Sysadmin Mega Thread

Does anyone here have experience doing in-place upgrades from RHEL 6 to RHEL 7?

How often does it bork? Etc?

Upon further reading the process seems fairly straightforward?

We did a risk assessment today and I need to determine feasibility. I.e., if it’s too tedious and prone to breaking then we’ll just do a failover to an upgraded host instead of wasting our time. However, management doesn’t want to front the full bill for a fail-over migration, so we need to keep costs low, which is why we were considering upgrades.

This sounds way better to me, but might be tedious depending on how many servers you’re dealing with.

Over 430 EL6 hosts

So I just received a mail …
I hope you are well and staying safe. I'm a cybersecurity researcher and I had found few vulnerabilities on your domain/websites. Do you have any bug bounty or reward policy for reporting a vulnerability ethically to you? How do I report it?
After that came a PGP key and the name of a dude.
But that dude has like 3 Twitter accounts, all private, and 2 dead websites…

How do you react to mail like that? How do you make sure it’s not some phishing scam?

Edit: Also, if you have $0 to give and won’t fix anything that doesn’t put user data in danger because of a budget freeze … do you still reply and make him lose time?

You should consider it legitimate and see what they have to say. You should respond via encrypted PGP and ask for details and a proof-of-concept exploit if they have one. Most likely though it’s some super low impact vulnerability (XSS or missing HTTP security header) that they just found by running a scanner tool against your site. I do the security things at work, and we get at least one of these a week.

I’d absolutely reply to him and be respectful. See, the problem with this situation is that people are easily enticed to the dark side. I had this happen once, where they asked for responsible disclosure and a bug bounty, and when we told them we didn’t have a bug bounty, but thanks for disclosing, they came back and said “welp, we’ve copied all your data, here’s a sample, we demand X bitcoin”

Oof, straight to blackmail. What did you end up doing? Were you able to confirm they downloaded sensitive data via logs?

Well, they signed their name in the first email, so we just forwarded it to the FBI and washed our hands of the mess.

They got some data, but after investigation, they just pulled data from our open API.

This was a few years back, and there wasn’t any sensitive data in it. Worst was usernames. All stuff that could have been scraped.

Nice. I mean, if they’re using bitcoin, then they must be untraceable, right? :rofl:

Yeah. Exactly.

You would not believe the amount of reports we get for “enumeration of users” on our public WordPress site. Of course you can see the usernames, they’re on the blog posts!

Hey Windows people, I have a question about licensing…

I mostly admin Macs, but have some Windows PCs in the field. Was hoping to start consolidating the licenses under the Open Value program, but when I inquired about it, they said it was only for OEM Windows 7 upgrades.

I am looking for something I can use on repurposed servers and VMs. Other than Windows, I don’t use anything in the Microsoft ecosystem (no Office 365, Azure AD, etc)… am I stuck buying a bunch of retail licenses? Is there any Small Business-scale licensing solution for me?

One of the things that pushed me away from Windows was, in fact, the lack of a licensing solution that fit in the small business area, particularly for companies where there’s 5-35 machines that need licensing.

When I couldn’t avoid setting up a client with Windows, I wound up just buying a license per computer.

If you’re closer to 100 machines, I would consider looking at volume licensing.

How is the licensing supposed to work with VMs (outside of Azure)? I assume a retail license is fine for that, but all the business licenses look like they’re tied to a person or OEM hardware.

I’m not sure, tbh. I’ll defer to others on this one.

I presume it’s the same as a normal license. I know there’s something special for Hyper-V.

Yeah, I guess I meant outside of Azure and Hyper-V. Is there an enterprise license that you can put in a QEMU VM or VMware VM that’s not connected to a user or hardware?

We had a black swan event today.

A hypervisor went down in OCI and took out a DenseIO VM with a pass-thru NVMe drive, which just so happened to be a database host with a large account on it. So 30 minutes into my shift, the day started off contacting mission control and a 30+ Zoom, having to stop replication and re-seed a database, which then in turn caused a doxxing of the internal Memcached services because there was a race condition because a database went out.

We conducted an RCA and passed it off to the developers. In the meantime we are increasing our Memcached threshold to account for this as a band-aid.

A cascade of shit.

What should have happened? Shouldn’t the database have failed over?

Idk what DenseIO is if knowing that answers my question…

The default behavior is automatic failover but this is not possible on DenseIO because of the pass-through direct hardware.

What they do in these scenarios is that OCI will send out a notification with an intent to evacuate the virtual machine. Basically, all we have to do is make sure our data is backed up and then reboot the VM manually.

The issue was that the email went to the head of security for some reason instead of OPS, and they did not let us know of such a thing, so we got caught with our pants down.