1. IPV6 mandates *support* for ipsec. IPV4 also supports ipsec. 99% of communication will not use it anyway, and that which does could have done it with IPV4 anyway, so no difference there. 2. Mobility. Huh? Another solution waiting for a problem. I guess that all those laptops in starbucks *aren't* quite happy with the functionality of DHCP then. 3. First, that's not zeroconf. Go google what zeroconf is then come back. Also IPV6 does *not* remove the need for DHCP - it just has a different kind of server to hand out the (random) IP addresses it uses. You still need DHCP to hand out DNS, NTP, WINS, default domain and to handle dynamic DNS registration. 4. ISPs won't enable multicast on ipv6 either. Or they might, for a price... but probably not. 5. IPV4 autosenses the largest packets too.. has done for 20 years.. 6. Devices will continue to drop packets they don't understand. I'd consider that a basic function of a firewall - you don't want rogue data on your network.
Out of your list the only point that makes sense is it'll simplify the routing tables.. but I don't exactly see people screaming that their routers aren't powerful enough (and anyway processing power is many times what it was in 1996) so that's a non-problem anyway.
Which leaves us back with IPV6 having more addresses.
If as I think you're saying you use site local addressing to hide the structure.. that'll work but you still have to NAT it.
Internal machines within a company *must not* be directly addressable. It is a requirement that they do *not* have any kind of publically addressable IP. That's basic security 101.
That's why ipv6 NAT exists.. and even if they threw away ipv4 tomorrow there would still be almost as much NAT in use - because it's basic to network configuration.
There's no indication that it was meant to be funny - that's just the slashdot take on it.
It's also not a good article even as an introduction.. "addresses expected to run out in 2009" - that old chestnut has been going around since 'experts' claimed they'd all run out in 1997... the current 'expert' opinion is about 2012.. no idea where he got 2009 from. It's like the oil shortage.. we just keep finding more:) If he'd been doing a funny article he could have got some mileage with the doom predictions.. especially the out of date ones.
As for 'voip is not meant to work over ipv4' and 'p2p will be easier to use' - that's about on the level as 'running intel makes the internet go faster'... I mean I can't even find a refrerence that he could have got that from - seems like it came into his head and he wrote it because it sounded like good copy.
... which commonly don't have passphrases attached (and there's no way to verify whether they do either without getting hold of the private key). Whats more is you only have *one* private key so if it is compromised access to every server you use is wide open.
This makes them *less* secure in many cases - at least with passwords you can have a different password for each server.
BSG didn't invent that - I can remember it from my school days.. there was an old BBC Micro program where the character would should "FRAK!" when it died.. it was hillarious to me as a child:p
A server should *only* run what is required to run the apps on that server. Anything else is a security risk and a maintenence headache.
When an exploit is found in directx why should the servers need to be checked? And of course this being windows updating all this redundant crap requires a reboot - requiring scheduled downtime which means the server may be unupdated for several weeks (one place I worked at you had to get scheduled downtime cleared by the IT manager, who went to his weekly meetings with the board.. who often said no).
There's other reasons to have another OS at the base - stability, speed, available memory...
My VMs run on a debian install completely stripped of everything not required to run vmware itself. That means much less to go wrong, nothing eating up CPU cycles needed for the servers, and the OS itself takes up very little memory overhead.
You simply can't strip VirtualPC down that much - no matter what you're doing you still have the GUI, memory usage and hard disk usage, of a Windows OS which means the VMs have less to play with.
Why would you need more than one server on a big beefy server instead of running everything on one server? Different OSs or environments?
If you're selling app hosting to companies you don't want to be spending all that money on hardware.
I worked at a place were they actually used VMWare Workstation (and later GSX I think) for this - as many VMs as they could stuff onto each (fairly beefy) dell server - then you could sell the customers an app 'running on an xxxx dell server with 3GB or RAM' and not be lying at all... the fact that they were sharing that with half a dozen others is a detail.
Israel already has a good defense for that... just send in the tanks. Attack being the best form of defense (and if your enemies are all dead they can't hurt you).
Strangely, the US seems to approve of this policy...
It'd be really cool.. until el presidente ordered a missile strike against your country for 'harbouring terrorists' (wouldn't be worth trying in the US since you'd be bundled into a van and dumped in cage in gitmo before you'd even realized the hack had worked...)
I'm on stable now (which doesn't have the issue) after having too many issues with unstable, but they really need to fix it before it goes stable. The apt package itself should contain the keys, or they should be available from a verifiable source.
Xen can only run *modified* operating systems. That means ones you can get the source code for.
The claimed about a year ago to have got Windows XP to run, but have never managed to get it working properly because of course they don't have the Windows source code. Their own FAQ bears this out (oh and the 'we hope to have a version that does it' date keeps changing.. vapourware at its finest).
Quote: "Currently Xen supports Linux 2.4, 2.6, and NetBSD 2.0."
Sorry, to be a competitor to VMWare or VirtualPC it has to run a *lot* more operating systems than that. Hell, even FreeBSD would be a start. But as I said without Windows support it's in no way a competitor and never will be.
Xen cannot run Windows (and 'we swear someone did it in a lab but we can't prove it or tell you how to do it' doesn't count). That means it is *not* a competitor for either VMWare or VirtualPC. In fact there's nothing in the OSS space that is.
It depends which version... MS are slowly getting the 'secure by default' idea, and Win2003 is reasonably secure out of the box. It remains to be seen what happens with vista.. I suspect UAC will be weakened in the same way that NX was in XP, simply to 'improve the user experience'.
I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.
That's because so-called "high security passwords" are nothing of the sort - once you reach a certain level of complexity people will simply write them down.. a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.
I suspect they only went that route because they were too cheap to buy securid.
By default vista doesn't ask for a password to do sysadmin things... it just pops up a box that says something wants to do something (usually rundll32 or similar) with an 'OK' button on it.
I dismiss those out of reflex now.. they're just annoying and popup for practically everything you want to do.
The largest supermarket, Tesco, has self-service checkout tills.
These have no security...
(a) they read the stripe, not the chip (you swipe the cards down the side of the checkout). (b) they don't ask for the pin. at all. Or check a signature.. or do anything to verify whou you are.
And this is the shop that has something like 60% of the UK grocery market.. so if someone cloned your card they could go for a *long* time before being caught.
Slashdot Mirror
Where do I start?
1. IPV6 mandates *support* for ipsec. IPV4 also supports ipsec. 99% of communication will not use it anyway, and that which does could have done it with IPV4 anyway, so no difference there.
2. Mobility. Huh? Another solution waiting for a problem. I guess that all those laptops in starbucks *aren't* quite happy with the functionality of DHCP then.
3. First, that's not zeroconf. Go google what zeroconf is then come back. Also IPV6 does *not* remove the need for DHCP - it just has a different kind of server to hand out the (random) IP addresses it uses. You still need DHCP to hand out DNS, NTP, WINS, default domain and to handle dynamic DNS registration.
4. ISPs won't enable multicast on ipv6 either. Or they might, for a price... but probably not.
5. IPV4 autosenses the largest packets too.. has done for 20 years..
6. Devices will continue to drop packets they don't understand. I'd consider that a basic function of a firewall - you don't want rogue data on your network.
Out of your list the only point that makes sense is it'll simplify the routing tables.. but I don't exactly see people screaming that their routers aren't powerful enough (and anyway processing power is many times what it was in 1996) so that's a non-problem anyway.
Which leaves us back with IPV6 having more addresses.
If as I think you're saying you use site local addressing to hide the structure.. that'll work but you still have to NAT it.
Internal machines within a company *must not* be directly addressable. It is a requirement that they do *not* have any kind of publically addressable IP. That's basic security 101.
That's why ipv6 NAT exists.. and even if they threw away ipv4 tomorrow there would still be almost as much NAT in use - because it's basic to network configuration.
MS have had a working ipv6 stack since 2000. So it actually took them 4 years. IE6 had support built in by 2001...
XP has it in the base install.. (annoyingly though the latest one creates 4 extra 'tunneling interfaces' which you can't switch off).
There's no indication that it was meant to be funny - that's just the slashdot take on it.
:) If he'd been doing a funny article he could have got some mileage with the doom predictions.. especially the out of date ones.
It's also not a good article even as an introduction.. "addresses expected to run out in 2009" - that old chestnut has been going around since 'experts' claimed they'd all run out in 1997... the current 'expert' opinion is about 2012.. no idea where he got 2009 from. It's like the oil shortage.. we just keep finding more
As for 'voip is not meant to work over ipv4' and 'p2p will be easier to use' - that's about on the level as 'running intel makes the internet go faster'... I mean I can't even find a refrerence that he could have got that from - seems like it came into his head and he wrote it because it sounded like good copy.
We had a policy... We won't stop you but if you screw it up we re-image the disk and you start all over again.
It worked...
As others have said, these things don't apply to CEOs.. that get local admin because.. well.. are you going to refuse someone who can fire your ass?
... which commonly don't have passphrases attached (and there's no way to verify whether they do either without getting hold of the private key). Whats more is you only have *one* private key so if it is compromised access to every server you use is wide open.
This makes them *less* secure in many cases - at least with passwords you can have a different password for each server.
..and the salts are stored in the password string.
salts don't do shit against that kind of attack. All they do is stop people trivially recognising that two people have the same password.
BSG didn't invent that - I can remember it from my school days.. there was an old BBC Micro program where the character would should "FRAK!" when it died.. it was hillarious to me as a child :p
It's not a silly little irrelevance.
A server should *only* run what is required to run the apps on that server. Anything else is a security risk and a maintenence headache.
When an exploit is found in directx why should the servers need to be checked? And of course this being windows updating all this redundant crap requires a reboot - requiring scheduled downtime which means the server may be unupdated for several weeks (one place I worked at you had to get scheduled downtime cleared by the IT manager, who went to his weekly meetings with the board.. who often said no).
This also means you can have a server running and shut down the GUI - even log out - and it'll keep running.
My Windows Media Centre install is such a beast...
There's other reasons to have another OS at the base - stability, speed, available memory...
My VMs run on a debian install completely stripped of everything not required to run vmware itself. That means much less to go wrong, nothing eating up CPU cycles needed for the servers, and the OS itself takes up very little memory overhead.
You simply can't strip VirtualPC down that much - no matter what you're doing you still have the GUI, memory usage and hard disk usage, of a Windows OS which means the VMs have less to play with.
Why would you need more than one server on a big beefy server instead of running everything on one server? Different OSs or environments?
If you're selling app hosting to companies you don't want to be spending all that money on hardware.
I worked at a place were they actually used VMWare Workstation (and later GSX I think) for this - as many VMs as they could stuff onto each (fairly beefy) dell server - then you could sell the customers an app 'running on an xxxx dell server with 3GB or RAM' and not be lying at all... the fact that they were sharing that with half a dozen others is a detail.
Israel already has a good defense for that... just send in the tanks. Attack being the best form of defense (and if your enemies are all dead they can't hurt you).
Strangely, the US seems to approve of this policy...
That's fine until they're all repainted with reflective paint.
Then your fancy lasers bounce and start hitting your own population...
Hell, why bother chucking expensive missiles - start chucking prisms.. fun ensues.
It'd be really cool.. until el presidente ordered a missile strike against your country for 'harbouring terrorists' (wouldn't be worth trying in the US since you'd be bundled into a van and dumped in cage in gitmo before you'd even realized the hack had worked...)
apt should be doing this automatically.
I'm on stable now (which doesn't have the issue) after having too many issues with unstable, but they really need to fix it before it goes stable. The apt package itself should contain the keys, or they should be available from a verifiable source.
Don't you think I did?
Xen can only run *modified* operating systems. That means ones you can get the source code for.
The claimed about a year ago to have got Windows XP to run, but have never managed to get it working properly because of course they don't have the Windows source code. Their own FAQ bears this out (oh and the 'we hope to have a version that does it' date keeps changing.. vapourware at its finest).
Quote: "Currently Xen supports Linux 2.4, 2.6, and NetBSD 2.0."
Sorry, to be a competitor to VMWare or VirtualPC it has to run a *lot* more operating systems than that. Hell, even FreeBSD would be a start. But as I said without Windows support it's in no way a competitor and never will be.
Well said.
Xen cannot run Windows (and 'we swear someone did it in a lab but we can't prove it or tell you how to do it' doesn't count). That means it is *not* a competitor for either VMWare or VirtualPC. In fact there's nothing in the OSS space that is.
It depends which version... MS are slowly getting the 'secure by default' idea, and Win2003 is reasonably secure out of the box. It remains to be seen what happens with vista.. I suspect UAC will be weakened in the same way that NX was in XP, simply to 'improve the user experience'.
I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.
That's because so-called "high security passwords" are nothing of the sort - once you reach a certain level of complexity people will simply write them down.. a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.
I suspect they only went that route because they were too cheap to buy securid.
Users know nothing about encryption... it's too easy to spoof.
eg. There's a virus going around that reads "This is an encryted email from AOL.. click on the attachment to read it".
Telling users that encryption is somehow better is just going to leave them open to that kind of attack.
Damn. I'm sure there's a spaceballs joke there somewhere...
By default vista doesn't ask for a password to do sysadmin things... it just pops up a box that says something wants to do something (usually rundll32 or similar) with an 'OK' button on it.
I dismiss those out of reflex now.. they're just annoying and popup for practically everything you want to do.
In the UK you don't always need the Pin.
The largest supermarket, Tesco, has self-service checkout tills.
These have no security...
(a) they read the stripe, not the chip (you swipe the cards down the side of the checkout).
(b) they don't ask for the pin. at all. Or check a signature.. or do anything to verify whou you are.
And this is the shop that has something like 60% of the UK grocery market.. so if someone cloned your card they could go for a *long* time before being caught.
OK then.
'Identity copyright infringement'.
Happy now?