Posts by SVD_NL

387 publicly visible posts • joined 15 May 2022


Microsoft won't fix .NET RCE bug affecting slew of enterprise apps, researchers say

SVD_NL Silver badge
Joke

Ah right, stupid devs, they should know better!

Barracuda and Ivanti obviously are very small vendors who don't care about security, letting such an obvious bug slip by! I'm sure more mature products and platforms definitely didn't overlook this very obvious and expected behavior and acted accordingly. /S

Researchers spot 700 percent increase in hypervisor ransomware attacks

SVD_NL Silver badge

Proprietary OS?

Threat actors realize that the host operating system is often proprietary or restricted

Just a friendly reminder Proxmox runs on plain ol' Debian. Not necessarily more secure out of the box, but at least you're in control!

Vendor's secret 'fix' made critical app unusable during business hours

SVD_NL Silver badge
WTF?

Lost for words

"The production database stored medical data, personal information, and handled payments had no access controls," he told On Call. "It was configured 'ALL ALL ALL', so any user on any system could access any database as any user."

I had to stop and reflect on that one for a second.

But seeing how the vendor is behaving, it wouldn't surprise me if they suddenly scrambled and implemented access control, in the process of that they break the app, and silently patch their errors without having anyone know.

Micron ditches consumer memory brand Crucial to chase AI riches

SVD_NL Silver badge

Re: Damn.

From my experience, memory compatibility isn't as finicky as it used to be (especially compared to 25 years ago). I'd attribute that mainly to memory controllers becoming a lot more resilient and flexible.

I've been using Kingston RAM for the past 10-15 years, and it hasn't failed me yet. The only one that was possibly a bit iffy was a set of early HyperX DDR4, but it's more likely my motherboard was bad (it had some issues booting and died after 2 years or so).

Also a lot of memory expansions (hundreds of corporate devices) where the existing memory was different from the Kingston one. Mainly their "regular" lineup (starts with KCP-), occasional HyperX modules.

I also appreciate their clear naming scheme, you can identify the exact type of memory based on part number, so if you care about single vs double rank and those sorts of things, you can check that too.

This is mainly regular use corporate devices and personal workstations, server memory is a whole different beast of course. And I haven't had a lot of experience with their DDR5 stuff yet, but the 10 or so devices with their DDR5 memory haven't had issues yet.

Whatever legitimate places AI has, inside an OS ain't one

SVD_NL Silver badge

Integral to the OS

What's worse is insisting that a user-level application or feature is so intrinsic to the OS that it cannot be removed.

What's even worse, like the IE situation mentioned in the article, is intentionally making an application intrinsic to the OS so you can later argue that it cannot be removed when people start asking questions about your abuse of market dominance.

Internet Explorer, Windows Defender (W10 onwards), Teams (at least early W11 versions), and now copilot. This shouldn't surprise anyone.

They also tried with the MS Store, which is nearly impossible to get rid of without breaking the OS (the latest 25H2 finally has a policy, but Enterprise only)

I notice my MS365 homepage having a bigger and bigger Copilot textbox, and it's taking more and more clicks to get to the place I need.

My prediction? They'll make Copilot an integral part of the UI, argue they cannot remove it, and probably get away with it too.

Web dev's crawler took down major online bookstore by buying too many books

SVD_NL Silver badge

Whenever something silly happens with computers, I try to take the skeuomorphisms¹ literally.

In this case it means watching some madman running across aisles, sweeping everything into a shopping cart, preventing anyone else from buying books.

¹ Whenever computer terms and elements reflect their real-world counterpart, e.g. your desktop and recycle bin, or floppy disks for saving files.

Cryptology boffins’ association to re-run election after losing encryption key needed to count votes

SVD_NL Silver badge

Re: Important learning experience

Well, lesson not entirely learned, because they're still a bit stuck in their own cryptology bubble. They could've looked at the world around them and realised that if you're doing an election with possible conflicts of interest you could just get an independent party to conduct the election and verify the results.

AI nudification site fined £55K for skipping age checks

SVD_NL Silver badge

"technically accurate, robust, reliable and fair."

This list suspiciously doesn't include the words "secure" or "private".

70-hour work weeks no longer enough for Infosys founder, who praises China’s 996 culture

SVD_NL Silver badge

Work-life balance

Balance the amount of work just so your employees barely stay alive!

Cloudflare broke itself – and a big chunk of the Internet – with a bad database query

SVD_NL Silver badge

A lot of websites returned a message like "Please unblock challenges.cloudflare.com". I find it funny that when you're unable to connect to cloudflare, they just assume it's your fault. Cloudflare never goes down, right?

Developer made one wrong click and sent his AWS bill into the stratosphere

SVD_NL Silver badge

Re: $1-2K per month?

€0,25 per kWh, which amounts to approximately 600W constant usage to get to €100 a month. It's not quite there, my guess is that it's using 400-500W. With CPUs like that, idle usage of 50-100W or so isn't unheard of, and it has quite a lot of spinning disks too. Add a bunch of RAM sticks and fans, and it's a pretty reasonable power consumption for a server like this.

SVD_NL Silver badge

Re: $1-2K per month?

Without knowing more about the situation, this sounds like a service that could potentially get a lot of spikes in activity. In those situations it might not be worth the investment to get servers to catch those spikes, while doing basically nothing most of the time.

Another consideration could be location, it may be beneficial that you're able to spin up an instance basically anywhere you want.

And don't forget power costs. I recently got two servers running Proxmox (both dual-socket Xeon E5-2680 v3, not too old, somewhat beefy I guess), their average CPU usage is under 1% (one is running light workloads, the other is pretty spikey, spinning up and shutting down Windows VMs), and it's still adding almost €100 per month to the electricity bill!

SVD_NL Silver badge

WHAT?!?

Sponsor: "Wait, you don't have cost alerts and budget caps set up?!?!"

Chase: "I do now!"

SVD_NL Silver badge

And make your customers aware of the insane costs your service is about to incur? No thanks, people might actually stop making these mistakes!

Developer battled to write his own documentation, but lost the boss fight

SVD_NL Silver badge

*HEV Suit charging sounds*

SVD_NL Silver badge

Re: Hmm

The biggest help with writing a "$SUBJECT for dummies" guide, is finding an actual dummy to help you out (either with writing, or as a guinea pig).

Even if it's just a guide for people who do have the required domain knowledge, the dummy test still applies and is still helpful.

To solve compatibility issues, Microsoft would quietly patch other people's code

SVD_NL Silver badge

Maybe updating OpenSSL included in various built-in apps and Office plugins would be a good start first, especially considering their own security solution detects the outdated binaries and tells me to do something about it!

I'd love to, but I don't think I can get the removal of the Office suite through change management.

Apple knits up $230 sock for your iPhone in time for Christmas

SVD_NL Silver badge

Oh cool, my mum crocheted one of those the other day. She should start selling them!

Networking students need an explanation of the internet that can fit in their heads

SVD_NL Silver badge

Hey, I know that book!

My university uses the Systems Approach book to teach networking! The specific study I was doing only did essentially a "networking 101" class, which wasn't much trouble for me as I'd been working as a network engineer for a few years at that point, but I really enjoyed being able to dig down into topics while bored during lectures.

For me personally, the high-level overview helps me more than anything else. Not just in networking, for any complex topic. This allows me to apply logic to new situations, slot it into the mental model in my head, and work from there. This also helps slowly build up knowledge over time, it's all part of the model, it all makes sense, and it's all deducible. When misremembering something, it'll also set off alarms as it doesn't make sense in the mental model.

As humans our storage is limited and bit rot is a problem, we can't possibly expect to remember everything and also keep up with changes. We have to play to our strengths: Logic, reasoning, deduction.

Windows 11 26H1 is coming ... for new processors only

SVD_NL Silver badge

I'll say BitLocker, as every other update seems to send a bunch of devices into recovery mode (luckily a reboot often solves this for some reason, and I don't need to pass a recovery key through the phone...)

In addition to that, UAC prompts will be fucked, especially through TeamViewer

AI slop hits new high as fake country artist goes to #1 on Billboard digital songs chart

SVD_NL Silver badge

The main problem with top 40 pop stations is the lack of variety. I generally don't mind most pop music, but it lacks the depth that makes me want to listen to the same song 4 times in a day.

I think metal isn't very niche these days? It can be a bit fragmented because of how many subgenres they come up with, but metal festivals and metal concerts are still very popular. I never really hear it on the radio though, I think a big part of that is that tracks are often too long for radio stations. It may be a bit "risky" to play metal, and they're scared of losing listeners (or not having enough time to blabber or run commercials). Recently Sleep Token was gaining some traction (progressive mix of metal/R&B with jazz and gospel influences, among other things), and BBC Radio 1 was playing them... sort of. They butchered the song by making a radio edit and removing everything that made it special.

China warns Dutch away from Nexperia as it lets chip exports resume

SVD_NL Silver badge

Re: Wagging its finger?

The whole ASML exports situation hasn't brought China and The Netherlands any closer either.

Microsoft's lack of quality control is out of control

SVD_NL Silver badge

Re: Program / Programme

If you want to download the office suite through the MS365 portal now, the button says "installeer kantoor" (install office).

Seems reasonable right? Well, the product name is still "Microsoft Office" in Dutch, and the button will seemingly conjure up a physical office space...

The weird part is that this button used to be correctly localised, and that part of the portal hasn't really been changed as far as I can tell.

Another fun one is the "update information" button on the My Account page (referring to updating your security info, e.g. backup phone numbers and MFA methods). We need to direct users to click the "Informatie over de update" (Information about the update) link. This has been an issue for ages though.

52-year-old data tape could contain only known copy of UNIX V4

SVD_NL Silver badge

Re: Damn AI!!!

By including the 0 and 1 you accidentally did something clever: you limited the loss of entropy by turning an ambiguous character into an unambiguous one: when in doubt, it's always a number!

Techie ran up $40,000 bill trying to download a driver

SVD_NL Silver badge

Oh I remember many similar situations. Coverage for border areas was usually poor, making the problem worse.

Switzerland is a fun one too! IIRC they were quite expensive compared to some other EU countries, and it took a while for them to be included in the EU zone for roaming purposes. (As a side note, Switzerland is the main reason I know about all of the different European treaties and zones, because I need to check if rules apply to Switzerland before I travel there!)

Lenovo puts the 'cloud' in cloud computing, proposes mid-air datacenters

SVD_NL Silver badge

"Who turned off memory ballooning?!?!?!"

You'll never guess what the most common passwords are. Oh, wait, yes you will

SVD_NL Silver badge

At that point just allow them to use your whole identity, they earned it!

There's mushroom for improvement in fungal computing

SVD_NL Silver badge
Coat

I've heard they're a bit mushy, so there's room for improvement.

DNS downing clouds is boring: IBM Cloud is experiencing a quantum computer outage

SVD_NL Silver badge

Who skipped geography class?

...Aachen machine happy at IBM’s European Quantum Data Center near the German city of Stuttgart

Who is in charge of naming these things? Aachen and Stuttgart are like 300-400km apart...

SVD_NL Silver badge

Is anyone even affected?

I thought the usefulness of quantum computers was as ephemeral as the qubits themselves.

Frustrated consultant 'went full Hulk' and started smashing hardware

SVD_NL Silver badge

Poor Ted

Being overworked to the point of having an actual mental breakdown is no joke. I'm glad to hear it made Ted a stronger person and I hope he's doing better now.

Microsoft suggests temporary registry hack for stricken smart card users

SVD_NL Silver badge

Smart cards are used by the enterprise segment (almost) exclusively. Two things are true about them: 1. Their PCs will be managed and 2. They're likely to have systems that require very specific protocols/features.

Why the hell did they just disable it silently when it's apparently possible to toggle with a registry hack? Just put it in the security baseline, add a policy to lock this down, and communicate the risks. In a year you change the default to having this mitigation turned on, and sometime in the future when your vast amounts of telemetry tell you no one is using the mitigation, you remove the ability to turn off the mitigation altogether.

It's not that difficult...

Shield AI shows off not-at-all-terrifying autonomous VTOL combat drone

SVD_NL Silver badge

Re: AI-written PR slop?

I'm also wondering about the acceleration of this thing when it's fully loaded up. You generally want to be going very fast by the time you're in range of enemy radar/anti-air, and if you're doing a vertical climb from a standstill that moment comes very soon. Considering they are advertising this for what is essentially front-line deployment, I'm a little sceptical.

BOFH: Saving the planet, one falsified metric at a time

SVD_NL Silver badge

Re: Which side of the pond are you?

Probably makes more sense if the former is pronounced "Thaymes" ;)

Apple’s AirDrop makes weird latency spikes for Wi-Fi wonks, researcher finds

SVD_NL Silver badge

That's not really a bug, just a missing feature/odd design decision.

AirDrop is a P2P connection using Apple Wireless Direct Link (AWDL), so it sets up a direct connection from a virtual network interface on the Wi-Fi modem (and on Bluetooth). It doesn't use your actual network connection, but essentially a modified Wi-Fi Direct connection.

I find this quite odd, considering AirPlay does work using both AWDL and regular networking (mDNS discovery, if I'm not mistaken).

It is an advantage that you don't need to be on the same network, but having the option to use your regular network would be a huge improvement.

More information can be found on the Open Wireless Link (OWL) wiki, they reverse-engineered the AWDL protocol. In the table, the AP column also includes Ethernet links if I'm not mistaken.

Company that made power systems for servers didn’t know why its own machines ran out of juice

SVD_NL Silver badge

Re: How could they not figure out the timing?

I wasn't around during that time, but I do remember reading plenty of horror stories surrounding those APC serial cables!

I believe something catastrophic could happen if you used a normal serial cable to link up UPS units?

Update: I read into it and apparently they still use these cables for backward compatibility?!?!?

Also, it seems like plugging in a regular serial cable will simply shut down/reset the UPS, which may or may not be catastrophic!

SVD_NL Silver badge

Re: How could they not figure out the timing?

They thought a pair of four-core, 120 mm2, three-phase, armoured cables would be the very thing to power an outside light.

Must've been a very bright light!

...(unlike those electricians)...

SVD_NL Silver badge

It's wild to me that the likely cause of outages was identified correctly, but no one bothered to find out when and how they occurred!

Even if it was an issue with the grid, I'd personally have a chat with them about our power dropping for extended periods every weekend.

Must be nice to work at a company where issues are solved by throwing money at it.

Tribunal wonders if Microsoft has found a legal hero after pivot to copyright gambit

SVD_NL Silver badge

Red herring?

Sounds like a bit of a red herring to me?

They are not distributing the copyrighted works, they are reselling the license codes which provide access to said works. (unless you deem license codes copyrightable, which opens a whole new can of worms...)

Also, isn't there existing case law for this? I'm fairly certain that you're allowed to resell (access to) copyrighted works like music and books as well in most (if not all) European countries, assuming you do not make copies or sell it multiple times.

I'm unsure about reselling individual licenses which are part of a volume licensing plan, there's a lot of variables there and I'm not a legal professional by a long shot.

'Fax virus' panicked a manager and sparked job-killing Reply-All incident

SVD_NL Silver badge

Better safe than sorry. I always appreciate it when colleagues come up to me when they doubt the authenticity of certain messages, no matter how obvious.

And this is a senior exec in the '90s, likely making him 60-80 years old now. From experience this is not that wild of a response for people that age.

Client defended engineer after oil baron-turned tech support entrepreneur lied about dodgy dealings

SVD_NL Silver badge

Re: Fairly Minor but...

How does a small bill like that send a whole company into administration? Was their liquidity really that bad?

It's also surprising they couldn't even get the bank to loan them a thousand quid, especially back then.

Horrific mismanagement.

Hardware inspector fired for spotting an error he wasn't trained to find

SVD_NL Silver badge

RE: I'm just trying to imagine the mess

I am too, it's making me laugh and cry at the same time (with a dash of anger).

The first rule of liquid cooling is 'Don't wet the chip.' Microsoft disagrees

SVD_NL Silver badge

Similar in size to a human hair you say?

I wonder how they'll prevent deposits from the water clogging up the channels. I reckon this requires very pure coolant, i.e. no microorganisms or minerals at all. They can't exactly shut down and drain the loops, so they'll need a filtration system to keep it that way.

This is relevant to any kind of liquid cooling solution, but having channels this thin sounds like a nightmare.

Toys can tell us a lot about how tech will change our lives

SVD_NL Silver badge

Makes me wonder...

...how do the "toys" of today bode for the future?

Li-ion roars can predict early battery failure, MIT boffins say

SVD_NL Silver badge

Exciting development

I'd love to see this in on-grid home batteries. I love the idea of the tech, and it would solve a lot of issues with current electrical infrastructure, but I've been super wary of having a huge Li-ion battery inside my home. If this tech gets reliable enough to catch most failures before they happen, it would go a long way to convince me to actually use this tech.

The end of Windows 10 means early Surface Hub hardware will be bricking it

SVD_NL Silver badge

Re: It's okay

That's not entirely true, you can run it in replacement PC mode, and depending on how many hours the display has been on that could be a fairly solid deal (and many of those things haven't been used all too often).

Although the 55" version is a bit dated (1080p is a bit low DPI these days), and the 4K version requires two DP inputs, which isn't too common on tiny PCs.

Proxmox delivers datacenter manager beta that makes it a more viable VMware contender

SVD_NL Silver badge

My experience is very different. I've been running 3 Proxmox clusters on varying hardware (from repurposed laptops to Dell PowerEdge servers) and I've had 0 instability issues. Some of them use ext4, others ZFS.

I've never felt the need to be super careful when running updates, except for major versions, and for those they provide good documentation.

For config changes I'm mainly very careful not to mess up my cluster communications, that can be a pain to restore (but usually sorted in less than an hour), but other than that I haven't had any issues. I do try to avoid editing the config files directly where possible, doing it that way takes away most guardrails. But sometimes I need to, and it's a nice feature that it uses native Linux config files.

Dashboard anxiety plagues IT pros' nights, weekends, vacations

SVD_NL Silver badge

Notification overload

This is a huge issue for IT admins across the field (IMO).

We are generating so much data across our infrastructure, and most of these systems independently have their own severities and some default settings when to notify admins. Across the board they spam you until you're numb... Solutions like XDR in the case of cybersecurity can help, but in my experience companies rarely go through the effort of dialing it in to only generate relevant notifications. At least this means you get spammed from one consolidated platform!

Techie ended vendor/client blame game by treating managers like toddlers

SVD_NL Silver badge

Re: Who to blame?

I can imagine that all too well... not necessarily from the vendor side of things, but dealing with customers in general. Sometimes it's more about managing their internal narrative and adjusting their expectations than actually solving an issue.

It also boils my piss when requests start with "your product is shit and you are shit". 90% of the time the person sending that request is, in fact, shit, and failed to read the documentation or did something silly.

Just this week we got someone complaining that a SharePoint site didn't show up in their favorites, nothing had changed and it just suddenly happened. Turns out the very person complaining had actually deleted the entire SharePoint site himself!

SVD_NL Silver badge

Who to blame?

Vendor: "I believe the issue is on your end".

Me: "Have you looked into it? I believe it may be on your end because of reason X and Y."

Vendor: "We will look into it if you 100% irrefutably prove it's not on your end"

I've had this discussion a thousand times... Bless vendor support that actually tries to cooperate.
