[rescue] SMP on intel wasteful?

Brian Hechinger wonko at 4amlunch.net
Mon Jun 24 22:29:03 CDT 2002


On Mon, Jun 24, 2002 at 11:13:29PM -0400, Loomis, Rip wrote:
> 
> Wrong.  If I want a *really* locked down system for a well-
> defined set of uses, then I might be able to do it in 5 minutes,
> or I could (in many cases) use a default OpenBSD install.  If
> I wanted to have a "rather" well-secured system for a
> "nebulous" (had to use the word) set of uses for a customer,
> then I might take much longer to "secure" the system.  The
> bottom line is that the process of locking down and tightening
> security is not one-size-fits-all.  The more secure/reliable
> the default config is, though, generally means less time and
> effort required to produce a secure installation.

ok, while i do somewhat agree with you, having done solaris as long as
i have, it takes me 5 minutes to quickly lock it down.  but to really
secure a solaris box may only take another 10-20 minutes.  when you
are intimately familiar with an OS, it is not very time consuming.

i'm not against OpenBSD, but i *AM* against the false sense of security
it leaves people with since it is "secure out of the box" which in my not
so humble opinion is BS.

also keep in mind that a majority of what i do involves large sun boxes that
are never directly connected to the internet, so there is not as much of a
need to really lock them down tight, since more often than not it's not only
a waste of time, but reduces the machine's usefulness.

in most cases the applications that run on these boxes are the security
weak spots anyway, so no amount of system lockdown will make the machine
secure if you have to leave this giant gaping hole open.  god i hate the
stupid business decisions people make sometimes, but excuse me, i digress.

> The two choices that Sun and SGI (among others) made a while
> back that continue to hurt them in this area were 1.  Have an
> install that by default is *very* open and 2.  Don't change
> the default install, since everyone "expects" it to be open
> at this point.  Off-the-record discussions with Sun and SGI
> folks indicate that even within the companies there's a large
> contingent which wants a more secure default install.

so it takes an extra 20-60 minutes to set up a box.  a box that i'm setting
up to run for YEARS on end without stopping.  that's an hour i'm willing to
spend.

again, i'm not against OpenBSD, but it's not the end-all to security, you
know?

> I'm not Brian, but since SGI trusts us to do a security eval
> of IRIX/TRIX under contract I'll take a stab...

then that makes you substantially more qualified than me.  ;)

> >> what is this /usr/src/sys/xfs directory in my OpenBSD
> >> 3.1 source tree?  is this something other than the "real"
> >> XFS?  i don't need it for these two machines i'm building,
> >> but i'm very curious.
> Unrelated to my knowledge.  SGI released significant details
> of their XFS as part of their move to support linux (oss.sgi.com)
> but that XFS in the OpenBSD source is still (to my knowledge) 
> actually related to AFS and is useless to most anyone *not*
> in an AFS environment.  I haven't verified this recently, tho.

oh well, i don't need it, but it woulda been cool to know it existed. ;)

> OpenBSD is my preferred solution for low/no-cost packet
> mangling on x86 and SPARC.  Even the new pf, while it doesn't
> have as much mileage as ipf, has in my experience been
> very reliable.

the only brownie points it wins with me is the transparent bridging packet
filter stuff.  that's just cool.

> You don't need the Cray...just "the little machine that goes
> *ping*".  I've seriously considered trying to find a 2U
> rackmount that I could drill for LED holes in the front, and
> just run it as a spectrum analyzer off MP3s or something.
> Our network/telco room is too boring and needs more
> blinkenlights.

ObOldMemoriesBeingDisturbed:  A friend of mine had a recording studio in his
basement.  he made a spectrum analyser out of those tiny little Christmas tree
lights (this was back before LEDs were affordable) that took up an entire 15
foot long 6 foot high wall.  it was GLORIOUS.  i wish i could find my pictures
of it, even though they don't do it justice.  he has since moved and has had to
take it down, and hasn't been motivated to put it back up (it took a LONG time
to put up the first time, and we weren't smart enough to make it modular and
easy to take apart. ;)

-brian
-- 
"I mean Twinkies are good but getting shot really hurts."
				-- http://www.thisisatastyburger.com/ --
