Last week I was involved in a brutal massacre. A total of 10 innocuous work shirts were killed off (alright, taken to the local charity shop). In view of the fact that some of us in IT aren’t going back into the office anytime soon – if ever – it made absolutely no sense keeping the offending unoffenders only to take up the wardrobe space. Give everything a purpose right? They have therefore been retired. Forcibly.
Le Victims
What’s next for workplace fashion you ask? No idea to be honest. Polos, T-shirts, jeans, hoodies, everything I never thought I could get away with now all normal work attire. Just as long as you’re presentable on video calls you can do it. The dream has be realised. Irons and ironing boards everywhere quake in fear of what happens next.
This week’s big release has been Ubuntu 21.10 codenamed Impish Indri. This is an interim release with 9 months of support from Canonical.
Very impish, very indri.
There are lots of changes to talk about here. This release brings Linux Kernel 5.13, Firefox as a snap by default, GNOME 40 with horizontal workspaces as well as tweaks to the UI, touchpad gestures and zip password support in Nautilus as a few examples.
I’ve installed this to my Dell XPS 9360 this week. So far I’m really liking the horizontal workspace change. It’s admittedly a feature I’ve never got used to working with for Ubuntu and Windows alike but I’ve decided to give it another go.
The change to Firefox as a Snap app is a controversial choice given the reception of snaps. Personally I’m not noticing much of a difference and so long as security updates come in on time I don’t think I’ll be too bothered about it.
You can upgrade your existing Ubuntu distribution to 21.10 now but if you haven’t tried Ubuntu now’s a really good time to Download Ubuntu 21.10 and see it for yourself. As before if you get the torrents I’ll be pleased to serve you the bits.
Microsoft will be releasing Windows 11 on October 5th 2021. The anticipated OS will bring a fresh look and core improvements to the operating system.
I have not yet used Windows 11 myself however initial impressions are that the revised user interface looks smart and overall more cohesive than before. I also hope that the vision for the development of the OS is more complete. I felt that Windows 10 ended up more of an “us too!” project following trends set out by other OSes instead of focused goal to improve the OS that we all work and play on. Let’s not forget release 1803.
This will be the first Windows OS since Windows Vista that I’ve not upgraded to on release. This is regrettable however it’s down to the fact that I’ve not upgraded hardware due to Spectre & Meltdown and then the COVID-19 pandemic and thus have no hardware that can support it. For all the controversy over the TPM and processor requirements I think these are becoming overblown. TPM should be available as part of any recent PC or easily obtainable through an add-on module. The processor requirements increasingly look like it’s a performance question when virtualisation based security is active. Older devices have to emulate the CPU instructions that HVCI needs thus incurring a performance penalty. It is absolutely the wrong timing for Microsoft to push steeper requirements. It’s absolutely not the best time to be adding to e-waste issues by encouraging users to throw out hardware. Fortunately Windows 10 will still be available and supported.
I really do feel that we’re in a different world now. Mine and your primary computer are arguably no longer a Windows machine but the phone that you’ve got in your hand. For that reason I won’t be chasing the latest and greatest Windows release.
Canonical have today released Ubuntu 21.04 dubbed Hirsute Hippo (apparently that means “hairy”). This is a short-term support release with 9 months of updates to be had.
Hairy Indeed
There are a number of changes including support for joining Microsoft Active Directory, support for the Wayland server by default and a visual refresh among other things. Of course you’ll also be getting a more recent version of the Linux Kernel specifically number 5.11.
I have yet to get my trusty XPS 13 out to commence an update but if you get the torrents you’ll be served by yours truly from my NAS whilst I go visit the pub for the first time in about 5 months.
We’re probably all aware by now of a certain fruity tech company has decided to jump the Intel ship for their laptop and desktop lines after pleasing results in the phone and tablet markets. Mac fans, reviewers and interested tech peeps have been receiving the first machines powered by the M1 chip and the initial reviews have been intriguing to say the least.
Remember this?
There was a lot of hype around the Apple event on November 10th, 2020 and then a lot of scepticism around the performance claims. Performance numbers were missing and comparisons were made to older Mac hardware running previous generation Intel processors. When the store went live the concern was voiced regarding memory topping out at 16GB. I understand you creative types need a lot of it. The memory and storage upgrade prices are also absolutely appalling to my delicate Wintel eyes. It costs £200 to double the storage from 256GB to 512MB or 512GB to 1TB. 2TB will set you back £800. Not a completely fair comparison but you could have yourself two 2TB NVMe SSDs for that price.
Initial reviews suggest that the hype is actually real. I’ve been skim reading reviews and Apple has apparently delivered. This news has made me happy for a number of reasons. The PC market needs a shake up and the Wintel stranglehold in both the PC and server market needs challenging. But there’s also another nostalgic reason I’m reminiscing about.
Some of you may remember the old Acorn computers at school. Back in my day we had one Acorn computer per class of around 30 kids. I don’t exactly remember what model of Acorn they were but it was the first computer I got to use. There were many crude drawings made in the paint program and there was a cool game about setting sail as Christopher Columbus to try and find America which nobody beat mostly due to crew mutinies and inclement weather leading to a sinking (should anyone remember the name of the game and have a link please comment as I would love to play it again).
Eventually by the time I reached year six (age 10) someone found some spare pennies in the budget and so the venerable Acorns were replaced by Intel powered Windows 98 machines at my school. Acorn computers eventually disappeared from the market but their ARM Holdings subsidiary lived on to become the dominant designer of CPU architectures in the world. Although not owned by a UK shareholder any more I am thrilled that a home grown company has reached the top in the tech world.
The long term question will be how this affects the PC from this week. I have had doubts about the Microsoft ecosystem both consumer and business when it became apparent that the mobile strategy was being abandoned and eventually when the “next” Windows (i.e: Windows 10) was sold to the market as a service and not a product. There doesn’t seem to be much interest in the store and UWP is met with arguable hostility as well. Microsoft’s focus under Satya Nadella has been cloud and Windows is looking very much vulnerable to a changing world. People’s main drivers aren’t their PCs or laptops any longer. It’s their phones and Microsoft decided to abandon that race long ago.
I was considering a new Ryzen based PC build to replace my ageing Intel Core i7 6800K, GeForce GTX 1080 Founders Edition, 32GB DDR4-2400 RAM, 1.75TB SATA SSD system but current events conspire against me as things seem to be in short supply. With Apple bringing ARMageddon (sorry) however what does that mean for PC Gaming builds anyway? There’s a cool video been posted* with someone testing editing a 144 track Billie Ellish song in Logic Pro fully loaded with plug-ins on both a basic M1 Mac Mini with 8GB RAM and a 10-core i9 iMac with 64GB RAM. I don’t fully understand what I’m looking at but apparently it’s surprising that the M1 Mac Mini can handle it at all. If Apple gear can also deliver similar value for gaming well what do I need this tower for?
There’s not a lot of sense in jumping to conclusions about all this yet but the shake-up appears to have happened and it would appear that Acorn is going to win the PC war after all.
*I won’t post the link as it’s hosted by a company I don’t like for tax evasion, privacy, lobbying and many other reasons.
I’m going to let the whole thing settle down before I jump to any conclusions because let’s face it that’s as much exercise as some armchair political pundits have had for the whole crisis. I’ve also just had to peel myself from the ceiling reading a Reddit comment describing databases as “one of the lowest forms of computing”.
Take a deep breath. The UK.gov failed to disclose circa 16,000 cases of COVID-19 allegedly because of a technical problem that turned out to be the Excel spreadsheet they were using surpassed the 1,048,576 row limit in Excel.
No I don’t know either.
I usually steer clear of politics but seen as we have spent around £11 million quid on the initial contact tracing app which didn’t even work I feel like it’s all becoming a bit of a farce over there. Thank goodness Dido Harding is at the head of the new alphabet soup in charge of public health in England otherwise we’d be really in dire straits now.
Like I said before I’m absolutely not jumping to conclusions. I’m getting my exercise elsewhere and I’m coming on leaps and bounds with my sarcasm problem.
From time to time we have to be the family’s IT support. It comes with the profession. Today I had work to do for Mum and Dad. The CCTV just wasn’t working. They were going on holiday, hadn’t checked the cameras in a while but they weren’t accessible from their phones. They really wanted them back before they went away.
The tell tale signs quickly came apparent after I logged in to the NVR (Network Video Recorder) which is a Dahua model. The camera list read “HACKED”, “CHANGE”, “FIRMWARE”. The issue with the device falling off the network turned out to be that a deliberately faulty IPv6 address had been set which also knocked out IPv4 communication.
Best I can tell they had fallen victim to an attack that appeared back in 2017. The default super user account for this NVR is ‘88888888’ and the default password is ‘888888’. Last time I’d checked out the CCTV I noticed this was in place and I really should have changed this. On Dahua NVRs this super user account should not be accessible from remote. The system should check if the access request had been made from local or remote and – in case of the latter – deny access accordingly. The flaw apparently is that this check isn’t properly done. The article linked also references a Facebook post which suggests that using Dahua’s DDNS also made it easy for the attackers to identify and target vulnerable devices. My parents were indeed using Dahua’s DDNS.
In other words the system was a sitting duck on the internet.
I can only assume someone out there has written a script to look for vulnerable Dahua devices exposed to the internet, log in via the admin account using default or easy to guess passwords and then apply setting changes to forcibly remove these devices off the internet. Malicious but also a public service. The device runs an embedded version of Linux and could have easily ended up part of a botnet if hacked firmware was uploaded.
To resolve the attack I reset the unit to factory defaults, uploaded new firmware to both NVR and cameras then set accounts with strong passwords using the XKCD method. I do not have a high trust of IoT devices but not being particularly happy about going up a ladder to replace the cameras this was the best I could do.
It should be noted that Dahua’s website is diabolical for finding firmware updates. You cannot just search a model number to find the device and associated firmware. I needed to check a load of firmware releases to see which ones were pertinent. I had a few attempts with what I thought was correct firmware but apparently wasn’t. I am thankful that the devices can do checks of the firmware to be installed because the risk of bricking the devices in this scenario is real.
In the industry we all know the lessons and we all recognise when a chain of events start happening and not get stopped then the results can be catastrophic. In the case of my parents I assume someone’s shut off network access deliberately but the reality is that someone could’ve used the CCTV access to determine that nobody was in the house. The cameras point to the drive where their cars are parked after all.
Let’s conclude it by reiterating the standard points:
Default passwords (and arguably account names) aren’t acceptable for an internet facing device. I had an opportunity to change it and I didn’t. Whilst the admin account should not have been accessible remotely it was thanks to a firmware flaw. Changing that password could’ve stopped this attack in progress.
Firmware updates need to be done as often as they become available. Security issues happen. Pobody’s nerfect right? As soon as those vulnerabilities and fixes become apparent they need to be tested and deployed.
Trust is a weakness and no trust is owed to the average IoT device. The industry is notorious for bad security practices and abandoning devices within a short lifecycle. Ideally these devices shouldn’t be left open on the internet but placed behind a VPN where the access can be defended slightly better. That’s not a practical solution for most home networks so there must be an accepted risk.
I will reserve judgement on using a DDNS. The CCTV was registered with a *.dahuaddns.com address which I suppose makes it pretty easy to focus an attack if you can narrow it down to specific devices or a single manufacturer. I would suggest using a static IP instead but my parent’s ISP does not offer this. Comment below if you have anything to offer on this as I don’t know how much safer you are with a custom DNS.
We’ve been really busy in the office recently doing many installations and upgrades for a whole host of cool customers. Not so much to post on SQL recently (learning Data Warehousing) so instead here’s the software championships…
LastPass – Like all peeps in the consultancy game I’ve got a zillion passwords to remember. Keeping them all in a secure vault I can get anywhere saves a massive amount of time and frustration. Give it a try on me. Notepad++ –. Venerable text editor fluent in a million languages and talented in many life skills. Can confirm the Compare plugin is a must. SumatraPDF – You wouldn’t read documentation with Adobe Reader now would you? This one is lightweight so it launches fast. Microsoft OneNote – Searching emails for crucial information is so 00s. It’s also the leading cause of bleeding eyes and crushed souls. Be a hero: put your notes in a modern notebook (and search later!) 7-zip – Zip it. Ship it. Some bugs were fixed.
Email thread gone out of control because someone spun it off? Long email trail forwarded from a colleague with the words “see below” and nothing else right at the top? A colleague asking for help because they have 100 folders, can’t find an email and can’t use search? I’ve even suffered reading through a LinkedIn article discussing best ways of signing off an email (apparently just use “Best”). Been there, done that, clicked the unsubscribe link at the bottom. The question really is not when can we replace email? more “how long is it actually going to take for us to make it happen?”.
Email really adds to people’s day. Email inboxes end up becoming a vastly over/under organized trove of information. Most of it pointless but some of it potentially treasure.
Office Communication – My office uses Skype a lot because we can work anywhere, share desktops, make it a video call. Otherwise we go and talk to each other (but not before asking if the other person is busy). There’s also the phone system your office has had around since the 80s but you need to work out how to dial it first.
Client Communication – Skype. Just do it. Video call people and watch their facial expressions as you let them down (gently). Phone them if you must but NEVER use email to arrange a call. It’s sad. So very sad.
Knowledge – Nobody should be using email as an authoritative store of information. Full stop. It was never built for such a purpose. Deploy a Wiki, use Evernote or OneNote, find yourself a document management solution or make a network share to store stuff if you have to. Watch mishaps & misinformation fall and knowledge be recorded forever (or at least until ransomware nabs it).
File Sharing – I get it. You need to send that critical file to colleagues before you send to the client. Or upload it to OneDrive and work on it together. Accept no print outs.
Credential Sharing – IF YOU DO THIS PREPARE TO BE BOARDED BY PIRATES. Phone exchange works best but some SIP systems send traffic unsecured (!!!).
To summarise: you can make your life and others a lot easier just by ditching your 100 a day email habit. Let’s all get cracking before Inbox Zero makes a return.
Last week I was at a customer site when NotPetya hit. I was working in the company’s IT Ops room when news broke. All of a sudden people went from worrying about an AD user surname change to contemplating moving their patch schedule forward.
Toward the weekend I tried and failed to help another customer who had been hit by the ransomware. Somehow the application server had become infected. In the end there was no other option except to reinstall the application. Thankfully the databases were safe and the customer is back to running.
NotPetya targets vulnerabilities in the ancient SMB1 protocol. I recently disabled SMB1 on my desktop PC at home. Save for not seeing my NAS and Router appear as objects in Windows File Explorer there were no adverse affects. Microsoft have recently announced that future Windows 10 builds will not have SMB1 installed by default. The IT community should really be working on consigning SMB1 to the bin alongside SSL 3.0.
Speaking of which years ago when the Heartbleed vulnerability broke out I ran a test in production: I disabled SSL 3.0 without telling anyone that I’d done it. The only known site that broke was – very shockingly – a major UK bank partly owned by UK.gov. Why is there such inertia behind retiring old and broken protocols?
