People’s front of Judea..?
72 posts • joined 12 Jun 2009
Let's Encrypt is a superb service. And one which is very necessary to help drive a more secure web.
I realise SSL in and of itself is not an overriding solution to web security but it is a linchpin. For a company to FREELY offer a way for you to add this layer of security to your websites is a big deal. At the least it removes the "I can't afford it" excuse.
It's young, yes and as such can be a bit labour intensive to set up but is actually very simple to implement, even on semi-unsupported platforms such as macOS.
So I echo the authors's sentiments; I use it and you should too.
I have 2 of them from 2 different last mile providers (same ISP) coming into the building from different directions. I wanted them coming into different ends of the building but that'd have cost me £50k in construction, so that got nixed.
It's not perfect, but it's better than many people I know.
I am currently in the process of ripping out my entire network and getting a new one installed. Part of the UAT I specified was that I'd go around randomly unplugging things and see at what point it fails. It's a genuinely valid methodology for testing (given you think about what you actually want to test for, of course) IMO.
I think a lot of management types forget, overlook or just plain don't understand 2 very good points also raised by this article.
1. IT types generally learn by doing (I sure as hell do)
2. Having IT types who have learned - and know what's what - is extremely good for your business in the long term.
Sadly, this is overlooked in the name of economy (of the false kind) and efficiency (of the false kind). I mean; who wants to waste money and time letting your own people learn by doing when you can get a consultant in and not have to waste a minute or a penny?
A fantastic article, thank you.
[edit for spelling]
My wife bought me a Speedmaster for my 40th. I saw one at Cape Canaveral in the late 70s and wanted one for the following 30 years. I also have a limited edition Sturmanskie of the type (allegedly, who knows) used by Comrade Gagarin.
Fair to say I like space watches, now I have to raise a meelion dollars?
OK, so I have to admit this is what I have. Virgin 120mb/s with their box in modem mode and another router/firewall doing the heavy lifting. I also have my own DNS (& DHCP) server for resolving some stuff on the local network and pointing at Google for the rest of it. Hence I've never been subjected to Virgin's DNS issues (as far as I'm aware).
The reason I asked the question as to whether TalkTalk intercepted outgoing port 53/DNS traffic and re-routed it to their own servers is that I see that breaking a lot of things quite badly. It's bad enough not returning NXDomain when you should if someone is using your DNS servers but to intercept traffic destined for someone else's DNS servers and munging it is unforgivable.
I sincerely hope this is NOT what's happening. (I accept that it likely is not)
The reason for not having a Target Monitor mode is down to the fact it requires DisplayPort 1.3 to drive it and Thunderbolt 2 only supports DisplayPort 1.2. Something to do with the sheer amount of bandwidth the display needs to move all those pixels.
"...Pushing this many pixels requires more bandwidth than DisplayPort 1.2 offers, which is what Thunderbolt 2 ports use for outputting video signals. (I wrote about this a few times.) Doing it right will require waiting until DisplayPort 1.3 in Thunderbolt 3 on Broadwell’s successor, Skylake, which isn’t supposed to come out for at least another year — and Intel is even worse at estimating ship dates than I am, so it’s likely to be longer..."
I don't think the story is "Upcoming operating system may have copied features from a rival operating system!" I think it's far more "World's most prevalent Operating System finally gets feature everyone else has had the advantage of for a very long time, what took them so long?"
These are all good questions which can be summarised by the question: "What is your aim?"
Do you want the info for troubleshooting? Compliance reasons? To catch someone you suspect of doing something naughty? How you answer these should dictate how much importance you put on each aspect of the task.
For instance if you're trying to understand who is using the most bandwidth and which sites they're using then it MIGHT be a better solution to upgrade to a router/firewall that can gather these statistics for you if you don't have one already (I haven't read the other article yet). Most home routers these days and certainly the lower cost 'business' routers seem to have this functionality.
You might find that your firewall/router also has the ability to do more detailed log capture/packet analysis and send the results to a log server which could be one of the internal PCs which you SSH into and SCP the files from OR you could get it to log to YOUR server, wherever that might be.
There are many options. And the more I think of it the more I can come up with but the key question remains: "What is your aim?"
I know you said "...Installing a server to do the sniffing probably isn't an option..." so I'm going to take the 'probably' bit and run with it. Also, in the time it takes me to type this up ninety-eleven other people are bound to have said the same thing.
I think this is probably exactly the kind of thing a Raspberry Pi running Wireshark would excel at. It'd allow you to SSH in to SCP the dump files for analysis, it's small with low power requirements and importantly it's very low cost.
It's true though that if you wanted to capture ALL traffic on the local layer 2 segment then you'd have to have (as I understand it) a switch that can mirror traffic from other ports to the one the Pi is attached to otherwise all you'll be able to pick up is broadcast traffic. Also, with regard to inbound and outbound traffic you'd need to find a way to use the Pi as a router and pass the out/in bound traffic over NICs attached to it which would mean using a USB to Ethernet adapter and I have no experience using one of them with a Pi.
I used to do some IT support for the boffins at NPL (and I'd like to take the opportunity to say what a fantastic bunch of chaps and chapesses they are!) and the one thing that I found amazing was they could - and WOULD - measure anything.
I think the story goes like this (I heard it Nth hand): One of the boffins asked one of the designers how long a brochure or leaflet or somesuch would take to complete "Oh, well, how long is a piece of string?" came the reply. About a week later a small wooden box was delivered to the head of the design department containing a piece of string and an official certificate saying something along the lines of "A piece of string. Length: 97.914mm" and a typed note saying "So, how long until I get my brochure?"
The story may well be apocryphal but I have a photo of the piece of string in its box and the certificate somewhere. (Though I may have misremembered the exact length, it was to 3 decimal places!)
What a wonderful bunch!
Listen up, this is IMPORTANT people. What you need to do is disable Mission Control's use of f12 to bring up the Dashboard. SO pop on over to System Preferences>Mission Control and from the popup menu next to 'Show Dashboard' choose the -
Then, to load the disk you've selected in the emulator press - by default- [shift]-[fn]-[f12] OR if you've selected 'Use all F1, F2, etc. keys as standard function keys' in System Preferences>Keyboard, you can leave out the [fn] key press.
I'm no expert but...
On a cursory read-through it does seem to me that they're not normalising (or whatever you want to call it, I did say I'm not an expert) their data before doing an analysis of it. This is bound to throw the numbers off somewhat.
Also, what others said above me, the duty cycle and usage hasn't really been taken into consideration.
I tend to tell people that if they want me to stop/change subjects to tell me firmly that 'That's enough of that subject". I'm not going to be offended as I KNOW I go on but you have to be clear about it and say what you mean as if you use a euphemism or just hint at it I'm really unlikely to notice.
After 40 years of not quite getting 'life' I was finally diagnosed with Asperger's last year. And was promptly sacked when I told my employer. (that's dealt with, amicably).
So now I'm back to square one with '...[he has] no valid excuse for his behaviour and actions other than being a bloody minded, stubborn hellion of a child who will find no place at this school or in society if he doesn't buck his ideas up very quickly indeed..." as one teacher so eloquently put it when I was 7.
It's too hot for a coat, I'll just go, then, shall I?
That disk failure can cause such a problem. Do you not make sure that your data is replicated across multiple storage devices/sites/tapes/whatever? You might call it backup, archiving or simply 'making a copy' but don't these people think in terms of full redundancy of complete datasets?
Yes, I know the bean counters don't like it, but isn't being laughed out of the business worse than spending the money to ensure you have a stable platform on which to offer your services?
I often think in cases like this it must be much more than a failed disk or 3.
At the end of line 10 and instead of it printing:
All in a single column you'd get a screenful of:
BOLLOCKS BOLLOCKS BOLLOCKS BOLLO
CKS BOLLOCKS BOLLOCKS BOLLOCKS B
OLLOCKS BOLLOCKS BOLLOCKS BOLLOC
KS BOLLOCKS BOLLOCKS BOLLOCKS BO
LLOCKS BOLLOCKS BOLLOCKS BOLLOCK
S BOLLOCKS BOLLOCKS BOLLOCKS BOL
(at least BBC Basic did and I think the Speccy was the same)
I'd guess two things factor in that. 1) Cost and 2) Licensing.
Running a bunch of caching servers and the associated storage 'locally' on their network will mean they have to pay for the kit, pay to put it somewhere, pay to power it and pay someone to keep it ticking over. Not a small undertaking.
As for licensing, I'm sure that there's some legal gubbins to be sorted out when copying and storing that much copyrighted (copywritten?) material. Virgin being a big telly provider may well have the legals sorted out in the same way they do for providing the 'live' BBC telly stream.
I understand that from a business perspective the exact reasons for the titsup may not be good to disclose. Companies automatically go into face-save mode and make statements and quote statistics proving how rare such things are etc.
The problem I see with that is the lack of information sharing. They use off the shelf products in a configuration probably quite similar to other people. If they were to say "Hey guys, we had X and Y in Z config but when X did A and Y did B then Z went pop!" then we all could learn about nasty gotchas.
Yes, I know the problems with that include, but are not limited to; Trade Secrets or maybe having a stupid setup you don't want to admit to.
Oh, OK. I'm just a dreamer who lives in a fantasy world of people helping each other out.
My wife's company and my friend's company. Also some users I know in continental Europe and South Africa.
Not that EVERY problem is necessarily related to the current issue bit I think it's quite widespread.
"Microsoft buys Skype and it all goes tits-up". Truth is it may have nothing to do with Microsoft at all, but it's what we're all thinking, isn't it?
...She wouldn't have laughed seeing someone else doing the same thing?
Anyway, she got up immediately and walked away as if nothing had happened. Why would security have to go and check on her? It's not as if they left her floating face down in the fountain for those 20 minutes. To me she was demonstrably OK, she showed no signs of distress, just mild embarrassment.
Why do people seem to be unable to take responsibility for their own actions?
Biting the hand that feeds IT © 1998–2020