Posts by Nate Amsden

Re: Quality control - yes we’ve heard of it

doubtful so many computers will go to landfill immediately following win10's expiration(non LTSC). Many will just continue to use their OS without new patches for a while. Most software will continue to get updates and probably the most important of which is the browser. Chrome stopped supporting win7 about 3 years past EOL. I think firefox supported Win7 through Firefox ESR for at least another year so 4 years past EOL. Steam stopped Win7 early 2024 looks like it. I suspect Win10 will have an extended life much like Win7 did. I know some more resourceful folks got extra updates out of Win7 by changing to embedded license or something (I never tried that).

While not used for anything too serious I still have at least 4 or 5 systems at home that run Win7, and yes I do do internet things on them occasionally. Most of the time they are off as I don't need them often. I actually bought licenses for Bitdefender earlier this year to install on a couple of Win7 systems for retro gaming(mainly paranoid about "no CD/DVD" cracks of games I own, also used virustotal to scan those).

my main daily driver system of course is Linux and has been since 1998.

Don't forget Red hat Linux is IBM

Though I haven't used Red Hat since RHEL 2.1

I looked up Azure hybrid benefit (using Bing..) and the first hit was MS which says

"Azure Hybrid Benefit is an Azure offer that helps organizations reduce expenses during their migration to the cloud. By providing Azure discounts on Windows and SQL Server licenses, and Linux subscriptions, it supports infrastructure modernization and a cloud-first strategy."

(key point is providing discounts, which is what my assumption was originally)

They also mention discounts for Red Hat Linux, SuSE Linux, and Nutanix, none of which of course are MS products.

I dug up the SQL server 2019 licensing doc (the version my org uses), and on page 30 it seems to indicate what I expected, specifically mentions non Azure clouds.

"In the case where you are using AHB to license your primary database running on shared hardware in the non-Azure cloud, you may run the two passive SQL Server instances (one for HA and one for DR) in a separate OSE running in the cloud on shared hardware to support failover events."

They have a chart showing 36 total cores, 12 are "active" and 24 are standby, only 12 cores are needed to be licensed. I don't know what "AHB" is that is the only mention of that term in the document. Though the version of the doc I have is copyright 2019, I found a newer version copyright 2022(page 26 on the newer doc) which changes the language for this section to be Azure cloud, but the below section remains the same.

Then below that they have another scenario with 24 cores in use, 12 active, 12 in a non Azure cloud. Only have to pay for 12 licenses.

"Primary server licenses covered with SA include support for one Disaster Recovery secondary server only (outside Azure), and any additional secondary Disaster Recovery servers must be licensed for SQL Server. Note: The rights to run a passive instance of SQL Server for failover support are not transferable to other licensed servers for purposes of providing multiple passive secondary servers to a single primary server" (which seems reasonable to me)

Pretty confusing I guess in any case..keep it simple & on prem is my strategy(though I deal with windows maybe 10% of the time) which seems to be the most cost effective/most reliable for me. Moved out of cloud in 2012 and have never looked back.(though that hasn't stopped others in the orgs from trying but then they give up when they see how much more expensive it is).

Oracle is certainly tricky to deal with too, haven't had to deal with them in a while. I do remember educating the sales/audit team back in 2007 about their own CPU licensing (specifically Standard edition had no limit on cores/socket at the time anyway which they didn't know) when the org I was at at the time was undergoing another Oracle audit.

Re: Yeah but most of that is trivial.

perhaps for larger scale orgs. I don't do windows stuff, mainly Linux. No company I've ever worked for had windows staff manage SSL anything(they were always fine with all self signed device certs/default certs - or in the case of anything using LDAP they just used plaintext LDAP not LDAPS), they've never had CAs. Maybe it's easy to set that stuff up I'm not sure.

Only reason I did it like that is because if I didn't do it, it wouldn't get done. I'm not about to touch anything with domain policies/GPO or anything.

Re: Unbelievable

I'm assuming this is one of Google's own cloud data centers and not a 3rd party colo they are using.. but cloud data centers are generally built less reliable to save costs, and you get the redundancy by having systems in multiple zones/regions rather than higher availability in a single facility. The article makes it sound like just a single zone went down in the affected region?

I'm not sure how a battery failure would not take anything down if there was no other form of power at the time. Utility power was gone(perhaps connected to only a single source of power), and it seems likely they just have a single bank of UPS(s) that failed. Reason could be anything including not replacing the batteries when they expired.

Better engineered facilities would fare much better but also cost quite a bit more. Too many people assume just because it's cloud that everything from the ground up is designed/deployed as well as robust as more traditional facilities/systems.

The facility where I host my personal equipment is old, I think from the 90s, single power feed, single UPS system(as far as I know), no redundant power anywhere in the facility. They have had quite a few power outages over the past decade(more than my home) though none in the last 3 years. It's good enough and pretty cheap so not a big deal to me...

The facility where I've hosted the gear for the orgs I have worked for over the past decade plus is by contrast far better with N+1 everything, they do tons of regular testing, have at least two power feeds to the facility, I can only recall one occasion where they went on generator power. Though have seen several notifications around UPS failures here and there, though since everything is N+1 redundancy was never impacted. Never so much as a blip in power feeds distributed to the racks themselves.

There is a facility that my previous org hosted stuff in Europe, I hated that place so much. At one point they needed to make some change to their power systems, and to do that they had to take half of their power offline for several hours, then a few days later did the same process on the other half. Obviously no N+1 there, as we did lose power on each of our circuit pairs during the maintenance. Though no real impact to us as everything was redundant(did lose a couple of single power supply devices during the outage but there was other units that took over automatically). So many problems with that facility and their staff & policies was so happy to move out.

Back in mid 2000s I was hired at a company that had stuff hosted in a facility that suffered the most outages of any I've ever seen, and the only other full facility power outages, bad power system design. Power outage causes included dead UPS batteries that were not replaced and UPSs failed when the power cut, as well as a customer at one point intentionally pressed the "emergency power off" button to kill power to the whole facility because they were curious. After that 2nd event all customers had to go through "training" about that button and sign off on getting that training. There was probably 3 power outages in less than 1 year at that facility and by the time the 3rd one happened I was ready to move out just needed VP approvals and the approval came fast when that 3rd outage hit. The facility later suffered an electrical fire a few years later and was completely down for about 40ish hours, till they got generator trucks on site to power back up, took them probably 6 months to repair the damage to the power system. Bad design...though I recall that facility being highly touted as a great place to be during the dot com era..

By contrast I recall reading a news article around that same time about another facility, that was designed properly, had a similar electrical fire on their power system, and it had zero impact to customers. Part of their power system went down but due to the proper redundancy, everything stayed online. I recall a comment where they said often times a fire department would require full shutdown to safely fight the fire, but they were able to demonstrate they had isolated that part of the system so they were not required to power down.

On that note I'd never host in a facility that uses flywheel UPS, and/or who doesn't have tech staff on site 24/7 to handle basic issues during a power outage (like the automatic switch to generators not working). Flywheel UPSs don't give enough time(usually less than 1 minute) for a human to respond. Would like to see at least 10-15mins of battery runtime capacity(hopefully only need less than a minute for generators to start).

same for me too, 6.7U2, Dell R630, also have a Dell R640 with the same (though I think it can run newer) to keep it consistent. Have them in a colo, no power outages in 1366 days(no redundant power at the facility my personal gear is at). Have an older Intel NUC NUC8i7BEH running 6.7U2 too there as well, which run my only windows VMs, also up for 1366 days. Been impressed with how stable the NUC has been, only issue is the SNMP service seems to hang a few times a year, then LibreNMS starts complaining, till I restart the service.

Since I saw this news on esxi being free again a few days ago I was wondering how software updates may be handled, if any updates are provided at all given they are behind a support contract wall at this point. Maybe they haven't decided on that bit yet.

Re: On the 72 core minimum..

also wouldn't surprise me if the 72 core minumum turns out to be per socket, I wouldn't be too surprised to see AMD and/or Intel release 72-core CPUs(since there would be a huge demand for that to maximize license utilization, though broadcom would have to demonstrate that they won't change the rule to 73 cores a year later). I think similar things have been done in the past at least regarding Oracle DB licensing on one or more occasions.

Re: The easy way out

It someone has that level of access to AD, vpn logins are pretty low on the concern list at that point to me.

Re: Yet another reason not to enable automatic updates

This same kind of thing happened to Sonicwall a few years ago, and I was pretty shocked to get hit by it on firewalls that didn't even have that feature licensed.. I think the impact was limited to Gen7 firewalls, of which I only had 1 pair at the time, all of the important stuff was/is on Gen6.

Re: SonicWall is still a thing?

I've been using Sonicwall as basically L4 firewalls and site to site VPN since early 2012 without much issue. Current firewalls go EOL next year that would make about 8 years of service for those Gen 6 units. I think their SSL VPN on the firewalls is no good (though usable for the most basic use cases). I remember evaluating their SMA SSL appliances many years ago and ruled them out right away as they lacked the ability to do full duo prompt integration (Sonicwall firewalls can't either). Their early Gen7 stuff was pretty buggy though seems better now. Gen5 was ok for me as well (my first exposure to Sonicwall).

For me initially Sonicwall was only going to be used as a site to site VPN, and speaking of marketing, the VAR I was working with at the time (knowing my use case of IPSec VPN ONLY) was trying to push Palo Alto firewalls to me at probably 4-6x the cost. PAN is a fine product but super overkill for only site to site VPN(and the suggested model had a fraction of the IPSec throughput of Sonicwall). I have since expanded use cases to layer 4 edge firewalls as well and they work fine in that regard, very few issues. I haven't touched their layer 7 stuff, assuming there are more bugs there.

As for long TCP timeouts, all depends on how long you want.. I don't think I've ever needed to set something for longer than an hour or two. I did work at one place where the network engineer set their Cisco ASAs to have ~1 week timeouts then struggled with semi quarterly firewall outages where they had to power cycle both firewalls to get them working again. Neither they, nor Cisco support were smart enough to do something as simple as check the state table, then realize hey those 500k entries are the limit of the hardware, then check the timeouts... after I joined and saw that happen I had him fix it, and started monitoring it, states never went above about ~2000 after that, and nobody complained that I recall. The original reason for the 1 week timeouts he said was people were complaining their sessions were being killed.

Re: unpatched zero-day?????

Seems you are ?

From what I can see their advisory was posted today, yet the article talks about systems being compromised last month.

It is interesting to note that apparently only their 7.0 build is affected they seem to have several other 7.x branches that are not.

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

I recall reading comments on several occasions (few years back at least) where seemingly experienced network engineers would comment on Fortinet

"find a stable firmware version and don't upgrade" on a fairly regular basis, same folks often touted Fortinet as a good solution lower

cost than Palo Alto(which they ranked #1), but with the big caveat that their software wasn't that great(unless you happened to land on a

good build of it).

Re: Starter for Ten

There have been stats passed around for years that suggest a large number of intrusions take upwards of 6 months to detect on average. Unless the attackers resort to destructive things right away following intrusion.

Re: "if you're a regular customer, check any credit cards"

Lock your credit reports.

I did that the day Equifax was hacked. Looks like in 2017. It's not perfect but goes a long way towards making yourself a less easy target. I've had to unlock my credit reports on just a few occasions in the years since and I believe all 3 major credit reporting companies systems are setup so you can unlock for a short period of time then auto lock again. There is no cost for this service, but in trying to find the service (for free anyway) you'll probably have to navigate past their advertising for their subscription services.

Random thought...

Maybe if Intel didn't make itanium and drive the alpha processors out of business, thus driving many(?) alpha engineers to AMD they wouldn't of come up with the amd64 instructions? Seems a lot of similar technologies in the amd design that came from alpha. I'm not an expert, maybe just coincidence....

I went through one upgrade on a HA pair of Palo Alto 3000 series firewalls that I briefly inherited at my last company i think probably in 2019. This had to go through two version jumps.

I had zero PAN experience so I opened a support ticket to verify the process. They were very helpful. They pointed me to their best practice guide which ended up being completely WRONG. They had a support person on the line in case I had a problem and said their guide was right. That person went off shift and said everything is going ok, so if I need help just call back in.

I followed the process till I got to the point where I had to fail over and the firewalls refused. Called support, waiting for an hour(thought it'd be faster). Told them what was going on and at that point they admitted the best practice guide was wrong. The guide specifically said fully upgrade the first firewall then fail over. I didn't think that sounded right so before I did that I asked them and they said the guide was right. Ok. Well ended up having to yank the HA cables out and force things to fail over, then upgrade the other unit and do the same again. What a mess. Fortunately the outages weren't an issue and I was physically on site.

I was kind and pushed Palo Alto to fix their guide, took them about a year to do so. Even then it really wasn't to my satisfaction, they could of made it more clear but at that point I stopped caring.

Fortunately nothing else broke that I recall. Their firewall config was pretty basic no SSL interception, but they were using BGP. The impression I got was the IT network engineer didn't touch them since they were installed years earlier by a 3rd party. Same person also did not apply updates to their ASA firewalls which had over 100 vulnerabilities by the time I took over, and they were EOL and Cisco refused to let me buy a support contract to simply download the latest code. I have read some stories about PAN upgrades breaking a bunch of stuff, so it's not uncommon to not upgrade frequently, especially if the customer relies on 3rd party hourly support for day to day maintenance.

Most of my commercial firewall experience over past 15 years is Sonicwall. Just layer 4 and site to site vpn. Never touched their layer 7 stuff and their end user ssl vpn sucks(but it is cheap, I wouldn't use it though). Never had a major issue with upgrades but again config is simple. Despite that I am somewhat terrified to upgrade my external firewalls at my main remote colo because if something goes wrong I lose all connectivity to the site. If we were a significantly larger company it would be easier to justify a back door setup.

Originally that site had a stack of 4 switches that ran everything. I did the stack just to keep it simple for others and it was small. I never had to roll back a switch OS update in the prior 7 years. I needed to upgrade but wasn't going to do it from 2000 miles away. So I went on site and decided to do it from my hotel room about 20min from data center. Just so happen that the upgrade broke compatibly with the vendor SFPs that I was using for the internet uplinks. So when I upgraded I lost all connectivity and had to drive on site to figure it out. Ended up rolling back and vendor later acknowledged the compatibility issue. I later changed architecture with the switches so the setup was more robust at the cost of complexity. Still simpler than other vendors though.

Moral perhaps don't take updates lightly especially on systems that provide core connectivity.

Re: "amid growing adoption of competing architectures"

I think the future is ARM for those that are vertically integrated, for the rest, not so much at least in the server space. Very few can afford to be vertically integrated to that level, perhaps at this point that is mostly companies with trillion dollar market caps for the most part. I wouldn't be surprised if in a decade or so RISC-V takes over from ARM as these vertically integrated companies go to take another layer out of the supply chain.

Re: Evidence?

Along those lines I don't recall ever seeing news reports of ssl cert hijacking. I have seen reports of CAs improperly issuing certs but of course that is an unrelated issue.

I don't doubt ssl cert hijacking as an issue exists, but it doesn't seem to be prevalent to the point where reducing time to expire as being a useful tool.

Most surprised that Apple of all companies seems to be behind it, as they were behind the last round of reductions.

And I guess everyone gave up on revocation, nice idea in theory but guess almost never gets used.

Also curious if anyone had had experience with ssl cert expiration issues with non web systems. Take email for example, haven't heard of any email clients enforcing such limits on certs, also take server side apps talking to other apps over https. I'm guessing the ssl libraries don't care either, as I've never heard of someone complain about such things.

I'd bd happy to go back to 3 years myself. I've only been on the Internet since 1994, and running Internet facing servers since 1996, so what do I know, apparently nothing. Sigh

https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day

(note: from 2021)

"Microsoft is warning Windows users about an unpatched critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was uncovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows."

this CUPS thing is a joke. Here I was worried about things like network switches, storage arrays, firewalls, web servers. My local linux laptop runs cups (though I have no printers), I manage roughly 800 other linux systems at work and not one of them has ever had CUPS installed.

Re: Open source replacements not good enough ?

An easy way around this is just to adopt a new stack that is based on OSS tech even if it is "commercial". Proxmox is mentioned often, can pay them for their services, they appear to have a lot of open source stuff, and I assume they probably contribute upstream to projects. Same for Red Hat's Enterprise Virtualization, and I suspect HPE's latest hypervisor is similar. Maybe even Nutanix contributes upstream too for their AHV. (disclaimer I've never used any of these products)

Re: Lack of Nvdia 390 and 470 support is a problem - but solutions abound

Fortunately for more experienced users, the linux kernel is fairly divorced from the distro. You can run older kernels on newer distros without much of an issue in most cases. With debian/dpkg it's easy to flag a package to "hold" so you don't get the new kernel. On my previous laptop I held my kernel for probably 3 years as I got tired of every 2nd or 3rd kernel update breaking the sound on the laptop in some way.

So worst case, you can probably run the 6.8 or whatever is being shipped now probably for the next 5+ years if you REALLY wanted to and continue to update your distro in other ways and keep your old Nvidia card running(assuming you care about using the proprietary drivers). Of course if there is some super critical security thing that comes out then you may want to consider that, but for most people, the only such situations I'd be concerned with is with remote exploits (such as bugs related to handling malformed network packets which could lead to a crash etc which are super rare).