Proposal for WIRED internet interface/mail box
Tom Jennings, tomj@wps.com
voice 552-8156

revised
24 June 93

to: Louis Rossetto, louis@wired.com 
    Will Kreth, will@wired.com

This proposal covers specifying a computer for WIRED's own purchase
(not resold through me), installation of the required basic software
(Unix, etc) and customization to support WIRED's needs (below),
and finally, documentation and complete "knowledge transfer" to
WIRED employees so that WIRED can handle all routine maintenance
and operation.

What follows is an expansion of some detail, with prices, and a summary
at the end.



WIRED'S NEEDS:

	* A reliable link between the internet (via the little garden)
	  and WIRED's internal network.
	* Adequate security to prevent cracking. (See note(1) below.)
	* A complete email (SMTP) setup with easily configurable 
	  aliases, mailing lists, etc.

	**** Interconnection to WIRED's existing LAN email software
needs to be better defined; mainly I just don't know what it is.
This proposal does NOT include time to port or interface to the existing
mailer. It's probably not a Big Deal; we will just have to go over it
separately.

NOTES:
(1) The specific services you provide (mail only, gopher, ftp,
anonymous ftp, etc) directly affect the security setup. Fewer
services, fewer hassles, fewer security holes, less setup work from
me. I'll assume that you want gopher and anonymous ftp.

I will also assume you want full anonymity for WIRED staff (eg.
"editor@wired.com" can be pointed to any email address in an
undetectable fashion.) Finger will be changed so that it will provide
the user with a pre-determined text file, rather than a compromising
security hole.




HARDWARE:

I realized your RFP specifically said not to spec hardware; however I
take this to mean you want to avoid getting taken on twice-resold
markups. The prices I quote below are "my cost" from Toptek (Taraval,
San Francisco, 564-3500) and should be quite competitive. Toptek will
exchange no-questions-asked on faulty hardware and have good support. 

While you should feel free to look at other hardware and prices, since
the functions you want (email, gopher, etc) pretty much require unix,
and therefore affects the hardware, there is a strong interrelation
between them.

It looks like a 486-based pclone is the choice based upon both economics
and performance. The following machine is more than adequate for your
needs today (given above) allowing for expansion. If more resources are
needed in a linear fashion, say disk or memory, they can be added to
this box. If more functionality is needed, such as graphics, I'd
strongly suggest obtaining another box tuned for this purpose; the
mailbox machine should remain mostly user-free, as many people will be
relying on it continuously and increasingly.

	Intel 80486, 50MHz
	16 MB ram
	540 mb SCSI disk
	Ethernet interface
	serial interface
	Adaptec SCSI adapter (the "good" adapter)
	VGA screen with white 14" monochrome adapter
	Keyboard, case, power supply, etc

	Total system cost:		$2940


THIS DOES NOT INCLUDE:

	* SCSI tape backup system
	* SCSI CD-ROM drive

	(Tape system price: 		$~550)

An adequate tape backup system is *required* for any reasonable system.
If you don't have a SCSI tape of recent vintage (some older ones don't
support modern SCSI commands, and other technical distractions) there
are two choices -- get a new tape drive, or possibly hack the tape
driver to accommodate the older drive. Likely it will work as-is.

The CD-ROM drive is required only to read the unix distribution CD-ROM
(I'm getting ahead of myself; see below). I have not priced CD-ROM
drives with SCSI interfaces (1) hoping that you already have one and/or
(2) the prices can be found from any issue of COMPUTER SHOPPER or equiv.

I would strongly suggest 300 mb as the smallest usable disk; this would
leave you 50 -- 100 mb disk space. 540 mb would leave you approx. 300 mb
free. If later you needed much more (image libraries, whatever) you
could add another disk drive internally. A 1.3 gb (1300 mb) drive costs
about $1200 -- $1500 (seems to change daily :-). Adding this as a second
drive is very feasible, for a total of ~1900 mb.

While you could probably run adequately in 8 mb RAM, you will quickly
outgrow it. This machine will be expandable to 32 mb RAM. 16 is "more
than enough" for email, gopher, ftp, etc. Memory is about $40/mb today.
Note that memory must be added in 2X increments; if you have 16 mb, you
can add another 16 mb only, not 4 mb, etc.


Lastly, a decent color monitor runs around $400, while decent
monochrome VGA about $150. There is no need for color on this
machine, and color will only invite extraneous use (see SOFTWARE, below).


SYSTEM SOFTWARE

I suggest BSDI (Berkeley unix 4.3 for the Intel x86 family). While
386BSD is "free", it is still hackish, and there is no support
other than your local hacker (me :-). BSDI is reasonably priced,
has good support and comes highly recommended from users that I
know. Pricing is as follows:

	BSDI, complete with all sources:	$995
	BSDI, executables only:			$495
	Later upgrade, executables to sources:	$600

Really, there's no great need for the sources here; in spite of
current unix fashion, you want a turnkey box, free of extraneous
hackery. While some specific things (such as drivers) might need
recompilation, they can be dealt with easily and at no or very low
cost one by one. Likely, none will be needed.

BSDI comes on a CD-ROM, hence the need for the drive. It can also
be obtained on 8mm or 1/4" tape. If you end up buying one of these,
and don't have a CD-rom, this may be an option. Just fuel for the
fire.


I would suggest installing the "X" windowing package on this machine.
While it loves to eat memory (hence the 16 mb suggested over 8 mb)
the functionality is worth it.

A major side effect of choosing a monochrome monitor over color is
to discourage in-house fiddling on the pretty screen. This machine
should be a boring, reliable workhorse. A monochrome bit-mapped
"X" screen is more than adequate for maintenance and operation,
but probably not snazzy enough to encourage the moving of various
projects to, incrementally, over time...



CUSTOMIZATION:

Most of what I know you need, email setup, anonymous ftp, gopher,
etc, can be done using very standard tools and very standard scripts
and text files. I am quite a fanatic about using standard tools to
do standard jobs, which avoids performance, documentation and
reliability problems, right from the start.

** The Internet/Little Garden link will be on this machine, hopefully
using a Zyxel 1496-E modem. I will make this a reliable link with
the following characteristics:

	* Link automatically reestablished in case of loss
	* The phone call is made from the Toad Hall end, to 
	  avoid the outgoing call business rate
	* Inability to establish link causes notification of
	  selected people.

** While I will certainly document the details, and put commonly
changed files like mailing-list list etc in places where they can
be easily edited by Will, anything beyond this will require some
basic Unix knowledge.

** There is an excellent "how to use" book on Unix written by
O'Reilly & Associates. It assumes you are smart, know how to use
some computer stuff, and covers basic unixisms but doesn't try to
make a wizard out of you.

Most of the security issues you have are not spectacular, and just
require careful work. Some of the glaring holes such as the infamous
"finger" command can be turned from liabilities into assets: for
example, any 'finger' command to my host simply returns a canned
text file, in which I put basic contact info, much like a business
card. "For information on X, see Y..." etc. None of this "root idle
for 10 minutes in directory /secrets" crap!

Mail aliasing can be done with scripts to hide the aliased-to name,
so that poking around in SMTP will not reveal the person under the
post.

Note that while it's reasonably straightforward to set up a secure
system, maintaining it that way is the hard part. Changes made six
months later need to adhere to the basic security guidelines set
up originally. This is how most systems get screwed up. (Besides
the obvious password problems.)

** Unix generates (and can be made to generate more) useful logging
information which, if no one reads it, is wasted, and possible problems
will be missed until they turn into disasters. One solution I
suggest which I use on my system is to daily email critical log
files to the 'root' or whatever system-administrator user. It takes
me almost no time (say 3 - 4 minutes) to read through the logs
every day. Most errors are routine; some remote system down, so
that an email message is deferred, etc.  It turns a hated, put off
and mind-numbing job into something you glance at in the "morning"
to get started.


** I will also install the "TCPD wrapper" security device. This is
a small program that is silently inserted "in front of" all
outside-available services, and logs each access. For instance, I
log all telnet, ftp and finger accesses. Sometimes I see surprising
things.  They add no overhead and consume no resources.
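
Added example (not part of the original proposal and not the author's own script): one way to turn the wrapper's syslog records into the short daily digest described in the two paragraphs above. The sample log lines, host names and the commented mail command's path are constructed placeholders; the "connect from" / "refused connect from" message text is what tcpd writes through syslog.

```shell
#!/bin/sh
# Added example: condense tcpd (TCP wrapper) syslog lines into a daily digest.
# All log lines below are constructed; hosts use reserved example names/addresses.

sample_log() {
cat <<'EOF'
Jun 24 02:10:11 mailhost in.telnetd[411]: connect from admin.example.com
Jun 24 03:12:45 mailhost in.fingerd[502]: connect from 192.0.2.7
Jun 24 03:12:51 mailhost in.fingerd[503]: connect from 192.0.2.7
Jun 24 03:13:02 mailhost in.telnetd[504]: refused connect from 192.0.2.7
Jun 24 09:30:00 mailhost in.ftpd[610]: connect from reader.example.org
Jun 24 09:31:17 mailhost sendmail[611]: AA00611: to=<x@example.net>, stat=Deferred
Jun 24 11:02:40 mailhost in.ftpd[702]: connect from user@198.51.100.20
EOF
}

# digest: syslog lines on stdin -> "count result service source", refused first,
# then busiest first. Lines that are not tcpd connection records are ignored.
digest() {
  awk '
    / connect from / {
      svc = $5; sub(/\[[0-9]+\]:$/, "", svc)   # "in.fingerd[502]:" -> "in.fingerd"
      result = ($6 == "refused") ? "REFUSED" : "ok"
      src = $NF; sub(/^.*@/, "", src)          # tcpd may log user@host; keep the host
      n[result " " svc " " src]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k2,2 -k1,1nr -k3
}

# Daily use (log path and recipient are placeholders, e.g. run from cron):
#   digest < /path/to/syslog-file | mail -s "tcpd digest" root

sample_log | digest
```

Seven raw lines become five digest lines, with the refused telnet attempt at the top and the repeated finger probes from the same address collapsed into one counted entry.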

I would suggest buying a bunch of the O'Reilly & Associates unix
books.  They run about $25 each. Since you'll have the damned box
in your building you should have dox for it, even if you plan on
using outside consultants for deep system work.


MY LABOR:

	* Sit with WIRED staff and write down needs and specifications (2)
	* Install basic system software (6)
	* Standard customization (sic) of unix mail, etc (4)
	* Install and test reliable network modem link (6)
	* Additional customization: (6)
	    * Added security wrapper
	    * Clean, hidden aliasing
	    * Setting up users
	* Documentation and familiarizing WIRED staff (4)
	  with its operation
	* 8 Hours of additional time in the month following (8)
	  final acceptance.

	* Connection to existing email system not included so far. 
	  It may be a simple job, we just need to determine that.

Assuming we end up working together, we need to predetermine how
to handle contingencies. Tuning and such within the first month or
so is likely; likely 8 hours is enough for this. Unless we work
something else out, I propose that additional hours be billed at
$35 per hour, two hour minimum unless otherwise arranged ahead of
time.

We can do this fixed-price or hourly. I estimate 36 hrs total work,
including the additional 8 at the end. Here's my two offers:

	Fixed price:		$1700
	Hourly:			$50/hour




SUMMARY:

	HARDWARE:			$2940
	SYSTEM SOFTWARE:		 $495
	Sales tacks:			 $291
				      -------
	Total tangibles:		$3726

	LABOR:				$1700 (fixed or estimate)
				      -------
	TOTAL:				$5426

--
end
