Posts by Lee D

Re: Similar Story with FTP

Working for a school which was in "special measures" for student behaviour and it was in the process of being taken over by one of these superheads (the scam behind them is too big for a single Reg post).

Anyway, one of their first decrees - you will merge the IT department with 3 other sites, you'll buy what we tell you and you'll buy this "new" remote virtual workstation system.

After we saw them off on the merger bull (by being able to outperform their "experts" in literally every metric they could supply us), they made us trial this workstation thing.

Basically, an early Linux-based cloud virtual desktop. Unfortunately for them, I knew Linux inside out.

They were claiming that it would "run everything" (via Wine) and it would all work... INCLUDING our workstation security software. Yeah, that AD-integrated, Windows-specific, lock-down-your-logon-screen, impose permissions on Windows applications, etc. software is just going to run unmodified on Linux and push the same settings... sure... that's gonna happen.

Anyway, because I knew Linux far better than anyone else in the department I was asked to trial it and come up with a list of issues. Which I did. Including things like "You're illegally using the Microsoft Office icons to load OpenOffice applications" and all kinds of other problems.

But the biggest problem came to light when the company said that I hadn't supplied them with a list yet.

"Yes I have."

"No, we haven't got it."

"Okay, log into your Linux server that's running all this system. Go to your root home folder. Look in there".

Yep... the permissions on the LIVE SYSTEM (it wasn't a demo system, they'd created a user for us already on their live system that they were making a bunch of other schools use and pay for) were so lax that you could just get a terminal, cd up a few folders, see ALL their users at ALL their sites, and even pop into other school's folders, play with configurations, and... yes... put files into the root home folder.

I'd left a text file in there with a laundry list of about 120 items, including the above, that they'd need to fix before we'd even consider touching them.

Whoops.

The ultimate irony came when all that was shoved to one side and we were NEVER asked to deploy that software (gosh, the owner was... a golf buddy of the superhead... strange that), but they stole our kids for the day to take the system to BETT (a UK educational conference) and have them "demo" it by just sitting on it and playing it. Not only had the kids never seen it, but we were never going to deploy it at that school anyway and they didn't use it, but they were made to pretend to. Instead, the kids compromised it within an hour, and then they were all telling the people at the conference how crap it was.

Strangely, that company is dead now but I bet they made a lot of money from those kinds of deals before they went bust, and I bet the owners and shareholders (including the superhead) pulled out before it collapsed.

Re: Good grief!

Backhanders. Backhanders all the way.

Re: Rasp pi

The Foundation's resources are SHITE for teaching unless you're already an RPi (and other electronics) expert.

Sorry, but it's always been true.

25+ years working IT in education, and no matter how many times you give that stuff to even ICT teachers, they don't consider it of much value at all.

Re: See also XYZ..

Always been the case.

Though, to be absolutely fair, the licences permit that. So it's hard to say that the companies are doing anything wrong.

It's like putting out a sign that says "Help yourself! No charge!" and then getting annoyed that people just take things you put out there and ignore the little honesty-box that you put out there next to it.

"If half the world decide to pay for this product, it still won't break even" is a hell of a business plan to approve.

Mate, I have seen laptops with a higher uptime.

My personal (not professional) record is 1500 days (server obviously not public-facing at all).

And UK law, particularly, states that a customer should never pay more in interest in the entirety of such a finance contract as the original loan amount.

So once you'd paid enough months to have bought ANOTHER handset, they were breaking the law to keep applying that interest.

(Yes... if you're in debt... and you've paid 100% of the original cost out in interest again on that agreement... the loaner is required to cancel the debt.)

Re: Got an HR talking to...

My university back in the day had a leased line, while I was struggling along with a 56K modem at home (and they were only 33K upload, remember).

I used to go into university out of hours and at weekends sometimes, download everything I needed, and then bring it home on floppy disks (pkzip span commands are etched into my brain) and later ZIP disks (because the university computers all had ZIP drives for some reason).

This was fine but, increasingly, I was running out of storage and I would have to download things there and then, zip them up and then get them off my account. So I would spend far too much time out of hours trying to download what I needed just to take it home. What I wanted to do was download stuff throughout the week while I was already there, and then take them home the weekend. But...

After a while, a bunch of emails were sent out to students where they said they were monitoring disk usage to save costs (the implication was that there was a direct link between disk usage and people downloading, etc. too). I didn't want to get caught out by that, so I moved everything off my storage as soon as I could. The emails started to come every week and listed the top offenders, who would get spoken to. Then I noticed something. The warning emails were sent at a very particular time and included enough information to determine the time at which the scan had taken place.

So now I knew when NOT to have data sitting on my account. So I was able to ensure that I never had much space being used.

That worked well. But it was then that I got greedy. My elder brother had gone through the same university and had, at one point, been given larger allocations in anticipation of studying there further. But he didn't take it up. He told me his username password and... yes... I was able to FTP into his account. I have no idea why it was still allowed to be active, but it had unlimtied storage. So I added almost unlimited storage (at least, for back in the day) via that. It was still subject to the flagging, but I purged it before the scans took place each time too. But it meant I could spend all week downloading stuff, shoving it through my account and my brother's, and then on the evening/weekend come in and do NOTHING but copy it all and delete it.

I did that for the whole of the 3 years I was there. Was never once flagged. Must have used INORDINATE amounts of their resources for just one person. And I bet they were scratching their head where everything was. Management tools for networks weren't great back then and it would have been difficult to narrow down the networking usage, or analyse the traffic, and without knowing when/where to look, they wouldn't have seen the storage fluctuating, especially shared across two accounts.

Never got caught, and still have a huge binder full of CD-R and DVD-R's that I burned of everything I downloaded.

Re: Valgrind

"Necessary but not sufficient" is the phrase.

Re: EOL

Part of running an actual business is keeping your IT up-to-date.

There is not a single vendor which would ever recommend that you do not keep your IT up-to-date. There's a reason for that, and it's nothing to do with money.

It's the same beginning for the process. Everyone out.

But now, once you're "all" out, why would you NOT WANT TO CHECK EVERYONE GOT OUT SAFELY?

The only reason I can think of is that you want people to die.

Re: This is another example of why cyber so-called security is nigh on impossible for average Joe

Literally how I presented cybersecurity to a school's management, staff, etc.

We can't defend against it. We absolutely cannot. We can do some stuff but so much is just generic computing nowadays that I'm far more reliant on staff not clicking an email than Microsoft not screwing up the system. Our security is literally in the hands of untrained random people.

We can only hope to "outrun the other guy being chased by the bear". That's it.

If we were ever particularly targetted... we're dead in the water. Even our cyberinsurers agree on that. All we can do is hope to stay under the radar, not give off "we have dumb IT" vibes on our websites and services, and cross our fingers.

The only real solution is a return to actual, limited, permissioned IT. You want to add a student record? Press 1. You want to Edit? Press 2.

If you don't limit the interface, but instead every doughnut is running a full Windows OS with a thousand apps and programs, with access to huge Sharepoints and OneDrive and clicking on thousands of emails in a program that automatically opens them in whatever it feels like.. it's already game over.

The old terminal system I used in an international haulage firm 30+ years ago as part of my work experience was infinitely more secure than anything we have nowadays. You could only press certain buttons. You could only do certain things. You could only do that from certain locations. It worked. Everyone had what they needed and nothing more.

I remember them - at the time - trying to show off their new (Windows 95/98?) machine and how it was the future of their business and even as a geeky kid back then... I was thinking, that's not a great idea. So now everyone is "running as admin", everyone can modify all files on that drive, and it's full of nonsense like Active Desktop and loaded up with games, etc. I honestly had to do a kind of "Yeah, that sounds... interesting" thing when they kept crowing about how wonderful it all was that they would have different desktop backgrounds etc. And all I could think of was the number of times that my classmate and I had compromised my school's 3.1 / Netware / 95 network repeatedly with some stupendously simple things (literally "admin-rights" on Netware and complete control of the machines... I'm not joking).

Sorry, but general purpose computing and cloud computing too... they are basically just huge great bullseyes on all our backs. We're not going to get away from that. It's like trying to lock up a prisoner who is allowed to do anything they like, and roam anywhere they like, and interact with anyone they like, and bring in any visitor they like...

But apparently, I "don't know what I'm doing" and their "expert network team" were geniuses. The same geniuses who trashed our SAN in the middle of the day by stomping over IP addresses on a reserved subnet, the same geniuses who couldn't deploy a webfilter onto a Chromebook over WEEKS and said - quite literally - that it was impossible to do with the kit that THEY THEMSELVES had bought, and implied it wasn't possible with any kit. They said they'd never seen a project "so set up to fail" and basically accused me of sabotage (again!). (Presented with this fact by my boss, I took out a fresh Chromebook out and configured it in five minutes in front of the senior management and showed them that it was working... they took it away and confirmed it themselves and presented it to the MSP who were forced to admit they were wrong). The same geniuses, in fact, who remotely booted our in-house team out of remote desktop while we were working on the servers, logged in themselves as the user we'd given them, and for some insane reason decided to APPLY all checkpoints on the VM cluster. Not delete... not housekeeping... not tidying... they APPLIED them. Without warning, reason or permission. Rolling the entire network back months in the middle of the working day. Then denied it. By which point I was already on the phone to my boss telling them what I was watching happening as we spoke and they came and witnessed it. Restore from backup was required. Of the 2-node S2D cluster that they'd forced us to migrate to. Oh, with 1Gbit networking that was run off the motherboard network port, which then failed.

But apparently... little old me, with my strange ways, and my lack of certifications (just a degree and 25+ years experience) was the dumb one who just "didn't understand anything" and their "expert dedicated teams" for security, networking, servers, implementation, etc. did. I wasn't "trained" like their teams of experts. No.. I just built and ran the exact servers they were lecturing me on using, I just designed the network and told them exactly how and why it worked and watched them fail repeatedly. I just realised that if you have two paths to the Internet, then you need to cover both. And so on.

So after we'd dropped some £200k+ on these idiots, they were finally let go after an absolute screaming match where they decided it was a good idea to yell at our only senior management who understood IT and had been brought in specifically to mediate and clear up the confusion (i.e. me telling and demonstrating that these people were idiots, and the MSP playing their roles as idiots perfectly). He calmly replied things like "No, that's absolutely not true, though, is it? That's not how it works, or could ever work." (on technical matters) which basically convinced the entire senior team that actually I'd been right all along.

I asked for a reasonable raise. Was denied. Got a 20% raise elsewhere within HOURS. Went back to them. Nothing. Quit.

I hear they're now employing another MSP, under the charge of the senior manager who had a clue about IT. At significantly more cost than ever before. And they have had to seriously dial down their expectations of the network that were given them when I was running it. You think that a tiny team of in-house staff running EVERYTHING with response times in the minutes was your problem? Okay, see how you deal with an MSP with 40 staff that won't even respond to a ticket same-day most of the time, and who just pass stuff off or back saying it's not to do with them all the time.

Little ol' untrained me. Now working at a bigger place, earning more, actually working less (hours, holidays, systems that were budgeted for appropriately, etc.) and under comparatively zero pressure, with no sign of an MSP (and no intention to get one).

The primary reason to remove code is maintenance burden.

Every time you want to change some underlying API, or migrate to a new primitive, or introduce new locking, you have a bunch of old code that receives really quite devasting changes that can't be automated... and there's nobody using or maintaining that code to check it still works properly in all possible instances. Then some pillock boots it up on their NAS products as part of their natural firmware upgrades, and it starts trashing customer's NAS data because of some niche side-effect, and now you have a major NAS vendor telling its customers that Linux isn't reliable and just trashed all their customer's filesystems.

As soon as something falls out of active maintenance, it has to be marked for deprecation to let people know not to use it, and if nobody steps up to maintain it, it gets removed.

Lack of maintenance is literally the primary reason for code removal in the Linux kernel. Things that should have been removed decades ago were still actively maintained, so they were allowed to stick around until the last maintainers left (not the last users!). Similarly, things that were brand-new but didn't have adequate maintenance were removed and pushed back out of tree. In fact, one of the main reasons for being refused to be pulled in-tree is that someone then has to maintain it forever. And that's a huge burden for code they may not understand, so it can take DECADES to get code into mainline simply because you have to break it down and get every piece in and slip it past all the maintainers before you ever get close to actually merging the final product, and then you have to prove that enough people will use it so that enough people will be around to maintain it so that kernel maintainers aren't spending half their life trying to fix issues in other people's code that they don't understand.

And this severely affects security. One locking or permission change, and if you don't go updating all your code you are leaving security holes in the kernel. That can't be allowed. And if there's nobody around to say "Yeah, I've fixed bcachefs against this new novel attack that we're seeing throughout the kernel code" then it gets removed. Quite rightly.

People think it's personalities, or technicalities, or some desire to just move into every new thing and throw away every old thing (which is utter nonsense, Linux supports some ridiculously antique stuff still), it's not. It's about maintenance. The one thing Linux lacks is good maintainers with time on their hands to do that job, usually for free! Those are the most valuable and precious resources. And, as things like NTFS filesystem support *cough* Paragon *cough*, whole-kernel mass-patches that nobody is willing to break down (*cough* grsecurity *cough*) etc. have found out... it doesn't matter how great your code is, if people aren't willing to maintain it you have a decades-long uphill battle to get it into the kernel, let alone keep it there.

Nobody wants to babysit your code in perpetuity, especially if... when a new maintainer is required... not one competent, trusted person is willing to step up and say "I'll do that".

Re: Criminalize paying ransom

Paying ransom is prima facie money laundering.

Ask your auditors.

You're paying a unidentified 3rd party huge sums of money in order to appease a crime, with no record of the transaction's destination.

There is no way to distinguish "we were attacked and paid a ransom" from "hey, brother, I have a plan... you pretend to attack my company, I'll pay you the ransom via an anonymous payment method, then we split the proceeds 50-50 when the dust settles".

I bring this up regularly when my employers talk about potential responses to ransomware. Paying them is money laundering. Because I can't tell if I'm paying that money illicitly to the CEO's brother, or some guy in Russia. Any audited account should be all over that with flashing red alarm signals going off at the very mention of such.

It's already criminalised. We're just not enforcing that law. Another law isn't going to help.

Automation

I recently bought heatpumps, electric heaters and a towel rail and went for a smart model of each.

However, in each case I made a very big point of also making sure that I can:

- Operate the device without any subscription.

- Control all the useful functions from the bog-standard infrared remote control.

- Control all functions from the device itself.

Now, if I *want* my heating to come on at 2 in the afternoon... I can do that from work. Very useful. Especially when Octopus announce a free energy session.

But if it doesn't work, or the service disappears in ten years time, or I'm in the bathroom myself anyway... I can just press the button to do that same thing.

AI and "smart" stuff is just automation. That's all it is. I don't need automation of every possible conceivable scenario. As you point out... I tend to use one. My washing machine is "dumb" and has arrow stickers pointing to the only program I ever bother to use. My dishwasher is the same. My oven literally has a child-proof cover over the temperature gauge because I don't need to change it 99% of the time and I was tired of it moving just because I brushed past it. My heatpump operates - now that it's configured - in two modes. Heat and cool (aircon). That's it. That's all I need. It's useful to turn them on remotely occasionally (e.g. coming home to a toasty house on a winter's day), and things like schedules, but that's it.

My brother has just bought a smart washing machine. I really don't see the point in that. Because you have to load the washing machine anyway... so you have to physically be there and do something. Sure, you can schedule it for late and night and it can tell you when it's done but... you can do that with much simpler things than smart functionality (e.g. timer and beeping). It's not like it can unload itself when you're not there. A bit like "remote start" car engines. Literally the next thing I do is sit in the driver's seat, surely, so... what's the point (P.S. it's illegal in the UK to leave a running car engine unsupervised, so no, "pre-warming" the car isn't legal). Or remote unlocking. I've unlocked the car... the next thing I do is... approach the car anyway. What did I achieve? Nothing.

If you want to automate things, that's great. But smart/AI has so little role in anything I ever do that I can't fathom why I'd ever specify it or pay for it.

Re: The pickle-jam constellation

Only one man would dare raspberry me...

Re: How much?!

Quite.

I had to seriously sit and consider a £400 phone as a treat some years ago, but it was one of the best purchases I've ever made (Samsung XCover Pro... still have removable batteries, headphone sockets, dual-SIM, microSD slot, etc.).

I see kids with phones that cost twice as much and they don't do anything on them. And when they inevitably break them, they just buy another stupidly expensive on, on contract.

(P.S. I've never broken a phone. The only phone I ever "broke" was my XCover... I was sure that water had got into it - it's supposed to be waterproof - and the screen had a permanent water puddle inside it that didn't move. I tried drying it out, but it wouldn't go away and it was a mild annoyance at best because the screen still worked fine. I just assumed the water had got into the screen and damaged it. Turned out it wasn't broken at all. When the phone was taken to a warm climate for a day, the puddle disappeared. I've always used it in a steamy bathroom or while walking in intense rain with no problems at all, don't know what was different about that one time.)

There are a number of problems with it.

Phones in classrooms for one. Most schools have to make the exception that staff can have them out to use them for 2FA which can then lead to problems with "I just took a photo of the kids showing me their displays", etc. on a personal phone.

And you can't give a kid a 2FA device, they lose them and break them. They can't use their phones (same reason).

Biometrics suck for that age-group (every biometric supplier I consult ultimately confesses that below the ages of about 13, it just doesn't work reliably because of body changes - facial, fingerprint, etc.).

Even passwords are too difficult for the younger ones.

About the only thing you can do practically is something like a Yubikey or similar... but that's expensive to deploy site-wide.