Automatically launching whatever executable code a magic file like autorun.inf points to, on the other hand, is one of the most frightening security tradeoffs Microsoft has ever made. The trouble is when MS did it back in 1995 the world was very different. IIRC they didn't do it for floppies or "removable disks", only for CDs and hard drives. Hard drives were things that generally got left in machines (yes external scsi did exist but it was not commonly used). CD burners were practically unheared of so the only CDs normal people encoutered were ones pressed by "trustworthy" big commercial publishers.
Now in 2008 everything has changed. CD recorders and external hard drives are the norm. Worse some USB sticks are deliberately pretending to contain a CD drive to fool the OS into autorunning stuff from them. Unfortunately users have come to rely on autorun as the normal way to install software so turning it off would piss off a lot of users. In other words MS is stuck between a rock and a hard place.
uess how difficult it is to mirror the "pool" directory without also getting the packages from every other version of Ubuntu. Not too hard you just have to use the right tool, https://help.ubuntu.com/community/Debmirror
Why can't I just have a single directory I can rsync? IIRC the main reason debian introduce the pool structure is to allow packages to be shared between versions (particularlly testing and unstable) and therefore reduce the archive size.
I think the default kernel is different on the desktop and server installs (ubuntu like debian is happy to let you have multiple kernels installed at once). They also use a different installer (debian-installer rather than thier own livecd based installer).
Well it's much longer than for the regular ubuntu releases though I agree it's still not really long enough. Redhat's is a couple of years longer but then redhat is a much bigger company than canonical.
Sadly linux's fast evoloution makes it pretty expensive for a distributor to provide good support for a release for a long time.
Is there some reason that you can't command ip6tables to use the source address and the input or output interface to decide whether or not to drop a packet If your machines and your "roommate"s machines are on the same subnet then traffic between them will never hit the IP stack in the router and hence can't be filtered by it.
So if you want to filter traffic between your machines and your roommates machines you need them to be on different subnets.
With IPV4+NAT this is no problem, the private IP space is plenty big enough to have multiple private subnets either managed by one nat or with two nats one behind the other.
IPV6 was designed on the assumption that every subnet would be a/64. If you don't follow this then you will not be able to use stateless autoconfigruation which is iirc the only autoconfiguration option supported by windows. I'm not sure if windows even supports setting up an IPV6 interface with a subnet other than a/64 (if it does I can't find any documentation on it)
ISPs were supposed to give thier users more than a/64 to avoid this problem. Unfortunately many of them don't.
Now, if you're complaining about not being able to subnet a/64, then I hear ya! That is the basic problem, if you want to use stateless autoconfiguration (and the only ipv6 addressing schmes windows XP supports afaict are stateless autoconfiguration and manual configuration from the commandline) you can't subnet a/64
2) What's so difficult about doing this: Internet --> Housemate_Router --> WAN_Port_On_Your_Router --> Your_Machines then setting up a firewall on Your_Router that DROPs traffic going to Your_Machines with a source address from Your_Subnet and is coming in over Your_WAN_Port? It's not that hard providing the ISP is generous enough to give something a bit bigger than a/64 but it does mean you either have to use full blown routing protocols or manually configure a route table entry on the router nearest the internet. This is no trouble for us network geeks but may be difficult for normal users.
No way am I going to be able to memorize one of those, ever. DNS will become mandatory to do anything You have to rememeber your sites prefix but that shouldn't be too bad. The complexity of the rest of the address will depend entirely on your internal allocation policies.
If you use stateless autoconfiguration (which I would only do for end user desktops) then yeah it will be a PITA as you will essentially have to memorise the machines MAC addresses.
I'd love to see a good Router that supported IPv6 and didn't cost 3 figures, does anyone here know of any out there? A WRT54GL with one of the third party firmwares?
NAT breaks the internet and is essentially an ugly workaround that results in the need for lots of other workarounds. If you think this isn't so then you need to get your head out of the sand/your ass (your choice) and pay better attention. Yeah but the few non-geek apps that are affected have already got those workarrounds in place, tested and being used by large numbers of users (afaict most home users are behind a nat router and only fairly geeky ones will set up port forwarding on it).
ISP level nat sucks for us geeks who want to run servers at home but most ordinary users probablly won't notice. For the ISPs it also means a new revenue stream selling globally routable IPs to thier pickier customers.
I remember a pretty long transition period between DVDs becoming readilly availible and vhs tapes stopping being readilly availible.
There are a few issues with IPV6
1: a lot of software needs modification to be able to use it. Many apps were written on the assumption that the only sockets they would work with would be IPV4 ones. For some of theese apps the people who hold the source will have dissapeared or be uncooperative. 2: until such time as the ipv6 internet is as fast and reliable as the IPV4 one moving to IPV6 as the default will mean throwing performance away. It doesn't help that browser writers seem to take a ridiculously long time to timeout and fallback to ipv4 if the ipv6 address is silently unreachable. 3: Many older professional routers have IPV6 options but implemented in software, that means they can handle far less IPV6 load than IPV4 load. 4: MOST home routers don't support ipv6 at all. Sometimes you can get arround this with custom firmware, sometimes that is hard (for example A friend of mine has a router which needs a specific kernel version for the binary driver fro the wireless to work and that kernel version has broken IPV6 support) 5: The linux kernel developers refuse to implement v6-v6 nat. They have good intentions in doing this but it will make it difficult to put one home router (home routers are very often linux based in my experiance) behind another (say because you want to isolate your machines from your housemates), especially if the ISP is a crappy one that only gives the user a/64.
Unfortunately I think we may end up in a situation with IPV4 ISP run nat the norm (note: it doesn't make sense for ISPs to go to ISP run nat until the addresses run out, they will want to justify as many as they can in the runup to allocation so they can use them for premium services later) public IPV4 addresses an expensive luxury and IPV6 used only by geeks.
Are those figures current subscribers or people who can get the service if they want it? Presumablly the latter figureis the more interesting to marketers.....
IIRC their cable service covers about 50% of uk households so a long way off total coverage but not exactly small either.
The cable network is bought and paid for so they are going to want it serving as many customers as possible. I doubt they care so much about the BT wholesale based ADSL.
note: I'm reffering to virgin media cable here, virgin media also do a service using BT wholesale ADSL which by all accounts is shit (the samknows report uses "virgin media" to reffer to the cable service and "virgin.net" to reffer to the ADSL service).
Umm most of the graphs are smaller is better and virgin medias line tends to be near the bottom. They do worst in the voip test but not so badly that it is likely to cause pracitcal issues. They do badly in the "current speed relative to max speed" tests but it seems the rates on virgins 10MBps or 20Mbps services are better than most people can expect from the "up to 8Mbps" services from BT wholesale.
Yes virgin do some throttling, but 25% of 20Mbps is still a very respectable 5Mbps. You have to be pretty close to the exchange to get that on BT wholesale ADSL and if you want to actually achive that performance in practice you will probablly need either a very expensive ISP account or one with a traffic cap.
Unfortunately the sky results do not seem to have been broken down into BT wholesale based and LLU (sky do both) and many of the smaller ISPs don't seem to be listed.
So virgin media cable probablly isn't the best ISP but afaict for most users they are a hell of a lot better than most BT wholesale based options.
Virgin Media offers cable broadband through fibre optic. Well fiber optic is a half-truth. Afaict it's fiber to a local distribution point (not sure how many houses each serves off hand) and then cable TV cable to the premisis. Virgin media cable is only availible to about half of UK properties afaict. They are also not the best of ISPs but they are far from the worst (note: virgin media also do a service using BT wholesale ADSL in non cable areas. Afaict that is one of the shittiest services arround).
There are also the local loop unbundling ADSL providers which cover some places that virgin don't but while some of them (sky, be) are decent others (tiscali.
But I belive there are still quite large parts of the UK where the only broadband availible is BT wholesale ADSL.
All ISPs on BT wholesales network have a difficult descision to make. BT wholesales prices are too high to offer a true unlimited service at prices people will pay. So you either get so called unlimited but heavilly congested or traffic shaped packages or you get packages with an explicit traffic limit.
BT is too busy selling everyone's personal info and browsing habits to notice that in a few years their customers wont be able to do anything on t'internet because of a lack of IPv6. I find that highly unlikely, some users are likely to get stuck behind nat which is far from ideal but any non-suicidal hosting provider is going to keep thier sites availible on V4 for a long time.
Also the protocol used on the network that connects users to ISPs is fairly irrelevent anyway since afaict users will be tunneled through it just like they are now.
My guess would be that since there will still be competition between ISPs running over the infrastrcuture the IPs used on the internal network will be seperate from internet IPs anyway. Whether users get public IPs will probablly be at the discresion of the ISP.
A "no commerce with spammers" law would be well within the powers of the federal government. But it would also be virtually impossible to enforce. All the US bank is going to see is a transaction with a foreign merchant account. Where the money goes after that they are going to find basically impossible to track without the help of the country the merchant account is in.
Equally unless you totally shut down the international post service you are going to find it very difficult stopping the products sold through spam from getting in.
What is more significant is knowing exactly which font and which blur filter was used. Also having the filter applied evenly is going to make things far easier than if someone grabs the blur tool and scribbles over the area with it.
You could accomplish this, if the memory can be read and written with a lower voltage than the refresh pulse, by putting resistors inline on the bus. More likely resistors high enough in value to give the required protection would slow transitions down to the point that your high speed bus can no longer operate at anywhere near it's intended speed.
Be that as it may lots of enterprises want to do thier best to block everything except web browsing. Since there is no easy way to identify https traffic by packet content that means they pretty much have to allow unfettered connections to the standard https port (443). On the other hand they may not want to allow access to arbitary TCP ports because that would allow use of IRC bittorrent etc.
You may or may not think this is a good idea (personally I can see why they do it even though I know that it allows easy workarrounds if you control a box on the outside) but it is reality and if you ignore it you will block lots of people from accessing your site.
or provide a warning when using the lesser security so that users are aware of whats going on??? The problem is that browsers provide a scary warning when using weak security but they provide NO WARNING AT ALL when using NO SECURITY WHATSOEVER.
Which means websites that don't want to scare away thier users are faced with an all or nothing choice on security.
Encryption with self signed certs does several things that make life harder for an evesdropper.
1: The attacker has a much higher chance of getting caught. There is no way for the middleman to know for sure if the users are checking the certificates or not. 2: The attacker will require much greater rescourses since they must intercept, decrypt and reencrypt and retransmit the traffic rather than simply sniffing it.
Sure if the attacker has high rescourses and is after you personally it probablly won't help much.
The problem is that chips need to communicate with each other. Whatever voltage the CPU is running on it needs to be able to safely handle the voltage the ram sends it on it's input lines.
You could have a seperate memory controller chip of course and older designs did, but that is bad for performance and power consumption.
What the manufacturer can do however is figure out from the EDA reports what the most time-critical paths are and design thier test programs to test those as thouroughly as possible.
They can also test the chips at the limits of thier voltage and temperature specifications.
And finally I bet they leave a fairly significant safety margin.
Proving a chip won't fail is not feasible but manufacturers can get a much higher level of confidence than some random overclocker.
I saw the google whitepaper and it debunked very little about the temperature "myth", not sure about wear and tear.
With regards to tempreature the study had a couple of fundamental flaws.
* The temperature measurements came from the drives themselves. That means if say an unreliable hard drive model also underreported it's tempreature it would totally skew the results. * It was data from servers running in a well cooled datacenter. That means there was virtually no data about drives running at the kind of tempreatures you see in a poorly ventilated desktop in a hot room.
Automatically launching whatever executable code a magic file like autorun.inf points to, on the other hand, is one of the most frightening security tradeoffs Microsoft has ever made.
The trouble is when MS did it back in 1995 the world was very different. IIRC they didn't do it for floppies or "removable disks", only for CDs and hard drives. Hard drives were things that generally got left in machines (yes external scsi did exist but it was not commonly used). CD burners were practically unheared of so the only CDs normal people encoutered were ones pressed by "trustworthy" big commercial publishers.
Now in 2008 everything has changed. CD recorders and external hard drives are the norm. Worse some USB sticks are deliberately pretending to contain a CD drive to fool the OS into autorunning stuff from them. Unfortunately users have come to rely on autorun as the normal way to install software so turning it off would piss off a lot of users. In other words MS is stuck between a rock and a hard place.
uess how difficult it is to mirror the "pool" directory without also getting the packages from every other version of Ubuntu.
Not too hard you just have to use the right tool, https://help.ubuntu.com/community/Debmirror
Why can't I just have a single directory I can rsync?
IIRC the main reason debian introduce the pool structure is to allow packages to be shared between versions (particularlly testing and unstable) and therefore reduce the archive size.
I think the default kernel is different on the desktop and server installs (ubuntu like debian is happy to let you have multiple kernels installed at once). They also use a different installer (debian-installer rather than thier own livecd based installer).
but the package repositries are exactly the same.
Well it's much longer than for the regular ubuntu releases though I agree it's still not really long enough. Redhat's is a couple of years longer but then redhat is a much bigger company than canonical.
Sadly linux's fast evoloution makes it pretty expensive for a distributor to provide good support for a release for a long time.
Is there some reason that you can't command ip6tables to use the source address and the input or output interface to decide whether or not to drop a packet
If your machines and your "roommate"s machines are on the same subnet then traffic between them will never hit the IP stack in the router and hence can't be filtered by it.
So if you want to filter traffic between your machines and your roommates machines you need them to be on different subnets.
With IPV4+NAT this is no problem, the private IP space is plenty big enough to have multiple private subnets either managed by one nat or with two nats one behind the other.
IPV6 was designed on the assumption that every subnet would be a /64. If you don't follow this then you will not be able to use stateless autoconfigruation which is iirc the only autoconfiguration option supported by windows. I'm not sure if windows even supports setting up an IPV6 interface with a subnet other than a /64 (if it does I can't find any documentation on it)
ISPs were supposed to give thier users more than a /64 to avoid this problem. Unfortunately many of them don't.
Now, if you're complaining about not being able to subnet a /64, then I hear ya! /64
That is the basic problem, if you want to use stateless autoconfiguration (and the only ipv6 addressing schmes windows XP supports afaict are stateless autoconfiguration and manual configuration from the commandline) you can't subnet a
2) What's so difficult about doing this: /64 but it does mean you either have to use full blown routing protocols or manually configure a route table entry on the router nearest the internet. This is no trouble for us network geeks but may be difficult for normal users.
Internet --> Housemate_Router --> WAN_Port_On_Your_Router --> Your_Machines
then setting up a firewall on Your_Router that DROPs traffic going to Your_Machines with a source address from Your_Subnet and is coming in over Your_WAN_Port?
It's not that hard providing the ISP is generous enough to give something a bit bigger than a
No way am I going to be able to memorize one of those, ever. DNS will become mandatory to do anything
You have to rememeber your sites prefix but that shouldn't be too bad. The complexity of the rest of the address will depend entirely on your internal allocation policies.
If you use stateless autoconfiguration (which I would only do for end user desktops) then yeah it will be a PITA as you will essentially have to memorise the machines MAC addresses.
I'd love to see a good Router that supported IPv6 and didn't cost 3 figures, does anyone here know of any out there?
A WRT54GL with one of the third party firmwares?
NAT breaks the internet and is essentially an ugly workaround that results in the need for lots of other workarounds. If you think this isn't so then you need to get your head out of the sand/your ass (your choice) and pay better attention.
Yeah but the few non-geek apps that are affected have already got those workarrounds in place, tested and being used by large numbers of users (afaict most home users are behind a nat router and only fairly geeky ones will set up port forwarding on it).
ISP level nat sucks for us geeks who want to run servers at home but most ordinary users probablly won't notice. For the ISPs it also means a new revenue stream selling globally routable IPs to thier pickier customers.
I remember a pretty long transition period between DVDs becoming readilly availible and vhs tapes stopping being readilly availible.
There are a few issues with IPV6
1: a lot of software needs modification to be able to use it. Many apps were written on the assumption that the only sockets they would work with would be IPV4 ones. For some of theese apps the people who hold the source will have dissapeared or be uncooperative. /64.
2: until such time as the ipv6 internet is as fast and reliable as the IPV4 one moving to IPV6 as the default will mean throwing performance away. It doesn't help that browser writers seem to take a ridiculously long time to timeout and fallback to ipv4 if the ipv6 address is silently unreachable.
3: Many older professional routers have IPV6 options but implemented in software, that means they can handle far less IPV6 load than IPV4 load.
4: MOST home routers don't support ipv6 at all. Sometimes you can get arround this with custom firmware, sometimes that is hard (for example A friend of mine has a router which needs a specific kernel version for the binary driver fro the wireless to work and that kernel version has broken IPV6 support)
5: The linux kernel developers refuse to implement v6-v6 nat. They have good intentions in doing this but it will make it difficult to put one home router (home routers are very often linux based in my experiance) behind another (say because you want to isolate your machines from your housemates), especially if the ISP is a crappy one that only gives the user a
Unfortunately I think we may end up in a situation with IPV4 ISP run nat the norm (note: it doesn't make sense for ISPs to go to ISP run nat until the addresses run out, they will want to justify as many as they can in the runup to allocation so they can use them for premium services later) public IPV4 addresses an expensive luxury and IPV6 used only by geeks.
Are those figures current subscribers or people who can get the service if they want it? Presumablly the latter figureis the more interesting to marketers.....
IIRC their cable service covers about 50% of uk households so a long way off total coverage but not exactly small either.
The cable network is bought and paid for so they are going to want it serving as many customers as possible. I doubt they care so much about the BT wholesale based ADSL.
note: I'm reffering to virgin media cable here, virgin media also do a service using BT wholesale ADSL which by all accounts is shit (the samknows report uses "virgin media" to reffer to the cable service and "virgin.net" to reffer to the ADSL service).
Umm most of the graphs are smaller is better and virgin medias line tends to be near the bottom. They do worst in the voip test but not so badly that it is likely to cause pracitcal issues. They do badly in the "current speed relative to max speed" tests but it seems the rates on virgins 10MBps or 20Mbps services are better than most people can expect from the "up to 8Mbps" services from BT wholesale.
Yes virgin do some throttling, but 25% of 20Mbps is still a very respectable 5Mbps. You have to be pretty close to the exchange to get that on BT wholesale ADSL and if you want to actually achive that performance in practice you will probablly need either a very expensive ISP account or one with a traffic cap.
Unfortunately the sky results do not seem to have been broken down into BT wholesale based and LLU (sky do both) and many of the smaller ISPs don't seem to be listed.
So virgin media cable probablly isn't the best ISP but afaict for most users they are a hell of a lot better than most BT wholesale based options.
Virgin Media offers cable broadband through fibre optic.
Well fiber optic is a half-truth. Afaict it's fiber to a local distribution point (not sure how many houses each serves off hand) and then cable TV cable to the premisis. Virgin media cable is only availible to about half of UK properties afaict. They are also not the best of ISPs but they are far from the worst (note: virgin media also do a service using BT wholesale ADSL in non cable areas. Afaict that is one of the shittiest services arround).
There are also the local loop unbundling ADSL providers which cover some places that virgin don't but while some of them (sky, be) are decent others (tiscali.
But I belive there are still quite large parts of the UK where the only broadband availible is BT wholesale ADSL.
All ISPs on BT wholesales network have a difficult descision to make. BT wholesales prices are too high to offer a true unlimited service at prices people will pay. So you either get so called unlimited but heavilly congested or traffic shaped packages or you get packages with an explicit traffic limit.
BT is too busy selling everyone's personal info and browsing habits to notice that in a few years their customers wont be able to do anything on t'internet because of a lack of IPv6.
I find that highly unlikely, some users are likely to get stuck behind nat which is far from ideal but any non-suicidal hosting provider is going to keep thier sites availible on V4 for a long time.
Also the protocol used on the network that connects users to ISPs is fairly irrelevent anyway since afaict users will be tunneled through it just like they are now.
My guess would be that since there will still be competition between ISPs running over the infrastrcuture the IPs used on the internal network will be seperate from internet IPs anyway. Whether users get public IPs will probablly be at the discresion of the ISP.
A "no commerce with spammers" law would be well within the powers of the federal government.
But it would also be virtually impossible to enforce. All the US bank is going to see is a transaction with a foreign merchant account. Where the money goes after that they are going to find basically impossible to track without the help of the country the merchant account is in.
Equally unless you totally shut down the international post service you are going to find it very difficult stopping the products sold through spam from getting in.
What is more significant is knowing exactly which font and which blur filter was used. Also having the filter applied evenly is going to make things far easier than if someone grabs the blur tool and scribbles over the area with it.
You could accomplish this, if the memory can be read and written with a lower voltage than the refresh pulse, by putting resistors inline on the bus.
More likely resistors high enough in value to give the required protection would slow transitions down to the point that your high speed bus can no longer operate at anywhere near it's intended speed.
Be that as it may lots of enterprises want to do thier best to block everything except web browsing. Since there is no easy way to identify https traffic by packet content that means they pretty much have to allow unfettered connections to the standard https port (443). On the other hand they may not want to allow access to arbitary TCP ports because that would allow use of IRC bittorrent etc.
You may or may not think this is a good idea (personally I can see why they do it even though I know that it allows easy workarrounds if you control a box on the outside) but it is reality and if you ignore it you will block lots of people from accessing your site.
or provide a warning when using the lesser security so that users are aware of whats going on???
The problem is that browsers provide a scary warning when using weak security but they provide NO WARNING AT ALL when using NO SECURITY WHATSOEVER.
Which means websites that don't want to scare away thier users are faced with an all or nothing choice on security.
Encryption with self signed certs does several things that make life harder for an evesdropper.
1: The attacker has a much higher chance of getting caught. There is no way for the middleman to know for sure if the users are checking the certificates or not.
2: The attacker will require much greater rescourses since they must intercept, decrypt and reencrypt and retransmit the traffic rather than simply sniffing it.
Sure if the attacker has high rescourses and is after you personally it probablly won't help much.
The problem is that chips need to communicate with each other. Whatever voltage the CPU is running on it needs to be able to safely handle the voltage the ram sends it on it's input lines.
You could have a seperate memory controller chip of course and older designs did, but that is bad for performance and power consumption.
What the manufacturer can do however is figure out from the EDA reports what the most time-critical paths are and design thier test programs to test those as thouroughly as possible.
They can also test the chips at the limits of thier voltage and temperature specifications.
And finally I bet they leave a fairly significant safety margin.
Proving a chip won't fail is not feasible but manufacturers can get a much higher level of confidence than some random overclocker.
I saw the google whitepaper and it debunked very little about the temperature "myth", not sure about wear and tear.
With regards to tempreature the study had a couple of fundamental flaws.
* The temperature measurements came from the drives themselves. That means if say an unreliable hard drive model also underreported it's tempreature it would totally skew the results.
* It was data from servers running in a well cooled datacenter. That means there was virtually no data about drives running at the kind of tempreatures you see in a poorly ventilated desktop in a hot room.