I'm not sure what you mean by the DNS server chain. If the dns resolver you're pointed to is doing a recursive lookup, then there is no chain per se. A recursive resolver locates the NS for the address you want and then queries it on your behalf. A chain implies at least one or more servers acting as forwarders and not doing a recursive lookup. Or were you thinking of the chain of servers that get queried while the dns server is recursing to locate the authoritative server?
This notion of passing the requestor's IP along so you can 'customize' the dns reply is a bad idea. For it to work properly, you'd have to disable dns caching altogether which will significantly increase dns traffic. Also in many cases, when an intermediate dns server is in the loop, it's because the requestor is behind nat and their IP would be meaningless.
The privacy issues are another valid concern. The ip you're looking up gets this info as soon as you connect anyway. A load balancer can theoretically redirect you to a physically closer node at that point. Your configured resolver sees everything anyway. It's just potentially a few other dns servers that get queried along the way that might also find out what ip originated the request.
My guess is google wants to use it to better target ads. I can see the server going "oh that ip address is on main street - let's show them the ad for the restaurant that's just down the street".
The first 64-bits are the "network" portion of the address, and the second 64-bit chunk is the interface portion (ie the ipv6 version of your mac address). I'm ignoring multicast for the present. For normal unicast, you can't subnet smaller than a /64.
It may not be allowed, but it is widely deployed. Not with hosts in those subnets, but it is fairly popular with router-only subnets.
Yes, there are some address types like router loopback and multicast that are different, but that's not your typical globally accessible unicast stuff. Breaking unicast addresses into smaller than /64 breaks the normal routing mechanism and is against the RFCs.
If your ISP is following the standard, they can't give you bigger than a /48 for your site.
If you can demonstrate need, you can get up to a /32 even as a non-ISP. Obviously demonstrating the need for such a large allocation is a bit theoretical.
In that case, you're really getting multiple TLAs, which isn't really the same as subnetting per the RFCs. In practice though it works to get bigger than a /32, and the routing tables may have something bigger than a /32 to reflect the contiguous TLA assignments.
Microsoft doesn't enable services to listen on IPv6 unless the application explicitly requests it. Furthermore, the built-in firewall doesn't allow unsolicited inbound traffic unless you explicitly enable it.
As for netbios, it's not defined over IPv6.
I'm not sure that first link applies to Windows XP, as it's for Windows Mobile 6.
The second link you referenced says NetBT is not defined over ipv6, which is correct as NetBT is netbios implemented over ipv4. To be more precise I should have said file/print sharing instead of netbios, which by default is listening on ipv6 if it's running.
A fair number of people are not running the built-in firewall when they are behind a corporate or home firewall. If file/print sharing are enabled, there are holes punched in the local firewall anyway. A lot of third-party software opens up holes in the Microsoft firewall as well. Some third-party firewalls I tested last year totally ignored ipv6 traffic and let it all through.
My point is that enabling ipv6 adds exposure. If you've implemented an ipv6 tunnel, you could be inadvertently bypassing firewall protections as you essentially create a tunnel for the entire ipv6 world to directly access your computer.
As an example, try setting up teredo on an XP box that's behind NAT (the main reason for using teredo, btw). Doing a bit of packet sniffing, you'll discover that you're getting an occasional port scan. Yes indeed there are black hats out there scanning ipv6 space already.
Luckily, the same software on your PC doesn't listen on IPv6 in the first place, so it doesn't really matter that your box is v6 accessible.
Huh? Most of the Microsoft services listen just fine on ipv6. Are you comfortable with anyone on the ipv6 internet being able to hit your netbios ports? Even Microsoft points out ipv6 tunneling as a security risk and recommends blocking teredo traffic at the network boundary. http://technet.microsoft.com/en-us/library/bb726956.aspx
Okay that makes sense. The router is actually running ipv6 dhcp and assigning stateful addresses with the 2002 prefix. The router is doing the 6to4 tunneling for you.
There is no "selling point". The move to IPv6 will be transparent to Joe Sixpack pr0n downloader/web browser/emailer, and Grandma Moses. The move is required in order for them to stay in business, and provide services to their customers. It's that simple.
In more ways than you might expect. Enabling ipv6 with something like teredo on windows can accidentally provide a nice backdoor through your router, and firewall. Most of the personal firewall software on the market does absolutely nothing with ipv6. You might find out the hard way that setting up ipv6 exposes your computer to a lot more than you realize.
No, that is not allowed (well the police won't stop them, but it's definitely not best practice). Best practice was originally a /48, but now ISPs are allowed to cut all the way down to a /56 if they feel a /48 is too much.
You shouldn't put hosts in anything but a /64, and some don't think there should exist non-/64 unicast networks at all. Personally I believe that at least /128 should be allowed.
The first 64-bits are the "network" portion of the address, and the second 64-bit chunk is the interface portion (ie the ipv6 version of your mac address). I'm ignoring multicast for the present. For normal unicast, you can't subnet smaller than a /64. If your ISP is following the standard, they can't give you bigger than a /48 for your site.
It's also a bit of a myth that ipv6 allows for 2^128 addresses. That's not really true given the first several bits define the address type, not all of the TLAs have been assigned, some of the prefixes are special (like 6to4, and teredo), 64-bit host id's uniqueness (generally derived from the 48-bit mac address), ranges set aside for multicast, link-local, non-routable addresses, etc.
Still ipv6 is a massive expansion of the available range, and solves many routing difficulties. It's also much more complicated and has some drawbacks.
Pinging ipv6.comcast.net [68.87.64.59]
It works for me.
$ ping6 ipv6.comcast.net
PING6(56=40+8+8 bytes) 2002:1159:44ef::226:48ff:fe12:a9a7 --> 2001:558:1002:5:68:87:64:59
16 bytes from 2001:558:1002:5:68:87:64:59, icmp_seq=0 hlim=52 time=235.216 ms
16 bytes from 2001:558:1002:5:68:87:64:59, icmp_seq=1 hlim=52 time=245.426 ms
This is through an Apple airport base station via whatever tunnel provider it uses for its IPv6 support. No manual setup, just click the buttons to turn IPv6 on and to block incoming connections.
The 2002 prefix on your ipv6 address says you're using 6to4 address translation/tunneling. The ipv4 address at the time was 17.89.68.239. I'm not sure if it's your computer doing the 6to4 tunneling or your airport. I'm thinking it's the computer as it's using the 2002 address as opposed to the router doing it all in the background.
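An added example, not part of the original thread: Python's standard `ipaddress` module reproduces the reading above, recovering the IPv4 address embedded in the 6to4 source address from the ping6 output and the MAC address embedded in its interface ID, and it flags Teredo addresses the same way so tunnelled hosts can be found in an address inventory. The function names are assumptions of this example, and the Teredo sample is the RFC 4380 example address, not one from the thread.

```python
import ipaddress

# Well-known tunnel prefixes.
SIXTOFOUR_NET = ipaddress.ip_network("2002::/16")  # 6to4 (RFC 3056)
TEREDO_NET = ipaddress.ip_network("2001::/32")     # Teredo (RFC 4380)


def eui64_to_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    An EUI-64 interface ID built from a 48-bit MAC has ff:fe inserted in
    the middle and the universal/local bit (0x02 of the first byte) flipped.
    """
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # random/privacy or manually assigned interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def classify(text):
    """Describe one IPv6 address: tunnel type and what it leaks."""
    addr = ipaddress.IPv6Address(text)
    info = {
        "address": str(addr),
        "tunnel": None,
        "embedded_ipv4": None,   # public IPv4 of the tunnel endpoint
        "teredo_server": None,
        "mac": eui64_to_mac(addr),
    }
    if addr in SIXTOFOUR_NET:
        # Bits 16..47 of a 6to4 address are the site's public IPv4 address.
        info["tunnel"] = "6to4"
        info["embedded_ipv4"] = str(addr.sixtofour)
    elif addr in TEREDO_NET:
        # Teredo carries the server address and the (bit-inverted) client
        # address; ipaddress undoes the inversion.
        server, client = addr.teredo
        info["tunnel"] = "teredo"
        info["teredo_server"] = str(server)
        info["embedded_ipv4"] = str(client)
    return info


def flag_tunnels(addresses):
    """Return classify() results only for tunnelled addresses."""
    results = (classify(a) for a in addresses)
    return [r for r in results if r["tunnel"] is not None]


# Sample inventory: the two addresses from the ping6 output in the thread,
# plus the RFC 4380 example Teredo address (constructed, not from the thread).
SAMPLE = [
    "2002:1159:44ef::226:48ff:fe12:a9a7",
    "2001:558:1002:5:68:87:64:59",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
]

if __name__ == "__main__":
    for entry in flag_tunnels(SAMPLE):
        print(entry)
```

Hosts that show up in `flag_tunnels()` are the ones whose IPv6 traffic arrives encapsulated in IPv4 and so may bypass a firewall that only inspects IPv4.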
I'll bet it will include information on who originally purchased the song over the internet. If they find an mp3 on a file sharing site with your personalized serial number, then they can claim that you made it available for distribution. Of course, all the popular sharing sites and software will quickly learn to strip that out.
No different than watermarking in movies sent to the theaters. I wouldn't be surprised if NetFlix or other pay-per-view streaming media sites are doing this already.
Seriously, this is a hack and a half. That's one of the worst soldering and assembly jobs I've ever seen (cat5 for hookup wire?) I don't even see enough parts to make it work at all. You'd need one relay to provide ignition power, then a second to hit the starter. Plus there are no other features here like a neutral/park detect (so the vehicle doesn't start moving), an auto shutdown so the vehicle won't run for days if you accidentally start it and forget, etc.
A cheap remote start kit like the Bulldog Security Deluxe 500 is $105 anyway.
We could replace the entire Federal Income Tax with a 12.68% flat tax and still collect the same amount of money as we are now.
The problem here is defining 'income'. There are so many exemptions, bonus, and incentives that it's nearly impossible to figure it out and easy to cheat. Businesses are even more complicated. The first step is to get the congress to stop meddling with the tax codes in order to give their campaign contributors (big business) tax breaks. Next start getting rid of all the tax laws that are complicating the issue for regular citizens.
Why would you want to do that? You don't expect evil people to use botnet nodes in every country?
Simply this: If you don't expect any traffic from foreign countries, then it's safe and prudent to block traffic from foreign countries. It's the whole least-privileges approach applied at the firewall level. For example, you might have http/https accessible from anywhere, but VPN is only allowed from within the US where your sales staff is reasonably expected to travel.
You're right that it's not foolproof, given botnets and compromised computers within the US. Still it's a layer of security that can improve the overall security of the network.
Where can one get a list of IP addresses for countries like China and India so that server admins like myself can block these countries entirely?
Google can tell you within minutes what IP ranges correspond to non-US locations. Here's one such list that's reasonably close. http://www.experts-exchange.com/Networking/Misc/Q_21787352.html. You should also be blocking bogons (addresses that you shouldn't see on the internet such as unassigned ranges) http://www.cymru.com/Documents/bogon-list.html.
Keep in mind that blocking all foreign IPs isn't foolproof as some US clients may still end up going through a foreign relay or some sort of proxy. Also systems compromised by foreign adversaries or foreign controlled botnets will be seen coming from within the US. I block all non-US addresses, bogons, a few problematic US ISP ranges, and a select list of other subnets based on previous attacks. The company I work for also maintains a very large list of addresses to black-hole (both in and out) based on other information such as previous attacks or IPs controlled by foreign companies. Outgoing traffic to specific addresses triggers red flags for potentially compromised systems.
I didn't think I did. I think Slashdot is fucked up. If you open another topic and go back to the original thread, it seems replies might end up in the wrong thread.
In general a high-speed chase is a safety problem when there are other vehicles around. Those vehicles would likely be knocked out by this as well. Pacemakers, and collateral damage to other electronics including the police car itself would probably be way too unacceptable. Second problem is that the size of the panel required to generate sufficient power density is so big that the chasing police car would be unable to do high speed (think parachute). Plus it's simply cheaper to call the dispatcher and have them put in the OnStar kill order instead of outfitting each cop car with $200k of equipment.
My prediction is a bill or NHTSA rule requiring all new cars to have on-star installed. We're getting close, as I heard a commercial on the way home stating that all new GM (I think) cars would come equipped with OnStar. The OnStar approach makes much more sense anyway. You can send a signal to a fleeing car to limit power. Or if the car is stolen, tell the car to refuse to restart after it's stopped. Much safer than making the car stall in a potentially dangerous position.
And generally whatever the train hit is toast. Yes, you might be safer in a heavy vehicle, but you inflict a lot more damage on whatever you hit.
Whereas coal plants are a constant source of not-immediately-lethal-but-still-nasty pollutants.
Very true and those pollutants contain radioactive components. In fact, if you could extract all the uranium from a ton of typical coal, it has more potential energy than if you burned the coal.
As the VP nominee said, "There's no such thing as clean coal".
"Do you really think that the cop who pulls you over for a traffic violation really needs to call a judge to get approval to ask you if he can search your vehicle? That's ridiculous."
In the US? Yes, he does.
NO, he does not.
Of course the cop doesn't need permission from a judge to ask. The cop can always ask, but you don't have to agree to the search. In fact you are best off to explicitly state that you do not consent to a search. They can still do an involuntary search in some circumstances like probable cause, open view, etc.
http://www.associatedcontent.com/article/54988/know_when_police_can_search_your_vehicle.html?cat=17
http://flexyourrights.org/faq/74
They use Cygwin for scripting a command shell.
Cygwin isn't a bad solution for keeping a semi-consistent shell across OS's. I use it in a few places where we need windows and have a few tasks like reading old sun tar tapes. I have more issues remembering the syntax differences between different shells. PowerShell is pretty decent, but it is certainly not the same as a *nix shell.
And you cannot use a name for mount points, just one letter
Go look up volume GUID path and mount points. MS has been trying to get rid of drive letters. Underneath you can refer to the volumes by their GUID. http://msdn.microsoft.com/en-us/library/aa365248(VS.85).aspx. NTFS supports mount points that work just like *nix mounts, although that capability isn't exposed to the user very well.
I could go on and on, for any professional systems administrator, Unix is far superior to Windows, there is no doubt about that. It's only for home computers that familiarity is a convenience, professionals can be readily trained to use a system that's intrinsically easier to use.
I somehow feel that trying to make a new OS that has exactly the same "feel" as Windows is like trying to make a modern car that has exactly the same feel as a Ford Model T.
You're starting to rant a bit here. The _best_ operating system is the one that provides the functionality with minimal maintenance and good security. Just because you prefer and understand linux best, doesn't automatically mean linux is the best solution for everything. Try implementing the ease and manageability that a well deployed Active Directory solution provides with Linux. You'll end up with a one-off cobbling together of ldap and scripts that will require _more_ expertise and maintenance than a similar Microsoft solution.
I somehow feel that trying to make a new OS that has exactly the same "feel" as Windows is like trying to make a modern car that has exactly the same feel as a Ford Model T.
I think you missed the point. It's not about the "feel" of the OS. It's about getting Windows software to run seamlessly on an open-source OS.
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with computer startup script that checks if Firefox is installed, if it's not the latest version it installs the latest version. The downside of this approach is that I have to manually update the script every time there is an update, and this does nothing to update add-ons. IE at least gets updated via wsus and I don't even have to think about it.
For example, all of the cheap Chinese knockoffs of brand name stuff. A large portion of it is dishonest suppliers simply doing their own runs of the product and selling it to the grey market.
Why the hell would they recommend counseling for a non-violent and non-criminal act?
They probably need counseling after being abused and strip searched by an overreacting school and police dept!
I wonder what wasn't said in the article. If the kid was uncooperative or suspicious (perhaps he was overheard calling it a bomb), then I can see this kind of reaction. If the kid was just tinkering and liked electronics, he probably would have loved to explain it.
Not god-like. If you had access to the intel reports that I do, I'm pretty sure you'd have the same opinion. That the US govt and private industry is badly hemorrhaging information to the Chinese due to extensive network infiltrations.
Publishing new zero-day exploits just puts it in the hands of the black hats sooner. Obviously a black hat who learns a new exploit is under no pressure to announce it and ruin the value of his find.
I think immediate disclosure has some problems, and it should depend on how it was found and if it's already been exploited. I think the software owner needs some grace to look at the issue. Then they need to either fix it, advise for workarounds, or advise on how to block or recognize attempts to exploit it.
If the person who found and reported it believes it's being actively exploited or the software owner is not going to respond in a timely manner (ie Microsoft), then yes I agree they should disclose enough details to allow the public to protect itself. Publishing exploit code is a bad idea all the way around.
Other way around. Cisco bought out LinkSys and is selling their stuff with a fancy Cisco label on it. It's definitely not the same as the normal Cisco stuff. If it's like other acquisitions, Cisco will eventually start producing them and what's under the hood will change. Another good example of this is when Cisco bought out Komodo and rebadged their voip box into the ATA-18x series. Cisco rewrote the software and made it a nice unit.