1123 posts • joined 15 Aug 2009
$1.6bn - How many NHSweeks is that?
"This includes transitioning the delegation for management of .au to another provider if auDA is unable to achieve necessary outcomes."
This includes getting someone else to do it.
Re: OH dear....
"The supplier said the client was free to invoke them, but if they did, the supplier would be filing for bankruptcy as it couldn't afford to pay any.
The public body was stuck between a rock and a hard place."
.. and hopefully now understands the concept of "due diligence" (including insurance)
Re: So ElReg what are you reporting this crap for.
"The only VPNs of any value are the ones that you connect to at your place of Work or Home, if you can keep them secure, don't stuff up, leak your own addresses, crash, staff don't spy on your usage or just............"
So true and yet even the pros make mistakes. Take me for example. I look after quite a few networks, firewalls and the like. I have a newish laptop and decided to put my office OpenVPN connection on it. Fired it up, typed in "whats my ip" into Google and saw my IPv6 address staring back at me. Bollocks. Oh well I'll use the office WANs via the web proxy to get the job done.
I now need to fix up what happens with working IPv6 when connecting to our currently IPv4 only VPN. The assumed policy is that all traffic is gatewayed through the VPN and it isn't. I could simply change the policy I suppose.
Aircraft do not use Windows for critical systems.
Imagine being a pilot in a commercial jet on finals and being told that Windows Update needs to do its thing due to an inadvertent misconfiguration (ahem) and "making everything safe" before doing it.
IT exists ...
... to keep lawyers in business. I suppose it is one way to repatriate non trivial amounts of dosh to the US:
spend it on sharks.
Trebles all round for m'learned friends *chink*
"Such a shame the patch kills 2008R2 servers" and Windows 7 and possibly not just on VMware either. We also have several instances of wifi being disabled on Windows 7 on our helpdesk ...
"It's also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability."
It took nearly three whole days from patch Tuesday for a fix to arrive via pacman on my PC.
Re: Off the top of my head
"Now I haven't put much thought into this" - You sir win the internet for that comment.
"I personally use Open DNS" - they work very well for many use cases but is yours one of those? ODNS will always respond with an IP address for a request for an A record - their webby server. Is that what you want (unlikely)?
I'll recommend using 184.108.40.206 ie Quad9 for DNS instead. They will not respond with a default address on fail, which is what should happen and is easier to work with.
Hi, my name is Jon
I've been clean of Windows on my personal systems for over 10 years now ...
* wow* *well done* (etc ad nauseam)
... but the bigger boys ... they make me do it ... I can edit their docs and use their Exchange (Evolution with EWS) but I feel ashamed - I still can't open OneNotes ...
... I installed PS Core (from my package manager - not via a random download). Apparently it is normal to install any old stuff on a Windows box. I'll stick with curated by someone I've heard of on the end of a GPG sig.
I'm not cured - I like to fix broken ADs, I can't help it, they are so sad. I see OpenDNS used for upstream DNS and other things (*).
(*) ODNS will always reply with a record but sadly it might not be the one you want or need
"RHEL at least costs a lot more to license in most cases than the equivalent Windows Server!"
That's nice AC! I'm sure it does but thankfully I have choice and I choose to exercise it. I run up Ubuntu LTS (Xenial for now) like they are going out of fashion for servers and use Arch for workstations and Arch and Gentoo for personal use. Not one - just to re-iterate - not one of those (and there are around 300 across the country that I look after) has skipped a beat that I didn't cause in some way.
I also look after quite a few other systems and I can't be so charitable about them. Recently Win 2008R2 and Win7 machines had wifi and ether snags (for VMs) after the latest batch of Windows Updates (funnily enough we'd already documented the fix years ago, nice to see it again). I'm also not close to being mentally scarred (but pissed off) by a recent AV n firewall etc upgrade for a customer on a system I've been the sysadmin of for a time range that is near to decades - not just years.
Windows - you can stick it u *** bbbzzzt ***
Partnership requirement to read?
"In this case, neither Wikipedia nor the Wikimedia Foundation are part of a formal partnership with YouTube"
I'm not in a formal partnership with WP either. Do I need one to read it?
Re: SO what I'd like to know...
"Is how long this flaw has been around?"
Version 4 of Samba has been around for a while now: https://www.samba.org/samba/history/samba-4.0.0.html. Whilst surveying the view from your horse, you might note flaws have come to light in other systems (hardware and software) that are way older than that.
I have personally fixed a problem by having access to the source. Per system connection limits from a Samba box to another system (using CIFS/SMB ie for "drive mappings") were fixed to 256 by a constant in the code. I increased the value and recompiled. Problem fixed. That was with Samba 3 a long time ago but the point remains.
Agreed - that's a lot of colonies in one location. They may be breeding for sale or it could be insurance enhanced counting.
I had never realised (sic) that Canadians are illiterate(*) too... :-)
Canadians are likely to be keen on French style spellings, for some reason that escapes me. Anyway, colour etc were the original spellings across the board until the US decided they were un-American a few years back.
Now I use spideroak. I pay 120$ a year for unlimited zero-knowledge encrypted storage. Currently using 9 TB. :)
I can't see that plan here: https://spideroak.com/one/ $279 for 5TB seems to be the top of the range. I do hope that zero knowledge is not simply a prescient comment on your future data availability.
Also, why is this needed for a zero knowledge data storage silo: https://spideroak.com/dmca-takedown-notice-submission/ ?
Disable the shell for operators
I've just read the vCentre 6.5 mitigation doc. It is to disable the shell on all non-root accounts and disable the shell. Seems obvious really when you think about it and not such a bad idea.
Re: Got my copy!
"Anon because of admitting that."
Bloody browsers and their convenient auto login features or is the post anon tick box broken?
Re: Open source is leading to single source
"Free BSD exists, and I think it is vastly superior to the GNU/Linux family of distributions. You may disagree, that's fine, the point is there is competition, and there is a choice."
I've never seen FreeBSD with a space in it. However, I'm a fan too via pfSense - I look after rather a lot of them. Thankfully my Linux accent when speaking to the shell doesn't get in the way too much.
Your point about competition and choice is, in my opinion, the most important thing.
WE HAVE CHOICE - USE IT.
Black Dev Ops
Remember software development takes a while. If you are putting off patching Meltdown and Spectre because there are still no known nasties out there then you may be in for a nasty surprise soon enough.
As well as patching, why not use this a good time to check up on your backups, fix up the leaky firewall and push through a proper password policy. If you are particularly brave, why not see if you can scare the purse string holders into 2FA?
Re: OS vs. Directory Service
dsrepair -ot -xk3
Re: Possible word to wise...
"Yes, but El Reg is only noted with faint praise."
To be honest, all articles I read related to this mentioned el Reg as source, faint or otherwise. I think you'll find that el Reg is known around the place.
It's a bloody red top, for goodness sake. Who wouldn't take them seriously? ... tut ...
Re: I've asked before, but:
@Dave This may or may not help:
Configure a share on your NAS for backups with a new account that only has access to that share. Remove all access to that share from all other accounts. Use a backup program that allows you to use separate credentials. The purpose of this is to avoid a ransomware nasty deleting your backups.
Yes, your backup program will back up whatever you tell it to, so you need to monitor your filesystems. To mitigate this I use several approaches. A script goes off daily that looks for file changes, counts them and emails me the result - I look out for a large number of changes and odd file extensions appearing. The second mitigation is to use a grandfather/father/son backup regime - so 4 quarterly, 12 monthly, 4 weekly and then the dailies or whatever you have space for on your NAS. Really important files get a one-way mirror to a remote location (NextCloud, which is also backed up). By one-way mirror I mean that deletions are not sync'd. If a ransomware thing goes off, then the original unencrypted files are still there, but one day they may leave the filename intact, so that may not work. However, NextCloud does versioning so an overwrite, even with the same name, will leave the previous version available.
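The daily change-counting script described above, written out as an added example (this is not the commenter's own script). It walks a share, counts files modified inside a window and flags extensions not in a baseline set; the threshold, the baseline extensions and the sample directory tree are all constructed for the example.

```python
# Added example, not the commenter's own script: a daily change monitor for a
# backup share that counts recently modified files and flags extensions never
# seen there before. Threshold, baseline set and sample tree are constructed.
import os
import shutil
import tempfile
import time
from pathlib import Path

CHANGE_THRESHOLD = 3  # more changed files than this in one window is an alert

def scan_changes(root, window_seconds, baseline_exts, now=None):
    """Return count, relative paths and unfamiliar extensions of files whose
    mtime falls inside the last window_seconds, plus an overall alert flag."""
    now = time.time() if now is None else now
    cutoff = now - window_seconds
    changed, new_exts = [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue  # file vanished between listing and stat
            if mtime >= cutoff:
                changed.append(str(path.relative_to(root)))
                ext = path.suffix.lower()
                if ext and ext not in baseline_exts:
                    new_exts.add(ext)
    return {"count": len(changed), "changed": sorted(changed),
            "new_exts": sorted(new_exts),
            "alert": len(changed) > CHANGE_THRESHOLD or bool(new_exts)}

def build_sample_tree():
    """Constructed fixture: week-old documents plus a burst of fresh rewrites
    carrying an unfamiliar '.locked' suffix; old mtimes are set explicitly."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    week_ago = time.time() - 7 * 86400
    old = ("reports/q1.docx", "reports/q2.docx", "photos/holiday.jpg")
    fresh = ("reports/notes.txt", "reports/q3.docx.locked",
             "reports/q4.docx.locked", "photos/cat.jpg.locked")
    for name in old + fresh:
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample data")
        if name in old:
            os.utime(p, (week_ago, week_ago))  # untouched for a week
    return root

if __name__ == "__main__":
    share = build_sample_tree()
    print(scan_changes(share, 86400, {".docx", ".jpg", ".txt"}))
    shutil.rmtree(share)
```

In production the dict would be formatted and mailed to a group address rather than printed, and the baseline set would be built from a previous scan of the same share.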
If you have a large setup then RTFM first before doing a major job
https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-upgrade-guide.pdf page 43, Important. That took one simple search ("vmware 6.5 upgrade guide") and a skim read to find.
Re: Samba is still relevant?
"So.. SMB is dead... ditch it, kill it, burn it."
RLY? You are obviously not daft but your experience is a bit lacking. SMB is used to throw a lot of data around the place and it has changed somewhat between 2000 and 2018. When you enable signing and encryption you get security and authenticity. Your comment alludes to it but I would humbly suggest that "tools for the job" is a bit shorter.
One Drive for Bus.: I own my business (we are an MS reseller as well) and I'll keep my data in the UK, on my gear, with NextCloud.
File shares do not have logs but systems do. Mine end up in a bloody great ES cluster with Graylog on the front.
Re: You do know that Moore’s law says nothing about speed?
"From what I remember, many of those dimensions are a wee bit small."
Something like 7 x 10^34 linguine.
Britain wasn't available when Sir Francis Bacon was alive. He was an English Elizabethan or as we like to say: Elizabethan.
When GDPR kicks in could they sue for 4% of UK GDP?
Re: Minor problem
This is the fault that is "leaked" to the press. We won't hear about the real snags that were found.
Re: I can save them $4,500 per month
It isn't rocket science. However I suspect that Japanese culture is a little different to ours (?)
Reading between the lines and some crazy 2+2 style reasoning leads me to conclude that someone is willing to blow $4,500 per month on an "innovative" solution to a non-problem (where I'm from - UK). However, I can imagine that I might come up with some pretty crazy sounding schemes if I had to attempt to break cultural norms. It would appear that in Japan throwing technology - the brasher the better - is a good start to doing something pretty radical (breaking cultural norms). I've seen dafter from HR in the past 8)
This (Japan) is a land where it is apparently good form to fall asleep in a meeting, provided it is obvious that you have been burning the candle at both ends (for the firm). If that happens here, then the more humiliating the wake up, the better, is sometimes the rule. I'm not sure who is dafter ...
I can save them $4,500 per month
Managers. If they can't manage properly, then a little education followed by performance related HR procedures should get the job done. Drones in the office sounds a bit dangerous, no matter how well meaning. Besides, who is ensuring the operator (there is a human responsible for these things, I assume 8) is getting enough "life"?
I am, of course, attacking the problem from the perspective of a UK business owner. If renting drones to get people out the door at huge expense is a viable solution, then I think there is a bit of a culture difference.
Strangely enough I rarely have to boot someone out. It's not that my staff are lazy or not committed - they do go above and beyond as required and that is the key point - as required and not routinely. We are an IT firm and we've all had to pull all nighters or whatever to get someone out of the shit. We also strive to avoid the shit in the first place. We even have ISO 9000 etc to demonstrate as such. Sometimes reality matches our policies and processes ...
How bloody hard is it?
* Put a recurring entry in your financials
* Put a recurring appointment in your email client
* Use a monitoring system - the open monitoring plugins can do a check for pending expiry
* Check with your browser every now and again
* Don't ignore the tons of imminent expiry emails sent by vendors
Yes I do know why nearly all of those examples apart from a proper monitoring system will fail. Personal email address rather than a group one along with mail blindness will bugger several.
Laziness will account for most other failure modes.
You couldn't make this stuff up.
"You couldn't make this stuff up."
No you can't make it up. As it turns out, the software on your computer is bloody complicated and funnily enough it isn't perfect. I don't have MS' stats but I do know that the Linux kernel is roughly 70,000 files with rather a lot of LoC.
As it turns out, bugs happen.
Re: Still someone else's computer
"It's a fair bet that setting up a file sharing system with one of THOSE, even one that involves user names and passwords, wouldn't be all THAT hard..."
It's pretty easy - Nextcloud.
I run four of them. One of which has about 800 users. My wife's phone would have exploded long ago if I wasn't shipping photos and vids off it via Foldersync to my home instance.
I haven't had a Y Cam for a while now but: https://wiki.zoneminder.com/Y-Cam (I wrote a fair bit of it).
Because you can't be arsed
As it turns out: not everyone runs Windows. There are a few Unix styled boxes around, some are fruity but the rest are useful.
Bit of a pain
This little number is rather more nasty than every bug (with a funky name) that has been touted for years. This is *root* with no password. This is: I can ssh or RDP into your box with no password.
I don't have to mess about with anything fancy - your system has absolutely no protection against me: your root account has *****no fucking password *****.
I suggest you set one yourself. Apple seems to have let you down.
"The problem with "common sense" is that it's so often wrong"
Absolutely: you don't allow for error - navigation or mechanical.
"Do not use ".0" release. And if you do, you should know what you are doing. "
He's a Gentooer (like myself but far more knowledgeable). You don't run Gentoo and shy away from .0 software. To be honest you normally embrace pre-release, let alone released. That's how bugs get found.
You have to repair your systems from time to time in new and amusing ways but Gentoo is great fun. In winter it will even keep you warm when you do an update so you can turn down the heating.
Re: Does not work very well
$ dig @220.127.116.11 google.com A
;; ANSWER SECTION:
google.com. 11 IN A 18.104.22.168
;; Query time: 6 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Mon Nov 20 13:11:23 GMT 2017
6 milliseconds isn't too bad in my book. Bear in mind my PC has to traverse at least three switches, my office router/firewall cluster, my ISP and perhaps a fair bit of internet.
I'm a Barclays customer FWIW and I login to this: https://barclays.lifestylegroup.co.uk/auth
That gets an A+ at SSL Labs and supports HSTS and PFS.
Done before - to death
Years ago there was a toy that put your filesystem into Doom. You could run around it and shooting files ran rm.
Sailing not surfing
If you mess with <canvas> too much you will break the internet *sigh* as far as many users are concerned.
I can't see a decent way out of this tracking nonsense without a complete rewrite of how a browser uses a webserver. At the moment there is no direct analogy for websites and with the way eyeballs work. Eyeballs passively receive photons of light -> *stuff* -> image in head. Browsers don't do that, they connect, spew loads of details about themselves with each connect and run (nearly all) whatever code is sent back.
Metadata -> Data
So, assuming that agency X requests details, only having metadata and approach A: Alice's IP connected to port 25 at Bob's IP and sent a stream of TLS encrypted stuff.
OK so port 25 should imply email (SMTP) and X gives a precise date and time and A keeps logs and mail archives and keeps precise time.
There are at least six assumptions in the above short paragraph, each of which needs to be proven to ensure that the data provided really matches the request. I can make the example really complicated without even sweating. I wonder why key escrow or (state sanctioned) direct cracking etc are considered more desirable as routine policy by .gov?
Re: That's a plan...
Such a blacklist already exists. It's called: "Sure, here's my hourly rate."
That does work well until your SO casually recommends you to one of their mates/colleagues ...
Wondering what Expect-CT is? This bloke knows what he is on about:
Can you stop with the "super cali" stuff now? You'll never better the original Sun, and it's beginning to appear desperate.
True: you won't beat the Sun on this classic, given that one of their hacks created the original. However el Reg have managed some pretty decent riffs on it over the years. I don't see it as desperate but more as a nod or hat tip to a bloody good headline from long ago. Nowadays we kool kids - (I'm 47) call this sort of thing a "meme".
el Reg does "Super Cali" in the same way that Private Eye does "bloke with younger bird piccy". (My quotes).
Discover potholes in the information super-highway with this handy new tool (which itself just hit a roadblock)
Re: Time to update that certificate, but otherwise
Calendar? What, a recurring appointment style of thing? Madness.
For extra points make sure it is created by someone with their personal account rather than a shared one, who moves on a few weeks later ...