YWAM Information Technology - Networking - Comments

Leopard

R.Blevins — Tue, 06 May 2008 14:12:57 +0100

About Leopard only seeing Leopard and Tiger...I don't have any problems on my Leopard machine seeing windows 'puters. Maybe you have to enable Windows filesharing first in the control panel before it will even see windows machines. Not sure about that though. Just a thought.

I can help a bit more

KevinColyer — Fri, 22 Feb 2008 20:05:36 +0000

Dear James,

The site seems to be having difficulties. Can you email me kevin AT ywambrussels DOT be and I can help you direct. I thought I would try again as comments spam seems to get through but my comments were not!

Cheers,

Kevin

networking different OS == tough job

neo — Sat, 09 Feb 2008 16:47:38 +0000

Hi,
sounds like a somewhat tough job to get all these together on a network. The probably best suggestion I have for is, be patient.

I'm working in an office with mainly Macs (OSX 10.2, 10.3, 10.4, 10.5 & a couple Media 100 with OS9.2) plus my Linux machine and every once in a while a Windows XP is around. So far I have never been able to connect from any of the Macs to an WinXP, but I think they all have been Home edition.
If I'm not mistaken than XP Home only connects to max 4 other machines at any given time. I dunno how it is with W2k Home vs. Pro. Although I must say that I never had trouble connecting a Mac to my W2K Pro, when it was still alive (God bless this faithful machine which is in computer heaven now). I never figured out how to do it the other way round. You didn't mention whether the W2K's are Home or Pro. But this could be something worth to investigate how that really is with the Home vs. Pro. You also mention 1 desktop with WinXP, I'm assuming this is Home since you specified the laptops and the server as XP Pro.

I don't think that all these computer belong to YWAM, right? So, something to start with would be to make sure that all settings on all machines are correct. Changing a setting on ones personal computer might cause trouble with the networking on your base. With this particular machine, at least.

Before you throw out anything maybe, first of all, we can evaluate what you need and what your options are.
You have 15 W2k for data entry. What sort of data, does that depend on Windows in general and/or an old version of a program that does not run on anything newer (I hope this isn't the case)? Or are they there because you had them and they simply do what they are needed for? Is that data local or in a shared directory on the server or is that a database on the server??
In other words, could these machines replaced with something else? What is YWAM and what is private owned, anyways?

Which leads me to the question which programs you need. Mainly I mean YWAM owned computers, since what people load on their personal is basically their own choice according to their needs. You didn't say anything about email server, etc. So, I assume you don't depend on any service like this on the server, really just and only file and printer sharing.

Another question that comes to my mind is, what about backup? Do you have backup, is everything from a local computer on the file server as well? That would mean there is some sort of serious HDD space available which probably could not simply be put on one of the G4's.

Possible solutions.
Get a Windows Server. By this I really mean a server version of Windows. This, for sure, requires new hardware for the server. But that should work "out of the box" (correct configuration assumed) with all your Windows machines plus the Macs can connect via a Remote Desktop. However, every computer that connects to the server needs a client license which cost real money and I don't think the base will pay for those who use a personal Mac and want to connect to Outlook or whatever.
All in all, this is a rather pricey option.
If you think that is too expensive than don't even look at a Apple server. Besides that I don't know how they network with Windows, anyways. A big advantage here is that no one needs to adjust to anything new really. Windows is still Windows, on a local computer or on a server doesn't matter.

Another option would be to go Linux. Ya, I know that would add another OS but let us take a closer look. First of all Linux has a piece of software called Samba. With that almost every OS can access the server for file sharing.
The next thing that comes to mind is your W2k machines. Unless you have a special service contract with MS the OS is no longer supported. Means, no more bug fix, etc. You are stuck in case of security issues, you depend on the programs that are (still) available and supported for W2k. Sooner or later you will be stuck with old versions of programs. If you can update all these machines? I dunno, but to get 15 WinXP Pro licenses is somewhat pricey, anyways. From that point of view it might be worth thinking about to better go with a Windows server if the programs are Windows dependent.
If, however, the programs can be replaced with Linux available stuff you could install Linux and have up-to-date programs and OS. If, of course, the machines are powerful enough for an up-to-date Linux. But you also could set up a remote desktop connection to a Linux server or get rid of W2k all together and install a Linux Terminal Server (LTSP). In case of Linux you only have to pay for the hardware. I believe Kevin can give you some insight about the LTSP, the needed hardware, etc. Other computer then can still access shared folder(s) on the server.
So, with Linux you can have a "simply" file sharing machine (even without a desktop environment which will save some hardware resources), you can set it up for remote connections or you can have LTSP. All at no extra cost. Also, if you get a computer donated that someone just wants to throw out because it's too freaking old a new client cost you exactly as much as it cost you to pick up this computer. You connect to your LTSP, no extra client license needed.

Of course all that depends on your needs.

Without knowing what HD space you need. But if you decide to get a "ordinary" desktop and use it as server, you can get one with SATAII HDs. With that you can put 6 drives in your machine @ 1TB each at the moment. That gives you a theoretical 6TB storage. Minus OS etc of course. In that case it would be wise though to set up a RAID and add some redundancy. Depending on your needs you can have 2x3 drives mirrored and there you have a backup right in the machine with ~3TB storage. Broken HDs need to be replaced immediately, I guess that should not be necessary to mention. You also could then, when this system is up and running give your old server the same amount of HD space and mirror the 2 computers every night.

Well, as I said, things depend on your needs but also on your budget.
But I must say that so far my best experience is with Linux. If I only would have one OS (exact same version!) then I probably would stay with exactly that. But in a mixed environment... I never had trouble to get any machine at least in a terminal to connect to Linux, pretty much works out-of-the-box. But I had trouble connecting Macs with Macs, actually even with the same OS version, not to speak of mixed environments. So much for the "simply works" adds. What ever way you go, be patient and expect some work that needs to be done. I never had a "simply works" experience. If it just works, great, if not you work to make it work. That's just how it is.

I know, that was not exactly the info you were asking for, I guess. But maybe there are a few ideas that help you get going.
Ah ya, before I forget. Keep your hair right where they are. Better throw the computers out. In fact, I dispose them for you for free. ;)

Greetings from the MatriX,
neo

More info

jferrett — Thu, 07 Feb 2008 20:48:14 +0000

I'm not sure I can give you everything you want but I will try.

We use a TrendNet (TEW-633GR) Router which then runs into a 2-Wire DSL Modem/Router (though the router functions are turned off)
We have a number of HP Laserjet Printers with Fix IP Addresses (Laserjet 4 & 5's) all with Jet Direct Cards.
All the other Machines are set to get their IP addresses automatically from the Router.

The IP range is 192.168.10.* with the router set to 192.168.10.2, the printers are set to 192.168.10.200 to 210 and the rest of the computers seems to end up on 214 and above.

We have the following:
15 Desktops running Win 2000 (Data Entry Machines)
1 Desktop Running Win XP
3 Laptops Running Win Vista
3 Laptops Running Win XP Pro
1 Laptop Running Win XP Home
1 "Server" Running Win XP Pro
2 PowerMacs with OSX Tiger
1 MacBook with OSX Tiger
2 MacBooks with OSX Leopard
1 iMac Running OSX Tiger

The "Server" is really just an XP machine with Shared Printers and Shared Folders on it.

I would like to setup one of the G4's as the temporary file server as the current one needs either rebuilding or throwing away.

Can you tell us more?

KevinColyer — Thu, 07 Feb 2008 19:12:36 +0000

What fun!

We can help more if we know what your network is like and what your goals are... I am guessing you want to use the Windows file server to share files with the others (one big public folder). And probably a print server too?

I would recommend starting at a low level making sure the machines can talk OK before getting the services to work on top. What IP address range are you using? What IP address network does each machine think it wants? Do you have a DHCP server that gives out IP addresses?

My first point would be to set one machine (and only one!) as the DHCP (Dynamic Host Control Protocol) server (the fileserver would be a good bet as it needs to be on all the time). Alternatively you could use the router that provides your link from internal network to the internet but if you don't you must turn its DHCP service off.

It sounds like you have a mixture of static IP addresses and a couple of competing DHCP servers to me. If you can make a list of the machines, their OS and what they think their network settings are that would help anyone here to better help you.

Cheers,

Kevin

thanks for the video

neo — Sat, 27 Oct 2007 17:56:42 +0100

That made my day. 2 thumbs up.

Greetings from the MatriX,
neo

paranoid or realistic?

neo — Sun, 30 Sep 2007 16:02:38 +0100

Hi.
So, what am I, paranoid or realistic? Probably something in between, a paranoid realist, haha ;)
But yes, you are right. We are above average computer users with probably above average knowledge. But that doesn't really help in any way to have someone like us on base if we don't act. It's more like that, we have more responsibility to teach and train those who might need to know because of their travelling destinations or what ever other reason. Because someone's computer skills are close to zero doesn't help when the computer got stolen or confiscated with a ton of "hot" information on it. At the end of the day the thief/investigator is not trying to hack the computer with the skill of the owner....
Well, besides the fact that there is no need to hack a computer anyway. HD in external case, connect to other computer, no password required, fire. If there is no encrypted drive or HD password then all the data is right there.

A few months ago we had an incident in a Muslim country, very unfortunate and very unexpected. But through this the police got a booklet with information about our base, pictures, names, phone numbers, locations, etc. Luckily this country is not totally anti Christian. At the end it had no consequences for our ongoing work but it could have very well happened in another country. The thing is that security is a pain. It's work, it requires learning, it probably takes a bit more time for certain tasks, it might even slow down a whole process, etc. But honestly I don't want to wait until something happens. We use this technology, we have to deal with it. With every aspect.
The more I think about it the more comes to my mind how much "interesting" information is on my laptop. I don't want to think about how much more is on the laptops of leaders around me. I don't want to be the moral apostle here but I think that a car needs breaks. And the faster the car can go and/or the heavier the car is the better the breaks need to be. And when I'm not able to maintain them then I need to give my car into the hands of someone who can do that for me. There are just some things we can't ignore. Whether we are in a half-/closed country or not. One day we might travel/teach there or we might send a (school) team there.

However, I agree with you that we need to be careful how to communicate with others. Also, it's good that we discuss it here in detail, not in staff meetings or around lunch tables. But sometimes I think we can not be paranoid enough. I heard once of a YWAM team that is operating in a closed country. They invited people on a website to come and visit them because there is a great outreach opportunity.
Another example, someone in Australia got a visa denied just because of what was written on this persons website. Just by describing, in christianese, the general everyday work. Nothing about "spiritual warefare" or anything else that could have been an obvious fret. The christian terms simply didn't fit the non-christian / government categories. It was obviously miss-interpreted but still now 6 months later this person (from the US!!) has trouble getting a visa for Australia because of this.
So, where does security start? Where does it end? But again, I don't want to be the moral apostle and I want to quote my self here:

Some things are more sensitive than others and some are easier protected than others.
...
Maybe ... we also need to think about different levels of information / sensitivity / security and how this is best protected.

Not everything applies to everyone. But if we never discuss the things we never do something about it. So, don't look at me as a over paranoid person. I just want to dig deeper before something happens. I want to know that the breaks are working before I go full speed on a race track.
Even if I still can count my years in YWAM with one hand I have seen and heard enough to fill a book with. It's not my intention to write up a list with 100 action points that everyone has to go through, no matter what. But I think we need to be careful not to be too sluggish or over-reacting towards on of the extremes. That is not protected at all and care- and clueless or wanna-be-250%-over-protected and totally paranoid. But in discussing this topic we will hit both ends. The worst-case-scenario and the 100% total locked down solution.

Greetings from the MatriX,
neo

Hmmm....

R.Blevins — Sun, 30 Sep 2007 09:16:53 +0100

Well, in reading your list, I can't help but wonder if this is a little too paranoid for most users.

Okay, if you're working in closed or half-closed countries, then no, it's not paranoid, but when I think about the base here, of all 90 staff members only about 3 or 4 people really need to worry about points 5, 6, 10 and 11. Let's keep in mind that we're all above-average computer users here, but the majority of people on our bases or locations are not. I can only picture the kind of mayhem I would create amongst some of the more "timid" computer users at my base (you know the kind who have just gotten over their fear of using a computer) and even amongst some of the less "timid" users if I brought them a list like this one above.

So, all I'm saying is this: it's good to discuss these things in detail here, but let's be careful how we communicate it with the average users on our base.

I agree

alex.costa — Wed, 26 Sep 2007 20:59:40 +0100

Thanks for you comment. I do agree that for the OS security, Windows is a bigger target and known to be less secure and users know that. Windows is always a concern, so that's part of life for me, but the not so secure behavior I've seen in some "new migrants" to Mac nation have worried me. I'm tempted to run some security tests on our network, AKA friendly hacking.

sensitive data

neo — Wed, 26 Sep 2007 14:46:56 +0100

I take over ;) In addition to Kevins list....

1. Bank accounts and passwords
2. Passwords to YWAM websites [not only YWAM Websites, since many ppl are just using one password for everything like Personal / YWAM Website, MySpace, FaceBook, Blog, Forum, Second Life, etc. - even the same password as the login for the computer itself....]
3. Confidential information about members of YWAM (Beliefs, Health etc) [YWAM and other organisations and churches we partner with]
4. Reports about meetings (potential to reveal Names, Locations, Contact Details, Future Plans, etc.)
5. Projects / Outreach Plans (General Information)
6. Project Partner / Outreach Partner (Names, Locations, Contact Details, etc.)
7. Email communication (reveals Names, Email Addresses, Information, etc.) & user names / passwords for email accounts
8. Address Book(s) for obvious reasons
9. Email Attachments
10. Browser Bookmarks can reveal interesting information as well as the Browsers History. Remember, Google, MS and others claim that they can find out if a person is male or female, age, hobbies, approx wages and other information just by logging the browsing habits.
11. Pictures can reveal a big deal. We just had that at the UofN conferences. There was a person present whos image should not be published on websites or what ever other publications. It got specifically announced....

Some things are more sensitive than others and some are easier protected than others. But most of it fits in both categories Kevin mentioned and for many things it's even hard to put them 100% into only one category. Many of our co-workers are also our friends. Means we communicate with them on a personal as well as business basis. Then, of course, we have our family and supporters we communicate with. And how easy can slip a little piece of information in there that might reveal something that just helps for someone to get a bigger picture....
Maybe, besides the 2 categories (personal and YWAM), we also need to think about different levels of information / sensitivity / security and how this is best protected. Because in that case that a computer gets confiscated we obviously need to reveal some sort of information so that other stuff can be hidden and no one will suspect that there is more "interesting" stuff to find on that machine.

Over to the next person to add to the list.... ;)

Greetings from the MatriX,
neo

Just what is sensitive?

KevinColyer — Wed, 26 Sep 2007 13:08:12 +0100

Nice to be quoted by you Alex!

I have been pondering just what we ought to consider as sensitive information...

If we take as a starting point that we have two categories:

1. Personal information (That is information that belongs to us only)
2. YWAM information (Information that belongs to YWAM only)

What sensitive information falls into the second category? What should we be concerned that our colleagues should keep secure?

OK. Here is a start.
1. Bank accounts and passwords
2. Passwords to YWAM websites
3. Confidential information about members of YWAM (Beliefs, Health etc)

Over to you!

No password?

R.Blevins — Wed, 26 Sep 2007 11:43:14 +0100

When you say "Power User" do you mean the Admin account? It's hard for me to believe that when running through the setup process that the user would have been allowed to leave the password field blank. Macs are usually pretty secure from outside attacks, but if there's no password set, then it's really a cinch to get in.

Since it's been a long time since I setup a new mac, I just went through the motions of setting up a new (administrator) account. You can indeed leave the password field blank, but when you click ok, you will hear an error sound and get the following error message:

You did not enter a password for this user. Are you sure you want to do this?
Because you have not entered a password for this user account, anyone can log in to your computer. To enter a password, type it in the Password and Verify text boxes.

If you hit enter, the default is cancel, but if you click okay, it will let you create an admin account with no password. This seems like a bad oversight on Apple's part, but at least it reminds you to enter a password. Mind you, on a mac you have to enable root before you can even use it and set a password for it so that's pretty secure and things like (windows) file sharing, ssh, and web server are all disabled by default.

I just read through an article on Apple's website about windows file sharing and I'm relieved to see that you are required to provide a password before you can even activate windows file sharing for the first time.

Here is a another good article about Choosing good passwords in Mac OS X, although I can't imagine why they wouldn't work for other OSes as well.

I recently saw another article about the dangers of using open wireless networks that I'll have to track down.

passwords on a mac

neo — Wed, 26 Sep 2007 03:51:44 +0100

Hi.
I'm not a Mac power user by any means. But from what I understand when setting up a Mac it's asking for a password. I'm not sure whether it's possible to leave that empty or not. But on the other hand on Linux it's possible to leave the password empty for the root user. THE one user who can do anything....

Anyways, if you have a password on a Mac it's just like leaving it empty (well, almost) since with a Mac user account, when you do something that needs administrative rights, you just type in your password again and all is fine. Just like "sudo". I never tried it on a console though.
By default, if you only have one user set up, the computer always boots without asking for a password, whether you have one or not. So, watching someone (airport etc) who is not typing in a password doesn't say anything. You can change that though, as far as I know.
When you try to connect to a Mac via a network it's always asking for a user name and password, no matter if that's empty or not. Obviously if you try to hack into a Mac you can try leaving the password blank.

So, it's not that Macs are open to anyone by default. A open share on MS is more likely open to anyone and easy to find. And even if you have not setup a share on Windows, there are backdoors which I haven't yet figured out how to get rid of. You can access any drive on Windows with $[letter_of_the_drive], like $C. I know that I can get rid of the share but after reboot it's there again....

After all, I just can agree that we need to instruct ppl about security, using strong passwords, not carrying with them (files, back up devices, etc) what is not needed and it seems that encryption becomes more and more necessary for many ppl. Specially for those who have to carry around sensitive data. No matter if that is personal or office data since personal data can as well reveal a lot of names.

Greetings from the MatriX,
neo

Upload requirements GENESIS IP

Mike — Sun, 26 Feb 2006 00:30:22 +0000

In reality (with today's equipment) running GENESIS over IP on the public internet should have at least 256kbps down and upstream. The very new gear that supports H264, MPEG4 and QOS can handle lower speeds better but the equipment in Latvia (just 2 years old) is limited to H263 video and has no QOS.
GENESIS sends highly compressed video for full screen projection in full duplex mode. (using industry standard videoconferencing equipment).
Last week we had excellent links between Sweden and Brazil, Switzerland, Colorado Springs and Alaska. All these were 256k and higher on IP. We also had slower links with Ukraine on ISDN and Colombia on IP at 128Kbps. Those were all on H264 compliant gear. Our links with Latvia were less successful with serious video degradation.

I have been amazed at the rapid developments in the videoconference industry and the big difference H.264 makes on slow links. It is like double the video quality in the same space.

Blessings

Mike Stevens
YWAM Dalarna, Sweden

GENESIS Global Development

4 ip's is something different than 4 lines

JJzD — Sat, 25 Feb 2006 17:57:15 +0000

The speed of your DSL is measured in total. The IP's is just about how many computers can be seen from the outside. (I would recommend that to be one btw)

You can compare it with a car. The whole car can go 120 km/h, but has 4 seats. It does not mean that if you fill up the four seats the car can go 480 km/h.

:)
(And are you sure that 128 kbps is too slow? Because ISDN has only 64 kbps. It should be possible too downgrade the stream a bit? But I am not in Genesis so I don';t know :))