3624 posts • joined 31 May 2010
Re: diurnal cycle
Actually, I have sleep phase disorder. Left to my own means, I naturally fall into sync of sleeping at 4am and waking at noon. It's certainlh timed to the passage of the evil daystar, but significantly offset from the middle of the bell curve.
The difference is price. The cost of this enterprise-standard tech has come down enough for there not to be an excuse for its inclusion in even the most basic of SMB gear. The tech is mature. The pricing is a transformative element enabling far wider adoption than was possible even two years before.
Re: another advert for supermicro?
Enterprise vendors have had this for ages, but lots of folks who make "whitebox" kit (ASUS, Gigabyte, Tyan) don't. Or if they do, it is often quite a pricy extra. We're finally at the point that SMBs and bulk-buy folks using whitebox servers can buy IPMI-equipped stuff without pushing virgins into volcanos. It's time we stopped buying the crap that doesn't have lights out management. Send a message to companies like ASUS that if you market a "server board", it isn't okay for it to lack IPMI.
About damn time.
My transformer is looking to be replaced in a year or two. Nice to know it will have a direct replacement. Keep Windows where it belongs: in a VM and away from children and the internet.
Re: Is this a marketing pitch?
They told me to be blunt and honest. I have no dollars in my pocket for marketing. And a list of experiences both good and bad with Office 365 as long as my arm. Seriously guys, when have you known me not to take the piss out of Microsoft when piss needs to be taken? I also give them an attaboy when they deserve it. *shrug*
Let's just say that Microsoft marketing and I don't exactly see eye to eye. It's not as bitter as the divide between Microsoft Licensing and I, but it's still a hell of a gulf to cross. Ask your questions; you'll get real answers.
Because the native WebDAV support is ass.
I use Netdrive to mount my WebDAV items. Works like a bloody charm. Look ma, my Synology is cloud storage now!
That is one potential variant of the attack, yes. It is not the only one. There are a few others too. Oh DDOSes, so many of you out there!
Network ingress filtering requires you be "part" of the wider internet, rather than merely the equivalent of a consumer with a fat pipe. We don't have access to BGP. We have no way of seeing, processing or acting upon the internet's wider routing table. Without this, the sort of ingress filtering duscussed in those documents simply isn't possible.
So what's left? Whitlisting systems manually that you want to connect to your DNS in iptables? How's that work when some of those units are mobile? Users with dynamic residential IPs, connecting from hotels or even over mobile links? What we really need is a DNS server and client infrastructure that allows for authentication of clients before they can look things up. DNS + TLS if you will. It might be time to start building something internally similar to opendns' infrastructure. I'll give it a thought.
Nope, you are 100% correct. If you are attacking properly that is exactly how you do it. (Actually, it is is the DNS for www.google.com you want to take down you attack with 1.www.google.com and 2.www.google.com etc.) That said, I was a little out in the weeds on describing the attack as is, and the sysadmin blogs are supposed to be 600 words. Had to leave out some details somewhere. :)
Re: "edge scrubber"?
Yes. A honeypot is indeed where you profile and catch attackers. Why are you hitting the honeypot machine if you aren't clicking on stupid things or are an attacker? They honeypot allows me to catch not only attackers but stupid users. I would say that "redirecting a user to a honeypot machine that displays an error or educational message when they try visiting a site on the list, then logs the thing so I can find and LART someone" counts as a honeypot.
As for edge scrubber, the system also does IDS and DPS. It scrubs my datastream. It leaves on the edge of my network. What the hell would you call it?
If it's a ship and it goes through the gate, you call it a gateship. You only call it a puddle jumper if you need something that sounds good on TV. It's an edge device, it scrubs my datatream. Should I call it a boysenberry?
The particular implementation of BIND + chroot utterly refused to look in the chroot directory for /etc/namedb, no matter how much tinkering I tried. I gave up eventually and left it. As for the shared virtual hosting and fail2ban comment, that is there because most of the "bugs in BIND" we might care about are exploits that work if you have manged to gain a remote console.
SSH on an alternate port + fail2ban + not actually giving the information to anyone and having a very small user footprint means your chances of getting into the system to exploit BIND in that fashion are hella slim. There is always the remote possibility that you could use some sort of remote attack against BIND like that, but the chances are even smaller. In terms of the risk posed, I think I can get away with not chrooting the thing for the 2-3 moths between initial roll out of the service and the replacement of the unit with a CentOS6 box.
At least on CentOS6 the bloody chroot works right and the malwaredomains zone works without post-processing the text file. I should also point out that the DNSSEC implementation set up in CentOS6 is actually pretty good.
So long as you have a good weekend, sir, then all is good. Cheers and beers!
If my blitherings are interesting then I fear a walkabout outside where the daystar is might be advisable. It seems you need some of those photons that the great big ball of fusion in the sky spits out to help you create some vitamin D and jumpstart the "removing crazy" subsystems. That or oh look it's beer o'clock on a long weekend, bye!
Re: Kessel Run?
13 hours and change. In my defence, I was asleep for most of it...
Re: Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott
I calls things like I sees 'em. Good or bad. I don't hate any technology - except the things that let you robo call people in the middle of the night - but I do hate it when technology is badly implemented. A great example is saying "Trevor hates Windows.' I don't. Not even a little.
Oh, I hate lots of things about how Windows 8 and Server 2012 have been handled, but this doesn't mean I hate all of those operating systems. Nor does it mean I think they can never be made to not suck in future releases. I fact I have litterally begged Microsoft to make the relevant changes...because I think Windows is a useful tool.
I hate Microsoft's licensing department. I love Microsoft's storage team. I hate some of the very strict rules that Spiceworks has surrounding community interaction, but I love the opportunity it presents me to interact with other sysadmins and vendors.
You really, really, have to do an awful lot to get on my personal hate list. Even Oracle isn't on my "no buy, ever" list. And they take hostages! Sony, on the other hand, will not see a single dollar from me ever after that rootkit fiasco. That is how you make Trevor hate you. That right there.
Technology is a tool. Corporations are groups of people each with individual hopes, dreams, goals and ideals. If technology sucks then I'll pan it. If it's great, I'll praise it. If it's boring, I probably won't even write about it. I'm harsh. I'm honest. I'm as up front as I know how to be. That's my job after all...
...biting the hand that feeds IT.
Re: Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott
Surely I'm not that negative! I like stuff that actually works just fine. I get tetchy when it doesn't do what it is supposed to. Or costs more than having a human do the same job. Or I haven't had coffee...
Re: never "forget" any edge system!
RHEL 5 is still under active support. There's nothing wrong with using it in live production. The system is updated religiously. The hardware refresh would have taken it to 6, but that got knocked back by about 6 months into April.
So while I may have forgotten which OS the little blighter was running (my mental filing system had ticked it over to "CentOS 6" already) it was still running a maintained, patched, and secure OS.
There are redundancies. It's actually a cluster of 2 devices. I didn't really want to get that deep into it though. I wanted to talk about the DNS not setting up a cluster in CentOS.
Re: You are right.. and wrong
Yeah. Actually, the "old one" is actually 2 Atoms. (The primary and the cold spare.) So I would have 2 spares on the shelf to back up the shiny. That said, it would cost far more if I were to try doing the exact same thing but with CISCO on the box...
Funny, I can't find a firmware upgrade for a single one of the routers I have (or have deployed) in the last 10 years. 95% of those units are still in service. Or, wait...are you advocating that myself and all of my clients rush out to replace perfectly functional equipment? Why? Why would you advocate that? Do you believe that IPv6 is somehow a Good Thing? Why?
What are the negatives of IPv6:
Network renumbering each time you switch ISPs. A real problem for consumers who actually care about their networks and change providers periodically to avoid getting raped by the local monopolies. It's also a massive pain for SMBs who change ISPs for the same reasons, but also tend to move more often. Their networks are larger than consumers and have even more reason to want to static address items on the network. Shockingly, you'll find that there are individuals out there who want control over their network that doesn't rely on DNS or other "dynamic" technologies which don't quite as well as advertised.
No multihoming or failover. Oh, you can multi-home or failover if you happen to have a router that speaks BGP and an ISP willing to provide the service. Most consumers and SMBs don't have such options. failover would mean renumbering the entire network. Multihoming is pretty much right out.
No host obfuscation; no privacy. NAT isn't security and certainly if you try hard enough you can profile networks through NAT. Still, even half-assed NATs of today (such as OpenWRT on a Netgear WNDR7200V2) can be easily configured to obfuscate the individual computers requesting resources enough that you would have to be a top 1% security researcher to profile the damned things. IPv6 tags each device with it's own external IP; every single thing that device does is traceable directly to it. IPv6 means privacy is finally and completely dead.
One simple mistake lets the internet attack your toaster. Stateful firewalls as are required to protect people using IPv6 from having the outside world directly address their device are complicated. Far more so than the simple NAT+Firewall devices of yore. They require more knowledge to operate and maintain if you are an individual of the belief that the internet should not be allowed to attack your toaster for fun. Firewalls on network edge devices are not remotely simple enough or powerful enough to properly replace NAT yet.
What are the benefits of IPv6
It makes the lives of programmers easier. Yes; programmers, those great big whiny babies of the world will finally be able to leave behind the programming techniques we've spent the past 15 years perfecting. They can assume that devices can speak to one another with nothing in between them (which isn't true, because a proper consumer firewall won't allow the internet to talk to your toaster, even in IPv6, but hey, let's keep beating the end-to-end drum, eh?) The end-to-end model makes life a small (probably single digit, given the libraries that exist for NAT traversal by now) bit easier. This minor convenience for the elite few, the developers, the worthy is worth making the lives of IT operations more difficult and telling the entire world they must buy new devices, even though no new devices exist which are actually ready to do the task in a simple, cheap and simultaneously secure fashion. Even if the devices did exist, you're asking the whole world to replace perfectly working equipment in order to benefit the whiny few.
We're going to run out of IPv4 addresses. Yep. This is a problem. Artificial scarcity is a bitch, ain't it? Fortunately, we can all break the rules when are forced to switch and simply implement NAT66 and keep all our shit working. I even get to listen to developers howl. It's awesome.
Break the rules
Well let me be the first to say: fuck those whiny bitches. If their applications from the whiny bitch department don't work, I'll get one from another developer that does. My network, my rules. I give zero fucks about making the lives of developers easier. You don't get to talk to my toaster, or my lightbulb, my furnace of my server unless I bloody say so. And no, I won't pay Cisco rates for the privilege of making the lives of some whiny bitch developers easier.
Either the upgrade provides me as a consumer and systems administrator with a return on investment or you can go straight to hell. In 15 years, when my routers die, I'll send them down there do join you. When I do replace them, they'll use NAT66 (available on things like pfsense) so that I can get the features that are of use to me. Until then, cheers mate.
Because the thing that we need is a lightbulb with an internet addressable IP address in a world where consumer/SMB router and firewall solutions either don't address IPv6 at all, are so clunky and inconvenient that you need to be a trained IT professional to use or are so expensive that nobody in the consumer/SMB space can afford it.
Let's do our furnaces and gas-powered fireplaces next. What's could possibly go wrong?
Re: Forget the Higher Levels
Re: Forget the Higher Levels
Correct horse battery staple!
Paragraph is from an older version; missed that when I added. Should read "Consider the shocking lack of support for DNSSEC, or the fact that amongst the mainstream browsers TLS 1.1 is only enabled by default in Safari and Chrome while TLS 1.2 is only enabled by default on iOS devices!" I am trying to get it changed...
Re: Where do draw the line?
Whether or not content marketing calls for truth in advertising is a hotly contested topic. Consider debates regarding the nomenclature of "cloud" an you have some appreciation for how this is perceived in the marketing community. My investigations say most feel content marketing must contain truth in advertising otherwise it is not content marketing. It is traditional marketing trying to look like content marketing.
"Keep the topic trending", however, is very much content marketing. What would separate this from traditional marketing (which tries to do the same thing) is that content marketing tries to keep it trending by providing useful information that the readers actually want to read. Traditional marketing doesn't care what tripe is written just so long as it makes the client in question look good.
The difference in these circumstances is almost one of attitude. Content marketing is about providing something in exchange for your time reading/watching/etc that you find to be of value. Traditional marketing is about "raising the profile" while "controlling the message." Traditional marketing treats people like robots to be programmed; content marketing treats people like individuals capable of making a rational assessment for products at hand.
Which is superior in the long run is the subject of great debate, however, I think that in IT circles at least, content marketing will be king.
Here ya go, mate: http://www.theregister.co.uk/2012/10/15/spiceworld/
Re: Where's "flood communities with paid commenters until everything else is drowned out?"
That would be traditional marketing. "Control the message."
Screw you, Nokia. Google isn't perfect, but increased options is demonstrably better for consumers. This reeks of Microsoft sticking to a competitor by proxy. It's sad, and it does nothing but lower my level of trust in both Nokia and - assuming they can be proven to be involved, which shouldn't take long - Microsoft.
Patents as a weapon to prevent competition on behalf of more moneyed masters. With the rest of your business model collapsing, Nokia, it looks like you have truly arrived at "patent troll" at last. How much was your pride worth, Nokia? That's the thing I really want to know.
I don't want to live on this planet anymore.
@NL13L5 Simple: Intel's storage guys have never done a damned thing for me, ever. In fact, outside of the network team - who got me some sample cards so I could write some reviews and test some things - Intel has generally been an impenetrable fortress of traumatizing marketing fluff that I have more or less avoided*.
I've been an AMD man for ages. Only recently have I had to start building servers without Opterons inside. When I bought - and wrote about! - SSDs for my own testlab, I bought Kingston Hyper-X based on a combination of price and the Kingston brand name. I think over the years of writing for The Register I've proven that I take the time - and put a fuckload of my own money - into testing products from a variety of manufacturers.
I'm a nasty, cynical, hard-to-please type that rarely has a nice thing to say about anyone. (Ask Microsoft.) I generally don't like whinging in public - unless I am really tweaked - and so I try hard to write articles about things I actually like. (Why tell the world "this sucks" when you could tell the world "this doesn't suck, use this!")
If you honestly think that I'm a shill for Intel you're a fool. I have a price - every man does - but that price is far higher than anyone has ever been willing to offer. Right now, I am on track to build a company with me at the head where I write about technology for a living, tell people how to run their companies and get paid for it, manage to pay off my debts in a reasonable period of time and even retire to write my book while I'm still young enough to remember it.
So tell me, dear N13L5, what possible reason could I have to be a shill for anyone? Do you think an SSD or a server, a phone of a software licence will buy me off? I get paid to troll people on the internets. That's the best job ever; the price to "buy" me out of that comfort zone is pretty damned high. Ambition is expensive and so am I.
*I once won a PC in a contest sponsored by Intel. However I can guarantee you that this didn't make me any more disposed to like them. The Badaxe motherboard in that PC was made of raw, elemental failure.
OCZ absolutely must do two things to survive:
1) Make products that don't suck
2) Convince the entire IT industry, all of whom have been badly burned by previous OCZ products that their extant line doesn't suck.
That means making a product line with a very low failure rate and seeding those drives amongst relevant businesses, tech journos, "thought influencers" (read: respected bloggers within their IT niches) and so forth. It means being able to explain what is different about this round than the last and it means publicly admitting they fucked up. Without the admission, we can't believe they've changed. Without solid, third-party verification that their stuff isn't absolute crap anymore, we won't even consider buying their stuff.
Sadly, based on my experience, the above is so completely against their corporate culture that these guys are just flat out doomed. Honesty and transparency are not their shtick. They would never back third-party analysis of their equipment when marketing and outright falsehoods could still be tried.
I have no officially had over 80% of all OCZ SSDs (400 some odd at last count) seen in the field die on me. Samsung sits at about 4% (of 2000ish) and Sandisk hasn't had a loss in the admittedly low sample of 3 disks. MY 8 Kingston Hyper-X SSDs continue to soak up every bit of punishment I can throw at them with no failures, but its early days yet.
But I have replaced one Intel drive out of over 8000 in the field. Intel 510s and 520s. 1 in over 8000. SSDs? Intel or bust, gentlemen. Intel or bust.
Re: So, what is MDM?
Wake up on the wrong side of the locker today, did you? Here, have a beer.
Yeah, noticed Zenprise, but they didn't pique my interest. I have a list of over 100 MDM companies. I had to cut it down to something readable. :/
I swear, it's a cult.
Re: So, what is MDM?
...really? This has to be explained? I mean, I realise that some of the newer terms and stuff have to be described while they are still relative unknowns...but...MDM? Do I also need a link for virtualisation? Or RAID? Genuinely curious here...I was under the impression MDM has been "a thing" for long enough that we all knew what it was...
Re: Great session...
I believe comments were moderated.
@Dale Re: Whoa - massive unsubstatiated assumption here
The issue there isn't technology nor the technology choice. It is people. If you have have people who work best when they are told what to do, how to do it, what to think and how to think it, then a company-mandated top-down approach to everything works best. Sadly, for shareholders everywhere, we're not all drones.
We cannot paint "BYOD" with a great big brush and make assumptions that apply to all (or most) companies. Each and ever company is going to be different based on the people, politics, extant infrastructure, finances available and yet more that is involved. What works for enterprises won't work for SMBs. For that matter, what works in the UK won't work in the US; the cultures are completely different!
Hell, I could give you some damned good educated guesses on why the cultural deltas between Edmonton and Toronto would affect the uptake and success of BYOD deployments to various sized businesses (and in which sectors.) You could provide some hard figures from your research. We both have dozens of anecdotes from sysadmins, end users and CIOs we've talked to. Me, mostly in North America. You, mostly in the UK.
What Tim and Phil really need to do is lock you and I in a room with a video camera, a case each of our favourite beer and let us go at it on this topic. We've had some epic debates on this, you and I, and the results from those conversations end up the same each time: it's the people, stupid.
"Are productivity benefits really a given with BYOD?" No.
By the same token: "Are productivity benefits really a given with any technology, ever, regardless of provenance?" No.
There is also a whole conversation to be had about "applies to some people" versus "applies to the majority." Just because BYOD doesn't make sense for some (or most) doesn't mean it doesn't make sense for others. This stupid internet thing and these stupid "actually capable consumer devices" are raising the expectations of the hoi polloi. "One single policy on endpoint technology applied indiscriminately to everyone from the stock picker to the IT staff to the field sales staff" just doesn't work in 2013. Not everywhere, anyways.
We need to start a BYOD fight club. :) Cheers and beers, good sir! Next round's on me!
Wish I could compare. The Fat Twin emphatically does not kick out a lot of heat. It is the most power-efficient gear I have ever used. I could see 4 racks of them being a problem whereas 4 racks of 5U servers is not, but then I would be running 320 2P servers instead of 32 2P servers in the same space. Mind you, living in Canada, that is probably only a issue 2 months out of the year...
I need to play with this some; sounds interesting.
I think different tiers of data can sustain different RPO. With something like Storage Profiles in VMware that can be made easy. I do not, for example, care overmuch if my webservers get reverted to yesterday; they grab their info from a centralized storage location with is disaggregated from the individual VMDK of the PaaS VM itself.
You just gave me a great idea for an article. Much appreciated.
Re: Great article
More than just flushes; serious, click the link on that. (Or rather, it is about flushes, but it really gets in to how ZFS does them and what mechanisms it can use if it "owns" the disk. Also how to configure ZFS so that the damned thing works. It's a truly great link.)
Also: I cannot claim complete credit on things like links. I have a great research team to back me up. It helps to have additional eyes to check things over.
Re: Great article
Re: in short..
Use the Queen's proper English, strong and free. Canadian, eh?
Re: Literally bulletproof storage
I didn't mention StoreVirtual because I have never had the opportunity to play with it or even see a demo. It's on my list.
Re: RAID 5 shouldn't even be named unless living under the bridge
Have a related SATA series all you want, but your SAS drives had damned well better be of superior quality to the SATA drives. If the SATA version of your SAS line is something you are only willing to cover with a 1 year guarantee then I do not have warm fuzzies about the non-marketing-bull MTBF on your SAS line...
+1 to marketing for the witty response. I'll check out the resources mentioned in the hopes they answer my question. I'm hoping we're not simply being asked to substitute one bottleneck for another...
RAM bandwidth. It was already a thing with virtualization at the levels we can get with today's servers. With this...? What is the memory controller made out of? Unicorns?
- Updated Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
- Elon Musk's LEAKY THRUSTER gas stalls Space Station supply run
- Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
- FOUR DAYS: That's how long it took to crack Galaxy S5 fingerscanner
- Did a date calculation bug just cost hard-up Co-op Bank £110m?