Call me old-fashioned
...but I'd rather have quality updates rather than updates released for the sake of some marketing cadence.
312 posts • joined 30 Jun 2009
Belatedly, but whoever made the decision that Linux should simply restart with no prompt if CTRL-ALT-DEL is done in a console session should be shot. It's not as if Windows hadn't been around a fair while when Linux actually became more than a bare kernel.
With 100 PCs, you'd hope they'd be sending their jobs to a print server, not individually straight to the device.
You can use the GUI or NET PRINT commands to target a specific queue (naturally your print server will generally be used for multiple printers), or stopping/restarting the spooler (after a pause) is normally sufficient to clear the whole server without having to delete SPL/SHD files (some might be left hanging around if they were corrupt).
I worked with a moderately psycho telephone engineer who thought it was a great laugh to include a similar mass of wires, relays and the like in my luggage when I was stupid enough to leave it unattended in our office before flying overseas that evening.
I got all the way from the UK to NZ without it raising any flags (that I know of), and you will just have to imagine the air turning blue, with thunderbolts, when I finally opened my luggage and discovered his "present".
This was in 2002, when everyone was still feeling very delicate about 9/11, security at Heathrow was obtrusive and paranoid, and they took those questions about "did you pack your own luggage" etc very seriously.
He's fortunate I didn't take out an HR complaint on him, but I got a job while I was in NZ and only returned for as long as it took me to wind up my old job.
This was not long after he'd had a spitting screaming rant at us sysadmins for having the temerity to have two pints one lunchtime around the holidays. So it wasn't just "harmless fun" - he was a nut bag, but not stupid, and had to have realised his "present" could have caused me a fair amount of trouble during my travels.
...I thought that "insert disk 2 of 6" on top of disk 1 of 6 *already* in the drive was an urban myth until I saw it multiple times at a university I worked at. Ah, students.
Yup, me too.
Exactly the same thing happened to a Dell tech a decade later at a place I was working at in the UK. We'd just gone to a new service contract where us admins were to be "hands-off" the hardware. PSU died in a server, Dell shipped a new one from the US, followed by a shiny new tech to install it.
We all stood around watching the new support arrangement in action... and managed not to giggle aloud when he unwrapped the PSU and installed it without the merest glance at the voltage switch position (poor dude was a bit nervous with the entire systems admin team "observing").
After a nice bang! and the magic smoke escaping, we ended up getting a brand new CPU, memory, motherboard AND PSU.
I don't think it was *you* who somehow screwed it up. Almost exactly the same thing happened to me updating the Nvidia driver on the Solus distro. A distro that purports to seamlessly deal with graphics driver updates.
For me, I didn't bother with recovery after I saw the grub rescue - I just wiped the Solus off my dual-boot laptop and reinstated the Windows bootloader. Yet another Linux distro that bit the dust for me. I get really sick of how fragile Grub is.
Correct - Exim was "experimental" for a fair few years. Postfix came out in 1998, but I didn't use it till v2.2.
smtpd_timeout was a lovely thing, not to mention all the smtp client timeouts going the other way (no waiting forever tying up a process waiting for a receiving MTA to respond).
I have to say that operating a catchall address in this day and age is really a liability and not an asset. Unless of course you're maintainer of some RBL.
If you want to know who's trying to spam you, you simply look at the mail log and the rejected messages.
If you're using it as a honeypot to construct some kind of home-baked RBL, then just subscribe to Spamhaus Zen. Their database is orders of magnitude bigger than anything a little home domain will encounter... and is therefore much more useful if some exploit is in the wild. It's free for a host processing less than 100,000 SMTP connections per day. I used it for my medium-sized organisation (5000 mailboxes) until they made us get crappy Ironport. Like any RBL, the rejected connections are clearly logged in the mail log.
If you're operating a catch-all to capture misspellings of your email address(es), simply set up a catch-all that's aliased only with the likely misspellings.
That Schneier advice is now a decade old.
The common advice these days is long pass phrases that don't have to be changed too frequently, and 2FA.
It's uncanny - it's almost like she's worked at my organisation (down to the exec using Dropbox), and she would have been shown the door quick smart with sensible observations like those.
Yeah, I don't mind El Reg going for the tabloidy headlines when it's amusing, but this really is a misleading spin on the situation.
Also, since I was at the presentation, MS clearly had a matrix of services that were going to be approved for Protected status (in conjunction with the appropriate controls as implemented by the relevant agency - they have responsibility too). There were at least a dozen or so services that were excluded.
If it's a Linuxy box, check out Fail2Ban. Dynamically creates iptables rules on receiving bad logon requests (or whatever other criteria you select in the sshd.log) at whatever frequency/time interval you choose.
I used it for Postfix, for dropping SMTP connections that were attempted more than three times in a row from hosts that were blacklisted in our RBL - those got banned for 6 hours. Also, hosts that attempted more than 20 messages in 5 mins to "unknown recipients" - they were dropped for 2 hours, I think - a cheap person's DHA throttle.
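The two thresholds described in the comment above, worked through as an added example in Python; this is not the commenter's Fail2Ban configuration or Fail2Ban's own code. The log lines are constructed, and the 10-minute window for the RBL rule and all function names are assumptions, since the comment gives no interval for that rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the comment: ban when a host exceeds max_hits inside window.
# The RBL window is an assumption (the comment states none).
RULES = {
    "rbl": {"max_hits": 3, "window": timedelta(minutes=10), "ban": timedelta(hours=6)},
    "unknown_rcpt": {"max_hits": 20, "window": timedelta(minutes=5), "ban": timedelta(hours=2)},
}

# Anchored at line start: the client IP is read from the bracket Postfix writes
# itself, never from later sender-controlled fields (from=, to=, helo=).
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<reason>.*)$"
)

def parse(line, year=2024):
    """Return (timestamp, ip, rule) for a reject line covered by RULES, else None."""
    m = REJECT.match(line)
    if not m:
        return None
    if " blocked using " in m["reason"]:
        rule = "rbl"
    elif "User unknown" in m["reason"]:
        rule = "unknown_rcpt"
    else:
        return None
    # Syslog timestamps carry no year, so one is supplied by the caller.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], rule

def detect_bans(lines):
    """Sliding-window count per (ip, rule); returns (ip, rule, start, end) bans."""
    hits = defaultdict(deque)
    banned_until = {}
    bans = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, ip, rule = event
        if banned_until.get(ip, ts) > ts:
            continue  # host is already banned; a firewall rule would drop it
        cfg = RULES[rule]
        window = hits[(ip, rule)]
        window.append(ts)
        while ts - window[0] > cfg["window"]:
            window.popleft()  # forget hits older than the rule's interval
        if len(window) > cfg["max_hits"]:
            banned_until[ip] = ts + cfg["ban"]
            bans.append((ip, rule, ts, ts + cfg["ban"]))
            window.clear()
    return bans

def sample_log():
    """Constructed Postfix reject lines using documentation IP ranges."""
    base = datetime(2024, 1, 10, 12, 0, 0)
    tail = "from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<x>"
    rbl = "554 5.7.1 Service unavailable; Client host [{ip}] blocked using zen.spamhaus.org; " + tail
    unk = "550 5.1.1 <u{n}@example.org>: Recipient address rejected: User unknown in local recipient table; " + tail

    def line(t, ip, reason):
        return (f"{t:%b %d %H:%M:%S} mx postfix/smtpd[4242]: NOQUEUE: reject: "
                f"RCPT from unknown[{ip}]: {reason}")

    out = []
    for i in range(4):   # 4 RBL rejects in 4 minutes: exceeds 3, banned
        out.append(line(base + timedelta(minutes=i), "203.0.113.5", rbl.format(ip="203.0.113.5")))
    for i in range(3):   # exactly 3 RBL rejects: not banned
        out.append(line(base + timedelta(minutes=i), "192.0.2.9", rbl.format(ip="192.0.2.9")))
    for i in range(21):  # 21 unknown recipients in 200 seconds: banned
        out.append(line(base + timedelta(seconds=10 * i), "198.51.100.7", unk.format(n=i)))
    for i in range(21):  # 21 unknown recipients spread over 10 minutes: not banned
        out.append(line(base + timedelta(seconds=30 * i), "198.51.100.8", unk.format(n=i)))
    return sorted(out)   # same-day timestamps sort chronologically as text

if __name__ == "__main__":
    for ip, rule, start, end in detect_bans(sample_log()):
        print(f"ban {ip} ({rule}) from {start} until {end}")
```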
DesktopInfo is a wonderful tool.
Just come up with a template INI file and stick it somewhere all RDP users can read it, create a shortcut in ProgramData...\Startup to launch desktopinfo.exe for all users, and bake that into your gold image. Easy to package and distribute as well.
Then you get the name of your system as big as you want on screen - colour code for prod/non-prod if you're fancy, and some cute at-a-glance statuses if you want those as well.
Yes, of course you *hope* I test changes. I haven't even deployed these updates into our DEV environment yet. I always wait at least 3 days. Then there's at least 10 days before they go to Prod.
In my experience, we've been more affected and put more at risk by deploying crappy patches too fast than any runaway exploit.
Yeah, I'm sure going to love running around setting reg keys on 300+ servers. Thank god the yanks get to find out this crap before we do.
It would help if MS didn't screw up *any* part of the TCP/IP stack or network configuration with a bloody routine patch.
Dude, if you think Active Directory "is dead", you're having a laugh. I don't care where in the world you upload your crap, if there's any security on it, you're using authentication and authorisation services.
As it happens, the core of Azure is still based on AD technologies - yeah, sure, SAML wrappers etc, but what do you think is validating your claims?
Having directory services combined with Kerberos with minimal configuration required was a killer feature. I still don't think Samba has caught up with AD services, except for basic stuff, but there's nothing wrong with the LDAP + Kerberos stack.
As for SMB, I don't think it's that great myself, but it's a sh*tload better than SharePoint. Try storing multi-gigabyte binary files inside a SQL database and see what your DBAs say. Try storing 27 million files of 5-150 bytes in size in SharePoint (which is exactly what is in a directory on one of our file servers right now ... and I *wish* they'd ingest those into a database!)
And if you want to store a bunch of docs and spreadsheets on a web server, SharePoint is still shite. A simple WebDAV is better. The only benefit I can think of with SharePoint is in a clustered instance, where you've got your stuff spread across a large farm. And that's only because of the clustering technology, not because it's a great way to store and retrieve files.
Obviously I'm behind the times in thinking that a billion dollar business no longer qualifies as a "start-up".
Please read up on serial commas and the fact they are NOT required where you have a conjunction, depending on what writing STYLE you happen to have adopted.
If you have a preferred style, fine. The serial comma is common in the US (and Oxford, natch). There's nothing about an "and" that implies the entities are "a couple".
Sorry, why on earth would you allow a 500MB message size??????
Internally or externally.
I'm afraid that's the fault of the administrators, not the users exploiting the really stupid system.
Dude, no-one has confirmed whether that WAS the breach. Useless to speculate.
Yes, if Equifax were using Struts and didn't configure it according to best-practice, then sure, hang them out to dry.
I pretty much credit my IT career with my early understanding of the power of the placebo.
I worked in a law firm in the late 90s that had recently switched from Word Perfect to Word, complete with very gnarly macros. Often the Win 3.11 machines would virtually grind to a standstill, and the quickest way to free up the memory was a simple reboot.
Lots of the secretaries (and pretty much any user today, of course) would swear black and blue that they had already rebooted and it was "something else" causing the problem when their machine went to snail pace.
So my Advanced Desktop Support technique was to go to the affected machine, run up the command prompt, run a "dir /s" on the C:\ drive, make some muttering sounds as the output scrolled down, THEN do the reboot. Apparently I was the "best" desktop support person in the place because I "went the extra mile to *fix* the problem". Fast forward to being a shiny new NT administrator in the Ops area 6 months later.
Sounds like the experience we had with the EMEA support branch of a well-known US computer manufacturer shortly after our boss signed us up for a "fully managed" hardware support service for our machines.
PSU blew in one workstation about a week after this arrangement came into play, we called, a package with the replacement PSU was couriered to us, and the tech followed to install it the day after. We were keen to experience the delights of this fully-managed service, so we were STRICTLY hands-off.
The package was festooned with obvious US-origin courier labels and in what was obviously the factory packaging. All three of us systems admins were gathered around the bench waiting for the MANUFACTURER tech to work his magic - poor dude.
So he opened the packaging, removed the nice, shiny, factory-new PSU, flipped it over without even glancing at the voltage selector switch, installed it, plugged in the box, powered on and BANG!
So yeah we got a new motherboard, new RAM and new CPU out of that little number. And a good laugh once the tech departed. We managed to restrain ourselves to a polite "whoops" when it blew up almost in his face.
I do not understand any tech anywhere in the world (maybe not the US itself, since they seemed to assume they were the default) not double-checking a PSU voltage selector in the late-90s - a very basic routine check.
I won't bother relating the story of the "hot-swappable" server SCSI hard drive on the student registration system that most certainly was not. Thank christ it wasn't just before (or DURING) enrolment time.
I don't know why all the downvotes - are any of these from anyone who works with a substantial email environment? (Multiple enterprises, or even medium-large enterprises?)
I thought Google was on the right track with their Wave idea. Of course, their ramming it down everyone's throats and the fact Google were going to make it their proprietary thing meant its death-knell, deservedly so.
But the idea of moving seamlessly between an IM conversation style to a message delivery system in "offline" mode (if you like) was great. How the security and connection handshake could be handled with multiple providers is something else, because of course Google weren't designing for that either. Something like the messaging equivalent of Diaspora (the social media platform), where multiple nodes can intercommunicate, perhaps.
I know that some would say it'd be overly complicated, but if anyone thinks that pure SMTP is workable these days, they're dreaming. Multiple message formats, multiple mail access protocols, bolt-ons (and they ARE bolt-ons) like SPF, DKIM and DMARC, the gymnastics required to encrypt messages and the transport layer, SenderBase, RBLs, etc etc etc etc.
I dunno, the first thing I do is change the RGB settings on that medium grey they use for the default text to something much lighter. Not having to do that on every new box I log on to would be nice.
Similar issue I had in an academic institution in London, which had multiple buildings spread across Bloomsbury. The connector was seemingly the BEST thing to hang an academic's coat on, despite multiple reminders to the office occupant that it was not in fact its purpose.
Traipsing across half of the west end when it was hosing down was not my favourite activity.
Yup, I know of an instance where a certain country's largest airport's ATC systems were literally two minutes away from a complete power failure. Mains power didn't come back after some issue with switching between that and the genny (I did hear the gory details, but my understanding of what's what was limited). The contract electrician (no more on-site sparkies after "efficiency" cuts) had to be called out from the other side of town (a town with awful road congestion at the best of times).
The only reason the whole lot didn't go down was due to the site manager and staff literally running around the ops building and tower powering down every single piece of electrical equipment that did not concern the tower cab's ATC display systems and nav aids. Was there any review in terms of obtaining another genny and/or onsite sparkie during operational hours? No.
I dunno, it's not a bank holiday in India, and they're probably flogging all the poor bastards to death over there.
Totally agree. So far it's mostly "oops, here's a workaround, hope you guys fix it soon", rather than rants about "Linu$$$" and "Tridge-hell" and the like.
This schoolgirl did, although I didn't choose "BOLLOCKS" as my text of choice. :-)
And this is why they invented Dropbox (etc). That's where my book stash lives, as well as about three actual devices.
The wankers running the gas-fired turbines said they didn't get 'enough warning' to spin them up. It was complete lies, since they were warned a few days in advance that the gas-fired capability would likely be required when the weather hit.
Of course the govt was at fault for not ringing them up first thing in the morning of the storms to ask "Are those #*@*% things on yet?"
If you're going to imitate a Mickey-Rooney-quality "Asian" accent, get your Rs and Ls right. The Chinese pronounce Ls, the Japanese pronounce Rs. So your "Chinaman" would be Japanese given that sample. But never let accuracy get in the way of an ethnic stereotype.
Actually, for us non-American colonials (in NZ), "kindergarten" refers to pre-school for the ages of 3-4. We start at age 5.
If you're running the Professional edition, just use GPEdit to stop it. There's plenty to google on using group policy to limit how Windows update works.
Yes, the profiling is so advanced that when my Buddhist Sri Lankan-born boss and her similarly-spec'd hubby travelled to the US during the Bush II years, on their Australian passports (being citizens for 30+ years), they were stopped and searched - at length, the "please step into this room" treatment - at every single US airport they transited through on their journey.
No criminal record, no military service in birth or residence countries, no visas to China, Russia, Cuba, Middle-East nations yadda yadda in their passports, no ticking luggage, and the purpose of their two-week visit was to attend an academic conference at Georgetown University and see family members in two other cities.
There may be things you could say about what Sri Lankans of the military persuasion do to Tamils in that country, but as far as I know, the yanks have never been that fussed about that. Buddhists aren't really that renowned for their suicide bombings or jihads at the best of times.
Of course, they did fit the advanced profile of being suspiciously brown in skin tone. And sure, it seems that the US border guards are improving their detection rate based on such techniques by exponential rates at present.
I have W10 Pro at home, and it's fine in terms of being able to be locked down. GPEdit is your friend.
And no, as far as I'm concerned, work kit remains just that. I'm not letting my personal data anywhere near it.
Er, how are the potential failures of MODERN SSD storage potentially any more risky than other storage devices? Bad firmware = bad firmware, no matter what the storage substrate.
I remember having to replace 300+ Hitachi drives in the early 2000s - good old spinning rust, manufacturing fault with the actuator or actuator arm, I can't remember which. Ok, most of that was preventative replacement, once Dell finally admitted the problem, but a 1/5 failure rate was pretty noticeable prior to that.
Ugh. At least they have an API now, though. So pipe the data out of the crappy application and set up a decent one. As for the email functionality, at least no-one's trying to resurrect that (keeping it running in zombie mode is something else).
Are you serious?
In Exchange, you can lock down a list to only allow specified senders. It takes about 5 sec, via the GUI or PowerShell. We generally control these via another group - e.g. $list-senders are the only ones allowed to send to specified list. Even if one of the permitted senders screws up, the Reply-Alls don't go far.
If you have any smarts, and you're actually allowing end-users to set up email lists, you'd run some kind of script on a schedule to check for email-enabled groups with (recursive!) members > $number and verify that all of those have sender restrictions on them.
For the NHS, the fact the storm went on for that long is appalling - it should have taken approx. 2 mins to lock the list (assuming someone had to logon to a box to set the restriction). Give it 15 mins for someone to verbally raise the alarm... (although, again, if end-users can set up the lists, you'd expect some pretty gnarly monitoring to be in place to actually raise an alert itself, even just seeing if the queues are filling up.)
And from the sysadmin side, I am amazed anyone still uses Sendmail, for precisely that reason.
In the early 2000s, Hitachi manufactured a whole run of HDDs for Dell computers, and lucky us, we decided to refresh hardware in two of our student labs while these units were still in active release.
One machine after another, disks would fail to spin on boot - not every time, but as time went on, the drive jamming got progressively worse. (I can't actually recall now what the real issue was - perhaps the actuator or spindle itself.)
As this went on, the boss jumped up and down at Dell, who *finally* found the problem with the Hitachi units and actually acknowledged, that yes, they (in fact the entire workstation) would be replaced under warranty. It took a while to arrange swapping out nearly 100 machines, so I could enjoy the googly-eye effect from bleary-eyed students in the lab as I went around thumpa-thumping the northeast corner of each box before lectures started.
And has anyone requesting home support actually heard from a real engineer? Without paying loads of cashmoney up front?
My one and only consumer interaction with MS (the one-a-year freebie support) consisted of some purported "MVP" telling me the reason I had a niggly issue with Start Menu searches (in Win 7) was because of a virus. He didn't even attempt to ask me to rebuild the search cache, check the search location configuration, etc etc. No, it was a virus. Even when I told him I had done all the above steps, it was *still* a virus. My computers have not had a virus since circa 1990.
And no, he didn't want me to prove that wasn't the case by supplying a report from any AV he proposed. He "resolved" the case with the "solution provided". Even if it had been a virus, he actually hadn't provided a solution either. The thing that particularly grates my cheese is that there was no mechanism of providing feedback on the "support" I received from that moron.
My experience with Premier Support has been consistently great, so that was a rude shock.
Except the purported "facts" are not actually facts, for many of the people who have received speculative invoices. Which, the last I heard, is illegal in this country.
Not to mention that the principle of the presumption of innocence (and thereby, the burden of proof residing with the accuser) is a legal principle going back to Roman law as codified by Justinian in the 6th century. Modern legislation and case law is based on this principle, with additional definitions around standards like "preponderance of evidence" or "more probable than not" required for civil cases.
The supposition that a yearly figure provided by the ATO equates to a fortnightly income spread equally across 26 fortnights over the year is patently false for probably most of us, including those of us who have never in their lives received a Centrelink payment. Nor can it be determined from the ATO data that anyone received X income in any specific fortnight over that period. It certainly doesn't meet a test of "more probable than not" that someone double-dipped during any fortnight they received payments.
Also, that supposition is known and has always been known to be false by staff on the ground, which is why the review process (once a (former) Centrelink client's income was flagged by matching with the ATO data) was manual prior to this govt's budget-boosting exercise based on entirely false figures.
Privacy law downunder, compared to what EU regulation was even in the early 2000s (when I was living in the UK), is complete and utter shite.
My first IT jobs were in the UK, and I was trained on privacy stuff accordingly. Doing IT work in Oz and NZ still continues to gobsmack me with the breathtaking liberties organisations can take.
A retired senior Centrelink worker wrote a post that says that the former process (after the data match) was manual precisely because they KNOW that tax figures are yearly, and their payments are fortnightly. And they did the work of following up with employers and so on - I sure as hell don't keep 6 years of my pay slips!
But you know, they save staff costs by scaring the sh*t out of people, and by ensuring people who are already "disempowered" in many ways (sorry for the wank word, but it's true - people who are on the dole often aren't the most technical, and the challenge process is online-only) are more likely to simply pay up rather than go through an opaque and challenging process. It's challenging even for people who have been in reasonably-skilled work for years and who have the pay records! (See The Guardian for the pieces written by the guy who started kicking up a fuss last month.)
Also, I don't actually believe the govt spin that 80% of the debts are genuine - I think it's 80% that haven't been challenged, which is something else.
Finally, from a technology point of view, there is some room for improvement. There is no means of recording a fortnightly breakdown of your earnings (assuming you have the proof) on the form that they've provided to challenge the debt.
People like to sh*t over Exchange for some reason (metaphorically speaking), but I have had plenty of cause to be grateful there's a single-line command that can yoink that kind of thing out of every mailbox in the organisation.
...AND the mitigating "technical solutions", as alluded to in the article. Such as the backup the vendor doesn't actually provide or charges several body parts for. Such as inter-site replication (if they offer it).
It all adds up, and frankly for apps that are used by all staff, such as email, particularly if there is a high service expectation, I don't think it makes sense once you get into medium-sized enterprises, unless you literally have no on-prem IT at all. Or if the on-prem IT is insecure and unreliable.
Sure, use the cloud to supplement your backup solution. Use it for apps that are not business-critical or have a small user base. For what remains, BE CAREFUL.
But unfortunately it (in any of the three variations) doesn't support the primary 4G bands used by the mobile services I'm on in Oz and NZ (two different providers).
I could live without the storage expansion, but having to use 4G bands with less coverage is a deal-breaker.
I think they cover the bands used by Voda, but I'd set my phone on fire rather than use them.
Try and get that all up and running in a day, complete with robust HA. Exchange just works, for enterprises with more than a few dozen people.
Biting the hand that feeds IT © 1998–2018