Yes, all those Windows supercomputers in the Top500 sure are impressive!
31 posts • joined 11 Feb 2016
Microsoft reveals terrible trio of bugs that knocked out Azure, Office 362.5 multi-factor auth logins for 14 hours
Just get a 10 tonne or higher hydraulic press from a DIY/Car repair retailer. Much cheaper and essentially the same thing. Manual 10 tonne presses are probably $300-400.
They will easily crack the cases of any drive, bend the platters to hell and strip the hub from the middle. With glass platters you get a satisfying crunch and tinkle as they shatter!
@Charles9 One of the commentards was talking about a Home/SOHO router. You have to assume in this case that most devices behind it will be trying to talk to something on the outside (looking for updates, phoning home, checking for mail/tweets etc). And if nothing is connecting in or out you'd not really need any NAT anyway!
Thanks for your support Chronos. Unfortunately it seems stating facts is not a way to popularity. Perhaps it was the wording "with no NAT", which I should have phrased as "no requirement for NAT".
Having end-to-end addressing is also vastly more convenient for difficult protocols like SIP/RTP, IPSec, FTP and so on, without having to work around endless brain-dead ALGs and helpers that never work properly.
With /horrible/ things like UPnP on consumer routers (which more often than not implement it and other things badly or incorrectly), it's not NAT that really provides the security, it's the firewall (which on every consumer router I've seen in the last decade is turned on by default).
And just to reiterate, at no point did I claim that NAT is not possible with IPv6. It's just not necessary.
NAT is *not* a security feature! Firewall policies and rules are applicable to IPv6 in the same way as IPv4. Eg in shorewall, a policy for a simple two-interface firewall looks like:
#SOURCE  #DEST  #POLICY  #LOG LEVEL
int      net    ACCEPT
fw       net    ACCEPT
all      all    DROP     info
works equally well for both - accept outbound connections from the internal network and the firewall, drop and log everything else. It's really not that complicated, and with no NAT way more flexible (no more port-forwarding!)
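As an added illustration (not from the post above), this parses the policy quoted above and applies shorewall's first-match semantics, with `all` matching any zone. The interface-to-zone mapping and the sample addresses are constructed assumptions; the point it shows is that the decision depends only on zones, so the same three lines give identical results for IPv4 and IPv6 connections.

```python
import ipaddress

# The policy from the post, embedded as a constructed in-memory file.
POLICY_TEXT = """\
#SOURCE  #DEST  #POLICY  #LOG LEVEL
int      net    ACCEPT
fw       net    ACCEPT
all      all    DROP     info
"""

# Assumed two-interface layout: eth0 faces the internet, eth1 the LAN.
IFACE_ZONE = {"eth0": "net", "eth1": "int"}


def parse_policy(text):
    """Return [(source, dest, policy, log_level)] in file order.

    Lines are read after stripping '#' comments; a missing or '-' log
    level becomes None. Order matters because the first match wins.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, pol = fields[:3]
        log = fields[3] if len(fields) > 3 and fields[3] != "-" else None
        rules.append((src, dst, pol.upper(), log))
    return rules


def zone_of(iface):
    """Map an interface to its zone; None means the firewall box itself."""
    return "fw" if iface is None else IFACE_ZONE[iface]


def evaluate(rules, src_zone, dst_zone):
    """First matching policy wins; 'all' is a wildcard for either column."""
    for src, dst, pol, log in rules:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return pol, log
    raise LookupError("no policy matched (the 'all all' line is the catch-all)")


def decide(rules, in_iface, out_iface, src_ip):
    """Decide a new connection. The address family is recorded only to
    show that it plays no part in the zone-based decision."""
    family = ipaddress.ip_address(src_ip).version
    pol, log = evaluate(rules, zone_of(in_iface), zone_of(out_iface))
    return {"family": family, "policy": pol, "log": log}
```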
Re: obvious solution ...
The closest you could probably get is a set of separate VLANs for medical devices with NAC and a heavily locked down layer 2 firewall. Given that WannaCry by all accounts only affected admin functions this may already be the case. However you still have to protect the admin network otherwise patients don't get their ops/scans etc.
It seems like it was the admin net that was the source and the major victim in this case - and that matches the experience when my SO had a serious illness - the medical side was fine, but the admin was so woeful and creaky at the hospital where she was diagnosed (to the extent that they had to *fax* critical docs between departments on the same site, and managed to lose her entire case history) that we demanded she was moved to another (UCH) which was vastly better.
NHS has amazing staff and medical expertise but the inconsistency of admin procedures, tools and more importantly investment across the estate seems to be the major breaking point.
Re: DrayTek routers are considered high end in the UK
They suck far, far less than Zyxel. Or Netgear. The same features on Cisco you'd pay £600+. Only D-Link seems to come close in this price range.
I think most of the problem is a complex interface but most competent admins (who understand SIP especially) can negotiate it. Have one in my work basement that uses a VoIP account over an IPSEC VPN logged into our PBX. The only time it's not worked is when the bloody BMS management people have unplugged it.
IMHO they are really good for SIP but you need to know what you are doing to get them to work.
The Zyxels we had that preceded these would drop ADSL, VPN, or VoIP maybe 3-4 times a week. Draytek maybe once a month, and always sync/line issues.
"stopping inbound and outbound SMB connections at the network border by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp."
Pretty much any home ISP connection will block those anyway. Any corporate that's allowing those ports freely out to (or worse, in from) the general internet needs a serious clue-by-four application. I am continually flabbergasted in this day and age when we see stories of, eg, NoSQL servers being attacked from the internet. Who the hell configures a firewall that's not "block everything by default"? This is kindergarten level stuff...
New Year's Eve
I'm keeping my fingers crossed for this year. Last year was a disaster. At about 3pm on NYE, some alerts were raised by our ISP. Trying to get in to have a look I found a number of machines strangely non-responsive (including our main monitoring server). Thinking the worst, I had a look at the UPS logs which showed the output had gone down for a few seconds. I managed to reboot a number of machines via remote PDUs and get to a more-or-less working state.
15 minutes later *everything* went dark, so I was off to the DC. When I got there, I was greeted by silence from the racks and a 160kVA UPS festooned with red lights. One phase of input was gone and the UPS was in shutdown. Managed to get hold of an electrician and on-call UPS engineer. The sparky arrived first and found a blown 300A fuse in the UPS feed. We searched in vain for spares but managed to come up with a 200A in the same size which would do at a pinch. I went back up to the DC and via the radio asked the sparky to switch the breaker back on. I was confronted by a 6 foot fountain of sparks leaping from the front of one of the redundant UPS rack units and a very loud bang indeed. If I'd been standing in front of it, it would not have been pretty.
Not too long after, the UPS guy arrived with the smell of smoke still heavy in the air. The scorched unit was opened up, revealing a main board covered in soot and the input wires from the rectifiers melted back by over half an inch from where they had been soldered into the board, blobs of molten metal scattered around. The UPS chap, although rather surprised, checked all the contacts in the frame, which had luckily survived, and set off back to base to get a replacement unit.
At about 5am he returned, new unit in hand. We had to replace all 3 phase fuses and then there was a very tense moment as the breaker was thrown again. Luckily power was finally restored. Thankfully, due to the way the days fell, we had two more days to recover everything. I called in the rest of the team and managed to get 3 people to help me sequence the power-on (about 120 physical machines and a few hundred VMs). I left exhausted by 7pm (but was still connected from home) and by 11pm on the 1st we had all the servers up, with the application guys in Melbourne finishing up on the holiday Monday.
Ruined New Years for a good few of us that year. And we only got 1.5 TOIL/OT from it - but at least the "right" people remembered what we did and thanked us just a few days ago. Fingers crossed for this year.
Postscript: An IGBT had cracked open in the UPS module, something the engineers had never seen before. One 300A fuse and 4 more 200A blown...
Had a couple of Alcatel "soap bar" style feature phones
IMHO they were really nice. Simple interface, great voice quality, no bother at all. They were emergency burners for DR/BCP, and we never had a problem when we handed them out.
The orange-coloured display made them really nice at night too.
I think they were almost a part of Lucent back then though...
Supermicro boxes are generally:
b) rock solid reliability. I've only had one or two server failures in about 10 years where I've had to invoke RMA or warranty.
c) free IPMI with all features included, eg KVM and remote media
d) easily available with practically any combination of drives, backplanes, PSUs, and other accessories. I've got a couple of 1U boxes that even have 3 PCIe x16 slots available. Getting even vaguely custom builds out of HP has been way harder for us as an SMB. With SM vendors, no problem.
e) lots of warranty options
f) OEM front panel/bezel service available.
I think these are the reason that HCIA vendors' products seem to be largely based on OEM's SM boxes.
I am not affiliated with Supermicro in any way, just a very happy customer.
They are in no way "almost as bad as the real thing". All the so-called "studies" that have reached that conclusion have been thoroughly debunked.
Nicotine is not a carcinogen and never has been. In fact it can be beneficial *without* all the deadly tar produced by cigarettes.
It's crap like this that has distorted the picture so badly - and this is clearly the intent of its backers.
Again, citations please
You need to at least provide a temperature at which this happens. E-cigs only need to heat the liquid up to about 140-200C in a matter of milliseconds. Can you provide evidence that levels of TSNAs higher than or similar to lit tobacco products in use are present in e-cig/cigar/pipe devices?
Re: As a former train driver....
Doesn't the sanding equipment on modern trains mitigate the lack of contact point friction somewhat? Or does it only work for acceleration?
I have to say on my line (GN Hertford branch) I've *never* seen any sand coming out of the units on our Class 313s.
Nice to see a rail veteran on here. I was a "spotter" too (Midlands area), my favourites were the Devon/Cornwall Class 50s, from New Street (great sound), Class 45s (had a brilliant visit to Tinsley Depot before they all went), paired 20s, 56s and 58s at Bescot and watching coal trains and HSTs at Water Orton, and of course the amazingly reliable 37s. Also once saw a 31-hauled nuclear flask train on the Cross-City line at University station. The "new" 60s looked fantastic in the grey+logo departmental livery IMHO.
Really miss the variety of locos we had back then, they all seem to look very US-type these days.
Wow, just nerd-outed myself in a big way!
Re: The systems and the service companies...
Ah, but then the landlord will insist it belongs to them, and then alone, and why should the tenant have any say in it? After all, we just sit in the building and supply them with rent....
As for cobbled software... after 3 suppliers' sales teams managed to bamboozle our HR department for a simple personnel management system (ie £10k for something that an NVQ student could have come up with in an hour or two), the powers that be finally let us write our own. Now I get paid the right amount on the right day and don't get phone calls asking why I'm not in 5 days into a holiday in the Med...
The systems and the service companies...
have little understanding of security. I've worked on a BMS (maintained by an external contractor) that had a "log in" pane in the GUI with a list of users. If you clicked a username, you got a password prompt. But if you didn't bother clicking a username, you could still access the entire system at a full admin level! It would be possible to turn on all the boilers and thermostats to full blast if you so desired. I'm even sure it would be possible to cause physical damage, eg by closing valves on the output of running water pumps.
The contractor wanted to gain remote access by simply plonking a DSL router in front and port-forwarding RDP to the PC. RDP, unencrypted, to a local admin account where the password hint *was* the password. I instead insisted on a VPN (using a decent Draytek router which had the benefit of providing a VoIP phone in the plant room), changing the password and hints and removing the local admin.
When the contractor changed I had to go through all of this again. This one wanted to put in an ISDN dialup line, which I was sure would make the BMS ownable just by knowing the phone number. Grrr.
GlusterFS is *not* a block-capable product. It's file only. IMHO it's also about the slowest for mixed data. And I'd not trust any really valuable data to anything other than RedHat's supported version (RedHat Storage Server).
For filesystems, you've got many more choices, including BeeGFS, MooseFS, RozoFS and more (OSS or semi-open development model) or Exablox, Isilon, Hitachi, HP StoreAll (proprietary).