Posts by DougMac

44 posts • joined 16 Jul 2013

Solaris, Java have vulns that let users run riot

DougMac

> Hint - Android does not run Java.

Wha? Most Android Apps are written in Java, and the ADK has mostly Java interfaces, how does Android not run Java?

Perhaps you mean Java Applets, which have long been a dead thing?

1
0

BOFH: That's right. Turn it off. Turn it on

DougMac

Re: The power of suggestion

Heaven help you if you have to teach a user how to type a tilde ~

Nobody knows what that is, while - has some passing familiarity.

18
0

Azure blues: Active Directory Connect has password reset vuln

DougMac

Well, duh

> When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts.

Because how to prevent that is missing in the docs altogether.

Microsoft tends to document sparsely, and only "ideal" setups, without telling you generally how to get to that "ideal" state. So generally only the Windows admins that are super-well versed/trained in the Microsoft way do things the way the Microsoft devs assume the rest of the world does, leaving everybody else floundering around.

0
0

Yes, this is our third Cisco story of the day. It's about 23 bugs you need to fix, stat

DougMac

Re: Wait - what?!

>> "Showing 1 - 50 of 2331"

For some reason, only going back the last 20 years, guess the first 13 or so years don't count, but still.

The first 60 vulns listed were released this month alone.

There isn't anything compelling for me to run Cisco anything any longer, just seems like a big world of hurt for doing anything with them. (from somebody that has done Cisco since the days of the Gold and White boxes and them being cisco without the capital).

1
0

WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers

DougMac

Re: More to the point

Chinese is not a homogeneous single language. Different idioms, way of sentence structure (and not applicable here, but vocal patterns) and vocabulary differ highly from area to area, region to region.

(not even counting the dozens of different regional dialects).

Most of this is much more relevant to the spoken language, since the written is the same. Most likely what they analyzed given the areas noted is probably the writing looks like it was written by somebody that speaks Cantonese. Totally different language than Mandarin, but still uses the same written characters.

0
0

It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

DougMac

Re: So much for

And why does an eBook need to open a web page?

0
0

Apple squashes cert-handling bug affecting macOS and iOS

DougMac

Why won't Apple backport security?

And of course, no recourse for MacOS 10.11 users (assuming they are affected as well).

No security updates are dropped for 10.11.

And the bugs in 10.12 still prevent me from using my normal workflow.

Progress.

2
2

'Clearance sale' shows Apple's iPad is over. It's done

DougMac

Re: Chrome in US

No, Chromebooks are popular in the Education market because they are cheap, disposable terminals into Google Docs (and to a lesser extent the spreadsheet and presentation modules), and using them as a "computer" is never done.

You could replace 'chromebook' with anything that could get a web interface to Google Docs and the schools would be happy. Replace Google Docs with anything collaborative text editing and they'd be good, but nobody else has a realistic replacement. Maybe if Apple actually made firm their iCloud collaborative editing years ago instead of offering some different weak beta only to be ripped out and replaced every few years.

Unlike in the far past (i.e. when I was in school), "educational software" aka games that teach something are long gone and not used hardly at all in any curriculum for my kids. That seemed to be the main reason for the large banks of Apple II's in schools in the past, plus teaching programming and hardware hacking, etc. of years past don't seem to exist. I remember having classes on basic programming on Commodore and Apple II's in school, and interfaced hardware to science experiments, but my kids have none of those options. (One went to summer school to have a class on 'Sketch' but that is about the only offering).

My kids use the iPads in school mostly as a treat for downtime for the teacher. All the promised educational full-on multi-media immersive textbooks never materialized. Nor are there any good educational apps that augment what the teachers are looking for. There are plenty of web apps that do that job so much better. Which of course usually means Flash.

4
0

FreeNAS sheds storage skin, tries on sexier hyperconverged garb

DougMac

Re: In what way is this "hyperconverged"?

The Hype of Hyperconverged in the market today is that you do storage and virtualization at the same time on the same box so you don't have to buy storage and hypervisor separately.

Although for the life of me, I haven't still figured out why you'd really want to starve a storage system's resources by running a hypervisor on top of it. If you are SOHO, or really tiny SMB, I can see not having the resources to run a real proper setup and get away on the cheap, but even tiny enterprise or mid-sized and up SMB are going to want to do things a bit more properly.

Previous FreeNAS systems did jails, and let you run VirtualBox inside a jail, which worked fairly well, but bhyve is really more a full on type 2 hypervisor.

3
0

Google Cloud to offer support as a service: Is accidental IT provider the new Microsoft?

DougMac

Re: If only

That's a bargain compared to AWS.

To get the same response rate there, you need to spend the greater of $15,000 a month or 10% of your monthly AWS usage up to the $150k/month tier (then you start getting discounts) in order to get the Enterprise AWS Support plan.

2
1

Video intercom firm Doorbird wants $80 for device password resets

DougMac

Re: Somewhat different...

And my bank (although perhaps not all), would require me to go to a branch, talk to a branch manager, show my ID, prove who I am, in order to reset my PIN or online password.

They don't charge, but you can't just do it over the phone or email or twit or whatever.

2
0

You're Donald Trump's sysadmin. You've got data leaks coming out the *ss. What to do

DougMac

They have zero imagination. I think the only thing they can think of is what they already do. E.g. there must be voter fraud, because their own people are registered to vote in 3 states. They look for the apps that they themselves use.

Have they ever heard of actually talking on the phone? Speaking in code? USB sticks? (Snowden got all his info out on USB sticks), burner phones?

The movie 'No Way Out' seems apropos here. But maybe they should actually watch Mr. Robot to learn some basics.

2
0

Team Trump snubs Big Internet oligarchs

DougMac

Reaganomics, here we go again.

How much deeper can we go into debt as a country, while lining the pockets of the 1%?

And the populist crowds handed it all to the 1%.

10
3

Lenovo: If you value your server, block Microsoft's November security update

DougMac

Re: Go ahead

> I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?

How can we stop Linux from needing a reboot every two weeks due to kernel issues?

USN-3147-1: Linux kernel vulnerabilities - 30th November 2016

USN-3126-1: Linux kernel vulnerabilities - 11th November 2016

USN-3107-1: Linux kernel vulnerability - 19th October 2016

USN-3099-1: Linux kernel vulnerabilities - 11th October 2016

USN-3084-1: Linux kernel vulnerabilities - 19th September 2016

USN-3072-1: Linux kernel vulnerabilities - 29th August 2016

USN-3055-1: Linux kernel vulnerabilities - 10th August 2016

USN-3035-1: Linux kernel vulnerability - 14th July 2016

Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.

16
4

VMware flings vCenter Server away from Windows, if you want

DougMac

Re: Update Manager

Or do host updates from the command line. So much quicker and easier than running VUM.

1
0

Let's Encrypt ups rate limits

DougMac

certbot really is simple to make automatic updates.

2
0

Seagate defrags 14% of workforce: 6,500 axed

DougMac

Quality went to crap

It couldn't be because Seagate decided to cheap out on everything, and make crappy drives that have the highest failure rate in the industry by far, such that they are banned from my datacenter?

Storage vendors noticed too, all replacements I get in are *never* Seagate drives, replacing the failed Seagate disks by the dozens.

8
0

Tivo's new owner ponders binning its own boxes

DougMac

Re: As usual

You could look back to DirecTV's reboot of their TiVo box offering after they had dropped it for some time in lieu of their own boxes. The TiVo option was never advertised or pushed, the installer that came out was unfamiliar with it, I was the only one that insisted on getting one and he never had done any others.

The box itself was brand new, but yet ran the many-years-previous TiVo software, with all the interesting services (i.e. multi-room viewing) stripped out.

still-birth on delivery.

1
0

Hmmm, where should I dump those unencrypted password files? I know - OneDrive

DougMac

Re: BS!

Because some industries have regulations that require such things for servers and such, and the IT crowd likes it enough to extend it enterprise wide?

I've seen plenty of reports of scans of this nature.

1
0

VMware flushes Windows vSphere client and Adobe Flash

DougMac

Re: Hosts?

They already did a fling for an HTML 5 host interface for ESXi that is more functional than C# vSphere client direct to host ever was.

It already ships in ESXi 6.0U2 and most likely isn't leaving.

I think with its success and after finding how rapidly they can code with modern web setups instead of old legacy junk, they feel they can make the timetable countdown to VMworld work to ship a finished product (or at least announce and ship 60-90 days later, which has been their typical timetable the last 2-3 times).

2
1

Vivaldi Jon: Mobile – yes. Feeds and an ad blocker… probably not

DougMac

Re: Until they find a way to approve exceptions to cert errors

I've got plenty of internal appliances that wouldn't work with LetsEncrypt. They aren't going to handle internal only domains either?

But I'd agree with putting proper certs on, with an Enterprise CA, and pushing out your trusted roots properly.

Don't get in the habit of clicking through errors all the time, you'll miss the time when you really needed to pay attention to that bad one.

3
0

SSL's DROWN not as bad as Heartbleed, still a security ship wreck

DougMac

Re: Is TLS vulnerable or not?

>> Solution: don't enable SSLv2, OpenSSL is helping you with this by switching it off in a default build

DROWN is worse than that. Unless your software is specifically configured to block SSLv2 ciphers, a bug in OpenSRS (up until the versions released a few days ago) will let the client still select SSLv2 ciphers and commence the attack.

So, just disabling SSLv2 isn't good enough. Your software needs to be configured to specifically reject all SSLv2 ciphers as well. (or patched within the last few days).

0
0

D&D geeks were right – their old rule books ARE worth something now

DougMac

Re: You what??

Sort of like Audubon was a massive hunter as well? He hunted and killed all his own birds at first in order to paint them, but then had to hire hunters to go out and get him a whole new brace every time he started up.

"I call birds few when I shoot less than one hundred per day."

0
0

VMware, Xen issue urgent patches

DougMac

Re: as a happy vmware customer for 16 years

Although if you have windows vCenter, you already have Orchestrator pre-installed.

It just isn't enabled to run by default.

Imagine if it was though, and just because you didn't use it, doesn't mean it isn't there ready to cause a security problem.

0
0

Adobe: We locked our customers in the cloud and out poured money

DougMac

Helps the bottom line when they also take away all discounts

Prior to this year, it was fairly regular to have heavily discounted renew costs all the time.

This year they supposedly implemented a plan to never offer discounts again.

About that renewal you only paid half for last year. Yeah, it's full price this year. So sorry your budget is blown out of the water.

1
0

Free HTTPS certs for all – Let's Encrypt opens doors to world+dog

DougMac

It is possible to run Exchange with 4 separate certs, instead of one cert with 3 SANs. You just have to make sure to load all certs and assign each cert to its own proper function. So much more work, but should be scriptable in ps.

Although I don't know Let's Encrypt's schedule for a Windows client, I'm sure it is being worked on.

0
0

Rackspace looks to have bypassed vCloud Director upgrade

DougMac

VMware is purposely pushing partners away from vCD GUI.

VMware has publicly stated that vCD GUI is frozen and are well aware that it is barely functional.

Their main efforts with vCD is providing an API around the core functions of it, and all new features will be API only features.

They actively push partners to either write their own GUI around vCD APIs, or to AirVM or OnApp to provide a GUI.

VMware has no further interest in making vCD GUI work, as its biggest sin right now is a dependence on Flash & the deprecated NPAPI browser plugin framework. Since Chrome has disabled NPAPI in its current builds (but can be enabled to make vCD GUI work), but will be ripped out totally in the very near future, as well as Chrome will be making Flash a click-to-run feature, means vCD GUI won't be functional in Chrome at all without clicking to run, and even then you won't be able to upload/download OVAs or ISOs at all in any fashion without switching to a different browser (certainly not Edge either). I believe Firefox has NPAPI plugins disabled by default now too, although I don't know its schedule to fully rip out NPAPI at this time, so that is out as well.

0
0

VMware flings out preview of new web management interface

DougMac

No, doesn't work with ESXi free license.

Since everything VMware is API driven, when the APIs are turned off due to the license, those things won't work no matter what client pokes at them.

0
0
DougMac

FWIW: you can run vSphere Web Client 6.0 without NPAPI in Chrome, and use the HTML console to interact with the console screen. The big hangup is when you try to upload (or download) files into a datastore, where you'll find things won't work at all. They also have the VMRC console, but on the Mac at least, that is a bit rough, but a bit more functional than the HTML5 console in 6.0.

The most promising job for this fling is to control the host when vCenter is down (i.e. to bring vCenter back up if you don't have a totally separate management cluster) without having to fall back to the vSphere Thick Client. It is also light weight, only 2M! Quite a different direction than the VMware Host Client that only existed in the first 6.0 Beta.

I think it is also a proof of concept that they don't need to use Flash and NPAPI to get the job done, hopefully pushing the vSphere Web Client team that direction before it's too late and Flash and NPAPI are both banished from all browsers.

0
0

Why are there so many Windows Server 2003 stragglers?

DougMac

early ASP vastly different now

The main 2003 boxes we still run are because customers can't/won't upgrade their ancient ASP websites that depend on things that either no longer exist, or can't run on newer OS's.

They already know they are being cast to the wind to be hacked/folded and mutilated when 2003 comes end-of-maintenance, but many choose not to care.

Perhaps if Microsoft made an actual upgrade path instead of just putting the latest shiny out, and expect all their developers to jump to the new shiny and recode everything in the process, things could have been migrated and workable. But Microsoft has no care or desire to admit to past mistakes, it just gets swept under the carpet and leaves behind a certain set of apps/users that don't retool every two years per Microsoft's schedule.

1
0

MS Azure Stack. It's like Azure Pack but with even more cloudiness

DougMac

Although Hyper-V Server comes with no Virtualization License rights, so it's only really useful if you want to virtualize an open-source OS, as otherwise you'd have to license every copy of Windows you'd virtualize on it, and Microsoft doesn't make it easy or cheap to license individual OSEs on a cluster. OTOH, DataCenter comes with unlimited Virtualization License rights, but costs quite a bit more, but if you do any significant Windows virtualization, it really becomes cost effective quite quickly.

2
0

4K refresh sees Blu-ray climb to 100GB, again

DougMac

Why?

Why have a nicely formatted paper book? Just a loose collection of dirty photocopy will do.

Why the expensive booze? This knock off brand is good enough.

19
0

Man trousers $15,000 domain name for $10.99 amid registry cockup

DougMac

Market value for domain

So what would the market value for a fluffed up useless new gTLD domain be?

$10?

One of the many 10000's of new domains people are hoping are worth more than pocket change in a year.

2
0

Cisco patches three-year-old remote code-execution hole

DougMac

Re: Encrypted Telnet?

Since about the year 2000, with RFC 2946.

*BSD are mainly the only ones that implemented it.

0
0

vSphere meets iCylinder in new VMware update

DougMac

Re: you can only virtualise OS X on Mac hardware

No trick required, this is a fully supported configuration.

Although Apple's bizarre licensing also says you can only run two virtualized instances of OS X on said hardware as well, which makes the MacPro a real expensive platform to virtualize if one would be following such licensing restrictions.

0
0

Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7

DougMac

Oracle just made sure to sift out anybody that wasn't willing to pay them billions and billions of $$.

Those that are still *heavily* invested in Solaris are still going strong on SPARC/Solaris, they just weeded out the small to mid-sized shops that weren't the kind to give Oracle billions of $$.

1
0

It's time for PGP to die, says ... no, not the NSA – a US crypto prof

DougMac

It isn't PGP that sucks.

But key management sucks.

Normal users totally don't get it, don't want to know, and don't want to think about it.

Unfortunately, they need to know and think about key management to make it work effectively.

The actual mechanics of PGP/GPG in email client integration is fairly simple, but man, having users type a passphrase, or making sure they are using the right key is a total nightmare.

0
0

Help. Mailing blacklists...

DougMac

Fixes

As others have said.

Absolute first step is to make sure it isn't happening still.

Almost *all* current used blacklists are age based, and older entries expire out over time.

If you keep leaking SPAM, you keep getting listed.

Second, as I said, almost all blacklists are age based, and you may just have to wait it out. I.e. Comcast, Yahoo run their own private ones that just take time to age out. Many of the large ones have a try-to-get-out-of-jail page, but it doesn't do much. Timing out is most likely the answer.

Besides Spamhaus (which takes an extraordinary level of SPAM and non-response to get on), most "public" RBL lists aren't used all that widely. Most of the large email providers run their own private ones based on rate of sending of the server, and repudiation, and age out older entries.

That said, you could try to make sure you aren't listed on the remaining few public ones that might actually get use. I.e.

http://mxtoolbox.com/blacklists.aspx

lets you check many at once. About the only ones left on this list I see in use are UCEPROTECT and Barracuda.

But, almost anybody that is interesting you want to send to runs their own private ones, and really, you may just have to wait for your bad entries to age out, and go on.

As you said, you'll want to implement your own rate limiting for sending (can't help you with that setup), although some of the large providers do have excellent heuristics and will be able to clamp down on your server with just a few hundred of SPAM leaking. If you run a mail server, you probably need to have monitoring and alerting enabled for any events outside of normal, so you can catch things as quickly as possible, so you can start the age-out timing process the quickest.

0
0

Target finally implements chip and PIN card protections

DougMac

Re: On another note...

Visa & MC have an October 2015 deadline to offer one form of the EMV cards anyway, so it isn't like this is a huge initiative from Target, they'd have had to do it anyway.

Although initially the chip & sign form is what is set to happen in the US, this breach and others have people asking more about chip & PIN EMV more often now.

0
0

VMware 5.5: Plenty that's new and exciting... but what about the obvious stuff?

DougMac

Not that I work for VMware

But I am heavily invested in it for work. There seem to be several inaccuracies.

RE: making up mind about web client.

The web client is a progression. It is a huge improvement over earlier web clients, and the products you cite (SRM & VUM) haven't had any updates yet to take advantage of the web client. There are alternatives to VUM that are much easier for the core functionality now (CLI esxi depot actions). They are working on getting everything working with the web client, but it takes time. There are so many 3rd party plugins that need to update as well.

RE: Mac client not working.

We are a pure Mac shop, and welcomed the web client working very well on Mac. We have no problems running the web client on Mac with full console on all products.

Needing the heavy client for individual machine interaction is required, but generally this is an extreme debugging situation, not required for any normal work flow?

RE: vCD

vCD has a huge learning curve, but then again, so does AWS. It has gotten a lot better in 5.5 vs. earlier versions. I'm not sure of the struggles with vClient vs. vCD. Once you launch things in vCD the vCenter client will tell you not to mess with those items that vCD is managing, so you would have had to press on ignoring the warnings to not mess with things and done so to make vCD angry about something. That said, you can do many normal operations to vCD objects in vCenter, I've never actually reached a state of vCD being angry about anything I did to its objects in vCenter???

That includes migrations, pushing in ISOs, etc. But, not messing with memory/cpu/disk/networks.

That is what vCD wants to manage, and all management should be done in vCD for those.

It seems integrated quite nicely to me, and vCenter will tell you not to mess where you shouldn't be.

There is a vCD appliance as well (for trials, not production class certified).

There are also puzzling remarks that makes me wonder how much experience your reviewer has.

Addition of native Active Directory.

Since vCenter was on Windows before, it had full Active Directory? This only relates to the vCenter appliance, and the first release version could do Active Directory via LDAP, while 5.5 added native AD. So you are talking about one product, one version that had to resort to LDAP.

Support for 62TB VMDKs.

I guess I don't see the need for this in regular enterprise work, anything larger than 2TB would have been a LUN off your enterprise storage anyway?

Hot-plug support for PCIe SSD devices.

How often does your reviewer hot-add storage into PCIe cards? Seems like a very rare feature to me, I'm not sure in what circumstances I'd even be hot-adding SSD modules into a PCIe card.

Yes, VMware sales and licensing have their issues, but overall, they are moving in the right direction, and progressively fixing many of the past transgressions.

5
1

VMware patches man-in-the-middle vSphere vuln

DougMac

Re: dear vmware

This can be done.

The latest code is a bit convoluted, so they released a tool to help you do it.

There is a blogger that also has done up a tool chain and his own detailed instructions for the last two versions.

Although I'm beginning to feel that just throwing it all behind a load balancer with SSL offload will be 100 times easier.

0
0

WHEW! OpenBSD won't CloseBSD (for now) after $100,000 cash windfall

DougMac

Re: Other possibilities for support

If you look at the picture of their build racks, almost all of the boxes there are not PCs, they build for many architectures...

alpha

amd64/i386

arm

HPPA

88k

PowerPC(Mac)

various 68k machines

sparc

sparc64

vax

etc. etc.

I'd imagine running all of that old crud at once is what their main crisis is.

3
1

Give them a cold trouser blast and data centre bosses WILL dial up the juice

DougMac

Working as part of Data Center design..

Getting more power in usually isn't too bad cost wise.

But as to the 2nd half of the equation, redoing the cooling system beyond what load it is designed for can have astronomical costs. You can't just go stick more cooling units willy-nilly in. They take up lots of space that probably already have racks and servers in them. Assuming raised floor, underneath it is probably zoned already, and that would have to be all redone, and that glycol piping is messy to install, right above all the existing servers?

Essentially redoing cooling means rebuilding the data center from scratch.

Most of what people are bringing up are ways to more effectively use the cooling that is there, but ultimately you are stuck with xxx tons of cooling of the design, which can cool only yyy of MW of power.

0
0

How the clammy claws of Novell NetWare were torn from today's networks

DougMac

Exactly, the lack of forced licensing is the only reason Microsoft took off as the server OS.

Netware forced per-client licenses, if you ran out, you had to jump through hoops and negotiate new licenses, and customers *hated* doing this. They all figured that once they owned it, they never had to pay again (at least that was what 100% of my customer base thought).

Windows NT server didn't enforce their CALs, and back then, I didn't have a single customer who was actually correct on the number of CAL counts for their workstations. Customers loved just being able to hook in a new workstation and not have to license it or think about licensing, as it wasn't enforced.

When Netware 4.x came out, it was so buggy and unusable, almost everybody stuck with v3.12 until NT was stable enough. It was more the bugs in Netware 4.x that really missed the mark, but the per license cost is what did it in.

There were several other workgroup filer solutions based on Unix (i.e. pre-Linux). They worked very well, but again were generally licensed per workstation connecting to them, and the companies had to buy things like PC-NFS client software for their Windows workstations. So they were too pricey for most of my customers as well.

3
1


Biting the hand that feeds IT © 1998–2017