Slashdot Mirror


User: hawguy

hawguy's activity in the archive.

Stories
0
Comments
5,882

Comments · 5,882

  1. Re: The plot thickens... on Apple: Terrorist's Apple ID Password Changed In Government Custody (buzzfeed.com) · Score: 3, Informative

    Please just stop. You're coming off like a 7th grader trying to fake an understanding of neurosurgery after spending 5 minutes googling stuff.

    FDE encryption takes place beneath the file layer, at the block level (it's far more effective and secure than file level encryption could ever be.)
    XTS doesn't split anything. XTS is essentially an improved version of CBC (which is to say block chaining) made necessary by modern large storage devices.

    I hope you didn't stumble across one of those anti XTS articles that are still floating around and take it at its word because it sounded technical. Those have been soundly and repeatedly refuted and trashed by those who actually know what they're talking about.

    A little googling, in the wrong hands, can be a dangerous thing. OTOH this is slashdot, so you're right at home.

    The parent poster didn't say anything about whether it's per-file or block level encryption.

    And he's right about XTS keys, to get 128 bit AES, you need a 256 bit XTS key:

    https://en.wikipedia.org/wiki/...

    XTS makes use of two different keys, usually generated by splitting the supplied block cipher's key in half, without adding any additional security, but complicating the process.[13] According to this source, the reason for this seems to be rooted in a misinterpretation of the original XEX-paper.[7] Because of the splitting, users wanting AES 256 and AES 128 encryption will need to choose key sizes of 512 bits and 256 bits respectively.

  2. Re:I can see it now... on Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com) · Score: 1

    I can imagine that the waiver would also talk about the content. Although they will try to be careful, it could still mean that the post-it note with the password you need gets destroyed.

    Surprisingly, they said that they'd get the content out unscathed -- they said they use the torch to cut open the outer shell, then chisel/scrape out all of the fire protective materials (it's a lot like concrete), then use a combination of an angle grinder and a reciprocating saw to get through the inner shell. Labor intensive and noisy and requires ventilation fans, but they said they get called out about once a year to break into one of their safes. Sometimes they can pry them off the floor with a hydraulic jack and take them to their shop, which makes it much easier for everyone.

    They reiterated that a safe isn't meant to stop a thief, just slow him down and attract enough attention that he gets caught before he has time to break in. Ours was a TRTL-30 rated safe; they said they *could* break into it in 30 minutes if they didn't guarantee that the contents would be safe and didn't care about collateral damage to the room where the safe was, but it'd normally take them 6-8 hours from start to finish to break it open.

  3. Re:I can see it now... on Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com) · Score: 4, Informative

    2. That really shouldn't be that difficult for the company that manufactured the thing.

    Would you expect a safe manufacturer to be able to easily crack open a random safe they manufactured? If so, why? If not, why do you think encryption for a mobile device should be any different?

    The company that installed our safe said they could open it when we asked what would happen if we lost the combination. They said "No problem, we'll just bring in a cutting torch and grinder and a few hours later we'll have it open. You'll need to sign a waiver first absolving us of any damage to the room."

  4. Re:Restore from backup on Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) · Score: 1

    Pretty sad that HIPAA has fewer security requirements and less teeth than PCI.

    Even sadder if a hospital is counting on HIPAA guidelines to secure their network. "Great, we've done the minimum required by HIPAA, a data privacy standard, so surely that means our network is safe!"

  5. Re:Restore from backup on Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) · Score: 1

    No they don't. The reason that we don't patch as much as we should is crappy programming on the vendor's part. Half the systems crash at various patch levels.

    Then stop buying the crap - the only reason vendors can get away with selling crap software is because hospitals are buying it. Someone has to step up and say "We're not buying unsupportable crap, either support your software through operating system upgrades, or we're not buying it".

  6. Re:Restore from backup on Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) · Score: 1

    Are you willing to spend a couple hundred bucks per printer plus the man-hours to firewall it off and maintain access lists? Even if you are, any competent business manager would decline that request. Some risks should be accepted after cost-benefit have been weighed. The unlucky ones make the news but the other 99.9% stay within budget.

    Just supplying a port to the printer costs more than that in any big company, so yeah, spend a few bucks to put it on its own isolated VLAN that only the print servers can talk to. No modern IT department should let their printers on the same subnet as their office computers because there are tons of vulnerabilities in them. We're a pretty small shop (~100 users) and our printers are on their own VLAN because it only took us 10 minutes to do so.

  7. Re:Restore from backup on Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) · Score: 1

    Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

    You also have to consider that it's not just workstations that are infected. A server is often just as easily infected once the ransomware is in the domain.

    If this reaches the database, and ends up encrypting database files, you could very well be hooped. It's not easy restoring a database at a hospital, when all your backups are connected to the same system that is infected, and thus potentially vulnerable and/or infected already.

    Why is restoring a database backup any harder at a hospital compared to any other site? I can restore my SQL Server and Oracle DBs to any point in time from 6 months ago to 6 seconds ago. I can also restore from up to 3 years back, but older backups are meant as point-in-time snapshots and aren't guaranteed to have transaction log chains to bring them up to the current date. Those backups are stored on a mix of on-prem storage (with NAS-enforced snapshots that malware can't touch unless it hacks the NAS), cloud-based off-site storage (write-only), and off-site tape rotation.

    It's also easy to underestimate the scope of remediation - an entire hospital network might consist of hundreds of workstations that may or may not have up to date or adequate backup systems.

    They've already shut down their network, sounds like they have all the time they need.

    Most of the time, sys admins at hospitals have very little budget to do things properly, as the scope of applications they must maintain and the number of systems they must be maintained on is astronomical.

    Then the hospital administrators should be fired and/or fined for not protecting their data. Missing or corrupt data can cost lives so should be treated as such.

    Backups are easier today than ever and there's no excuse for not having them, if you don't want to build your own backup infrastructure then use a cloud service (and yes, with encryption and proper controls even PHI data can be backed up to the cloud under HIPAA)

  8. Re:Restore from backup on Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) · Score: 1

    If you don't have the list of software keys, or the licenses, to reinstall from scratch, and if you don't have the staff with the tools to re-image systems swiftly, rebuilding the systems from scratch is a herculean job and you *will* lose vital patient data. If you don't have the tools, the systems *will* get re-infected while you're reinstalling them. Been there, done that, it's why I never run the basic backup systems on Windows.

    It's not really a backup if it can't be used to restore what needs to be restored. I should hope that a hospital is not relying on the basic backup systems of Windows. Data Protection Manager is a bear to set up and configure, but once it's running, they should be able to do bare metal restores without losing anything. The only thing more expensive than an enterprise backup system is not having backups when you need them.

    And even if they do lose vital patient data in the restore, they've *already* lost vital patient data because it's locked up with ransomware so it hardly sounds worse than the alternative of pissing around millions of dollars in ransom with no assurance that they'll get all (or even any) of their data back.

  9. Restore from backup on Hackers Demand $3.6 Million From Hollywood Hospital Following Cyber-Attack (softpedia.com) · Score: 4, Insightful

    Isn't this what backups are for? Wipe the infected computers and restore from backup. A few days of lost data seems less disruptive than weeks of no computers at all.

  10. Re:Do People Still Watch DVDs? on Hollywood Escalates "DVD Ripping" Case To International Incident (torrentfreak.com) · Score: 5, Interesting

    Who bothers with DVDs anymore? Unless your tastes are way off the beaten track, everything you might want is available for streaming anyway.

    There are still many DVDs that I can buy used cheaper than the "own it on streaming" price, *and* the DVD is really mine, so I can rip it to multiple formats for playing on a TV or mobile device. It's not like a streaming movie that I "own" where the streaming provider decides where I can watch it, and can lock me out of my owned movie for any reason, including bankruptcy.

    Though as people move towards streaming, there are fewer deals to be had on used DVDs.

  11. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    The pfSense C2758 Appliance supports 2 x 10GigE interfaces:
    https://www.pfsense.org/hardwa...
    Model: C2758
    Max Active Connections: 8,000,000
    Network Interfaces: 4x Intel 1GbE
    Network Expansion: 2x Chelsio 10GbE

    Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960 Mbit (150 Mbit VPN) while the standard ASA 5500 line tops out around 4 Gbit/second (700 Mbit VPN).

    The 5585-X model line with the dedicated security processor will do up to 80 Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap; you'll pay around $150K for each one.

  12. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    "viewing inside ssl encrypted transactions (which should be illegal but hey)"

    So it has a convenient interface for MITMing SSL sessions... Ugh.

    Shit like this is why I'm going to have to nuke my existing public keys & re-exchange them between boxes via sneakernet at some point. Inasfar as it's possible, of course. I can't exactly mail a usb key to the GitHub building with new keys & instructions, can I?

    Why?

    Unless you think someone is MITM'ing all of your pathways to the internet, just validate your keys from more than one place - even if your employer managed to manipulate your key when you connect through their internet connection, when you try to use the key (or look at the key fingerprint) from your home internet connection, you'll see that it doesn't match your private key.

    Or, when you're uploading keys, don't trust an SSL connection from someone else's computer (even your employer's) since the only way they can MITM SSL is to put their own root cert on your computer.

  13. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    You explicitly said log in and click. That is indicative of not being able to cron or run a script remotely. Either your writing is bad or your understanding is bad. Why should I trust the rest of what you have said?

    That was my advice to him -- the guy that is using a consumer grade 5505 to protect his office, let his maintenance subscription lapse, and whose firmware is 2 years out of date.

    Being able to log in and click on something is no indicator of whether or not it can be scripted. There are many many tools and products that provide both a GUI and a rich API.

    But hey, I'm not trying to sell you anything -- if you can't figure out on your own if a product supports any scripting or remote management, then that's probably a good sign that it's not the right fit for you. But don't try to blame someone else for your own shortcomings when you somehow assume that a 100 word Slashdot post is a complete feature description and that it will describe your own (unstated) use case.

  14. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.

    Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.

    You're not a Linux (or BSD, or other unix like OS) admin are you? Everything can be automated.

    You can automate it if you trust updates not to break connectivity. Most people would rather be there when it updates so they don't get locked out of their VPN on a long holiday weekend.

    I've never had a pfSense update break anything, but I still don't trust it to do unattended upgrades.

    If you've got a validation lab where you can test out upgrades before you push them out to remote sites, then you can have it do unattended upgrades automatically.

  15. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    Just providing another opinion on why someone would choose Cisco over free alternatives.

    Yes, there are valid reasons to buy an ASA or other Cisco device, but I don't think that anyone with an ASA 5505 with lapsed maintenance that's 2 years out of date bought it for any of those reasons.

    Many people buy the low-end Cisco devices because "Hey, it's Cisco, it must be super secure", then they plug it in and put it in the corner under a desk and forget about it for years, never looking at it or applying updates until it fails. They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.

  16. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    As much as I love my pfSense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces.

    And how many 10 gig interfaces can you put into an ASA 5505?

  17. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 1

    The reason that people use things like Cisco is that the integration is easier.

    The other reason is that they are supposed to be secure. But if you let your SMARTNet subscription lapse and stop applying updates, that's no longer the case. If you're not going to pay for updates for your security device, then use something that will give you free updates.

  18. Re:Great! Now if only they would make upgrades eas on Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) · Score: 5, Informative

    In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
    I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.

    You can not buy it online.
    You can not buy it from Cisco, you have to go through a reseller.
    Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...

    I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.

    How on earth are customers supposed to be secure if they make it so hard to keep up with patches?

    Replace your ASAs with pfSense boxes (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors; the code is open for inspection. You can buy support if you want it.

  19. Re:So what should we do? on Jeep/Chrysler's New Gearshift Appears To Be Causing Accidents (roadandtrack.com) · Score: 1

    The shove to park normally works. There's an "easy" press up and a "hard" press up. The problem is if you do it a little softly you go into neutral instead.... I had it happen to me once when I went to open the door and the car started rolling... It is very easy to drive this car if you pay attention and it took no special instruction during the test drive or for relatives.

    You just gave us special instruction to push more firmly into Park, and said that when you didn't follow those special instructions yourself, you accidentally left the car in neutral -- had you been parked on a hill, you may have lost control of the car. Why wouldn't you tell relatives about it before they drive the car? Don't you like them?

    Sounds like it *does* need special instruction and without that instruction, it's a hazard to those that aren't familiar with it.

  20. Re:So what should we do? on Jeep/Chrysler's New Gearshift Appears To Be Causing Accidents (roadandtrack.com) · Score: 1

    Yet every new Prius driver I know of (including myself) spends the first 10 minutes trying to figure out how to make it work.
    One neighbour got it into reverse and then backed it down the street one inch at a time while trying to figure out how to go forward again.
    Once learnt it is simple and intuitive and obvious but not at the beginning.
    Which of course means it is not intuitive and obvious at all - just simple.

    The PRNDL shifter isn't intuitive either -- why do you pull it backwards to go forwards, and push it forwards to go backwards? It's just so ubiquitous that everyone knows how it works.

  21. Re:So what should we do? on Jeep/Chrysler's New Gearshift Appears To Be Causing Accidents (roadandtrack.com) · Score: 5, Insightful

    And if you're never allowed to move their cheese, you could never effect "progress", could you. Sometimes you have to move their cheese, and sometimes you have to let "this kind of stuff" happen. Sometimes you even have to do it with very small incremental changes. Since you used the helpdesk reference, perhaps just like the small incremental changes in every iteration of Windows.

    You can move the cheese, but don't replace it with a box of poison that looks just like the cheese.

    If they want to change the UI for a shifter, they should make it completely different, not make something that looks, and superficially feels the same while in actuality it's quite different. What they did is akin to wanting to have a joy-stick instead of a steering wheel, but instead of just putting in an obvious joystick, they made it look just like a steering wheel.

  22. Re:Oops on Wired To Block Ad-Blocking Users, Offer Subscription (wired.com) · Score: 1

    Fourth option: have lightweight unobtrusive ads.

    I only started using ad-blocker when ads became a draw on performance.

    Me too, the straw that broke the camel's back for me was a website that started up a full page interstitial ad a few seconds after reaching the site - I'd start reading the article, then have to wait for an animated interstitial to load... then about half the time, I'd click on the tiny close box in the corner, but would miss it and the advertiser's site would load. That's when I turned on Adblock.

    I kept the "allow unobtrusive ads" box checked with adblock, so I still see some limited set of ads (though I think Google is the only place I see those ads).

    There's no way I'm paying $52/year to read Wired when I only go there a half dozen times a year. What I would be willing to do is fund a micropayment account, and then pay sites a few cents per page view to replace the revenue they'd get from ads.

  23. Sounds familiar on Thirty Meter Telescope Likely Never Gets Built ... In Hawaii · Score: 5, Interesting

    Sounds a lot like what happened to the company that tried to run ferry service between the islands: the government supported the company and helped them start up, and 2 years (and several lawsuits) later a judge shut them down because whatever law was passed by the government was against Hawaii's constitution.

    https://en.wikipedia.org/wiki/...

    In December 2008, environmental groups and the company returned to court for an appeal of the previous ruling. On March 16, 2009 the Hawaii Supreme Court ruled that allowing the Superferry to operate prior to completion of the environmental study was unconstitutional.[37] The company immediately suspended service and laid off its 236 employees.

    Hundreds of jobs and hundreds of millions of dollars of investment lost.... and probably hundreds of millions of future investments lost because investors won't invest in infrastructure when they have no assurance that when the government says "we need this, do it", that they really mean it.

    I actually had tickets to ride the boat, but the company had already shut down before my trip.

  24. Re:Stupid design on Some Reversible USB-C Cables/Adapters Could Cause Irreversible Damage · Score: 1

    Current doesn't kill silicon, voltage does. Example: you take an LED. It's a red one that runs at 2V. You can probably dump 3-4x that voltage through it without a resistor, and it won't care as long as the polarity is correct and it has adequate heat sinking. Now, this same LED has a reverse breakdown voltage. Many LEDs nowadays have native protection about double their nominal operative voltage. So for this LED, it can take upwards of ~4V reverse polarity. You give it 5V or higher in reverse, you will destroy the p-n junction.

    This knowledge is what is used to design LED arrays which can run natively off wall power without any power driver circuitry.

    V+ and GND are power supply rails, are you claiming that an external device can overdrive the computer (or USB chipset's) power supply without sending enough excess current through it that would trip the fuse?

  25. Re:Stupid design on Some Reversible USB-C Cables/Adapters Could Cause Irreversible Damage · Score: 1

    We're not talking about over current, we're talking about simple wrong polarity.

    If reversed polarity doesn't lead to over current, then what happens that makes it so bad?