    Posts

    • RE: Miscellaneous Tech News

      @travisdh1 said in Miscellaneous Tech News:

      OpenZFS data loss bug: https://www.theregister.com/2023/11/27/openzfs_2_2_0_data_corruption/

      No surprise to anyone paying attention, and not a part of "The Cult of ZFS"

      I've been dealing with a LOT of data loss from ZFS from what other companies implemented. What a nightmare, that's so easily avoided.

      posted in News
      scottalanmiller
    • RE: ChromeOS vs Linux

      @gjacobse said in ChromeOS vs Linux:

      Seems I need to know a different command base to perform things I already do in Linux on the x86 and ARM platforms

      That's correct, the commands you use are based on your interface, not on your kernel.

      posted in IT Discussion
      scottalanmiller
    • RE: ChromeOS vs Linux

      @gjacobse said in ChromeOS vs Linux:

      Have I managed to mislead myself in believing that the two - while different - are in a basic manner, the same

      Basically, yes. In essence, the kernel provides basic compatibility and underlying behaviour (task switching, memory resource management) allowing you to gauge performance, security and application compatibility (that is for binaries.)

      But NOTHING that people think of as a system is its kernel. If you put the GNU utils on top of Windows, literally no one can tell. Is it Linux? Nope, it's Windows!

      Test this with the Ubuntu for Windows in the Windows 11 Store. It'll install Ubuntu for you to run on your Windows workstation. It will look and feel exactly like Ubuntu you are used to. It IS Ubuntu. What it is not, is Linux, at all. It's 100% Windows, just with the Ubuntu user interface on top, rather than the Windows Desktop interface.

      There's no Linux, whatsoever. The Linux Subsystem for Windows is an API compatibility layer NOT an implementation of Linux.

      posted in IT Discussion
      scottalanmiller
    • RE: ChromeOS vs Linux

      @gjacobse said in ChromeOS vs Linux:

      commands I would expect to work in Linux are not the same in ChromeOS

      That's because you are comparing common system applications. Linux itself doesn't have commands. Even the big shells, like BASH or ZSH don't have many commands.

      There is a reason that people push for it to be called GNU/Linux. Because what you are thinking of as "Linux" is the GNU tools, not Linux at all. And on Chrome, it's not GNU/Linux but Chrome/Linux or something like that. So the Linux part is truly identical, but the commands you are familiar with are not.

      posted in IT Discussion
      scottalanmiller
    • RE: What Are You Doing Right Now

      I've been down with some congestion thing for two weeks. Been doing a lot of video gaming, trying to keep things simple and rest.

      posted in Water Closet
      scottalanmiller
    • RE: What Are You Doing Right Now

      @gjacobse That's a seriously old tank!

      posted in Water Closet
      scottalanmiller
    • RE: Can Microsip dial the desk phone?

      @JasGot if they are different extensions, it'll act just like any normal pair of extensions

      posted in IT Discussion
      scottalanmiller
    • RE: QBX, Proprietary Dashcams and Hacked Police Departments

      So this creates a very obvious attack vector for police departments (or members of the public.) Anyone can trivially create a DVD ISO image, put QBX files on it of appropriate size (they don't need to contain anything.) Put on a rootkit. Create a splash image of something that looks vaguely like a fifteen year old video player. And throw up some obscure, and fake, error.

      What do you get? Root level remote access to police systems (or public systems, depending on to whom you send it) in such a way as that the police officers in one case, or computer owners in the other, authorize manually the running of the application under conditions where they have been conditioned to do so without thinking twice, and because these applications are fragile and generally unsupported and undocumented, without taking notice of the inability to decipher a fake error. It is an unremarkable and likely forgotten moment in a busy day, but one that easily opens access to spy, steal, or ransom public data held by the police - a very high profile target.

      posted in IT Discussion
      scottalanmiller
    • QBX, Proprietary Dashcams and Hacked Police Departments

      So I've just learned that it is standard practice for police departments to obfuscate dashcams and other recordings by using proprietary formats, like QBX (that is supposed to be a Quickbooks file, but there is a screen recording format for that too.) To make this functional, they burn the QBX file to an ISO image (or maybe an actual CD / DVD) and on the disk include an AutoRun configuration with a set of instructions to open the file, and an application to view the file.

      So importantly, this process is used to make things difficult, but protects nothing. Anyone with physical access to the ISO (copy or whatever) can view the file, there's no security whatsoever. Anyone can open the AutoRun text file and see the necessary parameters (or alter them.) There's no encryption, no chain of custody stuff, no MD checksums to verify if things have been tampered with. Nothing here is for security. The only function seems to be to attempt to make it as difficult as possible for the public to obtain and use public records (which can then also make things difficult for the police departments, too, of course.)

      But here are the real issues. Using a completely proprietary format (a format not even designed for this use case, it should be noted) causes a few key problems:

      1. It forces people to download loads of data instead of just the video. It's an unnecessary waste of both police and public resources.
      2. It forces everyone to view files only on Windows devices, the least secure option. You can secure Windows, but this is a situation where that would rarely happen.
      3. It requires a relatively large amount of files, configuration and compatibility that is very easy to break and extremely easy to have become legacy and become unreadable over time. What works today doesn't necessarily work tomorrow.
      4. It requires anyone that is going to use the video to run an unverified and absolutely untrustworthy application that cannot be tested or patched (which breaks many security rules.)

      This means that by the use of this system both the police and the public (who have no choice) are forced into buying Windows systems just for this purpose and to run untrustworthy software on that Windows machine. This should break any number of fundamental security processes. No police officer should ever fall for a social engineering trick like this. This would be a very simple way to inject a root kit or trojan into the police department because they are running a completely unverified application. You could provide a download, or just hand out a DVD. The police (and the public) have been trained to blindly run the application on the DVD. They have to do it every day, so fundamental security that we trust that there will be in any government office is totally bypassed.

      This is so blatantly impractical, serves no legitimate purpose, undermines basic security to a point that no one technical or not has a real excuse to fall for it, is a clear violation of public trust, and pushes the agenda of private companies at the expense of the public good and police efficiency that it is hard to see the use case as anything less than social engineering on a grand scale. How many police departments have been conditioned to accept something that is literally the textbook example of social engineering for installing a root kit? The police are promoting the very thing they are tasked with protecting us against.

      posted in IT Discussion security qbx video dashcam chain of custody rootkit virus trojan flashback
      scottalanmiller
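
      Added example, not part of the original post: one way to look at such a disc before anything on it is run, listing what the AutoRun file would launch and showing that, with no published checksums, every file on it is unverifiable. The file names, sample contents and the `manifest` of publisher hashes are constructed assumptions.

```python
import configparser
import hashlib

# Keys in the [autorun] section that name something Windows would launch.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: a hypothetical disc layout, not taken from a real disc.
SAMPLE_AUTORUN = """\
[autorun]
open=viewer.exe /play incident.qbx
icon=viewer.exe,0
label=Dashcam Export
"""
SAMPLE_FILES = {
    "viewer.exe": b"MZ constructed viewer bytes",
    "incident.qbx": b"constructed recording bytes",
}


def launch_commands(autorun_text):
    """Return {key: command} for every entry that would start a program."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(autorun_text)
    # Section names are case-insensitive on Windows; configparser's are not.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v for k, v in parser[section].items() if k in LAUNCH_KEYS}


def audit_disc(autorun_text, files, manifest=None):
    """Report what autorun would start and whether each file can be verified.

    manifest maps file name -> SHA-256 hex digest published by the source
    (hypothetical: the post says no such checksums are provided).
    """
    manifest = manifest or {}
    report = {"launches": launch_commands(autorun_text), "files": {}}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if name not in manifest:
            status = "unverifiable"  # nothing trusted to compare against
        elif manifest[name] == digest:
            status = "match"
        else:
            status = "tampered"
        report["files"][name] = status
    return report
```

      Run without a manifest, every file comes back `unverifiable`, which is the state the post describes; a signed manifest from the issuing department is what would let a recipient tell a genuine disc from an altered one.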
    • MeshCentral Remote Desktop Settings for Ubuntu 23.10 Mantic Minotaur

      Wayland remains a problem for remote access systems. Xorg is still required at this time, but the settings can be elusive. I have Mantic Minotaur working now and have the settings that are working for my systems. These did not work at first release but with subsequent patches, they are working now. So be aware that you need to be fully up to date.

      The file that needs to be modified is /etc/gdm3/custom.conf

      [daemon]
      # Uncomment the line below to force the login screen to use Xorg
      WaylandEnable=false
      

      In past versions we've had to do many more steps. But you'll need to ensure that your system is fully up to date. Early Mantic Minotaur 23.10 releases didn't work until they were patched.

      posted in IT Discussion ubuntu linux mantic minotaur ubuntu 23.10 meshcentral remote access screen sharing
      scottalanmiller
    • RE: What Are You Doing Right Now

      @StuartJordan said in What Are You Doing Right Now:

      Site down for a few mins?

      Yeah, we did an OS and application update.

      posted in Water Closet
      scottalanmiller
    • Big December 2023 Update Date

      We've updated to Ubuntu 23.10, the latest stable Node and the latest NodeBB platform. Check out all the new updates!

      posted in Announcements
      scottalanmiller
    • Is Intel VROC FakeRAID?

      We have confirmed through testing that Intel VROC which is presented as "RAID on CPU", which would imply that it is hardware RAID that just uses the CPU for processing, is actually totally fake and is not RAID at all. If you have the "right" drivers, Intel VROC will appear as a true RAID system, but if those drivers are not loaded, are missing, or whatever there is no RAID layer between the OS and the drivers. So the OS sees the individual drives and not a RAID array. True RAID cannot be penetrated in this way, ever.

      What this is is nothing more than a marketing gimmick. Just like Intel's older Intel RST FakeRAID product, the entire RAID system is just a software package that is designed to confuse the end user and obfuscate that the hardware is not doing the RAID function.

      We determined this through testing, but you can also see it in the operating support list from Intel. True RAID has no need for compatibility lists, it is universally compatible by definition. Only software RAID has compatibility limitations. Not only does VROC have limited OS support and list no production deployment options, but with VMware it lists that only certain types of RAID configurations will work which is, again, an impossible limitation with true RAID.

      Intel VROC is FakeRAID

      posted in IT Discussion raid fakeraid software raid hardware raid intel intel vroc raid on cpu storage
      scottalanmiller
    • RE: What Are You Doing Right Now

      What a crazy week! Bought another investment property, getting a new restaurant ready to open in under a month for the high season (high end smokehouse!!) and prepping for my first ever South American trip in just five days!!

      posted in Water Closet
      scottalanmiller
    • RE: SSL Decryption of American K12 School in Connecticut: Legality?

      @Obsolesce said in SSL Decryption of American K12 School in Connecticut: Legality?:

      Here are some points to consider:

      1. Consent and Notification: It's essential to have explicit consent from parents or legal guardians if students are minors. Even if students are not employees, they still have privacy rights. Proper notification to both students and parents is crucial.

      2. FERPA Compliance: The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. Any monitoring should be in compliance with FERPA regulations to avoid violations.

      3. Children's Online Privacy Protection Act (COPPA): If the school is providing online services or websites to students under the age of 13, COPPA may come into play. It requires obtaining parental consent for collecting personal information from children.

      4. Vendor Liability: If a breach of student private communications occurs due to IT or vendor mistakes, there could be potential liability issues. Schools should have agreements in place with vendors that address data security and liability.

      5. Local and State Laws: Laws regarding electronic surveillance, data privacy, and education can vary by state and locality. It's important to consult with legal experts who are knowledgeable about local regulations.

      6. Balancing Security and Privacy: Schools must strike a balance between ensuring network security and respecting student privacy. An overly intrusive monitoring system could raise concerns.

      Ultimately, it's crucial to consult with legal counsel who specializes in education law and data privacy to ensure that the school system's practices comply with all applicable laws and regulations. Additionally, a transparent and well-documented approach to monitoring, including clear notification to students and parents, can help mitigate potential legal risks.

      This is good input. Ultimately liability is going to come down to primarily local laws and statutes and what the legal department of the district has done to ensure safety and indemnification, and of course what transparency, notification and consent has been granted. That students are required to attend school, are not employees or at will, and are minors make this not just different, but essentially the opposite, of an employment situation. Any breach of privacy (not meaning a breach of IT systems, but the IT systems themselves) could violate constitutional rights as well as international human rights...

      From a law firm on US right to privacy... "The right to privacy is a fundamental human right, and it is recognized by international treaties and many countries’ Constitutions. The Universal Declaration of Human Rights recognizes the right to privacy in Article 12, and the International Covenant on Civil and Political Rights further elaborates on the right to privacy in Article 17.

      At the same time, different countries have different laws and regulations when it comes to privacy. In the United States, for example, the Fourth Amendment to the Constitution protects citizens from unreasonable searches and seizures by the government. This has been interpreted by the courts to include the right to privacy."

      Even if students are not minors, the question is whether this constitutes unreasonable search leading to violation of privacy. And of course if it puts minors at risk, that's an additional concern.

      posted in IT Discussion
      scottalanmiller
    • RE: Outsourced IT Helpdesk services for IT Providers?

      @travisdh1 said in Outsourced IT Helpdesk services for IT Providers?:

      @JasGot said in Outsourced IT Helpdesk services for IT Providers?:

      We have a customer that would like 24/7 helpdesk support. We are not able to provide this. Are there companies who offer helpdesk services as a reseller service?

      NTG... @scottalanmiller You'd be the source for this, but sounds like it's something NTG would do.

      We do 😉

      posted in IT Business
      scottalanmiller
    • RE: What Are You Doing Right Now

      @dbeato said in What Are You Doing Right Now:

      CloudFlare having issues this morning.

      I've been so busy on so many calls, what kind of issues?

      posted in Water Closet
      scottalanmiller
    • RE: Miscellaneous Tech News

      SEC files fraud charges against SolarWinds and its CISO...

      https://www.helpnetsecurity.com/2023/10/31/sec-solarwinds-ciso-accused-fraud-control-failures/

      posted in News
      scottalanmiller
    • RE: Granular Outlook Rules

      @ElecEng easy to do with Postfix. But with Office 365 I don't know how that would be done.

      posted in IT Discussion
      scottalanmiller
    • RE: What Are You Doing Right Now

      Was supposed to be getting a vaccine for yellow fever in Managua today, but they don't do it on Fridays. So going Monday.

      posted in Water Closet
      scottalanmiller