Econ 101 moron... If as you rightly state Karaoke is a niche market it certainly isn't large enough to support 12 labels... Hell, there are only 4 recording labels left in the country for MAINSTREAM music...
Niche markets have 1 or 2 dominant players and everyone else dies... that is what a niche market is.
WRONG... The *MICROSOFT RECOMMENDED* upgrade path from XP to Win 7 is to upgrade XP to Vista SP1 then upgrade Vista SP1 to Win 7. That is how you're *SUPPOSED* to do it.
Sure it makes no sense for desktop applications, but your argument is *EXACTLY* why it makes sense for web applications.
I've never had a "web server" for a desktop machine... By that I mean a machine with no GUI, no compiler, just an interpreter (for php, python, ruby, whatever your choice is) and a web server...
Having to constantly "recreate" the web server environment on my desktop/laptop machine is a headache which regardless presents no end of incompatibilities. On my desktop I run ubuntu, and I have a macbook pro laptop... now, try to get the exact same version of apache, python, postgressql, modpython, and all the other supporting cast members on those 2 machines and on the RHEL 5 servers the company mandates for server OS.... And then you start to see the problem of developing web apps on your desktop machine...
If there was a nice web based IDE we could plunk on the server itself, it would save literally hundreds if not thousands of man hours reconfiguring desktop/laptop machines across our team of 10 developers (about 30 machines total) to "match" our production environment so that when we deploy we don't say "Oh.. crap the server only has python 2.4 but I developed this against 2.5 and the feature I used isn't there..." Or any number of small and subtle bugs we've run into over the years because of minor version mis-matches, packages named/installed differently across architectures, one system having a built in package for foo while the production system doesn't, requiring either a compile from source or reworking the code entirely to remove that dependency (more often its the desktop OS that doesn't have a package, requiring a build from source)....
In short developing web apps on a desktop machine is an IT nightmare... it would be great if I could build on the server itself... Obviously we have test servers... and that is where the dev would happen, but the test servers are configured *JUST LIKE* the production servers... and its easy cause they are the same OS.
Doing bad things on the internet is illegal too (maybe not lying about who you are specifically) but, I've seen lots of complaints on this forum and others about how hacking laws are too strict.
The FBI has broad powers to pursue and prosecute IT crimes of all types.
Just because someone has powers to prosecute crimes doesn't mean it works... We still don't know who sent the anthrax through USPS after 9/11. Man those postal inspectors sure are effective.
This would really only work for new products/services as opposed to improving existing things I think, but I suggest a new product, with my help the company builds it, I should get some percentage of the profits of said product... If its not profitable, I don't make anything extra.
I have at least 10-20 ideas of new things that should be built at any one time... Sure not all of them are germane to my current employer's business, but at least 5 of them are. Will I give them to this company? No, not unless something like the above is implemented to reward me. 2 or 3 of them I've already implemented in my spare time with my own resources and outside of my contract of employment entirely.. I could turn over a nearly finished product...
With improvements to existing products or services, it would be near impossible to measure the "profitability" of the improvement, so maybe a one time bonus of $100-300 for each improvement that is accepted and implemented.
Well it changes the user agent.. I assume to say firefox is IE, thus making firefox's market share look smaller, making firefox appear less relevant to pointy haired bosses everywhere.
Even if *EVERYONE* in the NSA who knows about these programs voted against the people who implemented them or more specifically voted against the people who nominated the people who implemented the programs... without telling *OTHER PEOPLE* why they are voting the way they are they won't be able to effect change by voting. There aren't enough people who "know" about the classified programs to effect change without.
Besides, how can monitoring journalists communications ever protect america from anything?
yeah unfortunately that is exactly how the patent system works. Trademark is the only IP that you have to "protect" proactively or risk loosing.
With patents it is 100% acceptable to patent a bunch of ideas and then wait for someone else to develop them commercially, and then sue them and take the profits.
sorry to reply again.. The ladder in IT is what you are saying... My big "bump" in pay happened when I moved from IT to Software Development. I made this mistake (graduated in 01), and "took what I could get" which was a network admin job for 35k/yr... I spent the next 4 years building my software dev resume through open source, and various personal projects... Finally in 05 I got a nice bump when I got my first software development job, which was hard to get, because of my experience on my resume (I interviewed for software dev jobs through 03, 04, and 05, and was consistently turned down because I had so much network/system admin experience on my resume). I found it actually helped to delete all my network admin/system admin experience, the hiring manager where I finally got the job I talked to him after I had the job and showed him my "old" resume he said he wouldn't have even called me back based on it. Point being the wrong experience can be extremely detrimental if it isn't focused enough on where you want to go.
However, I have a friend who graduated last year (spring of 07) (he is about 5 years younger than I), anyway, he got 4 offers and already makes the same amount I do... with 1 year of experience vs my 8 years of experience... Point being, if he wants to be in security, he better get experience in security. Any other experience doesn't count when you actually get to the career you want.
It may be... but that isn't what these studies said... Students who stayed in school an extra year or two easily made up for extra debt and the lost earnings for those couple years by graduating in a good economy.
Uh... how so? The article cited studies by Standford and Harvard economists who studied the lives of graduates during the 80-82 recession the 90-91 recession and the 87 market crash... In all 3 cases graduates of those years significantly under earned graduates with similar degrees from the years immediately surrounding the recession years for example the graduating classes of 78,79, and 83 all earned significantly more over the next 20 years than their peers who graduated during the recession. Same for the market crash in 87, classes of 86 and 88 earned much more over the next 20 years... obviously 20 years haven't elapsed yet on the 91 recession, but the trend is still in place through 15 years graduates of the classes surrounding the recession are much better off.
this is the worst advice on this board.. There is no such thing as "climbing the ladder" multiple studies by economists at Stanford and Harvard have confirmed this. Aim high, get the job you want for the pay you want or stay in school, any other choice will hurt your earnings potential for literally decades to come.
If you "take whatever you can get" now, you will artificially hurt your earnings potential because generally you will only ever get a cost of living raise and 3-5% of 40k for 20 years puts you way way behind 3-5% of 60 or 70k over 20 years. And unless you can change your career, you won't get a big bump in salary when the economy improves. Even if the economy gets a lot better, they aren't going to suddenly give you a 20 or 30% raise for the same or similar job you've been doing for much less.
sorry to reply to self... these are CS and Information Systems grads from a majory private US university... They are in the tech field... just not specifically "network security" jobs.
I have a couple friends graduating this year, they are in a bad way... Last year graduates from the same school, with the same degree all had 3-4 offers and could basically pick where they wanted to live and what company they wanted to work for...
This year students are lucky if they've got 1 offer, and the offers are 30-40% below last year's offers. All the big companies have hiring freezes or are outright laying people off.
Just read an article on CNBC about how graduating in a recession will hurt your earnings potential for as much as 20 years... I'd recommend staying in school til things recover.
it doesn't contribute to google's business model, the rumor speculates that this is a bit like big table, and the rest of google's internal stuff. Basically they can't buy routers to handle internal traffic that satisfy their needs, so they are building their own for use in their data centers (ala big table, where they built a db technology rather than use oracle, or some other existing tech)
Ok, as to "tracking all movements of all cars" that is obviously not going to happen. The only way this would be enforceable would be in conjunction with the registration process for cars.
A) you implement the tax B) first time you register your car after the tax is implemented the state takes down the odometer reading and stores it in a DB with the VIN C) Next year when you register again, take reading again, compare to last years reading, subtract, multiply by.012 and add that to the bill for registration. Easy, clean, simple to implement, no mass tracking...
It's really a pretty minimal tax if you drive 20k miles in a year its only $240. I don't even drive 20k miles in a year and I drive more than most people I know.
well... could you not condense the "baliwick" to say in this case the NS record is ns.mydomain.lu, so I can cache things in the glue that pertain to ONLY THAT exact host name?
To me the fundamental problem is that in the DNS system as it currently stands, the "client" can ask one question and get back an unrelated answer (IE I asked for the nothere.mydomain.com address, and got back an answer for www.mydomain.com (in the glue), so I'll happily cache that...) when I should only be caching things I asked for... In the chicken and egg problem, if I ask for an authoritative source of info, I'm expecting an NS record and some glue with the A record for that NS, that would in my mind be a valid thing to cache, it is what I asked for, if the glue also contains an A record for www.mydomain.com, well tough, I can't cache it www.mydomain.com does not match the name in the NS record... I just can't see how limiting the caching to that level of exactness would necessarily completely break the system.
Granted, someone could try to use this to still take over the whole domain (IE, I ask for who's authoritative for a domain, and then I get blasted with responses saying "attackers site!") but that attack would be much less likely to succeed, because you wouldn't have the opportunity to keep asking for unknown hosts, once the server asked once for the domain, it would cache the NS, and no longer ask on each successive query for a non-existent A record for the authoritative NS for the domain... until the TTL on the NS record was reached...
I see that the glue is useful, if only in decreasing transaction volume. But my real question was "why do we cache the glue". I would say the rule should be "if it isn't exactly what I asked for, I won't cache it". This would stop someone being able to poison the cache through a response to a different question.
We could make the DNS servers smarter... IE if I ask for www.example.com and the root replies with a list of NS servers for.com, well I can use that answer including the glue IN THIS TRANSACTION only to then skip the extra request to get the IPs of the NS servers, if I want to cache the IPs of the.com NS servers, then I need to make an explicit request asking for the A record of the NS.
Seems like this would be a pretty simple change in the DNS server software itself, and it would only increase traffic initially to the root servers, or periodically when caches expire, DNS servers would then not overwrite their cache with anything from the glue, which to me seems like the root of this problem
That's fine and all... but why does DNS cache the "extra" info at all? I can understand sending it along in an RR, as that saves a trip, but I would say the "rule" should be, no DNS server should cache anything it didn't explicitly ask for. That change alone eliminates this problem completely, and yeah it will increase some traffic because things can't be cached that are being cached now, but, it wouldn't be hard for the server to be set up if it gets a CNAME back, to then query specifically for that name if it wants to cache it.
So, this is the first I've read in depth about this attack (its been 3 years since I was in IT, and in charge of DNS servers, patches, and all the rest...)
So the attack works by asking for a non-existant domain (ie nothere.domain.com), then blasting the DNS server with response packets that have a RR for www.domain.com, and then the DNS server caches the www RR because it passes the "baliwick" test...
So, uh... why not just turn off caching of everything besides the *ACTUAL* request? What would that break? Seems like that would be a very very easy fix, and would eliminate the problem completely wouldn't it?
Unless what is happening is that the spoofed response packets are actually responses for www.domain.com, and then still why is the DNS server asking for something (nothere.domain.com) and caching a response for something else (www.domain.com)? It really seems stupid to me, and I don't see any reason why DNS should be caching info that it didn't ask for.
Any DNS gurus out there care to explain the rational for that? Or do I have the attack wrong?
I also love it when they do that because 6-12 months from now I get the job anyway and get paid 150% of what I would have been paid in the first place to come in and clean up the mess:)
Slashdot Mirror
Econ 101 moron...
If as you rightly state Karaoke is a niche market it certainly isn't large enough to support 12 labels... Hell, there are only 4 recording labels left in the country for MAINSTREAM music...
Niche markets have 1 or 2 dominant players and everyone else dies... that is what a niche market is.
WRONG...
The *MICROSOFT RECOMMENDED* upgrade path from XP to Win 7 is to upgrade XP to Vista SP1
then upgrade Vista SP1 to Win 7. That is how you're *SUPPOSED* to do it.
Sure it makes no sense for desktop applications, but your argument is *EXACTLY* why it makes sense for web applications.
I've never had a "web server" for a desktop machine... By that I mean a machine with no GUI, no compiler, just an interpreter (for php, python, ruby, whatever your choice is) and a web server...
Having to constantly "recreate" the web server environment on my desktop/laptop machine is a headache which regardless presents no end of incompatibilities. On my desktop I run ubuntu, and I have a macbook pro laptop... now, try to get the exact same version of apache, python, postgressql, modpython, and all the other supporting cast members on those 2 machines and on the RHEL 5 servers the company mandates for server OS.... And then you start to see the problem of developing web apps on your desktop machine...
If there was a nice web based IDE we could plunk on the server itself, it would save literally hundreds if not thousands of man hours reconfiguring desktop/laptop machines across our team of 10 developers (about 30 machines total) to "match" our production environment so that when we deploy we don't say "Oh.. crap the server only has python 2.4 but I developed this against 2.5 and the feature I used isn't there..." Or any number of small and subtle bugs we've run into over the years because of minor version mis-matches, packages named/installed differently across architectures, one system having a built in package for foo while the production system doesn't, requiring either a compile from source or reworking the code entirely to remove that dependency (more often its the desktop OS that doesn't have a package, requiring a build from source)....
In short developing web apps on a desktop machine is an IT nightmare... it would be great if I could build on the server itself... Obviously we have test servers... and that is where the dev would happen, but the test servers are configured *JUST LIKE* the production servers... and its easy cause they are the same OS.
yeah but it sucks when all the *good* charges are thrown out on the first day...
Doing bad things on the internet is illegal too (maybe not lying about who you are specifically) but, I've seen lots of complaints on this forum and others about how hacking laws are too strict.
The FBI has broad powers to pursue and prosecute IT crimes of all types.
Just because someone has powers to prosecute crimes doesn't mean it works... We still don't know who sent the anthrax through USPS after 9/11. Man those postal inspectors sure are effective.
Some form of defined ongoing benefit...
This would really only work for new products/services as opposed to improving existing things I think, but I suggest a new product, with my help the company builds it, I should get some percentage of the profits of said product... If its not profitable, I don't make anything extra.
I have at least 10-20 ideas of new things that should be built at any one time... Sure not all of them are germane to my current employer's business, but at least 5 of them are. Will I give them to this company? No, not unless something like the above is implemented to reward me. 2 or 3 of them I've already implemented in my spare time with my own resources and outside of my contract of employment entirely.. I could turn over a nearly finished product...
With improvements to existing products or services, it would be near impossible to measure the "profitability" of the improvement, so maybe a one time bonus of $100-300 for each improvement that is accepted and implemented.
a little sad the the species doesn't want to be computer literate.
I'm sure a large portion of the species wishes that they didn't have to study algebra, trig, chemistry or physics...
yeah that's the large portion of the species that will be poor, starving, and useless in the next 100 years. I'm glad I'm not one of them.
Well it changes the user agent.. I assume to say firefox is IE, thus making firefox's market share look smaller, making firefox appear less relevant to pointy haired bosses everywhere.
you must be an idiot.
Even if *EVERYONE* in the NSA who knows about these programs voted against the people who implemented them or more specifically voted against the people who nominated the people who implemented the programs... without telling *OTHER PEOPLE* why they are voting the way they are they won't be able to effect change by voting. There aren't enough people who "know" about the classified programs to effect change without.
Besides, how can monitoring journalists communications ever protect america from anything?
we'd also immediately eliminate 10% of our economy.... but yeah otherwise great idea
yeah unfortunately that is exactly how the patent system works. Trademark is the only IP that you have to "protect" proactively or risk loosing.
With patents it is 100% acceptable to patent a bunch of ideas and then wait for someone else to develop them commercially, and then sue them and take the profits.
LOL, classifying NYC as a "decent local economy" these days...
Heartening story though, thanks :) Everything I've heard from grads this year is absolutely abysmal.
sorry to reply again.. The ladder in IT is what you are saying... My big "bump" in pay happened when I moved from IT to Software Development. I made this mistake (graduated in 01), and "took what I could get" which was a network admin job for 35k/yr... I spent the next 4 years building my software dev resume through open source, and various personal projects... Finally in 05 I got a nice bump when I got my first software development job, which was hard to get, because of my experience on my resume (I interviewed for software dev jobs through 03, 04, and 05, and was consistently turned down because I had so much network/system admin experience on my resume). I found it actually helped to delete all my network admin/system admin experience, the hiring manager where I finally got the job I talked to him after I had the job and showed him my "old" resume he said he wouldn't have even called me back based on it. Point being the wrong experience can be extremely detrimental if it isn't focused enough on where you want to go.
However, I have a friend who graduated last year (spring of 07) (he is about 5 years younger than I), anyway, he got 4 offers and already makes the same amount I do... with 1 year of experience vs my 8 years of experience... Point being, if he wants to be in security, he better get experience in security. Any other experience doesn't count when you actually get to the career you want.
It may be... but that isn't what these studies said... Students who stayed in school an extra year or two easily made up for extra debt and the lost earnings for those couple years by graduating in a good economy.
Uh... how so? The article cited studies by Standford and Harvard economists who studied the lives of graduates during the 80-82 recession the 90-91 recession and the 87 market crash... In all 3 cases graduates of those years significantly under earned graduates with similar degrees from the years immediately surrounding the recession years for example the graduating classes of 78,79, and 83 all earned significantly more over the next 20 years than their peers who graduated during the recession. Same for the market crash in 87, classes of 86 and 88 earned much more over the next 20 years... obviously 20 years haven't elapsed yet on the 91 recession, but the trend is still in place through 15 years graduates of the classes surrounding the recession are much better off.
this is the worst advice on this board.. There is no such thing as "climbing the ladder" multiple studies by economists at Stanford and Harvard have confirmed this. Aim high, get the job you want for the pay you want or stay in school, any other choice will hurt your earnings potential for literally decades to come.
If you "take whatever you can get" now, you will artificially hurt your earnings potential because generally you will only ever get a cost of living raise and 3-5% of 40k for 20 years puts you way way behind 3-5% of 60 or 70k over 20 years. And unless you can change your career, you won't get a big bump in salary when the economy improves. Even if the economy gets a lot better, they aren't going to suddenly give you a 20 or 30% raise for the same or similar job you've been doing for much less.
sorry to reply to self... these are CS and Information Systems grads from a majory private US university... They are in the tech field... just not specifically "network security" jobs.
I have a couple friends graduating this year, they are in a bad way... Last year graduates from the same school, with the same degree all had 3-4 offers and could basically pick where they wanted to live and what company they wanted to work for...
This year students are lucky if they've got 1 offer, and the offers are 30-40% below last year's offers. All the big companies have hiring freezes or are outright laying people off.
Just read an article on CNBC about how graduating in a recession will hurt your earnings potential for as much as 20 years... I'd recommend staying in school til things recover.
it doesn't contribute to google's business model, the rumor speculates that this is a bit like big table, and the rest of google's internal stuff. Basically they can't buy routers to handle internal traffic that satisfy their needs, so they are building their own for use in their data centers (ala big table, where they built a db technology rather than use oracle, or some other existing tech)
Ok, as to "tracking all movements of all cars" that is obviously not going to happen. The only way this would be enforceable would be in conjunction with the registration process for cars.
A) you implement the tax .012 and add that to the bill for registration. Easy, clean, simple to implement, no mass tracking...
B) first time you register your car after the tax is implemented the state takes down the odometer reading and stores it in a DB with the VIN
C) Next year when you register again, take reading again, compare to last years reading, subtract, multiply by
It's really a pretty minimal tax if you drive 20k miles in a year its only $240. I don't even drive 20k miles in a year and I drive more than most people I know.
well... could you not condense the "baliwick" to say in this case the NS record is ns.mydomain.lu, so I can cache things in the glue that pertain to ONLY THAT exact host name?
To me the fundamental problem is that in the DNS system as it currently stands, the "client" can ask one question and get back an unrelated answer (IE I asked for the nothere.mydomain.com address, and got back an answer for www.mydomain.com (in the glue), so I'll happily cache that...) when I should only be caching things I asked for... In the chicken and egg problem, if I ask for an authoritative source of info, I'm expecting an NS record and some glue with the A record for that NS, that would in my mind be a valid thing to cache, it is what I asked for, if the glue also contains an A record for www.mydomain.com, well tough, I can't cache it www.mydomain.com does not match the name in the NS record... I just can't see how limiting the caching to that level of exactness would necessarily completely break the system.
Granted, someone could try to use this to still take over the whole domain (IE, I ask for who's authoritative for a domain, and then I get blasted with responses saying "attackers site!") but that attack would be much less likely to succeed, because you wouldn't have the opportunity to keep asking for unknown hosts, once the server asked once for the domain, it would cache the NS, and no longer ask on each successive query for a non-existent A record for the authoritative NS for the domain... until the TTL on the NS record was reached...
I see that the glue is useful, if only in decreasing transaction volume. But my real question was "why do we cache the glue". I would say the rule should be "if it isn't exactly what I asked for, I won't cache it". This would stop someone being able to poison the cache through a response to a different question.
We could make the DNS servers smarter... IE if I ask for www.example.com and the root replies with a list of NS servers for .com, well I can use that answer including the glue IN THIS TRANSACTION only to then skip the extra request to get the IPs of the NS servers, if I want to cache the IPs of the .com NS servers, then I need to make an explicit request asking for the A record of the NS.
Seems like this would be a pretty simple change in the DNS server software itself, and it would only increase traffic initially to the root servers, or periodically when caches expire, DNS servers would then not overwrite their cache with anything from the glue, which to me seems like the root of this problem
That's fine and all... but why does DNS cache the "extra" info at all? I can understand sending it along in an RR, as that saves a trip, but I would say the "rule" should be, no DNS server should cache anything it didn't explicitly ask for. That change alone eliminates this problem completely, and yeah it will increase some traffic because things can't be cached that are being cached now, but, it wouldn't be hard for the server to be set up if it gets a CNAME back, to then query specifically for that name if it wants to cache it.
So, this is the first I've read in depth about this attack (its been 3 years since I was in IT, and in charge of DNS servers, patches, and all the rest...)
So the attack works by asking for a non-existant domain (ie nothere.domain.com), then blasting the DNS server with response packets that have a RR for www.domain.com, and then the DNS server caches the www RR because it passes the "baliwick" test...
So, uh... why not just turn off caching of everything besides the *ACTUAL* request? What would that break? Seems like that would be a very very easy fix, and would eliminate the problem completely wouldn't it?
Unless what is happening is that the spoofed response packets are actually responses for www.domain.com, and then still why is the DNS server asking for something (nothere.domain.com) and caching a response for something else (www.domain.com)? It really seems stupid to me, and I don't see any reason why DNS should be caching info that it didn't ask for.
Any DNS gurus out there care to explain the rational for that? Or do I have the attack wrong?
I also love it when they do that because 6-12 months from now I get the job anyway and get paid 150% of what I would have been paid in the first place to come in and clean up the mess :)