* Posts by DougMac

85 posts • joined 16 Jul 2013


Disk drives suck less than they did a couple of years ago. Which is nice


Any single disk setup is asking for trouble. If you need to stay up and working, RAID. If you need your data, backup, backup, backup, backup, backup.

Everything can fail (as I'm looking at the 2nd SSD failure on my laptop), average time to fail = 1.5 years.


Re: Ah...

Not true, for a while there, almost all Seagate drives (even enterprise ones) were pretty shit.

I had many a NetApp/EMC, etc. etc. that came packed to the gills with Seagate drives, that started failing on a very regular schedule starting just about half a year before the normal warranty period on those drives. I had a Sun Thor (48 SATA 1TB Seagate drives) that probably had lost 70% of its original drives.

The replacements started coming back with Seagate drives, that failed again after replacement.

Pretty soon the replacements started coming back with HGST or sometimes Toshiba, and those disks never had to be replaced again.

Domain name 'admin' role eyed up as latest victim of Whois system's GDPRmeggdon


Just Admin Contact?

Aren't all the contact data fields of questionable value? None of my customers care what goes in there; it could be all folded down to one contact (with mostly fake info) in all cases.

There, I just saved a "committee" months of "work".

How an over-zealous yank took down the trading floor of a US bank


Sun IPX "server"?

The Sun IPX was never meant to be a server, but a tiny workstation. Typical configuration was something like 40MHz CPU, and 16MB or 32MB of RAM. It came in a tiny "lunchbox" case. (about 1 foot by 1 foot by 8 inches tall).

I doubt PC-era hardware was more powerful, but almost certainly, SunOS was 1000 times more stable and capable than anything running on a PC at the time.


Re: Unplugging the keyboard = kernel panic ?

It wasn't a kernel panic, but the Sun machines had a tough time differentiating between Stop-A and the keyboard being unplugged. Stop-A was a means to break out into the rommon to debug the kernel, and was reasonably difficult to perform, and was introduced in an era when machines were built to be serviced by kernel systems programmers to find kernel bugs. Then continued on long past the day when this was useful.

It was just unfortunate that the Stop-A procedure was confused a bunch by the keyboard being unplugged too.

Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale


How's this different than normal?

By the time a company is liquidated, anybody left there gives zero ***cks to what happens to anything left over, data, sensitive info, etc?

I've cleaned out offices with tax forms, W-2's, etc. all left behind. This is normal.

I've also bought 2nd hand filers from liquidated companies with full data still left on them. Source code, CAD drawings, records, etc. etc. Bought network gear with full configs (SNMP communities are always fun) still left on them, etc.

Not many liquidators would have the means, knowledge or time to make sure things are securely wiped, and if it has come down to the end, it's doubtful anybody still left at a company does either. They are the cleanup crew: get it out, get it gone. Who cares.

DNSSEC in a click: Cloudflare tries to crack uptake inertia


Re: El Reg writes "In some respects it is like IPv6...."

Yeah, but with the consolidation in the industry, there's less than a handful of large players, and the small players are probably going to all die off sooner than later. The CAA record seems less useful if it's between a choice of 3 or 4.

Microsoft sharpens its claws to cut Outlook UI excess, snip Ribbon


UI revamp

The next UI revamp for Office 2020, we'll get rid of the toolbar, and invent the new latest k00l toy, the menubar! Everyone must conform to the new UI standard.

Welcome! Mimecast finds interesting door policies on email filters


Re: A study?

Mimecast has been around a lot longer than Microsoft has been a mail provider.

Sysadmin sank IBM mainframe by going one VM too deep


"Incidentally, since we call it a hash in the UK, but the Americans call it a pound.."

That usage in the US went away decades ago. It was current when typewriters were a thing and was used then, but since computers came around, nobody abbreviates pound as #.

People hate hot-desking. Google thinks they’ll love hot-Chromebooking



"So users are having to replace their Chromebooks over three times a year due to failure?"

Let's do the math. Let's settle on the $300 chromebook. 3.3 chromebooks per user per year.

At 3 years out, the company has spent $2970 for chromebooks vs. an assigned laptop.

Wow, what a cost savings.

Fix this faxing hell! NHS told to stop hanging onto archaic tech


Not being in the industry, but an interested observer, I think the reason faxes are so prevalent in the health industry is because printed documents transferred in "modern" protocols fall within HIPAA, and faxes are preexisting tech and don't have all those silly data protection rules attached.

I've heard of medical billing outfits in the US that emulate 1,000's of concurrent online fax machines at a time so all those medical billings can go back and forth on paper, bypassing HIPAA rules.

I've had so many of my customers that have to process PHI billing ask just how they can do email with PHI and still be HIPAA compliant. My answer of "you can't" just pissed them off to no end. I think this is the industry's end-run to still have paper record shuffle.

Boffin botheration as IET lifts axe on 20-year-old email alias service


Email forwarding services are passé

Due to technical measures such as SPF/DKIM, most email forwarding services have extremely poor forwarding rates.

The users of this service are probably missing most of their forwarded email anyway due to SPF filters (which Google encourages all domains to setup, by dumping more and more non-SPF setup domains right into the gmail recipients SPAM buckets).

Mailing lists also encountered this, but most adapted by rewriting the sender address, which probably would not go over well with just an email forwarder service, if the recipients couldn't reply back to the sender. Suddenly the email forwarder service has to be running a full-on mail server, keeping track of all rewritten senders and expanding them back and forward.

A total mess technology wise.
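The forwarding failure and the sender-rewriting workaround described above, as an added example that is not part of the original post. It is a deliberately minimal SPF evaluator (only `ip4`/`ip6` mechanisms and `all`; no `include`, `a`, `mx` or `redirect`) plus a simplified SRS0 rewrite, with constructed SPF records for the hypothetical domains `example.com` and `forwarder.example` on RFC 5737 test addresses and a made-up HMAC secret. Real SRS derives the timestamp from days since the epoch; here the day is passed in explicitly.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF records for hypothetical domains (RFC 5737 test addresses).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",        # the original sender's domain
    "forwarder.example": "v=spf1 ip4:198.51.100.7 -all",  # the forwarding service
}

# Hypothetical shared secret for the forwarder's SRS hashes (example only).
SRS_SECRET = b"constructed-secret-do-not-use"
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from, records=SPF_RECORDS):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' only, evaluated left to right."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:              # skip the 'v=spf1' version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        # 'in' is False when the address family differs, so ip6: never matches an IPv4 client
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"                             # record exhausted without a match


def _srs_hash(ts, orig_domain, local, secret):
    mac = hmac.new(secret, f"{ts}{orig_domain}{local}".lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()    # first 4 base64 chars, never '='


def srs_forward(mail_from, forwarder_domain, day, secret=SRS_SECRET):
    """Rewrite the envelope sender into an SRS0 address owned by the forwarder."""
    local, _, orig_domain = mail_from.rpartition("@")
    ts = _B32[(day >> 5) & 31] + _B32[day & 31]  # 2-char base32 day stamp (day mod 1024)
    h = _srs_hash(ts, orig_domain, local, secret)
    return f"SRS0={h}={ts}={orig_domain}={local}@{forwarder_domain}"


def srs_reverse(srs_addr, secret=SRS_SECRET):
    """Recover the original sender from an SRS0 address, e.g. to route a bounce back."""
    local = srs_addr.rpartition("@")[0]
    tag, h, ts, orig_domain, orig_local = local.split("=", 4)
    if tag != "SRS0" or not hmac.compare_digest(h, _srs_hash(ts, orig_domain, orig_local, secret)):
        raise ValueError("not a valid SRS0 address for this forwarder")
    return f"{orig_local}@{orig_domain}"


def demo(day=100):
    """The three deliveries from the post: direct, naively forwarded, forwarded with SRS."""
    rewritten = srs_forward("alice@example.com", "forwarder.example", day)
    return {
        "direct": spf_check("192.0.2.10", "alice@example.com"),            # sender's own MTA
        "forwarded_unrewritten": spf_check("198.51.100.7", "alice@example.com"),  # forwarder's IP
        "forwarded_srs": spf_check("198.51.100.7", rewritten),
        "srs_address": rewritten,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The middle case is the forwarding-rate problem from the post: the forwarder's IP is not in the original domain's record and the record ends in `-all`, so the receiver sees a hard fail. Rewriting the envelope sender moves the SPF check onto the forwarder's own domain, at the cost of the forwarder having to verify the hash and expand the address back when a bounce arrives.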

When Google's robots give your business the death sentence – who you gonna call?


Re: Google 'support'

No MSP will trust Google Apps with their customers' email setup. Support and response to problems is just too messed up. One reason Office365 took off so much.

PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional


Re: TLS 1.1 is fine for PCI ?

Correct, TLS v1.1 is fine, but generally in practice, TLS 1.0 marks the dividing point between "legacy old systems" and stuff that supports it all.

If you can do TLS v1.1, generally you can do TLS v1.2, and you may as well get on that wagon while you are reconfiguring.

IPv6 growth is slowing and no one knows why. Let's see if El Reg can address what's going on


> Personally I don't know whether this is a thing or not, but I've been hearing rumours about carrier-grade NAT and how it's going to be widely used by ISPs in the near future.

CGNAT is widely deployed, and customers typically have no clue it is in use, until of course things break and nobody can figure out what is going on. Every tech I've met has no idea why customer one has a "public IP" when customer two also has a "public IP", when they live in different states and get allocated IPs out of RFC 6598 space.

Of course I get brought in when everything is fubar. The ISPs doing CGNAT are doing heavy rate limiting to make sure their CGNAT gateways aren't overloaded, and doing dirty tricks like redirecting all speed test sites internal so they look like they have great speed, until of course you have to transit outside of their network and find that you have almost no bandwidth besides the tricked out ports the carriers play around with.

But IPv4 is "good enough", except when it isn't. IPv4 won't die until it is too painful to use. Too many techs are blind to the world outside what they know.

VMware to finally deliver full-function HTML5 vSphere client


Re: Flash... ah!

> Now if they wouldn't mind taking the moron who made the decision to implement their last stab at the web client using Flash outside and summarily execute them for gross stupidity (followed by a fair trial).

At the time, Flash was very embedded and a safe choice with the only other choice being Java in the browser.

Java applets disappeared so much quicker than Flash has, so it was a better choice in hindsight.

The main choice was if they did a web based solution (to get more than just Windows management) or stick with heavy clients needing to be installed. Flash or Java were the only technologies that could have done what they needed to at the time.

Single single-sign-on SNAFU threatens three Cisco products


Re: Is it me...

Nothing new there, although it does seem to have accelerated some since the classic days.

OK, this time it's for real: The last available IPv4 address block has gone


About the only one that hasn't figured out IPv6 are enterprise & SMB

The carriers have it all down pat, and 65-85% of residential users and wireless users are using IPv6 natively already. Mostly because the CPE can be remotely configured by the carriers to handle what they need.

But when techs have to go configure SMB firewall, they won't bother to learn how to do IPv6, and they only configure the IPv4 side (if their gear even supports dual stack).

Meanwhile, the residential and wireless users are driving most of the content so the content providers provide big fat pipes that can handle their needs.


Re: Time to claw some back

> There are probably large blocks of unused IPv4 addresses out there, if only the IANA would get off it's bottom and reclaim them.

Nope, already been done. They got some /8's back, and reallocated them years ago.

The only "large companies" left are Apple, HPE & Ford and a couple others. If you go down the IANA list, almost everything is allocated to huge Tier1 carriers directly, or to a regional IRR.

Stanford brainiacs say they can predict Reddit raids


Wow, they could have just dug up behavioral studies of 2nd graders on the playground and been done and complete.

Rant launches Eric Raymond's next project: open-source the UPS


>> It has been my impression that UPS's fail to "off"

The problem I've encountered is that for most of the small-ish UPSs, when the batteries go past their useful life, the UPS starts cycling the power, even if the wall power has been steady on. APC is particularly nasty about this for certain models.

Battery past useful life is almost always only a light on the front, I can't tell you the last time I've looked at the front of my home UPS.

>> Why not allow us to rig ubiquitous car batteries..

It was covered later to be mostly size. Your UPS would be quite large and heavy. As it is, most small-ish UPSs now use motorcycle/lawn mower Lead-Acid batteries. So, same technology, just smaller package. Less capacity.

The UPSs I'm mainly interested in though have their own rooms. : - )

And they do typically use deep-cycle marine batteries. Just lots and lots of them.

DVLA denies driving licence processing site is a security 'car crash'


Re: Certificate chain

"If there's a problem with the certificate chain how come only Firefox is complaining about it and not all browsers?"

Because every browser is different. Even different Chromium based browsers are different than Chrome itself.

Firefox is a very different beast than Chrome or Safari. Firefox complains more about things like broken certificate chains vs. Chrome. Chrome complains about different things, like requiring SAN entries instead of depending on cn= in the X.509 cert.

Thus if you run a web app, best to check it in all the major browsers.

Judges dismisses majority of Cisco's 'insane' IP defence against Arista


Re: F*ck Arista

Arista took a pretty different direction than Cisco at the time of founding.

I'd argue that they were innovative at a time where Cisco was stuck in the mud spinning their wheels.

Since then, Cisco has followed them, and that is why I think Cisco is flinging sue-balls at them.

From July, Chrome will name and shame insecure HTTP websites


SSL is not all that common

Just because 81% of the top 100 sites have SSL, doesn't mean that follows for the remainder. There is a very long tail of websites out of the top 5000, or 10000 that are never going to get SSL that are now going to be penalized.

Let's Encrypt on Windows is still slightly messy. Going through various load balancers is messy.

Very few customers not doing SSL today find even the little effort to do SSL to be worth the costs (money wise or technical wise).

This is definitely going to train normal users that it is "normal" to see the warnings and to ignore them.

Cops find ATM spewing cash, car with dodgy plates, stack of $20 bills and hacking kit inside



It blows me away that ATMs (and cash registers) are now COTS Windows PCs, networked to the Internet with about as much firewalling as a typical enterprise has.

I would have thought that with all the engineering experience, fairly custom, extremely hardened designs would be de rigueur, especially nowadays. Not USB ports with auto-run on them behind some panel with virtually nothing to prevent intrusion.

I remember when the original crypto cards for ATM transactions came out, with all the layers of anti-tampering on them (e.g. critical battery traces potted in above the data traces). But nowadays, it seems like COTS wins the day, and instead of up-front engineering, they just spend it on after-the-fact cover-up and throw money at covering their losses instead of putting it up front.

The real scary attacks described on Krebs are the ones that infiltrate the whole bank's network, and can upload malware remotely, and have it jackpot any given ATM on demand.

STOP! It's dangerous to upgrade to VMware 6.5 alone. Read this


Re: Too Naive

> Finally, we get the horrible mess of clients that VMWare has: The fat Windows client, the Flash web >interface and the newer HTML5 interface. No one interface can do everything. Nice one VMWare!

At least there is a path. E.g. the C# client is dead now and has been for a year (if you are current on patching on the 6.5 track).

The HTML5 fling UI offers full usability, and they keep wrapping more and more of the HTML5 fling into 6.5 as it ships U updates.

Most of what I've encountered are VMware admins that are adamant that they can never use anything but the C# client, even though it is dead, so they stick with the older things because they can't change.


Re: Upgrading from 5.5

I know of nobody that has changed to Hyper-V and liked it.

Hyper-V has its own worms and problems.

Everywhere I've encountered it in production is in basic mode (e.g. single hosts) because full-on clusters is unattainable for just about everyone.

Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes


SPARC doesn't seem to be affected..

Unofficially, some Oracle people have stated that since SPARC runs kernel and user address space completely separate as part of the design of their ABI, that the same sorts of issues can't crop up.

Happy New Year! Love, Microsoft: Price rises? Aw, you shouldn't have


The article seems to state this is a UK only thing. Service provider partners in the US face the same 10% price hikes.

They also are saying another 10% for some of the same products in Jan 2019 as well.

Security pros' advice to consumers: 'We dunno, try 152 things'


Re: "Don't use Java"

especially since so much software in the enterprise and service provider realm is written in Java.

VMware is heavy on Java, all my storage systems management systems use Java on the backend for management and reporting (even if it is a web front end).

My PKI solution uses Java, I know at least two large SSL CA providers use Java systems.

My SIEM is written in Java.

Since .Net is just a copy of Java, does that equate to don't use .Net apps either?

I suspect the thought is don't use Java in your browser, which would be near impossible nowadays anyway with all the roadblocks that everything throws up. But Java on the backend is extremely prevalent.

You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early


Re: They're right but it's a moot point

> but on the other hand a borked update can brick vast hoards

Sort of like the latest Flash build breaks anything VMware or other enterprise interfaces in Flash,

and Chrome updates keep removing the "buggy" old flash that still can run the only interface we have into vSphere?

AWS to Windows devs: Come out of the dark, into the Lightsail


The "Cloud"

Just from the small base of my customer-set, at least 90% that are "in the cloud" are nothing more than a VPS or three or a dozen.

Well less than 10% do anything "cloud scale" that actually utilizes any sort of features beyond just having a VPS in the cloud.

I firmly believe that the current rush to "be in the cloud" results only from the desire not to have hardware onsite. Once people realize that their data and all they own are now tied up far beyond their control and they get cloud shock at sticker price, things will probably swing around again.

Internet-wide security update put on hold over fears 60 million people would be kicked offline


Just look at IPv6?

> Just look at IPv6

I'm looking at IPv6. Mobile really made it a slam dunk use-case.

56-60% of all my email users come in over IPv6.

I'm not a large web content provider, so I can't show the same stats there, but I'd bet that Facebook is showing numbers equally impressive.

Look at the ISPs or companies like Facebook that are 100% IPv6 internal with only IPv4 gateways now.

Look at the IOC 2017 IPv6 report for more evidence of ISPs considering dropping IPv4 native in the next *handful* of years.

The one case where everybody is dragging their feet?


Enterprise fears IPv6, buries its head in the sand, even though they probably have significant IPv6 traffic internally traversing their network. They need to figure out that those OSs running internally are all doing IPv6 native now, and learn how to properly secure it (a single external breach could set up an IPv6 RA and proxy, and funnel all the Enterprise traffic out beyond the firewall in a heartbeat) and embrace it. IPv4 is going away, Enterprise needs to learn that.
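The rogue-RA scenario in the post, as an added detection example that is not part of the original post or of any product. It decodes an ICMPv6 Router Advertisement (RFC 4861 header, Prefix Information option, and the RFC 8106 RDNSS option) and compares it with a hypothetical per-VLAN policy naming the one authorised router, prefix and resolver. The packet capture itself (a raw socket or a span port feed) is left out; the RA payloads are constructed inline with the same builder so the check runs offline, and the checksum is left at zero.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement
OPT_PREFIX_INFO = 3      # RFC 4861 Prefix Information option
OPT_RDNSS = 25           # RFC 8106 Recursive DNS Server option

# Hypothetical policy for one enterprise VLAN. Anything an RA advertises
# beyond this is a finding worth alerting on.
POLICY = {
    "routers": {"fe80::1"},            # link-local source of the legitimate router
    "prefixes": {"2001:db8:1::/64"},   # the only prefix hosts should autoconfigure
    "rdnss": {"2001:db8:1::53"},       # the only resolver an RA may hand out
}


def build_ra(prefix, rdnss=(), router_lifetime=1800, flags=0):
    """Construct an RA payload (IPv6 header stripped, checksum 0) as test input."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    # Prefix Information: type, len=4 (32 bytes), prefixlen, L|A flags, valid, preferred, reserved
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    payload = hdr + pio
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        payload += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600) + addrs
    return payload


def parse_ra(payload):
    """Decode the RA header and the options a rogue router uses to capture traffic."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"managed": bool(flags & 0x80), "router_lifetime": lifetime,
          "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        opt = payload[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            addr = ipaddress.IPv6Address(bytes(opt[16:32]))
            ra["prefixes"].append(str(ipaddress.IPv6Network(f"{addr}/{opt[2]}", strict=False)))
        elif otype == OPT_RDNSS:
            for i in range(8, olen * 8, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(bytes(opt[i:i + 16]))))
        off += olen * 8
    return ra


def check_ra(src_link_local, payload, policy=POLICY):
    """Return a list of findings for one RA; an empty list means it matches policy."""
    src = str(ipaddress.IPv6Address(src_link_local))
    ra = parse_ra(payload)
    findings = []
    if src not in policy["routers"]:
        findings.append(f"RA from unauthorized router {src}")
    for p in ra["prefixes"]:
        if p not in policy["prefixes"]:
            findings.append(f"unexpected prefix {p}")
    for d in ra["rdnss"]:
        if d not in policy["rdnss"]:
            findings.append(f"unexpected DNS server {d}")
    return findings


if __name__ == "__main__":
    rogue = build_ra("2001:db8:bad::/64", rdnss=["2001:db8:bad::53"])
    for finding in check_ra("fe80::dead", rogue):
        print(finding)
```

A host that accepts the rogue RA gets a second default router and a second resolver, which is exactly the "funnel all the traffic out" path the post describes; switches that support RA Guard stop it at the port, and this kind of check is what a monitor does where they don't.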


Re: Who does this really affect, its hard to tell....

> If you're using a forwarding server or cacheing server from your ISP (or for google's DNS server) then I'd expect it to work just fine and not break anything.

That's not right. If your ISP enabled DNSSEC resolvers, and their system doesn't follow the automatic KSK addition mechanism that is required for the 2017 KSK key roll, *all* their lookups will fail when the old 2011 KSK stops signing the responses from '.'

The client doesn't request DNSSEC (well, it could and check itself), but all the resolvers upstream need to be able to follow the KSK addition into their keystores via the proper method if they do DNSSEC resolving themselves (which most ISP servers do, unless your ISP is a small podunk one that doesn't follow current standards). All client lookups will fail if the ISP resolver is broken.

Since Government users typically demand that due to their standards they have to follow, most large ISPs have followed suit.
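The "automatic KSK addition mechanism" the post refers to is RFC 5011 trust anchor update, and the failure mode it warns about is easy to show in a model. This is an added example, not part of the original post or of any resolver's code: a simplified RFC 5011 state machine (Start, AddPend with the 30-day add hold-down, Valid, Revoked; the remove hold-down is not modelled) run against a constructed root rollover timeline. Key tags 19036 and 20326 are those of the 2010 and 2017 root KSKs; the day numbers are made up. Signature verification is abstracted to "which key tags produced a valid RRSIG over the DNSKEY RRset", and a revoked key is assumed to carry its own self-signature as the RFC requires.

```python
ADD_HOLD_DOWN_DAYS = 30   # RFC 5011 add hold-down time


class TrustAnchorStore:
    """Simplified RFC 5011 state machine for a validating resolver's trust anchors."""

    def __init__(self, anchors):
        self.valid = set(anchors)   # trusted key tags (state Valid)
        self.pending = {}           # key tag -> day first seen (state AddPend)

    def observe(self, dnskey_rrset, signers, day):
        """Process one validated look at the DNSKEY RRset at the trust point.

        dnskey_rrset: list of (key_tag, revoke_bit); signers: key tags whose RRSIG verified.
        """
        if not self.valid & set(signers):
            return                   # not signed by a trusted anchor: ignore entirely
        published = {tag for tag, _ in dnskey_rrset}
        for tag, revoked in dnskey_rrset:
            if revoked:              # REVOKE bit set and self-signed: stop trusting it
                self.valid.discard(tag)
                self.pending.pop(tag, None)
        for tag in list(self.pending):   # a pending key that disappears restarts its hold-down
            if tag not in published:
                del self.pending[tag]
        for tag, revoked in dnskey_rrset:
            if revoked or tag in self.valid:
                continue
            first_seen = self.pending.setdefault(tag, day)
            if day - first_seen >= ADD_HOLD_DOWN_DAYS:
                self.valid.add(tag)      # AddPend -> Valid
                del self.pending[tag]

    def validates(self, signers):
        """Can a DNSKEY RRset signed by these keys be validated from the store?"""
        return bool(self.valid & set(signers))


OLD_KSK, NEW_KSK = 19036, 20326   # key tags of the 2010 and 2017 root KSKs


def root_state(day):
    """Constructed rollover timeline: new key pre-published, then signs alone, then old key revoked."""
    if day < 100:
        return [(OLD_KSK, False), (NEW_KSK, False)], {OLD_KSK, NEW_KSK}
    if day < 150:
        return [(OLD_KSK, False), (NEW_KSK, False)], {NEW_KSK}   # old KSK stops signing '.'
    return [(OLD_KSK, True), (NEW_KSK, False)], {NEW_KSK}        # old KSK published as revoked


def run_rollover(follows_rfc5011, days=181):
    """Return ({day: could_validate}, store) for a resolver that starts trusting only the old KSK."""
    store = TrustAnchorStore({OLD_KSK})
    outcome = {}
    for day in range(days):
        rrset, signers = root_state(day)
        if follows_rfc5011:
            store.observe(rrset, signers, day)   # a static-anchor resolver never does this
        outcome[day] = store.validates(signers)
    return outcome, store


if __name__ == "__main__":
    for label, flag in (("RFC 5011 resolver", True), ("static anchor resolver", False)):
        result, store = run_rollover(flag)
        first_failure = next((d for d, ok in result.items() if not ok), None)
        print(f"{label}: first failing day = {first_failure}, anchors = {sorted(store.valid)}")
```

The resolver that follows RFC 5011 picks up 20326 after the hold-down and keeps validating when 19036 stops signing; the one with a static anchor file validates nothing from that day on, which for its clients is a SERVFAIL on every name, not just DNSSEC-signed ones.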

So. Should I upgrade to macOS High Sierra?


Re: Backup server?

> Mac mini with an external tower... Seems perfectly reasonable to me.

FreeNAS mini would be an all-in-one. Works awesome for TimeMachine backups.

Or roll it out on your own hardware.


> 2. I still have a 1tb TimeCrapsule, backs up the 3 macbooks no problem.

Wow, yours still works? I had all 4 of mine die on me.

Several got repaired under known issues. Others I didn't bother to fight them and replaced it with another solution, because Apple just doesn't care about anything released more than 6 months ago.

China to get its very own cut-price cut-down cut of vSphere


Re: vmotion between versions

> When I upgraded 4.1 to 5.5 3 or 4 years ago I vmotioned VMs from hosts on 4.1 to hosts on 5.5. Sounds like what vmware is working on now?

That's always been a feature of VMware for upgrade paths. I've had VMs most likely start out life on 4.1, went to 5.5, 6.0 and to 6.5 on the same hardware without disruption. Just vmotion around the cluster as things went.

Most likely whatever was trying to be conveyed to the reporter got lost in translation, as there is nothing to "work on" for that feature, it has been a done deal for quite some time.

Red Hat banishes Btrfs from RHEL


Re: People are still using btrfs?

> After the RAID5/6 issue which still isn't fixed a *year* later(!), people are still trusting their data to btrfs?

Umm, the RAID5 issue which isn't fixed correctly *since the beginning of the project*.

The devs have known of conditions which will corrupt RAID5 since the start, and while there was a promising bug fix a while ago, they then found it only fixed one of the bugs, but others are known.

The people doing btrfs have known about these issues for some time, and they never get properly fixed.

Most likely, that is why RH is dropping support for it.

If you love your email standards, SMTP your feet: 35 years later


Re: user-whitelisting

>> 1) have an entire (sub)domain for yourself and set up a wildcard mailbox.

And then get hit by a dictionary spam attack and get a few thousand spam crap in your mailbox.

Marketing giant Marketo forgets to renew domain name. Hilarity ensues


Re: Note to self

And the registered contact is a single person, long gone from the org, and nobody checks that mailbox. Nobody can figure out how to set up 'webmaster@' or something generic that everyone checks because it has to be that one guy doing it.

Solaris, Java have vulns that let users run riot


> Hint - Android does not run Java.

Wha? Most Android Apps are written in Java, and the ADK has mostly Java interfaces, how does Android not run Java?

Perhaps you mean Java Applets which has long been a dead thing?

BOFH: That's right. Turn it off. Turn it on


Re: The power of suggestion

Heaven help you if you have to teach a user how to type a tilde ~

Nobody knows what that is, while - has some passing familiarity.

Azure blues: Active Directory Connect has password reset vuln


Well, duh

>When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts..

Because how to prevent that is missing in the docs altogether.

Microsoft tends to document sparsely, and only "ideal" setups, without telling you generally how to get to that "ideal" state. So generally only the Windows admins that are super-well versed/trained in the Microsoft way do things the way the Microsoft devs assume the rest of the world does, leaving everybody else floundering around.

Yes, this is our third Cisco story of the day. It's about 23 bugs you need to fix, stat


Re: Wait - what?!

>> "Showing 1 - 50 of 2331"

For some reason, only going back the last 20 years, guess the first 13 or so years don't count, but still.

The first 60 vulns listed are released this month alone.

There isn't anything compelling for me to run Cisco anything any longer, just seems like a big world of hurt for doing anything with them. (from somebody that has done Cisco since the days of the Gold and White boxes and them being cisco without the capital).

‪WannaCry‬pt ransomware note likely written by Google Translate-using Chinese speakers


Re: More to the point

Chinese is not a homogeneous single language. Different idioms, ways of sentence structure (and not applicable here, but vocal patterns) and vocabulary differ highly from area to area, region to region.

(not even counting the dozens of different regional dialects).

Most of this is much more relevant to the spoken language, since the written is the same. Most likely what they analyzed given the areas noted is probably the writing looks like it was written by somebody that speaks Cantonese. Totally different language than Mandarin, but still uses the same written characters.

It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book


Re: So much for

And why does an eBook need to open a web page?

Apple squashes cert-handling bug affecting macOS and iOS


Why won't Apple backport security?

And of course, no recourse for MacOS 10.11 users (assuming they are affected as well).

No security updates are dropped for 10.11.

And the bugs in 10.12 still prevent me from using my normal workflow.


'Clearance sale' shows Apple's iPad is over. It's done


Re: Chrome in US

No, Chromebooks are popular in the Education market because they are cheap, disposable terminals into Google Docs (and to a lesser extent the spreadsheet and presentation modules), and using them as a "computer" is never done.

You could replace 'chromebook' with anything that could get a web interface to Google Docs and the schools would be happy. Replace Google Docs with anything collaborative text editing and they'd be good, but nobody else has a realistic replacement. Maybe if Apple actually made firm their iCloud collaborative editing years ago instead of offering some different weak beta only to be ripped out and replaced every few years..

Unlike in the far past (ie. when I was in school), "educational software" aka games that teach something are long gone and not used hardly at all in any curriculum for my kids. That seemed to be the main reason for the large banks of Apple II's in schools in the past, plus teaching programming and hardware hacking, etc of years past don't seem to exist. I remember having classes on basic programming on Commodore and Apple II's in school, and interfaced hardware to science experiments, but my kids have none of those options. (One went to summer school to have a class on 'Sketch' but that is about the only offering).

My kids use the iPads in school mostly as a treat for downtime for the teacher. All the promised educational full-on multi-media immersive textbooks never materialized. Nor are there any good educational apps that augment what the teachers are looking for. There are plenty of web apps that do that job so much better. Which of course usually means flash..

FreeNAS sheds storage skin, tries on sexier hyperconverged garb


Re: In what way is this "hyperconverged"?

The Hype of Hyperconverged in the market today is that you do storage and virtualization at the same time on the same box so you don't have to buy storage and hypervisor separately.

Although for the life of me, I haven't still figured out why you'd really want to starve a storage system's resources by running a hypervisor on top of it. If you are SOHO, or really tiny SMB, I can see not having the resources to run a real proper setup and get away on the cheap, but even tiny enterprise or mid-sized and up SMB are going to want to do things a bit more properly.

Previous FreeNAS systems did jails, and let you run VirtualBox inside a jail, which worked fairly well, but bhyve is really more a full on type 2 hypervisor.


Biting the hand that feeds IT © 1998–2019