 Tripp Black | Tripp Black July 29 2013 12:34:47 PMFor the last maybe 8 to 10 years or so we have had the a type of field population for on the Domino server documents for non-admin access users to create replicas and templates on the server, but not copies of apps on the server. It has worked well until Domino R9. Basically the fields used to be: Create Databases: LocalDomainServers LocalDomainAdmins MyCompanyStaff Create Replicas: LocalDomainServers LocalDomainAdmins MyCompanyStaff MyCompanyUsers Create Master Templates: LocalDomainServers LocalDomainAdmins MyCompanyStaff MyCompanyUsers With this access settings, the user could do File --> New Replica to the server, but not File --> Application --> New Copy. With R9, this seems to have broken. The documentation does NOT mention the feature changing. However, one page does mention that replication field is subservient to the Create Databases field. " Controlling creation of database, replicas, and templates" - no mention that Create Replica field now sub-option to the Create Database field. " Rolling out a database" - no mention that Create Replica field now sub-option to the Create Database field. " Server document - Security tab" - confirms the new functionality and also confirms it's true of the Create Templates field, as well. Table section from the document w/in the IBM Administration Help documentation: | Create databases & templates | Enter the names of users, servers, and groups who are allowed to create new databases and create and update database templates on the server. | | Create new replicas | Enter the names of users, servers, and groups who are allowed to create new database replicas on the server. Note that servers, users, and groups who are not allowed to create new databases on the server (see above) cannot create replicas. | | Create master templates | Enter the names of users, servers, and groups who are allowed to create master database templates on the server. Note that servers, users, and groups who are not allowed to create new databases on the server (see above) cannot create master templates. | Comments Disabled Tripp Black April 30 2013 12:42:30 PMDomino 8.x / 8.5.x has two security issues w/both Domino 9 and 8.5.x. They are vulnerable to the BEAST vulnerability. In addition, to mitigate issues with the AES exploits, we all switched to RC4 last year. However, the best that a Domino server can get is a "B" at: https://www.ssllabs.com/ssltest/ A "B" won't pass a PII or PCI audit. Which means companies are getting black eyes and penalty fees, for not moving fast enough. Unfortunately, companies that rely on vendors, such as IBM, can only move as fast as IBM does. The solution in Domino 9, that I learned about in the 9 Beta is now here. Well sort-of. The solution is to put the most current Apache in front of Domino and use 1.2 TLS with GCM suites. Unfortunately, of the Domino distros, it appears this is ONLY possible in Windows, currently, as the Linux install does NOT have it at an option. We don't use Windows. We are a Mac and Linux shop. The only MS Windows machines are a legacy SharePoint/FrontPage VM and 3 other VMs for running software that won't run on Mac or Ubuntu workstation (e.g. Domino Designer and VMware VSphere client). The official answer from IBM is: "The last word on the request at this time is that more customer requests need to pour in for attention to a configuration for Linux. Some of the coding needs are pretty deep in the overall configuration precluding a hotfix even at this point. SPR PPET96VFQQ. "
Powell Pendergraft,
IBM Domino Web Server Support, iNotes, LDAP, DIIOP, and IBM SmartCloud Meetings
IBM Advanced Server Administration, Domino applications In addition, there is NO documentation for this. Domino admins just better know how to config for multiple domain names and SSL keys along with each SSL key IP address. Now you have to be an Apache admin, too. (Which in Tripp's option is not bad.) But documentation would be nice, not to mention helpful. This follows the last feedback from IBM a few months ago, that the SPR: "The SPR number for this Software Problem report is: #LMIL94ETBC. The APAR number is documented as: LO73694.
Our SPR team will triage the SPR through their normal channels and determine if this issue is to be fixed a future release of Domino.
At this point in time, I believe I have utilized all escalation levels to assist you with trying to determine why your server is failing the BEAST vulnerability scans. At this point in time, I am going to request we close this PMR. I am going to recommend reviewing any future SPR fix lists, which ship with every release of Domino to determine if your SPR is fixed in any future releases of Domino.
I can also set the SPR so I am notified of any updates made to the SPR and can contact you back if the SPR is either resolved or closed. "
-Lisa Michael,
IBM Software Support Team Besides run a hot-fix in 8.5.x, you have to disable SSL renegotiation, which "is a cruch, not a fix". https://community.qualys.com/blogs/securitylabs/2010/10/06/disabling-ssl-renegotiation-is-a-crutch-not-a-fix Worse, since RC4 is now 50% or more of web server traffic, we now have the wonderful problem that the "best" (aka common) RC4 have their own vunerabilities. To fix Domino users should go all the way from TLS 1.0 to 1.2 and switch to the newer GDM suites of encryption. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what So, what's the end note, get Apache in front of Domino and configured there with all the web site and SSL configuration, and get IBM to take the hit seriously. They won't until we do, and we do because we are being hit with financial penalties by our PCI auditors. Comments Disabled Tripp Black April 17 2012 11:02:01 PMModern Christianity and Physics Don't Mix? Do you think that modern Christianity is intimidated by science's advances? I grew up seeing Christianity on the defensive with Science. My public schooling reinforced religion as archaic and pre-historic superstition. I was surprised when I found out as a young adult that our great scientists in history actually did not separate the universe from a creationism origin, they mixed the two freely believing there was one or more creators depending if the scientist was Greek or a Christian flavored one in the modern age. I also found it ironic that the Church was often threatened and called them heretics. With love like that it's amazing they did believe in God still. Only in the last couple hundred years have we seen the relationship of our DNA and structure to confirm that all life is basically evolved pond scum seeded by accident from an asteroid that somehow was seeded somewhere else brought base components of the amino acids and proteins to earth to get life kick started. Oh but wait, those right-wing nuts, aren't just stupid Neanderthals clinging to religion and guns, they got their own version of the everything theory. I'm looking forward to seeing if they mix again. A group of Christians start with light as particles and wavelengths are baseline of everything: http://www.youtube.com/watch?v=7-tYXUSVy64 The secular scientists seem have to broken down a bit but are still working on it approaching it from a dazzling myriad of directions: http://en.wikipedia.org/wiki/Theory_of_everything http://www.youtube.com/watch?feature=player_embedded&list=PLAC1BAA6A24BB758F&v=6jFSDp27xXo Why do I think this is important? Music is nothing but math combined with imagination and emotion. The only thing is that we derive emotion to such a point that we can have spiritual connections. Doesn't matter if you are New Age or pick any other religion. The music theory of everything will have to include the human soul and emotion. That will be very interesting indeed. So far the secular evolutionists seem to be behind, but they've only been doing it for say 200 years rather than 1000s of known history. Comments Disabled Tripp Black September 11 2011 10:07:58 AMIt was the day the earth stood still (at least the western hemisphere). I was hurriedly writing some code that was supposedly critical for one of my clients -- I remember which client client, but not the code. It was obviously not as important as we all thought. Nicki calls me and tells me to hurry and come. I walk into the living room to see reporters talking about an accident where a plane hit a building in NY. I was watching the screen when I saw the second one practically go through the second tower and even turn at the last minute to damage as many floors at once. The evil of hate was very apparent This doesn't matter so much if it's Islam or even Christianity, although Christ's only "violence" was driving evil "money changes" from the template and suffering ultimate violence on the cross. The hate cares none who it kills - Muslim, Christian, or agnostic. It only wants to kill and harm as many as possible. What was "good" from it was watching so many rally together to search for victims still alive, then their bodies, and then rebuild. The other "good" was watching for a few short weeks politics and pettiness put aside for all us to be U.S. Americans first. It was a good reminder that our differences make us unique, and the hate made us more united. It's a good day to remember that true love casts out fear and the ultimate love is to give oneself for another. Thanks again to all who served that day and the many months, and now years that's come, protecting and restoring America. Thanks to the families who have a member that's given ultimate love. Comments Disabled Tripp Black June 14 2011 12:47:37 PMWell they've got Skype barely a few weeks. They basically promised when buying it to leave Skypes services intact. They did leave it alone. But in the world of Microsoft, 2-3 weeks is ages ago and who expects such old promises now obsolete to be kept. No worries. They aren't breaking a promise. It just LOOKS like they are. They've already promised to support the next new open-source thing, no mind it's still in process and is just vaporware. I should be out and ready some day. Did I say no worries? Don't, because Microsoft has your salvation ready for you. So don't stress out. Microsoft has a great competitive product out just in time in July. So dump that Asterisk Skype configuration, and get on the MS bandwagon. I know it's looks like textbook conspiracy, but it's not. No worries, they'll treat you with love, and better yet, you can believe in them. This is just good business, savvy marketing. They are a company of their word. Oh, BTW, the new product you're going need to buy is the LUCS, or Lync on-line. So pull out your checkbook or credit card and keep adding those 0s. Feel loved yet? Source: http://www.zdnet.com/blog/networking/microsoft-skype-breaks-open-source-partnership/1111 Lucky for us, our Asterisk-based system isn't using the Skype service, although up to recently, it has been on the consider list if needed. Sigh of relief. Next month could have been unpleasant. Tripp Black June 12 2011 09:46:35 PMWell for the 3rd time in several months, my Windows 7 Explorer task bit the dust - starting hanging w/o saying this time that anything was even wrong. I did a repair from the install disk again, but it didn't work. Another day of work lost. I just wasn't up to yet another day and a half of reinstalling, loading drivers (which thankfully I have all saved now), and all my software again, and again just to have this happen again. It's much more stable than Vista, but it still stinks. So I put Ubuntu 10 on it for a couple days. Ran fine - no hardware compatibility. Upgraded it to the newest 11 release -- a really beautiful release BTW. The window transition and desktop Gnome effects are subtle eye candy, rather than the tacky brute force lens flares and flashes of Windows 7. Unlike Windows 7, Ubuntu didn't have to try to cool or sexy, it just was. Unfortunately, the cool OS isn't good enough by itself. I need Lotus Notes, Designer, a couple older Adobe products, and the VMware VI client. The best platform to get me the most of the way there (except Designer and VI) is Mac. So today I got a Mac mini. In one hour I had almost everything installed. It's running both my 20" monitors - aahhh, sweet. The long part tonight is building my XP VM inside my new version 3 VMware Fusion client. Gee, my progressed slowed when I hit Windows lots of waiting time and driver install time. If only IBM and VMware would get their full client software on Ubuntu or Mac. The really good news is that in NC our office has NO more Windows workstations. In fact, I'm the last running a VMware Fusion on a regular basis. We have about a half dozen Macs and 3 Ubuntu PCs. Only our account manager is still running a Windows PC tablet - she's in VA and if Apple sold one, we'd already have gotten it for her. She'll probably end up with a Mac mini and a touchscreen monitor. Tripp Black May 28 2011 08:44:28 PMIn the question of what would be the biggest surprise or thing some one would notice if they went backstage with the Rolling Stones during a practice, Chuck Leavell mentioned two things: 1. "It's a lot of work." (where he praised his team members for their creative work and work ethic as their key to success) and 2. "Most people just think you get up on stage and it's just lovely." (where he adds, that isn't the way it works). Excellent food for thought. From this, I'm gathering that, talent, although greatly involved, isn't what makes you great or longstanding. It's the quality of what you produce and how you do it. Source: Today, 8:45PM, Fox News Tripp Black May 23 2011 05:30:16 PMThe idea of setting Trim (or Gain) is simple. You want as much signal as possible, but without clipping - that static-like distorting noise. Trim too low and you have low signal to noise and no depth of sound. Too high and you have noise and/or clipping. Input signals with known volume ranges, that's easy. Input signals extremely and unpredictably dynamic, like a shared vocal mic or an electric guitarist with his/her own volume petal, that's harder. Either will keep your fingers busy on the board making adjustments. So, here's a few general tips in this area: 1. See the opening line. The highest trim is lowest piece of equipment's distortion point in your signal path. For example, if the digital board goes to +10 but your Avioms go to the traditional 0 before clipping, then stick with 0 or adjust the outgoing gain/trim back down in your sends to below 0 before they reach the Aviom. 2. Vocals tend to sing louder when they are actually performing then during practice. Be prepared to reduce the trim between practice and the live set. Experienced users will anticipate some re-mixing their in-ear or stage monitors during the first song. 3. What the electric guitarist is sending you, is often rarely all they have for volume. Unless you have a good relationship of mutual respect, they will tell you they've given you their "normal" and keep a large reserve for that kickin' solo. In reality, I tend to see only 30 - 50% of what I'll get sent later. If you are live mic'ing the amp, be prepared to adjust the trim for sure and possible the placement during the first sone. Wait until after their first guitar solo, to see what they are really going to send you. This can be a real problem for in-ear monitors of a lead guitar where the input volume fluctuates greatly. As an engineer, we also have to watch out for that 105% live solo. We don't want the in-ears to clip/distort, nor do we want one instrument to drown out the rest of the house or stage. This is a case where I tend to use a channel Trim as faders throughout the first song or two in the set, until the guitarist has used up their pedal breathing room. 4. Good trim should give good signals into the board on the channel pre-LEDs. Now for a simple example of what to do and not do . . .
Channel Trim Settings  This is an example of good trim. The vocals in the first few channels are similar but their gains/trim are set depending on the vocal strength and confidence of the individual vocalist. Good trim is not a "pretty pattern" and shouldn't be. Their whole point is to adjust each incoming signal to an even sweet mix. Beware of the "suggested list of starting trims" unless it's your band, and you've developed it with your team, and the team has discipline to always be playing the same instruments with same settings including volume, vocalists using same mics, having same distance to the mic, etc. Even with the same team on nice digital boards with snapshots, I load the snapshot and immediately start making small adjustments.
Faders/Sliders with Good Trim Settings  Notice in this image, the active channels are getting signal (1st led) and most are close or around 0 Db. Here the lead vocalist of Voc 2 is out front of the BGVs on Voc 3 and Voc 4. The acoustic guitar is rather hot/active, so its fader is lower, beneath the vocals. The moment of this image is during a bridge where the keys and the electric were having some fun, so I have those faders a little hotter to pick them up. The bass fader shows my personal preference for a good bottom end you can feel.
Faders/Sliders with Bad Trim Settings  This is the result of a mandated "trim settings" given to me a few weeks ago. I was told not to deviate from them, as they had been carefully set a few days before in a practice - the leader didn't want me messing up his mix. I was also told by one of the band members that there is "something wrong with the Avioms" especially for the vocals and drums. There was - lack of understanding and adherence to basic sound concepts and practice. Symptoms: Vocal 3, Vocal 4, and Vocal 1 both could not hear themselves. Everyone else complained of noise or low volume levels for other band members. Various patrons of the house complained they could hear -- muddy or the main singer was "so loud it gave me a headache". The image here was in the first set's song, and the electric guitarist hadn't used his petal yet. When he did, he moved from hear down to infinity. (He had a stage amp, that was so loud, guitar from the board was no longer needed in the space after he got going.) Let's review using the bad example: Q1: Vocal 1 obviously had plenty of signal. - Why could this leader not hear? - How to fix? Q2: Vocal 3 and to a lesser extent Vocal 4 had same issue. - Why could they nor their team members hear them in their in-ears or monitors? - How to fix? Q3: Supposedly, the sound issues were because of bad engineering at the desk and faulting equipment. - What was wrong with the Avioms? - What was wrong at the sound desk? __________________________ A1: Too much signal. The vocal was turning into digital noise which just made everyone's in-ears and/or monitors sound awful. Because V1 was just noise when he sang, the team couldn't hear as the noise ruined the rest of their in-ear mix. A2: V2 and V3 really did have too little signal. These two vocalists really couldn't hear themselves. Neither could the team. A3: Nothing was wrong with the Avioms. The issue was misuse of a set of tools and wondering why there's bad results. Tripp Black May 9 2011 12:54:56 AMMy Windows PC is basically useless. I had a good couple months w/o anything more than the once or twice at most reboot needed a week. I've skirted anything major somehow for the last year or so. That was until Wednesday morning when I found my machine had rebooted early Wednesday morning. Ever since, I have to wait 5-7 minutes for an application to actually start after double-clicking. Resource monitor shows a brief burst and then minimal activity over that 5 minutes or so. Then suddenly, each app just loads like normal - doesn't matter the app. Even the timeout logout/login screen takes about 5 minutes to come up and to then log me back in. Quite a productivity killer. So, to limp along I've left all my apps just running and I leave my little Mac up, for client calls and I needed something where I didn't have an app window already open. Some apps won't start. They give time-out errors. VMware client won't start. Photoshop won't start. Lotus Notes Standard Client and the Admin client starts. Designer won't start. I should have thought about that Tuesday/Wednesday morning update, but it's been a while since a Redmond hangover bit me this hard. Sure enough, the event logs showed an illuminating event message. After the standard messages of apps hard stopping/crashing when Windows Update force rebooted, with the other startup messages is a little message that says something like "Windows has determined that you have an incompatibility with your system firmware, and has disabled certain performance processor features. Visit your PC vendor to get updated BIOS firmware." I'd give you the exact message but it would take over 30 minutes for me to boot the PC and wait for my 5-7 tray icons to load (each taking 5 minutes) and another 5 to wait for Event Viewer to load. I checked my motherboard maker. The board is about 3 years old, so they don't have newer firmware than beginning of 2010. My motherboard and processor may only be 2.4 Ghz duel-core processor, but it was a very nice motherboard and processor when new. It's still fast enough, well until Wednesday it was. I tried my Ubuntu live CD and my machine loads Ubuntu apps just fine. Figures. So it's not a hardware issue. I was lucky to run Windows 7 for a year without having to reinstall. Most people I know w/7 had had multiple reinstalls. The difference is that I know better. With everything else going on right now, I just need a machine that "just works". I definitely don't have a 3-4 days to rebuild by Windows 7, apply patches, and all my apps again. I'm only running Windows as at all, because I have to do so for Lotus Designer. They don't have an Ubuntu/Linux or Mac version. I really have only two choices, install XP SP3 back on the machine, or go spend more money a new MB. I'd do the first option and just wait another year or two, except that I'm not sure if Lotus 9 will be supported on XP SP3. I'm thinking they will. IBM is great in this aspect. However, for the next few days though, I'll just leave the PC off and wish I'd turned off Windows Update in time . . . Tripp Black May 7 2011 05:56:15 PMI was recently given a list "starting settings" which included starting Trim (Gain) and EQ settings for the typically most used channels on a small 24 channel board. It also included drum EQ settings with the instructions to "do not touch" those settings from the Head of Sound. Great time had been spent tightening the drums and then setting the EQ on the board to just right. So obviously protection was desired for that time and the settings. So a couple days later, I got to try out the new settings my next time on the board, here's what fader levels I ended up using for the drums:  From Left: Snare - Tom - Lo Tom - Kick Although a picture doesn't normally let you hear a couple problems, but this time it can. (Despite the dark room and grainy picture.) Notice the input meter for the Kick is +5 to +10 dB. 0 dB is where you really should stop. An occasional blip into +5 is fine, but not a constant +5 and common blips into +10. Although this board is a nice board and doesn't clip till +10, it doesn't mean you need to run it that "hot", especially if you are sending an output to Avioms, which have a traditional 0 dB max before you get just a mass of loud "fuzz" or "static" - aka clipping. Normally, a quick fix would be in order to reduce the trim and or adjusting EQ. In this case, it didn't matter for the house mains, because of the fader levels. Since tightening, the drums do sound tight. In this relatively small space, they are also more pronouced and have more punch than ever. In this regard, the work on the drums may be successful. With the new tightened heads, no amplification was needed. Previously, I did use to bring up the faders to around -40 depending, and around -20 for the kick. Although, we got to hear the drums basically un-plugged, what can we say for the perfect EQ settings so important they carried a "no touch" command?. Unfortunately, most of the night the electric guitar had the same problem - careful massaged EQ settings on the board only to have the fader rarely leave infinity.The guitar's amp was on stage with a mic, but whose volume was up enough to also require no other house amplification. If there is any good news, my job was more turn-key, I had only keys, and acoustic and a few vocal tracks to manage as best I could within the baseline of the drums and electric. So in summary, if your faders are showing the symbol infinity (or nothing being sent), how much of that great EQ made it into the house? |
|