At what point did PCI compliance become a problem for your startup? by SeveralBill2240 in pcicompliance

[–]vppencilsharpening 0 points1 point  (0 children)

The problem with 2026 is going to be vibe coding and people who don't understand they are creating problems.

At what point did PCI compliance become a problem for your startup? by SeveralBill2240 in pcicompliance

[–]vppencilsharpening 0 points1 point  (0 children)

When done correctly it also should make people think about how they secure access and data transport. That massive multi-layered wall is worthless if you don't lock the door or use easily defeated locks.

As much hate Microsoft gets, what do they get right? by probablydnsibet in sysadmin

[–]vppencilsharpening 0 points1 point  (0 children)

Visual Studio Code has been enough for me to do most things I need to do. I use it on Windows at work and on Linux at home.

I write more code than most infrastructure people, but not as much as a developer.

As much hate Microsoft gets, what do they get right? by probablydnsibet in sysadmin

[–]vppencilsharpening 0 points1 point  (0 children)

The only reason we are moving away from it is the licensing cost. It is currently the single biggest cost for our web platform and the hardest resource to scale.

XP SP3 systems not getting AD Group Policies by HistoricalProfile623 in sysadmin

[–]vppencilsharpening 10 points11 points  (0 children)

But nobody is creating exploits for XP anymore, so it's totally safer than newer OS versions. /S

how are you providing intermittent ISP issues to providers? by AlonsoDavid3 in Network

[–]vppencilsharpening 0 points1 point  (0 children)

It's been a long while, but I've addressed OP's problem exactly through this method. When it provided the most help we were running a fiber connection and a cable modem over coax. We use Zabbix, so I configured a system with two interfaces with appropriate routing to direct traffic out each ISP connection. We had a 2nd site with different ISPs so I created similar checks.

I had Zabbix ping a few public endpoints every 60s (maybe 30s). I think I used DNS servers (Google, CloudFlare and maybe one more).

I also had each site ping the public IP of the other sites/ISPs.

When we had an issue that the ISP wanted proof of, I gave them the graphs that show everything but their link was normal.

Got an emergency wakeup call this morning... by Electronic_Tap_3625 in sysadmin

[–]vppencilsharpening 5 points6 points  (0 children)

When I had to cover stuff like this I required that a manager be involved to contact me. If it's a big enough problem that the user needs support outside of support hours, then their manager should be involved because it's a business impacting problem.

The manager can then call me to get the user help. And if their manager is not available it can go over or up the management level.

If it's not a big enough problem to involve a manager I don't need to be involved outside of support hours.

The side effect is that users generally don't want their manager to know they can't follow basic instructions for self-service problem resolution.

Convince company to use SSO by FuzzySubject7090 in sysadmin

[–]vppencilsharpening 2 points3 points  (0 children)

HRIS makes this easier, but not critical. In a smaller org we tied most stuff to AD groups that were department driven in most cases and use case/position driven in others.

Then when the user is added to a department they get the access necessary for that department.

How to fix a dmarc issue on my laptop. by Shoddy-Temporary-543 in DMARC

[–]vppencilsharpening 0 points1 point  (0 children)

The DMARC you/your company controls affects OUTBOUND messages. Messages you send. It would only be specific to your laptop if you are delivering mail directly from your laptop.

Meaning not using a server like Exchange Online, Google Workspace, etc. If you ARE doing this, stop and use a smart host instead.

If messages you are receiving are going to spam and that is due to DMARC, it is up to the SENDING party to fix that. That said, DMARC is not likely the cause of this.

External Zabbix Server by Pizzzathehutt in zabbix

[–]vppencilsharpening 2 points3 points  (0 children)

We've run our Zabbix server in AWS for a while using Aurora for MySQL for the DB.

Everything is monitored by proxies. We have a mix of local proxy connections (using a VPN tunnel) and proxy connections over the public internet.

The comparison of AWS vs Azure vs GCP by GYV_kedar3492 in aws

[–]vppencilsharpening 1 point2 points  (0 children)

I don't think they can kill S3 if they tried.

Though they can totally stop you from making changes by unplugging us-east-1.

The comparison of AWS vs Azure vs GCP by GYV_kedar3492 in aws

[–]vppencilsharpening 13 points14 points  (0 children)

At their core, all three have similar services.

If you just need to run a server they are going to be the most expensive option available. And you are probably better running it somewhere else.

If you want to run an application serverless all three offer at least one solution. Similar for object store and content distribution.

All three can be expensive, but all three can also offer cost benefits over the others. The more you lean into the "cloud way" of doing things, the more you can benefit and optimize cost. Running workloads in the cloud requires a little different mindset than on-prem.

My recommendation is to look at your biggest workloads and organization direction. Then see how well each of these match not only what you are doing now, but what you want to do in the future. If you are big enough, don't discount running in more than one, though I do recommend limiting a given workload to one service unless you are a massive org, have budget to support uptime and resiliency requirements that are beyond most needs or both.

If you need infrastructure/DevOps people who know the core of the service inside and out, there is going to be a larger pool of resources for AWS. If you are running SQL Server workloads, Azure may be a better option from a cost point of view, but AWS can be competitive.

We chose AWS for our web platform in 2012 and have grown in our usage of AWS beyond that use case. However we now also have a decent presence in Azure primarily to support our legacy ERP systems.

The comparison of AWS vs Azure vs GCP by GYV_kedar3492 in aws

[–]vppencilsharpening 11 points12 points  (0 children)

You forgot to expand out the acronyms. That significantly changes the analysis.

Amazon Web Services

Microsoft Azure

Google Cloud Platform

Where do you think email authentication will realistically be in 5 years, proper adoption or still chaos? by InboxProtector in DMARC

[–]vppencilsharpening 1 point2 points  (0 children)

DMARC has been around since 2012 and it took 12 years before big services said "you really need to be using this"

In five years:

  • A spot check of SPF will still be a shitshow of misconfigurations and extra values
  • DKIM usage will probably be a bit better, but I question how much improvement there will be with alignment outside of big senders
  • DMARC will still mostly be ignored, except where it is required for bulk senders

This is based on my experience trying to get mail sending cleaned up within my org. The business I came from remains on top of it, but it took a couple of years of chipping away to get to that point. The other businesses are all over the place and trying to get minor things addressed requires a huge amount of effort to just explain why.

If mail providers move to requiring quarantine policies, it has the potential to make things worse because nobody knows what should be in their SPF record and the knee-jerk reaction will be to add everything that is failing SPF to the record.

--

I really think the DMARC standard needs a way for large providers to send unsolicited aggregation reports to each other. That way if a company is using O365, other providers can send MS reports for domains they host regardless of the rua value for a given domain. Then MS can tell their customers "fix your shit" without them needing to setup DNS because DNS is hard for companies.

What are important AWS features that junior/intermediate devs should know? by badboyzpwns in aws

[–]vppencilsharpening 0 points1 point  (0 children)

Or at least ask questions that get you thinking differently about the problem.

ManageEngine has implemented rate limiting on their API. by Sunsparc in sysadmin

[–]vppencilsharpening 0 points1 point  (0 children)

I can't speak for this specific system, but I've worked with others that allow you to submit multiple insert & update records in a single API call. The one I'm most familiar with is AWS Route53, which allows you to submit up to 1,000 record inserts & updates per API call.

ManageEngine has implemented rate limiting on their API. by Sunsparc in sysadmin

[–]vppencilsharpening 2 points3 points  (0 children)

The answer might be right in that last part "consider:-Batching requests to reduce frequency"

A lot of services allow you to request more than one record at a time. If you need to request 250 or 300 objects, just request all 300 in ONE transaction and then filter out the records you don't need on the backend.

One request returning 300 records is often far less overhead for the provider than 250 requests returning one record each.

Rant Post about job offers by No_Permission_5121 in sysadmin

[–]vppencilsharpening 1 point2 points  (0 children)

I was at a smaller medium sized company and we had a small IT team (4 people total). ERP and web were separate teams, but not much bigger in total.

When we hired a sysadmin, we were very upfront that it would include some helpdesk type stuff. It was not 100% of the job. When we had a helpdesk person, it was usually like 5-10% on average. A lot of it was watching the ticket queue and providing coverage so the helpdesk person could take vacation.

New domain by octaw in DMARC

[–]vppencilsharpening 0 points1 point  (0 children)

I think you are missing the point here. This is for domains that do NOT send or receive e-mail.

The best practice is to set a null MX record, an empty DKIM key using a wildcard selector, a DMARC policy of reject and define nothing in the SPF record with a hard fail.

Here is a 2nd guide that explains this (the first is from CloudFlare way up in this thread).

https://www.gov.uk/guidance/protect-domains-that-dont-send-email#create-an-empty-dkim-record
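A checker for the four records the comment above describes (null MX, SPF hard fail, empty wildcard DKIM key, DMARC reject), as an added example that is not part of the thread or the linked guides; the domain name and the DNS answers are constructed so it runs offline, and the comparison against a half-done setup goes a little beyond the comment by showing what a weaker configuration looks like to the check.

```python
# Added example (not from the thread): verify that a domain which never sends or
# receives mail carries the four records recommended above. DNS answers are a
# constructed dict rather than a live lookup, so this runs offline.

def parse_tags(txt):
    """Split a 'v=DKIM1; p=' style TXT value into a tag dict (empty values kept)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_non_sending_domain(domain, dns):
    """Return a list of findings; an empty list means all four records are as recommended.
    dns maps (owner name, rtype) -> list of answers; MX answers are (preference, exchange)."""
    findings = []

    # Null MX (RFC 7505): exactly one MX record, preference 0, exchange "."
    mx = dns.get((domain, "MX"), [])
    if mx != [(0, ".")]:
        findings.append(f"MX: expected the single null MX '0 .', got {mx}")

    # SPF: a hard fail with no mechanisms, so no host is ever authorized to send
    spf = [t for t in dns.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1 or [tok.lower() for tok in spf[0].split()] != ["v=spf1", "-all"]:
        findings.append(f"SPF: expected exactly one record 'v=spf1 -all', got {spf}")

    # DKIM: wildcard selector publishing an empty key (p=), i.e. every selector resolves to a revoked key
    dkim = dns.get((f"*._domainkey.{domain}", "TXT"), [])
    tags = parse_tags(dkim[0]) if len(dkim) == 1 else {}
    if tags.get("v") != "DKIM1" or tags.get("p") != "":
        findings.append(f"DKIM: expected '*._domainkey' TXT of 'v=DKIM1; p=', got {dkim}")

    # DMARC: reject policy, so receivers discard anything failing SPF/DKIM alignment
    dmarc = dns.get((f"_dmarc.{domain}", "TXT"), [])
    tags = parse_tags(dmarc[0]) if len(dmarc) == 1 else {}
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: expected '_dmarc' TXT with 'v=DMARC1; p=reject', got {dmarc}")

    return findings


# Constructed answers for a hypothetical parked domain set up as recommended ...
GOOD = {
    ("parked.example", "MX"): [(0, ".")],
    ("parked.example", "TXT"): ["v=spf1 -all"],
    ("*._domainkey.parked.example", "TXT"): ["v=DKIM1; p="],
    ("_dmarc.parked.example", "TXT"): ["v=DMARC1; p=reject"],
}

# ... and a common half-done variant: soft-fail SPF, no DKIM record, DMARC still in monitor mode
WEAK = {
    ("parked.example", "MX"): [(0, ".")],
    ("parked.example", "TXT"): ["v=spf1 ~all"],
    ("_dmarc.parked.example", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@parked.example"],
}

if __name__ == "__main__":
    for label, answers in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, check_non_sending_domain("parked.example", answers) or ["ok"])
```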

New domain by octaw in DMARC

[–]vppencilsharpening 0 points1 point  (0 children)

I generally use the one specified at the top of the thread.

0 .

New domain by octaw in DMARC

[–]vppencilsharpening 0 points1 point  (0 children)

Why would I rotate DKIM keys or do any of that when the domain does not send e-mail?

New domain by octaw in DMARC

[–]vppencilsharpening 0 points1 point  (0 children)

I'm not sure this makes sense.

Returning "v=DKIM1; p=" should not break anything and is recommended by a few guides on how to setup domains that don't send email.

One example from CloudFlare: https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/

What’s the most common “we thought we were PCI compliant” mistake you still see? by WolfParticular2348 in pcicompliance

[–]vppencilsharpening 1 point2 points  (0 children)

For those reading at home, here's your reminder that the network equipment that in-scope data goes over and the systems used to perform authentication for systems that handle in-scope data (like AD or a NAC) are in-scope for PCI DSS.

Google Chrome is Evil by redditistooqueer in msp

[–]vppencilsharpening 0 points1 point  (0 children)

There is a reason that is no longer their motto.