Re: [techtalk] .htaccess problem
Almut Behrens wrote:
>
> ... not meant to be a RTFM (M = message, here ;), but what's the
> error_log saying?

It says:
/usr/local/httpd/htdocs/.htaccess: AuthName not allowed here

I tried moving the .htaccess file into a subdirectory - still get same error on that directory.

> At first sight, I can't see anything being wrong with your configuration.
>
> Usual stupid question: have you checked file permissions? (need to be
> at least readable by UID webserver is running under)

yes, they are -rw-r--r--

> Two more notes:
>
> (1) are you sure you really want an .htaccess file here -- putting the
> respective auth-directives in would work too. Does
> the access/authentication need to be run-time configurable?
> (This is a performance aspect only -- things do work with .htaccess
> equally)

I'm not sure I understand - do you mean:

    AuthName "Page page"
    AuthType Basic
    AuthUserFile /home/ev/public_html/.htpassword
    order allow,deny
    Allow from all
    require valid-user
    satisfy any

---
This had no effect - no error message, no request for password, just the webpage.

> (2) -- cut 'n pasted from the manual:
> "Security: make sure that the AuthUserFile is stored outside the
> document tree of the web-server; do not put it in the directory that it
> protects. Otherwise, clients will be able to download the AuthUserFile."
> (reason is the same that shadow passwords were invented for *nix)
>
> - Almut

Config file says the following, but yes, I meant to move it once I got it working - I wanted to be sure it was finding the file. Got a little frustrated and started trying random stuff, I guess.

    # The following lines prevent .htaccess files from being viewed by
    # Web clients. Since .htaccess files often contain authorization
    # information, access is disallowed for security reasons. Comment
    # these lines out if you want Web visitors to see the contents of
    # .htaccess files. If you change the AccessFileName directive above,
    # be sure to make the corresponding changes here.
    #
    # Also, folks tend to use names such as .htpasswd for password
    # files, so this will protect those as well.
    #
    Order allow,deny
    Deny from all

___
techtalk mailing list
[EMAIL PROTECTED]
http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Sick of surf and porn addicts
On Fri, May 25, 2001 at 10:57:21AM -0700 or so it is rumoured hereabouts, Kai MacTane thought:
> >help here: if you do have a lot of mail traffic, attachments are probably
> >a large part of that. Check first, though: do your users NEED attachments
> >for anything? If so, you'll need to make some arrangement for that.
> >Perhaps block only .EXE files and other "suspect" material?
>
> .vbs, .com, .bat
>
> Unfortunately, you probably can't get all your business partners to send
> you .rtf instead of .doc. (But if you could, it would really cut down on
> Word macro viruses!)

Check out procmail sanitiser which can do lots of stuff with email attachments (for example, stripping attachments, saving them on a server and requiring users to go to the company vice-president to retrieve their attachments (That'd cut down the email porn pretty quickly!))

http://www.impsec.org/email-tools/procmail-security.html

Conor
--
Conor Daly <[EMAIL PROTECTED]>
Domestic Sysadmin :-)
-
Faenor.cod.ie
 12:16am up 6 days, 12:24, 0 users, load average: 0.08, 0.02, 0.01
Hobbiton.cod.ie
 12:18am up 5 days, 13:19, 1 user, load average: 0.00, 0.00, 0.00
Re: [techtalk] Delurk/Getting started
On Wed, May 23, 2001 at 05:21:46AM -0400 or so it is rumoured hereabouts, Ruhiel thought:
>
> Thank you again for the info :) We actually have bits and pieces for a
> linux box, but I think i'd rather run it from this machine. It saves
> desk space. :) I did find a handy page:
> http://enterprise.powerup.com.au/~squadron/

Won't be long before you put those bits together to run a full-time linux box. At that point, a couple of network cards and a KVM (Keyboard, Video, Mouse) switch gets handy. At this stage, I have 4 boxes, all running linux (one of them dual boots though rarely now), a hub, one keyboard, one mouse, one monitor and a 4-port KVM switch. The whole rig, including the printer and scanner fits into two PC desks.

Conor
--
Conor Daly <[EMAIL PROTECTED]>
Domestic Sysadmin :-)
-
Faenor.cod.ie
 12:28am up 6 days, 12:36, 0 users, load average: 0.00, 0.00, 0.00
Hobbiton.cod.ie
 12:30am up 5 days, 13:31, 2 users, load average: 0.01, 0.06, 0.03
Re: [techtalk] Re: rpms r bad? (was Linux-Mandrake)
On Fri, May 25, 2001 at 05:42:41PM -0400 or thereabouts, coldfire wrote:
> > > Two things, for me. One is that when you compile from source, you
> > > can set compile-time options, change the default install directory,
> > > things like that. With an RPM, all of that gets decided for you.
> >
> > I actually LIKE using RPMS. But when I do have problems with them, which
> > isn't uncommon, it's because of the above.
>
> i favor compiling from source ... you can modify the source, of course the
> compile time options, and it's a MUCH more custom tailored feeling when
> you're done ...
>
> however, if you're working on a 50 computer network and they all need a
> new version of , then rpms make it MUCH easier to do.

I combine the pair. I can't program, but I very often want the source around. (There have been times when badly-spelt dialogue messages have made me recompile the entire damn thing after correcting them. Childish, maybe, but it keeps me happy. I think the first of my very few patches was corrections to typos in a config file :))

So I get the source rpm and compile it after tweaking stuff, adding patches, or altering compile time options.

An example is mutt. There was a time when it couldn't be exported from the US if it had the crypto hooks in. I had built the tarballs, with the crypto bits and some compile option I forget but which I wanted. But I wanted to be able to uninstall and/or upgrade it neatly, which is easier with rpms than with tarballs. So I unpacked the source rpm, went to poke at the specfiles...

..and good heavens, all the stuff to build the crypto bits was there, just commented out :) Thank you, RH :) I just had to grab the relevant patches and put them into the directory the spec file expected, add a patch line, and change the compile time option I wanted on. Then rebuild it and I had a nice easy-to-remove/upgrade rpm.

(Of course, as most European users knew, RH had all the crypto stuff available on its redhat.de site, but this happens to be a good example.)

    $ wget http://some.site/foo.src.rpm
    $ rpm -K foo.src.rpm
    $ su
    # rpm --install foo.src.rpm
    # cd /usr/src/$VENDOR/SPECS/
    # rpm -bp foo.spec
    (edit edit edit)
    # rpm -ba foo.spec
    # rpm --install ../RPMS/foo.ix86.rpm

Telsa
Re: [techtalk] Sick of surf and porn addicts
On Sat, May 26, 2001 at 03:13:53PM +1200 or so it is rumoured hereabouts, Penguina thought:
>
> Why not write a script to put each users' web access cache list
> (from the squid cache) up on an intranet web site--viewable by
> their line supervisor--you know, the one who approved the account
> in the first place.

Viewable by all! Only problem is the privacy issue. She may not be *allowed* to do that.

> Then leave it up to them to figure out what to do.

Conor
--
Conor Daly <[EMAIL PROTECTED]>
Domestic Sysadmin :-)
-
Faenor.cod.ie
 10:14am up 6 days, 22:23, 0 users, load average: 0.08, 0.12, 0.10
Hobbiton.cod.ie
 10:17am up 5 days, 23:17, 2 users, load average: 0.48, 0.11, 0.03
Re: [techtalk] Re: rpms r not-so-good and Linux-Mandrake
On Fri, May 25, 2001 at 10:04:28PM -0700 or thereabouts, Stacy Brock wrote:
> > Methinks there is a significant amount of
> > Debian snobbishness floating around, not too unlike
> > the Gnome vs. KDE desktop wars. Why a distro has to
> > be un-user friendly to be cool is beyond me, and that
> > certainly is Debian's reputation.
>
> Oooh, I just have to jump into the thread on this one.
> ;) Please send comments to me, or post them to issues,
> as I'm skirting the Line of OT-ness.

issues is more for women and IT/Linux/etc, so I'm sticking to techtalk.

> I'm a relative Linux newbie (I've been running Linux
> solely on my main box for about 6 months now). I also
> use Debian.
>
> Guess what? Even for this newbie, the install was NOT as
> difficult as everyone makes it out to be. The Ncurses
> GUI installer may not have the pretty penguin pictures
> that Mandrake 7 and 8 has, but it works. Since Debian's
> installer now uses "make menuconfig" instead of "make
> config"...setup is fairly straightforward.

What other OSes had you had experience of, though? Had you installed those before? Are you happy adding stuff to your box? There's a lot of people for whom "I got more memory" means "and now I have to take it down to the shop and pay someone to put it in for me". If you know that your mouse is a USB mouse, then you're one ahead already :)

I am very used to RH and only a little used to Debian, and I had less trouble than I expected installing, but then, I read the docs, and I knew what most of the packages were. Also, I had heard so much about "dselect hell" that I was prepared for a long haul.

> I've heard a saying among Debian users that goes like
> this: "If you can't install it [Debian], you shouldn't
> be using it." If you call that snobbishness, I can't
> help you.

I do find the statement "if you can't install foo, you shouldn't use it" faintly snobbish, I must admit. I am not stupid and I do read docs. When there are none, I write the things. But then, I have been -using- Linux for a very long time: my husband was the one who installed it originally. Should I have avoided it until I was able to install it? I only learned the things I needed to know to install by using the thing in the first place.

> However, I think that the saying really means
> this: "If you aren't patient enough to RTFM, you
> shouldn't be using it [Debian]."
> And I think that applies to Linux as a whole as well. :)

I have to throw in a comment that is not original to me here. It comes from Jon Lasser's "Think Unix" book, which I heartily recommend to anyone. It's short but very sweet. He begins by telling people how to get the most out of man pages and other sources of documentation, which is a sensible approach. His exercises at the back of each chapter had me realising how much I did or didn't know and what I had been missing. The footnote for a particular example:

    Actually I was rather disturbed to find that the Linux man page for logout is totally useless for normal people and that Irix doesn't even have a man page for this. Of course, there's a perfectly logical deep technical reason for this, but it's still a bad idea. Shame on all you developers.

And another example that happened to me yesterday. I wanted a quick way to convert between binary, "normal" numbers, and hex. At first I thought 'od' might help, and failing that, I thought 'dc'. 'od' didn't help, and with a sigh I turned to 'man dc'. I couldn't find anything remotely helpful. Then a friend on IRC told me how to do this:

    2o[number]p

for "turn [number] into binary". I went back to the man page and found "o - Pops the value off the top of the stack and uses it to set the output radix". Of course. How could I have seen 'output radix' and failed to realise this meant "base" and that popping the value of the top of the stack was exactly what I wanted to do? (Note, I dropped maths at 16, and my limited language knowledge gave me the idea that radix meant root :))

Then there is the man page for CVS. All I wanted was "how do I get a list of all the modules in this CVS tree?" After a friend told me about "cvs checkout -c" I was able to find the one sentence in the very long page which explained it, but what I really learned was "how the cvs man page describes what anyone else would call 'getting a list of the modules available'".

So yes, reading the documentation helps, but it takes a lot of practice to understand it.

Telsa
Re: [techtalk] Re: Linux-Mandrake
On Fri, May 25, 2001 at 08:54:22AM -0500 or thereabouts, piglet wrote:
>
> I notice that no one ever mentions Corel as a newbie distro. I'm
> surrounded by RH folks, and I work on RH boxen at work, but it's always been
> confusing to me. Now that I'm running linux on my normal workbox, I opted
> to go with Corel because it seemed to be particularly user-friendly,
> installs like a dream, and is Debian based, so that it *seems* to me that
> when I outgrow Corel, shifting to straight Debian shouldn't be a drastic
> move, perceptually.

Just as well. I thought that Corel Linux had gone under? :)

> Then again, I admit up front to being fairly clueless.

Paah. Personal bugbear. Being a newbie does not imply you're clueless :)

Telsa
Re: [techtalk] Sick of surf and porn addicts
On Sat, 26 May 2001, Penguina wrote:

> Why not write a script to put each users' web access cache list
> (from the squid cache) up on an intranet web site--viewable by
> their line supervisor--you know, the one who approved the account
> in the first place.

Liese said in her e-mail she couldn't do that: it would be an unlawful violation of the employees' privacy. I wouldn't expect my employer to post transcripts of my 'phone calls on the intranet - so why should the content of my TCP sessions be any different?

Frankly, if my employer pulled a stunt like that, I'd take the first alternative job to come along, and make sure none of my friends considered working there until they change their attitude.

> Then leave it up to them to figure out what to do.
>
> In one place I can remember, the problem went almost all the way
> to the top. In another place, it DID go all the way to the top.

Liese wasn't explicit about which she regarded as a problem, but she did complain about the volume of e-mail due to "viruses, jokes and other shit", so I suspect the problem she's attacking is the VOLUME of traffic, not the content. At which point, filtering would be difficult, so some sort of QOS traffic management makes more sense.

> And they can run their own bloody servers as a result.

Any other employer providing Net access to staff is likely to have the same problems - unless it's an ISP, in which case they can probably afford the bandwidth :-)

James.
Re: [techtalk] Re: rpms r bad?
On Fri, May 25, 2001 at 05:31:00PM -0400 or so it is rumoured hereabouts, [EMAIL PROTECTED] thought:
> I understand some of the problems that can lead to "RPM hell", mainly
> because Red Hat has changed the rpm database structure over time. Also, it
> is entirely possible to get effectively conflicting dependency problems,
> which force you to use the --nodeps or --force options, in which case you
> really do have to understand the consequences of what you are doing, which
> most newbies don't. I can probably list a bunch of other issues I have run
> into, but for the most part rpm works very well and makes keeping track of
> what version you are running and what packages you have pretty easy.

The thing that gets me with rpm is the way I cannot query an uninstalled package to see what's there. For example, I wanted to install xanim the other day. Gnome's gmc has associations made for .avi to xanim but it ain't there on my system. So I go looking. I mount the rh7.0 CD, cd to the RPMS directory, scan through an ls looking for likely packages, find one that looks likely and isn't installed, do an rpm -ql package-0.1.3.9-i386.rpm and I get back "package is not installed" I KNOW it's not installed, that's why I'm trying to look inside for the proggie I need. If I could do that, I could do an rpm -ql * | grep xanim and figure out which rpm I need to start with! ARRGHH!

Conor
(Who tried to view the .avi in Windoze on vmware and got 10% of the audio!)
--
Conor Daly <[EMAIL PROTECTED]>
Domestic Sysadmin :-)
-
Faenor.cod.ie
 10:16am up 6 days, 22:25, 0 users, load average: 0.09, 0.09, 0.09
Hobbiton.cod.ie
 10:19am up 5 days, 23:19, 2 users, load average: 0.07, 0.08, 0.03
Re: [techtalk] .htaccess problem
On Sat, May 26, 2001 at 01:07:47AM -0700, terry wrote:
> Almut Behrens wrote:
> > ... not meant to be a RTFM (M = message, here ;), but what's the
> > error_log saying?
>
> It says:
> /usr/local/httpd/htdocs/.htaccess: AuthName not allowed here

hmm, this is strange -- I thought you had "AllowOverride AuthConfig" specified for that directory. Well, let me know if you want to use the .htaccess file mode. Then we can take another look at that issue. Else, I think we should leave it as it is for the time being...

> > (1) are you sure you really want an .htaccess file here -- putting the
> > respective auth-directives in would work too. Does
> > the access/authentication need to be run-time configurable?
> > (This is a performance aspect only -- things do work with .htaccess
> > equally)
>
> I'm not sure I understand - do you mean:
>
> AuthName "Page page"
> AuthType Basic
> AuthUserFile /home/ev/public_html/.htpassword
> order allow,deny
> Allow from all
> require valid-user
> satisfy any

Exactly. The problem is the "satisfy ANY" -- if you have "Allow from all" you need "satisfy all", otherwise access will be granted via host based access control, which is always true when it's "from all"...

> > (2) -- cut 'n pasted from the manual:
> > "Security: make sure that the AuthUserFile is stored outside the
> > document tree of the web-server; do not put it in the directory that it
> > protects. Otherwise, clients will be able to download the AuthUserFile."
> > (reason is the same that shadow passwords were invented for *nix)
>
> Config file says the following, but yes, I meant to move it
> once I got it working - I wanted to be sure it was finding the file.
> Got a little frustrated and started trying random stuff, I guess.

no need to justify yourself :) -- not a big issue anyway. I didn't intend to make you look stupid. And sorry, if it sounded a bit snooty.

- Almut
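The Satisfy behaviour discussed in the message above, as an added configuration example that is not part of the original thread: the commented-out section carries the directives quoted in the thread and never prompts for a password, the active section does. The enclosing directory path (taken from the error_log line), the password-file path /usr/local/httpd/auth/htpasswd and the Files pattern are assumptions.

```apache
# Added example, not from the thread. Values marked "assumed" are illustrative.

# --- Before (kept commented out) ----------------------------------------
# Directives as quoted in the thread; the <Directory> path is assumed.
# "Allow from all" makes the host-based check succeed for every client,
# and "Satisfy any" grants access when EITHER the host check OR the
# password check succeeds, so the server never asks for credentials.
#
# <Directory "/usr/local/httpd/htdocs">
#     AuthName "Page page"
#     AuthType Basic
#     AuthUserFile /home/ev/public_html/.htpassword
#     Order allow,deny
#     Allow from all
#     Require valid-user
#     Satisfy any
# </Directory>

# --- After ---------------------------------------------------------------
<Directory "/usr/local/httpd/htdocs">
    # Only relevant if the auth directives are moved into .htaccess:
    # AuthConfig permits AuthName/AuthType/AuthUserFile/Require there
    # (without it the server logs "AuthName not allowed here"),
    # Limit permits Order/Allow/Deny there.
    AllowOverride AuthConfig Limit

    AuthName "Page page"
    AuthType Basic
    # Assumed location outside the document tree, so the password file
    # can never be fetched over HTTP.
    AuthUserFile /usr/local/httpd/auth/htpasswd

    Order allow,deny
    Allow from all
    Require valid-user
    # Host check AND password check must both pass. "all" is also the
    # default, so simply deleting the "Satisfy any" line has the same effect.
    Satisfy all
</Directory>

# Second line of defence for anything named .ht* that does end up under
# the document root. The thread shows only the Order/Deny lines of this
# block; the pattern here is assumed.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
```

Running `apachectl configtest` after the edit checks the syntax before the server is restarted.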
Re: [techtalk] Re: rpms r bad?
On Sat, May 26, 2001 at 10:24:40AM +0100 or thereabouts, Conor Daly wrote:
> The thing that gets me with rpm is the way I cannot query an uninstalled
> package to see what's there...
> isn't installed, do an rpm -ql package-0.1.3.9-i386.rpm and I get back
> "package is not installed" I KNOW it's not installed, that's why I'm
> trying to look inside for the proggie I need.

    rpm -qlp /mnt/cdrom/whatever/.../package-0.1.3.9-i386.rpm
           ^
           |
    the rpm -q[il]p combination is very useful.

    rpm --help | more

     -q, --query - query mode
     Package specification options:
     -a, --all - query all packages
     -f + - query package owning
     -p + - query (uninstalled) package
     --triggeredby - query packages triggered by
     --whatprovides - query packages which provide capability
     --whatrequires - query packages which require capability

There is also some package on powertools which you can install which has all the data so you can do it without the p or something. I always forget its name and have never used it so I don't know how useful it is.

Telsa
Re: [techtalk] Sick of surf and porn addicts
- Original Message -
From: "James Sutherland" <[EMAIL PROTECTED]>
To: "Penguina" <[EMAIL PROTECTED]>
Cc: "Liese" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, May 26, 2001 9:09 PM
Subject: Re: [techtalk] Sick of surf and porn addicts

> On Sat, 26 May 2001, Penguina wrote:
>
> > Why not write a script to put each users' web access cache list
> > (from the squid cache) up on an intranet web site--viewable by
> > their line supervisor--you know, the one who approved the account
> > in the first place.
>
> Liese said in her e-mail she couldn't do that: it would be an unlawful
> violation of the employees' privacy. I wouldn't expect my employer to post
> transcripts of my 'phone calls on the intranet - so why should the content
> of my TCP sessions be any different?

Actually, James, the squid cache is very different from the content of any sessions, it's merely a list of the sites visited. Many ISPs harvest the top count cache hits and list them as points which may be of interest to others.

At work, we have had to provide squid caches for court cases in regard to porn, as these are the only items that you can generally harvest WITHOUT performing unlawful privacy breaches. The industries that our customers are in ensure that we do not skirt the edges of lawfulness, we cleave wholly to the letter of the law, even if it were our inclination to do otherwise.

It is actually a good practice to do what Penguina suggested, it keeps employees away from inappropriate ( or even illegal ) porn etc sites, as they know that they are accountable for where they go. I would be VERY surprised if the conditions of net access in any business didn't include a prohibition against accessing inappropriate sites. If people want to wallow in smut, they can do it at home, and pay for the access themselves ( if they have to buy the magazines, they can buy the rest of their smut as well ( that's my view anyway ) ).

Even if Liese's problem is primarily bandwidth, creating a situation whereby people refrain from accessing porn, games or whatever sites all day from work would have the effect of dramatically reducing the bandwidth usage, legitimate usage rarely sucks as much bandwidth as downloading pictures or games from the net.

As for leaving a company that imposes restrictions such as this, within a very short time, this will seriously restrict your choice of companies, as businesses are being forced to go this way, to reduce their own liability in harassment cases etc. If a business cannot show that employees were formally advised that such material is inappropriate and forbidden, and that they have taken some measures to prevent the use of their facilities to obtain same, they may be ( and some companies have been ) held liable in cases where offensive material is transmitted or displayed so as to be held as harassment by individuals.

It's an unfortunate fact of life that some people need external controls to ensure proper behaviour, and displaying a record of accesses is one such form of control. Anyway, as noted above, in my view people should be getting access to such things from home, not from work.

Sorry to ramble on so much, but this is a subject that I've dealt with a great deal at work.

Neale
Re: [techtalk] Sick of surf and porn addicts
On Sat, 26 May 2001, Neale Green wrote:
> From: "James Sutherland" <[EMAIL PROTECTED]>
> > On Sat, 26 May 2001, Penguina wrote:
> >
> > > Why not write a script to put each users' web access cache list
> > > (from the squid cache) up on an intranet web site--viewable by
> > > their line supervisor--you know, the one who approved the account
> > > in the first place.
> >
> > Liese said in her e-mail she couldn't do that: it would be an unlawful
> > violation of the employees' privacy. I wouldn't expect my employer to post
> > transcripts of my 'phone calls on the intranet - so why should the content
> > of my TCP sessions be any different?
>
> Actually, James, the squid cache is very different from the content of any
> sessions, it's merely a list of the sites visited.

The squid CACHE is a great deal more than that; it actually contains a copy of most of what was downloaded. Presumably you're talking about the log files, which list every single URL (not just the site), and the size and nature of every object retrieved. Depending on the configuration, they could also log usernames and passwords for remote sites such as Hotmail.

> Many ISPs harvest the top count cache hits and list them as points
> which may be of interest to others.

Yes, they'll list the popularity of sites - they will NOT provide a list of which URLs a specific customer accessed! (Except obviously with a court order or similar reason, and then only to the appropriate authority.)

Phone calls from an office are obviously logged for billing purposes, but would you want your call logs published or supplied to anyone other than a relevant legal authority? I wouldn't - that's an invasion of privacy. I don't have anything to hide, but I don't support the canard that "if you have nothing to hide, why do you care about privacy"!

> At work, we have had to provide squid caches for court cases in regard to
> porn,

There's rather a big difference between supplying subpoenaed evidence in a court case and giving arbitrary individuals access to private information. The former is legal, the latter (in Europe at least) is not.

> as these are the only items that you can generally harvest WITHOUT
> performing unlawful privacy breaches.

Here, the Data Protection Act imposes strict limitations on what you may do with personal information like that. You cannot, for example, transfer it to external agencies without the person's prior written authorisation - and that includes sending data to an overseas division of the same company.

> The industries that our customers are in ensure that we do not skirt
> the edges of lawfulness, we cleave wholly to the letter of the law,
> even if it were our inclination to do otherwise.

I don't know where you live, but here the letter and spirit of the law protect the privacy of individuals.

A few quotes from our code of practice:

* analysing web logs to see who is accessing the site is not permitted unless the web site gives notice of this (i.e. the data is 'fairly obtained')
* logs may be used to gather statistics

Even the administrator of a WWW site is not permitted access to the access logs. Only the server administrator has such access, and is not permitted to disclose that information to others.

Basically, personal information may not be disclosed to ANYONE without a court order. Most of this is a legal requirement, rather than departmental policy.

> As for leaving a company that imposes restrictions such as this, within a
> very short time, this will seriously restrict your choice of companies, as

In the UK (and presumably the rest of the EU, since this is EU-derived legislation), "any company which doesn't break the law" would fit the bill. Which country are you in, and what privacy legislation do you have? Presumably a great deal weaker than ours?

> businesses are being forced to go this way, to reduce their own liability in
> harassment cases etc. If a business cannot show that employees were formally
> advised that such material is inappropriate and forbidden, and that they have
> taken some measures to prevent the use of their facilities to obtain same,
> they may be ( and some companies have been ) held liable in cases where
> offensive material is transmitted or displayed so as to be held as
> harassment by individuals.

What I do in private cannot reasonably be held as harassment by anyone: by definition, they aren't involved. If anyone is offended by the contents of my PC, the only person liable for anything is that person: they are criminally liable for unauthorised access to my data.

> It's an unfortunate fact of life that some people need external
> controls to ensure proper behaviour, and displaying a record of
> accesses is one such form of control. Anyway, as noted above, in my
> view people should be getting access to such things from home, not
> from work.

Agreed - it's a misuse of company resources, after all - but enforcing draconian rules is a case of the "cure" being worse tha
Re: [techtalk] Sick of surf and porn addicts
> > Actually, James, the squid cache is very different from the content of any sessions, it's merely a list of the sites visited. > > The squid CACHE is a great deal more than that; it actually contains a copy of most of what was downloaded. Presumably you're talking about the log files, which list every single URL (not just the site), and the size and nature of every object retrieved. Depending on the configuration, they could also log usernames and passwords for remote sites such as Hotmail. OK, should have said what I meant properly, that the EXTRACT can be a list of the sites. > > > Many ISPs harvest the top count cache hits and list them as points which may be of interest to others. > > Yes, they'll list the popularity of sites - they will NOT provide a list of which URLs a specific customer accessed! (Except obviously with a court > order or similar reason, and then only to the appropriate authority.) Actually, I've seen lists of popular URLs listed by ISPs, generated from the Squid Cache. Destinations aren't held to be private information here. > > At work, we have had to provide squid caches for court cases in regard to porn, > > There's rather a big difference between supplying subpoenaed evidence in a court case and giving arbitrary individuals access to private information. The former is legal, the latter (in Europe at least) is not. > > > as these are the only items that you can generally harvest WITHOUT perfoming unlawful privacy breaches. > > Here, the Data Protection Act imposes strict limitations on what you may do with personal information like that. You cannot, for example, transfer it to external agencies without the person's prior written authorisation - and that includes sending data to an overseas division of the same company. It all depends on the "personal information" concerned, content, personal details etc are all deemed personal information, URLs visited are not, this is what I, at least, was referring to. 
> > > The industries that our customers are in ensure that we do not skirt the edges of lawfullness, we cleave wholly to the letter of the law, even if it were our inclination to do otherwise. > > I don't know where you live, but here the letter and spirit of the law protect the privacy of individuals. I'm in Australia, the privacy laws do protect the privacy of individuals, but locations visited is not deemed to be personal information, laws require us to formally advise people that the locations visited may be monitored, and thereafter legal action is allowed against them, if they are found to be utilising resources to access inappropriate, or illegal, sites. Hence, I am liable for legal action if it can be shown, from logs of my net accesses, that I have accesses inappropriate or illegal sites, there wasa a case last year where a number of personnel were legally dismissed from one company as a result of this. > > A few quotes from our code of practice: Are you talking about UK law. or "code of practice", these are two very different things. > > * analysing web logs to see who is accessing the site is not permitted unless the web site gives notice of this (i.e. the data is 'fairly obtained') > * logs may be used to gather statistics > > Even the administrator of a WWW site is not permitted access to the access > logs. Only the server administrator has such access, and is not permitted > to disclose that information to others. > > Basically, personal information may not be disclosed to ANYONE without a court order. Most of this is a legal requirement, rather than departmental policy. As noted above, the definition of "personal information" is where the boundaries may, or may not, differ. What I look at in a given location would be personal, by my reading of the laws, the fact that I've visited the location, however, would not, as it would not require access to any private content on my part. 
> > > As for leaving a company that imposes restrictions such as this, within a very short time, this will seriously restrict your choice of companies, as

> > In the UK (and presumably the rest of the EU, since this is EU-derived legislation), "any company which doesn't break the law" would fit the bill. Which country are you in, and what privacy legislation do you have? Presumably a great deal weaker than ours?

As noted above, Australia, I question the definition of privacy legislation being "weaker", though, the privacy laws protect the private details of individuals, including, but not restricted to, content of private Emails, documents etc. If you are quoting exact extracts of the law in the UK, they appear to be written without consideration of the boundaries and nature of ownership of personal information.

> > > businesses are being forced to go this way, to reduce their own liability in harassment cases etc. If a business cannot show that employees were formally advised that such material is inappropriate and forbidden, and that they have taken some measur
Re: [techtalk] yellow dog linux
I'm not sure about yellowdog's distro but mac/linux dual boot can definitely be done. I was a total virgin to linux on a mac before i bought my titanium, and I thought osx was a little limiting. Additionally I didn't want to lose the functionality of the dvd player (can't get this to work with xine yet). I'm dual booting linuxppc and mac os9. linuxppc is rpm based, i'm more of an apt-get/.deb girl myself but it'll keep me happy until i am a little more comfortable with mac's fs types, partitioning software. Then i can switch to debian's ppc port!

go to these docs as quickly as you can! they were really helpful.

http://linuxppc.org/home/megabight/TiLinux/

-Jen

On Thu, 24 May 2001, Amanda Yee wrote:
> has anyone ever had experience with yellow dog linux (apple/macintosh)? i am getting ready to buy a titanium g4 laptop and have a dual boot mac os x and yellow dog. i've been told it can be done.

___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] Bad surfing habbits part two
Hi,

Thanks to everybody for your replies. I've bundled some of the things, but it's still long.. sorry for that..

Mark wrote :
"Get each user to read, and sign, a computer usage agreement contract. This says that work facilities will only be used for work purposes, and though reasonable allowances will be made, downloading of objectionable material is strictly prohibited and suitable warnings, followed by dismissal, will be the result of a breach of this contract."

We did this but some people simply refused and we had no support from upper management so we can't *make* people. We also found out that such a document is - legally i mean - worthless. It does not give us the right to check surfing (and email) habits, it doesn't even give us the right to fire someone when they ignore it.

"a possibility also includes suspension of internet access; if this makes the user's job impossible to perform, that's a fairly good motivator to not break the rules / risk being sacked for inability to complete their jobs"

Once again no support from upper management. If we lock down internet access the user complains to his boss, his boss complains to mine and I am told to enable it again because this user can't work without.

Paul wrote :
"Not really wanting to plug any commercial products but it does sound like the only way would be to stick in some sort of filtering proxy that uses content-based filtering.. "

I have been thinking about this too.. However, surfing is only one part of the problem, email is another. But I'll look into "surfcontrol", it sounds interesting.

Keith wrote :
"Privacy concerns aside, if the Company owns the System, then System Rules should not fall under the section of Law concerning privacy."

Ah, but they do. As far as i understand it we are allowed to keep track of how many mails a user sends or receives, but we are not allowed to keep logs of who the mail is from/to and what is in the body.
However, it is very hard to check if a mail is work related without checking out the body. The same with sites, we are allowed to track which sites are visited and how many times, but we are not allowed to track which users visit which sites.

James wrote :
"If I understand you correctly, the problem is not the content they are downloading, but the fact they're using a large amount of bandwidth to do it?"

Actually it's both and none. :) What I mean is : i don't really mind that users sometimes surf a little or send some emails with funny pictures in. I don't mind that some people can't start a working day without seeing some "meat". People are people and we spend enough time at our job as it is. What bothers me is that some users don't know the limit and what really bothers me is that upper management AND the government take away any power you might need to keep those users in line. And leave you with nothing to defend your system with. And valuable resources like bandwidth, diskspace, my time (keeping track of it all), their time (the work isn't getting done whilst surfing), the pc support team's time (because they have to fix the consequences : viruses, crashed computers, ...), security, ... are wasted.

"So if you can't filter effectively, what should you do? I'd look into Squid's "delay pools" facility: this will allow you to restrict user bandwidth quite effectively, allowing fast "bursts" but throttling big downloads to conserve bandwidth for other users, and other useful things."

Thx, I'll check this out..

"Setting your mail server to block some or all attachments could be a big help here: if you do have a lot of mail traffic, attachments are probably a large part of that. "

We do that already, it's part of our anti virus policy (and it has saved us from more viruses than our AV software). We block exe, com, bat, cmd, scr, vbs, avb, html, xhtml, ... But we can't block jpg, gif, zip because some people need this.
:(

"Beware of driving your users to using a webmail service, though; if you stop them using your mail system, they could switch to Hotmail or similar."

I have disabled Hotmail (and others) on our proxy server. This has saved us huge amount of surfing time.. :) Really, some users were on this site for more than 200 hours a month, refreshing often.

Walt wrote :
"How about a mass deleting of people's archives of non-work-related content followed by a note that says "

Actually we do that, attachments older than three weeks are automatically deleted and once a month my coworker runs a check on the attachments folder from all the computers from the network and deletes "unnecessary" items. But this is a slow manual labour which cannot be automated. (Files on the c-drive are not backed up and so just deleting them would also delete important files)

Anyway, I am glad that i am not the only one with this problem. I do feel better.. After hearing some of your replies it is obvious that current laws are not sufficient to deal with these issues, and not only in my
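The constraint described in this message (site visit counts may be kept, per-user tracking may not) together with the earlier point that Squid's logs record every full URL, as an added example that is not part of the original thread: a report that totals requests and bytes per site while never reading the client or ident fields and reducing each URL to a bare host name. It assumes Squid's native access.log layout; the function names and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
990864000.123    250 192.0.2.10 TCP_MISS/200 4096 GET http://www.example.com/news/index.html - DIRECT/198.51.100.7 text/html
990864001.456     90 192.0.2.11 TCP_HIT/200 2048 GET http://www.example.com/img/logo.gif - NONE/- image/gif
990864002.789   1200 192.0.2.10 TCP_MISS/200 900000 GET http://user:secret@files.example.org/big.zip - DIRECT/198.51.100.9 application/zip
990864003.000    300 192.0.2.12 TCP_MISS/200 0 CONNECT mail.example.net:443 - DIRECT/198.51.100.20 -
990864004.000     10 192.0.2.12 TCP_DENIED/403 1500 GET http://WWW.Example.com:80/blocked - NONE/- text/html
this line is truncated
"""


def site_of(method, url):
    """Reduce a logged URL to a bare host name (no userinfo, port, path or query)."""
    if method == "CONNECT":              # CONNECT entries are logged as host:port
        host = url.rsplit(":", 1)[0]
    else:
        try:
            host = urlsplit(url).hostname
        except ValueError:               # malformed URL in the log
            return None
    return host.lower() if host else None


def site_report(lines):
    """Return ([(site, requests, bytes), ...] sorted by bytes, skipped_line_count)."""
    totals = defaultdict(lambda: [0, 0])
    skipped = 0
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 7 or not fields[4].isdigit():
            skipped += 1
            continue
        # fields[2] (client address) and fields[7] (ident user) are never read,
        # so nothing in the output can be tied back to a person.
        action, size, method, url = fields[3], int(fields[4]), fields[5], fields[6]
        if action.startswith("TCP_DENIED"):
            continue                     # blocked by the proxy, nothing was fetched
        site = site_of(method, url)
        if site is None:
            skipped += 1
            continue
        totals[site][0] += 1
        totals[site][1] += size
    report = sorted(((s, n, b) for s, (n, b) in totals.items()),
                    key=lambda row: (-row[2], row[0]))
    return report, skipped


if __name__ == "__main__":
    rows, skipped = site_report(SAMPLE_LOG.splitlines())
    for site, requests, size in rows:
        print(f"{site:24} {requests:5} requests {size:10} bytes")
    print(f"{skipped} unparseable line(s) skipped")
```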
Re: [techtalk] Sick of surf and porn addicts
> What I do in private cannot reasonably be held as harassment by anyone: by definition, they aren't involved. If anyone is offended by the contents of my PC, the only person liable for anything is that person: they are criminally liable for unauthorised access to my data.

I don't agree with this. When there is a problem with a computer, it is my job to fix it. Which means finding out what the problem is. If, at that time, i get exposed to porn-related material this offends me. It is belittling (right word?) to me as a woman, it is rude and it is obscene. But my access is not unauthorised.

Just thought this might help.. ;)

grtz/liese
Re: [techtalk] Re: rpms r bad?
On Sat, May 26, 2001 at 01:45:09PM +0100 or so it is rumoured hereabouts, Telsa Gwynne thought:
> On Sat, May 26, 2001 at 10:24:40AM +0100 or thereabouts, Conor Daly wrote:
> > The thing that gets me with rpm is the way I cannot query an uninstalled
> > package to see what's there...
>
> > isn't installed, do an rpm -ql package-0.1.3.9-i386.rpm and I get back
> > "package is not installed" I KNOW it's not installed, that's why I'm
> > trying to look inside for the proggie I need.
>
> rpm -qlp /mnt/cdrom/whatever/.../package-0.1.3.9-i306.rpm
>        ^
>        |
>
> the rpm -q[il]p combination is very useful.
>
> rpm --help | more
>    -q, --query - query mode
>  Package specification options:
>    -a, --all - query all packages
>    -f + - query package owning
>    -p + - query (uninstalled) package

I don't know *how* many times I've read through rpm --help without spotting that!

Thanks Telsa.

Conor

-- Conor Daly <[EMAIL PROTECTED]> Domestic Sysadmin :-) - Faenor.cod.ie 8:30pm up 7 days, 8:39, 0 users, load average: 0.19, 0.19, 0.08 Hobbiton.cod.ie 8:33pm up 6 days, 9:34, 2 users, load average: 0.04, 0.03, 0.01
Re: [techtalk] Sick of surf and porn addicts
Hi Liese,

On Fri, 25 May 2001, Liese wrote:

[...]
> And that's just http. Include email in the picture and it will become apparent how desperate i really am.. The shit that is sent by email is unbelievable. Porn, jokes, viruses, hoaxes, ...

Hm, well, you don't have a limitation regarding the size of e-mail messages?

> We send mails, put up notices, warn people, ask people, beg people but nothing helps.

Not an unusual problem.

> And we are not allowed to step up to a user and say "hey, our logs show that last month you've been surfing porn sites for over 20 hours, you must stop this", or "We've noticed you have about 100MB of pornography attachments on your drive, you are wasting important bandwidth". This is against the law because it is a violation of privacy ( i live in belgium/europe)

Hm, I (living in Germany) had an employer who actually did so ... I'm not quite sure whether you may do so, if people are warned by an announcement.

> Is there anybody who has been in the same position and found a way to control it better, the legal way.. I could press charges, saying that i - as a woman - feel sexually offended by some of the things i come across when fixing some of the computer problems.

I wouldn't say anything. I stumbled upon some files on a user's hard drive some weeks ago, when I had to solve a problem (this user btw is an expert for Internet affairs and copyright). It makes me sick to think of that, but I don't like to show weak spots.

-- Anne (working in user support)
Re: [techtalk] Sick of surf and porn addicts
On Sat, 26 May 2001, Penguina wrote:
> Why not write a script to put each user's web access cache list (from the squid cache) up on an intranet web site--viewable by their line supervisor--you know, the one who approved the account in the first place.
>
> Then leave it up to them to figure out what to do.

Hm. I wouldn't publish the report to the whole company. It may be of interest for your CEO -- but that depends on the company's policy regarding personal data.

-- Anne
Re: [techtalk] Re: rpms r bad?
Conor wrote:
> I don't know *how* many times I've read through rpm --help without spotting that!
>
> Thanks Telsa.

Dittos, indeed: that really is a useful tip!

Walt

-~ The only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others. His own good, either physical or moral, is not a sufficient warrant. John Stuart Mill "On Liberty"
[techtalk] hardening firewalls (was Re: hdparm and DMA "not permitted")
On Thu, May 24, 2001 at 09:22:11AM +1200 or so it is rumoured hereabouts, Penguina thought:
> On Wed, 23 May 2001, Conor Daly wrote:
> > Sure thing, glad to help. Now I just gotta go install 2.4 in place of the 2.2.16 that's currently running. RH7.1 time?
> >
> > Conor
>
> You might give SuSE 7.1 a whirl...cheaper and imho more complete. The pro distribution has thousands of packages (notably Zope, Squid, Python and Postgresql) and is far cheaper than the personal version of RH 7.x (if you want to be the first kid on your block to own the new dist and don't have the bandwidth to download it in a reasonable amount of time).

Oh, I have RH7.1 already. Some members of our local LUG (www.linux.ie) have a nice fat pipe down which they suck the latest ISOs of almost everything. New distros for the price of the CDR or for Beer! :-) Must look at some other distros though. I've been an RH user pretty much steadily since that's what we have at work (Though my first linux install (in fact, my first intro to linux at all) was slackware 3.1 *and* I got X working!)

> For a firewall/server, a 'minimal' install and running hardsuse, then applying the patches and tweaking the various configurations is a fairly reasonable way to go (and even if it's for home use, security is impt-- you really don't want some kiddie using your home machine as a waystation for illegal activities, since it could be your door the cops show up at first!)

Heh! I'm running a fairly hard firewall on a dedicated 486 at present. It's an area I haven't paid *too* much attention to, apart from creating a firewall that is. I'm not as yet on a 24/7 connection and am on a dynamic dialup but I'm planning to set up some vpn style stuff and I'd like to harden up security if I open my HAN to external logins. At present I've got the browsing / ftp / email ports open and little else.

> I'd avoid some of the SuSE configuration scripts and default configs.
> Apache is configured to run as a SuSE help server in a way that is extremely insecure by default, and sendmail configuration is a lot easier from the MH macros that come with the latest from sendmail.org

I'd be inclined myself to strip the firewall of everything but essential services (there isn't even a compiler on there, new kernels get done on another box), lock it down tight and then not need to worry so hard about the other boxes inside.

One caveat though, is a 486/66 DX fast enough to handle the crypto stuff required for ssh over the internet? I'm not sure whether to forward port 22 to the server and have it do the ssh for the VPN or whether to do it on the firewall. If I forward the port, do I have to start hardening up the server also?

Conor (off to read Jenn's security for newbies stuff)

-- Conor Daly <[EMAIL PROTECTED]> Domestic Sysadmin :-) - Faenor.cod.ie 9:40pm up 7 days, 9:48, 0 users, load average: 0.00, 0.00, 0.00 Hobbiton.cod.ie 9:42pm up 6 days, 10:43, 2 users, load average: 0.00, 0.01, 0.00
Re: [techtalk] Sick of surf and porn addicts
On Sat, May 26, 2001 at 06:51:19PM +0200 or so it is rumoured hereabouts, Liese thought:
> > What I do in private cannot reasonably be held as harassment by anyone: by definition, they aren't involved. If anyone is offended by the contents of my PC, the only person liable for anything is that person: they are criminally liable for unauthorised access to my data.
>
> I don't agree with this. When there is a problem with a computer, it is my job to fix it. Which means finding out what the problem is. If, at that time, i get exposed to porn-related material this offends me. It is belittling (right word?) to me as a woman, it is rude and it is obscene. But my access is not unauthorised.

Or if I'm working in the same office and offensive material is on display on someone else's PC, I'm not involved in any "unauthorised access" but I could be the object of harassment due to the display of such material.

Conor (Who harasses the NT admin by hanging up Tux and userfriendly.org posters :-)

-- Conor Daly <[EMAIL PROTECTED]> Domestic Sysadmin :-) - Faenor.cod.ie 10:06pm up 7 days, 10:15, 0 users, load average: 0.00, 0.00, 0.00 Hobbiton.cod.ie 10:09pm up 6 days, 11:10, 2 users, load average: 0.00, 0.00, 0.00
Re: [techtalk] .htaccess problem
Thank you Almut and Elizabeth -

You got me to thinking and I discovered that my mistake was one of those really dumb, right under your nose kind of things. I was not restarting the webserver, so the changes to httpd.conf were having no effect.

Reminds me of programming - "I've tried A! I've tried B! I've tried C! and my program is still giving me the exact same output! Oops, I forgot to save the changes before recompiling."

Thanks again for your replies.

> Almut Behrens wrote:
> > ... not meant to be a RTFM (M = message, here ;), but what's the error_log saying?
Re: [techtalk] Sick of surf and porn addicts
On Sat, 26 May 2001, Conor Daly wrote:
> On Sat, May 26, 2001 at 03:13:53PM +1200 or so it is rumoured hereabouts, Penguina thought:
> > Why not write a script to put each user's web access cache list (from the squid cache) up on an intranet web site--viewable by their line supervisor--you know, the one who approved the account in the first place.
>
> Viewable by all! Only problem is the privacy issue. She may not be *allowed* to do that.

Just put it in a passworded area (see the .htaccess thread) and only give the password to the responsible people.

Anyone who thinks this is invasive, try keeping a company of your own afloat with employees who surf and do private email on company time -- then get back to me.

penguina