Slashdot Mirror


User: hugetoon

hugetoon's activity in the archive.

Stories: 0
Comments: 70

Comments · 70

  1. Netem and HTB on Using Linux To Make a Slow, Awful WAN Connection · · Score: 1
    These two queuing disciplines allow you to create a fairly complete WAN simulator.
    There are, however, a few gotchas:
    • Precise bandwidth limitation at high speed requires lots of CPU, a powerful bus and quality network adapters (read: server-class hardware).
    • If you want to simulate a complex network with more than two nodes, you'll need IFB (or IMQ) in order to shape incoming traffic, and yet some topologies would stay out of reach.
    • Keep in mind that there are two types of latency: "serialization" latency, which depends on packet size and link speed, and "processing" latency, which depends on packet rate and network hardware processing power. Netem simulates the "processing" one.
    • Simulating "serialization" latency would be harder, require more CPU and, as a "side" effect, would also implement bandwidth limitation. As of today I'm not aware of any project that would accurately simulate "processing" latency in the Linux QoS framework.

    All that being said, in most cases having a rough simulation is sufficient to validate the behaviour of an application on a WAN before deployment.
    For those interested there is an excellent, 13-year-old but still relevant paper about latency: http://rescomp.stanford.edu/~cheshire/rants/Latency.html
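
The HTB + netem layout the comment describes, as an added example that is not part of the original post: it turns a link profile into the tc(8) commands for egress shaping and, via an IFB device, ingress shaping, and it computes the size-dependent serialization delay that netem's fixed delay cannot model. The root/class/leaf layout, handle numbers and device names are my assumptions, not anything the comment specified.

```python
"""Added example: WAN profile -> tc commands for an HTB + netem simulator.

Assumed layout (mine): HTB at the root with one default class carrying the
rate, netem as the leaf qdisc under it for delay/jitter/loss, and an IFB
device that receives redirected ingress traffic and shapes it the same way.
Device names and handles are arbitrary.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WanProfile:
    rate_kbit: int        # link speed enforced by HTB
    delay_ms: float       # fixed per-packet ("processing") latency added by netem
    jitter_ms: float = 0  # netem delay variation
    loss_pct: float = 0   # netem random loss
    mtu: int = 1500       # largest packet, used for the serialization estimate


def serialization_delay_ms(packet_bytes: int, rate_kbit: int) -> float:
    """Time to clock one packet onto the wire.  bits / (kbit/s) is milliseconds.
    This is the latency component that grows with packet size; netem applies
    the same delay to every packet, so it cannot reproduce it."""
    return packet_bytes * 8 / rate_kbit


def worst_case_one_way_ms(p: WanProfile) -> float:
    """netem delay plus the serialization time of an MTU-sized packet.  Using
    this as the netem delay over-delays small packets: the rough approximation."""
    return p.delay_ms + serialization_delay_ms(p.mtu, p.rate_kbit)


def _shaping_tree(dev: str, p: WanProfile) -> list:
    """HTB root -> one class with the rate -> netem leaf for delay/jitter/loss."""
    return [
        f"tc qdisc add dev {dev} root handle 1: htb default 10",
        f"tc class add dev {dev} parent 1: classid 1:10 htb "
        f"rate {p.rate_kbit}kbit ceil {p.rate_kbit}kbit",
        f"tc qdisc add dev {dev} parent 1:10 handle 10: netem "
        f"delay {p.delay_ms:g}ms {p.jitter_ms:g}ms loss {p.loss_pct:g}%",
    ]


def tc_commands(dev: str, p: WanProfile, ifb: str = "ifb0") -> list:
    """Commands to shape egress on `dev` and, through IFB redirection, ingress."""
    egress = [f"tc qdisc del dev {dev} root 2>/dev/null || true"] + _shaping_tree(dev, p)
    ingress = [
        f"ip link add {ifb} type ifb",
        f"ip link set {ifb} up",
        f"tc qdisc add dev {dev} ingress",
        # everything arriving on dev is redirected to ifb, where it is shaped
        # as if it were egress traffic of that device
        f"tc filter add dev {dev} parent ffff: protocol all u32 match u32 0 0 "
        f"action mirred egress redirect dev {ifb}",
    ] + _shaping_tree(ifb, p)
    return egress + ingress


if __name__ == "__main__":
    profile = WanProfile(rate_kbit=2000, delay_ms=80, jitter_ms=10, loss_pct=0.5)
    print(f"# serialization of a {profile.mtu}B packet at {profile.rate_kbit}kbit: "
          f"{serialization_delay_ms(profile.mtu, profile.rate_kbit):.2f} ms")
    print("\n".join(tc_commands("eth1", profile)))
```

Running it prints the command list; pipe it through `sh` as root on the machine in the middle. Note that ingress shaping on the IFB only affects traffic that has already crossed the wire, so it models the far end's link, not the near end's.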

  2. what a coincidence! on Why Toddlers Don't Do What They're Told · · Score: 1

    This morning I had my son (4.5y) asking me to take him outside to ride his bicycle.
    So I asked him in turn to plan the whole thing: getting dressed, going to the place where the bicycle is stored, getting the key to open the door, etc.

    It was hard for him but he managed to have an "executive" plot.

    So I think I'll do that little exercise again.

    As a side note: it would be interesting to conduct a similar study on a representative population of executive officers and financial experts.

    Hint for parents: to *always* explain why you want your kid to do such or such a thing is the wrong path; they must know that there are circumstances (until a certain age) in which questioning parental authority is not allowed (and *that* can be explained: you are totally accountable for what they do and what happens to them).

  3. Do it and assume it. on With a Computer Science Degree, an Old Man At 35? · · Score: 1

    If at your age you still have the ability and the will to undergo an academic curriculum, it means you are actually worth more than a youngster in terms of potential.

  4. Easy one! on EU Says MS Must Offer Other Browsers; Now What? · · Score: 1

    Now we have to convince the audience that FreeBSD, GNU/Linux etc are just browsers!

  5. Apologize on The Art of The Farewell Email · · Score: 1

    This is probably your last chance. I mean, it doesn't have to be related to the reason you are leaving. But nobody's perfect; there is for sure something about you that was painful to your coworkers: recognize it, beg for pardon.

  6. First questions first on Linked In Or Out? · · Score: 5, Funny

    What's your real name already?

  7. take a tour at OWASP site on Website Security Without Breaking the Bank? · · Score: 5, Informative

  8. Re:Theft on Microsoft Uses WGA To Obtain Record Jail Sentences · · Score: 1

    When you put it that way it may seem wrong indeed.

    Now please consider the facts from the following perspective:

    - I do not need any of M$ products for any particular feature they may provide and I'm perfectly happy with free alternatives...
    - Except when I have to exchange with the part of the universe that is captive to M$ formats
    - There are so many people who are captive because M$ has a monopoly
    - M$ created its monopoly by resorting to illegal activities (found guilty in multiple courts)

    In this situation I believe that I'm entitled to use M$ products for free in order to achieve interoperability.

  9. In IT security field on Your Favorite Tech / Eng. / CS Books? · · Score: 2, Informative

    "Security Engineering" by Ross Anderson http://www.cl.cam.ac.uk/~rja14/book.html/.
    The best book ever, truly enlightening.
    If you're young enough it will change your life.

  10. Move to France on Is Finding Part Time Work In IT Unrealistic? · · Score: 1

    We work 217 days/year here :D

  11. Re:PCI standards and real life on Credit Card Security Standard Issued · · Score: 5, Insightful
    The PCI standard addresses only the environment where card numbers are stored and processed. You can reduce this perimeter with appropriate segmentation.

    I shudder when I think of one company that I worked with. They are a very high level financial institution. Guess what their AIX HMC passwords are? Can you get to them from the outside world? Yep. Could I down their production servers, a year after I worked there? Yep. Are they considered compliant to DSS/PCI standards? Yep.

    I suppose the AIX servers were in the PCI environment (otherwise your comment is out of scope).
    Then the situation you describe probably violates the following requirements:

    req. 2.1: "Don't use default passwords"
    req. 8.5.4 "Immediately revoke access for any terminated users."
    req. 8.5.5 "Remove/disable inactive user accounts at least every 90 days."
    req. 8.5.6 "Enable accounts used by vendors for remote maintenance only during the time period needed."
    req. 8.5.8 "Do not use group, shared, or generic accounts and passwords."
    req. 8.5.9 "Change user passwords at least every 90 days."
    req. 8.5.10 "Require a minimum password length of at least seven characters."

    About the fact that you can connect to the servers from outside: that means no segmentation, which in turn means that the whole Internet is to be considered part of the PCI environment of this company.

    Now please tell me by WHOM they are considered compliant?
    Being a financial institution means that they are a provider (and maybe a merchant too); they certainly have to be audited by a QSA (a self-assessment questionnaire would not be sufficient), which could mean one of two things:
    - The QSA did not do his job properly
    - The company concealed things from the QSA

  12. Licence issues are irrelevant on How to Deal With Stolen Code? · · Score: 1

    It's more a question of how to handle this particular situation in an enterprise, on a professional level. Let's summarize:
    - you come across something that could harm the enterprise
    - the person who could be considered liable is still here and has power
    - no one knows that you are aware, and you don't have the obligation to check such things

    There are really only two options for you IMHO:
    1) less moral but more secure: shut up and pretend you didn't notice anything (btw, stop posting about it on public sites). If shit happens, the one who stole the code will have to handle the situation. Optionally you could "accidentally" collect evidence of the fact that you have nothing to do with this legacy code.
    2) more moral but involves risk if the one who stole the code is an asshole: you talk to him and express your doubts about this situation. What you risk is that he could see you as a threat and try to mitigate this threat in a way you'd rather avoid.

    I can't estimate which of the two options above is better for you. To make a decision you need to know what kind of person this person is.

  13. I don't like it on GOOG-411's "Biddy-Biddy-Boop" Sound Backstory · · Score: 1

    The man behind this noise may be the best voice expert on earth; I still don't like this thing. HM(very)HO some kind of steam machine sound would be much better here.

  14. Re:Not a Vista bug on Vista Bug Costs Users In Swedish Town Their Internet · · Score: 1
    From RFC 2131:

    A client that cannot receive unicast IP datagrams until its protocol
    software has been configured with an IP address SHOULD set the
    BROADCAST bit in the 'flags' field to 1 in any DHCPDISCOVER or
    DHCPREQUEST messages that client sends. The BROADCAST bit will
    provide a hint to the DHCP server and BOOTP relay agent to broadcast
    any messages to the client on the client's subnet. A client that can
    receive unicast IP datagrams before its protocol software has been
    configured SHOULD clear the BROADCAST bit to 0. The BOOTP
    clarifications document discusses the ramifications of the use of the
    BROADCAST bit [21].

    A server or relay agent sending or relaying a DHCP message directly
    to a DHCP client (i.e., not to a relay agent specified in the
    'giaddr' field) SHOULD examine the BROADCAST bit in the 'flags'
    field. If this bit is set to 1, the DHCP message SHOULD be sent as
    an IP broadcast using an IP broadcast address (preferably 0xffffffff)
    as the IP destination address and the link-layer broadcast address as
    the link-layer destination address. If the BROADCAST bit is cleared
    to 0, the message SHOULD be sent as an IP unicast to the IP address
    specified in the 'yiaddr' field and the link-layer address specified
    in the 'chaddr' field. If unicasting is not possible, the message
    MAY be sent as an IP broadcast using an IP broadcast address
    (preferably 0xffffffff) as the IP destination address and the link-
    layer broadcast address as the link-layer destination address.

    Let's try to analyse this: Vista SHOULD NOT set the flag (because it is able to avoid it if told so via registry values) but it does by default => -1
    ISC SHOULD consider the flag but does not by default => -1
    Thus the Vista vs ISC DHCPD evilness contest could be considered a tie (yet I think Vista is dumb because it could try w/o the bcast bit after the first attempt fails, if it really wants an address).
    But then, are we really considering M$ vs ISC or rather M$ vs Lund's infrastructure?
    If we choose the latter, then we should admit that it's rather M$'s fault (disclaimer: I'm a network admin and I hate M$, so I'm rather biased). Here's why:
    The RFC's recommendations of what SHOULD and SHOULD NOT be done (capitals because these terms have a very precise meaning in RFC context) are there for a reason: following them helps to improve the robustness of the protocol in many situations with constraints that may come from infrastructure specifics. To accommodate those specifics, the best thing any software dealing with an RFC-blessed protocol can do is (common sense) to follow every bit of the RFC. What I'd like to know is what precisely dhcpd does and what happens on the Lund network when a Vista issues its bcast-flavoured DHCP request.

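
The BROADCAST-bit rule quoted above, as an added example that is not part of the comment or of any DHCP implementation: it packs the fixed part of a DHCPDISCOVER per RFC 2131, reads the flag back, and applies the server-side decision (broadcast if set; unicast to yiaddr/chaddr if clear; MAY broadcast if unicast is impossible). The option field, the MAC and the offered address are my constructed sample values.

```python
"""Added example: the RFC 2131 BROADCAST flag on the client and server side.

Fixed DHCP header per RFC 2131 section 2: op, htype, hlen, hops, xid, secs,
flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (sname/file/options omitted,
they do not matter for the flag).  Addresses below are made up.
"""
import struct

BROADCAST_FLAG = 0x8000             # top bit of the 16-bit 'flags' field
FIXED_HDR = "!BBBBIHH4s4s4s4s16s"   # 44 bytes, up to and including chaddr
BCAST_IP, BCAST_MAC = "255.255.255.255", "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_discover(xid: int, mac: str, want_broadcast: bool) -> bytes:
    """Fixed header of a DHCPDISCOVER from a client that has no address yet.
    A client that cannot receive unicast before it is configured sets the flag."""
    flags = BROADCAST_FLAG if want_broadcast else 0
    chaddr = mac_to_bytes(mac).ljust(16, b"\x00")
    zero = b"\x00" * 4                      # ciaddr/yiaddr/siaddr/giaddr all 0
    return struct.pack(FIXED_HDR, 1, 1, 6, 0, xid, 0, flags,
                       zero, zero, zero, zero, chaddr)


def parse_fixed(pkt: bytes) -> dict:
    """Pull out the fields a server needs to decide where its reply goes."""
    (op, htype, hlen, hops, xid, secs, flags,
     ci, yi, si, gi, chaddr) = struct.unpack(FIXED_HDR, pkt[:struct.calcsize(FIXED_HDR)])
    return {"xid": xid,
            "broadcast": bool(flags & BROADCAST_FLAG),
            "giaddr": ".".join(map(str, gi)),
            "chaddr": bytes_to_mac(chaddr[:hlen])}


def reply_destination(request: bytes, yiaddr: str, unicast_possible: bool = True) -> tuple:
    """(IP destination, link-layer destination) for the OFFER/ACK answering `request`.

    RFC 2131: flag set -> broadcast; flag clear -> unicast to yiaddr/chaddr;
    if that unicast is not possible the server MAY broadcast anyway.  A non-zero
    giaddr means the message goes to the relay agent instead (not handled here).
    """
    req = parse_fixed(request)
    if req["giaddr"] != "0.0.0.0":
        return (req["giaddr"], None)
    if req["broadcast"] or not unicast_possible:
        return (BCAST_IP, BCAST_MAC)
    return (yiaddr, req["chaddr"])


if __name__ == "__main__":
    for want in (True, False):
        pkt = build_discover(0x3903F326, "00:11:22:33:44:55", want)
        print("broadcast bit", want, "->", reply_destination(pkt, "192.0.2.10"))
```

The `unicast_possible=False` branch is the server-side escape hatch the RFC leaves open; a server that ignores the flag and always unicasts to an unconfigured client is the failure the comment describes.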
  15. Re:I don't have any mod points... on Which Filesystem is Best for CompactFlash? · · Score: 2, Insightful

    Sorry, but it's not fun at all actually. No, I'm not a religious extremist of any kind, but just try to figure out what the people involved in the story you allude to feel like these days: definitely not fun.

  16. Atempt to translate and possible answer to RIAA on RIAA Says It Doesn't Have Enough Evidence · · Score: 5, Interesting

    Let's try to translate:

    RIAA: Hey yr honor, this dude stole my stuff, I know 'cause a guy I pay to hang on the net told me so!

    DUDE: Nope, I didn't.

    RIAA: Sure, they all claim the same, and actually by now I've got no evidence, but if you let me go to his home and
    put everything upside-down I bet my "experts" will find something!

    Well, I hope this is not the way US justice works.

    And if I were the Defendant I'd ask the RIAA in return (and before giving anything to them) to let me do forensics on the computers their investigators used to identify my IP, the computers they used to exchange mails and every other piece of equipment I could think of (like the routers of their ISP). And it'd
    take me 10 years or so, and of course at the expense of the RIAA (I mean, forensics is hard work, I intend to get paid for it) if I figure that they made a mistake.

  17. Re:Just a question, and some thoughts on RIAA Ends Harassment of Grieving Family · · Score: 1

    I'd like to argue about this sentence:
    'If you disagree with the "business model" or the legal issues surrounding it, don't be a part of it'
    which is essentially based on a principle that could be formulated as:
    "One shouldn't force artists to adopt any particular way to distribute their work"
    Well, it seems sensible and fair.

    Yet I have to disagree: while the personal liberty of the author to do what he wants with his work is something essential to our society (as are many other personal liberties we still have, but watch out ...), this liberty gets bounded by others' liberties.

    Specifically, once the public is exposed to the artist's work (I consider it exposed as soon as I CAN buy it, especially if advertised), it is sensible and fair to limit by law what restrictions one can put on the usage of such a product.

    Fair use is an illustration of this approach: once you publish something you are not allowed to disallow fair use by contract (now you can, by DRM + DMCA threat; that's why the DMCA is bad and should be abolished).

    Thus I don't agree with, nor accept, this argument that essentially says "accept it or go away".

    I don't have to accept everything that you do in an environment you share with me; I have the right to oppose something I consider harmful.

    For instance I consider the current business model of entertainment distribution harmful to my economic and cultural environment and thus I consider I have the right (and duty) to get it dismantled ASAP.

    Besides that, I notice that the economic interests of the entertainment industries are opposed to mine; in a truly liberal world I should be able to fight them (actually I'm not that interested in their modern content, but
    some old goodies that got their copyright aberrantly extended are still compelling).

  18. I hope they are smarter than that on Tearing Down China's Great Firewall · · Score: 1

    Talking "routers" and "SSL" isn't impressive at all, and there are many ways (discussed in other posts) for the Chinese government to make such a trivial approach (known since a long time, cf. the Firewall Piercing HOWTO) ineffective and dangerous (read: detectable).
    The main weakness of this solution would be its popularity, as, if the connection is encrypted, some specific regularity will probably appear in its behaviour on the network (detectable by the firewall) and on the computer, detectable by desktop integrity tools, e.g. antivirus. No doubt the government would force the deployment of such a tool on every toaster and cut Internet access without it (and yes, I know, it's like DRM, no way to make such verification bullet-proof, yet it would lead to a very unpleasant situation).

    IMHO, the good way to act under such repressive censorship is, in the first place, to look innocent; here we could learn a good lesson from botnet overlords. If the FW drilling program has the form of a botnet worm, you could at least claim you were unaware of it; if it establishes a subliminal channel in a cleartext protocol, it's harder to track.
    The hardest to detect would be an exchange encoded in the timing, like a chat conversation where bits are transmitted by the time elapsed between sentences (generating random conversations with data encoded in them would be a good start, but don't forget that the Chinese are very advanced in natural language analysis). Yes, it's slow, but at least you have a chance not to die in jail. AFAIK (and I don't recall where and who told me) in military security specifications they talk about a maximum rate of information leak; this is probably because it's almost impossible to stop it completely, but it flows soooo slooooowly.

    So I really hope these people are preparing something smarter than "ProxyCommand socat STDIO PROXY:some_proxy:%h:%p" in your .ssh/config; it's a great piece of challenge actually.

    Now how about disclosing its source? Sure it would be ethical, but it would also ease defeating it.
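
The timing channel sketched above, as an added example that is not part of the comment: bits are carried in the pauses between otherwise innocuous messages, a receiver recovers them by thresholding the gaps, and a crude censor-side check shows the regularity that gives such a channel away. Pauses are simulated as numbers rather than slept so it runs offline; the pause lengths and jitter are arbitrary choices of mine.

```python
"""Added example: a covert channel in inter-message timing, its decoder, the
leak rate it achieves, and a detector that looks for the tell-tale two clusters.

Parameters are mine, not the comment's: 0.8 s pause for a 0, 2.0 s for a 1,
+-0.3 s of jitter so the two ranges never overlap.
"""
import random

SHORT_S, LONG_S, JITTER_S = 0.8, 2.0, 0.3
THRESHOLD_S = (SHORT_S + LONG_S) / 2        # 1.4 s: the receiver's decision boundary


def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def encode_intervals(data: bytes, rng: random.Random = None) -> list:
    """One pause per bit; the jitter mimics a human pausing between sentences."""
    rng = rng or random.Random(0)           # fixed seed only for reproducibility
    return [(LONG_S if b else SHORT_S) + rng.uniform(-JITTER_S, JITTER_S)
            for b in to_bits(data)]


def decode_intervals(intervals: list) -> bytes:
    """The receiver sees only arrival times; it thresholds the gaps."""
    return from_bits([1 if t > THRESHOLD_S else 0 for t in intervals])


def leak_rate_bps(intervals: list) -> float:
    """Bits per second actually leaked: one bit per pause."""
    return len(intervals) / sum(intervals)


def looks_like_timing_channel(intervals: list, max_spread_s: float = 2 * JITTER_S) -> bool:
    """Censor-side heuristic (mine): sort the pauses, cut at the largest gap,
    and flag the stream if both halves are tight clusters separated by a gap
    wider than either cluster.  Real chatter has a broad, one-sided spread."""
    xs = sorted(intervals)
    if len(xs) < 8:
        return False
    gaps = [b - a for a, b in zip(xs, xs[1:])]
    cut = gaps.index(max(gaps)) + 1
    low, high = xs[:cut], xs[cut:]
    return (max(gaps) > max_spread_s
            and low[-1] - low[0] <= max_spread_s
            and high[-1] - high[0] <= max_spread_s)


if __name__ == "__main__":
    gaps = encode_intervals(b"hi", random.Random(1))
    print(decode_intervals(gaps), f"{leak_rate_bps(gaps):.2f} bit/s",
          "suspicious" if looks_like_timing_channel(gaps) else "looks natural")
```

At these settings the channel moves well under one bit per second, which is the "soooo slooooowly" trade-off the comment makes; the detector also shows why the random-conversation cover would need pauses drawn from a natural-looking distribution rather than two fixed values.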

  19. Re:Sounds on Titan Photos and Sounds · · Score: 2, Informative
    to quote NASA site:
    Several sound samples, taken at different times during the descent, are here combined together and give a realistic reproduction of what a traveller on board Huygens would have heard during one minute of the descent through Titan's atmosphere.
  20. Time for some legal hacking maybe? on RIAA Sues Nearly 500 New Swappers · · Score: 1

    Forgive me if I'm stating obvious, already known things (if yes, feel free to patent them :o)
    I believe there are two possible ways to mess with the laws and I wonder what would happen if someone did it...
    1) We have the DMCA that forbids circumventing any (even broken) protection scheme.
    It could be abused by coding software with broken protection that could be used for P2P. Example: a personal multimedia server that uses passwords for access control (so only the owner of the computer can access the files) and an "unfortunate misfeature" that limits passwords to 4 ASCII characters; the editor of such software could fail to fix that for a looooong time :)
    This software could be used to share music, and if some jerk tries to sue you for that, arguing he detected copyrighted files on your computer, you have evidence he pirated your network and violated the DMCA.
    2) We have "présomption d'innocence", I don't know the correct translation to English.
    This means that one has to prove that you're guilty, otherwise you're not.
    Now suppose two unrelated individuals share some Mbytes of random bits. And, oh dear!, if you XOR them you get interesting stuff, but whose fault is it? Each of the two individuals claims his data is plain random, and the only way to know who is guilty is to track down which of the two chunks of data was published first, not easy.
    3) ... add your stuff here ...
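
The "two chunks of random bits" idea in point 2, as an added example that is not part of the comment: it is a one-time pad split, and the functions below show both sides of it, that each share on its own is uniform random, and that for any share and any target of the same length a second share exists which "decodes" to that target, so a lone share proves nothing. The sample texts are made up.

```python
"""Added example: XOR splitting of a secret into two random-looking shares
(a one-time pad), recombination, and the two properties that matter for the
comment's argument: deniability of a single share, and loss of it when a pad
is reused.  Sample data below is constructed.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, pad: bytes = None) -> tuple:
    """Return (pad, secret XOR pad).  A fresh random pad is drawn unless one is
    supplied, which is only for reproducible tests; never reuse a pad for real."""
    if pad is None:
        pad = os.urandom(len(secret))
    return pad, xor_bytes(secret, pad)


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Either party holding both shares gets the secret back."""
    return xor_bytes(share_a, share_b)


def forge_share(known_share: bytes, desired: bytes) -> bytes:
    """The share that, combined with known_share, yields `desired`.  Because
    such a share exists for every possible `desired`, one share alone carries
    no information about what was hidden."""
    return xor_bytes(known_share, desired)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If the same pad protects two secrets, XOR of the two shares cancels the
    pad and exposes secret1 XOR secret2: the 'it's just random' claim is gone."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    a, b = split(b"interesting stuff")
    print(combine(a, b))
    print(combine(a, forge_share(a, b"innocent content!")))
```

The publication-order problem the comment raises is exactly what `forge_share` illustrates: whichever chunk was published second could have been chosen to make the first one "decode" to anything at all.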