Your eyes learn to relax, instead of straining. My body retains multiple context profiles for everything, so my vision without glasses isn't any worse; but I do notice my eyes straining without them, whereas they're very relaxed (and vision is greatly improved) with them.
I'm glad my optometrist is experienced and not stupid. He recommended I not use glasses just yet, as I can get by without them; I told him I'm most interested in whether there's a quality-of-life improvement. There is: I can see things just fine without glasses due to my visual system reassembling the multitude of images it receives (I get two images in each eye, divergent based on distance, due to misshapen eyes); but the glasses make things... so... so real, and clear, and crisp. Instead of knowing what this blurry blob is and thus not noticing it's blurry, everything is actually crisp in my view.
My optometrist gave me a partial prescription, which means I'll need to upgrade later. That means buying two sets of $380 glasses (I decked out the options: anti-reflective, transition to polarized, polycarbonate lenses, the works) in a year; but it also means my visual system will adjust smoothly. Inexperienced optometrists will toss you a +2.25 or +5.0 right off, and then look confused when you tell them you haven't been wearing them; experienced optometrists will gradually migrate you onto a higher prescription so you don't get headaches, eye strain, and the like.
For me, this is not a problem: I'll donate my lenses (this is useful), and probably move to contact lenses (glasses have proven to be a suboptimal solution to this problem). Contact lens fitting is traumatic, but oh well; I hate having to clean these every 20 minutes. They gather dust and oils and such from my eyelashes or something.
My single trouble with my optometrist is a matter of goals: he's experienced enough to estimate the best average case; but I'm a special type of outlier, and try to make theoretically optimal decisions based on balanced constraints. My vision is distorted; I must correct this, and therefor I must take all reasonable steps to maximize the quality of my vision. Additional costs and up-front effort aren't a problem; but I require a more complete understanding of my options and relevant concerns, and may wind up bouncing through various attempts (e.g. getting glasses, and then immediately wanting contacts instead). In the end, I will invest a small sum to determine the absolute best course of action, and make any adjustments as necessary (contacts need to be re-prescribed every year, so I'll have adequate information for this).
Most people want to be handed a solution. I want to determine the best solution.
I decided LASIK is sub-optimal due to high risk of complications. If you get the wrong strength contacts or glasses, you change them; if you get LASIK and your eyes get worse, you can't re-LASIK them. You're burning off part of the cornea, which means you get one shot; and it's minimally possible that heat stress will damage your cornea, which is an non-mitigatable risk, and will destroy your vision permanently.
My final solution is probably going to be contact lenses. I have found glasses sub-optimal, and I can control the risk of contact lenses much more reliably than I can control the risk of LASIK. The severity of contact lens complication is lower: most issues can be caught before they're a problem (ill-fitted lenses will irritate you before causing damage), and the ones more likely to be caught late are just stuff like growing blood vessels in the eyes because you got low-permeability lenses and didn't take them out at night like the instructions say (this is purely cosmetic). That last one can be mitigated with silicone soft lenses (30 days without removal is safe).
When given something that almost never happens, can't be detected until it's happened, and destroys viability, I look for other viable solutions with risks I can control and accept. LASIK is not unreasonable, and it's perfectly reasonable for you to get it and not worry about any complications, because they're dismally unlikely; but it is outside my risk tolerance, because those complications are of high severity and impossible to detect beforehand.
With proper, prescription lenses, the lenses are designed to accommodate your eyes. That means you may have a +0 (non-corrective) and a +0.25 or a +1.75 and +1.25. Interpupiary distance is also important: poorly-centered lenses are the cause of painful headaches. All in all, prescription lenses, even prescription reading glasses, are vastly superior to off-the-shelf bifocals.
I got transition lenses in a single-focus design, and I hate them. They're fantastic, except when they get dirty every 5 minutes, get a burrito shoved into them (they're further from my face than my eyes are), or cause my eyes to water. I plan to have contact lenses fitted; this will be more annoying at first, but will have the incredible advantage of being cleaned every 11 seconds, as well as providing a larger field of view. Silicone soft lenses transmit enough oxygen to safely use them for 30 days straight, rather than removing them at night time; I can elect to remove them at night if desired, but I'll still minimize the risk of complications by providing oxygen permeability similar to not having lenses.
Optometry is hard. Some of us are decisionary maximizers, so it's hard even being the patient!
Most people don't understand lock contention, or lockless code. That's why Dragonfly BSD is ignored, yet is so far ahead: every time someone sees a new problem with parallel computing, with semaphore contention, with threading models, DragonflyBSD is there with a fix from 10 years ago, DragonflyBSD wanted fast semaphores, lockless schedulers, threading models designed to handle running thousands of threads on hundreds of cores, and so on; this was seen, in the early 21st century, as a useless waste of time and a source of complexity; DFBSD is a fork of FreeBSD because the FreeBSD devs wouldn't let the DFBSD guy just do it in FBSD.
It's one of those things. I expect a long, arduous path to catch up to DragonflyBSD, to Minix, and so on, in the same way that we spent so much time catching up to XFS (ext4 spent years trying to reach feature and performance parity with XFS; it now even has on-the-fly inode allocation as an option). There's always some laughable side project somewhere claiming it will change the world, and there's always a point in the future where everyone else starts imitating that project. Whenever I see something big and long-running like this, I recognize it as some other thing; when people start doing multi-version Linux, I will immediately start talking about NixOS (which I think is implemented like crap, but has the right idea).
So what you're saying is that with Linux I have to do something deliberately stupid
Well, on Windows, you have to run an external program, install an extension, or use a Web browser or e-mail client with a security hole. For example, Firefox and Chrome have had dozens of bugs over the past 6 months which allowed for the automatic background downloading and executing of programs without informing the user, or which would execute some data (images, java script variables) as code (which could then download a program and run it).
On Linux, the same has been true. If you haven't run apt-get update/upgrade for a while, you may have picked up a shell script sitting in your $HOME and injected into your ~/.bashrc, or possibly a Gnome start-up application, or a Firefox or Chrome extension in your profile directory. This could happen without your knowledge.
Often, these bugs are exploited in the wild by hacked ad networks or odd attachments on forum posts. It may be impossible to defend against them, sometimes. Apple has this problem with people exploiting Safari well before Apple knows it's exploitable, which has been used for the famous Carpet Bomb attack (which was capable of putting an icon on the desktop that claimed to be Safari, but ran a malicious program that installed a trojan and then ran Safari so as to do what the user expected).
It's not the open ports; we're all behind NAT, and don't have public IPs to hack. I can open all kinds of shit on my machine safely. I don't need to run a firewall on Windows, and can turn on all services, with no authentication: nobody can actually connect to my machine from the Internet. It's the client software that's the problem. It's the buggy Web browsers, e-mail clients, instant messenger software, and so on.
Yawn, reductio ad absurdum is extremely unimpressive.
It was a blunt analogy; considering a DDOS similar to a fiber line cut is patently absurd. One of them is an infrastructure problem, such as the dry rotting of a support timber; the other is an adversarial problem, such as a mob stationed outside your house with siege engines (you know, catapults, ballistas, gunpowder barrels).
Really now? How can that be possible when nobody else can function without a broadcast address at a minimum.
The broadcast address is the highest address in a subnet. For 200.100.100.0/24, the broadcast address would be 200.100.100.255. Maybe you should learn about networking.
You attempted to first claim that a client would have a delay in connecting so HA was impossible.
Yes, I covered all considerations, rather than just one.
In your world it seems impossible for 2 or more addresses to exist on a single host, and for a CNAME point to one of these addresses.
First off, it doesn't help. Second, your claims included that I can't migrate a subnet between providers. Third, I've repeatedly pointed out that having an attack come to any address on the subnet clogs that entire subnet.
I haven't claimed that you can't have 2 or more addresses on a single host, or point a CNAME to either. I claimed that it doesn't help. I have covered that: 1) when I fail over the subnet to a different line, the DDoS will follow it; 2) DNS takes time to propagate, and so changing DNS isn't a solution in any case; 3) if I change the IP address to a different subnet, the C&C can detect the change and instruct the botnet to retarget to the new IP address. I've done this many times.
You said that handling attacks was impossible
You assert that a host can magically filter DDoS and keep legit traffic by some mechanism. I assert that the way to handle the DDoS is to have the target IP NULL routed, which takes the host entirely off the network. You cannot defend against DDoS: you can only withdraw the target and concede.
Your imaginary scenario of having a single access point is still wrong
I'm working, again, in a multiple access point scenario. You claim that scenario is impossible: you claim I can't fail-over subnets to alternate providers--a task that takes about 1 minute. Fail-over works by our primary provider ceasing to hold ownership of the subnet, while the secondary provider advertises the route. This causes a propagation of routing table updates over the Internet backbone, which makes packets addressed to our subnet follow the path to our new link. It's not even a phone call; we have online UIs at each provider to make them assume ownership of the route.
You did make the claim that this simple routing update is so ungodly complex that nobody does it, anywhere, ever.
No, it's not the same but the reaction a company should have is similar because the result of the attack is almost exactly the same.
Choking on a hotdog is almost exactly the same as an angry biker wrapping a half-inch steel chain around your neck and choking you to death. The reaction should be similar.
The only way this would be true is if I had the same IP space on the two carriers, and we don't. In fact the amount of work to move IPs between carriers means that nobody does.
Uh. When our/23 fails on Verizon, Comcast takes up the link. We even have multi-path, so we can send out stuff from the same IP on Comcast OR Verizon at any time; return packets always route down whichever link is active. We have exactly one/23 address space.
Last month, Comcast managed to lose a fiber line. That line was rerouted through our Comcast link. Packets routed to the same IP addresses came down it.
Notice that you completely ignore the question and go off on a tangent back to your same "I only have 1 IP for access" bullshit answer.
We have 510 IP addresses for access. They're on a/23 routed subnet. DDoS any one of those and the rest go down. Do you know why that happens? It has to do with how routing works: a routed subnet, at its last leg, goes across one link (one cable or multiple cables bound together as one link). When you send anything to that subnet, it eventually hits that link. If you flood that link, the whole subnet is blocked off.
Straw man argument, I never said that there was an instant fix to a DDoS.
You started talking about DNS, remember?
Clients generally don't use the IP address, they use the host name for access.
This is saying, "Oh, you just go change the DNS entry for the host under attack, and the packets go nowhere." Yeah, no. DDoS attacks generally don't use the host name; they use the IP address for access.
Given that you can not consider a world without your invalid premise that everything must live on a single static IP address
My premise is that routing works the way it does in the real world, and that attacking a single IP address in a subnet takes down the whole subnet. That's how it works. My premise is also that changing the link used to route your subnet (e.g. from Verizon to Comcast) will bring all traffic--including attack traffic. You function in this imaginary world where you just switch over all your services and somehow evade shitloads of legitimate-like traffic behaving exactly like legitimate traffic, without taking out your legitimate traffic as well; that doesn't work.
I handle these things in the real world. I've handled 14 DDoS attacks this year. I know how our links are built, I know how our links fail over, I know how routing works from routing protocols right down to the way frames are forwarded across the wire. I know, physically, how DDoS attacks work--what links are lighting up, how the packets are formed, and how the routers decide where to forward them. I know how they comingle with legitimate traffic, and how they crowd it out.
I know god damn everything.
You're floundering around with inspecific and blatantly wrong comments. You don't even understand what DNS does, what it's for, or how IP and hostnames work--otherwise you wouldn't yammer on about how clients access by hostname and not IP. You don't seem to understand how useless DDoS against a DNS server is, either (since every client uses their ISP's local DNS server, which has your server's data cached anyway).
Seriously, what kinds of systems do you architect? Because they're obviously not network systems. Do you mean "System Engineer" as in "guy who builds Web servers"?
Otherwise, if you can answer the question I proposed regarding a
The bold and emphasis tags haven't worked for me in 4 years.
If you have a mail server on the Internet and your line is from Level3 what do you do if your line gets cut?
A line getting cut is not a DDOS. A DDOS is when you open a web browser, go to the page, and hit REFRESH 40 times a second. On 80,000 computers. At the same time. For 2 hours.
A DDoS attack is similar, except that you need to figure out what the target is so that you can start rerouting everything else and filter unwanted content (or non-critical content)
Wrong. DDOS you black hole the server: you shut it off by having the backbone of the Internet route your shit elsewhere. That means your upstream ISP has to insert a static route into their routers--their equipment, not yours.
Not hosting your own DNS is a cost issue, not an impossible task.
You don't fix DDOS by DNS. www.Slashdot.org here is 216.34.181.48, and the plain slashdot.org is.45; if I fire a DDOS at either of those IP addresses, they both go down (it's the same subnet, thus routed to the same link). If you change the slashdot.org DNS, the packets keep coming down that link anyway.
If our Level3 access route gets DDoS'd, we start routing everything over to AT&T or Qwest, or Sprint, or what ever carrier we need to use.
If you fail over the link from Verizon to Comcast, the packets start coming down Comcast immediately. Think about it: when you fail over the link, you are rerouting packets going to those addresses. Well, DDoS packets are going to those addresses. They're not addressed to a link (they can't be), but to an IP address. They flood your active line, always; you can't prevent that.
Clients generally don't use the IP address, they use the host name for access.
Clients generally cache the IP address for a little bit; but that's irrelevant. A DDoS attack, in particular, is ineffective if you run a DNS look-up between each packet: there would be a wide delay between packets (it takes anywhere from 20 to 500mS to run a DNS look-up; meanwhile, you're trying to send over 2000 packets per second from one node, i.e. one per 1/2 mS). Instead, you pull the IP at the beginning of the attack, and then you start shoving packets at that IP. 800 trillion packets to 216.34.181.45, one DNS look-up.
Again, you are trying to claim that you must hedge all of your bets on a single access point which is absolutely false.
I'm claiming that packets going to a route will affect all routes on that link; and that failing over that link to a different link will route all packets going to that route to the new link. If you are attacking a node on that route, failing over the link will move the attack to the new link. You can't block the attack downstream; it has to be blocked upstream, because the attack is flooding the link, and your firewall or router receives packets *after* they've traversed the link you're trying to defend. Only your upstream ISP can respond to a DDoS in any effective way.
The only "financial decision" you can make regarding this is the decision to buy a different physical line to your building for each individual public service you run. Possibly multiple physical lines for a service, e.g. two lines for a HA web cluster. That means you would pay $500/mo for Verizon 250Mbit/s to your Web server, $500/mo for another Verizon 250Mbit/s line run over a separate cable to your second Web server, $500/mo more for another 250Mbit/s fiber line run to your e-mail server, etc.
You clearly have no idea what you're talking about. This became clear the moment you started treating packet attacks like infrastructure attacks. "Oh, if they cut the link, I'll just use another link." Yeah, no. This isn't that somebody bombed the road to the bunker, so you take a different road; people are dropping bombs on YOU, and whatever road you drive down will have bombs dropped all over it trying to hit your Jeep.
If a Level3 line is getting hit with a DDoS you reroute traffic to the AT&T line
72.133.15.2, which is on your assigned 72.133.15.0/24 block, is being hit by gigabits of traffic per second. That means everything else on the 72.133.15.0/24 block is affected.
To reroute, you have to call your ISP and failover your incoming route. It comes off the Level 3 line, and onto your AT&T line.
Now your AT&T line is being hit by gigabits of traffic per second, as the traffic is still going to 72.133.15.2, which is routed to the 72.133.15.0/24 subnet.
I'm not talking about fiber traffic; I'm talking about ROUTING A TON OF TRAFFIC TO AN IP ADDRESS. When you move the line that the IP address is on, ALL THE TRAFFIC GOES TO THE NEW LINE. IP addresses are routed to by subnets, which means THE WHOLE SUBNET FOLLOWS THE ROUTE CHANGE, and so the traffic and all affected addresses follow the route change. Your Web, E-mail, FTP, and VPN servers are all affected by this DDOS? Well, when you swap over to your AT&T line, your Web, E-mail, FTP, and VPN servers all go there, and so does the DDOS traffic!
You can change lines when somebody physically digs up and cuts a fiber line. That works. It works when Verizon fucks up and Qwest is working. When bombs are being brought down Green street to your house, blocking off Green street and making the bombers carry them down Violet street to THE SAME HOUSE doesn't stop your house from getting blown up.
Communism is a perfect system, but requires more information than is physically possible to obtain. We have a lot of these types of systems in physics, economics, programming, chemistry, psychology, and so on; they're used to model small-scale effects and search for risks or viable plans, rather than to implement large systems, because it's always impossible to get enough information to implement and maintain a large, theoretically-perfect system.
No shit communism is bad for life. It only works when you can accurately predict every single individual human being's wants, needs, and thoughts, forever. Why do you think I use market models to predict behaviors and develop social and economic policy? High-level models account for these things, largely by providing less concrete goals such as "the market will fix X as long as fixing X in an acceptable way is more profitable than addressing X in any other way, including ignoring it or fixing it in an unacceptable way". The large mistake most hard-nose capitalists make is assuming the market will automatically address X in the most optimal way for all stakeholders in all cases, which is unsurprising when you consider that communists's answer for everything is they simply know everything.
If I got you to install a Chromium extension that started when you log into your desktop (KDE, Unity, Gnome, whatnot), I could have you install an extension which runs in the background (like Google Hangouts) and simply pings the shit out of things I tell it to.
In other words: if I can get you to download and run a program on Linux, as a regular user, with no root privileges and no write access outside $HOME, I can turn your machine into a DDOS node in a botnet.
The problem we have on Windows is users downloading stupid shit from the Internet, such as Slashdot's ads constantly sending me to install some kind of codec to watch a video or to a fake Firefox update site. I even got caught by BlueStacks, as I had no idea wtf I was doing and typed "BlueStacks" into Google, and the first result falsely claimed to be the BlueStacks home page (it was a sponsored result!) and packaged 5 pieces of software--TWO of which were malware (one hijacked Firefox by installing some RocketTab extension, which sent everything I did through a proxy)--with BlueStacks.
Any software can install a start-up option in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Any string entry there is run on start-up for that user. The hive for this is stored in the user's directory (usually C:\Users\$USER\). This is where e.g. Yahoo Messenger puts itself when you install it (if you install it as Administrator, it puts itself in HKLM under the same key, so it starts on log-in for ANY user). Such software can make a connection to a Web site (just like a Web browser), obtain instructions, and then do whatever (e.g. make thousands of connections per second to some IP address, just like a Web browser or FTP client or AOL Instant Messenger).
Writing to C:\Windows isn't required any more than writing to/usr/bin is required. You can hijack someone's computer without administrative rights.
The bottleneck is the 1Gbit link that's carrying 1Gbit of DDoS traffic to your border router, which is evaluating it and dropping it all. Dropping that traffic doesn't free up additional bandwidth to carry legitimate traffic; you'd have to block the traffic further upstream.
I work at a broadcast company. I have worked for the Government. I have worked for a Government contractor.
In all of these cases, Verizon or Comcast or Qwest run a cable to your site. You plug in your router, your firewall, demarc equipment. A packet sent to your network comes to that before you can do anything; you can't get on the backbone of the Internet and block it.
For businesses who do not control the Internet backbone, 1000Mbit/s coming down their 1Gbit/s pipe means they can no longer receive client requests. If they block traffic coming from DDoS sources (static or dynamic detection, but assume correctly blocking only DDoS packets--impossible best case), they will still have traffic coming to their firewall, being evaluated, and being dropped. There won't be room for traffic to come from other sources: a site receiving 5000 connections per second at 20k/s per connection requires 100Mbit/s, but has more than that in DDoS packets trying to force it's way down the pipe, and so will receive few legitimate packets. The packets it does receive will be delayed (this is why you receive few legitimate packets: they start queueing, infinitely, and then get dropped off the end).
To stop this, you must have some upstream router (controlled by your ISP) block those packets before they propagate down your link. For DDoS from infected computers, this means your ISP must be able to reliably detect DDoS packets and differentiate them from normal traffic. If you have an on-going short list (50, 100 nodes), you may be able to provide a temporary NULL route. More than likely, you will have one particular server under attack, with a specific public IP, and so will have to have your ISP NULL route YOUR server (take it down entirely) so that your OTHER services stay up.
Our DDoS attacks on our CDN are allieviated automatically by NULL-routing our servers: the server's IP address is sent to the upstream ISP, which drops all packets going to that server. That server has its cable cut from the Internet for a few hours, and becomes non-functional; attacking another server would result in the same, until there is nothing left of our network. Blocking by firewall on the network not only fails to allieviate the problem, but also causes the DDOS traffic to affect all other servers connected to the Internet from that link.
Yeah, there you go. "Microsoft should make a secure operating system." You don't understand the problem.
To mitigate DDoS as you say, at the OS level, we would need to make the OS only run software that the Great Benevolent Dictator allows. Microsoft could publish a list of software Microsoft has decided you can install, and you can install only those softwares. Mind you, if the softwares have any security holes, it's still possible to hack in and use the node as a DDOS source.
Think about it. No installing Cygwin. No downloading open source games. No Indie games, unless the Indie developers pay Microsoft to let their games run on their platform. Steam? Uh, no, no software that runs arbitrary code. Java? Java is dead. No scripting languages.
What business do you work in? I bet it isn't important. Hospice, I bet. Some hackers disrupted your hospice, and the old people's heating went out, and they all froze to death. Well, who fucking cares? They're just old people; the sun went up that morning AND went down that evening, and only a bunch of old people who were in hospice to die anyway died.
It's business. There are businesses. They make money, and they loose money. YOU are unimportant; yet the police would arrest me for raping and beating and robbing you, even if you didn't die or get HIV. Why? Why should anyone care? The sun went up that morning AND went down that evening, right? You're less important than some gaming services, which millions of people notice when they go offline.
Google made or acquired Gmail, GTalk/Hangouts, Plus, Picasa, Youtube, Docs, an OAuth thing, Chrome, Android, Glass, driverless cars, and so on. Lots of Google products have failed; lots have succeeded.
Google makes things which give them options for monetization, licensing, or new things. The Google car, Google glass, they get Google press and create markets (Google Glass basically created the wearables market; smart watches took over after that, rather than smart glasses). Future potential is there, but so is cross-potential: Google Glass and Android smart watches both share similar characteristics, so many of the same problems solved for one apply to the other. Google's self-driving car might see upgrades and porting into GM and Tesla offerings. It could happen.
By and large, the most important impact of Google's constant experimentation is the sweeping domination of a multitude of markets. Android brought hundreds of millions of users to Google and GMail, ripe for serving ads through that little bar at the top of Gmail. Hangouts brings people to Gmail. Plus was a flop, but is still tangentially used: Google Pictures is Google Plus, and Google Plus is tied into Picasa. People use Picasa. People use Google Docs and Google Drive.
All of these things are things that stuck. Google Drive now sells storage space; sharing links to Google Drive attracts people to Google services. Chrome attracts people to Chromebooks, which attracts them to Google Drive, Gmail, and so on. Failed products could have been these things, but weren't; successful products could have been failed products, but were attempted anyway, and didn't fail.
That's what Google does: they make shit, and see what sticks.
I'm sure this thing called a Cultural Revolution at that exact same time had absolutely nothing to do with it. Or a communist government that mistakenly eradicated beneficial sparrows as a pest a decade prior (Google Four Pest Campaign).
I brought up China due to a previous argument with somebody over whether China's traditional diet was "very healthy" due to not containing much meat (98% grains and vegetables, bits of meat for flavoring). China had a major revolution, alright: in the late 1970s, they drastically increased their meat consumption. This has been cited in studies on diet because the drastic boost in China's lifespan occurred during a period where the only thing that changed was diet: China's cultural revolution occurred a decade away from their major health gains, which coincided with their dietary changes.
The fact remains you want to imagine that people who are not eating as much food as they need each day are not starving, are not experiencing negative effects from chronic hunger, and thus are not facing degrading health and eventual early death from not eating. This includes people who are so far from having enough food as to experience physical pain from hunger multiple times each week.
You have built up an argument around not needing to solve any hunger problems in America because nobody is starving; it is as if you had said that sokushinbutsuku were not killing themselves. You may as well say that vaccinations are a waste of money because nobody is dying from being unvaccinated, or that water sanitization is a waste of time because we don't have scattered bodies from entire towns being wiped out by toxic water.
I recall instead the more well-grounded example of China, with its single change of diet in the late 1970s suddenly moving the median age of death from 39 years to 80 years--with an average lifespan of nearly 40 years, nobody was exactly "dying of starvation", right? Even though simply giving them proper access to FOOD doubled their life span, they were not starving to death? These were not people dying from a rigorous practice of self-mummification over years, or from contaminated water; they were people who were not properly fed, who were malnourished to the point of weakening and slowly destroying the body over decades. Access to food increased the average lifespan by 40 years; the same will be true of the poor in America: their lifespans will expand by decades when we correct the hunger problem in America.
You can play your lets-pretend preschool games all you want, but that's the truth: people are losing tens of years off their lives in America thanks to hunger. People are living to their 30s and 40s because they routinely don't get enough to eat, and changing that will give them lifespans into the 60s and 80s. When they die, they die of typhoid or heart disease or "natural causes"; they don't die of "starvation". The cause of their short lifespans is hunger, malnourishment, starvation. That is the reality your clouded and distorted mind cannot see.
A surplus of energy. Yeah, that hasn't happened yet, and won't for a while: energy scarcity is the root of all scarcity. Once we solve energy scarcity, communism works.
That sounds like a problem I'll have later, and not the problem I have now.
Your eyes learn to relax, instead of straining. My body retains multiple context profiles for everything, so my vision without glasses isn't any worse; but I do notice my eyes straining without them, whereas they're very relaxed (and vision is greatly improved) with them.
I guess I'm lucky. I have single-vision glasses that correct for all distances.
I'm glad my optometrist is experienced and not stupid. He recommended I not use glasses just yet, as I can get by without them; I told him I'm most interested in whether there's a quality-of-life improvement. There is: I can see things just fine without glasses due to my visual system reassembling the multitude of images it receives (I get two images in each eye, divergent based on distance, due to misshapen eyes); but the glasses make things... so... so real, and clear, and crisp. Instead of knowing what this blurry blob is and thus not noticing it's blurry, everything is actually crisp in my view.
My optometrist gave me a partial prescription, which means I'll need to upgrade later. That means buying two sets of $380 glasses (I decked out the options: anti-reflective, transition to polarized, polycarbonate lenses, the works) in a year; but it also means my visual system will adjust smoothly. Inexperienced optometrists will toss you a +2.25 or +5.0 right off, and then look confused when you tell them you haven't been wearing them; experienced optometrists will gradually migrate you onto a higher prescription so you don't get headaches, eye strain, and the like.
For me, this is not a problem: I'll donate my lenses (this is useful), and probably move to contact lenses (glasses have proven to be a suboptimal solution to this problem). Contact lens fitting is traumatic, but oh well; I hate having to clean these every 20 minutes. They gather dust and oils and such from my eyelashes or something.
My single trouble with my optometrist is a matter of goals: he's experienced enough to estimate the best average case; but I'm a special type of outlier, and try to make theoretically optimal decisions based on balanced constraints. My vision is distorted; I must correct this, and therefor I must take all reasonable steps to maximize the quality of my vision. Additional costs and up-front effort aren't a problem; but I require a more complete understanding of my options and relevant concerns, and may wind up bouncing through various attempts (e.g. getting glasses, and then immediately wanting contacts instead). In the end, I will invest a small sum to determine the absolute best course of action, and make any adjustments as necessary (contacts need to be re-prescribed every year, so I'll have adequate information for this).
Most people want to be handed a solution. I want to determine the best solution.
I decided LASIK is sub-optimal due to high risk of complications. If you get the wrong strength contacts or glasses, you change them; if you get LASIK and your eyes get worse, you can't re-LASIK them. You're burning off part of the cornea, which means you get one shot; and it's minimally possible that heat stress will damage your cornea, which is an non-mitigatable risk, and will destroy your vision permanently.
My final solution is probably going to be contact lenses. I have found glasses sub-optimal, and I can control the risk of contact lenses much more reliably than I can control the risk of LASIK. The severity of contact lens complication is lower: most issues can be caught before they're a problem (ill-fitted lenses will irritate you before causing damage), and the ones more likely to be caught late are just stuff like growing blood vessels in the eyes because you got low-permeability lenses and didn't take them out at night like the instructions say (this is purely cosmetic). That last one can be mitigated with silicone soft lenses (30 days without removal is safe).
When given something that almost never happens, can't be detected until it's happened, and destroys viability, I look for other viable solutions with risks I can control and accept. LASIK is not unreasonable, and it's perfectly reasonable for you to get it and not worry about any complications, because they're dismally unlikely; but it is outside my risk tolerance, because those complications are of high severity and impossible to detect beforehand.
With proper, prescription lenses, the lenses are designed to accommodate your eyes. That means you may have a +0 (non-corrective) and a +0.25 or a +1.75 and +1.25. Interpupiary distance is also important: poorly-centered lenses are the cause of painful headaches. All in all, prescription lenses, even prescription reading glasses, are vastly superior to off-the-shelf bifocals.
I got transition lenses in a single-focus design, and I hate them. They're fantastic, except when they get dirty every 5 minutes, get a burrito shoved into them (they're further from my face than my eyes are), or cause my eyes to water. I plan to have contact lenses fitted; this will be more annoying at first, but will have the incredible advantage of being cleaned every 11 seconds, as well as providing a larger field of view. Silicone soft lenses transmit enough oxygen to safely use them for 30 days straight, rather than removing them at night time; I can elect to remove them at night if desired, but I'll still minimize the risk of complications by providing oxygen permeability similar to not having lenses.
Optometry is hard. Some of us are decisionary maximizers, so it's hard even being the patient!
Most people don't understand lock contention, or lockless code. That's why Dragonfly BSD is ignored, yet is so far ahead: every time someone sees a new problem with parallel computing, with semaphore contention, with threading models, DragonflyBSD is there with a fix from 10 years ago, DragonflyBSD wanted fast semaphores, lockless schedulers, threading models designed to handle running thousands of threads on hundreds of cores, and so on; this was seen, in the early 21st century, as a useless waste of time and a source of complexity; DFBSD is a fork of FreeBSD because the FreeBSD devs wouldn't let the DFBSD guy just do it in FBSD.
It's one of those things. I expect a long, arduous path to catch up to DragonflyBSD, to Minix, and so on, in the same way that we spent so much time catching up to XFS (ext4 spent years trying to reach feature and performance parity with XFS; it now even has on-the-fly inode allocation as an option). There's always some laughable side project somewhere claiming it will change the world, and there's always a point in the future where everyone else starts imitating that project. Whenever I see something big and long-running like this, I recognize it as some other thing; when people start doing multi-version Linux, I will immediately start talking about NixOS (which I think is implemented like crap, but has the right idea).
So what you're saying is that with Linux I have to do something deliberately stupid
Well, on Windows, you have to run an external program, install an extension, or use a Web browser or e-mail client with a security hole. For example, Firefox and Chrome have had dozens of bugs over the past 6 months which allowed for the automatic background downloading and executing of programs without informing the user, or which would execute some data (images, java script variables) as code (which could then download a program and run it).
On Linux, the same has been true. If you haven't run apt-get update/upgrade for a while, you may have picked up a shell script sitting in your $HOME and injected into your ~/.bashrc, or possibly a Gnome start-up application, or a Firefox or Chrome extension in your profile directory. This could happen without your knowledge.
Often, these bugs are exploited in the wild by hacked ad networks or odd attachments on forum posts. It may be impossible to defend against them, sometimes. Apple has this problem with people exploiting Safari well before Apple knows it's exploitable, which has been used for the famous Carpet Bomb attack (which was capable of putting an icon on the desktop that claimed to be Safari, but ran a malicious program that installed a trojan and then ran Safari so as to do what the user expected).
It's not the open ports; we're all behind NAT, and don't have public IPs to hack. I can open all kinds of shit on my machine safely. I don't need to run a firewall on Windows, and can turn on all services, with no authentication: nobody can actually connect to my machine from the Internet. It's the client software that's the problem. It's the buggy Web browsers, e-mail clients, instant messenger software, and so on.
Yawn, reductio ad absurdum is extremely unimpressive.
It was a blunt analogy; considering a DDOS similar to a fiber line cut is patently absurd. One of them is an infrastructure problem, such as the dry rotting of a support timber; the other is an adversarial problem, such as a mob stationed outside your house with siege engines (you know, catapults, ballistas, gunpowder barrels).
Really now? How can that be possible when nobody else can function without a broadcast address at a minimum.
The broadcast address is the highest address in a subnet. For 200.100.100.0/24, the broadcast address would be 200.100.100.255. Maybe you should learn about networking.
You attempted to first claim that a client would have a delay in connecting so HA was impossible.
Yes, I covered all considerations, rather than just one.
In your world it seems impossible for 2 or more addresses to exist on a single host, and for a CNAME point to one of these addresses.
First off, it doesn't help. Second, your claims included that I can't migrate a subnet between providers. Third, I've repeatedly pointed out that having an attack come to any address on the subnet clogs that entire subnet.
I haven't claimed that you can't have 2 or more addresses on a single host, or point a CNAME to either. I claimed that it doesn't help. I have covered that: 1) when I fail over the subnet to a different line, the DDoS will follow it; 2) DNS takes time to propagate, and so changing DNS isn't a solution in any case; 3) if I change the IP address to a different subnet, the C&C can detect the change and instruct the botnet to retarget to the new IP address. I've done this many times.
You said that handling attacks was impossible
You assert that a host can magically filter DDoS and keep legit traffic by some mechanism. I assert that the way to handle the DDoS is to have the target IP NULL routed, which takes the host entirely off the network. You cannot defend against DDoS: you can only withdraw the target and concede.
Your imaginary scenario of having a single access point is still wrong
I'm working, again, in a multiple access point scenario. You claim that scenario is impossible: you claim I can't fail-over subnets to alternate providers--a task that takes about 1 minute. Fail-over works by our primary provider ceasing to hold ownership of the subnet, while the secondary provider advertises the route. This causes a propagation of routing table updates over the Internet backbone, which makes packets addressed to our subnet follow the path to our new link. It's not even a phone call; we have online UIs at each provider to make them assume ownership of the route.
You did make the claim that this simple routing update is so ungodly complex that nobody does it, anywhere, ever.
No, it's not the same but the reaction a company should have is similar because the result of the attack is almost exactly the same.
Choking on a hotdog is almost exactly the same as an angry biker wrapping a half-inch steel chain around your neck and choking you to death. The reaction should be similar.
The only way this would be true is if I had the same IP space on the two carriers, and we don't. In fact the amount of work to move IPs between carriers means that nobody does.
Uh. When our /23 fails on Verizon, Comcast takes up the link. We even have multi-path, so we can send out stuff from the same IP on Comcast OR Verizon at any time; return packets always route down whichever link is active. We have exactly one /23 address space.
Last month, Comcast managed to lose a fiber line. That line was rerouted through our Comcast link. Packets routed to the same IP addresses came down it.
Notice that you completely ignore the question and go off on a tangent back to your same "I only have 1 IP for access" bullshit answer.
We have 510 IP addresses for access. They're on a /23 routed subnet. DDoS any one of those and the rest go down. Do you know why that happens? It has to do with how routing works: a routed subnet, at its last leg, goes across one link (one cable or multiple cables bound together as one link). When you send anything to that subnet, it eventually hits that link. If you flood that link, the whole subnet is blocked off.
Straw man argument, I never said that there was an instant fix to a DDoS.
You started talking about DNS, remember?
Clients generally don't use the IP address, they use the host name for access.
This is saying, "Oh, you just go change the DNS entry for the host under attack, and the packets go nowhere." Yeah, no. DDoS attacks generally don't use the host name; they use the IP address for access.
Given that you can not consider a world without your invalid premise that everything must live on a single static IP address
My premise is that routing works the way it does in the real world, and that attacking a single IP address in a subnet takes down the whole subnet. That's how it works. My premise is also that changing the link used to route your subnet (e.g. from Verizon to Comcast) will bring all traffic--including attack traffic. You function in this imaginary world where you just switch over all your services and somehow evade shitloads of legitimate-like traffic behaving exactly like legitimate traffic, without taking out your legitimate traffic as well; that doesn't work.
I handle these things in the real world. I've handled 14 DDoS attacks this year. I know how our links are built, I know how our links fail over, I know how routing works from routing protocols right down to the way frames are forwarded across the wire. I know, physically, how DDoS attacks work--what links are lighting up, how the packets are formed, and how the routers decide where to forward them. I know how they comingle with legitimate traffic, and how they crowd it out.
I know god damn everything.
You're floundering around with inspecific and blatantly wrong comments. You don't even understand what DNS does, what it's for, or how IP and hostnames work--otherwise you wouldn't yammer on about how clients access by hostname and not IP. You don't seem to understand how useless DDoS against a DNS server is, either (since every client uses their ISP's local DNS server, which has your server's data cached anyway).
Seriously, what kinds of systems do you architect? Because they're obviously not network systems. Do you mean "System Engineer" as in "guy who builds Web servers"?
Otherwise, if you can answer the question I proposed regarding a
Writing in all caps does not make you correct,
The bold and emphasis tags haven't worked for me in 4 years.
If you have a mail server on the Internet and your line is from Level3 what do you do if your line gets cut?
A line getting cut is not a DDOS. A DDOS is when you open a web browser, go to the page, and hit REFRESH 40 times a second. On 80,000 computers. At the same time. For 2 hours.
A DDoS attack is similar, except that you need to figure out what the target is so that you can start rerouting everything else and filter unwanted content (or non-critical content)
Wrong. DDOS you black hole the server: you shut it off by having the backbone of the Internet route your shit elsewhere. That means your upstream ISP has to insert a static route into their routers--their equipment, not yours.
Not hosting your own DNS is a cost issue, not an impossible task.
You don't fix DDOS by DNS. www.Slashdot.org here is 216.34.181.48, and the plain slashdot.org is .45; if I fire a DDOS at either of those IP addresses, they both go down (it's the same subnet, thus routed to the same link). If you change the slashdot.org DNS, the packets keep coming down that link anyway.
If our Level3 access route gets DDoS'd, we start routing everything over to AT&T or Qwest, or Sprint, or what ever carrier we need to use.
If you fail over the link from Verizon to Comcast, the packets start coming down Comcast immediately. Think about it: when you fail over the link, you are rerouting packets going to those addresses. Well, DDoS packets are going to those addresses. They're not addressed to a link (they can't be), but to an IP address. They flood your active line, always; you can't prevent that.
Clients generally don't use the IP address, they use the host name for access.
Clients generally cache the IP address for a little bit; but that's irrelevant. A DDoS attack, in particular, is ineffective if you run a DNS look-up between each packet: there would be a wide delay between packets (it takes anywhere from 20 to 500mS to run a DNS look-up; meanwhile, you're trying to send over 2000 packets per second from one node, i.e. one per 1/2 mS). Instead, you pull the IP at the beginning of the attack, and then you start shoving packets at that IP. 800 trillion packets to 216.34.181.45, one DNS look-up.
Again, you are trying to claim that you must hedge all of your bets on a single access point which is absolutely false.
I'm claiming that packets going to a route will affect all routes on that link; and that failing over that link to a different link will route all packets going to that route to the new link. If you are attacking a node on that route, failing over the link will move the attack to the new link. You can't block the attack downstream; it has to be blocked upstream, because the attack is flooding the link, and your firewall or router receives packets *after* they've traversed the link you're trying to defend. Only your upstream ISP can respond to a DDoS in any effective way.
The only "financial decision" you can make regarding this is the decision to buy a different physical line to your building for each individual public service you run. Possibly multiple physical lines for a service, e.g. two lines for a HA web cluster. That means you would pay $500/mo for Verizon 250Mbit/s to your Web server, $500/mo for another Verizon 250Mbit/s line run over a separate cable to your second Web server, $500/mo more for another 250Mbit/s fiber line run to your e-mail server, etc.
You clearly have no idea what you're talking about. This became clear the moment you started treating packet attacks like infrastructure attacks. "Oh, if they cut the link, I'll just use another link." Yeah, no. This isn't that somebody bombed the road to the bunker, so you take a different road; people are dropping bombs on YOU, and whatever road you drive down will have bombs dropped all over it trying to hit your Jeep.
If a Level3 line is getting hit with a DDoS you reroute traffic to the AT&T line
72.133.15.2, which is on your assigned 72.133.15.0/24 block, is being hit by gigabits of traffic per second. That means everything else on the 72.133.15.0/24 block is affected.
To reroute, you have to call your ISP and failover your incoming route. It comes off the Level 3 line, and onto your AT&T line.
Now your AT&T line is being hit by gigabits of traffic per second, as the traffic is still going to 72.133.15.2, which is routed to the 72.133.15.0/24 subnet.
I'm not talking about fiber traffic; I'm talking about ROUTING A TON OF TRAFFIC TO AN IP ADDRESS. When you move the line that the IP address is on, ALL THE TRAFFIC GOES TO THE NEW LINE. IP addresses are routed to by subnets, which means THE WHOLE SUBNET FOLLOWS THE ROUTE CHANGE, and so the traffic and all affected addresses follow the route change. Your Web, E-mail, FTP, and VPN servers are all affected by this DDOS? Well, when you swap over to your AT&T line, your Web, E-mail, FTP, and VPN servers all go there, and so does the DDOS traffic!
You can change lines when somebody physically digs up and cuts a fiber line. That works. It works when Verizon fucks up and Qwest is working. When bombs are being brought down Green street to your house, blocking off Green street and making the bombers carry them down Violet street to THE SAME HOUSE doesn't stop your house from getting blown up.
Communism is a perfect system, but requires more information than is physically possible to obtain. We have a lot of these types of systems in physics, economics, programming, chemistry, psychology, and so on; they're used to model small-scale effects and search for risks or viable plans, rather than to implement large systems, because it's always impossible to get enough information to implement and maintain a large, theoretically-perfect system.
No shit communism is bad for life. It only works when you can accurately predict every single individual human being's wants, needs, and thoughts, forever. Why do you think I use market models to predict behaviors and develop social and economic policy? High-level models account for these things, largely by providing less concrete goals such as "the market will fix X as long as fixing X in an acceptable way is more profitable than addressing X in any other way, including ignoring it or fixing it in an unacceptable way". The large mistake most hard-nose capitalists make is assuming the market will automatically address X in the most optimal way for all stakeholders in all cases, which is unsurprising when you consider that communists's answer for everything is they simply know everything.
If I got you to install a Chromium extension that started when you log into your desktop (KDE, Unity, Gnome, whatnot), I could have you install an extension which runs in the background (like Google Hangouts) and simply pings the shit out of things I tell it to.
In other words: if I can get you to download and run a program on Linux, as a regular user, with no root privileges and no write access outside $HOME, I can turn your machine into a DDOS node in a botnet.
The problem we have on Windows is users downloading stupid shit from the Internet, such as Slashdot's ads constantly sending me to install some kind of codec to watch a video or to a fake Firefox update site. I even got caught by BlueStacks, as I had no idea wtf I was doing and typed "BlueStacks" into Google, and the first result falsely claimed to be the BlueStacks home page (it was a sponsored result!) and packaged 5 pieces of software--TWO of which were malware (one hijacked Firefox by installing some RocketTab extension, which sent everything I did through a proxy)--with BlueStacks.
Any software can install a start-up option in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Any string entry there is run on start-up for that user. The hive for this is stored in the user's directory (usually C:\Users\$USER\). This is where e.g. Yahoo Messenger puts itself when you install it (if you install it as Administrator, it puts itself in HKLM under the same key, so it starts on log-in for ANY user). Such software can make a connection to a Web site (just like a Web browser), obtain instructions, and then do whatever (e.g. make thousands of connections per second to some IP address, just like a Web browser or FTP client or AOL Instant Messenger).
Writing to C:\Windows isn't required any more than writing to /usr/bin is required. You can hijack someone's computer without administrative rights.
The bottleneck is the 1Gbit link that's carrying 1Gbit of DDoS traffic to your border router, which is evaluating it and dropping it all. Dropping that traffic doesn't free up additional bandwidth to carry legitimate traffic; you'd have to block the traffic further upstream.
I work at a broadcast company. I have worked for the Government. I have worked for a Government contractor.
In all of these cases, Verizon or Comcast or Qwest run a cable to your site. You plug in your router, your firewall, demarc equipment. A packet sent to your network comes to that before you can do anything; you can't get on the backbone of the Internet and block it.
For businesses who do not control the Internet backbone, 1000Mbit/s coming down their 1Gbit/s pipe means they can no longer receive client requests. If they block traffic coming from DDoS sources (static or dynamic detection, but assume correctly blocking only DDoS packets--impossible best case), they will still have traffic coming to their firewall, being evaluated, and being dropped. There won't be room for traffic to come from other sources: a site receiving 5000 connections per second at 20k/s per connection requires 100Mbit/s, but has more than that in DDoS packets trying to force it's way down the pipe, and so will receive few legitimate packets. The packets it does receive will be delayed (this is why you receive few legitimate packets: they start queueing, infinitely, and then get dropped off the end).
To stop this, you must have some upstream router (controlled by your ISP) block those packets before they propagate down your link. For DDoS from infected computers, this means your ISP must be able to reliably detect DDoS packets and differentiate them from normal traffic. If you have an on-going short list (50, 100 nodes), you may be able to provide a temporary NULL route. More than likely, you will have one particular server under attack, with a specific public IP, and so will have to have your ISP NULL route YOUR server (take it down entirely) so that your OTHER services stay up.
Our DDoS attacks on our CDN are allieviated automatically by NULL-routing our servers: the server's IP address is sent to the upstream ISP, which drops all packets going to that server. That server has its cable cut from the Internet for a few hours, and becomes non-functional; attacking another server would result in the same, until there is nothing left of our network. Blocking by firewall on the network not only fails to allieviate the problem, but also causes the DDOS traffic to affect all other servers connected to the Internet from that link.
Yeah, there you go. "Microsoft should make a secure operating system." You don't understand the problem.
To mitigate DDoS as you say, at the OS level, we would need to make the OS only run software that the Great Benevolent Dictator allows. Microsoft could publish a list of software Microsoft has decided you can install, and you can install only those softwares. Mind you, if the softwares have any security holes, it's still possible to hack in and use the node as a DDOS source.
Think about it. No installing Cygwin. No downloading open source games. No Indie games, unless the Indie developers pay Microsoft to let their games run on their platform. Steam? Uh, no, no software that runs arbitrary code. Java? Java is dead. No scripting languages.
You can't block a DDOS at your doorstep; it has to be blocked on the Internet backbone itself.
Ah, Chess. The game for less-intelligent people who want to display their supposed intellect.
What business do you work in? I bet it isn't important. Hospice, I bet. Some hackers disrupted your hospice, and the old people's heating went out, and they all froze to death. Well, who fucking cares? They're just old people; the sun went up that morning AND went down that evening, and only a bunch of old people who were in hospice to die anyway died.
It's business. There are businesses. They make money, and they loose money. YOU are unimportant; yet the police would arrest me for raping and beating and robbing you, even if you didn't die or get HIV. Why? Why should anyone care? The sun went up that morning AND went down that evening, right? You're less important than some gaming services, which millions of people notice when they go offline.
It's not, and it's not real.
Google made or acquired Gmail, GTalk/Hangouts, Plus, Picasa, Youtube, Docs, an OAuth thing, Chrome, Android, Glass, driverless cars, and so on. Lots of Google products have failed; lots have succeeded.
Google makes things which give them options for monetization, licensing, or new things. The Google car, Google glass, they get Google press and create markets (Google Glass basically created the wearables market; smart watches took over after that, rather than smart glasses). Future potential is there, but so is cross-potential: Google Glass and Android smart watches both share similar characteristics, so many of the same problems solved for one apply to the other. Google's self-driving car might see upgrades and porting into GM and Tesla offerings. It could happen.
By and large, the most important impact of Google's constant experimentation is the sweeping domination of a multitude of markets. Android brought hundreds of millions of users to Google and GMail, ripe for serving ads through that little bar at the top of Gmail. Hangouts brings people to Gmail. Plus was a flop, but is still tangentially used: Google Pictures is Google Plus, and Google Plus is tied into Picasa. People use Picasa. People use Google Docs and Google Drive.
All of these things are things that stuck. Google Drive now sells storage space; sharing links to Google Drive attracts people to Google services. Chrome attracts people to Chromebooks, which attracts them to Google Drive, Gmail, and so on. Failed products could have been these things, but weren't; successful products could have been failed products, but were attempted anyway, and didn't fail.
That's what Google does: they make shit, and see what sticks.
I'm sure this thing called a Cultural Revolution at that exact same time had absolutely nothing to do with it. Or a communist government that mistakenly eradicated beneficial sparrows as a pest a decade prior (Google Four Pest Campaign).
I brought up China due to a previous argument with somebody over whether China's traditional diet was "very healthy" due to not containing much meat (98% grains and vegetables, bits of meat for flavoring). China had a major revolution, alright: in the late 1970s, they drastically increased their meat consumption. This has been cited in studies on diet because the drastic boost in China's lifespan occurred during a period where the only thing that changed was diet: China's cultural revolution occurred a decade away from their major health gains, which coincided with their dietary changes.
Let's not forget that meat is expensive.
The fact remains you want to imagine that people who are not eating as much food as they need each day are not starving, are not experiencing negative effects from chronic hunger, and thus are not facing degrading health and eventual early death from not eating. This includes people who are so far from having enough food as to experience physical pain from hunger multiple times each week.
You have built up an argument around not needing to solve any hunger problems in America because nobody is starving; it is as if you had said that sokushinbutsuku were not killing themselves. You may as well say that vaccinations are a waste of money because nobody is dying from being unvaccinated, or that water sanitization is a waste of time because we don't have scattered bodies from entire towns being wiped out by toxic water.
I recall instead the more well-grounded example of China, with its single change of diet in the late 1970s suddenly moving the median age of death from 39 years to 80 years--with an average lifespan of nearly 40 years, nobody was exactly "dying of starvation", right? Even though simply giving them proper access to FOOD doubled their life span, they were not starving to death? These were not people dying from a rigorous practice of self-mummification over years, or from contaminated water; they were people who were not properly fed, who were malnourished to the point of weakening and slowly destroying the body over decades. Access to food increased the average lifespan by 40 years; the same will be true of the poor in America: their lifespans will expand by decades when we correct the hunger problem in America.
You can play your lets-pretend preschool games all you want, but that's the truth: people are losing tens of years off their lives in America thanks to hunger. People are living to their 30s and 40s because they routinely don't get enough to eat, and changing that will give them lifespans into the 60s and 80s. When they die, they die of typhoid or heart disease or "natural causes"; they don't die of "starvation". The cause of their short lifespans is hunger, malnourishment, starvation. That is the reality your clouded and distorted mind cannot see.
People around me would probably eat the fucking branches off the trees. You don't know what it's like here, man.
A surplus of energy. Yeah, that hasn't happened yet, and won't for a while: energy scarcity is the root of all scarcity. Once we solve energy scarcity, communism works.