All the King's horses ...
"The miscreants called AT&T, and claimed to be Terpin with a new phone."
... and that is where it all unwound rather nastily. Security isn't easy.
1198 posts • joined 15 Aug 2009
"sharing a database engine is why Small Business Server died"
I do not think that is the reason that it died - there are far better reasons. Customers bought it once and then stuck with it for many years without upgrading (often out of fear) - not enough built in obsolescence. It was too hard to upgrade from. I recently did one and getting to Exch 2016 from 2007 involved an intermediate migration to 2010 and the full horror of each step. Took ages.
I deployed a chain saw to fix my home Free Sat reception. The prevailing wind eventually managed to push a bit of a fir tree in the way. It was felled at 2230ish and slightly annoyed my neighbours (I couldn't hear much through my ear defenders and was only mildly inconvenienced.)
Bad move. Mondelez is probably going to have to prove that the US is actually at war with whoever delivered NotPetya (NP). NP might well have been developed for the Russian state or not (who cares - it's still nasty) but that does not constitute war.
The US and Russia are not at war: there is no merit in trying to claim otherwise. It might be considered inflammatory and perhaps reckless to imply a state of war might exist.
"Conversely do not use a defibrillator on a pc."
I once used a PC as a defib (well I passed the mains across my heart via both arms), luckily I was in my early 20s at the time and was able to shake it off. On the other hand I was in my early 20s and stupid enough to not treat electricity with due respect.
"I'm guessing we'll need "who monitors the monitors" in Latin now to make it sound impressive in reports, it's no longer about the watchers."
What you asked for is "quis custodiet ipsos custodes" what you will get in return from Equifax is "futue te ipsum et caballum tuum".
"How exactly does the Linux malware get onto the Linux system in the first place, without the user downloading and running the malware and providing the root password?"
Sadly many installers these days consist of something like this:
# curl https://bit.ly/script.sh | /bin/bash
Not everyone downloads the script first and analyses it before running it. To be fair it is no more dangerous than installing *anything* off, say, Tucows on a Windows box.
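As an added illustration of the "download it first, then look at it" habit the comment above refers to (this is example code, not something from the original post or from any installer project), the shell functions below fetch an installer to a file rather than a pipe, compare it against a published SHA-256, and only then execute it. The URL, digest and the sample installer in `demo` are all constructed placeholders.

```shell
#!/bin/sh
# Added example: treat a downloaded installer like any other untrusted file.
# Assumed workflow: fetch to disk, verify the published SHA-256, read it,
# and only then run it. Nothing here is the original commenter's code.

# Download to a file instead of piping into a shell. A broken connection
# then leaves a truncated file to inspect, not a half-executed script.
# -f fails on HTTP errors, -sS keeps errors visible without a progress bar.
fetch_installer() {
    url="$1"; out="$2"
    curl -fsSL -o "$out" "$url"
}

# Compare a file's SHA-256 with the value the project publishes.
# Returns 0 on match, 1 on mismatch (both digests are printed to stderr).
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected got $actual" >&2
    return 1
}

# Execute the script only when its digest matches; on mismatch it is left
# untouched on disk so it can be read and compared.
verify_and_run() {
    file="$1"; expected="$2"
    verify_sha256 "$file" "$expected" || return 1
    sh "$file"
}

# Constructed sample: a stand-in for a fetched installer so this runs offline.
# The "published" digest is computed from the clean copy, then the file is
# modified to show that the altered copy is refused.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$tmp"
    good=$(sha256sum "$tmp" | cut -d' ' -f1)
    verify_and_run "$tmp" "$good"               # prints "installer ran"
    printf '%s\n' 'echo "tampered"' >> "$tmp"   # simulate a modified download
    verify_and_run "$tmp" "$good" || echo "refused to run tampered script"
    rm -f "$tmp"
}

demo
```

In real use the sequence is `fetch_installer URL file`, a read through the file, then `verify_and_run file DIGEST` with the digest taken from the project's release page rather than from the same download location.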
This is a proper nerdy article which has slithered onto el Reg. Me: I absolutely love it. You can try and use terms like "Linux supremo" to try and sound a little bit user friendly but in the end this is a complex subject that will have many readers glazing over before line three. STIBP THBIS NONBSEPNSE is close to genius (OK: I spat wine on my screen!) Well researched and documented article - thanks.
Now as to the meat: Spectre and Meltdown have yet to really *be* compromises as far as most of us civilians are concerned. We don't yet hear of any S&M compromises but they surely exist and will be deployed by the clever mob. The not so clever mob (the usual non govt haaxxor nob ends) will eventually come up with something and become a pain.
Keep patching, kids.
"Setting up your own VPN might look like a great solution but it is not as clear cut. For a start you probably end up renting a "machine" somewhere for always-on connectivity and a fixed IP address which will cost more and/or also have the question of who has physical access to it."
For starters you may already have a router capable of being a VPN concentrator. If not then DD-WRT, Tomato, pfSense, Netgear, Draytek and many others can. You do not need a static IP either - there are loads of dynamic DNS operators available. Most routers will have a built-in client for DDNS as well.
So, no: don't think you should rent a machine in the cloud unless you know what you are doing. Subscribe to /r/homenetworking on Reddit or the pfSense forums or whatever and find out how to get your home network in shape first. The only reason I can think of to not host your own VPN at home is if your ISP blocks all inbound access.
"After all, most people in the UK who want to look like they're connecting from the US"
Why on earth would I want to appear to be from the US? My use case is to appear to be from the UK when I am abroad so that iPlayer works and I can be confident that I am not being MitM'd.
My OpenVPN relies on *my* CA trust working and if it refuses to connect then I reach for Wireshark to find out why not. If the "free" wifi is being naughty and doling out certs and intercepting TLS it soon becomes obvious.
"Now excuse me while I go and reboot my IOT immersion heater controller with which I replaced the old electrical timer switch that worked perfectly. I'm not joking either, I'm a moron. It must have been a pissed Amazon purchase but I can't remember."
What?? You haven't wired up an ESP8266 based thingie to it for that very purpose. Obvs, you'll need another one to restart the first and then it's ESP8266s all the way down ...
We are all morons. You should see what I've done to my U/F heating. I nearly cooked the dog.
"The two features I buy Windows Pro for are the ability to join a domain, and RDP"
Well then we have you covered: Join the domain with winbind (Samba) and use xfreerdp - many GUIs available. I have Kerberized everything on this laptop I am using right now. I get my files by accessing folders in my home dir that magically mount shares via autofs. LibreOffice for office stuff. Email from Exchange through Evolution. Printing via CUPS. TeamViewer works for providing remote support. KeePass native for password management.
Quite right and go a bit further. Engineers should design against failure and not consider it a bit of a downside.
I am still putting together my IoT stuff at home and one of my requirements is that everything fails safe and has a manual control. So, for example, my home's underfloor heating is controllable via Home Assistant and via the thingies on the wall.
According to McAfee, the average business uses around 1,900 cloud instances, but most of the companies they surveyed only thought they used around 30.
Define average. I suspect that the word instance here is suffering from a severe case of mission creep to assist headline generation. If nothing else I bet that the thing that instance refers to in "1900 cloud instances" is not the same thing as the 30 instances that the companies know about.
"for anyone even daring to think about using IoT for this sort of thing."
Depends on how you do your IoT. I am spending months deploying IoT at home, each step building on the last and tested. My "hub" is Home Assistant running on a Lenovo Thinkcentre (which is properly designed to live in harsh environments). It is backed up and is on a UPS and ethernet connected. I also have a standby VM, just in case. HTTPS with a Let's Encrypt cert and HAProxy on the front (pfSense router). I have multiple VLANs, host firewalls deployed etc. I maintain my home network to as near to PCI DSS as is possible (yes, really! I'm CREST accredited and do ISO 9001 and 27001 at work). One other design requirement is that everything fails safe and/or has a manual control where applicable.
This lot has to be signed off by wifey ...
1/2 a trillion years?
I think you'll find that is 1/2 a treellion years (and could probably do with a few more eeeees). It is a staggeringly long time ago. In the age quoted (558 million years) even the least significant bit is rather a long time: eight million years. Start breaking down the timescales into bits and it all gets a bit overwhelming.
"I recently acquired a sexy new Dell laptop."
Me too. I got Arch on it without even having to accept any unwanted license agreements. Being able to update the BIOS from the EFI partition is a welcome change to the contortions Linux users have often suffered in the past (e.g. convert swap partition to a FAT32 f/s so that FreeDOS can run a DOS-only updater).
You might consider NextCloud. Mine is open to the world but securing IT stuff is my day job. If you are not sure then start with getting a VPN running for remote access to home. OpenVPN listening on 443/tcp looks very like a https website which can work nicely on many sites and you can even drill it through many web proxies if needed.
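The "OpenVPN on 443/tcp" arrangement mentioned above, written out as an added example (not the commenter's own configuration; hostnames, ports and file paths are placeholders). The server listens on TCP 443 and uses `port-share` to hand any connection that is not OpenVPN to a real web server, so a casual visitor sees a web page; the client config shows the `http-proxy` directive used to reach it through a web proxy on a locked-down guest network.

```conf
# server.conf (added example; paths and addresses are placeholders)
port 443
proto tcp-server          # TCP on 443 so the listener looks like an HTTPS site
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt                 # the private CA the clients trust, and nothing else
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0         # HMAC on the control channel; unsigned probes are dropped
remote-cert-tls client    # only accept certificates issued for client use
# Connections that do not speak OpenVPN (a browser, a scanner) are passed to
# a real web server on a local port instead of being refused.
port-share 127.0.0.1 8443

# client.ovpn (added example; hostnames are placeholders)
client
dev tun
proto tcp-client
remote vpn.example.net 443
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server    # refuse a server certificate not marked for server use
# When the only way out of the "free" wifi is its web proxy, tunnel through it:
http-proxy proxy.example.net 3128
```

Because `ca ca.crt` names a private CA on both ends, a captive portal or intercepting proxy that presents its own certificate simply fails the handshake rather than quietly succeeding, which is the check the comment describes reaching for Wireshark to confirm.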
You are probably unaware of their ePO product and the other big outfit stuff they do. McAfee has a rather better name in corp circles than you might think. To be honest, their enterprise stuff is massive and sometimes quite bewildering (I've been "doing it" for about 10 years now). I run Arch on this laptop and my office workstation and can install Gentoo without bothering to refer to a manual but sometimes an ePO can stump me for a while but not for lack of functionality 8)
I am a dyed in the wool sysadmin that owns my own company (MD). I only have around 10 Windows and 20 odd Linux servers to worry about on a VMware cluster with a slack handful of SANs, switches etc and pfSense routers.
I can't manage to patch that lot to Cyber Essentials standard all the time because CE mandates patches applied within two weeks of release. That's a laudable aim and one to work towards but the real world has a nasty habit of intruding.
For example, recently (last two months) Mr MS unfortunately released a right old bugger's muddle of updates that broke Exchange a bit (ooh me Transport Service has died) and broke older and weirder SharePoints, and screwed Azure Sync (and the rest). I have also had RDP die on 2008R2 servers until I fix certificate perms and even which one to use. I really picked the wrong time to start restricting schannel stuff and enable other MS patches via registry keys.
I *am* the pointy haired boss and have absolute power (until my office manager kicks me into touch) and know what I am doing. I'm CREST accredited and can throw together a Gentoo box without bothering with docs. There are not enough hours in the day to patch things anymore.
I have a few customers to worry about and a few PCs as well
To be honest it depends on how the 2032 thing pans out.
For me 1999 was the first year of the Linux desktop. OK, year of the Linux console - it took me a while to configure XFree86 and work out how to get a window manager together. God it looked crap compared to what I'm typing this on: sysadmins should not have to work with typeface choices and anti-aliasing was not exactly a thing.
Look, if you are going to do IoT you need: a network technician, a sysadmin, multiple sites, the mindset of a proper engineer and a lot of time to experiment and test. You'll need a safety-first mentality and a few other skills.
I have most of the above, including a lot of tape. I am starting with ESP8266s and simple circuits, Mosquitto and Home Assistant. My VMs live on a proper SAN and VMware cluster. I start with multiple segregated VLANs and firewalls (including hosts). All comms including MQTT are TLS 1.2 or similar. Web apps live behind HAProxy etc etc. If anything fails, it is designed to fail to manual operation rather than fucked.
Oh and the wife is the customer.
He is next door to Harrods and on a residential(ish) street with a *lot* of APs nearby. At least one of those will be running WEP or have a PSK of "Password1" or "hanscrescent" or something equally stupid. If he does not have internet access, then I'd be quite surprised.
He's here (Google Maps, Street View). That droopy flag is Ecuadorean and those green boxes to the right of the iron railings are BT jobbies. Yes he has the internet rather close by.
Biting the hand that feeds IT © 1998–2019