2200 posts • joined Monday 31st May 2010 16:59 GMT
Re: @Trev - IPMI?
Yeah; I'd have to agree. My gripe with Supermicro's IPMI is that the KVM client runs on Java...but otherwise, solid stuff. There's a look into it here: http://www.theregister.co.uk/2013/04/22/dont_buy_without_ipmi/
Re: Like for like comparison required
Derp; I meant 64-bit ARM.
Re: Like for like comparison required
If and when a 64-bit Afom falls into my lap...
Re: Still prefer a HP 54L
Uh...the Centerton has two hyperthreaded cores...
But for tossing a few Linux VMs that just wake up, respond to something and go back to sleep it's not a bad little box. It's a lot less of a pain than trying to build some Raspberry-pi-alike box for each function then lashing the lot of them to a pole. Standard software, standard management tools, etc.
It's "good enough" for a lot of things that might have driven me to ARM. Which, really, is the only reason the thing exists in the first place, so it's doing it's job, I suppose...
Re: Elephant time again
This is addressed in a future article.
Re: Good article, but...
I've evaluated about 8 different levels of subscription. Most of the articles you'll read are Enterprise E3 based subscriptions, simply because when you spin up a trial that's the version you get. If you have questions about other subscription levels, let'er rip; I've probably used them at some point...
Re: Self Inflicted
Ah, the cryptonomnomnom. One of my favourite books; and lo: this past month I've taken up with a gaggle of folks who are displeased by "cloud + patriot act" symptom combo. They're building a datahaven: life imitates fiction once more.
Beer, because it's the closest thing to melted gold.
Re: Self Inflicted
I want you to listen very carefully here. This is important: if Microsoft is a marketing company then they are the worst marketing company on Earth.. I say that as someone who owns a marketing company! They possess no clues. None of them. None of the goddamned clues.
"Stop picking on us."
I believe my bare minimum requirements for Microsoft to start earning back my trust were quite clear. They are here.
I'll not hold my breath.
I can not adequately express my sorrow that we share a common genetic heritage.
But I was daft to speak out against all this, eh? To the nether hells of the dark Ribbon Squared Boxed 33/66 Metro canyon for you lot, then!
Re: Good guys?
Except it is under you control. So much for your righteous anger!
Re: Smart $hilling, Mr Pott
Hi frankg. 2000 called and it wants its understanding of the NT kernel and base operating system elements back. Thanks.
If you'd actually READ my post, you'll note that I discuss that fact that there are tons of features in the OS that are NOT MANDATORY and I even tell you why. I also said that making them mandatory would make a much more secure operating system. Microsoft even makes it; I even discussed why.
The sandboxing you discuss exists. ASLR and about a dozen other technologies exist. The issue - and it's huge - is that they don't make using such technologies mandatory, which is what allows flash to get out. It isn't because the mechanisms to make a damned fine secure OS aren't there. It is because they made a BUSINESS decision not to cut all old software (and thus their entire paying customer base) off at the knees.
Take a Microsoft operating system which has been configured to require all of the security technologies as mandatory for every single application and I would be willing to put that up against anything else out there except possibly Wind River's stuff.
Your willing ignorance to suit your own prejudices not only does you a disservice, it brings a bad name to all who practice the IT arts. There are plenty of damned good reasons to piss on Microsoft's good name. This isn't one of them. Quit fighting battles from a decade ago; you're distracting from the battles that need to be fought here and now.
One of which is to get them to make the very technologies under discussion mandatory, but it is not remotely the only battle that needs fighting. We not need pissing and moaning about how "Insecure" Microsoft's technology is. That war was fought. We won. Can we please get you on the front lines where it counts?
Re: What a joke
Bürger nicht verdient Privatsphäre oder Freiheit, sondern sie existieren, um die Ziele des Staates zu fördern!
Re: El Reg Hack - Trevor Pott
I am not the man. I don't think I can be the man. If I was the man who would I have to rage against?
Re: Fireworks Anyone
Let him. When greed + copyright clashes with privacy + information security, I vote that greed + copyright shouldn't be the one to win. Those who would blithely sacrifice the freedoms of others whilst diminishing the security of all in order to eek out a few fractions of a point of margin should be tarred, feathered and run into the oceans their brethren polluted beyond usefulness.
The viruses and other malware are the raw, unfiltered sewage. Firewalls are needed only because apps/operating systems aren't particularly secure...excepting that of late they've been a hell of a lot more secure than Adobe and Oracle's products.
In case you missed it, Windows et. al - while by no means perfect - aren't exactly swiss cheese anymore. Microsoft in particular has done a damn fine job of securing their operating system. Without Flash and Java installed, I'd cheerfully browse the net with a plugin-less Firefox on a Windows without anti-malware.
The issue is these vulnerable plugins that live in our browser and allow execution of code with elevated privileges when compromised. In fact, if they would code the damned things according to Microsoft's spec, this wouldn't even be possible to have happen.
The reason that the operating system allows Bad Things to happen is because it needs to maintain a level of backwards compatibility. The reason it needs to maintain a level of backwards compatibility is because fuckwads like Adobe and Oracle refuse to write applications that comply with modern design and security standards. The reason we're all vulnerable is because these same applications don't comply with modern design and security standards. They are the screen doors letting in the internet's filth.
MIcrosoft could make an operating system that had no backwards compatibility. Where you must comply with modern security and design principles. Then we collectively would freak out and wail that the insecure applications we are so very reliant on don't work.
Indeed, Microsoft did make such an operating system. It's called Windows RT. Frankly, given the raft of compromises on OSX lately, and the shocking number of Linux (or SSHd/HTTPd/BIND/etc, if you want to be an anal-retentive prick and try to say that "Linux is only the kernel, not the Distro") major vulnerabilities in the past several months, Windows RT is looking more and more like one of the most secure operating systems ever developed.
We still collectively don't use the damned thing for one simple reason: the shit we actually need to use doesn't run on Windows RT. And the shit we need to use is all broken, insecure and otherwise the cause of our woes.
Adobe and Oracle are like the worst kind of candy pimps. They keep you addicted to their crack so you can't go far, but they beat you senseless and refuse to change their ways, meaning you do nothing but dream of escape. I'm not saying Microsoft's been all that much better; Metro's "Fuck You, power users and people who require actual productivity" interface, that goddamned fucking ribbon, "Always On," Office 365 subscription bullying, licensing shenanigans and even DRM bullshit like "plays for sure" all come to mind. Microsoft is no saint, and I'll not defend the bastards on the whole.
But don't blame the OS. That's the part of this that actually works securely, assuming you are willing to configure it to be secure-only, and live without your self-harming crack.
Since you aren't - and I'm not either - why don't I leave you some resources that (while a little old) might prove valuable?
I hope that helps you maintain your poor security habits with minimal damage to yourself and the rest of the internet. Cheers!
So they've discovered Google FS? I thought that was an off-the-shelf thing at this point. The only real difference is that a proper P2P network would have a distributed "name node" structure (think Nutanix here) instead of the single-point-of-failure so common to the earlier implementations of things like Hadoop.
We're just talking about turning an ISP's last-mile network into a giagantic Hadoop cluster which then connects via a Fat Link to some other gigangtic Hadoop Cluster on some other ISP's last mile. (Well, not actually Hadoop, but you get the idea.)
That's (maybe) okay if you are talking about a "mostly isolated network" like xDSL, but this would play merry hob with DOCSIS-based (cable) modems and infrastructure. Google Fibre as the base? Maybe. But when you're at a Google Fibre level of "to the premises," are you really putting much compute/storage/etc in the individual house? If you were sitting on a pipe the size of the Mississippi, then you'd be a perfect candidate for "as a service" streaming and storage of all your data. Once you've that kind of bandwidth, by $deity's sake, toss your non-unique data into the cloud and let someone else deal with the headache of managing and maintaining it.
I am not against fundamental research, but this does seem as though it won't be a "peer to peer" network in the traditional sense. Interesting theoreticals on a CDN, though.
Part of a larger play
This is part of a much larger play in a long-term strategic marketing war against Google. The goal here is to gain some insight in to the best buttons to push when trying to paint Google as a privacy-violating cyber-fiend out to stomp on your puppies and steal your wife. When you can't market on merit, viciously attack the other guy with as many falsities and carefully manipulated half-truths as possible!
How very...American. Next up: did you know that the Sentaor for Internetistan is SOFT ON CRIME? It's true, they voted down this bill that would have STOPPED CRIMINALS COLD. Can you afford to elect them? Vote Douchebagus Maximus for cyber-overlord today!
Would have stripped everyone of anything resembling civil liberties, but ignore that he's SOFT ON CRIME.
It isn't the end of the world if you bork a node in a cluster. But in the past three years of updates remotely, I've had 100% success on over 250 flashes. Good enough for me to consider it solid for most use cases.
Re: Badly Designed Server = Server running Windows
The IPKVM image shows a server running ESXi...
Re: But security?!
Remote gatekeeper = router /w VPN. Repair for router = PDU with network port on main network. Worst case: someone can reboot the management network router at will. Problem solved.
Re: diurnal cycle
Actually, I have sleep phase disorder. Left to my own means, I naturally fall into sync of sleeping at 4am and waking at noon. It's certainlh timed to the passage of the evil daystar, but significantly offset from the middle of the bell curve.
The difference is price. The cost of this enterprise-standard tech has come down enough for there not to be an excuse for its inclusion in even the most basic of SMB gear. The tech is mature. The pricing is a transformative element enabling far wider adoption than was possible even two years before.
Re: another advert for supermicro?
Enterprise vendors have had this for ages, but lots of folks who make "whitebox" kit (ASUS, Gigabyte, Tyan) don't. Or if they do, it is often quite a pricy extra. We're finally at the point that SMBs and bulk-buy folks using whitebox servers can buy IPMI-equipped stuff without pushing virgins into volcanos. It's time we stopped buying the crap that doesn't have lights out management. Send a message to companies like ASUS that if you market a "server board", it isn't okay for it to lack IPMI.
About damn time.
My transformer is looking to be replaced in a year or two. Nice to know it will have a direct replacement. Keep Windows where it belongs: in a VM and away from children and the internet.
Re: Is this a marketing pitch?
They told me to be blunt and honest. I have no dollars in my pocket for marketing. And a list of experiences both good and bad with Office 365 as long as my arm. Seriously guys, when have you known me not to take the piss out of Microsoft when piss needs to be taken? I also give them an attaboy when they deserve it. *shrug*
Let's just say that Microsoft marketing and I don't exactly see eye to eye. It's not as bitter as the divide between Microsoft Licensing and I, but it's still a hell of a gulf to cross. Ask your questions; you'll get real answers.
Because the native WebDAV support is ass.
I use Netdrive to mount my WebDAV items. Works like a bloody charm. Look ma, my Synology is cloud storage now!
That is one potential variant of the attack, yes. It is not the only one. There are a few others too. Oh DDOSes, so many of you out there!
Funny, I can't find a firmware upgrade for a single one of the routers I have (or have deployed) in the last 10 years. 95% of those units are still in service. Or, wait...are you advocating that myself and all of my clients rush out to replace perfectly functional equipment? Why? Why would you advocate that? Do you believe that IPv6 is somehow a Good Thing? Why?
What are the negatives of IPv6:
Network renumbering each time you switch ISPs. A real problem for consumers who actually care about their networks and change providers periodically to avoid getting raped by the local monopolies. It's also a massive pain for SMBs who change ISPs for the same reasons, but also tend to move more often. Their networks are larger than consumers and have even more reason to want to static address items on the network. Shockingly, you'll find that there are individuals out there who want control over their network that doesn't rely on DNS or other "dynamic" technologies which don't quite as well as advertised.
No multihoming or failover. Oh, you can multi-home or failover if you happen to have a router that speaks BGP and an ISP willing to provide the service. Most consumers and SMBs don't have such options. failover would mean renumbering the entire network. Multihoming is pretty much right out.
No host obfuscation; no privacy. NAT isn't security and certainly if you try hard enough you can profile networks through NAT. Still, even half-assed NATs of today (such as OpenWRT on a Netgear WNDR7200V2) can be easily configured to obfuscate the individual computers requesting resources enough that you would have to be a top 1% security researcher to profile the damned things. IPv6 tags each device with it's own external IP; every single thing that device does is traceable directly to it. IPv6 means privacy is finally and completely dead.
One simple mistake lets the internet attack your toaster. Stateful firewalls as are required to protect people using IPv6 from having the outside world directly address their device are complicated. Far more so than the simple NAT+Firewall devices of yore. They require more knowledge to operate and maintain if you are an individual of the belief that the internet should not be allowed to attack your toaster for fun. Firewalls on network edge devices are not remotely simple enough or powerful enough to properly replace NAT yet.
What are the benefits of IPv6
It makes the lives of programmers easier. Yes; programmers, those great big whiny babies of the world will finally be able to leave behind the programming techniques we've spent the past 15 years perfecting. They can assume that devices can speak to one another with nothing in between them (which isn't true, because a proper consumer firewall won't allow the internet to talk to your toaster, even in IPv6, but hey, let's keep beating the end-to-end drum, eh?) The end-to-end model makes life a small (probably single digit, given the libraries that exist for NAT traversal by now) bit easier. This minor convenience for the elite few, the developers, the worthy is worth making the lives of IT operations more difficult and telling the entire world they must buy new devices, even though no new devices exist which are actually ready to do the task in a simple, cheap and simultaneously secure fashion. Even if the devices did exist, you're asking the whole world to replace perfectly working equipment in order to benefit the whiny few.
We're going to run out of IPv4 addresses. Yep. This is a problem. Artificial scarcity is a bitch, ain't it? Fortunately, we can all break the rules when are forced to switch and simply implement NAT66 and keep all our shit working. I even get to listen to developers howl. It's awesome.
Break the rules
Well let me be the first to say: fuck those whiny bitches. If their applications from the whiny bitch department don't work, I'll get one from another developer that does. My network, my rules. I give zero fucks about making the lives of developers easier. You don't get to talk to my toaster, or my lightbulb, my furnace of my server unless I bloody say so. And no, I won't pay Cisco rates for the privilege of making the lives of some whiny bitch developers easier.
Either the upgrade provides me as a consumer and systems administrator with a return on investment or you can go straight to hell. In 15 years, when my routers die, I'll send them down there do join you. When I do replace them, they'll use NAT66 (available on things like pfsense) so that I can get the features that are of use to me. Until then, cheers mate.
Re: I shall have to demoralize you...
Far more tragic would be the digital death of our beloved Playmonaut; a tragedy of intertubes proportions which would cause Register readers to rise up in droves against the evil aggressor.
Because the thing that we need is a lightbulb with an internet addressable IP address in a world where consumer/SMB router and firewall solutions either don't address IPv6 at all, are so clunky and inconvenient that you need to be a trained IT professional to use or are so expensive that nobody in the consumer/SMB space can afford it.
Let's do our furnaces and gas-powered fireplaces next. What's could possibly go wrong?
Network ingress filtering requires you be "part" of the wider internet, rather than merely the equivalent of a consumer with a fat pipe. We don't have access to BGP. We have no way of seeing, processing or acting upon the internet's wider routing table. Without this, the sort of ingress filtering duscussed in those documents simply isn't possible.
So what's left? Whitlisting systems manually that you want to connect to your DNS in iptables? How's that work when some of those units are mobile? Users with dynamic residential IPs, connecting from hotels or even over mobile links? What we really need is a DNS server and client infrastructure that allows for authentication of clients before they can look things up. DNS + TLS if you will. It might be time to start building something internally similar to opendns' infrastructure. I'll give it a thought.
Nope, you are 100% correct. If you are attacking properly that is exactly how you do it. (Actually, it is is the DNS for www.google.com you want to take down you attack with 1.www.google.com and 2.www.google.com etc.) That said, I was a little out in the weeds on describing the attack as is, and the sysadmin blogs are supposed to be 600 words. Had to leave out some details somewhere. :)
Re: "edge scrubber"?
Yes. A honeypot is indeed where you profile and catch attackers. Why are you hitting the honeypot machine if you aren't clicking on stupid things or are an attacker? They honeypot allows me to catch not only attackers but stupid users. I would say that "redirecting a user to a honeypot machine that displays an error or educational message when they try visiting a site on the list, then logs the thing so I can find and LART someone" counts as a honeypot.
As for edge scrubber, the system also does IDS and DPS. It scrubs my datastream. It leaves on the edge of my network. What the hell would you call it?
If it's a ship and it goes through the gate, you call it a gateship. You only call it a puddle jumper if you need something that sounds good on TV. It's an edge device, it scrubs my datatream. Should I call it a boysenberry?
The particular implementation of BIND + chroot utterly refused to look in the chroot directory for /etc/namedb, no matter how much tinkering I tried. I gave up eventually and left it. As for the shared virtual hosting and fail2ban comment, that is there because most of the "bugs in BIND" we might care about are exploits that work if you have manged to gain a remote console.
SSH on an alternate port + fail2ban + not actually giving the information to anyone and having a very small user footprint means your chances of getting into the system to exploit BIND in that fashion are hella slim. There is always the remote possibility that you could use some sort of remote attack against BIND like that, but the chances are even smaller. In terms of the risk posed, I think I can get away with not chrooting the thing for the 2-3 moths between initial roll out of the service and the replacement of the unit with a CentOS6 box.
At least on CentOS6 the bloody chroot works right and the malwaredomains zone works without post-processing the text file. I should also point out that the DNSSEC implementation set up in CentOS6 is actually pretty good.
So long as you have a good weekend, sir, then all is good. Cheers and beers!
If my blitherings are interesting then I fear a walkabout outside where the daystar is might be advisable. It seems you need some of those photons that the great big ball of fusion in the sky spits out to help you create some vitamin D and jumpstart the "removing crazy" subsystems. That or oh look it's beer o'clock on a long weekend, bye!
Re: Kessel Run?
13 hours and change. In my defence, I was asleep for most of it...
Re: Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott
I calls things like I sees 'em. Good or bad. I don't hate any technology - except the things that let you robo call people in the middle of the night - but I do hate it when technology is badly implemented. A great example is saying "Trevor hates Windows.' I don't. Not even a little.
Oh, I hate lots of things about how Windows 8 and Server 2012 have been handled, but this doesn't mean I hate all of those operating systems. Nor does it mean I think they can never be made to not suck in future releases. I fact I have litterally begged Microsoft to make the relevant changes...because I think Windows is a useful tool.
I hate Microsoft's licensing department. I love Microsoft's storage team. I hate some of the very strict rules that Spiceworks has surrounding community interaction, but I love the opportunity it presents me to interact with other sysadmins and vendors.
You really, really, have to do an awful lot to get on my personal hate list. Even Oracle isn't on my "no buy, ever" list. And they take hostages! Sony, on the other hand, will not see a single dollar from me ever after that rootkit fiasco. That is how you make Trevor hate you. That right there.
Technology is a tool. Corporations are groups of people each with individual hopes, dreams, goals and ideals. If technology sucks then I'll pan it. If it's great, I'll praise it. If it's boring, I probably won't even write about it. I'm harsh. I'm honest. I'm as up front as I know how to be. That's my job after all...
...biting the hand that feeds IT.
Re: Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott
Surely I'm not that negative! I like stuff that actually works just fine. I get tetchy when it doesn't do what it is supposed to. Or costs more than having a human do the same job. Or I haven't had coffee...
Re: never "forget" any edge system!
RHEL 5 is still under active support. There's nothing wrong with using it in live production. The system is updated religiously. The hardware refresh would have taken it to 6, but that got knocked back by about 6 months into April.
So while I may have forgotten which OS the little blighter was running (my mental filing system had ticked it over to "CentOS 6" already) it was still running a maintained, patched, and secure OS.
There are redundancies. It's actually a cluster of 2 devices. I didn't really want to get that deep into it though. I wanted to talk about the DNS not setting up a cluster in CentOS.
Re: You are right.. and wrong
Yeah. Actually, the "old one" is actually 2 Atoms. (The primary and the cold spare.) So I would have 2 spares on the shelf to back up the shiny. That said, it would cost far more if I were to try doing the exact same thing but with CISCO on the box...
- Geek's Guide to Britain INSIDE GCHQ: Welcome to Cheltenham's cottage industry
- 'Catastrophic failure' of 3D-printed gun in Oz Police test
- Game Theory Is the next-gen console war already One?
- BBC suspends CTO after it wastes £100m on doomed IT system
- Peak Facebook: British users lose their Liking for Zuck's ad empire