This is similar to buying bus tickets or tokens from the local convenience store; or tickets from Ticketmaster to a rock concert. In each case, a 3rd party sells you a ticket (physical or virtual) or some goods or services. Question... in Canada, there is a GST (Goods and Services Tax), and most provinces have a PST (Provincial Sales Tax). For administrative convenience, the 2 taxes are combined in some provinces as HST (Harmonized Sales Tax). So will each transaction be subsect to sales taxes in Canada? What about the US?
> For starters it will allow you to host a bunch of services on different machines without > having to put them all on weird ass ports because you only have a single ip. Peer to peer > software will work as intended without nasty hacks to poke holes through the nat.
> It essentially stops the internet from becoming broken into a one-way thing, which is one of the side effects of nat.
Did you read the message you responded to? He was talking about his ***HOME*** network. I'm sure that Slashdot has its share of "l33t h@x0r d00ds" who want to run their own servers, etc. And of course, you're *ASSUMING* static ip addresses. But what will it do for the other 99% of users?
> Not to mention their web bugs that will track which websites you visit just in case > you decide to create a FB account later. Even if you've never visited Facebook in your life.
Here are the CIDRs for Fecesbook that I block in my iptables ruleset, coming+going so they get no response from my browser.
See http://en.wikipedia.org/wiki/Morris_worm That didn't turn out so well, did it? One minor miscalculation, and it'll shut down the internet. And how will it adjust itself to handle different versions of Windows, let alone different versions of Mac, Linux, PalmOS, etc, etc?
> Also, strangely, the need for additional IP addresses is also on > the decline, as the ability to manage NAT traversal improves.
And there's a lot of "conservation" that can be carried out. E.g. I retired earlier this year from a Canadian government office in Toronto. It has approx 800 desktop PC's (1 per employee), and every last single one of them has a publically routable address. You can get fired for setting up unauthorized public servers or bittorrent (assuming you could hack the 2-way firewall), so public addresses are pointless. Nobody would notice any difference if all desktop PC's went to RFC1918 space. 8 public IP addresses leaves 5 usable external IP addresses (subtract network base, broadcast, and gateway addresses). This is easily sufficient for public mailserver, webserver, and 2 ftp servers. leaving 1 spare address.
> Do they have to pay any extra money for a copy of Windows on a new PC? > No, because the makers of Windows-exclusive trialware subsidize OEM Windows.
Alright, that gets you a PC with Windows on it. Now you want to actually use it for something productive. With all the annoying "Windows-exclusive trialware" crap popping up and nagging you to buy-buy-buy, and burning cpu cycles like crazy, you first need to pay Geeksquad to remove the "craplets". Then you have to set up and use an antivirus. And then there's applications. True, many of the linux apps are cross-platform, and have Windows equivalants. But you then have to update each one manually. There are no "Windows distros" that I'm aware of. unless you count Cygwin. It's essentially a ful-blown linux sitting on top of Windows.
> I know nothing about this, but with X being a > display protocol, couldn't you run X in 64-bit > and connect to it from a 32-bit app just fine?
Emphatic yes. One day I decided to do a pure 64-bit Gentoo linux install (pure as in no multi-lib). I use one freeware Windows app that has to be run under WINE. Then I found out the hard way that WINE will not build under a 64-bit-only system. I ended up building a 32-bit Gentoo guest under QEMU-KVM. Wine runs on the 32-bit guest, using the display of the 64-bit host. A chroot would probably also work.
> Each home is supposed to get a/48 from the IPv6 ISP. Then the residential subscriber can provision > up to 65 thousand subnets. The remaining 64 bits are left for the autoconfigured MAC address.
> Because of privacy concerns, the MAC address can be obfuscated. That way, nobody will be able > to tell for sure which physical device in your home posted the controversial contribution.
Well... like... whoopee. Marketeers (e.g. Fecesbook) will love it. It'll still let them know that certain web requests are coming from the same home. They'll be able to aggregate all your web browsing, etc, regardless of how much you spoof your mac address, because it's just a matter of seeing which/48 it's in. I prefer dynamic IP addresses thank you. Those l33t h@x0r d00ds out there who want to run your own public webservers are more than welcome to ask your ISP for static addresses.
And WTF are they thinking, handing out that many addresses per account? That's 9.022 * 10^14 addresses for every man+woman+child in China or 1.727 * 10^14 addresses for every man+woman+child on this planet. A/96 should be enough to run an ISP anywhere except China or India.
25 years from now, we're going to run into an unexpected shortage, and we're going to have to scrap a whole bunch of routers, etc which are hardcoded to expect/48's, and replace them with routers, etc that expect slightly smaller blocks. The Ciscos of this planet will love it.
> That is not actually true. Adobe Reader is a > "conforming implementation" of the ISO 32000 PDF specification.
I think that's the problem right there. Adobe is writing a honking big "application platform". 99% of average users just want a stinking PDF *READER* to display the PDF. That was the original idea behind the acronym... Portable Document Format.
99% of end users do *NOT* want/need a huge, slow, bloated monstrosity that supports singing/dancing PDF's with javascript, radio boxes, checkboxes, playback of videos, and for f*** sake, *WHY* do they include "/launch" which can launch native executables on your machine?
What adobe should do is make 2 versions... 1) A "Reader Lite" that does nothing but display PDF documents, and is incapable of compromising your system. 2) A full-featured, bloated "Enterprise Edition Reader" for the 1% that want all the bells and whistles.
And how does this so-called "true fix" help in the case where the attacker blows away the log file (text or binary)? Have fun analyzing that. Seriously, if you want to have the actual logs, you need to log to another machine. Note also, that if a machine is *REALLY* rooted, you can't trust the log output (text or binary).
> What ISPs need to do is charge all customers the same rate, where that > rate includes a certain amount to pay for a regular stream of upgrades.
Do you work for a cable company? You sound like the typical cableco apologist whining about how customers should continue to pay for 500 crappy channels, instead of the dozen or so that they watch.
> Then when the upgrade comes everybody gets it. That helps the ISP because...
That helps the ISP because they get more money in the bank, for "services" that most customers don't want/need.
> Maybe part of the point is that you shouldn't need a general-purpose applet > platform just to create a distribution method for DRMed video? Like maybe you > could create a more specialized DRM-video-player plugin that didn't have so > many problems and security risks? ===== Maybe part of the point is that you shouldn't need a general-purpose platform just to create a distribution method for DRMed video? Like maybe you could create a more specialized DRM-video-player that didn't have so many problems and security risks? =====
There, fixed it for ya. Netflix currently streams its entire catalogue to Netflix-enabled TV's, Xbox's, PS3's, etc, etc. It streams only a part of its catalogue to PC's. Worst-case scenario, they drop support for PC's entirely, and keep streaming to game consoles and TV sets. Problem? What problem?
Netflix streams their complete catalogue to "Netflix-enabled TV's", Xbox's, PS3's, etc, etc. They only stream a subset of their catalogue to PC's. They can drop PC support and tell you to buy a console, or a Netfix-enabled TV set. No problem at their end.
> You wouldn't believe how shitty that site turned out to be, all in the name of avoiding > HTML. You couldn't select and copy text, and you couldn't open links in another tab.
Ding-ding-ding-ding-ding... we have a winner. This is *EXACTLY* what the MAFIAA wants. A locked-down system that doesn't allow copying. I'm surprised that MS is dropping it.
> Then perhaps it's about time that manufacturers put some thought > into security rather than blaming something else if their devices get > pwned. There's no reason why a home appliance should need a > separate firewall to be secure.
For 99.9% of home devices, you shouldn't have them connected to the internet in the first place. Outside of a Netflix-streaming TV set, or an "internet radio", there isn't much in the way of home appliances that *NEEDS* an internet connection to function. And even those should not respond to incoming unsolicited connections.
Anybody got more ranges? The first 3 entries are on AS 32934. I was going to post more detailed output at the end, but I ran into Slashdot's "lame filter".
Showing my age, but I remember * the Apple ][ came with BASIC, as did the Commodore, etc * MS DOS 1.0, through Windows 95 came with BASIC
It wasn't a super-duper language, but if you followed structured programming principles, you could write some powerful business apps. Kids could sit down and write programs. Yeah, many of them gave up on it, but many went on to become programmers. Today's kids don't have that opportunity to learn the basics (sorry) of programming at home on their own toy, and try, try again until they get it right. That's a real loss.
> My use case goes like this: > I have 330,000 photos I've taken in the last 14 years. > I'd like to share them. The current choices are email a > few at a time post them on Flickr, FaceBook, or some > other site give someone a copy of ALL of them on an > external drive.
It's simple. Set up a database server, and store the database on it... Table 1 All the photos as BLOBS, plus add additional fields for filename, date/place taken etc, etc.
Table 2 A list of users with additional fields for files they're allowed to access, and additional stuff (e.g. thumbnail or full, etc)..
Give him a limited user account on your server that only allows him to run a program that checks which files he's allowed to access, and then download files he's authorized to download. You're basically recreating iTunes
My problem is with people who wnt to change *EVERYBODY'S* filesystem to accomadate their edge case. To use a car analogy... your neighbour uses a Ford F-350 Super-Duty to tow his 5-ton trailer for work-related stuff. Should your Toyota Echo be rebuilt with a diesel V8 engine and 5-ton towing capacity, simply because a few people need it?
Same thing here. Do what you want on *YOUR* machine. Leave mine alone.
PDF started out as "Portable Display Format" that showed you what a document would look like if you sent it to a decent printer.. If it had stayed that way, it would be ideal. Unfortunately Adobe succumbed to the Microsoft/Mozilla "features disease". The "latest greatest" versions now support javascript, live URLs that you can click and go to. And then there's "/launch" (it's not a security hole, it's a feature). Not to mention support for schlockwave trash.
Over the years people have complained about how every new version of Adobe Reader is more bloated, and takes longer to load than its predecessor. If Firefox offers a lightweight PDF ***READER***, I'm all for it. But puhlease, not all the stupid features in Adobe's version. Speaking of versions, the one feature I strongly suggest is that Mozilla allows its PDF engine to lie about what it is. Just like asshole webdesigners who hardcode Internet-Explorer-only into their web pages, I'm sure there are idiots who hardcode their webpages to only allow Adobe Reader above a certain version to access their PDF documents.
> Its all sorts of little incidents like that one that > add up, and then somehow get linked to you > specifically, maybe through an invitation email > with images that happen to autoload and slap you > with a cookie.
I've blocked all emails allegedly "from Facebook" for quite some time. This isn't paranoia, but rather because I got sick and tired of spammers (who assume everybody's on Facebook), filling my inbox with messages saying "Alice has left a message for you on Facebook". Those were probably poison URLs linking to autoloading exploits. Since I don't do Fecesbook, I don't have to worry about about any real messages from them.
Slashdot Mirror
This is similar to buying bus tickets or tokens from the local convenience store; or tickets from Ticketmaster to a rock concert. In each case, a 3rd party sells you a ticket (physical or virtual) or some goods or services. Question... in Canada, there is a GST (Goods and Services Tax), and most provinces have a PST (Provincial Sales Tax). For administrative convenience, the 2 taxes are combined in some provinces as HST (Harmonized Sales Tax). So will each transaction be subsect to sales taxes in Canada? What about the US?
> For starters it will allow you to host a bunch of services on different machines without
> having to put them all on weird ass ports because you only have a single ip. Peer to peer
> software will work as intended without nasty hacks to poke holes through the nat.
> It essentially stops the internet from becoming broken into a one-way thing, which is one of the side effects of nat.
Did you read the message you responded to? He was talking about his ***HOME*** network. I'm sure that Slashdot has its share of "l33t h@x0r d00ds" who want to run their own servers, etc. And of course, you're *ASSUMING* static ip addresses. But what will it do for the other 99% of users?
> Not to mention their web bugs that will track which websites you visit just in case
> you decide to create a FB account later. Even if you've never visited Facebook in your life.
Here are the CIDRs for Fecesbook that I block in my iptables ruleset, coming+going so they get no response from my browser.
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
173.252.64.0/18
204.15.20.0/22
If you're using a Windows firewall that requires address ranges, the corresponding ranges are...
66.220.144.0 - 66.220.159.255
69.63.176.0 - 69.63.191.255
69.171.224.0 - 69.171.255.255
74.119.76.0 - 74.119.79.255
173.252.64.0 - 173.252.127.255
204.15.20.0 - 204.15.23.255
See http://en.wikipedia.org/wiki/Morris_worm That didn't turn out so well, did it? One minor miscalculation, and it'll shut down the internet. And how will it adjust itself to handle different versions of Windows, let alone different versions of Mac, Linux, PalmOS, etc, etc?
Good thing they didn't have VCRs back then.
> Also, strangely, the need for additional IP addresses is also on
> the decline, as the ability to manage NAT traversal improves.
And there's a lot of "conservation" that can be carried out. E.g. I retired earlier this year from a Canadian government office in Toronto. It has approx 800 desktop PC's (1 per employee), and every last single one of them has a publically routable address. You can get fired for setting up unauthorized public servers or bittorrent (assuming you could hack the 2-way firewall), so public addresses are pointless. Nobody would notice any difference if all desktop PC's went to RFC1918 space. 8 public IP addresses leaves 5 usable external IP addresses (subtract network base, broadcast, and gateway addresses). This is easily sufficient for public mailserver, webserver, and 2 ftp servers. leaving 1 spare address.
> Do they have to pay any extra money for a copy of Windows on a new PC?
> No, because the makers of Windows-exclusive trialware subsidize OEM Windows.
Alright, that gets you a PC with Windows on it. Now you want to actually use it for something productive. With all the annoying "Windows-exclusive trialware" crap popping up and nagging you to buy-buy-buy, and burning cpu cycles like crazy, you first need to pay Geeksquad to remove the "craplets". Then you have to set up and use an antivirus. And then there's applications. True, many of the linux apps are cross-platform, and have Windows equivalants. But you then have to update each one manually. There are no "Windows distros" that I'm aware of. unless you count Cygwin. It's essentially a ful-blown linux sitting on top of Windows.
> I know nothing about this, but with X being a
> display protocol, couldn't you run X in 64-bit
> and connect to it from a 32-bit app just fine?
Emphatic yes. One day I decided to do a pure 64-bit Gentoo linux install (pure as in no multi-lib). I use one freeware Windows app that has to be run under WINE. Then I found out the hard way that WINE will not build under a 64-bit-only system. I ended up building a 32-bit Gentoo guest under QEMU-KVM. Wine runs on the 32-bit guest, using the display of the 64-bit host. A chroot would probably also work.
> Each home is supposed to get a /48 from the IPv6 ISP. Then the residential subscriber can provision
> up to 65 thousand subnets. The remaining 64 bits are left for the autoconfigured MAC address.
> Because of privacy concerns, the MAC address can be obfuscated. That way, nobody will be able
> to tell for sure which physical device in your home posted the controversial contribution.
Well... like... whoopee. Marketeers (e.g. Fecesbook) will love it. It'll still let them know that certain web requests are coming from the same home. They'll be able to aggregate all your web browsing, etc, regardless of how much you spoof your mac address, because it's just a matter of seeing which /48 it's in. I prefer dynamic IP addresses thank you. Those l33t h@x0r d00ds out there who want to run your own public webservers are more than welcome to ask your ISP for static addresses.
And WTF are they thinking, handing out that many addresses per account? That's 9.022 * 10^14 addresses for every man+woman+child in China or 1.727 * 10^14 addresses for every man+woman+child on this planet. A /96 should be enough to run an ISP anywhere except China or India.
25 years from now, we're going to run into an unexpected shortage, and we're going to have to scrap a whole bunch of routers, etc which are hardcoded to expect /48's, and replace them with routers, etc that expect slightly smaller blocks. The Ciscos of this planet will love it.
> That is not actually true. Adobe Reader is a
> "conforming implementation" of the ISO 32000 PDF specification.
I think that's the problem right there. Adobe is writing a honking big "application platform". 99% of average users just want a stinking PDF *READER* to display the PDF. That was the original idea behind the acronym... Portable Document Format.
99% of end users do *NOT* want/need a huge, slow, bloated monstrosity that supports singing/dancing PDF's with javascript, radio boxes, checkboxes, playback of videos, and for f*** sake, *WHY* do they include "/launch" which can launch native executables on your machine?
What adobe should do is make 2 versions...
1) A "Reader Lite" that does nothing but display PDF documents, and is incapable of compromising your system.
2) A full-featured, bloated "Enterprise Edition Reader" for the 1% that want all the bells and whistles.
And how does this so-called "true fix" help in the case where the attacker blows away the log file (text or binary)? Have fun analyzing that. Seriously, if you want to have the actual logs, you need to log to another machine. Note also, that if a machine is *REALLY* rooted, you can't trust the log output (text or binary).
> What ISPs need to do is charge all customers the same rate, where that
> rate includes a certain amount to pay for a regular stream of upgrades.
Do you work for a cable company? You sound like the typical cableco apologist whining about how customers should continue to pay for 500 crappy channels, instead of the dozen or so that they watch.
> Then when the upgrade comes everybody gets it. That helps the ISP because...
That helps the ISP because they get more money in the bank, for "services" that most customers don't want/need.
> Maybe part of the point is that you shouldn't need a general-purpose applet
> platform just to create a distribution method for DRMed video? Like maybe you
> could create a more specialized DRM-video-player plugin that didn't have so
> many problems and security risks?
=====
Maybe part of the point is that you shouldn't need a general-purpose platform just to create a distribution method for DRMed video? Like maybe you could create a more specialized DRM-video-player that didn't have so many problems and security risks?
=====
There, fixed it for ya. Netflix currently streams its entire catalogue to Netflix-enabled TV's, Xbox's, PS3's, etc, etc. It streams only a part of its catalogue to PC's. Worst-case scenario, they drop support for PC's entirely, and keep streaming to game consoles and TV sets. Problem? What problem?
Netflix streams their complete catalogue to "Netflix-enabled TV's", Xbox's, PS3's, etc, etc. They only stream a subset of their catalogue to PC's. They can drop PC support and tell you to buy a console, or a Netfix-enabled TV set. No problem at their end.
> You wouldn't believe how shitty that site turned out to be, all in the name of avoiding
> HTML. You couldn't select and copy text, and you couldn't open links in another tab.
Ding-ding-ding-ding-ding... we have a winner. This is *EXACTLY* what the MAFIAA wants. A locked-down system that doesn't allow copying. I'm surprised that MS is dropping it.
> Then perhaps it's about time that manufacturers put some thought
> into security rather than blaming something else if their devices get
> pwned. There's no reason why a home appliance should need a
> separate firewall to be secure.
For 99.9% of home devices, you shouldn't have them connected to the internet in the first place. Outside of a Netflix-streaming TV set, or an "internet radio", there isn't much in the way of home appliances that *NEEDS* an internet connection to function. And even those should not respond to incoming unsolicited connections.
> (blocking FB servers when I don't want to talk with them, etc.)
Speaking of blocking Fecesbook, here are a few entries for your firewall. I ran nslookups on the following...
66.220.144.0/20 fbcdn.net
69.63.176.0/20 facebook.com
69.171.224.0/19 facebook.com
200.58.112.0/20 opengraph.net
213.155.64.0/19 opengraphprotocol.net
Anybody got more ranges? The first 3 entries are on AS 32934. I was going to post more detailed output at the end, but I ran into Slashdot's "lame filter".
Showing my age, but I remember
* the Apple ][ came with BASIC, as did the Commodore, etc
* MS DOS 1.0, through Windows 95 came with BASIC
It wasn't a super-duper language, but if you followed structured programming principles, you could write some powerful business apps. Kids could sit down and write programs. Yeah, many of them gave up on it, but many went on to become programmers. Today's kids don't have that opportunity to learn the basics (sorry) of programming at home on their own toy, and try, try again until they get it right. That's a real loss.
> My use case goes like this:
> I have 330,000 photos I've taken in the last 14 years.
> I'd like to share them. The current choices are email a
> few at a time post them on Flickr, FaceBook, or some
> other site give someone a copy of ALL of them on an
> external drive.
It's simple. Set up a database server, and store the database on it...
Table 1
All the photos as BLOBS, plus add additional fields for filename, date/place taken etc, etc.
Table 2
A list of users with additional fields for files they're allowed to access, and additional stuff (e.g. thumbnail or full, etc)..
Give him a limited user account on your server that only allows him to run a program that checks which files he's allowed to access, and then download files he's authorized to download. You're basically recreating iTunes
My problem is with people who wnt to change *EVERYBODY'S* filesystem to accomadate their edge case. To use a car analogy... your neighbour uses a Ford F-350 Super-Duty to tow his 5-ton trailer for work-related stuff. Should your Toyota Echo be rebuilt with a diesel V8 engine and 5-ton towing capacity, simply because a few people need it?
Same thing here. Do what you want on *YOUR* machine. Leave mine alone.
PDF started out as "Portable Display Format" that showed you what a document would look like if you sent it to a decent printer.. If it had stayed that way, it would be ideal. Unfortunately Adobe succumbed to the Microsoft/Mozilla "features disease". The "latest greatest" versions now support javascript, live URLs that you can click and go to. And then there's "/launch" (it's not a security hole, it's a feature). Not to mention support for schlockwave trash.
Over the years people have complained about how every new version of Adobe Reader is more bloated, and takes longer to load than its predecessor. If Firefox offers a lightweight PDF ***READER***, I'm all for it. But puhlease, not all the stupid features in Adobe's version. Speaking of versions, the one feature I strongly suggest is that Mozilla allows its PDF engine to lie about what it is. Just like asshole webdesigners who hardcode Internet-Explorer-only into their web pages, I'm sure there are idiots who hardcode their webpages to only allow Adobe Reader above a certain version to access their PDF documents.
> I've consulted for a bank, and here's the dream : full offline money.
We've had "full offline money" for centuries. It's called "money", believe it or not. And it works. The "dreams" are peoples' worst nightmares...
1) the bank can ding you for a fee everytime you buy anything, even a 1 dollar item.
2) the TLA's (Three Latter Agencies) would have access to the data, and be able track everything you do
> Its all sorts of little incidents like that one that
> add up, and then somehow get linked to you
> specifically, maybe through an invitation email
> with images that happen to autoload and slap you
> with a cookie.
I've blocked all emails allegedly "from Facebook" for quite some time. This isn't paranoia, but rather because I got sick and tired of spammers (who assume everybody's on Facebook), filling my inbox with messages saying "Alice has left a message for you on Facebook". Those were probably poison URLs linking to autoloading exploits. Since I don't do Fecesbook, I don't have to worry about about any real messages from them.
Remember Phorm http://yro.slashdot.org/story/08/06/05/148234/Covert-BT-Phorm-Trial-Report-Leaked and all the ideas about screwing them by running a script to randomly load websites? Howsabout people *NOT* blocking the Facebook domains? Instead, everybody share their Facebook cookies, and let Facebook load them.
This would pollute Facebook's database, and reduce (hopefully destroy) its economic value. I hereby formally state the Slashdot-contrapositive meme...
3 No Profit from X
2 ...
1 Company won't waste money doing X
> Wasn't there a guy who said "never put in writing what
> can be spoken,
> and never speak what can be communicated with a gesture"?
Eliot Spitzer's "Golden Rule" as per http://money.cnn.com/2005/11/28/news/newsmakers/goldenrule_biz20_1205/index.htm
"Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail."
He should have also added added that if you're a politician, don't fuck anybody but your wife...
* Eliot Spitzer
* Arnold Schwarzenegger
* Al Gore
> My point is that Facebook has done what they
> reasonably can to eliminate this as a privacy matter
> unique to their network.
My point is that Facebook has done what they
reasonably can to eliminate privacy. This is unique
to their network.
There, fixed it for you.