Posts by Lee D

Re: Sausages

Absolutely.

As someone who has spent a period of their life doing things like rummaging down the back of the sofa (and hanging around in order to pick up pennies in the street) just to afford the cheapest loaf of bread possible, the scale of buying "cheap" properly is one of the killers. It's also that horrible scenario of "We'll have the money for all this next week", "So what are we going to eat until then?" which can actually end up costing you MORE and putting you back in the falling-short-of-food category the same time the next month through no real fault of your own.

And then you get the "Well, you can't be short of money because you just spent £100 at Costco" idiots. Well, yes. But that lot will feed us for two months. Maybe not fully, we might need to buy 16p loafs of bread here and there but that's purely because they just don't fit in the freezer with all the other stuff. Reduce our electricity bill? Sure, I'll pull the plug on the freezer and we can sit in the dark, and cold, AND have no food by the end of the week too.

Some "big" items are necessary to make the small savings cost-effective. Fridges and freezers are one. Dishwashers you can live without, however. Even an oven/microwave (preferably only one of the two). But a freezer costing £40 from the local secondhand dealer will save you more than it costs in a year - including electricity - from food that would otherwise be lost or the cost of buying everything fresh. Hell, we used to buy potatoes by the sack, make one large batch soup, freeze it down, and live off it for weeks on end.

The problem with "saving money", and especially things like Jamie Oliver's tips (where the "1p because we only used 5ml of tomato ketchup" thing is rife) is that they aren't actually doing this with a hard limit. If you don't physically have the ability to produce that extra penny when required, you can't have it. That's it. And few people understand that. And to "get" that penny somehow means calling in friend's favours (which are too precious to lose over a borrowed tenner), losing some valued asset of some kind (did an awful lot of eBaying of assets at cut-prices during those years), or having to pay back twice as much tomorrow and being in a worse position.

However, it has to be said: If you're in this kind of position, and you have shiny new appliances, or the latest smartphone, etc. then you're cheating yourselves and others. I'd allow a cheap, second-hand computer. My ex- and I used to enter competitions online of an evening and that was our entertainment. We often won for no "cost" but our time. We used to get all kind of online discounts and vouchers and hints on how to save money and what offers were accepted where. She used to do online mystery shopping jobs and we often had to turn down retail mystery shopping jobs because we couldn't afford the £10 to buy an Argos Value kettle, return it the next day for refund, and comment on the service received (even if the company GUARANTEED repayment of expenses and costs, whether the refund was given or not). We didn't have a TV licence but we would have BBC iPlayer'd if it was around back then. The cost of a cheap throwaway machine saved you money. I was actually using an IBM Thinkpad 360 (with floppy and Windows 95) years after it was bin-fodder just to keep something in the house that could dial-up (local call rates with UK2.net and later as a backup to our cheap-as-chips PAYG broadband) and pay a bill online more cheaply, etc.

It's the people who literally start from zero that I worry about and would help out if I knew someone like that. But those who have a 4x4 SUV on the front lawn while moaning they can't afford a takeaway until the next benefits cheque? Zero sympathy. Stop having takeaways (except rarely when you've EARNED them as a treat), sell the car and buy something older and cheaper to run, and get on websites and start using your spare time to earn some money - or you'll be in that "hole" forever.

Re: They are computers

My non-gaming but not-cheap but certainly-no-longer-top-of-the-line laptop laughed at GTA V in it's native LCD resolution. Have you seen that game, it's gorgeous?

If a laptop with a 90W power supply (which isn't fully used, and yet the laptop has two spinning disks, screen, USB peripherals, wireless, bluetooth, fan, GPU, multi-core CPU, etc.) can do it, a huge desktop machine shouldn't be nearly 5 times as bad (the base gaming PSU is considered to be around 450-500W. Some of the graphics cards on PC's take MORE than my entire laptop sucks. And the performance advantage is no longer that huge.

And my laptop is a model several years old already. God knows what top-of-the-line gets you on laptops nowadays. I'm scared to imagine. The 1000 games on my Steam account "just work" and the laptop is on almost 24 hours a day even when I'm on holiday for work, leisure, browsing, gaming, travel, etc..

Re: Discovery

I stopped using powershell the moment I realised that a simple AD command to do something (I think it was related to promotion of a certain role, but can't remember off-hand) had gone from an 8-character name to something so long and unguessable that - even with autocomplete - there were ten similarly named, stupidly long, easy to confuse commands and that in any tutorial they had to be written out correctly and not jump off the sides of the screen when you typed them because otherwise it was too easy to hit the alternates.

That's not what you want when you're playing with AD in a Powershell box.

Re: I agree

It's virtualised. You have hassle, you put it back on a real machine and/or stick them on any machine and run the virtualised image from it.

The beauty of a virtualised image is that you can do this. Going from physical to virtual, however, is more tricky.

Yeah, surely if the coil is slightly nearer one edge of the card, turning it over will increase the chances of it working? Certainly with fobs this is the case.

However, what "non-IT" people don't realise is that just holding it ON the RFID reader does nothing. It has to be moving in order to induce the current to power the radio circuit inside it.

Re: Cloud?

I work in schools. I've done their IT for something like 15 years now.

The schools won't care about client storage. You either store on a server, or you store in the cloud nowadays. And you're hardly storing anything anyway. The sum total work of a YEAR of kids will likely be a few Gigabyte unless you're storing lots of video - and the video you store will be all the intermediate work and not their final product.

The magic words are "VLE". Everything is done with web interfaces and portals anyway, interfacing into user areas. Other schools use Google Apps for Education (which gives you UNLIMITED online storage for email and for Drive if you're a school). Most schools will have redundant broadband as an absolute minimum and leased line as standard. A lot of them host their own website in-house, for services like the VLE, OWA, etc.

Yeah, sure, the net goes down sometimes, but it's not "business-critical" in that sense. You can do a few days without it just by saving locally, using the VLE internally, etc. but some of your outside services might suffer. And on leased line, a couple of days is the only outage you really see and you'll have broadband (or even 4G) backup for that. I've run a private school with 100s of machines, tablets and users from a bunch of 4G SIMs when our dual-ADSL2+ broadband contract was severed against our will. We got in another broadband line within the week and leased line in replacement within a couple of months.

You know all those "bring your iPads to school" kind of places? How do you think they are operating? The cheap Wifi-only iPads (don't want to give the KIDS 3G because it has no decent filtering) are 16Gb and most of that can be used up with apps and the OS upgrades. They use the cloud offerings and the VLE etc.

Your ability to teach is not hampered while the internal network keeps running. Your external services (submitting homework via Google Drive, or downloading the question sheet from your VLE) may be somewhat hampered but it doesn't take a lot to make them accessible from the world in an emergency.

Hell, most places use software like ClarionCall (web-based messaging service for emergency emails/texts or even just sending the newsletter home), some use Office 365, a lot use Google Drive, remote-desktop, VPN, etc. It's not actually that crucial at all to have local storage.

In fact, my deployment image - with every piece of software and every driver for every PC and laptop in school - is about 45Gb. And on most clients most of that is unused. The biggest things you'll ever deal with are roaming profiles but if you're deploying Surfaces and Chromebooks, etc. they have an entirely different use case anyway.

There's no reason to need a lot of local storage in a school, or even a lot of RAM. The last year of so is the first school I've worked at that guaranteed 4Gb of RAM in every PC. And we run Windows 8. Properly managed, it's just not a problem even with a "login surge" every hour as one class logs out of every PC and the next class comes in and logs into every PC.

And the amount of stuff you have to actually keep? Well, you submit that to the VLE from your Google Docs or whatever, and it gets stored in the server and backed up with your normal file storage. You aren't losing anything and don't need independent storage for everything.

In fact, in my school, my first action was to ban USB keys. Rarely used, unreliable when heavily bashed about, a virus- and data-transferrence risk, and the cloud offerings we have do a better job for zero cost (I'm not issuing encrypted USB sticks to every member of staff just so they can take work home, and certainly not to every pupil).

In computing everything comes in cycles, thin-client, fat-client, centralised, decentralised, etc. At the end of the day you use both and all in everything you do. Thin-clients logging into VM's or using cloud offerings alongside fat clients for "real" work with access to the same data.

Site-wide wireless is the norm.

Tons of on-site servers, storage and services is the norm.

Redundant / resilient / leased lines are the norm.

VoIP and even SIP is the norm.

Cloud / Private Cloud (VLE) accounts are the norm.

The pupils are more than welcome to take their own backups but, you know what, when all your stuff is mirrored to all the possibilities anyway, they never need to. Google Apps for Educations offers not only AD authentication sync but even storage sync and EU-data protection guarantees (a billion times more than Apple does). And if you think on that as "working" space, but then have an official portal to submit "recorded" work (homework, coursework, etc.) it really doesn't matter if the cloud goes down or the Internet goes off.

"An Eu based employee can't be ordered to break eu law - but a US employee at head office can be ordered to remote in and copy the data."

The EU employees who provide that facility are, by definition, breaking EU data protection law.

It's against that law to provide access to someone who does not require it for their job, and also to allow that data to cross international borders. The courts interpret this to the extreme that even PROVIDING A POTENTIAL ABILITY to do such things is punishable (and, lately, with personal responsibility not just corporate!).

If you don't know this, and you work in IT in the EU, you really need to go read up on the EU law and case law.

Re: Forestry != woodland

If they could put some fecking finger-holes in their packaging, that would be great too.

I've unpacked many iPad Minis for work and there are no fingerholes to grip the internal box when you want to separate the top from bottom. As such you either a) tear said upper box or b) end up dropping the bottom box on the floor/desk as you shake it free.

Because of the wonderful "design" of these boxes, the iPad is also loose on top, glass upwards, without protection so the first thing to break if the box does open is the iPad itself. Then underneath that (again, no fingerholes so you have to "tip" the iPad into your other hand), there's a USB cable and plug which are sitting on the bottom of a big empty gap that would be perfect for, say, protecting the top of the iPad instead.

Everyone keeps telling me that Apple is all about the design and usability. I've yet to witness it in anything from the OS to the machines to the packaging.

Re: Is this a problem?

As SteamID's follow a predictable pattern, and free accounts cost nothing but an email address to set up, and spamming a thousand users can be automated using Steam's WebAPI, yes... it's a problem. Maybe they haven't got to you but I've had a dozen or so and two just this week.

The hope is that you'll add them as a friend, then they send you an IM with a link. That link - if you're daft enough to click on it - goes to a credential-stealing page and - again, if you're daft enough - if you log into "Steam" on that website it gains access to your account. From there, it has another account that it can quickly (and probably automatically) spread from, can steal all your in-game items, stored inventory games, Steam Wallet cash, etc. and pass it off - again, automatically - to some central accounts that someone can flog all the gear from on the market and get payback instantly.

By the time Steam catch up, thousands of items are involved, there's thousands of transactions to revert, etc. and they may never know which ones were genuine and which were just people selling on that item they traded for. The big-name games have been stripped out of people's inventories and sold on (possibly even for real cash, Paypal, etc.), they have enough junk to craft expensive items via an automated API, and sell those one to unsuspecting users. You can even go to other markets (e.g. TF2WH, etc.) and trade things across different games etc. until you find something that people will pay cash for.

Given the setup, if you can eventually get even a couple of hundred quid, you've paid for all the infrastructure, steam accounts, programming (more likely script-kiddie downloads), etc. and if you're malicious maybe even cheated and got the accounts VAC-banned.

And all by just running a program that creates free accounts, automates some chats, trades and sales, and a weblink with some dodgy Javascript on it that plugs captured details back into the program.

Re: Can't wait for... @AC

If it's an ordinary arrest, then terrorist stuff is irrelevant.

If terrorist stuff is relevant, then the COURT still gets to see the police footage.

If the courts still fail to convict police officers in the wrong, or convict innocent civilians with proof they are in the right, you have a problem that no amount of tech can solve anyway.

Everyone can moan, but police footage is a forward-step. The police footage of the recent murder-by-cop in America was released by the police themselves, and if they'd had body-cams, that would have been an invaluable instant-proof of what actually happened.

And if you claim police brutality and JUST at the moment that would prove your case the footage cuts out? That should be no different to concealing or destroying evidence in other ways. No reported problems but they ONLY happened when the prisoner was walking down the stairs to the cells, and then worked immediately afterwards on inspection by the tech support? Yeah, a court cannot ignore that without being - in itself - corrupt and able to ignore whatever it likes anyway.

There's a million reasons to have cameras and none not to. Put them on. If there's a sudden spate of cameras going off only at critical moments, then it's easy to spot the pattern and discipline the officer. In the same way, if their ID isn't valid, their car isn't roadworthy or their uniform not compliant, the officers in question will be asked to return to the station to pick up a replacement immediately and anything that "may have happened" in between will be heavily scrutinised.

Put bodycams on. Make them work in pairs, if necessary. So *BOTH* of your cameras both stopped filming at a critical moment just before? Mmm. Yeah, a court and your lawyer won't see through that.

This solves the problem with the trust in the police. It doesn't solve the problem of trust in the courts or other parts of the justice system. But it's the police that always get the rap from the public when the CPS decides they don't have evidence to prosecute etc. so that isn't a situation you can fix.

Restore trust in the police, though, and suddenly the public have a much better reason to trust them. Bodycams are essential in this, in this day and age.

Re: LeNOvo

Your OEM licence from MS explicitly gives you the right to wipe and reinstall a clean OS.

Maybe you can't with the restore disks supplied, but anyone with a brain enough to know about the Lenovo debacle and be worried about it can easily do a clean install of Windows on their fresh machine with the same licence.

Re: Don't like IIS?

A remote-root / DoS exploit in Apache that can take down your system? Those are so few and far between they are news items.

Heartbleed etc. is an information disclosure attack. It doesn't crash your servers. It doesn't provide remote-root. It doesn't take the server down to the point that NOTHING else works until someone comes along and manually intervenes.

Nobody is saying port all your IIS to Apache. What we're saying is: this is the cost of quick-and-dirty solutions. The licensing for your server, plus IIS, plus whatever web app you had developed? Probably could argue that it would have been better to stick on a "free" system and spend the money securing it instead. Hindsight and all that, but nobody's suggesting up-and-leaving IIS.

And though bugs exist in all software, this is a design bug. You put HTTP parsing into the kernel. That's just STUPID. If you'd asked me ten years ago about that, I'd have said it's stupid. You don't want the MACHINE crashing on a kernel level, taking every other service with it instantly, potentially losing data irretrievably, just because someone sent you a rogue packet. We changed the design of TCP stacks etc. years ago to get rid of junk like that, and the days of things like the Xmas Tree packets, smurf-attacks, fraggle-packets etc. are long gone.

I see any monoculture as a problem for a business, personally. If your app only works on Linux or only works on Windows, you have a problem. But reality steps in often and people don't care or realise about it. That doesn't mean that's the "right" answer. It just means that we make sacrifices from an ideal system to meet budget or time constraints.

However, it may well be worth investigating the budget/time implications of something like a simple script-kiddie attack on your server - almost identical to a decades-old Apache bug that never caused more than a service DoS on that software - taking down all your services in the hardest way possible (possibly inducing data loss) until you can patch against it.

Nobody have perfect home security. No business has the perfect lock on the door. But when you've been broken into a number of times by kids with lolly sticks, you might well be justified in thinking about upgrading, hardening or look more favourably on an alternative supplier next time.

Re: @ AC

As others have pointed out, I have used. I've deployed several hundreds of the damn things, if not an order of magnitude more.

If anything, that's even more damning when I then say I've never bought one for myself.

Did you know that OS X can decide it just won't update on a Mac and pop up invisible dialogs on a black reboot screen that you can't get rid out without plugging in / unplugging a physical keyboard? My in-house Mac expert also tells me that they have to have official Apple wired keyboards when the servers are caught-short and boot into safe-mode as without them you can't confirm to boot back into the server (we've tried with ordinary keyboards, doesn't work). We have several hundred iPads on-site at the moment, and do you think I can stop kids from changing the name of the device to "Fred sucks... ha ha ha ... lol... ".

How about that when the iCloud went down the other week, all our iPads went into an infinite loop of asking for passwords every 10 seconds with NO way to turn it off? No "No to All" or "Don't bother me again"? iOS 8.3 fixed it this week but probably because they only realised that was what happens after the iCloud had gone down.

Apple have some redeeming features, but they do not balance out the negatives, by a long shot.

And managing a device will show you hundred times more things to hate than just "using" a device. Because managing implies usage also, but on an epic scale for testing purposes under a variety of situations and configurations and problems.

It wasn't until I started managing Windows devices that I realised a) why they basically own the majority of business networks worldwide but also b) why network administrators curse MS on a regular basis. When it's one device, for one user, and you can ignore a quirk, or set things up once the way you want for you, then life is easy.

Re: Opt Out?

That's not a problem.

Use one-time email addresses at your domains.

When they distribute your address against your will, you file a claim against them for damages.

I once had a company contact me to sell a very specific product. The email they sent to was one I'd only EVER given to a company selling that product, but both were completely different companies.

When I dug deeper, I got a very embarassed managing director admit to me that they'd "had an employee" take the customer database of the other company when they left them, they joined the new company, and they'd just spammed everyone in that database for custom.

I just passed it off to the ICO at that point.

Re: @1980...

Not being funny but does Windows do any of that either?

I've never seen options in the Windows install process for screen-reading drivers or for even text-to-speech. Maybe if you bought it pre-set up, with JAWS, but otherwise how do you go about installing Windows like that? That's hardly a fair comparison.

And last I checked, Slackware had a particular install kernel and build just for screen-readers/text-to-speech and is (not entirely, but primarily) a CLI-based system. It appears that in 14.1 Speakup is part of the mainline kernel so it's not even a different kernel any more. If Slackware has it, I'm damn sure some of the more friendly distros must have options too.

But quite how often is a blind person going to be installing the OS from scratch on a computer they can't see? I wouldn't even like to try to get through initial Windows setup after a sysprepped install to a desktop they can start to install JAWS from, to be honest.

I'm sorry, but it's a very niche usage case and as such sees very niche usage and expensive equipment or not a lot of deployment and testing. How many blind people open up a DAB radio and can just get started, no problems? How many blind people can set up online banking for themselves without problems (with the key-code generators etc. nowadays)? I'm sure there are ways and means of doing those things that almost entirely consist of "let's avoid this and do it another way" or "let's get someone sighted in to do this".

Much as I might champion your independence, some things are just not built with you in mind and move too fast to always include and consider a niche usage.

Tell me when they give controlled, as a authorised, enrolled, supervised access with profiles and MDM's for the damn basics.

For iPads, you cannot stop people putting a passcode on (e.g. kids in schools using iPads) and nor can you stop someone with the passcode from changing it. But resetting the passcode is a faff if you don't know what it is.

You cannot automatically install apps from your MDM without having the "install apps" permission. That gives anyone the right to install apps. Your only restriction is age-related, but most of the VPN apps advertised to "bypass all filters" are rated as 4+ and Apple refuse to deal with the problem (I have the email if you would like to see it). So basically any idiot can bypass your entire filtering with a free app.

You cannot prevent people changing the name of the device, removing or changing wireless network details (there are tricks with profiles and device "supervision" but they can all be got around), and a whole host of other features that have been there for years and which can wreak havoc on any managed device. For a while, there was nothing stopping someone setting web restrictions and then "failing" the login for several dozen tries until the "next attempt" you were allowed was sometime next month. Now they have an option for "on/off" but still no way to override it or clear it if it does get turned on (short of resetting and reinstalling the entire iPad).

And why? Because all the MDM manufacturers can ever do is what's specified in the MDM API and it doesn't let you do half the stuff you want to do. And when it does, it only does so in such a way that there are myriad knock-on effects from assigning that permission. And usually it involves putting supervision on and off which requires physical USB connection to a particular nominated Apple server.

It's like group policy, but from back in the 90's when group policy barely let you change any options you needed to and so you ended up with logon scripts and third party utils. Except you can't put on any login scripts or third party utils that change those settings - at least not in a way that they can't be removed or reset or otherwise cleared off.

Apple devices are not fit for use for many of the jobs they are sold for. Things like the email client are chicken feed in comparison to the time and effort wasted trying to stop users turning on simple options. But, hey, we can have Family Sharing which we'll prompt you for every so often until you turn it on with no way to turn the prompt off until someone agrees to set it up.

I'm a firm believer in "If it ain't broke."

The problem comes from any sort of contingency plans, however. You always have to think "What happens if?". The scope of that varies based on the need and criticality of the system, but that often involves the question "What if everything goes and we have to start again from bare data?" If the only answer is "We have to rebuild it exactly as was", then that's a risk. The chances are you may not be ABLE to do that in the future, even on an existing supported system.

It's not a lack of skills, necessarily (though I've witnessed that too, and been brought to workplaces where nobody virtualised because nobody knew it was possible!), but a lack of foresight.

The problem also comes from "migration". That suggests, in computer terminology, a "move". Removing what you have, putting it elsewhere, losing the original. That's a STUPID migration strategy.

But there's nothing stopping a co-existence between the systems while wrinkles are ironed out. That's the PROPER way to do anything. Run both systems in tandem, actually feed the live data into both even if only one actually gives the outputs to other working systems. Check that both systems handle the same things in the same way within the same timeframe and are equally reliable before you THINK about switching the old one off. In that circumstance, there's no reason to avoid such migration.

However, virtualisation has its advantages to virtually (sorry!) every user. It's just a matter of getting there. I've yet to see somewhere that wouldn't benefit from virtualisation, to be honest. They may not want it, it may not be justified cost-wise against their existing systems, but its incredibly hard to find somewhere that wouldn't see the benefits.

And, sorry, but IT moves fast. Although I'm a stalwart and constantly get ribbed for holding back on new technologies, both personally and professionally, you do have to move on at some point. And it's at that point that you'll wish you'd virtualised years ago. Virtualisation is as old as the hills, itself, precisely because it's such a wonderful and established technology.

Migrating a large physical system is a scary prospect, but it's like emulation - we do this to preserve the system, to provide rollback, reproducibility, guaranteed knowledge that it's a working system once we get it up, and that we can get it up on any hardware that passes our way. The move from physical to virtual is horrendous, scary, prone to error, etc. But you never hear of people going back from virtual to physical systems, or struggling to move or upgrade their virtual systems around once they are there.

Virtualisation is a technology that won't die yet, and for good reason. Stay on your old systems as long as you like. They'll work. But run them on modern, supported, warranted hardware that you can get hold of in a jiffy and doesn't cost a fortune to support. And then when you want to upgrade, you can, safe in the knowledge that the old system is only a rollback/checkpoint away - exactly as you'd left it. Hell, even exactly as you left it the last day it was a physical system, if need be.

It might get individual attackers but entire botnets? No.

I've seen co-ordinated attacks from botnets where hundreds of separate and geographically-disparate systems will coordinate on the same username list to brute force the password.

For my systems, SSH is administrative use only, so it got put behind port-knocking. Mail collection from that machine is administrative only, so it got put behind port-knocking. Users who need it can be bundled with a port-knocking utility that runs on logon quite easily.

I'm not suggesting it for mass-email servers, but those should be managed properly anyway. However, for all those other servers that are offering SSH for administrative purposes, hiding them behind either a different port number or port knocking cuts out brute-force attempts immediately.

Your solution relies a single attacker only ever coming from a single IP. Even with your rate-limiting, a botnet of anywhere near decent size could still perform several million attempts a day just by handing off portions of a brute force task to a few thousands of its machines. And the chances of you picking up on it are even less, and the chances of blocking it (without affecting legitimate users) are near-zero.

I'm fast moving all external provided services to be behind the VPN for known users. There are few devices these days that can't handle VPN'ing in to get a job done. For public-facing services (website HTTP, SMTP) rate-limiting is all you have and only keeps the most stupid of brute-forcing idiots away. However, for my use (where my personal server is only logged into by me, but potentially from multiple locations unknown beforehand) I find port-knocking the middle-ground that stops all brute-forcing while allowing me - with one extra click - to get everything I need access to. At work, anything critical is behind the VPN and the VPN is certificate-managed and rate-limited.

Re: re: Lee d

You don't.

An unencrypted (passphrase-less) or well-known-passphrase network is inherently susceptible to SSID duplication attacks. You just set up an SSID with the same name and same passphrase and people will join it unless they happen to know the original BSSID (which nobody publishes or takes any note of).

This is why PSK is pretty insecure for such things and why ALL public wifi with well-known passphrases is just basically an open connection that should be firewalled off, VPN'd through or limited to SSL-based usage only (even there, there's the possibility of DNS-spoofing until we get DNSSEC and SSL is heavily tied into DNS being authoritative).

But that's not the point. Not only are you joining a wifi network, you are then accepting a pushed profile onto your machine. This is akin to installing a piece of software - it's like going on Starbuck's wifi and then your browser is replacing your page with a downloaded executable that you then blindly run.

1) Stop using public wifi as any type of trusted network. If you have the passphrase, so does everyone else, and they can spoof the network and/or decrypt your communication anyway. Public wifi is untrusted, hostile, Internet. That's all. No matter what else they tell you. Until they start issuing proper signed certificates etc. to prove they are the original network (which is a nightmare for client installation), they aren't secure. And the closest "security" they can have is to tell the owners (if they bother to look) that there's a identically named network with the same passphrase nearby. In very expensive Cisco Meraki networks that are deployed in such places, you get an email alert as an administrator and you can try to "contain" the network (which means blast it off the airwaves with client disassociation messages, as far as I can tell).

2) Don't install things that just pop up unexpected. Profile installation is a system-level action on Apple devices, and profiles are capable of installing any amount and severity of settings. You cannot install one "accidentally" without clicking through a lot of scary dialogues.

This isn't a "stupid-Apple" attack (and I am quite happy to jump on those normally, as I hate all Apple products with a vengeance and have NEVER owned a single one). This is a "stupid-user" attack. If you perform similar actions on any other OS, the same problem with occur, vulnerability or not. You're taking incredibly stupid and high-end actions on your system based on something random and untrusted popping up on your screen despite lots of large scary warnings.

Re: So just what does 'charges in minutes' mean?

"Quick charging" claims are always bogus.

The only way to manage that is to have incredibly high voltages involved, which become a danger themselves as that allows them to arc more easily. So you'd need something like a 400V battery to make it sensible, and step-down circuitry in a mobile phone to get it back to sensible levels.

And the batteries we use everyday, worldwide, tend to be thoroughly in the stupidly-low-voltage ranges. 12v is common, 24v is around but less common, anything higher is considered "specialist" and usually purely to avoid high currents as you specify (most larger home solar installations are 24v purely because it then halves the current so you can still use the same cables/charge controllers without having to upgrade - in some models, the charge controller and cables are identical between kits and you just change the batteries for 24v batteries as you expand the system capacity).

Your house probably only has 100A incoming at most. You're basically saying that you're going to deliver enough current - for a short time - to power your entire house. You're talking bomb-level energies here if that goes wrong.

There's a reason that even electric car chargers are still basically 240v (or even 400v) and HOURS of charging. I have a 32A commando connector (building site 220v connector) on the side of my house. It powers a 20A electric kiln to 1600 degrees. It's a scary amount of energy, and a scarily thick cable to do so safely, and cable thickness is related only to current, not voltage - I^2 * R. I could charge an electric car with it and it would still take hours. And, yes, that's 240v but the reason we use 240v is PURELY to decrease the current-carrying-copper-thickness required for currents (at 12v AC with the same power, we'd be pushing 20 times the current, up to 260A, just for a normal 13A appliance - and 260A requires something ludicrous like a 30mm-thick conductor for each part of the cable).

What they are suggesting is that your mobile phone charger would somehow build up that amount of current (I assume it would build it up over time and then deliver it in one quick charge, like electric welding kit, as otherwise it would just fuse your house) down a tiny cable into a tiny battery, and get the charging time EXACTLY right and be able to detect faults quick enough to stop before the battery blows.

It's ALL a nonsense.

Quick charging won't happen until we have high-voltage batteries, chargers and convertors small enough to put in the devices in question. We haven't bothered to do that for electric cars yet, so fast-charging of mobile phones or AA's is still a nonsense. There's a reason your laptop batteries are 19v, because that keeps the amps down (2-3 in your average laptop?). At 12v, the same power would draw up to 5A, which needs thicker conductors throughout.

Increased power = increased current or increased voltage.

increased current = thicker cables

increased voltages = more difficult voltage step-downs, less common hardware, greater arcing distance, etc.

There's no way around it.

"Alarm"

"BT outage"

Join the dots.

Have always done this.

As far as I'm concerned, a modem or cable router or ADSL router is just a modem. It's also the "hostile" side of the network. Invariably I then plug it into a real router/firewall that I have control over. Historically, for both work and personal, that's been everything from a Freesco single-floppy-linux router, to Slackware distributions, to WRT54G's with custom firmware, you name it.

Currently my Virgin Superhub is in modem-only mode and goes to a proper firewall. Even then, doing something like DMZ'ing my machine to the world would trigger the software firewall on the individual clients too (not to mention the IPS on the firewall). Hell, for many years I used to VPN across my internal home wireless network because WEP couldn't be trusted and WPA2 was too expensive to deploy. And I'm a gamer and it barely added 1ms to my gaming pings, even over wireless, even with all the house machines doing the same (so there's really NO excuse).

Sure, you might get into my modem, but the modem isn't party to anything SSL-encrypted anyway, and all unencrypted stuff I assume is perfectly sniffable by anyone else on the net - if they are in my modem or not! And trying to get into the local net from there will be blocked just as any other malicious traffic coming from the Internet.

I deploy work and home networks this way precisely because of problems like this. You can't trust the cheap routers you're given by your ISP and you can't even go out and buy a decent home router and trust that alone.

At my previous workplace there was still a pile of untouched BT ADSL2 routers in their boxes and wrapping because we never used them. Their replacements were pure modems that didn't try to offer their own wireless / BTOpenZone, etc. that went into a Linux router with multiple Ethernet cards, which secured the 500 users behind it and load-balanced the connections.

At this workplace - same thing, but with a set of Cisco routers doing HSRP failover in between so the Linux machines doesn't have to.

Even bridging / modem mode, however, is not a defence in itself - in the same way that it's possible for YOU to turn it back into a router with DMZ to the network, it's possible (theoretically) for an attacker to do the same. Virgin SuperHubs still offer a web interface on 192.168.100.1, I believe, that lets you turn modem mode off and the firmware auto-updates. One slip in that configuration and you have a modem that's working against you.

Always put something in front of it, even just for one machine. And if WPA2 is ever weakened, investigate putting VPN over local wireless links. It costs nothing with OpenVPN, IPSec functionality in Windows, etc. And when, as often happens for me in work, you come up against odd traffic flows you have a machine on the border already that you can analyse traffic from without needing to port-mirror or use DMZ etc. to diagnose it.

Re: Old lady rolling backward

"And you can keep repeating that to yourself as you admire the lovely dent she's made in your nice radiator, while she drives off having not noticed the impact. Personally I'd prefer she (and everybody else) has the electronic handbrake."

1) I don't drive any car that I would care about a dent in.

2) I have a £30 dash-cam that operates even when the car is off.

3) Personally, I'd prefer that we got those users off the roads rather than give them gadgets they're reliant on to do something as basic and in-your-driving-test as a hill start. A good way to do this is to show the police footage of them hitting your car, not noticing a collision involving damage / injury, and driving off without exchanging insurance details - because that's basically their licence gone in one fell swoop and a massive wake-up-call if not.

Let's stop compensating for idiots, and get them off the road. (And, yes, despite not caring about my car, if you hit it and drove off without so much as putting a note on my windscreen, I'd prosecute).

Re: Second server room

As someone who is in their current job because the previous guy did not backup (yes, you may now pass out in disbelief!) and their RAID5 went screwy and they lost almost everything (literally, all they had was what came back from data recovery and what could be recovered from client PC's roaming profile caches!):

I'm with you.

I work for a school. My "prime directive" when I was hired is to ensure that kind of data situation can never happen again. By the time I came in, they'd got some data back and got as far as throwing some storage onto the network to get operational, and backing up to that every day but my remit was to just do what was necessary to ensure business continuity if the worst happened again.

So, although we don't have two sites, we are one LARGE site separated into many buildings. Which are all joined together with fibre. So why are we messing about? Stole a cupboard. Slapped a rack full of server blades into it, replicated everything across. That's our "Whoops, a cable has been cut" live copy. Always available, always idle, does nothing but replicate the main servers. Don't fall into the trap of USING those severs to do things because they are idle - they are THERE to do nothing at all until needed, and you don't want to find out that you don't have room/memory/capacity to spin up your secondaries because all the other junk you loaded is taking precedence!

We already had a backup NAS device, so we bought five more. One pair go off site. Now you have daily, weekly and monthly too, and offsite. Now we're in negotiations with other schools to mirror VM across to entirely separate locations so long as we provide in kind too. With encryption, VLANning, VPN, etc. there's no reason not to. And I'm still considering a "cloud" backup provider as another fallback. Yeah, it may take days to get my data back from them. But knowing it's there is invaluable.

The one thing that's absent? Tape. We don't use it. I'm not sure I understand it's purpose in a modern system, to be honest. As you state, so long as the version control is available (even if that's by rotating a pair of monthly offsite disks and PHYSICALLY TAKING THEM OFFLINE), there's little to use tape for.

Cloud is just "remote servers". If that's your own remote servers on someone else's network, that's still the same - whether that network is another site, another company, or a datacentre that you host with. So long as you have other backups, and access to those backups somehow, it's just another part in the same plan.

Backup strategies are a product of multiple tiers of speed, latency, and network "distance". You have things you can get backups from in a second, and others that might take a few days. You have things that are only 15 minutes "latent" compared to your system, and things that are months or even years latent in case you need to go back that far. And you have things that are on-hand with multi-gigabit connections, and things that are on the other side of the world/country/city with slower connections.

Mix and match to get one of everything and you have a backup system.

So long as it's as properly managed as any other, there's really no need for cloud, or (similarly) to dismiss it.

Re: Methanol

Though you can certainly "point" a radio telescope, that's like "pointing" your wifi - you'll see more signal from that direction but you'll still collect from a complete sphere of emissions near you too.

Question: Why does the Roomba need fixed beacons, and why do they have to be radio, and why can't they operate in unlicensed frequencies (I know the answer to the last one - because then anyone could make a cheap Roomba beacon...)?

"So hi-tech, you need to stake out the garden with radio kit so it doesn't bump into stuff"