Berkeley CSUA MOTD:2003:March:04 Tuesday <Monday, Wednesday>
2003/3/4 [Uncategorized] UID:27590 Activity:nil
3/4     I've got absolutely nothing interesting to say this morning.  Just
        wanted to let you know.  Thanks!
2003/3/4 [Computer/SW/OS/Linux] UID:27591 Activity:low
03/03   Novice question again:  I have noticed that we have rpm installed.
        I thought RPM is a redhat/linux thingy.  how come it is available
        for BSD?  Also... can normal monkeys (i.e. non-root) install rpm
        packages in their own directories?
        \_ RPM is just a package format. You can conceivably RPM any type
           of binary, but I am assuming that Sloda is running Linux binaries
           in binary compatibility mode or whatever. Just know that *BSD can
           also run Linux binaries. You can't typically install an RPM unless
           you have the right permissions to read/write to /var and /usr/local.
        \_ RPM works on many platforms (I've seen it run on *BSD, Solaris,
           Linux and MacOS X) but it is most popular on RH based systems.
           If you have relocatable rpms and you can create your own
           rpm db in ~me/var/lib/rpm it is possible to get this to
           work. Most rpms aren't relocatable so in reality using
           rpm as a not root user isn't terribly useful.
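As an added example (not from the thread, and not the rpm project's own tooling): a small POSIX shell script that does what the last reply describes, checking whether a package declares relocatable prefixes, keeping a private rpm database under ~/var/lib/rpm, and installing into a per-user prefix so nothing is written to /var or /usr/local. It assumes the rpm CLI is on PATH; the package path and the USER_PREFIX/USER_RPMDB defaults are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: non-root install of a
# relocatable RPM into a private prefix with a private rpm database.
# Assumes the rpm command-line tool is installed; paths are placeholders.
set -eu

USER_PREFIX="${USER_PREFIX:-${HOME:-/tmp}/local}"        # where files go
USER_RPMDB="${USER_RPMDB:-${HOME:-/tmp}/var/lib/rpm}"    # private rpm db

# Print the build-time relocatable prefixes declared by a package,
# one per line (empty output means the package is not relocatable).
rpm_prefixes() {
    rpm -qp --qf '[%{PREFIXES}\n]' "$1" 2>/dev/null
}

# Succeed only if the package declares at least one relocatable prefix.
rpm_is_relocatable() {
    [ -n "$(rpm_prefixes "$1")" ]
}

# Create the private database on first use; later calls are no-ops.
rpm_user_initdb() {
    mkdir -p "$USER_RPMDB" "$USER_PREFIX"
    [ -e "$USER_RPMDB/Packages" ] || rpm --initdb --dbpath "$USER_RPMDB"
}

# Install one package into the user prefix.  Refuses (exit 1) when the
# package is not relocatable, since rpm would then need to write to the
# package's hard-coded system paths.
rpm_user_install() {
    pkg=$1
    if ! rpm_is_relocatable "$pkg"; then
        echo "$pkg is not relocatable; it cannot be confined to $USER_PREFIX" >&2
        return 1
    fi
    rpm_user_initdb
    # --nodeps: dependency records live in the system db, not in ours.
    rpm -ivh --dbpath "$USER_RPMDB" --prefix "$USER_PREFIX" --nodeps "$pkg"
}

# List what has been installed into the private database.
rpm_user_query() {
    rpm -qa --dbpath "$USER_RPMDB"
}

# Usage: ./user-rpm.sh some-relocatable-package.rpm
[ "$#" -eq 0 ] || rpm_user_install "$1"
```

The relocatability check is the important part: rpm only honours `--prefix` for packages built with a `Prefix:` tag, which is why the thread's caveat ("most rpms aren't relocatable") makes this of limited use in practice. Keeping a separate `--dbpath` also means the system database is never touched, so a mistake here stays inside the user's home directory.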
2003/3/4-6 [Computer/SW/Mail] UID:27592 Activity:very high
3/3     There's a new sendmail root-exploit out there.  Time to patch/upgrade.
        (soda isn't vulnerable, but anyone running versions below 8.12 is)
        \_ Incorrect.  Every version since 5.19 or something is vulnerable
           up to and including 8.12.7.  Looks like soda still needs to be
           upgraded.  There's a patch out from FreeBSD, plus patches and
           8.12.8 distributions at http://sendmail.org.  Please correct your
           misinformation.  -- randal <rand@sendmail.com>
           \_ soda was patched with a 8.12.6 patch.
        \_ Email to root.
        \_ So what? Sendmail is so buggy wrt security that it might as well
           have been written by M$ code monkeys. If you want a secure mail
           server try postfix or qmail.
                \_ yeah, that's what, the second root hole in the past 3
                   years! what a piece of shit!
                   \_ yes. use qmail.
                        \_ you're deluding yourself if you think that qmail
                           wouldn't have just as many security problems if
                           it were as widely used as sendmail.  Reference:
                           Theo and openssh.  -tom
                           \_ Meaning what?  That as openssh became more
                              popular more holes were discovered or that theo
                              is a jerk so we should all not like openssh?
                              \_ Theo is specifically a jerk who used to
                                 crow all the time about how secure his
                                 software was, then when it became more
                                 popular more holes were discovered.  The
                                 exact same thing would happen with qmail
                                 if djb ever tried to make it into a
                                 generally useful program.  -tom
                                 \_ So exactly how many remote root holes
                                    have been discovered in OpenSSH in
                                    the default config? Exactly 1. How
                                    many in OpenBSD's 7 yr history?
                                    Exactly 1. Theo might be an ass but
                                    his software is secure. Same for DJB.
                                    Coding secure software requires a
                                    particular mindset that the people
                                    working on Sendmail (and Bind) don't
                                    have.
                                    \_ since November 2001, there have been
                                       three remote root and two local root
                                       holes found in openssh--that's far
                                       worse than sendmail over the same
                                       period.  -tom
                \_ tom, you make somewhat of a valid point, but i'm not talking
                   about theo here, i'm talking about djb. qmail is the #2 MTA.
                   how many qmail exploits have there been? besides, even if
                   you are right, in practice it is still less vulnerable bc
                   it is less targeted. the way i see it:
                   unix is to windows as qmail is to sendmail.
                   windows is more targeted, dumber people use windows, and
                   windows is generally easier to find holes in.
                   \_ I'm sure qmail is not the #2 MTA--#1 and #2 have to be
                      sendmail and Exchange.  In any case, it may be true that
                      qmail is inherently more secure than sendmail, but if so,
                      it's at least partly because of design decisions which
                      make qmail difficult to use in the real world. -tom
                      \_ Exchange?  I guess technically it's an MTA but using
                         Exchange in the same sentence as "security" seems
                         pointless.  Anyway, I agree qmail sucks to use in the
                         real world.  Actually it more than sucks.
                         \_ Qmail doesn't suck any worse than sendmail.
                            People are just so used to the pointless
                            complexity of sendmail that they don't really
                            notice it. Has anyone written a 500 page book
                            on how to use qmail? No. This is because it is
                            not as hard to use. -ausman
                            \_ don't be silly--qmail's configuration is
                               simpler than sendmail's, but it doesn't
                               support anything near the same level of
                               configurability.  -tom
                                \_ And for most folks a standard install of
                                   sendmail works fine, btw.  qmail requires
                                   all sorts of tedious bullshit.  So although
                                   making any serious changes to sendmail can
                                   be nearly impossible, most people won't need
                                   to anyway.
                                   \_ installing qmail is a breeze. the
                                      only tedious bullshit here is your
                                      comment. --aaron
                            \_ Having used both extensively I'll simply
                               disagree as a matter of personal choice.
                               Sendmail is bad but qmail is worse.
2003/3/4 [Reference/Tax, Industry/Jobs] UID:27593 Activity:high
3/3     I have been searching Google and also contacting some friends regarding
        the going rate for a 3 month contracting position that might become
        full time at a big internet company in Mountain View.  The duties
        consist of works for a backend Java and Java-related technologies
        developer.  I have about 5 years of working experience with about 2
        years of Java and Java-related technologies working experience.  I have
        a BS in EECS from Cal.  However, I have never done any contracting work
        before, but have a very broad set of skills, very capable, and very
        fast learner.  The numbers that I found seem a bit high for the current
        market; $100-$200/hr DOE.  Will anyone here point me to some recent
        surveys (2003 or late 2002) and/or provide some comments based on their
        own (or people that know) experiences and also how to best negotiate
        while keeping the door open for the full time conversion?  Thanks!!
        \_ holy sh*t that's a lot of money
           \_ no it isn't.
        \_ DOE is the key.  A fresh-out-of-college type should be happy with
           $40/hr.  A senior with a decade of seasoning and reasonably
           aggressive skills maintenance can expect substantially more.
           Generally we take the FTE equivalent and multiply by 0.75 to get
           a reasonable rate for short term contractors.
                \_ that assumes full time employee
        \_ here's why: contractors get screwed on taxes and benefits and are
           the first to go when heads roll and a bunch of other badness about
           being a contractor so they *have* to charge what looks like an
           obscene amount of money to make it worth it.  The guy I replaced
           was making $300/hr but in the last few months he was only doing
           an hour or two a day.  Sometimes none.  His only duty was doing
           interviews to replace himself.  My salary?  20% of his rate plus
           some minor benefits.  If they like you and need you, they'll convert
           your expensive contractor ass as fast as possible, so don't worry
           about that part.  See if you can get them to blink first by making
           an offer or stating a range or something.  If not, then say that
           you'd like $X (I suggest $200/hr) but that the rate really isn't
           the issue since your goal is to convert to FTE after a reasonably
           short time period.
           \_ screwed on benefits: true.  screwed on head roll: true
              screwed on taxes, not even close.  Self employment tax comes
              out exactly the same as regular exempt employees making the
              same amount of $$$.
           \_ They suggested a range of $60-$65/hr.  They are really
              low-balling me then? -op
              \_ I've read $1/hour for every $1K/year you'd make on salary.
                 \_ Industry standard is 0.6 to 0.75 these days. -hiring mgr
                \_ As a contractor, you need to cover your own benefits and
                   unemployment insurance (i.e., savings).
                   $1.5-$2/hour for every $1k/year is where I start.
                   \_ assuming you contract for 2k hours per year, this works
                      out to 3 to 4x regular salary for a contract.  i did 3x
                      in '98 '99, and i was close to 4x '00 '01.  i'm down to
                      hmmm 2.5x now.  where are you getting contracts today
                      that are in the 3 to 4x range?
               \_  $60-$65/hour seems really fair nowadays.  I've seen rates
                  as low as $40/hour for some senior level contract gigs.
                  Email me if you wanna take it offline --chris
              \_ That's really low for contracting.  I suggest you ask them
                 flat out when/IF you'd convert to FTE and what the salary
                 would be.  If you like the final salary, get them to put it
                 in writing that after X months (I suggest 2-3 max) at their
                 super low-ball rate, they convert you to FTE at the previously
                 agreed upon salary.  If they'll do that and you're happy with
                 the FTE, then consider the contract rate as a sort of
                 probationary period and just do it at whatever rate.  If they
                 won't do that, then your odds of converting are near zero and
                 you should ask for more.  --same long winded person from above
                 \_ This is a silly idea.  If they were willing to commit to
                    a full time hire, they wouldn't be using a contractor
                    probation period in the first place.
                    \_ C2H is pretty common.  I'd be surprised if less than
                       a majority lead to conversion, or end if you suck.
                 \_ Only if you're looking for FTE....
              \_ The big hit is self-employment tax. Basically, you pay your
                 own payroll tax. Plus paying for benes. And you're only
                 paid after you bill. Overhead costs (not including time to
                 do your own paperwork) is easily 30%, less if you want to
                 skimp on benes (ie. covered by spouse insurance, etc.). So
                 $60/hr contract -> $42/hr FTE -> $80K yearly + minor benes.
                 \_ Wrong!  Most bene packages are only worth about $10k/year
                    or less (usually a lot less).
                    \_ Cost to employer is on order of 30% of salary - this
                       includes benefits, sick/vacation/holiday, 401k match
                       if present, and their share of the employment tax.
                       Also, no one is listing 1099 vs W2 contracting.
        \_ Is anyone even able to get a contract job in the past few years?
                -ax
           \_  They are popping up more often now.  I've still got a few
               friends recruiting and that's what I'm seeing/hearing.  --chris
           \_ I just updated my job search profile for the first time in 18
              months and got my first set of new job emails this morning.  It
              looks like 1998 out there for full timers!
2003/3/4 [Transportation/Bicycle] UID:27594 Activity:low
3/3     Ok I'm considering one of the two options on my bike:
        http://www.hyperlites.com
        http://www.riderstation.com
        Which one would you guys recommend?
        \_ I'm not so sure that having flashing lights on the back of your
           bike would be legal, but then again, I'm not the one considering
           doing this.  Make sure it's legal first.
        \_ I think the flash 5 secs then solid would be legal, but not
           the continuous mode.  I'm not sure either is a good idea -
           distracting drivers may not be fully effective.
        \_ i just bought lifebrites, cheaper than hyperlites for universal use.
        also be sure you can be seen from the front, too.
           \_ where'd you mount them, on the side of the plates?
2003/3/4-5 [Uncategorized] UID:27595 Activity:moderate
3/3     Formula for interpreting contractor salary vs FTE.

        X = $/hr FT contract;  Y k$/yr FTE
        Y = X*2 - benefit allowance - instability margin

        benefit allowance is a constant around $5000(bachelor)-$10000(family4)

        instability margin is an allowance for the time you will spend
        finding a new job after your contract expires (season to taste)
        \_Reality check: charge as much as you can get away with.
        No, the world doesn't work according to arbitrary formulas, son...
        \_ It's better than nothing. Thanks!
2003/3/4 [Politics/Foreign/Europe] UID:27596 Activity:very high
3/4     Umberto Eco on the US, France, and Iraq:
        http://csua.org/u/a2c
        (from http://Haaretz.com)
        \_ I like that. "We should let evil assert itself fully
           before we do anything about it." Apparently nobody
           informed the UN that an ounce of prevention is worth
           a pound of cure.
           \_ you're an idiot.
              \_ I admire your intellectual prowess and quick wit!
                 You've completely won me over to your point of view
                 with a clever sense of the moment intertwined with
                 a rich philosophy of the state of mankind.
                 \_ How 'bout this.  The sentiment expressed above is
                    exactly what Mr. Eco is talking about.  And if you
                    weren't blinded (deafened?) by sabre rattling, you
                    might be able to see that.  A first-strike aggression
                    is not "an ounce of prevention."  --scotsman
                     \_ First strike is prevention. Waiting for them to
                        strike is like waiting for Hitler to invade
                        Poland before taking him out.
                    \_ Just because Umberto Eco wrote it, it's true?
                       Besides, he was saying that it is prevention,
                       he was just saying that prevention is not
                       necessarily prudent. And his main point had
                       nothing to do with that anyways.  -mlee
                       \_ Mike, you're talking over yourself. (pronoun trouble)
                          What comments are you disputing? --scotsman
                          \_ The first line was a rhetorical question so "it"
                             clearly refers to anything that Eco may write.
                             The "it" in the second line refers to
                             first-strike aggression.  Eco was writing more to
                             the effect of how improper emotional responses
                             can be--especially in these times--regardless of
                             whether they are emotional pro-war or anti-war
                             sentiments, much like the sentiment you wrote
                             in response to the op.  -mlee
                             \_ I was actually referring to the plethora of
                                "he"'s, but I see what you're getting at.
                                Mine was less of an emotional response than
                                the "op"'s [sic].  His is a fear based response.
                                I believe calling for measured response based
                                on a multilateral platform is far less
                                emotional than saying "bomb them before they
                                bomb us" --scotsman
                                \_ True.  op was emotional.  But we should
                                   bomb them--so that our bombs don't rust.
                                        -mlee
        \_ why isn't this 'intellectual' protesting the invasion of Ivory
           Coast by France?  And he states 'as the Western democracies
           eventually managed to eliminate the Soviet dictatorship
           without launching atomic weapons.'  Sorry Eco, you are
           wrong- it was overwhelmingly the UNITED STATES, with the
           help of Koreans, Vietnamese, etc.  that defeated the Soviets.
           The US taxpayer paid for it and the US soldier died for it.
           France tried to play the Soviets against the US, all the
           while secure under the US nuclear umbrella.  All of Europe
           treaded towards massive socialist behemoths, all subsidized
           by Uncle Sam.  Exactly how are France and Germany able to conduct
           billions of dollars of business in Iraq with 17 UN sanctions
           in place.  Sorry, this article is trash.
           \_ You should learn history before spouting. Korea? Vietnam?
              Chinese supplied. They're still around. How many left-wing
              terrorists were there in the US during the Cold War? Europe
              took the brunt of that. And the US has companies that have
              bypassed the sanctions too. See Dick Cheney? He partnered up
              with Haliburton and helped Iraq out. There are 6000 pages of
              the report given by Iraq about who supplied them with their
              suspected WoMD. US, France, Germany, Britain, and Russia have
              had the UN censor them out so the companies listed aren't
              exposed. Viva Capitalism! Viva Free Market!
                \_ Umm yea, a country who finished one civil war,
                   and in which 10-20 million died in the Cultural Revolution,
                   provided the material support for the Cold War - please.
                   My point was both the Koreans and the Vietnamese suffered
                   large casualties.  The same can not be said of any European
                    country.  France turned tail and ran after Dien Bien Phu.
                    I did not deny US businesses have operated in Iraq - however
                    this activity is not a full-scale, government sanctioned
                    flagrant disregard for the UN sanctions in place,
                    as is for Germany and France.
                    The point is thugs need to be removed once they exhaust
                    their usefulness.  Also, I'd be very interested in
                    what 'brunt' Europe endured - it would be very
                    enlightening.
                   \_ So it was the Soviets that fought in Korea and Vietnam?
                      And those 30+ million who died in the Soviet Union during
                      WWII made them helpless? And if the US didn't give the
                      okay to ship stuff from US to Iraq who did? During the
                       Cold War, Europe endured ongoing assassinations, terrorist
                      bombings and actual invasion threats by the USSR.
           \_ Regardless of who footed the bill, "the Western Democracies
              eventually managed to eliminate the Soviet dictatorship
              without launching atomic weapons."  His argument stands.
                \_ I find your cavalier attitude about 100,000 + dead
                   US troops and several trillion US taxpayer dollars
                   pathetic.
2003/3/4-5 [Computer/Networking] UID:27597 Activity:kinda low
3/4     Anybody gotten telemarketing calls from ATT broadband telling you to
        switch from DSL to cable internet.  And when you talk to them some
        more they tell you that it's not available in your area yet?  WTF?
        \_ maybe they're researching the feasibility of bringing the service
           to your area.
        \_ No.  !!!
2003/3/4 [Uncategorized] UID:27598 Activity:nil
3/4     G-Spot rocks the G-Spot!
2003/3/4-5 [Computer/SW/Languages/Perl] UID:27599 Activity:moderate
3/4     perl god, I want to match AAA but not AAAA, so I tried
        perl -ne 'print if /A{3}/'
        How come it still matches both AAA and AAAA?  - perl tyro
        \_ /(?<!A)A{3}(?!A)/
        \_ try /[^A]A{3}[^A]/ (edited)
           your syntax matches AAAA because AAA is within AAAA (ie, it could
           be AAA or AAAA or AAAAA or sdfAAAsdfa, and it'd match). This syntax
           says after the 3 A's, match any character that's NOT A.
           \_ you probably want something like
              /^(.*[^A])?A{3}([^A].*)?$/
              (otherwise you won't match "AAAfgdsfg" or "dsgffdsAAA") -alexf
              \_ This won't match multiple AAA's on the same line, will it?
                 (i'm still a grade schooler in regexp foo)
                 \_ Yes, it will match the first set, so that's still a match.
                    But it makes assumptions about lines and so forth.
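As an added example (not part of the original thread): a short Perl script that runs the original pattern and the three alternatives proposed above over a set of constructed sample lines, next to a non-regex ground truth ("does the line contain a run of exactly three A's?"), so the differences between the patterns are visible at a glance. The sample lines are made up for this illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: compares the patterns
# discussed above on constructed sample lines.
use strict;
use warnings;

# The patterns in the order the thread proposed them, each with a label.
my @patterns = (
    [ 'original'   => qr/A{3}/ ],
    [ 'lookaround' => qr/(?<!A)A{3}(?!A)/ ],
    [ 'bracket'    => qr/[^A]A{3}[^A]/ ],
    [ 'anchored'   => qr/^(.*[^A])?A{3}([^A].*)?$/ ],
);

# Ground truth computed without any of the patterns under test: collect
# every maximal run of A's and count those whose length is exactly 3.
sub has_exact_triple {
    my ($line) = @_;
    my @runs = ($line =~ /(A+)/g);
    return scalar grep { length($_) == 3 } @runs;
}

# Constructed lines covering the cases raised in the thread: a bare AAA,
# longer runs, AAA in the middle, at the start, at the end, and mixed runs.
my @lines = qw(AAA AAAA AAAAA AA sdfAAAsdfa AAAfgdsfg dsgffdsAAA AAAAxAAA xAAAAxAAAAx);

printf "%-12s %-10s", 'line', 'expected';
printf " %-10s", $_->[0] for @patterns;
print "\n";

for my $line (@lines) {
    printf "%-12s %-10s", $line, (has_exact_triple($line) ? 'match' : 'no');
    for my $p (@patterns) {
        printf " %-10s", ($line =~ $p->[1] ? 'match' : 'no');
    }
    print "\n";
}
```

Running it shows why the original `/A{3}/` matches every line with three or more A's, that the lookaround form agrees with the ground truth on every sample line, and that the bracket form misses runs at the very start or end of a line (the gap alexf's anchored form closes). For the one-liner in the question, the lookaround version is `perl -ne 'print if /(?<!A)A{3}(?!A)/'`, which also handles more than one run per line since it is not anchored to the whole line.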