* Posts by Joe Montana

818 publicly visible posts • joined 12 Mar 2007

Virgin Media? More like Virgin Meltdown: Brit broadband ISP falls over amid power drama

Joe Montana

Reliable internet

If you depend on the internet, especially for your business then you should have backups... I work from home, and i have 2 lines (cable through virgin and a separate adsl over bt infrastructure), i also have 4g tethering available if necessary. I also have battery powered devices (laptop, phone) which can continue service for a while in the event of a power outage.

Home internet connections are designed to be affordable and for casual use, where it's only a minor inconvenience if it goes down.

Powerful forces, bodily fluids – it's all in a day's work

Joe Montana

Re: Monitor

"Big firms pay peanuts for monkeys who's only technical abilities are turn it off and on again and if that fails re-image the boot drive (which is great when it takes a day and a half to install all the tools needed to do your job)"

There are millions of firms out there who need support, but far less people who are actually capable of providing it. Often the monkeys are all you can find, and some of them aren't even cheap.

And then you have the problem of microsoft constantly pushing their products as "easy to use", despite the fact that to actually use and manage them properly requires more knowledge and skill than even the supposedly "hard to use" products theyre competing with. This marketing then convinces companies that hiring the cheap monkeys is perfectly ok, and that hiring properly competent people would be a waste of money.

The end result is instability and security breaches.

Microsoft Windows 10 October update giving HP users BSOD

Joe Montana

Re: The above is all well and good if you're running a business

"Not all businesses have on staff IT people"

And that is the problem, if you are going to operate a complex machine you need to hire experts who know how to properly maintain it.

Despite what microsoft claim, windows is simply not suitable for non technical users - keeping it running reliably and securely is extremely difficult and requires highly skilled (ie expensive) people to do so.

Brit mobe operator O2 asks cut-off customers: Have you tried turning it on and off again?

Joe Montana

Typical...

Even when the provider knows there's a problem, they prefer to keep you performing troubleshooting activities in the hope that the problem will get resolved in the backend before you've finished. That way it looks like there never was a network problem, and the 10th restart of your handset or router reboot somehow fixed it.

ISPs have been doing this for years.

Apple forgot to lock Intel Management Engine in laptops, so get patching

Joe Montana

Obscurity location

There's a difference between obscurity provided by the manufacturer which is common across all users, and obscurity provided by the user which is unique to that user.

If the obscurity is provided by the manufacturer, i can buy the same system myself and investigate it. The system can be reverse engineered and the obscurity uncovered and exploited.

If the obscurity is provided by the user, i can't buy the same system off the shelf and discover the passwords or keys of some arbitrary user since they won't be present.

'Desperate' North Korea turns to bank hacking sprees to rake in much-needed dosh

Joe Montana

Who?

False flag operations are also very easy to conduct, and it's easy to blame north korea, or russia, or china, or whoever else is enemy of the day.

Economic sanctions don't generally hurt a regime, they hurt the innocent people. There will always be black markets willing to sell goods for them, but keeping the country cut off from the world is actually doing the regime a favour. Their local propaganda can blame sanctions for hurting the country and its people and the sanctions themselves restrict the flow of any information which might contradict the official line of the regime.

Your specialist subject? The bleedin' obvious... Feds warn of RDP woe

Joe Montana

Re: Hard not to agree...

A client machine can be dangerous too...

There are many ways that even a hardened client image can be leveraged to gain further access, especially when that client machine is part of a domain.

Linux kernel 'give me root, now' security hole sighted, dubbed 'Mutagen Astronomy'

Joe Montana

Re: Thanks for clarifying.

"I think that is the fault of General Protection."

It's not his fault, he passed orders down the chain to Colonel Panic.

Some credential-stuffing botnets don't care about being noticed any more

Joe Montana

Abolish crap passwords?

Abolishing crap passwords won't help when the source of the passwords is a breach from another location... Doesn't matter how strong a password is if it's getting leaked from somewhere that doesnt store it securely.

Blocking based on IP is also pointless due to the excessive use of NAT these days, blocking a single address often results in millions of innocent users being blocked simply because they use the same provider as a single compromised user.

Also most of these "attacks" are not actually perpetrated by anyone even remotely related to the source address. Attacks frequently come from chinese addresses because china is full of cracked software which never receives updates (updating often overwrites the cracked binaries), so their machines are easy targets. The same is true of many other countries, but china just has a greater volume of users.

In a race to 5G, Trump has stuck a ball-and-chain on America's leg

Joe Montana

Re: THz broadband

Shorter than cat6, but cheaper to deploy because it involves less digging up of the street...

Ofcourse it's still worse than fixed lines, you can always add more physical cables to handle greater traffic or greater numbers of users in the same area. You can't increase the available wireless spectrum within a given area, and the actual service area is smaller than the area in which the spectrum is used.

Wireless should only be used when wired isn't available, the aim should always be to deploy wired services wherever possible...

Lots of places are pushing wireless services, and they work great initially but once lots of users get on board the service becomes unusable with poor throughput and unpredictable latency spikes.

You can add more physical cables, but you can't create additional wireless spectrum.

Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

Joe Montana

Full disk encryption?

These machines were servers, if you enable disk encryption then you have to have a way to get the decryption key onto the box...

Either you store it on the box, which defeats the purpose of encryption... Or you have to enter it in order to boot the box, which makes maintenance and recovering from failures (eg power) more difficult.

Plus, encryption incurs a performance hit, which usually isnt wanted on a production server, and will increase costs.

On the other hand, during normal operation only trusted IT staff will have physical access to these hosts, and those staff usually have administrative privileges anyway so the risk of them taking data directly from the drives is very low.

The problem here is how the assets were disposed of when the company was liquidated.

Also this happens all the time, its just that in most cases those acquiring the hardware either don't care about the data (ie they just wipe and reinstall the drives for their own use), or they do care about the data and don't want to draw attention to their nefarious activities with it.

Watt the heck is this? A 32-core 3.3GHz Arm server CPU shipping? Yes, says Ampere

Joe Montana

Drivers?

"The bigger problem that has held ARM back in data centre is about drivers"

It's nothing to do with drivers, an ARM server will have drivers for the hardware fitted in it, and it's rare that a server will have anything else installed into it that would require drivers. The number of servers having nonstandard cards installed is very small. In fact, even on x86 servers all i ever see in the expansion slots are vendor-supplied storage and network cards.

The problem is application code, and specifically closed source applications. Linux has supported ARM for a long time, and the vast majority of open source code has already been compiled for ARM by various distributions.

Running Linux and open source apps on ARM is just as easy as x86, and has been for a long time. Many people are running applications on raspberry pi and other similar boards, the only thing missing is higher end ARM hardware aimed at datacentres.

Microsoft pulls plug on IPv6-only Wi-Fi network over borked VPN fears

Joe Montana

Nothing to connect to?

I have dual stack here and i'm seeing about 50% of traffic going out via ipv6, mostly to google, facebook and office365...

Also our VPN went ipv6-only a few years ago (inside the vpn, the endpoint you connect to is still dual stack) - this solved a lot of problems, not least of all the frequent address conflicts when users were trying to connect from networks which used the same internal ipv4 ranges.

Seagate passes gassy 14TB whopper: He He He, one for each of you

Joe Montana

"IronWolf Pro, supporting up to 24-bay NAS enclosures, capacity ranges from 2TB to 14B"

I can see a 2 terabyte drive being useful, but the 14 byte version seems pretty useless to me...

Strewth! Aussie ISP gets eye-watering IPv4 bill, shifts to IPv6 addresses

Joe Montana

Re: Another IPV6 article which exposes issues with IPV6

Well cgnat will be slower, and more open to abuse (thousands of users behind the same address making it very hard to block abusive or compromised hosts)...

ISPs will also have to log every outbound connection made or udp packet sent in order to track any kind of illegal or otherwise unwelcome activity, as simply knowing the ip address and timestamp will no longer be sufficient to identify a user.

Joe Montana

Re: Has anyone truly made the switch?

You will end up with heavily NAT'd ipv4, and have to use ipv6 if you want any inbound or p2p connectivity...

There needs to be more incentive for end users and corporates to enable ipv6, or it will never happen. A lot of ISPs don't provide ipv6 at all, and the vast majority of corporate networks don't use it even if their isps support it.

IPv6: It's only NAT-ural that network nerds are dragging their feet...

Joe Montana

Glorified proxy

A few years ago you had ISPs which advertised that you were "part of the internet" because you got a dedicated ipv4 address, as opposed to some lesser providers which put you behind some kind of proxy service...

There are plenty of routers that work fine with ipv6, providers like sky and bt are now providing ipv6 by default with the routers they supply for instance, most users don't notice the difference.

What will spur ipv6 adoption is creating demand for it - offer services that either require ipv6, or work better with it. Microsoft do this to some degree with the xbox one which declares that it works better if it has ipv6 connectivity, but providers could do more to encourage this. Many providers offer beta access to various services to a limited audience for instance, why not provide these services only over ipv6 for the beta phase?

Microsoft's cheapo Surface: Like a netbook you can't upgrade

Joe Montana

Re: Linx 12x64

If you're just using it for browsing and some simple editing, you'd be better off getting a cheap android tablet...

If you install gentoo on it, then it should run quite well after everything has finished compiling, assuming you configure it right... Even the actual compilation won't take that long as you let it run overnight unattended.

Alaskan borough dusts off the typewriters after ransomware crims pwn entire network

Joe Montana

Domain admin

Hardening active directory to make attacks like this difficult (not impossible) requires significant investment, you need third party tools, and highly competent (ie expensive) staff. Chances are this organisation didn't have the budget required to hire such staff, or do so in sufficient numbers to manage and monitor a network of this size.

If not suitably hardened, active directory is extremely easy to compromise and since it's often tied into everything - that means you now have control of the entire organisation and are extremely difficult to remove.

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Joe Montana

Re: Depends entirely on the risk

Actually there are many ways that an attacker with a tiny foothold on the network could use that foothold to elevate their privileges and gain access to far more resources.

Joe Montana

SMB

But does it apply to SMB logins over the network?

People implement all kinds of extra security on interactive logins, but forget that you can still connect and execute code over SMB among other things, authenticating using just the hash and bypassing any smartcard or 2fa setup.

Joe Montana

Account lockouts?

Why would you implement account lockouts? that's a monumentally stupid idea...

Usernames are often predictable, and frequently not even secret at all. An attacker can work out all your usernames and then intentionally get all the accounts locked, irrespective of how good those user's passwords were.

Similarly even if you lock accounts after say 5 attempts, that means an attacker can still perform 4 attempts per user - if you have many users, at least some of them will have common passwords like Password1 or Welcome1 etc.

A network based brute force is slow and will only ever succeed against extremely weak passwords anyway, so long as you have a half decent password policy no such attempts will succeed. And you should have half decent monitoring too, so you notice attacks. Simply relying on account lockouts is stupid.

Which? calls for compensation for users hit by Windows 10 woes

Joe Montana

Re: Where's the problem?

If you need to do maintenance yourself then it's not suitable for the typical user, who has no idea how to perform these maintenance tasks. People complain about linux, but windows is actually worse in this respect - more maintenence required, and more difficult to fix anything that breaks. The typical windows workarounds posted on forums involve registry edits and powershell scripts, which is just as difficult for non technical users as shell commands if not more so.

US regains supercomputer crown from Chinese, for now

Joe Montana

Downloading porn...

Most of these research institutes have extremely fast internet connections, so yes it can download porn faster than your desktop...

Have to use SMB 1.0? Windows 10 April 2018 Update says NO

Joe Montana

Re: So for a while now...

Ditto, as someone who rarely uses windows but has been using linux and unix for years i've rarely seen kernel panics, and those i have seen were usually down to either hardware faults or me testing/writing experimental kernel patches.

The few times i've used windows, or seen someone else using it, i always wonder how they put up with it. Just last week a friend of mine was unable to connect to wifi and had to reboot before it would work, and after rebooting the system was sluggish for several minutes and inundated with focus-stealing popups.

Joe Montana

Re: FFS microsoft

Well perhaps someone should have thought about that before implementing a critical system using such a poorly designed protocol...

Really the problem is that SMBv1 was so badly designed in the first place that it needs to be turned off for security reasons. There are plenty of other protocols that are old and still in use and also still widely supported by backwards compatibility even when newer versions also exist.. SMTP/ESMTP, HTTP 1.0, DNS etc.

Joe Montana

Why?

What exactly is wrong with smbv1 thats fixed in newer versions?

I still use NFS, sometimes NFSv2 or v3 depending on the use case - i'm aware it lacks security features present in newer versions, but in many cases those features are not necessary. I have a readonly share full of videos and music for instance which is shared by multiple clients in my house, including linux based media centre boxes. I don't care if someone gains access to that data, and i'm not aware of any vulnerabilities in the server software itself.

Pwn goal: Hackers used the username root, password root for botnet control database login

Joe Montana

Hacked box

Chances are they deployed the C&C on a compromised box, and root/root is probably how they themselves got access to it in the first place.

Whois? Whowas. So what's next for ICANN and its vast database of domain-name owners?

Joe Montana

Personal vs business

Nominet at least makes a distinction between personal and business registrations, with the latter detailing information about the business.

Having full contact information about a business is extremely useful and desirable, you want to be able to contact a business and a legitimate business wants to be contacted and for its companies to know it truly exists and isnt a scam etc.

Also in the case of a genuine business, all of the information is already going to be available publicly anyway.

Doesn't the GDPR require companies to declare what they collect and what they do with it? If they're up front that your details will be collected and published on the internet then whats the problem? You have the choice not to use the service, or to use an anonymising service etc. The GDPR is supposed to give users control over how their data is handled, it shouldn't prevent someone from publishing their own data if that's what they choose to do.

Arm emits Cortex-A76 – its first 64-bit-only CPU core (in kernel mode)

Joe Montana

Other processors

Intel and AMD have a lot more legacy 32bit (and even 16bit) code hanging around, removing 32bit support would cause a lot of headaches. ARM chips are usually used in embedded devices which are typically designed together with the software they will run so there's far less problem.

There have already been pure 64bit chips with no 32bit mode, such as Alpha...

Interestingly while ARM64 is quite new, their primary competitor in the embedded space is MIPS, and MIPS64 has been around since the early 90s, but they failed to capitalise on their lead over ARM.

Samsung escapes obligation to keep old phones patched

Joe Montana

Phone contracts

A lot of phones are purchased on 2 year contracts, so at the very least the manufacturer should be required to support the phone for the duration of any such contracts.

Internet engineers tear into United Nations' plan to move us all to IPv6

Joe Montana

Re: Mapping plan

You may have missed the bit about developing countries...

They have slower connections, which don't need these new expensive routers, so they buy older routers that providers in developed countries have discarded, which is part of the problem as many are using equipment which doesn't support ipv6 or incurs significant performance penalties when doing so (eg ipv4 in hardware, ipv6 in software on a slow cpu).

Joe Montana

Re: Mapping plan

There is already a mapping from ipv4 to ipv6 - the 6to4 address space:

https://en.wikipedia.org/wiki/6to4

Every routable ipv4 address has a /64 of ipv6 space in this way.

The way to encourage ipv6 adoption is to make it a desirable feature that users demand from their ISPs... Microsoft do this to a small degree by stating that the xbox one works better with ipv6, but more is needed.

If big services like google and facebook start promoting ipv6, and making new desirable features available on ipv6 first then people will start asking their isps for ipv6, and are more likely to favour providers that are offering it. ISPs don't bother at the moment because its a cost, if they start to lose customers due to lack of ipv6 then they will take action.

It's World (Terrible) Password (Advice) Day!

Joe Montana

Account lockouts = stupid

Account lockouts do very little to stop brute force, an attacker isn't going to try thousands of passwords against a single account - they're going to try "Password1" against thousands of accounts as this has a far greater chance of success, and systems which lock based on account will do nothing to stop this attack despite the fact that thousands of attempts to login to different accounts is clearly a malicious activity that should be detected.

Not only that, but locking accounts makes it very easy for someone malicious to intentionally lock accounts, causing severe inconvenience and disruption.

You need to develop a sensible strategy like exponential backoff and detecting anomalous behaviour like the above, not just blindly lock accounts.

UK gov grilled over massive exposure to struggling outsourcer Capita

Joe Montana

No new contracts?

If they cancel any existing plans they might have had for new contracts, that will only hasten the demise of capita...

There is ALWAYS a risk of suppliers failing, and a sensible exit strategy should be a standard requirement for any contract or procurement... Sadly this is almost never the case, as suppliers want to keep their customers locked in - not make it easy to migrate.

OK, this time it's for real: The last available IPv4 address block has gone

Joe Montana

Incentives / Demand

Currently there is very little reason for users to demand ipv6, about the only vendor doing anything positive is microsoft who publish documentation for the xbox one which encourages you to use ipv6 for a better experience. Users are not asking for ipv6, so providers don't bother offering it.

If users were demanding ipv6, isps would start providing it or lose customers, and sites would start offering dual stack at least.

A lot of US government sites are available over ipv6, because the government demanded it... In the UK, there are no government sites available over ipv6 that i'm aware of, even the relatively new gov.uk site is ipv4-only.

Even when everything supports ipv6, many people will not bother to configure it or even explicitly disable it.

One approach would be for the likes of google and facebook (who both already fully support ipv6) to start offering new (ie beta) features over ipv6 first, and displaying warnings to users accessing services without ipv6. Having beta services available over ipv6 would result in better beta testers in the short term (people with ipv6 now are more likely to be tech savvy), and result in more users demanding ipv6 from their isp.

Microsoft Office 365 and Azure Active Directory go TITSUP*

Joe Montana

Re: How can we learn from this?

The problem is that the people making the purchasing decisions don't understand technology at all, so they don't question what sales people or random websites are telling them.

Most such purchasing decisions are not made by the IT department, but even the IT dept often don't have much of a clue either. The requirement for staff increased much more quickly than the availability of skilled staff, so companies have to take whatever they can get - including people who don't have much of a clue.

Joe Montana

Re: Why???

The keyword is "resilient", but the frequency of outage reports posted here seems to suggest that it isn't really very resilient at all...

Running an unreliable isn't very expensive or difficult.

'Every little helps'... unless you want email: Tesco to kill free service

Joe Montana

Own domain

If email is important to you, then you should always own your own domain. Then it's under your control, and so long as you keep paying the registration fees every year it won't be taken away.

If you're using someone else's domain not only do you usually end up with a stupid username because everything sensible will already be taken, but you also are subject to the whims of the provider who could at any time decide to shut off the service.

If you own your own domain then its portable between providers, or you can even host your own - a cheap virtual server or a raspberry pi running at home (assuming you have a home internet service with static ip) will be more than adequate for personal email hosting.

Perhaps someone should sell PIs preconfigured for this purpose.

Law's changed, now cough up: Uncle Sam serves Microsoft fresh warrant for Irish emails

Joe Montana

Re: Violation of national sovereignty

They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country.

If the data was held on a server belonging to an Irish company then the US would have no way to demand the data, and would need to apply for an order through the Irish court system.

The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.

Employees working for an entirely Irish owned company with no US parent company would not be answerable to the US government at all, and could only be compelled to perform any action by Irish or EU governments and courts.

If you're concerned about foreign governments interfering in your business, then support local businesses and only worry about your own government (which you cant avoid anyway, and theoretically have some control over).

Developers dread Visual Basic 6, IBM Db2, SharePoint - survey

Joe Montana

Diversity?

The poll was of developers, the fact that the majority of those answering the poll were straight white men means the poll was aimed at the target audience as the vast majority of developers are straight white men.

Diversity should never be a priority, the top priority should be hiring the best talent irrespective of who they happen to be. It's not the fault of employers that the majority of those who studied for development roles are straight white men, there is nothing stopping anyone else from learning how to develop software, they simply chose not to.

Full shift to electric vans would melt Royal Mail's London hub, MPs told

Joe Montana

Re: Hmmm

"Or stopped if necessary"...

So you leave your car to charge overnight, and it may or may not do so... When you wake up for work in the morning the car might not move, that's not really usable.

Fun fact: US Customs slaps eyeglass taxes on optical networking gear

Joe Montana

Photoshop cloud

"The optical signals acted upon by these products are never visible, and therefore the subject merchandise is never used to create or enhance visible images."

But with things like photoshop moving to being cloud based, you could argue that all networking gear is used to enhance visible images...

Symantec ends cheap Norton offer to NRA members

Joe Montana

Age limit?

If someone is underage, or cannot legally buy a gun for whatever other reason, but wants to use one for some kind of illegal activity then they're going to acquire one illegally on the black market or steal one.

If acquiring a gun is too difficult then they will use whatever else they can get their hands on which might be a knife, a bomb or even a car. The fact is crazy people will do crazy things, using whatever tools are available to them, and focusing on guns just distracts from the actual problem.

Windows slithers on to Arm, legless?

Joe Montana

Re: Going from 32 to 64 bit was so simple nobody really noticed it happened

NTVDM uses vm86 mode on 32bit x86, but on other architectures (mips, ppc, alpha) it would emulate the cpu... There's no reason they couldn't use an emulation mode for 64bit x86 too, dosbox works fine like that.

Joe Montana

Re: "Windows NT has historically supported five different platforms "

MIPS is still competing in the embedded space, although they are way behind ARM, and really missed their chance to get ahead of ARM in the transition to 64bit.

MIPS had a 64bit variant *long* before ARM, it's been around since the early 90s and has mature compiler support, as well as hardware available easily and cheaply. ARM64 was only announced in 2011, and took a while to get OS and compiler support.

Joe Montana

Re: "However it is really difficult for them to change"

Binary backward compatibility on unix is excellent too at the kernel level, the problems people encounter are due to distros not shipping the expected old versions of libraries but there is nothing stopping you adding those libs and having everything work...

Microsoft ship with mountains of backwards compatibility libs, linux generally doesn't because 99% of applications come with source and can thus be recompiled against the newer libs.

Joe Montana

Re: Wedded to Intel

Chicken and egg... Vendors won't port to a platform with no users, and users won't buy a platform with no software.

The unix world was always different, you had several large well established vendors each with their own OS and later their own processor architecture (many started off on m68k before developing their own). Developers of software for windows on the other hand have never really had to deal with portability, they typically never considered processors with a different byte order or pointer size.

Then there is the open source nature of many unix systems, especially today. Not only is most software portable, anyone can recompile it for a different architecture. You don't get the chicken and egg problem, as the vast majority of software is a recompile away once you have a unix-like kernel and gcc ported to the new architecture.

Hyperoptic's overkill 10Gbps fibre trial 'more than a clever PR stunt'

Joe Montana

Chipsets

A lot of cheaper chipsets are capable of connecting to a gigabit ethernet connection, but not actually transferring data at the full rate...

Aside from the chipset, it also depends on your (pci/e/x/etc) bus, memory, processor, and if your downloading data - the disk onto which the data is being written.

There have been gigabit ethernet nics for nearly 20 years, some are better than others.

IT 'heroes' saved Maersk from NotPetya with ten-day reinstallation blitz

Joe Montana

Firewall rules

If you allow rules for AD, then you allow the very ports that most of this malware uses to propagate.