* Posts by tip pc

1736 publicly visible posts • joined 7 Mar 2018

Brilliant backups that kept data alive for ages landed web developer in big trouble

tip pc Silver badge

The site was only reachable via IP because the DNS name was pointing at the IP of the new site.

General public would never have seen the old site if they used the DNS name.

Normally pointing the DNS name to the new site would be sufficient & keeping the old site about would enable quick fall back if needed.

Not the guy's fault the customer IT hard coded an IP into their internal DNS & the guy responsible for approving changes only checked at home.

US struck Iran with copies of its own drones

tip pc Silver badge

Re: Proof this was long planned

The national security advisor, Marco Rubio, explained why they launched preemptive strikes against Iran.

Looks like the dog was wagged.

https://x.com/RapidResponse47/status/2028576202420535469?s=20

Five Eyes warn: Patch your Cisco SD-WAN or risk root takeover

tip pc Silver badge

Re: It's Cisco

You know. The company that sells stuff you can't update without a current certification.

Because you NEED your certification to login to even look for updates and/patches.

I got my certification 20 years ago & never renewed it.

Been many jobs since I linked my now expired certification to my work Cisco login.

I have no issues logging in & downloading firmware for equipment we run here.

I think it grumbles if I download software for things we don't run but not needed to do that for a very long time.

tip pc Silver badge

Re: Completely new and unexplored vector

Cisco are not the only vendor selling sdwan stuff.

Why encrypt over mpls vpn’s? You might as well just do sdwan that isn’t Cisco branded over internet.

If security is that important then mpls vpn should be enough & ensure your apps use ssl/tls or some other certificate based encrypted communications.

You can buy xcryptors and their competitors to secure private links too.

UK data watchdog fines Reddit £14.47M for letting kids slip past the gate

tip pc Silver badge

Re: Age gating is fundamentally incompatible with privacy

Once they’ve done with the popular socials they’ll come for your favourite hangouts.

Won’t be long till it’s here on el reg.

Break free of Ring's servers, earn a five-figure bounty

tip pc Silver badge

Re: I assume that Ring has been asked ...

My Eufy cameras store to a hub on my network

My earlier Eufy cameras can store to iCloud but I have diverted them to my Eufy hub.

iCloud will do face & motion detection & will alert you to known/unknown persons with actions like turn on a wifi connected light etc.

I had some Samsung cameras that stored locally & also Swann cameras that stored to a local HDD that had a web portal, again locally stored.

You don't have to look too hard to find cameras that store locally.

Every day in every way, passwords are getting worse and worse

tip pc Silver badge

Re: Email Login

I think Google has an option to log out of all sessions, the miscreant would then have to log in again

tip pc Silver badge

Re: I keep all my PWs in a text file called passwords.txt on the desktop

Great idea, I will be doing that later

tip pc Silver badge

The M$ MFA puts a code to the requestor to enter in the MFA on their chosen device.

They won't know the code if they've not made the request & can see the code on their screen.

Yes, if the miscreant has access to both the requesting system and the MFA device then they could defeat the MFA, but if they've got all that & got past the password protections to open those devices then surely all bets are off anyway.

I keep getting emails from Facebook re someone trying to set up an account using my email address. I keep getting the MFA number to enter into the Facebook page to create the account.

Obviously I'm ignoring those MFA requests & have no desire to create a Facebook account, I already have 1 on a different email address I don't use (Facebook not the email address).

Without entering that code they can't create an account.

tip pc Silver badge
WTF?

I use the same passkey across my personal devices & work devices, it's not limited to a single device

They can't be stolen or duplicated, and are strictly a per-device system. That's something that can be explained to anyone, although probably with different words, and the advantages made clear. Use passkeys, and you won't need passwords and you'll be safer.

I use Apple Passwords to share my passkeys & passwords across my personal (MBP/iPad/iPhone) & work (MBP/iPhone) devices & they work fine for getting me in to my personal logins on sites across all those systems.

Is something going on in the background to create new passkeys per device that I don't know about?

Only took a few seconds to share to my work profile & is seamless.

I don't think it's being duplicated, works with Touch ID on those systems that only have that & Face ID on my iPhone/iPad.

China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection

tip pc Silver badge

Who hard coded the credential. Dell or Tomcat?

The article states a hard coded credential in Tomcat but doesn't detail if that is a Tomcat thing or a Dell thing.

I assume a Dell thing, else the CVE would be for the Tomcat version using that hard coded credential.

I'm no coder, but even if I were, how could I check for other solutions that might have hard coded credentials in their configs?

I assume the credential was obfuscated somehow & not just sat in a config file in plain text.

With software consuming gigabytes of space, how can anyone be sure what's included & if it's actually safe?

I'd say it's time for governments & large entities to roll their own code

Capita taps Microsoft Copilot to dig it out from UK pensions backlog

tip pc Silver badge
Headmaster

amazing how like minds find each other

2 peas in a pod etc

Keir Starmer declares 'months' timeline for social media age clampdown in UK

tip pc Silver badge
Holmes

https is effectively a vpn especially when coupled with esni

When MPs and media talk about VPNs they really mean people obfuscating their internet communications from the ISP.

A VPN is a Virtual Private Network & denotes making a secure connection to a remote network so your machine acts like it's virtually at the remote end & connecting to the private systems at the remote end.

But the VPNs being spoken about are really proxies, as there is nothing at the remote end the user is connecting to; they are using the connection to prevent someone local to them eavesdropping on their private connectivity to the public internet.

I accept that there are some miscreants that will be connecting to private systems to connect to bad stuff, but that's not what is being spoken about here; it's people accessing resources in the free open internet & deciding they want to use a VPN to prevent their ISP & possibly government from snooping on them.

We've had it drummed into us for years to check the padlock & ensure sites are secure etc. That padlock means that the information on that page is encrypted between you and the end point.

We should all know that thanks to SNI, a single IP can host an unlimited number of web sites. It was still possible for the ISP to know the site you visit by inspecting your DNS queries & the SNI contained in the site request headers.

Now with DNS over HTTPS & encrypted SNI it's no longer possible for an ISP to determine what site you are looking at, they will just see the IP of the remote site which as mentioned could host an unlimited number of sites.

Given a VPN can use any port it wants to, there is nothing to stop an SSL VPN using port 443 to convey the traffic, and someone scanning the traffic would just see encrypted garbage to, say, Cloudflare. You could be looking at cars or pictures of pine trees or streaming the latest trailer for Star Wars or watching your no brand camera system;

from the network viewpoint it all looks like legitimate encrypted HTTPS traffic but the end website would remain unknown.

So how can they stop that connectivity without mandating some kind of client side detection?

is that it?

we will all be mandated to add some kind of government mandated client side scanning app?

This is all very dystopian.

Starmer promised to tread lightly on our lives but appears to be doing the opposite.

https://youtu.be/xavKVYcYJx8?t=49

If Microsoft made a car... what would it be?

tip pc Silver badge

volvo 340 GLE

Mine would decide to break down every 70 or so miles for no reason, you could crank it till the battery went flat & it wouldn't start, leave it 40 minutes and on its last gasp with an exhausted & flat battery it'll spring into life and waft you on its way like there was no issue.

Heated seats, heated windscreen & headlight washer jets.

sunroof

rear wheel drive

looked like an old gits car which is just what I needed in my 1st year at uni. certainly got me noticed by the girls, much to their amusement.

yes I truly hated that car.

& yes it did crash on me, steering was vague, back end could & would step out & braking was like being on a ferry starboard, then port then starboard then port & repeat

Luckily no blue screen of death but it did roll on me.

I was astounded when the recovery guy jumped in turned the key & it started 1st time.

I hated that car!!

Apple's Creator Studio creates a subscription where free apps used to live

tip pc Silver badge

Unsavoury updates

When they start adding unsavoury items into what should be bug fixes & feature bumps, it stands as a warning against upgrading in general.

My stuff is good as it is thanks.

Not upgrading until I absolutely must.

Were telcos tipped off to *that* ancient Telnet bug? Cyber pros say the signs stack up

tip pc Silver badge

Nothing wrong with the telnet client, it's telnetd (the server) that is of concern.

tip pc Silver badge

Re: How the ancient Telnet bug worked

The bug was introduced in 2015, most things from then would support ssh, most older things won’t contain the bug!

tip pc Silver badge

Re: Define use.

On ipv4, for telnet to be exploitable from the internet someone would have to port forward from the public ip to the internal ip of the system listening to telnet.

Did you do that?

In IPv6 it’d be directly routable from the internet but hopefully your firewall would drop unsolicited inbound connections, have you done that?

Windows dropped telnet from being installed by default in windows 7 in 2010 & also server 2008 R2.

It’s not unusual to have things in the lab that are initially less secure than in production, especially whilst being built.

There is also secure telnet that uses ssl to secure the connectivity

https://www.ibm.com/docs/en/i/7.4.0?topic=ssl-configuration-details-securing-telnet

I’m glad the people I work with are grown up about things & not instantly dismissive.

The UK government isn't spending much taxpayer cash on X

tip pc Silver badge

So they should not be using windows either

Supermarket sorry after facial recognition alert flags right criminal, wrong customer

tip pc Silver badge

Boycott stores that use this rubbish

Rajah had to submit a copy of his passport and head shot to Facewatch so the company could verify he was not on the offenders' database.

The stores will not listen to the public but will listen to shareholders who won't like reduced turnover

New hire fixed a problem so fast, their boss left to become a yoga instructor

tip pc Silver badge
Holmes

Re: Many moons ago now

I got tired of coming up with last-minute desperate solutions to impossible problems created by other fscking people.

google ai says

I understand your frustration. Dealing with the stress of constantly solving crises caused by others is exhausting, and it is completely normal to feel this way when carrying that mental and emotional burden.

When these feelings arise, it might be helpful to:

Set boundaries: Clearly communicate your limits to others to manage expectations and avoid taking on more than you can handle [1].

Prioritize self-care: Engage in activities that help you relax and recharge, even if it's just for a few minutes a day.

Seek support: Talk about your feelings with a trusted friend, family member, or mental health professional. You don't have to manage this all by yourself.

If you find this feeling is persistent and significantly impacting your well-being, reaching out for professional guidance can provide additional coping strategies and support. The National Alliance on Mental Illness (NAMI) offers resources and information, and the Substance Abuse and Mental Health Services Administration (SAMHSA) National Helpline is a free, confidential resource available 24/7.

Movie is Under Siege, said by Tommy

https://youtu.be/3Zad8u7Tzi0?si=QTIs5XRL7DKlZcY_&t=80

Notepad++ update service hijacked in targeted state-linked attack

tip pc Silver badge

I simply have zero confidence in the developers.

What are your views on Microsoft & their software, including the Windows OS and Office productivity apps that are known to have issues & vulnerabilities that are constantly exposed?

The Notepad++ issue appears to be targeted at certain territories, redirecting downloads to a malicious rebuild. That means most people got the correct intended version whilst some got the compromised version.

Unless you're in those territories or targeted then it's likely the versions you & your organisation downloaded were all OK.

How do you guard against other software that could be compromised that no one knows has been compromised?

tip pc Silver badge
Coat

Yet another good reason to not update if your version predates the attack.

Updates are good for new features or bug fixes but if it ain't broke, why update?

If you have a version that predates the problem then why update?

The new update protections do seem worthwhile, but then you will get them when you eventually update.

Defo worth updating if your current version is within that compromised timespan, prob not worth installing an older version as you have to be extremely sure you're getting a non-compromised version & the older installer won't tell you.

I had a look at the Notepad++ download site and there were adverts looking like the download button that were not the legitimate download further down the page.

The download page should not have any adverts on it to avoid confusion etc.

Capita pension portal 'fiasco' forces Cabinet Office into damage control

tip pc Silver badge

profit from chaos

Capita knew full well what they were getting into.

Sometimes forming a narrative of problems is useful when negotiating extra unforeseen costs / profits down the line.

To lay people it looks like this will be a loss for Capita.

Reality is that this will increase their profits.

Typically the contract would come with constraints on costs & effort etc. Capita can now prove that the constraints were too prohibitive & the contract could not be fulfilled as originally specified and what they & everyone else based their bid on.

So they have a valid reason to increase costs to meet the demand

tip pc Silver badge

Re: Article Understates the Issues

Is there some online calculator that could be used to approximate what you would get?

I appreciate it's wishful thinking but might get you a ball park.

A quick Google shows these 2

https://www.civilservicepensionscheme.org.uk/memberhub/knowledge-centre/tools-and-calcs/pension-calculators/

https://www.cfcs.org.uk/help-advice/money/apps-and-support/pension-calculator/

Three is the magic number for Alaska Airlines: triple redundancy

tip pc Silver badge

Re: Failure mode

data at home, encrypted backup in the cloud

ATM flashes a port or two for the enterprising hacker

tip pc Silver badge
Holmes

Hostile environment

The connectivity medium should always be considered hostile when the machine is connecting from an uncontrolled environment.

It would be cost prohibitive to put enough controls in place around the router/cpe/‘physical connection to isp’ so is cheaper & more effective to build it into the atm machine so it can reliably & securely connect via an unsecured network.

Sniff as much as you want it should be safe.

If not the atm owner should find out soon enough & learn about a new hacking method which is likely cheaper discovery than the amount of cash in the machine.

Won’t be as secure once government ban vpn’s though but I suspect there will be many exemptions for things like this forming encrypted tunnels to authorised end points.

Will get tricky when those end points are in the cloud on IPs shared with other services, but that will likely be an edge case because who would build a VPN to a domain name instead of fixed IPs (probably a norm nowadays to use FQDNs instead of IPs your business owns for p2p VPNs but I'm old school)

ICE knocks on ad tech’s data door to see what it knows about you

tip pc Silver badge

Re: America, you need to fix your problem

Yep

We need new parties that are not the same traditional parties.

We see negativity in the traditional parties & they are not addressing it

Microsoft admits Outlook might freeze when saving files to OneDrive

tip pc Silver badge
FAIL

Makes you wonder why sane people update their systems.

I remember when I was much younger I'd always install the latest updates.

When fixing someone's PC the 1st thing I'd do is updates.

I've been a Mac user since ~91, I've taken the same approach on those too, until recently.

I will be keeping my systems on OSX/iOS 26 & may roll back my laptop to OSX 15.

App updates I will make a judgement on, OS updates I will take the service updates but I likely will not be upgrading to OSX/iOS 27 unless I truly need to.

If I could roll my iOS stuff back to iOS 18 I would.

There are no new features in iOS 26 I actually want.

If I'm not having an issue with my apps why do I need to update?

Re app vulnerabilities, my personal machines are protected by Apple's XProtect etc plus the Apple firewall, plus home firewall, plus NAT so most addressed exploits likely can never be remotely exploited.

Unless I'm facing usability issues or bugs then I likely have no need for the app updates.

It's not like updates fix all bugs or won't introduce new ones as per this article, so why would any sane person update unless there is some significant reason to?

NASA's Artemis II Moon rocket arrives at the launch pad

tip pc Silver badge
Coat

fly by

Anyone know why it's a fly by instead of orbiting?

Is it a safety thing where the orbit will return it to Earth orbit in case of an issue?

If it's that risky why put a manned crew onboard? It's 2026, we could put some crash test dummies onboard if need be & run the thing on remote control?

AWS flips switch on Euro cloud as customers fret about digital sovereignty

tip pc Silver badge
Big Brother

took their time seeing it for what it is

European tech leaders are concerned about US laws having jurisdiction over European operations of US companies. For example, under the CLOUD Act, US authorities can compel access to information held by American cloud providers irrespective of where in the world that data is housed.

they weren't that bothered when it started

comprehension of the world is changing and now at pace.

UK backtracks on digital ID requirement for right to work

tip pc Silver badge
Big Brother

Starmer today in parliament said digital ID will be mandatory for working

https://youtu.be/mOK_tNoQEeU?t=76

Mr. Speaker, I'm determined to make it harder for people to work illegally in this country. And that's why there will be checks. They will be digital and they will be mandatory.

I'm sure some will make claims that that is not what he meant, but how do you do those checks without checking everyone? Will only those with a certain hue be checked?

Will they import a bunch of ICE agents to do the non mandatory checks?

Starmer looked well out of his depth today, he needs to go, I'm not sure the others in his camp are up to the job though.

Same statement applies to all the other politicians too.

I'm sure there are some outstanding MPs who do amazing things for their communities, weird how they never make it into cabinet or being PM though.

Would be interesting to hear what non UK readers think of that video from the start.

At 1st I thought Starmer's quip about the Kama Sutra was AI, especially in light of this stuff about banning X for images etc, seemed a completely unnecessary thing to put into a joke especially in parliament that was being televised live during the day & that young people have a chance of watching as a guardian may have it on.

tip pc Silver badge

they are just delaying it

UK backtracks on digital ID requirement for right to work

We all knew it'd run into issues & be late anyway.

Government are trying to regain some approval ratings by going slightly softer, it'll still be mandatory for many.

We got this far without it, we will survive without it.

I can virtually guarantee that even if a party that says they will scrap it comes into power, it'll still be introduced.

As of Jan 2026 the ruling parties in UK/USA/EU have all done numerous things they promised they wouldn't do when campaigning for office, not little things but major things.

A reminder of Starmer's victory speech where he promises to tread more lightly on our lives (6 min mark)

https://youtu.be/CeBF1SHstEY?t=236

Firefox 147 brings GPU boost, tidier tabs, and video that follows you around

tip pc Silver badge

1 button option to turn off AI

There should be a 1 button option to turn off AI.

I just use FF to connect to management pages via a proxy. it can't connect to the Internet via that proxy but somehow knows when a new version is available.

Cloudflare CEO threatens to make the Winter Olympics a political football after Italy slugs it with a fine

tip pc Silver badge

Re: Confused (again)

Define shared hosting system.

AWS is home to a number of successful online streamers

Have you heard of Netflix

https://aws.amazon.com/solutions/case-studies/netflix-case-study/

Or peacock

https://aws.amazon.com/solutions/case-studies/peacock-case-study/

Being generous I’d say you’ve misunderstood how websites & connectivity works.

Some google searches can surface some additional detail on how it all works

And yes a single ip can host an unlimited number of sites and each of those sites can also stream content over that single ip,

tip pc Silver badge

Re: "an IP can host an unlimited number of FQDN's."

I appreciate not everyone reading the Reg is technical, a bit of googling goes a long way to understanding.

As a primer have a read of this.

https://en.wikipedia.org/wiki/Server_Name_Indication

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.[1] The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during a TLS handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

tip pc Silver badge

Re: Cloudflare hypocrisy

Shared IPs? Residential customers may be behind CG-NAT. People serving pirated contents, and making money from IT, don't use shared IPs. They use some hosting that provide them the resources to access and deliver copyright contents with the speed required to serve enough users to make money. These are not botnets used for DDoS, or someone sharing torrents.

An IP can host an unlimited number of FQDNs.

The shared IPs is in relation to the fact that a hosting provider can host a number of different domains behind a single public IP.

If the regulator approves the requests, it uses an automated system to inform ISPs and other players that they must block access to certain IP addresses and not provide DNS services to domains suspected of facilitating piracy.

Miscreant sets themselves up at a hosting provider that then uses a single public IP for hundreds of domains. Suddenly Cloudflare drop resolving the IP & all those other sites can't be reached.

Sounds like they are being mandated to do it globally too, so those outside of Italy lose access too. Stops Italians using a VPN to bypass the block.

A better way would be to drop resolving for the individual domain from clients originating in Italy rather than everything on an IP globally, won't stop VPN usage to sidestep the block.

tip pc Silver badge

Re: Confused (again)

If the regulator approves the requests, it uses an automated system to inform ISPs and other players that they must block access to certain IP addresses and not provide DNS services to domains suspected of facilitating piracy.

A single IP can host an unlimited number of FQDNs.

Miscreant sets themselves up at a hosting provider that then uses a single public IP for hundreds of domains. Suddenly Cloudflare drop resolving the IP & all those other sites can't be reached.

Sounds like they are being mandated to do it globally too, so those outside of Italy lose access too.

A better way would be to drop resolving for the individual domain from clients originating in Italy rather than everything on an IP globally.

Humongous 52-inch Dell monitor will make you feel like king of the internet with four screens in one

tip pc Silver badge

Why can't I do virtual displays currently?

I have my Mac hooked up to a 42" TV (appropriate 4:4:4)

I wish I could compartmentalise it into 4 virtual screens so each 1/4 can have what I want in it.

I know I can organise different windows from different apps into quarters of the screen but when I change to an app OSX has this annoying habit of hiding other windows when I don't want it to.

& no, 'spaces' is not what I want, neither is Stage Manager

New carbon capture tech could save us from datacenter doom

tip pc Silver badge

Re: I don't get it.

Most UK homes use far less energy (in all its forms) than we did in the 1980s.

Even this chart showing from 2000 to 2024 shows a decrease from ~400 TWh to under 300 TWh

https://ember-energy.org/data/electricity-data-explorer/?entity=United+Kingdom

despite population growing.

Per capita we are ~4000 kWh per person in 2024 as opposed to over 6000 kWh in 2000.

tip pc Silver badge

Re: Wrong premise

To be fair, a mature tree doesn't absorb as much carbon as a young tree, as it is growing much slower.

However, the really important questions are what did they do with the wood, and did they plant new saplings?

All the leaves I have to pick up falling from neighbours' trees into my garden disagree.

CO2 is not only stored in the wood you see in a tree.

All vegetation that photosynthesises uses the CO2 to form the leaves as well as the trunks etc. A mature oak can have ~ more than 120kg* of carbon stored in the leaves it drops.

*Different sources will say differing amounts.

Leaves from 10 oak trees is a tonne of carbon captured and sitting there for disposal, provides shade in summer, a home for animals and the acorns provide food for squirrels amongst many other benefits.

I'd take a million mature oak trees over this carbon capture nonsense!

Your smart TV is watching you and nobody's stopping it

tip pc Silver badge

Re: My next TV will be a big monitor

You can always update the os, agree to all the nonsense & then block it from connecting to the internet via your firewall.

Just a thought

tip pc Silver badge

Re: My next TV will be a big monitor

Been a sky customer for 20 years, I can’t remember ever changing a viewing card.

I’ve had sky q for ~9 years and never changed the viewing card.

Not sure where the 6 year replace thing comes from. I’m amazed it’s been so reliable (probably break now) no I’m not interested in glass or stream.

IPv6 just turned 30 and still hasn’t taken over the world, but don't call it a failure

tip pc Silver badge
Holmes

most have no clue how IPv6 actually works

link-local:: self assigned address starting fe80::

IPv6:: GUA starting 2001:: or 2001::, ULA:: starting fc00::, loopback starting ::1

traffic is actually routed via the Link-Local addresses to the peer (gateway) link local address.

IPv6 is more L3 orientated than IPv4, as in IPv4 can just send traffic directly to an IP on the same subnet with no gateway needed; IPv6 needs to have that link local address & know the peer link local address to send its traffic to.
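To put the address classes and the link-local next-hop point from the post above into something checkable, here is an added example (my own code, not from the thread). The prefix ranges are my assumption, taken from the IANA special-purpose registry rather than from the post: `fe80::/10` link-local, `fc00::/7` unique-local, `2000::/3` global unicast. `classify` and `next_hop6` are this example's own names; the forwarding decision in `next_hop6` is a simplified model of a host with one prefix and one router learned from Router Advertisements.

```python
import ipaddress

# Assumed ranges (IANA special-purpose registry), not taken from the post.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
LOOPBACK = ipaddress.IPv6Address("::1")


def _addr(text: str) -> ipaddress.IPv6Address:
    """Parse an address, discarding a zone id such as '%eth0' if present."""
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def classify(addr: str) -> str:
    """Name the class of an IPv6 address the way the post lists them."""
    a = _addr(addr)
    if a == LOOPBACK:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"            # multicast, unspecified, reserved, ...


def next_hop6(host: str, prefixlen: int, router_ll: str, dest: str) -> str:
    """Simplified host forwarding decision.

    Destinations inside the host's on-link prefix, and link-local
    destinations, are delivered directly (after neighbour discovery).
    Everything else goes to the default router, which a host learns from
    Router Advertisements and which is identified by a link-local address,
    so the next hop returned here is never a global address.
    """
    net = ipaddress.IPv6Network((host, prefixlen), strict=False)
    d = _addr(dest)
    if d in LINK_LOCAL or d in net:
        return "direct"
    if _addr(router_ll) not in LINK_LOCAL:
        raise ValueError("default router next-hop must be link-local")
    return router_ll


if __name__ == "__main__":
    # Constructed sample: a host on 2001:db8:1::/64 with router fe80::1
    for dest in ("2001:db8:1::20", "2001:db8:2::20", "fe80::abcd", "fd00::5"):
        print(dest, classify(dest), next_hop6("2001:db8:1::10", 64, "fe80::1", dest))
```

Note that `2001:db8::/32` is the documentation range; it falls inside `2000::/3` so this example reports it as global unicast, whereas the standard library's `is_global` would not, which is why the membership tests are spelled out rather than delegated to those properties.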

tip pc Silver badge

Re: Some of us would like to use it

Anonymous Coward

Some of us would like to use it

But their ISP (aka the Computer) says NO. They fence all IPV6 addresses off from our endpoints.

I'm with vm02 and they don't support ipv6.

I do have apple's private relay so I do reach ipv6 websites etc over that with no issue,

Nothing on IPv6 that I can't get on IPv4 so I'm not missing anything for home systems that don't have private relay.

I am interested though what about IPv6 are you missing or perceive to be missing?

tip pc Silver badge

Re: The real reason nobody wants to use it

Actually each host would have multiple IPv6 addresses, which could well change so making it a bit pointless. So the idea that ‘SERVER1’s’ address is xyz, became somewhat redundant.

As I understand things, the IP changing was a result of privacy extensions to reduce tracking across different networks of mobile clients.

https://datatracker.ietf.org/doc/html/rfc4941

But yes, IPv6 was intended for hosts to have multiple addresses on the same interface.

Not sure why they thought that would be a good idea.

tip pc Silver badge

Re: The real reason nobody wants to use it

@Excused Boots

10.16.14.12, does sound like it’s four numbers, no it is actually a single 32 bit decimal number which happens to be expressed in that way to make it easier for us meatbags to process. Every network device on the planet sees it as a single number of a fixed size, ie 32 decimal bits.

Nope,

It's 4 x 8-bit numbers, 0-255 (256 total numbers).

IP addresses are hierarchical & the word boundaries are important. The host uses the subnet mask to know what parts of the address are the subnet the host is on & therefore reachable directly, & everything else needs to go via the gateway as specified in the route table.

There is nuance in there.
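The two descriptions in this exchange (one 32-bit value versus four 8-bit fields, and the subnet mask deciding what is reachable directly) can both be made concrete in a few lines. The following is an added example, not code from the thread; `as_u32`, `from_u32`, `same_subnet` and `next_hop` are this example's own names, and the 10.16.14.x addresses are the ones quoted in the post, used here as constructed sample input.

```python
import ipaddress


def octets(addr: str) -> list:
    """Split a dotted quad into its four 8-bit fields, validating each."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 dotted quad: {addr}")
    return parts


def as_u32(addr: str) -> int:
    """The same address seen as a single 32-bit integer (what the wire carries)."""
    o = octets(addr)
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def from_u32(n: int) -> str:
    """Back from the 32-bit integer to the human-readable dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Apply the subnet mask bitwise: equal network parts mean on-link."""
    m = as_u32(mask)
    return (as_u32(a) & m) == (as_u32(b) & m)


def next_hop(host: str, mask: str, gateway: str, dest: str) -> str:
    """Simplified route decision: on-link destinations go direct, the rest
    go to the gateway. Uses the standard library for the prefix maths."""
    net = ipaddress.IPv4Network((host, mask), strict=False)
    return "direct" if ipaddress.IPv4Address(dest) in net else gateway


if __name__ == "__main__":
    host, gw = "10.16.14.12", "10.16.14.1"
    print(hex(as_u32(host)), from_u32(as_u32(host)))
    for mask in ("255.255.255.0", "255.255.0.0"):
        # The same destination is on-link or not depending only on the mask.
        print(mask, next_hop(host, mask, gw, "10.16.15.5"))
```

The point the example makes is that the "word boundary" in the dotted notation is only a convention for people; the host's decision comes from the mask applied to the whole 32-bit value, so a /16 and a /24 on the same address give different answers for the same destination.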

tip pc Silver badge
Pint

Just ratify NAT & let us have at it!!!

"IPv6 was an extremely conservative protocol that changed as little as possible," APNIC chief scientist Geoff Huston told The Register. "It was a classic case of mis-design by committee."

And that notional committee made one more critical choice: IPv6 was not backward-compatible with IPv4, meaning users had to choose one or the other – or decide to run both in parallel.

For many, the decision of which protocol to use was easy because IPv6 didn't add features that represented major improvements.

"One big surprise to me was how few features went into IPv6 in the end, aside from the massive expansion of address space," said Bruce Davie, a veteran computer scientist recently honored with a lifetime achievement award by the Association for Computing Machinery's Special Interest Group on Data Communications, which lauded him for "fundamental contributions in networking systems through design, standardization, and commercialization of network protocols and systems."

Davie said many of the security, plug-and-play, and quality of service features that didn't make it into IPv6 were eventually implemented in IPv4, further reducing the incentive to adopt the new protocol. "Given the small amount of new functionality in v6, it's not so surprising that deployment has been a 30 year struggle," he said.

that last statement can't be emphasised enough

Another innovation that meant IPv6 made less sense was network address translation (NAT), which allows many devices to share a single public IPv4 address. NAT meant IPv4 network operators could connect thousands of devices with a single IP address, meaning their existing IP addresses became more useful.

"These solutions were relatively easy to deploy, aligned with existing expertise, and avoided large-scale infrastructure changes," said Alvaro Vives, manager of the learning and development team at RIPE NCC, the regional internet registry for 76 nations across Europe, the Middle East, and Central Asia.

Another positive for NAT is that it shielded broadband users from unsolicited inbound connectivity without the complication of end users having to configure firewall policies. Setting up port forwarding is non-trivial, so software engineers needed to come up with better ways of supporting clients behind NAT. NAT provides a protocol-level backstop to guard against misconfiguration of inbound connectivity.

Many see NAT as a negative; I suspect they weren't about in the dial-up days, when machines were infiltrated by unsolicited connections in a matter of minutes. Yes, the IPv6 address range is huge and reduces the likelihood of scanning, but security by obscurity is not a good thing.

"In fact, IPv4's continued viability is largely because IPv6 absorbed that growth pressure elsewhere – particularly in mobile, broadband, and cloud environments," he added. "In that sense, IPv6 succeeded where it was needed most, and must be regarded as a success."

pure nonsense

RIPE NCC's Alvaro Vives agrees. "What IPv6 got right was its long-term design," he told The Register. "It provides a vast address space that allows networks to be planned more simply and consistently. This has enabled innovation, from large mobile networks to the Internet of Things and advanced routing techniques such as Segment Routing over IPv6."

Again nonsense: innovation has been reduced in IPv6 because of this end-to-end connectivity dogma, which is a fallacy.

APNIC's Huston, however, thinks that IPv6 has become less relevant to the wider internet.

"I would argue that we actually found a far better outcome along the way," he told The Register. "NATS forced us to think about network architectures in an entirely different way."

That new way is encapsulated in a new technology called Quick UDP Internet Connections (QUIC), that doesn't require client devices to always have access to a public IP address.

"We are proving to ourselves that clients don't need permanent assignment of IP address, which makes the client side of network far cheaper, more flexible, and scalable," he said.

We need to roll those familiar techniques from IPv4 to IPv6; let us innovate by migrating our current tools and experience, which make use of the characteristics of NAT.

"So folk use IPv6 these days based on cost: If the cost of obtaining more IPv4 addresses to fuel bigger NATs is too high, then they deploy IPv6. Not because it's better, but if they are confident that they can work around IPv6's weaknesses then in a largely name based world there is no real issue in using one addressing protocol or another as the transport underlay."

Tru Dat

Many shriek that NAT is bad because it breaks the end-to-end principle.

https://en.wikipedia.org/wiki/End-to-end_principle

The end-to-end (E2E) principle is a design principle in computer networking that requires application-specific features (such as reliability and security) to be implemented in the communicating end nodes of the network, instead of in the network itself

Truth is that firewalls, load balancers, IPS etc. also violate the end-to-end principle, yet they are recommended for IPv6 to serve use cases.

An inherent characteristic of NAT is that the protocol itself provides a mechanism to prevent inbound connectivity. This provides a backstop for firewall misconfigurations.

Yes, lots of things should be done properly to prevent unsolicited inbound connections, but any regular here knows how often misconfigurations result in breaches, and lessons should be learnt etc.

I guess what is really telling is how cloud providers have reintroduced NAT safety properties internally to mitigate issues from misconfigurations:

AWS

What actually happens: Security Groups = mandatory stateful inbound deny.
Instances are not reachable unless: explicit rule, explicit association.
Even then: no direct L2 reachability, controlled attachment.
This is structural non-addressability, not just firewalling.

GCP

IPv6 instances exist.
Inbound traffic requires explicit firewall rules and explicit target tags.
No accidental exposure, no implicit reachability.
Again: policy enforced as architecture.

Azure

IPv6 supported. NSGs are mandatory. No “raw” IPv6 exposure.
Host intent + admin intent required.

The pattern

Clouds implement: “Nothing is reachable unless multiple independent systems agree.”

That’s NAT’s philosophy — without address rewriting.

NAT is a lot easier than that mess in the big 3 cloud providers
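
The "backstop" behaviour the post argues for, as an added toy model (not code from the post, from The Register, or from any real NAT implementation): a NAPT gateway whose inbound path only knows destinations that exist in its translation table (active mappings or explicit port forwards), placed beside a plain routed gateway whose internal hosts are directly addressable and protected only by a stateful firewall rule. Packets, addresses (RFC 5737 documentation ranges and RFC 1918 space) and the "misconfigured allow-all" setting are all constructed assumptions for the example.

```python
"""Added example: why a NAT table acts as a backstop when the firewall is wrong.

Two gateways are modelled.  The NAPT gateway rewrites outbound sources and
can only deliver an inbound packet to an address it finds in its state
table or its port-forward table; with nothing matching there is simply no
internal destination, whatever the inbound firewall default says.  The
routed gateway leaves internal hosts directly addressable, so a firewall
default that was misconfigured to allow everything exposes them.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Gateway:
    public_ip: str
    do_nat: bool
    inbound_default_allow: bool = False   # True models a misconfigured firewall
    port_forwards: dict = field(default_factory=dict)   # (proto, pub_port) -> (ip, port)
    _nat: dict = field(default_factory=dict)            # (proto, pub_port) -> (ip, port)
    _sessions: set = field(default_factory=set)         # routed case: outbound 5-tuples
    _next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside.  Records state; with NAT, rewrites the source."""
        if not self.do_nat:
            self._sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return pkt
        key = (pkt.proto, self._next_port)
        self._nat[key] = (pkt.src_ip, pkt.src_port)
        self._next_port += 1
        return Packet(pkt.proto, self.public_ip, key[1], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  Returns the delivered packet, or None if dropped."""
        if self.do_nat:
            key = (pkt.proto, pkt.dst_port)
            target = self._nat.get(key) or self.port_forwards.get(key)
            if target is None:
                return None   # no translation, so no internal destination exists
            ip, port = target
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        # Routed: the host is addressable; only the firewall decision remains.
        reply_to = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_to in self._sessions or self.inbound_default_allow:
            return pkt
        return None


def scenarios() -> dict:
    """Run the constructed cases and return what each gateway delivered."""
    results = {}
    attacker = Packet("tcp", "203.0.113.9", 55555, "198.51.100.1", 22)

    # NAPT gateway with a firewall misconfigured to allow all inbound.
    nat = Gateway(public_ip="198.51.100.1", do_nat=True, inbound_default_allow=True)
    out = nat.outbound(Packet("tcp", "192.168.1.10", 50000, "203.0.113.50", 443))
    reply = Packet("tcp", "203.0.113.50", 443, out.src_ip, out.src_port)
    results["nat_reply"] = nat.inbound(reply)                        # delivered to 192.168.1.10
    results["nat_unsolicited_allow_all"] = nat.inbound(attacker)     # dropped: nothing to map to
    nat.port_forwards[("tcp", 22)] = ("192.168.1.20", 22)
    results["nat_port_forward"] = nat.inbound(attacker)              # delivered only once forwarded

    # Routed gateway, correct deny-by-default firewall.
    routed_ok = Gateway(public_ip="198.51.100.1", do_nat=False)
    routed_ok.outbound(Packet("tcp", "198.51.100.20", 50000, "203.0.113.50", 443))
    results["routed_reply"] = routed_ok.inbound(
        Packet("tcp", "203.0.113.50", 443, "198.51.100.20", 50000))
    probe = Packet("tcp", "203.0.113.9", 55555, "198.51.100.20", 22)
    results["routed_firewall_deny"] = routed_ok.inbound(probe)       # dropped by policy

    # Routed gateway, firewall misconfigured to allow all inbound.
    routed_bad = Gateway(public_ip="198.51.100.1", do_nat=False, inbound_default_allow=True)
    results["routed_allow_all"] = routed_bad.inbound(probe)          # delivered: host exposed
    return results


if __name__ == "__main__":
    for name, delivered in scenarios().items():
        print(f"{name:28s} -> {delivered}")
```

The toy keys its inbound lookup on the public port alone, so while a mapping is alive any outside host that learns the port can reach the internal socket; real NAPT boxes differ in how strictly they also check the remote endpoint (RFC 4787's mapping and filtering behaviours). That is the reason to read the translation table as a backstop behind a filter, not as a replacement for one, and it is also why the cloud lists above pair non-addressability with an explicit rule rather than relying on either alone.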

tip pc Silver badge

Re: The real reason nobody wants to use it

It’s because the IPv6 RFC people refuse to ratify NAT.

NAT isn’t needed for addresses in IPv6, but it does provide a nice safety net to guard against misconfigurations.

Crims disconnect Wired subscribers from their privacy, publish deets online

tip pc Silver badge

@pc-fluesterer.info

AFAICS there were no credentials leaked.

Credentials in this case are the email, home address, phone number & name. The article has no mention of passwords being included, which I think is what you inferred by 'credential'.

The current leak is centered around readers of Wired magazine. The miscreants published 2.3 million emails, which had the names of 285,000 subscribers, 108,000 home addresses, and 32,000 phone numbers.