An international incident or just some finger trouble at the console? Welcome to an edition of Who, Me? where some configuration confusion left an entire nation cast adrift. Today's story is set in the early 2000s and comes from a reader Regomized as "Mikael" who was gainfully employed at a European ISP. The company had customers in multiple countries and Mikael's team was responsible for the …
DOOM was the game of choice among networked computer users of the time. The unimaginative used it as a template for almost everything. Was a bloody boring time for a couple years ... everything was DOOM related. Worse even than everyone and the dog attempting to get the first bloody obvious reference to Red Dwarf ot HHGTTG in before everyone else does ...
No, Cisco didn't semi-officially ever call a router that. They sure had some other good names for them, though ... some were even repeatable in mixed company.
reference to Red Dwarf ot HHGTTG
Slightly less common but just as geeky would be to use the names of, or similar to Iain M. Banks's Minds.
M.
You neglected to mention my favourite .... from the Ratchet & Clank franchise. Their version of the BFG (from Doom) was called the RYNO, which stood for Rip Ya a New One!
They were also great for the names they gave their games: Going Commando, Up Your Arsenal, Tools of Destruction, Quest for Booty, Size Matters, Full Frontal Assault!
I've always been shocked that they never came out with a game called Shoot Your Load!
What the bad guys look like when introduced to the RYNO! --------->
If you knew where to look the BFR name existed for a long time on some of the circuit boards of the GSRs line cards.
That approach was repeated. The CRS-1 running IOS XR was developed as the HFR running IOX before the marking department got to it.
Think I might still have my training manual for IOX 2 on the HFR from a pre-release course in San Jose.
HFR being Huge Fast Router of course.
This post has been deleted by its author
It became an XR12K or similar I think if you ran IOS XR on it.
Cisco developed a lot of the IOS XR code on the GSR hardware before the HFR/CRS-1 hardware was ready hence it working well on it.
I think one of our teams did use XR on the GSR we stuck with IOS on our network and IOS XR on the CRS-1, CRS-3 and ASR9ks.
... but in the early days of the spam wars, I very intentionally dropped two /8s on the floor. Twice. At the time, they needed killing. I also dropped several other smaller, but still largish blocks. I even intentionally dropped entire countries more than a handful of times ... A couple of those blocks and countries are still in my personal blackhole list (probably only used by ~2 million seats these days ... was considerably more back then).
A distant 'friend' who worked for a TLA admitted that they disconnected unfriendly countries to see what the response time was, and whether they noticed if their traffic was being re-routed through a five-eyes friendly network. That was back before DNS poisoning was a 'thing'. He know writes techno thrillers...
I was on site where other people were trying to get a connection going. The remote end had configured the long random string password, and raised a ticket, so our end could set the password on our end.
They guys cut and pasted it, and it didn't work. Eventually they said, let's type it in. So one guy read it out, the other guy typed it. When they got to "O" the typist said is that an Oh or a zero? They picked Oh and it didn't work - they repeated it with zero an it worked.
The ticket raiser has typed the wrong password in.
From this I learned that every change should be cut and paste, and not typed.
a) It saves time (you do not have to think)
b) You can test it before doing it in production and be sure that what you are doing has been tested.
c) You have an audit trail.
Well ... if I had a beer for every tme someone copied/pasted something that didnt work because they accindetally copied (pick your choice), the enclosing quotes, the pre or post whitespace, the punctuation mark, the ALL CAPITALS that followed the 4 character queue they had to type in.
Heck, they at least once managed to include the next line after I'd helpfully put the magic word on a single line by itself to prevent all of the above .....
In the bad old days (I think it was the 2003 version) outlook would sanitise certain typed input but not if it was copy&pasted.
We had a client pasting something into the subject of an email and sending it out. Outlook did as it was commanded, including the new-line characters that was pasted at the end of the subject field immediately before appending the end-of-header CRLF. Naturally the receiving end followed the RFC(2)822 email format and split the header/body at that point and displayed the rest of the 'headers' in the body.
We taught her to be more careful with what she was copying until Microsoft updated their software to better sanitise the input.
I learnt a long while ago that when setting pseudo-random user passwords it's a good idea to try typing them into the system at least once instead of just copy and paste. We had one generated password that, for some reason, was almost impossible to enter correctly no matter how you tried.
I stick to random lower case letters, and spaces, which I can input without substitution. I suspect, I don't know, that some of our past or present systems translate one password differently from different input interfaces.
I don't escape your point that if the outcome is setting your password to "nrealy egnilsh wrods" then your fingers are still going to not want to type it correctly.
Cutting and pasting is not the panacea we would hope. Especially when copying from any Office documents because they tended to include whatever formatting was in or around the selected text (whether obviously or not).
And that's not even including the issues raised by Microsoft's ever so user friendly non-utf8 compatible character sets......
(I genuinely thought all that horror was behind me...... but no..... have just discovered, on a Sunday evening no less, that one of our recently updated dbs seems to have an issue of a very similar style....)
Whenever I'm balancing my accounts I copy from the bank's web pages to a blank Excel sheet, sort by the date column, then copy and paste into a text editor (EmEditor is my personal preference) and tidy up the columns before typing the lines into another Excel sheet in the right order.
'Paste into Notepad'. Seconded.
Works for other operations too, like grabbing XML Schemas from a shite PDF document presented by a shite PDF reader.
I actually stopped here to say +1 for the Notepad thing, but that, for Windows use, I find Notepad++ easier, as you don't have to worry about loosing something if you close one of the plethora of open notepad docs (Now, what was that I just closed....damn..).
yep if you're going to copy and paste notepad is your friend. Once wasted ages trying to work out why a proxy address setting pasted in to a GPO wasn't working and browsers weren't going via the proxy as everything looked spot on. The address was copied and pasted straight from a webpage so included a load of formatting but this wasn't visible in the field on the GPO, copy and paste in to notepad then in to the GPO and everything was working.
To paste, it first has to be in the cut buffer ... or, in *nix terms when you select something, it shows up in X Selections (items hilighted, before you copy or cut them). This is available to anyone who has access to that session. If you make the option unavailable to the rubes, they won't be tempted to expose themselves ... or advocate that others do so, as is happening here in this thread.
Votes don't affect me one way or the other.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so." — Anon.
A password manager is the perfect tool to collect all the passwords of the weak minded.
Instead you should use a 32digit password for all accounts using upper and lower case,numbers and symbols from at least 2 different eldritch rune alphabets.
You should also change them monthly and never reuse any.
Of course you can memorize your simple generic passwords.
Mine are usually of this style (the "can still type it" variant):
jj0Sf0!BE7fy5m!k=@*5
C5OFkjwmXRB2SJiym(:H
1vn_sQ;feB3C-R)mIy0a
XI.Zp%ni@)A)tM!/JHKW
r=S)S%tGH/3IZ$w77MGX
:qZ2ktL2lso0ryFbP.X_
fBbY!?sOVG9x:Xp;@Mr!
2T0.ID!wfJ-e,r5aT.LD
h,UOjaIEOxr*C803nyyQ
T1b8ZVRltId2tIPhgP@!
3=huXEt.8VgNXvS/qsuT
(Y/gSJbnAi%CY?p2vvr$
ZO.iTEckF?:0:ZOPsLxn
=;-Rq0s3qUKJk1YX2a0n
jaqXy,IkH5hSzVuWQ+S4
q7cQMai-0kG;M@SXXyR:
UASn7gGT()uUQ09eFT?O
628w(dNw8_7mMjs)Ao?g
l$l$kHHnlN+N:95i7rQR
,JH-kvVpHUP)6ABDEy+K
;RG!=Z=6*X_bow,t.eeU
f;ELuLkbZ0T4xSGKHWFu
Q/Wf!*gaPWzaKLOcRJk3
w+if24ZnM;-kb)cpF(ak
hn!$Mz0ysyjgMnwV2KCM
)AQEW6fxqe,A;UNUhx6I
WNnBpnBM3wuUN8?w_ag;
)c=s$d/(Yt8+UhqGWSrp
*--x-uQVGFK*s_T,wSAe
sAh*PpvH8*SZcAlzMf70
iD=:Rm8Kg@J?ZvO_klff
EgzbxDkpR:kDWnV-3OUX
Vid6!dvGePwD9sM1tNz:
E+f*bF5lCBeiTXQVOU3w
m)1K6k/-z7(b(S!z3o)m
hsVYjQFI:10v3EteG,Nl
W.j(lc.Cz+UyYmv3.Jx=
Hoo,siPgMNfpelZ:RET2
cU(RKCz3NWlOA$Jea$+R
o(qUOR=W,Dw1xJ*-qTXD
a(SegbGC(PSwupulvA9d
5pis$yWUgO5:Im+h:P;B
?_,Xlty:+T%t.=o$2dte
Qas!j=m-cnDsdi7JlZ?Q
You memorized them? Oh, you are a special one!
The password would be vulnerable in the buffer, but malware that is scraping that can use various other tactics to scrape it as it's typed as well. If you have malware that can read your input, then that's the larger problem and needs sorting first.
As for password managers, they allow you to have much longer and truly random passwords when you have lots of services to log into, which is often the case. When the choice is between a password manager with a single, good, long encryption password and using the same password on everything, the password manager is better. Remembering unique random passwords would be superior, but I know a lot of people who don't have the memory or patience for that approach.
'A password entry box should never accept copy/paste. It's a security thing.
Seriously. Think about it.'
I'm thinking.......
Still thinking....... ah no need - he's unleashed the wisdom, let's see what the reason is...
'in the cut buffer ... or, in *nix terms when you select something, it shows up in X Selections (items hilighted, before you copy or cut them). This is available to anyone who has access to that session.'.....
Oh.... OK. This is about the silliest security advice I have ever read. There are SO many things wrong with your sage-like cogitations that it would take me hours to do them justice. So I'll just state the most obvious.
There are only two fundamental reasons for someone else having access to your session. One is that you share sessions or your credentials with other people. The other is that your security policies and procedures or system design and admin are so inadequate that they provide other people, unbeknownst to you, with the freedom to access systems with your credentials. To allow either scenario to arise takes some pretty serious negligence or ignorance. Take my advice, if anyone is able to access your session, the very least thing you should be concerned with is that they might see what you copy pasted earlier.
I agree. However, as a guy who gets paid to do pen testing of various kinds, I can't tell you how many times I've pulled passwords out of the cut buffer of unlocked workstations in supposed "secure" areas. And (my favorite) off the PEE CEEs of the C* set ... It takes mere seconds, and is easy to do if they turn their back. (I generally ask if they'd be kind enough to get me a bottle of water or a cup of coffee. Works every time.)
It is a very real security problem, and pervasive.
Removing this ability is simple, effective, and does literally no harm. Frankly, I'm absolutely flabbergasted that so many ElReg commentards seem to think it's a bad idea.
This is the same thinking behind LUKS disabling the light on the caps-lock key because "it would make it easier for someone stood nearby to learn your password".
Technically correct, but it ignores that if someone is watching you type a password (or has access to your copy/paste buffer), then you have bigger problems.
That said, some password managers wipe the paste buffer after X seconds, so your password isn't there for a long time.
It was only France, so no great loss...?
(Bad memories of hatchet-faced stern French teachers at school, tend to make one think that Nelson and Wellington had the right idea......) Also worked for a company that had several offices in different countries - lost our Xmas bonus one year because the French office moved and went over budget.
Also had to speak to one of them about a technical question (the resident French speaker was out) and so the call was passed to me -
French lady - "Sorry, I don't speak English)
Me - "Dacord, je ne parle pas Franchsay" *
* english phonetic spelling, don't make me look up the proper words, just imagine it spoken by Inspector Clouseau (Peter Sellers, not Steve Martin)
One of our NI friends was in the greenfinches - women special constables t(hink PCSO with a smart green uniform). One day she was on duty with a patrol in Lisburn, our local town*, when they encountered an unoccupied car in a control zone, i.e. an area where it was forbidden to leave a vehicle unattended. A group of French visitors emerged from a nearby shop. They deployed the "No spik Eenglish" tactic & were allowed to get away with it. If I'd been passing I might have suggested, within earshot, getting the bomb squad in to carry out a controlled explosion, just to see if that prompted a rapid language acquisition.
* Yes, it's a city but I could never view it as an extremely pleasant small town.
I might have suggested, within earshot, getting the bomb squad in
We were returning to the office after a bomb scare, past the bulging and glassless remains of a car (parked in a Belfast Control Zone) which had received the tender attentions of the bomb squad. As we passed we distinctly heard the woman being interviewed by a policeman saying, in an accent from south of the border, "but what am I going to tell my husband? It's his car".
On a project I did, we used to have conference calls with French, Spanish and Portuguese teams. The call where to be held in English as,supposedly, it was the common spoken language.
I ended translating everything between languages, as it was the only way to have any meaningful conversations.
Spanglish, Franglish and Portuglish are definitively not the same language :)
I was once on a support trip in Toulouse (lovely city, wonderful people!) with folks from another US company supporting the same project. We went to lunch at an outdoor cafe; none of us spoke any French, but I speak German and a teeny bit of Dutch, and I wound up translating the menu (by guessing the ingredients from the closest English, German or Dutch cognates) and placing our order. Worked out amazingly well.
Languages skills rock.
(So does learning at least the basic hello/please/thank you in the local language; show folks that you respect their language and culture, and they'll generally be very helpful.)
My father tells the story of a coworker visiting Belgium and went to a restaurant. The menu was in Flemish. He timidly asked the server, "Do you speak English?" The server responded with a chuckle, "Yes, lucky for you."
My mother was likewise visiting Belgium and went to a restaurant. The server spoke broken English. Pointing to an item on the menu, she asked "What is this?" The server replied "Biff." "Biff?" "Yes, biff." "Beef?" "Ah, yes, biff. Little biff." "Ground beef?" "Yes. On bread." "No thank you, I didn't come all the way to Belgium for a hamburger..."
I was in a hotel in the Netherlands, the waitress apologised for not having an English menu (why should they?) and offered to translate.
She starts going down the menu...
Waitress: "That is baa baa"
Me: "Ah, lamb?"
Waitress: "Yes, lamb!"
It took us a while but the food was excellent when it arrived.
Firstly, I am _amazed_ you managed to find a Dutch person who didn't speak excellent English - usually they are only to be found in pre-school.
Secondly, a Dutch restaurant needs an English menu to give to the German, French, Danish, Spanish, Italian, Polish, etc speakers who come in and can't read Dutch.
I was on holiday with my parents, returning from Germany along the Belgian Autosnelweg (motorway). We suffered a blowout in one tyre of the caravan, so called in to a local town to buy a new one. Much arm waving and fractured French ensued, and then the manager sauntered up and said, in a perfect cockney drawl, "Oh!, so you want a tyre,eh?". Turned out that he had a tyre fitting business in east London and was expanding his empire into Belgium because it was cheaper for him to buy a van load of new tyres there and ship them back to London than it would have been to buy them in England.
Downvote was a bit harsh, not from me. I suspect the commentard from the foremast [1] was conflating the Internet with the World-Wide Web, especially in the context of 'looking something up".
[1] We number the masts from the bow backwards, right? Probably the bowsprit is Mast0.
Just a kid or two who doesn't know history. Doesn't bother me any if they refuse to learn from their elders. Their loss, not mine.
The bowsprit is not considered a mast[0]. Masts are perpendicular(ish) to the water. The mast nearest to the bow is called the foremast.
[0] Just to confuse things, there is/was sometimes a small "mast" at the end of the bowsprit, called the sprit topmast ... but it was not counted when calling out a three-masted vessel, four masted vessel, etc., nor was it ever called the foremast.
We were using the term "internetworking", and calling what we were building "the internet" long before TCP/IP went live. There is a direct line of progression from the first two connected & talking IMPs and the 1822 protocol in 1969 to every one of today's pointy-clicky TCP/IP driven intrawebtube delights.
I always do the secondary first,
i never rely on the name to know which is which, i always do the command so the machine tells me which is the secondary.
if for some reason the device that should be secondary, is primary for the thing i'm working on i then need to think about the bigger picture, what will i take out if this thing i'm doing doesn't go right and impacts the rest of what ever is running through this box.
Active-Active can be a nightmare, balancing active/standby across multiple devices can end up causing you more issues than if everything is Active on 1 & standby on the other.
We have a script on all our testing and live systems - "wai", short for "who am I". It reports current user (root if using su), hostname, and current directory. It's extremely good practice to run this and examine the output carefully before running any sensitive command, like shutdown.
In *nix systems, most folk have their console command prompts set up to report username and host, and to have different input prompt symbols for unprivileged users and for root. If I'm really taking care, I might change the colour of my bash prompt based on whoami.
This is controlled (in bash, at least), by the environment variables PS1...PS4, initialized in ~/.bashrc.
I quite often go one stage further when using systems via a GUI, and have root sessions change their background to firebrickred1, which is quite a nice deep red colour, to differentiate from the normal blue background I have for my normal sessions. When working purely over X, I use Xresources to do this, which work across system boundaries.
Mind you, the fact that so many Linux systems have colour aware ls and vim (and other) commands really screws me up, because they always seem to assume that the background colour is either white or black, which means I often get blue-on-blue and red-on-firebrickred1, both of which are unusable.
I know you can change it, but it's a real pain to do it on every blooming system I use! I often just revert to monochrome mode, by lying about the terminal type (although you have to be careful about when an xterm is not an xterm, let alone all the distro-specific terminal programs). I view it as yet another instance of the arrogance of some GNU/Linux software writers.
Depends what you’re doing.
If you’re updating a pair that does failover and there’s a bug in the new version, if you’ve updated the primary first then you’ll see the bug and you can failover to the secondary that’s still running the old code.
Whereas if you updated the secondary first you now have two broken boxes.
C'mon, spanning tree loops are fun!
*eye twitches*
Had a vendor that provided all their own stuff, all they wanted from us was a total of four network connections (two for the interwebbernets, two for the administrative network) and swore up, down, left AND right that they would be connected directly to their firewalls.
Connection day arrives, and I get a frantic set of text messages and phone calls about "IT'S NOT WORKING!!!111ONEONEONEONEoneoneone"
Turns out that they were using an edge switch (just like us!) and had plugged two of the connections into the edge switch instead of directly into their firewalls, and since both switches were cisco, Good ol spanning tree detection error-down'd the lot of them.
We were.... NOT pleased.
I remember a Cisco rep telling me that they had a lot of problems selling their current switches at the time - this was in the Cat 2950/3550 days. What they'd do is they'd send a couple demo units to prospective customers to try out in a lab setting. Ninety-nine times out of ten those customers would complain about how their office network went down when they (in violation of the conditions for the loan) had tried connecting the demo switches to the live environment.
The low OUI (the first 24 bits of system base MAC address) on these models meant that the newly connected switch would more often than not become the spanning-tree root bridge and would, if you were unlucky enough to have other Ciscos in your network, insist on pushing its VTP database as the master, effectively deleting all the VLAN configuration from your production environment.
I can see how that would... dissuade customers.
We worked on the software for the Australian VFT (Very Fast Train). We joked that the second generation would be called the FFT...
What was actually interesting was the press conference for the release of the train, a colleague who was there reported it thus:
Reporter: What happens, when the train hits a kangaroo at over 100mph?
<combined team look at each other, strange facial expressions and shrugs>
Press officer: Er, we turn on the wipers?
Like the story that George Stephenson was asked by a Parliamentary committee in 1825, "Suppose, now, one of these engines to be going along a railroad at the rate of nine or ten miles an hour, and that a cow were to stray upon the line and get in the way of the engine; would not that, think you, be a very awkward circumstance?" "Yes," replied the witness, with a twinkle in his eye, "very awkward -for the cow."
https://www.gracesguide.co.uk/Lives_of_George_and_Robert_Stephenson_by_Samuel_Smiles:_Part_2:_Chapter_10
On a very old system (a MUD), I briefly considered writing a password module that would compare what was typed in to the stored password, and accept anything over 85% correct.
A very sensible thing to do would be, if a password was rejected as wrong, reattempt it after reinterpreting it as if capslock was on. (Change all uppercase to lower and vice versa.)
of RS232...........
Had someone do the "pull cable instead of plug" to remove cable.... why he was removing it remains a mystery as the machine was bolted to the floor and the cable very firmly tied to conduit..some people... sheesh anyway
I knew the colour coding and a swift dab with the soldering iron had everything back together, and its test time.
Guy in the office says "its all set.. send something......... nope getting anything"
I check my plug... still nothing.. still nothing.... ok wheres my loopback connector and put it on the other end of the cable thats in the selector box above the office... test cable perfect.
Hmm
Try sending again and still nothing.. walk in the office to check the PC setting.... and that machine is the 3rd one down on the row of 'select a machine' buttons...... and my assistant has been using the top button all the time....... Hahah how I laughed.
My assistant then fled the office and hid somewhere... sometimes I still wonder where.....
"Right... See, I added it on RC-02, as we always start with the nominal backup device to see that things work fine so as not to break too much."
This was a very careless and avoidable mistake. Was just a matter of announcing which device they both were on, in order to have confirmation, rather than assuming ...
Hopefully, this lot has never approached any satellite control system, otherwise, some big shit would have happened.
Imagine them correcting the orbit of JWST ! "oooops, sorry, we were not on the right device, our sat is just gonna leave us for good, now ..."
Back in the days I was working on France Telecom (now Orange) international backbone called Opentransit. My colleague who came from Cisco world and who at the time was new to Juniper world accidentally injected full BGP table into IS-IS (obviously trying to do the opposite), which pretty much isolated big piece of France. For few hours people in France were not able to buy TGV tickets. They wrote about it in french newspapers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
