* Posts by Trixr

305 posts • joined 30 Jun 2009


'I crashed AOL for 19 hours and messed up global email for a week'

Trixr

Re: With hindsight

Correct - Exim was "experimental" for a fair few years. Postfix came out in 1998, but I didn't use it till v2.2.

smtpd_timeout was a lovely thing, not to mention all the smtp client timeouts going the other way (no waiting forever tying up a process waiting for a receiving MTA to respond).

0
0

Gmail is secure. Netflix is secure. Together they're a phishing threat

Trixr

Re: This has happened to me for years

I have to say that operating a catchall address in this day and age is really a liability and not an asset. Unless of course you're the maintainer of some RBL.

If you want to know who's trying to spam you, you simply look at the mail log and the rejected messages.

If you're using it as a honeypot to construct some kind of home-baked RBL, then just subscribe to Spamhaus Zen. Their database is orders of magnitude bigger than anything a little home domain will encounter... and is therefore much more useful if some exploit is in the wild. It's free for a host processing less than 100,000 SMTP connections per day. I used it for my medium-sized organisation (5000 mailboxes) until they made us get crappy Ironport. Like any RBL, the rejected connections are clearly logged in the mail log.

If you're operating a catch-all to capture misspellings of your email address(es), simply set up a catch-all that's aliased only with the likely misspellings.

0
2

There's security – then there's barbed wire-laced pains in the arse

Trixr

Re: Conflicting Advice

That Schneier advice is now a decade old.

The common advice these days is long pass phrases that don't have to be changed too frequently, and 2FA.

0
0
Trixr

It's uncanny - it's almost like she's worked at my organisation (down to the exec using Dropbox), and she would have been shown the door quick smart with sensible observations like those.

0
0

Azure needs extra security controls before it's fit for government use, says Australia

Trixr

Yeah, I don't mind El Reg going for the tabloidy headlines when it's amusing, but this really is a misleading spin on the situation.

Also, since I was at the presentation, MS clearly had a matrix of services that were going to be approved for Protected status (in conjunction with the appropriate controls as implemented by the relevant agency - they have responsibility too). There were at least a dozen or so services that were excluded.

1
1

Sysadmin shut down the wrong server, and with it all European operations

Trixr

If it's a Linuxy box, check out Fail2Ban. Dynamically creates iptables rules on receiving bad logon requests (or whatever other criteria you select in the sshd.log) at whatever frequency/time interval you choose.

I used it for Postfix, for dropping SMTP connections that were attempted more than three times in a row from hosts that were blacklisted in our RBL - those got banned for 6 hours. Also, hosts that attempted more than 20 messages in 5 mins to "unknown recipients" - they were dropped for 2 hours, I think - a cheap person's DHA throttle.

2
0
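The two thresholds described in the post above, as an added example that is not the poster's configuration or Fail2Ban's own code: a small Python model of the count-within-a-window logic, run over constructed Postfix-style log lines. The 10-minute window for the RBL rule is an assumption (the post gives none), and the host names and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IP = r"\S*\[(?P<ip>[0-9a-fA-F.:]+)\]"
# (rule name, pattern, hits tolerated, counting window, ban length)
# Fail2Ban expresses the same idea with its maxretry/findtime/bantime jail options.
RULES = [
    # More than three RBL rejections: banned for 6 hours (window is assumed).
    ("rbl", re.compile(r"reject: RCPT from " + IP + r": 554 .*blocked using "),
     3, timedelta(minutes=10), timedelta(hours=6)),
    # More than 20 unknown-recipient rejections in 5 minutes: banned for 2 hours.
    ("dha", re.compile(r"reject: RCPT from " + IP + r": 550 .*User unknown"),
     20, timedelta(minutes=5), timedelta(hours=2)),
]

def parse_time(line, year=2018):
    """Syslog timestamps carry no year, so one is supplied."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_bans(lines):
    """Return (ip, rule, banned_at, banned_until) for every ban the rules trigger."""
    hits = defaultdict(deque)   # (rule, ip) -> timestamps still inside the window
    banned_until = {}           # ip -> end of the current ban
    bans = []
    for line in lines:
        ts = parse_time(line)
        for name, pattern, tolerated, window, ban_len in RULES:
            m = pattern.search(line)
            if not m:
                continue
            ip = m.group("ip")
            if banned_until.get(ip, ts) > ts:
                break           # a real firewall rule would already be dropping this host
            q = hits[(name, ip)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()     # forget hits that fell out of the window
            if len(q) > tolerated:
                banned_until[ip] = ts + ban_len
                bans.append((ip, name, ts, ts + ban_len))
                q.clear()
            break
    return bans

def sample_log():
    """Constructed smtpd rejections for four made-up client addresses."""
    base = datetime(2018, 1, 10, 9, 0, 0)
    def line(offset_s, ip, tail):
        stamp = (base + timedelta(seconds=offset_s)).strftime("%b %d %H:%M:%S")
        return (f"{stamp} mx1 postfix/smtpd[2101]: NOQUEUE: reject: "
                f"RCPT from unknown[{ip}]: " + tail.format(ip=ip))
    rbl = "554 5.7.1 Service unavailable; Client host [{ip}] blocked using zen.spamhaus.org"
    unk = ("550 5.1.1 <nobody@example.org>: Recipient address rejected: "
           "User unknown in local recipient table")
    out = []
    out += [line(i * 30, "203.0.113.7", rbl) for i in range(5)]     # 4th hit bans
    out += [line(i * 30, "203.0.113.8", rbl) for i in range(3)]     # three only: no ban
    out += [line(i * 10, "198.51.100.20", unk) for i in range(25)]  # 21st hit bans
    out += [line(i * 90, "198.51.100.21", unk) for i in range(25)]  # slow: never over 20
    return sorted(out, key=parse_time)

if __name__ == "__main__":
    for ip, rule, start, end in find_bans(sample_log()):
        print(f"{ip} banned by {rule} rule from {start} until {end}")
```

The slow sender at 198.51.100.21 makes as many bad-recipient attempts as the fast one but stays under the window, which is the limit of any rate-based throttle of this kind.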
Trixr

DesktopInfo is a wonderful tool.

Just come up with a template INI file and stick it somewhere all RDP users can read it, create a shortcut in ProgramData...\Startup to launch desktopinfo.exe for all users, and bake that into your gold image. Easy to package and distribute as well.

Then you get the name of your system as big as you want on screen - colour code for prod/non-prod if you're fancy, and some cute at-a-glance statuses if you want those as well.

1
0

Patch LOSE-day: Microsoft secures servers of the world. By disconnecting them

Trixr

Re: Fix

Yes, of course you *hope* I test changes. I haven't even deployed these updates into our DEV environment yet. I always wait at least 3 days. Then there's at least 10 days before they go to Prod.

In my experience, we've been more affected and put more at risk by deploying crappy patches too fast than any runaway exploit.

2
0
Trixr

Re: Fix

Yeah, I'm sure going to love running around setting reg keys on 300+ servers. Thank god the yanks get to find out this crap before we do.

It would help if MS didn't screw up *any* part of the TCP/IP stack or network configuration with a bloody routine patch.

11
0

Samba 4.8 to squish scaling bug that Tridge himself coded in 2009

Trixr

Re: Samba is still relevant?

Dude, if you think Active Directory "is dead", you're having a laugh. I don't care where in the world you upload your crap, if there's any security on it, you're using authentication and authorisation services.

As it happens, the core of Azure is still based on AD technologies - yeah, sure, SAML wrappers etc, but what do you think is validating your claims?

Having directory services combined with Kerberos with minimal configuration required was a killer feature. I still don't think Samba has caught up with AD services, except for basic stuff, but there's nothing wrong with the LDAP + Kerberos stack.

As for SMB, I don't think it's that great myself, but it's a sh*tload better than SharePoint. Try storing multi-gigabyte binary files inside a SQL database and see what your DBAs say. Try storing 27 million files of 5-150 bytes in size in SharePoint (which is exactly what is in a directory on one of our file servers right now ... and I *wish* they'd ingest those into a database!)

And if you want to store a bunch of docs and spreadsheets on a web server, SharePoint is still shite. A simple WebDAV is better. The only benefit I can think of with SharePoint is in a clustered instance, where you've got your stuff spread across a large farm. And that's only because of the clustering technology, not because it's a great way to store and retrieve files.

0
0

ServiceNow plans non-devs writing non-code for real enterprise apps

Trixr

Obviously I'm behind the times in thinking that a billion dollar business no longer qualifies as a "start-up".

0
0

Programming in the Middle Ages: Docker makes a lovely pair of trousers

Trixr

Re: Comma, please

Please read up on serial commas and the fact they are NOT required where you have a conjunction, depending on what writing STYLE you happen to have adopted.

If you have a preferred style, fine. The serial comma is common in the US (and Oxford, natch). There's nothing about an "and" that implies the entities are "a couple".

0
0

Linux-loving lecturer 'lost' email, was actually confused by Outlook

Trixr

Re: been there - seen that - never been shouted at to that extent (yet)

Sorry, why on earth would you allow a 500MB message size??????

Internally or externally.

I'm afraid that's the fault of the administrators, not the users exploiting the really stupid system.

0
1

Apache Foundation rebuffs allegation it allowed Equifax attack

Trixr

Re: Hang on...

Dude, no-one has confirmed whether that WAS the breach. Useless to speculate.

Yes, if Equifax were using Struts and didn't configure it according to best-practice, then sure, hang them out to dry.

0
0

User thanked IT department for fast new server, but it had never left its box

Trixr

I pretty much credit my IT career with my early understanding of the power of the placebo.

I worked in a law firm in the late 90s that had recently switched from Word Perfect to Word, complete with very gnarly macros. Often the Win 3.11 machines would virtually grind to a standstill, and the quickest way to free up the memory was a simple reboot.

Lots of the secretaries (and pretty much any user today, of course) would swear black and blue that they had already rebooted and it was "something else" causing the problem when their machine went to snail pace.

So my Advanced Desktop Support technique was to go to the affected machine, run up the command prompt, run a "dir /s" on the C:\ drive, make some muttering sounds as the output scrolled down, THEN do the reboot. Apparently I was the "best" desktop support person in the place because I "went the extra mile to *fix* the problem". Fast forward to being a shiny new NT administrator in the Ops area 6 months later.

2
0

Hell desk to user: 'I know you're wrong. I wrote the software. And the protocol it runs on'

Trixr

Sounds like the experience we had with the EMEA support branch of a well-known US computer manufacturer shortly after our boss signed us up for a "fully managed" hardware support service for our machines.

PSU blew in one workstation about a week after this arrangement came into play, we called, a package with the replacement PSU was couriered to us, and the tech followed to install it the day after. We were keen to experience the delights of this fully-managed service, so we were STRICTLY hands-off.

The package was festooned with obvious US-origin courier labels and in what was obviously the factory packaging. All three of us systems admins were gathered around the bench waiting for the MANUFACTURER tech to work his magic - poor dude.

So he opened the packaging, removed the nice, shiny, factory-new PSU, flipped it over without even glancing at the voltage selector switch, installed it, plugged in the box, powered on and BANG!

So yeah we got a new motherboard, new RAM and new CPU out of that little number. And a good laugh once the tech departed. We managed to restrain ourselves to a polite "whoops" when it blew up almost in his face.

I do not understand any tech anywhere in the world (maybe not the US itself, since they seemed to assume they were the default) not double-checking a PSU voltage selector in the late-90s - a very basic routine check.

I won't bother relating the story of the "hot-swappable" server SCSI hard drive on the student registration system that most certainly was not. Thank christ it wasn't just before (or DURING) enrolment time.

3
0

If you love your email standards, SMTP your feet: 35 years later

Trixr

I don't know why all the downvotes - are any of these from anyone who works with a substantial email environment? (Multiple enterprises, or even medium-large enterprises?)

I thought Google was on the right track with their Wave idea. Of course, their ramming it down everyone's throats and the fact Google were going to make it their proprietary thing meant its death-knell, deservedly so.

But the idea of moving seamlessly between an IM conversation style to a message delivery system in "offline" mode (if you like) was great. How the security and connection handshake could be handled with multiple providers is something else, because of course Google weren't designing for that either. Something like the messaging equivalent of Diaspora (the social media platform), where multiple nodes can intercommunicate, perhaps.

I know that some would say it'd be overly complicated, but if anyone thinks that pure SMTP is workable these days, they're dreaming. Multiple message formats, multiple mail access protocols, bolt-ons (and they ARE bolt-ons) like SPF, DKIM and DMARC, the gymnastics required to encrypt messages and the transport layer, SenderBase, RBLs, etc etc etc etc.

1
1

CMD.EXE gets first makeover in 20 years in new Windows 10 build

Trixr

Re: They are bonkers

I dunno, the first thing I do is change the RGB settings on that medium grey they use for the default text to something much lighter. Not having to do that on every new box I log on to would be nice.

0
0

Sysadmin jeered in staff cafeteria as he climbed ladder to fix PC

Trixr

Re: What is this ?

Similar issue I had in an academic institution in London, which had multiple buildings spread across Bloomsbury. The connector was seemingly the BEST thing to hang an academic's coat on, despite multiple reminders to the office occupant that it was not in fact its purpose.

Traipsing across half of the west end when it was hosing down was not my favourite activity.

2
0

BA's 'global IT system failure' was due to 'power surge'

Trixr

Re: Cynical Me

Yup, I know of an instance where a certain country's largest airport's ATC systems were literally two minutes away from a complete power failure. Mains power didn't come back after some issue with switching between that and the genny (I did hear the gory details, but my understanding of what's what was limited). The contract electrician (no more on-site sparkies after "efficiency" cuts) had to be called out from the other side of town (a town with awful road congestion at the best of times).

The only reason the whole lot didn't go down was due to the site manager and staff literally running around the ops building and tower powering down every single piece of electrical equipment that did not concern the tower cab's ATC display systems and nav aids. Was there any review in terms of obtaining another genny and/or onsite sparkie during operational hours? No.

6
0
Trixr

Re: "Tirelessly"?

I dunno, it's not a bank holiday in India, and they're probably flogging all the poor bastards to death over there.

13
0

Fat-thumbed dev slashes Samba security

Trixr

Re: Now if this was in windows

Totally agree. So far it's mostly "oops, here's a workaround, hope you guys fix it soon", rather than rants about "Linu$$$" and "Tridge-hell" and the like.

0
1

'Trash-80' escapes the dustbin of history with new TRS-80 emulator

Trixr

Re: good old days...

This schoolgirl did, although I didn't choose "BOLLOCKS" as my text of choice. :-)

1
0

Miss Misery on hacking Mr Robot and the Missing Sense of Fun

Trixr

And this is why they invented Dropbox (etc). That's where my book stash lives, as well as about three actual devices.

0
0

Green software blacked out Australian State

Trixr

Re: "it is not customary to study multiple faults"

They did.

The wankers running the gas-fired turbines said they didn't get 'enough warning' to spin them up. It was complete lies, since they were warned a few days in advance that the gas-fired capability would likely be required when the weather hit.

Of course the govt was at fault for not ringing them up first thing in the morning of the storms to ask "Are those #*@*% things on yet?"

2
1

User jams up PC. Literally. No, we don't know which flavour

Trixr

Re: Never underestimate the foolishness of the average user

If you're going to imitate a Mickey-Rooney-quality "Asian" accent, get your Rs and Ls right. The Chinese pronounce Ls, the Japanese pronounce Rs. So your "Chinaman" would be Japanese given that sample. But never let accuracy get in the way of an ethnic stereotype.

1
0
Trixr

Actually, for us non-American colonials (in NZ), "kindergarten" refers to pre-school for the ages of 3-4. We start at age 5.

2
0

Sysadmin's sole client was his wife – and she queried his bill

Trixr

Re: Re-booting windows

If you're running the Professional edition, just use GPEdit to stop it. There's plenty to google on using group policy to limit how Windows update works.

0
0

The Register's guide to protecting your data when visiting the US

Trixr

Re: Not right, but not that strange either

Yes, the profiling is so advanced that when my Buddhist Sri Lankan-born boss and her similarly-spec'd hubby travelled to the US during the Bush II years, on their Australian passports (being citizens for 30+ years), they were stopped and searched - at length, the "please step into this room" treatment - at every single US airport they transited through on their journey.

No criminal record, no military service in birth or residence countries, no visas to China, Russia, Cuba, Middle-East nations yadda yadda in their passports, no ticking luggage, and the purpose of their two-week visit was to attend an academic conference at Georgetown University and see family members in two other cities.

There may be things you could say about what Sri Lankans of the military persuasion do to Tamils in that country, but as far as I know, the yanks have never been that fussed about that. Buddhists aren't really that renowned for their suicide bombings or jihads at the best of times.

Of course, they did fit the advanced profile of being suspiciously brown in skin tone. And sure, it seems that the US border guards are improving their detection rate based on such techniques by exponential rates at present.

2
0

EU privacy gurus peer at Windows 10, still don't like what they see

Trixr

Re: What information does Win 10 slurp?

I have W10 Pro at home, and it's fine in terms of being able to be locked down. GPEdit is your friend.

And no, as far as I'm concerned, work kit remains just that. I'm not letting my personal data anywhere near it.

0
0

HPE blames solid state drive failure for outages at Australian Tax Office

Trixr

Er, how are the potential failures of MODERN SSD storage potentially any more risky than other storage devices? Bad firmware = bad firmware, no matter what the storage substrate.

I remember having to replace 300+ Hitachi drives in the early 2000s - good old spinning rust, manufacturing fault with the actuator or actuator arm, I can't remember which. Ok, most of that was preventative replacement, once Dell finally admitted the problem, but a 1/5 failure rate was pretty noticeable prior to that.

0
0

The last time El Reg covered IBM Domino we used a chisel

Trixr

I'm always feeling Sappic

Ugh. At least they have an API now, though. So pipe the data out of the crappy application and set up a decent one. As for the email functionality, at least no-one's trying to resurrect that (keeping it running in zombie mode is something else).

1
0

NHS reply-all meltdown swamped system with half a billion emails

Trixr

Are you serious?

In Exchange, you can lock down a list to only allow specified senders. It takes about 5 sec, via the GUI or PowerShell. We generally control these via another group - e.g. $list-senders are the only ones allowed to send to specified list. Even if one of the permitted senders screws up, the Reply-Alls don't go far.

If you have any smarts, and you're actually allowing end-users to set up email lists, you'd run some kind of script on a schedule to check for email-enabled groups with (recursive!) members > $number and verify that all of those have sender restrictions on them.

For the NHS, the fact the storm went on for that long is appalling - it should have taken approx. 2 mins to lock the list (assuming someone had to logon to a box to set the restriction). Give it 15 mins for someone to verbally raise the alarm... (although, again, if end-users can set up the lists, you'd expect some pretty gnarly monitoring to be in place to actually raise an alert itself, even just seeing if the queues are filling up.)

0
0
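The scheduled check described in the post above, as an added example that is not the poster's script: Python stands in for the audit logic, run over a constructed directory snapshot. The snapshot layout, group names and addresses are hypothetical; in practice the data would be exported from the directory.

```python
def expand(group, directory, _seen=None):
    """Return every mailbox reachable from `group`, following nested groups.

    Each group is visited once, so circular nesting terminates and mailboxes
    that appear under several sub-groups are counted once.
    """
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    mailboxes = set()
    for member in directory[group]["members"]:
        if member in directory:               # member is itself a group
            mailboxes |= expand(member, directory, seen)
        else:                                 # member is a mailbox address
            mailboxes.add(member)
    return mailboxes

def audit(directory, threshold):
    """List (group, recursive size) for large groups with no sender restriction."""
    findings = []
    for name, group in directory.items():
        size = len(expand(name, directory))
        if size > threshold and not group["allowed_senders"]:
            findings.append((name, size))
    return sorted(findings)

def sample_directory():
    """Constructed snapshot: overlapping wards, a nested list, a self-reference."""
    def users(prefix, start, stop):
        return [f"{prefix}{i}@example.org" for i in range(start, stop)]
    return {
        "ward-a": {"members": users("u", 0, 300), "allowed_senders": []},
        "ward-b": {"members": users("u", 200, 500), "allowed_senders": []},
        "it-team": {"members": users("it", 0, 5), "allowed_senders": []},
        "clinical-senders": {"members": users("lead", 0, 2), "allowed_senders": []},
        # 500 unique mailboxes through two nested groups, but locked down.
        "clinical": {"members": ["ward-a", "ward-b"],
                     "allowed_senders": ["clinical-senders"]},
        # Only three direct members, 505 mailboxes once nesting is followed.
        "all-staff": {"members": ["clinical", "it-team", "all-staff"],
                      "allowed_senders": []},
    }

if __name__ == "__main__":
    for name, size in audit(sample_directory(), threshold=400):
        print(f"{name}: {size} recipients, no sender restriction")
```

Counting direct members alone would report three for all-staff and miss it entirely, which is why the recursive expansion matters.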

Seven pet h8s: Verity is sorely vexed

Trixr

Re: I started laughing at the innocent youngster that wrote this article

+1

And from the sysadmin side, I am amazed anyone still uses Sendmail, for precisely that reason.

1
0

Super-cool sysadmin fixes PCs with gravity, or his fists

Trixr

Hitachi hardware expert repairer

In the early 2000s, Hitachi manufactured a whole run of HDDs for Dell computers, and lucky us, we decided to refresh hardware in two of our student labs while these units were still in active release.

One machine after another, disks would fail to spin on boot - not every time, but as time went on, the drive jamming got progressively worse. (I can't actually recall now what the real issue was - perhaps the actuator or spindle itself.)

As this went on, the boss jumped up and down at Dell, who *finally* found the problem with the Hitachi units and actually acknowledged, that yes, they (in fact the entire workstation) would be replaced under warranty. It took a while to arrange swapping out nearly 100 machines, so I could enjoy the googly-eye effect from bleary-eyed students in the lab as I went around thumpa-thumping the northeast corner of each box before lectures started.

0
0

New Windows 10 privacy controls: Just a little snooping – or the max

Trixr

Re: Hmm

And has anyone requesting home support actually heard from a real engineer? Without paying loads of cashmoney up front?

My one and only consumer interaction with MS (the once-a-year freebie support) consisted of some purported "MVP" telling me the reason I had a niggly issue with Start Menu searches (in Win 7) was because of a virus. He didn't even attempt to ask me to rebuild the search cache, check the search location configuration, etc etc. No, it was a virus. Even when I told him I had done all the above steps, it was *still* a virus. My computers have not had a virus since circa 1990.

And no, he didn't want me to prove that wasn't the case by supplying a report from any AV he proposed. He "resolved" the case with the "solution provided". Even if it had been a virus, he actually hadn't provided a solution either. The thing that particularly grates my cheese is that there was no mechanism of providing feedback on the "support" I received from that moron.

My experience with Premier Support has been consistently great, so that was a rude shock.

2
0

Oz government on its Centrelink debacle: 'This is fine'

Trixr

Re: Communication

Except the purported "facts" are not actually facts, for many of the people who have received speculative invoices. Which, the last I heard, is illegal in this country.

Not to mention that the principle of the presumption of innocence (and thereby, the burden of proof residing with the accuser) is a legal principle going back to Roman law as codified by Justinian in the 6th century. Modern legislation and case law is based on this principle, with additional definitions around standards like "preponderance of evidence" or "more probable than not" required for civil cases.

The supposition that a yearly figure provided by the ATO equates to a fortnightly income spread equally across 26 fortnights over the year is patently false for probably most of us, including those of us who have never in their lives received a Centrelink payment. Nor can it be determined from the ATO data that anyone received X income in any specific fortnight over that period. It certainly doesn't meet a test of "more probable than not" that someone double-dipped during any fortnight they received payments.

Also, that supposition is known and has always been known to be false by staff on the ground, which is why the review process (once a (former) Centrelink client's income was flagged by matching with the ATO data) was manual prior to this govt's budget-boosting exercise based on entirely false figures.

11
0

NSW government drops a Catch: Bus Wi-Fi is a privacy nightmare

Trixr

Re: Is that even legal?

Privacy law downunder, compared to what EU regulation was even in the early 2000s (when I was living in the UK), is complete and utter shite.

My first IT jobs were in the UK, and I was trained on privacy stuff accordingly. Doing IT work in Oz and NZ still continues to gobsmack me with the breathtaking liberties organisations can take.

2
0

Australia: Stop blaming Centrelink debts on its IT systems

Trixr

Re: Garbage In → Garbage Out

A retired senior Centrelink worker wrote a post that says that the former process (after the data match) was manual precisely because they KNOW that tax figures are yearly, and their payments are fortnightly. And they did the work of following up with employers and so on - I sure as hell don't keep 6 years of my pay slips!

But you know, they save staff costs by scaring the sh*t out of people, and by ensuring people who are already "disempowered" in many ways (sorry for the wank word, but it's true - people who are on the dole often aren't the most technical, and the challenge process is online-only) are more likely to simply pay up rather than go through an opaque and challenging process. It's challenging even for people who have been in reasonably-skilled work for years and who have the pay records! (See The Guardian for the pieces written by the guy who started kicking up a fuss last month.)

Also, I don't actually believe the govt spin that 80% of the debts are genuine - I think it's 80% that haven't been challenged, which is something else.

Finally, from a technology point of view, there is some room for improvement. There is no means of recording a fortnightly breakdown of your earnings (assuming you have the proof) on the form that they've provided to challenge the debt.

3
0

Did webcam 'performer' offer support chap payment in kind?

Trixr

Re: Oops

People like to sh*t over Exchange for some reason (metaphorically speaking), but I have had plenty of cause to be grateful there's a single-line command that can yoink that kind of thing out of every mailbox in the organisation.

0
0

Sayonara North America: Insurance guy got your back when Office 365 doesn't?

Trixr

...AND the mitigating "technical solutions", as alluded to in the article. Such as the backup the vendor doesn't actually provide or charges several body parts for. Such as inter-site replication (if they offer it).

It all adds up, and frankly for apps that are used by all staff, such as email, particularly if there is a high service expectation, I don't think it makes sense once you get into medium-sized enterprises, unless you literally have no on-prem IT at all. Or if the on-prem IT is insecure and unreliable.

Sure, use the cloud to supplement your backup solution. Use it for apps that are not business-critical or have a small user base. For what remains, BE CAREFUL.

1
0

Itchy-fingered OnePlus presses refresh, out pops value champ 3T

Trixr

Would love to get one...

But unfortunately it (in any of the three variations) doesn't support the primary 4G bands used by the mobile services I'm on in Oz and NZ (two different providers).

I could live without the storage expansion, but having to use 4G bands with less coverage is a deal-breaker.

I think they cover the bands used by Voda, but I'd set my phone on fire rather than use them.

0
0

Lenovo: If you value your server, block Microsoft's November security update

Trixr

Re: Go ahead

Try and get that all up and running in a day, complete with robust HA. Exchange just works, for enterprises with more than a few dozen people.

1
4

Brit upstart releases free air traffic app for drone operators

Trixr

Yeah, thanks, whether or not a drone being ingested into an engine during a critical flight phase can cause a catastrophic failure - btw Concorde crashed because of a small strip of metal - frankly, as a passenger, I'd rather that pilots were entirely undistracted by things buzzing them outside the windshield while they're on final approach to an airport like LHR, FRA, LAX etc.

2
0

SQL Server on Linux: Runs well in spite of internal quirks. Why?

Trixr

Re: Exchange?

Bollocks. Sendmail isn't even the best MTA. I'd rather Postfix as my gateway x1000.

Exchange is frankly unrivalled in the enterprise for scheduling, shared mailboxes, general mailbox management, HA, etc etc etc. Set it and forget it.

8
0

Microsoft's cmd.exe deposed by PowerShell in Windows 10 preview

Trixr

Re: Well Done Microsoft

WIN+R > "cmd"?

That's the way I've accessed the command prompt for nearly 20 years. That's not going to change.

I mean, with all this screaming, you'd think that MS was doing away with it altogether, which is patently not the case. They're rejigging a couple of shortcuts, FFS.

0
0
Trixr

Re: Yet another Windows 10 annoyance

So they'll not "pry cmd.exe from my cold hands" and yet you use Cygwin anyway. Logic fail.

I detest Cygwin - back in the NT/early 2000s days, I installed Perl on servers to get away from the dreaded VBscript when you needed to chain a lot of stuff together or do heavy string manipulations.

But PS is even better than Perl in terms of Win systems management, and is pretty good with strings/regexes (although the -match syntax is odd). I just wish PS had an equivalent to DataDumper, which would help old batch scripters get used to what's going on inside arrays/hashtables (yes, you can do get-member, but that's not the same).

0
0
Trixr

Re: ksh or nothing, thank heavens for cygwin

I'm no Mac fangirl, but frankly, if you detest windows so much, why on earth aren't you running PS on a Mac?

It sounds like your environment is virtual, but there's workarounds for installing a Mac guest.

0
0

Three-commas Thiel expresses love for himself, Trump and downtrodden millionaires

Trixr

I can't believe he's gay

That is literally the worst haircut I've seen on a gay man. Although the "Trump junior comb-over" doesn't really favour anyone.

7
3

Boffin's anti-worm bot could silence epic Mirai DDoS attack army

Trixr

Re: "prompt the user to reboot"

Yeah, I don't know what the angst is, other than breaking laws. How many consumers are using telnet with these devices?

For those who are, you'd expect they'd be savvy enough to use another way to get in and reset their telnet environment, although then again, the apps that are supplied probably don't expose that configuration interface.

So, maybe an app update to allow that config to be exposed, assuming they're not using port 80 and no key exchange to do it.

SSH would be more of a conundrum, although I suppose if it's compromised, the same mitigations would apply.

0
0


Biting the hand that feeds IT © 1998–2018