Alighieri
Dec 10, 2005


:dukedog:

mewse posted:

I'm a ShoreTel admin (kill me)

Configuration and call records are stored in MySQL databases that have default usernames and passwords and aren't limited to connections from localhost.

User account passwords are hashed with non-salted MD5.

There's more but I don't want to think about it right now.

I work on Fonality PBX's every now and then. A system got hacked (unauthorized root access) and while looking into how it seems all the Fonality deployments have a user for Polycom set with a default password (22222 iirc) and read/write/execute permissions. The default iptables does not lock down shell access either so yay.
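As an added illustration of the hashing point in mewse's quoted post (editor-supplied example code, not ShoreTel's or Fonality's; the user names and passwords are constructed), this shows why unsalted MD5 is a problem even before anyone tries to crack it: equal passwords map to equal digests, so one cracked hash or one precomputed table covers every account that shares the password. The hardened form beside it uses a random per-user salt, a slow KDF (PBKDF2-HMAC-SHA256 from the standard library), a self-describing stored record, and a constant-time comparison on verify.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users happen to have chosen the same password.
SAMPLE_USERS = {
    "alice": "Winter2018!",
    "bob": "Winter2018!",
    "carol": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def md5_unsalted(password: str) -> str:
    """The weak scheme described in the thread: bare MD5, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: 16 random salt bytes, PBKDF2-HMAC-SHA256, and a record
    that carries its own scheme, iteration count and salt so it can be re-verified later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def collisions_in_table(table: dict) -> dict:
    """Group user names by stored hash. Any group larger than one means the
    stored values alone reveal that those users share a password."""
    by_hash = {}
    for user, stored in table.items():
        by_hash.setdefault(stored, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def build_tables(users=SAMPLE_USERS):
    """Return (weak_table, strong_table) for the same set of users."""
    weak = {u: md5_unsalted(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted MD5 groups sharing a digest:", collisions_in_table(weak))
    print("salted PBKDF2 groups sharing a digest:", collisions_in_table(strong))
    print("verify alice:", verify_password(strong["alice"], SAMPLE_USERS["alice"]))
    print("verify alice, wrong password:", verify_password(strong["alice"], "nope"))
```

Running it shows alice and bob grouped together under the MD5 table and no groups at all under the PBKDF2 table; the `collisions_in_table` check is also a cheap audit you can run over an existing user table to see whether its hashes leak password reuse.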


Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!

quote:

BlueCat has become aware of the “Spectre” and “Meltdown” vulnerabilities. The descriptions of these vulnerabilities are as follows:

CVE-2017-5715 (Spectre): Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2017-5753 (Spectre): Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2017-5754 (Meltdown): Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

BlueCat has assessed the vulnerabilities and all supported versions of Address Manager and DNS/DHCP Server are affected. Exploiting these vulnerabilities requires local access to the Address Manager and DNS/DHCP Server appliances. In virtual environments, these vulnerabilities can be exploited through local access or as a result of data breach between virtual machines.

BlueCat recommends customers running Address Manager and DNS/DHCP Server in virtual environments to contact their hypervisor vendors to ensure that their environments are also patched.

BlueCat is currently working on patches for all supported releases and will provide an update when it is available.

Well there's all my DNS infrastructure...

nielsm
Jun 1, 2009



Yeah, just another reminder that Spectre and Meltdown are privilege escalation attacks on the physical hardware. Unless the attacker is already capable of executing code on the same hardware as the target, there is no danger. So private hosted servers where all software is trusted, on all VM's, from hypervisor down to services, are no concern if there aren't other remote code execution attacks possible. (Unless the normal operation of the service involves downloading and executing untrusted code.)
Be concerned about services on public shared hosting/public clouds, and about clients running web browsers visiting untrusted sites.

That's my take on the security implications.

chin up everything sucks
Jan 29, 2012

nielsm posted:

Yeah, just another reminder that Spectre and Meltdown are privilege escalation attacks on the physical hardware. Unless the attacker is already capable of executing code on the same hardware as the target, there is no danger. So private hosted servers where all software is trusted, on all VM's, from hypervisor down to services, are no concern if there aren't other remote code execution attacks possible. (Unless the normal operation of the service involves downloading and executing untrusted code.)
Be concerned about services on public shared hosting/public clouds, and about clients running web browsers visiting untrusted sites.

That's my take on the security implications.

But attacks through JavaScript are possible (Edge/Explorer, Firefox, Safari and Chrome are all being updated to make this harder), so any computer used to browse the web is currently vulnerable.

The Fool
Oct 16, 2003


Don’t forget that these exploits also apply to workstations, and there is a PoC that demonstrates harvesting passwords in Firefox.

E: beaten

nielsm
Jun 1, 2009



chin up everything sucks posted:

But attacks through JavaScript are possible (Edge/Explorer, Firefox, Safari and Chrome are all being updated to make this harder), so any computer used to browse the web is currently vulnerable.

Yes, I did write "clients running web browsers".
My point is more that you probably don't need to patch the bare-metal DNS server sitting in a closet, at least not right away.
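Whether or not the closet DNS box gets deferred, the practical first step is an inventory of which machines already carry mitigations. The following is an added example (editor-supplied, not from any poster in this thread): Linux kernels that carry the 2018 mitigation patches expose one file per issue under `/sys/devices/system/cpu/vulnerabilities/` (`spectre_v1`, `spectre_v2`, `meltdown`) whose contents begin with `Mitigation:`, `Vulnerable` or `Not affected`. The script classifies those strings, treats a missing directory as "unknown" (an old kernel that predates the interface), and runs against a constructed set of sample hosts so it works offline; the status strings in `SAMPLE_HOSTS` are constructed samples, not output captured from any real machine. On Windows the equivalent check is Microsoft's `Get-SpeculationControlSettings` PowerShell cmdlet from the SpeculationControl module.

```python
from pathlib import Path

# Files the Linux kernel exposes once it carries the 2018 mitigation patches.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
WATCHED = ("spectre_v1", "spectre_v2", "meltdown")

# Constructed sample of what those files might contain on three hypothetical hosts.
SAMPLE_HOSTS = {
    "patched-vm": {
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
        "meltdown": "Mitigation: PTI",
    },
    "unpatched-closet-dns": {
        "spectre_v1": "Vulnerable",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
        "meltdown": "Vulnerable",
    },
    "old-kernel": {},  # directory absent: kernel predates the sysfs interface
}


def classify(status_line):
    """Map one sysfs status string to: mitigated, vulnerable, not_affected or unknown."""
    if status_line is None:
        return "unknown"
    s = status_line.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation:"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory=SYSFS_DIR):
    """Read the live files for this machine; returns {} when the directory is absent."""
    statuses = {}
    if not directory.is_dir():
        return statuses
    for name in WATCHED:
        f = directory / name
        if f.is_file():
            statuses[name] = f.read_text().strip()
    return statuses


def assess(statuses):
    """Per-issue classification plus an overall verdict and the list needing work.
    'unknown' is deliberately counted as needing attention: an absent file is
    not evidence of a mitigation."""
    result = {name: classify(statuses.get(name)) for name in WATCHED}
    needs_attention = [n for n, c in result.items() if c in ("vulnerable", "unknown")]
    result["overall"] = "ok" if not needs_attention else "needs_attention"
    result["needs_attention"] = needs_attention
    return result


def assess_samples(hosts=SAMPLE_HOSTS):
    """Assess every constructed sample host; used for the offline demonstration."""
    return {host: assess(st) for host, st in hosts.items()}


if __name__ == "__main__":
    for host, verdict in assess_samples().items():
        print(host, verdict)
    print("this machine:", assess(read_sysfs()))
```

Feeding `assess(read_sysfs())` into whatever inventory or monitoring you already run gives you a per-host list of what is still open, which is the information you need to decide what can wait and what cannot.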

Knormal
Nov 11, 2001

Ars has the best average-level-nerd summary of the CPU stuff I've found: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

BlankSystemDaemon
Mar 13, 2009



The Raspberry Pi Foundation has a remarkably good explanation too.

Grassy Knowles
Apr 4, 2003

"The original Terminator was a gritty fucking AMAZING piece of sci-fi. Gritty fucking rock-hard MURDER!"

Dick Trauma posted:

I would like to see an office cubicle farm where all the walls are only knee height.

I will not take a picture of my "pod" for you.

Thanks Ants
May 21, 2004

#essereFerrari


Bob Morales posted:

When we first got them, we were breaking the internal storage because we had logging turned on, so we switched over to FortiCloud after they realized that was happening to people (took them two months) and pushed out some updates.

I also just racked a couple of those for my old employer, they switched to Fortigate company-wide....ugh

All UTM boxes are poo poo, they're just all poo poo in different ways.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

FungiCap posted:

Glad to see nothing has changed with Fortinet since I stopped working for a company that used quite a few of them. I can't tell you how many times the web daemon would crash for the Fortigates (in HA pairs no less) and other unexplainable poo poo like the NTP server feature ceasing to function randomly (which was a big deal for us). Shame because I actually like the feature-set and how things are organized for FortiGate's but their reliability is so poo poo I would never put them in production again as a network engineer if I had the option.

We rarely have problems with them at this point, though we did just turn up a new customer site with an HA pair of 100Es on 5.4.7 code, and random failovers have happened 4-5 times in 3 months. After the second time it happened I opened a ticket, the engineer thought it was dropped packets on the cable between the pair, swapped that, then it happens twice more, deal with support again, it gets escalated because I want an RCA at this point by someone that knows this poo poo. As soon as the T2 engineer started looking at it, he was like yeahhh this version has a bug in HA that can cause this exact problem... Where The gently caress Do You Inform People Of This You Dicks.

Otherwise we have zero reliability issues with the devices, but we learned early about the logging issue Bob ran into and threw up a FAZ. The FMG is loving dog poo poo other than pushing out scripts to affect all devices with the same changes, restoring an RMA'd device from it is so god drat stupid, I have to configure the new device enough that it can get on the internet and then I have to attach it to FMG and push the old config to it, why the gently caress can't I download the config and slap it on there directly (I can KIND of, but I have to delete a bunch of poo poo then manually config the poo poo I deleted like SSL certs, passwords and a bunch of other garbage anyway).

*edit*
Also their T1 support is hit and miss, most of the US support is good (though I've had 1 or 2 bad dudes), their off-shore support is about 50/50, I've had guys that really knew their poo poo and should probably be T2 techs, but some that probably know less than I do.

MF_James fucked around with this message at 01:32 on Jan 6, 2018

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.
I pushed out the Windows patch. May God have mercy on our souls.

LethalGeek
Nov 4, 2009

Pretty sure this patch is a good sign God hates us all

Ugato
Apr 9, 2009

We're not?
Tickets came in. One was about tablets we use for checking in vehicles and equipment. I had called and talked to the guys because they don’t respond to tickets unless they have something lovely to say. One ticket was “re-opened” because our ever wonderful manager over there decided the world was coming to an end and the tablets (which were still working) “were all down”.

The final admonition was “you need to note everything in the tickets before you close them.”

Good advice you say? I would agree if the other ticket didn’t come in. Another sky-is-falling Manager giving us a ticket from September saying it still wasn’t fixed. Even though literally in the ticket the user replied that it was fixed.

When I’m the only person in the office and am just trying to keep up with the avalanche of poo poo that you just keep throwing at me, don’t bitch at me for not noting “user has non-functional brain” when that’s very obviously the problem and you don’t give a gently caress what the notes say anyway.

Ugato fucked around with this message at 03:52 on Jan 6, 2018

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
I'm worried. The police department wants to use the house wireless network for uploading their body cam footage. We have nice stuff ( Extreme wireless 3825 and 3965's, about 100 in total ) but I'm genuinely worried about overall performance when 5 or 6 of them pull up to a fire station, hook into the outdoor AP's and start pushing gigs upon gigs of video across it, especially considering the fact that a lot of the outlying areas have older switches that can only support 1 gig SFP's in addition to saturating the shared bandwidth of the radios, then throw in a full conversion to VOIP this year. This will also throw the wireless, which is generally considered a luxury now, into a public safety issue if something goes awry. Apparently using their air cards is cost prohibitive :(

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Farking Bastage posted:

I'm worried. The police department wants to use the house wireless network for uploading their body cam footage. We have nice stuff ( Extreme wireless 3825 and 3965's, about 100 in total ) but I'm genuinely worried about overall performance when 5 or 6 of them pull up to a fire station, hook into the outdoor AP's and start pushing gigs upon gigs of video across it, especially considering the fact that a lot of the outlying areas have older switches that can only support 1 gig SFP's in addition to saturating the shared bandwidth of the radios, then throw in a full conversion to VOIP this year. This will also throw the wireless, which is generally considered a luxury now, into a public safety issue if something goes awry. Apparently using their air cards is cost prohibitive :(

Police murdered 5 puppies...footage was unrecoverable due to 'technical issues'

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

Farking Bastage posted:

I'm worried. The police department wants to use the house wireless network for uploading their body cam footage. We have nice stuff ( Extreme wireless 3825 and 3965's, about 100 in total ) but I'm genuinely worried about overall performance when 5 or 6 of them pull up to a fire station, hook into the outdoor AP's and start pushing gigs upon gigs of video across it, especially considering the fact that a lot of the outlying areas have older switches that can only support 1 gig SFP's in addition to saturating the shared bandwidth of the radios, then throw in a full conversion to VOIP this year. This will also throw the wireless, which is generally considered a luxury now, into a public safety issue if something goes awry. Apparently using their air cards is cost prohibitive :(

QoS that traffic to the lowest priority throughout the entire network. It will eat up idle bandwidth without running everything else.

Virigoth
Apr 28, 2009

Corona rules everything around me
C.R.E.A.M. get the virus
In the ICU y'all......



Judge Schnoopy posted:

QoS that traffic to the lowest priority throughout the entire network. It will eat up idle bandwidth without running everything else.

100% this. You might give it more access during later hours if you get complaints and just have them leave their cams to upload overnight. This might be a KISS situation though

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
Pretty much. ^^ Another thought I’ve had is to transition to a cloud/local hybrid controller configuration for known upload spots: pop an AP behind a Comcast modem and keep as much as possible off the house network. The video will be going offsite as of the last meeting about it.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
You could also set up an access point or two specifically for just the body cams, shove them on their own vlan and set the radios to whatever frequency you aren't using for your main network and let them have at.

Wibla
Feb 16, 2011

Methylethylaldehyde posted:

You could also set up an access point or two specifically for just the body cams, shove them on their own vlan and set the radios to whatever frequency you aren't using for your main network and let them have at.

This! Bonus if they support 5GHz.

Zamboni Apocalypse
Dec 29, 2009

Dick Trauma posted:

I pushed out the Windows patch. May God have mercy on our souls.

I believe the correct version for incoming fire is "For what we are about to receive, dear Lord make us thankful."

Zamboni Apocalypse fucked around with this message at 19:15 on Jan 8, 2018

iospace
Jan 19, 2038


Dick Trauma posted:

I pushed out the Windows patch. May God have mercy on our souls.

Gods speed :patriot:

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

Proteus Jones posted:

When they're working, they hum along with nary a complaint. Until they don't and all hell breaks loose.

That's what's so frustrating about Fortigate. All this potential, right there lying just beyond my fingertips because I can't count on it for the long term.

It’s the same for me with Sonicwall. I have three units that are utterly bombproof and have been running for over a decade. And a fourth that I keep as a backup because its stability is poo poo.

Once upon a time I tried out a pair of Fortinet devices in a satellite office and they sucked so hard I tossed them for a PfSense PC until I had the funds for a sonicwall.

Funny how people get lucky with a brand and stick with it when in actuality all products are equally lovely. It simply depends on if your work style and support style are compatible with a particular set of shittiness.


Also: I love handholding customers through their grief when I tell them that they will have to patch and reboot fleets of EC2 instances immediatelynownownow. At least I have the comfort of knowing that Azure is going through the same pain...

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

I have an Adtran in my server rack, just waiting to be plugged back in when the Fartinet craps out.

Thanks Ants
May 21, 2004

#essereFerrari


My experience with Sonicwall has been terrible. We got onto the Gen6 train far too early (had no option though unless we wanted to buy old hardware) and it was a complete shitshow for a very long time. I still would try and avoid having things like a VLAN-tagged WAN interface because so much stuff just flat-out broke the last time I tried it.

I have a Fortigate E-series running 5.6 and it's nice but the UI tries to be too friendly. The amount of poo poo you can't edit once it's in use is infuriating as well, and the CLI is pretty horrific.

In short: all SMB UTM type appliances are pieces of poo poo in their own ways.

Thanks Ants fucked around with this message at 22:48 on Jan 8, 2018

Samizdata
May 14, 2007

Agrikk posted:

It’s the same for me with Sonicwall. I have three units that are utterly bombproof and have been running for over a decade. And a fourth that I keep as a backup because its stability is poo poo.

Once upon a time I tried out a pair of Fortinet devices in a satellite office and they sucked so hard I tossed them for a PfSense PC until I had the funds for a sonicwall.

Funny how people get lucky with a brand and stick with it when in actuality all products are equally lovely. It simply depends on if your work style and support style are compatible with a particular set of shittiness.


Also: I love handholding customers through their grief when I tell them that they will have to patch and reboot fleets of EC2 instances immediatelynownownow. At least I have the comfort of knowing that Azure is going through the same pain...

I really wanted to like SonicWall, I did. I was given one by a friend after a local doctor's office closed up shop. Trying to get it registered and working was impossible.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof
A ticket came in...

The licenses have expired. 1/7/2018.

I've been HOUNDING 4 different departments since November about the fact that they need to renew their Adobe CC subscriptions.
Not a single loving response to any of it.

The licenses expired on Sunday and today has been an absolute shitstorm of "OH MY GOD MY PHOTOSHOP. I CAN'T WORK!"

Good. gently caress you.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

GnarlyCharlie4u posted:

A ticket came in...

The licenses have expired. 1/7/2018.

I've been HOUNDING 4 different departments since November about the fact that they need to renew their Adobe CC subscriptions.
Not a single loving response to any of it.

The licenses expired on Sunday and today has been an absolute shitstorm of "OH MY GOD MY PHOTOSHOP. I CAN'T WORK!"

Good. gently caress you.

I'm confused, why are you in charge of notifying for 4 different dept renewals? Why don't you just renew it all and charge back the dept?

Jaded Burnout
Jul 10, 2004


incoherent posted:

I'm confused, why are you in charge of notifying for 4 different dept renewals? Why don't you just renew it all and charge back the dept?

This seems like a disingenuous question.

The Fool
Oct 16, 2003


GnarlyCharlie4u posted:

A ticket came in...

The licenses have expired. 1/7/2018.

I've been HOUNDING 4 different departments since November about the fact that they need to renew their Adobe CC subscriptions.
Not a single loving response to any of it.

The licenses expired on Sunday and today has been an absolute shitstorm of "OH MY GOD MY PHOTOSHOP. I CAN'T WORK!"

Good. gently caress you.

My Adobe CC renewal was in August. I didn't ask anyone anything. I generated a report that broke out each subscription by department/user and sent it to our AP department. About a week later I got a notification that it was paid.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

The Fool posted:

My Adobe CC renewal was in August. I didn't ask anyone anything. I generated a report that broke out each subscription by department/user and sent it to our AP department. About a week later I got a notification that it was paid.

I can't even begin to explain how jealous I am.
I tried that last year and it didn't go so well. Each department still has to get a PO signed and completed and sent in to procure the software licenses and for some loving reason it still has to go through IT to actually place the order. On top of that, last year I proactively got separate renewal quotes for each department, created the PO's for them, literally handed them everything they needed on a silver plate (okay it was in several emails and then an envelope placed directly in their hands) and they still couldn't be bothered to just sign the loving thing right there and give it back to me. Then in May (5 months after they expired) I get an angry email from DepartmentDirector about how we are slacking and not doing our jobs in IT and how dare we just let important things like license renewals slip through the cracks "PEOPLE LITERALLY CAN'T DO THEIR JOBS!"

Next year I'm taking the fuckit approach. "Sorry we don't do renewals. If you want a license, you can send us a ticket."

The Fool
Oct 16, 2003


Are you not on CC Teams?

For us, it's just one PO for every subscription, AP gets each departments billing code after I send the report that breaks out who uses what, and we cut a check.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

The Fool posted:

Are you not on CC Teams?

For us, it's just one PO for every subscription, AP gets each departments billing code after I send the report that breaks out who uses what, and we cut a check.

We are.
Our finance department "doesn't feel like doing all that." And for some reason putting separate line items on a single PO is "heresy of the highest order!" Even though we do that for like a million other things.

I'm not sure if I posted the saga of our new Xerox contract or not but it's been like 3 years and that whole rat's nest is still hosed.
We went 12 loving months without paying a single bill for absolutely no reason other than, Finance didn't feel like doing their jobs.

iospace
Jan 19, 2038


:justpost: the saga

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right. We ended up having to revert the config on the primary, fail it back over then revert the secondary. I'll be on the phone with someone in Israel a lot tomorrow looks like :(

movax
Aug 30, 2008

Farking Bastage posted:

I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right. We ended up having to revert the config on the primary, fail it back over then revert the secondary. I'll be on the phone with someone in Israel a lot tomorrow looks like :(

That’s a lot of effort to stop dick pics, just saying.

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!

movax posted:

That’s a lot of effort to stop dick pics, just saying.

Hahahaha. Tell me about it. The request came from the 911 dispatch management... makes ya wonder.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

Farking Bastage posted:

Hahahaha. Tell me about it. The request came from the 911 dispatch management... makes ya wonder.

"911, what's your emergency?"

"Does this look infected to you? *sends dick pic with dog filter*"


Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Farking Bastage posted:

I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right.

Long time ago we had an HA checkpoint setup that never failed over right. Spent like $10k in the licenses and installation and servers to run it on...our switch did something goofy with ports and caching MAC addresses so it never saw the failover switch, boss wouldn't spend $400 on a new switch so we had to walk across the street to power it down manually each time one failed.

After about two trips in the cold and snow I bought a UPS with a web interface for the power outlets :effort:
