Firstly ipv4 addresses are *not* running out in the next 5 years. Last year ipv4 usage *dropped* and there's still huge wastage within companies like DEC and IBM (they got a few million each) that can be sorted.
Maybe 10 years, maybe 15.. maybe never. Not 5 years.
Secondly, you need a dhcp server with ipv6 anyway. You need to give other information than the ip addresses - dns addresses, router addresses, domain names, wins servers, ntp servers, tftp servers, etc. dhcp isn't going anywhere. All stateless autoconfig gives you is an ipv6 address that's (reasonably) stable so you can reach the box easier.
NAT is an ugly hack already. If we try to extend it, it's not going to get prettier:). NAT also causes problems for applications and general connectivity. I like to run my own mail server. If I'm doing NAT and I want to have a mail server inside the NAT'd network (I use a public address though), I can poke a hole with a port forward. What do you think will happen if the ISP is giving me a NAT'd address instead? Widescale NAT means no servers for anyone, or makes having a server of some kind very difficult.
I often hear that.. what's so ugly? NAT only causes problems for applications that would have a devil of a job getting through a firewall anyway - if a stateful firewall can handle it it can NAT it. If it can't, well ipv6 or even static ipv4 isn't going to help it... the app is broken by design.
Of course in the server case you want public IPs but you're far from the majority - joe sixpack just wants to browse the web and pick up email. He couldn't care less whether his IP was public or not. We're a long way from that though - ipv4 shortage just isn't that acute yet.
IPv6 will definitely help here. Also, try merging two corporate networks that use the same private (NAT, rfc1918, whatever) address space. Eek.
Change a line or two in dhcp server. Wait 24 hours (do this over the weekend). Job done.
Alternatively, if the admin didn't use dhcp... fire admin, hire new one, get him to do it.
Given that they're still giving away IP addresses freely (my ISP threw in 16 even though I only wanted 8, 'just in case') I don't think there's much push for it. NAT has basically made one IP per household (so the old bugaboo of IP enabled toasters eating all the space has gone away).
The US alone holds 57% of the allocated space so there's *huge* scope for releasing more space - the rest of the world seems to have no problems with its much smaller usage.
It may never be adopted at all. It's been going for 20 years now.. and total ipv6 usage? Well let's look at the router stats of a large ipv6 tunnel broker: http://www.sixxs.net/misc/traffic/
Their most popular pop (bebru01) averaged 4mbps each way. That means their most busy ipv6 interlink could be hosted by someone with a cable modem.
My own humble network has more throughput than that - for *one house* let alone an entire country.
Actually he has a point, in a way. Firewalls don't in general support ipv6, and until that happens (and it is easy to setup eg. cisco routers support an ipv6 firewall but you have to get down and dirty with the ios command line to even know it's there) then corporate adoption of ipv6 will be precisely zero.
ipv6 NAT is around but is a bitch to setup.. similarly that needs to be easier.
They're not ipv6 ready no matter how many vista deployments there are.
You have to use the new sockets/winsock functions to be ipv6 enabled for a start.. and most apps aren't (including things like Active Directory, which is a biggie.).
I've got a vista installation here.. it's running a whole heap of stuff.. the total list of listening ports from ipv6 capable apps is: 135,445 (SMB.. pity the domain controllers can't respond.. heh.). 3389 (TS), 5357 (No idea). Compared to a list of ipv4 listening ports about 3 pages long. All of those would need to be converted.
You have to use ipv6 capable routers. Almost none are. The only one I'm aware of ipv6 out of the box is the cisco 800 series. None of the netgear/linksys/etc routers are able to route it.
You have to find an ipv6 capable ISP. They're as rare as hens teeth. Or a tunnel broker - those are getting rarer by the day as they were mostly experimental services that are shutting down. Or you could try 192.88.99.1 - if your ISP routes it (many don't) and if it routes to anything nearby (it's not uncommon for it to be 200-300ms away which makes your latency suck hard).
If someone can provide a business case for ipv6 (never heard one yet) then still it's years off. I'm thinking at this point it'll be superceded by something else that's more ipv4 compatible.
I already have trojan scans of ipv6 address space & they're hitting valid addresses with about 95% accuracy. Don't know how they're getting the info (probably sniffing packets from owned machines) but any idea that more IPs means less bots is just security through obscurity and is just plain rubbish.
(otoh the vista machine here has no problem with anything to do with ipv6 - this article is just incorrect.. the poster is blaming vista/ipv6 for shitty printer drivers).
Virtualisation - dual and quad core doesn't really cut it for massive levels of virtualisation.. you want to reserve at least a core for your host OS, then you've got to divvy up the rest. With dual core that means you're down to having no smp in your vm's (sucks if they're compile boxes), with quad core that's only 3... get 20-30 machines in there and it's starting to look shaky. 80 cores would scale to hundreds of virtual machines without any particular slowdow.
Robbery would be case A where the chance of being caught are high and the payoff is low.
Deterrence works well in that case. OTOH we still have robberies.. because A doesn't apply in all cases - firstly because the odds change.. stealing a million dollars worth of diamonds using a well planned robbery can seem like a good idea - and also there's the cases of faulty risk assessment (in the case of drug addicts etc.).
If you think of something like smoking cannabis, which has a low (nearly zero) risk of being caught and no consequences (worst case is the police take your stuff and you have to buy more, at least around here)... they can pass laws all they like and it won't make a difference.
All the opponent has to do is to point out that if she hadn't been browsing porn/warez sites in the first place she wouldn't have got a trojan on her computer.
Oh and connecting a laptop into the internal coroprate net? In a lot of companies people would get fired on the spot for that, never mind waiting for the next election. Laptops should be *outside* the firewall not inside it.
News to me.. I've logged into administrator hundreds of times on vista and never changed anything.
Oh and administrator does have UAC. I only wish it didn't.. it's a royal pain in the ass trying to get anything done until I've created a privileged cmd.exe shortcut (itself a pain in the ass as they've blocked the name cmd.exe from elevating, you have to create a renamed copy).
Great - until the apps won't run, which in my experience is most of them. Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards - assume deny by default and allow a limited set of actions.
MS could have sorted the mess out by locking down vista by default, instead they bottled it and introduced all sorts of shadow directories so the apps still think they have write access to program files and the system registry... and they allowed any app to request administrator rights instead of leaving that to be specifically enabled by the administrator.. so you have all sorts of programs declaring they are 'vista compatible' when all they've done is added a manifest to their old broken code.
Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.
Linux (with selinux enabled) can be configured to do that.
You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.
Oh and you need to fire your solaris admin. You don't *need* root to install any app in Unix. You can choose to install systemwide that often needs it (unless you've setup a nonprivileged account for the task).. but how many apps truly need that?
Following on your analogy, userland firewalls are like posting a separate security guard in each of the rooms of the building, and leaving the main entrance unlocked. The apparent effect in security in the same but walking between separate rooms has just become a major hassle.
Nobody's bitching - their anti spyware app sucks, hard. I've had to sort out three trojanned vista boxes now (don't know anyone else running it) - all running 'microsoft anti spyware' which declared there was no spyware on the machine, even as porn popups appeared on the desktop..
That's not entirely true - when the license comes up for renewal do you think they'd get much sympathy if they'd spent the whole year producing quality german opera?
They have to appeal to their audience and produce things that are going to be popular.. it's just that they don't have to worry too much about day to day ratings as there are no advertisers to keep happy, so they can take more risks.
Scifi channel generally sucks, but they do occasionally show some decent stuff.
Re:Dynamic DNS
on
DNS Complexity
·
· Score: 1, Informative
It quite possibly would - dynamic dns domains have expiry times in the minute or even second range, making caching them impractical. A true domain expires in 24-36 hours.
TBH I'd rather dynamic dns went away.. it's a hack from the dialup days when people got dynamic IP addresses. Everyone's 'always on' now so dynamic IP is pointless.
Re:Public DNS is corrupt, but Private DNS is subli
on
DNS Complexity
·
· Score: 1
It is technical actually - the TLD server has to respond all of the time, every time, even when millions of people want it... caching reduces the load but doesn't eliminate it by any means.
If a domain goes down it affects one company. If a TLD goes down it affects thousands, perhaps millions (if.com failed for example).
You could argue that one server == one TLD is a bad model and I wouldn't disagree.. there's no reason for one of the TLD companies to start a couple of hundred of the things - but then can you imagine what the likes of Verisign would do to that? Would it get cheaper? Hell no. They'd charge through the nose for it.
Managers manage. They run the company, talk to other managers in other companies to get some idea of specs, balance the books, negotiate with the developers to set deadlines (ideally.. the bad ones just set deadlines). They in general know nothing about IT and have business degrees. You can spot a manager because they're always in a suit and say things like 'paradigm'.
Developers design the product, work out technical specifications and implement them. Being creative they're often in jeans and T shirts, have flexible (well, random) working hours.
Then there's marketing. Nobody knows what they're for but they get paid a lot, wear loud suits and drive expensive cars.
A manager trying to develop is a recipe for disaster.. I've seen it in some companies - some overpaid suit thinks he's gods gift to IT and 3-4 real developers having to work full time to sort out the mess. Leave them to their business lunches and foreign trips.. keeps them out of the way.
In Microsoft parlance, a "Program Manager" isn't a person who works in the "management" sense of the business or people. They have other people for that. Program Managers are responsible for writing technical specifications, co-ordinating development activities (e.g. who works on what piece), and making sure the developers are clear of distractions to get their job done. They're the ones that have to deal with finding out what the business requirements are and translating that into development activity.
In other words, they're managers.
The worst kind too.. the kind that tell the developers what to do instead of letting them get on with their damned jobs. It sounds like MS have basically degraded the developers job to that of a menial code monkey.
Slashdot Mirror
Firstly ipv4 addresses are *not* running out in the next 5 years. Last year ipv4 usage *dropped* and there's still huge wastage within companies like DEC and IBM (they got a few million each) that can be sorted.
Maybe 10 years, maybe 15.. maybe never. Not 5 years.
Secondly, you need a dhcp server with ipv6 anyway. You need to give other information than the ip addresses - dns addresses, router addresses, domain names, wins servers, ntp servers, tftp servers, etc. dhcp isn't going anywhere. All stateless autoconfig gives you is an ipv6 address that's (reasonably) stable so you can reach the box easier.
NAT is an ugly hack already. If we try to extend it, it's not going to get prettier :). NAT also causes problems for applications and general connectivity. I like to run my own mail server. If I'm doing NAT and I want to have a mail server inside the NAT'd network (I use a public address though), I can poke a hole with a port forward. What do you think will happen if the ISP is giving me a NAT'd address instead? Widescale NAT means no servers for anyone, or makes having a server of some kind very difficult.
I often hear that.. what's so ugly? NAT only causes problems for applications that would have a devil of a job getting through a firewall anyway - if a stateful firewall can handle it it can NAT it. If it can't, well ipv6 or even static ipv4 isn't going to help it... the app is broken by design.
Of course in the server case you want public IPs but you're far from the majority - joe sixpack just wants to browse the web and pick up email. He couldn't care less whether his IP was public or not. We're a long way from that though - ipv4 shortage just isn't that acute yet.
IPv6 will definitely help here. Also, try merging two corporate networks that use the same private (NAT, rfc1918, whatever) address space. Eek.
Change a line or two in dhcp server. Wait 24 hours (do this over the weekend). Job done.
Alternatively, if the admin didn't use dhcp... fire admin, hire new one, get him to do it.
Given that they're still giving away IP addresses freely (my ISP threw in 16 even though I only wanted 8, 'just in case') I don't think there's much push for it. NAT has basically made one IP per household (so the old bugaboo of IP enabled toasters eating all the space has gone away).
w g/2007/msg00001.html)
As of Jan 2007 about 35% of the total ipv4 address space is still unallocated (source: http://www.ripe.net/ripe/maillists/archives/ipv6-
The US alone holds 57% of the allocated space so there's *huge* scope for releasing more space - the rest of the world seems to have no problems with its much smaller usage.
It may never be adopted at all. It's been going for 20 years now.. and total ipv6 usage? Well let's look at the router stats of a large ipv6 tunnel broker: http://www.sixxs.net/misc/traffic/
Their most popular pop (bebru01) averaged 4mbps each way. That means their most busy ipv6 interlink could be hosted by someone with a cable modem.
My own humble network has more throughput than that - for *one house* let alone an entire country.
That's broken DNS - your DNS isn't providing (lack of, since almost no public websites have them) AAAA records in a timely fashion.
Actually he has a point, in a way. Firewalls don't in general support ipv6, and until that happens (and it is easy to setup eg. cisco routers support an ipv6 firewall but you have to get down and dirty with the ios command line to even know it's there) then corporate adoption of ipv6 will be precisely zero.
ipv6 NAT is around but is a bitch to setup.. similarly that needs to be easier.
They're not ipv6 ready no matter how many vista deployments there are.
You have to use the new sockets/winsock functions to be ipv6 enabled for a start.. and most apps aren't (including things like Active Directory, which is a biggie.).
I've got a vista installation here.. it's running a whole heap of stuff.. the total list of listening ports from ipv6 capable apps is: 135,445 (SMB.. pity the domain controllers can't respond.. heh.). 3389 (TS), 5357 (No idea). Compared to a list of ipv4 listening ports about 3 pages long. All of those would need to be converted.
You have to use ipv6 capable routers. Almost none are. The only one I'm aware of ipv6 out of the box is the cisco 800 series. None of the netgear/linksys/etc routers are able to route it.
You have to find an ipv6 capable ISP. They're as rare as hens teeth. Or a tunnel broker - those are getting rarer by the day as they were mostly experimental services that are shutting down. Or you could try 192.88.99.1 - if your ISP routes it (many don't) and if it routes to anything nearby (it's not uncommon for it to be 200-300ms away which makes your latency suck hard).
If someone can provide a business case for ipv6 (never heard one yet) then still it's years off. I'm thinking at this point it'll be superceded by something else that's more ipv4 compatible.
So someone has shitty printer drivers (let me guess.. HP right??) and suddently it's vista's fault.
I bet they'd get exactly the same if they installed ipv6 under xp too.
I already have trojan scans of ipv6 address space & they're hitting valid addresses with about 95% accuracy. Don't know how they're getting the info (probably sniffing packets from owned machines) but any idea that more IPs means less bots is just security through obscurity and is just plain rubbish.
(otoh the vista machine here has no problem with anything to do with ipv6 - this article is just incorrect.. the poster is blaming vista/ipv6 for shitty printer drivers).
Virtualisation - dual and quad core doesn't really cut it for massive levels of virtualisation.. you want to reserve at least a core for your host OS, then you've got to divvy up the rest. With dual core that means you're down to having no smp in your vm's (sucks if they're compile boxes), with quad core that's only 3... get 20-30 machines in there and it's starting to look shaky. 80 cores would scale to hundreds of virtual machines without any particular slowdow.
Coming soon...
Fusion Turbo
Fusion Power
Fusion Power Turbo
Then we start all over again with 10 blades or something, ~doubling the price at each iteration.
Those aren't straight rips - 720p on a DVD5? They must have compressed the crap out of it.
If you're gonna get pirate stuff at least get the good stuff - the original material is 1080p/24 and takes up a few GB.
Robbery would be case A where the chance of being caught are high and the payoff is low.
Deterrence works well in that case. OTOH we still have robberies.. because A doesn't apply in all cases - firstly because the odds change.. stealing a million dollars worth of diamonds using a well planned robbery can seem like a good idea - and also there's the cases of faulty risk assessment (in the case of drug addicts etc.).
If you think of something like smoking cannabis, which has a low (nearly zero) risk of being caught and no consequences (worst case is the police take your stuff and you have to buy more, at least around here)... they can pass laws all they like and it won't make a difference.
So now laws by themselves do not stop crime.
All the opponent has to do is to point out that if she hadn't been browsing porn/warez sites in the first place she wouldn't have got a trojan on her computer.
Oh and connecting a laptop into the internal coroprate net? In a lot of companies people would get fired on the spot for that, never mind waiting for the next election. Laptops should be *outside* the firewall not inside it.
News to me.. I've logged into administrator hundreds of times on vista and never changed anything.
Oh and administrator does have UAC. I only wish it didn't.. it's a royal pain in the ass trying to get anything done until I've created a privileged cmd.exe shortcut (itself a pain in the ass as they've blocked the name cmd.exe from elevating, you have to create a renamed copy).
Great - until the apps won't run, which in my experience is most of them. Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards - assume deny by default and allow a limited set of actions.
MS could have sorted the mess out by locking down vista by default, instead they bottled it and introduced all sorts of shadow directories so the apps still think they have write access to program files and the system registry... and they allowed any app to request administrator rights instead of leaving that to be specifically enabled by the administrator.. so you have all sorts of programs declaring they are 'vista compatible' when all they've done is added a manifest to their old broken code.
Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.
Linux (with selinux enabled) can be configured to do that.
You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.
Oh and you need to fire your solaris admin. You don't *need* root to install any app in Unix. You can choose to install systemwide that often needs it (unless you've setup a nonprivileged account for the task).. but how many apps truly need that?
Following on your analogy, userland firewalls are like posting a separate security guard in each of the rooms of the building, and leaving the main entrance unlocked. The apparent effect in security in the same but walking between separate rooms has just become a major hassle.
Nobody's bitching - their anti spyware app sucks, hard. I've had to sort out three trojanned vista boxes now (don't know anyone else running it) - all running 'microsoft anti spyware' which declared there was no spyware on the machine, even as porn popups appeared on the desktop..
That's not entirely true - when the license comes up for renewal do you think they'd get much sympathy if they'd spent the whole year producing quality german opera?
They have to appeal to their audience and produce things that are going to be popular.. it's just that they don't have to worry too much about day to day ratings as there are no advertisers to keep happy, so they can take more risks.
Even Heroes?
Scifi channel generally sucks, but they do occasionally show some decent stuff.
It quite possibly would - dynamic dns domains have expiry times in the minute or even second range, making caching them impractical. A true domain expires in 24-36 hours.
TBH I'd rather dynamic dns went away.. it's a hack from the dialup days when people got dynamic IP addresses. Everyone's 'always on' now so dynamic IP is pointless.
It is technical actually - the TLD server has to respond all of the time, every time, even when millions of people want it... caching reduces the load but doesn't eliminate it by any means.
.com failed for example).
If a domain goes down it affects one company. If a TLD goes down it affects thousands, perhaps millions (if
You could argue that one server == one TLD is a bad model and I wouldn't disagree.. there's no reason for one of the TLD companies to start a couple of hundred of the things - but then can you imagine what the likes of Verisign would do to that? Would it get cheaper? Hell no. They'd charge through the nose for it.
Different tasks.
Managers manage. They run the company, talk to other managers in other companies to get some idea of specs, balance the books, negotiate with the developers to set deadlines (ideally.. the bad ones just set deadlines). They in general know nothing about IT and have business degrees. You can spot a manager because they're always in a suit and say things like 'paradigm'.
Developers design the product, work out technical specifications and implement them. Being creative they're often in jeans and T shirts, have flexible (well, random) working hours.
Then there's marketing. Nobody knows what they're for but they get paid a lot, wear loud suits and drive expensive cars.
A manager trying to develop is a recipe for disaster.. I've seen it in some companies - some overpaid suit thinks he's gods gift to IT and 3-4 real developers having to work full time to sort out the mess. Leave them to their business lunches and foreign trips.. keeps them out of the way.
In Microsoft parlance, a "Program Manager" isn't a person who works in the "management" sense of the business or people. They have other people for that. Program Managers are responsible for writing technical specifications, co-ordinating development activities (e.g. who works on what piece), and making sure the developers are clear of distractions to get their job done. They're the ones that have to deal with finding out what the business requirements are and translating that into development activity.
In other words, they're managers.
The worst kind too.. the kind that tell the developers what to do instead of letting them get on with their damned jobs. It sounds like MS have basically degraded the developers job to that of a menial code monkey.