Slashdot Mirror


User: harryjohnston

harryjohnston's activity in the archive.

Stories: 0
Comments: 621

Comments · 621

  1. Re:Oh, great.... on Microsoft Spurned Researchers Release 0-Day · · Score: 1

    Unfortunately, nobody knows how to write code that doesn't have any bugs in it. Microsoft put a lot more effort into this than most developers do.

  2. Re:So... on Microsoft Spurned Researchers Release 0-Day · · Score: 2, Interesting

    What in particular about Microsoft's response to vulnerability notices do you object to? They can be a bit slow to respond sometimes - they're pretty busy - but they've never seemed either prideful or moronic to me. (Well, OK, once; but on that occasion even I had to admit it was a borderline case.)

  3. Re:Dumbdumbdumbdumbdumb on Microsoft Spurned Researchers Release 0-Day · · Score: 1

    The problem is that not everybody follows the latest security news, or is capable of implementing workarounds, so releasing information that can be used in mass attacks will inevitably lead to unnecessary compromises.

    If there is evidence that the hackers already know about the vulnerability, fair enough. But in most cases the odds of black hats independently discovering a particular flaw during the period between when a researcher discovers it and when it can be properly fixed are probably quite low.

    In the Tavis Ormandy case, he seemed so sure that the black hats already had information about this vulnerability that I had to wonder if he knew something about it he wasn't telling us!

  4. Re:Not to side with Microsoft, but... on Microsoft Spurned Researchers Release 0-Day · · Score: 1

    For any particular issue, discovered by a security researcher, it doesn't seem particularly likely that the hackers already know about it. If they did, they'd be using it already.

  5. Re:Not to side with Microsoft, but... on Microsoft Spurned Researchers Release 0-Day · · Score: 1

    Being notified of vulnerabilities doesn't make you any more secure if (as in this case) there isn't anything you can actually do about it.

  6. Re:So... on Microsoft Spurned Researchers Release 0-Day · · Score: 1

    Sixty days isn't all that long. It doesn't surprise me at all that Microsoft were unwilling to commit to a sixty-day deadline, particularly when they hadn't even had a chance to analyse the bug yet.

  7. No Big Deal on 22 Million SSL Certificates In Use Are Invalid · · Score: 4, Interesting

    "Only about 3.17 percent of the domain names matched," Ristic said. "So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside."

    If you think about it, though, all he really knows is that the certificate does not match the domain name he used to connect to the server, which may not be the domain name which is meant to be used. The obvious next step would be to attempt to connect to the name given by the certificate, which might well point to the same actual site. Of course, it might be a name that is only valid for an internal network, not on the internet as a whole.

    There are also lots of contexts in which a web server includes a default (usually self-signed) certificate with a generic name out of the box - typically web servers used for management of a software or hardware device. If the users don't need SSL, there's no reason for a "valid" certificate to be installed.

    In short, he's using the phrase "in use" poorly; the fact that a server responds to an SSL request with a particular certificate does not mean that the certificate is "in use" in any meaningful way.

    (These figures might be more meaningful if he had excluded self-signed and locally-signed certificates, looking only at those generated by a known certificate provider. Because they cost money, the latter are more likely to have been intended for actual use, although the actual use still might use a different URL than the one you are scanning.)

  8. Jammie? on Special Master Appointed In Jammie Thomas Case · · Score: 1

    Not exactly on topic, but there's a few questions about Ms. Thomas that have been bugging me and I'm hoping someone will know the answers.

    1) How do you pronounce Jammie? Is it like Jammy, or Jamie, or some third option?

    2) Is that a traditional name for some ethnic group (and if so, who) or just bad spelling?

  9. Re:Robust result? on Chameleon-Like Behavior of Neutrino Confirmed · · Score: 1

    But has the background actually been measured? Or is this an assumption based on theoretical grounds?

  10. Robust result? on Chameleon-Like Behavior of Neutrino Confirmed · · Score: 2, Insightful

    Offhand, this doesn't seem like a very robust result - we're only talking about a single observation, after all. Does the equipment allow them to determine the source of the observed tau neutrino? How can they be sure that it came from the muon neutrino stream from CERN rather than being random background?

    There's also no mention of a control, e.g., another tau neutrino detector close to the same muon neutrino source. Even if there was, is a single detection versus no detections statistically significant?

  11. Re:Wow, Slashdot has changed a little. on Microsoft Kills Support For XP SP2 · · Score: 3, Informative

    Be aware that the end-of-support for SP2 isn't actually news. The date has been known ever since SP3 was released.

  12. Re:So what? on Microsoft Kills Support For XP SP2 · · Score: 1

    The 64-bit version of Windows XP is based on Windows 2003, so it receives service packs when Windows 2003 does.

    The end of support for Windows XP SP2 does not apply to the 64-bit version.

  13. Re:Got it on CRTC Approves Usage Based Billing In Canada · · Score: 1

    Nonsense. From the article:

    "the company is concerned about the cost to maintain its broadband network"

    "Rising use, in turn, requires the company to continue to invest to expand its capacity."

    As for putting words in someone's mouth, where in the article does it say that their profitability is increasing? Nor does it say that they are not concerned about future profitability - he avoids the issue entirely, which is telling in itself.

  14. Re:People are going to whine and bitch, but... on CRTC Approves Usage Based Billing In Canada · · Score: 1

    I was really only thinking about the last three or four years, since internet video went mainstream. Don't forget we've already seen prices fall a lot since DSL first appeared on the scene - well, we have, anyway, I don't know about Canada or the US.

    Last-mile bandwidth is probably a red herring, since even nowadays few people come anywhere close to saturating it, averaged over time. I'd expect the cost of the last mile to be covered by the minimum access charges.

    I suspect (and I may be wrong) that the municipalities you're thinking of were mainly in the US, and served by more or less non-regulated businesses who nonetheless had effective monopolies, making this an apples and oranges comparison; on the other hand, my mental model of internet economics is based on New Zealand providers, which (to extend the metaphor) are bananas. :-)

    I dunno. At the end of the day I guess I just figure with the number of miles the average packet has to travel, and the number of switches and routers it passes through, the overall cost isn't going to be something that can be ignored. I can't justify that with actual figures, except to point out that costs - and data usage issues - don't seem to be all that much different even where non-profits, effective regulation, or real market competition is involved.

    It'll sort itself out in the long run.

  15. Re:People are going to whine and bitch, but... on CRTC Approves Usage Based Billing In Canada · · Score: 1

    Are you arguing that the recent development of widespread video streaming and peer-to-peer downloading hasn't significantly increased the traffic demand? I'm not claiming a figure of 100% per year is anything but a wild guess, but it seems to me to be a reasonable one.

    On the other hand, since neither of our opinions matter to Bell or to the regulators, or anyone else for that matter, it would seem further debate is pointless. Under the circumstances, I'm willing to concede. Free by next year it is.

  16. Re:People are going to whine and bitch, but... on CRTC Approves Usage Based Billing In Canada · · Score: 1

    OK, so that's a factor of 10 over ten years, or 26% growth in capacity (per unit cost) per year. I'd hazard a guess that growth in demand has been on the order of 100% per year lately. So we should expect cost per consumer to increase about 60% per year.

    (Of course, that's not 60% of a consumer's bill, only that fraction of it due to WAN/upstream. But still.)

  17. Re:Your logic is flawed on CRTC Approves Usage Based Billing In Canada · · Score: 1

    Having re-read this, I think you've misinterpreted my post. I can see that, taken out of context, it might look as if I was arguing against ISPs having minimum access fees. This wasn't my intent - rather, I'm arguing that both access fees and data charges (or caps) may be necessary.

    As always, it depends on the numbers. In some situations, data charges aren't necessary. In some situations, access fees aren't necessary.

        Harry.

  18. Re:Got it on CRTC Approves Usage Based Billing In Canada · · Score: 1

    It depends on the numbers. If a small increase, say $10/month, in per-user flat-rate cost is enough to fund the necessary capacity increase, then that solution clearly makes sense. On the other hand, if you would need to increase the flat-rate charge by, say, 500%, then that clearly isn't going to work.

    My guesstimate of how much average consumption is increasing suggests to me that the costs would be closer to the latter than the former, but I'm prepared to change my opinion if presented with figures from credible sources.

  19. Re:Your logic is flawed on CRTC Approves Usage Based Billing In Canada · · Score: 1

    Well then you'd better complain to every single utility company in the world, because that is exactly how billing for electricity, water and gas are billed w.r.t. "access fees".

    Access fees, however, aren't the end of the story for gas and electricity. You also get charged for the amount you actually use, just as (in New Zealand) we get charged for the amount of data you actually receive. The access fees, typically, are the smaller part of the bill.

    Water, in parts of the world, isn't billed by volume. However, it isn't billed based on the assumption that you're going to have all your taps on full volume 24/7, either.

    Reason: even if you used the maximum rate for just a few minutes one time in the whole month, the service provider has to provide infrastructure capable of delivering that data rate the entire month so it is there for you to use--they cannot exactly swap in an upgraded router and string a temporary fibre line to your home for a few minutes so you can view the latest cat video on youtube in highest HD quality without skipping or excessive buffering times.

    The service provider has to provide infrastructure capable of delivering that data rate down the last mile to your home on a 24/7 basis, yes; that's why you need to pay a minimum monthly fee even if you use very little data. But they don't have to have WAN infrastructure and upstream connectivity capable of delivering that data rate to all of their customers simultaneously - just as the water infrastructure doesn't have enough capacity to cope if everybody turned all their taps on full bore and left them there. (Water's a bit different because it is stockpiled, but in the long run it works out the same.)

    ISPs need to charge access fees, yes; but they also need to charge data fees, except when the costs involved are low enough that they can roll them into the access fees without making them too expensive.

  20. Re:People are going to whine and bitch, but... on CRTC Approves Usage Based Billing In Canada · · Score: 1

    The costs of internal bandwidth are going down, sure, but are they going down as quickly as the demand for bandwidth is going up? Remember that not so long ago the average consumer would use only a tiny tiny fraction of his bandwidth (on average).

    As for upstream bandwidth: where do you get that figure from? Frankly, I don't believe it.

  21. Re:Catch Up? or Regress on CRTC Approves Usage Based Billing In Canada · · Score: 1

    I think you are seriously overestimating Telecom's profit margins. Internet just isn't as cheap to provide as you seem to think it is. It's worse for us, because the data has to travel thousands of kilometers underwater, but even in the rest of the world flat rate charging simply isn't going to be sustainable indefinitely.

    One day, if the technology continues to get cheaper, and the average bandwidth per-user flattens out, flat-rate may become practicable again. But I don't see this happening in the next few decades.

  22. Re:Capping vs. charging on CRTC Approves Usage Based Billing In Canada · · Score: 1

    Well, what's the alternative? They have to pay for their costs somehow, so sooner or later you have to have (a) caps; (b) metered charging; (c) unlimited contention bringing actual speeds to a crawl; (d) rates nobody can afford; or (e) bankrupt ISPs and no internet at all.

    For my part, I'm happy to go with (a).

    (Oh, by the way, that's "hobbit-loving Kiwis". Get it right.)

  23. Re:Got it on CRTC Approves Usage Based Billing In Canada · · Score: 1

    That doesn't really make sense on the modern internet, because most of the traffic is what you download - be it web pages, JPGs, MPGs, or streamed video. From a technical standpoint this is being sent to you, but (in general) at your request.

    Also, a system where every website in the world gets billed by every ISP in the world would be an administrative nightmare.

  24. Re:Got it on CRTC Approves Usage Based Billing In Canada · · Score: 1

    But surely the telephone poles and wiring conduits would also be owned by the company that put them there? Also I imagine much of the cost is the process of stringing the wires and any digging and refilling.

    If you are suggesting that local government could provide the poles and conduits, is there any reason they shouldn't also provide the lines?

  25. Re:Got it on CRTC Approves Usage Based Billing In Canada · · Score: 1

    Certainly they need to advertise any applicable data charges or limits. But why would you want a burst line instead of a data limit? I don't see the advantage, at least not for normal usage patterns. What most people want is full speed when they are using the internet, without being charged for full speed 24/7.

    Theoretically I suppose if you were sent unsolicited packets this would run up your meter, but AFAIK this has never become a problem in New Zealand.

    Of course, most people don't want to risk being faced with an unexpectedly large bill, which is why most ISPs in New Zealand offer capped plans: instead of paying extra when you hit your limit, your bandwidth gets cut down.