Internal network management group who refuse to open an SSL port so we can upload some stinking files from internal windows host to a perimeter web server?
Just a random example that sprung to mind.
510 posts • joined 30 Jun 2009
I wonder how "unintentional" it was and how much it was due to a manufacturer trying to save a few cents per unit on an underspecced part.
It's amazing how even a top-class vendor like HP can _mistakenly_ misassemble enterprise-class servers that have been specified down to each part number.
Actually, I don't really think HP do such idiocies deliberately, but I wouldn't necessarily say the same about all points of their supply chain, or their resellers, or that of any major vendors. Smaller vendors, well, who knows. And in the past, things were often more dodgy.
Then you have outright major fraud, such as the huge problem that was uncovered with fake "certified" aircraft parts a number of years ago (which is still a lingering problem in the industry).
Yep, when we were first trialling site-based hardware support for Dells and sat there eyeballing the first poor tech that turned up to replace a PSU (still in the shipped-from-US packaging) and forgot to check the voltage selector switch, the big bang was a bang all right, but what made the fireworks was a very brief burst of flame.
Here's an experiment for you - stick a Windows VM (nothing installed beyond the OS and a decent Administrator password) on an internet-exposed network. Add a firewall rule that blocks everything except a whitelist of your control IP and the well-known address IP blocks for the Russian Federation - a list is here: https://lite.ip2location.com/russian-federation-ip-address-ranges. That whitelist should have an ALLOW ALL rule (all ports).
Make sure the machine is logging all connection attempts in the firewall logs. Have something running elsewhere that regularly scrapes/uploads that log (e.g. at 5 min intervals) so you can ensure that's not interfered with.
Then see how long it takes: a) for the machine to receive inbound network connections beyond ping, DNS, and if you're generous, http(s); b) until the machine is compromised and is running all kinds of interesting things. With any luck, you'll get a good selection of ripped TV shows/movies/music showing up in the file system.
Of course the more sophisticated hackers/malware purveyors will be running their stuff from some CDN and not the main RU IP blocks anyway. But if you can run it for a week without anything you didn't put there showing up or you're still having control of the machine, I'll be genuinely surprised. I'd be willing to bet Linux wouldn't last either.
Yep, Perl has Net::DNS. Allow your admin workstation IPs to do dynamic DNS registrations in bind, then use Net::DNS::Update to do 99% of what you need. Which is typically just adding or deleting the same old handful of RR types.
Since you're sending/receiving actual DNS packets on the protocol layer, you don't get syntax problems in your hosts file - a "bad" record simply won't get committed. If it's successful, you get a reply packet you can (should) check for. The zone gets incremented etc just like any other dynamic DNS registration.
Obviously you can write script wrappers to do your typical things, like do a bit of syntax-checking of the input. Or create a PTR every time you create an A record in [zone], as long as a PTR doesn't already exist. Or, if there is a PTR, display what's there, prompt for a change, etc etc. If you have a split-brain zone or multiple name servers, a script can update them all at the same time.
The rest of Net::DNS will do general DNS stuff like various RR queries (with a baked-in method of sorting multiple results if you choose, sensibly according to RR type or a custom sort), zone increment, zone transfer, and so on.
Saved my bacon from the late 90s up until less than a decade ago, when I stopped working with bind, across multiple orgs and countries. I think I directly edited a zone file less than half a dozen times (after configuring the environment so I could use my scripts) during that time.
One place in particular could take days to turn around DNS updates (very complex environment) and had errors on at least a monthly basis - with decent scripts, all those problems went away. Certainly no more "fat finger" incidents corrupting the zone files.
Incorrect records being added/deleted, well, you can't entirely fix the GIGO problem - but throwing errors if some idiot tried to enter an IP for an invalid range was certainly helpful.
So Mr Zoom Marketing says there is no evidence of a breach of confidential data, whereas Travers tested 170 records and had an 80% strike rate.
So were those particular records disclosed as being tested to Zoom Marketing and is the plonker excluding them in his report of "no breach"? Because if it were me, I would be very careful to state, "Other than the 136 records accessed by Travers between $DateTimeA and $DateTimeB, we found no evidence of any other PII breach via this route."
Because if the specific records weren't disclosed, they didn't do a very good job of reviewing their logs (assuming they had them).
It's not just Lion, there's a whole raft of govt agencies - local and federal - and businesses that are being targeted in Oz at the moment.
And yes, none of the methods are particularly sophisticated, but they're getting in via unpatched SharePoint, IIS, and Telerik products as well as spearphishing emails.
All agreed. I actually like Teams better than Skype slightly, because I never liked Skype that much, but all those complaints you have are the same as mine.
Other than the window chrome being in line with the more "modern" apps (whatever you call them), but I wish they'd settle down on that front as well.
Yeah, we don't let any old Tom Dick and Harry create their own teams either - because if it's open slather, you get a whole bunch of crappy little teams people use for 2 days, then abandon. Then we need to spend significant time/expense tracking the owners down and ask them if they still want their crappy data.
And of course they can add random people as members, and I can tell you that people get pretty shitty when they start getting pinged with random crap.
Or, if you're wanting to allow "agility" in more open environments, fine, you want nice short expiry times, like 3 months. The owner gets a nag to see if they're still using it. If no reply, then off it goes.
A hybrid approach is creating a group of people who can set up teams ad-hoc, e.g. managers.
As for adding externals as guests, how good are your controls re information segregation? Do you know how many have .gov.uk identities? Many 100s of thousands. What happens when some numpty decides to "share" highly private patient information with some inspector at the MOT? If you're operating in a regulatory environment, you need to be very careful about what you're able to share and with whom. It's not your family shopping list or gaming mates' bitching channel.
And guess what, not many public sector enterprises, have the funding to do proper analysis and configuration of this stuff. Easiest just to lock it all down.
It should be locked down by default first, the analysis done, governance and controls in place, THEN you can allow info sharing with the appropriate constraints. If you want to just do chat, fine, but someone has to set up the policies and ensure stuff can't leak easily. Therefore $$$. Esp when you use a 3rd party tool like Avepoint to help with the governance part - that costs as well.
If "everything in *nix is a file", I don't know how you can say it's "pretty much useless". I can think of plenty of ways to operate a mail/dns/web server using PS as it is on Linux.
But honestly, don't use it if you're a pure *nix admin. It's fine, no use for you? Don't use it. If anyone builds a distro that has it baked in, don't use that distro. It's not hard.
Shame that his later years were somewhat less sparkling regarding his confusing and well-promoted views on climate change - a classic example of poorly informed opinions co-opted by those whose agendas the confusion supported.
But it still doesn't overshadow the amazing contributions he made to mathematics and physics for many decades.
Same re PVE vs PVP. I simply don't have the time to spend to skill up on being any good at PVP, unlike dudebros who can spend 10+ hrs a day just playing games. I have that problem with multiplayer in general, to be honest.
Also, for a game that is about "realism" and survival, sitting in a nest all day long and sniping everything in sight is unrealistic, unless you're a sociopath. There's no way people will survive that kind of scenario without teaming up and not shooting possible allies/trading partners on sight. I'd think more of this kind of PVP if there were debuffs for killing players who have showed no threat to you. (Maybe this game has that kind of system - this article is the first I've heard of the game.)
If you only suffer from mild eyerolls at the mid-90s cyberpunk flourishes ("the hacker tourist"), Neal Stephenson's article at Wired (when Wired was still publishing good longform stuff) is still the best on undersea cables: https://www.wired.com/1996/12/ffglass/
1. I think you missed the word *require* in that statement, which is borne out in the original "request".
2. The request also specifies "men" and "women", and some people don't feel they're either.
(TBF, if I was NB, I'd be fine with that and just rock up in whatever. "Sorry, boss, the memo just specified boys and girls".)
3. If you're a woman, apparently you have to wear a skirt. A short one. I don't even OWN a skirt and haven't for, oh, 40 years.
Re your statements specifically:
4. Women are nerds too, but apparently not in your taxonomy. I'm not sure what us nerds who aren't red-blooded men actually are, please explain. (Actually, please don't.)
5. Also, are gay men "red-blooded men"? I'm sure pretty much all of them are, actually. Or perhaps they all have anemia from looking at insufficient numbers of sexy women. Perhaps someone should reveal this scientific insight to the world.
7. I don't look at my colleagues as sexy anythings (unless we are actually in a relationship outside of work), but maybe "sexy women" don't count as colleagues?
8. I'm sure I won't qualify as a "sexy" woman on your scale, but if I did for any of my colleagues, if they didn't leave off the staring very frigging fast, well, they wouldn't be feeling very red-blooded "male" either for a while after that. Since, you know, I'd be there for the event, not someone's leering eye candy. (Since we've already determined women aren't nerds, I wouldn't be worried about any leering from them.)
9. Finally, I like looking at sexy women too. (Not at work events.) So am I a "red-blooded male" after all and allowed to wear trousers?
Obviously spoken as someone who has no idea of how to secure a modern Windows OS on a server. No, it's not perfect, but no OS is.
In terms of assumptions about Windows, the most harmful one is that "it's simple" and "anyone can manage it". Well, anyone actually can't in an enterprise, securely, but when bosses insist on paying for new graduates rather than people with actual experience and preferably proper security experts to come up with proper hardening practices, and NOT paying for the remediation that needs to happen to deal with the stupid insecure practices they've been perpetuating for many years that MSFT themselves have often been deprecating for literally decades... Not to mention fellow techs who whinge about not getting domain admin or other global and highly-privileged rights when they don't actually need them.
Which, by the way, many *nix-based vendors have perpetuated - how many SAN or printer or xyz manufacturers have SMB1-only baked into their firmwares until recently (or still)? One large printer manufacturer I dealt with literally only began supporting SMB2+ in a firmware release 2 years ago. It's been deprecated for over a decade. Yes, businesses do in fact buy printers for "scan to network" features, and yes, they will choose devices that offer that vs those that don't.
Not to mention the vendors who also perpetuate the problems by saying that the current version of their product will only be supported on SQL 2008, for example, because it hasn't been "validated" on a newer SQL version. In the instances they want a crappy old version of SQL, it's because the product itself has been written to use some horrible insecure "sa" logon or something similar. Try telling a hospital they can't use the software that runs their MRI. Or tell a public health service they have to spend multi-millions on an upgrade once the vendor finally gets around to updating their garbage, ahem, software. Which often entails a significant version jump and expense and risk since no-one's done such a thing since it's been installed, and it can't be handled by the usual support staff (at least not without a lot of testing and training, and perhaps training the users, if the version upgrade has also bundled in significant UI changes etc etc etc etc).
Then you have vendors saying their software requires domain admin rights - thank you, Commvault - and many other similar idiocies, because they can get away with it, and there are not sufficient numbers of people with the expertise to question these blanket statements. I wish MSFT would slap down these "partner" software vendors and make them provide better information to their customers.
That's exactly the reason. It's even - gasp! - irony. Like "they couldn't care less" so much that they couldn't be bothered with the "-n't".
People criticising slang idioms in different versions of English is tedious in the extreme. FWIW, Americans use both, and there are plenty of Americans who also criticise the "could care less" version among their own. Again, slang, who cares?
If you see it in formal writing, sure, get up on your hind legs then (but make sure it's not a perfectly acceptable variation in their English first).
I'm far from puritan, but some dude grabbing my arse would find his balls up around my ears. And it was the case back then too, actually, except that women were mostly expected to put up with it, or get hubby to defend his property.
At best, you hear most women of that era say "you put up with it". It's a vanishingly small number who enjoyed it. And even then, what you enjoy from someone you actually find attractive vs someone you don't can be quite different.
As for reputation, maybe he had that reputation among men in his social circle, and the women he targeted, but it's really unlikely that women in general would have been in on the loop unless they were very close to it. Your random female fan in those relatively sheltered days would probably not be expecting the famous author Dr Asimov to be playing grab-arse with them.
I was a PFY at one place and found that the grizzled old walrus-moustached network guys were editing BIND zone files manually on multiple servers in a very complex environment with multiple zones combined with an AD environment, and a split namespace for internal and external-facing hosts.
There were a LOT of typos and errors due to the manual process - forgetting to increment the zone file serial number, forgetting a reverse entry for new host records, forgetting to restart bind after a change, never running named-checkzone and introducing syntax errors, etc etc, some of which affected the AD domain that was using BIND as its forwarders.
In my previous job, I'd created a suite of Perl scripts to manage named/bind, and passed these on in the new job after one too many screw-ups. The heavy lifting was done by configuring Bind to allow dynamic updates to the zones from specified hosts/admin workstations, and then mostly using Net::DNS::Update to add standard record types in an easy interface. Under the hood, the "add-rr" script would send any updates to all the required zone masters and create PTRs (for A records) etc without manual intervention. Other scripts did some basic maintenance tasks by typing a couple of words.
Obviously the scripts were thoroughly vetted and kept simple and crystal clear as to their function. Lots of comments to indicate where to add details for new name servers etc in the event of any infrastructure changes. Since 90% of the job was adding A, PTR and CNAMEs (and other basic RRs like SRVs and MXes from time to time), the scripts stopped nearly all the "fat-finger" incidents - all that had been really needed was to ensure consistency.
Cut to last year, when I heard from a former colleague that these scripts - customised for the environment in 2005 - are still in use today, through multiple name server refreshes. Very flattering.
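The "add-rr" workflow described in this post and in the earlier Net::DNS post (input checks, an A record plus its PTR, a prerequisite so an existing PTR is never overwritten, and the update sent to every zone master) as an added example; this is constructed illustration code, not the poster's scripts. The zone names, master addresses and the TSIG key name/secret are placeholders.

```perl
#!/usr/bin/perl
# add-a-with-ptr.pl: add an A record and its matching PTR via RFC 2136 dynamic
# update, sending to every zone master. Constructed example; the zones, master
# addresses and TSIG key below are placeholders, not taken from the post.
use strict;
use warnings;
use Net::DNS;

my @MASTERS  = qw(192.0.2.53 192.0.2.54);   # every zone master (assumed)
my $FWD_ZONE = 'example.com';
my $REV_ZONE = '2.0.192.in-addr.arpa';      # reverse zone for 192.0.2.0/24
my $TTL      = 3600;
my ($TSIG_NAME, $TSIG_KEY) = ('admin-key', 'PLACEHOLDER_BASE64_SECRET');

my ($host, $ip) = @ARGV;
die "usage: $0 <hostname> <ipv4-address>\n"
    unless defined $host && defined $ip;

# Basic syntax checks so "fat finger" input never reaches the name servers.
die "bad hostname '$host'\n"
    unless $host =~ /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
my @oct = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
    or die "bad IPv4 address '$ip'\n";
die "octet out of range in '$ip'\n" if grep { $_ > 255 } @oct;
# Site policy check (assumed): this script only manages 192.0.2.0/24.
die "$ip is outside the managed range 192.0.2.0/24\n"
    unless "$oct[0].$oct[1].$oct[2]" eq '192.0.2';

my $fqdn = "$host.$FWD_ZONE.";
my $ptr  = join('.', reverse @oct) . '.in-addr.arpa.';

# Forward update: prerequisite that the name has no A record yet, then add it.
my $fwd = Net::DNS::Update->new($FWD_ZONE, 'IN');
$fwd->push(prerequisite => nxrrset("$fqdn A"));
$fwd->push(update       => rr_add("$fqdn $TTL A $ip"));

# Reverse update: the PTR is only created if none exists for that address.
my $rev = Net::DNS::Update->new($REV_ZONE, 'IN');
$rev->push(prerequisite => nxrrset("$ptr PTR"));
$rev->push(update       => rr_add("$ptr $TTL PTR $fqdn"));

# Send one update packet to each master and check the reply rcode. NOERROR
# means the server committed the change (and bumped the zone serial itself);
# YXRRSET means the prerequisite failed, i.e. the record already exists.
sub send_to_masters {
    my ($msg, $what) = @_;
    $msg->sign_tsig($TSIG_NAME, $TSIG_KEY);
    for my $master (@MASTERS) {
        my $res   = Net::DNS::Resolver->new(nameservers => [$master]);
        my $reply = $res->send($msg);
        die "no reply for $what from $master: ", $res->errorstring, "\n"
            unless $reply;
        my $rcode = $reply->header->rcode;
        if ($rcode eq 'YXRRSET') {
            warn "$what already exists on $master, left unchanged\n";
            next;
        }
        die "$what rejected by $master with $rcode\n" unless $rcode eq 'NOERROR';
        print "committed $what on $master\n";
    }
}

send_to_masters($fwd, "A $fqdn -> $ip");
send_to_masters($rev, "PTR $ptr -> $fqdn");
```

The BIND side needs an allow-update (or update-policy) clause on each zone that admits the admin workstations and the TSIG key; without it every update is refused with REFUSED and nothing is written.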
Eh, I haven't played a game in the last decade on PC that wasn't perfectly playable out of the box in decent quality. What I generally *prefer* to do is tweak the settings up from their defaults. Such as, for some reason, FarCry 5 starting up in 1600×900 and everything on "medium".
So if you created your OS structure like LDAP (including its API), you satisfy exactly that kind of "richer abstraction". Your hierarchy, a well-defined location for everything, and, with the objects and their classes, various attributes that define the methods used for accessing them.
LDAP isn't a file system, obviously, it's a protocol. I can certainly imagine a low level OS protocol that acts as the "directory" for all the other OS protocols. I mean, they specifically reference EHCI for USB devices.
And for everyone bleating on that they're saying this OS will be "fileless", I don't know where they're getting that from. It wasn't implied. It said that file system methods would not be used to access system resources unless they are of type "file".
Not to be *that* person, but this is the wording in the piece:
" The wearing of glasses (or indeed hats, false moustaches or Ziggy Stardust makeup) in passport photos is forbidden and so the recognition systems struggle if you fail to remove them during checks."
So, as written, it's not correct.
But yes, of course, if you have your pic taken with or without glasses and then present yourself to the scanners in the opposite state, they will struggle.
(I've just realised I've recently got myself very different frames to the specs I was wearing in my last passport photos, and now I'm kicking myself.)
If you think people make purchasing choices solely on price/fitness for purpose, you should become an economist, because that is precisely the kool-aid they like to drink.
Yes, for many of us, those criteria are indeed the most important.
For others, it's only price, or only features (you will pay whatever it takes), or the logo on it, or because some vacuous celeb endorsed it, or your football team gets their kit off them, or it was the last ad you saw on TV....
Refusing to buy goods on ethical grounds has been around since boycotts and picket lines were invented, so let's not pretend it's anything new.
Yes, as a queer person, I would rather do without than pay money to COMPANIES who use their profits to contribute to organisations or political campaigns that "don't believe" in my equal rights. For the individuals who work at those companies, I don't care what they do with their money, although some people are so loathsome I don't particularly want to contribute to their personal income either (Larry*cough*Ellison).
For some goods/services, there may literally be no alternative, although I can't see that happening very often. So infrequently, actually, that your false dichotomy was instantly eye-roll-inducing.
If there aren't any ethical criteria you care about, fine, buy what the hell you like. If you choose to publicise what you buy and if it is indeed distasteful - toothpicks made from Amazonian rainforest timber or whatever - then sure, be prepared to be criticised for it. But if you legitimately don't care what "snowflakes" think of your purchasing choices, why would such criticism bother you?
But let's not pretend that any of us are public figures - if I knew you personally, I might well judge you, but again, so what? The judgements would be flowing both ways in that instance and would have zero impact on your life.
And yes, the judgements do flow both ways. We've just had a sports star bleating on about how the massive fires in Australia are the "fault" of us dirty queers. That's been going on a lot longer than a bit of wondering about why people choose to fund organisations that actively disparage whole sectors of the population.
An anonymous micropayment system is a good idea, but I'd rather be able to choose which sites I'd be making payment to, and it not be based on cryptocurrencies (because a lot of people I'd want to pay wouldn't want to use a casino-like function like a cryptocurrency, and nor do I).
Something you can fund with cash-purchased vouchers and/or directly via credit card/Paypal and/or your cryptocurrency stuff would be the best of all worlds.
Especially where the backend could rate-limit and apply an upper threshold to the quantity and size of payments to any individual recipient or in toto in any 24-hr period to avoid money laundering etc.
...and you don't think that a mega-slab won't be one of the offerings in this kind of product line in due course?
I mean, as a manufacturer, you'd be pretty stupid making your first release a huge piece of kit that already has somewhat less of a customer base and significantly more hardware expense.
I want a folding tablet too one day, but this looks like a good start.
Also, anyone who thinks cloud is always cheaper for provisioning steady-state infrastructure is an utter moron. Scale-out and dynamic loads, maybe, depending on if you do your sums and plan it properly.
Otherwise, if you don't have the capacity/real estate to locate your servers on-site, renting space in a bit-barn near your premises is generally much more cost-effective.
Yeah, I wouldn't want your Windows XP box on my network, frankly. But having a crossover cable or switch between the equipment and the XP box, and a similar link between the XP box and the rest of the network, firewalled to only permit outbound port 21 or (preferably) 22. And maybe a little SSH script on the XP box to upload data using Putty to a destination share... Naturally, the XP machine wouldn't be domain-joined and would need a local account for logging on (if you bother with an account), but for something that is literally used to extract data from some equipment, who cares?
Or, if you've got someone bright enough to write a HID emulator and use a more secure OS to talk to your equipment, great! One less unsupported malware vector on the network.
A bunch of silicon transistors and traces of metal wrapped in plastic are not exactly "hard" in the same sense as a chunk of aluminium or glass coated in iron oxide, if you choose to ignore the well-established conventions for referring to these things.
Me, I simply stick to "storage" when describing that component.
Someone changed the MOTD on the VMS mid-90s-ish to something "cheeky" re the CEO (not obscene, salacious or abusive, from what I understand) and it turned out that he did not have a sense of humour about it. The 4 staff members who could have done it were interviewed, at length, but they held ranks and no-one fessed up. So in the end, none were fired, and to this day, no-one official knows who it was.
This was retold to me more than a decade later as a tale about the sadly-departed CEO - I can't recall the message as it seemed relatively innocuous to me. And it would not have been visible to members of the public. Honestly, anything beyond a bit of "career counselling" to the 20-something-year-old guys at the time and perhaps an email to all staff saying the thing wasn't appropriate and "steps have been taken" would have been more than enough. Most of the staff were engineering or technical and they would have gotten a good laugh out of it, I'm sure.
I detest SAP and all its works, but in that instance, some numpty doesn't know about multiple unit items. It's not even rocket science to set it up.
Definitely an ID10T error for the systems integrator there rather than the actual product (for a change).
Ah yes, I worked for a REinsurer's company up the road from the Lloyds building in the City around the turn of the millennium and mentioned to the Finance Director that we needed a new server to migrate file shares to as the main workhorse was running out of space. Our total server fleet was 4 x 5U HPs and something else (maybe a Dell), and the Wang that did all the financials.
Cut to around 3 weeks later, when an entire rack of 6 IBM-badged servers in deep charcoal shades that would admirably suit Hotblack Desiato's decor is wheeled into the server room.
I go to the boss and say "so what are these for?" New fancy database? Some clustered app?
"Oh," he says. "I was chatting to the IBM rep and he said we could get a deal on all 6 plus the rack. I thought it'd be nice if all the servers matched. You can migrate everything onto those - there should be enough room now for the extra storage."
I don't recall what the "deal" was but I do recall it was multiples of my annual pay at the time. Given the ridiculously overspecced nature of the new units, we could have migrated the contents of the current 4 servers and provisioned the extra capacity we needed onto precisely two of the Black Beasts.
Since I'd been hired as a contractor in the first place to effectively play "telephone" between the IT manager and the lead tech (1), I should not have been surprised that throwing money away on matching boxes was not even worthy of comment. If anyone was wondering why their insurance premiums jumped circa 1999, there you go.
(1) Said lead tech was vastly more experienced than me, but he and the IT manager literally did not speak to each other. IT manager had been chucked in the deep end knowing very little about IT ops, but was willing to authorise work if you explained things in teeny-tiny words. Lead tech had had the shits with thick-headed manager and was basically on a "work-to-rule" system, but was happy to load me up with the donkey work. I was hired "because" I had an MCSE (whoopdedoo) and he, having loads of experience, hadn't bothered. But as I say, my job was really to ask him what needed to be done and then butter up the manager for authorisation. Lead tech had also been overloaded with grunt work, and I was happy to help him out (I knew I needed training!), say things like "wow, I really like the way you set up blah blah, that's so nice to manage compared to the usual way" and listen to his fulsome rants about the Hammers every Monday morning. So everyone was content.
Biting the hand that feeds IT © 1998–2021