* Posts by HighTension

31 posts • joined 11 Feb 2016

Microsoft reveals terrible trio of bugs that knocked out Azure, Office 362.5 multi-factor auth logins for 14 hours

HighTension

Yes, all those Windows supercomputers in the Top500 sure are impressive!

Official: IBM to gobble Red Hat for $34bn – yes, the enterprise Linux biz

HighTension

Re: And no mention of JBoss?

Perfectly forkable. However, RH do produce the only vaguely reliable version of GlusterFS (I've tried the community version more than enough times, thanks very much!).

Blueprint of modern construction can be found in a tech cluster... of 19th century England

HighTension

And Shropshire and the Marches have some fantastic pubs!

Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

HighTension

Re: QED

Someone seems to be randomly downvoting completely innocuous posts here. Can't fathom what they are getting out of it...

HighTension

Re: QED

Just get a 10 tonne or higher hydraulic press from a DIY/Car repair retailer. Much cheaper and essentially the same thing. Manual 10 tonne presses are probably $300-400.

They will easily crack the cases of any drive, bend the platters to hell and strip the hub from the middle. With glass platters you get a satisfying crunch and tinkle as they shatter!

Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

HighTension

Re: Never!

@Charles9 One of the commentards was talking about a Home/SOHO router. You have to assume in this case that most devices behind it will be trying to talk to something on the outside (looking for updates, phoning home, checking for mail/tweets etc). And if nothing is connecting in or out you'd not really need any NAT anyway!

HighTension

Re: Never!

Because, in the absence of a firewall, they can probe all ports on the public IP, and if they find any open, one or more of those could be the open external port of a NATed session. If they connect to said IP/port, they can reach the device behind the NAT.

HighTension

Re: Never!

Thanks for your support Chronos. Unfortunately it seems stating facts is not a way to popularity. Perhaps it was the wording "with no NAT", which I should have phrased as "no requirement for NAT".

Having end-to-end addressing is also vastly more convenient for difficult protocols like SIP/RTP, IPSec, FTP and so on, without having to work around endless brain-dead ALGs and helpers that never work properly.

HighTension

Re: Never!

With /horrible/ things like uPNP on consumer routers (which more often than not implement it and other things badly or incorrectly), it's not NAT that really provides the real security, it's the firewall (which on every consumer router I've seen in the last decade is turned on by default).

And just to reiterate, at no point did I claim that NAT is not possible with IPv6. It's just not necessary.

HighTension

Re: Never!

Can you point out exactly where I said that? All I was trying to point out is that you don't really /need/ NAT for IPv6 and it certainly doesn't automatically mean any real loss of security. I see I now have ten thumbs down for a technically correct post!

HighTension

Re: Never!

Wow, two thumbs down for that! Some real IPv6 loathing on here!

HighTension

Re: Never!

NAT is *not* a security feature! Firewall policies and rules are applicable to IPv6 in the same way as IPv4. Eg in shorewall, a policy for a simple two-interface firewall looks like:

#SOURCE #DEST #POLICY #LOG LEVEL
int net ACCEPT
fw net ACCEPT
all all DROP info

works equally well for both - accept outbound connections from the internal network and the firewall, drop and log everything else. It's really not that complicated, and with no NAT way more flexible (no more port-forwarding!)
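As an added illustration (not part of the original post), the "all all DROP info" policy above logs every dropped packet via the kernel LOG target, and those lines can be mined the same way for IPv4 and IPv6 sources. The script below parses constructed sample lines, flags sources spraying many distinct ports (the probing behaviour described earlier in the thread) and also notes hits on the SMB ports; the "Shorewall:net-all:DROP:" prefix and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG-target lines produced by the DROP policy.
# Prefix "Shorewall:net-all:DROP:" is assumed; KEY=value fields are the
# standard kernel LOG format. Addresses are documentation ranges only.
SAMPLE_LOG = """\
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41000 DPT=22
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41001 DPT=445
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41002 DPT=3389
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41003 DPT=8080
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8:1::10 PROTO=TCP SPT=50000 DPT=22
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8:1::10 PROTO=TCP SPT=50001 DPT=139
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8:1::10 PROTO=TCP SPT=50002 DPT=445
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
kernel: Shorewall:net-all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
SMB_PORTS = {"TCP": {445, 137, 139}, "UDP": {137, 139}}  # ports named in the Outlook post

def parse_drop(line):
    """Return the KEY=value fields of a DROP line, or None if it is not one we can use."""
    if ":DROP:" not in line:
        return None
    fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}
    if "SRC" not in fields or "DPT" not in fields:
        return None  # ICMP and friends carry no port; nothing to correlate
    return fields

def summarise(log_text, scan_threshold=3):
    """Per source: distinct dropped destination ports, a scan flag when the
    spread reaches scan_threshold (assumed value), and any SMB ports touched.
    IPv4 and IPv6 sources are handled identically, as the policy itself is."""
    ports, smb = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        f = parse_drop(line)
        if not f:
            continue
        proto, dpt = f.get("PROTO", "").upper(), int(f["DPT"])
        ports[f["SRC"]].add(dpt)
        if dpt in SMB_PORTS.get(proto, set()):
            smb[f["SRC"]].add(dpt)
    return {src: {"ports": sorted(p), "scan": len(p) >= scan_threshold,
                  "smb": sorted(smb[src])} for src, p in ports.items()}

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        print(src, info)
```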

Um, excuse me. Do you have clearance to patch that MRI scanner?

HighTension

Re: obvious solution ...

The closest you could probably get is a set of separate VLANs for medical devices with NAC and a heavily locked down layer2 firewall. Given that WannaCry by all accounts only affected admin functions this may already be the case. However you still have to protect the admin network otherwise patients don't get their ops/scans etc.

It seems like it was the admin net that was the source and the major victim in this case - and that matches the experience when my SO had a serious illness - the medical side was fine, but the admin was so woeful and creaky at the hospital where she was diagnosed (to the extent that they had to *fax* critical docs between departments on the same site, and managed to lose her entire case history) that we demanded she was moved to another (UCH) which was vastly better.

NHS has amazing staff and medical expertise but the inconsistency of admin procedures, tools and more importantly investment across the estate seems to be the major breaking point.

High-end router flinger DrayTek admits to zero day in bunch of Vigor kit

HighTension

Re: DrayTek routers are considered high end in the UK

They suck far, far less than Zyxel. Or Netgear. The same features on Cisco you'd pay £600+. Only D-Link seems to come close in this price range.

I think most of the problem is a complex interface but most competent admins (who understand SIP especially) can negotiate it. Have one in my work basement that uses a VoIP account over an IPSEC VPN logged into our PBX. The only time it's not worked is when the bloody BMS management people have unplugged it.

IMHO they are really good for SIP but you need to know what you are doing to get them to work.

The Zyxels we had that preceded these would drop ADSL, VPN, or VoIP maybe 3-4 times a week. Draytek maybe once a month, and always sync/line issues.

OK, this time it's for real: The last available IPv4 address block has gone

HighTension

Re: Compatibility

So what is a legacy IPv4 stack going to do when it receives one of these hypothetical "IPv8" packets? It's just going to puke on a corrupted header. So you'll still have to rip and replace the stack in every device!

Using Outlook? You should probably do some patching

HighTension

"stopping inbound and outbound SMB connections at the network border by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp."

Pretty much any home ISP connection will block those anyway. Any corporate that's allowing those ports freely out to (or worse, in from) the general internet needs a serious clue-by-four application. I continually am flabbergasted in this day and age when we see stories of, eg, NoSQL servers being attacked from the internet. Who the hell configures a firewall that's not "block everything by default"? This is kindergarten level stuff...

'Disappearing' data under ZFS on Linux sparks small swift tweak

HighTension

I don't think this bug is really that terrible. At least it exposes an error when it happens - there's no silent data loss or corruption thank god...

Long haul flights on a one-aisle plane? Airbus thinks you’re up for it

HighTension

Re: The Golden Age of flying is over

Love the Saab 2000s from London City to the Isle of Man. Especially the emergency exit seats - one reason to wake up early the day before to book them...

I've twice had two breakfasts on the way out on that trip - very quiet for a turboprop.

Openreach ups investment plans: Will shoot out full fibre to 3 million premises

HighTension

There is a difference - at least with FTTP you have the chance of reaching full speed. With copper if you're too far away you'll have to suffer with your 500k down and 50 up (if you're lucky and it's not raining).

'Twas the night before Y2K and a grinch stole the IT department's overtime payout

HighTension

New Year's Eve

I'm keeping my fingers crossed for this year. Last year was a disaster. At about 3pm on NYE, some alerts were raised by our ISP. Trying to get in to have a look I found a number of machines strangely non-responsive (including our main monitoring server). Thinking the worst, I had a look at the UPS logs which showed the output had gone down for a few seconds. I managed to reboot a number of machines via remote PDUs and get to a more-or-less working state.

15 minutes later *everything* went dark, so I was off to the DC. When I got there, I was greeted by silence from the racks and a 160kVA UPS festooned with red lights. One phase of input was gone and the UPS was in shutdown. Managed to get hold of an electrician and on-call UPS engineer. The sparky arrived first and found a blown 300A fuse in the UPS feed. We searched in vain for spares but managed to come up with a 200A in the same size which would do at a pinch. I went back up to the DC and via the radio asked the sparky to switch the breaker back on. I was confronted by a 6 foot fountain of sparks leaping from the front of one of the redundant UPS rack units and a very loud bang indeed. If I'd been standing in front of it it would not have been pretty.

Not too long after, the UPS guy arrived with the smell of smoke still heavy in the air. The scorched unit was opened up, revealing a main board covered in soot and the input wires from the rectifiers melted back by over half an inch from where they had been soldered into the board, blobs of molten metal scattered around. The UPS chap, although rather surprised, checked all the contacts in the frame, which had luckily survived, and set off back to base to get a replacement unit.

At about 5am he returned, new unit in hand. We had to replace all 3 phase fuses and then there was a very tense moment as the breaker was thrown again. Luckily power was finally restored. Thankfully due to the way the days fell we had two more days to recover everything. I called in the rest of the team and managed to get 3 people to help me sequence the power-on (about 120 physical machines and a few hundred VMs). I left exhausted by 7pm (but still was connected at home) and by 11pm on the 1st we had all the servers up, with the application guys in Melbourne finishing up on the holiday Monday.

Ruined New Years for a good few of us that year. And we only got 1.5 TOIL/OT from it - but at least the "right" people remembered what we did and thanked us just a few days ago. Fingers crossed for this year.

Postscript: An IGBT had cracked open in the UPS module, had never been seen before by the engineers. One 300A fuse and 4 more 200A blown...

Alcatel wants to be Android, but different – and another crack at the Windows market

HighTension

Had a couple of Alcatel "soap bar" style feature phones

IMHO they were really nice. Simple interface, great voice quality, no bother at all. They were emergency burners for DR/BCP, and we never had a problem when we handed them out.

The orange-coloured display made them really nice at night too.

I think they were almost a part of Lucent back then though...

Fancy a wee quasi-DRAM? Supermicro bulks up server memory

HighTension

Re: 2TB?

Supermicro boxes are generally:

a) cheap

b) rock solid reliability. I've only had one or two server failures in about 10 years where I've had to invoke RMA or warranty.

c) free IPMI with all features included, eg KVM and remote media

d) easily available with practically any combination of drives, backplanes, PSUs, and other accessories. I've got a couple of 1U boxes that even have 3 PCIe x16 slots available. Getting even vaguely custom builds out of HP has been way harder for us as an SMB. With SM vendors, no problem.

e) lots of warranty options

f) OEM front panel/bezel service available.

I think these are the reason that HCIA vendors' products seem to be largely based on OEM's SM boxes.

I am not affiliated with Supermicro in any way, just a very happy customer.

;-)

Excel abuse hits new heights as dev uses VBA to code spreadsheet messaging app

HighTension

Re: And why not...

I did a disassembler in 6502 assembly (BBC B) because the one I wrote in BASIC was too damn slow, and the curses-like hex editor I'd just done wasn't difficult enough. Fun days!

Peer tables motion to kill vaping rules

HighTension
WTF?

Re: madness

They are in no way "almost as bad as the real thing". All the so-called "studies" that have reached that conclusion have been thoroughly debunked.

Nicotine is not a carcinogen and never has been. In fact it can be beneficial *without* all the deadly tar produced by cigarettes.

It's crap like this that has distorted the picture so badly - and this is clearly the intent of its backers.

Big Pharma wrote EU anti-vaping diktat, claims Tory ex-MEP

HighTension

Again, citations please

You need to at least provide a temperature at which this happens. E-cigs only need to heat the liquid up to about 140-200C in a matter of milliseconds. Can you provide evidence that levels of TSNAs higher than or similar to lit tobacco products in use are present in e-cig/cigar/pipe devices?

HighTension

@Brian Allan 1

I enjoyed smoking. I now enjoy vaping. Yes, I'm probably addicted to nicotine, in the same way that I am addicted to caffeine. Thankfully now I'm much healthier and don't stink like a damp bonfire.

I don't listen to busybodies who cast judgement on my life choices.

Flying Scotsman attacked by drone

HighTension

Re: As a former train driver....

Doesn't the sanding equipment on modern trains mitigate the lack of contact point friction somewhat? Or does it only work for acceleration?

I have to say on my line (GN Hertford branch) I've *never* seen any sand coming out of the units on our Class 313s.

Nice to see a rail veteran on here. I was a "spotter" too (Midlands area), my favourites were the Devon/Cornwall Class 50s, from New Street (great sound), Class 45's (had a brilliant visit to Tinsley Depot before they all went), Paired 20s, 56s and 58s at Bescot and watching coal trains and HSTs at Water Orton, and of course the amazingly reliable 37s. Also once saw a 31-hauled nuclear flask train on the Cross-City line at University station. The "new" 60s looked fantastic in the grey+logo departmental livery IMHO.

Really miss the variety of locos we had back then, they all seem to look very US-type these days.

Wow, just nerd-outed myself in a big way!

Building automation systems are so bad IBM hacked one for free

HighTension

Re: The systems and the service companies...

Ah, but then the landlord will insist it belongs to them, and then alone, and why should the tenant have any say in it? After all, we just sit in the building and supply them with rent....

As for cobbled software... after 3 suppliers' sales teams managed to bamboozle our HR department for a simple personnel management system (ie £10k for something that an NVQ student could have come up with in an hour or two), the powers that be finally let us write our own. Now I get paid the right amount on the right day and don't get phone calls asking why I'm not in 5 days into a holiday in the Med...

Sigh...

HighTension

The systems and the service companies...

have little understanding of security. I've worked on a BMS (maintained by an external contractor) that had a "log in" pane in the gui with a list of users. If you clicked a username, you got a password prompt. But if you didn't bother clicking a username, you could still access the entire system at a full admin level! It would be possible to turn on all the boilers and thermostats to full blast if you so desired. I'm even sure it would be possible to cause physical damage, eg by closing valves on the output of running water pumps.

The contractor wanted to gain remote access by simply plonking a DSL router in front and port-forwarding RDP to the PC. RDP, unencrypted, to a local admin account where the password hint *was* the password. I instead insisted on a VPN (using a decent Draytek router which had the benefit of providing a VoIP phone in the plant room), changing the password and hints and removing the local admin.

When the contractor changed I had to go through all of this again. This one wanted to put in an ISDN dialup line, which I was sure would make the BMS ownable just by knowing the phone number. Grrr.

Scale-out storage: Proprietary? Commodity? Or both?

HighTension

GlusterFS is *not* a block-capable product. It's file only. IMHO it's also about the slowest for mixed data. And I'd not trust any really valuable data to anything other than RedHat's supported version (RedHat Storage Server).

For filesystems, you've got many more choices, including BeeGFS, MooseFS, RozoFS and more (OSS or semi-open development model) or Exablox, Isilon, Hitachi, HP StoreAll (proprietary).

Biting the hand that feeds IT © 1998–2019