Posts by The Original Steve

Re: FAIL $5 million for criminals

I agree with a lot of what you said, but trying to blame a vendor - mainly (based on your post) about the size of their patches - is the one thing I would disagree with.

A well designed architecture builds into the design that layers are not infaliable and can / will be compromised. This could be the fleshy bit behind the keyboard, an explot in the OS or an application, the network itself, something server/side, or even operations / processes (e.g. social engineering).

Security works best in tiers. Would I use Windows on a SCADA system. Sure, why not? Embedded Windows works fine, is easy to manage and can be just as secure as anything else given the right configuration. A poorly configured *BSD or Linux appliance will be more insecure than a well configured Windows device.

Personally I think the OS should be chosen based on compatibility, configuration management, support and total cost. If my team and suppliers only know Windows then shoving in another platform maybe "more secure" (in your opinion) out of the box, but as we wouldn't have the appropiate configuration management and monitoring tools nor the expertise and skills then over time it would almost certainly end up being less secure than a Windows based platform.

Air-gapping (doesn't even need to be literal, but severely limited network access such as totally seperate networking with network based security services, blocking all ports in/outbound, proxying), SIEM that's actually used, end user education, security reviews including pen-testing, well configured firewalls, IDPS, endpoint protection, extremely robust backup and DR processes (as with other posters, I'm still a big fan of using tape for critical workloads), MFA and good credential management policies / proceses, attack surface reduction, disk encryption, honeypots, web and email filtering, many small subnets as a security perimeter, physical security and.... patching.

I'm sure that if we could have our way, we would make it physically impossible for a single packet to get from anything into the SCADA network - but security is always a usability trade off. We can protest as much as we want, but pragmatically in this modern world it's unlikely we can have all the security we would want to have such as real air gapping - so as with so much in the security sphere we need to implement a comprehensive, tiered security and recovery strategy.

If you can only provide good security because of your OS choice I'm not sure I'd personally want to be hiring you for your security skills.

Re: Stop me from buying a car? Probably not.

Personally I find the following chip-based technology useful in my BMW 435d:

1. Heads up display

2. Sat Nav

3. Traction control

4. Stability control

5. Cruise control

6. Electric memory seats

7. Keyless start

8. Climate control

9. Tyre pressure monitor

10. Intelligent 4WD

That's without the more engine-based chippery benefits whcih help with economical driving. (E.g. computer based fuel injection, computer-driven gear selection based on driving mode and GPS location including upcoming road gradient, digital range display, coasting whilst driving with an automatic gearbox).

There's a lot of junk in modern cars, including my own (why would I want to display the news on the iDrive?), but there's also a lot of advanced features which may not make the car itself "better" in terms of getting from A to B, but it makes it safer, quicker, and far more comfortable and efficent compared to older vehicles.

Re: I did it Huawei

@AC

Totally agree. My Mate 20 Pro is out of contract as of last week after 2 years of solid service and I'm thinking of just going SIM free. Sincerely miss my Lumia 950 XL too.

Real shame about the P40 Pro being sans GMS, if only for a few key banking apps.

TalkTalk are dire (as most consumer ISP's tend to be) with their customer service, and of course their security (or lack of it) is what they are most famous for.

However, that's not to knock their network itself. I was a very happy customer of their FTTC product until their "mega hack" a few years back. I left out of principle rather than due to their network performance which I always found to be rather good for a LLU FTTC product.

Crap customer service, horrific security and an utter lack of respect for their customers - but personally (and from what I've seen / been told from other geeks who were using the same TT LLU FTTC service as me) the product itself was nearly as good as you could get.

Remember that pretty much every location in the UK has a ton of ISP's reselling BT Wholesale IPStream, and then most have a few LLU providers such as TalkTalk and Sky. For me, my choices in my market town are some resold BT IPStream service, Sky and TalkTalk (no VM here) in terms of companies with their own fibre plumbed into the phone exchange data racks.

Not interested in a BT Wholesale product, and TalkTalk were the cheapest at the time and during my 3 years or so of being a customer their network performance was quite frankly great. BT, TT and Sky all have awful customer service. Along with thousands others, I left TT purely due to their disregard of my personal data and I'm now a happy Sky customer. Whilst there's not much in it, I'd even go as far as to say that TT may even have a slight edge in terms of performance.

Re: Serious question - usability?

Agree with everything you've written - although I'm fairly sure Excel Online (inc O365 etc) allows for co-editing spreadsheets, at least to the workbook level (although not the individual cell if I recall).

Re: It's more than a SmartNIC

It does sound truly ground-breaking.

I mean, a processing unit that does compression for storage, encryption for networking, running virtualisation for compute.

Who knows, in 10 years they may even combine them into a single, super-chip. Maybe call it something more generic like a central processing unit?

/stop sarcasm && stop snark

Re: Why offices?

I'm sure I'm in the minority, but I really, really miss it.

I usually work from a client's site Mon - Thu, staying overnight 3 nights a week in hotels, WFH on a Friday. I miss the diversity, engaging face to face with clients and colleagues and I actually miss the commute believe it or not. Time to ramp up for work or to unwind before seeing SWMBO and the kids is something I sorely miss to be honest. Actually making time to listen to a podcast or a radio show just doesn't seem possible to me when working from home like I am currently - I'm only using my ears so it's the perfect driving / commute task to do. I can't bring myself to sit away from the family for an hour or two just to listen to the radio.

I recently joined an existing project that's been ongoing for over a year, and trying to get up to speed remotely has been a real struggle. The obvious social interactions such as a drink after work is one thing, but just spending 10 minutes by the water cooler / coffee machine / outside having a smoke can be surprisingly productive both directly and indirectly.

Think I probably had the best of both worlds as the nature of the role means it's very diverse anyway, so there's a lot of getting up to speed on the latest project and meeting new clients - both of which are made easier face to face. Combined with a very small commute to/from a hotel and working from home on a Friday does make me somewhat more bias that most I guess.

Re: Obvious

"2.7 million people isn’t that many for a country of 60 million"

It's 8.18% of the workforce based according to the ONS.

Source: https://www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/bulletins/uklabourmarket/march2020#employment

Re: Advertent FUD

I use both a water jug with a Britta filter and also a kettle (well, hot water dispenser) with a built in Britta filter. I do by 3rd party (Amazon own-brand) filters though as the cost is ridiculous for the branded ones.

I'm not clued up at a technical / chemical level, but I live in a very hard water area and find the use of the Britta filters soften the water dramatically which results in next to zero limescale in my kettle as well as removing unpalatable tastes and scents which is ideal for light teas.

I'd rather like it if I could filter the washing machine, dishwasher and shower, but that's purely to reduce the limescale and thus prolong the life of the goods. Although I believe dishwasher salt is mean to do that for me.

I wouldn't bother with a filter for the taste alone, but 6 years on the same kettle without needing to descale it at all is something of a miracle given I had to do it every few months pre-filter.

My other half moved to Scotland the end of last year near Dumfries. Every chip shop we've been to has had deep fried Mars bars on the menus, as well as haggis and even deep fried pizza.

Re: A historic day in every way.

There's been two referendums on our membership of what we now call the EU. One a couple of years after we joined, and the other in 2016. Basically a generation between them.

And 1.4 million people in a population (not electorate!) of 65 million is only a rounding error if you didn't like the result.

Finally, whilst the the British often demanded exceptions and different treatment / opt-outs (Euro, Shengan etc) we're famous for sticking to the rules that were agreed. Unlike certain other countries I can think of... The nation of queuers will stick to all rules no matter now ridiculous they may seem. Not sure why us attempting to negotiate opt-outs and exceptions when the rules are made is a bad thing in your eyes.

"It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?"

If you think you are safe from attacks, viruses and malware just because of a particular technology choice, then you're both sorely mistaken and I wouldn't be surprised if you've already been done over without knowing it.

Security isn't actually a technical issue per se, it's cultural. As posted above, a properly configured Windows Server is more secure than a poorly configured <insert OS of choice> server.

End user education, tiered security, least user access, well trained administrators and strong processes including the assumption you WILL be compromised (and thus have a strong, tested, offline backup) are SOME of the measures to help mitigate security issues.

Changing an OS is like changing the brand of car you drive. How you drive and maintenance of the vehicle make far more difference to how likely you'll be involved in a collision.

Re: DJI Database

DJI sell products that's literally detect all DJI products (and I think other 3rd party ones too) to airports and other government and related organisations.

DJI drones literally broadcast their location and serial number in real time which their AeroScope product picks up.

https://www.dji.com/uk/mobile/aeroscope

Re: Please not the old Southampton chestnut...

An interesting article which gives a good comment and counter argument.

Although I did raise an eyebrow at the way some facts were worded. Stating 70% of UK made cars are exported and half of those are sent to the EU somehow seems rather more alarming (given we're meant to be leaving the EU) compared to saying that less that 40% of UK made cars go to the continent. Personally if less that 50% to the EU markets then arguable would it not make more sense to be outside of it and take the hit whilst securing FTA's with the majority of the customers of the cars we make? Purely econmically speaking.

Although when going to the website home page it kind of lost it's credibility. 5 seconds on the home page suggests it's a counter to the rabid nonsense sprouted by the Daily Mail. Whilst that's not in itself a bad thing, it does somewhat water down decent articles like the one you linked too as it's clearly just as biased as the pro-Brexit lot.

Re: Who needs a vacuum cleaner on wheels with E 0.62 / L in the land of president Trump.

Couldn't care less about the HP - it's the speed and handling.I'd take a BMW M2 CS over your American motor any day of the week. That's faster 0-60 than your "most powerful car made in Fords history" and can take a corner too.

The CS model is also a bit cheaper, although I'd probably opt for the non-CS M2 Competition instead which is considerably cheaper and 0.5 seconds slower on paper.

Amazing you can honestly write on a public forum that American cars are somehow a better choice. Build quality alone is a different level, then handling. Sure, raw HP numbers the other side of pond wins hands down. Getting from A - B or on a track however and you'll be eating those numbers whilst suffering crappier build quality, worse handling and you'll be paying more for the privllage.

A very satisfied BMW 435D owner. (That's the bi-turbo, 6-cylinder, 4WD, diesel coupe)

Re: Depends if decent efforts at data security made by Morrisons

No ability to launch any executable other than the application required (SAP or similar) on a device without Internet access and someone from IT babysitting you whilst you are on the device.

Your move.

Re: It slows down considerably once you get to multi GB mail storage

Not disagreeing with your headline point about TB being less susceptible to corruption than Outlook.

But...

1. PST files are a PERSONAL export of mailbox content. Outlook uses an OST file as an offline cache, but it doesn't use PST files for anything unless you export content from your mailbox to a PST you create. PST's are really only a thing for end users to do their own, manual archiving and is not recommended in enterprise scenarios.

2. Exchange uses a relational DB for its mailbox store. A cut of what was the JET database. Last 4 or so releases of Exchange have been very reliable in terms of mail store.

3. As PST's aren't used, corruption claims don't apply. Should your OST become corrupt, simply delete it. Only your offline cache, it'll get automatically rebuilt.

4. Both Exchange on premise and Exchange Online have an archive feature, which essentially adds another mailbox for each user for archive purposes. Users can simply drag and drop content from primary to archive, or admins can create rules.

YMMV, and I wish you luck with TB, but personally I'd take Outlook as a heavy duty mail client in an enterprise over TV any day of the week.

Re: Any decent AV?

I replaced Kaspersky with Webroot across 70 clients, 4000 odd endpoints and everyone loved it.

Saying that, if you're on Windows 10 and not an MSP, I find Windows Defender managed with InTune to be excellent.

Re: No thanks

Putting to one side questioning my storage knowledge simply because I advocate using native OS for storage subsystems rather than expensive appliances, I take issue with the general point you raise.

Whilst you are right that SMB support on non-Windows devices is still (amazingly) bloody awful, if you don't mind me saying so it sounds as if you misunderstand Storage Spaces Direct (S2D). S2D is the storage subsystem, not the presentation layer. You can of course deploy scale out file servers that sit on top of your S2D to present SMB, but in this context and in the majority of deployments you use S2D as the storage subsystem for your VM's to reside on, not for the OS/apps inside of a Linux VM to connect to.

Therefore you can quite easily and happily use what MS now call "Azure Stack HCI" (S2D + Hyper-V) and run Linux VM's on top, with the VHDX files living on a ReFS S2D volume. Linux VM's wouldn't even need to have SAMBA installed.

I'd much, much rather use SMB 3.02 over iSCSI as it's demonstrably better performing, easier to setup and administer and better resilience. Feel free to search for references, but if you're stuck I'll point you in the right direction.

The only time your concern would be valid in my view is if you are running a heterogeneous environment where your hypervisor is Linux based and you were running S2D as your backend storage subsystem for your VM's, which would be nuts. Might as well use the equivalent of S2D on your Linux distro of choice, either converged or hyperconverged.

Of course let's not forget that you could use the above model (S2D storage and KVM / Xen for the hypervisor), and simply present the S2D storage via NFS which Windows Server fully supports. That might be a goer if you have separate storage and compute teams, but generally speaking if I'm using Windows or Linux for the hypervisor for ease of use I'd likely use the same OS type for the storage layer too.

I despise the overly complex way MS are handling Windows and the updates.

But my (possibly incorrect) understanding is that Windows is similar to Ubuntu as you describe. LTSC every 5 years (I think, maybe 3), for servers or you could go with the 6 monthly releases for the latest features. Regardless of which one, there's monthly security patches too.

LTSC is also available for the client too, although I know MS highly discourage use of it for normal desktop usage. (In the past at least Office literally wouldn't install if you were using LTSC on Windows 10 which is fucking mental, but since when were MS sensible in that regard?!)

Re: Lifetime warranty

Been a big fan of ProCurve switching for years and years. Must have deployed a few hundred of them across multiple clients.

I've found them to be very reliable, but I've called on their Lifetime warranty twice and both times had the same experience as you. Free, fast and hassle free.

Shame pretty much everything else HP/HPE is utter dog shite.

Actually found Edge (ducks for cover) to be very battery friendly and it allows for ad blockers. Can't remember what one I've used but can't recall the last time I saw an ad on my droid (in the browser at least).

Genuinely worth a go.

Re: Follow the money

Whilst these tools are good for the most common use case scenarios, there's often very many other scenarios that aren't covered. And if I need to remember to do my Exchange, Skype for Business, IIS servers with multiple and complex cert bindings and other servers, the piss easy vanilla IIS boxes are hardly any bother to add to the list.

Tools to renew certs are all well and good, but generally they only renew the cert in the OS cert store and maybe IIS binding too. They are the vanilla and super easy ones.

Not forgetting certs that aren't issued by public CA's and devices that don't use Linux and Windows such as iLO/iDRAC, routers/firewalls etc.

When I was the Infrastructure Architect at a MSP a year or so back where everything was Windows based for our clients (at least that was critical in terms of certs) I ensured that we raised an automated alert when a cert on a box has less than 2 weeks left before it expires.

Helped prevent certs expiring and also caught the lazy engineers who never deleted the expired one post-renewal too.

Re: Paranoid much

Say that to the Ashleigh Maddison users

Nailed the final episode about 20 mins ago (I'm in hotels most nights and I don't enjoy free labour) - outstanding I thought

Re: Queen of the Streams?

On an actress of a particularly niche, adult sub-genre...

Re: It also refers to its employees as "cpeeps".

I read it as creeps!

Re: Customer service?

You can do that yourself for half the price of one Audi-flip. Buy an ODBII connector from Amazon and the appropriate app.