People care. Unfortunately the realisation that the people can't change anything is what causes apathy - why bother to go and vote if your only choices are equally bad parties? Coupled with the fact that those who actually understand a bit about what freedoms are being taken away are swamped out by the Daily Mail readers who just vote for what the media tell them to vote for.
Unfortunately I'm fast coming to the conclusion that things will continue to go downhill until there's a revolution because the public don't have the ability to effect change by legal means any more.
Why would any manufacturer in their right mind agree to such a thing when it would open them up to possible lawsuits and expenses?
In order to avoid a lawsuit and expenses? In the UK this would probably be covered under the DPA and they would likely be required to provide this data under penalty of criminal proceedings.
No, but you might have copyrighted (or be a trade secret) the frequency the data is collected, or the structures the data is stored in or examined.
Something as trivial as a frequency isn't copyrightable. Nor are simple structs (plenty of case law showing that .h files containing structs aren't copyrightable). Complex data structures may be copyrightable, but there's also no requirement to provide the data in this form, it could just be exported into a simple form.
On his blog one of the reasons he says the manufacturers give is that patients with raw data would be worried by things they don't understand and constantly wanting to see their doctor for reassurance.
The correct way of dealing with this is to publish reference material explaining how the data can be interpreted rather than just denying access.
This likely wouldn't fly here in the UK - the data contained in the device constitutes data relating to an individual and therefore is covered by the DPA.
If a consumer buys an Android device in lieu of a Windows device be it phone or tablet then that does dilute Windows' mindshare.
Correct, but that is irrespective of whether MS is making cash out of it. No one is going to say "well, I was going to buy a Windows phone, but since I can give MS $15 by buying Android I'll do that instead".
The silver lining is that while it seems like a lot of money it is "paltry" compared to what MS and its ecosystem partners would have gotten had they sold an entire device instead of just taxing the Android one.
Well, not a huge amount more actually - Windows Phone 7 licences go for $20-30 a pop, so MS only charges marginally more for a whole OS than they do to licence a few questionable patents for Android. Luckily, Android currently appears to be what the customers want, so the fact that the vendors end up paying MS about the same whatever OS they use doesn't affect what is offered to the consumer.
If they're raking in cash then that means Linux units are shifting. What is better for Linux, more mindshare from more Windows licenses in the field or a paltry patent fee and less mindshare due to a Linux unit in the field and the Linux using OEM gets a share of the profit.
You're making it sound like anyone is benefitting from MS charging a licence fee on Android. Paying MS a chunk of money for each Android device doesn't decrease the windows mindshare whilst it does support MS for doing basically nothing. The licence fee isn't "paltry" - I certainly would prefer my phone to be $15 cheaper. If you don't mind paying people who've done nothing to help produce the thing you're buying, how about you give $15 to me the next time you buy a phone? I've probably done about as much as MS to further the development of Android..
how many ordinary people are going to answer "Yes" to the question "Would you like other companies to be able to watch and compile databases of everything you do online?"... I'm guessing approximately NOBODY
If you say "do you want to have your online movements tracked and get nothing in exchange" I guess you'd be right. But sometimes there are benefits to the consumer to being tracked, so you may have different answers if you asked "do you want to have your online movements tracked in exchange for a pony"... See: store loyalty cards.
The gist of your post is fine, but this sentence is ridiculous:
Companies that threaten alleged infringers but won't say what is being infringed really should have to forfeit those patents.
If the company won't say which patents they are talking about, how are you going to take those patents away from them?
Because when company A threatens company B by saying "Linux infringes a number of our patents but we're not going to tell you which, pay us a licence fee in order to avoid court action", company A would automatically forfeit those patents. Now, you're right that no one will know which patents they are forfeiting, but it does mean that if company A subsequently sues someone for infringing their patents through the use of Linux, they have now revealed some of the patents they have forfeited and therefore have no suitable patents left to continue that court case. The upshot of this is that there is no reason for company B to ever pay the licence fee because they know that if it goes to court, the patents will be invalid.
I have owned a couple of Acer laptops over the years and they were great bang for buck. They were cheap and broke down, but by then I wanted an upgrade anyway. Buying a higher end machine would have still been out of date, I would still want to update, and the resale value would not pay back the difference I initially paid...
I've got an Acer laptop and will never buy from Acer again.
It kills batteries - after only a year their capacity is significantly degraded. But Acer considers batteries "consumables" so the fact that the charger in the laptop kills them isn't covered by the warranty.
They flatly refused to refund my Windows licence fee (first thing I did when I got the machine was wipe Windows since I have no use for it). Not that long after they did this a French court ruled that they weren't allowed to decline to refund the Windows licence so I guess I should've tried again.
The machine has a DSDT bug, which I reported to them, then I wrote a DSDT patch and sent that to them too in the hope that they might release a new BIOS for the machine to correct it. They won't even acknowledge my emails any more: http://www.nexusuk.org/~steve/acer.xhtml
I find the hardware largely ok, but their complete refusal to provide any kind of after-sales support, even for design defects, would stop me buying from them again.
Maybe so but Linux went through the copyright trial by fire against some very powerful enemies and when it was done and over, Linux came through looking better than ever. So when the FUD slinging starts, this is an easily cited IP victory.
And yet MS is still raking in the cash over patents they claim Linux is infringing...
If they're making scandalous sums off of android and Linux that just means android and Linux are worth scandalous sums of money and then some. It legitimizes the platforms just that much more. Patents run out so the racket can't last forever and when it's over Linux will still be there. How much are they making off of windows phone again?
By the time the patents have run out they will be obsolete and will have been replaced with something else that MS is claiming they own. The problem isn't that Linux might be infringing MS patents, it's that MS will never tell anyone what those patents are to give Linux a fighting chance of avoiding infringement. Someone needs to call MS's bluff and go to court over this so the patents get exposed. Companies that threaten alleged infringers but won't say what is being infringed really should have to forfeit those patents.
Case in point: Care to take a guess just how many routers / switches the big telcos have to replace because existing ones are not IPV6 capable ?
Oooh, ooh, I know this one: none. Because they started planning the rollout of IPv6 14 years ago and therefore were able to ensure that the normal rolling replacement of equipment accommodated the IPv6 rollout without needing to do any out-of-schedule replacements of equipment.
Oh, they didn't? I guess that was short-sighted planning then. Seems to be a recurring theme when it comes to telecomms network management...
The email handling for both iOS and Android is considerably less efficient than for the Blackberry.
Blackberry worked by installing servers at the MNOs which had direct access to the device over the network - no having to tunnel through NAT, etc. (which requires sending periodic keepalives even when idle). But then bandwidth got cheap enough that this was unnecessary - far easier and cheaper to stick the servers out on the internet rather than trying to cut deals with the MNOs to install them within their networks.
There is a chance that IPv6 may reduce these problems since the NATs will disappear. Although it's still possible the MNOs will shove stateful firewalls in the way, necessitating the need for sending keepalives still. This is a double edged sword - on the one hand, without a firewall, someone on the internet could DoS your phone. On the other, sticking a firewall in the way requires the phone to keep prodding it to prevent the connections timing out.
Personally, I've been reasonably surprised at how little 3G bandwidth I've needed since I got an Android device several years ago. On my old HTC Dream (Android 1.6) 150MB would usually last me 2-3 months. Then the wifi broke and I started going through ~150 per month. Since replacing it with a Captivate Glide (Android Gingerbread) I've noticed that I go through around 150MB in 1-1.5 months, so clearly I am doing something that requires a lot more bandwidth on the more powerful phone. There are a lot of things that could account for this - e.g. the facebook app runs all the time and waits for status updates under Gingerbread, whereas this wasn't the case before Android 2.0, I use K9 for my email now, etc.
When they came out, nobody knew exactly what they were capable of until they bought one
Happens every time Apple release a new device and I just don't get it - people queue for hours and spend a big chunk of money on a shiny new device which no one actually knows anything about. Why not wait a few days for the reviews to appear, play with a friend's device and see if it actually does what you want? Unless the thing you want it to do is just help you pose with a brand new device that only a few million other people have got so far...
Can the WiFi handle calls from GSM handsets as-is?
Yes.
The Android OS supports SIP calls.
Unfortunately I'm still using sipdroid because the native SIP stack is very weak on features: No calling over 3G (unless you apply a fairly complex OS hack), only supports plain old G.711 codecs as far as I know, runs the battery down very quickly by sending keepalives way too frequently (keepalive frequency should really automatically tune itself... ISTR Android was sending them at 10 second intervals even when it was on the same LAN as the SIP server (so it didn't actually need to send keepalives at all)), no trivial way of choosing between SIP and GSM/3G when dialing numbers, only supports 1 SIP account at a time...
I wish sipdroid would get support for bluetooth and the front-facing camera though... And updating the UI to look like current Android builds would also be nice.
Can the WiFi handle calls from GSM handsets as-is? No.
Does your WiFi router improve your cell phone reception? No.
No, but the sort of handsets they are complaining about don't just do GSM - they usually have GSM, WCDMA, HSPA, Wifi and possibly a load of other types of wireless connectivity. When I'm within range of a wifi access point, I _do_ make phone calls via the wifi network instead of the 3G network - it's cheaper and has better call quality. However, again, voice calls aren't what they are complaining about, and all the non-voice applications work via Wifi too.
Of course, the MNO's problem with all this is that they don't get to charge you for your use of your own wifi...
My point is: what's the use of authenticating proxies? Why do you need them? What value do they provide?
They allow a reasonably drop-in style way of providing per-user restrictions on web access.
802.11+802.1X isn't per-machine. The same username+password can be used simultaneously on different devices. We use this at work/university/home. I fail to see how it requires more hardware than an authenticating proxy.
Ok, take an existing network. It may have a combination of managed and unmanaged switches, or maybe all unmanaged (it is extremely rare to find a network that has nothing but managed switches throughout). So in order to do 802.1x we first have to replace all the unmanaged switches with managed ones capable of 802.1x - that's a big stack of new hardware right there.
Now, once a client has authenticated, (AFAIK) the only way their traffic can be tied back to them is by comparing the MAC address they are using against the detail that was stored through RADIUS when they authenticated. If there are any routers on the network you're SOL since those routers will replace the source MAC on the packets. This makes doing per-user filtering in a central location a problem (and yes, there are ways around this - I imagine WCCP would work, but the configuration is a *lot* more complex than just dropping a proxy in to the network, and is probably going to involve replacing routers as well as switches).
My final point is: what value does an authenticating proxy add to the network? Do you give some users internet access and not others? Do you need to account internet traffic (excluding intranet traffic)?
All of the above: My customers need to restrict web access differently for various groups of user. For example, staff often have reasonably lax filtering that just helps to prevent the "accidentally stumbling across porn in front of a class of kids" situation, 6th form kids have slightly stricter filtering, younger kids have more filtering. Often these filtering rules are set up to automatically change based on the time of day - it is common for kids to be allowed access to facebook during break times but not during classes. It is also important to be able to provide per-user accounting information and our customers also have the ability to apply a quota to each user's web access.
A proxy isn't "drop-in-and-go" solution; this thread started on that very specific point: you need every application to support it, and for all application to somehow share settings.
Well, yes it is largely a drop-in-and-go solution, at least more than other options. Most software does support it, and on desktops the user doesn't usually even need to manually authenticate (this is handled by NTLM or Kerberos usually). Settings regarding which proxy to use can usually be set globally (e.g. Windows Active Directory allows this, or by using WPAD).
While 802.1X is done at an OS level, so you don't need to verify each app to make sure it works properly. The each-application-authenticates-using-shared-credentials is simply bad design if you can have the computer authenticate once.
Doing this stuff at the OS level would certainly be nice, but does greatly increase the complexity of retrofitting systems to existing networks. If you were building the whole network from the ground up then it'd work well, but telling a customer that in order to use our software they need to replace all their switches and routers isn't going to result in a lot of sales.
It's not like a non-transparent proxy adds any real value over transparent proxies
Yes, they do - transparent proxies can't authenticate users. We do use transparent proxying in situations where authentication isn't required (or to provide restricted network access to certain broken software that can't handle proxies correctly)
if you want to filter out people from your network, just use 802.1X.
802.1x largely provides per-machine auth rather than per-user, requires a much more complex setup and more hardware. A proxy is a more drop-in-and-go solution that tends to Just Work with most software.
I believe it. iOS might not be the best, but it's pretty good when you just want to get business done.
iOS devices are one of the most problematic devices that we have to support. These are some of the problems we have had with them:
1. The web proxy server settings are all centralised on the device, which is a really good design. Unfortunately, many (most?) iOS apps seem to ignore them.
2. Many apps don't support authenticated web proxies.
3. Of the apps that do support authenticated web proxies, most of them do their own authentication (i.e. you open the browser and get asked to authenticate and can then browse without any more problems... but then you go to another app and have to auth again because the browser and the other app don't share the same authentication credential store. Then you open another app and have to auth *again*).
4. The iCloud stuff can't handle HTTP errors it didn't expect. If the iOS device tries to contact the iCloud servers and the web proxy returns a 407 (not authorised), the device just blindly tries again immediately (without supplying any authentication credentials). On networks where our customers have decided to severely restrict internet access (we supply systems to schools, who often put up very restrictive controls on their internet connections at certain times of the day), we frequently see the iOS devices hammering away at the proxy with repeated attempts to contact Apple's servers; we're talking hundreds of requests per second for hours on end - the batteries on these dumb devices can't last long with that kind of behaviour.
Notably, Apple seems to have a general habit of many of these things - much of their OS X software also has terrible support for authenticated web proxies, and iChat has a well known bug similar to (4) that results in it fighting with remote XMPP clients if they return a (legal) response it doesn't like - I tend to see constant network traffic totalling about 3Kbps per pair of fighting clients, and they do it even when not in a conversation.
Some models are good, some aren't.
Well, what is "good" often depends on what use you want to put it to. I can point at a lot of devices (running any of the OSes), which I regard as "not good", whilst other people will regard them as "good" because they happen to fit with their usage best. This is the benefit of choice, and is something you don't get with the iOS devices.
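An added example, not part of the original comment: one way a proxy operator could spot the behaviour described in item 4 above (a client retrying immediately on 407 without ever supplying credentials). It assumes Squid's native access.log field order; the thresholds, addresses, host names and log lines are constructed for illustration.

```python
"""Flag clients that hammer an authenticating proxy with credential-less retries.

Assumption: Squid native access.log layout
  time elapsed client code/status bytes method URL user hierarchy type
"""
from collections import defaultdict, deque
from urllib.parse import urlsplit

WINDOW_SECONDS = 10   # assumed look-back window
MIN_DENIED = 50       # assumed threshold: unauthenticated 407s inside the window


def parse_squid_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
        status = int(fields[3].rsplit("/", 1)[1])
    except (ValueError, IndexError):
        return None
    method, url, user = fields[5], fields[6], fields[7]
    # CONNECT requests are logged as "host:port" rather than as a full URL.
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {
        "ts": ts,
        "client": fields[2],
        "status": status,
        "host": host,
        "user": None if user == "-" else user,
    }


def find_retry_storms(lines, window=WINDOW_SECONDS, min_denied=MIN_DENIED):
    """Return {(client, host): peak count of unauthenticated 407s in one window}.

    A normal client answers the 407 challenge with credentials, which shows up
    as a log line with a user name; that resets the counter. A client that
    never authenticates and keeps retrying accumulates 407s and is flagged.
    """
    recent = defaultdict(deque)   # (client, host) -> timestamps of bare 407s
    storms = {}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        if rec["user"] is not None:
            recent[key].clear()   # credentials were presented: not a storm
            continue
        if rec["status"] != 407:
            continue
        stamps = recent[key]
        stamps.append(rec["ts"])
        while stamps and rec["ts"] - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= min_denied:
            storms[key] = max(storms.get(key, 0), len(stamps))
    return storms


def sample_log():
    """Constructed log: one well-behaved browser, one device stuck retrying."""
    base = 1700000000.0
    lines = [
        # Browser: challenged once, then retries with credentials and succeeds.
        f"{base:.3f}      3 192.0.2.10 TCP_DENIED/407 1719 GET "
        "http://intranet.example.invalid/ - HIER_NONE/- text/html",
        f"{base + 0.2:.3f}     41 192.0.2.10 TCP_MISS/200 5120 GET "
        "http://intranet.example.invalid/ alice HIER_DIRECT/198.51.100.5 text/html",
    ]
    # Device: 300 credential-less retries in 3 seconds to a placeholder host.
    for i in range(300):
        lines.append(
            f"{base + 1 + i * 0.01:.3f}      1 192.0.2.77 TCP_DENIED/407 1719 "
            "CONNECT sync.example.invalid:443 - HIER_NONE/- text/html"
        )
    return lines


if __name__ == "__main__":
    for (client, host), peak in find_retry_storms(sample_log()).items():
        print(f"{client} -> {host}: {peak} unauthenticated 407s within "
              f"{WINDOW_SECONDS}s")
```

Clients flagged this way are candidates for rate limiting at the proxy or for an unauthenticated allow rule covering the specific host, depending on local policy.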
I think it's even worse than religion. At least the goal of religious organization (ideally, without the greed and corruption) is about people as a group trying to find a spiritual part of themselves.
Religions are always centred around greed - usually they are greedy for more members, which is precisely why religions have a habit of telling you things like you're going to hell if you don't believe - if they were just trying to find a spiritual part of themselves, they wouldn't care if you didn't believe, but their greed makes them want to expand their religion to more members. More members means the religion is more powerful, and we can regularly see religious organisations trying to hold on to this power by attempting to control people (both members and non-members) - for example, look at the Church of England arguing about how people who *aren't members of the church* should not legally be allowed to get married in ways the church does not approve of, which is quite ironic, given the whole reason the Church of England was even created for in the first place.
instead of, e.g., "Engine Warning" icon lighting up, it can say "Your O2 sensor is broken".
Don't be silly, how then would the main dealer be able to charge you a £100 "diagnostic fee" for the 30 second job of plugging an OBD II reader in?
why would we detonate a bomb on earth, a bomb large enough to shift an asteroid's trajectory, anyway?
To fight global warming by nudging earth away from the sun?
To be fair, a nuclear winter would probably do wonders to offset climate change... I welcome one for the improved skiing conditions.
If a consumer buys an Android device in lieu of a Windows device be it phone or tablet then that does dilute Windows' mindshare.
Correct, but that is irrespective of whether MS is making cash out of it. No one is going to say "well, I was going to buy a Windows phone, but since I can give MS $15 by buying Android I'll do that instead".
The silver lining is that while it seems like a lot of money it is "paltry" compared to what MS and its ecosystem partnerswould have gotten had they sold an entire device instead of just taxing the Android one.
Well, not a huge amount more actually - Windows Phone 7 licences go for $20-30 a pop, so MS only charges marginally more for a whole OS than they do to licence a few questionable patents for Android. Luckilly, Android currently appears to be what the customers want, so the fact that the vendors end up paying MS about the same whatever OS they use doesn't affect what is offered to the consumer.
If they're raking in cash then that means Linux units are shifting. What is better for Linux, more mindshare from more Windows licenses in the field or a paltry patent fee and less mindshare due to a Linux unit in the field and the Linux using OEM gets a share of the profit.
You're making it sound like anyone is benefitting from MS charging a licence fee on Android. Paying MS a chunk of money for each Android device doesn't decrease the windows mindshare whilst it does support MS for doing basically nothing. The licence fee isn't "paltry" - I certainly would prefer my phone to be $15 cheaper. If you don't mind paying people who've done nothing to help produce the thing you're buying, how about you give $15 to me the next time you buy a phone? I've probably done about as much as MS to further the development of Android..
how many ordinary people are going to answer "Yes" to the question "Would you like other companies to be able to watch and compile databases of everything you do online?" ... I'm guessing approximately NOBODY
If you say "do you want to have your online movements tracked and get nothing in exchange" I guess you'd be right. But sometimes there are benefits to the consumer to being tracked, so you may have different answers if you asked "do you want to have your online movements tracked in exchange for a pony"... See: store loyalty cards.
The gist of your post is fine, but this sentence is ridiculous:
If the company won't say which patents they is talking about, how are you going to those patents away from them?
Because when company A threatens company B by saying "Linux infringes a number of our patents but we're not going to tell you which, pay us a licence fee in order to avoid court action", company A would automatically forefit those patents. Now, you're right that no one will know which patents they are forefitting, but it does mean that if company A subsequently sues someone for infringing their patents through the use of Linux, they have now revealed some of the patents they have forefitted and therefore have no suitable patents left to continue that court case. The upshot of this is that there is no reason for company B to ever pay the licence fee because they know that if it goes to court, the patents will be invaid.
I have owned a couple of Acer laptops over the years and they were great bang for buck. They were cheap and broke down, but by then I wanted an upgrade anyway. Buying a higher end machine would have still been out of date, I would still want to update, and the resale value would not pay back the difference I initially paid...
I've got an Acer laptop and will never buy from Acer again.
It kills batteries - after only a year their capacity is significantly degraded. But Acer considers batteries "consumables" so the fact that the charger in the laptop kills them isn't covered by the warranty.
They flatly refused to refund my Windows licence fee (first thing I did when I got the machine was wipe Windows since I have no use for it). Not that long after they did this a French court ruled that they weren't allowed to decline to refund the Windows licence so I guess I should've tried again.
The machine has a DSDT bug, which I reported to them, then I wrote a DSDT patch and sent that to them too in the hope that they might release a new BIOS for the machine to correct it. They won't even acknowledge my emails any more: http://www.nexusuk.org/~steve/acer.xhtml
I find the hardware largely ok, but their complete refusal to provide any kind of after-sales support, even for design defects, would stop me buying from them again.
Maybe so but Linux went though the copyright trial by fire against some very powerful enemies and when it was done and over, Linux came through looking better than ever. So when the FUD slinging starts, this is an easily cited IP victory.
And yet MS is still raking in the cash over patents they claim Linux is infringing...
If they're making scandalous sums off of android and Linux that just means android and Linux are worth scandalous sums of money and then some. It legitimizes the platforms just that much more. Patents run out so the racket can't last forever and when it's over Linux will still be there. How much are they making off of windows phone again?
By the time the patents have run out they will be obsolete and will have been replaced with something else that MS is claiming they own. The problem isn't that Linux might be infringing MS patents, its that MS will never tell anyone what those patents are to give Linux a fighting chance of avoiding infringement. Someone needs to call MS's bluff and go to court over this so the patents get exposed. Companies that threaten alledged infringers but won't say what is being infringed really should have to forefit those patents.
Case in point: Care to take a guess just how many routers / switches the big telcos have to replace because existing ones are not IPV6 capable ?
Oooh, ooh, I know this one: none. Because they started planning the rollout of IPv6 14 years ago and therefore were able to ensure that the normal rolling replacement of equipment accommodated the IPv6 rollout without needing to do any out-of-schedule replacements of equipment.
Oh, they didn't? I guess that was short-sighted planning then. Seems to be a recurring theme when it comes to telecomms network management...
The email handling for both iOS and Android is considerably less efficient than for the Blackberry.
Blackberry worked by installing servers at the MNOs which had direct access to the device over the network - no having to tunnel through NAT, etc. (which requires sending periodic keepalives even when idle). But then bandwidth got cheap enough that this was unnecessary - far easier and cheaper to stick the servers out on the internet rather than trying to cut deals with the MNOs to install them within their networks.
There is a chance that IPv6 may reduce these problems since the NATs will disappear. Although its still possible the MNOs will shove stateful firewalls in the way, necessitating the need for sending keepalives still. This is a double edged sword - on the one hand, without a firewall, someone on the internet could DoS your phone. On the other, sticking a firewall in the way requires the phone to keep prodding it to prevent the connections timing out.
Personally, I've been reasonably surprised at how little 3G bandwidth I've needed since I got an Android device several years ago. On my old HTC Dream (Android 1.6) 150MB would usually last me 2-3 months. Then the wifi broke and I started going through ~150 per month. Since replacing it with a Captivate Glide (Android Gingerbread) I've noticed that I go through around 150MB in 1-1.5 months, so clearly I am doing something that requires a lot more bandwidth on the more powerful phone. There are a lot of things that could account for this - e.g. the facebook app runs all the time and waits for status updates under Gingerbread, whereas this wasn't the case before Android 2.0, I use K9 for my email now, etc.
When they came out, nobody knew exactly what they were capable of until they bought one
Happens every time Apple release a new device and I just don't get it - people queue for hours and spend a big chunk of money on a shiny new device which no one actually knows anything about. Why not wait a few days for the reviews to appear, play with a friend's device and see if it actually does what you want? Unless the thing you want it to do is just help you pose with a brand new device that only a few million other people have got so far...
Can the WiFi handle calls from GSM handsets as-is?.
Yes.
The Android OS supports SIP calls.
Unfortunately I'm still using sipdroid because the native SIP stack is very weak on features: No calling over 3G (unless you apply a fairly complex OS hack), only supports plain old G.711 codecs as far as I know, runs the battery down very quickly by sending keepalives way too frequently (keepalive frequency should really automatically tune itself... ISTR Android was sending them at 10 second intervals even when it was on the same LAN as the SIP server (so it didn't actually need to send keepalives at all)), no trivial way of choosing between SIP and GSM/3G when dialing numbers, only supports 1 SIP account at a time...
I wish sipdroid would get support for bluetooth and the front-facing camera though... And updating the UI to look like current Android builds would also be nice.
Can the WiFi handle calls from GSM handsets as-is? No.
Does your WiFi router improve your cell phone reception? No.
No, but the sort of handsets they are complaining about don't just do GSM - they usually have GSM, WCDMA, HSPA, Wifi and possibly a load of other types of wireless connectivity. When I'm within range of a wifi access point, I _do_ make phone calls via the wifi network instead of the 3G network - its cheaper and has better call quality. However, again, voice calls aren't what they are complaining about, and all the non-voice applications work via Wifi too.
Of course, the MNO's problem with all this is that they don't get to charge you for your use of your own wifi...
My point is: what's the use of authenticating proxies? Why do you need them? What value do they provide?
They allow a reasonably drop-in style way of providing per-user restrictions on web access.
802.11+802.1X isn't per-machine. The same username+password can be used simultaneously on different devices. We use this at work/university/home.
I fail to see how it requires more hardware than an authenticating proxy.
Ok, take an existing network. It may have a combination of managed and unmanaged switches, or maybe all unmanaged (it is extremely rare to find a network that has nothing but managed switches throughout). So in order to do 802.1x we first have to replace all the unmanaged switches with managed ones capable of 802.1x - that's a big stack of new hardware right there.
Now, once a client has authenticated, (AFAIK) the only way their traffic can be tied back to them is by comparing the MAC address they are using against the detail that was stored through RADIUS when they authenticated. If there are any routers on the network you're SOL since those routers will replace the source MAC on the packets. This makes doing per-user filtering in a central location a problem (and yes, there are ways around this - I imagine WCCP would work, but the configuration is a *lot* more complex than just dropping a proxy in to the network, and is probably going to involve replacing routers as well as switches).
My final point is: what value does an authenticating proxy add to the network? Do you give some users internet access and not others? Do you need to account internet traffic (excluding intranet traffic)?
All of the above: My customers need to restrict web access differently for various groups of users. For example, staff often have reasonably lax filtering that just helps to prevent the "accidentally stumbling across porn in front of a class of kids" situation, 6th form kids have slightly stricter filtering, younger kids have more filtering. Often these filtering rules are set up to automatically change based on the time of day - it is common for kids to be allowed access to facebook during break times but not during classes. It is also important to be able to provide per-user accounting information and our customers also have the ability to apply a quota to each user's web access.
A proxy isn't a "drop-in-and-go" solution; this thread started on that very specific point: you need every application to support it, and for all applications to somehow share settings.
Well, yes it is largely a drop-in-and-go solution, at least more than other options. Most software does support it, and on desktops the user doesn't usually even need to manually authenticate (this is handled by NTLM or Kerberos usually). Settings regarding which proxy to use can usually be set globally (e.g. Windows Active Directory allows this, or by using WPAD).
While 802.1X is done at an OS level, so you don't need to verify each app to make sure it works properly. The each-application-authenticates-using-shared-credentials is simply bad design if you can have the computer authenticate once.
Doing this stuff at the OS level would certainly be nice, but does greatly increase the complexity of retrofitting systems to existing networks. If you were building the whole network from the ground up then it'd work well, but telling a customer that in order to use our software they need to replace all their switches and routers isn't going to result in a lot of sales.
So. If you don't need web proxies all your problems vanish. Neat...
Most large organisations use web proxies...
It's not like a non-transparent proxy adds any real value over transparent proxies
Yes, they do - transparent proxies can't authenticate users. We do use transparent proxying in situations where authentication isn't required (or to provide restricted network access to certain broken software that can't handle proxies correctly).
if you want to filter out people from your network, just use 802.1X.
802.1x largely provides per-machine auth rather than per-user, requires a much more complex setup and more hardware. A proxy is a more drop-in-and-go solution that tends to Just Work with most software.
I believe it. iOS might not be the best, but it's pretty good when you just want to get business done.
iOS devices are one of the most problematic devices that we have to support. These are some of the problems we have had with them:
1. The web proxy server settings are all centralised on the device, which is a really good design. Unfortunately, many (most?) iOS apps seem to ignore them.
2. Many apps don't support authenticated web proxies.
3. Of the apps that do support authenticated web proxies, most of them do their own authentication (i.e. you open the browser and get asked to authenticate and can then browse without any more problems... but then you go to another app and have to auth again because the browser and the other app don't share the same authentication credential store. Then you open another app and have to auth *again*).
4. The iCloud stuff can't handle HTTP errors it didn't expect. If the iOS device tries to contact the iCloud servers and the web proxy returns a 407 (not authorised), the device just blindly tries again immediately (without supplying any authentication credentials). On networks where our customers have decided to severely restrict internet access (we supply systems to schools, who often put up very restrictive controls on their internet connections at certain times of the day), we frequently see the iOS devices hammering away at the proxy with repeated attempts to contact Apple's servers; we're talking hundreds of requests per second for hours on end - the batteries on these dumb devices can't last long with that kind of behaviour.
Notably, Apple seems to have a general habit of many of these things - much of their OS X software also has terrible support for authenticated web proxies, and iChat has a well known bug similar to (4) that results in it fighting with remote XMPP clients if they return a (legal) response it doesn't like - I tend to see constant network traffic totalling about 3Kbps per pair of fighting clients, and they do it even when not in a conversation.
Some models are good, some aren't.
Well, what is "good" often depends on what use you want to put it to. I can point at a lot of devices (running any of the OSes), which I regard as "not good", whilst other people will regard them as "good" because they happen to fit with their usage best. This is the benefit of choice, and is something you don't get with the iOS devices.
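The retry loop described in point 4 above shows up in proxy logs as a burst of 407 responses to one client with no authenticated request in between. The following is an added example, not part of the original comment: it assumes Squid's native access.log layout (the post does not name its proxy), and the threshold, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict

# Assumed log layout (Squid native access.log):
# time elapsed client action/status bytes method URL user hierarchy type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+"
    r"\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s"
)

def find_retry_storms(lines, window=10, min_rate=20.0):
    """Return {client: peak 407s/sec} for clients that, inside one window,
    drew 407s at >= min_rate per second and never sent credentials."""
    denied = defaultdict(int)   # (client, bucket) -> number of 407 responses
    authed = set()              # (client, bucket) that had an authenticated request
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue            # skip malformed lines
        key = (m["client"], int(float(m["ts"])) // window)
        if m["status"] == "407":
            denied[key] += 1
        elif m["user"] != "-":
            authed.add(key)     # a normal client answers the challenge
    storms = {}
    for (client, bucket), count in denied.items():
        rate = count / window
        if rate >= min_rate and (client, bucket) not in authed:
            storms[client] = max(storms.get(client, 0.0), rate)
    return storms

def sample_log():
    """Constructed log lines: one looping device and one normal browser."""
    base = 1343900000.0
    lines = []
    # 10.0.5.23: 300 credential-less CONNECTs in 10 s, every one answered 407
    for i in range(300):
        lines.append(f"{base + i / 30:.3f}      1 10.0.5.23 TCP_DENIED/407 4012 "
                     "CONNECT cloud.example.invalid:443 - HIER_NONE/- text/html")
    # 10.0.5.40: one challenge, then an authenticated retry that succeeds
    lines.append(f"{base + 1:.3f}      1 10.0.5.40 TCP_DENIED/407 4012 "
                 "GET http://www.example.invalid/ - HIER_NONE/- text/html")
    lines.append(f"{base + 1.2:.3f}     85 10.0.5.40 TCP_MISS/200 5120 GET "
                 "http://www.example.invalid/ pupil1 HIER_DIRECT/192.0.2.10 text/html")
    return lines
```

A single 407 followed by an authenticated request is the normal challenge-response, which is why the check requires both a high rate and the absence of any authenticated request in the same window.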
I think it's even worse than religion. At least the goal of religious organization (ideally, without the greed and corruption) is about people as a group trying to find a spiritual part of themselves.
Religions are always centred around greed - usually they are greedy for more members, which is precisely why religions have a habit of telling you things like you're going to hell if you don't believe - if they were just trying to find a spiritual part of themselves, they wouldn't care if you didn't believe, but their greed makes them want to expand their religion to more members. More members means the religion is more powerful, and we can regularly see religious organisations trying to hold on to this power by attempting to control people (both members and non-members) - for example, look at the Church of England arguing about how people who *aren't members of the church* should not legally be allowed to get married in ways the church does not approve of, which is quite ironic, given the whole reason the Church of England was even created for in the first place.
Actually I think the British Army is now the official police force of the olympic games. Previously it was G4S, but they failed miserably.
Well, if you can call not bothering to do the job and still getting paid for it "failed"...
The Olympics are a deterrent to people going to London at all - shops or otherwise.
London is a pretty good deterrent to people going to London at all... Can't see why anyone would want to visit the place, let alone live there.