Posts by DougMac

71 posts • joined 16 Jul 2013


PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional

DougMac

Re: TLS 1.1 is fine for PCI ?

Correct, TLS v1.1 is fine, but generally in practice, TLS 1.0 marks the dividing point between "legacy old systems" and stuff that supports it all.

If you can do TLS v1.1, generally you can do TLS v1.2, and you may as well get on that wagon while you are reconfiguring.

0
0

IPv6 growth is slowing and no one knows why. Let's see if El Reg can address what's going on

DougMac

> Personally I don't know whether this is a thing or not, but I've been hearing rumours about carrier-grade NAT and how it's going to be widely used by ISPs in the near future.

CGNAT is widely deployed, and customers typically have no clue it is in use, until of course things break and nobody can figure out what is going on. Every tech I've met has no idea why customer one has "public IP" 100.64.1.5 while customer two also has "public IP" 100.64.1.5, even though they live in different states, because they get allocated IPs out of RFC6598 space.

Of course I get brought in when everything is fubar. The ISPs doing CGNAT are doing heavy rate limiting to make sure their CGNAT gateways aren't overloaded, and doing dirty tricks like redirecting all speed test sites internal so they look like they have great speed, until of course you have to transit outside of their network and find that you have almost no bandwidth besides the tricked out ports the carriers play around with.

But IPv4 is "good enough", except when it isn't. IPv4 won't die until it is too painful to use. Too many techs are blind to the world outside what they know.

14
0

VMware to finally deliver full-function HTML5 vSphere client

DougMac

Re: Flash... ah!

> Now if they wouldn't mind taking the moron who made the decision to implement their last stab at the web client using Flash outside and summarily execute them for gross stupidity (followed by a fair trial).

At the time, Flash was very embedded and a safe choice with the only other choice being Java in the browser.

Java applets disappeared so much quicker than Flash has, so it was a better choice in hindsight.

The main choice was if they did a web based solution (to get more than just Windows management) or stick with heavy clients needing to be installed. Flash or Java were the only technologies that could have done what they needed to at the time.

4
1

Single single-sign-on SNAFU threatens three Cisco products

DougMac

Re: Is it me...

Nothing new there, although it does seem to have accelerated some since the classic days.

0
0

OK, this time it's for real: The last available IPv4 address block has gone

DougMac

About the only one that hasn't figured out IPv6 are enterprise & SMB

The carriers have it all down pat, and 65-85% of residential users and wireless users are using IPv6 natively already. Mostly because the CPE can be remotely configured by the carriers to handle what they need.

But when techs have to go configure SMB firewall, they won't bother to learn how to do IPv6, and they only configure the IPv4 side (if their gear even supports dual stack).

Meanwhile, the residential and wireless users are driving most of the content so the content providers provide big fat pipes that can handle their needs.

4
12
DougMac

Re: Time to claw some back

> There are probably large blocks of unused IPv4 addresses out there, if only the IANA would get off it's bottom and reclaim them.

Nope, been already done. They got some /8's back, and reallocated them years ago.

The only "large companies" left are Apple, HPE & Ford and a couple others. If you go down the IANA list, almost everything is allocated to huge Tier1 carriers directly, or to a regional IRR.

15
1

Stanford brainiacs say they can predict Reddit raids

DougMac

Wow, they could have just dug up behavioral studies of 2nd graders on the playground and be done and complete.

6
0

Rant launches Eric Raymond's next project: open-source the UPS

DougMac

>> It has been my impression that UPS's fail to "off"

The problem I've encountered is that for most of the small-ish UPSs, when the batteries go past their useful life, the UPS starts cycling the power, even if the wall power has been steady on. APC is particularly nasty about this for certain models.

Battery past useful life is almost always only a light on the front, I can't tell you the last time I've looked at the front of my home UPS.

>> Why not allow us to rig ubiquitous car batteries..

It was covered later to be mostly size. Your UPS would be quite large and heavy. As it is, most small-ish UPSs now use motorcycle/lawn mower Lead-Acid batteries. So, same technology, just smaller package. Less capacity.

The UPSs I'm mainly interested in though have their own rooms. : - )

And they do typically use deep-cycle marine batteries. Just lots and lots of them.

5
1

DVLA denies driving licence processing site is a security 'car crash'

DougMac

Re: Certificate chain

"If there's a problem with the certificate chain how come only Firefox is complaining about it and not all browsers?"

Because every browser is different. Even different Chromium based browsers are different than Chrome itself.

Firefox is a very different beast from Chrome or Safari. Firefox complains more about things like broken certificate chains than Chrome does. Chrome complains about different things, like requiring SAN entries instead of depending on cn= in the X.509 cert.

Thus if you run a web app, best to check it in all the major browsers.

7
0
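The SAN-versus-CN point in the post above is the one that trips up internal and government portals most often: a certificate that only carries a commonName still validates in some older clients but is rejected by Chrome (since version 58) and other modern browsers, which consult subjectAltName only. The following is an added example, not code from the article or from the poster, showing both behaviours side by side. The certificate dicts are constructed to mirror the shape Python's ssl.SSLSocket.getpeercert() returns; no real certificates or hostnames are involved.

```python
"""Hostname check the way modern browsers do it: subjectAltName only.

Added example, not code from the article or the poster. The certificate
dicts below are constructed to mirror the shape returned by Python's
ssl.SSLSocket.getpeercert(); no real certificates are involved.
"""


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName entry against a hostname.

    A wildcard is honoured only as the whole left-most label ("*.example.com"),
    it matches exactly one label, and it never matches the bare parent.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """Return True if `hostname` is covered by the certificate.

    Strict mode (default) consults only subjectAltName dNSName entries, which is
    what Chrome has done since 58. With allow_cn_fallback=True the subject CN is
    used when, and only when, the cert carries no SAN at all, which is the older
    behaviour some clients still implement.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, hostname) for name in dns_names)
    if san:  # SAN present but holds no DNS entries: CN must not be consulted
        return False
    if not allow_cn_fallback:
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


# Constructed certificate dicts (hypothetical names, not real certs).
CN_ONLY = {"subject": ((("commonName", "portal.example.gov.uk"),),)}
SAN_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "portal.example.gov.uk"),
                       ("DNS", "*.svc.example.gov.uk")),
}

if __name__ == "__main__":
    for label, cert in (("CN-only", CN_ONLY), ("SAN", SAN_CERT)):
        print(label, "strict:", hostname_matches(cert, "portal.example.gov.uk"),
              "legacy:", hostname_matches(cert, "portal.example.gov.uk", True))
```

The CN-only certificate passes only with the legacy fallback, which is exactly the "works in one browser, fails in another" symptom described above; a quick `openssl x509 -noout -ext subjectAltName` on the served certificate tells you which case you are in before users do.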

Judges dismisses majority of Cisco's 'insane' IP defence against Arista

DougMac

Re: F*ck Arista

Arista took a pretty different direction than Cisco at the time of founding.

I'd argue that they were innovative at a time where Cisco was stuck in the mud spinning their wheels.

Since then, Cisco has followed them, and that is why I think Cisco is flinging sue-balls at them.

11
0

From July, Chrome will name and shame insecure HTTP websites

DougMac

SSL is not all that common

Just because 81% of the top 100 sites have SSL, doesn't mean that follows for the remainder. There is a very long tail of websites out of the top 5000, or 10000 that are never going to get SSL that are now going to be penalized.

Let's Encrypt on Windows is still slightly messy. Going through various load balancers is messy.

Very few customers not doing SSL today find even the little effort to do SSL to be worth the costs (money wise or technical wise).

This is definitely going to train normal users that it is "normal" to see the warnings and to ignore them.

4
0

Cops find ATM spewing cash, car with dodgy plates, stack of $20 bills and hacking kit inside

DougMac

COTS?

It blows me away that ATMs (and cash registers) are now COTS windows PC's, networked to the Internet with about as much firewalling as a typical enterprise has.

I would have thought that with all the engineering experience, fairly custom, extremely hardened designs would be de rigueur, especially nowadays. No USB ports with auto-run on them behind some panel with virtually nothing to prevent intrusion.

I remember when the original crypto cards for ATM transactions came out, with all the layers of anti-tampering on them (eg. critical battery traces potted in above the data traces). But nowadays, it seems like COTS wins the day, and instead of up front engineering, they just spend it on after-the-fact cover up and throw money at covering their losses instead of putting it up front.

The real scary attacks described on Krebs are the ones that infiltrate the whole bank's network, and can upload malware remotely, and have it jackpot any given ATM on demand.

4
0

STOP! It's dangerous to upgrade to VMware 6.5 alone. Read this

DougMac

Re: Too Naive

> Finally, we get the horrible mess of clients that VMWare has: The fat Windows client, the Flash web >interface and the newer HTML5 interface. No one interface can do everything. Nice one VMWare!

At least there is a path. eg. The C# client is dead now and has been for a year (if you are current on patching on the 6.5 track).

The HTML5 fling UI offers full usability, and they keep wrapping more and more of the HTML5 fling into 6.5 as it ships U updates.

Most of what I've encountered are VMware admins that are adamant that they can never use anything but the C# client, even though it is dead, so they stick with the older things because they can't change.

1
7
DougMac

Re: Upgrading from 5.5

I know of nobody that has changed to Hyper-V and liked it.

Hyper-V has its own worms and problems.

Everywhere I've encountered it in production is in basic mode (eg. single hosts) because full-on clusters are unattainable for just about everyone.

5
2

Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes

DougMac

SPARC doesn't seem to be affected..

Unofficially, some Oracle people have stated that since SPARC runs kernel and user address space completely separate as part of the design of their ABI, that the same sorts of issues can't crop up.

2
0

Happy New Year! Love, Microsoft: Price rises? Aw, you shouldn't have

DougMac

The article seems to state this is a UK only thing. Service provider partners in the US face the same 10% price hikes.

They also are saying another 10% for some of the same products in Jan 2019 as well.

2
0

Security pros' advice to consumers: 'We dunno, try 152 things'

DougMac

Re: "Don't use Java"

Especially since so much software in the enterprise and service provider realm is written in Java.

VMware is heavy on Java, all my storage systems management systems use Java on the backend for management and reporting (even if it is a web front end).

My PKI solution uses Java, I know at least two large SSL CA providers use Java systems.

My SIEM is written in Java.

Since .Net is just a copy of Java, does that equate to don't use .Net apps either?

I suspect the thought is don't use Java in your browser, which would be near impossible nowadays anyway with all the roadblocks that everything throws up. But Java on the backend is extremely prevalent.

2
1

You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early

DougMac

Re: They're right but it's a moot point

> but on the other hand a borked update can brick vast hoards

Sort of like the latest Flash build breaks anything VMware or other enterprise interfaces in Flash,

and Chrome updates keep removing the "buggy" old flash that still can run the only interface we have into vSphere?

8
0

AWS to Windows devs: Come out of the dark, into the Lightsail

DougMac

The "Cloud"

Just from the small base of my customer-set, at least 90% that are "in the cloud" are nothing more than a VPS or three or a dozen.

Well less than 10% do anything "cloud scale" that actually utilizes any sort of features beyond just having a VPS in the cloud.

I firmly believe that the current rush to "be in the cloud" results only from the desire not to have hardware onsite. Once people realize that their data and all they own are now tied up far beyond their control and they get cloud shock at sticker price, things will probably swing around again.

3
0

Internet-wide security update put on hold over fears 60 million people would be kicked offline

DougMac

Just look at IPv6?

> Just look at IPv6

I'm looking at IPv6. Mobile really made it a slam dunk use-case.

56-60% of all my email users come in over IPv6.

I'm not a large web content provider, so I can't show the same stats there, but I'd bet that Facebook is showing numbers equally impressive.

Look at the ISPs or companies like Facebook that are 100% IPv6 internal with only IPv4 gateways now.

Look at the IOC 2017 IPv6 report for more evidence of ISPs considering dropping IPv4 native in the next *handful* of years.

The one case where everybody is dragging their feet?

Enterprise.

Enterprise fears IPv6 and buried their heads in the sand, even though they probably have significant IPv6 traffic internally traversing their network. They need to figure out that those OSs running internally are all doing IPv6 natively now, and learn how to properly secure it (a single external breach could set up an IPv6 RA and proxy, and funnel all the Enterprise traffic out beyond the firewall in a heartbeat) and embrace it. IPv4 is going away, Enterprise needs to learn that.

1
0
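The rogue-RA scenario in the post above (an attacker on the segment advertising itself as the IPv6 router so dual-stack hosts route through it) is easy to spot on the wire because legitimate RAs come from a short, known list of routers. The following is an added example, not code from the article or from the poster: it runs a simple detection over tcpdump-style capture lines. The lines are constructed to resemble `tcpdump -e -n icmp6` output, the MAC and IPv6 addresses are invented, and the allow-list of router MACs is an assumption about the segment being watched.

```python
"""Flag IPv6 Router Advertisements from anything that is not an authorised
router, using tcpdump-style lines as input.

Added example, not code from the article or the poster. The capture lines
are constructed to resemble `tcpdump -e -n -i eth0 icmp6` output; the
addresses and MACs are invented, and the allow-list is an assumption about
which routers are legitimate on this segment.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# One `tcpdump -e -n` line looks like (wrapped here for readability):
# 10:00:01.000000 00:11:22:33:44:55 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd),
#   length 118: fe80::211:22ff:fe33:4455 > ff02::1: ICMP6, router advertisement, length 64
RA_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv6 \(0x86dd\), "
    r"length \d+: (?P<src_ip>[0-9a-f:]+) > (?P<dst_ip>[0-9a-f:]+): "
    r"ICMP6, router advertisement, length \d+",
    re.IGNORECASE,
)


def find_rogue_ras(lines: Iterable[str], authorised_macs: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per RA that is either not from an authorised router MAC
    or not sourced from a link-local address (RFC 4861 requires fe80::/10)."""
    alerts = []
    for line in lines:
        m = RA_LINE.match(line.strip())
        if not m:
            continue  # not an RA (neighbour solicitation, echo, etc.)
        src_mac = m["src_mac"].lower()
        src_ip = ipaddress.IPv6Address(m["src_ip"])
        reason = None
        if src_mac not in authorised_macs:
            reason = "RA from unauthorised MAC"
        elif not src_ip.is_link_local:
            reason = "RA from non-link-local source"
        if reason:
            alerts.append({"ts": m["ts"], "src_mac": src_mac,
                           "src_ip": str(src_ip), "reason": reason})
    return alerts


# Constructed capture: one good RA, one RA from an unknown MAC, one unrelated
# neighbour solicitation, and one RA with a bogus global source address.
SAMPLE_CAPTURE = [
    "10:00:01.000000 00:11:22:33:44:55 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), "
    "length 118: fe80::211:22ff:fe33:4455 > ff02::1: ICMP6, router advertisement, length 64",
    "10:00:02.000000 de:ad:be:ef:00:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), "
    "length 118: fe80::dead:beff:feef:1 > ff02::1: ICMP6, router advertisement, length 64",
    "10:00:03.000000 00:11:22:33:44:55 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), "
    "length 70: fe80::211:22ff:fe33:4455 > ff02::1: ICMP6, neighbor solicitation, who has fe80::1, length 32",
    "10:00:04.000000 00:11:22:33:44:55 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), "
    "length 118: 2001:db8::1 > ff02::1: ICMP6, router advertisement, length 64",
]
AUTHORISED_ROUTERS = {"00:11:22:33:44:55"}  # assumption: the segment's real router

if __name__ == "__main__":
    for alert in find_rogue_ras(SAMPLE_CAPTURE, AUTHORISED_ROUTERS):
        print(alert)
```

This catches the lazy attacker; one who spoofs the real router's MAC as well will not trip the allow-list, which is why the preventive control belongs on the switch (RA Guard, RFC 6105) or on the hosts (`net.ipv6.conf.*.accept_ra=0` where a static default route is acceptable), with this sort of detection as the backstop.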
DougMac

Re: Who does this really affect, its hard to tell....

> If you're using a forwarding server or cacheing server from your ISP (or 8.8.8.8 for google's DNS server) then I'd expect it to work just fine and not break anything.

That's not right. If your ISP enabled DNSSEC resolvers, and their system doesn't follow the automatic KSK addition mechanism that is required for the 2017 KSK key roll, *all* their lookups will fail when the old 2011 KSK stops signing the responses from '.'

The client doesn't request DNSSEC (well, it could and check itself), but all the resolvers upstream need to be able to follow the KSK addition into their keystores via the proper method if they do DNSSEC resolving themselves (which most ISP servers do, unless your ISP is a small podunk one that doesn't follow current standards). All client lookups will fail if the ISP resolver is broken.

Since Government users typically demand that due to their standards they have to follow, most large ISPs have followed suit.

1
0
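The practical check behind the post above is whether a resolver's trust-anchor store actually contains the new root KSK, and the quickest way to tell keys apart is by key tag: the 2017 root KSK has tag 20326, the 2010 one 19036. The following is an added example, not code from the article or from the poster. It computes key tags per RFC 4034 Appendix B from DNSKEY records in presentation format (the format `dig . DNSKEY` or a BIND `trusted-keys`/`managed-keys` block uses). The DNSKEY records in the sample are constructed with tiny dummy public keys; they are not the real root keys, and the tags asserted are those of the dummies.

```python
"""Compute DNSKEY key tags (RFC 4034 Appendix B) so you can check which root
KSK a resolver's trust-anchor file actually contains after a key roll.

Added example, not code from the article or the poster. The DNSKEY records
below are constructed with short dummy public keys; they are not the real
root keys, and the tags computed for them are the tags of the dummies.
"""
import base64
import struct
from typing import Dict, Tuple


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA, treating
    even-offset bytes as the high byte and odd-offset bytes as the low byte."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey_line(line: str) -> Tuple[str, int, int, int, bytes]:
    """Parse one presentation-format DNSKEY RR into
    (owner, flags, protocol, algorithm, key_bytes).

    Accepts "owner [ttl] [IN] DNSKEY flags proto alg key..."; the base64 key
    may be split across several whitespace-separated tokens, as dig prints it."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, key


def trust_anchor_tags(dnskey_text: str, owner: str = ".") -> Dict[int, str]:
    """Map key tag -> "KSK" or "ZSK" for every DNSKEY of `owner` in the text.
    Flag bit 0x0001 (SEP) marks a key-signing key; protocol must be 3."""
    tags: Dict[int, str] = {}
    for line in dnskey_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "DNSKEY" not in line:
            continue
        name, flags, proto, alg, key = parse_dnskey_line(line)
        if name != owner or proto != 3:
            continue
        tags[key_tag(flags, proto, alg, key)] = "KSK" if flags & 0x0001 else "ZSK"
    return tags


def resolver_trusts_ksk(dnskey_text: str, expected_tag: int) -> bool:
    """True if a key-signing key with `expected_tag` is present in the anchors."""
    return trust_anchor_tags(dnskey_text).get(expected_tag) == "KSK"


# Constructed DNSKEY RRset with dummy 4-byte keys (NOT the real root keys):
# two KSKs (flags 257) standing in for an old and a new key, and one ZSK (256).
SAMPLE_DNSKEY = """
; constructed sample, not real root DNSKEY data
.  172800 IN DNSKEY 257 3 8 AQIDBA==
.  172800 IN DNSKEY 257 3 8 BQYHCA==
.  172800 IN DNSKEY 256 3 8 CQoLDA==
"""

if __name__ == "__main__":
    print(trust_anchor_tags(SAMPLE_DNSKEY))
```

Run it against the output of `dig . DNSKEY +multiline` from the resolver in question, or against its on-disk managed-keys file: if 20326 is absent after the roll, that resolver is not following RFC 5011 and every validated lookup through it will fail once the old KSK stops signing.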

So. Should I upgrade to macOS High Sierra?

DougMac

Re: Backup server?

> Mac mini with an external tower... Seems perfectly reasonable to me.

FreeNAS mini would be an all-in-one. Works awesome for TimeMachine backups.

Or roll it out on your own hardware.

4
0
DougMac

> 2. I still have a 1tb TimeCrapsule, backs up the 3 macbooks no problem.

Wow, yours still works? I had all 4 of mine die on me.

Several got repaired under known issues. Others I didn't bother to fight them and replaced it with another solution, because Apple just doesn't care about anything released more than 6 months ago.

7
0

China to get its very own cut-price cut-down cut of vSphere

DougMac

Re: vmotion between versions

> When I upgraded 4.1 to 5.5 3 or 4 years ago I vmotioned VMs from hosts on 4.1 to hosts on 5.5. Sounds like what vmware is working on now?

That's always been a feature of VMware for upgrade paths. I've had VMs most likely start out life on 4.1, went to 5.5, 6.0 and to 6.5 on the same hardware without disruption. Just vmotion around the cluster as things went.

Most likely whatever was trying to be conveyed to the reporter got lost in translation, as there is nothing to "work on" for that feature, it has been a done deal for quite some time.

0
0

Red Hat banishes Btrfs from RHEL

DougMac

Re: People are still using btrfs?

> After the RAID5/6 issue which still isn't fixed a *year* later(!), people are still trusting their data to btrfs?

Umm, the RAID5 issue which isn't fixed correctly *since the beginning of the project*.

The devs have known of conditions which will corrupt RAID5 since the start, and while there was a promising bug fix a while ago, they then found it only fixed one of the bugs, but others are known.

The people doing btrfs have known about these issues for some time, and they never get properly fixed.

Most likely, that is why RH is dropping support for it.

4
0

If you love your email standards, SMTP your feet: 35 years later

DougMac

Re: user-whitelisting

>> 1) have an entire (sub)domain for yourself and set up a wildcard mailbox.

And then get hit by a dictionary spam attack and get a few thousand spam crap in your mailbox.

8
3

Marketing giant Marketo forgets to renew domain name. Hilarity ensues

DougMac

Re: Note to self

And the registered contact is a single person, long gone from the org, and nobody checks that mailbox. Nobody can figure out how to set up 'webmaster@' or something generic that everyone checks because it has to be that one guy doing it.

12
0

Solaris, Java have vulns that let users run riot

DougMac

> Hint - Android does not run Java.

Wha? Most Android Apps are written in Java, and the ADK has mostly Java interfaces, how does Android not run Java?

Perhaps you mean Java Applets which has long been a dead thing?

1
0

BOFH: That's right. Turn it off. Turn it on

DougMac

Re: The power of suggestion

Heaven help you if you have to teach a user how to type a tilde ~

Nobody knows what that is, while - has some passing familiarity.

20
0

Azure blues: Active Directory Connect has password reset vuln

DougMac

Well, duh

>When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts..

Because how to prevent that is missing in the docs altogether.

Microsoft tends to document sparsely, and only "ideal" setups, without telling you generally how to get to that "ideal" state. So generally only the Windows admins that are super-well versed/trained in the Microsoft way do things the way the Microsoft devs assume the rest of the world does, leaving everybody else floundering around.

1
0

Yes, this is our third Cisco story of the day. It's about 23 bugs you need to fix, stat

DougMac

Re: Wait - what?!

>> "Showing 1 - 50 of 2331"

For some reason, only going back the last 20 years, guess the first 13 or so years don't count, but still.

The first 60 vuln's listed are released this month alone.

There isn't anything compelling for me to run Cisco anything any longer, just seems like a big world of hurt for doing anything with them. (from somebody that has done Cisco since the days of the Gold and White boxes and them being cisco without the capital).

1
0

‪WannaCry‬pt ransomware note likely written by Google Translate-using Chinese speakers

DougMac

Re: More to the point

Chinese is not a homogeneous single language. Different idioms, ways of sentence structure (and not applicable here, but vocal patterns) and vocabulary differ highly from area to area, region to region.

(not even counting the dozens of different regional dialects).

Most of this is much more relevant to the spoken language, since the written is the same. Most likely what they analyzed given the areas noted is probably the writing looks like it was written by somebody that speaks Cantonese. Totally different language than Mandarin, but still uses the same written characters.

0
0

It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

DougMac

Re: So much for

And why does an eBook need to open a web page?

0
0

Apple squashes cert-handling bug affecting macOS and iOS

DougMac

Why won't Apple backport security?

And of course, no recourse for MacOS 10.11 users (assuming they are affected as well).

No security updates are dropped for 10.11.

And the bugs in 10.12 still prevent me from using my normal workflow.

Progress.

2
2

'Clearance sale' shows Apple's iPad is over. It's done

DougMac

Re: Chrome in US

No, Chromebooks are popular in the Education market because they are cheap, disposable terminals into Google Docs (and to a lesser extent the spreadsheet and presentation modules), and using them as a "computer" is never done.

You could replace 'chromebook' with anything that could get a web interface to Google Docs and the schools would be happy. Replace Google Docs with anything collaborative text editing and they'd be good, but nobody else has a realistic replacement. Maybe if Apple actually made firm their iCloud collaborative editing years ago instead of offering some different weak beta only to be ripped out and replaced every few years..

Unlike in the far past (ie. when I was in school), "educational software" aka games that teach something are long gone and hardly used at all in any curriculum for my kids. That seemed to be the main reason for the large banks of Apple II's in schools in the past, plus teaching programming and hardware hacking, etc. of years past don't seem to exist. I remember having classes on basic programming on Commodore and Apple II's in school, and interfaced hardware to science experiments, but my kids have none of those options. (One went to summer school to have a class on 'Sketch' but that is about the only offering).

My kids use the iPads in school mostly as a treat for downtime for the teacher. All the promised educational full-on multi-media immersive textbooks never materialized. Nor are there any good educational apps that augment what the teachers are looking for. There are plenty of web apps that do that job so much better. Which of course usually means flash..

4
0

FreeNAS sheds storage skin, tries on sexier hyperconverged garb

DougMac

Re: In what way is this "hyperconverged"?

The Hype of Hyperconverged in the market today is that you do storage and virtualization at the same time on the same box so you don't have to buy storage and hypervisor separately.

Although for the life of me, I still haven't figured out why you'd really want to starve a storage system's resources by running a hypervisor on top of it. If you are SOHO, or really tiny SMB, I can see not having the resources to run a real proper setup and get away on the cheap, but even tiny enterprise or mid-sized and up SMB are going to want to do things a bit more properly.

Previous FreeNAS systems did jails, and let you run VirtualBox inside a jail, which worked fairly well, but bhyve is really more a full on type 2 hypervisor.

3
0

Google Cloud to offer support as a service: Is accidental IT provider the new Microsoft?

DougMac

Re: If only

That's a bargain compared to AWS.

To get the same response rate there, you need to spend the greater of $15,000 a month or 10% of your monthly AWS usage up to the $150k/month tier (then you start getting discounts) in order to get the Enterprise AWS Support plan.

2
1

Video intercom firm Doorbird wants $80 for device password resets

DougMac

Re: Somewhat different...

And my bank (although perhaps not all), would require me to go to a branch, talk to a branch manager, show my ID, prove who I am, in order to reset my PIN or online password.

They don't charge, but you can't just do it over the phone or email or twit or whatever.

2
0

You're Donald Trump's sysadmin. You've got data leaks coming out the *ss. What to do

DougMac

They have zero imagination. I think the only thing they can think of is what they already do. eg. there must be voter fraud, because their own people are registered to vote in 3 states. They look for the apps that they themselves use.

Have they ever heard of actually talking on the phone? Speaking in code? USB sticks? (Snowden got all his info out on USB sticks), burner phones?

The movie 'No Way Out' seems apropos here. But maybe they should actually watch Mr. Robot to learn some basics.

2
0

Team Trump snubs Big Internet oligarchs

DougMac

Reaganomics, here we go again.

How much deeper can we go into debt as a country, while lining the pockets of the 1%?

And the populist crowds handed it all to the 1%.

10
3

Lenovo: If you value your server, block Microsoft's November security update

DougMac

Re: Go ahead

> I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?

How can we stop Linux from needing a reboot every two weeks due to kernel issues?

USN-3147-1: Linux kernel vulnerabilities - 30th November 2016

USN-3126-1: Linux kernel vulnerabilities - 11th November 2016

USN-3107-1: Linux kernel vulnerability - 19th October 2016

USN-3099-1: Linux kernel vulnerabilities - 11th October 2016

USN-3084-1: Linux kernel vulnerabilities - 19th September 2016

USN-3072-1: Linux kernel vulnerabilities - 29th August 2016

USN-3055-1: Linux kernel vulnerabilities - 10th August 2016

USN-3035-1: Linux kernel vulnerability - 14th July 2016

Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.

16
4

VMware flings vCenter Server away from Windows, if you want

DougMac

Re: Update Manager

Or do host updates from the command line. So much quicker and easier than running VUM.

1
0

Let's Encrypt ups rate limits

DougMac

certbot really is simple to make automatic updates.

2
0

Seagate defrags 14% of workforce: 6,500 axed

DougMac

Quality went to crap

It couldn't be because Seagate decided to cheap out on everything, and make crappy drives that have the highest failure rate in the industry by far, such that they are banned from my datacenter?

Storage vendors noticed too, all replacements I get in are *never* Seagate drives, replacing the failed Seagate disks by the dozens.

8
0

Tivo's new owner ponders binning its own boxes

DougMac

Re: As usual

You could look back to DirecTV's reboot of their TiVo box offering after they had dropped it for some time in lieu of their own boxes. The TiVo option was never advertised or pushed, the installer that came out was unfamiliar with it, I was the only one that insisted on getting one and he never had done any others.

The box itself was brand new, but yet ran the many years previous TiVo software, with all the interesting services (ie. multi-room viewing) stripped out.

still-birth on delivery.

1
0

Hmmm, where should I dump those unencrypted password files? I know - OneDrive

DougMac

Re: BS!

Because some industries have regulations that require such things for servers and such, and the IT crowd likes it enough to extend it enterprise wide?

I've seen plenty of reports of scans of this nature.

1
0

VMware flushes Windows vSphere client and Adobe Flash

DougMac

Re: Hosts?

They already did a fling for an HTML 5 host interface for ESXi that is more functional than C# vSphere client direct to host ever was.

It already ships in ESXi 6.0U2 and most likely isn't leaving.

I think with its success and after finding how rapidly they can code with modern web setups instead of old legacy junk, they feel they can make the timetable countdown to VMworld work to ship a finished product (or at least announce and ship 60-90 days later which has been their typical timetable the last 2-3 times).

2
1

Vivaldi Jon: Mobile – yes. Feeds and an ad blocker… probably not

DougMac

Re: Until they find a way to approve exceptions to cert errors

I've got plenty of internal appliances that wouldn't work with LetsEncrypt. They aren't going to handle internal only domains either?

But I'd agree with putting proper certs on, with an Enterprise CA, and pushing out your trusted roots properly.

Don't get in the habit of clicking through errors all the time, you'll miss the time when you really needed to pay attention to that bad one.

3
0

SSL's DROWN not as bad as Heartbleed, still a security ship wreck

DougMac

Re: Is TLS vulnerable or not?

>> Solution: don't enable SSLv2, OpenSSL is helping you with this by switching it off in a default build

DROWN is worse than that. Unless your software is specifically configured to block SSLv2 ciphers, a bug in OpenSRS (up until the versions released a few days ago) will let the client still select SSLv2 ciphers and commence the attack.

So, just disabling SSLv2 isn't good enough. Your software needs to be configured to specifically reject all SSLv2 ciphers as well. (or patched within the last few days).

0
0

D&D geeks were right – their old rule books ARE worth something now

DougMac

Re: You what??

Sort of like Audubon was a massive hunter as well? He hunted and killed all his own birds at first in order to paint them, but then had to hire hunters to go out and get him a whole new brace every time he started up.

"I call birds few when I shoot less than one hundred per day."

0
0


Biting the hand that feeds IT © 1998–2018