Re: these are all a bit weak
@bexley
do you work for IBM?
There are certainly some mind-melting levels of incompetence going on there over the last few years.
430 publicly visible posts • joined 14 Sep 2016
@LDS
IOS is derived from Unix / Linux; also they have this thing called IOU, which is IOS On Unix. Cisco are effectively moving their IOS to UNIX where they can, I guess to have a common platform like Juniper does. It's effectively a Unix OS that runs IOS, so the original comment wasn't totally wrong; just not all Cisco systems run Unix, but it does look like their intention is that all will.
https://learningnetwork.cisco.com/blogs/vip-perspectives/2011/04/12/cisco-ios-on-unix-labs-are-available-now
The code is not proxy-aware, and the kill switch would not work in well-structured environments where the only access to the net is via a configured non-transparent proxy.
Enterprises will need to think a bit harder about how they ensure the kill switch is effective this time. The miscreants won't make this same mistake next time.
Talking about the kill switch is good; it wouldn't have taken the miscreants long to work out something was not right anyway.
Unified Comms anyone? No handsets, just a headset attached to the computer via USB or Bluetooth for the execs.
What could possibly go wrong?
Maybe critical infrastructures should use a separate dedicated network for voice, using protocols not compatible with TCP/IP, to connect handsets to hardened gateways that can then connect to a provider's phone network, but crucially using the same physical connections as the data network.
Maybe that's too radical an idea?
@Tom
Nothing wrong with using routable addressing internally.
Easily blockable at the border, especially when those addresses need NAT to get out.
Route those addresses, from the internet's perspective, to null anywhere on the net other than the site where the addresses are used, and you're golden; the internet will then never be able to reach those hosts as they won't exist where the net thinks they do.
Explain that to the people who regard the fact it uses some form of encryption as proof it's safe to go on the net.
Also re hard-coded passwords, what about Windows service accounts whose passwords never change, or passwords of last resort that never change (only usable once the central authentication system is unreachable)? There are some use cases where a hard-coded password is the only option, but an admin process should change that password on a regular basis.
@Norman Nescio
Don't forget the government sold all those assets to the public when it floated BT on the stock market.
The public purse initially purchased the assets, but they were then sold.
I guess you are suggesting the assets were sold off too cheaply? To understand that you will also need to account for the additional taxes BT paid since privatisation as they became more profitable and expanded into things like mobile and BB.
I'm well aware of the costs of leased lines and the hassle of wayleaves. It's expensive for a reason. You can get any speed you want anywhere you want so long as you can afford to pay for the connection. The connection being the physical fibre, civils, lawyers, and active kit at each end, plus the staff to hook it all up and do meaningful stuff.
Ofcom are ploughing on regardless of the actual costs of connecting domestic households with proper connections that'll last the next hundred years or more. The altnets are paying lip service to connectivity, doing it as cheaply as possible, almost surface ducting etc.
The future is wireless. FTTP is an expensive side show. If you want FTTP, do it properly and robustly and hopefully with more than one provider doing last mile. Beating up the incumbent, lowering prices, reducing the incentive for others to compete, is nonsensical. Third-party BB over OR provides next to no reason for OR to improve. Third parties able to choose OR or Virgin incentivises OR to improve their offering and will keep prices competitive.
Not missing the fact about Openreach's ducts at all. The point is to encourage an alternate last mile like Virgin's. Virgin won't build unless they know they can convert homes passed into customers. Having more ISPs selling will encourage wholesale uptake, hence opening up Virgin and altnets to third parties will convert more homes passed into active usage, therefore spurring more competition in the access market. That's the point.
The best way to get ubiquitous cheap fibre everywhere is to force Virgin and the altcomms to also allow third parties on their network, a la Openreach with xDSL etc. Virgin will soon get greater take-up in overbuilt areas, forcing BT to go fibre there to maintain market share. Altcomms will then be like Kelly Comms is to Openreach, and will be spurred on to build out fibre to meet the demand of the big ISPs like TalkTalk and Sky customers.
Drumming away at BT making fibre cheaper will not encourage others into the market as the returns keep getting diminished by Ofcom policy.
@jmch
"Cloud" done properly means data and processing are both shared across multiple data centres, and replicated on 'disaster recovery' data centres.
And just who is interested in doing cloud properly?
People (especially management types & aspirational techies) who hear "cloud" expect their single instance running in a single region to be instantly immune from any outage, whether that be a network outage or service failure, without understanding that it takes a lot more than just hosting an app in a cloud DC for the app to be resiliently available.
"This isn't an old client-server environment where the server fails and everything goes down"
Client-server is easy to make highly available and resilient: make it sessionless, put some load balancers in, get creative with DNS, have the same solution running in multiple geographically diverse DCs, replicating the data, and then give the methodology a catchy title so those above can sell the spend, like "cloud".
I'm sure Baidu know what they are talking about; not sure others do.
"But the vast majority of visa holders are no more skilled than US workers and are being hired solely because they will work harder for less."
These people need to work smarter, not harder. That's the problem with outsourcing when you have no clue what it takes for the work to actually get done.
The outsourcers will just up their charges if H-1B gets more expensive. No one will bother to hire local instead because the confirmed story/perception is that there is no local talent.
Most people moaning about the take-up rate for IPv6 do not have a clue about how organisations use IPv4 and the challenges they have moving. It's not all about connecting to Facebook or Google.
When your business systems have been built on IPv4, the designers, architects and programmers long gone, you're locked into legacy systems that barely function on IPv4 without an array of kludges; it's impossible to migrate that mess to IPv6. It needs a rebuild, and no one wants to spend the money rebuilding something that works reliably. Permitting the public IPv6 access to your website is trivial in comparison, and I imagine reverse proxies are already in place providing invisible translation.
IPv6 has many, many flaws, many of which could have been designed out if they had bothered to learn IPv4's lessons or if it had been developed later. The design of IPv6 looks like Ethernet protocol engineers took umbrage at TCP/IP and tried to make a better L3 that could replace L2, the original intent of course being for IPv6 to use the interface MAC address for the last part of its L3 addressing. The anti-NAT posture was relevant in the 90s, but we have all moved on now and NAT is a valid mechanism for obfuscation and preventing unsolicited access across routed domains. Don't fall into the trap of believing a firewall is the great saviour. Firewalls protect badly configured systems from unwittingly exposing vulnerable connection sockets. If the application had proper security controls there would be no need for a separate system to protect it. A firewall configured to allow access will not prevent a vulnerable app from being compromised; fixing the buggy software does that. Hundreds of millions of phones and tablets that are used to process and store sensitive information are on the internet right now with no firewall and have not caused a huge security incident, as they have not been compromised.
We need a better IPv6, or IPv8 or whatever: one that is backward compatible so the many thousands of internal legacy systems still work, and takes into account the many lessons learnt in IPv4 that won't or can't be incorporated in IPv6, proper one-to-one NAT being the most obvious missing piece. Proper NAT goes a long way to migrating to a new system.
We are not terrified. We just want a better solution. IPv6 is broken, introduces security issues resolved years ago in IPv4, and adds additional complexity (how many IPs per host, and when you have 2 or more on a subnet how do you tell which one is sending traffic when you're a hop away & the hosts are continually changing IP?).
IPv4 is structured and ordered; IPv6 is expansive and determined to be borderless and boundless, which makes security accountability and auditing difficult for professionals with thousands of £$ of tools and near impossible for the typical home user.
There are not enough Autobots to save us from the Decepticons come IPv6 judgement day.
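An added example, not from the thread, of the MAC-derived addressing the post above refers to: the modified EUI-64 construction that SLAAC originally used to build the host half of an IPv6 address, plus the reverse mapping an auditor can apply to tell such addresses apart from the rotating (privacy-extension) addresses the post complains about. The prefix and MAC addresses are constructed sample values.

```python
"""Added example (not part of the thread): modified EUI-64 interface
identifiers, the original SLAAC scheme that embeds the interface MAC in
the IPv6 address, and the reverse check an auditor can run on a log.
All prefixes and MAC addresses here are constructed sample values."""
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE between the OUI and the device part, then flip the
    # universal/local bit (0x02) of the first octet (RFC 4291 appendix A).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC originally did."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def looks_eui64(addr: str) -> bool:
    """Auditor check: does the low 64 bits carry the FF:FE marker in the middle?"""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return ((iid >> 24) & 0xFFFF) == 0xFFFE


def recover_mac(addr: str) -> Optional[str]:
    """Reverse the construction: the embedded MAC, or None if not EUI-64.
    This is exactly why EUI-64 addresses let a hop-away observer track a
    device across prefixes, and why privacy addresses replaced them."""
    if not looks_eui64(addr):
        return None
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1::/64", "00:1a:2b:3c:4d:5e")
    print(addr, "->", recover_mac(str(addr)))
```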
"Within the scope of this paper, a covert channel is understood as “a network connection that disguises its byte stream as normal traffic” [33]. Protocol steganography [34] for hiding and side-channeling data in unused fields or encoding data in existing field values can be considered a valid technique for covert information exfiltration. However, for newly-developed tool implementations described in this paper, exfiltrated data is directly stored in the protocol payload. This being done in order to test and verify the developed techniques in principle without using additional obfuscation approaches,......,"
Why rule out encryption and how do you inspect IPSec encrypted traffic across anything including GRE?
Bollocks indeed.
One of the principles of IPv6 is IPSec encryption. Tunnelling IPv4 over end to end IPSec encryption precludes inspection. Are you suggesting Man In the Middle IPSec encryption ala Bluecoat with https?
Despite its age, IPv6 implementations have a long way to go to reach the maturity of IPv4.
Maturity brings security (due to problems being overcome, understood and mitigated).
They probably got the info some other way. Perhaps someone in CBP had a chat with someone in the NSA or CIA or FBI or some other TLA we know nothing about as yet. The person behind the account may need to think carefully about what gets tweeted next. It may well be their last, unless of course some other TLA is running the account putting out misinformation like in Homeland.
If they don't market their product, how am I meant to know about it and include them in my purchasing decision?
If I'm looking at phones in Apple's price range, why would I buy some phone from a manufacturer I've never heard of & don't know anyone that's ever used one? If celebs are using the brand it's likely to be in the press, on TV, and people are likely to be talking about it. If I've heard about the brand, seen people using it and it's in the shop when I go for an iPhone, I'm likely to take a look. That's why marketing is needed. The sooner Mr Ren gets it the better for Who Are We or WahWe or whatever.
How bad is the special build for China in the privacy department?
If it's better, can the rest of the world also use the Chinese Win10 edition?
On a related note, it looks like the spooks have found a way to spy on the world and get the public to pay for it. Google web searches show them what we look for, Amazon Echo listens to our conversations and now Windows PCs give them everything we are doing with our machines.
I guess they will nobble future processors so they will only run current (as of the future then) versions of Windows, and people will choose to run spy-on-you-by-design Windows as only terrorists will install an alternative like Linux, or only rich people can afford to buy non-spy-on-you OSs like Mac OS.
People need to start voting with their wallets and let M$ & the TLAs know they can't get away with this.
As I've written plenty of times, you need to understand routing in order to understand this.
https://tools.ietf.org/html/rfc1918
page 5
Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links.
Routers in networks not using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private networks. If such a router receives
such information the rejection shall not be treated as a routing
protocol error.
Most routing is destination routing and doesn't look at the source IP. While ISPs should drop traffic with RFC 1918 source IPs, it's a SHOULD rather than a MUST. If you had a basic understanding of routing you'd understand why you see RFC 1918 addresses hitting your public IP, regardless of what the ISPs should or shouldn't be doing.
Like I've written countless times, it's ROUTING!
The traffic is routed to your destination WAN IP regardless of its source IP. ISPs should drop it as no one can route back to the RFC 1918 addressing. It was more of an issue when bandwidth was low, but now not so much. When troubleshooting and checking logs it's useful to know traffic is routing through but the NAT isn't configured properly. The destination would send the SYN-ACK but the source will never receive it. Anyway, all the destinations in your logs are your WAN IP; none will be your LAN IPs, as the Internet can't route to RFC 1918.
You've obviously got some deep-rooted, wrong, paranoid ideas about how this works. Maybe learn how basic routing works, and especially the basic mechanics of routing.
So you don't understand routing. You route to the destination. When you route you're not so fussed about the source; just get the packet to the destination. There is no way to route back to an RFC 1918 address across the internet without NAT or a VPN. If you think your ISP is colluding with law enforcement to infiltrate your LAN you're either stupid or up to no good; either way a firewall, VPN or encryption won't stop them from getting access to your stuff. For everyone else that accepts that the authorities will make life very difficult for you in their pursuit of data, NAT is effective against opportunist hackers happening across their WAN IP.
iOS devices have no firewall, yet we don't hear of them getting hacked across the internet. (Yes, they have a reduced attack surface.)
http://apple.stackexchange.com/questions/48060/does-ios-have-a-firewall
As Charles 9 said, "You can't fix Stupid."
That is very true; God knows I've tried, but you just won't understand.
You lack an understanding of what NAT is, what routing is and what a firewall is. RFC 1918 addresses can't route to anything on the internet without NAT; the Internet can't route to RFC 1918 without NAT. If you run NAT on your LAN, someone not directly connected to your LAN can't connect to your internal systems without esoteric cooperation from your ISP, regardless of whether you have a correctly configured firewall or not. NAT can't connect to a session that does not exist.
If you're worried about law enforcement getting your ISP to route to your NAT'd addressing, you seriously have other issues that a firewall, VPN or whatever you can think of won't help with. If you don't want an opportunist hacker scanning random IP ranges deciding to hack your home, NAT will fully protect you against that.
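The routing behaviour argued over in the posts above, as an added example that is not part of the thread: a forwarding table is keyed on the destination only, so a packet with an RFC 1918 source is delivered to the WAN IP like any other unless the border router applies an explicit source (ingress) filter, and any reply to that source dies at the null route. The routing table, packets and log lines are all constructed sample data.

```python
"""Added example (not part of the thread): destination-only forwarding
versus an RFC 1918 source filter at the ISP border. The routing table,
packets and firewall log lines are constructed sample data."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed FIB of an ISP edge router: prefix -> next hop.
# Private prefixes are null-routed, as the thread suggests, so there is no
# path back to them: a SYN-ACK sent to a private source simply vanishes.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "customer-link",
    ipaddress.ip_network("198.51.100.0/24"): "peer-b",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}
ROUTES.update({n: "null0" for n in RFC1918})


def is_private(addr: str) -> bool:
    """True when the address falls inside one of the RFC 1918 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def lookup(dst: str) -> str:
    """Longest-prefix match on the destination; the source is never consulted."""
    a = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def forward(src: str, dst: str, ingress_filter: bool) -> str:
    """Next hop for a packet, or 'drop' when a source filter is configured
    and the source is private. Without the filter the packet goes through."""
    if ingress_filter and is_private(src):
        return "drop"
    return lookup(dst)


# Constructed sample of a home router's WAN-side firewall log.
SAMPLE_LOG = """\
2024-01-01T10:00:01 SRC=192.168.0.77 DST=203.0.113.7 PROTO=TCP DPT=443 SYN
2024-01-01T10:00:02 SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP DPT=22 SYN
2024-01-01T10:00:03 SRC=10.8.0.3 DST=203.0.113.7 PROTO=UDP DPT=53
"""


def private_source_hits(log: str) -> list:
    """Private source addresses seen on the WAN side: they arrived through
    destination routing, and our replies to them go nowhere."""
    hits = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "SRC" in fields and is_private(fields["SRC"]):
            hits.append(fields["SRC"])
    return hits


if __name__ == "__main__":
    for src in private_source_hits(SAMPLE_LOG):
        print(src, "arrives via", forward(src, "203.0.113.7", False),
              "| reply would go to", lookup(src))
```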
"The seats were thin and uncomfortable; and they cranked the heating up, which made it an unpleasant sweaty experience."
Hot planes remind me of a horror Air India 747 flight from Mumbai to LHR. The plane looked like it had never had a refit, still had the old projectors stuck to the ceiling, broken of course. More crew than passengers, and it had a fault resulting in 4 hours of delay and multiple returns to the gate before they decided to just get on with it. It was roasting on the plane all flight. So glad to have gotten off that thing.
I prefer a cool temperature; it makes me feel less claustrophobic. If it's cold, wrap up in a blanket rather than make everyone else hot, uncomfortable and bothered.
What a great way to encourage others into the market by regulating down the wholesale cost of the incumbent monopoly. Anyone with any plans for doing last mile now has to contend with their bigger, better-resourced rival becoming cheaper.
Well done OFCOM.
This news would be welcome in the energy market though. OFCOM & OFGEM should switch roles.
The problem is that the older, wiser sales guy will likely sell you the right solution the first time. That robs Big Blue of earning through the customer's mistakes, misunderstanding the deliberately misleading information presented by a fresh, eager-to-impress, highly certified but no-experience youngster. IBM's competitors (& internal divisions), especially in government accounts, have shown the way in this regard and the customer rewards them with money.
You might not have got fired for buying IBM, but IBM was losing potential sales.
We used to believe that only oppressive regimes like North Korea, China and Russia behaved in this way.
Seems the tables are now turned and the USofA are the ones micromanaging their citizens to the extent they are listening in on their conversations and observing their unguarded behaviour.
No outside remote access for the admins, yet the hackers had complete remote control. The inference is that the systems were public facing, so we have a super-secure DC that's open to the internet with no remote admin access, requiring a techie to get on a plane and console into a system to access the CLI and do stuff to it. If that was the scenario in the finance (PCI DSS) or gov't (IL3) places I've worked in, people would be fired and changes made. No remote admin access would fail the accreditation.
To the chap from Norwich, surely riding a bus across town is quicker than going to the airport and catching a flight?
Re $TLAs, I'm sure multiple redundant systems would ensure waiting for a tech to arrive was part of the plan, but I'm also sure services were not left vulnerable to exploit awaiting a techie to fix something.
Technical accuracy???
Who gets on a private plane to fly to a remote lights-out DC and fiddle with some servers that are being hacked? If it's that important, either have remote KVM access, out-of-band access even if it's by dial-up, or have someone at the DC that can either turn something off or is skilled enough to stop the attack. It's cheaper and quicker than driving to an airport, getting on a private plane and then getting to the DC at the other side. Even with dial-up out-of-band I'd be able to sort a remote server or network device quicker than the drive to an airport from an office.
I struggled to watch the show as it's full of other inaccuracies. Never made it past (I think) episode 4.
Same story at any largish company in any company.
Take the NHS: some utterly incompetent, downright dangerous, holier-than-thou, god-syndrome fuckwits interspersed with some genuinely saintly, amazing, experienced individuals that can save your life just by chance overhearing a conversation about your symptoms whilst rushing down a corridor to save someone else's life (like House, but for real & without all the nonsense & theatrical performance).
You always want more of the great but I guess you need the terrible ones to fill in the gaps and bump up the costs.