I mean, it's running the Linux Kernel, so shouldn't it be Google Linux instead of ChromeOS?
For the same reason we don't call it GNU/Linux, despite RMS's complaints.
Unfortunately a tremendous amount of talent has also been lost to "social media" services and figuring out how to get people to look at "better" ads. Certainly we haven't completely stagnated but a huge amount of really bright people were wasted on this shit.
It's horribly sad when you think about it. An entire generation of engineers trying to get people to click on ads.
(That's a poor version of a quote I heard once that I'd love to attribute to the source, who I can't find at the moment)
Anyone know how to filter stories in Google Reader? If I have to read another story about Aaron fucking Swartz I'm going to vomit.
Too hard to trace the source. Most of it is hacked PBXs. We should just do what we always do to catch them, just follow the money.
No, because it's not many phones DISTRIBUTED, as in Distributed DoS (DDoS). It's just a piece of software that calls many times. It's not "distributed" in any sense of the word.
Just a platform for deploying and managing a big openstack installation. You could call it cluster management software I guess.
Connectivity to the server is cheap, and ubiquitous. It's called the Internet. The point of Chrome OS is to see if we can build a functional computer using only web based applications. And to be honest, we're getting pretty darn close, considering the majority of people spend all their time on their computers on facebook or youtube.
What web based application is 100x slower? I find pretty much every web based app I use is much faster than a compiled client version (gmail vs any email client) and you get the advantages of being able to access the application (and more importantly, information) from anywhere and any device.
Yeah I sure wish chrome was more open and "independent" (whatever that means).
You win red herring of the day! A vague fictional scenario where somehow the laptop isn't working correctly without any details. Are you a Microsoft astroturfer?
Ok, reality check: The vast majority of people use their computers where the Internet is accessible. That's just reality. People spend their time on youtube or facebook or emailing. That's the reality of modern day computer use. So for most people, the network coverage is already there. We don't live in an Apple commercial where we're all working from parks and the beach. Second of all, Photoshop users represent a tiny fraction of users. If no photoshop user ever bought a Chromebook it could still be WILDLY popular.
For you, that's great; it's not for you, you're still paranoid and scared of "the cloud". Not arguing with you at all on that one. But, for the general public, nothing else you mentioned is really a concern. People already store their data on these 3rd party services, it's why they're so popular. No one is going to discontinue the SSD in a chromebook either. Worst case scenario they stop releasing updates in a couple years and you buy a new laptop. So what? You would have probably replaced it anyway. Or just throw another OS on it if you want to keep it around.
Yeah that whole "internet" thing is just a fad. Web browsers are the new dumb terminals. Or maybe, technology continues to evolve forever and that doesn't make it wrong today? I buy a new laptop about every 2 years, pretty sure nothing google could do could make it stop working within that time period.
You're not the target market. If no final cut user ever bought a Chromebook they could still be wildly successful. We didn't need video editors to buy iPads for them to take off. You represent about 0.001% of the computer buying public. Seriously, stick to your Mac, that's what you should be using (obviously). These devices are not designed for you.
Compared to a $250 Samsung Chromebook? You think that's only $150 in hardware?
What kind of development? Personally, all I need for development is ssh and a web browser.
I don't need local storage I just need it to be fast. On linux I basically use a terminal and a browser. 32GB is WAY more than enough for me.
Why is over $300 "absurdly expensive" and under it not absurdly expensive? Seems really arbitrary. You can get an X520-T2 (dual port 10GBASE-T) for under $700.
But the simple answer is supply and demand. The only people who really need 10GbE (other than network carriers) are in the datacenter. Especially in highly virtualized workloads and extra especially when we're carrying storage and network traffic on the same 10GbE link(s). I guess you don't remember how insanely expensive 1GbE was when it first hit the market.
I don't believe this should be handled by the DNS software. We shouldn't have to add rate-limiting code into every individual service we run. It's easily implemented using a firewall. Even iptables (software firewall) supports rate limiting:
http://wiki.opennicproject.org/IPTablesRulesToBlockDDOSTraffic
http://falkhusemann.de/blog/2012/07/iptables-dns-query-limiting-with-burst-rate/
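The per-source rate limit with a burst allowance that the comment above hands to the firewall, modeled as a token bucket. This is an added example, not taken from the comment or the linked pages; the addresses, the 5 queries/second rate and the burst of 10 are constructed. Because replies go to the (possibly forged) source address, the per-source cap also bounds how much a resolver can be made to send toward any one victim.

```python
from collections import defaultdict


class SourceRateLimiter:
    """Allow `rate` queries/second per source IP, with bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate            # tokens added per second
        self.cap = burst * 1000     # bucket size, in milli-tokens
        self.state = {}             # src -> (milli_tokens, last_seen_ms)

    def allow(self, src, now_ms):
        # A source seen for the first time starts with a full bucket.
        tokens, last = self.state.get(src, (self.cap, now_ms))
        # `rate` tokens per second equals `rate` milli-tokens per millisecond,
        # so the refill stays in exact integer arithmetic.
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        ok = tokens >= 1000         # one query costs one whole token
        if ok:
            tokens -= 1000
        self.state[src] = (tokens, now_ms)
        return ok


def simulate(events, rate=5, burst=10):
    """events: iterable of (time_ms, source_ip). Returns per-source counts."""
    limiter = SourceRateLimiter(rate, burst)
    counts = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for now_ms, src in sorted(events):
        key = "accepted" if limiter.allow(src, now_ms) else "dropped"
        counts[src][key] += 1
    return dict(counts)


def constructed_traffic():
    """Ten seconds of constructed queries hitting UDP/53."""
    # An ordinary client: one query every 500 ms.
    client = [(t, "192.0.2.10") for t in range(0, 10_000, 500)]
    # A flood whose source field carries one address: one query every 5 ms.
    flood = [(t, "198.51.100.7") for t in range(0, 10_000, 5)]
    return client + flood


if __name__ == "__main__":
    for src, result in simulate(constructed_traffic()).items():
        print(src, result)
```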
If you read my later posts in this thread, you'll see that I agree that source address filtering should be our #1 concern.
With that said, there are ways to provide recursive DNS resolution to clients openly, but without being used as an attack vector. Specifically by rate limiting the requests.
The reason ISPs are allowing spoofed traffic is simply one of two things: ignorance or laziness. It's very easy to write an ACL that mirrors your BGP announcements then apply that as an outbound filter at your peering points. It's absolutely as trivial as it sounds. The Tier 1 carriers need to start de-peering anyone who's found to not filter traffic they're not announcing.
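The outbound filter described above (forward only packets whose source falls inside the prefixes you announce), as an added example that is not from the original comment. The prefixes and packets are constructed documentation addresses, and `build_egress_acl`, `permits` and `filter_outbound` are hypothetical helper names.

```python
import ipaddress


def build_egress_acl(announced):
    """Collapse announced prefixes into a minimal permit list."""
    nets = [ipaddress.ip_network(p) for p in announced]
    acl = []
    # collapse_addresses() rejects mixed IPv4/IPv6 input, so split by version.
    for version in (4, 6):
        acl += ipaddress.collapse_addresses(
            n for n in nets if n.version == version
        )
    return acl


def permits(acl, src):
    """True if the source address lies inside an announced prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in acl)


def filter_outbound(acl, packets):
    """Split (src, dst) pairs leaving the network into forwarded and dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permits(acl, src) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed stand-in for the prefixes this network announces over BGP.
ANNOUNCED = ["203.0.113.0/25", "203.0.113.128/25",
             "198.51.100.0/24", "2001:db8:100::/48"]

# Constructed outbound packets seen at the peering point.
PACKETS = [
    ("203.0.113.200", "192.0.2.53"),         # customer address: forwarded
    ("198.51.100.9", "192.0.2.53"),          # customer address: forwarded
    ("192.0.2.77", "192.0.2.53"),            # source not announced: dropped
    ("10.1.2.3", "192.0.2.53"),              # leaked RFC 1918 source: dropped
    ("2001:db8:100::5", "2001:db8:ffff::53"),  # announced v6: forwarded
    ("2001:db8:200::5", "2001:db8:ffff::53"),  # unannounced v6: dropped
]

if __name__ == "__main__":
    acl = build_egress_acl(ANNOUNCED)
    print("permit:", [str(n) for n in acl])
    print("dropped:", filter_outbound(acl, PACKETS)[1])
```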
Depends on the services you offered, I suppose. But not having redundant internet connectivity would be a problem. Also what business would want their data hosted at someone's house? Can you provide five 9's of uptime? Do you have 24x7 support?
Here in healthcare we'd love to be able to use more "cloud" services, where it makes sense. One of the main problems we have is a stated lack of HIPAA compliance. Also the ability to integrate these services. For example, how do I integrate my "cloud based" (read: web app) health information system with my web based office suite and do it securely?
You're compounding two things. One is providing RECURSIVE RESOLUTION to clients and the other is providing an AUTHORITATIVE NAMESERVICE for particular zones. I'll explain the two briefly:
1. Recursive resolver - this is a nameserver that you can ask to resolve any domain name and it'll do just that. If it isn't authoritative for it (meaning you RUN the zone and it's in a config file locally) it will go through the recursive resolution process for you. It will look at its root hints, talk to the root name servers, find the TLD zone, ask for the next nameserver to ask and on down the chain. This is "recursive resolution"; it's how clients find things on the internet. This is the dangerous thing and what you want to secure. You can do this in BIND for example by writing a bind ACL and only allowing recursion to clients you trust, typically the RFC 1918 address space (aka "private IP addresses").
2. Authoritative Nameserver - this is what you put on the internet if you want to run your own nameservice for your domains. This will only answer questions to clients about domains that it runs specifically. So if you own abc.com and a client asks about www.abc.com it will provide the answer. If you ask it to resolve google.com it will kindly tell you to fuck off (or possibly provide root hints, by an old convention).
http://falkhusemann.de/blog/2012/07/iptables-dns-query-limiting-with-burst-rate/
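The recursive/authoritative distinction from the numbered explanation above, as an added decision model (not BIND code and not from the original comment). It compares an authoritative-only server, a resolver whose recursion ACL is the RFC 1918 ranges, and an open resolver; the zone `abc.com` comes from the comment, while the client addresses and function names are constructed.

```python
import ipaddress


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANYONE = nets("0.0.0.0/0", "::/0")   # what an open resolver effectively allows


def matching_zone(qname, zones):
    """Longest locally served zone that qname falls under, label by label."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def handle_query(src, qname, zones=(), recursion_acl=()):
    """Return the action a server with this configuration takes."""
    zone = matching_zone(qname, {z.lower() for z in zones})
    if zone is not None:
        return "AUTHORITATIVE_ANSWER"   # data served from a local zone
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in recursion_acl):
        return "RECURSE"                # walk root -> TLD -> ... for the client
    return "REFUSED"                    # not our zone and client not trusted


def compare(src, qname):
    """Same query against the three configurations discussed above."""
    return {
        "authoritative_only": handle_query(src, qname, zones=["abc.com"]),
        "restricted_resolver": handle_query(src, qname, recursion_acl=RFC1918),
        "open_resolver": handle_query(src, qname, recursion_acl=ANYONE),
    }


if __name__ == "__main__":
    for src, qname in [("198.51.100.7", "google.com"),
                       ("192.168.1.20", "google.com"),
                       ("198.51.100.7", "www.abc.com")]:
        print(src, qname, compare(src, qname))
```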
Well, there's a couple million of them. It's really an uphill battle. For every one you shut down today another will pop up tomorrow. Plus this is just one attack vector. What we need to do is get ISPs to start filtering egress traffic and we can solve an entire range of these attacks by being able to track down the source.