* Posts by JEF_UK

26 posts • joined 1 Sep 2015

Windows 10 Pro Anniversary Update tweaked to stop you disabling app promos

JEF_UK

Feel Smug in...

Oh; I'm All ready smug!

Told you so.

:p

My Gaming PC stayed on 7.

I bet the ability to turn off CEIP will be next to go.

Sick of storage vendors? Me too. Let's build the darn stuff ourselves

JEF_UK

Re: No one said it was easy but...

So the VM host process can write to two SANS simultaneously? That would be a cool feature and simplify things.

A quick google finds this for VMware:

https://www.vmware.com/pdf/esx_san_cfg_technote.pdf

page 13

"Mirroring

Protection against LUN failure allows applications to survive storage access faults. Mirroring can accomplish that protection. Mirroring designates a second non‐addressable LUN that captures all write operations to the primary LUN. Mirroring provides fault tolerance at the LUN level. LUN mirroring can be implemented at the server, SAN switch, or storage array level."

Everyday is a school day

JEF_UK

No one said it was easy but...

ZFS depends on how you arrange the disks and what your use case is. A single process writing tiny files to a good disk subsystem with good amounts of RAM and a sensible application of compression(yes/no) or de-dupe(yes/no) will suck.

Give it a different task with multiple processes and large reads/Writes and it can shine as It can then leverage all the spindles and break down the writes in to segments and span them.

Its too easy to think "I'll add de-dupe, compression and an L2ARC to make it faster" when in reality you don't have the RAM to store the de-dupe or the meta data. That results in limiting the RAM to not caching but to holding the map for the SSD/de-dupe.

Re article:

About 3 years ago I built a Debian+ZFS+SCST SAN and export LUNS over fibre channel to my VM host and desktop and iSCSI for my living room PVR. All for home.

I've considered a few HA versions of it for it's replacement.

I would need to set-up replication of the files system below SCST and be able to "shoot the other node in the head" I could use CEPH for the replication between nodes with direct infini-band connections.

Then one node would be the primary and one a slave. Using NPIV on the switch to hide this from the clients.

At home I would probably not to duplicate all my disks so would use a shelf with two controllers connected to both fie system heads and import with the F (force) command if a node when down.

As for backup I have another HP micro server with big disks that runs Bacula but to backup the data on my VMs not the SAN.

To do this commercial ask your self.

1. Am I trying to save money?

____To do this well will require good kit and more than one.

2. How long can a recovery of a file system node take/ what is my down time limit.

____Build your solution around this time limit. 0 down time can be done but only with sufficient replicas. Have spares. Use good resilient hardware (dual PSUs hot swap fans) Keep spares. Have a care agreement. That all will impact 1.

Britain is sending a huge nuclear waste shipment to America. Why?

JEF_UK

Probably the most polarizing thing ever.

I think the Government should pay for run/operate and maintain/decommission nuclear sites.

Keep the lights on and use up the plutonium/ H.E.U.

Nvidia's Tesla P100 has 15 billion transistors, 21TFLOPS

JEF_UK

Re: how big a psu would one of these need?

Tesla product line is like a quadro with no display output, for the data center.

The Titan is a big geforce, for gaming.

Expect power envelopes to be similar to the last generation, HBM saves power. That means more can be dissipated by the GPU/Core.

I'm Hopping for some Geforce pascal news

edit: apparently the TDP is 300W for the P100

Windows 7's grip on the enterprise desktop is loosening

JEF_UK

El Reg stats

Can El Reg show us the statistics of the devices that visit you? I expect we are a divers bunch. It would be interesting.

X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

JEF_UK

IPMI/Lights-Out + UPNP??

A large number of these are IPMI type devices I think, When combined with a UPNP router I think they are opening ports.

Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug

JEF_UK

Re: About that name thing.

You missed Apples release yesterday?

How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest

JEF_UK

Tip of the Ice burg

There are also a host of other updates that worry me, which introduce some extra telemetry points. Of course in a business with group policy the telemetry/CIEP can be disabled but I've skipped the updates.Then I'm not sure if its the patches mentions or others that create additional scheduled "phone home" tasks.

Personally I don’t like any of that.

Amazon crafts two more voice-controlled gizmos in its Echo chamber

JEF_UK

Creepy Tech

I kind of think any "thing" that’s listening to me is creepy....

Unrelated

I have at home some OM2Ps; they are cloud managed Wi-Fi and are OK enough. They have creepy also, they VPN back to base so they can be fixed.

They run on a separate VLAN, with the TV and Blue-ray, and ALCs prohibit them communicating with my desktops etc.

CREEPY....

Baby Ubuntus toddle forth into the big scary world of beta

JEF_UK

I’ve found the Intel wireless in my vostro 1500 (aka old) works fine with Intel's firmware added.

Nvidia legacy driver was needed to support my GPU. I did not realise that first time and installed the new one, GRR.

Since I came to Debian from Servers with no GUI I was not hard to grep the faulting module, apt-get purge it and then get the correct one.

I'm going to say I was quite impressed with how much worked on my laptop out the box. Yes OK it's old.

My HP Pro 400 was easy to add, juts add the IP to the printer software and select driver from the list. Yes OK its an expensive printer and works well.

What bugs me? CPU power management and scaling.

Its a PITA to set up and you cannot do it with out being technical.

Institute of Directors: Make broadband speeds 1000x faster than today's puny 2020 target

JEF_UK

No

DDR 266 for example know as 2100

"Mhz" 266 x 8 byte = 2128 MB/s

You need to multiply by 64 bits to get Bit rate (speed) in Bits

266 x 64 = 17024 Mbits aka 17 Gb/s

Reminder: How to get a grip on your files, data that Windows 10 phones home to Microsoft

JEF_UK
Big Brother

Re: Windows 7 now just as bad!

I'm on 172.16.18.0/24, 172.16.28.0/24 and 172.16.38.0/24 I'm just monitoring your 10.10.3.0/24 :P

JEF_UK

Windows 7 now just as bad!

Un-used, idle Windows 7 with all new telemetry talks back 4 times per hour.

NOT F**** ACCEPTABLE!

Snort Logs following some of the vortex and settings IPs

Date Pri Proto Class Source SPort Destination DPort SID Description

02/24/16

10:41:45 2 TCP Potentially Bad Traffic 10.10.3.1 5969 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

10:41:42 2 TCP Potentially Bad Traffic 10.10.3.1 5968 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

10:11:39 2 TCP Potentially Bad Traffic 10.10.3.1 5964 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

10:11:36 2 TCP Potentially Bad Traffic 10.10.3.1 5963 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

09:26:44 2 TCP Potentially Bad Traffic 10.10.3.1 5934 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

09:26:41 2 TCP Potentially Bad Traffic 10.10.3.1 5933 65.55.44.109 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

08:41:43 2 TCP Potentially Bad Traffic 10.10.3.1 5674 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

08:41:41 2 TCP Potentially Bad Traffic 10.10.3.1 5673 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

08:11:43 2 TCP Potentially Bad Traffic 10.10.3.1 5634 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

SNIP

02:11:37 2 TCP Potentially Bad Traffic 10.10.3.1 5471 65.55.44.109 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

01:41:34 2 TCP Potentially Bad Traffic 10.10.3.1 5280 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

01:41:32 2 TCP Potentially Bad Traffic 10.10.3.1 5279 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted

02/24/16

00:56:39 2 TCP Potentially Bad Traffic 10.10.3.1 5209 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted

Patch ASAP: Tons of Linux apps can be hijacked by evil DNS servers, man-in-the-middle miscreants

JEF_UK

Question:

Question:

Can vulnerable systems which query a patched system by exploited remotely?

https://www.debian.org/security/2016/dsa-3481

"While it is only necessary to ensure that all processes are not using the old glibc anymore, it is recommended to reboot the machines after applying the security upgrade."

I don't want to reboot one system just yet.

US government's $6bn super firewall doesn't even monitor web traffic

JEF_UK
WTF?

SNORT?

Isn't there a CAPEX rule that says

"Is there a COTS solution?"

Hasn't this been done?

I mean; "Really" done?

I mean; Have I been hallucinating?

Perhaps this http://archive.oreilly.com/pub/h/1393 page does not exist and I've not made my own rules?

It's a bit harder to have a good fully working SSL bump to get all HTML but really just buy some pfSense boxes and be done with it.

Pay for the support too. They will need it.

still have change for a Mars base...

It's 50/50 FAIL/WTF

How to help a user who can't find the Start button or the keyboard?

JEF_UK

Clue-less

I've had similar calls at my last job which usually started with me yelling at my "team" to answer the F-ing phones, I pick up the phone and deal with an irate customer, in one extreme case about there "internet" not working on the PC but OK on "eye-patch".

I ask why they are calling from a mobile, with bad signal....

Turns out the ipad has 3G and they canceled there phone line.

There is no excuse for being this utterly clueless in 2015.

No escape: Microsoft injects 'Get Windows 10' nagware into biz PCs

JEF_UK

"number of lookup"

1 day.

It varies by about 5 each way

JEF_UK

I'm monitoring a patched win 7 machine in my malware environment.

This is windows 7 not 10, is not being used; Just sitting idle.

Domain name--------------------------number of lookup

settings-win.data.microsoft.com ______ 76

vortex-win.data.microsoft.com ________62

telecommand.telemetry.microsoft.com __ 4

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

Facebook wants a kinder, gentler end for SHA-1

JEF_UK

Poodle-like down-grade attack?

Poodle-like down-grade attack?

Could this approach allow for a MITM to "interfere"* with the HTTP header and pretend to be a lesser browser?

Force the client to a less secure encryption that could be broken?

* ala I.P. bill

Cryptowall 4.0: Update makes world's worst ransomware worse still

JEF_UK

Backups? Check them!

Where I worked I saw similar/v3? on two networks at companies. ( + many home users)

Any suspect PC was formatted server in to ours ( in same town.) blast away "Data" partition;

Restore backup; Server back on site at 8 am next day.

I get paid and paid again to implement what I had advised.

Some one will say "you cant take a server out how can anyone work!"

Eh.... no one could work?

One company had not had any backup 2 months prior when i started their IT support.They swapped the USB disk... both were dead.

How do you prevent this? Policies!

I'm blocking PE files at the perimeter to most desktops. I'm SSL bumping EXCLUDING the bank(s) used. scanning all with inline AV. Email goes through "cloud" spam/virus service, on box AV before getting to an exchange server with suitable AV and policy's. User gets a email (normally they don't understand) and call up

"You revived an attachment from 'blod@place.com' the attachment was rejected, they have been contacted automatically but you are advised to contact this person.

The original email is attached."

Email servers can exclude zip and EVERY vector I'v seen has been in a zip. Yeah its a bit of a pain what IS worse?

Also only PCs I have seen any crypto ransom-ware on run "not an AV" MSE. That's a swear word.

Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands

JEF_UK
Black Helicopters

DNS Encryption / Won't someone think of the children / My own logs

Withdrawn and reposted because grammar is the difference between knowing your shit and knowing you're shit!

If you encrypt DNS (DNSCrypt) but don't VPN "they" can still log IP source and destination running through the {compromised} network.

As a result you visit a website called 'totally-nice-nothing-bad-here.net' to look nice pictures of spring; or do something agreeable capitalist; which is hosted on the same server/IP as 'dirty-goat-fielder.xxx'.

They log the IP and arrest you?

But OpenDNS/Cisco will cooperate with the authorities and get you off?

Or you're a nasty young-goat-fiddler and deserve it?

Personaly

I'm not sure I care but I'm going to dam make sure I can keep my own logs.

I'm already blocking lots of junk by sink-holing DNS on my own server.

I'm already running SSL_Bump interception and proxy; Snort with IDS/IPS Capabilities and ICAP/AV

I'm already able to log all DNS requests.

Now I need to ensure I can prove logs are not doctored. ZFS and snap shots? I've 24 TB

Windows 10 growth stalls during October

JEF_UK
Trollface

stats :(

Having Sink-Holed DNS and Fire-Walled most tracking junk on the internet at the perimeter I don't show on their statistics (lies for short) I would expect many other techies know more than me.

(real) Techies use Linux

Therefore Linux usage is in fact much higher than all windows combined.

posting from a Windows 7 PC

AdBlock blocker biz bought

JEF_UK

I paid for AB!

I paid for Add Block, I've oped out of acceptable.

I have a 30GB limit on my joke "broadband"( 2Mbs^-1) so I'm intolerant of junk. Even here and your probably one of the places I might consider white-listing.

I've been building up DNS list for the things that got through AB for a while, Been using OpenDNS (now Cisco ( ugh?* ) for years as I expect most of you use the reliable 8.8.8.8 for more than just a ping test...

https://xkcd.com/1361/

*as the ugh implies it may be time to look and see if the openNIC DNS servers can do what I want https://www.opennicproject.org/ I.E. Block things at the DNS level.

Alternative is to create my own. I've ran a DNS server for <2000 domains as part of our Linux hosting.

Create zone&entry in zones.master for DNS record/zone I want to block and point it at a blocked message page so I don't have to wait for time outs.

Then use root hints for anything 'I'm not_"Authoritative" ;)' for.

Next when they are wise to that I guess we start to see add servers lined by IP, then I have to use either routes or ACLs and wait for the time outs.

Microsoft backports data slurp to Windows 7 and 8 via patches

JEF_UK

This is frankly unacceptable.

Put Linux on the laptop at the weekend. Previously just on servers...

Off to turn off all auto approval on my WSUS.

Thanks for increasing my work MS.

Biting the hand that feeds IT © 1998–2019