59 new of 128 responses total.
Regarding #67; Hey! I'm listed in there!
Yes. But I think that's opening up a whole other can of worms.
re #69 Eleven roots does seem pretty extravagant. re #68 I don't know squat about staff but as a user I would've guessed the root list would be: gelinas, janc, mcnally, remmers, steve, and spooked My assumption is based on visible participation of those folks on Grex. Even so, six roots almost seems excessive.
Don't discount srw in that list. He does a lot of down-and-dirty work supporting users who write asking for helps, and often needs root access to do that (fixing mangled dot files, and things like that).
re #73 I don't doubt there are other active roots. I was just relaying my impression based on the staff folks I see in bbs.
Oh, okay.
I guess I'll preach for a while. Does everyone remember from math that if a=b and b=c then a=c? On a UNIX like system such as Grex giving root access for a few seconds can result in myriad difficult to detect changes to the system. Some of these could be backdoor access, or data destruction. I must say again that these things can happen very quickly. Perhaps tiny fractions of a second. Among staff it is pretty well known that STeve is particularly expert and active with regard to security. Given the above I would expect STeve to react quickly with sufficient force to *ensure* reduction in security breach to any situation which seemed to be a breach, and then continue to act to investigate, clarify, gather evidence, and resolve the situation with coordination with other staff and the Board. As a Computer Security Specialist with clients that include Banks, Universities, accounting firms, and etc I'll tell you that these are the facts. Now come my opinions. STeve was correct with respect to his technical actions. Perhaps he was a little harsh with some of his words, but knowing what I know about staff procedures as a former staffer myself, and seeing the wording used in the discussion I see how in the situation STeve could have taken things to be 'playing dumb'. Not that I think that was happening, but that he could have. With the above foundation about computer security I think that STeve did things right. That he didn't make any mistakes. And that nearly all the posts in this and other items amount to political powerplaying to gather support for a position from people who have little to no understanding of the details and methods of systems management. The correct way to handle this would be between the parties concerned. That list would be: Board; Staff; Cross; Spooked. Any person schooled in leadership and management knows this. The motion to change the wording of the relevant policy is a separate issue that rightly belongs in COOP. Since some people have chosen to step outside normal management practices and engage in juvenile sympathy gathering I feel I can no longer keep quiet on this and must explain some of the normal practices for situations like this so that we might all behave with more professionalism next time something happens that needs resolving. Thank you STeve for trying so hard to keep Grex secure from all sorts of security threats be they real active situations, abstract potential eventualities, or possible vague incidents.
re #76: > On a UNIX like system such as Grex giving root access for a few > seconds can result in myriad difficult to detect changes to the > system. Some of these could be backdoor access, or data destruction. > I must say again that these things can happen very quickly. Perhaps > tiny fractions of a second. By that argument once cross had had root access it was much too late for STeve's revocation of root access to fix the problem. Your statement seems to me to be working at cross-purposes (no pun intended) to your argument. > Among staff it is pretty well known that STeve is particularly > expert and active with regard to security. It is? Without minimizing STeve's skills or his contributions to Grex, I'd have to say I'm not aware of any special expertise he has in this area. He has strongly- held opinions on the subject and has a considerable body of experience as a professional sysadmin, but I don't agree that that's the same as "particularly expert." I've had a rather busy and stressful couple of weeks and can't recall at the moment if I've previously made my opinion on this incident clear but in my opinion mic made a relatively minor error in judgment and STeve acted in a way that I think speaks volumes about his attitude towards grex and towards other staff members. While I don't doubt that his intentions were to protect Grex from what he perceived as a threat, I think his actions demonstrate a proprietary feeling towards Grex's admin privileges that I'm not entirely comfortable with.
STeve acted in response to an apparent security incident. This requires immediate and strong response. Dan et. al. did not. The two situations are completely different and not interchangeable. What you are saying is that if I gain root somehow and put my name in group wheel then it is too late for someone to revoke my new rights as a member of staff. How can so many people fail to understand the difference between system administration and security response. Again, system admin is a team effort and is not time critical. Security response is time critical beyond the limits of most people's imagination which necessarily makes it an individual effort.
re #78: > What you are saying is that if I gain root somehow and put my name > in group wheel then it is too late for someone to revoke my new rights > as a member of staff. If I cannot know for certain that your intentions are not malicious then it is, in fact, too late for someone to effectively re-secure the system simply by revoking your membership in the staff & wheel groups. That's one reason I'm kind of puzzled by STeve's reaction. On the one hand if he didn't believe that mic and cross were out to harm the system then his approach seems like a ham-handed overreaction. On the other hand if he did believe that mic and cross were a threat to the system then the steps he took to "secure" grex after discovering the situation (which wasn't particularly hidden to begin with) were totally inadequate. > How can so many people fail to understand the difference between system > administration and security response. Again, system admin is a team > effort and is not time critical. Security response is time critical > beyond the limits of most people's imagination which necessarily makes > it an individual effort. I've got an even worse problem -- I can't even understand what it is you're trying to say above. You appear to be arguing that in response to a security breach, immediate action is required to restore the security of the system and that STeve was therefore correct to act unilaterally without waiting for the board to sort things out. I don't particularly disagree with that if that's what you're saying, but frankly what STeve did really doesn't begin to come close to re-securing a breached system, about the only attackers it would actually be effective against were people who weren't attacking in the first place.
i'm with mike. re 76 You're acting as if this were a system where the board and staff total about a hundred different technicians who don't know themselves that well. GreX just isn't that. It's a community where a lot of the staffers happen to know each other in person.
A couple of things, there was no security threat -- any non-moron can see this. STeve's response was worse than my actions. It was inappropriate, and quite frankly rude! If I or Dan wanted to harm the system, it would have been done long ago. STeve's actions, and more important, his words - and lack there of - since the episode have hurt Grex much more than me taking an innocent initiative. Just my 2c.
I think arthurp is misapplying a legitimate point.
Regarding #82; I agree with Eric. Arthurp's argument doesn't fit this situation particularly well. And, with respect to #76; "juvenile sympathy gathering" - are you serious?
I don't know how it is on Grex, but on my Linux system in the
sudoers man page I found a few options that may be of help here.
To wit:
Defaults
--------
mail_always Send mail to the mailto user every time a users runs sudo.
This flag is off by default.
Turn it ON.
mailto Address to send warning and error mail to. The address
should be enclosed in double quotes (") to protect against
sudo interpreting the @ sign. Defaults to root.
This one should be set to a mailing *list*. The list should include
accounts held by all board and staff members on systems *other than
grex*. (I have a bunch of gmail invites if anybody needs some.) And for
good measure, add to the list an account on a machine on the same
network as the grex machine, in the same room, which is otherwise NOT
connected to the internet. (eg, you have to goto the Co-lo building and
sit down at it to login to it.)
logfile Path to the sudo log file (not the syslog log file). Set-
ting a path turns on logging to a file; negating this
option turns it off.
Send this one, also, to another machine, via NFS or similar network
file sharing. Said system will be charged with the task of backing this
file up every 5 seconds or whatever is appropriate, and|or otherwise
keeping it from being deleted or overwritten. (Allow append only.)
In this manner, a user in group wheel can still do anything he likes,
including install back doors, and even stop sudo from keeping such logs.
But by the time he does, if the logs and notices get sent offsystem, the
cat will be out of the bag, and everyone will know who to hold responsible.
Also, just for fun:
lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following pos-
sible values:
never Never lecture the user.
once Only lecture the user the first time they run sudo.
always Always lecture the user.
If no value is specified, a value of once is implied.
Negating the option results in a value of never being used.
The default value is once.
lecture_file
Path to a file containing an alternate sudo lecture that
will be used in place of the standard lecture if the named
file exists.
And one that especially appeals to me:
insults If set, sudo will insult users when they enter an incorrect
password. This flag is off by default.
I hereby wish to resign, effective immediately, from Grex staff.
There are a few main reasons for my decision:
(1) Good judgement and initiative are discouraged. Autocratic, zealous,
egotistical behaviours are favoured.
(2) Very little good work is done by Grex staff, because of the
repercussions and discentive caused by (1).
(3) Grex (and particularly the one or two staff who spoil staff) are
backward thinking - exaggerating their own personal importance, and
having no vision or passion for a better Grex.
(4) I find the sheep on staff who follow the zealots on staff (because
they have no conviction or vision of their own) pathetic.
I will now remove myself from groups staff and wheel.
So who does that leave us with?
steVE. This is indeed sad news. It sucks that you've left, spooked.
Thanks for your time, spooked. I appreciate your and Mike's opinions and hope both of your opinions continue to be voiced.
Just to leave no doubt about my wording in (1) by zealous (being a zealot) I mean an extremist, a crank and a bigot (not to be confused with enthusiastic and positive visionary intent).
I think "discentive" was the clearest one word explanation. In a better world, the Board of Directors would recognize these gentlemen and give them a formal thank you up to and including a certificate of participation and thanks as well as an annual membership at no cost. I don't think I'm out of line at suggesting this.
disincentive -- better? Not sure what you mean in resp:90 Tod.
re #91 Well Mic, I'm referring to the recent events.
I don't think any money or free bonus should be given. It should and would be a pleasure working on staff if certain staffers wouldn't spoil it for everyone - current and wannabes.
re #93 Mic, I think everyone interested in Grex would probably like to see staff given a bit of recognition after volunteering for a period of time. I understand its not what motivates a person to be on staff (or I would hope that wouldn't be the case.)
Would an apology from a certain staffer help to persuade a couple of other staffers not to resign?
I think this is the sort of notable situation that requires Board involvement.
Two staff members resigning in a single day. Yeah, something is definitely rotten in the state of grex.
I feared an apology would be beyond the man - I said this way back. It has proven correct. Again, pompous - managerial smuck.
Although I think some things about the way staff works could be changed to help encourage more participation from other potential staff members and although I think the recent incident could have been handled much better, I do not feel personally offended by anything that happened and would not be moved to reconsider by an apology when no offense was offered me. Mic's entitled to feel differently, of course, and I expect he does -- his situation is totally different.. As for my own reasons -- I promise I'll try to explain them later, but right now my time is limited by circumstances in my personal life (which is, itself, one of my major reasons.) In the meantime I would appreciate it if people would not use my departure from staff as an extra club to beat up on STeve because although I disagree with him in some cases about how the system should be managed (as is only natural -- different people have different approaches..) my decision is not primarily motivated by those differences of opinion.
Well said Mike. Take your time, mate.
Fair enough.
Spooked, if enough of us ask you nicely would you reconsider resigning?
Thanks keesan... All I want is an apology. I'm a very stubborn person - when I have been treated poorly I don't ask much except for a 'sorry'.
I can understand how you would be reluctant to continue working with someone after being yelled at. Do you think an apology would make this sort of thing less likely to happen again? Probably STeve was under some sort of stress at the time, such as poor health, too much work, etc. Is it possible that you were partly at fault and could apologize for that first? (I did not really follow the whole case). Some people find it more difficult to apologize.
I don't think spooked needs to apologize for trying to update Grex's anciently obscure modules which had been hashed over in discussion in the garage conference amply beforehand. STeve just flipped out because spooked had cross (former staffer and considerably trustworthy) assisting with a root level capability. The truth is that there needs to be some sort of formal process to ensure other staff people are in the loop..and for that to happen (in a timely fashion) then some people are just going to miss the boat. It was assumed the garage conference was that venue but not according to STeve and others.
It would seem that we assumed incorrectly. Okay. Still, Steve's reaction and treatment of other parties could have been a little friendlier. I don't think that people should have to crawl around begging for apologies. If one cannot be had, and it was truly deserved then that tells you something about the nature of grex's staff. In this case, I do believe Mike deserves an apology. Even if Steve felt his actions were justified, I still think he was unjustifably caustic with his approach and subsequent lack of communication (though, to give the benefit of the doubt, maybe the latter is just due to lack of time). Moreover, apologizing for his demeanor wouldn't be invalidating his position, but rather just acknowledging that other parties were offended. It would just be saying, "Hey, I still think I was right, but sorry if the way I went about it offended you...." Probably, spooked resigning is a symptom of a larger problem (I haven't been on staff for a few months, so I don't *really* know). But if that were the case, instead of treating that symptom, one should look to treat the problem itself. Mike McNally said he had other reasons for resigning.
I wouldn't be surprised if Mike split from staff because everybody is squabbling and his heart just isn't in it. I'm sure there are schedule conflicts and other stuff, too..but I'm getting the vibe that something positive needs to happen with staff soon up to and including some leadership that isn't perceived as part of "the old guard."
I would not be surprised either if that's a big factor for Mike. Talking from how I feel personally... I want to be in a team that works AS A TEAM! When it feels more like a dictatorship - and, worse still, you are not respected and not given an apology (as Dan has said, an apology does not necessarily suggest one person was more right/wrong than anyone else) it is demoralising and counterproductive. I do not volunteer to staff for monetarily or status rewards!! I only ask for some decency and that includes basic human respect. I do not want to cause problems, and I do not believe I am radical -- or am I missing something?
eh, monetary
am I missing something? I think you pretty much said it.
If this were a Disney movie, shouldn't this be the part where the grumpy old junkyard owner takes pity on the poor little kid with the hard luck life and teaches that kid everything he knows about the junk business?
This is the part where Ben Vereen teaches Kunte the chicken dance.
I know all about a hard life. That's why I work when people sleep, so one day I may rest easier. However, regardless of where I end up, I'm very proud of the work I do and I enjoy it. And, I would never take a managerial position - I prefer earning my money.
i rather like sleeping through morning rush hour
I like writing policies, standards, protocols, and books. Not only does it allow me to meet interesting people but lunch is included.
Todd is all about the claimed-non-existant free lunch.
Policies, et. al - I produced a 340 page thesis so the next book I write will be more philosophical.
re #116 I also am kind of a sucker "for the good of the Order"
No, this is where Ben Vereen starts singing "Goodbye my life, goodbye." (All That Jazz)
Alright...so what's the story? Did steve apologize? Did cross ever get to complete his changes. Did spooked's resignation stick? *Note* Someone needs to update the web page because it looks like cross is on staff to me...
No, No, and Yes, respectively.
:( to all
The Stafflist isn't the only thing that needs updating, but it's as good a place as any to start, I guess.
Lots of things are out of date: /etc/group, for instance.
And password hashing...
Password hashing isn't "out of date," it's just "not standard."
I guess that depends on how you define ``out of date.'' Grex's password hash is based on SHA1, about which there is some speculation that it has ``interesting'' properties that would make the algorithm slightly dated.
Are we there yet?
You have several choices: