Slashdot Mirror


User: ctilsie242

ctilsie242's activity in the archive.

Stories: 0
Comments: 968

Comments · 968

  1. Re:Curious lack of Synology... on VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices (bleepingcomputer.com) · Score: 3, Informative

    I read it's because QNAP and the other mentioned models used BusyBox for their userland, and likely a vulnerable version. Synology uses discrete Linux binaries for its userland, so it wasn't vulnerable because of this.

    I would say that BusyBox is a good product, but there have been some CVEs last year which required updates.

    Synology is a Taiwanese company, so I fear it less than a company on the mainland.

  2. In my experience, a DC doesn't need that much once it is up and running. You need facilities people (HVAC, power, security, etc.), but that is true for any building. For the servers themselves, you really just need a couple of operators, at worst maybe on a 24-hour shift, but even 9-5 would be just fine.

    With components like HDDs being replaced by SSDs that have a significantly larger MTBF, it really doesn't take that many people to man a DC.

  3. If the server is sunk into the ocean, never to be used again, then it doesn't hurt to purge the air for nitrogen. This stops any corrosion from happening, makes fires impossible, keeps a lot of bacteria types from growing, and lots of other good things.

    There are music studios which fill the mixing room full of nitrogen when it isn't in use, just so the contacts do not corrode.

  4. Did this with tar files on Zip Slip Vulnerability Affects Thousands of Projects (theregister.co.uk) · Score: 1

    Back in the 1990s, it was trivial to compromise a machine by having a tar file with absolute paths in it, so /etc/shadow got overwritten when the admin decided to untar a "sendmail patch" that he or she was given.

    That attack is still valid today. If you untar a file as root, there is a good chance that an absolute path may be in that file.
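The comment above describes two archive tricks, absolute member names and (per the linked story) `..` traversal, both of which are cheap to detect before extraction. The following is an added example, not code from the commenter or from any project the story covers: it audits every member of a tar archive against the intended destination directory, treats symlink and hardlink targets the same way, and refuses the whole archive if anything would land outside. The sample archive, its member names and the `/tmp/constructed-extract-dest` destination are constructed for the demo.

```python
import io
import os
import tarfile


def member_escapes(dest: str, member: tarfile.TarInfo) -> bool:
    """True if extracting `member` into `dest` could touch a path outside `dest`.

    Covers absolute names (the /etc/shadow trick), '..' traversal (Zip Slip),
    and symlink/hardlink members whose target resolves outside the destination.
    """
    dest_real = os.path.realpath(dest)

    def inside(path: str) -> bool:
        return os.path.commonpath([dest_real, os.path.realpath(path)]) == dest_real

    # os.path.join discards `dest` entirely when member.name is absolute, which is
    # exactly what a naive extractor suffers from; here it is what we detect.
    if not inside(os.path.join(dest_real, member.name)):
        return True
    if member.issym():
        # Symlink targets are resolved relative to the directory holding the link.
        link_dir = os.path.dirname(os.path.join(dest_real, member.name))
        return not inside(os.path.join(link_dir, member.linkname))
    if member.islnk():
        # Hard link targets are relative to the archive root.
        return not inside(os.path.join(dest_real, member.linkname))
    return False


def audit_tar(tar_bytes: bytes, dest: str) -> list:
    """Names of members that would escape `dest`; an empty list means the archive is clean."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if member_escapes(dest, m)]


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any member is hostile; otherwise extract and return the names."""
    bad = audit_tar(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract into {dest}; escaping members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_tar(hostile: bool = True) -> bytes:
    """Constructed sample archive: one benign file plus, optionally, the classic hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [("sendmail-patch/README", b"benign file\n")]
        if hostile:
            entries += [
                ("/etc/shadow", b"root:!:0:0:99999:7:::\n"),  # absolute path
                ("../../.bashrc", b"echo owned\n"),           # parent-directory traversal
            ]
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))  # addfile() stores the name verbatim
        if hostile:
            link = tarfile.TarInfo(name="sendmail-patch/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../../etc"  # symlink whose target lies outside dest
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/tmp/constructed-extract-dest"
    print("hostile members:", audit_tar(build_sample_tar(), dest))
    print("clean archive:  ", audit_tar(build_sample_tar(hostile=False), dest))
```

The audit runs before anything is written, so a single bad member rejects the archive rather than leaving a half-extracted tree behind. On Python 3.12 and later, `tarfile.extractall(..., filter="data")` applies comparable checks in the standard library; the explicit version above works on older interpreters and makes the rejected names visible for logging.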

  5. True, but the place just waits 3-6 months, hands the bill to a debt collector who tacks on a few thousand bucks in fees, and starts pestering your neighbors, your co-workers, and your boss at 2:00 AM about what you owe.

    Thankfully it wasn't me, but it actually was a neighbor who couldn't cancel some stupid monthly payment, and the bill collector's MO was to call as many people who were related to the neighbor as possible. Since they were offshore, they didn't care about the Fair Debt Collections Act.

    If the business couldn't get any real name or other info, those burnable cards would be worth it.

  6. Or the software demands an account and your credit card, then charges you seven days later whether you like it or not. Even if you go to cancel, there is no way online you can do this. You have to fight a "customer retention" rep for 45 minutes, only to get hung up on. If you cancel your credit card so they stop charging, three months later, you find some bill collection agency calling your neighbors telling them you are a defaulting deadbeat, and your credit record got turned into shit.

  7. Re:Cludge fix? on Apple Is Testing a Feature That Could Kill Police iPhone Unlockers (vice.com) · Score: 1

    A DFU restore? I wonder how this USB "locking" mechanism will deal with that. Maybe iBoot or the firmware will allow a firmware overwrite and erase, but not any ability to read.

  8. Re:Client Side AS WELL AS Server Side on Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s (bleepingcomputer.com) · Score: 4, Insightful

    You need both. Client side is for sanity checking, just so the obvious security issues don't make it to the server and take up server resources (bandwidth, etc.). For a sense of security, everything needs to be checked at the server side, as -nothing- should be trusted. Sorry, Bobby Tables.
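To make the "check everything on the server" point concrete, here is an added example (not the commenter's code) of the Bobby Tables mistake beside its fix: a login check that splices client input into SQL, next to one that applies a server-side allow-list and a parameterized query. The in-memory SQLite table, the two accounts and their passwords are constructed for the demo; the unsalted SHA-256 is only there to keep the snippet self-contained and is not a recommendation for password storage.

```python
import hashlib
import hmac
import re
import sqlite3

# Server-side allow-list for usernames, enforced no matter what the client already checked.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def hash_password(password: str) -> str:
    # Unsalted SHA-256 keeps the demo short. Real systems need a slow, salted hash
    # (scrypt, bcrypt, argon2); the injection shown below is independent of that choice.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", hash_password("constructed-admin-pw")),
         ("alice", hash_password("correct horse battery staple"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Trusts the client: the username becomes part of the SQL text itself."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_password(password)}'"
    )
    # A username of admin'-- turns the rest of the statement into a comment,
    # so the password clause is never evaluated.
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Server-side allow-list plus a parameterized query; input never reaches the SQL parser as code."""
    if not USERNAME_RE.fullmatch(username):
        return False  # reject rather than "clean up" unexpected input
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and freshly computed hashes.
    return hmac.compare_digest(row[0], hash_password(password))


def login_parameterized_only(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterization alone, without the allow-list: still immune to the injection."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin'-- :", login_vulnerable(db, "admin'--", "anything"))
    print("safe,       admin'-- :", login_safe(db, "admin'--", "anything"))
```

The two server-side layers do different jobs: the parameterized query is what actually removes the injection, while the allow-list narrows the input space so that other server code (logging, templating, file paths) is not handed surprises either. Neither depends on the client having done anything.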

  9. Re:Cheapest TCO on Car Makers Used Software To Raise Spare Parts Prices (engadget.com) · Score: 1

    Reliability is one metric, but all car brands across the board are very reliable. From there, it is parts and service.

    A good example of this is a Ford Transit versus a Mercedes Sprinter. The Sprinter is very reliable, but if something happens, you spend Mercedes prices for parts and service. For example, if you want an additional key, expect to pay $200, and $200 for someone to program it in at the dealership. The Transit key is $40 and you can program it in yourself.

  10. Re:In other not surprising news... on Car Makers Used Software To Raise Spare Parts Prices (engadget.com) · Score: 2

    What makes car parts so profitable is that there are so many varieties of components; makes, models, years, and trim levels are all different, and the differences are usually relatively minor, usually some change in the shape of the plastics, mounting holes, or wiring placement, as opposed to essential functionality.

    One thing to consider is types of cars when buying them. For example, on one older vehicle I have, the headlights were blurry. It was cheaper to replace the ABS plastic headlight lamps in the front with OEM spec parts than it was to buy that stuff sold that supposedly cleans them. Even light bulbs. For a few dollars, I upgraded the tail and marker lights from bulbs to LEDs.

    Makes me wonder what automobile make is the best for TCO, over the long haul.

  11. Re:Goodbye then, Github on Microsoft Is Said to Have Agreed to Acquire Coding Site GitHub (bloomberg.com) · Score: 1

    There is always Amazon CodeCommit...

  12. Re:I don't understand why you tolerate it on Why No One Answers Their Phone Anymore (theatlantic.com) · Score: 1

    We do have laws, but with how easy it is to spoof VoIP, a firm can be well offshore, out of reach of enforcement, and spam robocalls. Coupled with the fact that there is little to no interest in enforcing anything that protects consumers, the result is usually 7-8 robocalls a day for the average person, perhaps a lot more.

  13. If someone has a laptop they take around and use on Wi-Fi, this could be an issue.

  14. Hard disks don't really care about pressure as much, unless it is so great that it pops the internal membrane, causing the helium or pure air inside to leak out. One rarely hears about a hard drive failing on a laptop on a plane. However, the noise is what kills them. This is such an issue that some companies are doing a lot of work to re-engineer the gas nozzles to reduce the initial noise.

  15. Yes, almost all cheap laptops will come with a 5400 RPM HDD if they don't use a 32GB eMMC card. Of course, swapping it out for an SSD is an option, but some laptops take a lot of digging, prying, and ungluing to reach the drive, risking damage.

  16. I do know that when something like Halon or ECARO cylinders pop in a data center, that often causes hard drive failures due to the initial hissing sound, and there are advances to reduce that noise.

    Ultimately, the best defense is moving to SSD, although with that form of media, there is the issue of archival life. Once those electrons escape the gate, they are gone for good.

  17. What places allow unlockable bootloaders now? on Huawei Will No Longer Allow Bootloader Unlocking On Its Android Handsets (androidauthority.com) · Score: 1

    It seems like finding something with an unlockable bootloader is virtually impossible these days.

    What companies actually allow it still? HTC is the only one I know.

  18. I have uBlock Origin, SandboxIE, and virtualization. This has kept bad things at bay since the early 2000s. An ad blocker does more for security than most AV programs (which usually are good enough to catch older stuff, so better than nothing). Of course, virtualization and sandboxing ensure that stuff that gets out is well contained.

  19. Re:Never understood the appeal of password manager on A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) · Score: 1

    Very true. However, with 2FA, the password for my E-mail account won't give an attacker a free ticket in.

  20. ESXi, busybox, emacs, or PGP? on Ask Slashdot: What's the Most Sophisticated Piece of Software Ever Written? (quora.com) · Score: 4, Interesting

    It depends on what you mean by sophisticated:

    If you mean something that does a lot of functions, then I would probably propose BusyBox or emacs.

    If you mean something cleverly engineered to handle a lot of attacks, PGP, TrueCrypt, and VeraCrypt come to mind.

    If you mean something that makes a framework, Kubernetes can be considered there.

    Then, there are hypervisors that wind up not just doing the functions of an operating system, but providing the same functions to an OS.

  21. No user directory encryption? on Canonical Shares Desktop Plans For Ubuntu 18.10 (ubuntu.com) · Score: 3, Informative

    Looks like Ubuntu 18.x doesn't offer user home directory encryption anymore. Not sure how good/bad/ugly this is, but I thought it to be a useful feature.

  22. Re:Never understood the appeal of password manager on A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) · Score: 1

    I don't know much about Keeper, but there are many better programs out there, so I have not bothered with it.

    For a provider that provides its own cloud storage, LastPass has been good. They state their compliance measures, and have been shown to be resilient, even when attacked. They offer 2FA, which is a must.

    For a password utility that can sync to a cloud provider, I have used EnPass, Codebook, 1Password, and SafeInCloud. EnPass and Codebook are great. 1Password may require an account and a yearly fee for access to your own passwords. SafeInCloud is solid, but new. I used to recommend mSecure, but they seem to have gone the route of requiring an account and subscription fees as well to access your own data.

    For a password utility that doesn't sync, KeePass on Windows, and KeePassXC on macOS or Linux.

    Of course, you can always use a CSV file and store that on a TrueCrypt/VeraCrypt volume.

  23. Re:... the appeal of password managers. on A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) · Score: 1

    The best password manager solution is something that uses an existing cloud provider, like Box, Dropbox, GDrive, or maybe even the "big boys", like Amazon S3, Backblaze B2, Wasabi, Azure, Google Cloud Services, or other providers which have a laundry list of compliance certifications. That way, it takes two companies to compromise before someone can get the passwords: the password manager and the cloud provider.

    From what I've seen, LastPass has earned its bones, both in doing compliance regs, as well as mitigating attacks.

    No security tool is a magic bullet. For most sites (everything but banking and other critical stuff), LastPass is good enough. For more critical things, KeePass or KeePassXC on local storage [1] is better.

    [1]: There are decent hardware USB flash drives by iStorage and Aegis. They don't depend on the keyboard for PIN entry, so are immune to keyloggers. After a number of times (10, usually), they will erase the contents on the drive.

  24. Re:The key to Data Sience. on Data Science is America's Hottest Job (bloomberg.com) · Score: 1

    At a previous job, I was using a Splunk app (hasn't been updated since 2014) to get hockey scores for my boss for his daily dashboard readout. Supposedly being able to write a bunch of stuff to throw people a report gleaned from Splunk or an ELK stack is big business. However, it is something a sysadmin winds up doing often, just as one does SQL stuff for reporting as well.

  25. Re:Never understood the appeal of password manager on A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com) · Score: 1

    Same reason why facilities people put the building keys in a storage locker. For websites, it is a lot more secure to use something like Dashlane or LastPass secured with 2FA and a good password than to use the same password or variants of it.

    For local passwords, KeePass can be significantly more secure. One can store their KeePass DB on a physically secure USB flash drive, and have it use a password and a keyfile, where an attacker, even if they managed to glean a password, would still have to obtain those. KeePass even allows for identity info from Windows to be used, ensuring that if the DB is copied off, it is not usable.