Posts by Alan Brown 16473 publicly visible posts • joined 8 Feb 2008
"The aim is to replace them with less qualified people on 'cheaper' contracts"
Hence why BT is taking on hundreds of ex-squaddies as contractors. It's not about giving them jobs, although that makes a nice soundbite. They'll be out on their collective ear as soon as their purpose is served.(*)
(*) It's trivial to get rid of contractors, which is why they're setup like that instead of as employees.
The very first thing taught in law courses is that what is in place is a LEGAL system and it is not a JUSTICE system in any way shape or form.
Calling it a "ministry of justice" is no different to the newspeak which renamed a certain govt department to the "Ministry of Defence". Calling it a ministry of "law and order" would be far more accurate (department of Law and Order for the USAians here)
Once you understand that, a lot of the other pieces fall into place. Just because legal system decisions usually result in justice being done is no guarantee this will always happen - or that it is required in the current scheme of things.
These days "new and interesting" tends to mean "smaller and more exactly targetted"
Eg: Why drop a 20 ton bomb on a bunker when a 1kg UAV might be able to fly in the air ducts and deliver the payload exactly next to $BADGUY? Especially when $BADGUY hides his bunker under a civilian air raid shelter packed with 200-500 bystanders. Even military bods understand bad publicity.
"As for 'tracing' calls, all digital calls for over 15-20 years include all information needed including the call originator."
Yes, but..... the SS7 system assumes that everyone along the chain is trustworthy. There's even less concept of security in the world's phone switching network than there is in BGP. It only takes one bad actor to screw things up - and it's pretty clear there is way more than one bad actor with access to international routing systems.
Your best bet is to complain to the ASA then.
They seem to be taking an interest in this very issue (they've already nailed a bunch of ads on "no buffering", "unlimited internet" and other claims). Just be very clear on the issues that you're raising with them and nominate a couple of advertisers whose advertising is misleading.
They're also very big on stompig on practices where the large print giveth and the small print taketh away - they've forced a nuimber of ads to be rewritten so that tiny fast scrolling stuff is made more visible for those without 100/20 vision and a 1000wpm reading speed.
All the spoofing in the world won't help attackers much if you simply use the allow-query{} directive in your bond9 config file
in options.conf - allowquery{localnets;}; (add networks which should be making recursive requests to this entry)
For each zone you serve (ie, are authoritative for), add "allow-query{any;};" in the zonefile.
Problem solved - The great unwashed can't use your DNS server as a resolver, EXCEPT for domains you want to make available.
Other DNS servers exist and they all have variants of allow-query. You should also lock down allow-transfer, but that's already been done as part of general security locksdowns, hasn't it?
Not at all. For starters, you need something to recover when one of the lusers types "rm -rf /path/to/dir/ *" - which happens depressingly often, leaving them wondering where all that source code went.
You can mitigate this by keeping rolling snapshots over the last few hours/days or use a VMS style FS (which requires an explicit purge) but users will still find ways of losig data or not realise they needed it until the snapsots have expired.
"Cluster file systems are very specialized, and there are only 3 real cluster file systems out there with any traction: GFS, OCFS, and VCFS."
Having used GFS extensively, I'd say that for more than a small cluster/a couple of TB, you're better off running Gluster on top of ZFS. We've wasted several man-years of effort trying to keep GFS clusters together and come to the conclusoin that it's the part of our "Highly-available" setup which torpedoes the "highly available" part.
Can't speak for the other FSes, but experience on several sites with multiple vendors shows that clustered setups have a helluva difficulty scaling under serious load - things work ok when testing but tend to break when you want them to do serious work, or when the serious work gets beyond N size and X requests. There's a reason why noone's managed to recreate the reliability of TruCluster (which got killed off by HP) and it comes down to "it's bloody hard to make things all work in sync"
if you don't enable deduplication then the memory requirements aren't anywhere near as heavy - and for a lot of loads deduping isn't needed (eg, anything already compressed, images, mp3s, movie files and astrophysics data) .
In any case, needing 8Gb ram isn't a big deal wioth today's ram prices (Not that my setup uses anything like that much for 32Tb of storage - and bearing in mind that the rule of thumb for ext4 on fileservers is 1Gb per Tb of storage)
Amen. That's why I stopped using XFS
BTRFS may be lots of things, but it's not particularly robust. That's why I stopped using it.
ZFS (so far) has been bulletproof. As for Linux versions, it's available for Debian/Ubuntu and Redhat/clones
If you want a commercially supported version, there's Nexenta.
They all work - and ZFS is the only FS for linux which can detect and repair disk ECC failures (others can detect, but not repair)
Yes they are. Wide open is the default setting for Bind. Even DJB and MS wwere wide open last time I looked.
It's the same mentality which STILL defines any DNS entries in zonefiles with zero padding as octal, despite the RFC explicitly stating that IPv4 addresses are dotted decimals. I got royally flamed when I pointed that particular "issue" out 18 years ago and asked that the RFC or the software be altered for consistency (given they were written by the same person, it didn't seem to be an unreasonable request). Not long after that, spammers started using dotted and long hex/binary/octal/decimal URLs in spam (It took filter authors to nail that down. Bind is still open to that abuse)
The "fix" is easy.
in general options you set "allow query {localnets;}" (and any networks you think should be allowed to make general recursive queries)
Then in each zone file you add "allow query {any;}"
Porblem solved. You won't send answers for domains you're not authoritative for, except to explicitly defined networks
It's not fucking rocket science, it's not hard and above all, it was what I was recommending 15 years ago to keep leeches off of DNS servers. You don't need DNSSEC or any of the other bullshit to reduce the nuisance factor of an open DNS server.
Additional hacks to rate limit responses have been published. These and DNSSEC help a bit, but not as much as the simple (in most cases 1 line) config change above.
"Uniloc's patent describes a process where you round the numbers first and then do the arithmetic"
Doing that in solar system simulations has planets flying wildly - space:1999 style - in short order.
That notwithstanding, you'd be surprised how many astrophysicists attempt to do things in that order and wonder why the results don't look like real life.
It's been just over a decade since I gave up trying to get ISPs and NSPs to filter "wrong" packets from egressing their networks (or ingressing from customer ones)
The uniform response was "our routers can't handle the load"
I understand (from those still carrying the torch) that's still the uniform response.
Companies have zero concience. They don't care if their customers are abusing the networks, as long as they get paid - and the only way to make them care is to make it hurt - a lot. In that respect it's actually easier to train an amoeba. At least those have some semblence of "memory"
There's a school of thought that says it may be used as stegenographic cover for various activities.
This usually comes from the same school of thought whih suggests Robert McNamara, Alex Plutonium and Serdar Argic's(*) rant-filled missives may have contained coded messages to intelligence operatives.
And which also suggests that all those pictures of Claudia Schiffer in alt.binaries.pictures.erotica contained encrypted text files detailing a lot of nazi-linked information the West German government would have preferred wasn't public.
(*)It's been a couple of decades. I may have mixed the names up.
"Thought you had to have control of your own DNS server to pull off this type of amplification attack"
Nope. Just send requests.
Ir should be mentioned that running open DNS servers has been regarded as bad practice for as long as running open mail relays has. I locked mine down nearly 20 years ago when I found an organisation leeching off 'em instead of running their own one.
"And it points out the flaws in using a 30+ year old network protocol no matter who well designed it was originally. Still the successor is big pile of shit in many ways imho."
As with ICMP attacks this can be mitigated by incorporating throttling into the NS server code. No legit IP wil be making more than 1 request per second for the same information for starters, and very few will be making hundreds of requests per second, thanks to long-established caching algorithms.
The hard part is getting people to actually implement fixes/tweaks.
AIUI the ASA was referring to peak traffic management. If they actually meant that it's OK to cap a user for going over an arbitrary level on an "unlimited" account then they need a rocket under 'em.
It's worth noting a few things:
1: The ASA actually did something. Ofcom and OFT have both been studiously ignoring complaints about "unlimited, oh not really" shit since time immemorial.
2: The ASA is a trade association. Ofcom and OFT are govt departments
3: Ofcom (in particular) is full of people marking tim until they nove onto jobs in Telco/ISP management. Make of that what you will.
"They are a phone and communications company whose complaints department will only allow themselves to be contacted by a PO box number, this should be fair warning in itself."
They're not exactly the only one of the sorry bunch in the "most complained about" league who pull that stunt.
And yes, it should be fair warning.
Isn't the FTTC boxes.
K&C NIMBYs have been on a jihad for years to keep "eeeevil" mobile phone masts from radiating their childrens' brains. Once objections to the poles (usually modfied lamposts for urban in-fill work) started being struck down they started objecting to the cabinets on visual grounds.
(Twits don't understand inverse square laws, or how having a nearby base station reduces the mobile's transmit power, so they'll happily let kids play with wifi kit or carry mobile phones)
If they started objecting to one type of cabinet and not another, all objections would collapse. Hopefully the idiocy is now over and the vast majority of K&C residents can get decent broadband AND mobile signals.
This has as much to do with councillers that blocking the boxes could result in losing their seats as it does with anything else (including the issue that planning committee members can be found personally responsible for legal costs associated with politically motivated planning decisions)
NIMBYs are a very small group in K&C, even if they're exceedingly vocal. They're even louder when they get overruled.
"I used to build computers and sell parts. I don't anymore.
People call me up on the phone or ask me questions about all manner of hardware and ssoftware issues."
You were in the wrong business. GIviong advise is called consultancy and is a nice earner for those who do it. :)
"I can't speak for Oz but it was noticeable in NZ before xmas that gluten free stuff and options were much more common than they are here in Blighty."
A large proportion of NZers have irish-derived ancestry and the coeliac rate in that country is the highest in the world. NZ isn't far behind, but awareness has only really been spreading in the last 15 years.
In the 1990s it wasn't that uncommon for companies selling foodstuffs to substitute wheatflour for cornflour if they were caught short - without changing the labelling. In extreme cases that can put people in hospital (one of my schoolfriends is an extreme case. Coeliac cost him a lot of bone damage and all his teeth
Ironically, given dairy products are the single largest export from NZ, it has one of the world's highest awarenesses of lactose intolerance. (it was research there which gave the realisation that lactose tolerance in adults is the mutation, not the norm).
Or more likely they'll simply refuse to buy anything with packaging showing that the stackers routinely let the frozens thaw.
Actually for simple over/under temperature and shock indication there are already one-shot devices available and cheap enough to be used on consumer packaging. The fact that they're not routinely used says a lot about the supply chain.
BUT..... they'll replace a crap IT system with a crap IT system - because doing otherwise will result in the civil service being more efficient and shedding staff (Bloated departments full of civil serviants shifting paperwork is just another way of hiding real unemployment figures)
Revenue and customs is even worse than the UKBA. Computerisation is supposed to reduce manual requirements, not increase them by 400%
Isn't such a "pollutant" as an unused resource. There's a reason they're looking at thorium for energy.
WRT labour costs - as soon as it gets high enough that automation is a viable alternative, you can move manufacturing/assembly anywhere on the planet.
Robots cost the same everywhere, plus or minus energy costs. They don't strike, don't need shift breaks and they don't need accomodation blocks. There are other issues (such as having paying customers to buy the products) which were raised 40 years ago by Alvin Toffler et al, but societies have proven remarkably resiliant to changes over the last few decades and will be in future once economists get weaned off the idea that growth (economic and population) must be endless.
"How often have you signed up for a year at one price only to have a price increase imposed after a month or two"
AIUI when this happens you have the option of walking away from the contract, penalty-free.
As others have pointed out, contracts have to have 2 parties in agreement.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2026
