It's certainly not by definition. You're either making a lot of assumptions about the behavior of the file sharing network and the individual's client (e.g., that it's very BitTorrent-like), or you're taking an entirely useless sense of the term "average".
The organization he's referring to is the American Association of Concerned Scientists -- which is not the organization used in TFA, but is an open-membership, left-leaning organization of scientists.
Many priests, as you point out, are actually well educated. I've also found that well-educated priests tend to be much more reasonable and insightful people than you might think. (I can't say the same for their followers.)
Purely anecdotally, scientists (and other random educated people) don't agree on being fiscally liberal. They generally agree on being socially liberal (with a fair fraction of exceptions). But then, all the poll was asking about was party affiliation: it's not like you get much choice, and it's not like either choice is fiscally conservative.
Looks like a mean of 8, which suggests a standard deviation of about 3. Actual data seems a little higher than that, but not much. How big your influence is directly determines how difficult it would be to measure that. Two years with zero storms is an extreme result, but would be statistically valid.
That doesn't seem related to this. An external DNS had better be incapable of resolving VPN-internal DNS names. So your three choices are internal DNS only, external then internal, and internal then external. Redirection breaks only "external then internal", which is the one out of the three you ought not be doing. (If you can do external and fall back to internal, you ought to be able to do the same in reverse.)
So if I mis-type an FQDN hostname in an SSH command, will the DNS resolution request now suceed? Previously SSH would fail with a "cannot resolve hostname" error or something similar. Will it now try to connect with SSH to the Comcast "domain helper" servers? What about its effects on local DNS caching servers (e.g. dnsmasq)?
Yes, yes, and none. (A local DNS server doesn't contact your ISP's recursive resolver. They're not doing hijacking of DNS packets not destined for them. So, what their resolver would return is irrelevant for your local server.)
Example: your POP client is configured to contact mail.mycompany.com. For some reason, a DNS lookup for mail.mycompany.com results in an NXDOMAIN and Comcast redirects you to 1.2.3.4 (their IP address for redirection). Are you seriously suggesting that 1.2.3.4 (a) is listening for POP connections (b) has and presents to you a valid certificate for mail.mycompany.com? You realize these are the certificates you pay people like Verisign to sign, yes? Falsifying them is difficult (which is a gross understatement) and comes with serious consequences.
Considering Comcast isn't even a Certificate Authority, it would be prohibitively expensive for them to acquire a valid, signed certificate for every non-existing domain -- if a CA was dumb enough to actually provide them with such.
Or is your client going to contact mail.mycompany.com and, handed a cert for comcast.net, decide that that's close enough?
For security's sake, people using VPN split tunneling need to contact the DNS server for the VPN network first, then fall back to the public DNS server; not the other way around. (Better, use the VPN DNS server exclusively.)
think about what happens if you mistype an email address
Okay. If I'm using a Comcast SMTP server, a webmail service, or any SMTP server not behind Comcast, then this doesn't affect it at all. If I or my organization (whose ISP is Comcast) is running their own SMTP server (as a Linux user might well do), then the mail still won't be sent, unless Comcast provides valid MX records for their redirect domains, which would be a stunningly bad idea.
what happens when your configured NTP server goes offline
The same thing that happens when it goes offline without redirection, unless by "goes offline" you mean "has its domain name expire". If the latter, your NTP client will attempt to contact the IP address for the redirection server... which will only produce interesting results if that server happens to be running an NTP server. That would be a bad idea, just like above.
No, it screws with "what is a valid domain name" by making all domain names valid. Domain names are not the same as URLs.
Since this is implemented within Comcast's recursive resolvers, new domains can be recognized immediately. These recursive resolvers are the ones caching DNS lookup responses. They can (and should) choose not to cache NXDOMAIN responses (which are the ones they provide redirection for).
Third, if you are running your own DNS, you aren't communicating with Comcast's recursive resolvers, and so they won't supply you with any information, fake or otherwise.
I think the point really is, how likely is it that the site Comcast redirects you to will do anything other than serve Web pages related to DNS redirection?
That depends. If you have server authentication, it won't. More importantly, if the Comcast server doesn't listen on any port but 80, it certainly won't.
If you were relying on correct DNS responses to provide security (such as preventing your login credentials from being given away), you were doing it wrong in the first place.
Except for the bit where Comcast users not using Comcast DNS servers are unaffected, as per TFS.
Unless you're complaining that they could, in theory, redirect port 53. Frankly, anyone remotely familiar with how the Internet works should know that your ISP *could* completely and arbitrarily control any nonauthenticated protocol, including DNS.
It's not cloning, because it's a haploid cell. Cloning requires that an embryo be formed from a diploid.
In other words, in a clone, the clone is a genetic duplicate of the parent. In this procedure, a cell is induced into meiosis, which creates two half-sets of DNA. This is combined with a half-set of DNA in an egg, just like in non-lab sexual reproduction. With the genetic juggling that goes on during meiosis, it wouldn't even be cloning if the sperm and egg were from the same individual. (I guess that would be F1 self-hybridization, which would frankly be pretty creepy, but not as much as cloning.)
It actually turns out that's not true -- if you had nothing but the DNA sequence, you could not (even in theory) construct a human from it. For one, the mitochondria organelles have their own genetics independent of our own. The organelles are inherited directly from the mother's cells. For another, how DNA is used and rendered into proteins, etc. is altered by chemicals that are carried along with the cell. If those are stripped away, information is lost.
An IP address identifies exactly one Internet node. However, that node may well be forwarding traffic to the Internet from an unspecified number of private-network nodes.
Re:"The magnetic field lines are clearly visible.
on
Sunspots Return
·
· Score: 1
Remember, the contour lines aren't real; they're an imaginary construct used to illustrate height. The lake is real, and since its boundary is determined by height (more or less), the real object's border matches a single contour line. That doesn't make the contour line real.
Continental divide.
No engineer I've talked to considers the continental divide to be part of fluid flow or fluid mechanics. I'll ask some geologists, and then quiz them about fluid flow lines.
Re:"The magnetic field lines are clearly visible.
on
Sunspots Return
·
· Score: 1
Slashdot Mirror
It's certainly not by definition. You're either making a lot of assumptions about the behavior of the file sharing network and the individual's client (e.g., that it's very BitTorrent-like), or you're taking an entirely useless sense of the term "average".
There are a variety of solutions. I would go with "author's life or 15 years, whichever is longer" -- or something like that.
The organization he's referring to is the American Association of Concerned Scientists -- which is not the organization used in TFA, but is an open-membership, left-leaning organization of scientists.
Many priests, as you point out, are actually well educated. I've also found that well-educated priests tend to be much more reasonable and insightful people than you might think. (I can't say the same for their followers.)
Purely anecdotally, scientists (and other random educated people) don't agree on being fiscally liberal. They generally agree on being socially liberal (with a fair fraction of exceptions). But then, all the poll was asking about was party affiliation: it's not like you get much choice, and it's not like either choice is fiscally conservative.
Looks like a mean of 8, which suggests a standard deviation of about 3. Actual data seems a little higher than that, but not much. How big your influence is directly determines how difficult it would be to measure that. Two years with zero storms is an extreme result, but would be statistically valid.
That doesn't seem related to this. An external DNS had better be incapable of resolving VPN-internal DNS names. So your three choices are internal DNS only, external then internal, and internal then external. Redirection breaks only "external then internal", which is the one out of the three you ought not be doing. (If you can do external and fall back to internal, you ought to be able to do the same in reverse.)
So if I mis-type an FQDN hostname in an SSH command, will the DNS resolution request now suceed? Previously SSH would fail with a "cannot resolve hostname" error or something similar. Will it now try to connect with SSH to the Comcast "domain helper" servers? What about its effects on local DNS caching servers (e.g. dnsmasq)?
Yes, yes, and none. (A local DNS server doesn't contact your ISP's recursive resolver. They're not doing hijacking of DNS packets not destined for them. So, what their resolver would return is irrelevant for your local server.)
There's more than one: DNSSEC and DNSCurve. DNSSEC is further along, which isn't saying much.
If I understand correctly, using DNSSEC prevents any kind of NXDOMAIN redirection. (It also prevents other kinds of falsified answers.)
I think Verisign would disagree with you there.
Example: your POP client is configured to contact mail.mycompany.com. For some reason, a DNS lookup for mail.mycompany.com results in an NXDOMAIN and Comcast redirects you to 1.2.3.4 (their IP address for redirection). Are you seriously suggesting that 1.2.3.4 (a) is listening for POP connections (b) has and presents to you a valid certificate for mail.mycompany.com? You realize these are the certificates you pay people like Verisign to sign, yes? Falsifying them is difficult (which is a gross understatement) and comes with serious consequences.
Considering Comcast isn't even a Certificate Authority, it would be prohibitively expensive for them to acquire a valid, signed certificate for every non-existing domain -- if a CA was dumb enough to actually provide them with such.
Or is your client going to contact mail.mycompany.com and, handed a cert for comcast.net, decide that that's close enough?
For security's sake, people using VPN split tunneling need to contact the DNS server for the VPN network first, then fall back to the public DNS server; not the other way around. (Better, use the VPN DNS server exclusively.)
think about what happens if you mistype an email address
Okay. If I'm using a Comcast SMTP server, a webmail service, or any SMTP server not behind Comcast, then this doesn't affect it at all. If I or my organization (whose ISP is Comcast) is running their own SMTP server (as a Linux user might well do), then the mail still won't be sent, unless Comcast provides valid MX records for their redirect domains, which would be a stunningly bad idea.
what happens when your configured NTP server goes offline
The same thing that happens when it goes offline without redirection, unless by "goes offline" you mean "has its domain name expire". If the latter, your NTP client will attempt to contact the IP address for the redirection server... which will only produce interesting results if that server happens to be running an NTP server. That would be a bad idea, just like above.
No, it screws with "what is a valid domain name" by making all domain names valid. Domain names are not the same as URLs.
Since this is implemented within Comcast's recursive resolvers, new domains can be recognized immediately. These recursive resolvers are the ones caching DNS lookup responses. They can (and should) choose not to cache NXDOMAIN responses (which are the ones they provide redirection for).
Third, if you are running your own DNS, you aren't communicating with Comcast's recursive resolvers, and so they won't supply you with any information, fake or otherwise.
I think the point really is, how likely is it that the site Comcast redirects you to will do anything other than serve Web pages related to DNS redirection?
That depends. If you have server authentication, it won't. More importantly, if the Comcast server doesn't listen on any port but 80, it certainly won't.
If you were relying on correct DNS responses to provide security (such as preventing your login credentials from being given away), you were doing it wrong in the first place.
Except for the bit where Comcast users not using Comcast DNS servers are unaffected, as per TFS.
Unless you're complaining that they could, in theory, redirect port 53. Frankly, anyone remotely familiar with how the Internet works should know that your ISP *could* completely and arbitrarily control any nonauthenticated protocol, including DNS.
That's what I recall (I'm mostly being pedantic), but there are no two-electron electrolysis reactions?
It wont' be weightless; it'll be in freefall!
I'm familiar with the electron volt. That's written "electron volt" or "eV", though, not "volt".
Also, I don't recall being able to apply 1.23 eV across a cell.
When did they make volts a unit of energy?
It's not cloning, because it's a haploid cell. Cloning requires that an embryo be formed from a diploid.
In other words, in a clone, the clone is a genetic duplicate of the parent. In this procedure, a cell is induced into meiosis, which creates two half-sets of DNA. This is combined with a half-set of DNA in an egg, just like in non-lab sexual reproduction. With the genetic juggling that goes on during meiosis, it wouldn't even be cloning if the sperm and egg were from the same individual. (I guess that would be F1 self-hybridization, which would frankly be pretty creepy, but not as much as cloning.)
It actually turns out that's not true -- if you had nothing but the DNA sequence, you could not (even in theory) construct a human from it. For one, the mitochondria organelles have their own genetics independent of our own. The organelles are inherited directly from the mother's cells. For another, how DNA is used and rendered into proteins, etc. is altered by chemicals that are carried along with the cell. If those are stripped away, information is lost.
An IP address identifies exactly one Internet node. However, that node may well be forwarding traffic to the Internet from an unspecified number of private-network nodes.
Remember, the contour lines aren't real; they're an imaginary construct used to illustrate height. The lake is real, and since its boundary is determined by height (more or less), the real object's border matches a single contour line. That doesn't make the contour line real.
Continental divide.
No engineer I've talked to considers the continental divide to be part of fluid flow or fluid mechanics. I'll ask some geologists, and then quiz them about fluid flow lines.
Um, no.