Slashdot Mirror


User: jroysdon

jroysdon's activity in the archive.


Comments · 839

  1. Re:An investment by the power companies on $60 Light Bulb Debuts On Earth Day · · Score: 1

    Nope, we've got to do both, at least in California. You still need all the spinning reserves for when the wind doesn't blow and when the sun isn't shining. Even if we are not growing and don't need more generation, we still have to start buying/producing 33% from "green" sources by 2020. Mind you hydro isn't green and doesn't count. As I said, since you can't trust any of the "green" energy to be reliable, you still have to maintain all the equipment and keep a certain percentage of it as spinning reserves.

  2. Survivors on Scientists Say Spread of Schmallenberg Virus Is 'Warning To Europe' · · Score: 1
  3. Re:Creepy but... on When Big Brother Watches IT · · Score: 1

    Go outside.

  4. Re:Who manages it? on When Big Brother Watches IT · · Score: 1

    Yes, and we document air-gapped systems this way.

  5. Re:Creepy but... on When Big Brother Watches IT · · Score: 1

    Won't work at my office. Nothing goes out/in that isn't decrypted and verified first. Mostly this is to prevent backdoors and data breaches.

    Anyway, smart phones are dirt cheap and if you really need to be that connected pay $20/mo. more and get a data plan. Surf all you want on your own equipment and network connection.

  6. Re:Creepy but... on When Big Brother Watches IT · · Score: 1

    While I agree with this 100% (and follow it the same), why is it that upper management never have to follow the same rules? "You want me to bring a work laptop back and forth, and where would I put it?"

  7. Re:Who manages it? on When Big Brother Watches IT · · Score: 3, Insightful

    As we tell our staff, get a smart phone and do whatever you want. Just never connect it to our network (including even USB to charge), and never use our network/PCs for personal use. Don't want to spring for a smart phone? Surf at home.

  8. Re:Because 32bits of addressing... on Apple Under Fire For Backing Off IPv6 Support · · Score: 1

    VLANs are layer 2, not layer 3. Your same VLAN that has IPv4 can have IPv6.

    Not sure what you're running, all of my Cisco gear just needed an IOS upgrade to get IPv6. My HP switches don't need IPv6 addresses or even understanding of IPv6 to pass the traffic along. Only my core routers where my VLAN interfaces route IPv4 & IPv6. Same with all the microwave stuff we have - it's all just bridging equipment, and (mostly) doesn't care what we are bridging (that's not 100% true, as I've run into a few pieces of low-end gear that won't bridge IPv6 traffic, but that's few and far between).

    My biggest problem is that some of my Cisco gear won't do L2L VPNs with IPv4 & IPv6 remote LANs going over IPv4. I can do 4in4, 6in4, 4in6, but not 4&6in4 (or 4&6in6). It'll get there, but for now my remote sites don't get IPv6, and that's OK.

    I do have to keep pestering Websense to add IPv6 filtering support. Any time now they're supposed to add it. For now, that means we don't allow any external IPv6 surfing since we can't filter it.

  9. Re:I'll cop to ignorance... on Apple Under Fire For Backing Off IPv6 Support · · Score: 1

    You don't need NAT for HA. Your LBs float the virtual IP and redirect traffic to the real IPs on the real servers behind. Return traffic from the real servers' real IPs comes back to the LBs and the LBs pass it on as the original virtual IP that was accessed by the original request.

  10. Re:Good for them! PRIVACY gone in 128bits on Apple Under Fire For Backing Off IPv6 Support · · Score: 1

    I think what they were referring to is that the ISP presently gives out dynamic IPv4 addresses. The correlation in this case would be giving out a dynamic IPv6 /64 to each network that connects. While this could be done, there are many reasons not to do so as it would require constant renumbering (which can be done, but it's confusing for the end-user).

    Either way, it's all bunk, as the ISP will keep track of the address assignments to the network level either way. Both IPv4 and IPv6 have a way to "anonymize" the end-PC (IPv4 NAT, IPv6 random IPv6 addressing) - but it's very easy to fingerprint the PC without the IP address.

  11. Re:Good for them! PRIVACY gone in 128bits on Apple Under Fire For Backing Off IPv6 Support · · Score: 2

    You have the same ability to be "anonymous" as with IPv4. With IPv4, they can track it down to your gateway, but have no idea what PC inside originated the traffic. I doubt you get a unique IPv4 address each time your gateway restarts. My Comcast connection has had the same one for 8 years, through two cablemodems, because my MAC address on my router stayed the same (or rather, I told my newer routers to use the one my older one had). Even if it is different each time, like with many PPPoE implementations, your ISP has logs where each account-to-IP-assignment is known.

    With IPv6, if you leave the global randomize identifier option enabled (default in Windows), then all they can do is track it down to your network /64 which is assigned to your gateway, and not to the individual PC.

    Not sure about other OS, but if being "anonymous" is important to you, you might look into it.

  12. Re:Good for them! PRIVACY gone in 128bits on Apple Under Fire For Backing Off IPv6 Support · · Score: 3, Informative

    That's bunk. NAT doesn't provide real security, and in fact a false sense of security. Your firewall should always deny/drop traffic by default, except where permitted otherwise, either explicitly or by a stateful connection originating from the inside.

    If you want pseudo anonymity on the level of what you have with IPv4, then leave the global randomize identifiers on. It's on by default in Windows. You actually have to disable it with netsh interface ipv6 set global randomizeidentifiers=disabled.

  13. Re:ipv4 is dead, long live ipv4! on Apple Under Fire For Backing Off IPv6 Support · · Score: 5, Informative

    IPv6 is actually very easy to remember when done right. Further, we have DNS for address resolution - how many of the websites you visited today do you know the IPv4 address for?

    For an enterprise, once they get their allocation, it's really not that bad. I will make up an allocation as an example:

    2600:123:b000::/48

    With 5 more octets left (octets isn't the right term, but divisions separated by colons), you can do a large amount of intelligent numbering, and even just reuse all of your VLAN and IPv4 numbering right inside your IPv6 addressing.

    For instance, if you have a server network at 172.16.2.0/24 and it is vlan 203, you can assign 2600:123:b000:203::/64 (with the nodes getting ::172:16:2:yyy), so a given server node with 172.16.2.105 would be 2600:123:b000:203:172:16:2:105 . It's wasteful, but with IPv6, who cares?

    If you have more than one site, then each site should get you your own /48. When applying for addresses, you should do so for all sites at once. We have a /44 (x:x:b000 - x:x:b00f) as we have 9 sites. We can then assign each site based on their site numbers (2600:123:b001 - 2600:123:b009). We use 2600:123:b000 for infrastructure, and still have 2600:123:b00a - 2600:123:b00f left over.

    So, site 3, vlan 405, network 172.24.5.0/24 would be assigned 2600:123:b003:405::/64 with nodes having 2600:123:b003:405:172:24:5:yyy. For workstations that use SLAAC and/or DHCPv6, you don't care about the last 64 bits and you rely on DNS. But you still know the site and VLAN if you use the same numbering. 2600:123:b002:464::/64, which is site 2, vlan 464.

    All the IT staff has to do is learn that 2600:123:b000 - b00f is our assignment and explain the rest of our addressing plan. It's actually rather natural to do it this way and makes a ton of sense.

    Oh, and personally I would skip doing any decimal to hex conversion where it can be avoided. For instance, I would not make vlan 165 be A5 (the hex value), but rather just 165. This does mean you'll "waste" something like 37.5% of your address space - but again, who cares? I'll take readability over maximum use any day.
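
Added example, not part of the comment above: the numbering plan it describes, written out with Python's `ipaddress` module. The function names are hypothetical, the allocation is the comment's made-up 2600:123:b000::/44, and decoding a SLAAC-style address shows that site and VLAN stay readable even when the last 64 bits are random.

```python
import ipaddress

# The comment's made-up allocation: a /44, i.e. sixteen site /48s (b000..b00f).
ALLOCATION = ipaddress.IPv6Network("2600:123:b000::/44")

def _dec_as_hex(value, limit):
    """Write a decimal number's digits as a hextet: VLAN 203 -> 0x203, not 0xcb."""
    if not 0 <= value <= limit:
        raise ValueError(f"{value} is outside 0..{limit}")
    return int(str(value), 16)

def _hex_as_dec(hextet, limit):
    """Inverse of _dec_as_hex; None if the hextet has a-f digits or is out of range."""
    digits = format(hextet, "x")
    if not digits.isdecimal() or int(digits) > limit:
        return None
    return int(digits)

def vlan_prefix(site, vlan):
    """Return the /64 for a site number (0-15) and a VLAN ID (0-4094)."""
    if not 0 <= site <= 15:
        raise ValueError("site must fit inside the /44 (0..15)")
    base = int(ALLOCATION.network_address) + (site << 80)  # third hextet: b00<site>
    base += _dec_as_hex(vlan, 4094) << 64                  # fourth hextet: VLAN digits
    return ipaddress.IPv6Network((base, 64))

def node_address(site, vlan, ipv4):
    """Embed the IPv4 octets, digit for digit, in the last four hextets."""
    iid = 0
    for octet in ipaddress.IPv4Address(ipv4).packed:
        iid = (iid << 16) | _dec_as_hex(octet, 255)
    return vlan_prefix(site, vlan)[iid]

def decode(addr):
    """Recover (site, vlan, ipv4) from an address; ipv4 is None for SLAAC/DHCPv6 hosts."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in ALLOCATION:
        raise ValueError(f"{addr} is outside {ALLOCATION}")
    h = [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]
    octets = [_hex_as_dec(x, 255) for x in h[4:]]
    ipv4 = None if None in octets else ".".join(map(str, octets))
    return h[2] & 0xF, _hex_as_dec(h[3], 4094), ipv4

if __name__ == "__main__":
    print(node_address(0, 203, "172.16.2.105"))            # server example from the comment
    print(decode("2600:123:b002:464:a1b2:c3d4:e5f6:789"))  # constructed SLAAC-style address
```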

  14. Re:Depends on the Christian on NASA's Kepler Discovers 11 Systems Hosting 26 Planets · · Score: 0

    As one who believes in the literal truth of the Bible, I don't have any conflict with life on other planets. I tend to doubt that there is, but it would not be earth-shattering for me if there was.

    C.S. Lewis even has a series, The Space Trilogy, with life on other planets and addresses the issue of Christianity - if there was no original sin on the other planets, do they need Salvation?

    Christian fundamentalists are not as backward as you may think, and we do put on our thinking caps.

  15. Re:hotel WiFi charges? on US Mobile Carriers Won't Brick Stolen Phones · · Score: 1

    Yup, which is why our department has a VZN mifi. It's on our corporate plan so we have unlimited data for $40/mo per device. Two hotel stays a month pays for it (most hotels charge a rip-off $20/night for wifi). That and we use it when we need to troubleshoot in the field with our private fiber/backbone. More than pays for itself. We check it out just like our company pool cars, return it when we're done.

    Only downside one guy found is that if you take it to Mexico, data is very expensive there if you don't have the right plan (which we didn't, since it wasn't intended to go out of country).

  16. Re:sue the carrier as an accompilce in the theft on US Mobile Carriers Won't Brick Stolen Phones · · Score: 1

    My kids' phones are $10/mo for unlimited text - which is all they care about, and 500 minutes (used mostly for when we want to talk and texting is going to require too much back and forth). Only downside is T-mobile limits a "family plan" to 5 lines, and we've got 6 in our family.

  17. Re:sue the carrier as an accompilce in the theft on US Mobile Carriers Won't Brick Stolen Phones · · Score: 1

    Just got two T-Mobile Android phones for $50/month each or $100/month total for both (unlimited talk/text family plan, with 2gb data of 4G speeds and unlimited data after 2gb at 2G speeds). Only downside I see is that I have a 2 year contract. But since I can't just take any phone to any carrier in the US (or when coming from compatible networks there is still a $50 "flashing" fee), it seems worth while to get good service (never again, MetroPCS or Cricket - 4G at 2G speeds and constant outages, no thanks). Phones each had a $50 off deal, but might have been specific to Costco.

  18. Re:sue the carrier as an accompilce in the theft on US Mobile Carriers Won't Brick Stolen Phones · · Score: 1

    I've bought a number of cheap MetroPCS phones online. Kids do stupid things all the time that lose "$49" phones (jump in pools, go bike riding with them in loose pockets, to name a few). You cannot replace them for $49 unless you activate a new line of service with it. The sad thing is that I can pick up used MetroPCS phones for less than MetroPCS charges to re-activate them ($15).

  19. Increased traffic accidents on Monday on Did Benjamin Franklin Invent Daylight Saving Time? · · Score: 4, Insightful

    Sleep-journal.com: "Results: There was a significant increase in accidents for the Monday immediately following the spring shift to DST (t=1.92, P=0.034). There was also a significant increase in number of accidents on the Sunday of the fall shift from DST (P0.002)."

    Get rid of DST. Arizona has it right (no DST). Doesn't help that the whole world doesn't even follow the DST change at the same time.

  20. Never trusted on When Are You Dead? · · Score: 1

    I never trusted that a doctor would make the right call.

    Before I was married, I kept a donor card with my ID which said, "Ask my mom," and listed her number.
    Once I got married, I updated my donor card to say, "Ask my wife" and listed her number (unless we're both unable to ask, in which case we both have our own mothers listed).

    Both know my wishes, and both will see that they are carried out.

  21. Re:Cyber war threat level on Measuring China's Cyberwar Threat · · Score: 1

    The color thing has been dropped by DHS:
    The National Terrorism Advisory System, or NTAS, replaces the color-coded Homeland Security Advisory System (HSAS).

    The ISC is a little slow on the uptake, but isn't government.

  22. Re:Switch away from .com? on US Asserts Super-Jurisdiction Over Dot-Com, Dot-Net, and Dot-Org Domains · · Score: 1

    You would not have to redirect all of .SE, but you would have to get the cooperation of all the Root DNS server operators. As the Root zones are all public information, there is no way you could hide what you were doing either. Redirecting some or all of .SE would be the equivalent of taking sovereign Internet territory (for lack of another phrase).

  23. Re:Switch away from .com? on US Asserts Super-Jurisdiction Over Dot-Com, Dot-Net, and Dot-Org Domains · · Score: 1

    What? If your org's domain is so important, would you not use your own resolvers which would know where to go for authoritative data, and not use the root and gTLD NS?

    Sure, it might present a problem external to your org for email, web presence, etc. if you lose your gTLD registration and therefore NS glue, but that shouldn't break your org's own DNS resolution for its own systems.

  24. Re:Get over it already on Ask Slashdot: Life After Firefox 3.6.x? · · Score: 1

    Firefox known-vulnerabilities shows that Firefox 9 has problems with it which should make you want to upgrade to 10.0.2:
    Fixed in Firefox 10.0.2
    MFSA 2012-11 libpng integer overflow
    Fixed in Firefox 10.0.1
    MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings
    Fixed in Firefox 10
    MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permission
    MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
    MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
    MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
    MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
    MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
    MFSA 2012-03 element exposed across domains via name attribute
    MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

  25. Executive Branch = enforcing the laws on White House Refuses To Comment On Petition To Investigate Chris Dodd · · Score: 1

    This is the job the Executive Branch exists for: to enforce the laws. If nothing else, the response should have been, "We are looking into this." Talk about making people lose any shred of faith in their elected officials.