Congress is not fully briefed on this, that is one of the problems. The other problem is that the FISA court IS NOT consulted, as if even that makes a difference, as the FISA court routinely gives in to whatever internal spying they want to do. Bush has used the Patriot Act to essentially do whatever he wants. This "us vs. them" krap is getting way old...
I didn't say congress is fully briefed, I said congressional leaders (two members of each party in the house and the senate, don't remember the specifics on who beyond majority and minority leaders) and the FISA court are fully briefed. Yes, the FISA court normally grants the ability to do what is asked. That has little to do with the Patriot Act (god, I hate that name), which has only been around for a tiny fraction of the time that FISA has been around.
And this ultra lame ass "I want to live in a fucking police state NOW!" argument of "if you're not doing anything wrong you have nothing to hide" is the most UNAMERICAN bullkrap I've ever heard.
WTF is wrong with those who espouse this krap?
For starters, and this is the most important of all, let me break the news to you:
We can't trust Bush.
You know it's just that simple.
I agree. You can't trust government period. That's the reason for our three-tiered government, checks and balances, FISA review, oversight committees, etc.
The fact that all of congress didn't know the details of what was going on is a function of the type of investigation being conducted. You don't spread around information about who you're keeping tabs on if you want to glean useful information. The alternative solution to that conflict is to not collect intelligence on people that you think you should be collecting intelligence on, and that might be hurtful.
I don't see this as a black-and-white issue, as many on opposing sides of the whole "should we do wiretapping on international communications" question are. I want civil liberties to be safeguarded by oversight, which (by the lack of statements to the contrary by the FISA court or the congresscritters involved) they appear to be, and I want to have good intelligence on people that we have reason to believe want to see Americans harmed.
Uhh...you're aware that the program's activities are fully briefed to and reviewed by both the FISA court and congressional leadership in the house and the senate every month and a half, right? And that they already halted the program once to address concerns that were raised...
Don't get me wrong, I think that a bit more oversight and disclosure is probably in order, but this is hardly Nixonesque.
You just convinced me that we need a recursive backronym for DRM...
DRM Recurses Malevolently?
DRM is Rationally Murky
Somebody help out with the good ideas. At least if we're going to force people into infinite logic loops, we ought to christen the harbinger of pain properly.
The article you linked to didn't say that Linus has no problem with DRM in the kernel. It said that he has no problem with people using the kernel for whatever purpose they like, which is a vastly different viewpoint.
It sounds like his gripe with the GPLv3 is that it is imposing restrictions on what modifications or contributions can be made, which is not the same agnostic view as in previous versions.
The idealist (RMS) and the engineer (Linus) are definitely at a point of contention on this issue...it'll be interesting to see what happens.
I don't care if he pulls Disney out of its "spiral of mediocrity". What I care about is if Disney eviscerates Pixar and ruins one of the better animation studios existing today.
I can hardly wait for "Toy Story 6, Slinky dog Gets a Kink", rendered at 320 X 240 in wireframe.
So, I have to correct myself. It's possible to do, but it'll change the color of all of the end-markers (which is due to the particulars of the SVG 1.1 specification).
The correct way to do it, apparently, depends on whether you want all of your arrows to be the same color. If you want different-colored arrows, you have to make the tips yourself (Just make one shape and copy it, I suppose). If they can all be the same color, you have to go into the XML and change the color of the end-marker by assigning it a "Fill:" attribute.
Neither of those is a particularly handy solution to your use case. If that's all you ever plan on using Inkscape for, then I'd have to say that for you, Inkscape probably does indeed suck.
At least you got the devs to mention the reason for the problem and say they'll try to support it in the future.
Since I had never tried it the way you mentioned, I had to try it out...you're right. It's impossible to do it that way, which is pretty stupid.
To be fair, there are zero items in the project feature requests or bug reports about this, so it's not likely that the devs know that it's broken. I have (hopefully) brought it to someone's attention.
I'm glad that wasn't the first thing I ever tried to do with inkscape, or I probably would never have bothered learning to use it. This guy *really* knows how to use it.
And to boot, their definitions (at least the brief version outlined in TFA), seem to be mainly about malware and viruses.
They would classify the Sony rootkit (*ROOTKIT*!!!) as spyware, rather than malware or a virus, and "programs that install themselves without a user's permission or knowledge, via a security exploit" as spyware.
Great. So if a program installs itself without my permission or knowledge, but not via a security exploit, it's okay?
I have serious problems with their definitions...it sounds as if "spyware" means "malware, viruses, and worms that are less damaging than they could be".
I guess we're even, since I don't understand what your problem was/is with creating an arrow of some particular color. A fairly trivial task insofar as creating a shape in a vector drawing program is to make a triangle and a line and group them together.
Are you saying that there's no button to "insert arrow" in Inkscape, and that was your problem with it? If you'd like, I could take 5 minutes out of my day to create and send you an .svg of an arrow (red, blue, purple, rainbow gradient, whatever) for future use in your choice of vector image editing apps.
I just don't get what it is that's leading you to the conclusion that inkscape is crap.
You're kidding, right? If that took you more than 5 minutes and there's not some esoteric "can't create arrow with red tip" bug that's been reported but unsolvable on sourceforge, then you need to find somebody who can help you or run through a tutorial.
Not to pick nits, but why would you bother using inkscape for something so trivial? If you want to create scalable vector graphics (icons, logos, etc), sure, but adding an arrow to a jpeg?
My vote is for Inkscape. GIMP is great for raster stuff in the same way that Inkscape is great for vector stuff (and they have equally irritating menu systems).
I'll agree with the caveat that I much preferred the Tandberg systems we compared them against.
The reason we ended up going with Polycom 7800a/s systems (despite the fact that they didn't seem quite as glitch-free) was that you couldn't share video from a Polycom unit to a Tandberg (and our parent company uses Polycom). Other way around worked fine, though.
If it finally renders CSS (and supports Javascript) as well as Firefox, I'll agree with you. Opera was the fly in my cross-browser compatible AJAX + CSS web development ointment.
(off to go download Opera and see if it sucks less today than it did 8 months ago)
Momma Moses isn't getting a reduced level of service. The shows that she watches don't get displayed less well than his, regardless of the amount they each pay.
Momma Moses is paying for what she wants.
If Momma Moses paid less and got consistently choppy or garbled video and audio on most channels, but crystal clear reception on a few that partnered with the cable company, that would be a better comparison.
Here's how you fix the analogy. If the telcos offered access to only US IP addresses, for example, and didn't throttle bandwidth, etc for any of those, that'd be roughly equivalent.
They DO have the ability to control quality of service, end to end, and to use things like multicasting effectively. What this means to you and I is good quality media and let's say a very, very impressive Quake arena for all players and it could conceivably not be that expensive because they control the distribution equipment. It won't be cheap, but it COULD be, in a happier world, I digress.
That they have the ability to do a thing is irrespective of their desire to do it in a way that benefits you or I.
Here's the thing; they want a "two-tier internet" that means "we control the good stuff that goes fast, and you can use whatever's left over". That doesn't benefit me.
It probably also doesn't benefit you or result in an impressive Quake Arena (since there's no huge ad-revenue stream inside of Quake...yet). What it means is that the phone companies can offer you something like internet-based cable TV that takes up as much bandwidth as they think it needs to, and makes any newly-developed (and many existing) internet applications automatically slow and low-priority.
I have no problem with the telcos offering two levels of service...one level that's the same as what we have in existence, and a so-called "premium" level with streaming whatever coming out of every orifice sounds fine...as long as they don't purposely degrade the existing functionality of the internet.
The telcos should wake up and realize that voice and video (in a peer-to-peer sense) are just data, which should become their core business...preempting dialtone. We already *have* video and audio content providers (radio, satellite radio, broadcast television, cable, satellite TV), and their business models don't require making things suck for my internet connection in order to offer their services.
Evolution is actually not that bad at dealing with Exchange. For the rest of us, Thunderbird is just fine.
If that were true, all of my clients would be using Evolution or Thunderbird.
Here's the thing...almost all of the companies out there that are using Outlook are using it with Exchange as their mail server. When you do that for long enough, you become accustomed to a certain degree of seamless access to the things that Outlook and Exchange give you access to.
I wish that there was an interface (other than OWA) through which Evolution could connect to exchange mailboxes, public folders, calendars, task lists, journals, contacts, etc. Because Evolution can't do that the same way that Outlook can, users end up with a negative experience rather than a positive one.
Don't get me wrong...I like Evolution, and for my most basic needs, I'll just run dig to find the host your MX record points to and type out an SMTP conversation (haven't got a taste for Thunderbird yet), or use my gMail account. The people I do work for, however, aren't interested in having apparent limitations imposed on them, so Evolution is not a good fit for their environment. They have valid concerns about usability.
It's not necessarily a problem with a good solution...at least not until we fill in the blank for the following:
Evolution:Outlook::???:Exchange
P.S. I know there are products that *almost* fit the bill
Exactly right. If Evolution could talk to Exchange the same way that Outlook does, though (rather than via OWA, which doesn't always work right), I could probably get my clients to use it based on price and usability.
If they can't get to their mail because the web server's bogged down, they will definitely be upset about it.
I didn't quote your sentence about everything being the same/invisible to end users, that's true. I didn't quote it mainly because I don't agree with it. There are plenty of protocols that don't automatically work behind a NAT (especially when both ends of a wanna-be connection are behind a NAT). That makes things not invisible.
The average user is not smart about why certain things don't seem to work well (slow bittorrent downloads, gnutella not working well, etc, etc). There's a real problem in the ways that applications have to be developed now vs. the way they would be able to be developed in an internet without NAT. Firewalls would still work as intended and stop undesired connections, but basic node-to-node connectivity wouldn't suffer as it does with NAT.
My comment about corporations was meant to illustrate the point that they don't *suffer* from the same problem, not that they don't face it. They have resources and people and know about site-to-site VPNs that get them past the problems that NAT causes otherwise. Firewalls solve the same problem as ever, but NAT causes problems with inter-site connectivity that have to be engineered around.
Your question sounds like a good "ask Slashdot", actually...I'd love to see that conversation played out.
I figured you knew about gateways and routers already. It's not as if you are on the same ethernet wire as I am.
You're absolutely right. How about this. We can just replace all of the routers currently in use with proxies. If you're arguing that they're equivalent, or something like that.
For other protocols, how are you going to convince the security manager in XYZ corporation to let your traffic through?
I'm not. Why would I? Most corporations don't suffer from the dearth of IP addresses that the rest of us do, and my goal is not to get around security that's in place on purpose. On other protocols, how am I going to let more than one machine inside my NATed network be a peer for an arbitrary protocol or port?
Anytime I'm at home and I want to set up anything, I'm limited to masq rules in my router/firewall or virtualhost directives on my web server (or using non-standard ports). Notice that all of those are work-arounds for dealing with not having enough addresses? We consider them necessary because we don't want to change something.
I'm not sure what you read that you felt was a personal attack, but I suppose I might have said something to justify that comment. If so, I apologize.
I'm not yelling "NAT IS DEAD"...it's not. I use it (I have no choice, really). What I'm trying to say is that there would be advantages to regular people if we transitioned to IPv6 (as well as confusion, heartache, overhauling, etc). Non-NATed IP addresses mean direct communication is possible, and that opens up a lot of possibilities in node-to-node communication that are not possible via NAT.
You keep bringing up the work-arounds that are already in place, and while I agree that they work all right for the way we use the net right now, making them go away could open the door to new ideas, new functionality, and a whole new experience for everyone.
Yes, it is quite easy with named virtual hosts and reverse proxies, and the usual NAT firewall.
...and then you give an example of something that demonstrates specifically that I cannot connect to those web servers...I have to connect to a proxy.
So, your answer is "no, you can't do that without a third machine as a go-between".
I'm not talking about removing firewalls...access control is a necessity in any network that's open to the public (I think I even mentioned having a firewall in what you responded to). What I'm talking about is the perversions that NAT forces us through.
Suppose we were talking about a different protocol...should we have no choice but to use proxies for any given protocol just because we want to connect to it on more than one machine in a given network?
Again...NAT solves the problems that ISPs have. It ensures that they can continue on without making significant changes, and lets their customers make outbound connections pretty easily, most of the time. It does so by removing the ability of any machine on a given network to be a peer simultaneously with other wanna-be peers if they're behind a NAT device.
NAT is an artful hack, and it has spawned many other artful hacks (virtualhosts, name-based and otherwise, being examples), but why would you want to make things complicated and restrictive when they can be simpler and open?
There comes a time when you're just arguing to argue. I know, believe me (been there, done that). Drop me a note when you've had your own moment of clarity.
Quick test: if you have a web server running on each of your dozens of machines (all on port 80...no bucking the standard), can I connect to each of them using http?
No? Why not? Why can't you just get more IPv4 addresses so that I can connect to each of them?
The advent of NAT has solved the main problems that ISPs have had with giving their customers addresses to use for connecting to "content providers", but it has pretty much eliminated the original "every node is a peer" architecture of the internet.
Sure, if you're an ISP that works for you, but if you're some random guy that wants it to be easy to connect two (currently natted) devices together without involving a third device as a go-between, it's not such a good solution.
It's easy not to get it, just because we're all so used to having to do things the way we have been forced to. The epiphany comes when you realize how much more flexible the system is when NAT is not involved.
You realise that because most distributions use modules, that a clever hacker (who's already got root) can easily install a root kit on your machine that cloaks itself, via good ol' insmod.
That says a lot, really, about the difference in playing said CD on Windows vs. Linux. A typical Linux user is *probably* not going to be in a situation where he opens a CD and a program automagically runs with root/admin permissions. True, cloaking and rootkits can happen on Linux, but it's a much harder job to do without doing something purposely evil, like using a known bug that has root elevation privileges (and even then, the linux community itself would be highly likely to notice a commercially distributed rootkit).
While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.
That's not the issue, really.
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.
Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.
If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...
I'm off to go install SuSE on my desktop...cheers.
syslinux is the bootloader for me, at least on all of my routers and firewalls. Sometimes, you need small, and that's not LILO or GRUB.
The reason we ended going with Polycom 7800a/s systems (despite the fact that they didn't seem quite as glitch-free) was that you couldn't share video from a Polycom unit to a Tandberg (and our parent company uses Polycom). Other way around worked fine, though.
(off to go download Opera and see if it sucks less today than it did 8 months ago)
Momma Moses is paying for what she wants.
If Momma Moses paid less and got consistently choppy or garbled video and audio on most channels, but crystal clear reception on a few that partnered with the cable company, that would be a better comparison.
Here's how you fix the analogy. If the telco's offered access to only US IP addresses, for example, and didn't throttle bandwidth, etc for any of those, that'd be roughly equivalent.
That they have the ability to do a thing is irrespective of their desire to do it in a way that benefits you or I.
Here's the thing; they want a "two-tier internet" that means "we control the good stuff that goes fast, and you can use whatever's left over". That doesn't benefit me.
It probably also doesn't benefit you or result in an impressive Quake Arena (since there's no huge ad-revenue stream inside of Quake...yet). What it means is that the phone companies can offer you something like internet-based cable TV that takes up as much bandwidth as they think it needs to, and makes any newly-developed (and many existing) internet applications automatically slow and low-priority.
I have no problem with the telcos offering two levels of service...one level that's the same as what we have in existence, and a so-called "premium" level with streaming whatever coming out of every orifice sounds fine...as long as they don't purposely degrade the existing functionality of the internet.
The telcos should wake up and realize that voice and video (in a peer-to-peer sense) are just data, which should become their core business...preempting dialtone. We already *have* video and audio content providers (radio, satellite radio, broadcast television, cable, satellite TV), and their business models don't require making things suck for my internet connection in order to offer their services.
Evolution is actually not that bad at dealing with Exchange. For the rest of us, Thunderbird is just fine.
If that were true, all of my clients would be using Evolution or Thunderbird.
Here's the thing...almost all of the companies out there that are using Outlook are using it with Exchange as their mail server. When you do that for long enough, you become accustomed to a certain degree of seamless access to the things that Outlook and Exchange give you access to.
I wish that there was an interface (other than OWA) through which Evolution could connect to exchange mailboxes, public folders, calendars, task lists, journals, contacts, etc. Because Evolution can't do that the same way that Outlook can, users end up with a negative experience rather than a positive one.
Don't get me wrong...I like Evolution, and for my most basic needs, I'll just run dig to find the host your MX record points to and type out an SMTP conversation (haven't got a taste for Thunderbird yet), or use my gMail account. The people I do work for, however aren't interested in having apparent limitations imposed on them, so Evolution is not a good fit for their environment. They have valid concerns about usability.
It's not necessarily a problem with a good solution...at least not until we fill in the blank for the following:
Evolution:Outlook::???:Exchange
P.S. I know there are products that *almost* fit the bill
If they can't get to their mail because the web server's bogged down, they will definitely be upset about it.
The average user is not smart about why certain things don't seem to work well (slow bittorrent downloads, gnutella not working well, etc, etc). Theere's a real problem in the ways that applications have to be developed now vs. the way they would be able to be developed in an internet without NAT. Firewalls would still work as intended and stop undesired connections, but basic node-to-node connectivity wouldn't suffer as it does with NAT.
My comment about corporations was meant to illustrate the point that they don't *suffer* from the same problem, not that they don't face it. They have resources and people and know about site-to-site VPNs that get them past the problems that NAT causes otherwise. Firewalls solve the same problem as ever, but NAT causes problems with inter-site connectivity that have to be engineered around.
Your question sounds like a good "ask Slashdot", actually...I'd love to see that conversation played out.
You're absolutely right. How about this. We can just replace all of the routers currently in use with proxies. If you're arguing that they're equivalent, or something like that.
For other protocols, how are you going to convince the security manager in XYZ corporation to let your traffic through?
I'm not. Why would I? Most corporations don't suffer from the dearth of IP addresses that the rest of us do, and my goal is not to get around security that's in place on purpose. On other protocols, how am I going to let more than one machine inside my NATed network be a peer for an arbitrary protocol or port?
Anytime I'm at home and I want to set up anything, I'm limited to masq rules in my router/firewall or virtualhost directives on my web server (or using non-standard ports). Notice that all of those are work-arounds for dealing with not having enough addresses? We consider them necessary because we don't want to change something.
I'm not sure what you read that you felt was a personal attack, but I suppose I might have said something to justify that comment. If so, I apologize.
I'm not yelling "NAT IS DEAD"...it's not. I use it (I have no choice, really). What I'm trying to say is that there would be advantages to regular people if we transitioned to IPv6 (as well as confusion, heartache, overhauling, etc). Non-NATed IP addresses mean direct communication is possible, and that opens up a lot of possibilities in node-to-node communication that are not possible via NAT.
You keep bringing up the work-arounds that are already in place, and while I agree that they work all right for the way we use the net right now, making them go away could open the door to new ideas, new functionality, and a whole new experience for everyone.
Yes, it is quite easy with named virtual hosts and reverse proxies, and the usual NAT firewall.
...and then you give an example of something that demonstrates specifically that I cannot connect to those web servers...I have to connect to a proxy.
So, your answer is "no, you can't do that without a third machine as a go-between".
I'm not talking about removing firewalls...access control is a necessity in any network that's open to the public (I think I even mentioned having a firewall in what you responded to). What I'm talking about is the perversions that NAT forces us through.
Suppose we were talking about a different protocol...should we have no choice but to use proxies for any given protocol just because we want to connect to it on more than one machine in a given network?
Again...NAT solves the problems that ISPs have. It ensures that they can continue on without making significant changes, and lets their customers make outbound connections pretty easily, most of the time. It does so by removing the ability of any machine on a given network to be a peer simultaneously with other wanna-be peers if they're behind a NAT device.
NAT is an artful hack, and it has spawned many other artful hacks (virtualhosts, name-based and otherwise, being examples), but why would you want to make things complicated and restrictive when they can be simpler and open?
There comes a time when you're just arguing to argue. I know, believe me (been there, done that). Drop me a note when you've had your own moment of clarity.
No? Why not? Why can't you just get more IPv4 addresses so that I can connect to each of them?
The advent of NAT has solved the main problems that ISPs have had with giving their customers addresses to use for connecting to "content providers", but it has pretty much eliminated the original "every node is a peer" architecture of the internet.
Sure, if you're an ISP that works for you, but if you're some random guy that wants it to be easy to connect two (currently natted) devices together without involving a third device as a go-between, it's not such a good solution.
It's easy not to get it, just because we're all so used to having to do things the way we have been forced to. The epiphany comes when you realize how much more flexible the system is when NAT is not involved.
You realise that, because most distributions use modules, a clever hacker (who's already got root) can easily install a rootkit on your machine that cloaks itself, via good ol' insmod.
That says a lot, really, about the difference in playing said CD on Windows vs. Linux. A typical Linux user is *probably* not going to be in a situation where he opens a CD and a program automagically runs with root/admin permissions. True, cloaking and rootkits can happen on Linux, but it's a much harder job to do without doing something purposely evil, like using a known bug that has root elevation privileges (and even then, the Linux community itself would be highly likely to notice a commercially distributed rootkit).
It's getting hard to take, is all.
I think things are not so simple.
And then some...
While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.
That's not the issue, really.
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!)? Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at Sysinternals noticed it is inexcusable.
Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.
If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...
I'm off to go install SuSE on my desktop...cheers.
I bought and installed OS/2 on the same PC that I had Windows 3.11 running on, launched Program Manager, and minimized it.
Yeah, it's a pretty pitiful thing to feel triumphant about, but it made my two best (geek) friends grin when I demonstrated it to them.
If only there had been decent drivers for Trident video cards in OS/2...