
Re: [cobalt-users] Re: Let's get this over with...shooting from the hip



on 9/1/00 6:34 PM, Jerry Pape at cobalt-lists@xxxxxxxx wrote:

> In response to Kris Dahl
> 
>> on 8/28/00 11:14 AM, Jerry Pape at jpape@xxxxxxxx wrote:
>> 
>>> All,
>>> 
>>> NEWSGROUPS and Categorical Web-Based HOW TOs are the next step...
>>> 
>>> Let me offer the flame-out option
>>> -----------------------------------
>>> Try searching for '~user' or any other common UNIX construction in the
>>> archives--you can't--instead you get hits on 'user' because the search
>>> engine ignores many specials. As I am sure you all know, there is an awfully
>>> large difference between '~user' and 'user'. This deficiency should alone
>>> be the death knell of ht:dig, the current engine.
>> 
>> ht:dig can probably be configured to do this 'properly'.  ht:dig, in my
>> opinion, is kick ass.
> 
> Then why, isn't it? Also, you should evaluate ht:dig's status as an
> exploitable service as indicated by SANS, the Network Security
> Institute.

It all depends on how you configure it.  I use ht:dig as a spider and search
engine--not a searching interface.  Meaning that the queries are passed to
the binary, and then parsed by my own scripts.  I am sure that makes it
significantly more difficult to exploit.

I only found 4 references to ht:dig on sans.org.  One of them is
ancient--long since fixed.  The other three were a problem with 3.1.4.  The
latest version is 3.1.5--which has fixed these problems.   And the 'exploit'
is nothing more than an exploit that is potentially possible with *any*
world readable/executable script that reads off the file system. I quote:
"Any remote user can view arbitrary files on your system privileges of the
web user".  So if you are stupid enough to either a) run apache as root or
b) have your files readable as nobody you are going to be vulnerable.

Mind you this is not going to be a problem on the Cobalt machines.

Surely these aren't what you are saying makes htdig an 'exploitable
service'!

>> But I would ascertain that the problem is rarely the search engine, rather
>> PEBKAC (problem exists between keyboard and chair).
> 
> A priori ignorance of all users is a dreadful assumption. Systems
> behave according to developer's dictates. As such, it is perhaps
> safer to presume that the user's expectations were not met due to a
> lack of explanation or implementation by the developer as was clearly
> the case here.

I still maintain my position that the problem has <10% to do with the search
engine and >90% to do with the user.

> This use of "~user" has nothing to do with the UserDir directive
> because there is no user attached to a vsite in Cobalt. You have as
> completely missed the point. Cobalt provides linkage only to indiv.
> users' pages, but not the vsite itself. As virtually every major
> hosting operation in the world provides access via
> http://www.somedomain.com/~user with a direct vsite to username
> correspondence this is not only an important discrepancy, but one
> that would be searched for in precisely the syntax and context I
> indicated. Thus it might be suggested instead that you:
> 
> learn the lingo necessary to understand the question.

I don't think that you understand completely why there is no 'user'
assigned to a 'vsite'.   Virtually every (unix) hosting operation
typically uses a single user for each site.  Hence use of the UserDir
directive to point to their virtualhost is valid and works.  The cobalt
solution allows you to set up a 'site' with web and sub users under the
site.  It's a different paradigm.  The original statement (which you trimmed)
is below:

> Try searching for '~user' or any other common UNIX construction in the
> archives--you can't--instead you get hits on 'user' because the search
> engine ignores many specials. As I am sure you all know, there is an awfully
> large difference between '~user' and 'user'. This deficiency should alone
> be the death knell of ht:dig, the current engine.

What makes you think that searching for ~user (say that the ~ was a
supported character) would pop up with the answer that you were looking
for?!  If I didn't know what you were talking about (an issue with the way
that cobalt machines are designed to operate, and not a UserDir issue), how
could a search engine?

If you need to do something like that, you need to know what the hell you
are dealing with.  That takes knowledge and a healthy dose of RTFM.
Apache.org has all the answers you are looking for.  Put '~user' in there
and see what it comes up with--I think you'll have a similar problem because
the issue, as I maintain, is not the engine but the question.  I would look
into ModRewrite or even setting up a ServerAlias for something like
site.myisp.com.


> That would put you in category #4--the helping category, as evidenced
> by your postings of today alone (at least if discouraging someone
> from buying and using Cobalt hardware because they might not "have
> the skills and the funding
> necessary to run a successful hosting company" can be considered
> helping ref: Re: [cobalt-users] [WANTED] RaQ2 Consulting From: Kris
> Dahl <krislists@xxxxxxxxxxxxx>).

I wasn't discouraging, only warning what you'd be getting into... in fact
IIRC I explicitly stated that I do not want to be discouraging.

What would you rather have me do--say "Go for it, get a bunch of gray hairs,
spend way too much money, piss off a bunch of customers and THEN think about
whether you want to be in the business"?

>> And it doesn't save much bandwidth--just moves it around.  Instead of having
>> all the users downloading the lists, we just have a gazillion news servers
>> doing it.  How can this possibly provide an overall bandwidth savings?  And
>> what the hell is this about "wasteful of net bandwidth"?  The net isn't
>> really a non-renewable resource that is getting wasted--on the contrary--if
>> you *don't* use the bandwidth it gets wasted.  And besides this is the sort
>> of high-value content that 'deserves' the bandwidth... as even having to
>> morally justify this is making me nauseous.
> 
> 
> Who said anything about "a gazillion news servers"? You don't read
> very well. The initial post specifically suggested "a private news
> server"--wouldn't be very private if it was propagated publicly now
> would it? Further, if any discussion of this nature provokes nausea,
> are you sure you haven't eaten something that disagrees with you? I
> find it hard to imagine that a discourse as tepid as this should
> result in stomach upset.

Then set it up!  Why are you even bothering to post to the list if that is
what you want to do?  I assumed you wanted to setup a network of news
servers or you would have just done it on your own.  Again, this would hurt
perceived performance, as the route to the 'private-public' news server
would be less than ideal for the majority of the users.

> The bottom line--It is a waste of bandwidth--80% of the posts are not
> relevant to any one user at any given time. Use newsgroups and lower
> bandwidth and unnecessary posting geometrically. Hundreds of users
> pulling the XOVER headers twice a day costs an order of magnitude
> less than hundreds of users pulling the full content of 100-200
> messages daily, 80% of which don't apply to them. Common sense dictates
> that less is more here.

Again, I maintain that you are just going to be moving the bandwidth from
the client to the servers.

I can't even believe that we are talking about bandwidth conservation.
Average post = 3k.  Messages a day = 125.  Subscribers ~300.  Total
bandwidth used < 1.5 gigs per day TOTAL.  Setting up several news servers
would put a minor dent in this total.  Downloading headers isn't that much
of a bandwidth savings.

>> While I am perfectly comfortable reading this message in a newsgroup type
>> setting, many users are just plain unfamiliar with it.  This would exclude
>> the exact people that you claim are not being effectively served by the methods
>> currently being implemented.
> 
> The ostensible purpose of either mechanism, is or should be to gather
> data for presentation on universally viewable categorical How-To web
> pages.
> 
> Furthermore, if an individual is busy mucking around at a shell
> prompt trying to reconfigure a Cobalt box or manage something like
> DNS, etc, then they are more than bright enough to comprehend and use
> newsgroups--if they can't they will have bigger problems than we can
> address here.
>
> Just look at the lists 80% of the questions require telnet/shell
> access and the execution of various Linux commands that often require
> superuser status.
> 
> If you "su" you had best be able to understand basic NNTP clients.

Hey, preaching to the converted.  I say harder the better--cuts down on the
signal to noise ratio.  You're the one that insists that it must be
accessible.  I am just saying that you are inconsistent.  You want the
search engine to be easy yet you want people to understand how to go snag a
news client, configure it for a private server, etc--and you probably want
to have them sign up for logins/passwords in order to get access to the
server.  Makes it pretty easy.

I'm just saying that if you want it to be accessible, the mailing list is
the best method.

>> And even though I read usenet, I prefer this format anyway.
>> 
>>> 3) Look at this from the top down--the simple fact that every new
>>> Cobalt customer asks the same spectrum of questions (perms, cgiwrap,
>>> php, DNS, service mods [read--warranty violations], security
>>> concerns, updates, etc), runs the risk of igniting the wrath of the
>>> petty for some innocent netiquette faux pas, and still comes up
>>> empty-handed is a complete INDICTMENT of the current system.
>> 
>> What makes you think that by shifting to a newsgroup or whatever would cut
>> down on this?  By simply posting a FAQ every once in a while?  Hell, we can
>> do that NOW.  And we should.  But again, we'll be shifting the questions
>> from a mailing list to a newsgroup--a net effect of zero.
>> 
>> You are aware, of course, that there are gateways between mailman lists and
>> newsgroups--you can have your cake and eat it too.  If this is what you want
>> to do, by all means go ahead and do it.
> 
> 
> Why would I be doing it? The purpose of my postings is to gain
> support for a forum that will urge Cobalt to become the best provider
> of information about itself--as it should be.

Why?  Because you can!  If you want to have something done then do it.  If
you want Cobalt to offer these services then you have done an admirable job
voicing your opinion.  If I were you I would talk to your Cobalt Rep about
it and see what he/she can do.  But in the mean time if you want the service
set it up yourself--perhaps it will catch on.  You are empowered to do this
yourself.

>> This is the big problem and the main reason we haven't fragmented the lists:
>> most of the issues cover all products.  We would be required to read a
>> gazillion different lists (or per your proposal, newsgroups) to find a
>> solution.  Less than ideal.
> 
> Why? If it applies to many platforms, then simply categorize it by
> service or common aspect. This method doesn't create any
> fragmentation.

So you are maintaining that there should also be a cobalt.common.apache,
cobalt.common.dns, etc.?  How can that be construed as anything BUT
fragmentation?

>> So instead of having a moderate volume list (where answers come quickly)
>> some people propose to break them up into several, less effective, very low
>> volume lists.  Good idea!  Then we deal with all the lamers who think
>> cross-posting is cool.  That will PO guys like me (and certainly Dom) more
>> than even the most atrocious offenders currently.
> 
> Who are you or Dom? Has your participation in the lists conferred
> special status upon you as arbiters of decorum? Is your personal
> mission with the lists somehow different than:

We are two of the people that have more answers to the questions than most
people.  You have to realize that there are about 10-15 core people that
answer 90% of the questions on here.  Dom and I are two of them.  I am a bit
surprised that you have noticed this in your 25 day tenure as a list member.

> I don't think that "the ability to categorize 'lamers' &
> 'cross-posters', or 'determine most atrocious offenders'" are in any
> way criteria for list participation.

I do.  Cross-posting, etc., severely undermines the effectiveness of the
list.  I don't want to make it easier for 'lamers' to offend.

> Did you somehow forget that this is a support list for a corporate entity?
> Perhaps it has escaped you that this is a democratic forum, that
> copping a 'tude of who is good or bad, proper or improper is
> inappropriate.
>
> These lists exist to give or receive assistance not to judge
> worthiness or mete punishment.

This is slightly off-topic, but you have *got* to be a member of the Green
Party.  :)  I am obviously (and this is true) a member of the Libertarian
Party.

This is not a support list for a corporate entity.  It is a loosely
sponsored cobalt users list.  I have rarely if ever seen a cobalt employee
post officially.
 
> Gee, thank you for your appreciation of my "vastly superior
> presentation of the facts" that according to you are, "both illogical
> and inconclusive"--now go back and read this again, and this time
> don't let your fingers run ahead of your mind.

Can't take a compliment?  I was saying that most people just say: "We should
make this a newsgroup, not a mailing list."  And then people chat about it
for a day and then the consensus is 'no, it is better that it is a list'.
Nobody has ever posted a list of reasons.  Typically those are hashed out in
the next few dozen posts on the thread.  I am saying that you obviously
thought it out--albeit you were 100% wrong and I was 100% right! :)

-k
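The bug class quoted above from SANS ("any remote user can view arbitrary files ... with the privileges of the web user") and Kris's mitigation (hand the query to the binary as an argument and parse the result in your own script, so the CGI never opens a user-chosen path) are illustrated by the following added example. It is not htdig's code and not code from either poster; the directory layout, the sample files and the `-c <configfile>` flag of the search binary are assumptions made for the illustration.

```python
import os
import subprocess
import tempfile

# Added illustration, not from the original post or from ht:dig.  Shows the
# "read whatever the web user can read" bug class beside a hardened reader,
# and how to pass a user query to a search binary without a shell.


def read_file_vulnerable(base_dir, requested):
    """The unsafe pattern: trust a user-supplied name and open whatever it
    resolves to.  '../secret.txt' or '../../etc/passwd' walks out of
    base_dir; the only limit is what the web-server user can read."""
    with open(os.path.join(base_dir, requested), "r") as f:
        return f.read()


def resolve_inside(base_dir, requested):
    """Resolve `requested` against base_dir and refuse any result that lands
    outside it once '..' components and symlinks have been collapsed."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s: %r" % (base, requested))
    return target


def read_file_hardened(base_dir, requested):
    """Same API as the vulnerable reader, but confined to base_dir."""
    with open(resolve_inside(base_dir, requested), "r") as f:
        return f.read()


def build_search_argv(binary, config_dir, config_name, query):
    """Argument vector for the search binary.  The query is one argv element
    (no shell, so ';' or backticks in it are data, not commands) and the
    config file is always taken from config_dir.  '-c <file>' is an assumed
    flag of the hypothetical binary."""
    return [binary, "-c", resolve_inside(config_dir, config_name), "--", query]


def run_search(binary, config_dir, config_name, query):
    """Execute the binary and return its raw output for your own parser."""
    proc = subprocess.run(
        build_search_argv(binary, config_dir, config_name, query),
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def demo():
    """Build a throwaway tree (constructed sample data) and show the
    vulnerable reader leaking a file outside its directory while the
    hardened reader refuses the same request."""
    root = tempfile.mkdtemp()
    conf_dir = os.path.join(root, "htdig")          # assumed config dir
    os.mkdir(conf_dir)
    with open(os.path.join(conf_dir, "search.conf"), "w") as f:
        f.write("database_dir: /var/lib/htdig\n")   # constructed config
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for the web user\n")           # constructed secret

    leaked = read_file_vulnerable(conf_dir, "../secret.txt")
    try:
        read_file_hardened(conf_dir, "../secret.txt")
        blocked = False
    except PermissionError:
        blocked = True

    argv = build_search_argv("/usr/local/bin/search",   # hypothetical binary
                             conf_dir, "search.conf",
                             "~user; cat /etc/passwd")
    return {"leaked": leaked, "blocked": blocked, "argv": argv}


if __name__ == "__main__":
    print(demo())
```

The containment check uses `realpath` on both sides so a symlink planted inside the config directory cannot be used to point back outside it; note that it still only narrows what the web user's own permissions allow, which is why the post's point about not running Apache as root (and not leaving sensitive files readable by nobody) stands regardless of what the CGI does.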