Comment Re:Except Microsoft DID cause the underlying issue (Score 1) 166

You need to know about kernel development.

When you work in the kernel at ring 0 there are no safety nets; the only sane thing to do to avoid data corruption is to panic. This is true across all operating systems.

The problem here is Crowdstrike flagged the driver as required for boot.

You can't have it both ways: if a driver is required, you can't expect the OS to start deciding which drivers not to load. I'm not even sure it would be inherently apparent to the kernel which driver is causing the problem. It wouldn't be an immediate crash on load.

The only thing I might give a bit of blame to Microsoft for is that they certified a driver that essentially downloads and executes updates that bypass the usual certification and testing process. The problem is that if Microsoft didn't allow this, all the 3rd party AV/SEC vendors would be screaming antitrust.

Microsoft had built APIs to provide the required functionality without requiring a kernel driver, but the EU required it to be removed for antitrust reasons. If anyone deserves the blame besides Crowdstrike it's the EU.

The thing that made it really bad is that a lot of the same companies that have Crowdstrike also use BitLocker. Again, the only improvement I can see here is having a Safe Mode that prompts for the BitLocker keys rather than requiring an external USB, but that would likely decrease the effectiveness of FDE. I'm not all that familiar with BitLocker.

*sigh* Can't believe I'm defending Microsoft.

Comment Re:Fingers be flying! (Score 1) 166

Do you understand what happened?

I'm not a Microsoft proponent by any means and openly mock people for using Windows servers but I cannot see how this is a Microsoft problem.

Crowdstrike operates as a kernel mode device driver which on ANY of the current major OS will result in the same thing if the code crashes. Crowdstrike is incompetent and when the driver read a malformed definition file it resulted in a null pointer dereference. The kernel has to panic game over. Crowdstrike lists the driver as boot critical so on reboot you get a BSOD.

Microsoft even built APIs to put safety rails around the required functionality but the EU cried Antitrust.
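The two comments above describe the failure mode in prose: a ring-0 driver read a malformed definition file, dereferenced a null pointer, and the kernel had no option but to panic. Below is an added example (my own code, not CrowdStrike's or Microsoft's, and the record layout is invented for illustration rather than any vendor's real format) showing what the parser side of that discipline looks like: every count, length and pointer derived from the file is bounds-checked before use, a malformed file is rejected with a status code instead of being half-parsed, and a lookup that can fail returns NULL so the caller is forced to check it. The sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical definition-file layout (invented for this example):
 *   header : magic "DEFS" (4 bytes), count (u32, little-endian)
 *   record : kind (u8), len (u16, little-endian), payload (len bytes)
 * At ring 0 a file pulled in at runtime is untrusted input: validate
 * everything before touching it, and fail loudly rather than continue.
 */
enum def_status {
    DEF_OK            =  0,
    DEF_ERR_NULL      = -1,   /* NULL buffer or output pointer from caller */
    DEF_ERR_SHORT     = -2,   /* smaller than the fixed header */
    DEF_ERR_MAGIC     = -3,   /* wrong magic */
    DEF_ERR_TOO_MANY  = -4,   /* count exceeds caller's storage */
    DEF_ERR_TRUNCATED = -5,   /* record header or payload runs past the end */
    DEF_ERR_BAD_KIND  = -6    /* reserved kind value */
};

struct def_record {
    uint8_t        kind;
    uint16_t       len;
    const uint8_t *payload;   /* points into the caller's buffer */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse buf[0..size) into out[0..max_out). Never reads past size, never trusts count. */
enum def_status def_parse(const uint8_t *buf, size_t size,
                          struct def_record *out, size_t max_out, size_t *n_out)
{
    if (buf == NULL || out == NULL || n_out == NULL)
        return DEF_ERR_NULL;
    *n_out = 0;
    if (size < 8)
        return DEF_ERR_SHORT;
    if (memcmp(buf, "DEFS", 4) != 0)
        return DEF_ERR_MAGIC;

    uint32_t count = rd32(buf + 4);
    size_t off = 8;
    for (uint32_t i = 0; i < count; i++) {
        if (i >= max_out)
            return DEF_ERR_TOO_MANY;      /* bounded by our storage, not by the file's count */
        if (size - off < 3)
            return DEF_ERR_TRUNCATED;     /* no room for kind + len */
        uint8_t  kind = buf[off];
        uint16_t len  = rd16(buf + off + 1);
        off += 3;
        if (size - off < len)
            return DEF_ERR_TRUNCATED;     /* payload would run past the buffer */
        if (kind == 0)
            return DEF_ERR_BAD_KIND;
        out[i].kind = kind;
        out[i].len = len;
        out[i].payload = buf + off;
        off += len;
        *n_out = i + 1;
    }
    return DEF_OK;
}

/* First record of a given kind, or NULL. The caller MUST check for NULL
 * before dereferencing; skipping that check is the classic ring-0 crash. */
const struct def_record *def_find(const struct def_record *recs, size_t n, uint8_t kind)
{
    for (size_t i = 0; i < n; i++)
        if (recs[i].kind == kind)
            return &recs[i];
    return NULL;
}

/* Constructed sample inputs (not real definition files). */
static const uint8_t SAMPLE_GOOD[] = {
    'D','E','F','S', 2,0,0,0,        /* two records */
    1, 3,0, 'a','b','c',
    2, 1,0, 'z'
};
static const uint8_t SAMPLE_TRUNCATED[] = {
    'D','E','F','S', 2,0,0,0,
    1, 3,0, 'a','b','c',
    2, 9,0, 'z'                      /* len claims 9 bytes, only 1 follows */
};

/* Results are returned, not printed, so they can be checked. */
int demo_good_count(void)
{
    struct def_record r[4]; size_t n = 0;
    if (def_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, r, 4, &n) != DEF_OK) return -1;
    const struct def_record *z = def_find(r, n, 2);
    if (z == NULL || z->len != 1 || z->payload[0] != 'z') return -2;
    return (int)n;
}
int demo_truncated_status(void)
{
    struct def_record r[4]; size_t n = 0;
    return def_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, r, 4, &n);
}
int demo_missing_kind_is_null(void)
{
    struct def_record r[4]; size_t n = 0;
    def_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, r, 4, &n);
    return def_find(r, n, 7) == NULL;   /* kind 7 absent: lookup returns NULL, no crash */
}

int main(void)
{
    printf("good: %d records; truncated: status %d; missing kind -> NULL: %d\n",
           demo_good_count(), demo_truncated_status(), demo_missing_kind_is_null());
    return 0;
}
```

The shape matters more than the format: the loop is bounded by the caller's storage rather than by the file's own count field, every length is compared against the bytes remaining before it is used as an offset, and nothing partially parsed is ever handed to a consumer. In a real driver the status code would feed a decision to refuse the update and keep running on the last known-good definitions, which is the safety net the kernel itself cannot provide.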

Comment Re: Any time soon? (Score 1) 69

I think the problem is that most people think the speed of light is fast. Sure, it's incredibly fast in terms of what humans typically think of as speed, but if you want to get practically anywhere interesting the speed of light is incredibly slow.

That said, being able to move at, say, even 0.5c and not having to deal with acceleration would still be fairly interesting for exploring the solar system.

Comment Re:Do these benchmarks even matter? (Score 1) 40

It wasn't marketing that made me switch from Firefox to Chrome it was their abysmal performance and pointless UI fuckery.

This was forever ago but Firefox was eating up so much memory that it was unusable. Chrome handled the same workload with 1/4 of the memory and no performance issues.

I didn't want to switch. I wanted to support an OSS product. They forced me out.

Crowing about better performance on a 10-year-old JavaScript test that's irrelevant confirms they are still in desperate need of better leadership.

Comment Re: Let me see if I've got this right... (Score 5, Interesting) 139

I've run ISPs.

This goes fundamentally against how the internet works. Customers pay for internet access and that includes access to anything on the internet no matter who provides it. That is the fucking point.

It's not Netflix's problem that they failed to upgrade their networks. Netflix already goes out of their way with their caching boxes to mitigate the stress on the ISPs' networks.

Allowing them to get away with this would ruin the internet. Telcos are far more despicable than Netflix or Amazon in their practices and behavior; don't let your bias against these companies cloud your judgment.

What you're suggesting will ultimately turn the internet into a broken form of cable TV.

Comment Re: Has to be a lot better than BGP (Score 1) 97

    In order for hosts to autoconfigure Local IPv6 addresses, routers
    have to be configured to advertise Local IPv6 /64 prefixes in router
    advertisements, or a DHCPv6 server must have been configured to
    assign them. In order for a node to learn the Local IPv6 address of
    another node, the Local IPv6 address must have been installed in a
    naming system (e.g., DNS, proprietary naming system, etc.) For these
    reasons, controlling their usage in a site is straightforward.

    To limit the use of Local IPv6 addresses the following guidelines
    apply:

    - Nodes that are to only be reachable inside of a site: The local
      DNS should be configured to only include the Local IPv6
      addresses of these nodes. Nodes with only Local IPv6 addresses
      must not be installed in the global DNS.

    - Nodes that are to be limited to only communicate with other
      nodes in the site: These nodes should be set to only
      autoconfigure Local IPv6 addresses via [ADDAUTO] or to only
      receive Local IPv6 addresses via [DHCP6]. Note: For the case
      where both global and Local IPv6 prefixes are being advertised
      on a subnet, this will require a switch in the devices to only
      autoconfigure Local IPv6 addresses.

    - Nodes that are to be reachable from inside of the site and from
      outside of the site: The DNS should be configured to include
      the global addresses of these nodes. The local DNS may be
      configured to also include the Local IPv6 addresses of these
      nodes.

    - Nodes that can communicate with other nodes inside of the site
      and outside of the site: These nodes should autoconfigure global
      addresses via [ADDAUTO] or receive global address via [DHCP6].
      They may also obtain Local IPv6 addresses via the same
      mechanisms.
While it doesn't come straight out and say it, I'd argue the wording implies that nodes that need access to the Internet should have a second globally scoped address.

Demonstrably false.
Few protocols leak those, and generally require helpers.

Just to name a few: FTP, SIP, STUN, ICE. With a bit of JavaScript your browser can be tricked into accessing internal hosts on your LAN.

There is no modern-day distinction between NAT and PAT.

I use PAT to be specific.

Your opinion is noted, as stupid as it is.
Signed, an industry expert and veteran.

And now we are reduced to name-calling and appeals to authority.

Comment Re: Has to be a lot better than BGP (Score 1) 97

Non-globally routable networks that still need a way out have very real utility.
The fact that you *can* use globally scoped addresses in IPv6 due to the abundance of space doesn't mean the necessity is gone.
In IPv6, we have RFC4193 ULA addresses for that purpose, which are the same thing: Non-globally scoped address space. If you wish to give a ULA-only network internet access, you use NAT.

No, this is an abuse of ULA. The whole point of ULA is to ensure they never are reachable externally.

If you must have limited Internet connectivity best practice would be to use global space behind stateful inspection that only permits establishing traffic to a restricted subset of services.

If you want similar functionality you can simply deny any inbound traffic without a valid state. It's the exact same "security" function IPv4 NAT provides without the additional step of mangling the TCP/UDP headers.

Almost. It provides the same connection-tracked forwarding security that NAT provides.

It does not, however, provide the 1:N network obfuscation that NAT provides, and that does have real utility in the real world.

Which is practically useless. Nearly all protocols leak the local addresses anyway. If you are worried about the MAC address inclusion using stateless auto-configuration you can use RFC4941.

If you are worried about statically assigned servers you can, at assignment time, obfuscate the IP address. I'd argue, by your measure, that NAT provides significantly less "security" as PAT only has an address space of 2^16 whereas a single /64 has an address space of 2^32. If you really wanted to be paranoid you could assign a /64 per server and randomize the address.

NAT66 provides no value and would bring along all the breakage and stupidity that comes from NAT44.
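The comment above points at RFC4941 for the MAC-in-address problem and at randomizing the address within a /64 for static hosts. As an added example (my own code, not the poster's and not from any RFC implementation), the C below does the three concrete things that argument rests on: derives the modified EUI-64 interface identifier from a MAC the way RFC 4291 Appendix A specifies (ff:fe inserted, universal/local bit flipped), builds an address from a /64 prefix plus 64 caller-supplied random bits in the RFC 4941 spirit, and runs the check a defender would use over their own address logs to see whether an address still carries an EUI-64 identifier and therefore the MAC. The prefix 2001:db8::/64, the MAC 00:11:22:33:44:55 and the "random" bits are constructed values; a real implementation would take the 64 bits from the kernel CSPRNG.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4291 Appendix A: modified EUI-64 from a 48-bit MAC. The MAC goes into
 * the IID with ff:fe inserted in the middle and the universal/local bit
 * (0x02 of the first octet) inverted. Anyone who sees the address gets the MAC. */
void iid_from_mac(const uint8_t mac[6], uint8_t iid[8])
{
    iid[0] = mac[0] ^ 0x02;
    iid[1] = mac[1]; iid[2] = mac[2];
    iid[3] = 0xff;   iid[4] = 0xfe;
    iid[5] = mac[3]; iid[6] = mac[4]; iid[7] = mac[5];
}

/* 128-bit address = 64-bit prefix || 64-bit interface identifier. */
void addr_from_prefix_iid(const uint8_t prefix[8], const uint8_t iid[8], uint8_t addr[16])
{
    memcpy(addr, prefix, 8);
    memcpy(addr + 8, iid, 8);
}

/* RFC 4941-style: the IID is 64 random bits, so a /64 leaves 2^64 possible
 * identifiers. The randomness is injected by the caller; use getrandom(2) or
 * the kernel CSPRNG for real addresses, never rand(). */
void addr_random(const uint8_t prefix[8], uint64_t random_bits, uint8_t addr[16])
{
    uint8_t iid[8];
    for (int i = 0; i < 8; i++)
        iid[i] = (uint8_t)(random_bits >> (56 - 8 * i));
    addr_from_prefix_iid(prefix, iid, addr);
}

/* Detection check: does the IID look like EUI-64 (ff:fe at bytes 11-12)?
 * If so, recover the MAC. Heuristic: a random IID matches 1 time in 65536. */
int addr_leaks_mac(const uint8_t addr[16], uint8_t mac_out[6])
{
    if (addr[11] != 0xff || addr[12] != 0xfe)
        return 0;
    mac_out[0] = addr[8] ^ 0x02;
    mac_out[1] = addr[9];  mac_out[2] = addr[10];
    mac_out[3] = addr[13]; mac_out[4] = addr[14]; mac_out[5] = addr[15];
    return 1;
}

void addr_to_str(const uint8_t addr[16], char out[INET6_ADDRSTRLEN])
{
    inet_ntop(AF_INET6, addr, out, INET6_ADDRSTRLEN);
}

/* Constructed sample values. */
static const uint8_t PREFIX[8] = {0x20,0x01,0x0d,0xb8,0,0,0,0};   /* 2001:db8::/64 */
static const uint8_t MAC[6]    = {0x00,0x11,0x22,0x33,0x44,0x55};
static const uint64_t RANDOM_BITS = 0x9f3a7c11e2d4b605ULL;        /* stand-in for CSPRNG output */

/* SLAAC/EUI-64 address as text. */
const char *demo_eui64_str(void)
{
    static char s[INET6_ADDRSTRLEN];
    uint8_t iid[8], addr[16];
    iid_from_mac(MAC, iid);
    addr_from_prefix_iid(PREFIX, iid, addr);
    addr_to_str(addr, s);
    return s;
}

/* Random-IID address in the same /64 as text. */
const char *demo_random_str(void)
{
    static char s[INET6_ADDRSTRLEN];
    uint8_t addr[16];
    addr_random(PREFIX, RANDOM_BITS, addr);
    addr_to_str(addr, s);
    return s;
}

/* 1 if the EUI-64 address gives the original MAC back. */
int demo_leak_eui64(void)
{
    uint8_t iid[8], addr[16], mac[6];
    iid_from_mac(MAC, iid);
    addr_from_prefix_iid(PREFIX, iid, addr);
    return addr_leaks_mac(addr, mac) && memcmp(mac, MAC, 6) == 0;
}

/* 0: the random-IID address carries no recoverable MAC. */
int demo_leak_random(void)
{
    uint8_t addr[16], mac[6];
    addr_random(PREFIX, RANDOM_BITS, addr);
    return addr_leaks_mac(addr, mac);
}

int main(void)
{
    printf("EUI-64 : %s  leaks MAC: %d\n", demo_eui64_str(), demo_leak_eui64());
    printf("random : %s  leaks MAC: %d\n", demo_random_str(), demo_leak_random());
    return 0;
}
```

Both addresses sit in the same /64 and are equally routable; only the second hides the hardware identity, which is the whole of what RFC4941 buys you. The `addr_leaks_mac` check is the useful operational piece: run it over the source addresses in your own flow logs and you will see which hosts are still advertising their MAC to every server they talk to.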

Comment Re: Has to be a lot better than BGP (Score 1) 97

That's just FUD.

You can easily request and receive a /48 from your RIR and those numbers are officially assigned to you and only you so long as you pay a small fee.

That is control.

NAT is a hack to work around the limitations of IPv4 and breaks a lot of things.

If you want similar functionality you can simply deny any inbound traffic without valid state. It's the exact same "security" function IPv4 NAT provides without the additional step of mangling the TCP/UDP headers.

I suggest you take some time to learn about how this works before you continue perpetuating this myth.
