Head in the sand again
They were told of the insecure Pulse VPN servers and ignored the warning. But I'm sure the execs will get off scot-free.
173 publicly visible posts • joined 17 Jul 2008
To those suggesting using a DNS server which blocks domains, this will likely also be subverted in the future as browsers implement DNS-over-HTTPS, which bypasses your DNS server altogether. Whilst you have control over it today, I would not be surprised if Google forces Chrome to use its own DoH servers in the future.
This is why I am building my home automation so that I am in complete control. At the coal face are simple sensors and relays with Arduino and RS485, and I plan to use the open source Mycroft to replace Amazon Echo. I will probably write the software myself or use something existing like Home Assistant.
I am not a proponent of DNS-over-HTTPS, but on the other hand it is just another application that runs using the internet as transport. Users are free to use it if they want to, and it is not for network backbones to pick and choose what to allow. This is sadly why new protocols like SCTP have not been able to gain traction, because a lot of operators just block them. At the end of the day no one person or organization can make the decision for the rest of the internet. Every day I get more and more surprised it still works at all.
One concept Microsoft (afaik) came up with is that of a RID master. It gives out blocks of numbers to other servers upon request. When the server passes the watermark it will preemptively request a new block. In the case of a loss of connectivity, it can still create new objects until the block is exhausted. I thought this could well be applied to database replication.
It's not ideal but perhaps this could be solved using an external service riser, just for fibre-optic cables. Alternatively, the floors could be configured in a bus with active equipment or taps from top to bottom.
Right now the only options for MFA are OTP-SMS or TOTP with the Microsoft app, so either you hand over your phone number, or you install a Microsoft app on your phone. I would much prefer using FIDO U2F keys where the key is generated and stored on the key, and cannot be copied. It is as good as a physical key, without which the lock is nigh on impossible to pick. Unlike FIDO2/WebAuthn the key is write-once and in my view more secure. For instance, if I generate a key on my computer and install it on the phone, it is possible for the key to be copied, which is "not possible" with a FIDO U2F key.
Edit: El Reg does not handle Unicode very well...
"The post contains some characters we can’t support"
The original was, as unicode codepoints: U+00F6 U+00BB U+0182 U+0236 U+00AE U+0130 U+014B U+01EC U+1F61B U+0116 U+1F63C U+2601 U+1F633 U+262D U+263E U+0147 U+2628 U+1F62A U+022B U+262C U+2649 U+1F63D U+00CF U+0137
Or in HTML escaped: ö»Ƃȶ®İŋǬ😛Ė😼☁😳☭☾Ň☨😪ȫ☬♉😽Ïķ
Still no support for dynamic discovery of web servers, which would make sense by putting it in the top-level domain, and has the added benefit of fallback servers and non-standard ports. For example example.com -> NAPTR E2U+https _https._srv.example.com -> [2001:22:33:44::385]:5443, 12.34.56.78:8443
Surprise surprise, Openreach is going down the PON route so it maintains control of the physical layer (as opposed to PTP fibre where ISPs can deliver their own wavelengths to customers). I would like to see more smaller companies, maybe even community non-profits, laying the fibre to stir up more competition.