Slashdot Mirror


User: anthony_dipierro

anthony_dipierro's activity in the archive.

Stories: 0
Comments: 6,976

Comments · 6,976

  1. Re:Nice to see that... on Federal Agencies Must Use IPv6 by 2008 · Score: 1

    So please explain: if me and someone I'm trying to contact are both behind NAT, what number do I try to connect to if I want to directly connect to this computer?

    Whatever "number" is assigned to that user for that connection.

    Like has been said before, the people who think NAT is acceptable all want or have their own real IP addresses.

    I think NAT is acceptable, and I don't want or have my own real IP address.

  2. Re:I beg to differ: NAT can do it, and well too on Federal Agencies Must Use IPv6 by 2008 · Score: 1

    one link here, but there are a lot of others. Basically, most NAT routers allow incoming UDP packets to ports which have recently sent outgoing UDP packets. This is usually how DNS requests work through NAT, for instance. So if I send a UDP packet from port 6744 to you on port 6755, and you send me a UDP packet at the same time from port 6755 to port 6744, then both NAT devices will think that the incoming packet is a reply, and will establish the connection. In order to do it with TCP it's much more difficult. You have to align sequence numbers, you have to have access to raw IP packets, and off the top of my head you probably have to send fake SYN/FIN packets to trick the NAT machine. From what I've read it is possible though, and when I read the description it made sense.

    It sounds like a security flaw unless you're talking about using UPNP to automatically forward ports.

    Well, NAT wasn't designed for security. People just use it that way, in most cases inappropriately. However, this particular attack does require active participation by both ends of the connection.

  3. Re:Nice... on A $251 Million Typo · Score: 1

    The point is, if 1 person acting on her own can cause an accidental screw up, what prevents her from putting the company in bankruptcy if she decided to?

    I'm not saying there definitively is something in place to stop her from doing that, I'm just saying that you're assuming too much by saying there definitively isn't.

    I am not saying she wouldn't get in trouble... but with the events that unfolded in the accidental scenario, apparently, the company would not find out in time to prevent it.

    They couldn't find out in time to prevent a single transaction, that doesn't mean they couldn't find out in a scenario that would put them in bankruptcy.

    And in fact, they probably could have prevented that single transaction from completing, at least if the transaction was initiated due to fraud. They might not have chosen to do so, as that would hurt their reputation, but they did find out before any actual money changed hands. In the case of direct fraud which cost the company everything it had I think the situation would be a little different.

    The point is, the organization needs to have a better process in place to prevent screw ups/sabotage.

    It'd be better if they did, and I'm sure they're taking steps to address that.

  4. Re:I beg to differ: NAT can do it, and well too on Federal Agencies Must Use IPv6 by 2008 · Score: 1

    But if you want to do video conferencing or VOIP then you're screwed unless you go via proxy servers and give up speed and security.

    Actually there are hacks now available which can establish a direct UDP connection between two NATed clients without even using port forwarding. Basically you use a third party to exchange port numbers, and then you both send the initial transaction at the same time. You can even do it with TCP if you exchange some additional information.

    And all that assumes you're not using port forwarding. If you use port forwarding, it's even easier.

    There's no reason why your fridge with an IPV6 address should not sit behind your home firewall.

    You don't need to have an IPv6 connection to the internet to have an IPv6 home network, though.

  5. Re:Nice... on A $251 Million Typo · Score: 1

    I work for a company that places trades like that (but an order of magnitude smaller) all the time. There are double checks in place.

    I'm sure there are double checks in place with this company too. The checks are just set an order of magnitude (or two) higher.

    Crap... what would they do if the employee got pissed and started making trades like this on purpose. Fire her? After making the company bankrupt?

    Why do you assume she would have gotten away with any more than she did if she was doing it on purpose? And no, she wouldn't just be fired, she'd go to jail if she did it on purpose.

    All financial institutions use the double responsibility concept for all transactions (or they should). It makes it much harder to commit fraud.

    Maybe they should. It could certainly be streamlined so that any million dollar trades go to a conference call where two people can type in the trade at the same time - this would allow mistakes and single-person fraud to be caught and not significantly slow down the speed of the transaction. But I don't think that's at all obvious in any sense other than in hindsight.

    Should they have fired her for making this mistake? Probably not if it was really as simple as making a typo. Move her down into a position with greater supervision, perhaps, but if she was an employee and not a contractor firing her was probably a bad decision. And if she was a contractor, well, then they probably would have sued her for damages as well as "firing" her.

  6. Re:Nice to see that... on Federal Agencies Must Use IPv6 by 2008 · Score: 2, Insightful

    NAT, dynamic DNS, and all the other "hacks" which resolved the problems in ways which were backward compatible. Between NAT, dynamic DNS, and application level protocols to negotiate ports, we don't have merely 4 billion IP addresses, we have 28147 trillion, and that, to misquote Bill Gates, should be enough for anyone.

    I'm not saying IPv4 is going to last forever. Like anything else, it won't. But I'm pretty convinced that IPv6 won't be the next widely adopted protocol after IPv4. To (properly) quote D. J. Bernstein, "The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space."

  7. Re:It will when major ISPs start supporting it on Federal Agencies Must Use IPv6 by 2008 · Score: 2, Insightful

    And the major reason the vast majority of the big ISPs don't offer it is because there is no demand for it. Anyone offering a useful service on the web can afford a few bucks a month for a static IPv4 address, and I don't see that fact going away, ever. So what do you get by going with IPv6? AFAICT, nothing but incompatibility problems.

    IPv6 would have been better than IPv4, if we were building the internet from scratch. But Beta is better than VHS too, and I don't know very many people with Beta cassette players.

  8. Re:Mac OSX has had great IPv6 for a while (10.2)! on Federal Agencies Must Use IPv6 by 2008 · Score: 1

    In an IPv6 world... there will be no more anonymity except at a WiFi cafe lacking video cameras.

    Hmm, I think just the opposite would be true. Now that every person on the planet can have a billion IP addresses, it'll be feasible to use a different IP address every single minute for the rest of your life. Yes, IPv6 makes it possible for even a dialup server to give out static IP addresses to everyone, but it doesn't require it.

    This could have a big impact on sites like Slashdot which rely at least in part on the relative scarcity of IP addresses to keep out the trolls. It'll hurt the spam filters which rely on spammers eventually running out of IP addresses. But these are situations in which the technical ability of anonymity is increased (though one could argue that social controls might tighten to compensate - no more anonymous posts on Slashdot for instance).

  9. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · Score: 1

    The biggest problem I see with this attitude (not that I entirely disagree with it) is that it assumes NAT will go away in v6.

    What's more likely, if IPv6 does catch on, is that NAT will be replaced by IPv4 to IPv6 tunnels.

    But I seriously doubt this is going to happen. Redesigning everything from scratch is a software engineer's wet dream, but in the real world for a system to work it needs to be much more backward compatible than IPv6. It's like DJB said: "The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space."

  10. Re:Nice to see that... on Federal Agencies Must Use IPv6 by 2008 · Score: 1

    It's nice to see that government is implementing IPv6, but I'm more curious as to when it will be implemented by the private sector and widely used.

    My guess, probably never.

  11. Re:Bad Interface? on A $251 Million Typo · Score: 1

    Congratulations, the time to click through all those confirmations just cost the company $12 million on every large trade, instead of just once.

  12. Re:Nice... on A $251 Million Typo · Score: 1

    The "head honchos" don't want to get fired for putting in place an IT system and a business process that allows a single individual to do this kind of thing by mistake, and so are firing her to save their bacon.

    When Merrill Lynch tells you to place a $250 million order, you don't tell them "hold on, I've gotta talk to my manager". There have to be single individuals who are trusted to make this kind of trade. Yes, she was new to the system, but any time you use a new system someone still has to fulfill orders.

    I'm not saying it's completely her fault, but without more information I also can't say this was just a matter of bad "business processes".

  13. Re:She should take her employer to court. on A $251 Million Typo · Score: 1

    Maybe there are max trade orders, and they're just set higher than a quarter million dollars. We're talking about a company that submits orders for Merrill Lynch here.

    She should take her employer to court

    For what? It's not like they're asking her to pay them back. Unless she has a contract, which I highly doubt, then she can be "fired" for just about any reason, at least in the US. If she's in the US she'll probably be eligible for unemployment compensation, but that's it.

  14. Re:Even harder to explain... on A $251 Million Typo · Score: 1

    Kill a company? The company seems to be doing fine, in fact, it plans on keeping the stock for a while.

  15. Re:One size doesn't fit everything on How to Do Everything with PHP and MySQL · Score: 1

    Wikipedia

  16. Re:One size doesn't fit everything on How to Do Everything with PHP and MySQL · Score: 2, Informative

    No proper database connection pooling (and no, pconnect is not connection pooling).

    Huh? What is it, then?

    Can't really run Apache2 in its threaded mode because a lot of php libraries are not thread safe (although php itself is).

    Clearly only a problem if you're using those php libraries that aren't thread safe, and even then, the performance increase of threaded apache usually isn't worth the additional programming overhead of dealing with threads - and if you really need to squeeze every ounce out of your boxes that you can you're probably better off not using apache in the first place.

    Don't get me wrong, I *love* both php and mysql, but for highly-trafficked sites, jsp is definitely a better choice (from my own experience).

    I can't imagine a site which is so heavily trafficked that the cost of hardware saved by using jsp vs. php is worth the cost of programmers to program in it. And then, you're probably better off not using apache at all in those situations. Of course, maybe you can find some cheap jsp programmers, but in my experience php is a lot easier to code.

  17. Re:Need cheap and plentiful converter boxes first on Who Cares if Analog TV Goes Dark? · Score: 1

    The people selling the converters will have us by the short hairs. If anything, they'll RAISE the prices so they can get stinkin rich off us!

    It's not like converters are hard to make. With increased volumes, the cost to make the converters will go down, and if the current manufacturers try to gouge the customers, new manufacturers will come in offering lower prices. That's how capitalism (in the absence of monopolies) works.

  18. Re:What about emergency weather broadcasts and suc on Who Cares if Analog TV Goes Dark? · Score: 1

    Be it the hurricane that's moving into your beach-side town or the crazy riots down the road... sometimes TV is a very good way of keeping up on things. Seems like a bad idea to leave the poor in the dark.

    Whatever, just use the radio.

    Actually, they should keep around one or two non-profit analog stations, and just auction the rest off to be used for any purpose whatsoever. This whole giving away the public airwaves to for-profit companies has gotta stop.

  19. Re:Need cheap and plentiful converter boxes first on Who Cares if Analog TV Goes Dark? · Score: 1

    Before you kill off analog broadcast TV, industry must do the following

    That's probably backward from the way it'll work. First they'll kill off analog broadcast TV, then the prices of those converters will come down.

  20. Re:self incrimination on Second Indymedia Server Seized in UK Within a Year · Score: 1

    Anybody can refuse to testify against anyone else, even in a grand jury. The only way someone can be "compelled" is if they are given immunity from prosecution.

    That's only true if they raise their right to not incriminate themselves, which wouldn't apply if they hadn't committed a crime.

    But even then, as long as they are willing to be jailed they can still refuse to testify.

    Yeah, and as long as they're willing to go live in Mexico they don't even have to be jailed.

  21. Re:examples of 3D buildings? on Google Earth Launching For Free · Score: 1

    They should be pretty easy to spot; a good rule of thumb is that if something is tall enough to trip over, it's 3D.

    Guess that leaves out my home state of Florida.

  22. Compared to the real thing? on Google Earth Launching For Free · Score: 1

    Anyone else got a real photo and a Google Earth image to compare side by side?

  23. Re:Well.... on Second Indymedia Server Seized in UK Within a Year · Score: 1

    Funnily enough, I'd argue the exact opposite. A broad view of who is or isn't a journalist defeats the object.

    You know what, I actually agree with this. Basically, I think the object is not something we can obtain in the first place. In my opinion journalists should not be given any special privileges with regard to their sources. If journalists should be able to refuse to testify against others, then so should the average citizen.

    In short, I believe protecting your source is completely justifiable if you can convince a court that your story is in the public interest (and that's the usual legal criterion applied to such cases.) Since there's evidently no public interest in protecting the identity of these violent thugs, that defence is simply not going to fly.

    Your two statements are not congruent, though. In the first, you're talking about the public interest of the story. In the second, you talk about the public interest of protecting the criminal's identity. I think the second argument is much more persuasive than the first, and it has nothing to do with whether or not the person is a journalist.

  24. Re:Well.... on Second Indymedia Server Seized in UK Within a Year · Score: 1

    Freedom of the press has never included freedom to incite or encourage violent criminal behaviour.

    AFAICT, that's not what Indymedia is being accused of. But, on the other hand, this case is not really about freedom of the press ("this 'journalist' defence" as you call it) but rather the right (or lack thereof) against unreasonable search and seizure. But, back to the first hand, you seemed to be saying in the original post that the reason the journalist defense doesn't apply is that Indymedia reporters are not journalists. I'm just saying such a narrow view of who is and isn't a journalist renders any protections given to journalists rather meaningless.

  25. Re:Well.... on Second Indymedia Server Seized in UK Within a Year · Score: 1

    There may well be excellent journalists working for indymedia, but responsible journalists do not allow anonymous, unchecked "facts" into their news output.

    Actually most responsible journalists will allow anonymous, unchecked facts into their news output, as long as they can independently confirm the facts from two separate sources. The sanctity of this "two source rule" has been declining over the years, and there are many many instances of mainstream publications ignoring it.

    But I don't think any of this should be the business of the government. Freedom of the press means nothing if the government can simply respond with "yeah, but you're not a real journalist".