* Posts by Andrew van der Stock

11 posts • joined 21 Oct 2007

Lenovo's 2017 X1 Carbon is a mixed bag

Andrew van der Stock

Lenovo power management is the reason for the slow wake up

By default, Lenovo's recent power management has two inter-linked features - Easy Resume and "30 day suspend". If you constantly wake the system up, like it sounds like you do, go to Lenovo Settings, click on the Battery, and turn "30 day standby" off and "Easy Resume" on.

4 new twists that push the hacker attack on millions of US govt workers into WTF land

Andrew van der Stock

The stupid thing is...

As part of the Five Eyes agreement, I'm sure the US has access to the publicly available Australian Signals Directorate's Top 35 Strategic Mitigations. You can even Google it. If they'd just followed the Top 4 items (application white-listing, patch your damn apps, patch your damn OS, and limited administration rights even for administrators), I bet the APT would have been either detected, blocked. The Top 4 are mandatory for all Australian government agencies and departments, so if anyone says that a large government bureaucracy can't use white listing, patching apps and OS, and has limited administrators, they haven't looked very far. In my view, not doing the Top 4 is tantamount to actual negligence.

Carry On Computing: Ten stylish laptop bags for him

Andrew van der Stock

Where is Tom Bihn or Crumpler?

I can't believe that any article like this doesn't have at least one of those two brands. I have the Tom Bihn Airport Flyer, and it's the best laptop bag full stop end of story. My Crumpler messenger bag, which looks a lot better than all of these bags, is no match for the Tom Bihn or the incredible comfy strap. They don't sell the Airport Flyer any more, so it's eBay for a replacement if my current one dies.

How do you solve a problem like Willowra?

Andrew van der Stock

If you decide to go the WSUS route, get it fully populated before sending it out. Updating via slow satellite versus city network connection would kill the satellite connection for weeks.

If you're not planning on managing the rest of the computers at the remote location, pfSense + squid hack to handle Windows Update (and iOS updates and MacOS updates) is a better choice that can be remotely managed and you don't need to pre-populate the cache on the off chance that someone is still running 64 bit Vista.

I think pfSense (which is web based) + squid as a local web cache is a much better remote managed solution that will give you the local caching and DNS caching that will make the Internet connection work better than trying to do tricks like compressing or optimising the satellite link a la Riverbeds. Obviously if you have Riverbeds as well, it might be even better.

Reg Oz chaps plot deep desert comms upgrade

Andrew van der Stock

You should check out what the OLPC folks have done in similar (or worse) circumstances. I know some of the folks involved in that effort, and get you in touch.

I'm unsure of why you have filtering mandated. I'd feel a bit miffed if I was a local being told what I can look at and what I can't look at, but I'll assume you're in parts of the NT where the Intervention is taking place.

I'd move the proxy, a caching DNS server, and filtering to be local, using something that can be managed remotely as required, preferably via secure web site and SSH as these don't suffer from latency issues as badly as VNC or RDP sessions.

Looking up a DNS request over a 300 ms link can be hugely latency inducing if it can be satisfied by a locally cached DNS entry (<1 ms). Modern websites, such as Facebook look up over 40-50 DNS names for all the third party advertising and analytics and games, etc.

The other thing you can do is tweak the local cache to cache very big objects, as well as setting up a local patch management solution for the most common platforms in use by the locals. That way patches and iOS updates don't chew huge bandwidth.

Using Riverbeds is a good idea as long as most traffic is unencrypted, but as things move to HTTPS by default (e.g. Facebook, all of Google), you will get less bang for your buck. The main thing you could have a look at is to use QoS to prioritise certain traffic over other traffic. Get this wrong and you have entirely new problem of your own making. I've seen some terribly managed QoS policies that made things far, far worse. That said, unless you can get the Riverbeds for a good price (and it does require two of them), you'd be better off investing that money in a fatter pipe.

systemd row ends with Debian getting forked

Andrew van der Stock

Re: Init freedom

I think you might want to spend a bit of time looking at what systemd *does*, and *how it does that* before saying these things.

For a start, it's a collection of modular things that do their own little thing, but require cooperation in modern systems. For just one example, power management are absolutely critical for servers, particularly virtualized processes.

Systemd enforces a security model, again critical for servers, that supplements (or outright replaces) the hopelessly complicated SELinux with something that is even simpler to get going than chroot jails on *BSD. As the ultimate parent process, this is the best place to do it, particularly when you take into account its lightweight containerization capabilities.

Systemd's modular security architecture provides separation of duties, so a compromise of one module doesn't imply a compromise of the entire system. It's early days yet, so I bet there's a few sandbox bugs to work out, but this sort of sandboxing is absolutely critical for Internet facing servers.

Systemd has lightweight containerization, which is critical to servers, particularly cloud based servers. You can boot a new environment with a single command without a lot of setup. Like any init process, it knows how to start, stop, suspend, or provide services to it.

Systemd has a completely orthagonal administration model, which eliminates guesswork. This is critical for servers and reduces the chances of admins stuffing it up.

Systemd boots in a fraction of the time taken by any init. This is critical for servers where taking a 4 minute reboot holiday basically means losing any chance of 99.99% uptime that year.

Please, please, please, don't let facts get in the way of your emotions. It's just new, which means you should learn about it. It's actually quite good. I was sceptical at first, but now, I can't imagine returning to the old way.

Even 'Your computer has a virus' cold-call gits are migrating off XP

Andrew van der Stock

What are LogMeIn doing to make these scams easier to report and block?

In my view, LogMeIn (and all remote access tools, really) should have a warning users have to read and acknowledge on the login screen with a big red button users can easily click to report and block the six digit code immediately that terminates the connection to your computer immediately. LogMeIn should make note of the IP addresses of the originating end, and block the source IP AS netblock from making any new LogMeIn connections until the parent ISP clears their customer off the Internet. LogMeIn should donate any payments from fraudulent scams to Indian charities, particularly charities with programs like ethics for kids to prevent new recruits. As the scammers have to install an agent on their computers, it would also be nice if the LogMeIn code locks the scammer workstation hard and sounds a very loud siren noise and flashing lights with a notice of the nearest police station's address, so they can go hand themselves in, and send out a IP trace locator to the local authorities so the scammers can be arrested and prosecuted.

Or am I just dreaming, and Logmein is profiting from this awful trade?

Linux backdoor squirts code into SSH to keep its badness buried

Andrew van der Stock

Someone saw Metlstorm's talk

Finally seeing bad guys using the techniques detailed in Metlstorm's talk from linux.conf.au earlier this year. He claimed that most of these techniques are 10+ years old (and in fact, some of his tools, like ssh-jack, he demos don't work on modern Linux AFAIK).

Search for the video of his talk "Ain't no party like a Unix party". Well worth 45m of anyone's time. You can probably find his 2005 Black Hat talk on ssh-jack around the traps as well.

Great speaker, great guy - if only more in infosec were like him.

Greenland ice did not melt in baking +8°C era 120k years ago

Andrew van der Stock

Is there a way I can filter out crap posts?

I'm sick of Lewis Page's articles. Deliberately, trollingly, click baitingly, presenting wholly factually inaccurate or misrepresentative quotes and factoids. These "articles" would make Faux News blush, and indeed I suggest Lewis look there for his kind if he needs new employers.

I don't mind it when new data or research comes to light that shows us how to improve our models or understanding of how things work. That's science. But to wilfully and continuously disparage the scientific method, 99.98% of all qualified climate scientists, and 50+ years of research with a wide range of funding sources and tenure beggars belief. What is Lewis' qualification to write these articles? If it's a B.A. in journalism, then none. He is not a climate scientist. The Register, must not take the easy path of bashing science.

Governments would LOVE climate science to be fake. Governments would love to continue growth at all costs and continue business as usual. The fact that all major governments of all stripes have stopped feigning ignorance and starting to move on this should speak volumes to the doubters. It's not rocket science to work out what's happening - it's now CHEAPER to do something than to do nothing. It really is that simple.

The scientific question has moved from "the climate might be changing" to the "climate is changing pretty darn fast especially compared to the many historical records we have". We have hydrologists who run flood models to determine what is going to go under with varying levels of increase. We have economists who work out roughly how much it will cost, and it's a terrible, terrible cost. Plus we're crapping where we sleep. Even if it's not right, surely you want to have clean air and environment? We have tropical islands like Kiribati already essentially flooded and unproductive as they have no fresh water table.

The economic and political has become "how much will that cost in human life, treasure, and war" and "what can we do about it to minimize the misery?" Doing nothing is not an option, and keeping that position deals you out of any solution. If you hate how you feel dealt out of the mainstream today, wait for another 30-40 years.

If The Register is not going to present alternative solutions to mainstream thought (which I disagree with, ETS are cheap for governments, but ineffective at creating necessary change), then get someone else to write a 99 times more articles than Lewis to balance out "articles" such as this waste of electrons. I don't come to The Register for factual inaccuracy, I come for funny and moderately unbalanced tech editorial, based largely in fact. These articles are siding with the folks at World Nut Daily in a way that does not reflect well on the Register.

My question stands to the moderators: until Lewis moves on or decides to post what he'd like to see change instead of the "Don't panic, it's fine to carry on defecating all over our planet and please feel free to turn up the aircon", is there a way I can block these ridiculous articles from appearing in my logged in version of the Register?

TiVo hits pause button in Australia

Andrew van der Stock

Too few features, EPG work of fiction

I've owned three Oztivo's, of which two are still in use today. That allowed me to record Foxtel, and was easily the best way to deal with Foxtel's utterly broken UI.

In the US, our two series 2 Tivo's could record four Direct TV shows at once between them. With US stations ALWAYS starting and finishing on time, you could guarantee a show would be recorded. Made dealing with the 500+ channels of crap much easier.

Coming back to Australia, we bought the new Tivo, but it's nearly impossible to make work due to the incorrigible fiction of Channel 9 schedules. So we don't watch Channel 9 any more. Channel 7 is not much better - they can't seem to work out how long 30 minutes is in their newslots and this hampers both start and finish times, even though they are the official Tivo partner in Australia.

Tivo downloadable content is a joke. In the US, we could get ANYTHING from Amazon at Amazon prices. Here? Not so much.

Coupled with the inability to record off our Foxtel satellite dish, the Tivo is in our bedroom. The Foxtel IQ2 in our loungeroom is atrocious. It's like Foxtel heard about Tivo from a drunk technophobe, and tried their best with Elbonian developers, and failed. One example - the IQ2 can only search two days ahead. That's it. For months, that didn't work either. The EPG is six and bit days ahead, and still can't cope with Channel 9's outrageous fibbing. If only the Tivo could record Foxtel.

A great system stymied by crap scheduling, lack of truth in EPG, and no access to iView / watch it again type of things from the FTA and Foxtel.

Comcast busted for bagging BitTorrents (again)

Andrew van der Stock

As a Comcast subscriber... please continue

I'm extremely satisfied that leeches are not robbing *my* share of bandwidth just so they can illegally download (and very occasionally share) copyrighted works.

I like the bandwidth I have available most nights (500-600 kB/s are typical rates to east coast sites like SourceForge). To contrast, I stay at many hotels which do not shape or euphemistically "manage" P2P traffic, and I'm lucky to get 1 kB/s most nights. You can't do squat with that amount of bandwidth.

I might care more if there was more legal P2P stuff going on, but there's not. For every legit Suse 10 download, there's 18 gazillion illegal CDs and DVDs being stolen by folks who will never listen to watch even 1% of the stuff they download.

This has NOTHING to do with censorship. I fight against censorship. I've sent my MP copies of 1984. I have personally spoken to my senator about freedom of speech and Internet issues for more than half an hour. I've engineered the technical security of DNS in Australia to protect privacy. I've helped the EFA. Have any of you "this is censorship" commenters done any of that? I doubt it. Go destroy your Torrent client and get out there - help Electronic Frontiers or Amnesty International and do something for folks who actually are hurting.

This has everything to do with making legitimate customers like me happy, and annoying the 1-2% of leeches who will not be satisfied with even a free dedicated 1 Gbps fibre to the door. They can go get stuffed.

Comcast - don't stop now. Also, when you have a second, please block port 25 outbound.



Biting the hand that feeds IT © 1998–2022