
I'm a bloodhound PMC member by way of working at the company that initially sponsored development. Unfortunately that project is pretty much dead.


I'd love to know which logging server they had exposed to the internet. Putting all infrastructure on a private network is security 101.


That is my question too - how was an internal logging server not set for restricted login only from the internal subnet?

Also - they mentioned the perp got in via a compromised employee login. No clarification if it was a former disgruntled employee, or that a current employee had a weak password, or was social engineered into divulging it.

In any case, it points to bad internal policies and procedures around isolating servers and employee password management.


Especially ironic since they do "Identity Management as a Service": https://www.onelogin.com/why-onelogin/strengthen-security


If it was a compromised employee login it could have been an indirect path to the log server. E.g. ssh or "Go to My PC" to employee workstation, or log in to company VPN, from there to internal hosts.

Not that employee workstations should have access to production machines ideally, but it is commonplace at small companies (and big ones too).


Personally I just integrate these checks into existing monitoring systems. For example, for sensu I use: https://github.com/sensu-plugins/sensu-plugins-ssl

Domain expiry is also another one people sometimes miss that should be integrated into existing monitoring.
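The kind of certificate-expiry check the comment above describes, written as an added example in the Nagios/Sensu plugin convention (exit code 0/1/2 for OK/WARNING/CRITICAL). This is not the sensu-plugins-ssl code; it is a standalone Python script using only the standard library. The warning and critical thresholds (30 and 7 days) are assumed defaults, and the hostname used in the `__main__` block is a placeholder. The TLS connection in `fetch_not_after` needs network access; the parsing and threshold logic are pure functions and can be exercised offline.

```python
"""Certificate-expiry check in the style of a Nagios/Sensu monitoring plugin.

Added example: not the sensu-plugins-ssl code. Thresholds below are assumed defaults.
"""
import socket
import ssl
import sys
import time

# Standard monitoring-plugin exit codes.
OK, WARNING, CRITICAL = 0, 1, 2
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def parse_not_after(not_after_str):
    """Parse the notAfter string as returned by SSLSocket.getpeercert(),
    e.g. 'Jun  5 12:00:00 2027 GMT', into a Unix timestamp (interpreted as UTC)."""
    return ssl.cert_time_to_seconds(not_after_str)


def classify_expiry(not_after_epoch, now_epoch, warn_days=30, crit_days=7):
    """Map time-until-expiry to a monitoring status.

    Returns (status, days_left). An already-expired certificate (days_left <= 0)
    falls through the same comparison and is CRITICAL.
    """
    days_left = (not_after_epoch - now_epoch) / 86400.0
    if days_left <= crit_days:
        return CRITICAL, days_left
    if days_left <= warn_days:
        return WARNING, days_left
    return OK, days_left


def evaluate(host, port, not_after_str, now_epoch, warn_days=30, crit_days=7):
    """Pure function: turn a notAfter string into (exit_code, plugin message).

    Kept separate from the network call so the logic can be tested offline.
    """
    status, days_left = classify_expiry(
        parse_not_after(not_after_str), now_epoch, warn_days, crit_days
    )
    msg = "CERT %s: %s:%d expires %s (%.1f days left)" % (
        LABEL[status], host, port, not_after_str, days_left
    )
    return status, msg


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect with TLS, verifying the chain against the system trust store,
    and return the leaf certificate's notAfter field. Requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, port=443, warn_days=30, crit_days=7):
    """Full check: fetch the certificate and evaluate it against the thresholds."""
    return evaluate(host, port, fetch_not_after(host, port), time.time(), warn_days, crit_days)


if __name__ == "__main__":
    # Placeholder hostname; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    code, message = check_host(target)
    print(message)
    sys.exit(code)
```

Because verification is left on in `create_default_context`, a certificate that is expired or chains to an untrusted root makes the handshake itself fail, which the plugin framework reports as an unknown/critical result; that is usually the behaviour you want for a monitoring check, since a silently-accepted bad chain defeats the purpose of the check.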


I got quoted $200/mo with 7U and 2 Amps (100Mb bandwidth) directly from HE.net, which I found strange since the next power jump goes up to $600/mo. This seems like a pretty good deal.


As far as I know, the current he.net prices are $400/month for a full rack with 15a power... and another $100/month for 100Mbps bandwidth.

If you can buy in those quantities, we resellers can't beat the price. But from what I've seen, resellers quite often can beat he.net's partial rack prices.


Git is clearly the superior VCS, how dare he!



Expect everything going through the great firewall to be slow. Also I wonder if they will allow encrypted connections over a longer period at all if they already run an app firewall.


That's what I'm doing, it's not very slow (or at least I don't really feel the difference)...

I don't think they'll ever block encrypted connections because that would deal a major blow to the foreign companies working here.


My Blackberry and iPhone let me know when I have appointments.


That solves your appointment problem, but it does not solve your salon's appointment problem, because your salon cannot buy their entire clientele an iPhone. They can, however, rely on their entire clientele already having voice service.

This is why Twilio (and related technologies) are so awesome: it turns the humblest cell phone in Africa into something which, for all practical purposes, speaks HTTP.


No company worth their weight should be using off the shelf shared hosting.


Are there any free OpenLDAP alternatives out there worth mentioning?


Although I have not used it myself, Sun's OpenDS: http://www.opends.org/

Just for reference, other directories:

  IBM Tivoli
  Microsoft Active Directory
  Novell eDirectory
  Red Hat Directory Server
  Critical Path Directory Server


Fedora DS is an open source fork of Netscape 5.1. RHDS is basically the same product. High-performance -- if you need tens of thousands of accounts, hundreds or thousands of simultaneous queries, a netscape derivative is what you want.

Sun ONE DS is free-as-in-beer. It's a newer derivative of the same codebase (Netscape) that became FDS.

Apache DS is something I've been experimenting with. Java-based. Easy to get up and running, comes with a really great default schema.

Sun OpenDS looked cool, but since the oracle acquisition, I can't bring myself to be interested in it.



I don't think anything is wrong with the regular SVN releases but I think this allows them to put out patches quickly to their customers.

The version of SVN in the regular repositories for the Linux distributions is also generally quite far behind. They are distributing the latest version.

