* Posts by SJP

13 publicly visible posts • joined 23 Sep 2020

Fortinet says it’s all about the security ASICs

SJP

Love my FortiGates

I’ve been taking care of FortiGate firewalls for coming on 15 years and I love them.

Excellent value and the ASIC based models have been very high bandwidth and super low latency, compared with other vendors at similar price points.

Unlike other vendors which don’t use any ASIC or FPGA acceleration, enabling deep inspection even of encrypted traffic, for IPS and AV, does not punish us for performance.

The GUI is excellent now and the stability has been phenomenal for us.

New Linux kernel bolsters random number generation

SJP

Infinite states from a finite state machine?

“Generating truly random numbers in pure software is non-trivial.”

It’s more than non-trivial! It’s impossible!

A pure software implementation of a RNG will unavoidably be a PRNG, which will eventually repeat its sequence.

In addition to the output being deterministic with a known seed or internal state.

Both attributes which are very far from being truly random!

The moment the output is changed by a non-deterministic source outside of the PRNG, it’s not a purely software RNG anymore.

Malware monsters target Apple’s M1 silicon with ‘Silver Sparrow’

SJP

Re: Phoning home

Exactly. I’ve been taking care of enterprise netsec for about 17 years and so was able to witness more and more threats being clouded from cloud and CDN networks (and via SSL).

They certainly made my life more interesting! With SSL inspection and accelerated IPS.

Imagine my surprise when I first saw a user PC get malware infected from an advertisement hosted by Akamai, on a news article from a major newspaper.

SJP

Re: Obvious Target

Yeah, I bought my girlfriend and Mum each a MacBook Pro back in 2010, along with one for myself and after the initial, “How do I do?”, questions... the support requests completely stopped.

Have since upgraded to new Macs for them and that story continues. Reliable, easy to use and since they’re not local admins and I have AV software on them, easy days for me.

Microsoft will release a web browser for Linux next month. Repeat, Microsoft will release a browser for Linux – and it uses Google's technology

SJP

Re: I’m still waiting for Ubuntu hibernate

No, you seem to think that my sensibilities must follow yours.

They don't.

Hopefully you have NO binary blobs on any of your systems? Fully open source firmwares for your motherboards, network interfaces, video cards and any other DMA capable devices?

SJP

Re: I’m still waiting for Ubuntu hibernate

Mint is not Ubuntu. As you say, a derivative. Meanwhile, the official stance from Ubuntu, is that hibernate is not supported.

I know you can wrestle with Ubuntu to make it hibernate, but then you have a good chance at being confronted with a non-booting system after you perform a system update.

As it stands, I'm happy with RHEL8. Hibernate with FDE has been working just fine, including after performing numerous updates.

SJP

I’m still waiting for Ubuntu hibernate

Love Linux, been using it for 20+ years. But when is Ubuntu going to officially support hibernation?

Do we need an MS browser in Linux? I don’t.

I’d consider native MS Office for Linux though.

CD Projekt Red 'EPICALLY pwned': Cyberpunk 2077 dev publishes ransom note after company systems encrypted

SJP

Re: Air-gap

Oh, games developers like CD Projekt Red are in the business of providing their gaming customers with their SOURCE code? You are confused about what and how the air-gapping solution is used and what it protects.

SJP

Re: Air-gap

I see that you didn't get to the part where I said...

"But then... COVID-19 threw a massive spanner into the works."

SJP

Re: Air-gap

If you want to be pedantic about the term, "major company", it has nothing to do with number of employees. It's about revenue. On that basis, CD Projekt Red also would not be considered a major company, but I wasn't being pedantic with my use of that term.

Avoiding air-gapping even outside of a pandemic, does not refute the benefits of air-gapping. The point I raised about COVID-19 throwing a spanner in the works, is merely to say that a pandemic makes air-gapping essentially impossible to work with during that pandemic.

I've personally been involved with numerous air-gapped systems/data in corporate law. Where teams of people had access to systems and data which were physically and logically confined.

Air-gapping is a thing and it's not just used inside mountains by NORAD types. Other industries use air-gapping also. It's used for life critical systems, major infrastructure, finance and it is also used in software development.

The outcome here says it all though. If it is vital to your company that the Intellectual Property in your source code be kept secured, under normal circumstances air-gapping with minimum privs can be a viable option. It certainly is for some.

SJP

Air-gap

I want to say, “When will major companies learn!? Air-gap your most important Intellectual Property!”

Avoids theft and denial of access to it.

Closed source code crucial to the future of the company, should not be addressable outside of the company. And only key internal staff should have the physical and logical ability to create encrypted backups, as a part of their job requirements.

No Internet connected servers, no WiFi, no Bluetooth, no wireless keyboard or pointing devices, no USB access.

But then... COVID-19 threw a massive spanner into the works. :(

So the next best thing, NetSec with extensive defence-in-depth, minimum privs across the board, move fast on updates, encrypted data at rest and in flight, etc.

Watch this space: Apple offers free repairs for the self-bricking Apple Watch SE and Series 5 wearables

SJP

18 hours is Apple butt covering

I have a series 5 Apple Watch and found that if I disable all the features that I don’t use, I get 4 - 5 DAYS between charges.

Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names

SJP

Not surprised

I lost access to my DNS records that were hosted by GoDaddy.

Reason was because they’d deprecated their vanity nameserver service and as such their DNS web management no longer recognised my name server addresses as being one of their DNS servers. Even though they resolved to GoDaddy IPs, which then reverse resolved to GoDaddy nameserver names.

Support and supervisor insisted that they were not hosting my DNS records (when in fact they were!) and that they could not help me any further. And even offered to send me a basic primer on how the Internet works! Never mind that I've worked as a network engineer, starting with an ISP going back to 1991!

In the end, I moved all of my domains and those I was responsible for, away from GoDaddy. If their support staff are so inept as to not be able to recognise that they are even providing you a service and they actively refuse to escalate to someone competent, your service is at great risk.

They should not be in business.