With all this CPU/hardware mess, any advice on what to use for an organization?

With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
I am almost certainly going to be replacing a server with a new one for an
organization I am a member of.
With all of this mess with Meltdown, Spectre, insecure motherboard
chips, etc.
I am pretty clueless on exactly what is going to be a secure set of
server hardware.
Intel, well no.
AMD? I have read about problems with non-CPU chips being compromised.
Another architecture? I have never used anything other than Intel/AMD.

The server will run httpd, mailserver, PostgreSQL and somehow a good way
for well encrypted messaging at times.
It is very likely to run out of Austin, Texas.
I think that having a direct connection would be best, but would a
proper setup make collocation OK?

This isn't going to be my server, I will just be in charge. That's
completely new for me.
Any advice is really welcome, everywhere I read anything, hardware seems
broken and insecure.

Thanks a bunch for any help,
Chris Bennett



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Nick Holland
On 11/20/18 11:43, Chris Bennett wrote:

> I am almost certainly going to be replacing with a new server for an
> organization I am a member of.
> With all of this mess with Meltdown, Spectre, insecure motherboard
> chips,etc.
> I am pretty clueless on exactly what is going to be a secure set of
> server hardware.
> Intel, well no.
> AMD? I have read about problems with non-CPU chips being compromised.
> Another architecture? I have never used anything other than Intel/AMD.
>
> The server will run httpd, mailserver, PostgreSQL and somehow a good way
> for well encrypted messaging at times.

all on one server?

And as someone who has run a number of mail servers for a number of
companies ... don't.  Just don't.  Running your own mail server is a
good way to accomplish nothing except wasting a lot of time and making
people hate you.

> It is very likely to run out of Austin, Texas.
> I think that having a direct connection would be best, but would a
> proper setup make collocation OK?

You are using poorly defined buzzwords.  What you mean by a "direct
connection", "proper setup", "collocation" and what I mean are likely
very different.

> This isn't going to be my server, I will just be in charge. That's
> completely new for me.
> Any advice is really welcome, everywhere I read anything, hardware seems
> broken and insecure.

Pretty much all new HW is optimized in ways that we are now learning
(and has been known for a long time) introduce security problems.
However, most of the problems boil down to having malicious software
running in the control of someone else on the same physical machine YOUR
code is running on.

In short: No news.  Really.

If someone that wanted to do you evil lived in the same house as you,
you would not be comfortable, right?  What if you put up walls
(virtualization) that have proven to be about as robust as paper?
That make you feel any better?  Probably not.  Virtualization has been
proven -- over and over -- not terribly secure.  Now we've got
cross-virtualization-platform ways of stealing data from other
processes.  Important? yes.  But in the big picture, it's similar to Yet
Another buffer overflow.

So...split your tasks on different physical systems as much as possible.
If your webserver is serving static pages, it's probably pretty robust.
If it's running WordPress or any other "any idiot can manage the web
page" apps or dynamic web pages for other reasons, it should be a
machine of its own and have no other important data on it.
Your primary goal should be to keep the bad guys off your computer in
every sense.  And again...nothing new here.

But if security is your concern, you want real hw you control in every
sense.

Unfortunately, if you have performance requirements, your choices are
AMD and Intel.  Older Intel and AMD chips aren't getting any support to
deal with these problems, so your choices are incredibly old chips which
are probably not in the most reliable hardware, and a whole bunch of
other old, unreliable, and slow hardware platforms.  But be realistic.
Your boss will probably mandate a VM on someone else's hw, a WordPress
website, one box for everything, and that you give him the root password
which he'll e-mail to himself to keep it "secure".  Your most likely
breach points will be an easily guessed password (usually, a manager's),
a bug in a web content management system, or someone believing that
"secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
be.  Obsessing about them is generally missing the real day-to-day risks.

Nick.


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:

> On 11/20/18 11:43, Chris Bennett wrote:
> > I am almost certainly going to be replacing with a new server for an
> > organization I am a member of.
> > With all of this mess with Meltdown, Spectre, insecure motherboard
> > chips,etc.
> > I am pretty clueless on exactly what is going to be a secure set of
> > server hardware.
> > Intel, well no.
> > AMD? I have read about problems with non-CPU chips being compromised.
> > Another architecture? I have never used anything other than Intel/AMD.
> >
> > The server will run httpd, mailserver, PostgreSQL and somehow a good way
> > for well encrypted messaging at times.
>
> all on one server?
>
> And as someone who has run a number of mail servers for a number of
> companies ... don't.  Just don't.  Running your own mail server is a
> good way to accomplish nothing except wasting a lot of time and making
> people hate you.
>

The mail server is ONLY intended for members of the organization.
You would have me use gmail or yahoo?
The organization is suing another group for slander.

> > It is very likely to run out of Austin, Texas.
> > I think that having a direct connection would be best, but would a
> > proper setup make collocation OK?
>
> You are using poorly defined buzzwords.  What you mean by a "direct
> connection", "proper setup", "collocation" and what I mean are likely
> very different.
>

Well, then tell me some useful information. Correct my idiotic
buzzwords. It was carefully noted in my message that I am facing new
territory and need some advice.


> > This isn't going to be my server, I will just be in charge. That's
> > completely new for me.
> > Any advice is really welcome, everywhere I read anything, hardware seems
> > broken and insecure.
>
> Pretty much all new HW is optimized in ways that we are now learning
> (and has been known for a long time) introduce security problems.
> However, most of the problems boil down to having malicious software
> running in the control of someone else on the same physical machine YOUR
> code is running on.
>
> In short: No news.  Really.
>
> If someone that wanted to do you evil lived in the same house as you,
> you would not be comfortable, right?  What if you put up walls
> (virtualization) that have proven to to be about as robust as paper?
> That make you feel any better?  Probably not.  Virtualization has been
> proven -- over and over -- not terribly secure.  Now we got
> cross-virtualization platforms ways of stealing data from other
> processes.  Important? yes.  But in the big picture, it's similar to Yet
> Another buffer overflow.
>

To be quite frank, and I don't mean anything negative to others using
virtualization, you couldn't pay me to even consider using something
that idiotic for trying to make a "secure" setup. And using the "clouds",
to me, is getting just a little bit too "high".

> So...split your tasks on different physical systems as much as possible.
>  If your webserver is serving static pages, it's probably pretty robust.
>  If it's running Wordpress or any other "any idiot can manage the web
> page" apps or dynamic web pages for other reasons, it should be a
> machine of its own and have no other important data on it.

Yes, using that idiotic Wordpress crap is exactly one of many problems I
am going to immediately fix. Whoever is in charge can't even make that
work!

> Your primary goal should be to keep the bad guys off your computer in
> every sense.  And again...nothing new here.
>
> But if security is your concern, you want real hw you control in every
> sense.
>

Which is exactly what my silly buzzwords were trying to get a point of
view on. I already assumed that having sole physical control was
essential. But questions not asked are never answered.

> Unfortunately, if you have performance requirements, your choices are
> AMD and Intel.  Older Intel and AMD chips aren't getting any support to
> deal with these problems, so your choices are incredibly old chips which
> are probably not in the most reliable hardware, and a whole bunch of
> other old, unreliable, and slow hardware platforms.  But be realistic.
> Your bosses will probably mandate a VM on someone else's hw, a wordpress
> website, one box for everything, and that you give him the root password
> which he'll e-mail to himself to keep it "secure".  Your most likely
> breach points will be an easily guessed password (usually, a manager's),
> a bug in a web content management system, or someone believing that
> "secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
> won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
> be.  Obsessing about them is generally missing the real day-to-day risks.
>

Does no one at all use OpenBSD for anything but making money or looking
cool?
Does no one at all do any kind of work for charity?
Is there some virus going around that makes everyone so hostile?

Why assume that I have some idiotic boss that wants to fuck things up?
Did it ever occur to you that I might be doing this work for free?
Did it ever occur to you that the organization might be doing major
disaster relief from all of the recent hurricanes devastating the
Southern US? That they might be helping to protect first responders
doing wellness checks on homes? That they might be stopping homes and
businesses from being looted?
That the primary members of the organization are law enforcement,
paramedics and veterans?

But hey, if I can't fill up my bank account, I guess the usage of
OpenBSD is discouraged.



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Kaya Saman-2

On 11/20/18 8:11 PM, Chris Bennett wrote:

> On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
>> On 11/20/18 11:43, Chris Bennett wrote:
>> <snip>
>> Unfortunately, if you have performance requirements, your choices are
>> AMD and Intel.  Older Intel and AMD chips aren't getting any support to
>> deal with these problems, so your choices are incredibly old chips which
>> are probably not in the most reliable hardware, and a whole bunch of
>> other old, unreliable, and slow hardware platforms.  But be realistic.
>> Your bosses will probably mandate a VM on someone else's hw, a wordpress
>> website, one box for everything, and that you give him the root password
>> which he'll e-mail to himself to keep it "secure".  Your most likely
>> breach points will be an easily guessed password (usually, a manager's),
>> a bug in a web content management system, or someone believing that
>> "secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
>> won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
>> be.  Obsessing about them is generally missing the real day-to-day risks.
>>
> Does no one at all use OpenBSD for anything but making money or looking
> cool?
> Does no one at all do any kind of work for charity?
> Is there some virus going around that makes everyone so hostile?
>
> Why assume that I have some idiotic boss that wants to fuck things up?
> Did it ever occur to you that I might be doing this work for free?
> Did it ever occur to you that the organization might be doing major
> disaster relief from all of the recent hurricanes devastating the
> Southern US. That they might be helping to protect first responders
> doing wellness checks on homes? That they might be stopping homes and
> businesses from being looted?
> That the primary members of the organization are law enforcement,
> paramedics and veterans?
>
> But hey, if I can't fill up my bank account, I guess the usage of
> OpenBSD is discouraged.
>
>

I don't think the response was assumed as such. It just is that there
are so many issues with corporate politics and higher-ups thinking they
know things that gives OpenSource software a bad rep! Once, people
didn't even understand what OpenSource was and asked me what I did while
'working at OpenSource', lol


As to different H/W, yes, there are still some different systems around...
like IBM PowerPC P-series based systems and Oracle SPARC; I think HP's own
UX capable machines are dead now, though my info could be several years
out of date as I haven't dealt with this type of system in a long time.


Agreed that Cloud is a lot of corporate hype in many aspects as to lowering
expenditure.


Will you be building just the mail server or the whole infrastructure??


Virtually what you want to do is a good firewall protecting everything.
OpenBSD excels at security so definitely recommended. As to mail server,
I really think you need to research the different components first that
make up the system.

Firstly for power reasons what type of usage do you estimate?

Will you be needing a separate external mail gateway?

Does your ISP offer Reverse DNS?


After that the best thing to do would be to set up a small lab with a
test machine and try different setups out. Like, say, using Sendmail,
Postfix etc. for SMTP. Many people here have different opinions and
takes on this, but really it is up to you to decide what you like best
and also what you need it to do - you can only find that out by testing
out different things.

Then how your users will connect... IMAP, POP, HTTP?? In today's day and
age IMAP is the preferred protocol, but there of course are others -
please do not ever mention M$ Exchange as it should be obliterated!


Once you understand the core components necessary then you will start to
formulate specific questions of how/why is (x) needed etc... then
answers can be more specific too but for now read a lot and test out
different things to see which one fits you best :-)


Regards,


Kaya



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
On Tue, Nov 20, 2018 at 08:31:14PM +0000, Kaya Saman wrote:

> I don't think the response was assumed as such. It just is that there are so
> many issues with corporate politics and higher ups thinking they know things
> that gives OpenSource software a bad rep! Even once people didn't understand
> what OpenSource was and asked me what I did while 'working at OpenSource'
> lol
>
>
> As to different H/W yes there are still some different systems around...
> like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own UX
> capable machines are dead now; though my info could be several years out of
> date as I haven't dealt with this type of system in a long time.
>
>
> Agreed that Cloud is a lot of corporate hype in many aspects as to lower
> expenditure.
>
>
> Will you be building just the mail server or the whole infrastructure??
>

As of right now, I will have to take on everything, which is an
extremely daunting task. There have been three times in the past year
that staff and volunteers either left on their own or a few were found
to be more troublesome than helpful.
Things are a real mess right now, so my first task is just to get the
website, which right now is a disaster, working well enough to keep both
members and volunteers communicating and an inflow of donations coming
in.

WordPress was an awful decision made right before I joined.
But it's hard to select the right software. Having a forum is a must,
and due to both trolls and crazy people deliberately making destructive
types of posts, the forum has now been removed to members only to allow
for reasonable and private discussions.

The website is dead slow right now and that has to be fixed quickly.
I don't have all the details of exactly what is or isn't installed yet.
A board meeting is about to happen and then I should be able to check
out the mess.

I'm planning on moving to just delivering the content and who cares if
it's pretty or not. As long as it's much faster.

I just need some guidance along the way.
RTFM these 250 manual pages is the right way, except that actions need to
happen fast. This really is a case of do things sorta the wrong way and
fix it ASAP, or don't do anything and then the SHTF.

I want everything done in the end really well and secure, but no
donations, no volunteers and no new members or no renewing members
equals no organization. That's bad.

Thanks for your suggestions. I didn't think other architectures would be
suitable, but it was worth asking.

Chris Bennett



I love your Emails. This one made my day!

Josh Grosse-3
In reply to this post by Nick Holland
Thank you!

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: With all this CPU/hardware mess, any advice on what to use for an organization?

OpenBSD lists
In reply to this post by Chris Bennett-4
On 11/20/2018 8:43 AM, Chris Bennett wrote:

> I am almost certainly going to be replacing with a new server for an
> organization I am a member of.
> With all of this mess with Meltdown, Spectre, insecure motherboard
> chips,etc.
> I am pretty clueless on exactly what is going to be a secure set of
> server hardware.
> Intel, well no.
> AMD? I have read about problems with non-CPU chips being compromised.
> Another architecture? I have never used anything other than Intel/AMD.
>
> The server will run httpd, mailserver, PostgreSQL and somehow a good way
> for well encrypted messaging at times.
> It is very likely to run out of Austin, Texas.
> I think that having a direct connection would be best, but would a
> proper setup make collocation OK?
>
> This isn't going to be my server, I will just be in charge. That's
> completely new for me.
> Any advice is really welcome, everywhere I read anything, hardware seems
> broken and insecure.
>
> Thanks a bunch for any help,
> Chris Bennett
>
>

Personally, I'd go with a couple of Sun T-1000s, a pair of managed
switches and some Cyclades (or similar) serial port servers and cram
them into a half cabinet rented from a colo.  2 to run as firewalls, 2
for httpd, 2 for your database, and 2 to run Dovecot for your mail
(assuming just IMAP is fine for your users).  You'd probably be looking
at about $10,000 in hardware and a few hundred a month for renting the
rack space.  Although with some frugal eBaying, you can probably bring
that hardware cost down quite a bit.  But you'll get some decent
hardware, and SSH-based remote access to the OOB ALOM ports of the systems.

I have a similar, but much larger scale, setup sitting in an Equinix
Datacenter over in San Jose.


Re: I love your Emails. This one made my day!

Rudy Baker
In reply to this post by Josh Grosse-3
I like turtles


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Kevin Chadwick-4
In reply to this post by Chris Bennett-4
On 11/20/18 4:43 PM, Chris Bennett wrote:
> AMD? I have read about problems with non-CPU chips being compromised.
> Another architecture? I have never used anything other than Intel/AMD.

I can't comment on SUN etc. but AMD would be the way to go if you can.

Theo has said in a recent presentation something along the lines that AMD are
far more considerate and apply the security checks first, whereas Intel do so at
the end!!

Many modern UEFI (BIOS) firmwares have very limited configuration enabled; however, the
configs the OEM has access to enable are larger than ever. It would be better if
the functionality that caused them were not there by default, but you may find
these chip attacks can be mitigated for your scenario quite easily with the
right vendor/OEM board?? Incidentally, the Intel USB debug access has been there
for years, but it was a physical-motherboard-access-only scenario until recently.

I can't help with a good vendor unfortunately. I have no fairly new, off the
shelf commercial HW to inspect the BIOS of.


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Boris Goldberg-2
In reply to this post by Chris Bennett-4
Hello Chris,

  There is something extremely weird going on around lately. People
easily take offense where no offense was intended (and hard to find
anyway). Nick was just telling you that (in his expert opinion) you
shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
but concentrate on the real security instead. Unfortunately the real
security takes years of learning and experience, and can't be "advised" in
a couple of emails, but he provided a lot of valuable (and valid)
information (which you were not ready to digest, I guess).
  If you allow arbitrary code to run on your server you are
screwed with or without Spectre, otherwise there is nothing to spy on you
on that server (even if it's technically possible).
  If (any) government agency really wants to access your server, you are
writing to the wrong list, otherwise government installed spying chips (if
any) won't really hurt you. On the other hand, crapware (like Superfish)
might.

BTW, your boss doesn't need to be stupid to compromise your password (or
keys), just a "normal" human. Security isn't grokkable by "normal" people.


>> (virtualization) that have proven to be about as robust as paper?
>> That make you feel any better?  Probably not.  Virtualization has been
>> proven -- over and over -- not terribly secure.  Now we've got
>> cross-virtualization-platform ways of stealing data from other
>> processes.  Important? yes.  But in the big picture, it's similar to Yet
>> Another buffer overflow.
>>

CB> To be quite frank, and I don't mean anything negative to others using
CB> virtualization, you couldn't pay me to even consider using something
CB> that idiotic for trying to make a "secure" setup. And using the "clouds",
CB> to me, is getting just a little bit too "high".

>> So...split your tasks on different physical systems as much as possible.
>>  If your webserver is serving static pages, it's probably pretty robust.
>>  If it's running Wordpress or any other "any idiot can manage the web
>> page" apps or dynamic web pages for other reasons, it should be a
>> machine of its own and have no other important data on it.

CB> Yes, using that idiotic Wordpress crap is exactly one of many problems I
CB> am going to immediately fix. Whoever is in charge can't even make that
CB> work!

>> Your primary goal should be to keep the bad guys off your computer in
>> every sense.  And again...nothing new here.
>>
>> But if security is your concern, you want real hw you control in every
>> sense.
>>

CB> Which is exactly what my silly buzzwords were trying to get a point of
CB> view on. I already assumed that having sole physical control was
CB> essential. But questions not asked are never answered.

>> Unfortunately, if you have performance requirements, your choices are
>> AMD and Intel.  Older Intel and AMD chips aren't getting any support to
>> deal with these problems, so your choices are incredibly old chips which
>> are probably not in the most reliable hardware, and a whole bunch of
>> other old, unreliable, and slow hardware platforms.  But be realistic.
>> Your bosses will probably mandate a VM on someone else's hw, a wordpress
>> website, one box for everything, and that you give him the root password
>> which he'll e-mail to himself to keep it "secure".  Your most likely
>> breach points will be an easily guessed password (usually, a manager's),
>> a bug in a web content management system, or someone believing that
>> "secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
>> won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
>> be.  Obsessing about them is generally missing the real day-to-day risks.
>>

CB> Does no one at all use OpenBSD for anything but making money or looking
CB> cool?
CB> Does no one at all do any kind of work for charity?
CB> Is there some virus going around that makes everyone so hostile?

CB> Why assume that I have some idiotic boss that wants to fuck things up?
CB> Did it ever occur to you that I might be doing this work for free?
CB> Did it ever occur to you that the organization might be doing major
CB> disaster relief from all of the recent hurricanes devastating the
CB> Southern US. That they might be helping to protect first responders
CB> doing wellness checks on homes? That they might be stopping homes and
CB> businesses from being looted?
CB> That the primary members of the organization are law enforcement,
CB> paramedics and veterans?

CB> But hey, if I can't fill up my bank account, I guess the usage of
CB> OpenBSD is discouraged.

--
Best regards,
 Boris                            mailto:[hidden email]


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
In reply to this post by Kevin Chadwick-4
On Thu, Nov 22, 2018 at 10:50:38AM +0000, Kevin Chadwick wrote:

> On 11/20/18 4:43 PM, Chris Bennett wrote:
> > AMD? I have read about problems with non-CPU chips being compromised.
> > Another architecture? I have never used anything other than Intel/AMD.
>
> I can't comment on SUN etc. but AMD would be the way to go if you can.
>
> Theo has said in a recent presentation something along the lines of that AMD are
> far more considerate and apply the security checks first whereas Intel do so at
> the end!!
>
> Many modern UEFI (bios) have very limited configuration enabled, however the
> configs the OEM has access to enable are larger than ever. It would be better if
> the functionality that caused them were not there by default but you may find
> these chip attacks can be mitigated for your scenario, quite easily with the
> right Vendor/OEM board?? Incidentally the Intel usb debug access has been there
> for years but it was a physical motherboard access only scenario until recently.
>
> I can't help with a good vendor unfortunately. I have no fairly new, off the
> shelf commercial HW to inspect the BIOS of.
>

Thanks.

After digging into many pages' source (and I use NoScript, which has an
irritating side effect of actually hiding some of the JavaScript
present), I now see that they are using cloud hosting and some naughty
Google stuff. So I will get much more information about everything
probably next week since this is Thanksgiving weekend here.

So I will be having to select hardware to purchase.
I was assuming that AMD was the right choice, but I wanted to be sure.
I saw the presentation about Intel and AMD on the website. Intel's
behaviour was surprisingly terrible.

I'm not sure exactly what load of users I will have to deal with.
A ton of long-time members have been furious about the WordPress mess
that got put up. As in most forums, more people just read than post.

I'm not at all concerned about govt. snooping. Politics and groups have
gotten extraordinarily weird, odd and even violent in the US.
Their previous setup (before this current one) was hacked at least once.

I'm completely open to any suggestions. I just don't have a budget or a
for sure location to work from yet.
Things are bad enough that anything I do can only be helpful.
So that's pretty bad! :-{
I also want to hear any don't do this or work with this ISP, etc.

Thanks,
Chris Bennett



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
In reply to this post by Boris Goldberg-2
On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:

> Hello Chris,
>
>   There is something extremely weird going on around lately. People
> easily take offense where no offense was intended (and hard to find
> anyway). Nick was just telling you that (in his expert opinion) you
> shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
> but concentrate on the real security instead. Unfortunately the real
> security takes years of learning and experience, and can't be "advised" in
> a couple of emails, but he provided a lot of valuable (and valid)
> information (which you were not ready to digest, I guess).
>   If you are allowing arbitrary code to run on your server you are
> screwed with or without Spectre, otherwise there is nothing to spy on you
> on that server (even if it's technically possible).
>   If (any) government agency really wants to access your server, you are
> writing to the wrong list, otherwise government installed spying chips (if
> any) won't really hurt you. On the other hand, crapware (like Superfish)
> might.
>
> BTW, your boss doesn't need to be stupid to compromise your password (or
> keys), just a "normal" human. Security isn't grokkable by "normal" people.

I'm actually sorry, Nick.
I've got a personal situation that has me very touchy right now.
But that's another issue completely.

Since there is a forum, and one has to stay, I have a few questions.
I looked over a lot of forums, both for features and security.
I realized that I couldn't properly judge security.
If a forum has a lot of security patches, does that mean that problems
are being swiftly dealt with or that the forum has serious problems?
If a forum doesn't have reported security patches, does that mean that
it is good or just not maintained? I never thought about this before.

It seems to me that a login username should not be allowed to be the
displayed forum username. The real username is also used for purchases,
membership activities, etc.


I also think that passwords need to be enforced to be changed
occasionally. What sort of timing delay is okay with users?
Nobody really likes changing passwords, but since so many people use the
same one all over the place, it seems like a good idea since they would
then be forced to have a different one from the rest.


There is a need for pretty secure stuff, like the forum and membership,
purchases, etc.
But also very secure activities. Seems to me that 2 servers (or more)
would be best to accomplish this. Any disagreement or other suggestions?
The main website is probably the most important objective right now.
It's what the public sees. And if (which means when, not if) I make a
mistake, the world won't come tumbling down.

Thanks all,
Chris Bennett



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
In reply to this post by Nick Holland
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
>
> all on one server?
>
> And as someone who has run a number of mail servers for a number of
> companies ... don't.  Just don't.  Running your own mail server is a
> good way to accomplish nothing except wasting a lot of time and making
> people hate you.
>

I got mad before thinking. Bad habit I need to break.
You are right.

We wouldn't want any of the "evil empires" for that.
That is a set policy already. So no Gmail, Yahoo, Microsoft, etc.
Can't control where the mail goes to however.

Outbound mail is going to be from forum topics, which I will change to
only reference the post, no content.
Requests for donations and about upcoming events.
Asking for immediate help when disasters or other events occur.
News topics.

How do I pick some company to do this?
I'll start looking up information now. Hadn't even occurred to me.
But exactly how does that work from our servers to theirs and back?

Thank you,
Chris Bennett



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

OpenBSD lists
In reply to this post by Chris Bennett-4
On 11/22/2018 12:56 PM, Chris Bennett wrote:

> On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:
>> Hello Chris,
>>
>>    There is something extremely weird going on around lately. People
>> easily take offense where no offense was intended (and hard to find
>> anyway). Nick was just telling you that (in his expert opinion) you
>> shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
>> but concentrate on the real security instead. Unfortunately the real
>> security takes years of learning and experience, and can't be "advised" in
>> a couple of emails, but he provided a lot of valuable (and valid)
>> information (which you were not ready to digest, I guess).
>>    If you are allowing arbitrary code to run on your server you are
>> screwed with or without Spectre, otherwise there is nothing to spy on you
>> on that server (even if it's technically possible).
>>    If (any) government agency really wants to access your server, you are
>> writing to the wrong list, otherwise government installed spying chips (if
>> any) won't really hurt you. On the other hand, crapware (like Superfish)
>> might.
>>
>> BTW, your boss doesn't need to be stupid to compromise your password (or
>> keys), just a "normal" human. Security isn't grokkable by "normal" people.
>
> I'm actually sorry, Nick.
> I've got a personal situation that has me very touchy right now.
> But that's another issue completely.
>
> Since there is a forum, and one has to stay, I have a few questions.
> I looked over a lot of forums, both for features and security.
> I realized that I couldn't properly judge security.
> If a forum has a lot of security patches, does that mean that problems
> are being swiftly dealt with or that the forum has serious problems?
> If a forum doesn't have reported security patches, does that mean that
> it is good or just not maintained? I never thought about this before.
>
> It seems to me that a login username should not be allowed to be the
> displayed forum username. The real username is also used for purchases,
> membership activities, etc.
>
>
> I also think that passwords need to be enforced to be changed
> occasionally. What sort of timing delay is okay with users?
> Nobody really likes changing passwords, but since so many people use the
> same one all over the place, it seems like a good idea since they would
> then be forced to have a different one from the rest.
>
>
> There is a need for pretty secure stuff, like the forum and membership,
> purchases, etc.
> But also very secure activities. Seems to me that 2 servers (or more)
> would be best to accomplish this. Any disagreement or other suggestions?
> The main website is probably the most important objective right now.
> It's what the public sees. And if (which means when, not if) I make a
> mistake, the world won't come tumbling down.
>
> Thanks all,
> Chris Bennett
>
>
I'd look for software that has bug bounties.  I'd also look at the CVEs
for each product and compare with the patch history.  The delay between
a flaw being reported versus patched is going to be a much better
indicator than rate of patches.  I'd also consider the seriousness of
the flaw being patched as well, like if it is due to a widespread issue
(EG, Meltdown, Heartbleed, etc) or if it is due to some basic
programming error (Apple's "enter a blank password for root enough times
and you'll get root" or Microsoft's "patching Windows 10 will obliterate
your install because of a typo in the patch code that is supposed to
leave c:\users\ alone").

Also, look for something that could support external authentication,
especially something industry standard like LDAP, so you can have one
authentication database all your services can use while not relying on
whoever wrote the individual bits of software to have written something
that doesn't suck.  Also look for something that will allow the admin
pages to be hosted on a different URL from the user accessible stuff.

If you are handling payment or financial information, outsource it to
something like paypal or another well-known payment processor.  While
they aren't very secure, they are insured, so if they fuck something up,
you aren't holding the bag and are very unlikely to be blamed for it by
your users.

As for number of servers, more than one is going to be the better way.
If something has a port accessible by any old rando, you shouldn't be
storing anything secure on it.  Especially if the server also stores
something the user can craft (EG, photos from the forum, arbitrary text,
etc).

As for ISPs, just assume they are all total shit (Most of them are
anyway) and treat them like you would an open wireless network.  Don't
use their DNS and encrypt everything you can.  Use static IPs if you
can.  Don't allow passwords for ssh on anything public facing.  Only
allow admin pages to be accessible from a private network (So that you'd
need to use an ssh tunnel to get to it remotely).

-CA
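The ssh rule in the post above (no password logins on anything public facing) as an added example, not code from the thread or from OpenSSH: a POSIX sh audit of an sshd_config that applies sshd's own evaluation rules, the first occurrence of a keyword wins and an absent keyword falls back to the compiled-in default. The helper names and the two sample configs are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# "no passwords for ssh on anything public facing" rule.
# sshd semantics relied on: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and an absent keyword takes the built-in
# default. PasswordAuthentication and KbdInteractiveAuthentication both
# default to "yes", so a config that simply omits them is still weak.
# Simplifications: only "Keyword value" lines (not "Keyword=value") are
# parsed, and everything from the first Match block on is ignored.

# get_option FILE KEYWORD DEFAULT [ALT_KEYWORD] -> effective value, lower-cased
get_option() {
    _file=$1
    _key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _def=$3
    _alt=$(printf '%s' "${4:-}" | tr '[:upper:]' '[:lower:]')
    _val=$(awk -v key="$_key" -v alt="$_alt" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match" { exit }                  # stop at Match
        tolower($1) == key || (alt != "" && tolower($1) == alt) {
            print tolower($2); exit                      # first hit wins
        }
    ' "$_file")
    printf '%s\n' "${_val:-$_def}"
}

# check_sshd_config FILE -> prints PASS, or "FAIL: <offending keywords>"
# and returns 1. Defaults below are those of current OpenSSH sshd.
check_sshd_config() {
    _bad=""
    [ "$(get_option "$1" PasswordAuthentication yes)" = "no" ] \
        || _bad="$_bad PasswordAuthentication"
    # ChallengeResponseAuthentication is the older alias of this keyword
    [ "$(get_option "$1" KbdInteractiveAuthentication yes ChallengeResponseAuthentication)" = "no" ] \
        || _bad="$_bad KbdInteractiveAuthentication"
    # default is prohibit-password, which is already key-only
    case "$(get_option "$1" PermitRootLogin prohibit-password)" in
        yes) _bad="$_bad PermitRootLogin" ;;
    esac
    if [ -n "$_bad" ]; then
        printf 'FAIL:%s\n' "$_bad"
        return 1
    fi
    printf 'PASS\n'
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(mktemp)
STRONG_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$STRONG_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Looks hardened at a glance, but the first PasswordAuthentication wins
# and KbdInteractiveAuthentication is never set, so it stays at "yes".
Port 22
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$STRONG_CFG" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# Passwords only from the private network; this check deliberately
# leaves Match blocks alone, so review them by hand.
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

printf 'weak:   '; check_sshd_config "$WEAK_CFG" || :
printf 'strong: '; check_sshd_config "$STRONG_CFG"
```

Run it against /etc/ssh/sshd_config on the public box before exposing port 22; `sshd -T` is the authoritative way to see the effective values, this script only explains why a config that "looks" hardened is not.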


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Chris Bennett-4
On Thu, Nov 22, 2018 at 02:21:41PM -0800, Misc User wrote:
> I'd look for software that has bug bounties.  I'd also look at the CVEs for
> each product and compare with the patch history.  The delay between a flaw
> being reported versus patched is going to be a much better indicator than

Yes, that would be very true. Too slow could mean it's not being taken
seriously enough. Which could mean the same for known, but unreported
flaws. Good advice.

> rate of patches.  I'd also consider the seriousness of the flaw being
> patched as well, like if it is due to a widespread issue (EG, Meltdown,
> heartbleed, etc) or if it is due to some basic programming error (Apple's
> "enter a blank password for root enough times and you'll get root" or
> Microsoft's "patching Windows 10 will obliterate your install because of a
> typo in the patch code that is supposed to leave c:\users\ alone").
>

Yes, Windows 10 got wiped out the first try after seeing three of their
6 month updates needing to try about 8 times, eating up days of
time I wanted to use.

> Also, look for something that could support external authentication,
> especially something industry standard like LDAP, so you can have one
> authentication database all your services can use while not relying on
> whoever wrote the individual bits of software to have written something that
> doesn't suck.

Yeah, good plan.
I've written a fair amount of software that worked, but sucked.

>Also look for something that will allow the admin pages to be
> hosted on a different url from the user accessible stuff.
>
> If you are handling payment or financial information, outsource it to
> something like paypal or another well-known payment processor.  While they
> aren't very secure, they are insured, so if they fuck something up, you
> aren't holding the bag and are very unlikely to be blamed for it by your
> users.
>

Yes, I have used PayPal for my business. Not very active now, but I
really liked not being directly in the middle. "You are now being
directed to PayPal, we do not ever have any of your credit card info."
was very nice to say.
Yes, they do fuck things up. Got me once when they just decided to
change the phone number formatting without announcing it.

> As for number of servers, more than one is going to be the better way. If
> something has a port accessible by any old rando, you shouldn't be storing
> anything secure on it.  Especially if the server also stores something the
> user can craft (EG, photos from the forum, arbitrary text, etc).
>

Dealing with that has had me really concerned. People really want to
upload all kinds of stuff. That's a good idea.

> As for ISPs, just assume they are all total shit (Most of them are anyway)
> and treat them like you would an open wireless network.  Don't use their DNS
> and encrypt everything you can.  Use static IPs if you can.  Don't allow
> passwords for ssh on anything public facing.  Only allow admin pages to be
> accessible from a private network (So that you'd need to use an ssh tunnel
> to get to it remotely)

Alright. Thanks.
This is helpful. Someone suggested off-list that I make up a flow chart
to plan out each step that needs to be taken. I'm getting good advice
now to help me start that. It's tough to pull this off.
But then, when is easy ever any real fun! :-}

Chris Bennett



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

Stuart Henderson
In reply to this post by Chris Bennett-4
On 2018-11-22, Chris Bennett <[hidden email]> wrote:

> After digging into many pages source and I use NoScript, which has an
> irritating side effect of actually hiding some of the JavaScript
> present, I now see that they are using cloud hosting and some naughty
> Google stuff. So I will get much more information about everything
> probably next week since this is Thanksgiving weekend here.
>
> So I will be having to select hardware to purchase.
> I was assuming that AMD was the right choice, but I wanted to be sure.
> I saw the presentation about Intel and AMD on the website. Intel's
> behaviour was surprisingly terrible.

For what you're talking about running, bugs in the web application are
a far higher risk than cpu bugs.

You are going to have a bunch more time/hassle getting a less-common
arch (e.g. sparc64) doing what you need if you're not already familiar
with it.

Pragmatically if you're looking at cost-effective hardware you are going
to be paying a bunch more and have a lot less choice with AMD-based servers.
(And at least Intel are making microcode updates easily available which
AFAIK AMD aren't doing.)

I would probably be looking at a refurb couple-of-year-old PowerEdge or
similar server for this (running amd64 not i386 of course). Spend the
time thinking about what you *need* to run and how to best secure it,
rather than worrying about things which already require a way into
running code on the physical hardware to exploit.