If they want to indescriminantly block bittorrent, that's QOS.
Not unless they're equally blocking ALL other P2P protocols, including those used by major companies...
What if they were blocking SIP (Vonage, et al.), but giving a high priority to their own company's proprietary, non-SIP, VoIP protocol? Gee, if you'd just license the technology from them, you too can get high-priority on your traffic...
it still seems like a virtualized system would be much more secure that a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?
#1) The simple fact that the alternative to virtualization is separate physical hardware, where NO amount of knowledge can allow you to break-out of the hardware, and gain control of the 10 other systems.
#2) Reality really isn't nearly that tidy. Anyone who is skilled enough to know how to do one of those, is going to have no trouble with the second. This excludes script kiddies, of course, but you really shouldn't be designing security systems that will only stop them... In your scenario, it's not security, but one level of obscurity, which also cause a big performance hit for nothing.
I fail to see why you have a problem with that statement. It's true that softdeps has better performance than journaling, both in theory, and in practice. You need only look at FreeBSD.
FreeBSD and Linux both have support for kqemu and Linux and Windows both have support for VMWare, Virtualbox and kqemu.
kqemu is borderline useless on FreeBSD. I don't notice any performance difference with or without it. So OpenBSD is on pretty much equal footing. Not to mention that Windows support for kqemu is a very recent development, and it's predecessor ('vm86' or something) was pretty lousy.
I don't see why you have an obsession with "native" either... OpenBSD is perfectly capable of running Linux binaries, including VMWare (in ports).
OpenBSD can't even offer a modern version of WINE in their ports
There's a big difference between "doesn't" and "can't". I guess OpenBSDers just aren't big on running Windows binaries.
So instead of fixing OpenBSD so that it has native support for running some sort of native virtualisation scheme,
What needs to be "fixed"? Is every single application that isn't available a "bug"?
Theo does what he usually does -bitches, whines and blames the technology for the flaws in his OS.
I must have missed that part... you'll have to point it out for me. His point was that virtualization isn't a method that improves security, and there, he certainly does have a valid point. He's certainly not the only one saying so. Everyone just likes to pick on Theo's inflammatory comments. See Henning Brauer's e-mails from that thread instead if you like.
Tiny laptops have never caught on in the US, although they've been around for years.
I'd love to get one... if they weren't always at least 4X as expensive as larger, heavier laptops.
I've got a tiny Psion 5MX I still use plenty, which works great for typing notes, appointments, and even pretty well as an RS-232 terminal, but unfortunately I often need much higher-end capabilities it just doesn't have.
I haven't had the heart to get rid of my small 7" Compaq 486, even though it's so slow I generally can't use it anymore (boot-up takes minutes, using SSH is frustrating, etc.).
Why don't you just get a hosting account at Dreamhost for like $10 a month? They give you some godawful amount of storage like 500GB
A good idea, but 500GBs is anything but "godawful." I'd run up against the limit immediately, even without multiple snapshots. And their policy toward over 500...
I also have to wonder if they'll actually be able to keep those rates low, when lots more people have extremely high-speed connections all actually get close to using their full capacity...
And it's also very useful having physical access to the backup machine in question, rather than being forced to download everything after an outage, though for the price I might be willing to put up with it.
This is extremely impressive, and may well be a game-changer...
When Verizon finally rolls-out FIOS here (they've said it's coming "soon" for a couple years), I'll probably sign-up for TWO connections... One for my home, and the other for a family member (within driving distance) or perhaps a friend. In exchange for free ultra-high-speed internet access, all they have to do is leave my back-up server running. rsync will finish pretty damn fast over a 20Mbps connection...
This really opens the possibility of a lot of online file-hosting services going out of business... It's no longer special that they have high-speed upstream, so why pay so much for an over-priced, terribly-limited, managed file hosting service?
Now if somebody could just convince Verizon to enable multicast on all their routers...
There is no fucking way any business that requires VPN is going to give every Comcast user access to their VPN link. It's crazy.
Comcast doesn't want to get access to your VPN. They want you to be unable to use your VPN AT ALL, on their lowest-priced account, and force you to upgrade to "pro" or some "business" account.
Do you have any idea how much this costs in terms of hardware? I can't even imagine how much it would cost to proxy all that traffic. Millions certainly.
Very, very little. Many ISPs already run HTTP proxies, for the benefits of caching. An SSL/TLS proxy merely requires they buy a $100 encryption acceleration card for each proxy server. Operating costs are negligible, far more-so than a normal HTTP proxy, since only a tiny fraction of web traffic is ever encrypted.
Unless they're insisting every site on internet re-encrypt to their cert they have no fucking way of knowing what's in the packets.
Not true in the slightest. The SSL/TLS proxy accepts whatever cert and encryption level the website is using, decrypts it for inspection, then re-encrypts it (with Comcast's cert) and sends it to your browser. There are SSL/TLS proxies already available, so I don't understand how you can claim it's impossible.
I am guessing that the implications of them eavesdropping on all encrypted traffic, including online banking, web shopping, and corporate VPNs would pretty much end in disaster for them.
What percentage of the general public is smart enough to understand that this is happening, and care enough to do anything more than complain about it?
Also, VPNs don't really use SSL/TLS, so the idea is going to be blocking them, rather than eavesdropping on them. Several ISPs already tell you that their lowest-priced accounts are not to be used for VPNs at all.
In Jindabyne and Adaminaby they have fire days AND snow days
That's true in much of California as well. Lots of mountain ranges. Right now, Arrowhead is burning. They get plenty of snow. Last year, maybe it was Big Bear (lots of snow). Maybe next year it'll be Silverwood. All three mountains, right next to each other, at the very North-end of the L.A. Basin.
Comcast can't currently afford to intercept all SSL connections, inspect the certificate to see if they can forge it, and proxy the connection just to do packet inspection.
No need for that:
Require all users to add and authorize Comcast's cert. Proxy all SSL/TLS connections. Block all other encrypted traffic.
Even if comcast tries to join the network to disrupt it, they can't disrupt communication between nodes when the chain-of-authority does not use their keys,
What? Why would they need to "join" bittorrent in order to disrupt it?
See encrypted traffic using lots of bandwidth? Send forged TCP RST packets to source and destination. Disconnected.
Standard (host-to-host) encryption can't do anything to prevent such man-in-the-middle DoS tricks. Full-fledged IPv6 does, but that's another story.
when they just start wiping out encrypted packets next ? One cable started throttling encrypted traffic as well and basically killed vpn for every one.
Everyone using SSH and P2P will switch to using port 443. If they block that, none of their customers will be able to shop online, and they will get up and leave, en masse.
These kinds of practices serve only to make things worse for the ISPs in the end. The bandwidth throttling arms race will do no good. Every step they take to try and control users only leads us all one step closer to all internet traffic being encrypted, embedded into HTTP commands, and spit out over port 80. Then it's just MORE bandwidth from each user for them to deliver, slower performance for everyone, high delays for important traffic, and many unhappy people.
One of the major internet authorities needs to step-in and forbid this kind of behavior, before these ISPs cause existing internet standards to become unusable. Use a big stick... Forbid Comcast from registering any new domain names, getting more IP addresses, peering with others, etc.
The guy is literally running for his life to escape wildfires, yet has the brass balls to 'fire blog'. If that's not worthy of a nomination to Geek of the Year, I dunno what is.
Bah! You clearly don't know California. Evacuating your home due to wild fires here is a lot like a road closure elsewhere... a minor annoyance you have to put up with for a few days, every couple years. Where your schools might close for "snow days", we have "fire days". Blogging about it is the most natural thing in the world... You have lots of time to kill.
But to state that they are better at flying airplanes than I am at driving my car is just, how do I put it... silly.
Statistics state otherwise. You just happen to be delusional enough to think you are the exception to the rule (just like everyone else).
And don't tell me that in an airplane, when things go wrong, they go wrong SLOWLY.
Yes, they do... Except right after take-off and landings.
From 30,000 feet, you have at minimum a full couple minutes to try and resolve whatever critical problem caused you to lose control, before it's too late. In a car, when your steering linkage breaks at 80MPH, you have a fraction of a second to live.
Ultrasound equipment is necessary because planes are so much more complex than cars. You forgot to take that little variable into equation.
A chunk of metal in an airplane is no more "complex" than a chunk of metal in your car. Either one failing will kill you.
if the weather conditions don't suit me, if I feel it is unsafe, I can pull to an exit and park somewhere. Try doing that with a plane.
Planes can turn around, go to higher or lower altitudes, fly many hundreds of miles out of their way, go to their alternate airport, etc.
If you're trained in proper falling you can jump off a car at 35mph with merely a scratch to show for it.
Cars don't travel cross country at 35MPH. And jumping out of a car is very likely to get you run over by the car behind you.
When it comes to options... a lot of things ARE under your control in a car.
Many of the things that can kill you are not, and when they go wrong, they go wrong very, very suddenly. In an airplane, similar things are under the pilots' control, and they are far better trained and equipped to deal with them than you are.
I don't think that these are really meant to be lain pizza box style on a desk
I don't think you took a good look at the pictures.
I had a couple of old Alphas which were similarly shaped, and similarly quite tiny. If you didn't stand them up on their side they would overheat in about 15 minutes, if you stood them on their sides, the lasted about an hour in a small poorly ventilated room.
Yes, the Multia specifically had openings in the side, NOT the top, so you either had to upgrade the single 60mm fan, or you had to stand it vertically. The DTX prototype, however, CLEARLY has the entire top of the case made of swiss-cheese metal, so passive airflow will likely be BETTER when laid flat.
Personally, that is the single aspect of it that I HATE! With a solid case, and forced convection, you can make sure the airflow goes over the hottest components, and is pretty efficiently routes out of the case.
Here, you can't develop any pressure difference in the case. Any rear exhaust fan will mostly pull ambient air into the case an directly in-front of the fan, then blow it out again, doing NOTHING to cool the system. That has always been the biggest problem with ATX... You have individual fans on hot components, that just blow air in random directions, disrupting the direction of air flow. Companies have tried to fix it with some ducting here and there, but then they only do it for the CPU, and leave the rest to fight it out for airflow.
DEC, at least, had it all figured out 15 years ago, 3 zones, each pulling air directly from the front, over all hot components, and directly out the back again. HP, Compaq, etc. also got pretty close with some of their (non-ATX) workstations, but unfortunately none of the designers ever took the cue, and standardized something like it for PCs. Rack-mount servers are getting close, also, but it's still much of a free-for-all, with poor design being made-up for with louder and more powerful fans. I really wish somebody would wake up.
the lack of a good suround sound card [...] I need a 7.1 sound card with digital IO
Haha!
If you want digital I/O, the cheapest piece of crap built-in sound card will do just as well as anything else you can buy... It's digital, the AC3/DTS/LPCM sound is transferred completely unchanged, no matter what.
and often, there is not enough room on the board for a tv tuner and a good video card.
The DTX prototype has room for two half-height cards. Hauppauge PVR-150 or similar should be perfect for TV capture. I don't know about video cards, but I'm willing to bet there's one or two good half-height options out there.
Such a board would be cheaper, faster, smaller, less power hungry, and less complex than today's boards.
Such a board would be nominally cheaper (if at all), no smaller, no less power hungry, and nominally less complex. THAT is why the ports are still there. Unless space is a big issues (as in notebooks) there's absolutely no reason to remove the legacy ports.
My expensive keyboard, IDE drives, CRT, Parallel and Serial devices (et al.), aren't going away, and I'm sure not going to get a $5 cheaper motherboard that requires me to buy a $100 USB Parallel/Serial/PS2 port replicator, SATA to IDE adapters, etc. to use it. If there's enough people that feel the same, economies of scale on that board go away, and it ends up costing more money than a similar one with the legacy ports.
If you took that form factor and put it in a case that you could open up w/o wrecking it you would have a great standard small formal machine.
You'd have a system that was as expensive as high-end (mini) notebooks, requires notebook components rather than much cheaper and higher-end desktop components, and can only support a very, very low level of heat/power consumption.
Fine if you want a very expensive, very low-end system in a tiny package that isn't practically expandable, but that's not what DTX is supposed to be.
No, cost of bandwidth is still going to go down... Just (according to him) not as fast as it has in the past.
Not unless they're equally blocking ALL other P2P protocols, including those used by major companies...
What if they were blocking SIP (Vonage, et al.), but giving a high priority to their own company's proprietary, non-SIP, VoIP protocol? Gee, if you'd just license the technology from them, you too can get high-priority on your traffic...
#1) The simple fact that the alternative to virtualization is separate physical hardware, where NO amount of knowledge can allow you to break-out of the hardware, and gain control of the 10 other systems.
#2) Reality really isn't nearly that tidy. Anyone who is skilled enough to know how to do one of those, is going to have no trouble with the second. This excludes script kiddies, of course, but you really shouldn't be designing security systems that will only stop them... In your scenario, it's not security, but one level of obscurity, which also cause a big performance hit for nothing.
I fail to see why you have a problem with that statement. It's true that softdeps has better performance than journaling, both in theory, and in practice. You need only look at FreeBSD.
kqemu is borderline useless on FreeBSD. I don't notice any performance difference with or without it. So OpenBSD is on pretty much equal footing. Not to mention that Windows support for kqemu is a very recent development, and it's predecessor ('vm86' or something) was pretty lousy.
I don't see why you have an obsession with "native" either... OpenBSD is perfectly capable of running Linux binaries, including VMWare (in ports).
There's a big difference between "doesn't" and "can't". I guess OpenBSDers just aren't big on running Windows binaries.
What needs to be "fixed"? Is every single application that isn't available a "bug"?
I must have missed that part... you'll have to point it out for me. His point was that virtualization isn't a method that improves security, and there, he certainly does have a valid point. He's certainly not the only one saying so. Everyone just likes to pick on Theo's inflammatory comments. See Henning Brauer's e-mails from that thread instead if you like.
I'd love to get one... if they weren't always at least 4X as expensive as larger, heavier laptops.
I've got a tiny Psion 5MX I still use plenty, which works great for typing notes, appointments, and even pretty well as an RS-232 terminal, but unfortunately I often need much higher-end capabilities it just doesn't have.
I haven't had the heart to get rid of my small 7" Compaq 486, even though it's so slow I generally can't use it anymore (boot-up takes minutes, using SSH is frustrating, etc.).
Damn Mozilla! That was supposed to read:
And their policy towards overages is beyond ridiculous: $100 per month for every GB over 500!
A good idea, but 500GBs is anything but "godawful." I'd run up against the limit immediately, even without multiple snapshots. And their policy toward over 500...
I also have to wonder if they'll actually be able to keep those rates low, when lots more people have extremely high-speed connections all actually get close to using their full capacity...
And it's also very useful having physical access to the backup machine in question, rather than being forced to download everything after an outage, though for the price I might be willing to put up with it.
This is extremely impressive, and may well be a game-changer...
When Verizon finally rolls-out FIOS here (they've said it's coming "soon" for a couple years), I'll probably sign-up for TWO connections... One for my home, and the other for a family member (within driving distance) or perhaps a friend. In exchange for free ultra-high-speed internet access, all they have to do is leave my back-up server running. rsync will finish pretty damn fast over a 20Mbps connection...
This really opens the possibility of a lot of online file-hosting services going out of business... It's no longer special that they have high-speed upstream, so why pay so much for an over-priced, terribly-limited, managed file hosting service?
Now if somebody could just convince Verizon to enable multicast on all their routers...
"Require all users to add and authorize Comcast's cert."
http://slashdot.org/comments.pl?sid=336771&threshold=3&commentsort=1&mode=nested&cid=21086889
You're wrong on every other point too, if that helps.
Which is why STEP #1 was to add (and trust) Comcast's certificate.
I suggest you try it out.
Comcast doesn't want to get access to your VPN. They want you to be unable to use your VPN AT ALL, on their lowest-priced account, and force you to upgrade to "pro" or some "business" account.
Very, very little. Many ISPs already run HTTP proxies, for the benefits of caching. An SSL/TLS proxy merely requires they buy a $100 encryption acceleration card for each proxy server. Operating costs are negligible, far more-so than a normal HTTP proxy, since only a tiny fraction of web traffic is ever encrypted.
Not true in the slightest. The SSL/TLS proxy accepts whatever cert and encryption level the website is using, decrypts it for inspection, then re-encrypts it (with Comcast's cert) and sends it to your browser. There are SSL/TLS proxies already available, so I don't understand how you can claim it's impossible.
What percentage of the general public is smart enough to understand that this is happening, and care enough to do anything more than complain about it?
Also, VPNs don't really use SSL/TLS, so the idea is going to be blocking them, rather than eavesdropping on them. Several ISPs already tell you that their lowest-priced accounts are not to be used for VPNs at all.
That's true in much of California as well. Lots of mountain ranges. Right now, Arrowhead is burning. They get plenty of snow. Last year, maybe it was Big Bear (lots of snow). Maybe next year it'll be Silverwood. All three mountains, right next to each other, at the very North-end of the L.A. Basin.
NEVER use technical specs offered from a (paraphrased) press release...
No need for that:
Require all users to add and authorize Comcast's cert.
Proxy all SSL/TLS connections.
Block all other encrypted traffic.
What? Why would they need to "join" bittorrent in order to disrupt it?
See encrypted traffic using lots of bandwidth? Send forged TCP RST packets to source and destination. Disconnected.
Standard (host-to-host) encryption can't do anything to prevent such man-in-the-middle DoS tricks. Full-fledged IPv6 does, but that's another story.
Everyone using SSH and P2P will switch to using port 443. If they block that, none of their customers will be able to shop online, and they will get up and leave, en masse.
These kinds of practices serve only to make things worse for the ISPs in the end. The bandwidth throttling arms race will do no good. Every step they take to try and control users only leads us all one step closer to all internet traffic being encrypted, embedded into HTTP commands, and spit out over port 80. Then it's just MORE bandwidth from each user for them to deliver, slower performance for everyone, high delays for important traffic, and many unhappy people.
One of the major internet authorities needs to step-in and forbid this kind of behavior, before these ISPs cause existing internet standards to become unusable. Use a big stick... Forbid Comcast from registering any new domain names, getting more IP addresses, peering with others, etc.
Bah! You clearly don't know California. Evacuating your home due to wild fires here is a lot like a road closure elsewhere... a minor annoyance you have to put up with for a few days, every couple years. Where your schools might close for "snow days", we have "fire days". Blogging about it is the most natural thing in the world... You have lots of time to kill.
Statistics state otherwise. You just happen to be delusional enough to think you are the exception to the rule (just like everyone else).
Yes, they do... Except right after take-off and landings.
From 30,000 feet, you have at minimum a full couple minutes to try and resolve whatever critical problem caused you to lose control, before it's too late. In a car, when your steering linkage breaks at 80MPH, you have a fraction of a second to live.
I know plenty that specifically look for systems that are less noisy. In fact that seems to be a much wider trend.
With so many manufacturers trying to make profits in a commodity market, extra cooling and less noise is a very strong value-added point.
A chunk of metal in an airplane is no more "complex" than a chunk of metal in your car. Either one failing will kill you.
Planes can turn around, go to higher or lower altitudes, fly many hundreds of miles out of their way, go to their alternate airport, etc.
Cars don't travel cross country at 35MPH. And jumping out of a car is very likely to get you run over by the car behind you.
Many of the things that can kill you are not, and when they go wrong, they go wrong very, very suddenly. In an airplane, similar things are under the pilots' control, and they are far better trained and equipped to deal with them than you are.
I don't think you took a good look at the pictures.
Yes, the Multia specifically had openings in the side, NOT the top, so you either had to upgrade the single 60mm fan, or you had to stand it vertically. The DTX prototype, however, CLEARLY has the entire top of the case made of swiss-cheese metal, so passive airflow will likely be BETTER when laid flat.
Personally, that is the single aspect of it that I HATE! With a solid case, and forced convection, you can make sure the airflow goes over the hottest components, and is pretty efficiently routes out of the case.
Here, you can't develop any pressure difference in the case. Any rear exhaust fan will mostly pull ambient air into the case an directly in-front of the fan, then blow it out again, doing NOTHING to cool the system. That has always been the biggest problem with ATX... You have individual fans on hot components, that just blow air in random directions, disrupting the direction of air flow. Companies have tried to fix it with some ducting here and there, but then they only do it for the CPU, and leave the rest to fight it out for airflow.
DEC, at least, had it all figured out 15 years ago, 3 zones, each pulling air directly from the front, over all hot components, and directly out the back again. HP, Compaq, etc. also got pretty close with some of their (non-ATX) workstations, but unfortunately none of the designers ever took the cue, and standardized something like it for PCs. Rack-mount servers are getting close, also, but it's still much of a free-for-all, with poor design being made-up for with louder and more powerful fans. I really wish somebody would wake up.
Oh, so you love this DTX prototype then, since it's entirely compatible with ATX?
Your first sentence had me confused...
Haha!
If you want digital I/O, the cheapest piece of crap built-in sound card will do just as well as anything else you can buy... It's digital, the AC3/DTS/LPCM sound is transferred completely unchanged, no matter what.
The DTX prototype has room for two half-height cards. Hauppauge PVR-150 or similar should be perfect for TV capture. I don't know about video cards, but I'm willing to bet there's one or two good half-height options out there.
Such a board would be nominally cheaper (if at all), no smaller, no less power hungry, and nominally less complex. THAT is why the ports are still there. Unless space is a big issues (as in notebooks) there's absolutely no reason to remove the legacy ports.
My expensive keyboard, IDE drives, CRT, Parallel and Serial devices (et al.), aren't going away, and I'm sure not going to get a $5 cheaper motherboard that requires me to buy a $100 USB Parallel/Serial/PS2 port replicator, SATA to IDE adapters, etc. to use it. If there's enough people that feel the same, economies of scale on that board go away, and it ends up costing more money than a similar one with the legacy ports.
You'd have a system that was as expensive as high-end (mini) notebooks, requires notebook components rather than much cheaper and higher-end desktop components, and can only support a very, very low level of heat/power consumption.
Fine if you want a very expensive, very low-end system in a tiny package that isn't practically expandable, but that's not what DTX is supposed to be.