* Posts by DougMac

56 posts • joined 16 Jul 2013

Happy New Year! Love, Microsoft: Price rises? Aw, you shouldn't have

DougMac

The article seems to state this is a UK only thing. Service provider partners in the US face the same 10% price hikes.

They also are saying another 10% for some of the same products in Jan 2019 as well.

2
0

Security pros' advice to consumers: 'We dunno, try 152 things'

DougMac

Re: "Don't use Java"

Especially since so much software in the enterprise and service provider realm is written in Java.

VMware is heavy on Java, all my storage systems management systems use Java on the backend for management and reporting (even if it is a web front end).

My PKI solution uses Java, I know at least two large SSL CA providers use Java systems.

My SIEM is written in Java.

Since .Net is just a copy of Java, does that equate to don't use .Net apps either?

I suspect the thought is don't use Java in your browser, which would be near impossible nowadays anyway with all the roadblocks that everything throws up. But Java on the backend is extremely prevalent.

2
1

You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early

DougMac

Re: They're right but it's a moot point

> but on the other hand a borked update can brick vast hoards

Sort of like the latest Flash build breaks anything VMware or other enterprise interfaces in Flash, and Chrome updates keep removing the "buggy" old Flash that still can run the only interface we have into vSphere?

8
0

AWS to Windows devs: Come out of the dark, into the Lightsail

DougMac

The "Cloud"

Just from the small base of my customer-set, at least 90% that are "in the cloud" are nothing more than a VPS or three or a dozen.

Well less than 10% do anything "cloud scale" that actually utilizes any sort of features beyond just having a VPS in the cloud.

I firmly believe that the current rush to "be in the cloud" results only from the desire not to have hardware onsite. Once people realize that their data and all they own are now tied up far beyond their control and they get cloud shock at sticker price, things will probably swing around again.

3
0

Internet-wide security update put on hold over fears 60 million people would be kicked offline

DougMac

Just look at IPv6?

> Just look at IPv6

I'm looking at IPv6. Mobile really made it a slam dunk use-case.

56-60% of all my email users come in over IPv6.

I'm not a large web content provider, so I can't show the same stats there, but I'd bet that Facebook is showing numbers equally impressive.

Look at the ISPs or companies like Facebook that are 100% IPv6 internal with only IPv4 gateways now.

Look at the IOC 2017 IPv6 report for more evidence of ISPs considering dropping IPv4 native in the next *handful* of years.

The one case where everybody is dragging their feet?

Enterprise.

Enterprise fears IPv6 and has buried its head in the sand, even though it probably has significant IPv6 traffic traversing its network internally. It needs to figure out that those OSs running internally are all doing IPv6 natively now, learn how to properly secure it (a single external breach could set up an IPv6 RA and proxy, and funnel all the Enterprise traffic out beyond the firewall in a heartbeat) and embrace it. IPv4 is going away; Enterprise needs to learn that.

1
0
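As an added illustration of the rogue RA risk DougMac raises above (example code, not from the original post or from any product mentioned): a small auditor that parses ICMPv6 Router Advertisements from constructed frames and flags senders and prefixes outside an assumed enterprise allow-list, plus two RFC 4861 sanity checks. The allow-listed router fe80::1, the prefix 2001:db8:1::/64 and the frames themselves are constructed assumptions.

```python
import ipaddress
import struct

# Assumed enterprise policy: the only router that should send RAs, and the
# only prefix it should advertise (both constructed for this example).
AUTHORISED_ROUTERS = {ipaddress.ip_address("fe80::1")}
AUTHORISED_PREFIXES = {ipaddress.ip_network("2001:db8:1::/64")}

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def build_ra(src, prefix, router_lifetime=1800):
    """Build a minimal IPv6 packet carrying an ICMPv6 RA with one Prefix
    Information option (RFC 4861 layout). Checksum is left zero: this is
    constructed test data, not a capture."""
    net = ipaddress.ip_network(prefix)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                         0xC0, 0xFFFFFFFF, 0xFFFFFFFF, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                       router_lifetime, 0, 0) + option
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
           + ipaddress.ip_address(src).packed
           + ipaddress.ip_address("ff02::1").packed)
    return ip6 + icmp


def parse_ra(frame):
    """Return the fields an auditor needs from an RA, or None for anything else."""
    if len(frame) < 40 or frame[0] >> 4 != 6 or frame[6] != ICMPV6:
        return None
    payload_len = struct.unpack("!H", frame[4:6])[0]
    icmp = frame[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            break                       # malformed option: stop, never loop forever
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            addr = ipaddress.ip_address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.ip_network(f"{addr}/{icmp[off + 2]}", strict=False))
        off += olen
    return {"src": ipaddress.ip_address(frame[8:24]), "hop_limit": frame[7],
            "router_lifetime": struct.unpack("!H", icmp[6:8])[0], "prefixes": prefixes}


def audit_ra(frame):
    """Return the policy and RFC 4861 violations found in one frame (empty = clean)."""
    ra = parse_ra(frame)
    if ra is None:
        return []
    findings = []
    if ra["src"] not in AUTHORISED_ROUTERS:
        findings.append(f"RA from unauthorised router {ra['src']}")
    if not ra["src"].is_link_local:
        findings.append(f"RA source {ra['src']} is not link-local (RFC 4861 requires it)")
    if ra["hop_limit"] != 255:
        findings.append("RA hop limit is not 255 (RFC 4861 requires 255)")
    for p in ra["prefixes"]:
        if p not in AUTHORISED_PREFIXES:
            findings.append(f"unexpected prefix {p} advertised by {ra['src']}")
    return findings


# Constructed two-frame "capture": the real router, then a rogue host.
CAPTURE = [
    build_ra("fe80::1", "2001:db8:1::/64"),
    build_ra("fe80::dead:beef", "2001:db8:bad::/64"),
]

if __name__ == "__main__":
    for frame in CAPTURE:
        print(audit_ra(frame) or ["ok"])
```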
DougMac

Re: Who does this really affect, its hard to tell....

> If you're using a forwarding server or caching server from your ISP (or 8.8.8.8 for Google's DNS server) then I'd expect it to work just fine and not break anything.

That's not right. If your ISP enabled DNSSEC resolvers, and their system doesn't follow the automatic KSK addition mechanism that is required for the 2017 KSK key roll, *all* their lookups will fail when the old 2011 KSK stops signing the responses from '.'

The client doesn't request DNSSEC (well, it could and check itself), but all the resolvers upstream need to be able to follow the KSK addition into their keystores via the proper method if they do DNSSEC resolving themselves (which most ISP servers do, unless your ISP is a small podunk one that doesn't follow current standards). All client lookups will fail if the ISP resolver is broken.

Since government users typically demand that, due to the standards they have to follow, most large ISPs have followed suit.

1
0
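As an added illustration of the "automatic KSK addition mechanism" the post refers to (RFC 5011 automatic trust anchor updates; example code, not from the original post): a toy resolver model that walks through the 2017 root KSK roll and shows why a validating resolver with a static trust anchor fails once responses are signed only by the new key. Key tags 19036 and 20326 are the real root KSK-2010 and KSK-2017 tags; the DNSKEY observations, signatures and timings are constructed and heavily simplified (no real DNSSEC validation happens here).

```python
from dataclasses import dataclass, field

DAY = 86400
HOLD_DOWN = 30 * DAY        # RFC 5011 add hold-down time
KSK_2010 = 19036            # real key tag of the 2010 root KSK
KSK_2017 = 20326            # real key tag of the 2017 root KSK


@dataclass
class RootKeys:
    """One observation of the root DNSKEY RRset (constructed, simplified)."""
    t: int                    # seconds since an arbitrary epoch
    published: set            # key tags present in the RRset
    signed_by: set            # key tags whose RRSIG covers the RRset
    revoked: set = field(default_factory=set)  # key tags carrying the REVOKE bit


@dataclass
class Resolver:
    anchors: dict             # key tag -> "valid" | "addpend" | "revoked"
    rfc5011: bool = True      # False = static trust anchor that is never updated
    first_seen: dict = field(default_factory=dict)

    def trusts(self, signed_by):
        """A response is accepted only if signed by a currently valid anchor."""
        return any(self.anchors.get(k) == "valid" for k in signed_by)

    def observe(self, keys):
        """Update anchors from a root DNSKEY RRset, following RFC 5011 rules."""
        if not self.rfc5011 or not self.trusts(keys.signed_by):
            return            # static resolver, or RRset not provably from the root
        for k in keys.published:
            if k in keys.revoked and self.anchors.get(k) == "valid":
                self.anchors[k] = "revoked"       # (real 5011 also needs self-signature)
            elif k not in self.anchors:
                self.anchors[k] = "addpend"       # start the hold-down timer
                self.first_seen[k] = keys.t
            elif self.anchors[k] == "addpend" and keys.t - self.first_seen[k] >= HOLD_DOWN:
                self.anchors[k] = "valid"         # hold-down expired: new anchor
        # a pending key that disappears before the hold-down expires is dropped
        for k in [k for k, s in self.anchors.items() if s == "addpend" and k not in keys.published]:
            del self.anchors[k]
            del self.first_seen[k]


def simulate_roll(rfc5011, days_between=31):
    """Walk one resolver through the roll; return whether it can still validate
    root responses once they are signed only by the new KSK."""
    r = Resolver(anchors={KSK_2010: "valid"}, rfc5011=rfc5011)
    both = {KSK_2010, KSK_2017}
    r.observe(RootKeys(t=0, published=both, signed_by={KSK_2010}))  # new KSK published
    r.observe(RootKeys(t=days_between * DAY, published=both, signed_by={KSK_2010}))
    r.observe(RootKeys(t=(days_between + 1) * DAY, published=both,
                       signed_by={KSK_2017}))                      # roll: new KSK signs
    return r.trusts({KSK_2017})


if __name__ == "__main__":
    print("RFC 5011 resolver :", simulate_roll(True))
    print("static anchor     :", simulate_roll(False))
    print("too-short hold-down:", simulate_roll(True, days_between=10))
```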

So. Should I upgrade to macOS High Sierra?

DougMac

Re: Backup server?

> Mac mini with an external tower... Seems perfectly reasonable to me.

FreeNAS mini would be an all-in-one. Works awesome for TimeMachine backups.

Or roll it out on your own hardware.

4
0
DougMac

> 2. I still have a 1tb TimeCrapsule, backs up the 3 macbooks no problem.

Wow, yours still works? I had all 4 of mine die on me.

Several got repaired under known issues. Others I didn't bother to fight them and replaced it with another solution, because Apple just doesn't care about anything released more than 6 months ago.

7
0

China to get its very own cut-price cut-down cut of vSphere

DougMac

Re: vmotion between versions

> When I upgraded 4.1 to 5.5 3 or 4 years ago I vmotioned VMs from hosts on 4.1 to hosts on 5.5. Sounds like what vmware is working on now?

That's always been a feature of VMware for upgrade paths. I've had VMs that most likely started out life on 4.1, went to 5.5, 6.0 and on to 6.5 on the same hardware without disruption. Just vmotion around the cluster as things went.

Most likely whatever was trying to be conveyed to the reporter got lost in translation, as there is nothing to "work on" for that feature, it has been a done deal for quite some time.

0
0

Red Hat banishes Btrfs from RHEL

DougMac

Re: People are still using btrfs?

> After the RAID5/6 issue which still isn't fixed a *year* later(!), people are still trusting their data to btrfs?

Umm, the RAID5 issue which isn't fixed correctly *since the beginning of the project*.

The devs have known of conditions which will corrupt RAID5 since the start, and while there was a promising bug fix a while ago, they then found it only fixed one of the bugs, but others are known.

The people doing btrfs have known about these issues for some time, and they never get properly fixed.

Most likely, that is why RH is dropping support for it.

4
0

If you love your email standards, SMTP your feet: 35 years later

DougMac

Re: user-whitelisting

>> 1) have an entire (sub)domain for yourself and set up a wildcard mailbox.

And then get hit by a dictionary spam attack and get a few thousand spam crap in your mailbox.

8
3

Marketing giant Marketo forgets to renew domain name. Hilarity ensues

DougMac

Re: Note to self

And the registered contact is a single person, long gone from the org, and nobody checks that mailbox. Nobody can figure out how to set up 'webmaster@' or something generic that everyone checks because it has to be that one guy doing it.

12
0

Solaris, Java have vulns that let users run riot

DougMac

> Hint - Android does not run Java.

Wha? Most Android Apps are written in Java, and the ADK has mostly Java interfaces, how does Android not run Java?

Perhaps you mean Java Applets which has long been a dead thing?

1
0

BOFH: That's right. Turn it off. Turn it on

DougMac

Re: The power of suggestion

Heaven help you if you have to teach a user how to type a tilde ~

Nobody knows what that is, while - has some passing familiarity.

20
0

Azure blues: Active Directory Connect has password reset vuln

DougMac

Well, duh

>When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts..

Because how to prevent that is missing in the docs altogether.

Microsoft tends to document sparsely, and only "ideal" setups, without telling you generally how to get to that "ideal" state. So generally only the Windows admins that are super-well versed/trained in the Microsoft way do things the way the Microsoft devs assume the rest of the world does, leaving everybody else floundering around.

0
0

Yes, this is our third Cisco story of the day. It's about 23 bugs you need to fix, stat

DougMac

Re: Wait - what?!

>> "Showing 1 - 50 of 2331"

For some reason, only going back the last 20 years, guess the first 13 or so years don't count, but still.

The first 60 vulns listed were released this month alone.

There isn't anything compelling for me to run Cisco anything any longer, just seems like a big world of hurt for doing anything with them. (from somebody that has done Cisco since the days of the Gold and White boxes and them being cisco without the capital).

1
0

WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers

DougMac

Re: More to the point

Chinese is not a homogeneous single language. Different idioms, sentence structure (and, not applicable here, vocal patterns) and vocabulary differ highly from area to area, region to region.

(not even counting the dozens of different regional dialects).

Most of this is much more relevant to the spoken language, since the written is the same. Most likely what they analyzed given the areas noted is probably the writing looks like it was written by somebody that speaks Cantonese. Totally different language than Mandarin, but still uses the same written characters.

0
0

It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

DougMac

Re: So much for

And why does an eBook need to open a web page?

0
0

Apple squashes cert-handling bug affecting macOS and iOS

DougMac

Why won't Apple backport security?

And of course, no recourse for MacOS 10.11 users (assuming they are affected as well).

No security updates are dropped for 10.11.

And the bugs in 10.12 still prevent me from using my normal workflow.

Progress.

2
2

'Clearance sale' shows Apple's iPad is over. It's done

DougMac

Re: Chrome in US

No, Chromebooks are popular in the Education market because they are cheap, disposable terminals into Google Docs (and to a lesser extent the spreadsheet and presentation modules), and using them as a "computer" is never done.

You could replace 'chromebook' with anything that could get a web interface to Google Docs and the schools would be happy. Replace Google Docs with anything collaborative text editing and they'd be good, but nobody else has a realistic replacement. Maybe if Apple actually made firm their iCloud collaborative editing years ago instead of offering some different weak beta only to be ripped out and replaced every few years..

Unlike in the far past (ie. when I was in school), "educational software" aka games that teach something are long gone and not used hardly at all in any curriculum for my kids. That seemed to be the main reason for the large banks of Apple II's in schools in the past, plus teaching programming and hardware hacking, etc of years past don't seem to exist. I remember having classes on basic programming on Commodore and Apple II's in school, and interfaced hardware to science experiments, but my kids have none of those options. (One went to summer school to have a class on 'Sketch' but that is about the only offering).

My kids use the iPads in school mostly as a treat for downtime for the teacher. All the promised educational full-on multi-media immersive textbooks never materialized. Nor are there any good educational apps that augment what the teachers are looking for. There are plenty of web apps that do that job so much better. Which of course usually means flash..

4
0

FreeNAS sheds storage skin, tries on sexier hyperconverged garb

DougMac

Re: In what way is this "hyperconverged"?

The Hype of Hyperconverged in the market today is that you do storage and virtualization at the same time on the same box so you don't have to buy storage and hypervisor separately.

Although for the life of me, I still haven't figured out why you'd really want to starve a storage system's resources by running a hypervisor on top of it. If you are SOHO, or a really tiny SMB, I can see not having the resources to run a real proper setup and getting away on the cheap, but even a tiny enterprise or mid-sized and up SMB is going to want to do things a bit more properly.

Previous FreeNAS systems did jails, and let you run VirtualBox inside a jail, which worked fairly well, but bhyve is really more a full on type 2 hypervisor.

3
0

Google Cloud to offer support as a service: Is accidental IT provider the new Microsoft?

DougMac

Re: If only

That's a bargain compared to AWS.

To get the same response rate there, you need to spend the greater of $15,000 a month or 10% of your monthly AWS usage up to the $150k/month tier (then you start getting discounts) in order to get the Enterprise AWS Support plan.

2
1

Video intercom firm Doorbird wants $80 for device password resets

DougMac

Re: Somewhat different...

And my bank (although perhaps not all), would require me to go to a branch, talk to a branch manager, show my ID, prove who I am, in order to reset my PIN or online password.

They don't charge, but you can't just do it over the phone or email or twit or whatever.

2
0

You're Donald Trump's sysadmin. You've got data leaks coming out the *ss. What to do

DougMac

They have zero imagination. I think the only thing they can think of is what they already do. eg. there must be voter fraud, because their own people are registered to vote in 3 states. They look for the apps that they themselves use.

Have they ever heard of actually talking on the phone? Speaking in code? USB sticks? (Snowden got all his info out on USB sticks), burner phones?

The movie 'No Way Out' seems apropos here. But maybe they should actually watch Mr. Robot to learn some basics.

2
0

Team Trump snubs Big Internet oligarchs

DougMac

Reaganomics, here we go again.

How much deeper can we go into debt as a country, while lining the pockets of the 1%?

And the populist crowds handed it all to the 1%.

10
3

Lenovo: If you value your server, block Microsoft's November security update

DougMac

Re: Go ahead

> I don't know about Lync, but can you let me know how to stop Windows Servers from needing a reboot every month or from being the biggest target of malware?

How can we stop Linux from needing a reboot every two weeks due to kernel issues?

USN-3147-1: Linux kernel vulnerabilities - 30th November 2016

USN-3126-1: Linux kernel vulnerabilities - 11th November 2016

USN-3107-1: Linux kernel vulnerability - 19th October 2016

USN-3099-1: Linux kernel vulnerabilities - 11th October 2016

USN-3084-1: Linux kernel vulnerabilities - 19th September 2016

USN-3072-1: Linux kernel vulnerabilities - 29th August 2016

USN-3055-1: Linux kernel vulnerabilities - 10th August 2016

USN-3035-1: Linux kernel vulnerability - 14th July 2016

Every OS needs patches. You can elect not to patch any system, but standing up Linux as not needing patches and Windows does is pretty absurd.

16
4

VMware flings vCenter Server away from Windows, if you want

DougMac

Re: Update Manager

Or do host updates from the command line. So much quicker and easier than running VUM.

1
0

Let's Encrypt ups rate limits

DougMac

certbot really makes automatic updates simple.

2
0

Seagate defrags 14% of workforce: 6,500 axed

DougMac

Quality went to crap

It couldn't be because Seagate decided to cheap out on everything, and make crappy drives that have the highest failure rate in the industry by far, such that they are banned from my datacenter?

Storage vendors noticed too, all replacements I get in are *never* Seagate drives, replacing the failed Seagate disks by the dozens.

8
0

Tivo's new owner ponders binning its own boxes

DougMac

Re: As usual

You could look back to DirecTV's reboot of their TiVo box offering after they had dropped it for some time in lieu of their own boxes. The TiVo option was never advertised or pushed, the installer that came out was unfamiliar with it, I was the only one that insisted on getting one and he never had done any others.

The box itself was brand new, but yet ran the many years previous TiVo software, with all the interesting services (ie. multi-room viewing) stripped out.

still-birth on delivery.

1
0

Hmmm, where should I dump those unencrypted password files? I know - OneDrive

DougMac

Re: BS!

Because some industries have regulations that require such things for servers and such, and the IT crowd likes it enough to extend it enterprise wide?

I've seen plenty of reports of scans of this nature.

1
0

VMware flushes Windows vSphere client and Adobe Flash

DougMac

Re: Hosts?

They already did a fling for an HTML 5 host interface for ESXi that is more functional than C# vSphere client direct to host ever was.

It already ships in ESXi 6.0U2 and most likely isn't leaving.

I think with its success and after finding how rapidly they can code with modern web setups instead of old legacy junk, they feel they can make the timetable countdown to VMworld work to ship a finished product (or at least announce and ship 60-90 days later, which has been their typical timetable the last 2-3 times).

2
1

Vivaldi Jon: Mobile – yes. Feeds and an ad blocker… probably not

DougMac

Re: Until they find a way to approve exceptions to cert errors

I've got plenty of internal appliances that wouldn't work with LetsEncrypt. They aren't going to handle internal only domains either?

But I'd agree with putting proper certs on, with an Enterprise CA, and pushing out your trusted roots properly.

Don't get in the habit of clicking through errors all the time, you'll miss the time when you really needed to pay attention to that bad one.

3
0

SSL's DROWN not as bad as Heartbleed, still a security ship wreck

DougMac

Re: Is TLS vulnerable or not?

>> Solution: don't enable SSLv2, OpenSSL is helping you with this by switching it off in a default build

DROWN is worse than that. Unless your software is specifically configured to block SSLv2 ciphers, a bug in OpenSRS (up until the versions released a few days ago) will let the client still select SSLv2 ciphers and commence the attack.

So, just disabling SSLv2 isn't good enough. Your software needs to be configured to specifically reject all SSLv2 ciphers as well. (or patched within the last few days).

0
0

D&D geeks were right – their old rule books ARE worth something now

DougMac

Re: You what??

Sort of like Audubon was a massive hunter as well? He hunted and killed all his own birds at first in order to paint them, but then had to hire hunters to go out and get him a whole new brace every time he started up.

"I call birds few when I shoot less than one hundred per day."

0
0

VMware, Xen issue urgent patches

DougMac

Re: as a happy vmware customer for 16 years

Although if you have windows vCenter, you already have Orchestrator pre-installed.

It just isn't enabled to run by default.

Imagine if it was though, and just because you didn't use it, doesn't mean it isn't there ready to cause a security problem..

0
0

Adobe: We locked our customers in the cloud and out poured money

DougMac

Helps the bottom line when they also take away all discounts

Prior to this year, it was fairly regular to have heavily discounted renew costs all the time.

This year they supposedly implemented a plan to never offer discounts again.

About that renewal you only paid half for last year. Yeah, it's full price this year. So sorry your budget is blown out of the water.

1
0

Free HTTPS certs for all – Let's Encrypt opens doors to world+dog

DougMac

It is possible to run Exchange with 4 separate certs, instead of one cert with 3 SANs. You just have to make sure to load all certs and assign each cert to its own proper function. So much more work, but should be scriptable in ps.

Although I don't know Let's Encrypt's schedule for a Windows client, I'm sure it is being worked on.

0
0

Rackspace looks to have bypassed vCloud Director upgrade

DougMac

VMware is purposely pushing partners away from vCD GUI..

VMware has publicly stated that vCD GUI is frozen and are well aware that it is barely functional.

Their main efforts with vCD is providing an API around the core functions of it, and all new features will be API only features.

They actively push partners to either write their own GUI around vCD APIs, or to AirVM or OnApp to provide a GUI.

VMware has no further interest in making vCD GUI work, as its biggest sin right now is a dependence on Flash & the deprecated NPAPI browser plugin framework. Chrome has disabled NPAPI in its current builds (it can be enabled to make vCD GUI work) but will rip it out totally in the very near future, and Chrome will also be making Flash a click-to-run feature, which means vCD GUI won't be functional in Chrome at all without clicking to run, and even then you won't be able to upload/download OVAs or ISOs at all in any fashion without switching to a different browser (certainly not Edge either). I believe Firefox has NPAPI plugins disabled by default now too, although I don't know its schedule to fully rip out NPAPI at this time, so that is out as well.

0
0

VMware flings out preview of new web management interface

DougMac

No, doesn't work with ESXi free license.

Since everything VMWare is API driven, when the APIs are turned off due to the license, those things won't work no matter what client pokes at them.

0
0
DougMac

FWIW: you can run vSphere Web Client 6.0 without NPAPI in Chrome, and use the HTML console to interact with the console screen. The big hangup is when you try to upload (or download) files into datastore, where you'll find things won't work at all. They also have the VMRC console, but on the Mac at least, that is a bit rough, but a bit more functional than the HTML5 console in 6.0

The most promising job for this fling is to control the host when vCenter is down (ie. to bring vCenter back up if you don't have a totally separate management cluster) without having to fall back to vSphere Thick Client. It is also lightweight, only 2M! Quite a different direction than the VMWare Host Client that only existed in the first 6.0 Beta.

I think it is also a proof of concept that they don't need to use Flash and NPAPI to get the job done, hopefully pushing the vSphere Web Client team that direction before it's too late and Flash and NPAPI are both banished from all browsers.

0
0

Why are there so many Windows Server 2003 stragglers?

DougMac

early ASP vastly different now

The main 2003 boxes we still run are because customers can't/won't upgrade their ancient ASP websites that depend on things that either no longer exist, or can't run on newer OS's.

They already know they are being cast to the wind to be hacked/folded and mutilated when 2003 comes end-of-maintenance, but many choose not to care.

Perhaps if Microsoft made an actual upgrade path instead of just putting the latest shiny out, and expect all their developers to jump to the new shiny and recode everything in the process, things could have been migrated and workable. But Microsoft has no care or desire to admit to past mistakes, it just gets swept under the carpet and leaves behind a certain set of apps/users that don't retool every two years per Microsoft's schedule.

1
0

MS Azure Stack. It's like Azure Pack but with even more cloudiness

DougMac

Although Hyper-V Server comes with no Virtualization License rights, so it is only really useful if you want to virtualize an open source OS, as otherwise you'd have to license every copy of Windows you'd virtualize on it, and Microsoft doesn't make it easy or cheap to license individual OSEs on a cluster. OTOH, Datacenter comes with unlimited Virtualization License rights, but costs quite a bit more; if you do any significant Windows virtualization, it really becomes cost effective quite quickly.

2
0

4K refresh sees Blu-ray climb to 100GB, again

DougMac

Why?

Why have a nicely formatted paper book? Just a loose collection of dirty photocopy will do.

Why the expensive booze? This knock off brand is good enough.

19
0

Man trousers $15,000 domain name for $10.99 amid registry cockup

DougMac

Market value for domain

So what would the market value for a fluffed up useless new gTLD domain be?

$10?

One of the many 10000's of new domains people are hoping are worth more than pocket change in a year.

2
0

Cisco patches three-year-old remote code-execution hole

DougMac

Re: Encrypted Telnet?

Since about the year 2000, with RFC 2946.

*BSD are mainly the only ones that implemented it.

0
0

vSphere meets iCylinder in new VMware update

DougMac

Re: you can only virtualise OS X on Mac hardware

No trick required, this is a fully supported configuration.

Although Apple's bizarre licensing also says you can only run two virtualized instances of OS X on said hardware as well, which makes the MacPro a real expensive platform to virtualize if one would be following such licensing restrictions.

0
0

Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7

DougMac

Oracle just made sure to sift out anybody that wasn't willing to pay them billions and billions of $$.

Those that are still *heavily* invested in Solaris are still going strong on SPARC/Solaris, they just weeded out the small to mid-sized shops that weren't the kind to give Oracle billions of $$.

1
0

It's time for PGP to die, says ... no, not the NSA – a US crypto prof

DougMac

It isn't PGP that sucks..

But key management sucks.

Normal users totally don't get it, don't want to know, and don't want to think about it.

Unfortunately, they need to know and think about key management to make it work effectively.

The actual mechanics of PGP/GPG in email client integration is fairly simple, but man, having users type a passphrase, or making sure they are using the right key is a total nightmare.

0
0

Help. Mailing blacklists...

DougMac

Fixes

As others have said.

Absolute first step is to make sure it isn't happening still.

Almost *all* current used blacklists are age based, and older entries expire out over time.

If you keep leaking SPAM, you keep getting listed.

Second, as I said, almost all blacklists are age based, and you may just have to wait it out. Ie. Comcast, Yahoo run their own private ones that just take time to age out. Many of the large ones have a try to get out of jail page, but it doesn't do much. Timing out is most likely the answer.

Besides Spamhaus (which takes an extraordinary level of SPAM and non-response to get on), most "public" RBL lists aren't used all that widely. Most of the large email providers run their own private ones based on rate of sending of the server, and repudiation, and age out older entries.

That said, you could try to make sure you aren't listed on the remaining few public ones that might actually get use. Ie.

http://mxtoolbox.com/blacklists.aspx

lets you check many at once. About the only ones left on this list I see in use are UCEPROTECT and Barracuda.

But, almost anybody that is interesting you want to send to run their own private ones, and really, you may just have to wait for your bad entries to age out, and go on.

As you said, you'll want to implement your own rate limiting for sending (can't help you with that setup), although some of the large providers do have excellent heuristics and will be able to clamp down on your server with just a few hundred of SPAM leaking. If you run a mail server, you probably need to have monitoring and alerting enabled for any events outside of normal, so you can catch things as quickly as possible, so you can start the age-out timing process the quickest.

0
0

Biting the hand that feeds IT © 1998–2017