NX over a low-bandwidth or high-latency link blows VNC clear out of the water. It's not even comparable. Combine that with the ability of NX to run rootless, and it's a *far* better solution than VNC will ever be.
The twats who modded you up have clearly never used NX before. And you, it seems, have only tried it over a large pipe, where NX will, of course, lose out to other technologies better suited for that usage model.
Like, oh I don't know... maybe revising the X windows protocol so it doesn't suck so hard it has its own event horizon?
Or we could just keep using the existing, already open NX codebase, fork, and move on with a perfectly usable technology, rather than starting from scratch under the naive belief that new == better?
Fun fact: this specialized app is probably "thinner" (in terms of resource utilization, etc), than a web-based app.
Which brings me to a dispute I have: to my mind, the definition of "thin" client is that the display component is local, and all the work is done remotely. How is a magazine *display* app *not* a thin client?
Oh, no no, I think you misunderstand what I said ('course, I did communicate it poorly).
What I meant was, it's trivial to identify any changes these people made. You are right in that any weaknesses or backdoors introduced may be challenging to spot. But at least the OBSD folks don't have to sift through the entire codebase to find them.
Actually... it is, assuming exponential growth continues.
Interesting, do you normally just ignore arguments that invalidate your ideas? Because it's a piss poor debating technique.
And in case you missed it: this is a *stupid assumption*. Even *if* exponential growth continued, the IPv6 address space is so insanely large that the *physically limitations of the planet earth* would prevent you from running out of addresses.
However, that's not the case... the population and number of connected devices will grow exponentially
Yeah, we're gonna hit the earth's physical capacity to store humans and devices before we hit the IPv6 address limit.
Seriously, just think for a moment or two (you can do it!). The surface area of the earth is 5.10072 × 10^20 square millimeters. A *single*/48 contains 2^80 addresses. A little basic math shows you can have 2,370 *unique* IPv6 addresses for *every square millimeter on the planet*. In just *one subnet*. And there's *hundreds of trillions of subnets*.
I think we'll be fine for a while.
plus, there's the fact that corporations are going to be expect multiple subnets
And they'll get one. One of those trillions and trillions of/48s. They can then break that down into 65535/64's. And if they *really* need more than 65k subnets? Just give 'em another/48, it's not as if there aren't hundreds of trillions more.
Anyways, assuming the exponential growth goes unabated, some relatively straightforward math shows that it will only take *roughly* 4 times as long for IPv6 space to run out as it has for IPv4 space to be facing depletion, since the address space is 4 times as wide (even though it is 2^96 times as large).
Wow... epic math fail.
"4 times wider" != "4 times longer before exhaustion again". 2^96 is such a mindbogglingly huge number it's inconceivable. Certainly inconceivable for you, it seems.
As unlikely as it is that any backdoors have made it into OpenBSD, even an audit cannot conclusively prove that there are no backdoors in the code. Witness the Underhanded C Code Contest.
Except, of course, they know who these contributors were, and they have a source control system. Scrutinizing their changes would be trivial.
Of course, it's always possible they worked through third-party intermediates, or broke into the SCM, but if that's the case, the OpenBSD team has far bigger problems, IMO.
You cannot run.exe/.cmd/.com/.lnk attachment from e-mail
Correct. On the iPhone, you just had to visit a *website*, ffs.
Seriously, this statement is beyond short-sighted. It's one zero-day vulnerability from being completely false.
A lot of users still... don't ever install a single extra app
Again, who cares? All you need is a hole in one of the stock apps, and voila, users are hosed. Moreover, given how slow mobile phone operators are in updating the OSes on their network (the Android situation being the most obvious), a vulnerability like that could be a) near universal, and b) very slow to close.
Unless Apple/Google becomes careless it's hard to believe that malware authors can (frequently) penetrate their app stores
See above. This point is, well, pointless.
There is still some variety: iPhoneOS/Android/RIM/W7 so malware writers can hardly target all platforms at once - so outbreaks are hardly possible
Please... you need only target one of those platforms to hit millions and millions of people. That's by far lucrative enough to make it worthwhile.
Frankly, I think the only reason you haven't seen this yet is because most malware is directed at turning a machine into a zombie, something for which a mobile device isn't that useful. But the minute someone can, for example, break an iOS device or Android device and start snarfing passwords, it'll become a far more interesting target.
Actually, I take that back... with a/80, you can embed the full device MAC in the host bits and autoconfigure that way (as opposed to "upconverting" the MAC, as is the standard practice today). 'course, I have no idea if any operating systems actually support doing that.
Some African ISPs have been proposing allocating/80s to customers. I don't know if they are actually going to, but that's the smallest proposal I've seen. Most ISPs seem to be converging on/64s. Not sure who would need a/48.
Anyone who wants subnets. Which could be anyone at all.
And a/80 is absurd, as that wouldn't allow for autoconfiguration./64 is the bare minimum that makes any sense at all.
Or... you just don't worry about it. I'm not suggesting that you support them... I'm just suggesting that you don't exclude them from being able to use the Internet at all when there are plenty of applications that can still benefit from a 1-way connection.
So then bury them behind a one-way firewall.
Why the hell do you believe NAT is required to make that possible?
which, given how wasteful IPv6 addresses are being proposed to be allocated, I anticipate is going to be an even bigger issue than the migration to IPv6 itself is right now sometime before the next turn of the century.
You really have absolutely no fucking idea how *huge* the IPv6 address space is, do you? Here, let's try to put this in perspective:
1. An IPv6 subnet is 80 bits (a/48). This is 1,208,925,819,614,629,174,706,176 addresses. In *one* subnet. 2. That means there are 48 bits worth of subnets. That's 281,474,976,710,656 individual subnets. 3. There are, say, 8 billion, or 2^33 people on the planet. 4. That means everyone on the planet can have *a whole subnet*, and there would still be 281,466,386,776,064 subnets left over.
Of course, this isn't the whole story... yeah, there's some addresses that, like in v4, are reserved, etc. But even with that, the available space for assignment to devices is beyond imagining.
In short, if you *really* think IPv6 is gonna experience address shortages before our species wipes itself out, frankly, you're completely delusional.
Well, if you apply a little logic that defense seems a lot more probable than 'I was minding my own business doing nothing wrong and the officer started clubbing me.'
It does, huh? Apparently you didn't watch any of the news coverage vis a vis the G20 demonstrations... innocent people beaten and/or arrested by cops rendered unidentifiable by their "safety" equipment, thus rendering them immune to prosecution.
In short: I trust a cop about as far as I can throw them. Anecdotal comments like those in the OP only make me *more* suspicious.
I work with an ex police officer and he's pretty set against 'civilians' recording police, in his eyes its another way to get innocent police officers in trouble since a lot of the videos that have implicated officers in the past have lacked any context. This makes sense because a clip showing police brutality could be part of a longer incident where the suspect resisted arrest and tried to hurt the officer.
Then a court of law will sort it out.
Your cop friend, frankly, sounds like a thin-blue-line, don't-mess-with-the-brotherhood asshole. He should realize that accountability is a *good* thing. Well, assuming he cared about cops actually being held accountable.
I think a better solution, that nobody in law enforcement would like, would be to put cameras on police officers and also allow the public to photograph them. That way in a court of law you have evidence that can provide context to any side videos in play
Absolutely! As you say, there is a *very* obvious solution to this problem: When a cop is involved in a law enforcement action, *the police record themselves*. Problem solved.
But, of course, that would involve transparency, and cops actually, possibly being held accountable for their actions. And who really wants that?
Configuring a firewall, even though it's very simple to do, requires more technical skill than just plugging an appliance into the wall.
Umm... firewalls *are* appliances.
NAT > Firewall
If you can plug in a NAT, you can plug in a firewall just the same.
The only real argument against using NAT is that it breaks some protocols... and I don't refute that point, but those exact same protocols would be broken by a firewall that rejects incoming packets for a particular computer anyways, so what's the difference?
The difference is, if you have transparent, end-to-end connectivity, it's a *hell* of a lot easier to build a nice, user-friendly firewalling product that doesn't require machinations to get peer-to-peer protocols to work properly. You simply turn on/off ports/protocols, and you'd done. No UPnP bullshit. No port forward crap. It Just Works.
Couple that with a nice user-interface that presents you with things like "Enable Bittorrent" or "Enable SIP", and you have a device anyone can use, without needing to understand the details of how NAT might break things.
Why are people bitching about an issue that's been long addressed? I mean, there are a lot of reasons to complain about the way IPv6 was spec'd and implemented (why the hell did it take the IETF so fucking long to realize NAT64 was necessary??), but this certainly isn't one of them.
In terms of Mastercard and Visa, I would say it was a bit more more complicated, as they have a near duopoly of card processing methods
It's called an oligopoly, and that's certainly true. Particularly if you're interested in your card actually being accepted anywhere (there are still the Amexs and Discovers of the world, but they're not nearly as ubiquitous as Visa and Mastercard).
Except, alas, for the surprising number of home routers and WAPs which have the nasty tendency of sending out router advertisements even though they don't actually have a public IPv6 address. Result? Connection timeouts as clients resolve the AAAA record, attempt a v6 connection, and fail (I had a WAP from *this year* do exactly this to me... had to use tcpdump to figure out wtf was going on, and had to reflash the gd firmware on the device to fix it).
How is it not? Last I checked, subnets were a good thing. Hell, I have two subnets on my v6 network at home right now, one for my guest wireless pool and one for my internal LAN. This would be impossible if I only got a/64 (fortunately Hurricane gives out/48's).
Hurricane is far better than SiXXs, IMHO. They seem to have better peering arrangements (the additional latency for me over v6 is negligable), and you don't have to go justify to HE why you want a tunnel. You ask for one, you get it. Plus, then you don't have to deal with SiXXs killing your tunnel without warning.
But ISPs won't, because they have to deal with assholes and abusive users. That's life. Deal.
Honestly, it's people like you that allowed things like unauthenticated BGP to exist. The Internet is not a nice little fairyland where everyone cooperates. In the real world, you have to deal with hostile users who *want* to break the system.
to risk ISPs being jerks systematically in order to limit my Internet-use freedom and foist their preferred commercial partners/content on me.
Slashdot Mirror
I've never seen NX perform as well as VNC
You're nuts.
No, seriously, you're fucking crazy.
NX over a low-bandwidth or high-latency link blows VNC clear out of the water. It's not even comparable. Combine that with the ability of NX to run rootless, and it's a *far* better solution than VNC will ever be.
The twats who modded you up have clearly never used NX before. And you, it seems, have only tried it over a large pipe, where NX will, of course, lose out to other technologies better suited for that usage model.
Like, oh I don't know... maybe revising the X windows protocol so it doesn't suck so hard it has its own event horizon?
Or we could just keep using the existing, already open NX codebase, fork, and move on with a perfectly usable technology, rather than starting from scratch under the naive belief that new == better?
Up next on the conservatives-excuse Hotline, that golden oldie, "Well Clinton did it!"
Fun fact: this specialized app is probably "thinner" (in terms of resource utilization, etc), than a web-based app.
Which brings me to a dispute I have: to my mind, the definition of "thin" client is that the display component is local, and all the work is done remotely. How is a magazine *display* app *not* a thin client?
I think that may be arrogance.
Oh, no no, I think you misunderstand what I said ('course, I did communicate it poorly).
What I meant was, it's trivial to identify any changes these people made. You are right in that any weaknesses or backdoors introduced may be challenging to spot. But at least the OBSD folks don't have to sift through the entire codebase to find them.
Actually... it is, assuming exponential growth continues.
Interesting, do you normally just ignore arguments that invalidate your ideas? Because it's a piss poor debating technique.
And in case you missed it: this is a *stupid assumption*. Even *if* exponential growth continued, the IPv6 address space is so insanely large that the *physically limitations of the planet earth* would prevent you from running out of addresses.
However, that's not the case... the population and number of connected devices will grow exponentially
Yeah, we're gonna hit the earth's physical capacity to store humans and devices before we hit the IPv6 address limit.
Seriously, just think for a moment or two (you can do it!). The surface area of the earth is 5.10072 × 10^20 square millimeters. A *single* /48 contains 2^80 addresses. A little basic math shows you can have 2,370 *unique* IPv6 addresses for *every square millimeter on the planet*. In just *one subnet*. And there's *hundreds of trillions of subnets*.
I think we'll be fine for a while.
plus, there's the fact that corporations are going to be expect multiple subnets
And they'll get one. One of those trillions and trillions of /48s. They can then break that down into 65535 /64's. And if they *really* need more than 65k subnets? Just give 'em another /48, it's not as if there aren't hundreds of trillions more.
Anyways, assuming the exponential growth goes unabated, some relatively straightforward math shows that it will only take *roughly* 4 times as long for IPv6 space to run out as it has for IPv4 space to be facing depletion, since the address space is 4 times as wide (even though it is 2^96 times as large).
Wow... epic math fail.
"4 times wider" != "4 times longer before exhaustion again". 2^96 is such a mindbogglingly huge number it's inconceivable. Certainly inconceivable for you, it seems.
As unlikely as it is that any backdoors have made it into OpenBSD, even an audit cannot conclusively prove that there are no backdoors in the code. Witness the Underhanded C Code Contest.
Except, of course, they know who these contributors were, and they have a source control system. Scrutinizing their changes would be trivial.
Of course, it's always possible they worked through third-party intermediates, or broke into the SCM, but if that's the case, the OpenBSD team has far bigger problems, IMO.
Mobile phones (OS) don't have any form of autorun
So?
You cannot run .exe/.cmd/.com/.lnk attachment from e-mail
Correct. On the iPhone, you just had to visit a *website*, ffs.
Seriously, this statement is beyond short-sighted. It's one zero-day vulnerability from being completely false.
A lot of users still ... don't ever install a single extra app
Again, who cares? All you need is a hole in one of the stock apps, and voila, users are hosed. Moreover, given how slow mobile phone operators are in updating the OSes on their network (the Android situation being the most obvious), a vulnerability like that could be a) near universal, and b) very slow to close.
Unless Apple/Google becomes careless it's hard to believe that malware authors can (frequently) penetrate their app stores
See above. This point is, well, pointless.
There is still some variety: iPhoneOS/Android/RIM/W7 so malware writers can hardly target all platforms at once - so outbreaks are hardly possible
Please... you need only target one of those platforms to hit millions and millions of people. That's by far lucrative enough to make it worthwhile.
Frankly, I think the only reason you haven't seen this yet is because most malware is directed at turning a machine into a zombie, something for which a mobile device isn't that useful. But the minute someone can, for example, break an iOS device or Android device and start snarfing passwords, it'll become a far more interesting target.
Albeit, Jailbroken iPhones are less Secure than... umm... whats the term for that? Non-jailbroken? Jailfixed? StillJailed? Anyways.
What??? I thought Apple's "Jail" was universally bad! That there was absolutely no benefit to it! That's it's evil evil evil!
Are you saying the Slashbots could be *wrong*??
TV is fairly dead and I (and I imagine many many others as well)
Yes... you certainly are imagining things.
Actually, I take that back... with a /80, you can embed the full device MAC in the host bits and autoconfigure that way (as opposed to "upconverting" the MAC, as is the standard practice today). 'course, I have no idea if any operating systems actually support doing that.
Some African ISPs have been proposing allocating /80s to customers. I don't know if they are actually going to, but that's the smallest proposal I've seen. Most ISPs seem to be converging on /64s. Not sure who would need a /48.
Anyone who wants subnets. Which could be anyone at all.
And a /80 is absurd, as that wouldn't allow for autoconfiguration. /64 is the bare minimum that makes any sense at all.
Or... you just don't worry about it. I'm not suggesting that you support them... I'm just suggesting that you don't exclude them from being able to use the Internet at all when there are plenty of applications that can still benefit from a 1-way connection.
So then bury them behind a one-way firewall.
Why the hell do you believe NAT is required to make that possible?
which, given how wasteful IPv6 addresses are being proposed to be allocated, I anticipate is going to be an even bigger issue than the migration to IPv6 itself is right now sometime before the next turn of the century.
You really have absolutely no fucking idea how *huge* the IPv6 address space is, do you? Here, let's try to put this in perspective:
1. An IPv6 subnet is 80 bits (a /48). This is 1,208,925,819,614,629,174,706,176 addresses. In *one* subnet.
2. That means there are 48 bits worth of subnets. That's 281,474,976,710,656 individual subnets.
3. There are, say, 8 billion, or 2^33 people on the planet.
4. That means everyone on the planet can have *a whole subnet*, and there would still be 281,466,386,776,064 subnets left over.
Of course, this isn't the whole story... yeah, there's some addresses that, like in v4, are reserved, etc. But even with that, the available space for assignment to devices is beyond imagining.
In short, if you *really* think IPv6 is gonna experience address shortages before our species wipes itself out, frankly, you're completely delusional.
Well, if you apply a little logic that defense seems a lot more probable than 'I was minding my own business doing nothing wrong and the officer started clubbing me.'
It does, huh? Apparently you didn't watch any of the news coverage vis a vis the G20 demonstrations... innocent people beaten and/or arrested by cops rendered unidentifiable by their "safety" equipment, thus rendering them immune to prosecution.
In short: I trust a cop about as far as I can throw them. Anecdotal comments like those in the OP only make me *more* suspicious.
I work with an ex police officer and he's pretty set against 'civilians' recording police, in his eyes its another way to get innocent police officers in trouble since a lot of the videos that have implicated officers in the past have lacked any context. This makes sense because a clip showing police brutality could be part of a longer incident where the suspect resisted arrest and tried to hurt the officer.
Then a court of law will sort it out.
Your cop friend, frankly, sounds like a thin-blue-line, don't-mess-with-the-brotherhood asshole. He should realize that accountability is a *good* thing. Well, assuming he cared about cops actually being held accountable.
I think a better solution, that nobody in law enforcement would like, would be to put cameras on police officers and also allow the public to photograph them. That way in a court of law you have evidence that can provide context to any side videos in play
Absolutely! As you say, there is a *very* obvious solution to this problem: When a cop is involved in a law enforcement action, *the police record themselves*. Problem solved.
But, of course, that would involve transparency, and cops actually, possibly being held accountable for their actions. And who really wants that?
Configuring a firewall, even though it's very simple to do, requires more technical skill than just plugging an appliance into the wall.
Umm... firewalls *are* appliances.
NAT > Firewall
If you can plug in a NAT, you can plug in a firewall just the same.
The only real argument against using NAT is that it breaks some protocols... and I don't refute that point, but those exact same protocols would be broken by a firewall that rejects incoming packets for a particular computer anyways, so what's the difference?
The difference is, if you have transparent, end-to-end connectivity, it's a *hell* of a lot easier to build a nice, user-friendly firewalling product that doesn't require machinations to get peer-to-peer protocols to work properly. You simply turn on/off ports/protocols, and you'd done. No UPnP bullshit. No port forward crap. It Just Works.
Couple that with a nice user-interface that presents you with things like "Enable Bittorrent" or "Enable SIP", and you have a device anyone can use, without needing to understand the details of how NAT might break things.
This is a solved problem.
Why are people bitching about an issue that's been long addressed? I mean, there are a lot of reasons to complain about the way IPv6 was spec'd and implemented (why the hell did it take the IETF so fucking long to realize NAT64 was necessary??), but this certainly isn't one of them.
In terms of Mastercard and Visa, I would say it was a bit more more complicated, as they have a near duopoly of card processing methods
It's called an oligopoly, and that's certainly true. Particularly if you're interested in your card actually being accepted anywhere (there are still the Amexs and Discovers of the world, but they're not nearly as ubiquitous as Visa and Mastercard).
Except, alas, for the surprising number of home routers and WAPs which have the nasty tendency of sending out router advertisements even though they don't actually have a public IPv6 address. Result? Connection timeouts as clients resolve the AAAA record, attempt a v6 connection, and fail (I had a WAP from *this year* do exactly this to me... had to use tcpdump to figure out wtf was going on, and had to reflash the gd firmware on the device to fix it).
So, how is a /48 required for your house?
How is it not? Last I checked, subnets were a good thing. Hell, I have two subnets on my v6 network at home right now, one for my guest wireless pool and one for my internal LAN. This would be impossible if I only got a /64 (fortunately Hurricane gives out /48's).
Hurricane is far better than SiXXs, IMHO. They seem to have better peering arrangements (the additional latency for me over v6 is negligable), and you don't have to go justify to HE why you want a tunnel. You ask for one, you get it. Plus, then you don't have to deal with SiXXs killing your tunnel without warning.
It wasn't just OS X. Vista, at release time, was advertising itself as a 6to4 gateway, even when it didn't have a public IP.
Hell, my 802.11n WAP that I bought just a couple *months* ago did this! POS... I had to flash it with dd-wrt to fix the problem.
I would prefer to risk server hosts being
Yes, as a user, you would.
But ISPs won't, because they have to deal with assholes and abusive users. That's life. Deal.
Honestly, it's people like you that allowed things like unauthenticated BGP to exist. The Internet is not a nice little fairyland where everyone cooperates. In the real world, you have to deal with hostile users who *want* to break the system.
to risk ISPs being jerks systematically in order to limit my Internet-use freedom and foist their preferred commercial
partners/content on me.
Mmmm... false dichotomy...
If you don't have ideals, or try to improve your lot or that of your fellow citizens, I'd say you're in a pretty bad place.
Yeah, go ask Karl Marx how well his "ideals" stood up to reality.
Or: In theory, theory and practice are the same. In practice, they're not.