From TFA: "The claim that GCHQ make is that existing protocols do not support the necessary “scale and usability requirements”" ...just like Dual_EC_DRBG does not support the necessary "security" for a cryptographically secure pseudorandom number generator.
No, they don't. Oversimplified: long haul stretches of fibre are "single mode" to prevent the signal dispersion blurring the edges of 0 and 1 transitions. https://en.wikipedia.org/wiki/...
and I wanted to moderate this story down for its appalling failure to call W3C "W3C" two times out of three.
ip6tables is a doddle to use, and assuming you have a new enough kernel pretty much all you'll need will be a variation upon:
ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
ip6tables -A FORWARD -i $upstream_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
sysctl net.ipv6.conf.all.forwarding=1
(NB: you probably want more than that, but assuming your $lan_if and $upstream_if have appropriate IPv6 subnets on, and everything is routing correctly, then you get "the same behaviour you used to" when you had your IPv4 NAT... only now you have "real" end-to-end connectivity)
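An added example, not the commenter's own script: a generator for an ip6tables-restore ruleset that implements the same policy (LAN may initiate outbound, upstream only gets in as part of an existing flow) and additionally passes the ICMPv6 types IPv6 cannot work without. The interface names, the SSH rule for the router itself and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build an ip6tables-restore ruleset for a router with one
# LAN and one upstream interface. Interface names are passed as arguments
# (assumed placeholders). Unlike the bare FORWARD rules in the comment
# above, this also lets through the ICMPv6 that IPv6 depends on
# (packet-too-big for path MTU discovery, echo for troubleshooting).

# Usage: build_ip6_rules LAN_IF UPSTREAM_IF  -> ruleset text on stdout
build_ip6_rules() {
    lan_if="$1"
    upstream_if="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: loopback, replies to its own flows, ICMPv6, LAN-side SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i ${lan_if} -p tcp --dport 22 -j ACCEPT
# Forwarded traffic: LAN hosts may initiate anything towards upstream ...
-A FORWARD -i ${lan_if} -o ${upstream_if} -j ACCEPT
# ... upstream may only reach the LAN as part of a flow the LAN started
-A FORWARD -i ${upstream_if} -o ${lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Without these, PMTUD silently fails and large transfers hang
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically and only then turn on forwarding, so there is
# never a window where packets are routed without the filter in place.
# Needs root; deliberately not run automatically so the output can be
# inspected first with: build_ip6_rules eth1 eth0
apply_ip6_rules() {
    build_ip6_rules "$1" "$2" | ip6tables-restore
    sysctl -w net.ipv6.conf.all.forwarding=1
}
```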
Scan your network topology from anywhere in the world?
See also: stateful firewall. NAT is not a firewall.
Good luck with that.
Traders who make money through "arbitrage" need access to more than one exchange — they're making money off the price differences of securities on each. They justify this as being beneficial to the market, because they're making prices equal across the world. Guess it's just coincidence that it's beneficial to their bottom line too, eh?
It's a lot more complicated than that: GP Practices are often private partnership businesses (between a bunch of GPs) and most definitely are run "for profit" in the sense that they have to bid for work from the healthcare commissioners (mostly this used to be the PCTs, now it's mostly the regional StHAs, etc). And the NHS does farm out some work to private hospitals to meet its waiting-list targets (and also under the banner of "Choice" that the Blairite government brought in)... but yes: the vast, vast majority (approx £1000/bed/day that it costs to run a hospital) is state-owned, state-run, taxpayer-funded.
I agree there is significant waste, yes. But removing the context of something for a snappy headline — misrepresenting something to get a soundbite — is bad journalism. Geeks expect better!
Healthcare? Profitable? I worked for the National Health Service for four years. It most definitely has its fair share of wastage. But the NHS — being state-owned and state-provided healthcare — is certainly not "profitable".
About that £3500 PC...
The media reporting this story appear to be doing a good job of ignoring what that £3500 PC actually is: three years of PC, with software licensing, hardware replacement, upgrades, maintenance and support. It's not just the bare metal put on someone's desk but the full service behind it.
If you take the IT budget for a large healthcare public sector organisation and divide it by the number of desktop PCs they support, it'll probably come out at around £1000/year.
Current UK Government, with its close ties to Murdoch and News Corp, is unlikely to be fighting for neutrality in this situation. They're not fighting for an equalities commission to look at the News Corp buy-out of BSkyB. I can't see them stepping in here either, even to protect the BBC.
"Best efforts" might mean "best effort getting that traffic through our really congested upstream transit provider".
Something with higher quality might be a direct private peering.
Of course, it's not unknown that ISPs engineer congestion on those upstreams to force a private peering -- and you can bet your bottom dollar it won't be a "settlement free" peering.
This is what the drive to the lowest price possible gets you: a broadband that loses the ISP money in an attempt to get that TV and billboard price-point of £5.99 per month. How does the ISP make money and remain competitive? Answer: more bites at the cherry! Phorm, getting content providers to pay... etc...
I'd be amazed if Comcast had only one 10Gbit/sec transit interface to one of their two upstreams: it's likely they take several at multiple different TATA POPs.
Multi-national providers are likely to be running their graphs in UTC - reading the graph that way makes a lot more sense.
Taken from wikileaks' Twitter at http://twitter.com/wikileaks/status/17498238199 is this:
"Wired's war on WikiLeaks continues. See comment by 'mpineiro' http://bit.ly/aZm4US"
Not so quick to judge Wired's coverage at face value...
I believe that ACPO (the Association of Chief Police Officers) have written a memorandum of understanding (MoU) in which they state that IT technicians investigating the matter will not be prosecuted... even though technically they are still breaking the law. Not a good set of circumstances at all!
...and this patent was filed three years ago and published two years ago. Oh wait, the article in the Guardian was published two years ago too. Did I accidentally get so bored as to click "yesterday" over seven hundred times... or is it a slow news day? :-)
Roger Waters said it well when he penned the song, "The Bravery of Being out of Range".
These are the same friends that type "com" when you say "org"? =) (yes, I know slashdot.com works... but to me that 301 says it's *wrong* ;-)
Repeat after me: FREENET IS NOT ANONYMOUS! (but it's slowly getting there!) http://freenetproject.org/faq.html#attack says: "Freenet does not offer true anonymity in the way that Tor and the Mixmaster cypherpunk remailers do." I'm not sure if anything stops BPI from running a Freenet node which has some interesting chunks of data on offer (say, a tiny bit of each MP3 they're currently trying to track). Your IP connects and requests this chunk. Sure, you might be able to plausibly deny "my Freenet node was getting that block for someone else!" But I'm sure it'd be enough ammunition for the BPI to ask your ISP to give you a kick for running a "server" or some other rubbish by way of breaching the AUP. Still, if their "darknet" stuff starts to get up to scratch, it'll be a big improvement.
If I were able to moderate you, +1 funny for sure... though I'm not sure Debian's recent SSL "backdoor" was deliberate ;-)
VPNs, email, uploading images to things like Flickr... there are plenty of reasons why you might have a big spike in outbound traffic while not "hosting a server at home". Some of that traffic might be encrypted (see my comment below).
Encrypted (or at least indecipherable) traffic that's already "mainstream" and can often be "mostly outbound" from the customer includes Skype, VPN clients, VNC or "Back to my Mac", email for clients supporting SSL/TLS, uploading images to gallery websites via HTTPS, DNSsec (maybe, one day)... And unless ISPs, or companies supplying DPI and monitoring kit, can keep up with all the proprietary software for things like video-conferencing (and gods know what else in the future) there are boggling possibilities for traffic that is not easily distinguishable from "encrypted" which might be going out of a customer's connection. It might not actually be "encrypted" but when you've got multiple gigabit transit feeds and you have to expend a little CPU to tell whether this packet is a chunk of, say, an MPEG stream or part of an SSL session then filtering traffic starts to become expensive. It's an arms race, and eventually the ISPs will throw more CPU power and money at expensive traffic monitoring and categorising kit. When they do, I'll be back to post a similarly glib slashdot post to my earlier one. Till then, I guess the "discerning illegal filesharer" will avoid being the low-hanging fruit, eh?