
Interview: Queen Elizabeth II's Webmaster Answers 95

Posted by Roblimo
from the server-wisdom-from-the-front-lines dept.
Great answers to this week's interview questions. Mick Morgan, of the UK's CCTA [Central Computer and Telecommunications Agency] has turned this Q&A session into a truly detailed primer on how to choose the hardware and operating system behind a high-profile Web site - and has dispelled quite a few myths in the process. You'll want to read this interview even if you're not into server mechanics. It contains enough personal insight and wit to be of interest even to Slashdot's least-technical readers. (Click below to see what we mean!)

fprintf asks:
Seems like a simple question, but why Linux? It seems like all the other high powered sites are using BSD of one variant or another.

...and...

Raul Acevedo asks:
In the original Sunday Times article, you are quoted as saying:

"... you can't beat them [Linux on Intel] in the bangs for your buck department. It blows Sun out of the water..."

Could you elaborate on how Linux compares to Solaris? Did you mean that Linux blows Sun out of the water in terms of price/performance (which is obvious since Linux is free), or just in general for your particular needs?

I'd be curious to hear your thoughts on Linux vs. Solaris, not just in terms of price, but overall performance, reliability, maintainability, and ease of use. As a developer, I'm seeing Linux considered as an alternative to Solaris in many places, but there's little factual (or even anecdotal) information comparing the two.

ANSWER:

I'll take these two together since the answers overlap.

In retrospect, I wish I /had/ chosen OpenBSD ;-)

And I would certainly choose OpenBSD over GNU/Linux if I were building a firewall, or an intrusion detection system (based on say, Marcus Ranum's NFR) where packet capture at wire speed was important. (No - that tells you nothing about CCTA's network architecture....)

The choice of GNU/Linux seems to have caused all sorts of interest (witness this interview itself) when a *BSD may not have been so "controversial". Frankly I'm a little surprised at the reaction the choice seems to have generated. After all, we are just talking about web servers here. Many ISPs choose GNU/Linux on Intel for exactly the same reasons I have done - best value for money for the task in hand.

Let's put this into perspective first though - and dispel a few myths which seem to have cropped up in the press. I have emphatically /not/ ditched Solaris in favour of GNU/Linux. I still have 14 operational Solaris boxes running on the network. I have GNU/Linux running on 5 Dell Poweredge 2300s (with half a gig of RAM each - the Times article suffered from poor editing). I also run GNU/Linux on my desktop in the office, on my laptop and desktop machine at home and on a couple of internal servers handling DNS and proxy services for CCTA.

The GNU/Linux choice came about for two reasons:

  • I had operational experience of GNU/Linux on a day to day basis.
  • I was faced with replacing life expired Sun hardware (including a SPARC 1000E and a couple of Sparc 20s) as part of the normal process of hardware/maintenance/upgrade.

Having bought a Redhat distribution for my laptop, whenever I needed a quick solution to a problem that would normally involve buying another box (such as building a secondary internal DNS server, or a local SMB server) I could simply recycle an old desktop PC with GNU/Linux at practically zero cost.

On the second point. When the usual business planning round came up and I had to make decisions about hardware replacement for some of the older servers, it was obvious GNU/Linux on Intel could be a much cheaper option than simple replacement of the Sun hardware. Consider: a Dual 450MHz Pentium II, with 27 gig of disk, internal DDS3 and CDROM and half a gig of RAM costs less than £5000; a dual 300MHz UltraSPARC 2 with similar configuration costs around three times that. Question. Do I need to spend that kind of money simply to run a Web server? So I ran some tests and concluded that - no I didn't need to spend that kind of money (taxpayers money I should add) and plumped for the GNU/Linux on Intel combination on the purely pragmatic grounds of best value for money for the job in hand.

For the purpose of testing I took as a benchmark the maximum real life hit rate I had ever seen on one of the Solaris servers - around 1.5-2 million hits in a day. (By hit, I mean http GET or POST request). Then I doubled that as working assumption of a realistic maximum load in my environment.

For testing I took a fairly standard, but reasonably specced PC (a single Pentium 450MHz processor, 256Mb ECC SDRAM, single 18Gb LVD 10,000 RPM SCSI disk) and loaded Redhat Linux 5.2 running Apache 1.3.3. (Because that was what I had to hand). Apart from the Web server, I turned off all other daemons. I then loaded that server with a complete copy of my main www.open.gov.uk web.

In order to simulate a real life load, I had to find some way of grabbing a randomised list of URLs from the server which reflected the real world as closely as possible. After some testing with a variety of home spun scripts and command line web testers (such as webgrab) it quickly became clear that I would bog down the clients long before I made any real demands on the server. Some searching around and questions of colleagues led me to http://alumni.caltech.edu/~dank/fixing-overloaded-web-server.html which is a useful site pointing to benchmarks and tools. This pointed me to http_load at http://www.acme.com/software/http_load/ which turned out to be pretty nifty since it runs in a single process. And of course, being OSS, I could tweak the code slightly to match my requirements. Thus armed I built some lists of URLs which were deliberately chosen to represent small text/HTML files, medium sized gif/jpeg files and large PDFs since this is the real life world on the public web servers. In load testing the server I then fired up just three client machines (one SPARC 5 running Solaris and two low end Pentiums running GNU/Linux since that was all I had to hand).

In peak load testing over a sustained 4 hour period I managed to get the server to deliver over 13,000 Mbytes in just under 500,000 HTTP transfers. During that period, CPU utilisation never went above 10%, and was usually around the 5% mark. Disk utilisation was minimal. The network connection rate was much higher than anything I'd seen in real life on the existing external servers (some 500 established connections during snapshots on the load testing period). Also during the test, Apache complained that it had reached the MaxClients setting (then 150) with no adverse effects.

Given that such a reasonably low end server handled most of what I could throw at it in my test environment, I concluded that GNU/Linux on only slightly beefier hardware made eminent sense.
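The load test described in this answer (a URL list weighted across small HTML, medium images and large PDFs, a target rate from doubling the observed daily peak, and a throughput read-out afterwards), as an added Python example that is not Mick Morgan's code and not part of http_load. The access-log lines are constructed, the base URL is a placeholder, and the only assumption about http_load is that it reads a file with one URL per line.

```python
"""Size a static-site load test as the interview describes.
Added example: not Mick Morgan's scripts and not part of http_load. The log
lines are constructed, the base URL is a placeholder, and http_load is only
assumed to read a file with one URL per line."""
import random
import re
from collections import Counter

# Constructed Apache common-log lines standing in for a real access log.
SAMPLE_LOG = """\
10.0.0.1 - - [05/Nov/1999:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 4120
10.0.0.2 - - [05/Nov/1999:10:00:02 +0000] "GET /images/crest.gif HTTP/1.0" 200 35100
10.0.0.3 - - [05/Nov/1999:10:00:03 +0000] "GET /docs/report.pdf HTTP/1.0" 200 812344
10.0.0.1 - - [05/Nov/1999:10:00:04 +0000] "GET /news/today.html HTTP/1.0" 200 9800
10.0.0.4 - - [05/Nov/1999:10:00:05 +0000] "GET /missing.html HTTP/1.0" 404 210
10.0.0.5 - - [05/Nov/1999:10:00:06 +0000] "GET /images/banner.jpg HTTP/1.0" 200 48211
10.0.0.6 - - [05/Nov/1999:10:00:07 +0000] "POST /cgi-bin/search HTTP/1.0" 200 3300
10.0.0.7 - - [05/Nov/1999:10:00:08 +0000] "GET /index.htm HTTP/1.0" 304 -
this line is deliberately malformed and must be skipped
"""

REQUEST_RE = re.compile(
    r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The three content classes the interview's URL lists were built around; the
# empty extension lets extension-less CGI paths count as text/HTML.
CATEGORIES = {
    "text": (".htm", ".html", ".txt", ""),
    "image": (".gif", ".jpg", ".jpeg"),
    "pdf": (".pdf",),
}

def classify(path):
    """Map a request path to text/image/pdf, or None for anything else."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return None

def parse_log(text):
    """Return (path, size, category) for 2xx GET/POST hits; drop the rest."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("status")[0] != "2" or m.group("size") == "-":
            continue
        cat = classify(m.group("path"))
        if cat is not None:
            hits.append((m.group("path"), int(m.group("size")), cat))
    return hits

def category_mix(hits):
    """Fraction of hits in each category, e.g. {'text': 0.5, ...}."""
    counts = Counter(cat for _, _, cat in hits)
    total = sum(counts.values())
    return {cat: counts[cat] / total for cat in CATEGORIES}

def expected_bytes_per_fetch(hits):
    """Mean response size across the mix: what one fetch costs the server."""
    return sum(size for _, size, _ in hits) / len(hits)

def build_url_list(hits, base_url, n, seed=0):
    """Draw n URLs (one per line for http_load) so the category mix matches
    the log while paths within a category are equally likely, which stops a
    single popular page from dominating the run."""
    rng = random.Random(seed)
    by_cat = {}
    for path, _, cat in hits:
        by_cat.setdefault(cat, set()).add(path)
    mix = category_mix(hits)
    cats = [c for c in CATEGORIES if c in by_cat]
    chosen = rng.choices(cats, weights=[mix[c] for c in cats], k=n)
    return [base_url + rng.choice(sorted(by_cat[c])) for c in chosen]

def target_rate(daily_hits, headroom=2.0):
    """Fetches/sec to drive, from a daily peak times a safety factor (the
    interview doubled its observed 1.5-2 million hits per day)."""
    return daily_hits * headroom / 86400

def summarise_run(mbytes, transfers, hours):
    """Throughput of a finished run (the interview: 13,000 MB, ~500,000
    transfers, 4 hours) for comparison against target_rate()."""
    seconds = hours * 3600
    return {"fetches_per_sec": transfers / seconds,
            "mbytes_per_sec": mbytes / seconds,
            "bytes_per_fetch": mbytes * 1024 * 1024 / transfers}

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print("mix:", category_mix(hits))
    print("bytes per fetch:", round(expected_bytes_per_fetch(hits)))
    for url in build_url_list(hits, "http://www.example.gov.uk", 5):  # placeholder host
        print(url)
    print("target fetches/sec:", round(target_rate(2_000_000), 1))
    print(summarise_run(13000, 500000, 4))
```

Feeding the interview's own figures to summarise_run() gives roughly 35 fetches per second at about 27 KB each, which is the number to set against the target rate before deciding the box is big enough.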

----------

anthonyclark asks:
Do you get many cracker/script kiddie attacks on the various web sites you run?

ANSWER:

Yes ;-)

Any high profile site is going to attract unwelcome visitors. My job is made harder, and more stressful, by such attention - but that is what I am paid for. My friends know that I have nightmares about waking up to find graffiti (which is all it is) on one of my customers' sites.

Like any other conscientious sysadmin I take a personal interest in the security of my servers. Naturally I will use all the tools at my disposal to minimise the vulnerabilities. But of course I get unwelcome attention.

A plea to the community if I may. And here I can do no better than quote from Fyodor's article in Phrack Volume 8 issue 54 where he discusses remote OS fingerprinting:

"A worse possibility is someone scanning 500,000 hosts in advance to see what OS is running and what ports are open. Then when someone posts (say) a root hole in Sun's comsat daemon, our little cracker could grep his list for 'UDP/512' and 'Solaris 2.6' and he immediately has pages and pages of rootable boxes. It should be noted that this is SCRIPT KIDDIE behavior. You have demonstrated no skill and nobody is even remotely impressed that you were able to find some vulnerable .edu that had not patched the hole in time. Also, people will be even _less_ impressed if you use your newfound access to deface the department's web site with a self-aggrandizing rant about how damn good you are and how stupid the sysadmins must be."
Sysadmins are not stupid. They are simply usually overworked and have to balance the need to provide services to their customer base with the need to minimise the risks to those services. Attacking public servers (whoever owns them) merely serves to irritate sysadmins, and usually nobody else.

I was not overjoyed to notice comments on /. of the form "whoo, so the Royal Web site has moved to Linux. I've got a rootkit with your name on it" (you know who you are). Consider. I have just moved some high profile web sites to the OS of choice to you readers. You want to see that OS taken seriously. Scribbling graffiti all over such a web site would have all sorts of negative impacts on the perceptions of people who matter.

Besides, you'd upset me.

----------

chromatic asks:
If you could add or change three things about Linux to make your job easier or more enjoyable, what would they be?

ANSWER:

1. The ability to read BUGTRAQ, evaluate the threat, consider vulnerability to that threat and auto patch or upgrade accordingly. It should then email me saying "I'm OK now, you can go back to reading /.".

2. An artificial intelligence based real time log watcher and network daemon which could learn network connect patterns and modify either the stack or the services running accordingly. The system should be capable of real-time blocking (a la portsentry) of "hostile" connects, co-operation with external IDS systems and firewalls, real-time reconfiguration of external security components, real-time alerts to other hosts on the lines of "hey guys, I'm being hit by X, watch it." It should then email me saying "I'm OK now, you can go back to reading /." :-)

3. An ASCII character based version of rogue. I miss it.

----------

Ryandav asks:
What kind of redundancy do you build into the server system for such a large and important site, i.e. round-robin style servers or large, beefy superboxes, etc...

ANSWER:

You can see from answer above that I do not use "large, beefy superboxes". Frankly you don't need to to run a Web server. Nor do I use round robin DNS or other load balancing such as CISCO local director. In my experience of the sites I run, I don't need to do so. None of the sites gets hit hard enough to warrant the additional complexity of mirrored, load balanced servers. Our most popular site by far is the Royal Household site. That takes around 2-2.5 million hits per week (though I expect that to go up slightly now). The highest consistent hit rate I have seen is around 1.5-2 million hits per day. Any of the servers I have could cope with that. The redundancy we build in is in having backup hardware ready to run.

----------

wowbagger asks:
To what extent is the Royal Family involved with the site (e.g. content creation)?

ANSWER:

The Royal Family take an active interest in both of the royal web sites (one of which is hosted by the Press Association - www.royalinsight.gov.uk -). This interest includes both the current content of the sites, as well as future developments. The Queen herself launched royal.gov.uk in March 1997.

jd asks:
What's the official reaction to these sites running Linux? Assuming the British Government, and Her Majesty, are aware that their public image on the Internet is being presented via software that is non-traditional and non-commercial, what do they think of it all?

ANSWER:

The priority for the heavily visited royal web site is accessibility, balanced of course by reliability and security. These are the important issues, rather than the nature of the server operating system.

----------

Dicky asks:
What is your background? Are you a techie, an admin person, or an other? Do you use Linux personally? If so, did you come from a Unix, Windows or other background?

ANSWER:

I am a techie (though some of my friends and colleagues are a little less complimentary than that). My background is in Unix sysadmin and network management. I joined CCTA in 1993 from the UK Treasury where I was responsible for their Unix based OA system. Prior to that I was responsible for IT security in the Treasury. I have done some small systems development work in the past on MS/DOS machines (way before windows really took off) and CP/M micros. Most of my early career was in specialist support areas such as statistics, though I did a short stint in policy for a while in the mid to late 80's - didn't like it much.

Yes, I use GNU/Linux personally. It is my preferred platform for home use.

Dicky also asks:
And a related question: What is the primary system around your department?

ANSWER:

Depends what you mean by my department. In my area of responsibility the main systems are all *nix based. But the corporate desktop is NT4.

----------

Brian Knotts asks:
The obvious question: Does the Queen read Slashdot? :-/

ANSWER:

No. The Queen's interest in Internet matters is non-technical, although she sees on her visits to a wide variety of organisations the increasingly imaginative uses for the Internet.

----------

Simon Brooke asks: I've been very pleased lately to see Open.Gov's clear policy statement on the use of open standards. I'm personally involved in working with some large UK companies on their own Web standards policies, and having this to point to has been extremely useful to me. How difficult was it to get buy in to these standards by all the people who 'own' different Government sites, and how difficult is it to enforce?

I notice, for example, that the Scottish Parliament's web site, and my local Council's Web site, do not yet conform. Without wishing to point fingers at specific organisations, is it your intention to cajole all sites within .gov.uk to conform to these standards? Is it appropriate for members of the public to draw administrators of these sites attention to these standards?

ANSWER:

CCTA has long been a standards based organisation. My colleague Neil Pawley is CCTA's representative to W3C. Neil is also lead designer on the open.gov.uk site. Since CCTA is a member of W3C it is entirely appropriate that we should take a lead in using standards set by that organisation. Using HTML4, CSS2 and XHTML1 for example on a real life server gives us valuable information on usability issues such as browser compatibility. Much of the feedback we have received has been very positive. On occasion we have had to deviate slightly from the standards where their use causes our public difficulty because of some incompatibility with a particular client setup. That experience itself is very helpful, since it allows us to feed back into the standards making process.

CCTA has an advisory role on best practice in the use of IS/IT in the UK Public sector. We have no authority to mandate particular standards, nor would we seek to do so. If the use of standards is to be effective in any way, it is because the standards themselves make sense in the real world (witness the growth in the use of the TCP/IP protocol set at the expense of the OSI standards).

Simon Brooke adds... Oh, and, by the way, keep up the good work!

We intend to.

Thanks for your interest. It has been educational for me.

-- Mick Morgan

-- end --

Next week: John Vranesevich of AntiOnline.

  • I would like to commend Slashdot for asking Mick about his reasons for choosing Linux and not *BSD. It has been suggested that such a question was just a troll or flamebait.

    I'd like to thank Mick for answering all these questions in such a way that non-technical readers of this forum (there are a few of us, it seems) can actually understand why you chose Linux.
  • Or better yet, just not interview the real troll from AntiOnline.

  • Let's see the theoretical load limit, with this setup. 2 million hits per day, doubled = 4 million hits. This load never put the processor above 5%. If you assume linear scaling, this means 80 million hits per day, on a single processor, low-end pentium box, with no further tuning.

    That's one hell of a throughput, for a single box that size!

    These are static pages, so you can use an accelerator, such as Squid. This might easily bump the number of access up by an order of magnitude, taking you to 800 million hits per day. Not far from that billion you mention. :) And we're -still- talking about a meagre low-end Pentium!

    It would seem kind-of silly to talk about anything higher-end than this setup, but I might as well, just for amusement.

    Throw in PGCC, and you're going to increase performance by perhaps as much as 20%. Let's use that figure, as a plausible guesstimate. We're now up to 960 million.

    Linux is scalable to at least 2 processors, so let's say we do that. It's approximately linear, to 2, bringing us to 1,920 million.

    Now, let's upgrade that natty old Pentium, and install K6's or P3's instead. The impact of this is harder to guesstimate, but let's say that you can squeeze a doubling in performance from such an upgrade. The maximum capacity now stands at 3,840 million hits.

    This, then, is a first guess at the theoretical maximum load you can get out of Linux and Apache - close to 4 US Billion hits per day! (Probably slightly over, for *BSD and Apache)

    This doesn't knock what this guy's done, in the least! On the contrary, it shows that what he's achieved is a staggering feat, AND that he can keep making staggering achievements for a long time to come.

  • but he has a keen mastery of the English language!

    Ain't it wild? They still teach that stuff over there!

    I also like how he comes across as strong, but not threatening when talking about "script kiddies" and other such matters.

    Ahh yes, the "Enlightened Sense of Humor". Subscribers to which, in the US, are often hunted for sport.
  • I hope you get major Karma for correcting these URLs! Thanks!!!!!
  • Reasonable, yes. I like the article, and I like the facts and figures. Truth is that with static pages the bottleneck is going to be on your connection, as well as the theoretical maximum of the protocol. It is a fact that one box with one IP address cannot saturate a T3 because the protocol only allows for so many packets in transit.

    It's also a fact that a 486DX2/66 with a good ethernet card and 64 MB of ram can saturate a T1.

    I think your extrapolation is flawed, but with this being a theoretical extrapolation, its value is increased if put into perspective, but diminished if left alone.

    I hope this adds perspective, and value.
  • Hack was always the most humor-oriented of the rogues, perhaps for some at the expense of serious roleplaying.

    Hack is by far my favorite, although I have a soft spot for Larn, and the "mission to save your daughter". It was such a cute little game. There were some interesting playing techniques that could really abuse the game. We had a student who really mastered them, and used them to tease another player from the datacenter. Each time the datacenter guy made a new highscore, the student beat it (just a little), but with negative game time. Nice to know that he had the medicine ready even before his daughter went sick ;-)
  • There is no shortage of character-based Rogue-like games for Linux (or other UNIX). My personal favorite is Angband, which you can get here:

    http://www.phial.com/angband/

    However, there are plenty of others, including Nethack, Moria, and Omega. (Not to mention all the Angband variations!) I once got a copy of the original Rogue, but I don't seem to have it around any more - I'm sure someone on rec.games.roguelike.misc would know.

    And for what it's worth, those of you that haven't played these games (Angband in particular) - give it a try. Angband has consumed more time than all the commercial games I've ever played put together, and that's saying quite a bit.
  • Half the fun of a text based roguelike is hacking the source and sharing your enhancements. ADOM is not free software, and thus no fun.
  • First, I'd like to join the chorus of those commenting on what a fine read this was. Thanks, Mick!

    Second, I'd like to call attention to this casually mentioned statement:

    > The GNU/Linux choice came about for two reasons... [1] I had operational experience of GNU/Linux on a day to day basis. [2]...

    Wow. Linuxers in decision-making positions. Brace yourself, O World.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • ...the Queen, Linus Torvalds, official purveyor of Operating Systems to Her Majesty's Household.


  • Well he certainly had 25 crashes and 17 cracks since he installed linux ;-)).

    No, read on and you'll see
    The choice of GNU/Linux seems to have caused all sorts of interest (witness this interview itself) when a *BSD may not have been so "controversial". Frankly I'm a little surprised at the reaction the choice seems to have generated. After all, we are just talking about web servers here. Many ISPs choose GNU/Linux on Intel for exactly the same reasons I have done - best value for money for the task in hand.
    He also stated he wanted to dispel some myths and made it very clear what he thinks about every cheesy computer newssite/paper riding on the fact they chose Linux. That's the argument.
  • by jimiZ (42759)
    Great article. I am however interested in the reasons for wanting to oust Linux for *BSD. After reading such a valiant argument for Linux I almost forgot *BSD existed.


  • Agreed. The response was very well done, as well as encouraging and helpful in its clarity.
  • Each hour I spend on security is an hour I don't spend improving the content of my site - and that content benefits a lot of people.

    Why shouldn't I be complacent about security? Why should I waste my time downloading patches, installing new stuff, and so on?

    I suppose if there was top-secret information on my systems, I'd think otherwise, but the only really valuable stuff on my sites is what's already exposed to the public.

    To me, script kiddies are evil, and the whole idea of breaking into other people's systems for a thrill is childish.

    I think there should be extremely stiff penalties for being a script kiddie, and they should be enforced. People should go to jail for invading systems -- that would stop it right proper. It's no different morally than breaking into someone's house and burning it down.

    D

    ----
  • Neither, I think. It's moderated down, but it really is rather funny. Satire is a wonderful thing, research it.

    He does manage to capture the advokiddie essence quite well, and I commend him for his efforts.

    :)

    Regards,
    -efisher
    ---
  • >Angband, seems to have had problems with curses linking, but I have just been told that this has been fixed in the latest version.

    For reference, info and source for angband and about 10^3 variants can be found at thangorodrim.angband.org [angband.org].

  • by Anonymous Coward
    Well, Slashdot won't have proven they can get an interview with everyone until they get a interview with the creator of the Internet, Al Gore.
  • We are probably better off if I don't get any points for that... Just imagine: not only would we have people trying to get first post, but karma-seekers would also be posting First Correction!!! messages...

    But to get back on topic, I'm glad this was here today. Although I use RedHat at home and at work, I've been debating what to put on the web server that I am in the process of building. I've still got that idea in my head that the BSD IP stack is better. After reading this, I am going to just go with my gut and put Linux on my web server, too.

  • >He had some pretty good responses. And I hope, those of you that are script kiddies take heed of his request. Discovering a security hole
    >and reporting it is respectable, but taking a reported security hole and exploiting it is despicable.

    I wouldn't say "despicable"... maybe "pathetic".

    Wonderful peek into the life of a fellow sysadmin. True, script kiddies are annoying, but they're just that - annoying. Not dangerous, or threatening. In my experience, it's the PHBs that scream bloody murder when they find out we get routinely probed every day.

    This is why web page defacements are more irritating that root break-ins - because the former makes the PHBs take notice, even though the latter takes a LOT more work to clean up. I'd prefer to deal with a machine than a few irate VPs.

    Funny, though. The few script kiddies I've actually taken the time to talk to all tell me they dream of getting hired by some company on the basis of their 'leet skills. Heh. Just goes to show you how much they know about our jobs.
  • Hear Ye, Hear Ye, citizens of the world, be it known to all present, Her Majesty's System Administrator has spoken - Free *nix is hereby declared the "Better Value Proposition"(tm); therefore and forthwith, let all who would misrepresent for greedy promulgation of false doctrine and profit thereby on the unsuspecting, henceforth be quiet and quit their arrogant boasting of the inferior OS and seek instead to improve upon their products until it should be of goodly quality, and then return to the arena of competition.

    Sir Chuck
  • "Over there" being the rest of the world ?
  • If you would use PGCC on a live server, you certainly would be allowed to touch one of mine. The author of PGCC is on the egcs (err.. gcc 3.0) team; all "safe" optimizations are rolled into gcc. PGCC is mostly an experimental playground for new ideas. Using it on a production server is insanity. Are you running 2.3.35 on your production boxes? Why not, it's faster!
  • Actually, web service is a very light load on a system. If your system can't handle web service, it means your system can't do very much at all. If it can handle web service, it means it can handle a light workout. Nothing more
  • If everyone is going to start talking about security and Linux. I think you should all consider a few points first.

    Many people say that Linux is less secure than any *BSD. This is really a half-truth. Yes, you will probably find more security holes in a Linux system than, say, an OpenBSD system. Why? Well, isn't Linux a bleeding edge operating system?
    In fact I bet the majority of you are using a distribution that has many packages that were in beta or development when they were burnt on that CD-ROM. In fact it's hard to find a distro nowadays that doesn't come with over half the software being the development version and not the stable one.

    And if I recall correctly isn't OpenBSD a bit more strict about what it bundles? And when I say strict, I mean strict in a *BSD sense. If you want a little more bleeding edge you may want to try FreeBSD.

    The point is that Linux only seems insecure because of the wide practice of using development packages and not stable ones. Also Linux/OpenSource development is starting to become so wide that of course with more software people are going to find more bugs. This is a good thing.

    And the last point should be that with the Linux vs. Windows battle. Every trip-up that Linux has, is going to make HEADLINES. Just consider this part of the price of taking on the top dog.
  • by Filgy (2588)
    Ohh, cool. I would personally like to know how he went about bribing Rob and Jeff to have them promote such a crook.
  • If you want to push that up even further, add stuff like the khttpd server (blazingly fast on static content), a couple of gigabit ethernet cards, 4-way SMP 800 MHz K7s (I hear AMD is stockpiling them right now), and a massive SCSI RAID-5 system. Compile with GCC 2.95.1 and -O9. Heck, one of those things could run /.!
  • Personally, I prefer nethack, but here are a few rogues (all character-based)

    ftp://metalab.unc.edu/pub/Linux/games/dungeon/
  • Good article for Guy Fawkes day.

    Conscience is the inner voice which warns us that someone may be looking.

  • by Anonymous Coward
    If you're reading this, Mick, you can grab the Linux port of Rogue from http://www.win.tue.nl/games/roguelike/rogue/index.html

    Top regards!
  • by NME (36282)
    Very interesting from a technical and non-technical standpoint. I like to see Sys Admins getting their $0.02 in, especially when they seem to be reasonable people. I know a lot of admins who are hard-headed and brash, without being correct very often.

    -nme!

    PS I'm extremely curious to see how the AntiOnline interview goes. I expect a lot of vitriol and flames. How about you?
  • by Tet (2721)
    An ASCII character based version of rogue. I miss it.

    I have the source somewhere. I'll see if I can dig it out. From what I remember, though, it's not freely distributable. Other than that, you may want to check out zangband. It's an enhancement of angband, which in itself is an enhanced version of moria, a rogue-like game. Yes, it has graphics if you want them, but I always compile it without them. Nothing like the good-old text based interface. More details at http://thangorodrim.angband.org [angband.org].

  • Personally, I prefer nethack

    For some reason I've always hated hack (and later, nethack). I've loved pretty much every other game of the genre: rogue, larn, moria, angband, even omega (although it was a bit too slow and too buggy for my tastes). Somehow, though, {,net}hack just never felt right...

  • I just wanted to say thanks to all the Slashdot editors and readers. I find it extremely amazing that Slashdot now has the weight (readership, etc.) behind to be able to interview just about anybody it wants. I mean, we just got an interview from a guy who is in charge of systems for the the UK government? I've never seen an article like that in any computer magazine. Thanks for the great article. I bet pretty soon people are going to be lining up to be interviewed on Slashdot.

    Matt
  • On the response of

    In retrospect, I wish I /had/ chosen OpenBSD ;-)

    I would probably agree. Although I use GNU/Linux for my personal web page, OpenBSD has been known for its security. A homogeneous solution is usually a bad one. This is my main argument against Microsoft. My experience with Unix is that, although not completely compatible, they all work well together. At work I use Solaris, AIX and Linux, each with a separate duty. I'll probably start using *BSD OS soon too. Linux I feel is probably the best for interface and general setup. I'm looking at BSD for firewalls and some servers. Unix works because all of them try to follow standards. Again, Microsoft tries to implement their own "better" standards. I've been to two Microsoft presentations, and both times they touted their proprietary solutions as the best thing out there. Unfortunately, their presentations are good, and they easily convince the higher ups. I wouldn't mind MS so much if they tried to get along with other OS's instead of dominating them.

    He had some pretty good responses. And I hope, those of you that are script kiddies take heed of his request. Discovering a security hole and reporting it is respectable, but taking a reported security hole and exploiting it is despicable.

    Steven Rostedt
  • Perhaps the Queen should, in light of the favour which the Royal Webmaster extends to Linux, decree that the OS of the land shall be Linux! :)

    _____________
  • by RNG (35225) on Friday November 05, 1999 @06:20AM (#1560779) Homepage
    This is a very nice and balanced story; the kind of story you can show to prospective customers when you're trying to convince them to use Linux. This story is good for Linux for the following reasons:
    • It's a high profile site
    • It's a rational discussion about the relative merits of Linux
    • It specifically addresses the validity of the Mindcraft benchmark (i.e. you don't need huge boxes to serve static pages and you're not going to get billions of hits/day)

    To paraphrase Frank Drebin (from the Naked Gun movies): No matter how silly we find the idea of having a queen, we'll make her feel at home :-) Let's be glad that they're using Linux rather than NT ...
  • Or alternatively try Angband, a rogue derivative,
    at http://thangorodrim.angband.org, or one of its variants.. (there's a lot of them; I can personally recommend ZAngband)

    //rdj
  • by omarius (52253)
    That was one of the best interviews I've read on slashdot. This is one of the best and wisest descriptions I've read about what it means to be a sysadmin since I pored through the O'R books when I first became interested in UNIX. It's good to see this kind of sysadmin -- one that is level headed, honest, knowledgeable, and chooses the right tools for the job without blind brand loyalty or bias.

    Because, if all sysadmins were like that, and had the power to choose, we'd see more Linux systems, and more Linux development.

    -Omar

  • They keep us on our toes. If they did not exist, sysadmins could become very complacent.

    But fear over web page defacement leads to (hopefully) more updating of systems for bugfixes, and makes them more secure against real threats.
  • He may have volunteered to be interviewed, apparently he does read slashdot.

    In his answer to features wanted for Linux, he mentions polling Bugtraq, and then responding:

    "I'm OK now, you can go back to reading /.".

    I put an offer in to slashdot to be interviewed, "man refreshes slashdot dozens of times an hour in quest for karma and on-topic first post", I expect to hear from Rob real soon now.

    George
  • Omega was, IMHO, the most sophisticated, in a lot of ways, but you're right about the bugs! That thing was -crawling- with them! To make things worse, it's not been maintained for a loooong time.

    I've been meaning, for a long time, to sit down, disembowel Omega, and write a bug-free clone. Care to help?

  • > I put an offer in to slashdot to be interviewed, "man refreshes slashdot dozens of times an hour in quest for karma and on-topic first post", I expect to hear from Rob real soon now.

    But you need something to make yourself stand out from 10K other people doing the same thing!

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Yes. I, too, wondered exactly what he meant by that statement. Was he saying that he wished he had chosen OpenBSD in retrospect because:
    1. He is under attack from script kiddies and thinks he might be more secure with OpenBSD, or
    2. He is getting tired of all the people asking him why he didn't choose OpenBSD
    BTW, if you're already using Linux, and want to increase security at the kernel level, you might want to look at Secure-Linux [openwall.com], a kernel patch which adds some nice security options to the Linux kernel.

    --
    Interested in XFMail? New XFMail home page [slappy.org]
  • Looks like several people had the same idea; try: http://www.win.tue.nl/games/roguelike/
  • Good, nay, very good article. Nice to see such technical competence, smooth prose and consistent usage of "GNU/Linux". Now... off to the fireworks!
  • I think he means that /. covers more than just GNU/Linux, but other things like nifty gadgets, other OSes, etc..
  • Ancient Domains of Mystery [www.adom.de] is definitely the best roguelike ever. The plot, gimmicks and programming are so imaginative. A dungeon with a frictionless surface? Fluff balls, when watered, mutate into gremlins?! Amazing. And, of course, it runs on Linux.
  • Yes. I, too, wondered exactly what he meant by that statement. Was he saying that he wished he had chosen OpenBSD in retrospect because:

    Read it again. He wishes he had chosen BSD because the Linux choice has attracted too much pointless attention. If he had chosen BSD, he wouldn't have been mentioned on ./ or interviewed here, for example. With Linux come the groupies :)

  • I should add that I installed the Secure-Linux patch on one of my Linux boxes, and then temporarily installed ProFTPd 1.2.0pre1 (a known vulnerable version) on it. I tested it with one of the exploits that we know works, and with Secure-Linux, the exploit failed. Pretty neat.

    Secure-Linux won't necessarily keep you safe from every potential exploit, but if you keep up to date, it will at least lessen your chances of getting bit by a heretofore-unknown exploit.

    --
    Interested in XFMail? New XFMail home page [slappy.org]

  • 8)

    Ok, step 2:

    Repeat after me:
    *BSD is your friend!
  • by Ledge Kindred (82988) on Friday November 05, 1999 @07:56AM (#1560795)
    Why does this interview (which I enjoyed very much, thank you) remind me of that Monty Python episode.... everything gets all wavy and misty, this is obviously an imaginative day-dream sequence.

    In recognition of Her loyal subject's being interviewed on Slashdot, Her Royal Highness the Queen has decided to surf the 'web today. If she should show up here in Slashdot, we would like to request that all our readers please stand out of respect for HRH. You will be notified when she is visiting.

    {a few minutes later}

    We understand that HRH is currently reading something on C|Net. More information when we have it.

    {A couple minutes later, a MIDI of God Save The Queen begins to play, then is cut off quickly}

    We thought for a moment that she was going to click on a link Slashdot, but she decided to read NTKNow first.

    {A couple minutes later, the MIDI starts to play again and a little Javascript "Alert" box pops up to all /. readers saying:}

    We understand that HRH Queen Elizabeth II is now reading articles on Slashdot. If you would please stand to show your respect.

    .... and all across the world, random geeks in offices, cubicles, living rooms, and dens stand up, looking a bit embarrassed and uncomfortable because everyone's looking at them as they stand at attention with a tinny little MIDI coming from their computer.

    Everything gets all wavy and misty again, indicating the end of the day-dream sequence.

    -=-=-=-=-

  • My favorite part was:

    "Sysadmins are not stupid. They are simply usually overworked and have to balance the need to provide services to their customer base with the need to minimise the risks to those services. Attacking public servers (whoever owns them) merely serves to irritate sysadmins, and usually nobody else."


    I had a coworker that accidentally left a public ftp directory world-writable. The warez kiddies found it in about a week, but I didn't notice until the day after when the network load ramped up. Of course, I moved the warez out of sight and tightened the system up at once. But the fun had just begun. There were a number of systems running poorly written scripts which would connect, and, not finding the files/directories they were sent to pull, would just freeze until they timed out. So I spent a wonderful Saturday writing scripts to kick these off, adding the worst offenders to tcpwrappers, and finally scripting a once-a-minute kick in the seat to inetd so that it would realize that it actually *could* open another socket.

    Waste of a good Saturday, that. Oh, well, I don't work there anymore....
  • You might also want to try RSBAC, or Rule Set Based Access Control.
  • Well, I think the same of "real" crackers too, to tell the truth. But "real" crackers are out challenging prominent sites that have administrative staffs who can take the heat.

    I, well, I'm just me. I'm easy prey for script kiddies, because for the most part I don't care whether someone breaks into my system or not. But one of them did, and hacked PS. Since I need a working PS, I need to install Linux all over again, and frankly, I really don't have the time.

    Script kiddies love people like me because we don't present a significant challenge. Crackers don't care because we present no challenge.

    So script kiddies make me more upset than hackers because they're the only people who'd feel there's any point in cracking my system.

    Anyone have a recommendation for a "secure out of the box" Linux distribution I could use? One that wouldn't prevent telnet, because unfortunately I have to get to my system from Windows boxes that don't have stuff like ssh?

    D

    ----
  • You could also try using StackGuard [ogi.edu] to make your daemons more secure; it looks quite cool.
  • Slashdot has quite a bit of weight these days. The rest of us UK Govt webmasters are actually rather envious of Mick having been interviewed - Slashdot's reference to him as "Queen Elizabeth II's Webmaster" has a nice ring about it...

    (Excellent interview too; kudos to Mick).

    Chris Owen
    Webmaster,
    Ministry of Defence

  • It helps if the interviewee reads /. and thinks it's cool :-)
  • Angband and moria both compile under Linux. I have had to make certain changes though, on compiling these on occasion:

    With moria, prscore doesn't compile; you don't need it, so edit the Makefile and you'll be OK.

    Angband, seems to have had problems with curses linking, but I have just been told that this has been fixed in the latest version.

    Here's the link [sunsite.org.uk] which should be OK, Imperial College Sunsite Mirror in London.

    And hey - has someone ported rogue to this directory as well?
  • A question shoulda been, "France is considering making Open Source mandatory for its government's use. Does that make it less desirable for the UK?"
  • by crisco (4669) on Friday November 05, 1999 @06:47AM (#1560808) Homepage
    Great answers to some good questions. The article left me with one question about the following statement:

    In retrospect, I wish I /had/ chosen OpenBSD ;-)

    Why is that? I mean, I know most of the standard arguments for BSD over Linux but why would you, a Linux user even at home, now make that statement? The standard security reasons? Was there a specific incident (that you can talk about) that triggered that statement? Had you later tested the BSD / Apache combination and achieved better performance?

  • by tweek (18111) on Friday November 05, 1999 @06:48AM (#1560809) Homepage Journal
    I think this is the best interview I've read in a long time. Here is the key that jumped out at me.

    This is a real world HIGH end test of Linux in the server arena. No 8-way proc boxen running the web site. Not even load balancing. Look how it handles under the load. Wonderfully. This is what I want to see more of when people mention benchmarks. I want high profile real world examples. Thank you for a great interview and the positive support of GNU/Linux.
    "We hope you find fun and laughter in the new millenium" - Top half of fastfood gamepiece
  • by Royster (16042)
    Repeat after me: *BSD is not an enemy.
  • By "trolls" I hope you are referring to JP himself and not the people who have to deal with his unique take on computer "Security".


    -sirket
  • I actually found it a bit annoying. It just has never sounded right to me. I was using Linux long before I ever heard it referred to as GNU/Linux, so I doubt it will ever sound right. I don't really have a problem with those who prefer to call it that, though I do tend to roll my eyes whenever I hear it. Those who insist it should be called GNU/Linux do tend to bug me quite a bit though.
  • Yeah, I got a few choice words for him. Like why did he take down PSS and how does he feel now that it's been reincarnated. I'll stop there for now. I don't want to get sued or anything.
  • I don't see these posted yet, so here they are:

    The benchmarking tools can be found here [caltech.edu].

    Http_load can be found here [acme.com].

  • I put an offer in to slashdot to be interviewed, "man refreshes slashdot dozens of times an hour in quest for karma and on-topic first post", I expect to hear from Rob real soon now.

    But you need something to make yourself stand out from 10K other people doing the same thing!


    You mean I'm not the only one?

    George
  • Note to all OSS supporters... do not sink to this level and post a personal attack against anybody...
    We should be bigger than that.
  • Darn, my moderator points expired before I could give it a +1, underrated, o well.
  • by Anonymous Coward

    Well, rogue is part of the NetBSD distribution (and probably FreeBSD and OpenBSD as well), so source should be available from ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/games/rogue/

    I would hope it's not too difficult to port to Linux.

  • I've been meaning, for a long time, to sit down, disembowel Omega, and write a bug-free clone. Care to help?

    Actually, Omega is now under the maintainership of William Tanksley. Unfortunately, William hasn't released a stable version yet, and he doesn't have a permanent Omega web site yet.

    You can visit the official Omega site [alcyone.com], though. Or check the rec.games.roguelike.misc [roguelike.misc] newsgroup.

    I know that William sometimes reads /., so maybe he can give us some updates....

    • I find it extremely amazing that Slashdot now has the weight (readership, etc.) behind to be able to interview just about anybody it wants
    Interview: Bill Gates Answers

    Now that's a slashdot interview I'd like to see. I just think that we would need more moderation points. A lot more.
  • by Otto (17870) on Friday November 05, 1999 @06:57AM (#1560824) Homepage Journal
    I was not overjoyed to notice comments on /. of the form "whoo, so the Royal Web site has moved to Linux. I've got a rootkit with your name on it" (you know who you are). Consider. I have just moved some high profile web sites to the OS of choice to you readers. You want to see that OS taken seriously.

    Hey, script kiddies read /. too. You don't think all these "First Post!" morons actually have a clue do you?

    I just wanted to exonerate the Linux-lovin' /. crowd and point out that not everyone who is a /. fan is an open-source/Linux fan.

    /. is bigger than that.



    ---
  • Any chance to extend your interview to cover this question?
  • I just wanted to exonerate the Linux-lovin' /. crowd and point out that not everyone who is a /. fan is an open-source/Linux fan. /. is bigger than that.

    If the (last occurrence of the) word "that" in the above paragraph refers to OSS/Linux, then I think you are really mistaken ... OSS/Linux has changed (and is still changing) the computing landscape (hopefully) forever. I like ./ quite a bit, but compared to OSS/Linux, it's puny ... ./ is (to some degree) the community's mouthpiece, but the only reason there is a community is due to the fact that we have OSS/Linux, not the other way around ...
  • Thanks, BillH. I'm changing those URLs now. The original ones worked fine when I tested them last night. (sigh)

    - Robin