Slashdot Mirror


User: anticypher

anticypher's activity in the archive.

Stories: 0
Comments: 998

Comments · 998

  1. Re:Some notes from the Phorm sales pitch on Berners-Lee Rejects Tracking · · Score: 1

    did you mean that Phorm's servers intercept everything coming across my connection

    Have a look at how BT will be implementing the Phorm interceptor line tap. The equipment is located where it intercepts all flows from all customers on the exchange, filtering out port 80 traffic to be passed to the F5 interception engine. The box known as "ACE" in the slides is provided, configured, and administered by Phorm, although it officially is "gifted" in accounting terms to the ISP to circumvent UK privacy laws.

    Nobody knows exactly what the "ACE" box is, but from where it is positioned in the ISP network, it can intercept, alter, or block all your traffic. Not just your web traffic, ALL your traffic.

    the AC

  2. Some notes from the Phorm sales pitch on Berners-Lee Rejects Tracking · · Score: 4, Interesting

    Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people's observations in the ensuing PR war. Phorm's sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

    Phorm has hired a specialty PR company, Citigate Dewe Rogerson to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I've seen Dutch, German and French language follow-up posts in the last few weeks.

    Phorm has addressed the main part of pesky privacy laws in Europe by "gifting" the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm's technical team. If the equipment stays 5 years in the ISP's premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn't left their network should post-analysis show the customer has "opted-out" of passing the information to Phorm's China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

    The Phorm collectors sit inside the ISP's network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP's network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

    The problem I, and others, had with Phorm's plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

    As an example, let's take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can't be tricked by slashdot's servers to return cookies from digg or google.

    With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which responds with a 302 redirect to spyware.ru, the browser then does a lookup and redirect to the new site. Note that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begi

  3. Re:Wrong question... on A Good Style Guide Under the Creative Commons? · · Score: 1

    I came here to say that. Except for the part about marketing, which is possibly the worst advice you could give. Marketing should only have minimal input, with neither approval nor veto power over the project, or you will end up with neon blink tags and worse.

    This is a job for someone who has prior experience in creating Human Interface Guidelines, who can create a set of guidelines for your company free from any plagiarism or theft of Creative Commons licensed material. There is a substantial amount of work to be done to create this, it isn't just another task to be tacked onto your 80 hour weeks in the run-up to shipdate.

    You have to tread carefully with CC licensed stuff. Just because it's on the internet doesn't mean it's completely free for you to do with what you will. Does the original author want attributions? If so, then everywhere in your Interface Guidelines you must put attributions, something that may clutter up or cheapen your work.

    The great thing about CC is that if you find someone who has published their work under CC and it mostly fits your project, you now have a good lead on hiring them to make a derivative of their work specifically for you. You've already seen the quality of their work, and you know they are modern and cool enough to use CC for their own purposes.

    You need to go back to your boss and explain that a HIG book is not the responsibility of the geeks in IT or product development, it should come straight out of the marketing budget. You also have to balance the absolute requirement that marketing can't have any input other than basic guidance, because any radical changes to the HIG means scrapping the work to date and starting over. Tell your boss that the company needs to hire a professional for this important part of your project, and no IT person is qualified to do it.

    the AC

  4. Re:Bob Metcalfe, hater of open source on Where's Our Terabit Ethernet? · · Score: 2, Interesting

    I had the pleasure to work on projects associated with Metcalfe at the beginning of my career, notably the migration of Ethernet I to Ethernet II standard. He was an autistic, anti-social, self-centered, egotistical curmudgeon from the start, and despite those charming qualities he nevertheless adopted an ivory-tower academic approach in his later life of hating anything created since his 15 minutes of brilliance.

    He can always point to DJB as a worse curmudgeon, so there is that solace in knowing he isn't the most disrespected has-been still seeking the limelight.

    the AC

    I don't think a smattering of emoticons in this post will stave off the imminent hater responses, and there isn't really anything I'd put a smiley to.

  5. Re:7.6% on EU Fines Microsoft $1.3 Billion · · Score: 1

    They have also accounted for US$900 million of this fine in advance, and gave those numbers at the last quarterly analysts conference as a future debt. So their stock price has already adjusted downward for this event, the only difference is the continued slide of the dollar vs. the euro.

    Can somebody else google up a link to the last earnings meeting? Micro$oft getting ready to pay this fine is somewhere mentioned in that meeting, they expect to be able to pay it over at least 4 quarters, and were hoping to spread the payments over an even longer period of time. They didn't make any remarks about trying one more legal defence or appeal, so I doubt they'll even bother.

    Cost of doing business

    the AC

  6. Typical scammer behaviour on P2P Scammers' Lawyers Attack Open Source Team · · Score: 4, Informative

    Although TFA mentions the French equivalent of the RIAA, I'm puzzled at which it could be. Is it the IFPI, or the only group with legal jurisdiction in France, the SNEP? I can't find any other reference to France or French companies.

    The original shareaza.com site resolves to an IP address (207.232.22.55) in New York, but listed with a fake front company with an Israeli ISP. The ISPs netvision.net.il and elron.net are known pink-contract, i.e. spammer friendly, hosting companies, they've been known to set up netblocks for spammers and run them until they are in every blacklist, then migrate in another netblock for the spammers. Most of the dodgy hosting is done in the U.S. and Russia. elron.net has been associated with the Russian Business Network, but a quick google doesn't turn up any easy links to back that up.

    Someone posted above about shareazasecurity.be (195.47.247.137), but that goes to a server hosted in Denmark.

    Although there is some mis-direction by throwing international company names into the mix (a classic scammer tactic), this appears to be mostly a U.S. based operation.

    the AC

  7. Re:Well duh on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 2, Insightful

    True, I've never worked for UUNET, but given their reputation I could believe they still have Cisco 7500s in their core. And I wouldn't count UUNET's carrier core as an ISP.

    Around here most of the core kit installed in Tier-1 and Tier-2 backbones is Juniper M and T series, Cisco 3700, 12000 and CRS-1, Nortel optical DWDM carrier components, and Foundry MLX and XMR series. There is now starting to be more Alcatel-Lucent and Huawei kit seen in lower cost areas.

    I never said that core kit was entirely replaced every few years, but as the core components get upgraded, the lesser capable machines get pushed out towards edge functions. Top of the line kit from 2000 just isn't going to be able to handle today's routing tables, MPLS functions, or new 10G, 40G or OC768 interfaces. But that older kit will do fine feeding less demanding clients.

    Migration of old kit is a constant, slow and absolutely necessary function in any well managed carrier network. There are also buy-back programs from the big manufacturers, and plenty of reselling of older machines to finance purchase of new kit. I can believe what you have seen in Tier-3 ISPs with a few hundred or few thousand customers could be a decade old, but that's not what I consider backbone.

    the AC

  8. Re:Migration to IPv6 (it's on it's way) on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 1

    I've asked before if /. is truly geek enough to be the first major tech site to start testing IPv6 connectivity. It's time to ask again, so slashdot people, consider it asked, again.

    Slashdot has good admins and programmers behind it. Certainly CmdrTaco seems to be constantly improving the slashcode base, and for those of us with low IDs we can see the improvements being rolled out on a regular basis (and it's all appreciated, despite occasional grumbling, thanks all).

    What needs to happen is for one of their more competent OSTG network admins to obtain a tunnel from either Hurricane Electric or Sixxs. If they were to send an email to one of the people at either HE or Sixxs, there would probably be all kinds of technical assistance offered. Both tunnel providers have ubergeeks behind them, and a high profile site like /. would be a major win for them.

    Putting the tunnel on one of their Cisco 3745 routers is about 9 lines in IOS for the routing and interface addressing, and a handful of ACLs to protect the router on the new addresses. Finish it off by providing a /64 subnet to the VLAN where one of their test or development webserver machines resides.

    After that, the fun begins. They can put a static IPv6 address onto one of the test or development machines, make Apache bind to it, and they will be off and running. More like off and limping, because there will be work to do before they are ready to make any kind of announcements or even put the AAAA record into DNS. They'll have to make sure the local firewall also deals with IPv6 addresses, and a ton of other little sysadmin things to make sure badness doesn't sneak in on the new connectivity.

    First off, CmdrTaco will probably find bugs or deficiencies in the slashcode and database structures when dealing with a new address family. There WILL be bugs found in perl network modules and in mySQL. Logging scripts may need to be updated. Statistical packages run against logs may choke or ignore longer addresses. Some functions may mangle colon delimited addresses. RSS feeds may not deal with square brackets around v6 addresses. Although there will be some things needing fixing, a surprising amount will just work with IPv6 with no modification.

    When most of it seems to be functional, they can stick a separate AAAA record in their DNS for something like ipv6.slashdot.org and ask those of us with connectivity to test for a while. No need yet to add it to the main A record of slashdot.org. Just get it out for those of us with IPv6 to test.

    Even if the network admins were to have the tunnel up by next week, I wouldn't expect to see even basic functionality before mid-summer, and if limited testing all went well to just put a AAAA record in parallel by the end of 2008. It takes a while, but it can be done.

    When /. does have a working IPv6 code base, they can put pressure on their upstream provider to get native v6 connectivity, because a tunnel isn't going to hold up for too long.

    All website upgrades are going to follow a path like what I've just described. The networking takes almost no effort, but the coding of website functionality will require some work, work that can be rolled into ongoing website maintenance.

    I've been thinking about this post for the last few IPv6 stories on /., this seemed like a good time to point out the easy and hard parts for a dual-stack rollout. After this, we can only wait and hope...

    the AC
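The address-handling breakage the comment above anticipates (fields split on colons, v6 literals wrapped in square brackets), as an added example that is not part of the original comment and is not Slashcode. The log layout, function names and sample lines are assumptions constructed for illustration, and grouping IPv6 clients by /64 is just one possible choice for statistics.

```python
import ipaddress
from collections import Counter

def naive_split(endpoint):
    """IPv4-era habit: host is whatever precedes the first colon."""
    host, _, port = endpoint.partition(":")
    return host, port

def parse_endpoint(endpoint):
    """Parse 'v4', 'v4:port', 'v6', '[v6]' or '[v6]:port'.

    Returns (address object, port or None); raises ValueError on junk.
    """
    text = endpoint.strip()
    port = None
    if text.startswith("["):
        # Bracketed literal: the port, if any, follows the closing bracket.
        host, closed, rest = text[1:].partition("]")
        if not closed:
            raise ValueError("unterminated '[' in %r" % endpoint)
        if rest:
            if not rest.startswith(":"):
                raise ValueError("garbage after ']' in %r" % endpoint)
            port = rest[1:]
    elif text.count(":") == 1:
        # Exactly one colon can only be v4:port.
        host, port = text.split(":")
    else:
        # No colon: bare v4. Two or more: bare v6 without a port.
        host = text
    host = host.split("%", 1)[0]          # drop a link-local zone id
    addr = ipaddress.ip_address(host)     # ValueError if not an address
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is the same client as a.b.c.d on a dual-stack socket.
        addr = addr.ipv4_mapped
    if port is not None:
        if not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError("bad port in %r" % endpoint)
        port = int(port)
    return addr, port

def client_key(addr):
    """Key for per-client statistics: the v4 address, or the v6 /64."""
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network("%s/64" % addr, strict=False))

def summarize(lines):
    """Count requests per client key; collect lines that fail to parse."""
    counts, rejected = Counter(), []
    for line in lines:
        endpoint = line.split(" ", 1)[0]
        try:
            addr, _port = parse_endpoint(endpoint)
        except ValueError:
            rejected.append(line)
            continue
        counts[client_key(addr)] += 1
    return counts, rejected

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    "192.0.2.10:51234 GET /",
    "[::ffff:192.0.2.10]:8080 GET /index",
    "[2001:db8:0:1::dead:beef]:443 GET /",
    "2001:db8:0:1::1 GET /rss",
    "not-an-address:80 GET /",
]

if __name__ == "__main__":
    print("naive:", naive_split("[2001:db8::1]:443"))
    counts, rejected = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("rejected:", rejected)
```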

  9. Re:Three Things for Widespread IPV6 Acceptance: on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 3, Interesting

    That is true, the AEBS only does 6to4 tunneling, but that tunneling works with both Hurricane Electric and Sixxs static service. In fact, it works pretty well for home use, and if you've got Macs behind it, they pick up their IPv6 address quite nicely and it all works pretty transparently. I'd recommend it as a good (but expensive) way for geeks to get up and running on v6 with a minimum of hassle.

    I've tried making some of my AEBSes work on a native dual-stacked network connection, with no luck. It doesn't listen to Router Advertisements, DHCPv6 service, or anything I can detect. You can manually set a local node address, but it doesn't seem to route or bridge at that point. Apple's forums have been less than enlightening, and I've never heard back from their developer tech support on the issue. Their firewall is very buggy, it seems to be just a simple two line IPFW entry to block incoming connections and keep state on outgoing. Any kind of P2P activity causes the firewall to fail badly.

    A Chinese company last year gave me a DSL router that speaks IPv6. It is some kind of OEM version of a popular Belkin model, but with a Chinese only firmware installed. They claimed it was the most widespread model inside of China, where many ISPs can only hand out IPv6, and there is a NAT-PT+totd translation service somewhere within the ISP. I played around with it for the few days I had, and couldn't figure out how to make it work for what I expected. Some of the configuration pages looked identical to Belkin, but in Chinese and with some obvious IPv6 entries on some pages. It certainly worked as an IPv6 only DSL modem, and dual-stack v4/v6 just like a Belkin, but I never got it to work with a NAT-PT gateway.

    There was a muttered admission that by having a lot of IPv6 only services that aren't announced outside of China it makes it a lot easier to do the great firewall of china function. There is apparently a government funded push toward IPv6, but none of it is announced externally because of firewall issues.

    the AC

  10. Re:Is this REALLY a problem? on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 5, Informative

    I'm so glad someone else is aware of this problem, NAT can't be infinite, or even large.

    I saw a Cisco presentation years ago on their experiences from rolling out NAT internally. They started with an address overload of a /24 (251 usable addresses) into a single external IP address. For an office with about 120 active machines, the NAT box (biggest, beefiest box they made at the time) completely fell over. With only light internet use, the NAT tables filled to take over all of the outgoing 65k ports in short time. That was in 1998, when most internet use was web pages, some email and simple IM. At the time, they recommended no more than a /26 (59 usable addresses) per external address.

    Move forward to 2007, and I made an updated presentation (for Cisco and non-Cisco NAT kit) that took into account all the new kinds of traffic we see, office workers who listen to internet radio, streaming video, youtube, multimedia conferences with H.323, peer-to-peer apps like Skype, other internet telephony apps, etc. Turns out that more than 15 to 20 active office users stuck behind a single overloaded external address would be the limit, even with a tight policy to prevent non-work traffic.

    It is much worse for ISPs with home users, who are not limited by workplace rules against peer-2-peer for popular TV shows or looking at pr0n pages. If you look at the typical pr0n page (it was a tough job, but I did it in the spirit of improving my understanding of the industry ;-), there will be between 200 and 300 embedded elements or links to affiliate sites and advertising partners. So every pr0n page view going through NAT takes 200 new external ports, with associated timeouts and state tables. A typical pr0n user (I'm guessing here, you the /. reader can supply your own values), can open a dozen or more pages in tabs in a relatively short period of time, leading to 10s of thousands of entries in the NAT state table. Remember, you have 65,533 maximum entries in the state table for a single external IP, or for a typical Saturday night in basement-dweller-land, about 4 machines.

    Don't get me started about how many NAT states a typical 3Mbyte facebook page can open, and leave open for quite a while.

    If you think you can hide many ISP customers behind NAT, there are limits if you don't want a ton of calls to the support lines when your users can't effectively use the net. For modern home connections, that already have a NAT box with a handful of machines behind the NAT (Mom keeping 20 eBay pages open and doing Skype, Dad doing gaming, teenage son looking at pr0n and daughter with 20 different IM chats going while she P2Ps the latest TV episode and looks at 50 different bebo and facebook pages), you just can't NAT much more than that.

    That post was the voice of experience, if you want the nice real-world figures in a printed report and a keynote or powerpoint presentation to your CTO, you have to give me money.

    the AC

  11. Re:Well duh on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 4, Insightful

    There are no 10 year old backbone routers still in service on any backbone. Anywhere.

    Growth of the IPv4 routing table has left them all obsolete. Big routers from 10 years ago have all been migrated towards the edge, where they no longer fulfill a backbone role. Or they've been scrapped for being too costly, slow, power hungry and un-upgradable to modern interfaces.

    For all that old kit that tosses IPv6 traffic to the CPU to be routed, it will still be usable for the next few years until IPv6 traffic starts to become more prevalent. By then, the current IPv6 backbone kit will have been migrated out from the core towards the edges. There is no problem with old kit, at least at the routing and switching level.

    All the major backbone router manufacturers have included IPv6 natively for at least the last 3 to 6 years. Any internet company that has done a major upgrade to deal with ever increasing traffic levels and customer demands now has IPv6 capable hardware in service in the backbone. Some manufacturers may still charge more to turn the capability on. The ones that don't are seeing increasing sales because all their major clients don't like having a tiered system of features, where the only set with all the needed features is the most expensive one.

    the AC

  12. Re:Class 'C' address space for sale. on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 4, Informative

    But you don't "own" that netblock, you were allocated it from ARIN for a single use.

    Put it on eBay and ARIN will then send you a polite email about how they have now reclaimed the netblock since it obviously is no longer being used for its original declaration. They will then turn around and allocate it to the next demand in their queue. They have all the authority, you have none.

    If your sale goes through on eBay, for selling something that did not belong to you, you have committed fraud. I hope you have put aside some of your windfall for legal fees.

    the AC

  13. Re:Dupe on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 1

    Even if all that early allocation /8 space were to be reclaimed without any fights, that would buy us between 17 and 23 months until exhaustion.

    Apple makes extensive use of their 17/8 space, when you go into Apple stores you get a nice, non-NAT but firewalled, connection. They aren't even wasteful, when I visited several Apple stores last year, I noticed they had netmasks of either /26 or /27 being handed out to machines getting on their wireless network. So they are making an effort to conserve.

    I've seen similar use inside of HPuq, extensive use internally of non-NAT space, and their network admins remain (for the most part) blissfully unaware of the horrors of trying to support a NATed network. They've heard of the horrors, but I'm sure they are quite happy to not really have to deal with the extra overhead of NAT.

    I've heard stories from friends who went from working in a non-NAT environment to one with NAT, and they couldn't believe the loss of productivity and usefulness in those poorly connected places.

    the AC

  14. Re:Why should most people (including 'nerds') care on IPv4 Address Crunch In 2 Years, IPv6 Not Ready · · Score: 3, Insightful

    Why? Your money is why.

    If you want to continue to use an IPv4 address from your upstream ISP, you currently pay about US$10 per month for that address, more if you want a nice static address to run services on.

    After 2012, or if one of the hare-brained free-market schemes to buy & sell netblocks comes into effect, the price your ISP has to pay for an IP address goes from ZERO to $10 or $20 per month per address. Currently, with a freely available pool of IP addresses, there was minimal cost associated with obtaining a netblock, just some administrative overhead to ask, and some technical cost to program the routers. ISPs discovered that they could charge US$30/month to a user, of which $10/month covers bandwidth, $10/month for the connection, and the remaining $10/month is the pure profit from renting you an individually addressable IP address.

    When the crunch hits, IPv4 addresses will be accounted differently, no longer will they be seen as a free resource that earns $10/month, they'll be seen as a cost center that needs to have a margin associated with it. So if the company has to start paying even $1/month per address, they'll pass that cost on to the end users as a higher monthly fee.

    In the end, those who don't have an IPv6 service with a migration strategy will see their internet connectivity increase in price. Maybe only a little in 2010, more in 2012, and if there isn't a mass migration to v6, significant costs after that. You, and every consumer, better hope that ISPs and hosting centers get a migration strategy in place soon, or your costs are going to skyrocket.

    That was costs from the consumer PoV.

    From the techie PoV, imagine what will happen to your router FIBs if some of those nicely aggregated /8s and /16s de-aggregate into 100s of thousands of individual prefixes. Is there any Cisco router right now that can handle a BGP IPv4 routing table of 2 million entries? Are you willing to scrap your entire Border Router investment in 2010 when the routing table grows from 300,000 routes to 750,000 routes? Do you know what the cost of a Cisco CRS-1 is, even if you can find one used?

    the AC

  15. Re:Sad on One Step Closer to IPv6 · · Score: 1

    Since it took me only about 3 seconds to find this:
    http://www.arin.net/registration/guidelines/ipv6_assignment.html

    I can only assume you are trolling.

    Where did you get your IPv4 netblock and AS number from? It's from them that you get your IPv6. If you deal directly with ARIN, then you are already an LIR.

    Since you claim to be an end user, get yourself a PI block from your current LIR and start negotiating a BGP link to one of your upstreams that has v6 transit. At worst, tunnel your IPv6 BGP session to one of the tunnel providers until you can get native transit. Make sure your announcements show up in looking glasses before putting AAAA records externally on your sites.

    # be an existing, known ISP in the ARIN region or have a plan for making at least 200 /48 assignments to other organizations within five years

    You always answer yes to this, just about anyone should have expansion plans to have 200 new customers in 5 years. It's not like they are going to check on you in 5 years, allocations are only revoked for bankruptcies and occasionally for blocks that haven't been seen ever.

    the AC

  16. Re:Sad on One Step Closer to IPv6 · · Score: 2, Insightful

    So what is stopping you?

    Have you not paid your 2008 ARIN fees?
    Are you not an ISP?
    You can't come up with the US$35 for a /32?
    How is ARIN blocking you in any way?
    Are you just trolling /. as a substitute for having a life?

    I don't understand your complaint. If you already have an IPv4 allocation from ARIN, getting an IPv6 allocation requires only filling out the form, sending it in, and getting your allocation. They stick the $35 onto your ARIN fee at the next billing cycle. It's even easier than getting an IPv4 allocation now.

    the AC

  17. Re:single point of failure on The Effects of the Fibre Outage Throughout the Mediterranean · · Score: 4, Informative

    Yeah, those last two sentences don't stand on their own. They are two separate things, each needs more explanation.

    Over land, rights of way can be quite expensive. Under sea, once away from a coastline, a fibre doesn't require any property rights payments.

    Over land, fibre runs are not very well protected in some areas, often attracting the evil backhoe or other dangerous mechanica. What makes fibre on land cheap is the ability to put in easy-to-maintain repeaters and dispersion compensators, and electricity can be obtained locally. Repairs are also relatively cheap and rapid.

    Under water and once away from the immediate coastline, there isn't much dangerous to fibres except boat anchors, and the occasional earthquake-caused rockfall. Fibre runs still need active electronics every 80 to 300 Kms to boost the signal, shape it, or compensate for dispersion. To power electronics far away out to sea, the only place to put electricity is at the landing point. The longest Pacific Ocean fibres require something like 25,000 volts at 10 amps from each end to power the most distant repeaters. That means the first sections of a fibre support cladding need to carry huge currents and have large dielectrics to prevent arc-overs.

    If you can build additional landing points to provide electricity, you can build cheaper fibres. With the most recent advances in optic fibre quality, a run up to 200 Kms doesn't even need repeaters, some manufacturers are claiming 320 Kms without a repeater with the most modern optics powering the signal. That makes short run underwater fibres about the same cost with less risks of cuts.

    the AC

  18. Re:single point of failure on The Effects of the Fibre Outage Throughout the Mediterranean · · Score: 4, Informative

    Your ignorance stems from lack of knowledge, because you aren't looking at real maps, just some graphics made by someone with absolutely no knowledge of the topic who had to make something, by deadline. The telegeography maps are the worst, it's as if they've gone to great lengths to get it as wrong as possible.

    There are at least 60 separate landing spots on the east coast of North America, from Miami up into Newfoundland. All those cables that look like they go to NY actually land at various spots on Long Island and in NJ, but then get hauled overland into the data centers in the NY area.

    There is as much redundancy and diversity as could be engineered in, given the budget constraints that the fibre system has to some day earn a profit. Undersea topography plays a big part as well, certain parts of the ocean just can't be used to safely lay fibre upon. There is also a need to avoid busy ports and shipping lanes. All taken into consideration when financing a US$1Billion cable.

    I already posted in a previous thread about the Suez Canal, where many /.ers thought the fibres went along the bottom of the canal, because that is what some low-res graphics seemed to show. The reality is all the fibres that hit Egypt do so away from Suez, travel overland, then hit the Red Sea at various diverse points. It is much easier and cheaper to put in overland fibre systems, and certainly easier to maintain by sending a truck full of engineers out rather than wait for a repair ship to be scheduled. Undersea fibres are also much cheaper for shorter hauls with more landings, because of all the power requirements for repeaters.

    the AC

  19. Re:That's no physical location map. on How One Clumsy Ship Caused A Major Net Outtage · · Score: 2, Informative

    The Alcatel-Lucifer map shows only fibres that Alcatel Fibre and Submarine Systems built, plus a few that Lucent brought to the clusterfuc^Wmerger from the old AT&T Long Lines. It is very much a subset of the total fibre under the sea, although Alcatel is now the largest undersea fibre company since Tyco (née AT&T Long Lines) pretty much handed the market to the French.

    the AC

  20. Re:Ireland in Peril on How One Clumsy Ship Caused A Major Net Outtage · · Score: 1

    You would trust anything published in the Grauniad? When did such a level of cluelessness descend upon /.? That map is just a poorly hacked-together graphic that doesn't show any real fibres or routes, it is designed to mislead readers, not enlighten them. The Guardian doesn't do enlightenment.

    Go look here, find the PDFs for Irish Sea and SouthWest, and you can see 17 fibres connecting Ireland to the UK or France. I think there are at least 24 fibres or older copper cables connecting the emerald isle to the rest of the world, at least one heads out of Galway across the Atlantic and doesn't show on the Kingfisher maps.

    the AC

  21. Re:See it to believe it on How One Clumsy Ship Caused A Major Net Outtage · · Score: 4, Informative

    I don't know where you are getting your information from, but hire a proctologist to put it back for you.

    There are no fibres running on the bottom of the Suez canal, all the fibres take an overland route. There are three major Egyptian landing areas in the Mediterranean, two west of Al Iskandariyah (Alexandria), and one to the east of Port Said, well away from the entry to the canal. The cable routes overland are now quite redundant, as cable cuts happen so often in Egypt every company now has at least two routes with circuit protection. On the Red Sea side, there are at least two landing points, at Abadiya and one across from there on the eastern side of the sea.

    All the cable landing zones are quite well marked on shipping charts (my Google skills have failed me, I can't find an online chart site for Egypt, similar to this one for the UK). Ships are not supposed to drop anchor in those zones, no fishing allowed, no recreational boating, etc. At least in Europe, boaters can get a pretty heavy fine for dropping anchor in a restricted area, big enough that any captain who values his vessel/career knows to stay out of the areas. I doubt Egypt has such draconian enforcement, but the charts are clearly marked.

    For the two cuts off of Al Iskandariyah, there was a large storm in the eastern Med the day of the cuts, gale force 7 winds with large swells. So the local authority moved the anchorage area to west of Al Iskandariyah, and many ships ended up anchoring in the restricted zone, dragging their anchors as they were pulled along by the strong easterly winds.

    Only one cable near Egypt was cut at first, the second major cut was near France, which took out FLAG. There was then a third cut in the Egypt area, of the same FLAG fibre, but by a different ship dragging anchor. So FLAG got hit double hard.

    The most recent cut was somewhere down off of Dubai, which took out even more capacity. It's been an interesting week, as European banking traffic to the Emirates now has to flow all the way around the world the wrong way, and many of the intermediate carriers are choking on the traffic.

    the AC

  22. Re:What possible reason on French Fine Amazon For Free Shipping · · Score: 1

    the megastores have unreasonable buying power and use it wilfully to beat down the price they pay for goods, with the result that they can undercut everybody else

    This is exactly what Amazon is doing to publishers in Europe. I've got quite a few friends in the publishing business who complain about this all the time.

    Amazon approaches the publishers, tells them they have to give a 70% to 90% discount over all other sales, or they won't list any titles from that publisher at all. They also require complete access to the accounting records, to make sure the price Amazon gets is at least 70% less than the next most discounted distributor.

    The publishers can take it or leave it, but with book sales being almost completely driven by Amazon these days, to not take it means people on the internet will never see your book unless they visit B&M stores. Amazon then only buys books that are popular, and ignores all the lesser titles unless they get a special order. That is why for many less popular books, there is a 7 to 10 week lead time, Amazon has a large delay for most titles.

    B&M stores have now found it is cheaper to deal with Amazon than directly with the publishers, as the publishing houses can no longer offer any good discounts without Amazon always profiting. This is driving margins down below zero, meaning that many B&M bookshops are closing in Europe.

    When England repealed their protection law, somewhere between 80% and 95% of small, independent bookshops closed up within two years. Many publishers were driven out of business at the same time, and if you are an author in England looking for a publisher, you no longer have a nice selection of specialist publishing houses to choose from. France has not repealed their law, and is requiring Amazon to play by the rules everyone else has to play by. This will not end well for Amazon, the fines are only 1000/day until the next hearing in the case, at which point a percentage of daily sales could become the fine, up to where fines equaling 100% of all sales could be levied.

    I'm siding with the publishers and small bookshops on this. If Amazon wants to play in a free market, they have to play by the rules everyone else plays by.

    the AC

  23. Re:Poor Ol' Joe on A Look Back at One of the Original Phreaks · · Score: 4, Interesting

    I used to talk with Joe from time to time back in the mid-'70s and early '80s, I was introduced to him by Draper. Everything I learned about R2 signaling I got from Joe and the other Phreaks on the loops and conferences and by building my own boxes. That knowledge still serves me well, on projects in Africa where R2 is still widely used. Joe always gave without expecting anything in return, and his largess influenced many who started the open source movement.

    SS7 was an absolute necessity, the old inband signaling system was very expensive, too slow to deal with traffic growth, and too exploitable. Now, there is a whole new generation of Phreaks manipulating the SS7 system with relative impunity and ease. You have been reading about the very public exploits of the destructive and immature ones. They insert false info into remote PSAPs (e911 systems) and social engineer an armed SWAT response to a distant victim's house. For the little bit you hear about in the press, there is a large amount going on quietly unseen even to the /. crowd. Last night I got several impossible calls and SMS text messages, from some Phreaks who knew just how to inject the right info. Either that, or GW Bush sent me a New Year's greeting from the White House, Putin sent me greetings in Russian from the Kremlin, and the Pope sent greetings from the Vatican switchboard.

    Someday, when the rest of us around Joe's age have passed to greener pastures, the current /. crowd will be reminiscing about the old SS7 exploit crews, and the clever hacks they coded up. Ahh, the good old days when the internet was neutral and still ran IPv4 and websites were popular :-)

    the AC

  24. Re:Always use an alias. on How To Lose Your Job, Thanks To The Internet · · Score: 1

    Mod up! QFT. AOL. This. Insert cute internet meme-of-the-week here.

    This has been one of the ongoing bewilderments of my professional career, running across many companies that have so lost their way that they won't hire someone competent for missing one vital skill. I've seen several companies go out of business because the boss was so clueless about hiring he passed over all the qualified applicants and one day woke up with no more customers or revenue.

    The first time I touched Solaris was when 2.3 had already been out, by about one month. The company who employed me was run by the most clueless individuals, and they had reached the desperation point, a lawsuit filed for breach of contract. Although I had almost a decade of SunOS and other unix experience, they just didn't count it at all and had already turned me down. They wanted Sol2.3 and a whole laundry list of other obscure skills, all recent and with a decade or two of experience behind it. It was their lawyer who hired me, overruling the boss and HR after a long internal battle. I had one day in the office to learn Sol2.3 and their product before heading to the client site to fix the cock-up, but it was enough. Later, I learned they had passed over some of the best and brightest, including a Sun engineer who wrote or ported many parts of the original Solaris release.

    The company later went out of business, the only asset worth anything was their client contact list.

    I've never once been on a job where I knew every technology or product. Every job has some aspect of learning. It's not just the skills and knowledge, it's all the other things like how to deal with internal company politics, vendor relations, and all the rest. I'd say about 30% of all interviews I've been in during my life had a clueless HR person or boss looking for a 100% skillset match, rather than ability.

    I once met a woman who was fired from her HR job for turning down Linus Torvalds for a programming job because he obviously didn't have any experience (sometime in the early or mid '90s) despite a CV full of accomplishments and a reputation. Soon after, the head of the company approached Linus at a conference, and when he heard Linus' story he made it his personal vendetta to rid his company of incompetent HR people.

    the AC

  25. Re:Season 2? on Penetration Testing TV Series Coming · · Score: 5, Interesting

    The one pen-test group I consulted for long ago had a very serious procedure in place to verify and document everything before starting the job. This was just electronic/internet/social penetration, no testing of physical security. Much of what they did was related to legal (through the courts) attacks, they would mostly have meetings with the in-house counsel or retained law firms to ensure they were ready to respond to lawsuits, indictments, and media accusations. The electronic pen-test was a sideline to verify legal compliance where personal and financial data was stored or processed.

    Before they would do any kind of network scanning, database testing, or even attach one of their laptops to the network, they would require a face-to-face meeting with the entire board of directors and senior management. The meetings would be videotaped and documented, and all sides would sign the agreement stating the entire scope of the work, and work wouldn't start until after the video tapes and legal documents were safely stored off-site and reviewed. They required the head of legal counsel to affirm on video and in a signed document that the company was aware of the testing to be done, and held the pen-test firm free of any liability (I don't remember the exact British legal term they used).

    It was good they got this level of protection for us, I've heard many stories from ex-pen testers about being hired by the supposed head of IT, only to discover the CTO was unaware of the agreement. Even having a signed document from someone in the company isn't good enough in the short term if the company turns around and bites you. One friend was driven out of business by court costs despite a signed document, his company just didn't perform due diligence on the authority of the IT director. Another friend was blamed for hacking and destroying the main database, before they had even arrived on site to plug into the network. While they were still in the IT director's office looking for a working network jack, the DBA accused them of hacking and destroying the main database. They didn't get paid for that job, they just walked away when the IT director didn't side with them.

    I don't do security pen-testing any more, most companies who hire pen-testers do so in place of either writing a policy, or implementing it. They want pen-testers to break things so they can get more budget, and that's it. Even asking up front for the basics like a list of equipment or range of IP addresses shows most companies don't know their own inventory. Pen-testers then become scapegoats, often with associated criminal complaints.

    The video clip commercial looks downright scary. This show has the potential to turn public opinion into laws preventing any kind of security consulting, whether it's something simple like a paper audit of a security policy or a complex review of network configuration. You just know this show is edited for maximum Rambo/DieHard/IndianaJones effect because preparation and meetings are boring.

    the AC