mewse posted:I'm a shoretel admin (kill me) I work on Fonality PBXs every now and then. A system got hacked (unauthorized root access) and while looking into how it seems all the Fonality deployments have a user for Polycom set with a default password (22222 iirc) and read/write/execute permissions. The default iptables does not lock down shell access either so yay.

Jan 5, 2018 16:14

quote: BlueCat has become aware of the “Spectre” and “Meltdown” vulnerabilities. The description of these vulnerabilities is as follows: Well there's all my DNS infrastructure...

Jan 5, 2018 16:40

Yeah, just another reminder that Spectre and Meltdown are privilege escalation attacks on the physical hardware. Unless the attacker is already capable of executing code on the same hardware as the target, there is no danger. So private hosted servers where all software is trusted, on all VM's, from hypervisor down to services, are no concern if there aren't other remote code execution attacks possible. (Unless the normal operation of the service involves downloading and executing untrusted code.) Be concerned about services on public shared hosting/public clouds, and about clients running web browsers visiting untrusted sites. That's my take on the security implications.

Jan 5, 2018 17:26

nielsm posted:Yeah, just another reminder that Spectre and Meltdown are privilege escalation attacks on the physical hardware. Unless the attacker is already capable of executing code on the same hardware as the target, there is no danger. So private hosted servers where all software is trusted, on all VM's, from hypervisor down to services, are no concern if there aren't other remote code execution attacks possible. (Unless the normal operation of the service involves downloading and executing untrusted code.) But attacks through JavaScript are possible (Edge/Explorer, Firefox, Safari and Chrome are all being updated to make this harder), so any computer used to browse the web is currently vulnerable.

Jan 5, 2018 17:40

Don’t forget that these exploits also apply to workstations, and there is a PoC that demonstrates harvesting passwords in Firefox. E: beaten

Jan 5, 2018 17:45

chin up everything sucks posted:But attacks through JavaScript are possible (Edge/Explorer, Firefox, Safari and Chrome are all being updated to make this harder), so any computer used to browse the web is currently vulnerable. Yes, I did write "clients running web browsers". My point is more that you probably don't need to patch the bare-metal DNS server sitting in a closet, at least not right away.

Jan 5, 2018 17:47

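An added check, not from any poster in this thread, for the question nielsm raises about which boxes need the patch right away: since Linux 4.15 the kernel reports its own mitigation state under /sys/devices/system/cpu/vulnerabilities/, one file per issue, so an admin can confirm whether the DNS server in the closet is actually mitigated instead of guessing. The function and sample-directory names are mine, the directory is a parameter so the script runs offline against a constructed sample, and the sample status strings are constructed to resemble what a patched early-2018 kernel reports.

```sh
#!/bin/sh
# Added example, not from the thread. Summarise what the kernel itself reports
# about Spectre/Meltdown mitigation. Linux 4.15+ exposes one file per issue in
# /sys/devices/system/cpu/vulnerabilities/, each holding one of:
#   "Not affected", "Vulnerable[: detail]" or "Mitigation: <what was applied>".
# Exit status: 0 = nothing reported Vulnerable, 1 = at least one entry is
# Vulnerable or unreadable, 2 = interface absent (kernel predates the report;
# treat that as unpatched rather than as safe).
cpu_vuln_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities interface at $dir (kernel older than 4.15?)" >&2
        return 2
    fi
    bad=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            echo "$name: UNKNOWN (no entry)"
            bad=1
            continue
        fi
        line=$(cat "$f")
        case $line in
            "Not affected"*) echo "$name: OK ($line)" ;;
            Mitigation:*)    echo "$name: MITIGATED ($line)" ;;
            Vulnerable*)     echo "$name: VULNERABLE ($line)"; bad=1 ;;
            *)               echo "$name: UNKNOWN ($line)"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample directory mimicking an early-2018 kernel with the Meltdown
# fix (PTI) applied but Spectre v2 still unmitigated. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run against the constructed sample; the live system is checked
# by calling cpu_vuln_status with no argument.
sample=$(make_sample_dir)
cpu_vuln_status "$sample" || echo "=> action needed (exit status $?)"
rm -rf "$sample"
```
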
Ars has the best average-level-nerd summary of the CPU stuff I've found: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

Jan 5, 2018 21:44

Raspberry Pi Foundation has a remarkably good explanation too.

Jan 5, 2018 22:54

Dick Trauma posted:I would like to see an office cubicle farm where all the walls are only knee height. I will not take a picture of my "pod" for you.

Jan 6, 2018 01:05

Bob Morales posted:When we first got them, we were breaking the internal storage because we had logging turned on, so we switched over to FortiCloud after they realized that was happening to people (took them two months) and pushed out some updates. All UTM boxes are poo poo, they're just all poo poo in different ways.

Jan 6, 2018 01:09

FungiCap posted:Glad to see nothing has changed with Fortinet since I stopped working for a company that used quite a few of them. I can't tell you how many times the web daemon would crash for the Fortigates (in HA pairs no less) and other unexplainable poo poo like the NTP server feature ceasing to function randomly (which was a big deal for us). Shame because I actually like the feature-set and how things are organized for FortiGate's but their reliability is so poo poo I would never put them in production again as a network engineer if I had the option. We rarely have problems with them at this point, though we did just turn up a new customer site with an HA pair of 100Es on 5.4.7 code, and random failovers have happened 4-5 times in 3 months. After the second time it happened I opened a ticket, the engineer thought it was dropped packet on the cable between the pair, swapped that, then it happens twice more, deal with support again, it gets escalated because I want an RCA at this point by someone that knows this poo poo. As soon as the T2 engineer started looking at it, he was like yeahhh this version has a bug in HA that can cause this exact problem... Where The gently caress Do You Inform People Of This You Dicks. Otherwise we have zero reliability issues with the devices, but we learned early about the logging issue Bob ran into and threw up a FAZ. The FMG is loving dog poo poo other than pushing out scripts to affect all devices with the same changes, restoring an RMA'd device from it is so god drat stupid, I have to configure the new device enough that it can get on the internet and then I have to attach it to FMG and push the old config to it, why the gently caress can't I download the config and slap it on there directly (I can KIND of, but I have to delete a bunch of poo poo then manually config the poo poo I deleted like SSL certs, passwords and a bunch of other garbage anyway). 
*edit* Also their T1 support is hit and miss, most of the US support is good (though I've had 1 or 2 bad dudes), their off-shore support is about 50/50, I've had guys that really knew their poo poo and should probably be T2 techs, but some that probably know less than I do.
MF_James fucked around with this message at 01:32 on Jan 6, 2018

Jan 6, 2018 01:20

I pushed out the Windows patch. May God have mercy on our souls.

Jan 6, 2018 01:26

Pretty sure this patch is a good sign God hates us all

Jan 6, 2018 02:31

Tickets came in. One was about tablets we use for checking in vehicles and equipment. I had called and talked to the guys because they don’t respond to tickets unless they have something lovely to say. One ticket was “re-opened” because our ever wonderful manager over there decided the world was coming to an end and the tablets (which were still working) “were all down”. The final admonition was “you need to note everything in the tickets before you close them.” Good advice you say? I would agree if the other ticket didn’t come in. Another sky-is-falling Manager giving us a ticket from September saying it still wasn’t fixed. Even though literally in the ticket the user replied that it was fixed. When I’m the only person in the office and am just trying to keep up with the avalanche of poo poo that you just keep throwing at me, don’t bitch at me for not noting “user has non-functional brain” when that’s very obviously the problem and you don’t give a gently caress what the notes say anyway.
Ugato fucked around with this message at 03:52 on Jan 6, 2018

Jan 6, 2018 03:45

I'm worried. The police department wants to use the house wireless network for uploading their body cam footage. We have nice stuff (Extreme wireless 3825 and 3965s, about 100 in total) but I'm genuinely worried about overall performance when 5 or 6 of them pull up to a fire station, hook into the outdoor APs and start pushing gigs upon gigs of video across it, especially considering the fact that a lot of the outlying areas have older switches that can only support 1 gig SFPs, in addition to saturating the shared bandwidth of the radios, then throw in a full conversion to VOIP this year. This will also throw the wireless, which is generally considered a luxury now, into a public safety issue if something goes awry. Apparently using their air cards is cost prohibitive.

Jan 6, 2018 16:07

Farking Bastage posted:I'm worried. The police department wants to use the house wireless network for uploading their body cam footage. We have nice stuff (Extreme wireless 3825 and 3965s, about 100 in total) but I'm genuinely worried about overall performance when 5 or 6 of them pull up to a fire station, hook into the outdoor APs and start pushing gigs upon gigs of video across it, especially considering the fact that a lot of the outlying areas have older switches that can only support 1 gig SFPs, in addition to saturating the shared bandwidth of the radios, then throw in a full conversion to VOIP this year. This will also throw the wireless, which is generally considered a luxury now, into a public safety issue if something goes awry. Apparently using their air cards is cost prohibitive. Police murdered 5 puppies...footage was unrecoverable due to 'technical issues'.

Jan 6, 2018 18:01

Farking Bastage posted:I'm worried. The police department wants to use the house wireless network for uploading their body cam footage. We have nice stuff (Extreme wireless 3825 and 3965s, about 100 in total) but I'm genuinely worried about overall performance when 5 or 6 of them pull up to a fire station, hook into the outdoor APs and start pushing gigs upon gigs of video across it, especially considering the fact that a lot of the outlying areas have older switches that can only support 1 gig SFPs, in addition to saturating the shared bandwidth of the radios, then throw in a full conversion to VOIP this year. This will also throw the wireless, which is generally considered a luxury now, into a public safety issue if something goes awry. Apparently using their air cards is cost prohibitive. QoS that traffic to the lowest priority throughout the entire network. It will eat up idle bandwidth without ruining everything else.

Jan 6, 2018 20:55

Judge Schnoopy posted:QoS that traffic to the lowest priority throughout the entire network. It will eat up idle bandwidth without ruining everything else. 100% this. You might give it more access during later hours if you get complaints and just have them leave their cams to upload overnight. This might be a KISS situation though.

Jan 6, 2018 22:07

Pretty much. ^^. Another thought I’ve had is to transition to a cloud/local hybrid controller configuration: for known upload spots, pop an AP behind a Comcast modem and keep as much as possible off the house network. The video will be going offsite as of the last meeting about it.

Jan 7, 2018 15:58

You could also set up an access point or two specifically for just the body cams, shove them on their own vlan and set the radios to whatever frequency you aren't using for your main network and let them have at.

Jan 7, 2018 23:07

Methylethylaldehyde posted:You could also set up an access point or two specifically for just the body cams, shove them on their own vlan and set the radios to whatever frequency you aren't using for your main network and let them have at. This! Bonus if they support 5GHz.

Jan 7, 2018 23:25

Dick Trauma posted:I pushed out the Windows patch. May God have mercy on our souls. I believe the correct version for incoming fire is "For what we are about to receive, dear Lord make us thankful."
Zamboni Apocalypse fucked around with this message at 19:15 on Jan 8, 2018

Jan 8, 2018 19:13

Dick Trauma posted:I pushed out the Windows patch. May God have mercy on our souls. Godspeed

Jan 8, 2018 19:15

Proteus Jones posted:When they're working, they hum along with nary a complaint. Until they don't and all hell breaks loose. It’s the same for me with Sonicwall. I have three units that are utterly bombproof and have been running for over a decade. And a fourth that I keep as a backup because its stability is poo poo. Once upon a time I tried out a pair of Fortinet devices in a satellite office and they sucked so hard I tossed them for a pfSense PC until I had the funds for a sonicwall. Funny how people get lucky with a brand and stick with it when in actuality all products are equally lovely. It simply depends on if your work style and support style are compatible with a particular set of shittiness. Also: I love handholding customers through their grief when I tell them that they will have to patch and reboot fleets of EC2 instances immediatelynownownow. At least I have the comfort of knowing that Azure is going through the same pain...

Jan 8, 2018 22:33

I have an Adtran in my server rack, just waiting to be plugged back in when the Fartinet craps out.

Jan 8, 2018 22:36

My experience with Sonicwall has been terrible. We got onto the Gen6 train far too early (had no option though unless we wanted to buy old hardware) and it was a complete shitshow for a very long time. I still would try and avoid having things like a VLAN-tagged WAN interface because so much stuff just flat-out broke the last time I tried it. I have a Fortigate E-series running 5.6 and it's nice but the UI tries to be too friendly. The amount of poo poo you can't edit once it's in use is infuriating as well, and the CLI is pretty horrific. In short: all SMB UTM type appliances are pieces of poo poo in their own ways.
Thanks Ants fucked around with this message at 22:48 on Jan 8, 2018

Jan 8, 2018 22:45

Agrikk posted:It’s the same for me with Sonicwall. I have three units that are utterly bombproof and have been running for over a decade. And a fourth that I keep as a backup because its stability is poo poo. I really wanted to like SonicWall, I did. I was given one by a friend after a local doctor's office closed up shop. Trying to get it registered and working was impossible.

Jan 8, 2018 22:47

A ticket came in... The licenses have expired. 1/7/2018. I've been HOUNDING 4 different departments since November about the fact that they need to renew their Adobe CC subscriptions. Not a single loving response to any of it. The licenses expired on Sunday and today has been an absolute shitstorm of "OH MY GOD MY PHOTOSHOP. I CAN'T WORK!" Good. gently caress you.

Jan 8, 2018 22:58

GnarlyCharlie4u posted:A ticket came in... I'm confused, why are you in charge of notifying for 4 different dept renewals? Why don't you just renew it all and charge back the dept?

Jan 8, 2018 23:13

incoherent posted:I'm confused, why are you in charge of notifying for 4 different dept renewals? Why don't you just renew it all and charge back the dept? This seems like a disingenuous question.

Jan 8, 2018 23:27

GnarlyCharlie4u posted:A ticket came in... My Adobe CC renewal was in August. I didn't ask anyone anything. I generated a report that broke out each subscription by department/user and sent it to our AP department. About a week later I got a notification that it was paid.

Jan 8, 2018 23:36

The Fool posted:My Adobe CC renewal was in August. I didn't ask anyone anything. I generated a report that broke out each subscription by department/user and sent it to our AP department. About a week later I got a notification that it was paid. I can't even begin to explain how jealous I am. I tried that last year and it didn't go so well. Each department still has to get a PO signed and completed and sent in to procure the software licenses and for some loving reason it still has to go through IT to actually place the order. On top of that, last year I proactively got separate renewal quotes for each department, created the POs for them. Next year I'm taking the fuckit approach. "Sorry we don't do renewals. If you want a license, you can send us a ticket."

Jan 9, 2018 00:45

Are you not on CC Teams? For us, it's just one PO for every subscription, AP gets each department's billing code after I send the report that breaks out who uses what, and we cut a check.

Jan 9, 2018 00:52

The Fool posted:Are you not on CC Teams? We are. Our finance department "doesn't feel like doing all that." And for some reason putting separate line items on a single PO is "heresy of the highest order!" Even though we do that for like a million other things. I'm not sure if I posted the saga of our new Xerox contract or not but it's been like 3 years and that whole rat's nest is still hosed. We went 12 loving months without paying a single bill for absolutely no reason other than, Finance didn't feel like doing their jobs.

Jan 9, 2018 01:00

the saga

Jan 9, 2018 01:30

I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right. We ended up having to revert the config on the primary, fail it back over then revert the secondary. I'll be on the phone with someone in Israel a lot tomorrow, looks like.

Jan 9, 2018 01:33

Farking Bastage posted:I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right. We ended up having to revert the config on the primary, fail it back over then revert the secondary. I'll be on the phone with someone in Israel a lot tomorrow, looks like. That’s a lot of effort to stop dick pics, just saying.

Jan 9, 2018 01:37

movax posted:That’s a lot of effort to stop dick pics, just saying. Hahahaha. Tell me about it. The request came from the 911 dispatch management... makes ya wonder.

Jan 9, 2018 02:10

Farking Bastage posted:Hahahaha. Tell me about it. The request came from the 911 dispatch management... makes ya wonder. "911, what's your emergency?" "Does this look infected to you? *sends dick pic with dog filter*"

Jan 9, 2018 02:28

Farking Bastage posted:I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right. After about two trips in the cold and snow I bought a UPS with a web interface for the power outlets.

Jan 9, 2018 02:59