Posts by Diginerd 52 publicly visible posts • joined 10 Aug 2011
Slide rulers & log tables...
Having both and knowing how to use them should be mandatory - they still work when there’s no power or internet.
Not sure if that’s why the VMS admin (yes, still a thing!) ad my old workplace had a 6’ slide rule in his office marked up with a label “Emergency backup CPU”, but it’ll still be usable long after everything else is landfill
@adam52 It’s (a bit) tricker than that...
Here’s the guidance we got (of course I would recommend you call the ICO’s anonymous info line to confirm this - be prepared for about an hour on hold, but they’re on the ball when you speak to someone).
Anyway..
To comply with the law and the data subject’s right to be forgotten you can’t simply store the deletion request as the request itself contains their PI...
Basically you need to store the GUID/Key value that points to the deleted PI on a “list of forgotten entries”
Should the data base be restored from backup run a job that checks that list and and deletes any matches in the restored data.
There’s other gotchas sureounding confirming the validity of the request in the first place (make sure you confirm who they are, as inappropriate LOSS of a data subject’s data is ALSO a violation)
TL;DR. Yes. Yes it is.
PS make sure you scrub ALL your databases - dev test too.
1) It must work.
...
Everything else is secondary.
There are no new Security Considerations created by RFC1925*.
However, it does make the point that the Fundamental Truths also apply to Security...
- A system evolves to become what its users deserve, and that's seldom the one they want.
*Recommend you go dig it up if you're not familiar with it. Clearly many folks aren't.
Look up "impi" for related server carnage.
Lots of work already done on this general topic.
Various KEYWORDs and info about capabilities public ally available too.
TL;DR the rabbit hole is very deep and it's going to be a problem for a long time.
Worked on this threat a few years back.
If you've got Cisco switches and don't use AMT it's pretty easy to defend against the "off box" vector (and other similar nasties) by using a VACL.
That way traffic is blocked before it can traverse to another port in the same VLAN. Applying a regular router/firewall packet filter ACL won't prevent an attacker pivoting through a compromised host on your LAN (hint look at your edge devices too;).
On the other hand switch based VACLs will drop attack traffic in hardware (no performance impact).
<rant>
For all the head in the sand folks - how secure are your printers, edge devices (cheesy botnet infected junk?) and security cameras? Are you sure you know EVERY device on EVERY port at ALL times?
Hopefully this gets more publiscised and the PHBs start to realize that checking off "PCs have a lol OS patches" and "Firewalls are audited" hasn't been a comprehensive security strategy for decades.
</rant>
I'd say they're pretty honest by industry standards!
Before the downvotes...
/sarcasm ;-)
They even have a couple of RFCs transparently explaining their NetOps.
"Congestion Management"
https://www.rfc-editor.org/rfc/rfc6057.txt
"ProActive Web Notification"
https://tools.ietf.org/rfc/rfc6108.txt
M'ok! (Not)
"much slower".
Remember my dad reminiscing about El Reg's other favorite "slow" naval aircraft - The Swordfish.
IIRC it did far better in ACTUAL combat Vs much faster and technically "Better" enemy aircraft in WWII. Something to do with the "bad guys" leading their targets too much as they were trained against "faster and better" aircraft.
Obsolete tech aside - something to be said for a Crack'ling rush vs far fewer, more capable, but more costly units.*
*StarCraft reference for those who haven't experienced the damage this kind of assault can deliver.
Getting slightly off original topic, but steering to an IT angle...
In Connecticut there's a similar law for cars (owned or leased - doesn't matter) - amount is payable to the city they're registered in. Don't pay, your registration gets suspended & driving it becomes a criminal matter.
They take it further for businesses: - ANNUAL property Tax is due on all the IT Assets / Office Equipment owned (or leased from a 3rd party).
1) Buy with cash / finance purchase with interest or lease expensive Gear & pay sales tax on it at time of purchase.
2) Depreciate value of said gear over 5 or 7 years (Typically).
3) Each year a % of the residual (undepreciated) amount is owed to state coffers.
If you're leasing the gear, YOU are responsible for the Property Tax (even though you don't own it)
Makes VAT (almost) seem reasonable.
TL;DR If possible, avoid building DataCenters or Trading Floors here unless you can negotiate tax breaks from the State Government prior to moving in and then threaten to take your toys (and jobs) to NY/NJ unless those breaks are renewed after expiry.
Unless you're Royal Bank of Scotland building a GLOBAL HQ in Stamford CT (UK Gov bailout stopped moving HQ, but the building went up) or UBS building what was once the worlds largest trading floor (now mostly empty) the only option is to accept ever increasing tax rates to fund the big guys sweetheart deals or GTFO and setup shop elsewhere.
Paranoia <= Practical Defense...
...Options :-
1) Open sketchy link in a disposable Sandbox VM
2) Open sketchy link on iPhone/iPad (That is then promptly restored from a backup if you're up to "TinFoil headware is actually not a bad idea" level of paranoia)
3) Point VirusTotal (https://www.virustotal.com) at the URL
4) Go full crazy and click the link trusting that RegCommentards may have some level of decency / accountability should "A bad thing" (tm) happen...
...because the business risk to the vendors is currently near zero and margins are paper thin.
Until the Status Quo changes tune, it falls to those in a position to mitigate vendor shortsightedness to take action.
For a concrete example of how ISP port blocking can turn a potentially deadly vendor screwup into a non-issue see Chris Miller's Defcon presentation on Chrysler Jeep hacking. Scary stuff with jaw-dropping incompetence on Chrysler's part making the PoC possible.
The obvious downsides to a strategy where ISPs take proactive defensive measures are:
1) Collectively rewarding the incompetence of said Vendors.
2) Creating hoops for competent users to jump through.
Given the circumstances it feels this is an acceptable compromise when the damage that vendor negligence can, and does, cause.
More than a few US ISPs catering to home users have T&Cs prohibiting them from "Hosting servers". They then filter traffic headed to their user subjects on mail, ftp and webserver ports along with outbound smtp traffic to off-net IPs.
If you buy "Business class" service from the same ISPs you get the same service as a home user with a 20-30% price hike plus the ability to host servers/send smtp mail anywhere. However, "business" users must request the port filters be removed and accept responsibility for server traffic.
Removing the filters takes about 5 minutes.
Practical upshot is this provides little impediment to responsible users and saves the rest of the world from millions of spam messages being sent by clueless users.
A decent step in the right direction would be for those ISPs to block telnet traffic by default too...
Ask them about the firmware and ask them to block the domains and IPs involved.
As an individual you likely won't get far, but if you run an enterprise account (Pretty sure more than one El Reg Comments reader does!) you might get some traction if more than a couple of folks make noise.
While we're at it, put 127.0.0.1 entries for the bogus domains and null route the parent IP ranges at the edge of the corporate network.
Sure, the above is not going to be close to 100% effective, but worth the effort to reduce the attack surface here.
/playing whackamole
Wow, how did I miss RFC1926? - it's a corker! Upvoted ;-)
Isn't it ironic (Don'tcha think?) - RFC1926 comes right after RFC1925...
For those reading this with a frown and a healthy dose of "WTF they talking about?"
RFC1925 is the first of the "Desert Island RFCs" ("DIR'). It SHOULD be manadory reading for everyone working in technology & failure to grok it is a common problem of startups...
Click bait (Fair warning - the rabbit hole is deep!) https://tools.ietf.org/html/rfc1925
Of course, the second DIR MUST be RFC1149 ;-)
Akin to Rule34, and verifying RFC1925, OP linked RFC1926. Nicely done sir!
Cheers!
WRB - IOOF
Rack & connect the new gear? If you buy the premium support they'll even copy config if needs be...
Unusually cheaper to have next day coverage, build a design that can survive for 24 hours with a box failure and have a support contract with a local tech firm to handle remote hands.
That's the thing about the ISR G3s (The 42xx/43xx boxen), the licenses look really expensive until you realize they're only moderately spendy because the limits are for throughput WITH ALL FEATURES ACTIVE.
The cool thing about these is the integration with APIC-EM - No console cables required.
Type 3 ICMP messages indicate a problem in the Forwarding Plane, and require a "Punt" up the stack to the device's processor to enable it to work out what to do as a result of the message.
RFC792 (From September 1981) covers ICMP in gory detail...
The challenge is when the RFC was written, NAT was barely a concept - much less a multi-billion dollar "Firewall Industry".
General blocking all ICMP frequently causes more problems than it solves. Not least, OSI networks (e.g. The Interwebz) rely on RFC conformance to operate "Correctly", so a more granular approach to risk is usually preferred.
The classic problem of path MTU was covered in the article, and crops up frequently when ICMP Type 3, Code 4 messages ("fragmentation needed and DF set") are dropped silently by an intermediate device. DON'T do this unless you REALLY know why you're doing it. Your users will thank you.
Networking is complex to do correctly, but it's essentially collection of interacting logic puzzles.
A cool sounding name doesn't make this sexy & don't expect huge vendor responses to something "Working as Intended". Mitigation here is a situation specific configuration issue.
Although it certainly looks like an insane amount of money to someone used to bashing together a PC from a box of parts.
On the other hand if you're a Pro make a living out of your Tools it's a much better option than an $8K PCIe card with 1/10 the power.
Anyone want to take a bet that if Steve's favorite line of "one More thing" gets used today we'll finally see some new MacPros announced today?
If not they have to be soon, but will be A LOT more than $4k when fully specced.
One of the better kept open secrets of open source virtualization is XCP, and it's new sibling Project Chronos (a full port available for Debian/Ubuntu using apt get). Both are essentially FOSS versions of the $pendy Citrix Censerver (Talking Enterprise/Platinum editions, not the freebie base edition.)
One of the cooler new features is a hybrid Storage Model, enabling a pool of servers to access shared storage, but have each host automatically replicate the virtual disks to local storage as they are accessed. The net result is local disk performance after the initial read from the remote SR.
Doubly cool if the local storage is SSD. :)
That patent's pointless...
Ignoring it being 5-15c to send a 163 byte "Packet" for many users ( may explain AT&T's mobile broadband pricing!)...
1) use UDP
2) use GRE to encapsulate "Traffic Contained Protocols"
3) use whatever error handling the "Traffic Contained Protocols" has built in to request retransmits and deal with the inevitable out of order packets that will be involved.
Profit.
Marketing spin dosen't constitute smackdown.
Truth is, despite the expense, CIO/CTOs love EMC because they know their jobs are safe buying storage from them. EMC gear breaks just like everyone else's, but the quality of their support and post install team is rivaled only by their sales team.
If you're building datacenters for Bulge bracket banks or the Government there's only 2 players in the game - and HP are struggling. At that level Nextenta are not even close for contention. It's not just about price, it's about knowing you've got a solid solution. Speaking of which I admire EMC's restraint for not lobbing the obvious brick back at Nextenta - so tell me about the impact of the Oracle aquistition on on the longevity of your core OS and plans to shift away deo
it.. Fugly!
At smaller sites the likes of Nextenta and my personal favorite QuantaStor (If you've never heard of them they're REALLY work a look) come into play.
Speaking of QuantaStor, they behave very much like a tiny EMC in terms of customer service and support. Their features are great an their pricing is good, and they know who their customers are and what they need.
Nextenta are using tennisballs to take in an armored division. Poor choice of strategy, even though they're using some sporty tennis balls!
Something I've been doing for years, and now the triple play CableCOs here in the USA have started to do too is use video overlay like this to flash up caller ID when the phone rings.
Works great, no need to interrupt the movie and go get the phone if it's a Telemarketer. Works even better if you mute the ringer before you sit dow. Now all you have is a couple of seconds of a name & number at the bottom of the screen.
The bugger is you need to be watching content from the STB. If you're watching a BluRay you're screwed. This device opens the door around that.
My dodge is averything goes through my HTPC, so I can overlay anything I like on the TV (Monitor really) before it gets onto the HDMI cable. Chumby makes the same thing practical for "The Consumer".
The only people who may have a case against it are Intel as they are picky about getting licencing fees for HDMI. That doesn't sound insurmountable.
Finally the NY Hall of Science is down the road from me, think I might go to the "Maker's Fair" sounds fun. Particularly if I wear my "I void Warranties" T-Shirt...
This brings back memories, awaesom game and truly addictive.
Having played for hours every day over a couple of months (Uni Student + summer break + no commitments = bliss), I reached the point where I struggling to find a way to improve my best score.
Then it happened... Got into fight with the (soon-to-be-ex) girlfriend, and next game went on a global rampage that would have made the real Mr Khan giggle like a scoolgirl. When I'd wiped out the last competing nation the game ended and I had beaten my previous high score by a factor of 5, and the game only lasted 2-3 hours.
Once the penny dropped that the utopian dream Sid Meyer was pushing didn't jive with the rewards of being a brutal dictator I got bored pretty quickly.
Was fun until then!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
