Posts by storner

68 posts • joined 25 May 2011


Schneier: Don't expect Uncle Sam to guard your web privacy – it's Europe riding to the rescue

storner
Big Brother

Re: One niggle

As seen from this (eastern) side of the pond, it is not only the US politicians who are clueless. The general population knows even less about how surveillance capitalism works, and will happily divulge any and all personal details if only there's a chance of winning a free doughnut.

It really is the same thing in Europe, we are just lucky that our politicians - miraculously, I have no idea how it came to be! - implemented reasonable privacy measures with the GDPR.

The Large Hadron Collider is small beer. Give us billions more for bigger kit, say boffins

storner
Holmes

Re: New name needed

Since there is always going to be one more accelerator, we need something that extends into infinity. Like numbers.

So I suggest "Particle Collider 0", "Particle Collider 1" etc. Abbreviated PC1, PC2 ...

Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows... Yup, it's day 20 of Trump's govt shutdown

storner
Stop

Re: Operational Incompetence

Indeed you can, that is common sense practice. The remaining days are usually added to the new certificate's lifetime.

You were told to clean up our systems, not delete 8,000 crucial files

storner
FAIL

Backups

Sounds like backing up those hard disks was not on Sam's agenda. Considering the reliability of hard disks back then, maybe it should have been.

The Palm Palm: The Derringer of smartphones

storner

I'll take the revived Nokia 3310 instead, thank you

Granted, it is 2 cm longer, and weighs 18 grams more.

But it only costs 1/10th of this little critter.

Expired cert... Really? #O2down meltdown shows we should fear bungles and bugs more than hackers

storner
Unhappy

Because certificates typically expire after 2-3 years - beancounters and bosses cannot see that far ahead (except when pulling "strategies" out of various orifices).

Even the IT monkeys doing the renewals have moved to new offices at least 3 times, so that two-year-old calendar with the post-it notes? No one remembers what it was for, so it goes in the bin.

Microsoft promises a fix for Windows 10 zip file woes. In November

storner
Devil

'Users will be relieved to know that the team is indeed actually looking at feedback, even if it seems to be skipping the “stop the thing deleting my stuff” entries in favour of “make search a bit faster.”'

You don't seem to understand that these two work together. With all user files deleted, there is a lot less to index. Hence search runs faster.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

storner
Facepalm

Re: Never should be remotely controllable in the first place

"Heavy machinery, especially something that if mishandled can kill hundreds, is not something that should be fully-controlled by software."

In that case, most commercial airplanes would have to stay on the ground.

UK cyber security boffins dispense Ubuntu 18.04 wisdom

storner
Boffin

Re: Good idea.

As others have mentioned, sudo gives you much more fine-grained control over who is allowed to do what. But there are other advantages over plain su:

- You have an audit trail of who ran which admin command when. For some of us, that is a compliance requirement.

- Communicating a shared password is difficult. Tends to happen via e-mail which is NOT secure.

- When you have 20+ servers, changing the administrator password because Joe Admin left the company is not so simple.

- Passwords can be cracked or leaked, so a security compromise of one server quickly becomes a site-wide problem (unless you use unique passwords, which complicates the distribution issue further).

I try to avoid passwords as much as possible, to the extent that my personal servers do not have passwords (a '!' for the password field in /etc/shadow). Logins can only happen via ssh using SSH keys or certificates, and sudo is set up to require a one-time password or physical token (Yubikey). If you must use passwords, at least make sure you keep them centralized (LDAP directory or similar).

In other words, think about how you implement security instead of just bashing some random tool based on a 7 year old forum post.

Rowhammer returns, Spectre fix unfixed, Wireguard makes a new friend, and much more

storner
Boffin

Re: What's wrong with OpenVPN?

As you said, OpenVPN does what it claims to do - nothing wrong with that. But Wireguard does have some things going for it:

1) It doesn't rely on OpenSSL for encryption, so there is a whole lot less code to audit if you want to check for security problems

2) It is a kernel module implementation (at least on Linux), so the processing overhead is much smaller and it should be able to scale to wirespeed while handling multiple connections. It also means that it works like any other network interface, so the usual configuration files and network scripts will take care of running your VPN.

3) Authentication and setup is much simpler, since it is trust-on-first-use, so no need for setting up your own CA.

Have a look at it, it does work quite well.

Sysadmin hailed as hero for deleting data from the wrong disk drive

storner
Facepalm

Oracle too ...

Had a database server bickering about being short of disk space. Without knowing much of Oracle internals, I found some very large *.log files lying around and promptly deleted them - I mean, there's no need to keep those old system logs, right?

So I learned the hard way what database transaction logs are. And how to convince Oracle to create a new set of transaction log files when starting up.

Fortunately, it was a very quiet database.

Huawei Honor 10: At £399, plenty of bang for buck – it's a pity about the snaps

storner
Holmes

Just leveling the power balance. Trump gets my data from Google, Xi gets it from Huawei. Let them fight over it ...

BOFH: Give me a lever long enough and a fool, I mean a fulcrum and ....

storner
Trollface

Whatever ...

Friend of mine called a support droid about some problem. "Do you have an iPhone or a smartphone?"

Somehow that does kind of make sense...

Until last week, you could pwn KDE Linux desktop with a USB stick

storner
Alien

Re: I'm going to name all my USB sticks:

Because it won't work. You need "rm --no-preserve-root -rf /" if you really want that, which is longer than will fit in a VFAT volume label.

Who can save us? It's 2018 and some email is still sent as cleartext

storner
Trollface

Re: Port 465

What you need to do ... may I suggest using an MTA with a sensible configuration language?

Sysadmin jeered in staff cafeteria as he climbed ladder to fix PC

storner

Re: What is this ?

Since it was in the Windows for Workgroups days, TCP/IP was most likely not used. Just some random address assigned by the NIC and running Netbios, IPX or some other abominable protocol.

Personally, I would have made the PC speaker start screaming at the user with a NSFW vocabulary. Guaranteed results much quicker.

Flash... Nu-uh! Tech folk champing at the bit to switch off life support

storner
Boffin

https://www.gnu.org/software/gnash/

Judge used personal email to send out details of sensitive case

storner
Unhappy

Re: An idea

They were called "secretaries" in the good old days. They are all gone now, thanks to the beancounters and efficiency experts.

NASA: Bring on the asteroid, so we can chuck a fridge at it

storner
Trollface

Re: Time to go PaddyPower

7. The fridge, being an intelligent IoT device, will notice that it needs to stock up on fresh milk, but since there is no Wifi connection in the asteroid belt it will fail to connect to Walmart and subsequently the control system crashes with an unexpected error. The thrusters therefore fail to fire, and the fridge crashes back to Earth.

US visitors must hand over Twitter, Facebook handles by law – newbie Rep starts ball rolling

storner
Boffin

Re: But

No lube, makes the "pain" part easier.

Super-cool sysadmin fixes PCs with gravity, or his fists

storner

Re: Makes me wonder

Consider that a bonus, since it would hopefully mean upgrading from the old MFM based disks to something modern and up-to-date, like PATA.

2017 is already fail: Let’s try a Chinese reboot

storner
Boffin

Re: And one more thing...

Depends on how you managed the leap second...

Windows 10 networking bug derails Microsoft's own IPv6 rollout

storner

Remembering IPs

is about as quaint as remembering phone numbers.

Face it - one of the goals of ANY new IP version is to extend the address range. So no matter how you design the protocol, you end up with more numbers per address. Saying that it is easier to remember 172.217.22.174 than 2a00:1450:400f:802::200e just does not make sense. What you CAN remember is "google.com".

Which is why we invented DNS.

It's not just your browser: Your machine can be fingerprinted easily

storner
Big Brother

Re: Mine doesn't give that data.

Your browser identifying as "Links" is enough to fingerprint you with 99.24% accuracy ...

2016 just got a tiny bit longer. Gee, thanks, time lords

storner
Pint

It's the IERS who determines such things ...

not the NPL. You got it right when it was first reported: http://www.theregister.co.uk/2016/10/10/2016_leap_second/

But hey, it's Christmas and beer o'clock so who cares if they are reusing old news. Cheers, have an eggnog on me!

Firewalls snuffed by 'BlackNurse' Ping of Death attack

storner
Childcatcher

I agree with the "(most) pen tests are crap" statement, but you should still consider disabling ping responses. It is trivial to spoof the source of a ping request, so pulling off a DDoS with your host (and many others) being used to flood someone else with ping responses is simple.

Same reason you don't respond when someone sends a packet for a closed/non-existing service, but just drop it with no response.

Britain must send its F-35s to Italy for heavy overhauls, decrees US

storner
Mushroom

Repairs? Ha! - we don't even have spare parts

One of the news stories here in Denmark this week (apart from Donald) was that we must buy spare parts for our F-35s now, because production of spare parts for our version of the F-35 will stop in a couple of years.

Oh, and our F-35s haven't arrived yet, it will be some years before they touch down here.

EU turns screws on Android – report

storner
Facepalm

Re: Typical EU

"go after anyone but Apple" sounds a bit hilarious considering this: http://www.theregister.co.uk/2016/08/30/eu_commission_rules_on_apple_ireland_tax_sweetheart_deal/

Not an EU or Apple fan myself, but fair is fair...

A USB stick as a file server? We've done it!

storner
Boffin

Slow campfire

Definitely no speed demon. There are a couple of this kind of device around; for the latest holidays I brought along a WDC My Passport Wireless which has the same features except it uses 1 (or 2) TB rotating rust storage. Just did a simple speed test, which gave me 60 seconds for uploading a 100 MB file, and 25 seconds for downloading the same.

Bought it for backing up the SD cards from the digital cameras while on-the-go (my S.O. is an ex-photographer, so a couple of hundred snaps per day is not uncommon). Works quite well.

But yes - these micro-reviews are nice.

Das ist empörend: Microsoft slams umlaut for email depth charge

storner

Totally agree. Codepage 865 (the Danish one, in case you didn't recognize it) had some of the special Danish letters mixed up with the symbols for cent and Yen. I still see the occasional bill printed by a cash register running some ancient software with the company name printed as "s<yen>n" instead of "søn".

It was "fixed" by switching to codepage 850, meaning lots of fun when trying to figure out why PCs set for one codepage would print *almost* correctly on printers set for the other ....

UK's climate change dept abolished, but 'smart meters and all our policies strong as ever'

storner
Trollface

"all households and businesses should be offered a smart meter by 2020"

Offered? So we can say "no, thanks"?

You know how that data breach happened? Three words: eBay, hard drives

storner
Boffin

Encrypt it

Easiest solution is to just encrypt whatever data you put on the disk. dm-crypt/LUKS on Linux boxes, and I'm sure MS has something similar (the name escapes my mind).

It also works if the hard disk is stolen or goes AWOL in the back of taxi.

Sure, it nips a couple of cpu cycles from your system, but most boxes have plenty of idle cycles to spare while waiting for the spinning rust to settle.

Mushroom farm PC left in the dark and fed … you know the rest

storner

Shrimps

The company I worked for did some custom applications development for a company based in Greenland, who - amongst other things - exported a lot of shrimp which all ended up in a warehouse in Copenhagen. A new release had to be installed right around beer o'clock on a Friday, and of course it didn't work. Debugging and fixing other people's code has to be done right there and then, but I got it working. On the way out, the customer thanked me for getting things working and sent me home with 2 kg (about 4 lbs) of frozen shrimps "so I had something for dinner".

Pretty good shrimp, though.

Xen says new patch is 'simple and crude' and warns against using it

storner
FAIL

Bah!

Any admin worth his pay puts logfiles on a separate filesystem. Filling that should not cause a DoS of the whole system, only loss of logging (which may be unfortunate, but it will also point a thick finger at which of your VMs has been pwned).

TLS proxies: Insecure by design, say boffins

storner
Facepalm

Re: The only use for SSL/TLS inspection

"1) I can see what sensitive corporate data such as, I dunno, customer database Employee X has uploaded to their HotGmahoo! webmail account and sent to Competitor Y."

Sure, that's what Employee X would do. Copying it to a USB stick and bringing it home? Nah ... no way.

Ex-HP boss Carly Fiorina sacked one week into new job

storner
Flame

Re: Same old, same old

I think it was good ol' Winston who said: "You can always trust the Americans to do the right thing ... once they have tried all the other options".

Ad-blocker blocking websites face legal peril at hands of privacy bods

storner
Thumb Up

Re: Publishers could simply

Couldn't agree more. When I stumble across a site that seems interesting, I am quite willing to pay them for their efforts - but in return, I expect them to stop forcing ads down my pipe. Or at least give me the option to turn off the darned noise.

But expecting to get intelligent writings for free is naïve.

BOFH: Thermo-electric funeral

storner
Angel

Not just the Bosses that do this

Had a similar experience only a couple of weeks ago. A matchbox-sized, USB-connected *harddisk* sporting a full 2.2 GB, bought at the Copenhagen equivalent of Tesco's, went tits-up. Only one problem: It belonged to my SO, not the Boss ... so the usual BOFH remedies for "fixing" it could not be applied.

Thanks to Linux and ddrescue, I managed to salvage the important bits.

(Peltier elements?!? Nice ...)

Read America's insane draft crypto-borking law that no one's willing to admit they wrote

storner
FAIL

Well, what did you expect -

from the Senate INTELLIGENCE Committee.

Sheesh...

Oracle v Google: Big Red wants $9.3bn in Java copyright damages

storner
Flame

"Greed is good" ...

Larry and Gordon must be related.

Wait... who broke that? Things you need to do to make your world diagnosable

storner
Meh

Re: What about...

What about it? In the words of Mahatma Gandhi (when asked about western civilization): "I think it would be a good idea".

He wasn't impressed. Me neither.

Change management usually means that updates are slow to trickle out. Just ain't gonna fly these days with developer teams rolling out hourly software updates and managers screaming to get the hottest new whizbang thing on the production systems. So it gets overridden by some PHB ("it's just a small UI change!") and things break.

The article is about cleaning up when things go bad, not preventing them (save for the post-mortem analysis). For that it is a pretty nice list, although I think most experienced sysadmins could write it in about 10 minutes.

FreeBSD crushes system-crashing bug

storner
WTF?

Out-of-order execution perhaps?

a means for local unprivileged attackers to crash the system before executing arbitrary code

Methinks crashing the system would prevent any code - arbitrary or not - from running, no?

Google adds worldwide HTTPS info to transparency report

storner
Boffin

Re: date format?

You cannot. You must visit https://www.google.com/transparencyreport/https/ct/?hl=da#domain=www.abc.net.au&incl_exp=false&incl_sub=false to look up the details.

/me wonders why they haven't been replacing it yet ... 22nd March isn't too far away.

$17 smartwatch sends something to random Chinese IP address

storner
Boffin

Why not just geoblock anything in China? No big loss here.

No, HMG, bulk data surveillance is NOT inevitable

storner

"the Danes – well, they introduced something very similar to the Home Office’s proposed ICRs only to ditch it a few years later because it proved to be useless, and just meant their police force was drowning in data."

Unfortunately our dear politicians have learned nothing from their previous failure, so they are at it again: http://www.dr.dk/nyheder/politik/pind-om-internetovervaagning-ny-tid-kraever-nye-regler (in Danish, I'm afraid).

Let Europeans sue America for slurping their data – US Senate

storner
Big Brother

Re: Feed Our Lawyers

And under whose jurisdiction does this fall? If Europeans must file suit in an American court, presided over by American judges, interpreting an American law ... well, let's just say my expectations of a fair trial are pretty dim.

Ban internet anonymity – says US Homeland Security official

storner
Boffin

So? Make IPv6 mandatory!

Linode: Back at last after ten days of hell

storner
Boffin

Re: How much does it cost an attacker these days to launch a large-scale attack?

I'd recommend "PasswordAuthentication no" in sshd_config on ANY system, especially those that can be reached from the outside.

Add Google authenticator for 2FA if you are on the paranoid side (like me).
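The two recommendations storner makes in the sudo thread above (lock the password field in /etc/shadow, allow logins only via SSH keys) and here ("PasswordAuthentication no" in sshd_config) are easy to state and easy to get subtly wrong, because sshd keeps the first value of a keyword and a later Match block can turn password authentication back on for some users. The following audit script is an added example, not code from the original post or from any project: it parses a constructed sshd_config and a constructed /etc/shadow excerpt with those semantics and reports where a host deviates from the recommendations. Trailing-comment stripping is a simplification; the sample keeps comments on their own lines.

```python
import re

# Constructed sample inputs (not taken from any real host).
SSHD_SAMPLE = """\
# sshd_config sample (constructed)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# duplicate further down: sshd keeps the first value, so this one is ignored
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

SHADOW_SAMPLE = """\
root:!:18000:0:99999:7:::
alice:$6$examplesalt$examplehash:18000:0:99999:7:::
guest::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""


def audit_sshd_config(text):
    """Evaluate PasswordAuthentication the way sshd does: the first occurrence
    outside any Match block is the effective global value, later duplicates are
    ignored, and a setting inside a Match block applies only to that criteria.
    Returns the effective global value plus the Match criteria that re-enable
    password authentication."""
    effective = None
    overrides = []
    current_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value            # everything below is conditional
            continue
        if key != "passwordauthentication":
            continue
        if current_match is None:
            if effective is None:            # first occurrence wins
                effective = value.lower()
        elif value.lower() == "yes":
            overrides.append(current_match)
    # sshd's default when the keyword is absent is "yes"
    return {"password_auth": effective if effective is not None else "yes",
            "match_overrides": overrides}


def classify_shadow(text):
    """Map login name -> 'locked' (field starts with '!' or '*', no password
    login possible), 'empty' (no password at all), or 'hashed' (usable hash)."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw = line.split(":")[:2]
        if pw == "":
            result[name] = "empty"
        elif pw[0] in "!*":
            result[name] = "locked"
        else:
            result[name] = "hashed"
    return result


def audit(sshd_text, shadow_text):
    """Combine both checks into a list of findings; an empty list means the
    host matches the recommendations."""
    findings = []
    ssh = audit_sshd_config(sshd_text)
    if ssh["password_auth"] != "no":
        findings.append("sshd: PasswordAuthentication is not 'no'")
    for crit in ssh["match_overrides"]:
        findings.append(f"sshd: password auth re-enabled for 'Match {crit}'")
    for name, state in classify_shadow(shadow_text).items():
        if state == "empty":
            findings.append(f"shadow: {name} has an empty password field")
        elif state == "hashed":
            findings.append(f"shadow: {name} still has a usable password hash")
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_SAMPLE, SHADOW_SAMPLE):
        print(finding)
```

Run against real files with `audit(open("/etc/ssh/sshd_config").read(), open("/etc/shadow").read())` as root; the sample run flags the Match block for the backup user, alice's live hash, and the guest account whose empty field is worse than a weak password. The Match-block check is the part people miss: the global "no" reads fine on its own while one conditional line quietly undoes it.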

Penny wise and pound foolish: Server hoarders are energy wasters

storner

How about 30 cents/kWh

which is what us crazy Danes pay, because converting to "green energy" requires massive subsidies for putting up windmills.

The last post: Building your own mail server, part 1

storner

I'd recommend using a test domain first

Having mail thrown away by accident is really annoying, especially when you only have yourself to blame. So if you are new to this, get yourself a domain to play with, and set everything up the way it should be. And test it properly. Domain prices vary a lot between the TLDs, but the .info domains appear to be cheap at the moment (29 kroner = ~3£ for a year at my local dns shop).

Having done this for 20+ years, my experience is that you shouldn't try this on a home connection. Too much hassle with ISP filtering ports, home DSL IPs being blacklisted etc. etc. And if you end up providing mail service to friends&family (and believe me, it will happen ...) then your home server suddenly needs to be up and running 24/7 - including power and Internet connection.

Much easier with a VPS somewhere, and it is cheaper on the power bill.

My own setup is based on https://workaround.org/ispmail/ - it uses Postfix and Dovecot on Linux. Sendmail? No way I'm gonna do another sendmail.cf voodoo dance again. QMail? Been there, done that - for 10+ years, actually, but it is definitely showing its age now, getting it to do spam filtering and avoiding backscatter mails was just too big a hassle.


Biting the hand that feeds IT © 1998–2019