Billy Gates wrote, "All major OSI protocols use the mac address in their protocols for authentication."
No, they don't. The MAC address is used at Layer 2 (only) for switching, not for authentication.
You can't use the MAC address for authenticating anything outside your own subnet because of the fundamental way that routing works. Take this example:
You send a packet out on your LAN, intended for the SlashDot Web server. The source MAC and IP address are your own. The destination IP is SlashDot. The destination MAC is the router that connects your LAN to the Internet.
Your router's interface card sees your packet. Since the destination MAC address belongs to your router, it accepts the packet, and strips off the OSI Layer 2 header, which is where your MAC address lives. Your router determines the next router in the chain, and generates a new Layer 2 header with the next router's MAC address as a destination and its own (your router's) MAC address as a source.
At each step in the chain (try a traceroute to see how long a typical chain is), the Layer 2 header is stripped and regenerated, and the previous MAC address is forgotten. The system at the other end has no way to check the validity of the sender using a MAC address because it has no idea what the MAC address is for the packet's original sender.
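The hop-by-hop rewrite described in the comment above, as an added Python example that is not part of the original comment: it builds a real Ethernet/IPv4 frame, passes it through two routers, and shows what the destination server can actually see. The MAC addresses (locally administered `02:...`), the documentation-range IP addresses, the two-router path and all function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ipv4_checksum(header):
    # One's-complement sum over the ten 16-bit words of a 20-byte header.
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src_ip, dst_ip, payload, ttl=64):
    # Minimal 20-byte IPv4 header (no options), protocol 6 = TCP.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, 6, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_frame(src_mac, dst_mac, ip_packet):
    # Ethernet II header: destination MAC, source MAC, EtherType 0x0800 (IPv4).
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", 0x0800) + ip_packet)

def parse_frame(frame):
    ip = frame[14:]
    return {
        "l2_dst": mac_str(frame[0:6]),
        "l2_src": mac_str(frame[6:12]),
        "ip_src": str(IPv4Address(ip[12:16])),
        "ip_dst": str(IPv4Address(ip[16:20])),
        "ttl": ip[8],
        # A valid header sums to 0xFFFF, so the complement is 0.
        "checksum_ok": ipv4_checksum(ip[:20]) == 0,
    }

def route_hop(frame, in_mac, out_mac, next_hop_mac):
    """What one router does: accept, strip Layer 2, re-wrap for the next hop."""
    if frame[0:6] != mac_bytes(in_mac):
        raise ValueError("frame is not addressed to this router's interface")
    ip = bytearray(frame[14:])          # the old Ethernet header is discarded here
    if ip[8] <= 1:
        raise ValueError("TTL expired in transit")
    ip[8] -= 1                          # Layer 3 survives, with TTL decremented
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:20])))
    # New Layer 2 header: source is this router, destination is the next hop.
    return build_frame(out_mac, next_hop_mac, bytes(ip))

# Constructed topology: (inside-interface MAC, outside-interface MAC) per router.
ROUTERS = [("02:00:00:00:01:01", "02:00:00:00:01:02"),
           ("02:00:00:00:02:01", "02:00:00:00:02:02")]
SERVER_MAC = "02:00:00:00:ff:01"
SERVER_IP = "198.51.100.80"

def send_across(sender_mac, sender_ip, routers=ROUTERS,
                server_mac=SERVER_MAC, server_ip=SERVER_IP):
    """Return the parsed headers as seen on each link, sender's LAN first."""
    frame = build_frame(sender_mac, routers[0][0],
                        build_ipv4(sender_ip, server_ip, b"GET / HTTP/1.0\r\n\r\n"))
    seen = [parse_frame(frame)]
    for i, (in_mac, out_mac) in enumerate(routers):
        next_mac = routers[i + 1][0] if i + 1 < len(routers) else server_mac
        frame = route_hop(frame, in_mac, out_mac, next_mac)
        seen.append(parse_frame(frame))
    return seen

if __name__ == "__main__":
    for sender_mac, sender_ip in [("02:00:00:00:aa:01", "192.0.2.10"),
                                  ("02:00:00:00:bb:01", "192.0.2.11")]:
        print(f"sender {sender_mac} / {sender_ip}")
        for link, hdr in enumerate(send_across(sender_mac, sender_ip)):
            print(f"  link {link}: L2 {hdr['l2_src']} -> {hdr['l2_dst']}  "
                  f"L3 {hdr['ip_src']} -> {hdr['ip_dst']}  ttl={hdr['ttl']}")
```

On the last link both senders arrive with the same Layer 2 source, the final router's outside interface, so a MAC allowlist on the server could only ever match that router.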
That's not a bad summary, but it has a few technical errors in it:
"For each sequential packet, a new ISN is generated."
As others have pointed out, the ISN is the initial sequence number. The sequence number of the nth packet in a session is ISN+n.
"For every packet the server sends the client, the client MUST respond with an ACK message."
It's a bit more complex than that. The protocol allows you to ack not every packet, but every n packets, with each ack containing the sequence number of the next packet you're expecting to receive. If n was set to 5, then packets 1 to 4 would get no ACK, and packet 5 would ack with 6+ISN.
bay43270 uttered, "Students can do this today on a pair of $150 palms and their IR ports".
And how many classrooms have you been in where you could establish an IR (line-of-sight) link with someone not in the classroom without being really obvious?
Shardis wrote, "If you're responsible for corporate network security, hopefully you have some..."
What makes you think I'm responsible for corporate network security? I never said that. My day job is in curriculum development, and doesn't involve IP security at all. That, however, doesn't stop me from trying to understand how it all works, and asking lots of questions.
Um, no not really, "the net" thing was a back door. :P ...
Details, details ;) I know the background of SecurityFocus, and I've followed BugTraq for years. The point I was making is that I don't know the people. I don't know who would have access to my information. My sole rationale for trusting them (or not) is what other people say about them.
"...and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'"
My wife won't even watch that kind of movie with me anymore, because I keep pointing out the technical flaws. It takes some serious willing suspension of disbelief to enjoy movies like those. I did enjoy Sneakers, though.
"I'm tired and this was too unfortunately typical of responses for me to not respond."
No sweat.
Thank you, Ryan.
It's refreshing to see a vendor reading the articles on SlashDot and replying with useful information. I appreciate it.
After looking over the ARIS site, I'm left with a bunch of questions.
First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means. If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."
Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus? What does this service do for us?
Greenpeace should be very weary about corporations that are in reality environmental pigs, but try to obfuscate this by displaying the Greenpeace logo and link to their site.
I presume you mean they should be "wary," although maybe they're just tired of it <grin>. Anyway, I disagree with what you're saying. Using Greenpeace's logo without their permission is a trademark violation, and it's against the law. That's very different than a link. If I disagree with an article on the Web, why shouldn't I be able to say, "I think this article is a pile of hooey" (including a link to the article I don't like)?
I strongly feel that if information is placed on the web for public consumption (no login required), then anyone should be able to link to it from anywhere, as long as they're not claiming ownership of it. Heck, I encourage it! That's what the Web is all about! People keep asking you how to become a hacker? Link 'em here! You want people visiting your Web site to be able to learn about closed captioning? Link 'em here! Visitors looking for information about Scratch 'n Sniff Macintoshes? Link 'em here!
Non-compete clauses do hold up in California under certain circumstances. A former employer wanted me to sign a non-compete that would prohibit me from working in the same field for two years. That won't hold up in CA, according to my attorney.
IANAL, but as I understand things, to be valid in CA, a non-compete agreement must have some form of compensation (the company offered a cash bonus if I'd sign it, so they were covered there), and must leave you with a reasonable way to make a living using your skills and knowledge.
They can't tell you, for example, "Sorry, Bubba, but you can't write code in Java for two years." They can, however, tell you, "You can't create a directly-competing transaction system compatible with our interface formats that would be sold to the same customer base."
When you sell stock, you aren't selling it to the company that issued it (there is an exception known as a "stock buyback," but that's a different story).
You are selling your shares to a broker or a "market maker" that trades in the company's stock. They, in turn, sell it to someone else. If a company's stock loses half its value in a day (or doubles in a day), the company doesn't lose (or make) any money at all. The effect of the stock price on the company is a bit more indirect. It affects market perception of the company, the ability to attract employees by using stock options, and the number of shares necessary to buy other companies using stock swaps.
Here's the theory... Right now, you can't build a CPU that generates too much heat, or it will fry itself. If you come up with an efficient way to remove the heat (without pumping it out of the case entirely), then they'll make hotter-running CPUs, which will cause more heat in the case, which will cause nearby chips to overheat and fail instead.
IP.com could be a "fishing expedition," attracting nifty new ideas for use by who knows whom. I don't see anything that limits what they can do with the "publications" that appear on their site.
Isn't that what open source is all about? ;)
I understand what you're saying. Any one of us could easily write up an idea, put a timestamped digital signature wrapper around it, and post it on our own Web site. The centralization concept is both the good and the bad.
The good is that the PTO knows where to find it, and it's in a standardized format that's easy for them to search.
The bad is that it costs money and depends on the future existence of a company that may or may not survive.
I see no inherent evil in this plan. Let those who believe the good outweighs the bad use it. Let those who don't, not.
It sounds from the article (which was lacking in technical detail), like the microcoolers can chill the portion of the chip they're in contact with. Okay, I'm good with that. But where does the heat go?
Assuming that it's redistributed, what we're really looking at is a way to take that 1GHz+ CPU and let it run nice and cool while we fry everything else inside the case, right?
The Open Source movement would do just as well by having a central repository or library of "prior art" that can be used by the patent office to determine if a "new invention" is indeed a new invention. We need to make it easier to prevent patents on core knowledge; I don't see the point in making more patents when our goal is to prevent patents.
You didn't actually read the article, did you? What you're suggesting is precisely what the article says they're doing. The open source software that's submitted to this group isn't actually being used to get patents, it's being used to create a searchable database of prior art that the PTO has agreed to refer to.
x-empt wrote, "Take the lists of addresses and emails, pretend you are really spamming thousands, while in reality you only spam a couple of accounts (yours and your boss's)... fake the logs"
Oh, that's great! I love it! Except I'd add a few other accounts to the list. How about webmaster@fbi.gov, abuse@aol.com, the webmaster at spam.abuse.net, postmaster@cauce.org, and key individuals at other various law enforcement and anti-spam groups?
I think that might get a little bit of extra action ;)
"...get the ISP to terminate the account after a few days..."
That's even better. And I can't think of an admin that wouldn't do it. Happily.
I was placed in a similar position when I was CTO of a company and the marketing weenies decided to start a spamathon.
Remember that the main motivator is money when you're dealing with marketing/sales people. If ethics won't sell them on the spam=BAD equation, then use money to do it. I wrote a lengthy memo (I don't recall whether I saved a copy or not) describing the possible negative side-effects of starting a spam campaign.
The primary negative was revenge. Ask them how they'd like to have their 800# shut down by people calling to complain, or how they'd like their main Web site (not just the spam machine) and network compromised and destroyed by anti-spam hackers. Ask how they'd like the fax machine to be constantly busy and out of paper. Ask how they feel about hauling in the lawyers to respond to complaints that they've violated California's anti-spam law (you don't have to be in California--you just have to spam someone in California). Even if they can show they didn't violate the law, it'll cost money to fight it.
When I made this argument to the marketing guy, he said that if someone did that to us, they'd be breaking the law. I told him that wouldn't prevent people from doing it! I also had him read CAUCE propaganda and other anti-spam materials.
I'm not sure whether he ended up seeing my point, or gave up out of frustration having to deal with me, but he gave up.
Is the real lesson here how to increase security on your Linux box, or how to perform forensic analysis after a crack attack, or why you should/shouldn't pick Linux? No. None of the above.
I have long contended that the applicable formula is
convenience = 1 / security
The safer you want your system to be, the less convenient it will be to use the system.
If you have a computer for fun and entertainment, you don't want to make keeping it secure a full-time job (unless, of course, that's your idea of fun). Take some reasonable precautions, keep good backups, don't tempt fate, and get on with life. If you get hacked, deal with it.
If you have a mission-critical system in a business environment, then hire a professional sysadmin to keep it secure. This is not a do-it-yourself job, whether you're using M$, Linux, Solaris, MacOS, OS/2, or BSD.
Actually, Cheetahs are considered the largest of the small cats, specifically because they can purr but not roar. Using them as an argument in the purr discussion is rather pointless.
I don't know where this whole "growl" thing came from. I learned that the big cats can roar, and small cats purr. Anyone who believes a small cat can't growl hasn't owned one (or hasn't seen one really pissed off).
I don't know if I'd agree that "ftp->archie->gopher->lynx" was the actual sequence there. Sure, gopher has a place in the parentage of the Web, but the breakthrough was in applying hypertext across the network.
Languages like SGML have as much place in the Web browser lineage as indexing programs like gopher.
So what you're saying, Magic, is that you like being told, "Even if you meticulously craft, draft, redraft, and spellcheck your email, I'm going to ignore it because some other idiots send in incomprehensible poorly-written drek"?
I still don't like it.
The facts (at least, I'm assuming them to be facts) and statistics in the article are saddening. There is, however, still a way to get your message through.
First, follow the rules they set. If you're writing about a specific issue, make the subject line of the message reflect the issue and your position. As an example, "Please vote NO on AB12345." Most emails, like most snail mails and faxes, are just used to tally support for a position. This means, of course, that the carefully thought-out and worded contents of your email will probably never be seen.
Second, identify yourself properly. Members of the House, for example, are elected to represent only members of their own district, and if you don't show a snail mail address in their district, they're not going to pay attention to your email.
Third, ask for action in a separate email. Not the one with the short, sweet "No on AB12345" header. Like I said, they probably didn't read it. Send an email asking for information or asking for some specific document (again, make the header clear and identify yourself). Staffers will deal with those, and if you phrase your message well, you can get across a point along with your request. If you phrase it extremely well, the staffer will pass it on to the boss.
There's no question, though, that emails get lower priority than phone calls, faxes, or snail mail. I don't like it, and I don't agree with it, but when the subject matters, I do my best to go around it.
How on earth did that troll get modded up?
Can any rational human being actually believe that songwriters and lyricists shouldn't have copyright protection for what they write? Much of the best music is written by people who do it for a living (not by the artists that perform it), and if they have no way to get paid for their work, they're going to stop doing it. If Ogerman was a music fan, he wouldn't believe that.
I'm an author and software engineer. I've written code that I've chosen to give away for free, and I've written articles and essays that I've chosen to give away for free (that's what we're all doing here on slashdot). But if we didn't have copyright protection on software, books, and articles, I wouldn't have had the opportunity to develop my writing and coding skills over the last 20+ years, and I wouldn't be producing much worth giving away. Without the ability to make a living at it, innovation in songwriting, software development, and writing would shrivel up and die.
Oh, and by the way, Ogerman, you haven't mentioned what you do for a living. Take your ridiculous sig and apply it to your own work. Do you give away your time for free every day?
The majority of the pro-8.3 arguments in these comments boil down to either "I don't use long names, so you shouldn't either" or "Because that's the way we've always done it."
How about a different perspective? First of all, I don't know about the rest of you, but I rename virtually every file I pull off the Internet, unless it's a part of a large set that depends on its name to fit in (like a piece of Linux source code or a group of HTML/XML/HGML documents that link to each other).
Arguing that people put spaces in long names, so 8.3 is better is ludicrous. You want to limit me to 8 descriptive characters because somebody else might come up with a name you don't like? I happen to use a lot of names like "FrobozzDriverInstallW32V4.zip" or "foobar_source_8.tar"
But hey, if you want to use 8.3 filenames on your stuff, feel free. I don't really care. Just don't tell me that I can't use more descriptive names on my stuff.
The link posted with the story didn't provide a whole lot of information, but you can get all you need to know at the 2001 documentation section of the FIRST Web site.
This competition is a lot more education-oriented than "battlebots," and looks like a lot more fun.
Matt2413 wrote, "Anytime you call an 800 number, your caller ID is available for display."
True, but utterly irrelevant. We're discussing geographically locating an Internet connection, based on stuff like your IP address. When dialed in through an 800 number, your caller ID may be logged by the ISP, but it's not visible to other servers on the Web.
This will never be workable.
First, the use of VPNs and VLANs makes it just about impossible to find people. I am currently connected to my employer's network, behind their firewall, despite being over an hour's drive away at my home. I could just as easily be across the country. You have no way of telling where my notebook computer is connected. Until IPv6 is deployed, this will only get more common, as will use of NAT (network address translation) and PAT (port address translation), both of which make it impossible to locate a system by IP address.
Secondly, proxy servers make it easy to dodge geographical constraints, for those who wish to do so.
Third, ISPs often offer 800 numbers in addition to the local POPs. How is anyone supposed to know where you are when you're dialed up through an 800 number?
A local government does not (and should not) have jurisdiction over the Internet any more than it has jurisdiction over satellite television and radio broadcasts from neighboring towns or countries.
Billy Gates wrote, "All major OSI protocols use the mac address in their protocols for authentication."
No, they don't. The MAC address is used at Layer 2 (only) for switching, not for authentication.
You can't use the MAC address for authenticating anything outside your own subnet because of the fundamental way that routing works. Take this example:
You send a packet out on your LAN, intended for the SlashDot Web server. The source MAC and IP address are your own. The destination IP is SlashDot. The destination MAC is the router that connects your LAN to the Internet.
Your router's interface card sees your packet. Since the destination MAC address belongs to your router, it accepts the packet, and strips off the OSI Layer 2 header, which is where your MAC address lives. Your router determines the next router in the chain, and generates a new Layer 2 header with the next router's MAC address as a destination and its own (your router's) MAC address as a source.
At each step in the chain (try a traceroute to see how long a typical chain is), the Layer 2 header is stripped and regenerated, and the previous MAC address is forgotten. The system at the other end has no way to check the validity of the sender using a MAC address because it has no idea what the MAC address is for the packet's original sender.
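The hop-by-hop rewrite described in the comment above, as an added example that is not part of the original comment: a packet is framed, passed through three routers that each discard and rebuild the Ethernet header, and parsed at the far end. All MAC and IP addresses are constructed sample values, and the helper names and the ingress/egress MAC pair per router are assumptions of this sketch.

```python
import struct

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(p) for p in s.split("."))

def checksum(hdr20):
    # RFC 1071 ones'-complement sum over the 20-byte IPv4 header
    total = sum(struct.unpack("!10H", hdr20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_packet(src, dst, ttl, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, ttl, 6, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def frame(dst_mac, src_mac, packet):
    # Ethernet II header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + packet

def route(frm, ingress_mac, egress_mac, next_hop_mac):
    """One router hop: accept the frame, drop its L2 header, re-frame the packet."""
    if frm[:6] != mac(ingress_mac):
        raise ValueError("frame is not addressed to this router")
    pkt = bytearray(frm[14:])          # the old Ethernet header is discarded here
    pkt[8] -= 1                        # decrement TTL
    pkt[10:12] = b"\x00\x00"           # zero the checksum field, then recompute
    pkt[10:12] = struct.pack("!H", checksum(bytes(pkt[:20])))
    return frame(next_hop_mac, egress_mac, bytes(pkt))

def deliver(client_mac, client_ip, server_mac, server_ip, routers):
    """routers: list of (ingress_mac, egress_mac). Returns the frame the server sees."""
    frm = frame(routers[0][0], client_mac,
                ip_packet(client_ip, server_ip, 64, b"GET /"))
    for i, (ingress, egress) in enumerate(routers):
        nxt = routers[i + 1][0] if i + 1 < len(routers) else server_mac
        frm = route(frm, ingress, egress, nxt)
    return frm

def parse(frm):
    return {"dst_mac": frm[:6].hex(":"), "src_mac": frm[6:12].hex(":"),
            "src_ip": ".".join(map(str, frm[26:30])), "ttl": frm[22]}

# Constructed sample values: locally administered MACs, documentation-range IPs
CLIENT_MAC, SERVER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:99"
ROUTERS = [("02:00:00:00:01:01", "02:00:00:00:01:02"),
           ("02:00:00:00:02:01", "02:00:00:00:02:02"),
           ("02:00:00:00:03:01", "02:00:00:00:03:02")]

if __name__ == "__main__":
    print(parse(deliver(CLIENT_MAC, "192.0.2.10", SERVER_MAC, "198.51.100.80", ROUTERS)))
```

The server's view keeps the client's source IP but carries the last router's egress MAC as the source, which is why MAC-based allow-lists only mean anything on the local segment.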
That's not a bad summary, but it has a few technical errors in it:
"For each sequential packet, a new ISN is generated."
As others have pointed out, the ISN is the initial sequence number. The sequence number of the nth packet in a session is ISN+n.
"For every packet the server sends the client, the client MUST respond with an ACK message."
It's a bit more complex than that. The protocol allows you to ack not every packet, but every n packets, with each ack containing the sequence number of the next packet you're expecting to receive. If n was set to 5, then packets 1 to 4 would get no ACK, and packet 5 would ack with 6+ISN.
bay43270 uttered, "Students can do this today on a pair of $150 palms and their ir ports".
And how many classrooms have you been in where you could establish an IR (line-of-sight) link with someone not in the classroom without being really obvious?