Posts made by Carnival Boy
-
RE: Migrate database from Hyper-V to VMware
Could you restore the backup on the new server whilst the old server is still live and after it is restored on the new server shut down live and do a differential backup and then restore the differential backup on the new server?
That would minimise downtime as the differential backup will be much smaller than the full 1TB backup. Although with 500GB of transaction logs, maybe not so much.
-
RE: The Myth of RDP Insecurity
OK. I was only thinking in terms of the LAN and VPN authentication on the firewall, rather than just opening ports up on the firewall to let all traffic on those RDP ports through to the LAN.
-
RE: The Myth of RDP Insecurity
Scott, in a previous thread you wrote "the general thinking in many cases is that you put a VPN aggregator at the edge and expose nothing else, only that. I'm not saying that's some magic answer, but it is the "LAN Security Model" that is why VPNs were really created."
Does that thinking apply here at all, or am I missing the point? Exposing an RDP port of a Windows Server directly to the internet - so there's no authentication at the perimeter? Why is that a good idea here? I accept that RDP is essentially the same as a VPN, but isn't the difference in where the authentication takes place rather than the model itself?
-
RE: The Myth of RDP Insecurity
@scottalanmiller said in The Myth of RDP Insecurity:
I know the site there is this persistent myth that RDP is insecure and that the solution to its insecurity is to wrap it in a VPN. This seems very silly...
Azure itself exposes RDP directly because it is considered extremely secure.
The Azure portal says "RDP port 3389 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection."
I'm struggling to reconcile this statement with your post, unless I'm missing something?
-
RE: Pentest - Who would you recommend?
@Jimmy9008 said in Pentest - Who would you recommend?:
Or does nowhere offer that?
Of course. I've already recommended one company that offers this.
-
RE: Pentest - Who would you recommend?
That's not what I'm asking. I'm asking how does an assessment find out if your applications are vulnerable to SQL injection?
Literally, how, if not by pen testing them?
-
RE: Pentest - Who would you recommend?
Ok, so how does an assessment find out if your applications are vulnerable to SQL injection (for example)?
-
RE: Pentest - Who would you recommend?
@IRJ said in Pentest - Who would you recommend?:
You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.
Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?
-
RE: Pentest - Who would you recommend?
@Breffni-Potter said in Pentest - Who would you recommend?:
@Carnival-Boy The only issue with sec-1 is they are a Claranet company. Claranet...
They only bought them 3 weeks ago! But, yeah, one to keep an eye on, for sure.
-
RE: Pentest - Who would you recommend?
I've never actually used them, but I've been to a couple of seminars by Sec-1 which were awesome. I really liked them. If I was going to do a pentest, I would want to use them. I recommend you go to one of their seminars as they're free and pretty intense and educational, and not salesy at all.
-
RE: Suggestions on HP laptop for work
How do these compare with the EliteBooks and the Elite X2s (both of which I buy)? So many HP models, I can't keep up...
-
RE: SMB vs Enterprise
@Dashrender said in SMB vs Enterprise:
I don't know if this is true or not, but I'm hearing this is the case regarding Muslims in the UK. There are sections of the UK where the police don't even go because Sharia Law is taking over.
You need to stop following Donald Trump on Twitter
-
RE: How Suite It Is – SuiteCRM and Bitnami
Loving the Marvin Gaye reference in the title.
-
RE: SMB vs Enterprise
They are. They're specialist shelf stackers. They'll be much better than you at stacking shelves because of their practice and experience. Their rate of dropping cans of beans will be much better than yours.
-
RE: How Do You Evaluate IT Skills for Hiring
@John-Nicholson said in How Do You Evaluate IT Skills for Hiring:
My last 3 times getting hired...
- Recruiter sets me up with a meeting with the CEO and IT Director. Talk to IT director for an hour, get an offer. No HR involvement.
- Former Vendor who remembered having a good talk with me about VOIP and storage calls and asks me to go to coffee. Go to coffee with VP of company.
- Chief Technologist for BU messages me on Twitter asking if I'd be interested in a role. Makes sure I get an interview with Hiring manager. Recruiter involved, but more to see if I was interested and work out logistics for my flights.
I've had similar experiences. I'm interested, in those interviews was there anyone who was significantly better skilled in the role than you?
-
RE: How Do You Evaluate IT Skills for Hiring
@John-Nicholson said in How Do You Evaluate IT Skills for Hiring:
@Carnival-Boy said in How Do You Evaluate IT Skills for Hiring:
@scottalanmiller said in How Do You Evaluate IT Skills for Hiring:
- You must have someone doing the hiring that is dramatically more skilled and experienced than the person you are hiring. This is the case for all jobs, not just IT. If the person interviewing is confused because the interviewee knows way more than them, they will just as likely think that the person is an idiot as a genius because they don't know enough to know if the person is right or wrong (seen this a lot.)
How? Are you suggesting firms should employ you to do the hiring or something? That's not normally practical.
Cost to hire a bozo and not fire him for 90 days.
Use cut rate recruiter who charges 10% = $8K
20K Salary.
7K Benefits.
40K to operations being impacted (outages, work not getting done).
Cost to hire me to interview candidates and help you go thru resumes ($250HR, for 30 hours) ~$7500
One of these looks a HELL of a lot cheaper to me....
I'm an IT Manager and recruitment is a key part of my role. I've recruited loads of IT staff over the years and have yet to hire a bozo. Sometimes their character turns out to be wanting, or they can't fit in to the company culture, but that can be very hard to identify during recruitment. But technically they've all been fine.
In small firms where there is no in-house IT expertise and they're trying to recruit then employing you makes great sense. How else can they identify if the candidates know anything about IT? But as an IT Manager recruiting and running IT teams, if I had to pay you to identify competent staff over bozos then I'd have to question why the hell I'm doing my job. That was the original point I was making.
-
RE: How Do You Evaluate IT Skills for Hiring
@scottalanmiller said in How Do You Evaluate IT Skills for Hiring:
@Carnival-Boy said in How Do You Evaluate IT Skills for Hiring:
OK, so you're talking about employing someone, not a headhunter, to do the hiring. Someone who knows more about IT than the candidates. How do you employ that person? I could employ Jared. But how do I know if Jared is bluffing or is amazing? According to you I shouldn't be able to tell.
You can tell, because he's someone you can't hire. That's the handy part.
I know nothing about Jared's real-life circumstances. I used him as an example of someone who is able to answer my questions in a clear, logical and (to me) knowledgeable way. He could be on minimum wage for all I know.
-
RE: SMB vs Enterprise
I've worked for both and haven't really noticed a difference. An enterprise is generally broken up into much smaller semi-autonomous units that often operate similar to an SMB anyway.
Generally the biggest influence is your boss. If your boss is an asshole, it doesn't matter so much if he's an enterprise asshole or an SMB asshole.
-
RE: How Do You Evaluate IT Skills for Hiring
OK, so you're talking about employing someone, not a headhunter, to do the hiring. Someone who knows more about IT than the candidates. How do you employ that person? I could employ Jared. But how do I know if Jared is bluffing or is amazing? According to you I shouldn't be able to tell.