Search - "hypervisor"
-
I'm getting ridiculously pissed off at Intel's Management Engine (etc.), yet again. I'm learning new terrifying things it does, and about more exploits. Anything this nefarious and overreaching and untouchable is evil by its very nature.
(tl;dr at the bottom.)
I also learned that -- as I suspected -- AMD has their own version of the bloody thing. Apparently theirs is a bit less scary than Intel's since you can ostensibly disable it, but I don't believe that because spy agencies exist and people are power-hungry and corrupt as hell when they get it.
For those who don't know what the IME is, it's hardware godmode. It's a black box running obfuscated code on a coprocessor that's built into Intel cpus (all Intel cpus from 2008 on). It runs code continuously, even when the system is in S3 mode or powered off. As long as the psu is supplying current, it's running. It has its own MAC and IP address, transmits out-of-band (so the OS can't see its traffic), some chips can even communicate via 3g, and it can accept remote commands, too. It has complete and unfettered access to everything, completely invisible to the OS. It can turn your computer on or off, use all hardware, access and change all data in ram and storage, etc. And all of this is completely transparent: when the IME interrupts, the cpu stores its state, pauses, runs the SMM (system management mode) code, restores the state, and resumes normal operation. Its memory always returns 0xff when read by the OS, and all writes fail. So everything about it is completely hidden from the OS, though the OS can trigger the IME/SMM to run various functions through interrupts, too. But this system is also required for the CPU to even function, so killing it bricks your CPU. Which, ofc, you can do via exploits. Or install ring-2 keyloggers. Or do fucking anything else you want to.
tl;dr IME is a hardware godmode, and if someone compromises this (and there have been many exploits), their code runs at ring-2 permissions (above kernel (0), above hypervisor (-1)). They can do anything and everything on/to your system, completely invisibly, and can even install persistent malware that lives inside your bloody cpu. And guess who has keys for this? Go on, guess. you're probably right. Are they completely trustworthy? No? You're probably right again.
There is absolutely no reason for this sort of thing to exist, and its existence can only make things worse. It enables spying of literally all kinds, it enables cpu-resident malware, bricking your physical cpu, reading/modifying anything anywhere, taking control of your hardware, etc. Literal godmode. And some of it cannot be patched, meaning more than a few exploits require replacing your cpu to protect against.
And why does this exist?
Ostensibly to allow sysadmins to remote-manage fleets of computers, which it does. But it allows fucking everything else, too. And keys to it exist. And people are absolutely not trustworthy. Especially those in power -- who are most likely to have access to said keys.
The only reason this exists is because fucking power-hungry doucherockets exist.
-
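The rant above says Intel's engine can "ostensibly" be disabled on AMD but not on Intel. The closest thing on Intel is a soft-strap in the SPI flash descriptor (the "HAP" bit on ME 11 and later, the "AltMeDisable" bit on older ME 6..10) that asks the ME to halt early in boot. The script below is an added example, not code from the post or from Intel: it locates the descriptor in a dumped flash image and reports whether those bits are set. The descriptor layout it assumes (signature 0x0FF0A55A at +0x10, FLMAP1 at +0x18 giving the PCH strap base FPSBA, HAP = PCHSTRP0 bit 16, AltMeDisable = PCHSTRP10 bit 0) is taken from the public me_cleaner project and should be cross-checked against it before touching a real image. Getting the image in the first place (flashrom or an external programmer) is outside the script; the sample image below is constructed.

```python
"""Report the ME HAP / AltMeDisable soft-straps in an Intel SPI flash image.

Added example, not from the original post. Offsets follow me_cleaner's
handling of the Intel Flash Descriptor; treat them as an assumption and
verify against that tool before acting on a real dump.
"""
import struct

DESC_SIGNATURE = 0x0FF0A55A  # stored little-endian: 5A A5 F0 0F


def find_descriptor(image: bytes) -> int:
    """Return the offset where the flash descriptor region starts."""
    for start in (0x0, 0x1000):  # some dumps carry a 4 KiB prefix
        if len(image) >= start + 0x14:
            sig, = struct.unpack_from("<I", image, start + 0x10)
            if sig == DESC_SIGNATURE:
                return start
    raise ValueError("no Intel flash descriptor signature found")


def strap_base(image: bytes, start: int) -> int:
    """FPSBA: PCH soft-strap base from FLMAP1 bits 16..23, in 16-byte units."""
    flmap1, = struct.unpack_from("<I", image, start + 0x18)
    return start + (((flmap1 >> 16) & 0xFF) << 4)


def me_disable_bits(image: bytes) -> dict:
    """Decode the two 'please halt the ME' straps; True means the bit is set."""
    start = find_descriptor(image)
    fpsba = strap_base(image, start)
    pchstrp0, = struct.unpack_from("<I", image, fpsba)          # PCHSTRP0
    pchstrp10, = struct.unpack_from("<I", image, fpsba + 0x28)  # PCHSTRP10
    return {
        "hap": bool(pchstrp0 & (1 << 16)),       # ME 11+ (Skylake era onward)
        "alt_me_disable": bool(pchstrp10 & 1),   # ME 6..10
    }


def constructed_image(hap: bool, alt: bool, prefix: int = 0) -> bytes:
    """Build a minimal fake descriptor: constructed test data, not a real dump."""
    img = bytearray(prefix + 0x200)
    struct.pack_into("<I", img, prefix + 0x10, DESC_SIGNATURE)
    fpsba = 0x100
    struct.pack_into("<I", img, prefix + 0x18, (fpsba >> 4) << 16)  # FLMAP1
    struct.pack_into("<I", img, prefix + fpsba, (1 << 16) if hap else 0)
    struct.pack_into("<I", img, prefix + fpsba + 0x28, 1 if alt else 0)
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = constructed_image(hap=True, alt=False)
    print(me_disable_bits(data))
```

A set bit only tells you the strap was written; whether the ME actually honours it on a given platform is something the page cannot settle and the script does not claim to.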
"Hey can you add (feature) on this backend"
> Looks at backend
> api.py
> 4K+ Lines
Uhhh... is it me, or is our entire production held up by this single Python backend...?
This thing is running our hypervisor platform... Our IaaS platform... and it's one file....
WHAT THE FUCK
-
This looks good!
The users will be able to create a sandbox, basically a separate kernel for running a lightweight Windows Sandbox using the hypervisor for running/testing .exe files.
https://theverge.com/2018/12/...
-
HR logic: You know how to write simple bash scripts and you have "expertise" in programming = You are our next kernel/hypervisor developer!
Girl, I do not even know what a hypervisor is.
-
"Suggest an AV/AM product, Avast refuses to install."
I do malware research as a hobby and have for a while, so I can generally spot when something's up before I even run a program. If I'm unsure about it (or know something's up and wanna see its effects for S&Gs) I throw it into one of a variety of VMs, each with a prepped, clean, standardized "testing" state.
I see no point to AV/AM products, especially as they annoy me more than anything since they can't be told not to reach into and protect VMs (thereby dirtying up my VM state, my research, crashing the VM hypervisor and generally being *really* annoying) and they like to erase samples from a *read-only, MOUNTED* VHDX.
However, normal people need them, so I usually suggest this list:
• MBAM is good and has a (relatively) low memory footprint, but doesn't have free realtime protection.
• Avast is very good as it picks up a lot, but it eats a FUCKTON of resources. It also *really* likes to crash VM hypervisors if it sees anything odd in them.
• AVG is garbage. Kill it with fire.
• Using Windows Defender is like trying to block the rain with an umbrella made of 1-ply toilet paper.
• herdProtect is amazing as it's basically a VirusTotal client but it's web-based and not currently available to be downloaded. (Existing copies still work!)
• Kaspersky. Yes, it spied on US gov't workers. No, they don't care about anyone BUT US gov't workers. Yes, it's pretty good.
• BitDefender: *sees steam game* "Is this ransomware?"
Hope this helps
-
My hands started shaking today when I was about to resize a partition on a live, production hypervisor.
Who came up with the idea that the only way to *inflate* a partition was to fricking delete it and recreate it again?!
I know that as long as I keep its start at the same disk sector and only increase the partition size, not decrease it, it's gonna be fine. Still. Deleting stuff on a live system makes me nervous.
-
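A pre-flight check for the delete-and-recreate resize in the rant above, as an added example (not the poster's own code): it compares two `sfdisk --dump` style tables, the one taken before touching the disk and the one you intend to write back, and lists every way the new table is not a pure grow (a start sector that moved, a partition that shrank or changed type, or two partitions that now overlap). The two dumps in the block are constructed; on a real host you would feed it `sfdisk --dump /dev/sdX` output and the edited copy.

```python
"""Check that a rewritten partition table only grows partitions in place.

Added example, not from the original post. Sample dumps are constructed.
"""


def parse_sfdisk_dump(text: str) -> dict:
    """Map device name -> {start, size, type} from sfdisk --dump lines."""
    parts = {}
    for line in text.splitlines():
        line = line.strip()
        if "start=" not in line:  # header lines like 'label: gpt' have no start=
            continue
        dev, _, fields = line.partition(":")
        entry = {}
        for field in fields.split(","):
            key, _, value = field.strip().partition("=")
            entry[key.strip()] = value.strip()
        parts[dev.strip()] = {
            "start": int(entry["start"]),
            "size": int(entry["size"]),
            "type": entry.get("type", ""),
        }
    return parts


def check_grow(before: dict, after: dict) -> list:
    """Return human-readable problems; an empty list means 'pure grow, same starts'."""
    problems = []
    for dev, old in before.items():
        new = after.get(dev)
        if new is None:
            problems.append(f"{dev}: missing from new table")
            continue
        if new["start"] != old["start"]:
            problems.append(f"{dev}: start moved {old['start']} -> {new['start']}")
        if new["size"] < old["size"]:
            problems.append(f"{dev}: shrunk {old['size']} -> {new['size']}")
        if new["type"] != old["type"]:
            problems.append(f"{dev}: type changed {old['type']} -> {new['type']}")
    # Independently of the diff, the new layout must not overlap itself.
    spans = sorted((p["start"], p["start"] + p["size"], d) for d, p in after.items())
    for (_, end1, dev1), (start2, _, dev2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append(f"{dev2} overlaps {dev1}")
    return problems


# Constructed sample: a 2 GiB GPT disk with an ESP and one data partition.
BEFORE = """\
label: gpt
label-id: 0B4E2C1A-1111-4E11-9C4D-000000000001
device: /dev/sdb
unit: sectors
first-lba: 34
last-lba: 4194270
sector-size: 512

/dev/sdb1 : start=        2048, size=      524288, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=11111111-2222-3333-4444-555555555555
/dev/sdb2 : start=      526336, size=     1048576, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=66666666-7777-8888-9999-000000000000
"""

# sdb2 grown to the last usable LBA, start untouched: this is the safe case.
AFTER_OK = BEFORE.replace("size=     1048576", "size=     3667935")

# sdb2 recreated one sector late: start moved, which the check must flag.
AFTER_BAD = BEFORE.replace("start=      526336", "start=      526337")


def verdict(before_text: str, after_text: str) -> list:
    return check_grow(parse_sfdisk_dump(before_text), parse_sfdisk_dump(after_text))


if __name__ == "__main__":
    print("ok  :", verdict(BEFORE, AFTER_OK))
    print("bad :", verdict(BEFORE, AFTER_BAD))
```

Workflow: `sfdisk --dump /dev/sdX > before.txt`, edit a copy into `after.txt`, run the check, and only then `sfdisk /dev/sdX < after.txt`. Note that sfdisk can also grow a partition in place (`echo ", +" | sfdisk -N 2 /dev/sdX`), as can `growpart` from cloud-utils, which sidesteps the delete step entirely.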
fuck oracle. fuck my company.
Using Oracle VM Manager/Servers to host Oracle Phone transfer solution without support coverage from Oracle.
Requiring Unix sysadmins to update to latest release and not telling that we do not have coverage from Oracle if anything goes wrong.
Guess what.. We've updated to Oracle VM Manager/Server 3.4.5 which was released this year and it uses fucking XEN hypervisor version 4.4.4 which has been deprecated and dead since who knows when. Latest release of XEN is 4.11. But that is not an issue, whatever, enterprise, legacy software, etc.
This fucking update introduced memory leak on the hypervisor which has been reported as per xen 4.4.4 history. Furthermore, we have no support from Oracle which means that I have to dig through mailing lists and limited information on the net since oracle has freakin support wall on nearly each of the major bugs found on that shitty software.
I have no idea whether any newer version of xen will work with that old Oracle Linux kernel or not.
Furthermore, Oracle provided great documentation on how to rollback the fcking update. Reinstall the hypervisor. Riiiight. XEN does not have export/import feature.
eh
-
>Discovers a new low level profiling tool that could help us at work with stuck process debugging and gets all hyped
>Installs on test machine, tool doesn't work
>Wonders why. Oh. Needs a kernel module to work, compiled and loaded
>"Well, it's my test machine... Guess that's no problem..." but... my hype died down a bit. Kernel module installation just for a new tool that aggregates all other commonly used tools? Eh... Maybe it will blow me out of my shoes still
>Installs and loads the module
>Tool works. Turns out it's just an htop-like tool, with shortcuts to launch specific other profiling tools like strace/ltrace/lsof/netstat/ss etc...
"Oh... That's boring. Maybe it has all those tools built in at least?"
>Tries to run ltrace - tool exits as ltrace is not installed
Lol
>Installs ltrace and launches tool again. Tries to ltrace a process and
>Nothing. Nothing happens. For seconds... Then kicks me off of SSH
WTF?
>Tries to ping machine... silence
Did... our net go down again? (Having issues due to a storm going over our area these few days)
>Pings google and... gets instant reply
More wtf
>Pings the hypervisor the machine was running on
Works like normal
Oh... Oh no. Please tell me it didn't!
>Logs into the hypervisor UI, checks machine state
Running OK
>Opens machine console aaaaand... Yep. Stacktrace as well as a lot of kernel mumbo-jumbo... It took the machine down to kernel panic.
I never went so quick from "We need this tool deployed everywhere" to "Omg I need to get rid of this crap as soon as possible" lol.
And just for those wondering, it was sysdig.
-
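The lesson in the story above is that a "profiling tool" which ships a kernel module is ring-0 code, and once it is loaded the box is only as stable as that module. Before deploying such a tool fleet-wide, it helps to know which loaded modules the distro kernel did not ship or sign. The block below is an added example, not from the post or from sysdig: it parses `/proc/modules` (the last column carries per-module taint letters such as `(OE)`) and decodes `/proc/sys/kernel/tainted` using the bit meanings from the kernel's tainted-kernels documentation. The `/proc/modules` lines in the block are constructed; `live_report()` reads the real files when run on a Linux host.

```python
"""List out-of-tree / unsigned / proprietary kernel modules and decode the taint mask.

Added example, not from the original post. Sample /proc/modules text is constructed.
"""

# Bit -> (letter, meaning), per Documentation/admin-guide/tainted-kernels.rst
TAINT_BITS = {
    0: ("P", "proprietary module loaded"),
    1: ("F", "module force-loaded"),
    4: ("M", "machine check exception"),
    5: ("B", "bad page referenced"),
    7: ("D", "kernel died recently (oops or BUG)"),
    9: ("W", "kernel warning occurred"),
    10: ("C", "staging driver loaded"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
    14: ("L", "soft lockup occurred"),
    15: ("K", "kernel live-patched"),
}

# Letters that mean "code the distro kernel did not ship or sign"
THIRD_PARTY = {"P", "O", "E"}


def decode_taint(mask: int) -> list:
    """Return the taint letters set in /proc/sys/kernel/tainted, lowest bit first."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items()) if mask & (1 << bit)]


def parse_proc_modules(text: str) -> list:
    """Return (name, flags) per module; flags is '' when the module carries no taint."""
    mods = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:  # name size refcount deps state address [(flags)]
            continue
        flags = fields[-1].strip("()") if fields[-1].startswith("(") else ""
        mods.append((fields[0], flags))
    return mods


def suspicious_modules(text: str) -> list:
    """Modules with any of P/O/E set: proprietary, out-of-tree, or unsigned."""
    return [(name, flags) for name, flags in parse_proc_modules(text)
            if set(flags) & THIRD_PARTY]


def live_report():
    """Read the real files on a Linux host; returns a message elsewhere."""
    try:
        with open("/proc/modules") as fh:
            mods = fh.read()
        with open("/proc/sys/kernel/tainted") as fh:
            mask = int(fh.read().strip())
    except (OSError, ValueError) as exc:
        return f"/proc unavailable: {exc}"
    return {"taint": decode_taint(mask), "modules": suspicious_modules(mods)}


# Constructed sample: an out-of-tree unsigned probe, in-tree filesystems,
# and a proprietary out-of-tree driver with a dependent module.
SAMPLE_PROC_MODULES = """\
sysdig 667648 0 - Live 0xffffffffc0a00000 (OE)
xfs 1527808 2 - Live 0xffffffffc0800000
nvidia 39223296 12 nvidia_modeset, Live 0xffffffffc1000000 (POE)
ext4 786432 1 - Live 0xffffffffc0600000
"""


if __name__ == "__main__":
    print("sample :", suspicious_modules(SAMPLE_PROC_MODULES))
    print("taint  :", decode_taint(4096 | 8192))
    print("live   :", live_report())
```

A kernel already carrying `D` or `W` before you load the new module is worth noting too: the panic in the story would have been far harder to attribute if something else had oopsed first.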
TLDR: I need advice on reasonable salary expectations for sysadmin work in the rural United States.
I need some community advice. I’m the sysadmin at a small (35 employee) credit card processing company. I began as an intern and have now become their full time sysadmin/networking specialist. Since I was hired in January I have:
-migrated their 2007 Exchange server to Office 365
-Upgraded their ailing Windows server 2003 based architecture to 2012R2
-Licensed their unlicensed VMware ESXi servers (which they had already paid for license keys for!!!) and then upgraded them to 6.5 while preventing downtime on hosted VMs using tricky transfers and deployments (without vMotion!)
-Deployed a vCenter server to manage said ESXi servers easier
-Fixed a three month gap in their backups by implementing Veeam, and verifying its functionality
-Migrated a ‘no downtime’ fileserver to a new hypervisor host, implemented a ‘hot standby’ server as a backup kept up to date by the minute with DFS replication.
-Replaced failing hard drives in a RAID array underlying their one ‘business critical’ fileserver, which had no backups for 3 months at that time
-Reorganized Active Directory and Group Policy deployment from a nightmare spiderweb of OUs and duplicate policies
-Documented the entire old network and now the new one as I’ve been upgrading this
-Audited the developers' AWS instances and removed redundant machines, optimized load balancing on front end Nginx servers, joined developer-run Fedora workstations to the AD domain and implemented centralized syslog monitoring on them.
-Performed network scans and rewrote firewall exceptions to tighten security
There’s more, but you get the idea. I’ve now been tasked with taking point on an upcoming PCI audit which will be my first.
I’m being paid $16/hr US, with marginal health benefits. This is roughly $32,000 a year, before taxes.
I have two years previous work experience managing a third party Apple repair facility (SimplyMac) and every Apple certification for warranty repair and software troubleshooting. I have a two year degree in general sciences, with about 4 years of college credit (Two years of a physics education and two years of computer science after I switched focus) I’m actively pursuing a CCNA and MCSA server 2016 with exams paid for and scheduled.
I’m going into a salary negotiation in two months. What is a reasonable salary to request, from your perspective, for someone in my position?
Thanks in advance!
-
New Phrack article. Given they release like one a year, figured it warranted posting a link.
Title : Hypervisor Necromancy; Reanimating Kernel Protectors
Author: Aris Thallas
Date: 2020 Feb 14
"In this (rather long) article we will be investigating methods to emulate proprietary hypervisors under QEMU, which will allow researchers to interact with them in a controlled manner and debug them. Specifically, we will be presenting a minimal framework developed to bootstrap Samsung S8+ proprietary hypervisor as a demonstration, providing details and insights on key concepts on ARM low level development and virtualization extensions for interested readers to create their own frameworks and Actually Compile And Boot them ;). Finally, we will be investigating fuzzing implementations under this setup."
http://phrack.org/papers/...
-
Woke up yesterday to find the OS drive failed in my hypervisor.
24 hours later and Amazon Prime has delivered a new SSD to get back on track.
Thank god for backups, probably going to set up HA now as well, but great end to a week :(
-
Is it doable to install macOS on a hypervisor on AWS/Google/Azure and use it via VNC screen sharing?
-
Hey devs or sysadmins here on devRant, I wanna know what hypervisor you are using in production or dev environments?
I will add the hypervisors that I know and work on, but feel free to add more.
Vote with a "++" on the hypervisors that you use.
-
Recent VM/Emulation Adventures:
The goal was to get TCP/IP and SSH running on whatever weird VM/emulated machine, and connect to the chatroom at chat.tcp.direct successfully.
Longhorn, somewhere late pre-reset: Crashes right after installer begins "Starting Windows", 0x7b from sum-match ISO. Fail.
TempleOS (well, Shrine, but y'know): Dear god. No. No, I am not writing SSH in HolyC myself *fuck that,* fail.
Slackware: oh ffs, I gotta use fdisk to partition this damn thing? And it's not even the good fdisk? Oh, wait... it hangs. Fail.
WinME: shockingly, was *fairly* stable... until it hung up WASAPI and the hypervisor two frames into desktop rendering. Fail.
Mac OS 7: First-boot after install, immediate unknown trap. Just works, eh? Fail.
Amiga: After about 85 resets and 7 hours of constant fighting with WinUAE, I finally got TCP/IP working. (Required 10MB of total RAM and an FPU to connect.) Success!
Win98FE: just... PuTTY and done. Easy. (This was the warmup.) Success...
Other people's achievements so far:
- Minecraft using the new QEMU interface mod thing.
- Hacked smart fridge.
- iPhone, from custom initramfs.
-
How is it that the Android emulator in Android Studio runs buttery smooth on my up-to-date Linux Ryzen setup with just a few terminal commands to set up, while my up-to-date Windows version has some bullshit problem with virtualization, even with SVM on, Hypervisor all good, and yet crashes with a WHPX(?) error?
I mean OK, I don't have an Intel at hand, but still, the problem should be fixed by now according to Google docs. Even the fixes provided by the internet didn't help. This twist between Windows and Linux is very weird on my machine.
-
Currently thinking of changing my dual boot setup on my desktop for ESXi with Windows (with GPU passthrough) and Ubuntu as second VM...
What do you think?
-
Nix vs. Win
Dual boot vs. virtualization (VirtBox vs Xen)
(TLDR at the end)
- gaming laptop ("when you student but gamer")
- "Nix nono like gaming laptops"
- currently dual boot Win10/Debian
- Debian almost breaking apart
- only xfce because nVidia
- intel-virtual-output^2
- Atheros drivers sometimes freeze whole sys
- MiXeD SoUrCeS
- **Stretch Buster Kali enters the chat**
As you can see, after 2 years I have come to the point of redoing everything, and wanted to ask for any tips on how to set up Win and any nix environment, Win just to play some games and sometimes to reverse Win-specific CTFs.
Main plan was to have my lovely Debian as the only system and run Win10 in VirtualBox - problem: Windows doesn't like virtuals(?) and it's probably going to be unusable for games.
Also running Kali as a separate virtual (why the hell didn't I do that in the first place?)
Xen is the other interesting way but I am not experienced with hypervisors.
TLDR: Would running Win10 as a virtual in or alongside (hypervisor) Debian be better/the same as having them separated - dual booting?
-
Starting to wonder why I tend to like our QA people so much: they often seem so much saner. Yes, sometimes they quibble, as with the complaints about a page that is hidden from the user anyway, but they would usually not creep too deep into the hole creating most unintuitive workflows and abysmal logic.
Disclaimer: We're more like backend devs, but we had to do a UI which was beautifully slaughtered by the CEO messing with it - guess what's happening with the new one - and because of that... thing I already nearly smashed my Mac because stupid entered credentials for updating software would only be applied if you defocused once out of the password entry box. Fucked up stuff like this, which devs meddle with, give up, just shrug it off and dump it on the (l)user.
Or a more recent example: So PM wanted a stupid "Apply to all" button on a list that can be filtered. Guess to which items the actions should be applied if you filtered it and you currently only see a small selection in your window! Yes, of course it still applies to all items in the universe. QA guy who's just trying the buttons comes to me: "Hey, you sure this "apply all" stuff is supposed to work like that?"
Third example to end this long QA praise: so there is this virtual appliance we build and we should support another stupid hypervisor... and he found the kernel modules I have to activate additionally so we can just convert the existing image without having to create a new build system.
-
I had this dell server lying around and finally got to make a virtualisation server out of it.
It is now running xcp-ng as its hypervisor, with a CoreOS VM in it, containing a docker container serving xen-orchestra for managing the server.
Enterprise grade hardware really is a thing of its own. Also sysadmin type of stuff is quite fun. I look forward to playing with it some more. :)
-
I wanna know who uses xenserver and why?
Currently I am using xenserver 6.5 in a production environment and today I am starting to test xenserver 7.1 -
Anyone played around with a type one hypervisor booting multiple OS? What is the performance hit (it has to be lower, right? As compared to native boot)