The typical way people implement that sort of thing in IPSEC is to build GRE tunnels, usually running in IPSEC transport mode. In general, bridging protocols over Layer 2 is just inviting trouble, and should be avoided when you can do routing as an alternative - broadcast storms used to be a real problem. Also, if you're running a Layer 2 protocol over an OpenVPN tunnel, then you're adding an extra protocol header layer for the Layer 2 as well as adding a protocol layer for OpenVPN's Layer 4, compared to IPSEC where the secure side's Layer 3 IP is running directly on top of the IPSEC's Layer 3. If the stuff you're tunnelling is mostly large packets, e.g. 1500 byte FTP stuff, the percentage of bandwidth isn't that high, though you've still got a couple extra passes of checksum calculation, and you've got to be extra careful about MTU sizes - but if you're trying to carry 10-byte VOIP payloads on a dialup connection, each 20-40 byte header layer is just adding extra insult to injury.
The FreeSWAN project did a bunch of stuff with different ways to mush parts of subnets out to various remote sites (e.g. giving a remote site a single IP off the hub site's subnet.) There's way too much documentation on it if you're interested.
Actually, IPSEC does require setting up point-to-point connections (though they can be tunnel mode or transport mode) - but one of the goals of FreeSWAN's Opportunistic Encrytion was to do this automatically whenever possible.
The real difference is that IPSEC is encrypting at the IP layer of the protocol stack, aka Layer 3 in OSI terms, while OpenVPN is creating a TCP Layer 4 tunnel. Inside the tunnel, IPSEC normally puts Layer 3 IP packets, while OpenVPN does something with a TUN/TAP driver on the ends, so they could be doing Layer 3 IP packets or Layer 2 Ethernet packets, and I haven't read the docs enough to know which they did. Layer 4 has more overhead, but has a potentially easier time going through NAT.
For both of these applications, you have to create an association between two endpoints, and then tell your endpoints' packet handlers to use that association when they want to get packets somewhere. The choice of protocol layers for the inside and outside of the crypto tunnel has a major impact on how you get the routing mechanisms (or whatever) to decide to set up a tunnel and send packets through it.
IPX actually did fine - it was the IP layer equivalent. What sucked on large networks was Netware. One of its problems was inadequate flow control (though I forget if that was SPX's fault or other Netware protocols - the PBurst stuff just didn't cut it when there were congestion problems.)
But the real performance killer on lots of networks was all the chatty SAP announcements - even on a medium-sized network, all the printers advertising themselves can clog up any useful bandwidth, which often meant 56kbps back when this sort of networking was common for users like banks, retail stores, and branch offices of big companies. Yes, we learned how to do SAP filtering, and eventually Novell came out with NLSP which helped a lot.
The more important problems were pricing - upgrading to Netware 5 which could use TCP/IP instead of IPX tended to cost too much for the types of companies that were big Netware users back in mumblety-95, so they stayed with IPX way past its prime, around the time that Microsoft was figuring out how to make NetBIOS-over-IP perform badly over long distances (as opposed to NetBIOS-over-NETBEUI.) While Microsoft _still_ doesn't have a clue about decent networking, they were good enough to beat Netware in the market, and small networks of either Netware or NetBEUI could both be self-configuring, a lesson we're trying to relearn for IPv6.
but you knew it was going to take a while anyway... We hung a couple of 3B2s on our network just to crunch troff, and set up an LP queue thingy to feed them. That kept the CPU load managable, and gave you a way to check on your print job's status before walking over to the printer.
I'm going to try Mozilla 1.7 and hope it works well, but otherwise I'm going to back the Firefox 0.9 sucker out and upgrade to 0.8 again, unless _it_ annoys me enough to upgrade to 0.7. Some things that are annoyingly broken:
Javascript-driven navigation buttons don't work. I installed 0.9 last night, and found that I can't get into a number of critical sites, mostly at work. Sure, Javascript navigation is a total loser approach to things, but I'm not in charge of the web site with internal documentation on the products I support, and our IT droids increasingly write things for IE only.
Autoproxy doesn't appear to work; I've had to resort to manual proxies, with the "Don't use proxy for my-domain.com" option (which means I can't see my company's public websites, just internals.)
Usual nitpick - some of my bookmarks, cookies, passwords, etc. seem to have been imported successfully, some haven't.
Minor nitpick - some of the themes and extensions I like haven't been ported to 0.9 yet, such as the ones that take less screen space for toobars. The problem isn't the proxy server - works fine with 0.8.
Somebody really needs to put Harlan and RMS in the same room for a while. Maybe with ESR to moderate.
AOL didn't put enough work into blowing off Harlan and his lawyer when they first complained. The DMCA is an awful mess, and people besides Harlan have found even worse things to do with it than he did, but he really does not appear to have understood Usenet or ISPs or the Internet particularly well, except as a medium for evil nassttyy fffffile ssssharrerrrssss to steal hisss preciousssss. Now, piracy is not unknown on Usenet, and while it's not quite mandatory in many of the alt.binaries newsgroups, that's only because spam fills up the rest of the spare bits. But that not only doesn't mean that he can reasonably expect ISPs to pay copyright lawyers to read through every terabyte of slowly-moving-self-parody that comes in on the newsgroups to determine what might or might not be pirated, it also doesn't mean that it's reasonable for him to demand that they block access to material or sites that their subscribers might try to access, any more than he can reasonably demand that Xerox not sell devices that facilitate book piracy.
Sounds like they haven't enabled POP3 or IMAP then. You could try to telnet to the ports for those protocols on the Exchange server's IP address just for fun, but it's probably a lost cause.
Exchange can support POP3, IMAP4, and SMTP, if your sysadmins at work configure it to do so. You'll have to ask them if they've done so. Thunderbird can support POP3 and IMAP4.
If your sysadmins support both, then you'll have to make a choice, depending on your work style and environment. Are you on a desktop machine that's always connected, with your Outlook mailboxes living on the server? Are you on a laptop that's usually disconnected, and you want to keep all your mail on it for when you're offline? Do your sysadmins make you keep your mail on your PC where space administration is your problem, not the server's? Do you have shared folders that you regularly access?
It's only wrong if you care about other people
on
Spammer Apologizes
·
· Score: 3, Insightful
If you don't care about other people, it's simply not a problem, except if it makes less money for *you*, because you're the only person in the universe who matters. The fact that you're annoying people who *aren't* potential customers doesn't matter as long as they don't sue you or get you kicked off your ISP, because they weren't going to give you money anyway.
Annoying potential customers is something most spammers _do_ understand, but since they can make money with a 0.0001% success rate (or whatever), they're happy to let the other 49.9999% of the potential customers get their Herbal Fake Viagra from other sources - it's just a marketing niche choice, and different spammers may make different choices about how blatantly to lie and how flashy and annoying their ads can be based on real or imagined response rate.
During a lawsuit, some spammers may realize how much direct cost they've caused (because they may have to pay it, if they've got any money), and they may realize how many people are mad enough at them to sue them, and they may even begin to understand how many of the 9 billion email messages they sent went to duplicate addresses. But that's not the same as realizing the effects it has on the recipient, because you have to _care_ about the recipient, and sociopaths fundamentally don't care about other people.
On the other hand, some spammers do _begin_ to understand how spam recipients feel when they have to keep changing their phone numbers because of all the calls in the middle of the night asking them if they're unsatisfied about their penis size or whether they'd like a great deal on a mortgage on their new place in Siberia.
And the Supreme Court says it's ok because as citizens we're supposed to know the Bill of Rights well enough that we know they don't have any authority to demand ID or do anything to you if you refuse. (Exception: if you're driving, they can demand to see your driver's license, which is pretty dodgy Constitutionally but tends to hold up.)
So if they ask my for ID, they can try to scan the prints on my middle finger.
Searching for routes in a collection of roads is a discrete graph optimization problem that people have put lots of work into. Searching for routes across arbitrary terrain is much more complex, and the math's different.
For instance, if a road is zigzagging up a hill, and you're in a car or tank, the road is probably your best route. If you're on foot going uphill, it might still be your best route, or it might not. If you're on foot, cutting off the curves and going straight down might be a better route, depending on how steep it is, and if you're in a tank, it might also be a good route if it's not too steep and doesn't have too many trees in the way.
If you're on foot, do you walk through a swamp or take the longer road around it? ("Waist deep in the big muddy.mp3")
But John, you work at a company that has really good network engineers doing their infrastructure, so they've made sure to do things competently and think of the important issues. (For instance, they were one of the early companies to figure out that you put the 802.11 _outside_ the corporate firewall and run VPNs over it.) They've almost certainly got enough switched lan bandwidth behind the Access Points to get good throughput, while the columnist was at a trade show where the network was overloaded, just barely stayed up at all, and was probably installed by convention center union engineers instead of techies. (That's not to criticize union engineers - the hardware is probably nailed to the wall securely enough you could stand on it, in a location picked for mechanical stability, rather than attached to the radio-propagation-optimal spot with duct tape like a techie would do.) VON is probably a much more benign networking environment that, say, DEFCON, but the standard VOIP codecs aren't good at high latency and high packet loss which were apparently a problem for even regular data. Skype uses some of the codecs from GlobalIP which are designed to tolerate higher-loss environments, so it would have had a better chance,
The stuff should Just Work if you install it out of the box, as long as you're not getting too much interference from microwave ovens, 2.4GHz cordless phones, etc., and as long as you do something with traffic shaping to handle slow cable/DSL uplinks, but it's possible to do it badly, and the columnist appears to have reviewed what happens under near-pessimal conditions, and appears to be surprised that that didn't work.
The term "Darknet" used for pirated content distribution appears in a Microsoft Paper. The term appears to be appropriated from Tim May'sBlacknet gedankenexperiment on uses of private communications and digital cash. A few magazine pundits have adopted it, but the term doesn't appear to be in wide use even among pundits.
The Cymru Darknet is something entirely different, and it's not a honeynet either. Honeynets are nice sticky traps waiting to snare actively attacking crackers. This Darknet is primarily a passive monitoring system, and while it will see some active attacks such as port scans, another interesting thing it sees is backscatter from forged traffic, like CAIDA's System is tracking. Many DOS attacks use spoofed packets from random addresses, such as ICMP or SYN floods, and the victims or some routers will send TCP ACKs or ICMP responses back to the (forged) source, and some proportional fraction of that will end up in your darknet's detectors. It won't catch all such attacks - ISPs that want to be good citizens run the RFC2267 / RFC2827 best practices like uRPF spoof-proofing, which prevent their customers from forging packets except from the forger's own subnet address space, so you won't see those, but they're usually much less of a problem because they're easier to block, trace, and shut down. (Some of the cracker tools out there have built-in options to only forge within your/24 for just this reason.)
If you want the Eurocrats to go paranoid, remind them that making Open Source software test for the banknote pattern GIVES AWAY THE PATTERN, and gives away code that tests for it. That means that it's easy for higher-tech Bad Guys to print just the right patterns. Sure, it cuts down on some of the lower-tech bad guys running up money on a Xerography machine, but counterfeiting has always had the reputation of being a crime for geeky specialists, not dumb thugs.
I just took my Exchange mailbox and WinZipped it. 1.4 GB raw became 760 MB compressed - about 50%. Not only is a typical Exchange user unlikely to have most of their mail messages fit into 10KB of text, they're stored in clunky formats. Probably most of the bytes in my mailbox are Powerpoint, and most of the rest are Word. 3/4 of my spam is probably 10 KB of text:-), but the rest has embedded pictures, and in any case it all gets deleted.
Sure, it's nice to get a guaranteed 10 year minimum lifetime. But these droids are talking about a guaranteed 90 day MAXimum lifetime. Unreliable disks aren't great, but they're much better.
Also, there's the issue of centralized vs. distributed archiving. If you're centralizing, DVDs are obviously the better choice, because you can store 6 times are much data on each, and if you're doing one mailbox at a time, you're less likely to need multiple disks. For distributed use, though, CDs may win, because government bureaucrats are much more likely to have CD readers than DVD readers; some of them will also have CD writers. Probably the best choice is to have one archive copy and one copy for the user to keep, and bar-code-label the archive.
They're estimating that it would cost $250K/year in management and hardware to expand their system. Assuming that half of that's hiring a good sysadmin (:-), the only way I can see them spending that much money just for expansion is that they must be running some clumsy proprietary mail system - probably MS Exchange, or possibly some antique from IBM (worst case = PROFS.) Exchange has the advantage that it encourages bloatmail - sending attached Word documents instead of simply writing text, or sending Powerpoints instead of Word. I've probably got a gigabyte of mail from the last year, even though I delete lots of stuff. A better-behaved user (:-) might have a mere 100 MB, and it's hard to compress this stuff beyond 2:1 because of MS's binary mailbox formats, even if they're not using the encrypted stuff.
The real way to do storage, though, is to let the users keep their mailboxes on their own PCs. My company's IT department pushed us in that direction many years ago, partly because it's the only way to really support laptop users, but partly because it gets rid of the central storage bottleneck and makes it the user's problem to not run out of disk.
A more convenient mail system would make it possible to archive this stuff to DVDs, or CDs for users with smaller mailboxes. (CDs are more useful, because most PCs have CD readers, and most government-office PCs are unlikely to have DVD readers, and probably most don't have CD writers yet either - you'd have to do this in a centralized fashion.) So have a centralized group burn the stuff to CD, unless the users have their own CD burners.
Coders of old? I resemble that remark! The Caps Lock key on PC keyboards is where the Control key belongs. I've occasionally had programs that would remap it to be an extra control key, or at least to beep without doing anything else, but unfortunately every version of Windows seems to do something else to kill that, or I can't find one to reinstall when my hard drive flakes.
Regexps were one of the couple of critically cool Unix tools back in the day. Of course, with screen-based editing it's less critical than it was with "ed" and its friends, but it's still a fundamental tool you need to learn.
What *would* be great would be a little more consistency in which regexp formats were being used:-)
Passfaces were friendly, and gave you 4 sets of 9 faces to pick the right ones from. (I'm not sure if the current implementation is still that arrangement - it wants some plugin I'm not running.) That's cute, but it's no more secure than a 4-digit PIN, so it's useless against any automated attack. If this thing has 100,000 possible values, that's still just 5 digits.
It's ok as an add-on in addition to a password, for environments that can use it practically, since it balances out people's preferences for wimpy passwords, but it's not enough for most standalone use.
That also takes care of one of the concerns I had about their system, which was access for laptops that don't have GigE in them. (Sure, you can get a GigE switch for about $100 now that'll connect your $200 fiber/GigE to your laptop's 10/100, but it's yet another annoying frob to pay for.)
If you RTFP, they do reference Palm in their prior art section, but all through the patent description they're referring to "palm-sized computers" and similar phrasings that sound annoyingly close to "Palm". Tacky.
The FreeSWAN project did a bunch of stuff with different ways to mush parts of subnets out to various remote sites (e.g. giving a remote site a single IP off the hub site's subnet.) There's way too much documentation on it if you're interested.
The real difference is that IPSEC is encrypting at the IP layer of the protocol stack, aka Layer 3 in OSI terms, while OpenVPN is creating a TCP Layer 4 tunnel. Inside the tunnel, IPSEC normally puts Layer 3 IP packets, while OpenVPN does something with a TUN/TAP driver on the ends, so they could be doing Layer 3 IP packets or Layer 2 Ethernet packets, and I haven't read the docs enough to know which they did. Layer 4 has more overhead, but has a potentially easier time going through NAT.
For both of these applications, you have to create an association between two endpoints, and then tell your endpoints' packet handlers to use that association when they want to get packets somewhere. The choice of protocol layers for the inside and outside of the crypto tunnel has a major impact on how you get the routing mechanisms (or whatever) to decide to set up a tunnel and send packets through it.
But the real performance killer on lots of networks was all the chatty SAP announcements - even on a medium-sized network, all the printers advertising themselves can clog up any useful bandwidth, which often meant 56kbps back when this sort of networking was common for users like banks, retail stores, and branch offices of big companies. Yes, we learned how to do SAP filtering, and eventually Novell came out with NLSP which helped a lot.
The more important problems were pricing - upgrading to Netware 5 which could use TCP/IP instead of IPX tended to cost too much for the types of companies that were big Netware users back in mumblety-95, so they stayed with IPX way past its prime, around the time that Microsoft was figuring out how to make NetBIOS-over-IP perform badly over long distances (as opposed to NetBIOS-over-NETBEUI.) While Microsoft _still_ doesn't have a clue about decent networking, they were good enough to beat Netware in the market, and small networks of either Netware or NetBEUI could both be self-configuring, a lesson we're trying to relearn for IPv6.
but you knew it was going to take a while anyway... We hung a couple of 3B2s on our network just to crunch troff, and set up an LP queue thingy to feed them. That kept the CPU load managable, and gave you a way to check on your print job's status before walking over to the printer.
Grrr.. ch ch ch.. grrrr. ch ch ch... grrrr.. ch ch ch.
Moneyyyyy - it's a crime. Gotta buy a new disk in a real _short_ time.
AOL didn't put enough work into blowing off Harlan and his lawyer when they first complained. The DMCA is an awful mess, and people besides Harlan have found even worse things to do with it than he did, but he really does not appear to have understood Usenet or ISPs or the Internet particularly well, except as a medium for evil nassttyy fffffile ssssharrerrrssss to steal hisss preciousssss. Now, piracy is not unknown on Usenet, and while it's not quite mandatory in many of the alt.binaries newsgroups, that's only because spam fills up the rest of the spare bits. But that not only doesn't mean that he can reasonably expect ISPs to pay copyright lawyers to read through every terabyte of slowly-moving-self-parody that comes in on the newsgroups to determine what might or might not be pirated, it also doesn't mean that it's reasonable for him to demand that they block access to material or sites that their subscribers might try to access, any more than he can reasonably demand that Xerox not sell devices that facilitate book piracy.
Sounds like they haven't enabled POP3 or IMAP then. You could try to telnet to the ports for those protocols on the Exchange server's IP address just for fun, but it's probably a lost cause.
If your sysadmins support both, then you'll have to make a choice, depending on your work style and environment. Are you on a desktop machine that's always connected, with your Outlook mailboxes living on the server? Are you on a laptop that's usually disconnected, and you want to keep all your mail on it for when you're offline? Do your sysadmins make you keep your mail on your PC where space administration is your problem, not the server's? Do you have shared folders that you regularly access?
Annoying potential customers is something most spammers _do_ understand, but since they can make money with a 0.0001% success rate (or whatever), they're happy to let the other 49.9999% of the potential customers get their Herbal Fake Viagra from other sources - it's just a marketing niche choice, and different spammers may make different choices about how blatantly to lie and how flashy and annoying their ads can be based on real or imagined response rate.
During a lawsuit, some spammers may realize how much direct cost they've caused (because they may have to pay it, if they've got any money), and they may realize how many people are mad enough at them to sue them, and they may even begin to understand how many of the 9 billion email messages they sent went to duplicate addresses. But that's not the same as realizing the effects it has on the recipient, because you have to _care_ about the recipient, and sociopaths fundamentally don't care about other people.
On the other hand, some spammers do _begin_ to understand how spam recipients feel when they have to keep changing their phone numbers because of all the calls in the middle of the night asking them if they're unsatisfied about their penis size or whether they'd like a great deal on a mortgage on their new place in Siberia.
So if they ask my for ID, they can try to scan the prints on my middle finger.
For instance, if a road is zigzagging up a hill, and you're in a car or tank, the road is probably your best route. If you're on foot going uphill, it might still be your best route, or it might not. If you're on foot, cutting off the curves and going straight down might be a better route, depending on how steep it is, and if you're in a tank, it might also be a good route if it's not too steep and doesn't have too many trees in the way.
If you're on foot, do you walk through a swamp or take the longer road around it? ("Waist deep in the big muddy.mp3")
And does this means they're going to steal it, or just cram it into that narrow slot in the reader?
The stuff should Just Work if you install it out of the box, as long as you're not getting too much interference from microwave ovens, 2.4GHz cordless phones, etc., and as long as you do something with traffic shaping to handle slow cable/DSL uplinks, but it's possible to do it badly, and the columnist appears to have reviewed what happens under near-pessimal conditions, and appears to be surprised that that didn't work.
The Cymru Darknet is something entirely different, and it's not a honeynet either. Honeynets are nice sticky traps waiting to snare actively attacking crackers. This Darknet is primarily a passive monitoring system, and while it will see some active attacks such as port scans, another interesting thing it sees is backscatter from forged traffic, like CAIDA's System is tracking. Many DOS attacks use spoofed packets from random addresses, such as ICMP or SYN floods, and the victims or some routers will send TCP ACKs or ICMP responses back to the (forged) source, and some proportional fraction of that will end up in your darknet's detectors. It won't catch all such attacks - ISPs that want to be good citizens run the RFC2267 / RFC2827 best practices like uRPF spoof-proofing, which prevent their customers from forging packets except from the forger's own subnet address space, so you won't see those, but they're usually much less of a problem because they're easier to block, trace, and shut down. (Some of the cracker tools out there have built-in options to only forge within your /24 for just this reason.)
If you want the Eurocrats to go paranoid, remind them that making Open Source software test for the banknote pattern GIVES AWAY THE PATTERN, and gives away code that tests for it. That means that it's easy for higher-tech Bad Guys to print just the right patterns. Sure, it cuts down on some of the lower-tech bad guys running up money on a Xerography machine, but counterfeiting has always had the reputation of being a crime for geeky specialists, not dumb thugs.
I just took my Exchange mailbox and WinZipped it. 1.4 GB raw became 760 MB compressed - about 50%. Not only is a typical Exchange user unlikely to have most of their mail messages fit into 10KB of text, they're stored in clunky formats. Probably most of the bytes in my mailbox are Powerpoint, and most of the rest are Word. 3/4 of my spam is probably 10 KB of text :-), but the rest has embedded pictures, and in any case it all gets deleted.
Also, there's the issue of centralized vs. distributed archiving. If you're centralizing, DVDs are obviously the better choice, because you can store 6 times are much data on each, and if you're doing one mailbox at a time, you're less likely to need multiple disks. For distributed use, though, CDs may win, because government bureaucrats are much more likely to have CD readers than DVD readers; some of them will also have CD writers. Probably the best choice is to have one archive copy and one copy for the user to keep, and bar-code-label the archive.
The real way to do storage, though, is to let the users keep their mailboxes on their own PCs. My company's IT department pushed us in that direction many years ago, partly because it's the only way to really support laptop users, but partly because it gets rid of the central storage bottleneck and makes it the user's problem to not run out of disk.
A more convenient mail system would make it possible to archive this stuff to DVDs, or CDs for users with smaller mailboxes. (CDs are more useful, because most PCs have CD readers, and most government-office PCs are unlikely to have DVD readers, and probably most don't have CD writers yet either - you'd have to do this in a centralized fashion.) So have a centralized group burn the stuff to CD, unless the users have their own CD burners.
Coders of old? I resemble that remark! The Caps Lock key on PC keyboards is where the Control key belongs. I've occasionally had programs that would remap it to be an extra control key, or at least to beep without doing anything else, but unfortunately every version of Windows seems to do something else to kill that, or I can't find one to reinstall when my hard drive flakes.
What *would* be great would be a little more consistency in which regexp formats were being used :-)
It's ok as an add-on in addition to a password, for environments that can use it practically, since it balances out people's preferences for wimpy passwords, but it's not enough for most standalone use.
Just an FP, nothing to see here...
That also takes care of one of the concerns I had about their system, which was access for laptops that don't have GigE in them. (Sure, you can get a GigE switch for about $100 now that'll connect your $200 fiber/GigE to your laptop's 10/100, but it's yet another annoying frob to pay for.)
If you RTFP, they do reference Palm in their prior art section, but all through the patent description they're referring to "palm-sized computers" and similar phrasings that sound annoyingly close to "Palm". Tacky.