Posts by Lee D

Re: Interesting

I think it's more likely that they are reducing virtualisation costs.

Nobody can afford Datacentre, so you're paying for every VM, in effect, which means that converting your stuff to cloudy virtualised things means yet-more-Windows-licences.

Given that they want you to pay for Server, Server CAL's, SQL, SQL CAL's, this is a way to make the obvious "virtualise everything" progress cheaper for businesses. Just SQL and SQL CAL's to buy, in effect.

Windows is basically being given away.

Office isn't far behind (£5.99 a month for personal users, far from the £200-300 each year that it used to cost)

But they can do that because everything's ending up on the cloud for most users, and IT departments are doing that by virtualising what they already have, or buying in SaaS. Both of which benefit from not having to pay for a Windows licences for a virtual machine for every database server you want to run. And, let's face it, if the choice is more Server licenses and SQL on top, you're more likely to swallow the one-off transition costs for something major like a cloud-move and go elsewhere.

Offering SQL on Linux takes the sting out of that while still netting annual renewals.

(P.S. Running five instances of Datacenter in a school - we pay a pittance in comparison to full retail prices for the same. And on each of those we can run the entire school, in a pinch, by moving the VM's around. But we only have a single SQL server VM because of the extra cost).

So, surely it IS working exactly as described.

One of the roles of encrypted streams is to be indistinguishable from random noise. As more people use encryption - as they should - the more those using encryption slip into unrecognisable random noise.

P.S. likely for the last ten years, your email, banking, shopping, logins, software updates, and just about everything else have been encrypted. Quite how much do you think one encrypted stream is going to stand out.

And what you're suggesting is that encryption itself is not breakable, hence not useful to try to break, and so they rely on other metadata. The encryption did its job. You still don't know what was said. If you posted the encrypted message on a forum, you still don't know how the intended recipient was and only the recipient can understand the message. The encryption is doing everything it's designed to do.

The NSA are also presumably doing everything they were designed to do. But that should mean a lot more than "let's try to break encryption".

Encryption works exactly as intended as it's NOT designed to stop people knowing some data travelled from A to B. It's designed to make sure that data can never be accessed by unauthorised people and that the encryption data itself (not the format, carrier, connection, etc.) is indistinguishable from random noise. Job done.

That they did the equivalent of sending an encrypted message to "terrorist_cell_B@hotmail.com" is their own stupidity. The encryption still did its job, exactly as designed.

"We know this terrorist sent a message to this other terrorist at 9:26am".

"Okay. What was in the message?"

"No idea".

"So, absent any other significant correlation, it could have been a recipe for cookies?"

"Er..."

"And how 'rare' are encrypted messages nowadays, Mr Spy?"

"Well, we've been arguing for years that we can't crack people's Tesco's shopping..."

"Oh. Interesting. I move to dismiss, your honour."

Re: How is this progress?

FINGERPRINT SCANNERS ARE NOT FOR AUTHENTICATION.

How many times do you have to tell people this? You're leaving your fingerprint "password" ALL OVER your phone every time you use it.

And now you know that they've entered the space they weren't allowed to, and you invalidate all the passwords in that room...

Physical access is compromise.

I paid for Hotmail.

I paid for Opera (back in the day).

I paid for WinZIP.

I pay for any service I deem good.

When Hotmail went to Outlook, I stopped paying and threw it away. GMail was the answer, combined with my own server to manage email. Email actually comes to my GMail and my personal account at the same time. Downtime in the last 10 years? Zero, except scheduled reboots for kernel upgrades.

Yet, my workplaces (one of which was entirely Google Apps, another on-site Exchange AND Google) get downtime all the time. Literally, today, Google Drive threw a wobbly for a long time.

Cloud providers are third-parties. There's nothing wrong with remote servers. There's nothing wrong with hosting multiple servers in disparate geographic locations. There's nothing wrong with having virtualised servers or containers running on other's hardware.

But RELYING on them to always be up - as in this instance - is a nonsense. Deploy Outlook in-house AND in the cloud. And then at very least you can send / receive internal email and use your backup mail servers to send/receive email if you need to.

But putting your eggs into the hands of Microsoft, Google, Amazon or any other single entity to which you represent 0.00000000001% of their annual income is a stupid idea.

Oh, and for four years you couldn't log into Hotmail with a standards-compliant browser (Opera) when it was in its prime of development and had full support for all relevant standards. And the downtime on Hotmail once hit 20 days in one year. And I've seen Google downtimes in the days-per-year category too.

With those kinds of numbers, you're an idiot to rely on cloud alone without your backup MX / database replica being held in-house too. Because, you know what, my last workplace got 99.99% uptime. And we weren't even trying.

Re: Meanwhile, on BT Infinitesimal

+1 for Draytek. My three-year-old 2860VN+ is still getting firmware updates with major feature upgrades (they just added DNSSEC checking for the ISP DNS servers, for instance).

And if you buy the Vigor AP900 range of wireless points, it can be centrally managed from the Draytek router.

Never had a problem, upgrade it regularly with new stuff, handles all kind of stuff and has features that I've never seen on other routers in its price-class.

Have you ever tried to apply for a visa?

Last time I tried (for Australia, not the US), I had to be accredited, skills-tested (yes, Australia operate IT skills test in foreign territories), prove that my job involved the kinds of things they were looking for, and I had to be working in a profession which fitted their definition of an acceptable job for visa approval - which were all high-skill or high-level-of-management jobs.

In the end I applied for a Working Holiday visa instead, which was much less strict but only lasted a year and the idea was you could use that to later form the basis for a real visa.

I can't imagine that Australia has more tech people in the US such that their criteria have to be so much stricter. I imagine, in comparison, they are crying out for skilled people. But the fact is that the application process itself involves things akin to a CCNA / A+ (but industry certs don't directly qualify you for their test) as a base level of acceptable skill tells you just who they are interested in having and who they are not.

Re: Shonky speed illustrations

Gigabit network here - I could shift 7Gb in under a minute.

Admittedly, it's an internal network with well-specified hardware, but that's do-able.

Also, patch download times and Google load times? I question your network setup. INSTALLATION time is an entirely different matter and nothing to do with the Internet line, but download should be at line-speed from any Microsoft update server. And Google used to tell you the page generation times, but if it's not an instant-return, you need to fix your connection.

Although I agree in principle, a Gigabit line is enough to run a HUGE workplace from quite happily, and everyone to get something they consider blazing fast in terms of Internet. I'm in a school with a 100Mbps leased line (symmetric, but I'm automatically removing symmetric scenarios like uploading), and with proper management it's instant and fast and the only delay is actually our web filter (which downloads, interrogates, then relays, so it adds latency - but speed tests still return near-line-speed once the connection is downloading).

And although it's different on the ISP line, we've been handling Gigabit connections connected to a central location with hundreds of such connections for years. Admittedly it's Ethernet-backend but those kinds of connections are far from unusual and Gigabit-to-the-desktop has been my minimum spec for nearly a decade now. If a £20 switch from Amazon can handle it, I'm sure the expensive telco equipment can do too.

Now they have to push it through to a series of peering points, sure, and those are large, sure, but that's always been the case and it's basically the POINT of an ISP or telco to have that expensive gear and push it down to us. We've gone from 56K to 10Mbps being standard in a matter of two decades, and that's a 182-fold increase. In that time, the ISP backend must have increased at least 182-fold as well, and that's not something that's ever going to stop until we hit technical barriers (given that sub-ocean cables are capable of taking much more with no visible upper limit yet, we shouldn't need to worry about getting from BT headquarters to Telehouse Docklands, for example, for a long time yet).

Cost? Of course it's not going to be cheap. But that's the point - ISPs buy the big expensive pipes, and squeeze all their customers down it, and charge them a percentage. And I guarantee they still have plenty of room for profit, other services, installations, equipment upgrades, etc. by doing just that.

But Gigabit to the home is a reality in many countries, with comparable distances to cover and comparable peering arrangements, and they can even do it cheaper than BT can.

Past gigabit hasn't really been necessary or properly standardised yet, mostly because even most PC's can't do more than gigabit themselves, let alone home networking gear, but it's nowhere near being unachievable.

That it HASN'T been done in the UK is more a sign of profit-over-investment, and an incumbent telco, rather than physical capability.

Re: Fibreglass and cotton ...

Just open the doors and vent it into space. Fire out, smoke gone, problem solved... ;-)

I mean... you hope the crew managed to get somewhere else first, but they're expendable compared to a multi-billion dollar space station.

Re: Why does an ISP need access to your hardware

They already have access to, and can monitor your data.

All the data that's not encrypted anyway. You're not doing anything sensitive over unencrypted channels, are you? That's just idiotic.

And your ISP doesn't need to be in your router to monitor your data. By definition, they are providing that service to you anyway. They are in your router to monitor their equipment, upgrade it against firmware attacks like this for you, and tweak settings (i.e. upgrade your speed, upgrade the DOCSIS version compatibility, etc. etc.).

If you don't trust them on your network, change your router or put something between your ISP's router and your own. That's what modem mode is for, for instance, and I've been doing that for 20+ years.

But if you don't trust your ISP not to snoop, then you should be encrypting (you should be encrypting anyway, to be honest). And if you're encrypting then you don't need to trust your ISP - they can't snoop anything you're not sending them.

If, however, you've connected their router direct to your home network / wifi with no device of your own in-between, then - yes - they theoretically have access to your wireless clients and your network, same as being plugged into a local network cable. Shocking that. If you use a device given to you, and put a password into it and connect using that password and use it for all your Internet, and plug it into your wired network, that device can access your wireless clients and wired network. I'm SHOCKED at that. Honestly? If that's the kind of attack you're worried about, you deploy a firewall of your own inside your network. A £30 box from PC World, problem solved, and it can follow you to any ISP, any network, any country.

Hell, even in work, our leased lines, VDSL and ADSL come in to ISP-supplied routers, load-balancers switches, fibre converters, and then - guess what? They all go into an isolated, untrusted VLAN which only includes our gateway / firewall / router / IPS / IDS device. Guess how much snooping they can do over and above what we're sending them? Nothing. Guess how much they can get into our network? No more than anyone else with an Internet connection.

Re: So what are Oracle's plans for Dyn?

Same.

It's pay-for for anything interesting but if you had an account from back in the day and paid anything, you get a lot more benefits than you would now.

But, to be honest, I'm now just looking for something else because Oracle will ruin it like everything else they touch.

Worst case, I do some wasted research.

Best case, I've already gone elsewhere by the time it goes downhill.

Re: Outsourcing is meant to undermine, jobs, ideas, labour laws, something.

Absolutely.

My job is often no more than to get people running, get them stable, get it all documented, and then hand off to someone who - invariably - has less knowledge and just wants to run a working network that will tick along with minimal management from then on.

Until the next disaster.

And there's the problem - if you can do this kind of work, your unique skills are actually in demand once in a blue moon, and the rest is just day-to-day dross. If you're happy - or even struggling - with the day-to-day dross, you're unlikely to be able to go in and do the fix... especially with any kind of authority.

So the skilled(*) keep on moving around and the day-to-dayers are the normal hires who are out of their depth when things go wrong or actually need proper planning.

I also hold the thought that "Your boss should be able to do your job". Temporarily. To a certain extent but maybe not a complete replacement. But in your absence, there's no point having NOBODY around able to do things, make a decision or even hire the right person to replace you. I hold myself to the same (i.e. I need to be able to do the job of the guys underneath me at a moment's notice) and I can't see why it shouldn't propagate upwards. The people who hire me have to be able to know a) I'm not lying to them or making stuff up, b) I'm not wasting money on toys, c) I'm not doing things that are unnecessary, d) that they can ask for X to be done and the considerations they would make are automatically taken by those they've asked, too and - most importantly - e) how to know how to hire the correct person who can do all this and take it off them.

Unfortunately the Peter principle applies to IT too, but at least IT is so fast-moving and requires constant learning that such unsuitable people quickly falter or play little role in the overall system.

(*) I do not consider myself vastly skilled, by any means. I'm a programmer, a nerd, a tinkerer, a geek, but I manage networks for a living. I have no industry qualifications or training, my degree is technically in mathematics before it is computer science. I'm self-taught for the most part. I'm just good at certain things and know how things SHOULD be in order to work properly, whether that's jumping on the new technology or staying off it.

But I go to places and I am so disappointed at the quality of IT staff that it's shocking. Even in the biggest, most prestigious private schools, I've looked in disgust at how they operate day-to-day on the backend. It's nothing to do with snobbery, one-up-man-ship, or being a Linux geek (I am one, but Windows rules the commercial world, sorry). I've worked on zero budget as just me (literally "We paid you, you do what you can but we can't spend a penny more") to large budgets for departments. But I have stood in numerous IT departments and just thought - or actually said - "You honestly think this is good enough? That this is doing your job as [tech / manager / director / whatever]?". I've worked with "strategic IT consultants" who didn't know what a virtual machine is... but was selling their services on how to tell IT departments what they should be doing - including server deployment - at vastly inflated rates.

Though I don't consider myself anything particularly special, it appears that I'm a rarer beast than I give credit to myself for, which probably explains why people always said I was undercharging.

Agreed - you can go too far. But no restorable backup or independent architecture causing weeks of outage for a major university? You've not gone far enough, or you've gone too far in the wrong direction.

You "shaved probably a quarter of a million off their backup costs." by reducing the number of backups, ultimately. So long as the number of backups is still sufficient to withstand any reasonably-expected disaster, that's fine, and sensible, and practical.

But at the end of the day, backups and redundant servers, and redundant disks, and redundant storage, and redundant datacentres mean exactly what you would expect - paying for something that's probably never going to be called upon, to sit there and do nothing for most of its life, just in case you need it. And if the skill and time and effort and money invested in doing that is good, you'll quite possible literally NEVER need it.

However, that's not a reason to cull backups, or skimp on backup infrastructure, or get sloppy, or do things stupidly. Because that's the circumstance that logically leads to PRECISELY needing such things, and then they won't be in place.

It's like savings. The guy who carefully puts away a little here, a little there, constantly and doesn't touch it, probably doesn't need to worry even if he never gets to touch that money in his lifetime. But the guy who never puts away anything is only benefiting from his extra spending money until the first unexpected problem.

I've just moved my workplace to their own email server. Bear in mind that we send no spam whatsoever, nothing that can even be construed as spam - it's a school.

We have previously exhausted:

1&1 Internet - We host our domains with them, but they are terrible for email, always in the blacklists, they never do anything to resolve it, not enough backup servers or whatever, so your mail ends up being refused by the other end half the time. They operate a "smarthost" that's just useless half the time.

Virgin Media - Despite having a leased line, the number of emails you can send is limited and setting up things like reverse IP so you can run a mailserver is just unnecessary manual and complicated. I gave up. We tried to go out from our Exchange server via this direct and it's no good as most stuff just gets refused or limited.

Our VDSL ISP (unnamed because they are helpful) - no good because that's only a backup line for us and shouldn't be our primary outgoing. Also their SMTP smarthost occasionally ends up on a blocklist. and is only contactable over their connection (not our leased line).

In the end, I purchased a dedicated server with a datacentre host and we just relay all our email through it - incoming and outgoing. It lets me greylist, filter, anti-spam before it ends up on our local network, but then just passes email through to our Exchange server. Outgoing server is "always up", we control our own reverse DNS, SPF, DKIM, etc., it's only our own fault if it's ever blacklisted (hint: It's not), can store-and-forward on our policy rather than some random host's, and keeps the performance hit of the hundreds of thousands of spam, etc. connections off the local network. We're also pretty sure that we're talking to the endpoint mail server direct and have TLS where it's possible, rather than relying on some third-party to deliver our mail.

And the backup if that goes wrong is to fall back to some of the above.

But sending email reliably is unnecessarily complicated and in desperate need of a redesign. I still see people's mailservers who don't understand simple things like "try-again-later" responses and drop email.

As someone who manages Macs and hundreds of iPads and has Mac servers...

Any kind of useful administration tool is welcome.

MDM is a start, but it's bog-useless for anything compared to its rivals (Chromebook management is a breeze, iPad management is a pain in the arse and some things you JUST CANNOT MANAGE).

But Macs have next to nothing. Hodge-podge, this-and-that, scripted-together junk if you want to do anything vaguely interesting and authenticating against LDAP properly has only been available for a few years. Before that, it needed all kinds of Mac servers playing go-between.

I'd quite like Macs to just log you in (from any authenticated source), create a default profile, give the user mapped drives and printers, and configure settings to turn stuff on and off without having to jump through ENORMOUS hoops and then again for each time you deploy it. To do so takes approximately 10 times as long to set up from scratch as a Windows server to do the same for Windows clients.

Re: 20K+ 25K

Sure.

If you feel like waiting an hour for the first connection to a secure webpage (even if you could network the ZX Spectrum somehow to Ethernet - they only ever had the ZX Net thing that was rare and used only in schools).

Good luck standardising exclusively on something that almost every home ISP on the planet cannot yet support.

Sure, that's not an excuse. But there's no point making a standard that - as a percentage of Internet users - most people cannot use, wouldn't buy, or couldn't care about.

I blame the rubbish about "IPv6 must use an address per device on your network", when you really DON'T care about internal networks of people past the single address they use to the connect via their NAT router. IPv6 and NAT co-operate 100%, but some idiots pulled that out of the bag, scared people, and now nobody will touch it without thinking they have to renumber every device on their network, that they all have to support IPv6 (which isn't going to happen for everything for a long time yet), and that everything you do must be rejigged for IPv6.

Rather than just getting an IPv6 address, slapping that into your gateway device, and done.

IPv6 is in DOCSIS, it's in the 4G standards, it works for DNS, email, all sorts. Datacentre and server hosts all support it. It's in every major OS since XP. But it's rarely used because - well, I can name precisely on ISP, who are very expensive and technical, who actually support and advertise IPv6.

BT don't on their network.

Virgin Media don't on their network.

Bye-bye 99% of users who would use those services, whether they know it or not.

So you have to put IPv4 compatibility in anyway, which just pushes adoption dates even further back.

P.S. The Reg - remember our rule? You can do an IPv6 story when you publish an AAAA record, even on a test website. If I've got them on my website, you should have them on yours if you're going to mock people for not using it.

Re: The real reason

Best sign I ever saw was in the Canary Islands:

We only serve English food!

- Pizza

- Burgers

- Curry

I couldn't tell if they were being deliberately obtuse or not, but they were certainly busy.

Re: I'd recommend...

No need.

Almost anything can be compiled to target the JavaVM, even C code.

Simon Tatham's Portable Puzzle Collection uses, for example, NestedVM to run under Java, even though it's written in pure C.

Re: hint to Tesla owners

It does get me, the fuss had over electric cars as if they're something new, when I grew up in the 80's being woken by the sound of jingling bottles and an electric whine. And they were far from new even then.

Hint: If you have to subsidise free electricity for your users, and set up hundreds of roadside charging systems, and get them to install charging systems at home, and sell them replacement batteries, etc. maybe this tech isn't as profitable or renewable as anything since the 1960's milk floats first woke up spotty teenagers...

Re: Genuine curiosity...

For NCSI? Same way as on any previous version of Windows. Registry or group policy (local included).

Devices and printer images? Same.

CEIP? Same.

Windows Update? Same, or at the firewall as always.

Just because there's not a nice GUI interface doesn't mean you can't disable it. And it doesn't mean it's alone in that among the THOUSANDS of hidden Windows settings for everything else. If you've ever deployed GPO, you'll be amazed how much stuff there is you can turn off that you can't do other ways, and how much even GPO doesn't cover so you have to make your own Administrative Template to do it.

How do you disable the accessibility button on the login screen, which can be used to make the login screen almost unreadable and most people won't be able to put it back? Like everything Windows, the "official" way isn't a one-click setting in control panel, just like all the things you mentioned.

But they're all still there in the Registry, in the same places, available on freeware tweak utilities, etc.

Did you know that you can't add a keyboard language if you disable Windows Search service? Try it.

It doesn't mean 10 is any worse in this regard than ANY OTHER VERSION. Windows 7/8 does not have a settings box anywhere but the registry for NCSI, for instance. And if you want to enforce that settings, you're not going to rely on remembering to click a box, you'll enforce settings via GPO, a tweaker utility, or a bunch of Regedit scripts.

Just because it's not one-click doesn't mean you can't do it if you want to.

Glad it's not just me that picked up on that "astute" line.

From my experience, Mac users think they are invincible and don't even understand that opening unwarranted attachments is a dangerous thing on any OS.

I still hear the "don't get viruses on Mac / Linux" lines and I cannot resist correcting them. I'm a MASSIVE Linux fan. I hate Mac. But they are both general purpose operating systems that, along with Windows, have all kinds of vulnerabilities that can be exploited if any user is lax in how they manage incoming data.

It doesn't matter the patch-level, the OS revision or the OS type itself, they are all vulnerable. Thinking otherwise is like trying to convince yourself that just because you live in a nice area, or have a lock on your door, that you won't get burgled.