* Posts by Trevor_Pott

6991 publicly visible posts • joined 31 May 2010

A lightbulb that does IPv6: You know you want it

Trevor_Pott Gold badge
Pint

@Len

Funny, I can't find a firmware upgrade for a single one of the routers I have (or have deployed) in the last 10 years. 95% of those units are still in service. Or, wait...are you advocating that myself and all of my clients rush out to replace perfectly functional equipment? Why? Why would you advocate that? Do you believe that IPv6 is somehow a Good Thing? Why?

What are the negatives of IPv6:

Network renumbering each time you switch ISPs. A real problem for consumers who actually care about their networks and change providers periodically to avoid getting raped by the local monopolies. It's also a massive pain for SMBs who change ISPs for the same reasons, but also tend to move more often. Their networks are larger than consumers' and have even more reason to want to static address items on the network. Shockingly, you'll find that there are individuals out there who want control over their network that doesn't rely on DNS or other "dynamic" technologies which don't work quite as well as advertised.

No multihoming or failover. Oh, you can multi-home or failover if you happen to have a router that speaks BGP and an ISP willing to provide the service. Most consumers and SMBs don't have such options. Failover would mean renumbering the entire network. Multihoming is pretty much right out.

No host obfuscation; no privacy. NAT isn't security and certainly if you try hard enough you can profile networks through NAT. Still, even half-assed NATs of today (such as OpenWRT on a Netgear WNDR7200V2) can be easily configured to obfuscate the individual computers requesting resources enough that you would have to be a top 1% security researcher to profile the damned things. IPv6 tags each device with its own external IP; every single thing that device does is traceable directly to it. IPv6 means privacy is finally and completely dead.

One simple mistake lets the internet attack your toaster. Stateful firewalls as are required to protect people using IPv6 from having the outside world directly address their device are complicated. Far more so than the simple NAT+Firewall devices of yore. They require more knowledge to operate and maintain if you are an individual of the belief that the internet should not be allowed to attack your toaster for fun. Firewalls on network edge devices are not remotely simple enough or powerful enough to properly replace NAT yet.

What are the benefits of IPv6

It makes the lives of programmers easier. Yes; programmers, those great big whiny babies of the world will finally be able to leave behind the programming techniques we've spent the past 15 years perfecting. They can assume that devices can speak to one another with nothing in between them (which isn't true, because a proper consumer firewall won't allow the internet to talk to your toaster, even in IPv6, but hey, let's keep beating the end-to-end drum, eh?) The end-to-end model makes life a small (probably single digit, given the libraries that exist for NAT traversal by now) bit easier. This minor convenience for the elite few, the developers, the worthy is worth making the lives of IT operations more difficult and telling the entire world they must buy new devices, even though no new devices exist which are actually ready to do the task in a simple, cheap and simultaneously secure fashion. Even if the devices did exist, you're asking the whole world to replace perfectly working equipment in order to benefit the whiny few.

We're going to run out of IPv4 addresses. Yep. This is a problem. Artificial scarcity is a bitch, ain't it? Fortunately, we can all break the rules when we are forced to switch and simply implement NAT66 and keep all our shit working. I even get to listen to developers howl. It's awesome.

Break the rules

Well let me be the first to say: fuck those whiny bitches. If their applications from the whiny bitch department don't work, I'll get one from another developer that does. My network, my rules. I give zero fucks about making the lives of developers easier. You don't get to talk to my toaster, or my lightbulb, my furnace or my server unless I bloody say so. And no, I won't pay Cisco rates for the privilege of making the lives of some whiny bitch developers easier.

Either the upgrade provides me as a consumer and systems administrator with a return on investment or you can go straight to hell. In 15 years, when my routers die, I'll send them down there to join you. When I do replace them, they'll use NAT66 (available on things like pfsense) so that I can get the features that are of use to me. Until then, cheers mate.
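The "every device gets its own traceable address" point above comes down to how a SLAAC host builds its interface identifier. The following is an added example (editor's illustration, not code from the post or from any product it mentions) showing the modified EUI-64 derivation from RFC 4291, which embeds the MAC address in the low 64 bits of the IPv6 address, the reverse mapping an observer can apply, and a randomised identifier of the kind RFC 4941 temporary addresses use instead. The MAC and prefix are made-up sample values.

```python
import ipaddress
import os


def eui64_iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC, insert ff:fe
    in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # U/L bit set means "derived from a globally unique (burned-in) MAC"
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: str):
    """What a remote observer can do with an EUI-64 address: recover the MAC.
    Returns None when the identifier does not carry the EUI-64 signature."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not (iid[0] & 0x02):
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L flip
    return ":".join(f"{b:02x}" for b in octets)


def temporary_iid() -> bytes:
    """Randomised identifier in the spirit of RFC 4941 temporary addresses:
    64 random bits with the U/L bit cleared, so nothing ties it to hardware."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


if __name__ == "__main__":
    # Sample values only: a made-up MAC and the documentation prefix 2001:db8::/64.
    mac = "00:1a:2b:3c:4d:5e"
    fixed = slaac_address("2001:db8::/64", eui64_iid_from_mac(mac))
    temp = slaac_address("2001:db8::/64", temporary_iid())
    print(fixed, "->", mac_from_address(str(fixed)))
    print(temp, "->", mac_from_address(str(temp)))
```

The first address printed maps straight back to the MAC from anywhere on the internet; the second does not, and a host that rotates such identifiers gives a remote observer nothing persistent below the /64.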

Trevor_Pott Gold badge

Because the thing that we need is a lightbulb with an internet addressable IP address in a world where consumer/SMB router and firewall solutions either don't address IPv6 at all, are so clunky and inconvenient that you need to be a trained IT professional to use them, or are so expensive that nobody in the consumer/SMB space can afford them.

Let's do our furnaces and gas-powered fireplaces next. What could possibly go wrong?

IT Pro confession: How I helped in the BIGGEST DDoS OF ALL TIME

Trevor_Pott Gold badge
Pint

Re: I shall have to demoralize you...

Far more tragic would be the digital death of our beloved Playmonaut; a tragedy of intertubes proportions which would cause Register readers to rise up in droves against the evil aggressor.

R.I.P. Playmonaut.

Trevor_Pott Gold badge

Re: Caching?

Network ingress filtering requires you be "part" of the wider internet, rather than merely the equivalent of a consumer with a fat pipe. We don't have access to BGP. We have no way of seeing, processing or acting upon the internet's wider routing table. Without this, the sort of ingress filtering discussed in those documents simply isn't possible.

So what's left? Whitelisting systems manually that you want to connect to your DNS in iptables? How's that work when some of those units are mobile? Users with dynamic residential IPs, connecting from hotels or even over mobile links? What we really need is a DNS server and client infrastructure that allows for authentication of clients before they can look things up. DNS + TLS if you will. It might be time to start building something internally similar to opendns' infrastructure. I'll give it a thought.

Trevor_Pott Gold badge

Re: Caching?

Nope, you are 100% correct. If you are attacking properly that is exactly how you do it. (Actually, if it is the DNS for www.google.com you want to take down you attack with 1.www.google.com and 2.www.google.com etc.) That said, I was a little out in the weeds on describing the attack as is, and the sysadmin blogs are supposed to be 600 words. Had to leave out some details somewhere. :)
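The two "Caching?" replies above describe the pattern (a flood of distinct names such as 1.www.example.com, 2.www.example.com under one zone, which the resolver cannot answer from cache) and the lack of a BGP-level way to filter it. Short of that, a resolver operator can at least spot it in the query log. The following is an added example (editor's code, not anything from the post or from BIND itself) that parses query-log lines in the BIND 9 style, groups queries by client and target zone, and flags clients asking for an unusual number of distinct names under one zone. The log lines are constructed for the example, the zone grouping is a deliberate simplification (last two labels; real code would consult the public suffix list) and the threshold is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND 9 query-log style; not real traffic.
# 192.0.2.10 walks numbered subdomains, 198.51.100.7 looks like an ordinary client.
SAMPLE_LOG = """\
13-Mar-2013 10:22:01.103 client 192.0.2.10#53211: query: 1.www.example.com IN A +E (192.0.2.1)
13-Mar-2013 10:22:01.104 client 192.0.2.10#53212: query: 2.www.example.com IN A +E (192.0.2.1)
13-Mar-2013 10:22:01.105 client 192.0.2.10#53213: query: 3.www.example.com IN A +E (192.0.2.1)
13-Mar-2013 10:22:01.106 client 192.0.2.10#53214: query: 4.www.example.com IN A +E (192.0.2.1)
13-Mar-2013 10:22:01.107 client 192.0.2.10#53215: query: 5.www.example.com IN A +E (192.0.2.1)
13-Mar-2013 10:22:01.200 client 198.51.100.7#40001: query: www.example.com IN A + (192.0.2.1)
13-Mar-2013 10:22:01.201 client 198.51.100.7#40002: query: www.example.com IN AAAA + (192.0.2.1)
13-Mar-2013 10:22:01.202 client 198.51.100.7#40003: query: mail.example.com IN MX + (192.0.2.1)
13-Mar-2013 10:22:01.300 client 203.0.113.5#1024: query: a8f3.www.example.net IN A +E (192.0.2.1)
"""

# Tolerates the older "client IP#port: query:" form and the newer form that
# repeats the name in parentheses after the port.
LINE_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client, qname, qtype) for every line that looks like a query-log entry."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def zone_of(qname, depth=2):
    """Simplification: treat the last `depth` labels as the zone under attack."""
    return ".".join(qname.split(".")[-depth:])


def random_subdomain_offenders(text, threshold=5):
    """Return {(client, zone): distinct_names} for clients that asked for at
    least `threshold` different names under a single zone. Cache hits cannot
    absorb these, so each one costs a recursion towards the target's servers."""
    seen = defaultdict(set)
    for client, qname, _qtype in parse_query_log(text):
        seen[(client, zone_of(qname))].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (client, zone), count in random_subdomain_offenders(SAMPLE_LOG).items():
        print(f"{client} asked for {count} distinct names under {zone}")
```

The flagged client list is what you would feed into an iptables rule or a BIND ACL; on a resolver that serves roaming users with changing addresses, the comment's point stands that a static whitelist is not the right tool, and this kind of behavioural flagging is one of the few things left.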

Trevor_Pott Gold badge

Re: "edge scrubber"?

Yes. A honeypot is indeed where you profile and catch attackers. Why are you hitting the honeypot machine if you aren't clicking on stupid things or are an attacker? The honeypot allows me to catch not only attackers but stupid users. I would say that "redirecting a user to a honeypot machine that displays an error or educational message when they try visiting a site on the list, then logs the thing so I can find and LART someone" counts as a honeypot.

As for edge scrubber, the system also does IDS and DPS. It scrubs my datastream. It lives on the edge of my network. What the hell would you call it?

If it's a ship and it goes through the gate, you call it a gateship. You only call it a puddle jumper if you need something that sounds good on TV. It's an edge device, it scrubs my datastream. Should I call it a boysenberry?

Trevor_Pott Gold badge

The particular implementation of BIND + chroot utterly refused to look in the chroot directory for /etc/namedb, no matter how much tinkering I tried. I gave up eventually and left it. As for the shared virtual hosting and fail2ban comment, that is there because most of the "bugs in BIND" we might care about are exploits that work if you have managed to gain a remote console.

SSH on an alternate port + fail2ban + not actually giving the information to anyone and having a very small user footprint means your chances of getting into the system to exploit BIND in that fashion are hella slim. There is always the remote possibility that you could use some sort of remote attack against BIND like that, but the chances are even smaller. In terms of the risk posed, I think I can get away with not chrooting the thing for the 2-3 months between initial roll out of the service and the replacement of the unit with a CentOS6 box.

At least on CentOS6 the bloody chroot works right and the malwaredomains zone works without post-processing the text file. I should also point out that the DNSSEC implementation set up in CentOS6 is actually pretty good.
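The "SSH on an alternate port + fail2ban" layer in the comment above rests on one mechanism: count authentication failures per source address inside a time window and ban the address once a threshold is crossed. The following is an added example (editor's code, not fail2ban's own implementation and not from the post) of that logic over constructed sshd auth-log lines, with fail2ban's familiar `maxretry` and `findtime` knobs as parameters so the effect of the window is visible. Hostnames, addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog style); not real traffic.
# 203.0.113.9 fails five times in eight seconds; 192.0.2.77 fails four times,
# then once more 25 minutes later; 198.51.100.20 is a legitimate user.
SAMPLE_AUTH_LOG = """\
Mar 13 10:22:01 edge sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar 13 10:22:03 edge sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Mar 13 10:22:05 edge sshd[2205]: Failed password for root from 203.0.113.9 port 51238 ssh2
Mar 13 10:22:07 edge sshd[2207]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar 13 10:22:09 edge sshd[2209]: Failed password for invalid user oracle from 203.0.113.9 port 51242 ssh2
Mar 13 10:30:00 edge sshd[2301]: Failed password for trevor from 198.51.100.20 port 40000 ssh2
Mar 13 10:30:05 edge sshd[2302]: Accepted publickey for trevor from 198.51.100.20 port 40001 ssh2
Mar 13 11:45:00 edge sshd[2400]: Failed password for invalid user test from 192.0.2.77 port 33000 ssh2
Mar 13 11:45:01 edge sshd[2401]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Mar 13 11:45:02 edge sshd[2402]: Failed password for invalid user test from 192.0.2.77 port 33002 ssh2
Mar 13 11:45:03 edge sshd[2403]: Failed password for invalid user test from 192.0.2.77 port 33003 ssh2
Mar 13 12:10:00 edge sshd[2404]: Failed password for invalid user test from 192.0.2.77 port 33004 ssh2
"""

# Matches OpenSSH's "Failed password" line for both known and invalid users.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def ban_candidates(log_text, maxretry=5, findtime=600, year=2013):
    """Sliding-window failure counter. Returns {ip: time_of_ban} for every
    source that produced `maxretry` failures within `findtime` seconds.
    Syslog timestamps carry no year, so one is supplied for parsing."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ip = m["ip"]
        if ip in bans:
            continue  # already decided; a real jail would have dropped the traffic
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # expire failures older than findtime
        if len(hits) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.9 is banned; 192.0.2.77 stays under the threshold because its fifth failure falls outside the ten-minute window. Widen `findtime` to an hour and it is caught too, which is the trade-off the two knobs encode: a slower attacker needs a longer memory, at the cost of more false positives from forgetful legitimate users.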

Trevor_Pott Gold badge
Pint

Re: @GregC

So long as you have a good weekend, sir, then all is good. Cheers and beers!

Trevor_Pott Gold badge
Pint

@GregC

If my blitherings are interesting then I fear a walkabout outside where the daystar is might be advisable. It seems you need some of those photons that the great big ball of fusion in the sky spits out to help you create some vitamin D and jumpstart the "removing crazy" subsystems. That or oh look it's beer o'clock on a long weekend, bye!

Trevor_Pott Gold badge

Re: Kessel Run?

13 hours and change. In my defence, I was asleep for most of it...

Trevor_Pott Gold badge

Re: Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott

I calls things like I sees 'em. Good or bad. I don't hate any technology - except the things that let you robo call people in the middle of the night - but I do hate it when technology is badly implemented. A great example is saying "Trevor hates Windows." I don't. Not even a little.

Oh, I hate lots of things about how Windows 8 and Server 2012 have been handled, but this doesn't mean I hate all of those operating systems. Nor does it mean I think they can never be made to not suck in future releases. In fact I have literally begged Microsoft to make the relevant changes...because I think Windows is a useful tool.

I hate Microsoft's licensing department. I love Microsoft's storage team. I hate some of the very strict rules that Spiceworks has surrounding community interaction, but I love the opportunity it presents me to interact with other sysadmins and vendors.

You really, really, have to do an awful lot to get on my personal hate list. Even Oracle isn't on my "no buy, ever" list. And they take hostages! Sony, on the other hand, will not see a single dollar from me ever after that rootkit fiasco. That is how you make Trevor hate you. That right there.

Technology is a tool. Corporations are groups of people each with individual hopes, dreams, goals and ideals. If technology sucks then I'll pan it. If it's great, I'll praise it. If it's boring, I probably won't even write about it. I'm harsh. I'm honest. I'm as up front as I know how to be. That's my job after all...

...biting the hand that feeds IT.

Trevor_Pott Gold badge

Re: Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott

Surely I'm not that negative! I like stuff that actually works just fine. I get tetchy when it doesn't do what it is supposed to. Or costs more than having a human do the same job. Or I haven't had coffee...

Trevor_Pott Gold badge

Re: never "forget" any edge system!

RHEL 5 is still under active support. There's nothing wrong with using it in live production. The system is updated religiously. The hardware refresh would have taken it to 6, but that got knocked back by about 6 months into April.

So while I may have forgotten which OS the little blighter was running (my mental filing system had ticked it over to "CentOS 6" already) it was still running a maintained, patched, and secure OS.

Trevor_Pott Gold badge

Re: Wait...

There are redundancies. It's actually a cluster of 2 devices. I didn't really want to get that deep into it though. I wanted to talk about the DNS not setting up a cluster in CentOS.

Trevor_Pott Gold badge

Re: You are right.. and wrong

Yeah. Actually, the "old one" is actually 2 Atoms. (The primary and the cold spare.) So I would have 2 spares on the shelf to back up the shiny. That said, it would cost far more if I were to try doing the exact same thing but with CISCO on the box...

Trevor_Pott Gold badge

Re: You are right.. and wrong

Network edge is getting upgraded. Have you seen these? I think I'm in love.

Security damn well IS a dirty word, actually

Trevor_Pott Gold badge

Re: Forget the Higher Levels

MATT DAMON

Trevor_Pott Gold badge

Re: Forget the Higher Levels

Correct horse battery staple!

Trevor_Pott Gold badge

Paragraph is from an older version; missed that when I added. Should read "Consider the shocking lack of support for DNSSEC, or the fact that amongst the mainstream browsers TLS 1.1 is only enabled by default in Safari and Chrome while TLS 1.2 is only enabled by default on iOS devices!" I am trying to get it changed...

New-age tech marketing secrets REVEALED

Trevor_Pott Gold badge

Re: Where do draw the line?

Whether or not content marketing calls for truth in advertising is a hotly contested topic. Consider debates regarding the nomenclature of "cloud" and you have some appreciation for how this is perceived in the marketing community. My investigations say most feel content marketing must contain truth in advertising otherwise it is not content marketing. It is traditional marketing trying to look like content marketing.

"Keep the topic trending", however, is very much content marketing. What would separate this from traditional marketing (which tries to do the same thing) is that content marketing tries to keep it trending by providing useful information that the readers actually want to read. Traditional marketing doesn't care what tripe is written just so long as it makes the client in question look good.

The difference in these circumstances is almost one of attitude. Content marketing is about providing something in exchange for your time reading/watching/etc that you find to be of value. Traditional marketing is about "raising the profile" while "controlling the message." Traditional marketing treats people like robots to be programmed; content marketing treats people like individuals capable of making a rational assessment for products at hand.

Which is superior in the long run is the subject of great debate, however, I think that in IT circles at least, content marketing will be king.

Trevor_Pott Gold badge

Re: Where's "flood communities with paid commenters until everything else is drowned out?"

That would be traditional marketing. "Control the message."

Nokia deflates Google's video codec thought bubble

Trevor_Pott Gold badge

Screw you, Nokia. Google isn't perfect, but increased options is demonstrably better for consumers. This reeks of Microsoft sticking it to a competitor by proxy. It's sad, and it does nothing but lower my level of trust in both Nokia and - assuming they can be proven to be involved, which shouldn't take long - Microsoft.

Patents as a weapon to prevent competition on behalf of more moneyed masters. With the rest of your business model collapsing, Nokia, it looks like you have truly arrived at "patent troll" at last. How much was your pride worth, Nokia? That's the thing I really want to know.

Movie, TV ads annoying? You ain't seen nothin' yet

Trevor_Pott Gold badge
Unhappy

I don't want to live on this planet anymore.

Foundering OCZ snatches megabuck lifeline in white-knuckled grip

Trevor_Pott Gold badge

@NL13L5 Simple: Intel's storage guys have never done a damned thing for me, ever. In fact, outside of the network team - who got me some sample cards so I could write some reviews and test some things - Intel has generally been an impenetrable fortress of traumatizing marketing fluff that I have more or less avoided*.

I've been an AMD man for ages. Only recently have I had to start building servers without Opterons inside. When I bought - and wrote about! - SSDs for my own testlab, I bought Kingston Hyper-X based on a combination of price and the Kingston brand name. I think over the years of writing for The Register I've proven that I take the time - and put a fuckload of my own money - into testing products from a variety of manufacturers.

I'm a nasty, cynical, hard-to-please type that rarely has a nice thing to say about anyone. (Ask Microsoft.) I generally don't like whinging in public - unless I am really tweaked - and so I try hard to write articles about things I actually like. (Why tell the world "this sucks" when you could tell the world "this doesn't suck, use this!")

If you honestly think that I'm a shill for Intel you're a fool. I have a price - every man does - but that price is far higher than anyone has ever been willing to offer. Right now, I am on track to build a company with me at the head where I write about technology for a living, tell people how to run their companies and get paid for it, manage to pay off my debts in a reasonable period of time and even retire to write my book while I'm still young enough to remember it.

So tell me, dear N13L5, what possible reason could I have to be a shill for anyone? Do you think an SSD or a server, a phone or a software licence will buy me off? I get paid to troll people on the internets. That's the best job ever; the price to "buy" me out of that comfort zone is pretty damned high. Ambition is expensive and so am I.

*I once won a PC in a contest sponsored by Intel. However I can guarantee you that this didn't make me any more disposed to like them. The Badaxe motherboard in that PC was made of raw, elemental failure.

Trevor_Pott Gold badge

OCZ absolutely must do two things to survive:

1) Make products that don't suck

2) Convince the entire IT industry, all of whom have been badly burned by previous OCZ products that their extant line doesn't suck.

That means making a product line with a very low failure rate and seeding those drives amongst relevant businesses, tech journos, "thought influencers" (read: respected bloggers within their IT niches) and so forth. It means being able to explain what is different about this round than the last and it means publicly admitting they fucked up. Without the admission, we can't believe they've changed. Without solid, third-party verification that their stuff isn't absolute crap anymore, we won't even consider buying their stuff.

Sadly, based on my experience, the above is so completely against their corporate culture that these guys are just flat out doomed. Honesty and transparency are not their shtick. They would never back third-party analysis of their equipment when marketing and outright falsehoods could still be tried.

I have now officially had over 80% of all OCZ SSDs (400 some odd at last count) seen in the field die on me. Samsung sits at about 4% (of 2000ish) and Sandisk hasn't had a loss in the admittedly low sample of 3 disks. My 8 Kingston Hyper-X SSDs continue to soak up every bit of punishment I can throw at them with no failures, but it's early days yet.

But I have replaced one Intel drive out of over 8000 in the field. Intel 510s and 520s. 1 in over 8000. SSDs? Intel or bust, gentlemen. Intel or bust.

These mobile devices just aren't going away. What'll we do, Trevor?

Trevor_Pott Gold badge
Pint

Re: So, what is MDM?

Wake up on the wrong side of the locker today, did you? Here, have a beer.

Trevor_Pott Gold badge

Re: Consolidation

Yeah, noticed Zenprise, but they didn't pique my interest. I have a list of over 100 MDM companies. I had to cut it down to something readable. :/

Trevor_Pott Gold badge

Meraki

I swear, it's a cult.

Trevor_Pott Gold badge

Re: So, what is MDM?

...really? This has to be explained? I mean, I realise that some of the newer terms and stuff have to be described while they are still relative unknowns...but...MDM? Do I also need a link for virtualisation? Or RAID? Genuinely curious here...I was under the impression MDM has been "a thing" for long enough that we all knew what it was...

BYOD: Bring Your Own Device - or Bring Your Own Disaster?

Trevor_Pott Gold badge

Re: Great session...

I believe comments were moderated.

Trevor_Pott Gold badge
Pint

@Dale Re: Whoa - massive unsubstantiated assumption here

The issue there isn't technology nor the technology choice. It is people. If you have people who work best when they are told what to do, how to do it, what to think and how to think it, then a company-mandated top-down approach to everything works best. Sadly, for shareholders everywhere, we're not all drones.

We cannot paint "BYOD" with a great big brush and make assumptions that apply to all (or most) companies. Each and every company is going to be different based on the people, politics, extant infrastructure, finances available and yet more that is involved. What works for enterprises won't work for SMBs. For that matter, what works in the UK won't work in the US; the cultures are completely different!

Hell, I could give you some damned good educated guesses on why the cultural deltas between Edmonton and Toronto would affect the uptake and success of BYOD deployments to various sized businesses (and in which sectors.) You could provide some hard figures from your research. We both have dozens of anecdotes from sysadmins, end users and CIOs we've talked to. Me, mostly in North America. You, mostly in the UK.

What Tim and Phil really need to do is lock you and I in a room with a video camera, a case each of our favourite beer and let us go at it on this topic. We've had some epic debates on this, you and I, and the results from those conversations end up the same each time: it's the people, stupid.

"Are productivity benefits really a given with BYOD?" No.

By the same token: "Are productivity benefits really a given with any technology, ever, regardless of provenance?" No.

There is also a whole conversation to be had about "applies to some people" versus "applies to the majority." Just because BYOD doesn't make sense for some (or most) doesn't mean it doesn't make sense for others. This stupid internet thing and these stupid "actually capable consumer devices" are raising the expectations of the hoi polloi. "One single policy on endpoint technology applied indiscriminately to everyone from the stock picker to the IT staff to the field sales staff" just doesn't work in 2013. Not everywhere, anyways.

We need to start a BYOD fight club. :) Cheers and beers, good sir! Next round's on me!

Review: Supermicro FatTwin

Trevor_Pott Gold badge

Wish I could compare. The Fat Twin emphatically does not kick out a lot of heat. It is the most power-efficient gear I have ever used. I could see 4 racks of them being a problem whereas 4 racks of 5U servers is not, but then I would be running 320 2P servers instead of 32 2P servers in the same space. Mind you, living in Canada, that is probably only an issue 2 months out of the year...

Trevor_Pott Gold badge

Re: Not worth the power they use?

Fairly simple; I may possess the hardware for these other servers outright, however, they are expensive to power. FLOPS/watt on them versus the Fat Twin units means that were I to go out and buy a Fat Twin to replace the three racks of older gear that I have I would pay for the faster and more capable Fat Twin in less than 6 months simply out of the power savings.

To me, that means the older systems aren't worth the power they use.

Trevor_Pott Gold badge

Re: Virtualization?

Haven't tried Eucalyptus. VMware ESXi 5.1 works like a hot damn. Openstack too. Server 2012 works as well.

Trevor_Pott Gold badge

Funny you should ask that. The reason this took so long to come together was that Dell was originally supposed to ship me a C6220 to test. We were going to do a head-to-head; showcase each unit in its own article and then really tear into each of them with an array of tests. Dell backed out at the last minute and so I was down to testing the Supermicro against the rest of my lab.

Kind of sucks; Dell's switch was quite a nice piece of gear. Supermicro and Dell went pretty head-to-head on that, hard to say one was a clear winner. I would have been interested to see Dell's C6220 in action, especially when it came to the resilience of the power plane and its thermal responsiveness. So I sadly cannot answer you regarding the C6220. It looks nice on paper; but we all know how misleading that can be.

What I can say is that Supermicro's stuff has come a long way in the past 10 years. More critically, they seem to be putting a lot more time and effort into making their units able to withstand high temperatures (so that you can run your datacenter hotter, thus saving rather a lot of money) and into completely over-engineered power systems. Not only are the power planes resilient, but Supermicro makes their own PSUs; and they are crazy efficient.

If and when I get equipment from other vendors, you know I'll run it through the wringer. From server stacks like the Fat Twin to the humble USB stick; I've got a test lab, let's break this stuff!

Bromium launches security-through-virtualisation tech in the UK

Trevor_Pott Gold badge

Ooooo

I need to play with this some; sounds interesting.

Perish the fault! Can your storage array take a bullet AND LIVE?

Trevor_Pott Gold badge

I think different tiers of data can sustain different RPO. With something like Storage Profiles in VMware that can be made easy. I do not, for example, care overmuch if my webservers get reverted to yesterday; they grab their info from a centralized storage location which is disaggregated from the individual VMDK of the PaaS VM itself.

You just gave me a great idea for an article. Much appreciated.

Trevor_Pott Gold badge

Re: Great article

More than just flushes; seriously, click the link on that. (Or rather, it is about flushes, but it really gets into how ZFS does them and what mechanisms it can use if it "owns" the disk. Also how to configure ZFS so that the damned thing works. It's a truly great link.)

Also: I cannot claim complete credit on things like links. I have a great research team to back me up. It helps to have additional eyes to check things over.

Trevor_Pott Gold badge
Pint

Re: Great article

\o/

Trevor_Pott Gold badge

Re: in short..

Use the Queen's proper English, strong and free. Canadian, eh?

Trevor_Pott Gold badge

Re: Literally bulletproof storage

I didn't mention StoreVirtual because I have never had the opportunity to play with it or even see a demo. It's on my list.

Trevor_Pott Gold badge

Re: RAID 5 shouldn't even be named unless living under the bridge

Have a related SATA series all you want, but your SAS drives had damned well better be of superior quality to the SATA drives. If the SATA version of your SAS line is something you are only willing to cover with a 1 year guarantee then I do not have warm fuzzies about the non-marketing-bull MTBF on your SAS line...

Feeling lucky, punk? Storage biz crams virty PCs into RAM

Trevor_Pott Gold badge

+1 to marketing for the witty response. I'll check out the resources mentioned in the hopes they answer my question. I'm hoping we're not simply being asked to substitute one bottleneck for another...

Trevor_Pott Gold badge

RAM bandwidth. It was already a thing with virtualization at the levels we can get with today's servers. With this...? What is the memory controller made out of? Unicorns?

VMware vSphere Enterprise Plus: An El Reg deep dive

Trevor_Pott Gold badge

Re: Profile Driven Storage

Sir, SSO backs on to AD if you should choose. Works like a charm.

Trevor_Pott Gold badge

Re: Fault Tolerance

Stratus bought Marathon

Trevor_Pott Gold badge

Re: too complicated for small to mid size businesses

I deploy VMware Essentials Plus kits to all my SMBs. A separate feature, looking at VMware for the SMB market is currently under construction.

Trevor_Pott Gold badge

You are 100% correct. I sincerely apologize for the screw-up. The hell of it is, I even knew that, and had it flagged for change, but missed it in the final version. 15 lashes with a wet noodle have been applied and the change made.

Cheers.

Mmmm, TOE jam: Trev shoves Intel's NICs in his bonkers test lab

Trevor_Pott Gold badge

Re: Terrible review

And you're wrong. Any network card for which you have good, low-level access can be reconfigured to send non-standard Ethernet frames. It takes a little bit of bit-bashing on the driver creator's part, but you can turn a regular old network card into something that will make FCoE frames.

What you cannot do is send those frames over a standard ethernet network unless you have similarly updated your switch. To be clear: you are not going to be getting firmware from D-link to do this, but you can usually get your higher-end Cisco stuff upgraded to handle the non-standard frames. This means that you can do FCoE point-to-point only unless you invest in the right infrastructure (which should include CNAs, make no mistake) but that you can make a NIC speak FCoE frames if you tinker with it enough. (Nobody does it because what would be the point?)

The fact that you've never rewritten a firmware or driver (or done any real bit-banging) doesn't mean others haven't. Please bear that in mind the next time you wander around accusing people of things.

You'll also note that while I said that a regular network card could be made to speak either protocol, I only discussed iSCSI as being in any sort of practical use without a CNA. And now we've had this little conversation in the comments so there is even more information available. Internet!