* Posts by Lee D

4634 publicly visible posts • joined 14 Feb 2013

Eye laser surgery campaigner burned by Facebook takedown

Lee D Silver badge

Re: Another solution

Certainly don't host your content on them.

Host it somewhere else under your control and link it in, then you never lose anything but exposure.

All the companies I know that do social networking post to one place that is sucked in via RSS to all their Facebook, Twitter, etc. and usually just links with shortlink to their "official" website.

That way you can be "removed" but not silenced.

Lee D Silver badge

Re: Depends on perspective

I still have a rejected comment submission on my profile on here because it happened to diss a famous recruitment agency that was pushing sponsorship The Reg's way.

I was most miffed at that. I thought The Reg was better than to censor comments in such a fashion.

Crypto collision used to hijack Windows Update goes mainstream

Lee D Silver badge

Hashes have many uses, some of which have no security impact at all.

Consider data integrity hashes on your own stored data. If a malicious agent could get access to your backups and their hashes, that's game over anyway. But if a hash differs on one of your backups to the others, you know there must be data corruption or loss somewhere.

It doesn't render MD5 useless, just insecure. There's a difference.

I put the MD5 routines into the game OpenTTD, for instance (the code has long since changed, I believe). It checks that you have a copy of the original GRF (graphics data) files from the original game and whether you have the demo or full-version, and DOS or Windows palettes for them based on the hash. Unknown hashes flag up a warning. Someone who WANTS to feed in a fake GRF would be pointless.

But we found a lot of people who had corrupt copies of the original GRFs from their old backups that were generating support tickets that nobody could fathom. For most, it meant that they then knew they'd got dodgy backups and they just replaced it with the originals. For others, it meant they'd been modifying the GRFs and so generating tickets because of their own mistakes. Despite their arguments, when they are the only ones on the planet with the GRF files corresponding to the hashes they posted, you know immediately they are either using a corrupt or edited GRF rather than the supported original GRFs.

Obviously, if they wanted to fake a support ticket, they could just say that the program never warned them, in the same way someone could edit a kernel log to remove references to the taint flags. It's not "secure". But it is useful.
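An added example (not part of the original post, and not OpenTTD's code) of the non-security MD5 use the comment above describes: identifying a data file's variant from a table of known hashes, warning on unknown ones, and spotting the odd copy among several backups. The file contents, variant labels and function names are constructed for illustration.

```python
import hashlib
import io
from collections import Counter

# Constructed stand-ins for the original data files (hypothetical contents).
ORIGINALS = {
    "full version, DOS palette": b"constructed DOS graphics data" * 64,
    "full version, Windows palette": b"constructed Windows graphics data" * 64,
    "demo": b"constructed demo graphics data" * 64,
}


def md5_of(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large files need not fit in memory."""
    # usedforsecurity=False (Python 3.9+) marks this as an integrity check,
    # not a defence against someone crafting a colliding file.
    digest = hashlib.md5(usedforsecurity=False)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


# Table of known-good hashes -> variant, as a support team would maintain it.
KNOWN = {md5_of(io.BytesIO(data)): label for label, data in ORIGINALS.items()}


def identify(stream):
    """Return (variant, warning). An unknown hash produces a warning only."""
    file_hash = md5_of(stream)
    variant = KNOWN.get(file_hash)
    if variant is None:
        return None, f"unknown file (MD5 {file_hash}): corrupt or modified copy"
    return variant, None


def odd_copies(copies):
    """Given {location: stream} for copies of one backup, return the locations
    whose hash disagrees with the majority. With no strict majority, every
    copy is suspect because the hashes alone cannot say which one is good."""
    hashes = {loc: md5_of(stream) for loc, stream in copies.items()}
    if not hashes:
        return []
    (top_hash, top_count), *rest = Counter(hashes.values()).most_common()
    if rest and rest[0][1] == top_count:
        return sorted(hashes)
    return sorted(loc for loc, h in hashes.items() if h != top_hash)


def flip_one_bit(data, offset=100):
    """Simulate bit rot: return a copy of data with a single bit changed."""
    damaged = bytearray(data)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    good = ORIGINALS["full version, DOS palette"]
    bad = flip_one_bit(good)
    print(identify(io.BytesIO(good)))
    print(identify(io.BytesIO(bad)))
    print(odd_copies({
        "nas": io.BytesIO(good),
        "usb": io.BytesIO(bad),
        "offsite": io.BytesIO(good),
    }))
```

The check only distinguishes known files from unknown ones; anyone able to edit the hash table or suppress the warning bypasses it, which is the limit the post itself points out.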

We're doing great, say dot-London chiefs ... Unfortunately, few agree

Lee D Silver badge

Re: I just don't get these new TLDs

The days of someone owning the .com and wildly guessing that to be so are long gone. You google them, nowadays. I remember when novatech.com was actually a military supplier whereas novatech.co.uk was the company that sells computer stuff. After the third time you do that, you no longer assume and you Google or remember the domain.

Hell, people don't even know how to type in addresses any more, they just google them - I'm not joking. People will Google "GMail" and then click the link they know works.

Domains are dead. Certainly owning the .com for a brand is not guaranteed by a long shot. And the home idiots are googling what they want, rather than typing in the address anyway.

In that climate, there's absolutely no need whatsoever for a domain name besides vanity. Let's call these what they are - vanity domains. And bought by the same people that want to own B1TCH as a number plate.

I can't remember the last time I actually bothered to type in an address that wasn't written down exactly (e.g. in an advert), or well-known to me. Nobody takes a stab at .com addresses "just in case". That's a perfect way to end up on a scam site.

IPv6 web starts to look like the internet we know

Lee D Silver badge

Re: Economic incentives

What teething problems? We've had several IPv6 days. Every server OS and service you can think of supports IPv6 out of the box.

And if there's a problem moving a service to IPv6 - that's what IPv4 is still around for. Nothing stops that working, but IPv6 just gives you another new avenue to try out.

Honestly, the teething troubles are long gone. People just need to start turning it on. Your mobile phone already uses IPv6 if it's anywhere near modern. Unfortunately, some places - like this very website - can't be bothered to add IPv6 to the list of modules and reboot their servers.

Lee D Silver badge

But no Register yet?

Told you guys - you can do an article on IPv6 when you start publishing a single AAAA record.

Microsoft now licensing Windows by the user, across multiple devices

Lee D Silver badge

Re: does this fix anything?

And that's exactly what Microsoft doesn't want.

If you have to pay by year, they guarantee their finances for decades to come.

If you can not bother to go to Windows 8 and not pay them any extra, then you won't.

Making an entrance: Remote door-opening tech

Lee D Silver badge

Re: I have a small metal key

If you're installing such systems, at least one lock should be fail-open, rather than fail-shut. Otherwise what happens if you get a fire in your electrical cupboard?

But the cheap solution is even more simple - buy the cheapest, junkiest UPS you can buy. At access-control wattages it'll probably do 8-10 hours, if not a lot more. That's why your burglar alarm has one inbuilt - it can still go off up to 24 hours after the power goes out, and attract attention or phone you.

Honestly, if you have even a CCTV DVR or an access control system, £50 for a UPS that runs them all is a drop in the ocean. And handily will give you a serial-cable notification of the power going out so you could, for example, instruct it to unlock the doors in an hour's time if you're not home when it happens but will need to get back in.

Extended blackouts are one of the high factors that attract opportunist crime. Just keeping the little blinky lights on your alarm at that moment would be enough to deter most such opportunism. You don't pick the house with the big noisy alarm and flashing lights when everyone else's house is in pitch black and dead silence because everyone else is waiting for the power to come back on.

Lee D Silver badge

Re: I have a small metal key

Keys, as an access mechanism, have sufficed for thousands of years.

However, they require physical conferral of the device in question, which is a security risk. Note the numerous mentions of house guests, parcel deliveries etc.

It's useful to have a way to allow a random person in, on your authorisation. You can tell someone a PIN over the phone, you can't give someone a key.

And 3D-printing may well make keys dangerous. A quick photo or even video of your average key, let alone a few seconds of physical access, will give you enough information to make a viable copy, and lock-bumping basically makes 90% of the locks out there key-less with about an hour's practice on a box of old locks. There's also a reason you should change your locks after you've misplaced a key, whether it's returned to you or not.

I'd rather have electronic access. But this is too much. And, yes, at least one of my doors would be accessible by an old fashioned unpowered lock, in the case of an emergency. Though I'd make it the one that requires the greatest faffing to get to, i.e. jumping the fence etc.

Lee D Silver badge

Re: Re-boot

If you buy cheap junk, yes.

There's nothing stopping you fitting some serious hardware around even the cheapest of locks to hold it in though. London bars etc. can be adapted to strengthen even the crappiest of locks and, don't forget, your hinge is probably the weak point by that time anyway (especially if you have only two, one top, one bottom, leaving the point of greatest leverage unbolstered).

Personally, I'm quite impressed at basic locks. Even mag-locks are now quite serious. £20 can get you a 500kg holding force mag-lock that put a handful of watts. That's pretty impressive. And, yes, I have hung off one fitted to a metal gate at work to see if it was true. And, no, I don't think you'd open it short of cutting the power which generally requires cutting through an armoured cable or steel fence post anyway.

The problem with security, as always, is not to make the door unkickable, but to make it the least likely alternative. Anybody wanting in will get in, through a window, or just bringing a sledgehammer and making a hole in your side-alley (you could kick any half-decent brick wall down if you tried and had good boots). It's not about absolute security, it's about the effort and sometimes noise/suspicion required to do so. And, like car security, how long you'd be there trying to do it.

I doubt most people even have a front door that would stand up to a few good kicks anyway. The point is that doing that is risky, noisy, obvious and attention-attracting and might still leave you with an aching leg or splinters in your thigh. And so smashing a window is an easier way in.

There's a reason the police have those door-opening battering rams that can be operated from a standing position in one hit. But it's not because that's the best way to gain entry. It's because it gets entry into almost every house and can be repaired quite easily afterwards and there's much less chance of showering someone in glass shards.

Lee D Silver badge

Overpriced junk.

I can buy a whole-house access control system based on business use for that price. Maglocks on the doors, control units, RFID readers, PIN-pad entry, the works.

Even on a cobble-together budget with those products you're looking at over a grand before you even start fitting.

Get a couple of mag-locks for your gates, and the various entry locks (they normally just replace the lock on the door-frame side of the lock) for the house, and a simple controller (there's a PIN-pad and RFID - in whatever combination you like - one on Amazon for £10 with 12V relay control...). You've already had to build a Fritzbox and run a relay cable to remote control it, so you haven't lost any functionality.

And, my biggest question about doing all this (as I have the parts and the know-how and have considered doing it on my house) is what about the insurance? House insurance typically demands a certain standard of lock and access control does confuse things on non-business premises.

Hell, I had SMS / telephone-controlled relays rebooting the ADSL modems at my previous employer - one 3G stick, a pre-pay SIM, one physical "button", one Velleman K8055, an old car relay and anything you can be bothered to put on the other side of it. My employer used to be able to reboot the modems with a text message (with customisable PIN, or other commands!) from anywhere in the when the VPN fell over.

Either cobble-together cheap components, or buy an expensive all-in-one solution. Don't cobble together expensive components.

BT: Consumers and cost cutting save the day

Lee D Silver badge

OpenReach failing?

Not got anything to do with the leased fibre line my employer bought through them, which they spent six months doing nothing about. Then turned up on site with two men who drilled a hole. Literally one hole. Even phoning their boss to check that was correct. The next guy ran a fibre tubing following the existing telegraph lines and left it dangling on the first building it hit, some dozens of metres from the point of actual installation.

Then a month of shouting later another guy came and ran some fibre tubing but only brought half as much as was needed. So left three hodge-podge parts of tubing he had leftover in the van to try to get to where they needed to go. Then a month later another guy came, looked at it, and realised they weren't able to join it back on the main street anyway. Then there were promises, promises, promises and arguments and before long our November order which had become an April install was into September with nothing more than a piece of plastic tubing and a hole to show for it, with promises it might be ready for the next November.

At that point, we phoned up and cancelled the order. The next week an OpenReach guy was asking for access to the site. We told them where to go.

Their competitors? Currently digging a 200m trench to get to us, with guaranteed December delivery, faster speeds, cheaper prices and constant contact.

I wouldn't mind but I work for private schools. I can't imagine that's a bad class of customer to have for an always-on Internet connection - several hundred high-paying pupils all wanting to show video online, totally dead connections overnight, and a gigabit fibre that we can ramp up the speed on any time we have the money.

OpenReach was a farce. It cost them a couple of other schools too as we spread the word. A year taken to drill a hole and push a pipe through it, and they didn't realise they never had space enough to fit the fibre anyway.

UK smart meters arrive in 2020. Hackers have ALREADY found a flaw

Lee D Silver badge

Re: Faraday cage

Mine's in an under-stairs cupboard. The cupboard is used for routing my cables through. I predict that a fair amount of Cat6 cable in there is likely to interfere with anything trying to get out wirelessly, as I already struggle to grab a mobile signal in the house, let alone in those dark depths in the middle of the house.

And I was originally intending to put my Wifi in there - it seemed nice and central - but the signal was atrocious before I started putting cables through it.

I'm not saying I'd go out of my way to make it not work, but I think they'll struggle to make it work even so. And, sorry, but you're not going to relocate my meter just on the basis of that. The meter's been there for decades and the house designed around that and I'll be damned to have something hanging off an exterior wall and blocking my side-alley.

WHITE HOUSE network DOWN: Nation-sponsored attack likely

Lee D Silver badge

Cyber-warfare is being used as the next excuse for real warfare.

It's incredibly easy to "blame" the Russians or the Chinese or whoever the flavour of the moment is for such attacks. It would also be incredibly easy for any nation state to fake or proxy such an attack coming from the country of their choice. To say that any one nation is responsible should be taken as seriously as saying that they put spies in the White House, or something similar. It's a serious accusation that needs serious proof to back it up. Saying the packets were traced to China, or hinting that you think the Russians don't like you at the moment is not proof.

And there have been several statements from representatives of large nations drawing a parallel between a cyber-attack and a real one and offering retaliation in non-digital forms. This is a slippery slope.

Now imagine there's a world leader who WANTS to start a war. What excuse do they now need past getting some Chinese spam on their systems or some script-kiddies proxying from China? It's dangerous.

If your network is THAT BAD that you can't work out who's attacking it or stop them attacking it after three weeks (classified or not), then the problem is yours. You can't go mentioning nations that you don't like and blaming them for it, or even hinting they could be behind it, until you can prove that. Which, generally speaking, you can't.

Stop trying to create an excuse for a real war from a handful of bits coming to your computer.

Looking for a job in Europe? Experienced IT staff needed in UK, Italy and Germany

Lee D Silver badge

Re: Pay seems to be going down

Cheap labour is cheap labour, and the going rate is at that price because it still gets the applications in. You and I know that it means you hire a lot of monkeys, but IT is so flooded in "I know a bit about computers" people that the rates plummet.

I don't think in my last 8 years of jobs have I been paid the advertised wage for very long. The rate at hiring was either more than the advert, or it was re-negotiated soon after. Get them to want you, then talk money. You'll be surprised how flexible they'll be at that point - they've already committed to you in their heads and will take (and expect!) a few grand hit to actually getting the candidate they want.

Last place I went to asked me what I wanted. I hate that. I always undersell myself. But got previous wage + promised (but undelivered) raises at old workplace + 20% as the starting salary.

The problem you have is that it's not a problem you can solve. If people are willing to pay 18k for a permanent member of IT staff, they know what they are getting or will soon find out. If everyone is doing that, there's a reason - it's good enough for them in the long run. Hence, there's little point challenging it. The job market is just flooded in people who will do that job, to a similar standard, for those prices. If you can differentiate yourself, then moving to a tighter job market is the only other solution.

However 1300 applications is incredible. There's something wrong there. I left my last employer back last September. I immediately applied to a temping agency and started looking around for jobs. I had applied to two by the time I'd been offered a permanent position (it didn't start immediately, but the paperwork was there and ready to go). I spent six months temping, and never had a day out. I bounced from one place to another while the agency found me something, and ended up staying at the last for five months. Hell, they gave me a leaving present when I went. Sure, it was temp work, and it was several grades below my normal level, but it was enough to be getting on with.

I can only imagine that your expertise is quite specialist, or that you lived in an area devoid of all work (not just IT).

I don't think the job market is any worse than it ever was. People say that, but the previous generation had worse trouble and got through it. I just think that schools are giving unrealistic expectations and not enough realistic training. The people you can pluck at even minimum wage and who'll do a good job and progress are few and far between. And a lot of them aren't even worth minimum wage (I agree with the concept of minimum wage entirely, I mean that they don't step up to justify even paying them minimum wage compared to others being paid the same).

IT definitely has a lot of paid monkeys, that's for sure. But I'm not sure it's as cataclysmic as it's made out to be - or employers would actually be paying more.

Lee D Silver badge

I would judge that person more than someone who's not had any IT work at all in their lives.

With VMs, tech previews, evaluations and a ton more, I would worry about someone who's not only allowed themselves to get stuck in a rut and can't poke their head above, but also complains about lack of training when they aren't doing stuff themselves. And when you get into stuff like Linux, free Hyper-V hypervisors, etc. there's really no excuse for not having tinkered with something. That your employer didn't want to actually deploy it is neither here nor there.

I'm not saying that's you, I'm blowing up one comment to become a persona here, but I worked as a "roaming tech" (I hate the word consultant) for many years - zero equipment beyond what the place had already, no budget to get new stuff, emergency cases in dire situations, stuff I've never had to deal with before and need to learn "on the job", and then "oh, can you just make it do this" and I came through without any "training" of any kind. In fact, where offered I actively refused because it was unsuitable and/or only trained me on what I already do day-in, day-out.

I never expect anyone to have used a particular product, or feature, but I expect them to have an outline of what it is, have played with similar features and - even if it means clarification like "Hyper-V is a virtualisation hypervisor" - that they can then pick up on it and go "Oh, right, well, I've played about with some of the ESX / VMWare stuff and I've done a bit of Xen for my own stuff but I haven't touched Hyper-V personally".

The answer "Nope, I've never deployed it outside my personal test environments, but I think I have a grasp of what's involved because I've done a lot of tinkering on my personal test network at home" is actually VASTLY informative to an employer. It means you're happy to admit holes in your knowledge, happy to play and tinker, able to do these things off your own back, have some experience of the concept, have taken the time to learn on your own time, and are not scared to say "Never done it 'for real' but I'll have a go if you're okay with that".

I have to agree with your last paragraph. But if you've been in a position for 3 years and not progressed in some way, I judge that person just as much for not having stretched themselves, done things on their own time, etc. I'm not a "management" sort, except in job-title. I'm purely functional and hands-on. But I worry about people who need "training" to have booted up something in VMWare and played about with the new features. Hell, when a new OS comes out, I pretty much compete with those around me to find the holes and the problems in it as soon as the first public preview is available.

The best teams I've worked on, are basically competition over who's deployed some new technology before. Then you become the "virtualisation guru" of the team because you've done it a bit at home. Then someone else starts putting in some HA functions into your hypervisors to beef them up and "beats you" because they read something on Google and try it on the test network. I've had competitions over who could deploy a PHP-enabled web server first back when PHP was new to us, and one of us did it on Linux and one of us heard it was possible on Windows. The thing never went into service, but the curiosity was there.

Sure there are some dead-end jobs, but the point of IT is that like most other professions (as opposed to just "jobs") you HAVE to keep on top of it. A doctor who doesn't research a strange condition he comes across or a lawyer who doesn't bother to read the new legislations would be out of a job soon too. Or stuck doing only the stuff people tell them to do.

Please note, I have no industry certifications. I have a degree in mathematics. But I have had a career exclusively in IT for a decade and a half. Because when someone says "Our servers are a little overworked, there's a bottleneck here, what can we do?", I go research the answer.

Don't expect training in IT. It doesn't happen. Because those who need it you won't want to give it to them (a little knowledge is dangerous) and those who you might want to give it to don't need it.

Lee D Silver badge

Training?

What's that?

You mean when my employer pays thousands for me to sit in a conference hall listening to waffle, while some old guys drag the session back to basics and I'm led through a click-through tutorial of what menus I need to click on in the new versions of Windows?

I'll stick to the "We need this" - "Right, we'll need to set up DFS, install new hypervisors, we should look into failover clustering, this 2012R2 feature looks nice, wonder how well that integrates with Windows 10, we need to work all this out by the end of the month so we can start deploying" method of training, thanks. Seems to have served me well for over 15 years.

Find My Phone does just one thing but Samsung's messed it up

Lee D Silver badge

There's a reason that I don't automatically sign up to certain things just because I've bought a new phone and they look "cool".

I think about the consequences if it goes wrong. Not deliberate or malicious attacks, just what could happen if a server somewhere decides to go muppet and link my ID to someone else's or something.

When I bought myself and my girlfriend an S4 mini each the other month (having given it sufficient time to bed-in as a cheap stable device), I went through all the options, turned off or "skipped" anything that I could see going wrong. I have to say, reliance on outside servers features heavily. There are still half-a-dozen apps that prompt me every time I do an "Update All" because I don't agree with their permissioning and don't even want them anyway.

Linking in the Samsung Account - never even did it. Find My Phone was pointless against the in-built Google one (and I do have a Google Account, and did see value in putting it on the phone). However, even there I disabled the remote-wipe / remote-lock features while still retaining the phone-tracking (lost my phone the other day - if the battery hadn't been completely dead, it would have been very handy - as it's proved itself when I've lost it in the past).

The Samsung stuff is just junk. All the Samsung apps I've hidden or just completely uninstalled. About the only one I ever used on a previous phone was the Memo app but that's complete junk and over-complicated now, especially compared to Google Keep.

There are reasons that I just don't turn on this kind of stuff, and lock down the settings so only I can use the device anyway. This kind of vendor-reliant junk is not only open to attack, but just open to cock-up too. I'm not saying that I'm immune, but these features are really just a problem waiting to happen.

Internet-activated remote-wipe. God. I can see the use in business, where anything critical is backed up, all the devices are passcoded and encrypted, and when something goes missing you KNOW it's gone missing, can wipe and rebuild in a few moments if it's brought back. But for your own mobile? No. Not nowadays. Just encrypt. Without the encryption key, nobody can do anything with it. Inform your telco and get the IMEI blocked and forget about it unless you want to go and hunt it down.

Shellshock over SMTP attacks mean you can now ignore your email

Lee D Silver badge

I think the news is not that people who haven't updated bash are vulnerable. That much is obvious.

The news is that there's another major sector of programs handing off to bash in order to do the simplest of things (read the mutt post above). While that appears fine, it's something that not many are aware of, and means pulling in a huge codebase into the path of your external network functions that just increases the attack vector and makes it harder to effectively audit the code.

The problem, ironically, is systematic - not bash - in that we're relying on the shell to do far too much. The "one tool for the job" mentality of UNIX is falling apart where we've done this, and nobody noticed for quite a while. I wasn't aware that mutt or Apache were pulling in full bash shells to set environment variables, were you? It would have rung alarm bells for me if I'd known that, even on a casual, personal-use basis.

Where else are we pulling in unnecessarily powerful tools to do simple jobs that might be better achieved somehow else? Are those places vulnerable to outside attack? Have they been audited? Are people aware of the possibility? And, most importantly, someone somewhere must have known about these things - imagine the SELinux people, for example. They are generating signatures of exactly what a program needs to operate, including if it executes other programs, and either allowing or disallowing it. But yet nobody noticed that there might be a problem existing in bash for DECADES if it's used in this way.

I love Linux, but we seem to have strayed from the UNIX philosophies too far - we shouldn't be allowing software to pull in entire other programs to do simple tasks. Hell, why is there not just a "set" program that we can pull in when we need to set environment variables and that's ALL it can do? Why are we using full bash from our web servers which gives us the potential to embed (and successfully execute) a ping command, or any other, from a remote HTTP request?

The bash patch is just the sticking plaster over the wound. But we've been doing dangerous things for too long, and we need to look and change. It's not just a matter of "update bash", we're finding that this affects almost every remote service we offer and is a gaping security hole - and it's time we looked into what the security distros are doing in allowing it, and what we can do to make sure that the mutt author, for example, doesn't feel the need to pull in the full bash just to set an email address into an environment variable.

Voyager 1 now EIGHTEEN LIGHT HOURS from home

Lee D Silver badge

I'm amazed the thing isn't shot to holes already.

Moving at that speed, and through the unknown spaces between all the planets and beyond, it's bound to have picked up an awful lot of collateral damage from space debris.

To be honest, I'm surprised it's still in one piece at all.

Lee D Silver badge

Kinda puts into context those plans about moving to another solar system.

It took two years to get to Jupiter.

30+ years later, it's still not hit one light-DAY away from us.

And the nearest star is, what, eight light-YEARS or something?

So it would be 365 * 8 * 30 years = 87,600 years before Voyager gets there with its head start.

Sure, it's not got a huge propulsion, but it makes you wonder how you intend to keep something powered and propulsive for decades or even centuries.

Honestly, we're kinda trapped in the solar system. And we're even kinda trapped on one planet at the moment. About time we took care of it, or started to get ways off it...

Samsung turns off lights on LEDs worldwide – except in South Korea

Lee D Silver badge

I think it's not just "bulb" LEDs that are the problem here.

LED TVs haven't taken off.

OLEDs have died a death.

And traditional LEDs (such as the superbrights, RGB LEDs, SMD5050, etc.) are so cheap and mass-market now as to make virtually no profit at all, I imagine.

I've worked in a few schools that went all-LED for their Sports Hall lighting and things like that. Very impressive and bright, but you don't actually save all that much once you get into the long run, plus the initial cost.

I think, as a whole, the entire LED segment of electronics is on a spiral to the cheapest possible way to do things, and that doesn't generate a lot of profit for anybody.

How iPad’s soft SIM lets Apple pit carriers AGAINST each other

Lee D Silver badge

I agree that a SIM in an embedded device is probably on the way out. They serve little purpose now and there's no reason we can't replicate what they do in software or some embedded chip. We don't even bother trying to save our numbers to them any more, instead using cloud services and the phone storage themselves which are infinitely more useful in what / how much they can store.

The problem is that I imagine when SIMs start to go "soft", the EU etc. will step in to make sure that they offer the same service as before - i.e. being able to block SIMs and being able to move your SIM between carriers easily. And, like the USB-charging debacle, Apple will no doubt try to wheedle its way out again.

Losing the SIM card in GPS trackers, home alarms, phones etc. is no loss. In fact, SIMs are so ubiquitous that it tells you that yourself. I got at least 8 from giffgaff after I signed up the girlfriend and myself and they still keep sending more when we get rid of those to friends and family. And bootsales, newsagents, etc. are full of free ones. At this point, carriers are throwing a ton of money at printing millions of the things and then most of them never get used, so they're probably quite glad to go to a soft-SIM.

The problem I see? A soft-SIM will be even more hackable, to those interested in playing with them. But at least you might be able to have a dual-SIM phone without having to buy some stupidly expensive foreign piece of junk to do so.

UK.gov pushes for SWIFT ACTION against nuisance calls, threatens £500k fines

Lee D Silver badge

Re: It's not calls from the UK that are the problem

Stop using landlines.

There's no reason to, nowadays. Businesses should be on VoIP / SIP / etc. and the filtering there is trivial. Home users are guaranteed to have more mobiles than landlines near them. And most smartphones nowadays have Caller-ID by default (no extra charge), allow you to block unknown numbers, and allow you to blacklist individual numbers.

The landline companies honestly don't care. That's why they charge extra for those services. They couldn't give a toss until you pay them to care, and then they make no guarantees whatsoever. And enforcing valid Caller ID even internationally, and penalising companies that do not pass valid Caller ID through properly (by removing their ability to dial your numbers) is the only sensible solution. And it's not happened and we've had Caller ID for, what, 20+ years?

Nobody cares. So stop using their spammy products.

Wanna hop carriers with your iPad's Apple SIM? AVOID AT&T

Lee D Silver badge

Sounds like a pretty bog-standard lock-in to me. Can't say it's anything horrific, but it's no surprise that Apple plays that kind of game anyway.

Can't even write an app for Apple without paying annual recurring subscriptions and having to buy one of their devices to do it legally.

Bitcasa bins $10-a-month Infinite storage offer

Lee D Silver badge

"Unlimited"

Definition: Until we decide not to let you any more.

We chat to CloudFlare about its 'EVERYBODY GETS SSL' venture

Lee D Silver badge

SSL* by default is inevitable.

Though this is a good first step (well done CloudFlare!), eventually these base SSL certificates will be so cheap as to be ridiculous. Hell, I bought 5 years of SSL certificate for my domain for something like $50. If you have any reason to have SSL, even a popular forum requiring login, then SSL is a drop in the ocean against hosting, bandwidth and even just simple management costs.

The certification authorities wouldn't allow this (specifically the wildcard domains) without knowing that the money they get from them is going to plummet soon anyway. That's pretty much why they want to push EV and like it when Chrome drops support for 1024-bit, etc. They can give the old stuff away for free while pushing the stuff that won't be warning in your browser next year.

And there are already "free" SSL certificates out there on this level, you just have to dig for them.

And, to be honest, where we need to worry is things like SSL on email, etc. which is disgustingly easy to configure nowadays if you own any domain SSL certificate (or even a self-signed one). I'm pretty sure my SSL cert is running not only my domains, but my email, DKIM signature and things like SSH etc. (with different passphrases in some instances, granted).

(*Please replace SSL throughout with TLS etc. as I'm pretty sure my servers don't accept SSL 2.0, 3.0 or anything else nowadays).

Amazon's AWS opens data center in Germany – just as we said

Lee D Silver badge

And if MS in the EU complies with the US demands without due EU process, they will be in court in the EU.

Given that the EU is actually larger than their US market, it will hurt.

It's not a question of what MS (US) wants to do, or gets told to do. To comply, someone in the EU has to be complicit - either by doing it themselves, or knowingly allowing it (which is a failure of Data Protection obligations).

The US can order what they like. The guy in the EU who provides the facility or does it for MS (US) will be up before an EU court from the second he does it (or allows it).

Ignorance of the law is no excuse, and allowing the US arm of a company to access EU-stored personal data is illegal. It's considered export of that data. And if MS (EU) are asked to do something on the order of a US court, they are legally obliged to ignore it.

It's not as big, or as rare, an issue as some places like to make out. Such orders happen. And then they are ignored. SpamHaus was one particular example where they stupidly responded in the positive to a US court order (initially, at least), but still they got out of actually having to do anything about it as it was outside the US jurisdiction. US courts issue orders that are unenforceable all the time. The actual fact is that if they want them to be legal, there is a process - apply to the EU court to enforce the US court order. That happens too. And when that happens, the EU law is read and applies and it's then legal to do so.

It's not legal for anyone to have any part in letting EU data go out of the EU without suitable data protection. Even the air-travel data sharing scheme fell apart as soon as the EU was no longer co-operative because - by default - it's not legal.

That's not saying it couldn't happen. But Microsoft (US) can tell Microsoft (EU) whatever it likes. If Microsoft (EU) complies or allows it, it's potentially broken EU law. The consequences otherwise don't bear thinking about (e.g. Apple applying US consumer law to other countries, etc. and getting out of their two-year required warranty program...)

All the smart lawyers in the world can't make US law apply anywhere else without breaking the law in "anywhere else". That's part of the reason why Assange is still on UK soil, and why Apple are selling useless "extended" support warranties in the EU.

Facebook pays INFINITELY MORE UK corp tax than in 2012

Lee D Silver badge

"allowed to get away" is exactly the problem though. They are allowed, officially, because the law says they aren't doing anything wrong. If the laws were worded differently, they wouldn't be able to do it. Literally, these companies can be audited en-masse, brought to court, and still be found compliant.

That's the problem. Not whether Mr Plod gets suspicious or not. It's that, by the word of the law, these companies are NOT doing anything illegal and yet still paying zero tax. How they report the income, or misreport it, is a matter of law. If they are able to misreport it, it means that the law allows that.

"You must pay X% of your UK business income to the UK government." - seems pretty simple to me. I'm sure there are side-issues and corner cases but quite what's difficult about legislating that with enough clarifications to make what you mean by "UK business income" explicit?

Lee D Silver badge

I don't blame Facebook.

I blame the taxation system.

What kind of farce is it where a company taking in any money, on whatever services, can avoid paying any significant amount of tax as a proportion of its income?

Amazon rolls cloud and on-prem into single sign-on service

Lee D Silver badge

Google have had something similar for their Google Apps products for years, I believe.

The problem is not that you couldn't do this yourself. It's that you wouldn't want to be handing off AD traffic outside your own controlled networks. And certainly not handing Amazon (or some Amazon-hosted Internet-based outside machine) some AD credentials enough to log into your network and join domains etc.

VPN's have existed for years, and Samba is more than able to do anything you might reasonably want on the client side (I've been using Samba SSO for years with my Linux-based helpdesks, fax-to-email, web filters and other stuff on Windows networks). But running samba on something openly sitting on the net? Eek. The scary side of the cloud. Hell, I don't even trust Terminal Services further than I can throw it.

Pagers shout data center creds, pop star airport arrivals

Lee D Silver badge

If you're worried about security, it wouldn't matter that you use pagers. You just wouldn't be transmitting any data that made sense to anyone. Whether through obscurity (i.e. "the guest has landed", or codebook numbers) or encryption, it wouldn't be any use to an outsider with hostile intent.

That we're still using pagers, I find amusing, but it's more about WHAT you send, not how you send it. The number of people I meet that think that email is "confidential"... shocking news when their email server will happily send in plaintext still.

We don't need technology updates or end-to-end encryption (which, actually, makes us more lazy and slack with the data we spew). We just need simple data management. Don't send anything that you wouldn't want others to know.

Preview redux: Microsoft ships new Windows 10 build with 7,000 changes

Lee D Silver badge

Re: Allegedly

Highly doubtful... Windows' internal numbering is very different to what you or I might call a Windows version number, and any software relying on that would never be looking for a "9" back in the 95/98 era (when it was still Windows 6.0.0000? Maybe even 5.0.0000).

More likely, "nein" is no in German, and apparently it's quite insulting in Japanese too. Rather than set themselves up for the "Windows No" jokes over in Germany and Japan, they've skipped a number.

Hell, think yourself lucky they didn't go back to Windows 2015 or "hemi-deci-millennium" or something.

Hey small biz: You know what you need? A tape library – Overland

Lee D Silver badge

"Small" business messing about with 60 LTO tapes? It's hard to imagine.

And I was of the opinion that tape is pretty much dead. I'm sure the end-run of backups is a tape in a safe somewhere, but 60 tapes in an active device, presumably cycled and moved off-site or into secure storage? Doesn't seem worth the effort.

The last time I had to RESTORE from tape (i.e. where all other methods have failed, and not for test purposes) was... god knows. Back in the 90's. Keep some spinning rust going, it's cheaper than a handful of tapes, provides much quicker restore even if it's not a guaranteed backup solution on its own, and grabbing one file off it takes seconds. And it doesn't really care if you keep it in a slightly damp/cold room.

Seriously, what class of small business has a guy cycling 60+ tapes throughout the week as just their last-ditch backup, not counting all the other IT management?

Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster

Lee D Silver badge

Re: Lack of communication

Clearing the spool on a mailserver that receives any significant amount of traffic can take literally days.

It's like the old newsgroup servers. Even today, it can take several weeks to catch up if they go offline for a short period.

If your email server isn't handling a fair amount of traffic all day constantly - why not? What's the point of having it?

If your email server IS then getting 6 days behind and being asked to catch up WHILE also handling the normal traffic you always used to handle is a LOT to ask. Not to mention the number of test emails people will fire and the pings people will do to "see if it's up yet". It could take 6 days to get back up.

That said, there is NO excuse for not being able to provide basic MX service in the meantime while you clear the spool in the background (there are companies that you could set up in seconds and just point your MX records at until everything died down). Unless, of course, you actually lost data. In which case, good luck continuing to host people's email...

Lee D Silver badge

Yeah, there's a reason I like to run my own servers and just have domains "point" at a particular server, and not rely on any one provider to receive my email. I managed to switch from Hotmail to self-hosted to GMail to GMail forwarding from self-hosted and nobody who emails me was ever aware.

6 days is too much - you will have lost that email forever and the sender will likely never know, now. I'd pull my domains from them after 24 hours - forcibly if necessary.

This is why I quite like domain hosts that let you change DNS (MX specifically but sometimes even nameserver) settings yourself on an automated interface - putting in a couple of backup MX's is no hassle and even changing them in an emergency is pretty do-able. But the MX pointing only to the people who host the domain for a couple of quid a month? No thanks.

Sure, it's no guarantee to even do that, if the domain-holder or nameserver goes offline, but then you are quite literally into "tear the domain back from them" Nominet territory. The last time I had someone had troubles with my domain was... er... never... and I'm able to repoint everything to a new VPS in a matter of minutes (plus 24 hours for DNS propagation, but even that's a lot quicker nowadays).

Stop hosting email with cheap junky outfits. There's no excuse that they can't provide a skeleton email service in the meantime (even if it means routing their MX to a third-party that they hire) while they fix their mail-servers and catch up with lost email. 24 hours and out. Hell, I get a little jumpy every time I have to change MX or other DNS settings or even just wait for a ten-minute outage to catch back up. Six days is inexcusable.

Hell, buy yourself one of the many backup MX services in future for your domain - god knows why this place can't do exactly that for you while you wait.

Linux systemd dev says open source is 'SICK', kernel community 'awful'

Lee D Silver badge

Re: The Linux community has always been this way.

Sorry, I work in schools. Linux has a bad reputation, not because of the lead developer (who nobody has heard of), mailing list flamewars (which nobody has witnessed) or anything else.

It's people who throw it in because "it's free" and expect it to do the same job without the same amount of management that they'd give a Windows machine in a similar position.

I've done it. I've put Linux in schools. Several times. And I've also taken it back out again. Because the primary problem is not "Linux community is unfriendly" (it's NEVER been mentioned). It's actually "Linux isn't Windows and doesn't run Windows binaries, and isn't supported by the people selling us Windows on commission". And pretty much no other reason.

And you'll find that almost every school in the country has a Linux box or two, anyway. Espresso and Knowledgebox are two HUGE content providers who put Linux Apache/Squid proxies for their content into school networks. Almost every primary school has one. And most schools (primary and secondary) have Smoothwall controlling their front line - a Linux box in a 19" rackmount. And let's not even get into their access control, CCTV, or other systems.

Linux isn't in certain places, not because of anything to do with attitudes or personalities (because even Linux experts don't deal with people like Linux or Lennart), but because "it's not Windows". It's not even Linux's fault, that. And it's unsolvable while people are blinkered. It's pretty much the same reason that almost every Mac I've ever seen in a school is Windows in some way (dual boot / boot camp) and sees ten times more use as Windows than as Mac.

Top 10 SSDs: Price, performance and capacity

Lee D Silver badge

Speed is not the only factor.

They are a storage device. Given that EVERY hard drive I've ever owned has ended up full to the brim (and, no, not with trash, but with work, programs, and data I've made), it's not a consideration of speed if they don't start in the Terabyte range at least.

And now my primary machine is a laptop (which can run all the 800+ games on my Steam account quite happily, as well as browse website while I'm abroad), I don't have many choices and I don't have any possibility of putting in one TINY drive and running that for everything. Fortunately, my laptop does indeed have two SATA ports for 2.5" drives and there's a cheap gadget you can get to turn the Blu-Ray slot into a hard drive bay (which would actually make more sense for me). But, still, I'd expect 2Tb of total storage in the machine at minimum, which is what I have with HDD at the moment.

That said, the Samsung EVO 840 1Tb is actually on my wishlist. Just needs to come down in price, just a smidge. Then I can replace the first Windows / data drive with an SSD and keep the other 1Tb for long-term data that only gets read occasionally (in comparison).

But not everything is about speed. I'd much rather have a first-gen SSD speed on a 2Tb drive than have to pay through the nose to get 1Tb at this-gen speeds, or even just £50 for tiny storage at this-gen speeds. Hard disks are primarily STORAGE devices. Sure, it's nice if they go faster, but it's not speed that is the primary concern of most people who want them.

Desktop, schmesktop: Microsoft reveals next WINDOWS SERVER

Lee D Silver badge

Surely, with Hyper-V clusters, you've always had that kind of capability?

Move VM's off one server. Migrate. Slowly move them back. Migrate the other servers. Job done?

I'm not in an industry where I see many highly-available clusters of a significant size but isn't the new capability really just a more-risky in-place upgrade that relies on everything working with no way back?

DVLA website GOES TITSUP on day paper car tax discs retire

Lee D Silver badge

Had the reminder through LAST WEEK.

Renewed... LAST WEEK.

Pressed the buttons, typed in the card, done. No problems.

They obviously can't scale but NOTHING works on day one. Even Steam haven't managed to stay up through the first days of their big sales after many years of trying and substantial cloud-backed wallop on everything they touch.

Reminds me of the tax-deadline when online filing came in. Everyone tried to do it on the last day. Don't. Do it before that. Your teacher wouldn't have accepted the excuse back in school.

That said, technology fail - if you're going to move government services, they have to work. Whatever. Or at least go to a page with a phone number where you can have a human do it for you. You do NOT want to get in the situation where people can't legally drive because you can't take their money.

Microsoft on the Threshold of a new name for Windows next week

Lee D Silver badge

1, 2, 3, 3.1, 3.11, 3.11 for workgroups, 95, 95 OSR2, 98, 98 Second Edition, XP, Millennium Edition, 2000, Vista, Server 2003, Server 2008, Windows 7, Server 2012, Windows 8, Server 2012R2, Windows 8.1 (possibly not in that order).

Damn, it could be ANYTHING. Going from history:

There's a good chance it's going to have a number. There's half a chance it'll be consecutive and half not. There's a small chance it'll have a point number. There's a fair chance it'll carry some moniker or tag on the end of it, even with a number.

I'll go for "Windows 9.0 for Metro Server Groups". Think I covered most angles there.

Bad boy builds beastly Bash bug botnet, boxen battered

Lee D Silver badge

What scares me most is the continued use of bash in remotely-callable scripts. I honestly thought we'd stopped doing things that way years before Perl went out of fashion and we moved to some real CGI and web security because we realised we had malicious people around.

I get having bash wrappers to, say, start services, collate and rotate logs, etc. but bash called remotely to do things like set environment variables (especially for CGI scripts, even if that was the "standard") seems dangerous from the very mention, before you even think there could be a vulnerability in bash. It's just an unsuitable tool - an entire shell, being executed by a remote user, whatever the actual context, to set some text into an environment variable.

Let me try an experiment - Windows Server, IIS, have your apps wrapped in a DOS batch file. Nobody else just as worried as I would be? ((The Windows equivalent of this bug would be, as far as I can tell, IIS being asked to retrieve a page with a request header and in doing so executing CMD with an arbitrary unchecked string taken straight from the request header to set, say, the PATH variable, or lots of other CGI-required variables, but not distinguishing between some plain environment variable content and ANY valid command. It seems... far too obvious and dangerous to have lingered in web circles for 25 years if ANYONE had been watching out for security problems)).

Bash scripts are useful but we should have stopped using them on anything remotely accessible decades ago. The only times I've ever seen it done deliberately was in a "single-floppy router" Linux distribution where literally every byte was precious and they were squeezing 2.4 kernels and full routing functionality into a 1.44Mb bootable disk (used Freesco for 8 years, I think, running my local network off dial-up and then ADSL). Even there, the use was internal, to provide things like statistics and internal configuration over a shell CGI script that obviously only had one dependency and little security (assuming no malicious local users, basically). Hell, I have had networks where the logon etc. scripts performed all kinds of miracles but - the point was - you needed to be a local user, already logged in, and they merely automated processes you were already allowed to do.

To have bash be able to be executed in the context of a remote user's HTTP request to bring in - of all things - environment variables (the bug is really that function definitions are to be in those environment variables allowed too, but even running of bash to set a string into the environment is worrying me), and have the power to run any internal bash command or - critically - any available command that the web-user can access, seems incredibly stupid to have been lain open for any length of time.

What with this and Heartbleed, someone - and I'm specifically looking at the "security" distros here - needs to go back to first principles and find stupid things that we're doing. Even if we've done them for 20 years without problem. We need to say... that's stupid. Why are we still doing that? If there's a problem in software/function X, we are fully compromised. And start to revoke trust in large corporations and organisations that have looked into these things and never spotted that running a full bash on EVERY CGI environment variable handed to you by a remote user is just an incredibly stupid thing to do, vulnerability or not.

And, of course, there's probably nothing that things like SELinux can do because - well, the user obviously INTENDED bash to act on this information because it wouldn't work otherwise.
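The header-to-environment path that the comment above objects to, as an added example (not part of the original post, and not code from any project it mentions): it models how a CGI gateway turns request headers into environment variables, flags values that begin with bash's exported-function marker, and drops them before a child process would inherit them. The function names, script paths and sample requests are constructed for illustration.

```python
import re

# An environment value that starts with "() {" is how bash marks an exported
# function; affected versions parsed such values when the shell started.
# The pattern tolerates extra whitespace so padded values still match.
FUNC_MARKER = re.compile(r"^\s*\(\)\s*\{")


def cgi_environ(method, script, headers):
    """Build the variables a CGI gateway passes to a script (RFC 3875 naming).

    Every request header becomes HTTP_<NAME>, so the remote client chooses
    the contents of environment variables that a shell script will inherit.
    """
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": script,
    }
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value  # these two carry no HTTP_ prefix
        else:
            env["HTTP_" + key] = value
    return env


def flagged_vars(env):
    """Names of variables whose value looks like a function definition."""
    return sorted(k for k, v in env.items() if FUNC_MARKER.match(v))


def scrub(env):
    """Return a copy of env without flagged variables (hypothetical mitigation
    applied by the gateway before it starts any child process)."""
    bad = set(flagged_vars(env))
    return {k: v for k, v in env.items() if k not in bad}


# Constructed sample requests: (method, script path, headers).
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/status.sh",
     {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}),
    ("GET", "/cgi-bin/status.sh",
     {"User-Agent": "() { :; }; TRAILING-TEXT-PLACEHOLDER",
      "Referer": "  () { x; }; TRAILING-TEXT-PLACEHOLDER"}),
    # "() {" appears mid-value only, so this one is not flagged.
    ("POST", "/cgi-bin/form.sh",
     {"Content-Type": "text/plain", "Cookie": "note=f() { }"}),
]


def triage(requests):
    """Return (script, flagged variable names) for each request."""
    report = []
    for method, script, headers in requests:
        env = cgi_environ(method, script, headers)
        report.append((script, flagged_vars(env)))
    return report


if __name__ == "__main__":
    for script, names in triage(SAMPLE_REQUESTS):
        print(script, "->", names if names else "clean")
```

Scrubbing at the gateway only narrows the exposure; it does not replace patching bash or moving request handling out of shell scripts.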

What the 4K: High-def DisplayPort vid meets reversible USB Type C

Lee D Silver badge

Re: 100W? Isn't the copper a bit thin for that??

PoE can do 30W over Cat5 cable, with only a 5 degree C raise in temperature.

Don't see what's so impossible about 100W over a USB cable which, in my experience, can be as much as 2-3 times thicker than some of the Cat5 that I manually crimp and patch.

If PoE isn't dangerous, then 100W over this USB connector probably isn't either. And I assume that someone has sat down and worked out the numbers before releasing millions of devices to the public that might get hot.

To be honest, I bet your cable heats up more just from sheer conductivity from that huge TV...

Phones 4u website DIES as wounded mobe retailer struggles to stay above water

Lee D Silver badge

Re: Locked phones

Given the existence (and therefore presumably profitability) of at least 8 different betting shops in one street in my town, common sense does appear to be in short supply among the general populace.

Owning a phone for "only" £30 a month is, thus, tempting to those people whether or not they are tied into a contract.

Personally, I put off smartphone use until 2 years ago - my girlfriend had done the same and follows what I tell her to do, tech-wise at least. Then we bought a Galaxy Ace each because it was the cheapest phone that we could own outright. Over time we ditched Virgin contract (my girlfriend makes lots of foreign calls and it worked out well) for Virgin SIM-only (with a Tesco Calling Card for international call), for giff-gaff SIM-only (cheaper international calls than even the calling card).

Just this month, we ditched the phones and moved to S4 mini's because - again - we could own those outright without having to worry about contracts and suppliers. It took about ten minutes to change onto the new phones and a day for our original numbers to come across onto a clean mini-SIM. The old phones will go to family in Italy who still haven't caught up with the smartphone era for precisely these reasons (and data packages over there are prohibitive).

So technically - over 2 years - we're both on unlocked S4 mini's, with 4G-capable SIMs that have cheaper international calls than most international call providers, and we aren't on a binding contract but pay ~£10 a month for the connection (and basically zero over that except for her phone's international calls separately at literally pence per minute) and have two spare unlocked Galaxy Ace's for when foreigners come to stay that can run our sat-nav programs and speak Italian to them.

Not everyone will go through that hassle, not everyone will know those paths exist, not everyone will be bothered to do that every year and evaluate their choices - especially when they can just walk into a shop, pay £35 and walk out with a top-end phone. The fact that over the initial year, on a contract, you could have bought my phone outright, have it be unlocked all the time, never get tied into a contract, get comparable voice / data packages, etc. is invisible to most people - and chances are they're in at least a 18 / 24 month contract.

I had the same thing with my mum about twenty years ago. We stopped renting a TV from what was Radio Rentals. We did the maths and worked out that we could have had a new TV every year for ten years and still not paid the same amount of money. And we'd have had all the old TV's to sell / give away / use around the house.

iPHONEY: Fake iPhone 6 images splattered over Chinese internet

Lee D Silver badge

Don't get the fuss personally.

Another version that, until it's in shops, you can't buy anyway. Wait until it comes out. Wait a little longer to see if it's a stinker. Wait a little longer and buy the cheaper competitor.

What's to fuss over?

Your move, sucker! Microsoft tests cloud gaming system that cuts through network lag

Lee D Silver badge

Given the sheer amount of possibilities in anything but the most trivial of games, this is likely to not help very much.

Think about it - with mouse-movement and a forward key, just how many different places can you end up in within even 100ms? And how many of those would let you die or give you a near-miss if you were to fire / someone was to fire at you? We're talking vast amounts of calculations for something which is literally down-to-the-pixel at affecting the next few hundred milliseconds of the game (and if you weren't alive, but shot, you have to predict the rest of the gamefield based on both a bullet here, there, over there and nowhere at all, all at the same time, before the player's "real" input comes in over the wire).

Can't imagine it will help except in the contrived games (something like Bomberman?) or consoles (where input ranges are limited and stepped).

AVG stung as search revenue from freebie scanners dries up

Lee D Silver badge

Just to add my two-penneth...

Comodo I find pretty good, the free and commercial versions. Of course, there's an option or two you have to turn off but that's par for the course nowadays.

Lee D Silver badge

- Build excellent product.

- Give away for free.

- Become the "de facto" tool that experts recommend. Get thousands of subscribers just from the quality of your free tool.

- Wait a year.

- Spam the hell out of your users, force upgrades to ad-filled versions, bundle spyware, try to trick them into installing the pay-for version, hide the free version on your site so deep that the experts have to dig it out for users.

If this was Slashdot, I'd add...

- ????

- Profit.

But, as noted above, all that happens is people soon forget about you and say "Ah, yeah, AVG. Was great until they bogged it down in junk."

Trying to sell your house? It'd better have KILLER mobile coverage

Lee D Silver badge

I'd rate "Internet connection prospects" better than most things mentioned on that page.

But, of course, location, location, location (which in turn gives you some guarantees on schools, nightlife, chances of some bloke pilfering your car, etc.).

Pick a nice area. Then make sure you've got Internet. Because that's one thing you won't be able to "fix" yourself. Mobile signal? If your internet is good enough, get your own personal picocell. But chances are that if you're in a nice, internet-connected area, there's going to be mobile signal anyway.

Microsoft says 'weird things' can happen during Windows Server 2003 migrations

Lee D Silver badge

I did exactly this several years ago now.

Never had a problem.

Inherited 2003 DC's, put on a single 2012R2 DC, moved all the config, files, services, etc. over and slowly converted each 2003 machine to 2012R2.

Did it half-live, half-not (school system, summer holidays) - never saw this problem. I'm guessing it relates to some obscure configuration or even just a hotfix gone bad.