Slashdot Mirror


User: petermgreen

petermgreen's activity in the archive.

Stories: 0
Comments: 10,783

Comments · 10,783

  1. Re:By design on iPhone Apparently Open To Old Wi-Fi Attack · · Score: 1

    - This is all mitigated using WPA2 Enterprise since you have end-to-end per-user encryption

    The real problem is that WPA lacks a mode suitable for secure public hotspots. Such a mechanism would need to provide

    1: a way of verifying with a reasonable degree of certainty that the operator is who they claim to be even though the user hasn't previously interacted with them. Likely this means some kind of certification authority. At least the WPA enterprise deployment I've used (eduroam) required the user to manually install a certificate to connect securely.
    2: a way of connecting as an "unknown user" with limited connectivity so that the user can go through the steps needed (agreeing to terms and conditions, possibly providing payment) to request full connectivity.

    So in practice wifi hotspots tend to either use unsecure wifi with a "captive portal" for authentication or they use WPA PSK with the password printed on a piece of paper and stuck on the wall.

    HTTP STS helps mitigate the damage to some extent but it doesn't solve the underlying problem of the lack of a suitable WPA mode for hotspot operators.

  2. Re:HTTPS on iPhone Apparently Open To Old Wi-Fi Attack · · Score: 2

    It's SUPPOSED to be carried over https.

    Unfortunately people rarely go to websites by typing in a https url. They go to websites by typing something in a search box or by typing in a url without protocol (which for historical reasons defaults to http). This gives an attacker an opportunity to hijack things before the user switches to https and keep the client on plain http as the connection from attacker to server switches to https.

    There is a new spec called http strict transport security which tries to mitigate this by allowing servers to tell the browser "if in future you see a http url pointing to me use https instead". TFA is complaining that iOS doesn't implement this new spec while Android does and also complaining that carriers set up open wifi networks by default (though honestly even if they didn't most users would probably end up adding several open wifi networks manually because wifi is usually faster and cheaper than cellular data).

  3. Re:Fuel producers != Aircraft owners on FAA Wants All Aircraft Flying On Unleaded Fuel By 2018 · · Score: 1

    And then they need to show that the new fuel formulation won't adversely affect reliability and get the paperwork done to let people fly it legally either by recertifying every plane or by making a blanket rule that the new fuel can be considered equivalent and legally flown in any plane certified for the existing fuel.

    That is the big difference between cars and planes, in a car if your engine dies it's an inconvenience but unlikely to cause significant damage to the vehicle or to be life threatening (unless you set out on a trip with totally inadequate preparation). AIUI while pilots try to avoid situations where an engine failure would lead to a crash there are some flights where it is basically unavoidable (consider taking off from an airport in a dense urban area, what do you do if your engine fails and you don't have enough altitude yet to turn and glide back in) so aircraft engines are held to much higher standards than car engines.

  4. Re:Brilliant example on Man Who Sold $100 Million Worth of Pirated Software Gets 12 Years In Prison · · Score: 1

    Agilent Technologies are a company that demerged from HP taking the test equipment business and a few other bits and pieces. They also produce (or at least produced, I think they may have spun it off.........) some very expensive software for RF circuit design.

    Our labs at uni are full of HP/agilent gear.

  5. Re:It happened to bananas, too on Disease Outbreak Threatens the Future of Good Coffee · · Score: 1

    Wikipedia claims

    "In the 1950s the Panama disease, a wilt caused by the fungus Fusarium oxysporum, wiped out vast tracts of ‘Gros Michel’ plantations in South America and Africa, but the cultivar survived in Thailand."

    I know Wikipedia can be manipulated but still I trust it more than an anonymous coward on /.

  6. Re:It'll do a lot for pre-installed Linux too... on XP's End Will Do More For PC Sales Than Win 8, Says HP Exec · · Score: 1

    Afaict at the moment you can still order new computers (and not just new old stock ones) with win7 licenses.

    I suspect what MS will do when they end that is allow companies to sell machines pre-downgraded for a while. So you will be able to get machines with win7 but you won't find them in places like PC world, it will count as a win 8 sale, you will have to pay the extra for the pro edition and you may have to select from the "business" range rather than the consumer range.

  7. Re:static & dynamic IPv6 addresses on One Year After World IPv6 Launch — Are We There Yet? · · Score: 1

    Right, the level of privacy offered to a home user by IPv6 with privacy extensions is comparable to the level of privacy offered by an IPv4 NAT which has a WAN side IP of comparable stability to your IPv6 prefix. They can identify traffic as coming from your house but they can't track an individual device over time.

  8. Re:It is all software, really on Sony's PS4 To Have Less Stringent DRM Than Microsoft's Xbox One · · Score: 1

    I don't use the online services for games consoles much (I don't have a live account at all and I haven't logged into PSN since the hack) and iirc pretty much every new game I've put into a current gen console* has demanded a firmware update.

    One game even updated the firmware from disc then updated itself (yeah I have a network cable connected, maybe I shouldn't), then went on to demand another firmware update (or maybe it was the other way round, demanding another firmware update and then updating itself).

    *PS3, XBOX 360 and Wii.

  9. Re:static & dynamic IPv6 addresses on One Year After World IPv6 Launch — Are We There Yet? · · Score: 1

    Traditionally dynamic allocation of IP addresses was done based on MAC addresses. This is simple and predictable but it also allows servers to track individual clients over long periods of time and to continue to track them if they move to a different network.

    Privacy extensions provides short lived random IP addresses within the subnet. So the server can still see what subnet you are coming from but it can't tell whether the machine that is talking to it now is the same machine it talked to yesterday.

  10. Re:I always thought... on One Year After World IPv6 Launch — Are We There Yet? · · Score: 1

    IPv6 tries to simplify routing

    AIUI they gave up on that idea some time ago. Afaict the proposals for simplifying routing were based on the assumptions that the internet is hierarchical. In reality the internet is a loose grouping of autonomous systems with varying relationships that somehow manage to get packets to the right place most of the time. No one with a significant sized network wants to readdress when one of their upstreams changes and they certainly don't want to readdress when one of their upstream's upstreams changes.

    So IPv6 routing in practice is pretty much the same as IPv4 routing except there is less legacy cruft around and we can afford to be reasonably generous in allocations meaning the average number of prefixes per AS is lower.

  11. Re:Comcast's approaches on One Year After World IPv6 Launch — Are We There Yet? · · Score: 1

    I read that Comcast was providing DS-lite

    Last I heard comcast had trialled ds-lite but hadn't taken it to full production. Has that changed?

    That sounds to me like the best solution, in that it uses zero public IPv4 addresses

    The AFTR that the ds-lite clients connect to needs a pool of public IPv4 addresses. So in terms of public IPv4 address usage it's comparable to dual stack with conventional ISP level IPv4 NAT. It's probably slightly worse on public IPv4 usage than NAT64 because there is less pressure for people to enable IPv6 on their end systems.

    IMO DS-lite is probably the least horrible solution to IPv4 exhaustion since it allows the ISP access network to be v6 only, allows for IPv4 only client devices behind a CPE that handles the DS-lite implementation, avoids the complications of double NAT and avoids fucking with DNS. However it is still inferior to having your own public IPv4 address.

  12. Re:In soviet Cuba on One Year After World IPv6 Launch — Are We There Yet? · · Score: 1

    Is that "latency impact" comparing v4 and v6 connections from the same user (and ignoring users who only used one type of connection) or is it comparing all v6 packets to all v4 packets?

    In the latter case it could just be that those on bad connections are more likely to lack IPv6 support.

  13. Re:But its still difficult on One Year After World IPv6 Launch — Are We There Yet? · · Score: 1

    A stateful firewall is in general less complex than a NAT. A stateful firewall has to understand what the higher level protocols are doing to a sufficient extent to decide what to block. A NAT has to understand what the higher levels are doing and know enough about the packets to alter them.

    But that is beside the point. Between servers that aren't available on v6 and residual end systems that don't support IPv6 out of the box (if at all) home routers are going to have to keep doing IPv4 for the foreseeable future. So when considering the requirements of IPv6 we need to consider the requirements of adding IPv6 support. Not the requirements of replacing IPv4 support with IPv6 support.

  14. Re:...and device runtime with stay the same on New All-Solid Sulfur Based Battery Outperforms Lithium Ion · · Score: 1

    By "nuclear battery" I presume you mean a radioisotope thermal generator.

    There are a few issues with those.

    1: they provide power at a predetermined gradually reducing rate whether you use it or not. Fine for something like a pacemaker where power draw is likely relatively constant and tolerable for something like a spacecraft where the need for long duration would probably justify combining a RTG with more conventional rechargeable batteries. Probably not so good for a laptop or smartphone.
    2: the material is expensive to produce and expensive to safely dispose of.
    3: all the regulatory issues surrounding nuclear.

  15. Re:Point 3 will be fiercely fought. on CRTC Unveils New Wireless Code To Protect Canadian Customers · · Score: 3, Insightful

    If "brazil telecom" charges exorbitant roaming fees to the Canadian carriers and provides no mechanism to cut users off when they reach their roaming limit then the Canadian carriers need to either negotiate a better roaming deal with "brazil telecom", or stop enabling roaming to "brazil telecom" by default.

  16. Re:Physical Access on Researchers Infect iOS Devices With Malware Via Malicious Charger · · Score: 1

    At least on my HTC phone you can either permanently set how you want it to appear to a USB host device or you can have it ask every time.

    Even if you set it to "charge only" it still has to negotiate to comply with the USB spec. A bug in the USB negotiation code could leave things wide open.

    And of course there is no guarantee that people won't set their phones to default to something other than charge only. A malicious charger isn't an attack vector that most people will be thinking about.

  17. Re:Copper's got some HUGE advantages over fiber on Ask Slashdot: What Is the Future of Old Copper Pair Technology? · · Score: 1

    There's another scenario other than "buried" or "strung", which is "in a conduit".

    I'm not sure if you meant to include underground ducts in your definition of conduit or not but my understanding is the problem in many places is the ducts haven't been touched in years. So while it's not as bad as direct buried cable there is still a lot of digging needed to deal with ducts that are no longer possible to pull stuff through.

  18. Re:Copper? on Ask Slashdot: What Is the Future of Old Copper Pair Technology? · · Score: 1

    What is cellular internet like in Norway? My experience in the UK is it's tolerable for use when on the go but that DSL is far superior in cost, performance and service characteristics (cellular connections at least from O2 have private IPs and forced proxying through a proxy that recompresses images).

  19. Re:Copper? on Ask Slashdot: What Is the Future of Old Copper Pair Technology? · · Score: 1

    And also when you say "bandwidth" (really data rate) do you mean

    1: the minimum guaranteed data rate (if any)
    2: the theoretical maximum data rate of the technology
    3: for "rate adaptive" services (most DSL) the "sync rate" of your line
    4: the data rate achievable end to end under average conditions
    5: the average data rate the provider will let you use without kicking you off or charging you extra.

    Similarly for latency do you mean the minimum latency, average latency or maximum latency?

  20. You ask about several separate things. on Ask Slashdot: What Is the Future of Old Copper Pair Technology? · · Score: 1

    I think twisted copper as a system of long distance wiring will gradually become less common but won't go away completely for years. Some telcos will likely phase it out quicker than others.

    I think traditional twisted pair telco interfaces (pots, ISDN BRI, ISDN PRI, inband T1 etc) will remain available for those who want to buy them regardless of the physical plant the telco is using. However I also think such services will likely be priced higher than comparable services delivered by more modern technologies and as such businesses will gradually move away from them just as most businesses have already moved from ISDN BRI to DSL. IIRC the telcos already use adaptor boxes to run T1 down a single pair rather than the traditional two pairs and also use adaptor boxes to run T3 over fiber because of the very low distance limits of T3 over copper so I can't imagine it would be a big deal for them to do a converter box for T1 over fiber.

    I think Twisted pair as an in-building wiring technique is likely to stay around for the foreseeable future because over short distances the ease of termination and low cost of end hardware outweighs the cost of the copper. However I think that phone signals over said twisted pair will increasingly be VOIP over ethernet rather than analog voice or traditional digital voice systems. Again some companies will likely move slower than others.

  21. Re:more than one usb? on UDOO Looks To Combine Best of Raspberry Pi, Arduino · · Score: 1

    While one port is a device port I believe it could be converted to a second host port with some relatively minor hackery.

    Having looked at the schematics I believe the following steps should do it

    1: put a blob of solder between the ground and ID pins of the mini-USB connector (this step may be able to be avoided either by finding a source of mini-B plugs with the ID pin accessible or by forcing things in software)
    2: hack up a USB cable to adapt the connectors and inject power.

    Note: I have not tested these steps and do not intend to test them until and unless I have a need for a second host port in a beaglebone black based project.

    Another option that might be worth looking into for the GGPs application is to ditch the USB audio and look into I2S.

  22. Re:Best of? on UDOO Looks To Combine Best of Raspberry Pi, Arduino · · Score: 1

    Beaglebone series: more CPU power than a Pi and plenty of IO including analog inputs. The original beaglebone white was quite a bit cheaper than the udoo and the beaglebone black is cheaper still (though slightly more than a Pi)

    Now granted the udoo is dual/quad core while the beaglebone black is only single core but I bet the hype round this will lead to it getting used where the beaglebone black is a better fit.

  23. Re:Flying Cars on OK City Data Center Built To Withstand Winds Up To 310 MPH, Says Contractor · · Score: 1

    plus huge energy savings to boot.

    Afaict that depends hugely on the climate.

    For a building with significant waste heat generated inside such that it needs cooling even in winter whether you want insulation depends on how the outside and desired inside temperatures compare.

    If the outside temperature is generally hotter than the inside temperature then insulation is blocking heat leaking in so you want as much of it as possible.

    OTOH if the outside temperature is generally colder than the inside temperature then insulation is blocking heat leaking out (and remember you are TRYING to get heat out of the building) so you want as little of it as possible.

    This is a very different situation from a house, in a house typically relatively little waste heat is generated internally so you want good insulation in both hot and cold climates.

  24. Re:Except is an *Overstated* Bug on Bug In Samsung S3 Grabs Too Many Images, Ups Data Use · · Score: 1

    It's already done while making the original jpg's, there's nothing gained by recompressing them.

    When making a jpeg you can decide how much of the high frequency information to throw away. Some mobile networks are quite prepared to throw away more of it than the original site author did to save bandwidth.

    There are also in many cases ways to reduce the size while keeping the quality. AIUI most jpeg creators use the default Huffman coefficients rather than calculating and specifying an optimised set so there are size savings to be made there. More savings can be made by using arithmetic coding but if you do that you break compatibility with some decoders so I don't think many systems do (though I recently found out the hard way that recent versions of jpegcrop use arithmetic coding by default when pdflatex wouldn't read the resulting file).

  25. Re:That's not the point on New York City Wants To Revive Old Voting Machines · · Score: 1

    AIUI the USA has unusually complex elections, with often substantial numbers of propositions and elections for minor local positions (judges etc) whereas most other democracies have much simpler elections.

    Not saying whether it is better or worse just saying it explains why they are more interested in automation.