazilian Portuguese, Polish or Simplified Chinese IT documentation available in one searchable location.

Finally, I was able to get commitments for several whitepapers on both the technical aspects of BSD as well as showcasing companies using BSD. I’ll let you know when the whitepapers are available. While on the road, someone emailed me with a question on a recent whitepaper I had written, for lo and behold, it had been published.

All in all, the second day of the Exhibit Hall was very productive. I met a lot of interesting people and made some good contacts for BSD advocacy.

Dru Lavigne

Related link: http://conferences.oreillynet.com/os2005/

I had hoped to have a full report regarding the first day of OSCON’s Exhibit Hall, but alas I missed it. My trip from Ottawa to Portland started Tuesday at 9 AM PST, but due to weather and an exploding plane in Toronto (fortunately, not mine) I was still on standby in Ottawa Wednesday morning thinking I was going to miss OSCON entirely. The ticket agent had told me that I had about a snowball’s chance in hell of actually getting a seat on that first flight to Vancouver and that there weren’t any other available seats ’til Friday…

Somehow I made it on that plane and had hopes of making Portland by noon. However, the plane left late meaning I missed the 11 AM connection to Portland but I did manage to get standby for the 3 PM flight. In the lounge were several other OSCON attendees hoping to catch the conference, including Jason van Zyl who was giving the Maven BOF that evening and had paid a ridiculously high fare on an alternate carrier just in case standby didn’t pan out. Just as well, as no one on standby made that flight…

So, I kissed the thought goodbye of helping to man the BSD booth that day and attending the author session. Finally made it to the Conference Center just before 8 PM, just in time to watch the last of the attendees straggle out.

I did get a chance to catch up with the guys from Offmyserver who had manned the booth that day. They had brought Beastie with them as well as a healthy supply of custom FreeBSD live CDs. Those, as well as the PC-BSD CDs, had proven very popular and the BSD booth had seen a lot of traffic. They had also given out several hundred pamphlets on BSD Certification, BSD Success Stories and BSDCan 2006.

I was disappointed to hear that Kris Moore, the PC-BSD developer, had only been available for Wednesday and I’d have to meet him in person another time. Once I was caught up, I stumbled to my hotel only to find that despite several phone calls and reassurances that the room would be held ’til I arrived, it had not been. After another ride on Portland’s impressive light rail system and a walk up an amazingly long hill dragging the belongings I had been dragging with me since Tuesday, I settled in for a few hours’ sleep.

On this final day of OSCON, the only thing I well and truly wanted to see — and had all week — was Brian Aker’s “How To Hack Your Home Phone System” presentation.

I’d certainly heard rumors about Aker’s experimentation with Asterisk at home.. how if you dial “#666” you will transfer the current caller to the sound of screaming monkeys (and put their telephone number in a telemarketer blacklist so they can never ring through again)… how if you aren’t on a pre-set list of phone numbers, there’s absolutely no way you can make his phone ring from 11 p.m. to 7 a.m.

Of course, those are certainly some of the cool features, but it does not come without its price. Brian’s experimentations and configurations of Asterisk have been very much “shiny thing” driven, and have often left his wife understandably annoyed at how come the home phone system doesn’t actually, say, work. (It was a steady part of the talk for him to point out “She uses her cell phone nowadays,” and to point out that the subtitle of the talk was “50 Ways to Piss Off Your Lover.”)

But the reality shone through: If you had the time to do it right, and were not prone to screwing around with it right before you left for five weeks of travel, a person could quite cheaply install a phone system in their home that rivaled the power of the average commercial enterprise’s PBX system.

As I get ready to fly home tomorrow (and begin the process of moving into my girlfriend’s house), I start to think “I wonder if when I transfer my line into the house, I should start to build something like this.” Certainly by abusing my phone number instead of hers, I can avoid the “wrath of the significant other” while it’s in the infant stages.. and when it’s done, I can add her number to the system as well — which would be good, since she runs a small business out of her home and the automated system would lend her an increased air of commercial street-cred.

I’m looking forward to my future forays into the world of VoIP hacking.

Any suggestions for things to do and not to do besides what Aker pointed out?

Chris Josephes

Related link: http://dban.sourceforge.net/

I’m working with a cabinet full of leased servers that need to be returned to their original owners in a few days. I don’t want to risk having data exposed to whoever might use the equipment next, so I’m scrubbing the hard drives.

Scrubbing is a process of writing data to a hard drive repeatedly in order to erase the original files. Other methods like deleting files, or removing partition tables, are no guarantee that somebody wouldn’t be able to recover old data, especially if they have physical access to the hard drive. In fact, it’s pretty easy to reconstruct deleted files if they haven’t been overwritten.

The only real way to be 100% effective is to physically destroy the drive using a blow torch, freon, sledgehammer, or similar methods. Using a scrubbing program works for most situations, and it leaves the hardware intact for later reuse.

The primary tool I’m using is called Darik’s Boot and Nuke, which boots from a cd-rom or floppy, and totally overwrites the hard drive with pre-programmed patterns of data. A disk can be simply overwritten with zeros, or it can use an industry-standard scrubbing method like the Gutmann wipe, DoD 5220.22-M, or RCMP TSSIT OPS-II.

Gutmann, 5220.22-M, and TSSIT are all different standards on how to overwrite data. Each one specifies a number of passes to write over a drive, and what data to write (all zeros, all ones, or random bits). The more passes you make, the longer it will take for the drive to be scrubbed. DBAN also allows you to repeat the entire process multiple times, if you want to try and be more effective.

Once you configure your parameters, just let the program run, and go home for the day. It’ll be at least 3 hours for a scrub to complete, depending on the size of your media. For more extreme cases, it will take over one day.

The one downside is the program isn’t configured for headless operation. I need to answer a couple of prompts before it will start the wiping process. It would be nice if I could just boot from the CD, and have it immediately start scrubbing, but that would be a dangerous CD to leave around. According to the documentation, I can probably change the default behavior if I open the disk image and edit the syslinux.cfg file.

Another downside is it took me quite a while to actually find this tool. My first Google search term was “disk scrubbing”, which sounds kind of obvious, but the term appears nowhere on the DBAN homepage.

While searching for tools like DBAN, I found two other open source programs that are also useful for destroying both individual files or hard drives.

Shred is a program in the GNU File Utilities bundle. Scrub is a program similar to Shred, developed by Lawrence Livermore National Laboratory.

Both Shred and Scrub are useful if you need to destroy a specific disk, disk partition, or individual file from a running system. They can be run from the command line of the running host, and there are different options available on the method used to overwrite the data.
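The mechanism these tools share, a fixed schedule of overwrite passes (zeros, ones or random bytes) followed by a verification read, carried out on an ordinary file as an added example; this is not code from DBAN, shred or scrub, and the three-pass schedule and the sample file are constructed. It works at the file level only: overwriting through a filesystem does not reach remapped sectors, journal copies or SSD wear-levelled blocks, which is why the tools above operate on whole devices.

```python
import os
import tempfile

# Constructed three-pass schedule: random bytes, then all ones, then all zeros.
# None means "fill with os.urandom"; an int is the byte value to repeat.
DEFAULT_PASSES = (None, 0xFF, 0x00)
CHUNK = 1 << 16  # 64 KiB per write


def overwrite_passes(path, passes=DEFAULT_PASSES, chunk=CHUNK):
    """Overwrite every byte of the file in place, once per pass. Each pass is
    flushed and fsync'd so the next pass overwrites what reached the disk,
    not just the page cache. Returns the number of passes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if fill is None else bytes([fill]) * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def verify_fill(path, fill, chunk=CHUNK):
    """True if every byte of the file equals `fill`; used after a final fixed-
    pattern pass (e.g. zeros) to confirm the overwrite actually landed."""
    pattern = bytes([fill]) * chunk
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block != pattern[:len(block)]:
                return False


def demo_wipe():
    """Write a constructed 'sensitive' file, scrub it, and report what the
    zero-fill verification sees before and after. Returns (before, after)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"customer records, do not leak\n" * 5000)
        path = tmp.name
    try:
        before = verify_fill(path, 0x00)   # False: original data still there
        overwrite_passes(path)
        after = verify_fill(path, 0x00)    # True: last pass was zeros
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("zero-filled before/after:", demo_wipe())
```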

I work at a moderately sized private college in the Hudson Valley region of New York State. We’ve got a potpourri of systems, including some Red Hat servers, some Solaris servers, a couple Windows servers, some Mac servers, but predominantly, our needs are met by our old standby - Debian.

We have a lot of servers. Not a lot as might be defined by a former employer of mine, but certainly in terms of data, there’s a lot. We back up a couple terabytes of data every week.

We’ve cobbled together this backup system over the years (and by “we” I mean the college and my predecessors). It works great, but it’s definitely sub-optimal, requiring loving care and attention, which is something you really don’t want from your backup system. You want your backup system to just work (and of course, you schedule random tests of your backup system to assure that this is the case).

But we started to need some features we couldn’t cobble together any more, like NDMP support, and so we started looking for alternative solutions. Things more sophisticated than a collection of Perl and Bash scripts.

So I went to yesterday afternoon’s “Open Source Backups” session with a lot of hope. I hoped I’d find something that would meet our organization’s needs. They’re not that complicated — back up the various servers to our TonsO’Disk® servers. Archive that disk storage to tape for offsite vaulting. Then back up our (separate) NetApps to tape using NDMP, and offsite those tapes. That’s not that hard, I wouldn’t think. Day-to-day restores come from the local disk backups, and the tapes are strictly for DR purposes.

Except, of course, that there’s no open source product that does these things. Bacula doesn’t support backing up to disk(?!?). (Updated: OK, it does support backing up to disk, it’s just not really in an intuitive place in the manual so I didn’t see it.) Amanda does, but it does so in such a kludgy fashion that I wouldn’t even consider it. Oh, and Amanda likes to think it knows better than I do when it should be doing full backups instead of incrementals, etc. Because why should I know better than it does when the system is under lower demand, or when the disk isn’t being hammered by other tasks, I’m only the SysAdmin after all.

But worst of all these crimes against humanity is that neither of them supports NDMP. There’s an open standard out there — and one that’s been around for quite some time — and neither of the open source products supports it. If I want support for the open standard, I have to use closed-source software. Where’s the logic of that?

Sure, the standard mantra of the Open Source community is “patches welcome”, but what that really means is “unless you’ve got programmers on staff who can make this work for you, you’re going to send money off to (Veritas,IBM,CA)[rand] and pay them to do it for you, and get something that’s going to make management more warm and fuzzy than the Open Source solution was going to, anyway.”

Because, sadly, that’s what I have to do when I go back to work next week - find which closed-source company I plan to give money to.

What’s a poor sysadmin to do?


I have a deadly fear of public speaking. I like to think I’m a pretty decent writer, but when it comes to getting up in front of people and talking, I just don’t feel like I’ve got the chops for it. (Which is amusing, because in small settings, I’m told people would like me to just shut the hell up after a while).

I went to Conway’s talk, dubbed “Presentation Aikido”, with only sort of a vague idea what he had in mind for the talk. And that’s important, actually, as he pointed out within 15 minutes of the beginning of the talk. The title evoked a feeling of mystery in me, and I just *had* to see and hear what came from it.

He went through all sorts of examples, both good and bad. The good examples you recognized as good examples. In some cases, the bad examples, well, you thought maybe you knew exactly who he was talking about in a couple of those cases.

Because in the end, let’s face it, we all wish every presenter was as engaging and interesting as Damian Conway is. This was Damian sharing the magic beans, so to speak, saying “If you want your talks to be as engaging and interesting as mine are, it’s not hard, here’s all you have to do.”

And it really is just that simple. There’s the common mistakes we see every year — slides where the color contrast sucks… people who are trying to squeeze a 90 minute talk into 45… speakers who are more hung up on their own achievements than on the information they’re trying to pass on to the attendee… slides with god-awful templates that include a logo pasted on every single page (yeah, that means your standard slide templates, too, O’Reilly! *grin*) … the guy who reads his talk from the paper … the woman with slides that are so full of stuff that you can’t read them … the demos that don’t work … the annoying powerpoint “effects” … on and on and on

We all recognize all of those flaws, having sat through them at some point in time…. A little part of us winces in pain every time we sit through them (and the level of pain is exponentially related to how many of them are combined into a single talk).

The reality is, it doesn’t have to be like that, and all it takes is a simple edict:

“Go to Conway’s talk. Listen. Know it. Live it.”

I say in all seriousness that O’Reilly should pay Damian to give this talk again next year, free of charge, to any potential speakers who want to attend, and that in 2007, or whenever, it should be made a requirement. You *must* have gone to this talk in order to be a speaker, because it really is both that good and that important. OSCON gets a lot of quality speakers, but it also gets its share of, well, to be blunt, not-so-quality speakers. Being a brilliant technical mind does not necessarily correlate with being a great public speaker, so that’s no slight on anyone. At least if those sorts of people have been made to sit down and attend this beforehand, they might avoid some of the pitfalls that cause the rest of us attendees so much consternation.

Am I right? Am I wrong? What do you think?

Anton Chuvakin


Related link: http://online.securityfocus.com/news/11263

I am sure by now everybody has heard about the Lynn debacle, but here is a nice piece summarizing what is going on. Enjoy!