* Posts by Recluse

23 posts • joined 22 Jan 2020

BOFH: You. Wouldn't. Put. A. Test. Machine. Into. Production. Without. Telling. Us.

Recluse

Re: The guy's here...

Many years ago, on logging onto a website and being advised that I was required to change my password (and as a recent convert to the joys of the password database) I rather smugly decided to update my password to a super secure (so I thought) 30 digit one (system specified a minimum length of 10 characters).

Auto generated new password and cut/pasted into requisite field, which was duly accepted and confirmed updated. Completed my business on site and logged out and happily went on my way.

Next time I came to logon my password was rejected as invalid - impossible I thought as its recorded in a database and was copied/pasted.

So I used the reset password link and updated my password once again, however next time I came to logon again history was repeated - updated password invalid.

It was only much later I discovered that said system not only had a minimum length but also a maximum field length ... which I consistently exceeded, presumably it arbitrarily shortening my input.

That will teach me to be smug (would still wish to shoot the developer - where was the error checking?)

Remember the bloke who was told by Zen Internet to contact his MP about crap service? Yeah, it's still not fixed

Recluse

He needs to migrate to Andrews and Arnold (AAISP)

Seems a classic case to let AAISP loose on BT Openreach

More here https://www.aa.net.uk/broadband/we-will-fix-your-line/

Microsoft releases Windows 11 Insider Preview, attempts to defend labyrinth of hardware requirements

Recluse

Re: Check out Pi-Hole - run on a VM if necessary

I basically block anything Microsoft related at my pfsense firewall until such time as I need to update my Windows VM at which point I temporarily enable access.

Note there are wider implications in blocking Microsoft eg Azure hosted websites etc. This can be overcome by segmenting your network devices into access lists - appreciate I am a bit of a tin foil hat in this regard. Unfortunately privacy requires some effort (and occasional inconvenience).

ASN numbers listed for Microsoft shown here

https://whois.arin.net/rest/org/MSFT/asns

If you are using pfsense firewall this article describes how to block ASN numbers

https://dannyda.com/2021/04/22/how-to-block-asn-autonomous-system-number-with-pfsense-firewall-how-to-block-an-organization-using-pfsense/

Recluse

Re: Check out Pi-Hole - run on a VM if necessary

I run a Windows 10 VM (to cater for a few necessary programs - e.g. Microsoft Money) within a Linux Mint desktop. I also run pfsense with the pfblockerNG add on - this provides a DNS sink hole capability as well as IP blocking.

Originally I just added every combination of Microsoft DNS associated names to the sink hole, but still there appeared to be a lot of data being extracted.

I eventually (as far as I can tell) blocked this by adding every Microsoft ASN number I could find (currently 29 in my list) to the IP blocker within pfblockerNG.

Every time I boot the VM my firewall logs fill up with attempted connections to Microsoft allocated IP addresses.

Moral if story - if you want to block Microsoft do it at the IP level

Nominet ignores advice, rejects serious change despite losing CEO, chair, half its board in membership vote

Recluse

Drain the swamp ...

As my eyes descended through Kieren's latest update the more my eyebrows rose ... shortly thereafter my jaw joined in and descended, ultimately hitting the floor when I reached the bit about Eleanor Bradley (recently been removed from the board) now being appointed as interim CEO. Talk about waving two fingers at the membership!

I wonder if this might act as a catalyst for EGM number 2 (similar to the way the shutdown of the Nominet forum during the AGM seemed to have been the final straw last time)

Of course where money is involved those currently in control are unlikely to depart voluntarily ... I fear this may be a long slog to drain the swamp, let us hope Public Benefit are up for a further fight

As battle for future of .UK's Nominet draws closer, non-exec director hits a nerve with for-profit proposal

Recluse

Re: To: support@ionos.co.uk

An alternative registrar ?

Mythic Beasts - see here https://www.mythic-beasts.com/domains

(and as an added bonus in the forthcoming vote, they have already declared to oust the current Nominet squatters)

What's CNAME of your game? This DNS-based tracking defies your browser privacy defenses

Recluse

Re: Smug bastard is smug.

Or indeed pfblockerNG on pfsense (which IMHO. is a pihole on steroids)

See here (article is a couple of years old)

https://linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

Angry 123-Reg customers in the UK wake up to another day where hosted mail doesn't get through to users on Microsoft email accounts

Recluse

Re: Recommendations please

Yes likewise - highly recommend Mythic Beasts as well

Microsoft accused of sharing data of Office 365 business subscribers with Facebook and its app devs

Recluse

ASN blocking, not individual IP, is the way to go

@Binraider

If I have understood your intentions correctly, I think that blocking individual Microsoft IP addresses will be akin to "wack a mole" much better to block at the ASN level.

As indicated in my original post one of the third party packages I use in pfsense is called pfblockerNG (pfBlockerNG-devel v2.2.5_33) which allows DNS and ASN blocking. Amongst its killer features is it will automatically check and update ASN lists so as additional subnets are added/removed from an ASN it will update the firewall block lists without any further intervention.

Looking at my firewall logs this morning (post Windows 10 VM boot) I can see the following IP addresses (all Microshaft) on port 443 blocked

52.114.75.79

13.69.68.25

13.80.7.77

52.114.132.73

These are different from those I listed yesterdays and would not be blocked via DNS (no entries listed for IP's)

Personally, if you can, I would recommend switching to pfsense full stop. It is very sophisticated and also free open source software! While pi-hole is good (and has a very low hardware requirement) pfsense is IMHO streets ahead in functionality.

For pfsense higher specification hardware will be required but its still relatively modest. I use an Intel NUC (see here https://www.mini-itx.com/~JBC313) which is powered by a 36w supply. Whatever hardware you use for pfsense its strongly recommended that it has Intel NIC’s and AES-NI on the chipset.

Frankly (whilst I am only a home user) I would feel naked without pfsense. Its also excellent for configuring VPN inbound/outbound connections.

Recluse

Blocking Microshaft - that's what you think

Going off at a tangent - I run a Windows 10 Pro (2004) VM on my Linux Mint desktop. I also run a pfsense firewall with the pfblockerNG package installed.

Obviously I have blocked Microsoft at a DNS level but have also blocked all Microsoft ASN I can find (25 so far). I will allow access to Microshaft but only when I decide its appropriate (eg Windows update check) otherwise the VM Win 10 client is blocked.

As soon as I booted the Windows 10 VM this afternoon pfsense reported that it tried to establish a connection (443) to these IP's

52.114.128.43

52.114.77.33

Whois shows they are both Microshaft

NetRange: 52.96.0.0 - 52.115.255.255

CIDR: 52.96.0.0/12, 52.112.0.0/14

NetName: MSFT

NetHandle: NET-52-96-0-0-1

Parent: NET52 (NET-52-0-0-0-0)

NetType: Direct Assignment

OriginAS:

Organization: Microsoft Corporation (MSFT)

RegDate: 2015-11-24

Updated: 2015-11-24

Ref: https://rdap.arin.net/registry/ip/52.96.0.0

Conclusion

You may block Microsfaft at an DNS level but it appears to have some hard coding for IP addresses to circumvent this.

As I am somewhat neurotic I operate a similar ASN policy for Facebook. Google, Oracle, Adobe, Yahoo. Twitter, Telegram and Amazon. It can be a bit wearing at times but at least I decide who has access to what.

Whilst I am only a home user I also operate a default block outbound policy on pfsense - stops any IOT devices phoning home unless specifically authorised.

Think I'll go for a lie down now ....

Macs, iPhones, iPads to get encrypted DNS – how'd you like them Apples?

Recluse

Re: Good & Bad

Interesting article entitled “ A New Needle and Haystack: Detecting DNS over HTTPS Usage“ on the SANS Institute here

https://www.sans.org/reading-room/whitepapers/dns/needle-haystack-detecting-dns-https-usage-39160

IMHO for those who like to see what’s going through their networks and the security conscious, it does not make for happy reading ...

Recluse

Re: Better late than bleeding edge?

Going "off topic" if you are already using pfsense, I would highly recommend that you investigate using its inbuilt DNS server (DNS Resolver) along with a superb third party add on package (installed from its package manager) called pfBlockerNG-devel (current version 2.2.5_33) which has massively more functionality than PiHole eg can also block IP's by ASN (auto updating).

Handy when you block certain domains, the owners of which then hard code IP's in their code to circumvent DNS blocking - yes Microshaft I am looking at you

Whose side you on, Nominet? Registry floods .co.uk owners with begging emails to renew unwanted .uk domains

Recluse

We aim to lose by the smallest margin ...

I recently disposed of my longstanding .com domain of 20 years standing and moved to a .uk domain on the basis of its much cheaper annual charge (£6 v £12). Then there is 20 % VAT on top as well which is not insignificant. As I recall when I started with the .com it was £4.50 pa.

There way I see it the wider trend is for domain registration to be monetised, hence the only way is up. On acquiring my .uk for this very reason I paid 10 years up front.

As an aside I was originally with 123reg.co.uk registrar, but IMHO found their behaviour unethical. Their hard sell of the associated .uk domain to match my (then) .co.uk was the final straw. Have been much happier since I migrated out to my new registrar. I hope the reader will forgive a personal recommendation for a private company run by proper techs - yes I’m talking about you https://www.mythic-beasts.com/article/about

Logitech Zone Wireless: Swanky headset means business, but that also means it comes with a hefty price tag

Recluse

Re: Not been a fan of Logitech for some years.

Whilst I do not disagree with the sentiments of the previous poster, to provide some balance, at least as regards Logitech Media Server, I would observe that they still maintain the infrastructure to support the associated mysqueezebox.com

Also (as I understand it) on discontinuing their hardware products they released the Logitech Media Server (aka Slimserver) software under a GNU Public Licence. Then of course we still have the indefatigable support of Logitech developer Michael Herger in their forums, who also works on the open source side as well.

Logitech Media Server software IMHO is a peach of a product. The outcome could have been worse ... and all is not bad as regards Logitech

Openreach tells El Reg it'll kill off copper sales in 118 UK locations next year

Recluse

Just to clarify (in case anyone is looking for “Gattacre” in the BT bumph) Mr Norton has spelled Gateacre as it as it is pronounced locally in Liverpool).

Ooh, watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine

Recluse

Startpage tarnished ?

Worried about your privacy ? there are suggestions that Startpage is no longer "clean ... sort of gamekeeper turned poacher.

"Recently there has been lots of talk about Startpage being acquired (or at least partially acquired) by a US company called Privacy One Group, which is a division of System1, a “data science” company that specializes in targeted advertising"

More here

https://restoreprivacy.com/startpage-system1-privacy-one-group/ and here https://blog.privacytools.io/delisting-startpage/

Remember that Sonos speaker you bought a few years back that works perfectly? It's about to be screwed for... reasons

Recluse

Re: Makes logitech look like....

When there are excellent open source solutions available, I have always struggled to see what was the attraction for Sonos equipment (beyond its supposed plug-n-play setup) but that is unlikely to be a concern for the techies here. An earlier poster has commented about the continuing availability of the excellent Squeezeserver (aka Logitech Media Server) and I would likewise highly recommend the software and its underlying ecosystem.

My home music system runs on multiple Raspberry Pi 3 Model B's with added combined DAC/AMP HAT running PiCorePlayer OS with Logitech Media Server on my NAS. Add in iPeng running on any Apple Device (and a set of loudspeakers) and you have a fully functional system that can play synchronised music across my whole house.

Added hi-lights

Multiple plugins available for added functionality eg Tidal, BBC iPlayer, Spotify etc ...

Active and incredibly responsive developers (donating their time free)

For anyone interested in exploring further I have posted some links below to various sites (this is only really scratching the surface as the possibilities are almost infinite)

(A) Logitech Media Server (LMS) https://forums.slimdevices.com/forumdisplay.php?27-Logitech-Media-Server

(B) LMS Plugins https://forums.slimdevices.com/forumdisplay.php?4-3rd-Party-Software - a particular shout out for Micheal Herger (LMS & Spotify) and BPA (BBCiPlayer and iPlayExtra)

(C) PiCore Player OS download https://www.picoreplayer.org/ plus wider explanation of your multiple options

(D) PiCore Player support https://forums.slimdevices.com/forumdisplay.php?3-Linux-Unix

(E) iPeng http://penguinlovesmusic.de/ipeng-8/ (check out iPeng support thread within forum link B above (This is NOT free but well worth the modest charge - my only connection is as a happy user)

(F) DAC and AMP HAT http://iqaudio.co.uk/hats/9-pi-digiamp.html (other suppliers are available eg https://www.hifiberry.com/shop/)

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2022