Gabe,

I think the OSU proposal addresses your concerns (having people
volunteer redundant servers is also a great idea).  The machine that
was cracked hasn't bounced back quickly because I'm the only one with
physical access to it and I've been on vacation.  I'm back and waiting
now on getting an access pass (which should be assigned to me
tomorrow) so that I can get in and swap out the hard drive (with one
with a fresh OS)).  We have the backups from Anvil though so movement
to a new machine at OSU doesn't really need to wait on anvil at this
point.

Anvil really was never intended to be a production machine and having
Code4Lib hosted at OSU where there is a sysadmin attending to it (and
policies about access, what can be installed, etc.) seems to me like
it will solve the problems we've had in the past.  It was fine letting
Code4Lib grow a little in the anvil space, but I think the needs of
its community have outgrown anvil (and I think this was the general
consensus in the channel today).

Thanks to OSU for stepping up and giving us a viable alternative!  I
know we'll have at least two places willing to mirror the Code4Lib
site.  The more the merrier though!

Kevin


On 8/1/07, Gabriel Farrell <[log in to unmask]> wrote:
> I look forward to the proposal from OSU that should be mailed out to
> the list shortly.  The discussion that just took place in #code4lib
> got me thinking.
>
> As I see it, the issue here has two parts.  First, the machine was
> cracked, and, second, service hasn't been restored following the attack.
>
> The code4lib.org site and its various subdomains have served a community
> with a variety of needs, many of which require command line access and
> the ability to install programs and services.  Maybe some increased
> restriction as to who has this access and what may be done with it is
> called for, but even with greater restriction and more vigilant
> sysadmins it's likely that the machine will get cracked again at some
> point.
>
> While I hope we'll have a more secure box for code4lib in the future,
> I'm also excited about plans for a system that can bounce back quicker.
> In addition to local and remote backups, we could use full mirrors ready
> for a dns switch.  Several mirror host machines were even offered in the
> discussion.  Are there other strategies we might employ to make
> code4lib.org more resilient?
>
>
> On Fri, Jul 27, 2007 at 05:18:06PM -0400, Ed Summers wrote:
> > As you may have seen or experienced code4lib.org is down for the count
> > at the moment because of some hackers^w crackers who compromised anvil
> > and defaced various web content and otherwise messed with the
> > operating system. anvil is a machine that several people in the
> > code4lib community run and pay for themselves.
> >
> > Given that code4lib has grown into a serious little gathering, with
> > lots of effort being expended by the likes of Jeremy Frumkin and Brad
> > LaJenuesse to make things happen -- it seems a shame to let this sort
> > of thing happen. We don't have any evidence, but it seems that the
> > entry point was the fact that various software packages weren't kept
> > up to date.
> >
> > Anyhow, this is a long way of inviting you to a discussion Aug 1st
> > @7PM GMT in irc://chat.freenode.net/code4lib to see what steps need to
> > be taken to help prevent this from happening in the future.
> > Specifically we're going to be talking about moving some of the web
> > applications to institutions that are better set up to manage them.
> >
> > If this interests you at all try to attend!
> >
> > //Ed
> >
>