The problem isn't TCP stacks that are flawed because they don't implement TCP properly. It's TCP stacks that failed to imagine some of the creative ways to attack them. Sequence number guessing has been around for a while (see papers by Bellovin and others), but apparently the guy has figured a somewhat more efficient way to guess them on some popular platforms, apparently including Cisco routers.
Routers don't usually do a lot of TCP themselves, except SSH or telnet access for management, but the one big exception is the BGP protocol that routers use to connect to each other, primarily at the interfaces between carriers. The BGP sessions stay up for a long time, and killing them tells the router that it's no longer talking to its neighbor so it should go find a different route to get to that network, which is really really annoying. On the other hand, BGP has options to do more checking on BGP messages before accepting them, and carriers that do spoof-proofing to prevent their customers from forging packets have less risk, and carriers that block packets addressed to their routers accept from approved destinations are much safer.
Some customer connections to ISPs use BGP, especially if the customer uses multiple ISPs, though most are static - these could be subject to spoofing by somebody inside the customer's network, if they're not careful. (The customer could be an ISP, or they could be a regular customer with an employee who has next month's interesting virus.) So customers who don't want to get thrown off the net should probably be careful to do good firewalls to keep their own users from spoofing their connections.
Kremen _was_ first out of the gate, and had the domain to himself for most of a year before it got ripped off. He hadn't done anything particularly profitable with it, which was part of how Cohen was able to rip it off without being noticed for a while. Cohen was the one who built it into a valuable property, though much of that was lucky timing on his part, stealing it before the web boom really took off, but it wasn't likely to ever be worth $40M if Kremen had kept owning it.
But still Netsol not only shouldn't have let themselves get fooled, they should have fixed the problem promptly when they were notified about it.
The press release doesn't say whether it was the full $65million or some smaller amount, or how long Verisign would have to pay. Google News has pointers to one or two versions of the press release, plus Slashdot (:-), plus a Wired article that has the press release but also speculated that the settlement is probably a lot less than the full boat, and some comments on Kremen's attempts to track down the assets of Cohen the name thief.
This is the first time I've heard anybody say that Maglev was noisy - the hype I've heard always says they're quiet, smooth, wonderful experiences that will be available Real Soon Now. The real issue is Maglev vs. regular trains, whether electrical or diesel. They have been extraordinarily expensive, at least as pilot projects go, though supposedly they'll provide different economics for the costs of track maintenance because they're not rolling wheels down the track, plus they'll go faster so they'll be practical for more people who currently take automobiles because trains are too slow.
Monorails and old-fashioned elevated trains have the theoretical advantage that they're not competing with cars for road space. In practice, monorails are a cool way to ride to Disney World, but haven't been very useful beyond that. Real maglev developments will need to get right-of-way that's currently mostly used by old-fashioned trains, so unless they can share the same track space, or fit next to the older train tracks, deployment is impractical and expensive in any place that has the population density for them to be interesting. Here in San Francisco, we have a similar problem with BART - the BART trains use a wider track for stability, and that guarantees that they can't share right-of-way with regular freight trains, so they need huge amounts of money to get their own right-of-way. (Some cynics would argue, after watching the BART system operate, that spending huge amounts of money is its primary reason for existence.) By contrast, the Caltrain commuter trains that go up the penninsula from Silicon Valley to San Francisco share tracks with the regular freight trains, so their major costs are just operating the equipment, not buying land after it's become expensive.
Fuel isn't subsidized in the US, it's heavily taxed (though not as heavily as in Europe.) The costs of burning irreplaceable dinosaur juice may be unrealistic compared to the value of saving it for future generations, and the oil companies have been allowed to get away with pollution (though that largely affects land that isn't owned by other people, so it's in some sense a future cost that they're not paying, if anybody ever does clean it up), but those aren't subsidies. Sure, the US military works for the oil companies, but it's a self-sustaining empire all its own.
The real subsidies that affect the US preference for cars as opposed to trains are socialized roadbuilding. The public wants its roads, and any time you build more roads, making commuting easier, you make more housing development possible because more people can now live where you built the roads, and once a new area is opened up for housing, it tends to build more houses than the roads can really support, so there's more pressure to make the roads bigger. Residential streets in suburban land developments are essentially funded as part of the costs of building the houses, either explicitly or indirectly, but the regional connector roads get heavily subsidized. And especially as most of the US economy moves to a white-collar services model and stops being manufacturing-oriented, this also makes it easier for offices to move out of the core cities, decreasing the reasons for people to live downtown. Sometimes they go to edge cities, sometimes to quasi-residential areas.
The world's population isn't moving into cities because the suburbs are too dull. They're moving into cities because the old model of subsistence farming is obsolete - tractors increase the amount of land one person can farm, fertilizer and better seeds increases the yield of the land, modern medicine reduces infant and child mortality to the point that most of your kids live, and you don't need them all as farm workers like you did pre-tractor, so they've got to move to the city because there's nothing to do down on the farm and they might be able to get a job in the city.
In some traditional societies, farms were inherited by the oldest son, so any younger sons that lived had to find other jobs like soldiering or priesthood or occasionally crafts like blacksmithing, or else go find new farm country to move into. In other societies, the farm got split up among the sons (or sometimes sons and daughters), so the farmland per family got smaller and smaller, leading to grinding poverty and increased risk of famine. Societies that did herding rather than grain-growing had an easier time, as long as there was enough pasture land available, either to be nomads or relatively stable locations. But we've filled up most of the locations for new farmland, except for destroying the rest of the rainforest or finding better irrigation techniques. And modern medicine cut down death rates for a long time before modern birth control started to do much about birth rates, and being a nun or monk isn't as popular as it used to be, so it's time for the kids to move to the city.
Forgot to mention - at least in the US, zoning laws that are designed to keep factories and residential areas far apart guarantee that people need to commute. You can't walk to work at a factory if you're not allowed to live near it. White-collar office work has less problem with that, though many cities try to micromanage the locations of office complexes and residential areas, but medium-large cities usually at least have enough office concentration to make transit like trains and busses semi-workable. The other way to make transit work well is to have housing that's concentrated - but suburbs generally don't do that well, and big cities like San Francisco micromanage it to the extent that it's much harder and more expensive to build than it should be, and high-density housing generally means annoyingly small housing, which is bad enough if you don't have kids and worse it you do. It's also much easier to locate a one-worker family close to work than a two-worker family. While I was commuting an hour each way by train, my wife had a 10-minute drive...
TGV is a long-distance train, not a commuter train. It's great for getting from Paris to Bordeaux or Marseilles insteading of flying, but it's not what you use to get to work in the morning if you live in one part of the city and your job is in another part. European trains work well in large part because they fit the way population density evolved, and because you have countries that aren't more than ~500km across. On the other hand, much of the development of American suburban sprawl depends on heavily subsidized road-building and affordable automobiles. It wasn't always this way - Berkeley CA is an example of a city that was developed around a train line that made it possible to commute to San Francisco (the trains crossed the Bay Bridge.) American trains work really well for commuting from New Jersey to Manhattan, and there's enough concentrated job density and local transportation infrastructure in the city to make it feasible (though most people drive from home to the train), and parking in Manhattan is much scarcer and more expensive than train tickets.
I like telecommuting as a way to avoid commuting. I still work for the same huge company I used to work for, and I spent five years taking the train into San Francisco, and a couple years driving to San Jose (15 minute drive vs. 45 minutes for train connections), and it's nice to only need to go to the office once or twice a week.
Obvious bank to pay them from ...
on
419er Lost in Space
·
· Score: 2, Funny
The obvious bank to give them transfer information for is the Bank of Hong Kong in Luna City.
(That's from "The Moon is a Harsh Mistress", and yes, that's Luna City as in the Moon colony...)
My copy of A Brief History Of Time seems to have wandered off into deep bookshelfspace, but I thought Hawking's model was more like a hypersphere, not a hypertoroid.
There are lots of different shapes out there besides flat universes that have at least one theory supporting them, and things aren't even settled about whether the curves are open or closed - will the Universe end in a Big Crunch or a Cosmic Wimpout?
The ancient Greeks weren't Flatlanders living 2-dimensionally on the curved-but-flat surface of the Earth, discovering the curvature by the behaviour of parallel lines in Flatland or by walking around it and getting back to the same place. The basic concepts that let people think about roundness came from standing up and seeing a horizon in the distance, and standing higher up on top of things and seeing a wider horizon. That's already three-dimensional motion. The techniques that they used to figure out more precisely how big the Earth is and how far away the moon is involved going down in wells and looking at objects that were high up (Moon, sun, stars, etc.) and measuring the angles. Those objects were far enough outside the Earth that they could get good measurements, but even the most basic tools they used involved standing up perpendicular to Flatland.
Sure, science cares about observing how things behave, but it does that in the context of making hypotheses about what's really going on, which go way beyond what we expect to actually be able to observe.
Sometimes the universe just misbehaves and fails to cooperate with your theories, which is when science gets to be fun - either your theories are thoroughly bogus, or they're slightly incorrect approximations, and this influences whether your previous models are or are not useful.
There have been lots of discussions since General Relativity came out about what shape the Universe has. Many of the models have a curvature parameter that's more than, equal to, or less than the value for a flat universe.
Some of the models are closed curves that are finite in size - the typical analogy is a 4-space hypersphere with a 3-d surface that the Universe maps onto, similar to the way the 2-d surface of the Earth is wrapped around a 3-d sphere and doesn't have edges. But that's not the only model. (The string-theory and membrane-theory folks add another half dozen dimensions to the mix, but the big dimensions can still mostly follow that model.)
Some of the models say "no, it's not curved, it's flat, maybe a bit bumpy but it's really infinite".
Some of the models say it's the opposite of a closed curve - these typically look saddle-shaped or horn-shaped, because instead of the curvature in the x direction and the curvature in the y direction both going the same way, they're going the opposite way.
A lot of this stuff tends to be related to models about how much matter and energy the Universe has - is there enough mass to make it close in on itself or not, and do we need to postulate lots of as-yet-undiscovered "dark matter" to make it heavier, or enough even-less-defined "dark energy" to blow it apart?
This year's article isn't very clear on what's being taxed, but articles from last year when this silly concept was first noticed say that the tax is "9.17%", and aren't very clear on "9.17% of WHAT?"
9.17% of your bits are belong to us!
Does this just mean an extra sales-like tax on buying LAN equipment, e.g. 9.17% on the $29 hub I bought, and maybe 9.17% of the $10 of CAT-5 cable I bought? That means that they need to go bug Radio Shack into being aware of extra taxes to collect at point of sale.
Some articles implied that it included taxing 9.17% on the depreciation that businesses take on their capital expenditures for equipment, or on the expenses they charge if they expense the cost. But homeowners don't do that kind of accounting, so that's 9.17% of Zero.
If it does cover the expense or depreciation cost of LAN equipment, does it also cover the cost of installation labor? Or just parts?
If you installed wiring for one purpose, and reuse it for something different, does that suddenly make it taxable or non-taxable?
Does the tax cover wireless equipment? Cordless phones? Cordless PBXs? Cell phones? What if the cell phone was free if you bought the service plan?
Isenberg's famous paper "The Stupid Network" advocates network architectures that are stupid in the middle and smart at the edges. Obviously a tax on "stupid networks" is a "stupid tax", and, like the lottery, this is also a real stupid tax.
Yeah. What I've actually got at home is the P133 laptop with the cracked screen rather than the other way around:-) It works fine connected to a monitor (actually, it works *better* connected to a monitor, because it was an ultra-portable-for-its-day subnotebook with a 640x480 screen, and I can do 1024x768 on a monitor.) Once we're really totally done with the critical Windows application that it runs, it'll probably become a wireless router or DNS server, though it could stay running Windows as a web browser appliance in the living room.
Whole machine as Linux + X or ASCII terminal
on
Making Use Of Old LCDs?
·
· Score: 4, Interesting
Trying to salvage just the screen may be difficult. But often there's more of the original machine left than that, and you can find ways to use it efficiently. For instance, that 486-66 laptop is now too slow and lame to run any games other than D00m or Nethack, and the 500MB disk doesn't look so huge any more, and maybe the case is cracked and the keyboard doesn't work, but you may still be able to run enough Debian on it to get X to work so you can have it as an extra display device. If you want to hide most of the mechanism, you may be able to separate the display part of the case and just run longer wires to the base part, leaving the electronics intact. And maybe it can double as a print server as well.
Similarly, if you've got a laptop that's too lame for that, you might still be able to run Windows 3.1 and hyperterm on it, so you've got a scrolling ASCII display for data you feed it on the RS232 port, or maybe VNC running at 112 kbps. It's not your hot-stuff gamez box, but it's enough to display status information, and the great thing about a 386/25 is that you can be Entirely Fearless about performaing dangerous operations on it because there's really no downside risk:-)
PDAs can often run communications programs as well, so you can use the RS232 port to feed them ASCII streams to display. That Palm3 stand can sit neatly on top of your main PC, showing you whatever information you think is interesting in whatever font size you can read. Maybe it's just a clock and weather forecast and network intrusion detection display ("It's 3:32pm, 37 degrees outside, pollen count high, Virus of the Day is Netsky.U".)
If I'm reading the Authpf FAQ correctly, Authpf is a service that you run on your firewall, not on the target server behind it. Logging in to authpf on the firewall is equivalent to knocking on the firewall - both of them tell the firewall to let you access the target server that's hidden behind the firewall, and if you don't knock/authpf, the firewall won't let you in.
There are some tradeoffs - knocking systems are usually lightweight, while authpf is probably more thorough, especially about making sure the firewall hole gets closed when you leave. Different knocking systems have different bugs in them, and OpenBSD+SSH+AuthPF has the risks of more people attacking it, but the knocking systems have random authors while Authpf and its environment have to be blessed by Theo, so you've got some level of assurance about QA and future fixes. Also, knocking systems need various clients to knock with, and may be susceptible to firewall damage in between, while SSH is pretty widespread and firewalls generally let you make outgoing SSH connections.
Similarly, you could just make the knocking sequence dependent on the sender's IP address, e.g. 123.45.67.89 needs to knock on port Hash1(123.45.67.89) then Hash2(123.45.67.89).
Or your could reply to the second correct knock with information required to make the connection, e.g. something as simple as the correct port number that you're going to open, or some password to hash a third knock with. It's probably best not to do this for the first knock unless you require a password in the knock, because somebody who portscans your entire space would presumably hit one correct port, unless you block them after too many incorrect attempts (which has other problems, e.g. they DOS your friends by sending lots of forged incorrect knocking packets....)
Anonymous Coward's assertion that you've got no way to prevent replay attacks other than annoying one-time passwords is incorrect. You could do simple things like using the timestamp as a challenge string, and rejecting knocks that have timestamps that are too old. (Dude - if you want to talk to me, get yourself a decent NTP feed first!) Or you could do the reply-on-second-correct-knock bit I discussed previously. In general, if you're going to be paranoid, it's much more important to be paranoid about somebody hijacking the session that gets built after the knocking is over.
Besides's AC's concerns (and I generally agree with the "keep it simple or don't do it" advice), one of the purposes of this kind of system is to implement the knocking mechanism in a firewall that's simple enough to protect and doesn't contain critical data, and only permit connections to that buggy DDOS-able easily-cracked Windows server in your DMZ after doing some authentication. It's Defense-in-Depth, though it's the kind of thing that's much more useful for your 31337-h4x0r buddies to play games with each other than it is for your blog or corporate web page...
It's really annoying when cable modem companies do this, because there's almost always at most one cable tv company in a given area, so if they're clue-deficient, you don't have an alternative. (And most of them are not only clue-deficient, but contagiously clue-hostile.)
It's much less of a problem when DSL providers have policies like this, at least in the US, because usually the ex-monopoly telcos rent their copper to multiple DSL Layer 2 providers (often including themselves), and the DSL providers usually provide connectivity to many ISPs. So even if, for example, SBC DSL ISP service has some stupid policy, SBC provides Layer 2 access to many ISPs including Sonic.net and Speakeasy, who have friendly clueful policies, and they rent copper to Covad, who provide Layer 2 access to many more ISPs (sometimes with fewer connectivity options, e.g. maybe only SDSL or IDSL and not line-shared ADSL.) Sometimes these alternatives cost more - I'm paying about US$57/month for Sonic.net ADSL with four static IP addresses, vs. some of the newer loss-leader $29 deals from other providers.
Most other countries don't seem to have policies against being a Real User on your broadband service, at least if you're not commercially reselling it. Theoretically, this means that all those non-Americans out there should be creating lots of cool and interesting things to do with their broadband services, but I haven't seen much other than Yet Another File-Sharing System variants or some of the Asian grocery-shopping-on-line things that get magazine articles written about them but aren't very useful outside their local areas.
Comcast and other cable networks have different levels of cluelessness.
From a policy standpoint, they're suicidally clueless about expressing policies that limit their users to couch-potato passive consumerism instead of letting them be active users creating cool and interesting applications that will encourage more people to want broadband. As a stockholder I find this very annoying, and as a Comcast Cable TV subscriber who buys DSL because their policies forbid doing anything vaguely interesting on a cable modem, I also find this very annoying.
Some employees have lots of clue and know that they have stupid policies and don't go out of their way to set up mechanisms to enforce them. As one person said (some years ago) "Well, duh, Napster is the main reason people _buy_ broadband service.".
Some employees are too clueless to understand that an "ssh daemon" is a "server that seems to contradict the policy" so they don't do anything about it.
Most of the things they could do to block services that they bad take enough work (and therefore cost) to implement that they don't bother unless there's a specific performance problem. For instance, scanning for port 80 and 8000 and 8080 etc. takes lots of work, so it's not likely to happen, but blocking port 80 at their routers is pretty simple. So when the pick-your-favorite-Microsoft-IIS-virus happened, they went out and blocked port 80 on all their routers, and didn't go turn it on later when the virus storm was over.
Occasional employees have enough clue to understand what you're talking about and enough to realize that it violates their policies and enough to be able to do something about it but not enough to realize that the policies are stupid and ignore them. Some of these employees work in tech support, and you don't want to get one of them if you're calling in because you're having trouble with people attacking your web server or whatever.
Port Knocking Acceptance using UDP is very unlikely to be detected by ISPs, because the usual implementations are that somebody sends you a packet and you don't respond with a reject packet. It's much less visible than TCP services. On the other hand, if you use port knocking to turn on your Port 80 HTTP server, the ISP may not catch your server when scanning but may still have port 80 blocked in their routers, so it doesn't really help much.
Latency on the wireless part of a connection and latency on the wired part of a connection are much different issues, and the whole VOIP and Video-over-IP world is riddled with mythology about latency. If you've got an ISP connection with decent trunking and your uplink isn't heavily loaded, the biggest components of your latency between LA and Japan are the distance to Japan (which regular phone calls also have) and the sampling time of your codec. But if you're sharing an overloaded community wireless LAN that takes six hops through random users' PCs (anything from laptops to PDAs to Fuzzballs to 5GHz-P4s running Genome@Home) to arrive at a 384/128 ADSL connection that's competing with the Mandrake BitTorrrent and three P2P music sharing networks, you'll get a lousy connection to someone in the next town.
However, I agree with you that ease of use is the more serious problem - the prevalence of NAT routers has been breaking the Internet End-to-End model to the extent that John Walker pulled his support for Speak Freely, one of the early pioneer VOIP systems. Some closed systems like Skype do supernode things to work around it, commercial systems like Vonage and AT&T use appropriately designed equipment, and some systems limit their support to the PC-to-PSTN direction. It's an ugly mess.
Wireless clouds are cute and friendly and don't have really huge bandwidth (though I'm one of those old-timers who remembers when 56kbps *was* really huge bandwidth:-). Fiber optic pipes *do* have really huge bandwidth, and most of the locations you want to talk to are connected to them, and if you want your community wireless network to do anything useful, you're going to need to tie them together, typically using the wireless for local access and maybe cross-town access and using ISPs for long-haul backbones. You might tie into them by buying big-ISP service at some points (e.g. if you're a non-zero-cost cooperative), or community members who have friendly DSL ISPs like Sonic and Speakeasy might share their bandwidth, or you might be part of a commercial local wireless net such as Sonic.net's Sonoma County rooftop networks. The more complex and mobile your network, the harder it is to get routing right.
Interference from the government is a relatively orthogonal problem. There are several different kinds you can run into, including
Government-run or government-mandated private companies providing local telecom or cable services that restrict what you do with your access. Wireless access that doesn't use these services usually avoids this problem, though you're still connected to a longhaul provider at some point. In some countries, it's not that easy - even though most of the world has "telecom liberalization" now, there are still usually some restrictions on competing with The Phone Company.
Government-mandated fees (like Universal Service Gore Tax, access charges for the privilege of connecting your phone line to long distance (even if you only use it for DSL, not voice), etc. that you avoid by not using the government-supported telcos as access providers.
Wiretapping on your data connections: Wirelesstapping is often easier to implement, but wiretappers know where the phone company buildings are, and can often bully the telco into implementing the wiretaps and passing along the cost in their rate base. Either way, if you don't use encryption, you're tappable. The US FBI is trying to expand the current regulations that let them wiretap voice calls to cover all ISPs as well as traditional phone companies, because they want the expanded power, expanded lack of accountability, and ability to force other people to pay the costs of their habit.
Even if you're using encryption, wirelesstappers (or wiretappers, if you're going somewhere far enough away to need wire) can show which IP addresses are talking to which other IP addresses. That means that unless you're using encrypted tunnels across the wired space, and/or changing your IP address for every connection in ways that aren't logged, you're not going to get much anonymity. Building Anonymity is hard work.
Wiretaps on voice calls - if you're using a gateway from IP SIP space into the Public Switched Telephone Network, that gateway can be wiretapped just like any other phone call. The big difference is that the gateways don't have to be located in the same jurisdiction as you are, though for cost reasons they're usually located near the recipient. That means that if you're IP-phoning one of your non-IP-telephony-equipped neighbors to plan next month's anti-war protest, your local police Red Squad can get a court order to wiretap your neighbor's phone, and John Ashcroft can get an unaccountable back door into the VOIP gateway in your area code -- but if you're IP-phoning one of your friends in another state to come speak, your local police can't tap you, because the gateway isn't in their territory, and they probably won't do the paperwork to get a tap on your friend unless you call them a lot. If you're calling somebody in Palestine to come speak, the NSA / GHCQ Echelon wiretappers might be listening, and Mossad or Shin Bet might also be listening, but that's both on the far end.
.... many other forms of interference I haven't thought of - add your own...
Usually the wrong level for solving that problem
on
Ethereal Packet Sniffing
·
· Score: 3, Informative
Spam doesn't arrive in packets - it arrives in SMTP sessions, packaged in TCP flows, packaged in IP packets. That means that you don't have a whole spam session in any given IP packet, so it's much harder to detect spamminess from sampling IP packets than from sampling at the SMTP handler. For most people, all the incoming SMTP is handled at one place - one of your home machines if you're at home, or one of your servers (or clusters of servers) if you're a mailbox provider or a business.
If you're an ISP or hosting center that has customers that you're only providing with IP services, not email services, you _could_ sniff packets and send RSETs to kill sessions that look like spam, but you'd be doing it with less information than your customers, and you would probably end up killing off lots of useful mail, such as the message they're sending to abuse@example.net telling them how to find the spammer that just sent them this message. Usually a bad idea.
It's not an incorrect view about breathing liquids - it's a science fiction futuristic view. Breathing Fluorinert works fine for mice, because it can dissolve lots of oxygen, and theoretically someone could do the same thing for humans, not that *I* want to try it. There's lots of science fiction around the problems or opportunities for doing it in different environments.
But no, I'm not aware of anybody actually using it for deep diving either, as opposed to Trimox or other mixtures. Liquid breathing would have some advantages, because it would let you avoid the risks of crushing that high-pressure water environments have.
Why wait? Vacuum it up right away:-) Should work fine. That does leave you a shop-vac full of this liquid, mixed with whatever other gunk is on the floor, but that's ok.
Or you could pour liquid nitrogen on it and sweep up the resulting ice - freezing point is -108 C, so you can't just use dry ice to freeze the non-wet liquid:-)
Routers don't usually do a lot of TCP themselves, except SSH or telnet access for management, but the one big exception is the BGP protocol that routers use to connect to each other, primarily at the interfaces between carriers. The BGP sessions stay up for a long time, and killing them tells the router that it's no longer talking to its neighbor so it should go find a different route to get to that network, which is really really annoying. On the other hand, BGP has options to do more checking on BGP messages before accepting them, and carriers that do spoof-proofing to prevent their customers from forging packets have less risk, and carriers that block packets addressed to their routers accept from approved destinations are much safer.
Some customer connections to ISPs use BGP, especially if the customer uses multiple ISPs, though most are static - these could be subject to spoofing by somebody inside the customer's network, if they're not careful. (The customer could be an ISP, or they could be a regular customer with an employee who has next month's interesting virus.) So customers who don't want to get thrown off the net should probably be careful to do good firewalls to keep their own users from spoofing their connections.
But still Netsol not only shouldn't have let themselves get fooled, they should have fixed the problem promptly when they were notified about it.
The press release doesn't say whether it was the full $65million or some smaller amount, or how long Verisign would have to pay. Google News has pointers to one or two versions of the press release, plus Slashdot (:-), plus a Wired article that has the press release but also speculated that the settlement is probably a lot less than the full boat, and some comments on Kremen's attempts to track down the assets of Cohen the name thief.
Monorails and old-fashioned elevated trains have the theoretical advantage that they're not competing with cars for road space. In practice, monorails are a cool way to ride to Disney World, but haven't been very useful beyond that. Real maglev developments will need to get right-of-way that's currently mostly used by old-fashioned trains, so unless they can share the same track space, or fit next to the older train tracks, deployment is impractical and expensive in any place that has the population density for them to be interesting. Here in San Francisco, we have a similar problem with BART - the BART trains use a wider track for stability, and that guarantees that they can't share right-of-way with regular freight trains, so they need huge amounts of money to get their own right-of-way. (Some cynics would argue, after watching the BART system operate, that spending huge amounts of money is its primary reason for existence.) By contrast, the Caltrain commuter trains that go up the penninsula from Silicon Valley to San Francisco share tracks with the regular freight trains, so their major costs are just operating the equipment, not buying land after it's become expensive.
The real subsidies that affect the US preference for cars as opposed to trains are socialized roadbuilding. The public wants its roads, and any time you build more roads, making commuting easier, you make more housing development possible because more people can now live where you built the roads, and once a new area is opened up for housing, it tends to build more houses than the roads can really support, so there's more pressure to make the roads bigger. Residential streets in suburban land developments are essentially funded as part of the costs of building the houses, either explicitly or indirectly, but the regional connector roads get heavily subsidized. And especially as most of the US economy moves to a white-collar services model and stops being manufacturing-oriented, this also makes it easier for offices to move out of the core cities, decreasing the reasons for people to live downtown. Sometimes they go to edge cities, sometimes to quasi-residential areas.
In some traditional societies, farms were inherited by the oldest son, so any younger sons that lived had to find other jobs like soldiering or priesthood or occasionally crafts like blacksmithing, or else go find new farm country to move into. In other societies, the farm got split up among the sons (or sometimes sons and daughters), so the farmland per family got smaller and smaller, leading to grinding poverty and increased risk of famine. Societies that did herding rather than grain-growing had an easier time, as long as there was enough pasture land available, either to be nomads or relatively stable locations. But we've filled up most of the locations for new farmland, except for destroying the rest of the rainforest or finding better irrigation techniques. And modern medicine cut down death rates for a long time before modern birth control started to do much about birth rates, and being a nun or monk isn't as popular as it used to be, so it's time for the kids to move to the city.
Forgot to mention - at least in the US, zoning laws that are designed to keep factories and residential areas far apart guarantee that people need to commute. You can't walk to work at a factory if you're not allowed to live near it. White-collar office work has less problem with that, though many cities try to micromanage the locations of office complexes and residential areas, but medium-large cities usually at least have enough office concentration to make transit like trains and busses semi-workable. The other way to make transit work well is to have housing that's concentrated - but suburbs generally don't do that well, and big cities like San Francisco micromanage it to the extent that it's much harder and more expensive to build than it should be, and high-density housing generally means annoyingly small housing, which is bad enough if you don't have kids and worse it you do. It's also much easier to locate a one-worker family close to work than a two-worker family. While I was commuting an hour each way by train, my wife had a 10-minute drive...
I like telecommuting as a way to avoid commuting. I still work for the same huge company I used to work for, and I spent five years taking the train into San Francisco, and a couple years driving to San Jose (15 minute drive vs. 45 minutes for train connections), and it's nice to only need to go to the office once or twice a week.
(That's from "The Moon is a Harsh Mistress", and yes, that's Luna City as in the Moon colony...)
There are lots of different shapes out there besides flat universes that have at least one theory supporting them, and things aren't even settled about whether the curves are open or closed - will the Universe end in a Big Crunch or a Cosmic Wimpout?
The ancient Greeks weren't Flatlanders living 2-dimensionally on the curved-but-flat surface of the Earth, discovering the curvature by the behaviour of parallel lines in Flatland or by walking around it and getting back to the same place. The basic concepts that let people think about roundness came from standing up and seeing a horizon in the distance, and standing higher up on top of things and seeing a wider horizon. That's already three-dimensional motion. The techniques that they used to figure out more precisely how big the Earth is and how far away the moon is involved going down in wells and looking at objects that were high up (Moon, sun, stars, etc.) and measuring the angles. Those objects were far enough outside the Earth that they could get good measurements, but even the most basic tools they used involved standing up perpendicular to Flatland.
Sometimes the universe just misbehaves and fails to cooperate with your theories, which is when science gets to be fun - either your theories are thoroughly bogus, or they're slightly incorrect approximations, and this influences whether your previous models are or are not useful.
- Some of the models are closed curves that are finite in size - the typical analogy is a 4-space hypersphere with a 3-d surface that the Universe maps onto, similar to the way the 2-d surface of the Earth is wrapped around a 3-d sphere and doesn't have edges. But that's not the only model. (The string-theory and membrane-theory folks add another half dozen dimensions to the mix, but the big dimensions can still mostly follow that model.)
- Some of the models say "no, it's not curved, it's flat, maybe a bit bumpy but it's really infinite".
- Some of the models say it's the opposite of a closed curve - these typically look saddle-shaped or horn-shaped, because instead of the curvature in the x direction and the curvature in the y direction both going the same way, they're going the opposite way.
A lot of this stuff tends to be related to models about how much matter and energy the Universe has - is there enough mass to make it close in on itself or not, and do we need to postulate lots of as-yet-undiscovered "dark matter" to make it heavier, or enough even-less-defined "dark energy" to blow it apart?Yeah. What I've actually got at home is the P133 laptop with the cracked screen rather than the other way around :-) It works fine connected to a monitor (actually, it works *better* connected to a monitor, because it was an ultra-portable-for-its-day subnotebook with a 640x480 screen, and I can do 1024x768 on a monitor.) Once we're really totally done with the critical Windows application that it runs, it'll probably become a wireless router or DNS server, though it could stay running Windows as a web browser appliance in the living room.
Similarly, if you've got a laptop that's too lame for that, you might still be able to run Windows 3.1 and hyperterm on it, so you've got a scrolling ASCII display for data you feed it on the RS232 port, or maybe VNC running at 112 kbps. It's not your hot-stuff gamez box, but it's enough to display status information, and the great thing about a 386/25 is that you can be Entirely Fearless about performaing dangerous operations on it because there's really no downside risk :-)
PDAs can often run communications programs as well, so you can use the RS232 port to feed them ASCII streams to display. That Palm3 stand can sit neatly on top of your main PC, showing you whatever information you think is interesting in whatever font size you can read. Maybe it's just a clock and weather forecast and network intrusion detection display ("It's 3:32pm, 37 degrees outside, pollen count high, Virus of the Day is Netsky.U".)
There are some tradeoffs - knocking systems are usually lightweight, while authpf is probably more thorough, especially about making sure the firewall hole gets closed when you leave. Different knocking systems have different bugs in them, and OpenBSD+SSH+AuthPF has the risks of more people attacking it, but the knocking systems have random authors while Authpf and its environment have to be blessed by Theo, so you've got some level of assurance about QA and future fixes. Also, knocking systems need various clients to knock with, and may be susceptible to firewall damage in between, while SSH is pretty widespread and firewalls generally let you make outgoing SSH connections.
Or your could reply to the second correct knock with information required to make the connection, e.g. something as simple as the correct port number that you're going to open, or some password to hash a third knock with. It's probably best not to do this for the first knock unless you require a password in the knock, because somebody who portscans your entire space would presumably hit one correct port, unless you block them after too many incorrect attempts (which has other problems, e.g. they DOS your friends by sending lots of forged incorrect knocking packets....)
Anonymous Coward's assertion that you've got no way to prevent replay attacks other than annoying one-time passwords is incorrect. You could do simple things like using the timestamp as a challenge string, and rejecting knocks that have timestamps that are too old. (Dude - if you want to talk to me, get yourself a decent NTP feed first!) Or you could do the reply-on-second-correct-knock bit I discussed previously. In general, if you're going to be paranoid, it's much more important to be paranoid about somebody hijacking the session that gets built after the knocking is over.
Besides's AC's concerns (and I generally agree with the "keep it simple or don't do it" advice), one of the purposes of this kind of system is to implement the knocking mechanism in a firewall that's simple enough to protect and doesn't contain critical data, and only permit connections to that buggy DDOS-able easily-cracked Windows server in your DMZ after doing some authentication. It's Defense-in-Depth, though it's the kind of thing that's much more useful for your 31337-h4x0r buddies to play games with each other than it is for your blog or corporate web page...
It's much less of a problem when DSL providers have policies like this, at least in the US, because usually the ex-monopoly telcos rent their copper to multiple DSL Layer 2 providers (often including themselves), and the DSL providers usually provide connectivity to many ISPs. So even if, for example, SBC DSL ISP service has some stupid policy, SBC provides Layer 2 access to many ISPs including Sonic.net and Speakeasy, who have friendly clueful policies, and they rent copper to Covad, who provide Layer 2 access to many more ISPs (sometimes with fewer connectivity options, e.g. maybe only SDSL or IDSL and not line-shared ADSL.) Sometimes these alternatives cost more - I'm paying about US$57/month for Sonic.net ADSL with four static IP addresses, vs. some of the newer loss-leader $29 deals from other providers.
Most other countries don't seem to have policies against being a Real User on your broadband service, at least if you're not commercially reselling it. Theoretically, this means that all those non-Americans out there should be creating lots of cool and interesting things to do with their broadband services, but I haven't seen much other than Yet Another File-Sharing System variants or some of the Asian grocery-shopping-on-line things that get magazine articles written about them but aren't very useful outside their local areas.
Port Knocking Acceptance using UDP is very unlikely to be detected by ISPs, because the usual implementations are that somebody sends you a packet and you don't respond with a reject packet. It's much less visible than TCP services. On the other hand, if you use port knocking to turn on your Port 80 HTTP server, the ISP may not catch your server when scanning but may still have port 80 blocked in their routers, so it doesn't really help much.
However, I agree with you that ease of use is the more serious problem - the prevalence of NAT routers has been breaking the Internet End-to-End model to the extent that John Walker pulled his support for Speak Freely, one of the early pioneer VOIP systems. Some closed systems like Skype do supernode things to work around it, commercial systems like Vonage and AT&T use appropriately designed equipment, and some systems limit their support to the PC-to-PSTN direction. It's an ugly mess.
Interference from the government is a relatively orthogonal problem. There are several different kinds you can run into, including
If you're an ISP or hosting center that has customers that you're only providing with IP services, not email services, you _could_ sniff packets and send RSETs to kill sessions that look like spam, but you'd be doing it with less information than your customers, and you would probably end up killing off lots of useful mail, such as the message they're sending to abuse@example.net telling them how to find the spammer that just sent them this message. Usually a bad idea.
But no, I'm not aware of anybody actually using it for deep diving either, as opposed to Trimox or other mixtures. Liquid breathing would have some advantages, because it would let you avoid the risks of crushing that high-pressure water environments have.
That does leave you a shop-vac full of this liquid, mixed with whatever other gunk is on the floor, but that's ok.
Or you could pour liquid nitrogen on it and sweep up the resulting ice - freezing point is -108 C, so you can't just use dry ice to freeze the non-wet liquid :-)