* Posts by Trixr

619 publicly visible posts • joined 30 Jun 2009


Microsoft fixes the fix for the Windows Server 2019 NTLM problem


I'm positive they're relying on their Insider (whatever it's called) program in lieu of regression testing. I wonder how many orgs outside the US run the preview patches on their production kit, or have such an extensive test environment they can be sure to expose any issues (apparently not even in the US, given the original bug).

What strange beauty is this? Microsoft commits to two more non-subscription Office editions


Re: Trying To Stem The Tide Of Defections To LibreOffice

I found Scribus to be fine despite its horrible UI - at least it's not quite as horrible as classic GIMP. And you can import Publisher files in there without too much hassle.

Canva is also surprisingly OK, once you enable the option to view print bleed and realise the option to add crop marks is in the print dialogue.

Dave's not here, man. But this mind-blowingly huge server just, like, arrived


Re: So, he was just fired ?

I reported someone for kiddie porn on their office laptop in a slightly earlier time period - circa 2000 - and he was allowed to "retire", no cops invited. This was a senior partner at one of the "Magic Circle" law firms in London, but one must keep up appearances, don't you know, old chap?


Re: Jazz Cabbage

Oooh, that sounds nice, since I am one of those with the "coriander = tastes like stink bugs" genes

Curious tale of broken VPNs, the Year 2038, and certs that expired 100 years ago


Re: Bad NTP setup

If you're in a Windows domain, you should use Group Policy to ensure the current PDCE is configured with a reliable upstream NTP source, and a policy for the rest of the domain members to use the default domain hierarchy for Windows Time. That is, the non-PDCE domain controllers will sync with the PDCE and announce themselves as timesources, and the remaining domain clients will sync time with domain controller during auth.
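The domain time hierarchy described in that comment, as an added worked example (not the commenter's own script): the comment's advice is to set this through Group Policy, and the block below shows the equivalent local w32tm configuration for each role plus the checks that confirm the hierarchy is in effect. The upstream NTP host names are placeholders, and the ActiveDirectory RSAT module is assumed to be installed so that the PDC emulator can be looked up.

```powershell
# Added example: configure and verify the Windows Time hierarchy the comment describes.
# Run elevated. The peer list is an assumption; substitute your own reliable NTP sources.
# The 0x8 flag after each peer tells w32tm to poll it in client mode.
Import-Module ActiveDirectory

$pdce     = (Get-ADDomain).PDCEmulator
$upstream = 'ntp1.example.net,0x8 ntp2.example.net,0x8'   # placeholder upstream sources

if ($env:COMPUTERNAME -ieq ($pdce -split '\.')[0]) {
    # PDC emulator: take time from the external source and advertise as a reliable time source
    w32tm /config /manualpeerlist:"$upstream" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other domain member, other DCs included: follow the domain hierarchy
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync

# Verification: on the PDCE the source should be an upstream host, elsewhere a domain controller
w32tm /query /source
w32tm /query /status

# Offset of this machine against the PDCE in seconds; Kerberos rejects tickets
# beyond the default 300s skew, so anything approaching that needs attention
w32tm /stripchart /computer:$pdce /samples:3 /dataonly
```

If `w32tm /query /source` on a domain member reports `Local CMOS Clock` or `Free-running System Clock`, the machine is not participating in the hierarchy at all, which is the situation the comment warns about.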

Dumping us into ad tier of Prime Video when we paid for ad-free is 'unfair' – lawsuit


Whereas I'm in the opposite boat - in the antipodes, there's no such thing as "next day" shipping for Amazon Prime, not that I've ever bought anything from Amazon that would warrant it. I just want some TV shows and the occasional movie - including some of their originals. If they separated their streaming business from their marketplace, I'd be all for it, since I'm currently paying for a "benefit" I have no use for. I absolutely do not want the ads.

Meta says risk of account theft after phone number recycling isn't its problem to solve


Thanks Meta

I'm just glad my mother knows absolutely zilch re social networking, after some jumped-up little scrote at H*rv*y N*rm*n in NZ told her that it was "impossible" to transfer her phone number to a new phone he inveigled her into buying (despite local legislation mandating that it must be done on demand, free of charge). The first I heard about it was when she called me to tell me her number of over a decade had been changed.

She had enough hassle updating it with various govt entities - I hate to think of the effects if she'd been using it to sign onto internet-facing services.

Raspberry Pi Pico cracks BitLocker in under a minute


LUKS is available with most Linux distros and you can encrypt the disk during setup. Or later, of course - it'll work with passphrases, TPM chips, smart card etc. https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

dm-crypt is the underlying disk encryption kernel module that LUKS uses, and there are other methods/products for leveraging dm-crypt, including the very much now-deprecated TrueCrypt. VeraCrypt was originally a fork of TrueCrypt and is still maintained, but doesn't integrate with TPM and stores keys in RAM, so it doesn't operate in the same kind of way as Bitlocker.

If you use AI to teach you how to code, remember you still need to think for yourself


Nice use of creepy AI-generated tickler image

[see title]

YouTube video lag wrongly blamed on its ad-blocking animus


Re: Lucky you.

Maybe some extension you're using. I have a few dozen tabs open, typically, incl youtube videos, and have zero issues with hangs. Might be worth disabling all of them (although uBlock is definitely fine) and seeing if it's more stable.

Then again, I shut down my machine each night - call me old-fashioned, but a cold start cures a lot of woes still. I don't care about waiting a minute for it to boot up each day.

The 'nothing-happened' Y2K bug – how the IT industry worked overtime to save world's computers


Re: Late Updates

We took the decision - especially in those days of rare zero day exploits and no internet-facing Windows systems - to simply wait till well into the new year to apply 6a. I think it was end of Feb in the end. It helped we weren't experiencing any showstopping bugs that would have required us to apply it asap.

Since my entire IT career came about because I was hired to do sysadmin work while anyone with the slightest dev background was doing fixes in advance of the date, I have to say I've done pretty well out of Y2K too, lo these 26.5 years.

Windows Server 2022 patch is breaking apps for some users


Re: Registry editing

It still requires change control palaver in most enterprises - it's not like you can just jump into an operational server and tweak away without warning in larger environments.


Re: Using a browser vs browsing

While I totally agree with your main point - we have such products too with a web front-end - and I know this is a losing battle, but can we (soooo many techs) please say we "administer" our systems rather than "administrate"? The proper verb has been around for a very long time and is actually quicker to type/write.

Why do IT projects like the UK's scandal-hit Post Office Horizon end in disaster?


Re: Someone could write a book

That's positively ancient in IT terms. In fact, it almost predates my own IT career. Time for a vastly updated edition - the examples in the original are still sadly relevant, but could definitely be expanded upon with contemporary examples.


Yes, the problem wasn't that the software had flaws - it was that there was no apparent attempt to review its outputs when there were discrepancies, no right of review for staff fired purely because of a piece of software (maybe not apparent initially, but there should have been proper investigation of incomings and outgoings as part of the disciplinary/legal proceedings), the lack of coordination or records-keeping or whatever it is that would have identified a pattern in these events, the vendor misleading and covering up issues with the software, the PO executives doing the same. Even the lack of enquiry further up the chain - did the ministerial office think that firing 1000s of people for fraud over time made sense? Presumably people who'd be well-vetted prior to their being hired in these highly-trusted roles?

We can get this kind of thing happening with purportedly "well-managed" software - god help us when AI really gets its claws in. Of course there will be crap like this going on all the time right now - AI-driven or not - here's hoping the fuss raises some kind of awareness of creating software with results that can't be human-audited.

While we fire the boss, can you lock him out of the network?


Re: employee of the year

Yeah, that kind of narrative annoys me, because it's never so "impossible" to fire someone as is stated. It can certainly be a right royal pain in the ars3 with all the "counselling" and "training opportunities" and "performance plans" that might be required as evidence to get rid of someone. But a year of that is better than multiple years with a useless employee.

Also, that kind of attitude about its impossibility leads to the increasing reliance on so-called "contract" employees working permanent jobs, essentially. But at least you have the opportunity to get rid of them within 6 months/a year if they turn out to be useless. That just outsources the stress of employee management to the employee themselves. Fine if you like being a contractor and having the stress of renegotiating your employment at $interval, but I could personally do without it.

Employers could make more use of trial periods as well, But big companies love the leverage that workforce casualisation gives them, even if the quality goes down with the constant churn.

The Register's 2023 in gaming had one final boss: Baldur's Gate 3


Somehow missed the redone PC port of TLOA last year so I'll be glad to finally give it a run.

Thanks for the summary, nearly all games I'm interested in but haven't played, and it's reminded me I need to actually finish playing the first Subnautica!

New year, new bug – rivalry between devs led to a deep-code disaster


What a royal pr*ck of a colleague, though. No-one you work with should make you jump through those hoops, unless you're known to be completely incompetent. Especially something they could have replicated themselves with a test account in conjunction with your initial observations of the problem. Or maybe he was just lazy.

Thankfully I've only encountered one or two colleagues like that in my career. One demanded full logging of a particular problem to "prove" it was not our config (a simple SMTP delivery issue where the destination was rejecting our messages due to policy) - never heard anything else after I provided all 10GB of text message log files for that day.

Three Chinese balloons float near Taiwanese airbase


Nena has it covered

Ein und ein und ein Luftballons

Auf ihrem Weg zum Horizont...

NAT, ATM, decentralized search – and other outrageous opinions from the 1990s


Re: Year End Reminiscing

Products like Teams, Webex etc do in fact have a "preview" feature - it's a test channel you can call up and talk to, then it'll play back your recorded audio.

Superuser mostly helped IT, until a BSOD saw him invent a farcical fix


Having worked in a university in the late 90s, if a student had a "private network space", then it would have been backed up. While getting it out of Temp probably retrieved more of the doco's recent edits, calling on the student support helpdesk would probably have resulted in a restore from backup, at least from the previous night.

Women in IT are on a 283-year march to parity, BCS warns


That tracks with where I'm working now (and all my previous jobs, except one, where they retrained a secretarial pool as desktop support staff, who were great) - 3 of us out of a team of 60-odd in the ops areas. I think there may be one or two in the dev areas. A bunch more in servicedesk/level 1 support.

Microsoft floats bringing a text editor back to the CLI


You can still launch notepad.exe in Server Core. But I'd rather have Edit anyway, thanks very much.


It's painful not having one if you just want to remote into a server via WinRM and tickle a config or two. Sure, if SMB is open between the servers, you can do it in the GUI, but a 30 sec job turns into a 5 minute one.

Google Groups ditches links to Usenet, the OG social network


Re: Good

But they can spam enough to make it functionally useless - excepting the minuscule number of newsgroups that have active moderation.

Mozilla tells extension developers to get ready to finally go mobile


Re: What % of mobile users actually use Firefox?

Atlas Browser used to have that on Android - an excellent browser that sadly stopped being developed and is now obsolete. I still miss it. One-click disablement of Javascript from the main screen being a leading feature, along with the built-in adblock.

uBlock on FF Android is ok, as is the Crystal adblock on the Samsung browser, which I actually like too. However, only FF seems to still allow YouTube streaming with the screen locked.

One door opens, another one closes, and this one kills a mainframe



I don't know re Multics leftovers, but I am delighted to know the origins of "gecos", which has made it into the Active Directory user attribute set.

Fittingly, we use it as an alternate ID field where I work (pure serendipity for the choice on my part - it was unused on all 20K+ user accounts and is the appropriate data type).

I'll see your data loss and raise you a security policy violation


Re: Outlook...

...Until your file server runs out of work queues and silently grinds to a halt. It might be fine if you are in a relatively small org where it's just a few dozen employees that have PST files permanently open for write. Not great if you have 1000s accessing the same storage volumes.

Also, the way those things get corrupted if you just look at them sideways. No thanks.

Techie's quick cure for a curious conflict caused a huge headache


I am *currently* working in an organisation (also in Australia, ironically) where the default server build - deployed as the baseline on every server - included IIS until literally this year. I had kicked up a fuss about it for at least 2-3 years until I finally convinced the sec team to take an interest.

Of course, nothing has been done about the 100s of existing servers still running IIS services for no reason.

Microsoft promises it's made Teams less confusing and resource hungry


Re: An unpopular opinion

Discord is great. Not perfect, but way better than Teams. Unless you love "quick links" to stupid apps that you can easily reach via the taskbar or quick-launch anyway. And of course Teams is integrated into the Office apps - some people apparently like Sharepoint. I don't. If you want an actual messaging client, rather than a messaging bolt-on to SPO, that's where Discord is powerful.

Slack is good if it's extended with the tons of add-ons that are available. Remember, Teams' ethos was basically to copy Slack and slap it on top of Sharepoint + Skype/Lync and now jam in Yammer. Also, in Slack, message search actually works - you get the results AND you can click on a message and be taken to the actual position in the thread. Same with Discord, of course.


Re: Teams will be less like WhatsApp, more like Facebook

Yeah, they're trying to position it to shoehorn Yammer back in, that PoS.

The UI actually looks better to my eyes (the current one is just shite), and the search is somewhat more responsive.

BUT, there is still no convenient way to search your own messages (you still have to type "from: [your.full.email]", and even worse, you STILL can't click on a search result and be taken to the message position, if it's more than a couple of "pages" of messages away. Useless.

Just 22% of techies in UK aged 50 or older, says Chartered Institute for IT


And also how it's only been in relatively recent years that IT has broadened out so much in terms of specialities. A lot of people in their 50s and up would have gotten into the profession when you had four people (max) running the main university server farm, plus maybe a couple of people doing student support. Maybe one or two running per-department servers. Try doing that with fewer than several dozen staff now.

There really weren't that many jobs - I certainly didn't think of it as an option in my late teens/early 20s. People that did were heavily into maths, EE, or had a family member into computing. The whole focus of computing degrees was on programming or low-level hardware stuff.


Re: Less qualified?

Nope, I'm 54, and there was no such thing as an IT degree when I first started uni. There was "Computer Science" as part of the Mathematics department, but since I hadn't done any advanced maths at high school, it didn't even cross my mind.

I didn't get into IT until I got made redundant from my first career, late 90s. Still don't have an IT-related degree (some professional certifications, sure).

Exchange Online and Microsoft Teams went down in APAC because Microsoft broke itself


Re: "Legacy"

I am very very prepared to bet that it was something to do with basic auth, which they recently deprecated with extreme prejudice. If so, the irony is rich.


Co-signed. Exchange 2010 was fine, and 2016 was when everything you wanted in terms of HA and so on worked very nicely. I had more uptime over my 16 years managing Exchange on-prem than MSFT has managed to achieve for one calendar year in the APAC region.

I had one server stop delivering mail for about 6 hours - small region, about 10% of the user base (fixed with a stinking reboot, after exhausting every other troubleshooting option). And that is literally all, other than dodgy CUs, as you say.

Microsoft's attempts to harden Kerberos authentication broke it on Windows Servers


Re: Another brilliant demonstration of Borkzilla testing procedures

No, I'm sorry, Kerberos is a core technology in the AD stack. While MSFT making moves to tighten up their entire auth structure is commendable, it is only in the last year - in fact, since November last year - that they have released so many updates that have screwed up one or other component of AD auth (NTLM/Kerberos - LDAP stuff has been fine).

This is *entirely* due to whatever testing model they have implemented most recently, which I understand is essentially relying on the Insider program for "regression testing".

I expect some pain while we ensure that legacy accounts get remediated prior to force-deprecating RC4, and the documented staged approach to do that via these updates is fine. But you cannot break core services simply because you can't be bothered regression-testing - it is not a new concept, and nor is it an obsolete one.

AD security has always been highly complex and has undergone significant changes in the last 20 years, mostly without too much disruption. But this past year has been more like the mid-90s days of bad NT4 service packs. It's really not acceptable, unless you subscribe to the view that this is a deliberate ploy to force everyone into cloud, which frankly seems increasingly likely to me.

Of course, debacles like these mean that our clients are even more reluctant to do even basic timely updates, let alone migrate if it makes sense for their workloads (which, frankly, it doesn't always).


Re: Embrace ... Extend ...

Really. I don't see in the Kerberos v5 spec where it states the 300s clock skew is MS-specific: https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html. Also, like other OSes, the acceptable skew for Kerberos auth is customisable in Windows, down to 60s.

And I don't care what OS you're running; you're not configuring a Kerberos environment correctly if you're not using an NTP service to coordinate your system times. As MSFT doco specifically states should be done when setting up an AD environment, complete with a time service embedded into all Active Directory implementations that all clients will synchronise to by default.

Up until Win 6.3, the acceptable time drift on clients was not defined. In practice, it was up to a couple of seconds (you could install third-party higher-precision NTP clients). More recent versions of Windows allow you to specify max time drift from 1s down to 1ms (the latter with expected constraints - no more than 4 hops and 0.1ms network latency between client and stratum 4 or higher time source, avg daily CPU time <80%).

In any case, if you have Windows machines in a domain hierarchy getting time from VM hosts, you've done it wrong. I totally accept that Windows/AD is not perfect, but if you're going to snipe at it, at least get your facts correct.


Re: It's a part of Microsoft's Azure/Microsoft 365 only stance...

We didn't see any Azure-related errors in our environments - we got the known error Event ID 14 in System log on DCs that had been patched without the fix yet and a problem account:

"While processing an AS request for target service krbtgt, the account [ACCOUNT] did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 23 24 -135 3. The accounts available etypes : 23 18 17. Changing or resetting the password of [ACCOUNT] will generate a proper key."

This was a service account where the "This account supports AES-256 encryption" option had been set. So I unchecked the option on the account and made sure that msDS-SupportedEncryptionTypes was set to 0. That fixed the problem for that account while we applied fixes to the DCs.

If you're getting Event 42 errors, that needs the KRBTGT password to be reset: https://dirteam.com/sander/2022/11/09/knowledgebase-you-experience-errors-with-event-id-42-and-source-kdcsvc-on-domain-controllers/

And don't worry, I too feel like this is part of MSFT's ongoing campaign to stealth-deprecate on-prem AD, but I wish they'd just accept that in the real world, some of us don't want to put ALL our eggs in the cloud basket. Especially if you're running critical public infrastructure.

This kind of thing makes it more difficult for IT teams to convince the nervous that no, we DO need to apply security updates regularly, and yes, we DO need to update these 20-year-old systems before they fall over, since no-one is supporting either the hardware or OS.
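The diagnosis in that comment (Event ID 14 on a DC, an account with the AES flags set in msDS-SupportedEncryptionTypes) can be turned into a domain-wide audit. The following is an added example, not the commenter's script: it decodes the documented bit values of msDS-SupportedEncryptionTypes, lists every account that has the attribute set alongside its password age, and pulls the KDC events the comment refers to. It assumes the ActiveDirectory RSAT module, and the remediation line at the end uses a placeholder account name. The etype numbers in the quoted event (18, 17, 23) are the standard Kerberos identifiers for AES256, AES128 and RC4-HMAC.

```powershell
# Added example: audit msDS-SupportedEncryptionTypes and surface Kerberos KDC events.
Import-Module ActiveDirectory

# Bit values documented for msDS-SupportedEncryptionTypes
$etypeBits = [ordered]@{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }

function ConvertTo-EtypeNames {
    param([int]$Value)
    if (-not $Value) { return '(not set: DC default applies)' }
    ($etypeBits.GetEnumerator() | Where-Object { $Value -band $_.Key } | ForEach-Object Value) -join ','
}

# Every user or computer object with the attribute populated, oldest password first.
# An account advertising AES whose password predates AES-capable keys is the Event 14 case.
Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=computer))(msDS-SupportedEncryptionTypes=*))' `
    -Properties 'msDS-SupportedEncryptionTypes', pwdLastSet |
    Select-Object Name,
        @{ n = 'Etypes';          e = { ConvertTo-EtypeNames $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'PasswordLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } } |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# On a domain controller: the events the comment describes. ID 14 = no suitable key for
# the requested etypes; ID 42 = the krbtgt key problem that needs a KRBTGT password reset.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14, 42
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# The comment's stopgap for one account: clear the AES advertisement so the DC falls back
# to the keys the account actually has. The durable fix, per the event text itself, is to
# reset that account's password so an AES key is generated.
$account = 'svc-placeholder'   # placeholder; use the SAM account name from the event
Set-ADObject -Identity (Get-ADUser $account).DistinguishedName `
    -Replace @{ 'msDS-SupportedEncryptionTypes' = 0 } -WhatIf   # drop -WhatIf to apply
```

The `-WhatIf` is deliberate: in a change-controlled environment you want the list first and the attribute change as a separate, approved step.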


Re: Worse than failure

We don't patch production till 2 weeks after patch release, and I'm personally very glad for it. I had to push the fixes semi-manually through Dev/Test, but we've got them ready to go in our prod SCCM deployments.


Re: Word to the wise

Don't worry, my actual theory is they're screwing up these updates the same way they "systematically" screwed up Exchange CUs for years, so everyone pretty much gave up and went the EXO route.


Word to the wise

Also time to change your KRBTGT password (twice, after allowing replication time to all DCs or 10 hours to be safe (krb token expiry interval)) if it hasn't been done since Server 2008 DCs were introduced in the environment. Helpful hint: the WhenCreated date of the "Read-only Domain Controllers" group tells you when. Otherwise KRBTGT won't have AES crypto keys.

The domain needs to be at least the 2008 DFL first. The safest method is to use the New-KrbtgtKeys.ps1 script by Microsoft, available on Github, since it does a single-item replication to all DCs that finishes in seconds in our environment.

Any other accounts (i.e. service accounts) with passwords that haven't been changed since then need to be rotated too. Yes, I got an unfortunate surprise when I queried our domains for the number of active accounts in that boat.

The whole mission of these updates is to deprecate RC4, eventually. It'd be nice if MSFT didn't screw up any further updates, like they seem to have with every single Kerb/NTLM update since late last year.
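The two checks in that post, the WhenCreated date of the "Read-only Domain Controllers" group as the marker for when AES-capable keys became possible, and the count of active accounts whose passwords have not changed since, as an added example (not the commenter's own query). It assumes the ActiveDirectory RSAT module and only reports; rotating KRBTGT itself is left to the Microsoft script the comment names.

```powershell
# Added example: is KRBTGT (and are service accounts) older than the first 2008 DC?
Import-Module ActiveDirectory

$domain  = Get-ADDomain
# The RODC group is created when the first Server 2008 DC joins, hence the comment's hint
$cutoff  = (Get-ADGroup 'Read-only Domain Controllers' -Properties WhenCreated).WhenCreated
$krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet

[pscustomobject]@{
    DomainFunctionalLevel = $domain.DomainMode          # must be at least 2008 before rotating
    First2008DC           = $cutoff
    KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
    KrbtgtNeedsRotation   = ($krbtgt.PasswordLastSet -lt $cutoff)   # rotate twice, 10h+ apart
} | Format-List

# Enabled accounts whose password predates the cutoff: their Kerberos keys cannot include
# AES etypes, so they stay RC4-only until rotated. Service accounts are flagged via SPN.
$stale = Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } `
    -Properties PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } }

"{0} enabled accounts have not changed password since {1:d}" -f @($stale).Count, $cutoff
$stale | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts with `HasSPN` set are the ones most likely to be service accounts with passwords nobody has touched, which is the "unfortunate surprise" the comment mentions; they need an owner and a rotation plan before RC4 is force-deprecated.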

Job 1: Get the boss on the network. Job 2: Figure out why Job 1 broke the network for everyone else


Re: Banyan Vins network

I'll raise your mid-90s Vines with the fact I recently found a bunch of 2019 servers running the computer! browser! service in our AD. Some numpty had enabled SMB1 in the build, and by default, it enables Computer Browser. The legacy build procedure that disabled it was not applied to the newer boxes.

I noticed because I was idling through the SMB audit logs and found a load of servers yelling at each other for network browser elections.
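A quicker way to spot that situation than reading SMB audit logs, as an added example (not the commenter's own procedure): query every server for the SMB1 protocol setting, the SMB1 feature and the Computer Browser service state, then remediate the ones that have it on. It assumes the ActiveDirectory RSAT module on the admin workstation, WinRM reachable on the servers, and the ServerManager module (standard on Windows Server) on the targets.

```powershell
# Added example: find and fix servers still running SMB1 and the Computer Browser service.
Import-Module ActiveDirectory

$servers = Get-ADComputer -Filter { OperatingSystem -like 'Windows Server*' -and Enabled -eq $true } |
    ForEach-Object DNSHostName

$report = Invoke-Command -ComputerName $servers -ErrorAction Continue -ScriptBlock {
    $smb     = Get-SmbServerConfiguration
    $browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        SMB1Enabled  = $smb.EnableSMB1Protocol                   # protocol switched on?
        SMB1Feature  = (Get-WindowsFeature -Name FS-SMB1).Installed   # feature installed?
        BrowserState = if ($browser) { "$($browser.Status)/$($browser.StartType)" } else { 'absent' }
    }
}
$report | Sort-Object Computer | Format-Table Computer, SMB1Enabled, SMB1Feature, BrowserState -AutoSize

# Remediate: turn the protocol off now, stop and disable Browser, and remove the feature
# (the removal only completes after a reboot, so schedule it through change control).
$offenders = $report | Where-Object { $_.SMB1Enabled -or $_.SMB1Feature } | ForEach-Object Computer
if ($offenders) {
    Invoke-Command -ComputerName $offenders -ScriptBlock {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Stop-Service -Name Browser -ErrorAction SilentlyContinue
        Set-Service  -Name Browser -StartupType Disabled -ErrorAction SilentlyContinue
        Uninstall-WindowsFeature -Name FS-SMB1
    }
}
```

Because the Computer Browser service is installed with the SMB1 feature, a build that enables SMB1 brings browser elections back with it; removing the feature is what stops the problem returning on the next rebuild.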

Data loss prevention emergency tactic: keep your finger on the power button for the foreseeable future


Re: The "half click" and related moves

I'm old enough that I grew up with stones for a while, and I still need to mentally convert people's heights, but honestly, I barely know what stones equate to anymore (it's a bit over 6kg, fwiw). At least with pounds, you can divide by 2 and knock off 20%-ish for a rough idea.

The thing that really gets up my nose with Brits and their "revolutionary times measurements" snarks at the Americans is their insistence on imperial measurements for road distances!! It drove me nuts (literally) when I lived there, and all their feeble BS about it "costs too much" to change road signs etc is just that, BS. All their former colonies managed it in the 60s/70s. India, being a large country both in area and population, made the full metric transition in 5 years.

I'm sure the only reason car manufacturers aren't jumping up and down about having to provide speedos and odometers etc in miles is because of the American market enabling it. So really, the Brits should be grateful to them.

No, I will not pay the bill. Why? Because we pay you to fix things, not break them


So WHERE is anyone saying Christmas Day needs to be renamed? Where? Come on, where?

Not here; "holiday season" means all those end-of-year holidays, INCLUDING Christmas. Isn't inclusion nice and all?


Guy Fawkes Day?

This fake outrage about "holidays" not just being Christmas is just getting very, very, very tedious. I've worked more xmases than not, because neither I nor my family are Christians - we're "nothing at all".

"Holiday season" implies all the holidays around the end of the year, such as New Year's Day (even if you're so bigoted as to believe the other religious solstice-ish holidays don't "count"). It's disingenuous to pretend it doesn't - it's been common usage since before all this BS about "PC language" hit the Daily Fail and its like.

If you only count Xmas Day/Boxing Day as holidays - no "season" for you - and you don't take New Year's Day off, oh well, your loss.

RIP: Kathleen Booth, the inventor of assembly language


Oh no, this is sad news. I first heard about the Booths when I worked at Birkbeck College around the turn of the millennium, and they created a small but mighty computer science department there in the 1950s (to go with the small but mighty College).

As the only female sysadmin working there at the time and one of very few at the University of London in general, she was an inspirational figure. She built those early machines (with her colleagues), plus all those other achievements in programming.

Senior engineer reported to management for failing to fix a stapler


Anytime you interview at a company and they say, "we're all just like family here!", run for the hills.

Fixing an upside-down USB plug: A case of supporting the insupportable


Or when a tech in the UK removes the shrink-wrap from a replacement PSU freshly-shipped from the US (yes, I'm that old, basic parts were still sometimes manufactured there at the time) and installs it into the PC without checking the voltage switch is set to 240V. (And yes, it wasn't a nominal 230V at the time either.)

Poor guy was the first tech on site after the workplace had negotiated new kit from a large US-based vendor, with full hardware support. Previously we'd done "return to base" for the really gnarly faults in equipment supplied by the previous UK-based manufacturer. It probably didn't help there were at least four of us standing around observing the new support arrangement in operation.

To give us credit, none of us laughed out loud at the loud BANG! and resultant billow of Magic Smoke. I think one of us gently suggested the voltage switch as the probable root cause while he looked on in shock. Motherboard, CPU and memory plus PSU were duly replaced with no further excitement a day later, ISTR.


Re: Can't put my finger on it

*Citation needed.

Just because they put "socialist" in the name of the Nazi party, it didn't mean that they were considered to be socialist**.

**Although I'm sure some of the punters were sucked in initially because of the branding.

If someone weaponizes our robots, we'll be really, really sad, says Boston Dynamics


Re: Aren't Drones just simple robots ?

Yes, the message I was getting loud and strong was that "bad actors" is probably not going to apply to any country's duly-appointed military. Maybe not even to military forces engaged by the "right" nationstates - mercs, sorry, "contractors", are hired by various governments all the time.

And that wasn't the only prevaricating phrase in that statement.