It's late, and I'm feeling old and grumpy; please don't take anything I say personally.
I'd like to believe there was a simple and effective verification system that could be built into existing technology; but I just don't see it working in what I've read here.
The thought I had while writing this was to look more in the direction of an authentication-required 'public' VPN. Users could subscribe to one of (m)any Kerberos or equivalent authentication providers, which could sign tokens to allow access (routing) onto participating 'genuine traffic' networks. High- or guaranteed-uptime services could then 'simply' be hosted on such VPNs, with transparent access to anyone with an account with an associated authentication service. Will sleep on that idea, but I like the voluntary association and independent implementation possibilities.... and keep off the lawn;)
I'm not entirely sure that I'm following your proposal; are you saying that we should implement some Internet-wide hierarchy of traffic-control trust up to 'DNS root server' level, and allow the 'blackholing' of networks that don't adhere to it?
What if your ISP doesn't adhere to it (I can't get mine to add reverse lookup from the static IP block I've had for nearly 3 years to my own domain...), or their implementation is buggy? Or 30 users in your subnet get infected (or 'volunteer')? If your ISP doesn't catch it in time is it okay for their upstream(s) to revoke them?
How about if you have a/22 and private cable all across your town - who signs your key if you want to negotiate peering with the local telcos, who won't deal with you without it?
When does this information get looked up? By any (every?) edge or core router before a packet is allowed through? Just TCP SYN? Drop it or reject it?
Assuming this is an edge-router solution, what if the look up is done by a host that doesn't use their direct "superior"'s DNS servers? Or if there is no clear 'upstream' at the time the packet hits an edge router? Are you suggesting reverse-DNS lookup to get the source network name, then forward DNS lookup for the domain 'DDoS status' authority server, then a second forward request for this DDoS-participant status, any or all of which may have to fall all the way back to the root servers?
Or is this based on traversed routers; so we can start with a reflected 'trace route' and verify everything on the hops back to the source?
Revoking certificates via DNS is another time sink, since I understand that you're suggesting a server host their own 'DDoS safe' certificate and the public key they use to sign data (signed by their parent...?)
To revoke trust from a signature, it would have to be regularly (within 'response time for DDoS attack') validated by re-requesting the possibly available revocation certificate from the network's 'parent'. Since the parent may be the one that is compromised (and bogusly revoking certificates, for example, also thusly denying service to and from any 'subservient' networks), this would have to force an un-cached validation up to 'root' to be secure.
Revoking a signature means nothing if there is any way the un-revoked signature could be accessed for a meaningful amount of time in the context that it's used in. Since DNS is made for (and scales by) delegating responsibility to the lowest-possible authority, and aggressively caching without revalidation, I think you're looking in the wrong place for the answer to this solution.
Oh, also - DNS works largely over UDP; so would that be exempt from DDoS protection (read: vulnerable), or would every UDP packet (validation request...) also be subject to this validation?
I hope you've got a much better idea about this than I do, because when I was, err... discovering networks in my younger years, I found plenty of routes that: a) have no identifiable parent - they can be accessed from multiple networks, and route directly to multiple networks with no distinct hierarchy b) have no meaningful reverse DNS or whois records c) traverse networks with 'private' IP ranges internally d) seem to traverse multiple (sub-)networks with some externally-invisible encapsulation e) reset or otherwise tamper with TTLs f) plainly not forward entire protocols, port ranges, or other stuff at random, and expect (contract?) their peers to route around it Hrm, most of my discovery of these behaviours could probably have been detected as some kind of attack, should anyone have been monitoring for it. Perhaps I should have set the 'evil' bit...
Also, keeping in mind that many core networks must allow traffic from any (or at least, very very many) source to enter at any edge (as those networks are likely to have other peering arrangements as well), the bulk of traffic cannot be trusted to have been validated in-route; as 'children' may just use source address ranges from 'sibling' networks for their DDoS attacks.
But the concept is still flawed - implementing this would just create another way to take somebody offline by convincing their router, their ISP's router, etc. that they are participating in a DDoS, and let their own system do the work for you.
It's also assuming that the ISPs and carriers themselves care about the ethics of the traffic they carry at least as much as their customers do; which is plainly false in many cases.
The point is that there is no public, dynamic system yet conceived to implement such behaviour that would not be subject to some layer of 'trusted' input being misused.
I touch-type, and don't use caps lock at all; so I map it to a second ctrl key - this matches the layout of the PowerBook I first discovered Emacs on (purchased in Japan), so it's pretty hard-wired in my command reflexes.
There's a convenient enough way to do so on every OS I've used since I read about it somewhere and thought I'd give it a try. OS X (at least Leopard and Snow Leopard), Windows (at least XP and Vista), and Fedora 10 onwards.
The exception to this rule is that my last workplace would keep overwriting the setting, with the admin muttering something about "shouldn't be messing with the registry anyway" - so rather than try to explain, justify, and force the issue; I pried the key cap off. Not doing anything is better than doing the wrong thing, at least in this case.
Having a caps lock key is like having a bear trap on your desk, if you work in an office with the occasional bear.
Most of the time it sits there taking up space. But when you use it, it's the right tool for the job.
Probably just my lack of sleep, but I first read this as 'like having a beer tap on your desk' - possibly an even better analogy for your point;)
I'd just like to emphasise that boilerplate is used because it is language that has stood the test of the courts for explicitly defining the intent that is being expressed. Writing the same passage from scratch each time would be wasteful and legally dangerous.
I wasn't referring to your rhetorical 'Frenchian', 'Germanian', etc.
"French", "German" (and "Greenlandic", btw) - These words are plainly different to those used by citizens of the countries they refer to.
If it is okay for you to call somebody who refers to themselves as 'ein Deutscher' 'a German', why is it not okay for me to call somebody who calls themselves 'an American' 'an USian'?
Further, if my culture and dialect (Australian English) has an acceptance of 'American' as referring to the broader (continental) sense of the word; why can we not find and use another word that suits a need to refer to the specific 'U.S.-of' identity?
In more recent history, England and Australia (at least) have accepted the term 'yank' (i.e. Yankee) as pejorative for the same meaning; but I'm unaware of any formal (or even polite) term in modern usage.
If you (as a nation) have a suggestion that's more palatable than 'USian', and more succinct than '(citizen|resident) of the USA', feel free to interject it into common usage. We can pick it up, I swear.
Isn't the problem that it's played as a volume game? If they're only making 1c in the dollar back after tax, they're still making money on it - and should they turn a loss they'd instead have 99% of the risk subsidised by the taxpayer in the form of deductible capital losses. I'd be very surprised if any of the companies involved traded through just one tax file, so with the (in)appropriate book-keeping the net outcome of your system may just be to make it a tax dodge as well.
We non-USians do it just to piss of those (mostly USians) who think it's a retarded term. Thank you for giving us our reward.
I use it mostly as a benign distinction between the US, and Canada, Mexico, Cuba, Colombia, Brazil...
I use the name of their choosing when referring to them. That's only reasonable. Do you have to right to decide what citizens of another country should call themselves? I mean, should I call the French "Frenchians"? The Germans "Germanians"? How about "Greenies" for people from Greenland?
You're not bringing up good points in the defence of your stance with that one. While you're kind of close with French (Francais); the German for German is Deutscher, the Inuit and Dutch heritage of 'Greenland' certainly doesn't use 'Greenlander' (but my google-fu hasn't turned up a roman-alphabet approximation of it). And while we're at it, the Japanese for Japanese is (ni.hon-jin)
Locking somebody away for longer makes them less hateful when they are released?
I think this is the problem with your criminal system - the majority of public opinion seems to be focused on harsher punishment rather than more effective rehabilitation.
Somebody with no marketable skills or employment history goes to jail for burglary, gets out two years later with exactly the same skills and a worse attitude toward society, and the best people can think when she re-offends is that she wasn't in jail long enough?
Photonics to the rescue indeed; but I thought wave-synchronised light sources at this distance would be considered part of the lab-experiment grade equipment this was said to be doable without.
Not sure where I got 4x from; been years since I did RF theory (GSM was the big news at the time...), but 2.5x makes sense now.
Still, the more I think about it the more I'm impressed that it works at all at those speeds.
Different wavelengths follow different paths down the fibre and will arrive with different latency and distortion; so multiple wavelengths carry concurrent frames, rather than concurrent bits; but yeah, pretty much.
Also, no production DSP will pull phase information out of optical frequencies; to do so reliably requires a sample rate of at least 4x the frequency, so your 1530nm signal would need to be sampled and processed at around 800,000 GHz (yes, the best part of 1 PHz. Per-channel). Good luck with that.
You basically did nothing to support your statement about education. I could just as easily say education would be less productive and more inefficient using private schools. (This "efficiency" factor you're talking about: is it efficient in a purely profit-driven sense, or efficient for the public good?)
Profit is good for the public good. If someone who graduated from a private institution gets a job, that helps the public good because he is contributing something to society, which in turn helps the private institution because it gets them recognized and they got the money from that one person. On the other hand, a private institution detrimental to the public good by offering crap educational classes wouldn't be profitable because soon no one would enroll there.
I'm going to leave the civil points about labor movement, space programs, etc. aside for the moment; but your system is full of holes. No social security because people should just live on their investment income?
And the hundreds (if not thousands) of attendes from these schools in the meantime are supposed to do what? Live on their investment returns from thousands of dollars of student loan debt until they can somehow work their way through getting a better education someplace else over the course of the next decade? Rely on the generosity of abundant charities to pay for their re-education? Or just realize that they threw their life away by choosing the wrong school and try to find work sweeping the gutter along some private toll road...
At this point alone I'm going to err on the side of caution and assume you're just trolling; but if you're serious you need to take the silver spoon out and live in the Real World for a while.
"When they called and offered to remove my headlights, I only agreed because it was the only way I could use the petrol and tires I'd already installed; or any future petrol or tires I may need. Also, they'd stop letting me drive on the Interstate if I declined."
Except that the difference can be accurately modeled in software and corrected at the LCD pixel - the performance and effectiveness of the algorithms used for this process are a key difference in the resultant picture quality in the models currently available.
The brightside demo models apparently had excellent correction; and I imagine this is what a lot of the company's IP investment was based in.
Slashdot Mirror
He and the guy hiding in your closet with a machete, obviously.
Scimitar; but I can see how you'd think machete from looking in that window.
Mine won't burn hot enough to stay alight - is there a process (grinding?) I'm missing, or do I just need a bigger bundle?
It's late, and I'm feeling old and grumpy; please don't take anything I say personally.
I'd like to believe there was a simple and effective verification system that could be built into existing technology; but I just don't see it working in what I've read here.
The thought I had while writing this was to look more in the direction of an authentication-required 'public' VPN. Users could subscribe to one of (m)any Kerberos or equivalent authentication providers, which could sign tokens to allow access (routing) onto participating 'genuine traffic' networks. High- or guaranteed-uptime services could then 'simply' be hosted on such VPNs, with transparent access to anyone with an account with an associated authentication service. Will sleep on that idea, but I like the voluntary association and independent implementation possibilities. ... and keep off the lawn ;)
I'm not entirely sure that I'm following your proposal; are you saying that we should implement some Internet-wide hierarchy of traffic-control trust up to 'DNS root server' level, and allow the 'blackholing' of networks that don't adhere to it?
What if your ISP doesn't adhere to it (I can't get mine to add reverse lookup from the static IP block I've had for nearly 3 years to my own domain...), or their implementation is buggy? Or 30 users in your subnet get infected (or 'volunteer')? If your ISP doesn't catch it in time is it okay for their upstream(s) to revoke them?
How about if you have a /22 and private cable all across your town - who signs your key if you want to negotiate peering with the local telcos, who won't deal with you without it?
When does this information get looked up? By any (every?) edge or core router before a packet is allowed through? Just TCP SYN? Drop it or reject it?
Assuming this is an edge-router solution, what if the look up is done by a host that doesn't use their direct "superior"'s DNS servers? Or if there is no clear 'upstream' at the time the packet hits an edge router? Are you suggesting reverse-DNS lookup to get the source network name, then forward DNS lookup for the domain 'DDoS status' authority server, then a second forward request for this DDoS-participant status, any or all of which may have to fall all the way back to the root servers?
Or is this based on traversed routers; so we can start with a reflected 'trace route' and verify everything on the hops back to the source?
Revoking certificates via DNS is another time sink, since I understand that you're suggesting a server host their own 'DDoS safe' certificate and the public key they use to sign data (signed by their parent...?)
To revoke trust from a signature, it would have to be regularly (within 'response time for DDoS attack') validated by re-requesting the possibly available revocation certificate from the network's 'parent'. Since the parent may be the one that is compromised (and bogusly revoking certificates, for example, also thusly denying service to and from any 'subservient' networks), this would have to force an un-cached validation up to 'root' to be secure.
Revoking a signature means nothing if there is any way the un-revoked signature could be accessed for a meaningful amount of time in the context that it's used in. Since DNS is made for (and scales by) delegating responsibility to the lowest-possible authority, and aggressively caching without revalidation, I think you're looking in the wrong place for the answer to this solution.
Oh, also - DNS works largely over UDP; so would that be exempt from DDoS protection (read: vulnerable), or would every UDP packet (validation request...) also be subject to this validation?
I hope you've got a much better idea about this than I do, because when I was, err... discovering networks in my younger years, I found plenty of routes that:
a) have no identifiable parent - they can be accessed from multiple networks, and route directly to multiple networks with no distinct hierarchy
b) have no meaningful reverse DNS or whois records
c) traverse networks with 'private' IP ranges internally
d) seem to traverse multiple (sub-)networks with some externally-invisible encapsulation
e) reset or otherwise tamper with TTLs
f) plainly not forward entire protocols, port ranges, or other stuff at random, and expect (contract?) their peers to route around it
Hrm, most of my discovery of these behaviours could probably have been detected as some kind of attack, should anyone have been monitoring for it. Perhaps I should have set the 'evil' bit...
Also, keeping in mind that many core networks must allow traffic from any (or at least, very very many) source to enter at any edge (as those networks are likely to have other peering arrangements as well), the bulk of traffic cannot be trusted to have been validated in-route; as 'children' may just use source address ranges from 'sibling' networks for their DDoS attacks.
But the concept is still flawed - implementing this would just create another way to take somebody offline by convincing their router, their ISP's router, etc. that they are participating in a DDoS, and let their own system do the work for you.
It's also assuming that the ISPs and carriers themselves care about the ethics of the traffic they carry at least as much as their customers do; which is plainly false in many cases.
The point is that there is no public, dynamic system yet conceived to implement such behaviour that would not be subject to some layer of 'trusted' input being misused.
I touch-type, and don't use caps lock at all; so I map it to a second ctrl key - this matches the layout of the PowerBook I first discovered Emacs on (purchased in Japan), so it's pretty hard-wired in my command reflexes.
There's a convenient enough way to do so on every OS I've used since I read about it somewhere and thought I'd give it a try. OS X (at least Leopard and Snow Leopard), Windows (at least XP and Vista), and Fedora 10 onwards.
The exception to this rule is that my last workplace would keep overwriting the setting, with the admin muttering something about "shouldn't be messing with the registry anyway" - so rather than try to explain, justify, and force the issue; I pried the key cap off. Not doing anything is better than doing the wrong thing, at least in this case.
Having a caps lock key is like having a bear trap on your desk, if you work in an office with the occasional bear.
Most of the time it sits there taking up space. But when you use it, it's the right tool for the job.
Probably just my lack of sleep, but I first read this as 'like having a beer tap on your desk' - possibly an even better analogy for your point ;)
I'd just like to emphasise that boilerplate is used because it is language that has stood the test of the courts for explicitly defining the intent that is being expressed. Writing the same passage from scratch each time would be wasteful and legally dangerous.
I wasn't referring to your rhetorical 'Frenchian', 'Germanian', etc.
"French", "German" (and "Greenlandic", btw) - These words are plainly different to those used by citizens of the countries they refer to.
If it is okay for you to call somebody who refers to themselves as 'ein Deutscher' 'a German', why is it not okay for me to call somebody who calls themselves 'an American' 'an USian'?
Further, if my culture and dialect (Australian English) has an acceptance of 'American' as referring to the broader (continental) sense of the word; why can we not find and use another word that suits a need to refer to the specific 'U.S.-of' identity?
In more recent history, England and Australia (at least) have accepted the term 'yank' (i.e. Yankee) as pejorative for the same meaning; but I'm unaware of any formal (or even polite) term in modern usage.
If you (as a nation) have a suggestion that's more palatable than 'USian', and more succinct than '(citizen|resident) of the USA', feel free to interject it into common usage. We can pick it up, I swear.
Isn't the problem that it's played as a volume game? If they're only making 1c in the dollar back after tax, they're still making money on it - and should they turn a loss they'd instead have 99% of the risk subsidised by the taxpayer in the form of deductible capital losses. I'd be very surprised if any of the companies involved traded through just one tax file, so with the (in)appropriate book-keeping the net outcome of your system may just be to make it a tax dodge as well.
Stop using the retarded term "USian".
We non-USians do it just to piss of those (mostly USians) who think it's a retarded term. Thank you for giving us our reward.
I use it mostly as a benign distinction between the US, and Canada, Mexico, Cuba, Colombia, Brazil...
I use the name of their choosing when referring to them. That's only reasonable. Do you have to right to decide what citizens of another country should call themselves? I mean, should I call the French "Frenchians"? The Germans "Germanians"? How about "Greenies" for people from Greenland?
You're not bringing up good points in the defence of your stance with that one. While you're kind of close with French (Francais); the German for German is Deutscher, the Inuit and Dutch heritage of 'Greenland' certainly doesn't use 'Greenlander' (but my google-fu hasn't turned up a roman-alphabet approximation of it). And while we're at it, the Japanese for Japanese is (ni.hon-jin)
Locking somebody away for longer makes them less hateful when they are released?
I think this is the problem with your criminal system - the majority of public opinion seems to be focused on harsher punishment rather than more effective rehabilitation.
Somebody with no marketable skills or employment history goes to jail for burglary, gets out two years later with exactly the same skills and a worse attitude toward society, and the best people can think when she re-offends is that she wasn't in jail long enough?
Food for thought: http://en.wikipedia.org/wiki/Incarceration_in_the_United_States states that the US has nearly 25% of the *worlds* prison population.
Aww, sounds like the network guys are getting all the cool equipment these days.
Just imagine all the chicks you could get with a wave coherent oscillator...
Photonics to the rescue indeed; but I thought wave-synchronised light sources at this distance would be considered part of the lab-experiment grade equipment this was said to be doable without.
Not sure where I got 4x from; been years since I did RF theory (GSM was the big news at the time...), but 2.5x makes sense now.
Still, the more I think about it the more I'm impressed that it works at all at those speeds.
Different wavelengths follow different paths down the fibre and will arrive with different latency and distortion; so multiple wavelengths carry concurrent frames, rather than concurrent bits; but yeah, pretty much.
Also, no production DSP will pull phase information out of optical frequencies; to do so reliably requires a sample rate of at least 4x the frequency, so your 1530nm signal would need to be sampled and processed at around 800,000 GHz (yes, the best part of 1 PHz. Per-channel). Good luck with that.
Coming This Summer: iPhone 5!
With all-new criticism-sensing technology and an explosive charge to silence the un-enlightened.
<spoiler>The defect is that they can develop a crack going RIGHT DOWN THE MIDDLE!</spoiler>
You basically did nothing to support your statement about education. I could just as easily say education would be less productive and more inefficient using private schools. (This "efficiency" factor you're talking about: is it efficient in a purely profit-driven sense, or efficient for the public good?)
Profit is good for the public good. If someone who graduated from a private institution gets a job, that helps the public good because he is contributing something to society, which in turn helps the private institution because it gets them recognized and they got the money from that one person. On the other hand, a private institution detrimental to the public good by offering crap educational classes wouldn't be profitable because soon no one would enroll there.
I'm going to leave the civil points about labor movement, space programs, etc. aside for the moment; but your system is full of holes. No social security because people should just live on their investment income?
And the hundreds (if not thousands) of attendes from these schools in the meantime are supposed to do what? Live on their investment returns from thousands of dollars of student loan debt until they can somehow work their way through getting a better education someplace else over the course of the next decade? Rely on the generosity of abundant charities to pay for their re-education? Or just realize that they threw their life away by choosing the wrong school and try to find work sweeping the gutter along some private toll road...
At this point alone I'm going to err on the side of caution and assume you're just trolling; but if you're serious you need to take the silver spoon out and live in the Real World for a while.
Actually, it's more like:
"When they called and offered to remove my headlights, I only agreed because it was the only way I could use the petrol and tires I'd already installed; or any future petrol or tires I may need. Also, they'd stop letting me drive on the Interstate if I declined."
I was about to RTFA; but got to the word "Antennagate" and closed the tab out of disgust.
It's a limit, not a challenge.
Sure, but what use is telling you the time, position, and direction of something interesting and/or aesthetic?
Marijuana is harmless? Are you high?
Except that the difference can be accurately modeled in software and corrected at the LCD pixel - the performance and effectiveness of the algorithms used for this process are a key difference in the resultant picture quality in the models currently available.
The brightside demo models apparently had excellent correction; and I imagine this is what a lot of the company's IP investment was based in.
Actually, by using base 2, I can count to 31 on each hand, or 1023 using both.
So, 4.
The assertion was that only things that fit in your pocket converge
iPad gen 2: now with 4" blade and screwdriver?