Slashdot Mirror


User: BeBoxer

BeBoxer's activity in the archive.

Stories: 0
Comments: 766

Comments · 766

  1. Re:Can't get there from here on ISPs And Router Security · · Score: 2

    I believe the original question was about ISPs filtering any packets whose source address doesn't match the customer's range. In the case of a core router, this task is impossible. If a router is truly a core transit router, (almost) any source address it sees is a valid address. The place for these filters is on the links from individual customers or ISPs. Having a router that's fast enough to filter your customers' connections is just a cost of doing business in my opinion.

    I think it's only a matter of time before an ISP gets sued out of business for allowing forged packets onto the network. If I'm the victim of a DoS attack whose source addresses at least belong to the true originating ISP, I can probably get things cleaned up in less than an hour. If the source is forged, it might take me days. Do the math on a busy ecommerce site being down for days instead of hours.

    No matter what excuses people make, the only beneficiaries of allowing forged source addresses onto the net are crackers and script kiddies. If your router can't handle the load, buy a bigger one.
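The edge-versus-core distinction drawn in the comment above, as an added example that is not part of the original comment: a source-address check applied per customer link, with transit links left unfiltered. The link names, roles and prefixes (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed topology: two customer-facing links with their assigned
# prefixes and one core/transit link. Names and prefixes are assumptions.
LINKS = {
    "cust-a": {"role": "customer", "prefixes": ["192.0.2.0/24"]},
    "cust-b": {"role": "customer",
               "prefixes": ["198.51.100.0/25", "2001:db8:b::/48"]},
    "transit-1": {"role": "transit", "prefixes": []},
}

# Constructed sample traffic: (ingress link, claimed source address).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17"),         # inside cust-a's range
    ("cust-a", "203.0.113.9"),        # forged: not cust-a's address space
    ("cust-b", "198.51.100.200"),     # forged: outside the /25
    ("cust-b", "2001:db8:b:1::5"),    # inside cust-b's IPv6 range
    ("cust-b", "2001:db8:a::1"),      # forged IPv6 source
    ("transit-1", "203.0.113.9"),     # core link: nothing to compare against
]


def compile_links(links):
    """Parse the prefix strings once so the per-packet check is cheap."""
    return {
        name: (cfg["role"], [ipaddress.ip_network(p) for p in cfg["prefixes"]])
        for name, cfg in links.items()
    }


def ingress_check(compiled, link, src):
    """Return True if a packet with source `src` may enter on `link`."""
    role, nets = compiled[link]
    if role != "customer":
        # On a transit link (almost) any source is legitimate, so the
        # filter cannot live here; it belongs on the customer edge.
        return True
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in nets)


def audit(compiled, packets):
    """Group dropped sources by the customer link they arrived on."""
    dropped = {}
    for link, src in packets:
        if not ingress_check(compiled, link, src):
            dropped.setdefault(link, []).append(src)
    return dropped


COMPILED = compile_links(LINKS)

if __name__ == "__main__":
    for link, sources in audit(COMPILED, SAMPLE_PACKETS).items():
        print(link, "dropped forged sources:", sources)
```

Because every drop is recorded against the link it arrived on, a forged packet is attributable to a specific customer even though its source address is not.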

  2. Re:Generally... on Some Customers Can Roll Their Own DSL · · Score: 4

    Eh? I don't think this is why they run PPPoE. It's easy enough to set up DSL so that each user is bridged in and gets a single IP address. However, this approach has some security drawbacks. One is that it's hard to keep people from hooking up more than one computer, and grabbing more than one real IP address (or a whole ton of IP addresses.) It's also pretty hard to track down who did what when without PPPoE. If the evil hax0r kiddie changes his MAC address, steals an IP (instead of going thru the DHCP server), starts his DoS attack, and then puts his MAC back to normal and DHCP's an address, the ISP is going to have a hell of a time figuring out which user that traffic came from. They will have an IP address, but it was never assigned. If they happen to have an arp entry, they may have a MAC address. But, it's a MAC that isn't on the network anywhere. They could keep a log of every change in the bridging tables, but I'm not sure how realistic that is. Even then, a "smart" kiddie will change his MAC address to one used by a legit user, so when the ISP starts looking around they will track the traffic down to the wrong house.

    On the other hand, getting an IP address from PPPoE requires you to log in. So, any traffic from that address is provably from that user. All neat and tidy. Any reasonable PPP server will easily log each login session. Much easier from an ISP's point of view than dealing with the limitless ways a customer can screw with a plain old DSL line (or a cable modem. Most of the problems I mentioned apply to them both.)

  3. Re:This is JUST a theory... on Fling:Anonymous Protocol Suite · · Score: 2

    Someone should really patent this, it sounds like wonderful technology. Maybe when I get thru with my WOM (Write Only Memory) patent (I can achieve memory densities that are beyond your imagination!!!) I'll work on this one.

    The sad part is, with the current state of the PTO, you probably could patent both of these if you wanted to spend the time and money.

  4. Paranoia run rampant on Secretive Company Scanning the Net · · Score: 4

    I can't believe the number of posters who are worrying that this company is somehow scanning their networks or invading their privacy. Numerous posts refer to port scanning, despite the fact that the article neither states nor implies that they are doing any such thing. Numerous comparisons are made to walking down a street trying all the doorknobs looking for unlocked doors. This is a completely unfounded comparison.

    Yes, running a portscan of a host is a lot like checking to see if any windows or doors are unlocked. However, pinging hosts is not like trying doors. It's not even like knocking on doors. It's like driving down a street and taking note of which lots have houses on them. Having somebody ping your host has zero negative impact on your performance, and the only security related information it reveals is whether or not the address is in use at all.

    Traceroute is the same way. It's not revealing anything personal, private, or security related to the person running traceroute. It's most akin to somebody driving around your neighborhood building a map of the streets. Thank god the paranoids around here aren't making up the laws in meat space. They would make it illegal to drive into a neighborhood and even look at the houses without being escorted by a resident. After all, if a person doesn't live in your neighborhood, they don't have any business there, right? And everyone knows that criminals drive around looking at the houses trying to figure out which one to rob, right? So let's make it illegal to drive thru any neighborhood without the permission of the residents. Never mind that on the Internet, there is no zoning and there is no way to distinguish "residential" addresses from "business" addresses.

    And I could care less if some of you get paged when these folks ping your network. That's your problem, that you let something this innocuous interrupt your life. You could have your pager go off every time time_t takes on a prime value, also. That doesn't make prime numbers evil.

  5. Re:FBI Taps not legal if you can't find out on FBI's Wiretapping Demands May Nix Verio Deal · · Score: 2

    What? Where does stuff like this come from? Most states have laws that require that when private citizens record their own phone conversations the recorder should beep periodically to remind the other party that they are being taped. However, no such requirement exists for a law enforcement wiretap. I don't think the FBI would worry about wiretaps very much if they had to announce them in advance to the suspects. I can't imagine that they would be very effective if they told the crooks when they were tapping them. Crooks may not be the smartest bunch, but they are able to function at some level.

    Now, there are requirements that they inform people after the fact that they have been recorded by a wiretap. But, this can happen many months after the call itself. I don't know how careful they are about actually doing this, however. After all, if you didn't know you were tapped in the first place, you wouldn't know that you hadn't been informed.

  6. Re:Cheap Webpads on Crusoe To Be Used By Netwinder, IBM, NEC, Others · · Score: 2

    I have to correct myself. I haven't tested it personally, but according to my trusty copy of the IEEE 802.11 Handbook, FHSS devices should be interoperable with 11Mbps DSSS devices. Given that, $78 is a pretty good deal for a PCMCIA wireless card. I would still recommend an Airport for an access point, however.

  7. Re:Cheap Webpads on Crusoe To Be Used By Netwinder, IBM, NEC, Others · · Score: 2

    Um, exactly how an AirPort, which is 802.11b compatible, can run at 11Mbps, includes a NAT/DHCP server, a modem/PPP client, can be configured from Linux, and priced at $280 is somehow "overpriced crapola" compared to an access point which runs 802.11 at 2Mbps for $360. But whatever.

    Their PCMCIA cards are attractively priced at $78, however. Too bad most of the 802.11 manufacturers have moved to DSSS instead of FHSS so that they can run at 11Mbps, so the Webgear stuff won't work with most new equipment.

  8. Re:Cheap Webpads on Crusoe To Be Used By Netwinder, IBM, NEC, Others · · Score: 2

    This will start happening pretty fast. With Apple AirPorts going for $280.00 at PCConnection which can be configured under Linux with a Java management client, the other folks won't have a choice but to drop prices.

  9. Re:Isn't It Ironic ... on Court Orders Owner Of Peta.org To Give Up Domain · · Score: 3

    kinnunen wrote:
    So being a vegetarian is Ok, but if a person is a vegan it makes him an asshole who should kill himself. I see. I am not a vegan, nor am I a vegetarian - I enjoy a good burger every now and then (in McDonalds). I may not agree with the PETA ideals (or methods), but I sure as hell don't condemn a group of people for having a very high respect for life.

    What was the point of the message that you replied to? Think really hard.


    I think you missed a certain level of sarcasm in my post, along with a healthy dose of reductio ad absurdum argument. My point being, that if you think that your life is worth the same as any other living being on the planet, the only logical conclusion is to kill yourself. Why? Because it is simply not possible for a human to live their life without destroying millions if not billions of "innocent" lifeforms in the process. Is my life worth the same as another human's? Sure. Is my life worth the same as a cat or dog? Debatable. Is my life worth the same as a worm? No. Anybody who really believes so really has no logical option but to kill themselves.

    This does not mean that I think that vegans are necessarily assholes (your word, not mine). Nor does it mean that I condemn people for having a high respect for life. I condemn them for having a set of beliefs which is directly at odds with their own voluntary choice to continue their life at all. People whose beliefs don't take into account that their own life by necessity continues only at the cost of other beings' lives are hypocrites whose beliefs are just so much touchy feely nonsense.

  10. Re:Isn't It Ironic ... on Court Orders Owner Of Peta.org To Give Up Domain · · Score: 5

    There's nothing wrong with being vegetarian. I don't happen to be, but there are valid reasons for it. Peta, however, is a pretty radical organization in my opinion. I can see not wanting to harm mammals, which do a pretty good job of acting like sentient beings. But, they go far beyond wanting to help cute bunnies and friendly cows.

    Take a look here for example. Not only should you give up beef to save the cows, but you should give up honey to save bees and give up silk to save worms! This is what lost the last shred of credibility I had for PETA. I mean, insects? By this logic it's immoral for me to rid my house of termites because I would be cruelly murdering thousands or millions of innocent, sentient, insects for my own financial well-being. Whatever. By this definition of moral behavior, it is virtually impossible to live your life at all. My recommendation for all PETA members is to save the planet: kill yourself. Except that that would deprive all the innocent E. Coli in your guts a home. Oh well. At least the rest of us will be rid of your misguided guilt about your own existence.

  11. Re:You can't crack everything on SightSound To Distribute Films Via Gnutella · · Score: 2

    Here is why you can't reuse your pad, even to send the next pad. In this case, we will assume that you encrypt your data using XOR with the pad. We will have the following variables:
    O1 and O2 = OTP one and two.
    P1 and P2 = Plaintext one and two
    C1, C2, and C3 = the three ciphertexts.

    Send the first encrypted message:
    C1 = P1 XOR O1

    Send the first pad encrypted with the second pad:
    C2 = O1 XOR O2

    Send the second encrypted message:
    C3 = P2 XOR O2

    Your opponent has C1,C2,C3, since that's what you transmitted.

    So, your opponent performs the following:
    C1 XOR C2 XOR C3 =
    (P1 XOR O1) XOR (O1 XOR O2) XOR (P2 XOR O2)
    The way XOR works, duplicated variables cancel out, so the above is equal to:
    P1 XOR P2
    because the two O1's and the two O2's each cancel out.
    Now, your opponent has your two plaintexts XOR'd with each other, which is easily solvable. You may as well use ROT13.
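The cancellation walked through in the comment above, run on real bytes, as an added example that is not part of the original comment. The two plaintexts are constructed sample messages; the variable names follow the comment's O1/O2, P1/P2 and C1..C3.

```python
import secrets

# Constructed sample plaintexts of equal length (22 bytes each).
P1 = b"WIRE 5000 TO ACCT 1234"
P2 = b"WIRE 9000 TO ACCT 9876"


def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def send_with_chained_pad(p1, p2):
    """The scheme from the comment: the second pad travels under the first.

    Returns only what goes over the wire (C1, C2, C3); both pads are
    fresh random bytes and never leave this function.
    """
    o1 = secrets.token_bytes(len(p1))
    o2 = secrets.token_bytes(len(p1))
    c1 = xor(p1, o1)   # C1 = P1 XOR O1
    c2 = xor(o1, o2)   # C2 = O1 XOR O2 (pad one reused to protect pad two)
    c3 = xor(p2, o2)   # C3 = P2 XOR O2
    return c1, c2, c3


def observer_combines(c1, c2, c3):
    """C1 XOR C2 XOR C3: O1 and O2 each appear twice and cancel."""
    return xor(xor(c1, c2), c3)


def differing_positions(combined):
    """Offsets where the two plaintexts differ (non-zero bytes of P1 XOR P2)."""
    return [i for i, b in enumerate(combined) if b != 0]


def recover_other(combined, known_plaintext):
    """With one plaintext known, the other follows from P1 XOR P2."""
    return xor(combined, known_plaintext)


if __name__ == "__main__":
    combined = observer_combines(*send_with_chained_pad(P1, P2))
    print("equals P1 XOR P2:", combined == xor(P1, P2))
    print("plaintexts differ at offsets:", differing_positions(combined))
    print("P2 from known P1:", recover_other(combined, P1))
```

The pads are regenerated on every run, yet the combined value never changes, which is the point: the randomness protecting the messages has been cancelled out entirely.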

  12. Re:The real problem... on Identification By Typing · · Score: 4

    Undoubtedly, it will. Why? It absolutely has to. All of these schemes such as typing rhythm, retina scan, fingerprint, are all nothing but disguised password schemes. It doesn't matter if your password is the word "secret", your credit card number, your SSN, a vector of your typing speed, or a GIF of your finger. In ALL cases, a program on the client gets the "password" and sends it to the server. In ALL cases, the client software has to be "trusted" by the server. In other words, any kind of open source is completely out of the question. Otherwise, the server can't stop someone from putting together a version of the program that reads its input from a file instead of from the "legit" source. And how are you going to know whether or not the client is saving your ID to a file? Actually, you can't stop them even with a binary-only solution. It's just security thru obscurity.

    What's worse, is that all of these schemes rely on you giving the server all the information the server needs to impersonate you every time you sign in. What if your bank and your favorite pr0n site both use a fingerprint scan to ID you? Congratulations, the only thing keeping your pr0n dealer out of your bank account is their skill with a debugger! It's just like the crappy security on credit cards. Every single vendor you do business with has all the information they need to impersonate you. It's a testament to how honest the majority of people are that the entire industry hasn't gone belly up.

    But the biometrics are the absolute worst, since you can't change your password. At least you can close a credit card account and get a new one. I don't know where to buy new fingers or retinas, however. The only long term solution will be based on some sort of public-key algorithm. Anything else is just a scam. Actually, the one place where a fingerprint scanner might be handy is to authenticate you to a hardware smart-card that does your public key for you. Since the whole thing is built by a single vendor in hardware, it could be made pretty secure. At a minimum, a crook would have to steal the card and have a fair amount of hardware skill to get anything useful out of it. But this whole idea of using biometrics over the internet is just a bunch of snake oil. And poisonous snake oil at that. You're better off sticking with what you have now, at least then you can be conscious of the fact that your security sucks.

  13. Re:But wait, cause you're missing something... on Do 'Bandwidth Bullies' Abuse Their Positions? · · Score: 2

    I looked over InterNAP's web site, and I fail to see how they are doing anything special. It appears that they simply want to run the large access points. However, changing the legal structure of the access points doesn't imply any real change from a technical standpoint.

    What's really needed are simply more peering points. If InterNAP can help throw a few more into the mix, that's great. But I don't think they are doing anything special from a networking point of view. When you get down to it, peering points are difficult to get started. It costs a backbone provider real resources in terms of cost, equipment, and time to drop a connection into a peering point. Unless it's already a popular point, why bother? I mean, who wants to be the first one into a peering point, right?

    It's also important to keep in mind that there are a lot more peering points than just the MAEs. Some are big, some are small. Some are popular, others are pretty much failures. Sometimes big backbone companies peer with each other multiple times all over the country. Other times, there are egregious failures of companies to peer. My favorite example is USWest and Qwest, which are in the process of merging and both have HQs literally within blocks of each other in Denver, but don't peer!

    So while peering can definitely use some improvement, I don't think it's all that bad. In fact, I would hazard a random guess that most slowdowns are due to the smaller ISPs and web sites on the edge of the net. A lot of ISPs grossly oversubscribe to make ends meet. A lot of smaller web sites can't afford the bandwidth they really need if they get popular or a flash-crowd hits. Actually, a lot of days I'm amazed that this thing still works at all.

  14. Re:But wait, cause you're missing something... on Do 'Bandwidth Bullies' Abuse Their Positions? · · Score: 2

    You know, I've heard this spin before, and I feel the need to debunk it. What the carriers are doing is exactly what they should be doing with the information they have. As you put it, What the big guys do is dump your traffic off at the local public exchange point at the soonest opportunity. Which is exactly what they should do. If the packet is destined for one of their customers, they should get it there directly. If the packet is not destined for one of their customers, they should get it off of their network ASAP. Why? Because the carriers have no idea what each other's network looks like. Not at the BGP level. All any of them know is what AS path they should use. In other words, they don't know how many hops away a destination is. They just know which carriers the packet needs to go thru. So they get it to the proper carrier as quickly as they can. Would you rather that UUNet bounced your packets around for a few extra hops instead?

    To make this more clear, let's make up an example. Say an MCI customer in Washington DC is sending a packet to a Sprint customer in San Jose. Let's also stipulate that MCI and Sprint peer in DC and SJ. Someone needs to carry that packet across the country. Who should that be? The answer is Sprint, not MCI. We can complain that MCI is dump[ing] traffic at the soonest opportunity, and we would be correct. Because, MCI has no way to tell that the destination is in California. Only Sprint knows that. So, MCI gives the packet to Sprint ASAP (in DC) because the alternative is for MCI to bounce the packet around its own network at random. Remember, only Sprint knows where Sprint customers are. Is it "fair" that Sprint has to carry the packet, and that MCI just dumped it as fast as it could? Maybe yes, maybe no. It doesn't matter. The way backbone routing works mandates that it be done this way. Don't like it? Feel free to try and improve on BGP.

  15. How it uses Inter-domain cookies. on CNET Patents Banner Advertising Networks · · Score: 2

    If you read thru the preferred implementation in the patent, it details a kind of neat trick for allowing a group of servers who cooperate to in effect use the same cookie across all of them. While I don't think it's an appropriate thing to be patented, as far as I know it is novel (although not very complex).

    The basic gist of it is this. A new client connects to a server say www.domainA.com. DomainA sets a cookie on the user's client as it serves up the web page. It also includes in the web page a reference to something (such as a 1x1 GIF) at www.domainB.com. Now, normally, your browser prevents domainB from accessing the cookie set by domainA. To work around this, the URL for the GIF on domainB is really a notice from domainA to domainB about the value of the cookie it just set. For example, it would be http://www.domainB.com/set-cookie/value=0xdeadbeef/1x1.gif, where 0xdeadbeef is the value of the cookie that domainA just set on the client. In the response from domainB back to the client, it includes the cookie value=0xdeadbeef. Now, both domainA and domainB have identical cookies installed on the unsuspecting client. While they are in fact two different cookies, it works just like a cookie that is served to both domainA and domainB. Tricky, eh?
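Seen from the client side, the hand-off described in the comment above leaves a recognisable trace: a cookie value set by one site turns up inside the URL of a request to a different site. The following is an added example, not part of the original comment, that looks for that trace in a constructed browsing log; the event format, the `MIN_ID_LEN` threshold and the two-label `site()` shortcut are assumptions.

```python
from urllib.parse import urlsplit, unquote

MIN_ID_LEN = 8  # assumption: shorter values match URLs by chance too often

# Constructed log of one page load, in request order. Each event is the
# requested URL plus any cookies the response set (name -> value).
SAMPLE_EVENTS = [
    {"url": "http://www.domainA.com/index.html",
     "set_cookie": {"id": "0xdeadbeef"}},
    {"url": "http://www.domainB.com/set-cookie/value=0xdeadbeef/1x1.gif",
     "set_cookie": {"value": "0xdeadbeef"}},
    # Same site as the setter: carrying its own ID is not a hand-off.
    {"url": "http://static.domainA.com/logo.gif?id=0xdeadbeef",
     "set_cookie": {}},
    # Unrelated third party that sets its own, different identifier.
    {"url": "http://www.domainC.com/ad.gif",
     "set_cookie": {"c": "11223344aabb"}},
]


def site(host):
    """Collapse a hostname to its last two labels.

    Simplification for the example; real tooling would consult the
    Public Suffix List to find the registrable domain.
    """
    return ".".join(host.lower().split(".")[-2:])


def find_cookie_syncs(events):
    """Return (origin_site, receiving_site, value, mirrored) tuples.

    `mirrored` is True when the receiving site's response sets a cookie
    with the same value, as in the comment's example.
    """
    first_setter = {}  # cookie value -> site that first set it
    findings = []
    for ev in events:
        parts = urlsplit(ev["url"])
        here = site(parts.hostname)
        # Search path and query, decoded, since the ID may sit in either.
        haystack = unquote(parts.path + "?" + parts.query)
        cookies = ev.get("set_cookie", {})
        for value, origin in first_setter.items():
            if origin != here and value in haystack:
                findings.append((origin, here, value,
                                 value in cookies.values()))
        for value in cookies.values():
            if len(value) >= MIN_ID_LEN:
                first_setter.setdefault(value, here)
    return findings


if __name__ == "__main__":
    for origin, receiver, value, mirrored in find_cookie_syncs(SAMPLE_EVENTS):
        print(f"{origin} passed {value} to {receiver}; mirrored={mirrored}")
```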

  16. Whose vision is Utopian? on At Last And At Length: Lars Speaks · · Score: 2

    You say that the vision of free exchange of information is Utopian, and you're right in many ways. However, the vision that Lars has that he can actually exert control over all copies of his music is equally Utopian (or Orwellian depending on your point of view.) The simple reality is that you can exert some control in some circumstances. But, you can't stop people from simply creating a new venue for exchange that you don't control.

    I think that the music industry can remain relevant and competitive, but not with its current tack. Take Napster for example. They want to hold Napster liable for the people who misuse its product. By this train of logic, if people were trading songs via email (a fairly easy thing to set up.), Metallica would be harassing Microsoft for making email programs.

    In order to prosper in the new economy, I believe that the music industry (and all other IP-based industries really) needs to adopt the following strategy.

    First, use the legal system against the individuals who are illegally distributing your music. Can you stop them all? No, don't be ridiculous. But that's not the point. All you need to do is make them hide. Make sure the general public can't find them just by doing a Yahoo search. Any pirate distributor who is dumb enough to make themself easily visible and accessible to the general public is also accessible to your lawyers. Remember, the goal is not to eliminate all sources of pirated material. The goal is to push it underground so that it's a pain in the ass to find and use.

    Second, make your music easily available over the Internet on YOUR terms. The public wants to be able to easily download music off the Internet. If it's not on your terms, it's on somebody else's terms. But the bottom line is that your music WILL end up on the Internet. Have a web site where your fans can easily sign up and purchase your music for a reasonable price. If you don't provide this option, they have no choice but to go to the pirates. However, if you make your site attractive, affordable, and a pleasure to use your fans will use it. Assuming that you've done your work in step one and made it a pain in the ass to get music from the pirates.

    The bottom line is that the media companies cannot stop piracy. But, they can compete with it.

  17. Re:Another Bell System Fiasco? on Government Gives Microsoft Offer Thumbs Down · · Score: 2

    There is something to be said for the idea that the consumer operating system is something of a natural monopoly. After all, it is certainly easier for the consumer to know that any program they buy will run on their machine. It's certainly easier for developers to just be able to target a single platform.

    However, if we take it as a given that OS is a natural monopoly (or at least a desirable one), it is far from clear whether or not Microsoft is the answer. If we assume that M$ should be the OS, then it only makes sense that M$ must be heavily regulated (as Ma Bell was). That means fixed pricing controlled by government. Equal access to licenses for all companies, etc. etc.

    But, unlike in the case of the telephone companies, there is an interesting alternative in the OS space. That alternative is Linux. Since no one really owns it in the traditional sense, we could have dozens of companies selling the same OS. They could compete based on price, service, etc. They could distinguish themselves by tuning their distros to different application spaces, such as novice users, servers, embedded applications, etc. As long as there is a certain amount of standardization with respect to included libraries, paths, etc. consumers and developers can have all the benefits of a "monopoly" OS without the downside of giving a single company some ridiculous amount of power and having the corresponding burdensome government regulation.

    But I suspect I'm preaching to the choir here. It is a good argument to give to non-technical people about the advantages for everyone of Linux. We can all have the benefits of a standardized OS without the negative effects of a monopoly company owning a huge and vital portion of our infrastructure.

  18. Re:Reasonable on Judge Rakoff Explains MP3.com Ruling · · Score: 3

    I think the judge is thinking of this in the commercial domain. I believe that copyright law often distinguishes between things that are OK for a private individual to do for personal use, but not OK for a corporation to do for profit. For example, can I turn up my stereo really loud so that I can hear my tunes in the front yard? Certainly. No judge in the world is going to have a problem with that (unless it's a noise violation in your town.) Now, suppose that I turn the stereo way up and begin charging people a dollar a piece to sit in my front yard and listen to my stereo. Think the judge would mind? Almost certainly.

    In the same vein, do you think a judge would mind if I rip my own CDs and put them on my personal web server on my DSL line or whatever so that I can access it (via password or whatever) from work or wherever? Almost certainly not. But this isn't what my.mp3.com was doing. Imagine a company that begins making tapes of CDs. Now imagine that it begins selling these tapes without getting permission from the copyright holder. But, the company says, we only sell the tapes to people who show us their copy of the CD! Do you think the judge is going to care? No. They are selling illegal copies of copyrighted material. Just because an individual is allowed to do something for personal use doesn't mean a company can do it for profit.

  19. Re:The problem with Rambus compared to SDRAM... on Will Rambus Go Bust? · · Score: 2

    This is the argument I always hear, is that RAMBUS will scale better. But, somehow, I'm just not buying it. Right now, high end RDRAM is about three times as fast as high end SDRAM (400MHz vs. 133MHz) with the advantage of being DDR. This is enough to beat out SDRAM despite transferring 1/4 the data at a time (16 bits vs. 64 bits). But, soon DDR-SDRAM will hit the market, and RDRAM needs to clock four times as fast to hit the same bandwidth. It seems that 133MHz DDR-SDRAM will be the first version to hit the street. RDRAM will need to clock at 532MHz just to have the same bandwidth, a hefty increase over the current 400MHz top-speed of RAMBUS today. If SDRAM manages to hit 250MHz (slower than the slowest RAMBUS available today), RAMBUS will have to clock at a full 1GHz to keep up. How long do you think it's going to be before you can buy a motherboard that runs at 1Gig?

    Something else, and I could be wrong about this, but I don't think RAMBUS really qualifies as a serial protocol. It sends 16-bits at a time, and hence has the same sort of timing constraints as a "parallel" solution. If you really tried to send single bits over a single channel to avoid skew problems, you would have to clock that channel at 6.4GHz to keep up with lowly PC100 memory. Good luck!

  20. Re:How do you know? on BeOS Boo-Boo: Violating The GPL -- Updated · · Score: 2

    Well, this is kind of a dead giveaway:
    localhost% cd obj.i586.dyn
    localhost% ls
    ef_malloc.o ef_print.o malloc.o
    ef_page.o efence.o mcheck.o
    localhost% strings * | sort | uniq | more
    Electric Fence 2.0.5 Copyright (C) 1987-1998 Bruce Perens.

    If they reimplemented the functions, that was pretty nice of them to give credit to Bruce anyways. I'm sure this is an oversight on their part. I mean, why would you follow the GPL on dozens of packages and include many MBs of source on your FTP server, and then try and "steal" four .c files (leaving the author's copyright notice intact at that)?

  21. Re:Looks like there never was a backdoor (read bel on Backdoor In Microsoft Web Software? · · Score: 2

    I don't think it was the Slashdotters who made fools of themselves. Keep in mind that this story was carried on numerous major news sites, including WSJ and C|Net, and included the phrase "Microsoft confirmed" along with other quotes from Microsoft management. I really don't think you can blame people for believing the story when it appears that Microsoft itself believed it to be true. Take this quote from the C|Net article about the bug:

    "This is a vulnerability because it allows an author on one Web site on a shared server to see anything on another server," said Steve Lipner, manager of Microsoft's Security Response Center. "That's the extent of the vulnerability."


    Skepticism is always a healthy thing, but I don't think it's unreasonable to believe that a security hole exists in a Microsoft product when Microsoft says that there is a hole! I mean, do we all have to go install IIS and verify the existence of the hole ourselves to avoid acting "foolish"?

  22. Re:The governmen shouldn't break MS up on DOJ Wary Of Breaking Up Microsoft · · Score: 2

    I think what you actually mean to say is that with the introduction of Windows95, Microsoft made it easy for Microsoft users to "log onto the Internet." The fact that you conveniently forget to mention is that Microsoft was the LAST major OS manufacturer to include TCP/IP support. The Unix vendors had all been including it for a very long time when Win95 came out. Apple had also been shipping TCP/IP functionality with the MacOS for quite some time. Poor Win3.1 users were stuck searching around for a copy of Trumpet and trying to get it to work if they wanted to do anything Internet related.

    It never ceases to amaze me how people will point to what a great job Microsoft did implementing this or that feature, and how they are making everyone's life better, when the truth of the matter was that they are the last ones to get onto a boat that everyone else had been on for years.

  23. Re:OK, I'll bite on How Much Is A Web Site Worth? · · Score: 2

    What??? I don't see how you can even pretend that there is a major difference here. If I run a download site that offers music copied from some other label I am clearly "trading using someone else's material, which they have invested time and money developing". I can also clearly undercut them because I have not had to find the artists, pay the artists, or pay production costs.

    Now, the interesting thing is that you can't copy a web site the way you copy an MP3. When you get right down to it, a lot of the value of a web site is the address. The same content at a different address is probably worth a lot less because no one knows it's there. Say I snuck into CmdrTaco's house one night and dd'd the drives that contain Slashdot. Then I make that copy available under my own url http://nowhere.org or whatever. Is that copy worth anything? Not really. The interesting thing is that domain names are much more like real property in that you can't just copy it. There can be only one slashdot.org. If it points to my servers, it doesn't point to andover's servers anymore. Also, most web sites that are valuable are dynamic. Having a copy of slashdot from six months ago isn't very valuable. Having a web site that changes constantly means that you get regular repeat visitors. If you just have static content, people can read it once, and never bother coming back. In order to copy a dynamic site, you need to copy the process that changes the site, which in many cases is difficult or impossible.

  24. Re:How about a regulated monopoly? on DoJ Rejects Microsoft Settlement · · Score: 2

    Actually, this seems like a pretty good idea to me. If they had to give all OEMs the same pricing, perhaps with a scale to take volume into account, they wouldn't have a lot less leverage to punish OEMs who dare to sell computers with other OS's. It was largely the per-processor licenses and the ability to crush OEMs with excessive prices that they used to keep other OS's out of the market.

    As to what is keeping their prices in check, that's a good question. Here's a little quote I found about M$'s earnings:

    For the 6 months ended 12/31/99, revenue rose 22% to $11.5B. Net income applic. to Common rose 26% to $4.61B.

    A little rudimentary math indicates that M$ is clearing a whopping 40% (and rising!) profit margin. Now, I'm not an MBA or anything, but most companies would probably be happy making a quarter of that. Hell, most companies would probably be happy with a tenth of that. In a quick search of other large, famous companies, I can't find a one making more than 15%, and most are making less than 5%.

  25. Re:Encryption on First 7-qubit Quantum Computer Developed · · Score: 3

    Let me start with the disclaimer that I am not an expert in either quantum mechanics or number theory. That said, there is a fundamental difference between public and private key crypto. Public key is all based upon various problems which are considered to be "trapdoor" problems. This means that they are easy to compute in one direction, and "hard" to compute in the other. The classic one (which RSA is based upon) is factoring. It is easy to multiply two prime numbers together. It is "hard" to factor the resulting number to get the original primes back. I put "hard" into quotes because no one has ever proven that these problems are actually hard. It's just that no one has ever figured out an efficient algorithm for solving them, at least not with classical computers. The quantum computers, it appears, will be able to brute force these problems by just trying all possible answers at once. This works for factoring because one answer is provably right, and the others are provably wrong.

    On the other hand, private key does not suffer from this problem. The reason being that you can't prove which answer is the correct one. In the most extreme form, we have the one time pad. This is a provably secure encryption method, the reason being that given a ciphertext of a certain size, there exists a key which will decrypt that ciphertext into any possible plaintext of the same size with equal probability. So, even if you did try every possible key, the results would be every possible plaintext with no way to tell which one is correct. Even the practical private key systems that we use (DES, Blowfish, IDEA), a successful cryptanalysis relies upon there being patterns or detectable traits in the plaintext so that we can distinguish the "junk" produced by bad keys from the correct answer. This is very different from the public-key case where you can mathematically prove that you have the correct answer.