Posts by Nate Amsden

I like sysvinit

I had used Debian since v2.0 in 1998 and Slackware before that on my personal servers. Switched to Devuan on servers (Mint on my laptops since Ubuntu 10.04 went EOL) in the past year or two(fortunately a fairly seamless upgrade, no re-installs just apt-get upgraded to Devuan).

Most of my issues with systemd could be easily addressed if it would just co-exist nicely with init scripts. It sort of does, but not nearly far enough, I would be happy with systemd if it ran an init script that it just goes into "dumb" mode and run it like any other interactive script. Don't try to be smart, don't try to keep track of state, no timeouts, none of that stuff just run it.

I miss 4NT

and 4DOS as well.

Powershell seems so slow, I have seen it take 30+ seconds to launch or to execute a command (especially after initial login to a server). I'm sure Powershell is a real great tool, though as someone who grew up mostly on linux(since about 1996 anyway), I am more used to(and so prefer) shells/commands using strings rather than objects. With the registry and other things on windows I do realize that strings are harder to use with windows vs the text file config on linux.

I have used bash from cygwin using rxvt on windows for 15+ years now I think(still use it almost daily), unfortunately a few years ago the cygwin team retired the native rxvt that I rely on(had to go to the developers to figure out where it went as there was no mention of losing it at the time), so using old cygwin while I can (which probably doesn't work on the latest windows). The alternative from them was running the full X11 rxvt instead of the native one which isn't what I wanted.

turn off auto mms download

I did this after the first android media bug came out many years ago. There's been tons since and probably tons more in the future. Doesn't eliminate the vulnerability of course but allows you to ignore random mms from people you don't know which reduces the likelihood of getting hit probably by 99.999%.

Kind of shocked at this point there isn't more protection or sandbox or something around the messages app. It's probably been at least 4 to 5 years since that first one made big news.

they seem to say the old code is hard to maintain

But I just keep thinking that generic plain text ftp which is probably 99% of ftp sites out there hasn't changed much at all in probably 20+ years so there shouldn't really be much of anything to maintain.

I don't use ftp too often, and generally when I do I use ncftp.

Checking ncftp's changelog they released version 3.0.0 in March 2000, now they are at 3.2.6(from late 2016), for a dedicated ftp client just a point as to how little ftp has changed over the past 20 years.

huge blow?

unlikely.

I ran my Galaxy Note 3 up until less than a year ago(daily driver). Still on Android 4.4.x too (Android 5.x was a downgrade in my opinion). It was my first Android device, prior to that I used WebOS. VERY reluctantly switched to Galaxy S8 Active(still new) last summer as the phone I thought sucked "the least" of any phone on the market.

I have two Note 3s and one Note 4.

I'm taking every precaution I can to try to ensure it lasts as long as it can. Including having a backup phone, having replacement OEM batteries(though I dread the thought of having to get the battery replaced), and invested in two devices called "Chargies", which sync with bluetooth to my phone to ensure the device doesn't go beyond a given charge level (for me that level is 79%), provided it is connected to a charger with Chargie connected. Add Accubattery to that list as well.

I happily replaced the batteries in my Note 3s (one of which is still in daily use, though uses Android 5, it's really only used to view slack) every year because well it was easy. I never needed user replaceable batteries on a daily basis but being able to safely replace them myself annually was a big selling point(keeps things fresh).

Plastic back, wireless charging(I have been wirelessly charging since the original Palm Pre), flat screen were the biggest selling points for me on the S8 active. The bigger battery is nice too as that implies the life will be longer.

Currently on Android 9, which is a downgrade over 8, in fact at least for me every newer release of Android takes away more and more things and is a downgrade. If I wanted an iPhone I'd buy an iPhone.

Other than faster performance the S8 Active doesn't really do much that my Note 3 didn't do already(and in many cases better).

I'd happily drop $2k for an up to date Note 3 with plastic back, wireless charging, removable battery, flat screen, with Android 4.4.x look & feel & control.

I'd also happily pay a subscription fee to get those fancy security updates for the older OSs, so I'm not forced into upgrading to a major version of android to get fixes. But that isn't available either. I'll take no fixes and a more usable phone 100000000000000x more than the latest updates given the history of things. I am also careful about what I use my mobile devices for, no social media, no banking, and the only purchases I do are with virtual credit cards generated by my computer. Also have had the android auto download of MMS disabled for years, I do not open MMS from people I don't know (which isn't a guarantee on anything but goes some ways to improving security regarding the exploits in the android media framework). Not perfect, but at the same time I am not aware of any security incidents on my mobile devices ever (same goes for my desktop and laptop devices(mostly running linux).

Things I miss about note 3 include the stylus, user replaceable batteries, the IR blaster, Android 4.4 experience, having more control over the OS (e.g. can view cpu usage per task and kill stuff etc), MHL (not sure if the S8 active does that or not). IR blaster and MHL I only use while traveling, and I still bring at least 1 note 3 and 1 note 4 when I travel for connecting to hotel TVs for media viewing(they have big SD cards). I have yet to use the headphone jack on my S8 active, only time I've used my phone with headphones was when flying, and I used my Note3/Note4 for that. I do not own any bluetooth headphones.

I'm sure most of the android fans will hate this post so expecting lots of down votes. I prefer freedom myself, if you WANT the latest you should be able to get it, if you DON'T want it, it should not be forced on you. I can't put into words how mad I was when my S8 active upgraded to Android 9 from 8. I went to great lengths to prevent OS upgrades. I successfully blocked my Note 3 from upgrading to Android 5 for 3-4+ years. The AT&T website even specifically said you have to be connected to wifi to get the upgrade. I was traveling at the time, not connected to wifi and it downloaded the upgrade anyway somehow.. On my home wifi I have AT&T and Samsung servers blocked at the DNS level so any attempts to upgrade will fail instantly.

Hoping this S8 active lasts as long as the Note 3 did(it still works fine now just a bit slow).

unemployment systems overloaded

Keep reading reports about how the unemployment systems are overloaded so probably could of been much higher had they been able to process the volume of transactions. To me 19k seems way low I would of expected easily over 50k. Also find it pretty shocking how many companies are trying to self justify themselves as "essential" (Gamestop was one of the more talked about ones in tech anyway).

How can 5G be displaced so quickly

Doesn't make much sense to me outside of massive equipment failures, the tech is still so new. I also find it consistently sad that I see so many comments here touting Chinese for 5G(specifically for 5G infrastructure most often referring to European deployments) when you have two 5G companies in Europe(possibly more), would be nice if they saw (a lot) more local support.

never logged into samsung

My S8 active got it as well, noticed it at around 4am pacific time in California. My phone has never logged into Samsung's services, and their authentication systems are blocked at a DNS level(account.samsung.com), and I have verified find my phone was disabled as well(never have had it enabled on any device). So can only assume the phones themselves poll the servers occasionally for this kind of thing.

just another reminder the lack of control most users have over their own devices. IOS is worse regarding lack of control and Google is flying as fast as they can to mirror that experience on Android. For me, Android 4.x was the best(ran it for 6 years on a Note 3, my first android device before that I used WebOS).

Why did MS stop doing service packs?

I mean they still have them but they seem to be really rare(and serve more as feature packs). I remember back in the NT days a service pack was typically just a rolled up collection of fixes in one big file. I think you could even extract the big file into the individual fixes if you wanted(never tried that myself).

I know that a few years ago(?) MS changed their updating scheme to provide more roll up style patches where everything is included in one patch at least for that given patch cycle in theory.

Since Win7 went EOL recently, in the past week I have been going around my home windows systems and VMs that run windows 7 (which is 7 I believe, the only other windows OS I have is XP on a dual boot laptop for games that I haven't touched in 18 months). Most of these systems get very minimal use, and probably spend 90% of their time turned off, so they don't get patches often. Probably 2-3 hadn't seen a patch in over 2 years. I patched them all, but on at least one occasion I was quite surprised that the OS at one point felt it was up to date when I knew absolutely it was not. It said no updates to apply even after forcing it to check again. Only after I manually deployed that servicing stack update (from march 2019 I think), did the system then realize that hey there were more patches after all. There are other patches that fail to install if the servicing stack update is not applied(why the servicing stack update isn't applied automatically in advance, or included with the patches in question I don't know since they don't install without it). At the end of the day it didn't matter to me if these got their patches as the risk is so low (haven't had a known security incident on my home systems since maybe 1993). The "OCD" in me just wanted to get them their last patches.

I just feel it would of been nice for MS to release a service pack that one could download as one big EXE, that had EVERYTHING (for that OS). Something that could take a windows 7 system from any patch level to the most current. Maybe the patch would be 5GB in size I don't know. But it would be simple, wouldn't have to wait hours and hours sometimes for windows update to look for updates, or track down forum posts to try to figure out why a weird update error is occurring, or in some cases like above why the system says there are no updates when you know there are. Same of course goes for XP and all of their other OSs. Would be nice if there was just a service pack released every 6 months that had everything, then at the end of the life cycle release one more. Make the service pack easily searchable and downloadable from Microsoft's site.

Another thing this big service pack would eliminate is the need to install patches, then reboot, then look for new patches, install and reboot. I wish windows update would just download everything it needs in one go even if it requires multiple reboots to install. I did in fact see more than one windows 7 reboot twice during a patch upgrade so they have the ability to even do that, install everything at one go and just reboot as many times as it needs to get it all in one cycle.

In my recent patching I found it odd how windows update would say it wants to install for example April 2019 rollup security patch and then the next rollup it wants to install is Jan 2020. I saw that (month may of been off) on multiple occasions. Did it actually get all of the patches? It claims to have them all but I really don't know how to tell for sure.

Linux has been my desktop/server of choice for almost everything since 1997, so windows is of course not my primary OS but I do still use it daily(in VMs).

Not sure when I'll consider again moving to windows 10, I have no win10 systems today but have poked around with it a bit in the past. I'd be more open to win10 if I got a build that would just stay stable for 5 years(they have the long term support builds but as far as I know those aren't available for consumers).

not great but relieved it is not much worse

Hopefully this is the last major licensing cost change for at least 5 years or so. I would expect it anyway. Of course relieved it could of been a hell of a lot worse, actual per core licensing, or the "vRAM" episode they tried at one point, or even worse still perhaps per-VM pricing which I think some/many of their add-ons have as options anyway.

Of course they may jack up the prices again in general when the next vSphere comes out, perhaps in exchange for adding in a bunch of extra features (such as NSX) that you may not need or want.

My vSphere setups have always been basic vSphere(Ent+)+vCenter. I have looked at the add-ons every now and then and never saw anything that was worth the extra money for me anyway. I priced out the vRealize suite and the cost was high enough I could of purchased a half dozen extra hosts (I'll take the extra hosts in a heartbeat). The core products in my experience are rock solid stable (assuming you are on certified hardware anyway), I have generally filed less than 1 support ticket per year for an actual problem I need fixed over the past 9 years now. Currently running about 900 VMs.

The last Vmware product I was truly excited about was vSphere 4.0(just look how packed that release was https://www.vmware.com/support/vsphere4/doc/vsp_40_new_feat.html ), everything since has been smaller incremental updates, and literally the main thing driving my upgrades was simply for support purposes. I ran 4.1 past EOL, and ran 5.5 past EOL. vCenter 6.7 has a pretty decent HTML UI finally but I'd honestly take the older .NET client in a heartbeat (I say that as someone who passionately hated the .NET client in the early days as a Linux user(still am a linux user), but I changed my mind after I saw the flash and the html clients.

(vmware customer since 1999, ESX/i customer since 2006)

this is a good bug

I often comment about how I am not concerned about many of the bugs especially the Spectre type information leaking types as overblown because I believe in the vast majority of cases they are. This Citrix bug is good though. Too bad Citrix was not able to respond with a full fix quicker, I wonder if this bug is how Citrix themselves got hacked a while back. I have been using Netscalers since about 2011 (before that used F5 mainly), and was quick to get the workaround in and then patch the systems I have when the patch came out (using 11.1 code). That pulse secure bug last year was good too (affected by that as well).

confusing article

Been doing internet stuff for about 25 years now and this article is quite confusing. It sort of implies that Netgear is shipping a certificate authority and private key that is trusted by the browsers in their firmware which would be bad(I think that is unlikely).. but it also sort of implies it is simply shipping a regular (signed by a real CA not a self signed cert)SSL cert+key(because without the key the cert can't be used to serve data) that is valid for this "routerlogin" domain in their firmware. It's probably not the best idea but to me it's far from something to freak out about. I'd assume this cert is only valid for that "routerlogin" domain so in order to do something bad with it you'd need to trick your target into thinking your IP is for that domain somehow, in which case well you can use just about any domain or cert that's valid. I can certainly understand why they did it this way vs using a self signed cert to make it easier for the users.

I learned just a couple months ago that Chrome is even more picky about SSL. I have been self signing internal certs for 15 years now(I don't use chrome) and saw some screenshots from users recently showing Chrome flagging secure sites as "not secure", after investigating determined that Chrome wanted to see some extra fields populated (authorityKeyIdentifier, basicConstraints keyUsage, subjectAltName) in order for it to think it is "secure". Whatever.

Browsers are entirely too extreme with that kind of thing.

(for reference my home "router" is a PC Engines apu2 running OpenBSD. I have a Motorola cable modem in bridging mode, and my local wifi is provided by an Asus AP in "AP" mode hanging off one of the ports of my firewall I guess you could call it "DMZ" as it has no direct access to my internal network).

Whole single vendor thing was a scam from the beginning

That BS that the DOD couldn't manage multiple vendors for this project was so weak. The government should lead by example and worked with multiple providers to work together in a standards compliant way that would of been better for all. This whole "we have to be locked in or else we can't do it" is just crap. They have billions of dollars for this thing. They should be using multiple independent vendors for all layers of the system.

This whole JEDI idea should be canned.

Not that I am any fan of public cloud quite the opposite really. I've even hosted my own email and websites for the past ~22 years on hardware that I own currently in a co-lo in the bay area.

maybe fair?

Qualcomm tried to get in on the server CPU market only to throw in the towel shortly after making a big splash. Intel competitive pressures? Then Intel tries to get in on the modem market and I guess Qualcomm beat them back. What is sort of strange though is both companies have vast resources, they both gave up too easily. Both sides seemed to have fine working products even if they were not best in class.

makes sense

If you are super paranoid and wanting to be the most secure you can be. Security is like backups. You have to judge for yourself what you are protecting against, and how best to protect that. What are the risks vs costs of the mitigation? For me it's easy, I believe these side channel attacks are WAY overblown and as such have actively avoided firmware updates from my vendors to patch them. At some point I'll buy a new enough system that it will probably include some of those firmware fixes, but so far I have not.

But it's nice the firmware updates are there for those that want it.

I also don't run cloud stuff. I have hosted my own email on my own server for more than 20 years now(same with my websites). I have managed internet facing infrastructure (100s of systems) for more than 20 years without a single known security incident(I have been involved in other security incidents with things that were managed by other teams or people though). So my track record and confidence is high with that in mind. I also don't run things that I'd rate as high risks for attacks, so that factors in as well. I admit that my situation is far from common, but it does annoy me to see so many folks treat security as an absolute. It's either secure or it's not. That's not true at all because there will always be security patches and vulnerabilities. Just because they haven't been publicly disclosed doesn't mean they aren't there, and in many cases doesn't mean they aren't actively being(perhaps highly targeted) exploited. Goes back to risk again of course.

If you're one of those folks that doesn't feel secure unless they have the latest patch then well go do that, but security is a lot more than just making sure you have the latest patch (and in my opinion it's the other bits that count a lot more towards security than having the software up to the latest patch).

freeze credit?

The day the Equifax news broke I froze my credit on the 3 credit companies. I sent messages to folks I knew advising them to do the same but I don't think anyone did. I've temporarily unfrozen my credit twice since then(which I believe is 2 years now). The temporary unfreeze is automatic, you set the day to unfreeze and the day to re-freeze. Perhaps I'm wrong but I think freezing credit is preferable than relying on a credit reporting service? (maybe better to do both I suppose) Though I don't see many articles suggesting this, which I find strange. Unless you are someone that regularly performs tasks that accesses this data. For me, once a year it feels like a safer thing and there is no monthly or annual fees (though there was a one time fee with one or two of the companies, I think those fees were eliminated as a result of this breach though).

SM IPMI still terrible

Shouldn't be surprised I suppose.. my last SM IPMI update(~5 years ago) part of the instructions was to wipe the configuration, I suspected that included the network configuration meaning it would no longer be accessible on the network after rebooting. But I tried anyway just in case. And sure enough yes the IPMI went offline at that point and I didn't have connectivity to it again for another couple of years (next time I went on site, fortunately had no HW failures in the meantime). Add to that the terrible documentation SM has on when firmware is updated, what is fixed etc(release notes seem more common for them on their newest stuff from the looks of it).

I replaced my personal SM server (which otherwise worked OK as in no failures anyway, my SM experience goes back to about 2001) last year with a Dell R230. For work stuff historically I use (since ~2006 anyway) HP, but in this case HP didn't offer a configuration that I wanted so went with Dell. Has worked well so far anyway. My personal server is at a co-lo and runs a half dozen VMs, though maybe will add more VMs got tons of capacity now.

Back to SM..

Since this article mentioned "X10" I wanted to see what the current situation is, so I poked around for an X10 board with IPMI

first web hit was this board:

https://www.supermicro.com/en/products/motherboard/X10SLM-F

seems recent "Single socket H3 (LGA 1150) supports Intel® Xeon® E3-1200 v3/v4, 4th gen. "

downloaded the IPMI firmware package, and at least in this case they give release notes and a list of fixes, but in the "IPMI Firmware Update_NEW.doc" file they still say in big red letters(had higher hopes given the "NEW" in the name)

"NOTE !!! Uncheck preserve configuration box during flashing (very important step for FW to work properly). All settings will be reset to default."

I suppose if you are using Windows, DOS or Linux on the bare metal that may be ok, but for me anyways running vSphere there are (as far as I could tell anyway) no vSphere related tools for IPMI config on supermicro.

At a bare minimum there should be an option where you can at least populate some basic configuration such as network configuration so you can connect to the IPMI after it resets. Hard to believe this situation is unchanged years later. I have had seamless upgrades on HP iLO and Dell iDRAC (used Dell at a company back in 2009-2010 too) on every single attempt, not a single issue over the past ~13 years. Before that I was mostly a SM customer (had a few hundred systems at one point) and firmware updates were basically never applied as the process and documentation was quite scary(I believe often required DOS floppy disk on systems that had no floppy drives, and the remote KVM/virtual media abilities did not exist at the time), and SM themselves warn you not to upgrade anyway(still warn you even today). Their processes and documentation are only marginally better today.

A while back I looked at the IPMI update procedure for Citrix Netscaler, and it was just horrifying https://support.citrix.com/article/CTX137970 ), I believe Citrix uses Supermicro as well. I tried once getting IPMI working on Citrix but ran into a wall pretty quick(I think the certs were the same on every device which caused browsers to freak out, known issue at the time anyway), just use serial console and network PDU.