Re: Yes, sadly
V3 if you must....
50 posts • joined 10 Aug 2011
/muttersdarkly about stupid dyslexiz.
Ty for catch
Look up "impi" for related server carnage.
Lots of work already done on this general topic.
Various KEYWORDs and info about capabilities publicly available too.
TL;DR the rabbit hole is very deep and it's going to be a problem for a long time.
See Atwood's law.
Worked on this threat a few years back.
If you've got Cisco switches and don't use AMT it's pretty easy to defend against the "off box" vector (and other similar nasties) by using a VACL.
That way traffic is blocked before it can traverse to another port in the same VLAN. Applying a regular router/firewall packet filter ACL won't prevent an attacker pivoting through a compromised host on your LAN (hint look at your edge devices too;).
On the other hand switch based VACLs will drop attack traffic in hardware (no performance impact).
For all the head in the sand folks - how secure are your printers, edge devices (cheesy botnet infected junk?) and security cameras? Are you sure you know EVERY device on EVERY port at ALL times?
Hopefully this gets more publicised and the PHBs start to realize that checking off "PCs have all OS patches" and "Firewalls are audited" hasn't been a comprehensive security strategy for decades.
...great support too.
Bad news is it gets "speedy" past the lower tiers.
Worth a look though, nice management/performance for smb / home lab.
Hope they survive.
Just remember folks, Time = Money
Defraud a bank and you go to jail.
A bank defrauds you and the execs get bonuses.
Props to the team that wrote it.*
It's far from perfect, but it's a solid start.
If you haven't, it's worth a read.
*Clearly not POTUS or TheFormerMayorOfNYC!
I'd say they're pretty honest by industry standards!
Before the downvotes...
They even have a couple of RFCs transparently explaining their NetOps.
"ProActive Web Notification"
Remember my dad reminiscing about El Reg's other favorite "slow" naval aircraft - The Swordfish.
IIRC it did far better in ACTUAL combat Vs much faster and technically "Better" enemy aircraft in WWII. Something to do with the "bad guys" leading their targets too much as they were trained against "faster and better" aircraft.
Obsolete tech aside - something to be said for a Crack'ling rush vs far fewer, more capable, but more costly units.*
*StarCraft reference for those who haven't experienced the damage this kind of assault can deliver.
In transit and at rest.
The contents are reachable via RH Decryption. :-(
Hazard a guess?
Hint - A public post is not private, and there's a thing called inductive argument..
I'm NOt the OP ;-)
Paraphrasing - "Seldom reason to suspect a conspiracy if incompetence will produce the same result".
Blocking entry out of fear of a forged passport is one thing - blocking lawful permanent residents from returning home to the USA calls into question how good the (already very stringent) green card process is. Purely a Fed problem (if it exists).
1oz of prevention > 1lb of cure.
Testing [RECOVERY] in production is like parachuting without a safety chute...
...if things go truly pear shaped you're only gonna do it once.
This little guy will suffice as the adult in the room. ;-)
"Mountain Gravity waves"?
Surely you're not asking if James Cameron's groundbreaking creative vision and nuanced story telling was actually a documentary?
Jokes aside - WTF? Something very odd going on here.
Alert Dan Dare!
*No hook here, but trolls like phish too. Caveat Emptor!
Getting slightly off original topic, but steering to an IT angle...
In Connecticut there's a similar law for cars (owned or leased - doesn't matter) - amount is payable to the city they're registered in. Don't pay, your registration gets suspended & driving it becomes a criminal matter.
They take it further for businesses: - ANNUAL property Tax is due on all the IT Assets / Office Equipment owned (or leased from a 3rd party).
1) Buy with cash / finance purchase with interest or lease expensive Gear & pay sales tax on it at time of purchase.
2) Depreciate value of said gear over 5 or 7 years (Typically).
3) Each year a % of the residual (undepreciated) amount is owed to state coffers.
If you're leasing the gear, YOU are responsible for the Property Tax (even though you don't own it)
Makes VAT (almost) seem reasonable.
TL;DR If possible, avoid building DataCenters or Trading Floors here unless you can negotiate tax breaks from the State Government prior to moving in and then threaten to take your toys (and jobs) to NY/NJ unless those breaks are renewed after expiry.
Unless you're Royal Bank of Scotland building a GLOBAL HQ in Stamford CT (UK Gov bailout stopped moving HQ, but the building went up) or UBS building what was once the world's largest trading floor (now mostly empty) the only option is to accept ever increasing tax rates to fund the big guys' sweetheart deals or GTFO and setup shop elsewhere.
Shurley that should be SEMANTIC...
...Coat, I'll get it. :-)
Queen or Twisted Sister?*
* /me dusts off VHS copy of "Iron Eagle"
Paranoia <= Practical Defense...
1) Open sketchy link in a disposable Sandbox VM
2) Open sketchy link on iPhone/iPad (That is then promptly restored from a backup if you're up to "TinFoil headware is actually not a bad idea" level of paranoia)
3) Point VirusTotal (https://www.virustotal.com) at the URL
4) Go full crazy and click the link trusting that RegCommentards may have some level of decency / accountability should "A bad thing" (tm) happen...
I'll get me coat...
Respect - you are sorely missed.
Eliza is smarter than your average starlet...
Blue sky & no cloud!
- Xposted from other thread
^... SHOULD read RFC2549 ("IP over Avian Carriers with Quality of Service").
"Unintentional encapsulation in hawks has been known to occur, with decapsulation being messy and the packets mangled."
More pigeon carnage here: - https://tools.ietf.org/html/rfc2549
Blue sky & no cloud!
...because the business risk to the vendors is currently near zero and margins are paper thin.
Until the Status Quo changes tune, it falls to those in a position to mitigate vendor shortsightedness to take action.
For a concrete example of how ISP port blocking can turn a potentially deadly vendor screwup into a non-issue see Chris Miller's Defcon presentation on Chrysler Jeep hacking. Scary stuff with jaw-dropping incompetence on Chrysler's part making the PoC possible.
The obvious downsides to a strategy where ISPs take proactive defensive measures are:
1) Collectively rewarding the incompetence of said Vendors.
2) Creating hoops for competent users to jump through.
Given the circumstances it feels like this is an acceptable compromise, given the damage that vendor negligence can, and does, cause.
I for one welcome our robot overlords (aka "auto-correct").
All jokes about draconian ISP policies aside, "Subjects" in post above should read "SUBNET"s.
More than a few US ISPs catering to home users have T&Cs prohibiting them from "Hosting servers". They then filter traffic headed to their user subjects on mail, ftp and webserver ports along with outbound smtp traffic to off-net IPs.
If you buy "Business class" service from the same ISPs you get the same service as a home user with a 20-30% price hike plus the ability to host servers/send smtp mail anywhere. However, "business" users must request the port filters be removed and accept responsibility for server traffic.
Removing the filters takes about 5 minutes.
Practical upshot is this provides little impediment to responsible users and saves the rest of the world from millions of spam messages being sent by clueless users.
A decent step in the right direction would be for those ISPs to block telnet traffic by default too...
Please do! Likewise here if anything is seen.
Anyone else feeling like chipping in too would be appreciated.
Spirit of cooperation in a comment thread? Here's hoping.
It's not that hard... See above + a working knowledge of "Old News" about capability ;-)
Ask them about the firmware and ask them to block the domains and IPs involved.
As an individual you likely won't get far, but if you run an enterprise account (Pretty sure more than one El Reg Comments reader does!) you might get some traction if more than a couple of folks make noise.
While we're at it, put 127.0.0.1 entries for the bogus domains and null route the parent IP ranges at the edge of the corporate network.
Sure, the above is not going to be close to 100% effective, but worth the effort to reduce the attack surface here.
...doesn't sanitize inputs, isn't (somewhat) liberal in what is accepted and conservative in what is sent?!
Wow, how did I miss RFC1926? - it's a corker! Upvoted ;-)
Isn't it ironic (Don'tcha think?) - RFC1926 comes right after RFC1925...
For those reading this with a frown and a healthy dose of "WTF they talking about?"
RFC1925 is the first of the "Desert Island RFCs" ("DIR"). It SHOULD be mandatory reading for everyone working in technology & failure to grok it is a common problem of startups...
Click bait (Fair warning - the rabbit hole is deep!) https://tools.ietf.org/html/rfc1925
Of course, the second DIR MUST be RFC1149 ;-)
Akin to Rule34, and verifying RFC1925, OP linked RFC1926. Nicely done sir!
WRB - IOOF
Rack & connect the new gear? If you buy the premium support they'll even copy config if needs be...
Usually cheaper to have next day coverage, build a design that can survive for 24 hours with a box failure and have a support contract with a local tech firm to handle remote hands.
That's the thing about the ISR G3s (The 42xx/43xx boxen), the licenses look really expensive until you realize they're only moderately spendy because the limits are for throughput WITH ALL FEATURES ACTIVE.
The cool thing about these is the integration with APIC-EM - No console cables required.
Type 3 ICMP messages indicate a problem in the Forwarding Plane, and require a "Punt" up the stack to the device's processor to enable it to work out what to do as a result of the message.
RFC792 (From September 1981) covers ICMP in gory detail...
The challenge is when the RFC was written, NAT was barely a concept - much less a multi-billion dollar "Firewall Industry".
Generally, blocking all ICMP frequently causes more problems than it solves. Not least, OSI networks (e.g. The Interwebz) rely on RFC conformance to operate "Correctly", so a more granular approach to risk is usually preferred.
The classic problem of path MTU was covered in the article, and crops up frequently when ICMP Type 3, Code 4 messages ("fragmentation needed and DF set") are dropped silently by an intermediate device. DON'T do this unless you REALLY know why you're doing it. Your users will thank you.
Networking is complex to do correctly, but it's essentially a collection of interacting logic puzzles.
A cool sounding name doesn't make this sexy & don't expect huge vendor responses to something "Working as Intended". Mitigation here is a situation specific configuration issue.
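To make the path MTU point above concrete, here is an added example (not code from the commenter or from any vendor) that builds and decodes the ICMP Type 3, Code 4 message an intermediate router sends when it drops an oversized DF packet, and shows what a PMTUD-capable sender does with the next-hop MTU it carries (RFC 792 framing, RFC 1191 MTU field and plateau table). All addresses and sizes are constructed sample values; if a middlebox silently drops this message, the `pmtu_after_message` step never runs and the sender keeps emitting packets that cannot get through.

```python
"""Build and decode ICMP "fragmentation needed and DF set" (Type 3, Code 4)
messages, the signal Path MTU Discovery (RFC 1191) depends on."""
import socket
import struct

ICMP_DEST_UNREACH = 3        # RFC 792 Destination Unreachable
ICMP_FRAG_NEEDED = 4         # code 4: fragmentation needed and DF set
IP_DF = 0x4000               # Don't Fragment flag in the IPv4 flags/offset word

# RFC 1191 section 7.1 plateau table, used when a legacy router reports MTU 0
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, df: bool = True,
                      proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) for the dropped datagram."""
    flags_frag = IP_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_frag_needed(next_hop_mtu: int, dropped_datagram: bytes) -> bytes:
    """What a router emits after dropping a DF datagram larger than the
    next-hop MTU: 8-byte ICMP header (MTU in the low 16 bits of the RFC 792
    'unused' word, per RFC 1191) + original IP header + first 8 payload bytes."""
    quoted = dropped_datagram[:28]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + quoted)
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu)
    return hdr + quoted


def parse_icmp_unreachable(msg: bytes) -> dict:
    """Decode a Destination Unreachable message and the datagram it quotes."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if inet_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % typ)
    inner = msg[8:]
    if len(inner) < 20:
        raise ValueError("quoted IP header truncated")
    total_len, flags_frag = struct.unpack("!HH", inner[2:4] + inner[6:8])
    return {
        "code": code,
        "next_hop_mtu": mtu if code == ICMP_FRAG_NEEDED else None,
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_len": total_len,
        "orig_df": bool(flags_frag & IP_DF),
        "orig_proto": inner[9],
    }


def pmtu_after_message(current_pmtu: int, info: dict) -> int:
    """Sender-side PMTUD reaction: drop the path MTU to the reported next-hop
    MTU, or, for a router that reports 0, to the next plateau below the size
    of the packet that was dropped (RFC 1191)."""
    if info["code"] != ICMP_FRAG_NEEDED:
        return current_pmtu
    mtu = info["next_hop_mtu"]
    if not mtu:
        mtu = next(p for p in PLATEAUS if p < info["orig_len"])
    return min(current_pmtu, mtu)


def sample_datagram() -> bytes:
    # Constructed example: a 1500-byte TCP segment with DF set, ports 8080 -> 80.
    # Only the first 28 bytes matter for the ICMP quote.
    return (build_ipv4_header("192.0.2.10", "198.51.100.20", 1500)
            + b"\x1f\x90\x00\x50" + b"\x00" * 4)


def demo() -> dict:
    """A modern router reporting a 1400-byte tunnel MTU, and a legacy one reporting 0."""
    dg = sample_datagram()
    modern = parse_icmp_unreachable(build_frag_needed(1400, dg))
    legacy = parse_icmp_unreachable(build_frag_needed(0, dg))
    return {"modern_pmtu": pmtu_after_message(1500, modern),
            "legacy_pmtu": pmtu_after_message(1500, legacy),
            "orig_dst": modern["orig_dst"]}


if __name__ == "__main__":
    print(demo())
```

Running it stand-alone prints the sender's reduced path MTU for both router types (1400 for the modern one, 1492 from the plateau table for the legacy one); the checksum check in `parse_icmp_unreachable` is the same verification a host stack performs before acting on the message.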
Arguably one of the most insightful software patent posts ever.
Although it certainly looks like an insane amount of money to someone used to bashing together a PC from a box of parts.
On the other hand if you're a Pro who makes a living out of your Tools it's a much better option than an $8K PCIe card with 1/10 the power.
Anyone want to take a bet that if Steve's favorite line of "one More thing" gets used today we'll finally see some new MacPros announced today?
If not they have to be soon, but will be A LOT more than $4k when fully specced.
One of the better kept open secrets of open source virtualization is XCP, and its new sibling Project Chronos (a full port available for Debian/Ubuntu using apt-get). Both are essentially FOSS versions of the $pendy Citrix XenServer (Talking Enterprise/Platinum editions, not the freebie base edition.)
One of the cooler new features is a hybrid Storage Model, enabling a pool of servers to access shared storage, but have each host automatically replicate the virtual disks to local storage as they are accessed. The net result is local disk performance after the initial read from the remote SR.
Doubly cool if the local storage is SSD. :)
That patent's pointless...
Ignoring it being 5-15c to send a 163 byte "Packet" for many users ( may explain AT&T's mobile broadband pricing!)...
1) use UDP
2) use GRE to encapsulate "Traffic Contained Protocols"
3) use whatever error handling the "Traffic Contained Protocols" has built in to request retransmits and deal with the inevitable out of order packets that will be involved.
Marketing spin doesn't constitute smackdown.
Truth is, despite the expense, CIO/CTOs love EMC because they know their jobs are safe buying storage from them. EMC gear breaks just like everyone else's, but the quality of their support and post install team is rivaled only by their sales team.
If you're building datacenters for Bulge bracket banks or the Government there's only 2 players in the game - and HP are struggling. At that level Nextenta are not even close for contention. It's not just about price, it's about knowing you've got a solid solution. Speaking of which I admire EMC's restraint for not lobbing the obvious brick back at Nextenta - so tell me about the impact of the Oracle acquisition on the longevity of your core OS and plans to shift away deo
At smaller sites the likes of Nextenta and my personal favorite QuantaStor (If you've never heard of them they're REALLY worth a look) come into play.
Speaking of QuantaStor, they behave very much like a tiny EMC in terms of customer service and support. Their features are great and their pricing is good, and they know who their customers are and what they need.
Nextenta are using tennis balls to take on an armored division. Poor choice of strategy, even though they're using some sporty tennis balls!
Something I've been doing for years, and now the triple play CableCOs here in the USA have started to do too is use video overlay like this to flash up caller ID when the phone rings.
Works great, no need to interrupt the movie and go get the phone if it's a Telemarketer. Works even better if you mute the ringer before you sit down. Now all you have is a couple of seconds of a name & number at the bottom of the screen.
The bugger is you need to be watching content from the STB. If you're watching a BluRay you're screwed. This device opens the door around that.
My dodge is everything goes through my HTPC, so I can overlay anything I like on the TV (Monitor really) before it gets onto the HDMI cable. Chumby makes the same thing practical for "The Consumer".
The only people who may have a case against it are Intel as they are picky about getting licencing fees for HDMI. That doesn't sound insurmountable.
Finally the NY Hall of Science is down the road from me, think I might go to the "Maker's Fair" sounds fun. Particularly if I wear my "I void Warranties" T-Shirt...
This brings back memories, awesome game and truly addictive.
Having played for hours every day over a couple of months (Uni Student + summer break + no commitments = bliss), I reached the point where I was struggling to find a way to improve my best score.
Then it happened... Got into a fight with the (soon-to-be-ex) girlfriend, and next game went on a global rampage that would have made the real Mr Khan giggle like a schoolgirl. When I'd wiped out the last competing nation the game ended and I had beaten my previous high score by a factor of 5, and the game only lasted 2-3 hours.
Once the penny dropped that the utopian dream Sid Meier was pushing didn't jive with the rewards of being a brutal dictator I got bored pretty quickly.
Was fun until then!
Which is "interesting" given what its core is capable of.
At first glance it looks like yet another media center app, and a somewhat clunky ui.
Under the covers it's very nifty and flexible.
Think of it as all the best bits of XBMC (sage's default Ui is based on an xbmc theme, has the library functions, and very similar approach overall), MythTV (many front ends hanging from a backend), TiVO (intelligent recording / predictive recording if disk is free and nothing is explicitly scheduled), recording HDTV and streaming it to "clients" (1080i/720p), Place Shifting (thin clients on mobile devices to your own private system), and a whole bunch more.
sageTV is also very DVB friendly and multi lingual support is excellent thanks to a strong following outside US borders.
No idea wtf The Cf is planning on doing with it though as it's not very "Cloudy"
Vengeance may sound good but only makes matters worse. The core problems are a lack of employment and respect for how cushy life in the UK is. No matter how squalid and impoverished. A more creative approach would be sentencing rioting looters to MANDATORY employment. Community service with a twist- a few months / years helping to rebuild <insert name of country> after a recent war and atrocities (or natural disaster) will provide material overseas aid, and teach the lesson that helping others in greater need than yourself is better than mindless violence fueled by materialistic greed. Maybe a few would apply those lessons when they come home and contribute to society. Finally, it would make one hell of a deterrent with a low number of reoffenders... Free suntan or not.
Biting the hand that feeds IT © 1998–2017