* Posts by Diginerd

52 publicly visible posts • joined 10 Aug 2011


Das blinkenlights are back thanks to RPi revival of the PDP-11

Diginerd

Re: How noisy are the cooling fans?

Slide rules & log tables...

Having both and knowing how to use them should be mandatory - they still work when there’s no power or internet.

Not sure if that’s why the VMS admin (yes, still a thing!) at my old workplace had a 6’ slide rule in his office marked up with a label “Emergency backup CPU”, but it’ll still be usable long after everything else is landfill.

Domain name sellers rub ICANN's face in sticky mess of Europe's GDPR

Diginerd

Re: How about Companies House?

@adam52 It’s (a bit) trickier than that...

Here’s the guidance we got (of course I would recommend you call the ICO’s anonymous info line to confirm this - be prepared for about an hour on hold, but they’re on the ball when you speak to someone).

Anyway..

To comply with the law and the data subject’s right to be forgotten you can’t simply store the deletion request as the request itself contains their PI...

Basically you need to store the GUID/Key value that points to the deleted PI on a “list of forgotten entries”

Should the database be restored from backup, run a job that checks that list and deletes any matches in the restored data.

There’s other gotchas surrounding confirming the validity of the request in the first place (make sure you confirm who they are, as inappropriate LOSS of a data subject’s data is ALSO a violation)

TL;DR. Yes. Yes it is.

PS make sure you scrub ALL your databases - dev test too.
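The tombstone-list procedure in the post above (keep only the key of the erased record, then reconcile any restored backup against that list), as an added example that is not part of the original comment. The in-memory store, the record layout and the sample data are constructed for illustration; the point it shows is that the forgotten list holds keys only and must live outside the database that gets restored, or the restore wipes the list along with the records.

```python
"""Right-to-be-forgotten tombstones: erase a record, keep only its key,
and reconcile after a backup restore. Added example; store layout and
sample data are assumptions, not the poster's system."""
from dataclasses import dataclass, field


@dataclass
class Store:
    # Live records: key -> personal data (PI).
    records: dict
    # Forgotten list: keys ONLY. Kept outside the database backups so a
    # restore cannot bring the list back to an older, shorter state.
    forgotten: set = field(default_factory=set)


def erase_subject(store: Store, key: str) -> None:
    """Honour a deletion request: drop the PI, remember only the key."""
    if key not in store.records:
        raise KeyError(f"no record for {key}")
    del store.records[key]
    store.forgotten.add(key)  # no name, e-mail or request text stored here


def reconcile(store: Store) -> list:
    """Delete every live record whose key is on the forgotten list.
    Returns the keys that were removed (for the audit log, keys only)."""
    removed = sorted(k for k in store.forgotten if k in store.records)
    for k in removed:
        del store.records[k]
    return removed


def restore_from_backup(store: Store, backup: dict) -> list:
    """Replace the live records with a backup snapshot, then reconcile.
    The forgotten set is deliberately untouched by the restore."""
    store.records = dict(backup)
    return reconcile(store)


def forgotten_list_is_clean(store: Store) -> bool:
    """Check that the tombstone list carries keys and nothing else."""
    return all(isinstance(k, str) and k not in ("", None) for k in store.forgotten)


def demo() -> dict:
    # Constructed sample data.
    store = Store(records={
        "guid-0001": {"name": "A. Subject", "email": "a@example.invalid"},
        "guid-0002": {"name": "B. Subject", "email": "b@example.invalid"},
    })
    backup = dict(store.records)              # nightly backup taken BEFORE the request
    erase_subject(store, "guid-0001")         # deletion request arrives
    removed = restore_from_backup(store, backup)  # disaster: restore from backup
    return {"live_keys": sorted(store.records), "removed": removed,
            "clean": forgotten_list_is_clean(store)}


if __name__ == "__main__":
    print(demo())
```

Run the same `reconcile` job against every database that was restored, dev and test copies included, since a tombstone only protects the stores it is applied to.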

Linus Torvalds on security: 'Do no harm, don't break users'

Diginerd

RFC1925 Truth #1 Applies here

1) It must work.

...

Everything else is secondary.

There are no new Security Considerations created by RFC1925*.

However, it does make the point that the Fundamental Truths also apply to Security...

- A system evolves to become what its users deserve, and that's seldom the one they want.

*Recommend you go dig it up if you're not familiar with it. Clearly many folks aren't.

Cisco patches switch hijacking hole – the one exploited by the CIA

Diginerd

Re: Yes, sadly

V3 if you must....

Red alert! Intel patches remote execution hole that's been hidden in chips since 2010

Diginerd

Re: What does this vulnerability actually enable?

Yes. *Blush*

/muttersdarkly about stupid dyslexiz.

Ty for catch

Diginerd

Re: What does this vulnerability actually enable?

Look up "impi" for related server carnage.

Lots of work already done on this general topic.

Various KEYWORDs and info about capabilities publicly available too.

TL;DR the rabbit hole is very deep and it's going to be a problem for a long time.

Diginerd

Re: Presumably,

Yes.

See Atwood's law.

Diginerd

Active Network Defense for this...

Worked on this threat a few years back.

If you've got Cisco switches and don't use AMT it's pretty easy to defend against the "off box" vector (and other similar nasties) by using a VACL.

That way traffic is blocked before it can traverse to another port in the same VLAN. Applying a regular router/firewall packet filter ACL won't prevent an attacker pivoting through a compromised host on your LAN (hint: look at your edge devices too ;).

On the other hand switch based VACLs will drop attack traffic in hardware (no performance impact).

<rant>

For all the head in the sand folks - how secure are your printers, edge devices (cheesy botnet infected junk?) and security cameras? Are you sure you know EVERY device on EVERY port at ALL times?

Hopefully this gets more publicised and the PHBs start to realize that checking off "PCs have all OS patches" and "Firewalls are audited" hasn't been a comprehensive security strategy for decades.

</rant>

Storage startup detaches field sales force from its nexus

Diginerd

Pretty decent product...

...great support too.

Bad news is it gets "speedy" past the lower tiers.

Worth a look though, nice management/performance for smb / home lab.

Hope they survive.

Crims in £160m broadband scam facing 44 years of porridge

Diginerd

Literal Prisoner's Dilemma

P,P,P,P

Just remember folks, Time = Money

Defraud a bank and you go to jail.

A bank defrauds you and the execs get bonuses.

Trump cybersecurity order morphs into 2,200-plus-word extravaganza

Diginerd

WTF? Coherent and even sensible...

Wow.

Props to the team that wrote it.*

It's far from perfect, but it's a solid start.

If you haven't, it's worth a read.

*Clearly not POTUS or TheFormerMayorOfNYC!

Comcast lied and now it must STFU: Its cable broadband is not 'the fastest' in the US

Diginerd
Trollface

Cut them some slack!

I'd say they're pretty honest by industry standards!

Before the downvotes...

/sarcasm ;-)

They even have a couple of RFCs transparently explaining their NetOps.

"Congestion Management"

https://www.rfc-editor.org/rfc/rfc6057.txt

"ProActive Web Notification"

https://tools.ietf.org/rfc/rfc6108.txt

M'ok! (Not)

USMC: We want more F-35s per year than you Limeys will get in half a decade

Diginerd

Re: Irrational

"much slower".

Remember my dad reminiscing about El Reg's other favorite "slow" naval aircraft - The Swordfish.

IIRC it did far better in ACTUAL combat Vs much faster and technically "Better" enemy aircraft in WWII. Something to do with the "bad guys" leading their targets too much as they were trained against "faster and better" aircraft.

Obsolete tech aside - something to be said for a Crack'ling rush vs far fewer, more capable, but more costly units.*

*StarCraft reference for those who haven't experienced the damage this kind of assault can deliver.

Feds snooping on your email without a warrant? US lawmakers are on a war path to stop that

Diginerd

Re: Email is not private

In transit and at rest.

The contents are reachable via RH Decryption. :-(

Diginerd

Re: Privacy is only in your head.

Hazard a guess?

Hint - A public post is not private, and there's a thing called inductive argument..

I'm NOt the OP ;-)

GitLab.com melts down after wrong directory deleted, backups fail

Diginerd

Re: Two Words - CHAOS MONKEY

1oz of prevention > 1lb of cure.

Diginerd
Alert

Two Words - CHAOS MONKEY

https://github.com/Netflix/SimianArmy/wiki/Chaos-Monkey

Testing [RECOVERY] in production is like parachuting without a safety chute...

..,if things go truly pear shaped you're only gonna do it once.

This little guy will suffice as the adult in the room. ;-)

Boffins link ALIEN STRUCTURE ON VENUS to Solar System's biggest ever grav wave

Diginerd

Re: Will nobody think of the tax payers?

"Mountain Gravity waves"?

Surely you're not asking if James Cameron's groundbreaking creative vision and nuanced story telling was actually a documentary?

Jokes aside - WTF? Something very odd going on here.

Diginerd

Alert Dan Dare!

Mr Angry pays taxman with five wheelbarrows worth of loose change

Diginerd
Trollface

Teach a troll to fish*...

http://lmgtfy.com/?q=YMMV

*No hook here, but trolls like phish too. Caveat Emptor!

Diginerd

Re: El Reg, missed the point...

Getting slightly off original topic, but steering to an IT angle...

In Connecticut there's a similar law for cars (owned or leased - doesn't matter) - amount is payable to the city they're registered in. Don't pay, your registration gets suspended & driving it becomes a criminal matter.

They take it further for businesses: - ANNUAL property Tax is due on all the IT Assets / Office Equipment owned (or leased from a 3rd party).

1) Buy with cash / finance purchase with interest or lease expensive Gear & pay sales tax on it at time of purchase.

2) Depreciate value of said gear over 5 or 7 years (Typically).

3) Each year a % of the residual (undepreciated) amount is owed to state coffers.

If you're leasing the gear, YOU are responsible for the Property Tax (even though you don't own it)

Makes VAT (almost) seem reasonable.

TL;DR If possible, avoid building DataCenters or Trading Floors here unless you can negotiate tax breaks from the State Government prior to moving in and then threaten to take your toys (and jobs) to NY/NJ unless those breaks are renewed after expiry.

Unless you're Royal Bank of Scotland building a GLOBAL HQ in Stamford CT (UK Gov bailout stopped moving HQ, but the building went up) or UBS building what was once the worlds largest trading floor (now mostly empty) the only option is to accept ever increasing tax rates to fund the big guys sweetheart deals or GTFO and setup shop elsewhere.

Promising compsci student sold key-logger, infects 16,000 machines, pleads guilty, faces jail

Diginerd
Coat

Re: Reverse nominative determinism

Shurley that should be SEMANTIC...

...Coat, I'll get it. :-)

Stop us if you've heard this one before: Seamen spread over California

Diginerd
Coat

Re: Swarms of weaponized suicide drones

Queen or Twisted Sister?*

* /me dusts off VHS copy of "Iron Eagle"

Binary star bash-up should add new light to Northern Cross in 2022

Diginerd

...because SCIENCE!

EoM!

Insane blackhats behind world's most expensive ransomware 'forget' to backup crypto keys

Diginerd

Re: Google docs spreadsheet with Ransomware info

Paranoia <= Practical Defense...

...Options :-

1) Open sketchy link in a disposable Sandbox VM

2) Open sketchy link on iPhone/iPad (That is then promptly restored from a backup if you're up to "TinFoil headware is actually not a bad idea" level of paranoia)

3) Point VirusTotal (https://www.virustotal.com) at the URL

4) Go full crazy and click the link trusting that RegCommentards may have some level of decency / accountability should "A bad thing" (tm) happen...

The Life and Times of Lester Haines

Diginerd

IT?

I'll get me coat...

Respect - you are sorely missed.

Big Music goes mad for chat bots and AI

Diginerd

Re: "Most chatbots aren’t really artificial intelligence"

Eliza is smarter than your average starlet...

Outlook outage outrage

Diginerd
FAIL

Azure... Aptly named

Blue sky & no cloud!

- Xposted from other thread

Diginerd
Coat

Re: Pigeons

^... SHOULD read RFC2549 ("IP over Avian Carriers with Quality of Service").

"Unintentional encapsulation in hawks has been known to occur, with decapsulation being messy and the packets mangled."

More pigeon carnage here: - https://tools.ietf.org/html/rfc2549

Microsoft still working to fix Outlook sync issues

Diginerd
FAIL

Azure... Aptly named

Blue sky & no cloud!

Surveillance camera compromised in 98 seconds

Diginerd

Re: Why is this still a problem?

...because the business risk to the vendors is currently near zero and margins are paper thin.

Until the Status Quo changes tune, it falls to those in a position to mitigate vendor shortsightedness to take action.

For a concrete example of how ISP port blocking can turn a potentially deadly vendor screwup into a non-issue see Chris Miller's Defcon presentation on Chrysler Jeep hacking. Scary stuff with jaw-dropping incompetence on Chrysler's part making the PoC possible.

The obvious downsides to a strategy where ISPs take proactive defensive measures are:

1) Collectively rewarding the incompetence of said Vendors.

2) Creating hoops for competent users to jump through.

Given the circumstances it feels this is an acceptable compromise when the damage that vendor negligence can, and does, cause.

Diginerd

Re: One for the ISPs...

I for one welcome our robot overlords (aka "auto-correct").

All jokes about draconian ISP policies aside, "Subjects" in post above should read "SUBNET"s.

Oops

Diginerd

One for the ISPs...

More than a few US ISPs catering to home users have T&Cs prohibiting them from "Hosting servers". They then filter traffic headed to their user subjects on mail, ftp and webserver ports along with outbound smtp traffic to off-net IPs.

If you buy "Business class" service from the same ISPs you get the same service as a home user with a 20-30% price hike plus the ability to host servers/send smtp mail anywhere. However, "business" users must request the port filters be removed and accept responsibility for server traffic.

Removing the filters takes about 5 minutes.

Practical upshot is this provides little impediment to responsible users and saves the rest of the world from millions of spam messages being sent by clueless users.

A decent step in the right direction would be for those ISPs to block telnet traffic by default too...

Security bods find Android phoning home. Home being China

Diginerd

Re: And here I was expecting 99 comments to be a detailed technical discussion

Please do! Likewise here if anything is seen.

Anyone else feeling like chipping in too would be appreciated.

Spirit of cooperation in a comment thread? Here's hoping.

Diginerd

Re: the discovery of the firmware is being taken very seriously by US government officials

It's not that hard... See above + a working knowledge of "Old News" about capability ;-)

Diginerd

Open tickets with your Cellphone provider...

Ask them about the firmware and ask them to block the domains and IPs involved.

As an individual you likely won't get far, but if you run an enterprise account (Pretty sure more than one El Reg Comments reader does!) you might get some traction if more than a couple of folks make noise.

While we're at it, put 127.0.0.1 entries for the bogus domains and null route the parent IP ranges at the edge of the corporate network.

Sure, the above is not going to be close to 100% effective, but worth the effort to reduce the attack surface here.

/playing whackamole

Forget razors and blades, APIs are the new gotcha

Diginerd
Coat

Speiling. You're doing it wrong if your API...

...doesn't sanitize inputs, isn't (somewhat) liberal in what is accepted and conservative in what is sent?!

Chirp! Let's hear it for data over audio

Diginerd

Re: Standards

Wow, how did I miss RFC1926? - it's a corker! Upvoted ;-)

Isn't it ironic (Don'tcha think?) - RFC1926 comes right after RFC1925...

For those reading this with a frown and a healthy dose of "WTF they talking about?"

RFC1925 is the first of the "Desert Island RFCs" ("DIR"). It SHOULD be mandatory reading for everyone working in technology & failure to grok it is a common problem of startups...

Click bait (Fair warning - the rabbit hole is deep!) https://tools.ietf.org/html/rfc1925

Of course, the second DIR MUST be RFC1149 ;-)

Akin to Rule34, and verifying RFC1925, OP linked RFC1926. Nicely done sir!

Cheers!

WRB - IOOF

Cisco emits new branch box

Diginerd

Re: Sales pitch

Rack & connect the new gear? If you buy the premium support they'll even copy config if needs be...

Usually cheaper to have next day coverage, build a design that can survive for 24 hours with a box failure and have a support contract with a local tech firm to handle remote hands.

Diginerd

Re: Sales pitch

That's the thing about the ISR G3s (The 42xx/43xx boxen), the licenses look really expensive until you realize they're only moderately spendy because the limits are for throughput WITH ALL FEATURES ACTIVE.

The cool thing about these is the integration with APIC-EM - No console cables required.

Firewalls snuffed by 'BlackNurse' Ping of Death attack

Diginerd

Read the Farkin' RFCs - This is "Normal"

Type 3 ICMP messages indicate a problem in the Forwarding Plane, and require a "Punt" up the stack to the device's processor to enable it to work out what to do as a result of the message.

RFC792 (From September 1981) covers ICMP in gory detail...

The challenge is when the RFC was written, NAT was barely a concept - much less a multi-billion dollar "Firewall Industry".

Generally, blocking all ICMP frequently causes more problems than it solves. Not least, OSI networks (e.g. The Interwebz) rely on RFC conformance to operate "Correctly", so a more granular approach to risk is usually preferred.

The classic problem of path MTU was covered in the article, and crops up frequently when ICMP Type 3, Code 4 messages ("fragmentation needed and DF set") are dropped silently by an intermediate device. DON'T do this unless you REALLY know why you're doing it. Your users will thank you.

Networking is complex to do correctly, but it's essentially a collection of interacting logic puzzles.

A cool sounding name doesn't make this sexy & don't expect huge vendor responses to something "Working as Intended". Mitigation here is a situation specific configuration issue.
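To make the "granular, not blanket" point concrete, here is an added example (not from the post) that builds and parses an ICMP Type 3, Code 4 message, checks its checksum, and runs it through two filter policies: drop-all-ICMP versus a policy that forwards the messages the host stack needs. The embedded datagram, the link MTU and the policy table are constructed assumptions; the header layout follows RFC 792 with the next-hop MTU field from RFC 1191.

```python
"""ICMP Destination Unreachable / Fragmentation Needed (Type 3, Code 4):
build, parse, checksum, and show what a blanket ICMP drop does to path
MTU discovery. Added example; sample datagram and policies are constructed."""
import struct

ICMP_DEST_UNREACH, FRAG_NEEDED = 3, 4
ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 8, 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, original_head: bytes) -> bytes:
    """Type 3 / Code 4 with next-hop MTU in bytes 6-7 (RFC 1191), followed by the
    offending datagram's IP header + first 8 bytes, as RFC 792 requires."""
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(unchecked + original_head)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, FRAG_NEEDED, csum, 0, next_hop_mtu) + original_head


def parse_icmp(pkt: bytes) -> dict:
    """Decode the fixed header, verify the checksum, and pull out the fields a
    host needs to act on a Fragmentation Needed message."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(pkt) != 0:            # a valid packet sums to zero
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": itype, "code": code, "next_hop_mtu": None, "df_set": None}
    if itype == ICMP_DEST_UNREACH and code == FRAG_NEEDED and len(pkt) >= 8 + 20:
        info["next_hop_mtu"] = mtu
        flags = struct.unpack("!H", pkt[8 + 6:8 + 8])[0]   # IP flags/fragment offset
        info["df_set"] = bool(flags & 0x4000)
    return info


# Constructed: IPv4 header (1500-byte datagram, DF set) + 8 bytes of TCP header.
ORIGINAL_HEAD = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) \
                + struct.pack("!HHI", 40000, 443, 1)

# Granular policy (assumed): pass what end hosts rely on, drop the rest.
ALLOWED = {(ICMP_DEST_UNREACH, FRAG_NEEDED), (ICMP_ECHO_REPLY, 0), (ICMP_ECHO, 0),
           (ICMP_TIME_EXCEEDED, 0), (ICMP_TIME_EXCEEDED, 1)}


def drop_all_icmp(pkt: bytes) -> bool:
    """The blanket 'block ICMP' rule: nothing gets through."""
    return False


def granular_policy(pkt: bytes) -> bool:
    """Forward only listed (type, code) pairs, and only if the packet parses."""
    try:
        info = parse_icmp(pkt)
    except ValueError:
        return False
    return (info["type"], info["code"]) in ALLOWED


def simulate_pmtud(forward, start_mtu: int = 1500, link_mtu: int = 1400) -> int:
    """A sender emits a DF datagram of start_mtu; a router on a link_mtu hop
    replies Type 3 / Code 4. Returns the path MTU the sender ends up using."""
    reply = build_frag_needed(link_mtu, ORIGINAL_HEAD)
    if forward(reply):
        return parse_icmp(reply)["next_hop_mtu"]   # sender lowers its path MTU
    return start_mtu                                # reply dropped: PMTU black hole


if __name__ == "__main__":
    print("drop-all :", simulate_pmtud(drop_all_icmp))
    print("granular :", simulate_pmtud(granular_policy))
```

Under the blanket rule the sender never learns the 1400-byte limit and keeps retransmitting 1500-byte DF datagrams that the router discards; under the granular rule the message arrives and the path MTU drops to 1400, which is exactly the silent failure the article's path MTU discussion describes.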

Microsoft withdraws software silos from Germany in patent war

Diginerd
Thumb Up

Re: I wonder...

Arguably one of the most insightful software patent posts ever.

Thanks!

Blizzard ponders World of Warcraft for iPad

Diginerd
Thumb Up

Re: Class selection

+1

(The post is required, and must contain letters.)

Intel Xeon E5s pruned for single-socket workstations

Diginerd
Coat

$4k for 2 CPUs sounds pretty reasonable...

Although it certainly looks like an insane amount of money to someone used to bashing together a PC from a box of parts.

On the other hand if you're a Pro making a living out of your Tools it's a much better option than an $8K PCIe card with 1/10 the power.

Anyone want to take a bet that if Steve's favorite line of "one More thing" gets used today we'll finally see some new MacPros announced today?

If not they have to be soon, but will be A LOT more than $4k when fully specced.

Server virtualisation: How to pick the right model

Diginerd

XCP

One of the better kept open secrets of open source virtualization is XCP, and its new sibling Project Chronos (a full port available for Debian/Ubuntu using apt-get). Both are essentially FOSS versions of the $pendy Citrix XenServer (Talking Enterprise/Platinum editions, not the freebie base edition.)

One of the cooler new features is a hybrid Storage Model, enabling a pool of servers to access shared storage, but have each host automatically replicate the virtual disks to local storage as they are accessed. The net result is local disk performance after the initial read from the remote SR.

Doubly cool if the local storage is SSD. :)

FCC's net-neut rules now official

Diginerd
WTF?

@FFS

That patent's pointless...

Ignoring it being 5-15c to send a 163 byte "Packet" for many users (may explain AT&T's mobile broadband pricing!)...

1) use UDP

2) use GRE to encapsulate "Traffic Contained Protocols"

3) use whatever error handling the "Traffic Contained Protocols" has built in to request retransmits and deal with the inevitable out of order packets that will be involved.

Profit.

EMC exec flames El Reg

Diginerd
FAIL

Fact - EMC are Bloody Expensive

Marketing spin doesn't constitute smackdown.

Truth is, despite the expense, CIO/CTOs love EMC because they know their jobs are safe buying storage from them. EMC gear breaks just like everyone else's, but the quality of their support and post install team is rivaled only by their sales team.

If you're building datacenters for Bulge bracket banks or the Government there's only 2 players in the game - and HP are struggling. At that level Nexenta are not even close for contention. It's not just about price, it's about knowing you've got a solid solution. Speaking of which I admire EMC's restraint for not lobbing the obvious brick back at Nexenta - so tell me about the impact of the Oracle acquisition on the longevity of your core OS and plans to shift away deo

it.. Fugly!

At smaller sites the likes of Nexenta and my personal favorite QuantaStor (If you've never heard of them they're REALLY worth a look) come into play.

Speaking of QuantaStor, they behave very much like a tiny EMC in terms of customer service and support. Their features are great and their pricing is good, and they know who their customers are and what they need.

Nexenta are using tennis balls to take on an armored division. Poor choice of strategy, even though they're using some sporty tennis balls!

How gizmo maker's hack outflanked copyright trolls

Diginerd
Thumb Up

There's a lot more to this than tweets

Something I've been doing for years, and now the triple play CableCOs here in the USA have started to do too is use video overlay like this to flash up caller ID when the phone rings.

Works great, no need to interrupt the movie and go get the phone if it's a Telemarketer. Works even better if you mute the ringer before you sit down. Now all you have is a couple of seconds of a name & number at the bottom of the screen.

The bugger is you need to be watching content from the STB. If you're watching a BluRay you're screwed. This device opens the door around that.

My dodge is everything goes through my HTPC, so I can overlay anything I like on the TV (Monitor really) before it gets onto the HDMI cable. Chumby makes the same thing practical for "The Consumer".

The only people who may have a case against it are Intel as they are picky about getting licencing fees for HDMI. That doesn't sound insurmountable.

Finally the NY Hall of Science is down the road from me, think I might go to the "Maker's Fair" sounds fun. Particularly if I wear my "I void Warranties" T-Shirt...

Sid Meier's Civilization

Diginerd
Thumb Up

Loses its charm abruptly...

This brings back memories, awesome game and truly addictive.

Having played for hours every day over a couple of months (Uni Student + summer break + no commitments = bliss), I reached the point where I was struggling to find a way to improve my best score.

Then it happened... Got into a fight with the (soon-to-be-ex) girlfriend, and next game went on a global rampage that would have made the real Mr Khan giggle like a schoolgirl. When I'd wiped out the last competing nation the game ended and I had beaten my previous high score by a factor of 5, and the game only lasted 2-3 hours.

Once the penny dropped that the utopian dream Sid Meier was pushing didn't jive with the rewards of being a brutal dictator I got bored pretty quickly.

Was fun until then!
