Posts by PhilPotter

7 publicly visible posts • joined 24 Apr 2014

Misco UK chops majority of workforce, pulls down shutters

PhilPotter

Feel sorry for workforce

Our account manager Phil at Misco was a nice chap, always responded promptly and helped us out as well. Very efficient, and I feel sad that he and 300 others are out of a job personally :-( I loved the fact I could send him a list of stuff and he would go and source it for me - some of it fairly obscure too. I wish them the best of luck in finding new positions.

Linux kernel community tries to castrate GPL copyright troll

PhilPotter

Re: Non-GPL feature

You are correct that technically speaking, system calls etc. are a form of dynamic linking, in that any user space software must call upon the kernel (directly or otherwise) for certain services.

That said, I'm sure it is mentioned in the kernel sources that any software that communicates purely via the system call layer (and not by using proprietary modules or similar methods) is not considered a derived work, and therefore is not required to be covered by the same license as the kernel. This is how Android gets away with being mostly Apache 2.0 for example.

ZFS comes to Debian, thanks to licensing workaround

PhilPotter

Legality

GPL2 only covers distribution, not usage. This means it is perfectly legal to download the source of ZFS, and the Linux kernel, and compile them together for use on your machine. It would only become illegal if you were to then distribute the resulting binary work - and even then only if the ZFS kernel module could be judged to be a 'derivative work' of the kernel under copyright law (very much an open question at this point, as it was originally implemented on the Solaris kernel).

Windows' authentication 'flaw' exposed in detail

PhilPotter

Not as bad as it sounds surely?

If I'm reading the linked blog post correctly, this isn't as bad as it sounds surely? To get the krbtgt account password, you need admin level access to a DC, remotely or otherwise. Also, to read cached tickets of other users on the same machine, you need admin level access again - local machine or otherwise.

Whilst a problem admittedly, in a network where there are only one or two admins anyway, then as long as their accounts are not compromised, this attack can't happen. Am I right?

Slow IPv6 adoption is a GOOD THING as IETF plans privacy boost

PhilPotter

Re: What IPV6 really needs

You are way off the bat here (sorry but it's true). NAT and firewalling are not the same thing, and a lot of people just genuinely don't seem to get this. The lack of encouraged/standardised NAT in IPv6 doesn't suddenly mean firewalls suddenly stop working.

You would not need to go around to each machine on your local network segment and set individual firewall rules up (although depending on OS a lot are on by default now) any more than you would on IPv4 - the traffic still comes into your network via a router, and this is still where the firewall action happens. The only difference is that with v4 your local IP addresses are all non-routable and translated into one or more public IPs at this point too - this is not a security feature, it was designed so everyone could use the same address range at home, thus negating the need to hand out public IPs for every device and exhaust them even faster.

IPv6 devices being publicly routable does not suddenly mean anyone can log into them/ping them/whatever else, when a proper firewall is in place. Firewall != NAT.

DeSENSORtised: Why the 'Internet of Things' will FAIL without IPv6

PhilPotter

Re: To be perfectly frank...

In regards to local addresses, typically the ISP will give you a /64 block, which is around 18,446,744,073,709,551,615 addresses not taking into account the non-usable ones. This is handed out dynamically by your local router using either stateless addressing or DHCPv6 - neither of which involves the ISP. DNS typically uses the ISP's servers, and this is doled out automatically via RDNSS or DHCPv6 again. Most firewall configs would be quite simple - block everything incoming except related packets, and work from there - basically having the same effect as a NAT. Different yes, but people would get the hang of it.

PhilPotter

Re: Bridging IPv4 to IPv6

Facebook, Google, and countless others already offer native IPv6 to their services and have done for some time. I use them daily on AAISP without issue. For that matter, dual stack can and does work seamlessly if set up correctly.

Thinking in hex is not that difficult - if someone is bright enough to do subnet/netmask calculations with IPv4 then IPv6 will come fairly easily to them. Other than concepts like link-local addresses, the different packet structure, and no NAT, they are administered in virtually the same way from an end-user premises perspective - firewalling being part of any solution. My network has been native dual-stack for a good six months now, and had tunnelled v6 before that - the big boys like BT need to stop dragging their heels.

The biggest misconception I see is that publicly routable addresses are somehow wide open without NAT. The packets still have to pass through your router, and are therefore still subject to firewall rules. IPv6 is coming sooner or later, whether they like it or not. Might as well be ready :-)
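
The router-level policy these posts describe (drop everything inbound except packets related to connections opened from inside), written as an nftables ruleset. This is an added example, not part of the original posts; the table name and the interface names `wan0` (ISP side) and `lan0` (home network) are assumptions, as is the ISP delegating the prefix over DHCPv6.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering on a home router, no NAT involved.
# Assumed names: wan0 = ISP-facing interface, lan0 = LAN interface.

table ip6 edge_filter {
    # Traffic routed THROUGH the router, i.e. to and from the
    # globally routable addresses of the LAN hosts.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections LAN hosts opened, plus ICMPv6 errors
        # tied to them (e.g. packet-too-big, needed for path MTU discovery).
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outbound.
        iifname "lan0" oifname "wan0" ct state new accept

        # Anything else, including unsolicited inbound connections to a
        # LAN host's public address, falls through to "policy drop".
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router solicit/advert messages:
        # IPv6 does not function on a link without them.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept

        # DHCPv6 client replies from the ISP's link-local address
        # (assumption: the ISP hands out the prefix via DHCPv6).
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # LAN hosts may reach the router (DNS, DHCPv6, admin UI).
        iifname "lan0" accept
    }
}
```

The `forward` chain is the part that gives the "same effect as a NAT" for inbound traffic: the only way a packet from `wan0` reaches a LAN host is by matching an existing connection-tracking entry.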