
* Posts by gerdesj

1123 posts • joined 15 Aug 2009


Facebook puts 1.5bn users on a boat from Ireland to California

gerdesj
Silver badge
Paris Hilton

$1.6bn

$1.6bn - How many NHSweeks is that?

0
1

Millions of scraped public social net profiles left in open AWS S3 box

gerdesj
Silver badge

Re: S3?

https://haveibeenpwned.com/

3
0

Australia’s .au admins told to reform or get rooted

gerdesj
Silver badge

Bingo

"This includes transitioning the delegation for management of .au to another provider if auDA is unable to achieve necessary outcomes."

This includes getting someone else to do it.

3
0

Facebook faces foe formation in facial fingering fight

gerdesj
Silver badge

Re: OH dear....

"The supplier said the client was free to invoke them, but if they did, the supplier would be filing for bankruptcy as it couldn't afford to pay any.

The public body was stuck between a rock and a hard place."

.. and hopefully now understands the concept of "due diligence" (including insurance)

12
0

Why you shouldn't trust a stranger's VPN: Plenty leak your IP addresses

gerdesj
Silver badge

Re: So ElReg what are you reporting this crap for.

"The only VPN's of any value are the ones that you connect to at your place of Work or Home, if you can keep them secure, don't stuff up, leak your own addresses, crash, staff don't spy on your usage or just............"

So true and yet even the pros make mistakes. Take me for example. I look after quite a few networks, firewalls and the like. I have a newish laptop and decided to put my office OpenVPN connection on it. Fired it up, typed in "whats my ip" into Google and saw my IPv6 address staring back at me. Bollocks. Oh well I'll use the office WANs via the web proxy to get the job done.

I now need to fix up what happens with working IPv6 when connecting to our currently IPv4 only VPN. The assumed policy is that all traffic is gatewayed through the VPN and it isn't. I could simply change the policy I suppose.

4
0

It's baaack – WannaCry nasty soars through Boeing's computers

gerdesj
Silver badge

Aircraft do not use Windows for critical systems.

Imagine being a pilot in a commercial jet on finals and being told that Windows Updates needs to do its thing due to an inadvertent miss configuration (ahem) and "making everything safe" before doing it.

13
0

Java-aaaargh! Google faces $9bn copyright bill after Oracle scores 'fair use' court appeal win

gerdesj
Silver badge
Gimp

IT exists ...

... to keep lawyers in business. I suppose it is one way to repatriate non trivial amounts of dosh to the US:

spend it on sharks.

Trebles all round for m'learned friends *chink*

6
0

Microsoft to lock out Windows RDP clients if they are not patched against hijack bug

gerdesj
Silver badge

"Such a shame the patch kills 2008R2 servers" and Windows 7 and possibly not just on VMware either. We also have several instances of wifi being disabled on Windows 7 on our helpdesk ...

2
1
gerdesj
Silver badge
Linux

"It's also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability."

https://github.com/FreeRDP/FreeRDP/issues/4449

https://github.com/FreeRDP/FreeRDP/issues/4503

https://github.com/FreeRDP/FreeRDP/issues/4498

etc.

It took nearly three whole days from patch Tuesday for a fix to arrive via pacman on my PC.

4
1

Mozilla's opt-out Firefox DNS privacy test sparks, er, privacy outcry

gerdesj
Silver badge

Re: Off the top of my head

"Now I haven't put much thought into this" - You sir win the internet for that comment.

"I personally use Open DNS" - they work very well for many use cases but is yours one of those? ODNS will always respond with an IP address for a request for an A record - their webby server. Is that what you want (unlikely)?

I'll recommend using 9.9.9.9 ie Quad9 for DNS instead. They will not respond with a default address on fail which is what should happen and easier to work with.

7
1

Windows Server 2019 coming next year and the price is going up

gerdesj
Silver badge

Buggrit

Hi, my name is Jon

Hi Jon

I've been clean of Windows on my personal systems for over 10 years now ...

*wow* *well done* (etc ad nauseam)

... but the bigger boys ... they make me do it ... I can edit their docs and use their Exchange (Evolution with EWS) but I feel ashamed - I still can't open OneNotes ...

... I installed PS Core (from my package manager - not via a random download). Apparently it is normal to install any old stuff on a Windows box. I'll stick with curated by someone I've heard of on the end of a GPG sig.

I'm not cured - I like to fix broken AD's I can't help it, they are so sad. I see OpenDNS used for upstream DNS and other things (*).

Cheers

Jon

(*) ODNS will always reply with a record but sadly it might not be the one you want or need

3
7
gerdesj
Silver badge
Alien

"RHEL at least costs a lot more to license in most cases than the equivalent Windows Server!"

That's nice AC! I'm sure it does but thankfully I have choice and I choose to exercise it. I run up Ubuntu LTS (Xenial for now) like they are going out of fashion for servers and use Arch for workstations and Arch and Gentoo for personal use. Not one - just to re-iterate - not one of those (and there are around 300 across the country that I look after) has skipped a beat that I didn't cause in some way.

I also look after quite a few other systems and I can't be so charitable about them. Recently Win 2008R2 and Win7 machines had wifi and ether snags (for VMs) after the latest batch of Windows Updates (funnily enough we'd already documented the fix years ago, nice to see it again). I'm also not close to being mentally scarred (but pissed off) by a recent AV n firewall etc upgrade for a customer on a system I've been a sysadmin for a time range that is near to decades - not just years.

Windows - you can stick it u *** bbbzzzt ***

15
8

YouTube plan to use Wikipedia against crackpots hits snag

gerdesj
Silver badge

Partnership requirement to read?

"In this case, neither Wikipedia nor the Wikimedia Foundation are part of a formal partnership with YouTube"

I'm not in a formal partnership with WP either. Do I need one to read it?

8
10

Samba settings SNAFU lets any user change admin passwords

gerdesj
Silver badge

Re: SO what I'd like to know...

"Is how long this flaw has been around?"

Version 4 of Samba has been around for a while now: https://www.samba.org/samba/history/samba-4.0.0.html. Whilst surveying the view from your horse, you might note flaws have come to light in other systems (hardware and software) that are way older than that.

I have personally fixed a problem by having access to the source. Per system connection limits from a Samba box to another system (using CIFS/SMB ie for "drive mappings") were fixed to 256 by a constant in the code. I increased the value and recompiled. Problem fixed. That was with Samba 3 a long time ago but the point remains.

7
6

Oh honey! Oxfordshire abuzz with reports of a MEEELLION bees stolen

gerdesj
Silver badge

@Kugutsu

Agreed - that's a lot of colonies in one location. They may be breeding for sale or it could be insurance enhanced counting.

2
0

Intellisense was off and developer learned you can't code in Canadian

gerdesj
Silver badge

I had never realised (sic) that Canadians are illiterate(*) too... :-)

Canadians are likely to be keen on French style spellings, for some reason that escapes me. Anyway, colour etc were the original spellings across the board until the US decided they were un-American a few years back.

7
3

DropEverything! DropBox DropsDocs to DropStocks

gerdesj
Silver badge

Now I use spideroak. I pay 120$ a year for unlimited zero-knowledge encrypted storage. Currently using 9 TB. :)

I can't see that plan here: https://spideroak.com/one/ $279 for 5TB seems to be the top of the range. I do hope that zero knowledge is not simply a prescient comment on your future data availability.

Also, why is this needed for a zero knowledge data storage silo: https://spideroak.com/dmca-takedown-notice-submission/ ?

1
0

VMware sticks finger in Meltdown/Spectre dike for virtual appliances

gerdesj
Silver badge

Disable the shell for operators

I've just read the vCentre 6.5 mitigation doc. It is to disable the shell on all non root accounts and disable the shell. Seems obvious really when you think about it and not such a bad idea.

2
0

Apple's top-secret iBoot firmware source code spills onto GitHub for some insane reason

gerdesj
Silver badge

Re: Got my copy!

"Anon because of admitting that."

Bloody browsers and their convenient auto login features or is the post anon tick box broken?

9
0

MY GOD, IT'S FULL OF CARS: SpaceX parks a Tesla in orbit (just don't mention the barge)

gerdesj
Silver badge

Good skills.

4
0

Open source turns 20 years old, looks to attract normal people

gerdesj
Silver badge

Re: Open source is leading to single source

"Free BSD exists, and I think it is vastly superior to the GNU/Linux family of distributions. You may disagree, that's fine, the point is there is competition, and there is a choice."

I've never seen FreeBSD with a space in it. However, I'm a fan too via pfSense - I look after rather a lot of them. Thankfully my Linux accent when speaking to the shell doesn't get in the way too much.

Your point about competition and choice is, in my opinion, the most important thing.

WE HAVE CHOICE - USE IT.

10
1

Spectre shenanigans, Nork hackers upgrade, bad WD drives and more

gerdesj
Silver badge
Gimp

Black Dev Ops

Remember software development takes a while. If you are putting off patching Meltdown and Spectre because there are still no known nasties out there then you may be in for a nasty surprise soon enough.

As well as patching, why not use this as a good time to check up on your backups, fix up the leaky firewall and push through a proper password policy? If you are particularly brave, why not see if you can scare the purse string holders into 2FA?

8
0

Maybe you should've stuck with NetWare: Hijackers can bypass Active Directory controls

gerdesj
Silver badge

Re: OS vs. Directory Service

dsrepair -ot -xk3

1
0

Intel alerted Chinese cloud giants 'before US govt' about CPU bugs

gerdesj
Silver badge

Re: Possible word to wise...

"Yes, but El Reg is only noted with faint praise."

To be honest, all articles I read related to this mentioned el Reg as source, faint or otherwise. I think you'll find that el Reg is known around the place.

It's a bloody red top, for goodness sake. Who wouldn't take them seriously? ... tut ...

3
0

Acronis: Ransomware protection! Get yer free ransomware protection!

gerdesj
Silver badge

Re: I've asked before, but:

@Dave This may or may not help:

Configure a share on your NAS for backups with a new account that only has access to that share. Remove all access to that share from all other accounts. Use a backup program that allows you to use separate credentials. The purpose of this is to avoid a ransomware nasty deleting your backups.

Yes your backup program will backup whatever you tell it to, so you need to monitor your filesystems. To mitigate this I use several approaches. A script goes off daily that looks for file changes, counts them and emails me the result - I look out for a large number of changes and odd file extensions appearing. The second mitigation is to use a grandfather/father/son backup regime - so 4 quarterly, 12 monthly, 4 weekly and then the dailies or whatever you have space for on your NAS. Really important files get a one way mirror to a remote location (NextCloud, which is also backed up). By one way mirror I mean that deletions are not sync'd. If a ransomware thing goes off, then the original un-encrypted files are still there but one day they may leave the filename intact, so that may not work. However, NextCloud does versioning so an overwrite, even with the same name will leave the previous version available.

10
0
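An added sketch of the daily change-count check described in the post above (not the poster's script): it snapshots a directory tree, diffs it against the previous snapshot, and flags the run when the change count or an unfamiliar extension suggests mass encryption. The threshold, the extension allow-list and all function names are assumptions for illustration.

```python
import os
import tempfile
from collections import Counter

# Assumptions for illustration: tune both to the share's normal daily churn.
KNOWN_EXTENSIONS = {"", ".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}
CHANGE_THRESHOLD = 5


def snapshot(root):
    """Return {relative_path: (size, mtime_ns)} for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # file vanished mid-scan; it shows up as removed next run
            state[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns)
    return state


def compare(old, new):
    """Count added/removed/modified files and tally unfamiliar extensions."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    modified = {p for p in set(old) & set(new) if old[p] != new[p]}
    odd = Counter()
    for path in added:
        ext = os.path.splitext(path)[1].lower()
        if ext not in KNOWN_EXTENSIONS:
            odd[ext] += 1
    total = len(added) + len(removed) + len(modified)
    return {
        "added": len(added), "removed": len(removed), "modified": len(modified),
        "odd_extensions": dict(odd),
        "alert": total >= CHANGE_THRESHOLD or bool(odd),
    }


def format_report(result):
    """Body of the daily email; sending it is left to the local mail setup."""
    flag = "ALERT" if result["alert"] else "ok"
    return (f"[{flag}] added={result['added']} removed={result['removed']} "
            f"modified={result['modified']} odd={result['odd_extensions']}")


def demo():
    """Constructed sample: four documents, three replaced by *.locked copies."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(4):
            with open(os.path.join(root, f"report{i}.docx"), "w") as fh:
                fh.write("quarterly figures\n")
        before = snapshot(root)
        for i in range(3):
            os.remove(os.path.join(root, f"report{i}.docx"))
            with open(os.path.join(root, f"report{i}.docx.locked"), "wb") as fh:
                fh.write(os.urandom(32))
        after = snapshot(root)
    return compare(before, after)


if __name__ == "__main__":
    print(format_report(demo()))
```

In practice the previous snapshot would be stored somewhere the monitored accounts cannot write, for the same reason the post keeps the backup share behind separate credentials.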

STOP! It's dangerous to upgrade to VMware 6.5 alone. Read this

gerdesj
Silver badge

RTFM

If you have a large setup then RTFM first before doing a major job

https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-upgrade-guide.pdf page 43, Important. That took one simple search ("vmware 6.5 upgrade guide") and a skim read to find.

15
0

Samba 4.8 to squish scaling bug that Tridge himself coded in 2009

gerdesj
Silver badge

Re: Samba is still relevant?

"So.. SMB is dead... ditch it, kill it, burn it."

RLY? You are obviously not daft but your experience is a bit lacking. SMB is used to throw a lot of data around the place and it has changed somewhat between 2000 and 2018. When you enable signing and encryption you get security and authenticity. Your comment alludes to it but I would humbly suggest that "tools for the job" is a bit shorter.

One Drive for Bus.: I own my business (we are an MS reseller as well) and I'll keep my data in the UK, on my gear, with NextCloud.

File shares do not have logs but systems do. Mine end up in a bloody great ES cluster with Graylog on the front.

1
0

Death notice: Moore’s Law. 19 April 1965 – 2 January 2018

gerdesj
Silver badge

Re: You do know that Moore’s law says nothing about speed?

"From what I remember, many of those dimensions are a wee bit small."

Something like 7 x 10^34 linguine.

7
0

Unlocked: The hidden love note on the grave of America's first crypto power-couple

gerdesj
Silver badge

British Elizabethan

Britain wasn't available when Sir Francis Bacon was alive. He was an English Elizabethan or as we like to say: Elizabethan.

22
1

Home Office admits it sent asylum seeker’s personal info to the state he was fleeing

gerdesj
Silver badge
Joke

GDPR

When GDPR kicks in could they sue for 4% of UK GDP?

9
2

HMS Queen Elizabeth has sprung a leak and everyone's all a-tizzy

gerdesj
Silver badge

Re: Minor problem

This is the fault that is "leaked" to the press. We won't hear about the real snags that were found.

24
2

Japanese quadcopter makes overworked employees clock out

gerdesj
Silver badge

Re: I can save them $4,500 per month

It isn't rocket science. However I suspect that Japanese culture is a little different to ours (?)

Reading between the lines and some crazy 2+2 style reasoning leads me to conclude that someone is willing to blow $4,500 per month on an "innovative" solution to a non-problem (where I'm from - UK). However, I can imagine that I might come up with some pretty crazy sounding schemes if I had to attempt to break cultural norms. It would appear that in Japan that throwing technology - the brasher the better - is a good start to doing something pretty radical (breaking cultural norms). I've seen dafter from HR in the past 8)

This (Japan) is a land where it is apparently good form to fall asleep in a meeting, provided it is obvious that you have been burning the candle at both ends (for the firm). If that happens here, then the more humiliating the wake up, the better, is sometimes the rule. I'm not sure who is dafter ...

7
0
gerdesj
Silver badge
Alert

I can save them $4,500 per month

Managers. If they can't manage properly, then a little education followed by performance related HR procedures should get the job done. Drones in the office sounds a bit dangerous, no matter how well meaning. Besides, who is ensuring the operator (there is a human responsible for these things, I assume 8) is getting enough "life"?

I am, of course, attacking the problem from the perspective of a UK business owner. If renting drones to get people out the door at huge expense is a viable solution, then I think there is a bit of a culture difference.

Strangely enough I rarely have to boot someone out. It's not that my staff are lazy or not committed - they do go above and beyond as required and that is the key point - as required and not routinely. We are an IT firm and we've all had to pull all nighters or whatever to get someone out of the shit. We also strive to avoid the shit in the first place. We even have ISO 9000 etc to demonstrate as such. Sometimes reality matches our policies and processes ...

26
0

UK.gov law resources now untrustworthy, according to browsers

gerdesj
Silver badge
Childcatcher

How bloody hard is it?

* Put a recurring entry in your financials

* Put a recurring appointment in your email client

* Use a monitoring system - the open monitoring plugins can do a check for pending expiry

* Check with your browser every now and again

* Don't ignore the tons of imminent expiry emails sent by vendors

Yes I do know why nearly all of those examples apart from a proper monitoring system will fail. Personal email address rather than a group one along with mail blindness will bugger several.

Laziness will account for most other failure modes.

2
0

Microsoft emergency update: Malware Engine needs, erm, malware protection

gerdesj
Silver badge

You couldn't make this stuff up.

"You couldn't make this stuff up."

No you can't make it up. As it turns out, the software on your computer is bloody complicated and funnily enough it isn't perfect. I don't have MS' stats but I do know that the Linux kernel is roughly 70,000 files with rather a lot of LoC.

As it turns out, bugs happen.

19
19

OK Google: A stranger with stash of pirated films is spamming my Google Team Drive

gerdesj
Silver badge

Re: Still someone else's computer

"It's a fair bet that setting up a file sharing system with one of THOSE, even one that involves user names and passwords, wouldn't be all THAT hard..."

It's pretty easy - Nextcloud.

I run four of them. One of which has about 800 users. My wife's phone would have exploded long ago if I wasn't shipping photos and vids off it via Foldersync to my home instance.

5
0

Spy-on-your-home Y-Cam cameras removes free cloud storage bit

gerdesj
Silver badge

Zoneminder

I haven't had a Y Cam for a while now but: https://wiki.zoneminder.com/Y-Cam (I wrote a fair bit of it).

4
0

Hey girl, what's that behind your Windows task bar? Looks like a hidden crypto-miner...

gerdesj
Silver badge

Because you can't be arsed

As it turns out: not everyone runs Windows. There are a few Unix styled boxes around, some are fruity but the rest are useful.

11
68

As Apple fixes macOS root password hole, here's what went wrong

gerdesj
Silver badge
Stop

Bit of a pain

This little number is rather more nasty than every bug (with a funky name) that has been touted for years. This is *root* with no password. This is: I can ssh or RDP into your box with no password.

I don't have to mess about with anything fancy - your system has absolutely no protection against me: your root account has *****no fucking password *****.

I suggest you set one yourself. Apple seems to have let you down.

7
4

Thou shalt use our drone app, UK.gov to tell quadcopter pilots

gerdesj
Silver badge

"The problem with "common sense" is that it's so often wrong"

Absolutely: you don't allow for error - navigation or mechanical.

1
1

'Urgent data corruption issue' destroys filesystems in Linux 4.14

gerdesj
Silver badge
Linux

"Do not use ".0" release. And if you do, you should know what you are doing. "

He's a Gentooer (like myself but far more knowledgeable). You don't run Gentoo and shy away from .0 software. To be honest you normally embrace pre-release, let alone released. That's how bugs get found.

You have to repair your systems from time to time in new and amusing ways but Gentoo is great fun. In winter it will even keep you warm when you do an update so you can turn down the heating.

21
1

DNS resolver 9.9.9.9 will check requests against IBM threat database

gerdesj
Silver badge

Re: Does not work very well

$ dig @9.9.9.9 google.com A

;; ANSWER SECTION:

google.com. 11 IN A 216.58.213.78

;; Query time: 6 msec

;; SERVER: 9.9.9.9#53(9.9.9.9)

;; WHEN: Mon Nov 20 13:11:23 GMT 2017

6 milliseconds isn't too bad in my book. Bear in mind my PC has to traverse at least three switches, my office router/firewall cluster, my ISP and perhaps a fair bit of internet.

5
0

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

gerdesj
Silver badge
Childcatcher

Barclays

I'm a Barclays customer FWIW and I login to this: https://barclays.lifestylegroup.co.uk/auth

That gets an A+ at SSL Labs and supports HSTS and PFS.

0
0

VMware open sources VR overlay for vSphere

gerdesj
Silver badge

Done before - to death

Years ago there was a toy that put your filesystem into Doom. You could run around it and shooting files ran rm.

3
0

Tor blimey, guv'nor: Firefox to try on privacy tool's Canvas gloves to leave fewer fingerprints

gerdesj
Silver badge
Childcatcher

Sailing not surfing

If you mess with <canvas> too much you will break the internet *sigh* as far as many users are concerned.

I can't see a decent way out of this tracking nonsense without a complete rewrite of how a browser uses a webserver. At the moment there is no direct analogy for websites and with the way eyeballs work. Eyeballs passively receive photons of light -> *stuff* -> image in head. Browsers don't do that, they connect, spew loads of details about themselves with each connect and run (nearly all) whatever code is sent back.

1
3

Fine, OK, no backdoors, says Deputy AG. Just keep PLAINTEXT copies of everyone's messages

gerdesj
Silver badge
Childcatcher

Metadata -> Data

So, assuming that agency X request details, only having metadata and approach A: Alice's IP connected to port 25 at Bob's IP and sent a stream of TLS encrypted stuff.

OK so port 25 should imply email (SMTP) and X gives a precise date and time and A keeps logs and mail archives and keeps precise time.

There are at least six assumptions in the above short paragraph, each of which needs to be proven to ensure that the data provided really matches the request. I can make the example really complicated without even sweating. I wonder why key escrow or (state sanctioned) direct cracking etc are considered more desirable as routine policy by .gov?

5
0

Fake tech support 'scam' husband and wife banned FOR LIFE from computer repair world

gerdesj
Silver badge

Re: Thats a plan...

Such a blacklist already exists. It's called: "Sure, here's my hourly rate."

That does work well until your SO casually recommends you to one of their mates/colleagues ...

14
1

RIP HPKP: Google abandons public key pinning

gerdesj
Silver badge

Expect-CT

Wondering what Expect-CT is? This bloke knows what he is on about:

https://scotthelme.co.uk/a-new-security-header-expect-ct/

2
0

If you say it loud enough, Uber will sound atrocious: Super Cali juristic discrimination process

gerdesj
Silver badge

Can you stop with the "super cali" stuff now? You'll never better the original Sun, and it's beginning to appear desperate.

True: you won't beat the Sun on this classic, given that one of their hacks created the original. However el Reg have managed some pretty decent riffs on it over the years. I don't see it as desperate but more as a nod or hat tip to a bloody good headline from long ago. Nowadays we kool kids - (I'm 47) call this sort of thing a "meme".

el Reg does "Super Cali" in the same way that Private Eye does "bloke with younger bird piccy". (My quotes).

9
0

Discover potholes in the information super-highway with this handy new tool (which itself just hit a roadblock)

gerdesj
Silver badge

Re: Time to update that certificate, but otherwise

Calendar? What, a recurring appointment style of thing? Madness.

For extra points make sure it is created by someone with their personal account rather than a shared one, who moves on a few weeks later ...

3
0


The Register - Independent news and views for the tech community. Part of Situation Publishing