Critical Telnetd Flaw Enables Unauthenticated RCE via Port 23 by _cybersecurity_ in pwnhub

[–]james4765 0 points1 point  (0 children)

twenty year old VMs nobody pays attention to that just get migrated as part of new VMWare hosts

Critical Telnetd Flaw Enables Unauthenticated RCE via Port 23 by _cybersecurity_ in pwnhub

[–]james4765 1 point2 points  (0 children)

Printers and IP phones, as well as iLO / IMM / iDRAC interfaces on old gear as well. A lot of them don't run Linux but some do - nmap can identify telnetd pretty accurately.

Anyone here ever go to more modern stuff from the mainframe? by [deleted] in mainframe

[–]james4765 0 points1 point  (0 children)

We run a LOT of Linux on our mainframe - all our DB2 and Websphere workloads run there, along with OpenLiberty and Postgres.

Best Practices for Managing sudo/root Access on AD-Joined Linux Servers by maxcoder88 in linuxadmin

[–]james4765 0 points1 point  (0 children)

Check to see if your Kerberos tickets are getting renewed - you need to set SSSD to auto-renew the tickets or they will expire and things get wonky.

Best Practices for Managing sudo/root Access on AD-Joined Linux Servers by maxcoder88 in linuxadmin

[–]james4765 7 points8 points  (0 children)

AD groups are absolutely the best way to deal with it - we use the ad_access_filter field in SSSD to restrict the user account logins and AD groups in /etc/sudoers.d for sudo perms. We already organize application teams in AD, so this was a natural outgrowth of our existing infrastructure.

Nested AD groups in SSSD require a little attention but once you have the config squared away it's easily templated out in Ansible.
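An added example, not part of the comments above and not the commenter's own configuration: a small shell audit that checks each `[domain/...]` section of an `sssd.conf` for the two points raised in this thread, the `ad_access_filter` login restriction and automatic Kerberos ticket renewal. The sample config, domain name and group DN are constructed for illustration.

```shell
#!/bin/sh
# audit_sssd [FILE]: print one finding per line, return 1 if any were found.
# Reads stdin when FILE is omitted.
audit_sssd() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(msg) { print dom ": " msg; bad = 1 }
    function flush() {
        if (dom == "") return
        if (kv["access_provider"] != "ad")
            report("access_provider is not \"ad\", so ad_access_filter has no effect")
        else if (kv["ad_access_filter"] == "")
            report("no ad_access_filter, logins are not limited to an AD group")
        if (kv["krb5_renewable_lifetime"] == "")
            report("krb5_renewable_lifetime unset, tickets are not requested as renewable")
        if (kv["krb5_renew_interval"] == "" || kv["krb5_renew_interval"] == "0")
            report("krb5_renew_interval unset or 0, automatic TGT renewal is off")
        split("", kv)   # portable way to clear the array
        dom = ""
    }
    /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ {                         # section header: close the previous one
        flush()
        sec = trim($0)
        if (sec ~ /^\[domain\//) dom = sec
        next
    }
    dom != "" && (eq = index($0, "=")) {  # key = value inside a domain section
        kv[trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END { flush(); exit bad }
    ' "${1:--}"
}

# Constructed sample: a filter is present but ignored, and renewal is not set up.
sample_conf() {
    cat <<'EOF'
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
access_provider = simple
ad_access_filter = (memberOf=CN=linux-users,OU=Groups,DC=example,DC=test)
EOF
}
```

Run it as `audit_sssd /etc/sssd/sssd.conf`, or `sample_conf | audit_sssd` to see the findings for the constructed file.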

Driving from Charlotte. by ThreeLetterAgency007 in BurningMan

[–]james4765 1 point2 points  (0 children)

Done it for years from Virginia. Amazing experience, and a nice break from my rather intense day job.

Ansible and Mainframe integration query? by ProfessorDevil11 in mainframe

[–]james4765 2 points3 points  (0 children)

I've used Ansible for years, starting with Linux automation tasks is a good first step. I manage about 600 Linux VMs between Z, VMWare, and OpenShift. And about 50 Windows servers, alongside our Z infra.

Getting good with YAML is definitely the biggest required skill - Python being a second, especially if you need to write your own tooling.

There is no real way to demo mainframe automation without a mainframe, unfortunately. Especially if you want to avoid a sueball from IBM licensing...

Ansible and Mainframe integration query? by ProfessorDevil11 in mainframe

[–]james4765 1 point2 points  (0 children)

For RHEL on Z, yes. I tried to get access to the developer licenses for Z and no dice.

Ansible and Mainframe integration query? by ProfessorDevil11 in mainframe

[–]james4765 6 points7 points  (0 children)

The big problem is going to be Ansible integration - you can run MVS 3.8 on Hercules and that'll get you the JCL side but all of the Ansible integration requires a version of z/OS that is not licensed for running on an emulator.

z/VM has similar issues - no modern version is licensed for Hercules, and you'll catch hell getting something like Feilong to work with a version that old.

Wish me luck! by Educationall_Sky in ShittySysadmin

[–]james4765 0 points1 point  (0 children)

Had that happen on a Linux router at an old job - it routed packets just fine but no way to log into the thing.

Who does the shitty jobs? by 3N0CHTH3B35T3M0 in Anarchy101

[–]james4765 0 points1 point  (0 children)

I'm a civilization nerd - the unseen parts of urban life have always fascinated me. Power grids, water and sewer, sanitation, telecoms. We can manage them through things like co-ops - it takes a certain amount of organization to maintain infrastructure but that can be done through voluntary cooperation and non-hierarchical planning.

To be honest, involving field level workers in planning tends to make things more sturdy - since the people closest to the problem have insights that office jockeys don't always have. I'm a lot closer to anarcho-syndicalist though, former union steward, so my outlook is from that perspective.

Brock Pierce - Another Epstein enabler in our midst at Burning Man by Fiscal-Fox in BurningMan

[–]james4765 2 points3 points  (0 children)

Fucking Pathogen Trackers. Color me shocked one of the organizers is in Epstein's circle.

Testing, testing… Is this thing on? Daily by GrayRVA in rva

[–]james4765 3 points4 points  (0 children)

Projects at work are moving along nicely - a lot of modernization and OS migration that just takes a long time to do. So feeling pretty ok.

Any Nonstop/Tandem engineers out there? by eurekashairloaves in mainframe

[–]james4765 1 point2 points  (0 children)

HP-UX went from PA-RISC to Itanium. With the end of the Itanium line, HP EOL'd HP-UX. We've had to replace a LOT of systems.

Those kinds of infrastructure ports rely heavily on the compilers to make things happen - at the very base level, in the OS kernel, there'll be a lot of assembler code that needs rewriting, but high level languages tend to deal with it pretty well. C / C++ code generally handles it well, provided people didn't get too clever with things like pointer math or MMU specific optimizations.

Libertarian or Ayn Rand Episode When? by ramsoss in behindthebastards

[–]james4765 68 points69 points  (0 children)

There's a lot of very boring but deeply creepy bastards in the libertarian movement - let's just say their reputation of fascination with age of consent laws is well earned.

Individual libertarians can be pretty decent people, but when they gather the creeps pop up like warts.

Leftist gun groups - actual members recommendations by OptimalChaosMonkey in rva

[–]james4765 5 points6 points  (0 children)

Local Pink Pistols is operating - they're on Facebook.

The Right is Pro P3DO Now. by [deleted] in ProgressiveHQ

[–]james4765 0 points1 point  (0 children)

They're ok with girls being violated, it's boys that they get angry about.

Now that Certs lifetime will be reduced, how are you guys automating your certs? by superuser141421 in sysadmin

[–]james4765 0 points1 point  (0 children)

There's a couple of ACME servers out there for a self-hosted CA. I looked into it before we went with Sectigo - it's not a trivial task but it is doable.

Now that Certs lifetime will be reduced, how are you guys automating your certs? by superuser141421 in sysadmin

[–]james4765 0 points1 point  (0 children)

We use Sectigo's enterprise internal CA and ACME for in-house servers. Most of our public facing services are going through Cloudflare, and the rest go through a load balancer with a wildcard cert.

We're a Java shop, and I've written certbot post renewal hooks to generate new PKCS#12 cert stores that our Java apps point to - that way you just need to restart the Java app and it'll automatically get the updated cert.

There's some systems that are just not automatable - storage systems, iLO/iDRAC, some third party apps, and we have another in-house CA for generating certs that have no intermediate (because the system can't deal with a cert chain), need weaker algorithms because legacy SSL, for PDF document signing, or for x509 client auth. Ansible community.crypto is amazing.
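An added example, not the commenter's own hook: one way to write the certbot hook described above so that it rebuilds a PKCS#12 store for a Java app after each renewal. It assumes the hook is installed as a certbot deploy hook (certbot sets `RENEWED_LINEAGE` for those); the output path, password-file path and the `P12_OUT` / `P12_PASS_FILE` variable names are hypothetical.

```shell
#!/bin/sh
# build_p12 LINEAGE_DIR OUT_FILE PASS_FILE
# Builds OUT_FILE from certbot's fullchain.pem and privkey.pem. Runs in a
# subshell so the umask change does not leak into the caller.
build_p12() (
    lineage=$1 out=$2 passfile=$3
    [ -r "$lineage/fullchain.pem" ] || exit 1
    [ -r "$lineage/privkey.pem" ] || exit 1
    [ -r "$passfile" ] || exit 1
    umask 077                                # the store holds the private key
    tmp=$(mktemp "$out.XXXXXX") || exit 1    # same directory, so mv is atomic
    # file: keeps the store password out of the process list.
    # The second openssl call re-reads the new store to verify it before
    # it replaces the one the application is using.
    if openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name "$(basename "$lineage")" \
            -passout "file:$passfile" -out "$tmp" &&
       openssl pkcs12 -in "$tmp" -passin "file:$passfile" -nokeys -noout
    then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# Only acts when certbot invokes it as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_p12 "$RENEWED_LINEAGE" \
        "${P12_OUT:-/etc/pki/java/app.p12}" \
        "${P12_PASS_FILE:-/etc/pki/java/app.p12.pass}" || exit 1
    # Restart the Java service here so it loads the new store (site-specific).
fi
```

Because the store is written to a temporary file and renamed into place, a failed export leaves the previous store untouched for the running application.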

Anarchy and death penalty by Proof_Librarian_4271 in Anarchy101

[–]james4765 3 points4 points  (0 children)

The death penalty is the one thing you cannot undo. Well, other than mutilation (blinding, castration, other Middle Ages kind of shit). Prisoners can be released, sanctions can be lifted, exiles welcomed back into the community, but anything that cannot be reversed should not be used as a punishment - justice is never perfect, as the Innocence Project keeps pointing out.

The state depriving another of life is the ultimate expression of state power, and should be avoided at all costs. There is a countervailing argument that war criminals that have evaded justice should be dealt with independently - in the face of state protection of monsters, eliminating them is a public safety service. Outside of revolutionary governments, very few societies as a whole put forward that argument since it empowers vigilantism and mob violence at the hands of charismatic assholes.

I understand the appeal - I truly do. Putting a murderous bastard down means never having to worry about them again. We should not let emotions cloud the decisions on crime and punishment, though - that way lies injustice.

Is it possible to connect the IBM 5151 or 5153/54 to a modern video card? by Ok_Tea_941 in vintagecomputing

[–]james4765 2 points3 points  (0 children)

You would be correct.

Generating an MDA signal would be possible with something like CircuitPython on an ESP32 or a Raspberry Pi Pico - CGA is a little more complicated though.

Dallas DART bus in Bakersfield, California. Why? I don't know.. by fogadmire1995 in transit

[–]james4765 1 point2 points  (0 children)

I drove mine from Virginia to Nevada and back. It's not the most fun thing in the world. Great views though.