Back in the late 90s I used to work as a stage AV technician to pay my way through university, and I remember one weekend borrowing 16" projection screen and 3 gun video projector, setting it up in the backyard with a Bose PA system and playing Descent with a bunch of friends on the screen. It was mindblowing, although the 3D was so immersive it was had to avoid occasiionally geting nauseous. So yeah I'm fairly sure in VR it could definately cause nausea too.
Played overload in VR for hours on end. Expected to throw up going in - turned out to be a lot of fun. Never felt sick.
Having cockpit, constant speed and lots of translate/strafing motions makes it a safer bet even for VR noobs.
We need more pci-e lanes on the desktop and high end gaming systems.
AMD has more on both and on there high end gaming / workstations chips all cpus have the same number of lanes. Unlike the intel ones where min cpu cost is $1000 just to get the same number lanes that can $350-$500 chip used to have.
AMD also has ECC. Intel would rather play games and intentionally withhold it to upsell Xeon.
We don't need that ability if lack of CT causes the connection to bust.
I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.
There's DNS CAA
Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.
Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.
In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.
This is widely known. Similar to HSTS having the latch in practice useful or at least better than nothing. Heck virtually the entire constellation of DV certs currently deployed is based on the same leap of faith as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.
It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system
I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the falling of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.
In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.
OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"
Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically operationally end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CA's exist in the world today? How many are state run? By political and commercial rivals?
(and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.
First I walk back nothing. When I said NSA I didn't really mean NSA specifically I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.
Second yes it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, increasing coziness of Alphabet with government and fact every damn secure everything platform always manages to eventually get subverted either through sale to a bigger fish or internal policy changes I suspect there is a good chance of it ringing true.
The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyone? What is the incentive for that? I have yet to hear a reason that passes sniff test. I think the answer is more likely than not to be pressure from government. CT is simply NOT a replacement for HPKP. Simply put governments don't care about "getting caught".
We don't need that ability if lack of CT causes the connection to bust.
I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.
There's DNS CAA
Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.
Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.
In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.
This is widely known. Similar to HSTS having the latch in practice useful or at least better than nothing. Heck virtually the entire constellation of DV certs currently deployed is based on the same leap of faith as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.
It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system
I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the falling of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.
In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.
OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"
Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically operationally end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CA's exist in the world today? How many are state run? By political and commercial rivals?
(and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.
First I walk back nothing. When I said NSA I didn't really mean NSA specifically I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.
Second yes it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, increasing coziness of Alphabet with government and fact every damn secure everything platform always manages to eventually get subverted either through sale to a bigger fish or internal policy changes I suspect there is a good chance of it ringing true.
The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyon
HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.
Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.
If your website was gearing up for protest against local dictator and chief and they conspired against you obtaining a MITM cert from your CA and properly logged it to transparency log accordingly that information sure as hell won't do your users any good who are now being rounded up thanks to this ridiculous assertion of equivalence.
Certificate transparency *IS* a good thing and it is worth doing yet value offered by each approach does not fully overlap. Removal of HPKP only reduces security. It does not improve it.
This can all be boiled down to, "If everyone only accepted packets from those they trust, and applications were infinitely secure, there would be no need for advanced routing methodology!".
Managing trust isn't effectively feasible at the network layer. It requires higher level context only available at higher layers of the stack.
Given the fact absolutely nothing is "infinitely secure" my assertion is limited to the observation spending resources securing applications provides a higher ROI than wasting them on fools errand that is "network security".
Funny you mention that, since the DNS infrastructure is nothing but a massive mix of anycast routing
Route optimization is a basic feature of network routing. If a given point "B" has multiple possible endpoints it is the job of the network to pick the best path to the best endpoint no different than selecting best path to a single endpoint.
and load balancers.
The reason why there are only a dozen root servers was due to packet size constraints and management concerns with lack of automated update mechanism for root lists. It was a shitty design from the start. DNS also lacks defined functionality to effectively persistently monitor status of redundant pointers.
DNS is however a good high level example even though nuts and bolts of implementation is a bit crummy.
Furthermore, unless you're talking about turning it into some insane global torrent like reachability hash with terrible reachability heuristics, that isn't set to change any time soon.
I was never fond of bit torrent. On more than one occasion I was modded to oblivion by poking fun of it mostly on grounds it was too transparent and that transparency was a lightning rod for damaging political pressures on the Internet.
Yet I do remember being very impressed with some snazzy locality shit making it in to the point that you would end up being best buddies with people on or near you from ISP/network perspective. There were also efforts out of the IETF such as ALTO (RFC7285) to provide applications with topology data so they can make better decisions.
If only parking lots were suitably engineered, we wouldn't need stop lights, onramps, freeways, or anything else.
In a distant future where all driving is automated you can do a lot that isn't possible today. Strings of vehicles can draft each other in close formation to significantly reduce energy utilization. Traffic lights may well not exist as vehicles weave thru intersections in ways that would be suicidal to human controlled vehicles. Yet things like freeways are topological connecting distant population centers so I wouldn't expect it to change very much but who knows.
No, I'm sorry. You're flat out wrong. The problem with all of your musing, is that it's simplified to the point of impossibility- possibly absurdity.
There is nothing simple about any of it. Complexity isn't just vanishing into thin air it is being moved from general domain of network infrastructure to the application domain where more opportunities exist to address concerns in a more efficient domain specific manner that would not otherwise be feasible with general purpose network based solutions.
It ignores the reality of the system for the sake of idealism. "If only it were more ideal, then I'd be right!"
Nothing is being ignored. Things are just being moved to where concerns can be more optimally leveraged.
It never has been, and it never will be. I'm sorry. This is no longer an applied discussion, it's a philosophical one, on par with a religious debate.
Whether you like it or agree with it the transition is already underway.
At more complicated levels, distributed switching, VPN/Labeling protocols, layer-4 switching, IPVS/load balancing, anycast routing.
None of this is necessary for packet forwarding. These things are all band-aids to make up for fundamental deficiencies in application stacks.
Perhaps the carrier grade networks of the world should employ you, so that you can show us what we're doing so wrong.
What did I say you were doing wrong?
Erm... Again, how the fuck do you think the data gets to you? Do you think high availability and scaling to millions of users comes from simple routing tables running on netgears?
I've always assumed a bunch of expensive routers with power hungry TCAMs and smart people to manage physical topology and TE.
How about office virtualized networks across metro areas (and further)?
Why are they virtualized? Is virtualization necessary to move packets? Or is it done to give people their own private wire?
Last I checked, we keep about 750,000 prefixes and close to 100,000 entirely autonomous networks connected with our shitty control planes.
Only 61k with anything to announce. I'm not sure what makes this relevant. When I said management I was talking about operators managing their networks not pulling a full table from external networks.
If I understand you correctly, you propose that as an alternative to protected networks and blocking packets, we should rely on the application?
Network security is not only "ridiculous and wasteful" it's harmful and dangerous because footholds are too easy to attain. As a result when you rely on the network for protection all an adversary has to do is drill one tiny hole thru your castle wall and gooey center of unprotected systems is theirs for the taking.
Contrast that with systems that simply ignore message without the proper cryptographic signatures. In this case having access to the network wins you nothing.
Can you really not see why that is ridiculous and wasteful? It sounds to me like you are proposing that there is no such thing as a secure network. This is beyond stupid.
No, yet I can see why relying on "network security" is in fact dangerous, ridiculous and wasteful.
From a simple architectural standpoint, things like "application availability" absolutely must be done at the network layer, unless you've got some serious
Only shitty ones that were not architected for horizontal scaling and redundancy in the first place. Distributed systems generally have some kind of director responsible for managing access to resources and minimizing effects of failures occurring within a "string" group.
magic tricks up your sleeves. Computers die, network-based attacks happen at protocol or application layers, networking equipment dies. Oh, I know... We can just use client-side redundancy and have 112,554 A records for a name. That'll work.
DNS is a reasonable example of a distributed application with redundancy baked in. SMTP and HTTP are common examples of epic fail in this regard which is just awesome for everyone in the business of selling load balancers.
It isn't though, and you can't back up that assertion. Complexity is not automatically bad. KISS doesn't mean make it simple beyond what it takes to do the job. It means do the job as simple as possible
If someone wants a private network that I carry around for them, i have VRF. If I need a machine that can communicate out 6 different networks with different gateways, I have PBR. The applications have become more demanding than I think you realize.
In a world where applications are properly designed your L4/VPN/load balancing/VLAN/*** alphabet soup would be redundant and pointless. There would be no be
There is both truth, and utter fallacy in this statement. What's worse, is it belies complete ignorance to the topic at hand.
The only service necessary for a network to provide is to get some predefined quantity of packets with some probability of success from point A to point B.
No, I'm sorry. Network isolation is not better handled at a 'more application appropriate manner' at higher layers.
It absolutely is especially across administrative domains. Only packets are not isolated. Data and access to that data using means a heck of a lot more secure then what passes for management plane of most "carrier grade" networks are used.
I think you're speaking for a very application-centric viewpoint, with no idea how data actually gets to you.
Yes, applications are the only things anyone cares about. Nobody cares about wires and packets nor should they.
When people waste time trying to add "security, application availability, isolation and management regimes" to networks they only get more complex for no reason and as a result the probability of successful delivery of packet from point A to point B is diminished or at least a lot more expensive than it otherwise would given the same investment in capability.
I operate a carrier-grade network.
As much as I wish all the idiosyncrasies of modern internet traffic and applications allowed for simple routing paradigms, they simply do not.
Please don't misunderstand what I'm saying. It's not that if I were in your shoes I would do anything any differently. We all must live within the context of our time. I'm not saying your wrong or course of action isn't rational and logical. It's just that it's architecturally very much a dead end.
We have seen containers filling in a niche that VMs never did suit very well. They are nowhere fuuuuuucking close to supplanting them, for the same reason. You can't use a container to replace the cases where you need a VM.
This is not about someone needing to spin up a VM for some immediate need. It's about WHY they felt they needed to do that in the first place. What was it that they were trying to do? For the most part people want to manage software at higher levels of abstraction than what underlying operating system of single computers would allow. VMs were simply the fastest way to fill that need and get from point A to point B.
Containers are a better step in the right direction of providing what users really wanted in the first place. VM is a temporary wasteful unnecessarily complex modality on the decline as solutions more in line what people really wanted in the first place come online.
None of that has anything to do with the reasons those things exist. It's about
From my simpleton know nothing experience castle defense is the central reason.
The network is the wrong layer for security, application availability, isolation and management regimes.
These things can all be handled more effectively in a more application appropriate manner at higher layers.
As we have seen with containers supplanting virtual machines, rise of E2E security, application controlled overlays and supplanting of VPNs the transition is already well underway.
You can continue to build castle walls, fill the motes with alligators and police your cobblestone roads to your hearts desire but don't pretend there is any future in it.
Yet as someone responsible for that much, you didn't switch to iproute2 for network stack management a decade ago? I had to. If you're still administrating linux with ifconfig, route, and netstat, you're just a kid. In your case, a kid with a significant amount of responsibility, but you're still building with legos. Here in the big kid world, we have policy routing, vrf, differently scoped addresses and a myriad of other complicated network requirements.
PBR/VRF are right up there with systems virtualization as band-aids to side step much deeper architectural deficiencies. Complexity in the network is something to be embarrassed about not celebrated.
Wait until you see the replacement for the killall command
Already seen distros with it missing. Even went through ticketing system and found some genius spewing nonsense about it not being compatible with other (SysV) systems as justification.
From what I remember back in the day killall really lived up to its name on Solaris et el.
After all these years to pull that card now when its more irrelevant than ever without any study or hint of repercussions and pour salt on the wound by suggesting replacing it with pkill which is not feature compatible and does not have a wait for completion option is really disappointing but not unsurprising.
It's the same type of people... the ones who spend all their time on Wikipedia deleting articles or combing code so that everything is perfectly in-tuned to their mental wavelength. It's what happens when obsessive compulsive types are left to their own devices in an unsupervised environment.
Installing more programs by default makes the install image larger (in megabytes) and take longer (in seconds). It also increases the attack surface, as more lines of code generally* mean more defects that an intruder can exploit to either gain initial access or elevate privilege.
If you look at "ping" for example which is an suid program its behavior depends on calling process name. There are not really two versions of ping on disk. There is one program that behaves differently depending on whether it is executed as "ping" or "ping6" because it checks calling name and changes internal behavior accordingly.
Even if the programs were physically separate nothing would change WRT to "attack surface". The structure and nature of the code are what matters not the number of programs.
Besides in most cases none of the processes involved/w TFA are actually privileged. There is no suid bit on either ifconfig or netstat. It's hard to see a compelling case for mere presence of unprivileged software increasing "attack surface". If there is a new kernel interface (/proc, netfilter, ioctl or whatever) accepting unprivileged access then that interface presents a risk whether or not associated program is installed or not.
IP aliases have always and still do appear in ifconfig as separate logical interfaces.
The assertion ifconfig only displays one IP address per interface also demonstrably false.
Using these false bits of information to advocate for change seems rather ridiculous.
One change I would love to see... "ping" bundled with most Linux distros doesn't support IPv6. You have to call IPv6 specific analogue which is unworkable. Knowing address family in advance is not a reasonable expectation and works contrary to how all other IPv6 capable software any user would actually run work.
Heck for a while traceroute supported both address families. The one by Olaf Kirch eons ago did then someone decided not invented here and replaced it with one that works like ping6 where you have to call traceroute6 if you want v6.
It seems anymore nobody spends time fixing broken shit... they just spend their time finding new ways to piss me off. Now I have to type journalctl and wait for hell to freeze over just to liberate log data I previously could access nearly instantaneously. It almost feels like Microsoft's event viewer now.
I don't think so. The fact that it can encompass many different degrees of "intelligence" or some simulation thereof does not make it meaningless. That's like saying the term "vehicle" is meaningless because it can encompass a horse-drawn cart, a transport truck, a train, and the space shuttle.
What on earth is the point in saying "vehicle" when one could just as easily say car or rocket ship? Who does that?
At the very least if I were to say "vehicle" most people would assume car/truck and they would be right.
It's not just "AI" lacks specificity it's that it means radically different things to different people. It would be as if "vehicle" conjured image of a scooter to half of your audience and a spaceship to the other half. Piss poor way to communicate.
Great for marketing though. Your shitty "AI" product looks amazing to those who relate "AI" to "spaceship".
The definition of "artificial intelligence" does not include consciousness, nor magical powers. Nor does it require intelligence. You see, that's why the word "artificial" is placed in front of the word "intelligence." It isn't intelligence. It isn't supposed to be intelligence.
Problem with words like "AI" and "Cloud" they convey no more useful information than saying "that thing". They can mean anything by themselves. It is only with qualifying context can useful information be exchanged.
Default mental picture of what they represent varies so wildly by individuals as to be a total write off. It's counterproductive to bother to invoke them at this point.
Your belief that that which is currently labeled "AI" doesn't actually qualify as "AI" is simply false, and is founded entirely on your complete ignorance as to what the word "AI" actually means. You are using the word wrong, and that's a fact.
Language belongs to everyone not just yourself or the people who write dictionaries. What languages means depends on what society says it means at any point in time.
The fact is "AI" has become an empty meaningless term.
The world could have much more arable land thanks to climate change in the future. Rumors of the demise of human beings or the universally negative consequences of climate change have been greatly exaggerated.
Rumors of the demise of human beings or the universally negative consequences of WAR have been greatly exaggerated.
When I discuss the topic with friends, I generally refer to it as anthropogenic climate improvement.
When I discuss the topic with friends, I generally refer to it as defense industry stock improvement.
Data on MicroSD is not secured by phone password. The sooner it goes extinct the better.
Factually incorrect, try again later.
3300 mAh battery is an insult. Having said that, most people crack the screen before the battery is due for upgrade
Since when is 3300 mAh an "insult"? It's at the top of the range of flagship phones from all major competitors. It's way more than iPhone X that costs at least twice as much and is about the same size.
Myth batteries outlast devices is an amusing one given market for battery replacement services and aftermarket batteries.
It has AMOLED display, not LCD. IPS (in-plane switching) is a screen technology for liquid-crystal displays (LCDs).
This is common knowledge. I want an IPS (LCD) display.
OLED displays are worse than LCD in the areas of reliability and daylight visibility. OLED isn't worth it to me.
Price is ridiculously low. Find me another unlocked AMOLED 6" phone that supports 71 LTE bands for $500
71 is a band not the number of bands supported. There are no 71 band LTE phones available from anyone at any price.
The price *IS* ridiculous for a cell phone period. You are free to disagree with me and buy one. I won't.
The black on an OLED display is BLACK, when I use my OLED in bed at night, it's vastly superior to IPS.
Some are bothered by signature "IPS glow". I happen not to notice / care. For myself light sensor auto adjusting backlight brightness for environment makes display no better or worse in day vs night. At least I can see the damn screen outside when the sun is shining.
More power to you wanting one I suppose? I'd never go back. Doubly so when using a VR headset attachment.
Have Rift HMD (OLED) ordered day 1. Not impressed with god rays nor dirty sheens that follow you wherever you look in low light/contrast scenes. This only gets worse with use as elements drift further out of calibration. More than anything what I hate the most is this ridiculous black smearing from lag in powering up portions of display since otherwise "black" would be a very dim red color due to OLED leakage current. This royally sucks ass in my space game. Would take reddish black any day over inane smearing but Facebook apparently knows what I REALLY want better than I do. Don't ever buy an HMD from Facebook. Just don't.
Oculus GO is yet another shitty mobile phone-esq 3DOF experience complete with underpowered mobile GPU and drumroll... an LCD display. Nothing that interests me in the slightest however everyone who has tried both think GO LCD display is much better than Rifts.
Slashdot Mirror
Is there even any 5.1 music available??
The people I feel most sorry for are commercial customers of github paying for version control as a service.
Waking up one day to find out your competitor is not only hosting but has access to all your proprietary source code must royally suck.
Back in the late 90s I used to work as a stage AV technician to pay my way through university, and I remember one weekend borrowing 16" projection screen and 3 gun video projector, setting it up in the backyard with a Bose PA system and playing Descent with a bunch of friends on the screen. It was mindblowing, although the 3D was so immersive it was had to avoid occasiionally geting nauseous. So yeah I'm fairly sure in VR it could definately cause nausea too.
Played overload in VR for hours on end. Expected to throw up going in -
turned out to be a lot of fun. Never felt sick.
Having cockpit, constant speed and lots of translate/strafing motions makes it a safer bet even for VR noobs.
We need more pci-e lanes on the desktop and high end gaming systems.
AMD has more on both and on there high end gaming / workstations chips all cpus have the same number of lanes. Unlike the intel ones where min cpu cost is $1000 just to get the same number lanes that can $350-$500 chip used to have.
AMD also has ECC. Intel would rather play games and intentionally withhold it to upsell Xeon.
Phones aren't really PCs.
They are small portable pocket sized personal computers.
They're too locked down to be used for developing software.
Yours maybe, not mine.
We don't need that ability if lack of CT causes the connection to bust.
I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.
There's DNS CAA
Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.
Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.
In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.
This is widely known. Similar to HSTS having the latch in practice useful or at least better than nothing. Heck virtually the entire constellation of DV certs currently deployed is based on the same leap of faith as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.
It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system
I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the falling of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.
In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.
OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"
Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically operationally end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CA's exist in the world today? How many are state run? By political and commercial rivals?
(and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.
First I walk back nothing. When I said NSA I didn't really mean NSA specifically I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.
Second yes it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, increasing coziness of Alphabet with government and fact every damn secure everything platform always manages to eventually get subverted either through sale to a bigger fish or internal policy changes I suspect there is a good chance of it ringing true.
The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyone? What is the incentive for that? I have yet to hear a reason that passes sniff test. I think the answer is more likely than not to be pressure from government. CT is simply NOT a replacement for HPKP. Simply put governments don't care about "getting caught".
We don't need that ability if lack of CT causes the connection to bust.
I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.
There's DNS CAA
Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.
Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.
In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.
This is widely known. Similar to HSTS having the latch in practice useful or at least better than nothing. Heck virtually the entire constellation of DV certs currently deployed is based on the same leap of faith as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.
It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system
I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the falling of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.
In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.
OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"
Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically operationally end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CA's exist in the world today? How many are state run? By political and commercial rivals?
(and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.
First I walk back nothing. When I said NSA I didn't really mean NSA specifically I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.
Second yes it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, increasing coziness of Alphabet with government and fact every damn secure everything platform always manages to eventually get subverted either through sale to a bigger fish or internal policy changes I suspect there is a good chance of it ringing true.
The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyon
Certificate transparency = distributed HPKP
HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.
Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.
If your website was gearing up for protest against local dictator and chief and they conspired against you obtaining a MITM cert from your CA and properly logged it to transparency log accordingly that information sure as hell won't do your users any good who are now being rounded up thanks to this ridiculous assertion of equivalence.
Certificate transparency *IS* a good thing and it is worth doing yet value offered by each approach does not fully overlap. Removal of HPKP only reduces security. It does not improve it.
This can all be boiled down to, "If everyone only accepted packets from those they trust, and applications were infinitely secure, there would be no need for advanced routing methodology!".
Managing trust isn't effectively feasible at the network layer. It requires higher level context only available at higher layers of the stack.
Given the fact absolutely nothing is "infinitely secure" my assertion is limited to the observation spending resources securing applications provides a higher ROI than wasting them on fools errand that is "network security".
Funny you mention that, since the DNS infrastructure is nothing but a massive mix of anycast routing
Route optimization is a basic feature of network routing. If a given point "B" has multiple possible endpoints it is the job of the network to pick the best path to the best endpoint no different than selecting best path to a single endpoint.
and load balancers.
The reason why there are only a dozen root servers was due to packet size constraints and management concerns with lack of automated update mechanism for root lists. It was a shitty design from the start. DNS also lacks defined functionality to effectively persistently monitor status of redundant pointers.
DNS is however a good high level example even though nuts and bolts of implementation is a bit crummy.
Furthermore, unless you're talking about turning it into some insane global torrent like reachability hash with terrible reachability heuristics, that isn't set to change any time soon.
I was never fond of bit torrent. On more than one occasion I was modded to oblivion by poking fun of it mostly on grounds it was too transparent and that transparency was a lightning rod for damaging political pressures on the Internet.
Yet I do remember being very impressed with some snazzy locality shit making it in to the point that you would end up being best buddies with people on or near you from ISP/network perspective. There were also efforts out of the IETF such as ALTO (RFC7285) to provide applications with topology data so they can make better decisions.
If only parking lots were suitably engineered, we wouldn't need stop lights, onramps, freeways, or anything else.
In a distant future where all driving is automated you can do a lot that isn't possible today. Strings of vehicles can draft each other in close formation to significantly reduce energy utilization. Traffic lights may well not exist as vehicles weave thru intersections in ways that would be suicidal to human controlled vehicles. Yet things like freeways are topological connecting distant population centers so I wouldn't expect it to change very much but who knows.
No, I'm sorry. You're flat out wrong. The problem with all of your musing, is that it's simplified to the point of impossibility- possibly absurdity.
There is nothing simple about any of it. Complexity isn't just vanishing into thin air it is being moved from general domain of network infrastructure to the application domain where more opportunities exist to address concerns in a more efficient domain specific manner that would not otherwise be feasible with general purpose network based solutions.
It ignores the reality of the system for the sake of idealism. "If only it were more ideal, then I'd be right!"
Nothing is being ignored. Things are just being moved to where concerns can be more optimally leveraged.
It never has been, and it never will be. I'm sorry. This is no longer an applied discussion, it's a philosophical one, on par with a religious debate.
Whether you like it or agree with it the transition is already underway.
Certificate transparency = Lifelock commercial.
There is no equivalence between the two systems.
It would be swell if you could ask them to please stop selling fake USB sticks and bootleg DVDs.
At more complicated levels, distributed switching, VPN/Labeling protocols, layer-4 switching, IPVS/load balancing, anycast routing.
None of this is necessary for packet forwarding. These things are all band-aids to make up for fundamental deficiencies in application stacks.
Perhaps the carrier grade networks of the world should employ you, so that you can show us what we're doing so wrong.
What did I say you were doing wrong?
Erm... Again, how the fuck do you think the data gets to you?
Do you think high availability and scaling to millions of users comes from simple routing tables running on netgears?
I've always assumed a bunch of expensive routers with power hungry TCAMs and smart people to manage physical topology and TE.
How about office virtualized networks across metro areas (and further)?
Why are they virtualized? Is virtualization necessary to move packets? Or is it done to give people their own private wire?
Last I checked, we keep about 750,000 prefixes and close to 100,000 entirely autonomous networks connected with our shitty control planes.
Only 61k with anything to announce. I'm not sure what makes this relevant. When I said management I was talking about operators managing their networks not pulling a full table from external networks.
If I understand you correctly, you propose that as an alternative to protected networks and blocking packets, we should rely on the application?
Network security is not only "ridiculous and wasteful" it's harmful and dangerous because footholds are too easy to attain. As a result when you rely on the network for protection all an adversary has to do is drill one tiny hole thru your castle wall and gooey center of unprotected systems is theirs for the taking.
Contrast that with systems that simply ignore message without the proper cryptographic signatures. In this case having access to the network wins you nothing.
Can you really not see why that is ridiculous and wasteful? It sounds to me like you are proposing that there is no such thing as a secure network. This is beyond stupid.
No, yet I can see why relying on "network security" is in fact dangerous, ridiculous and wasteful.
From a simple architectural standpoint, things like "application availability" absolutely must be done at the network layer, unless you've got some serious
Only shitty ones that were not architected for horizontal scaling and redundancy in the first place. Distributed systems generally have some kind of director responsible for managing access to resources and minimizing effects of failures occurring within a "string" group.
magic tricks up your sleeves. Computers die, network-based attacks happen at protocol or application layers, networking equipment dies. Oh, I know... We can just use client-side redundancy and have 112,554 A records for a name. That'll work.
DNS is a reasonable example of a distributed application with redundancy baked in. SMTP and HTTP are common examples of epic fail in this regard which is just awesome for everyone in the business of selling load balancers.
It isn't though, and you can't back up that assertion.
Complexity is not automatically bad. KISS doesn't mean make it simple beyond what it takes to do the job. It means do the job as simple as possible
If someone wants a private network that I carry around for them, i have VRF.
If I need a machine that can communicate out 6 different networks with different gateways, I have PBR. The applications have become more demanding than I think you realize.
In a world where applications are properly designed your L4/VPN/load balancing/VLAN/*** alphabet soup would be redundant and pointless. There would be no be
There is both truth, and utter fallacy in this statement. What's worse, is it belies complete ignorance to the topic at hand.
The only service necessary for a network to provide is to get some predefined quantity of packets with some probability of success from point A to point B.
No, I'm sorry. Network isolation is not better handled at a 'more application appropriate manner' at higher layers.
It absolutely is especially across administrative domains. Only packets are not isolated. Data and access to that data using means a heck of a lot more secure then what passes for management plane of most "carrier grade" networks are used.
I think you're speaking for a very application-centric viewpoint, with no idea
how data actually gets to you.
Yes, applications are the only things anyone cares about. Nobody cares about wires and packets nor should they.
When people waste time trying to add "security, application availability, isolation and management regimes" to networks they only get more complex for no reason and as a result the probability of successful delivery of packet from point A to point B is diminished or at least a lot more expensive than it otherwise would given the same investment in capability.
I operate a carrier-grade network.
As much as I wish all the idiosyncrasies of modern internet traffic and applications allowed for simple routing paradigms, they simply do not.
Please don't misunderstand what I'm saying. It's not that if I were in your shoes I would do anything any differently. We all must live within the context of our time. I'm not saying your wrong or course of action isn't rational and logical. It's just that it's architecturally very much a dead end.
We have seen containers filling in a niche that VMs never did suit very well. They are nowhere fuuuuuucking close to supplanting them, for the same reason. You can't use a container to replace the cases where you need a VM.
This is not about someone needing to spin up a VM for some immediate need. It's about WHY they felt they needed to do that in the first place. What was it that they were trying to do? For the most part people want to manage software at higher levels of abstraction than what underlying operating system of single computers would allow. VMs were simply the fastest way to fill that need and get from point A to point B.
Containers are a better step in the right direction of providing what users really wanted in the first place. VM is a temporary wasteful unnecessarily complex modality on the decline as solutions more in line what people really wanted in the first place come online.
None of that has anything to do with the reasons those things exist. It's about
From my simpleton know nothing experience castle defense is the central reason.
LOL. I'm unsure how to respond to this.
The network is the wrong layer for security, application availability, isolation and management regimes.
These things can all be handled more effectively in a more application appropriate manner at higher layers.
As we have seen with containers supplanting virtual machines, rise of E2E security, application controlled overlays and supplanting of VPNs the transition is already well underway.
You can continue to build castle walls, fill the motes with alligators and police your cobblestone roads to your hearts desire but don't pretend there is any future in it.
Yet as someone responsible for that much, you didn't switch to iproute2 for network stack management a decade ago?
I had to. If you're still administrating linux with ifconfig, route, and netstat, you're just a kid. In your case, a kid with a significant amount of responsibility, but you're still building with legos. Here in the big kid world, we have policy routing, vrf, differently scoped addresses and a myriad of other complicated network requirements.
PBR/VRF are right up there with systems virtualization as band-aids to side step much deeper architectural deficiencies. Complexity in the network is something to be embarrassed about not celebrated.
All of ICMP is disabled. It's antiquated, it's unnecessary, and disabling ICMP completely means the NAT routers don't need to translate ICMP.
This is what I keep telling our competitors. I sure hope they'll listen.
Wait until you see the replacement for the killall command
Already seen distros with it missing. Even went through ticketing system and found some genius spewing nonsense about it not being compatible with other (SysV) systems as justification.
From what I remember back in the day killall really lived up to its name on Solaris et el.
After all these years to pull that card now when its more irrelevant than ever without any study or hint of repercussions and pour salt on the wound by suggesting replacing it with pkill which is not feature compatible and does not have a wait for completion option is really disappointing but not unsurprising.
It's the same type of people ... the ones who spend all their time on Wikipedia deleting articles or combing code so that everything is perfectly in-tuned to their mental wavelength. It's what happens when obsessive compulsive types are left to their own devices in an unsupervised environment.
The biggest problem with "everything is a file" is that it limits you to files. Files don't generally call you, for example, you have to poll.
Don't worry, sockets are files too.
Installing more programs by default makes the install image larger (in megabytes) and take longer (in seconds). It also increases the attack surface, as more lines of code generally* mean more defects that an intruder can exploit to either gain initial access or elevate privilege.
If you look at "ping" for example which is an suid program its behavior depends on calling process name. There are not really two versions of ping on disk. There is one program that behaves differently depending on whether it is executed as "ping" or "ping6" because it checks calling name and changes internal behavior accordingly.
Even if the programs were physically separate nothing would change WRT to "attack surface". The structure and nature of the code are what matters not the number of programs.
Besides in most cases none of the processes involved /w TFA are actually privileged. There is no suid bit on either ifconfig or netstat. It's hard to see a compelling case for mere presence of unprivileged software increasing "attack surface". If there is a new kernel interface (/proc, netfilter, ioctl or whatever) accepting unprivileged access then that interface presents a risk whether or not associated program is installed or not.
TFA is full of shit.
IP aliases have always and still do appear in ifconfig as separate logical interfaces.
The assertion ifconfig only displays one IP address per interface also demonstrably false.
Using these false bits of information to advocate for change seems rather ridiculous.
One change I would love to see... "ping" bundled with most Linux distros doesn't support IPv6. You have to call IPv6 specific analogue which is unworkable. Knowing address family in advance is not a reasonable expectation and works contrary to how all other IPv6 capable software any user would actually run work.
Heck for a while traceroute supported both address families. The one by Olaf Kirch eons ago did then someone decided not invented here and replaced it with one that works like ping6 where you have to call traceroute6 if you want v6.
It seems anymore nobody spends time fixing broken shit... they just spend their time finding new ways to piss me off. Now I have to type journalctl and wait for hell to freeze over just to liberate log data I previously could access nearly instantaneously. It almost feels like Microsoft's event viewer now.
I don't think so. The fact that it can encompass many different degrees of "intelligence" or some simulation thereof does not make it meaningless. That's like saying the term "vehicle" is meaningless because it can encompass a horse-drawn cart, a transport truck, a train, and the space shuttle.
What on earth is the point in saying "vehicle" when one could just as easily say car or rocket ship? Who does that?
At the very least if I were to say "vehicle" most people would assume car/truck and they would be right.
It's not just "AI" lacks specificity it's that it means radically different things to different people. It would be as if "vehicle" conjured image of a scooter to half of your audience and a spaceship to the other half. Piss poor way to communicate.
Great for marketing though. Your shitty "AI" product looks amazing to those who relate "AI" to "spaceship".
The definition of "artificial intelligence" does not include consciousness, nor magical powers. Nor does it require intelligence. You see, that's why the word "artificial" is placed in front of the word "intelligence." It isn't intelligence. It isn't supposed to be intelligence.
Problem with words like "AI" and "Cloud" they convey no more useful information than saying "that thing". They can mean anything by themselves. It is only with qualifying context can useful information be exchanged.
Default mental picture of what they represent varies so wildly by individuals as to be a total write off. It's counterproductive to bother to invoke them at this point.
Your belief that that which is currently labeled "AI" doesn't actually qualify as "AI" is simply false, and is founded entirely on your complete ignorance as to what the word "AI" actually means. You are using the word wrong, and that's a fact.
Language belongs to everyone not just yourself or the people who write dictionaries. What languages means depends on what society says it means at any point in time.
The fact is "AI" has become an empty meaningless term.
The world could have much more arable land thanks to climate change in the future. Rumors of the demise of human beings or the universally negative consequences of climate change have been greatly exaggerated.
Rumors of the demise of human beings or the universally negative consequences of WAR have been greatly exaggerated.
When I discuss the topic with friends, I generally refer to it as anthropogenic climate improvement.
When I discuss the topic with friends, I generally refer to it as defense industry stock improvement.
Data on MicroSD is not secured by phone password. The sooner it goes extinct the better.
Factually incorrect, try again later.
3300 mAh battery is an insult. Having said that, most people crack the screen before the battery is due for upgrade
Since when is 3300 mAh an "insult"? It's at the top of the range of flagship phones from all major competitors. It's way more than iPhone X that costs at least twice as much and is about the same size.
Myth batteries outlast devices is an amusing one given market for battery replacement services and aftermarket batteries.
It has AMOLED display, not LCD. IPS (in-plane switching) is a screen technology for liquid-crystal displays (LCDs).
This is common knowledge. I want an IPS (LCD) display.
OLED displays are worse than LCD in the areas of reliability and daylight visibility. OLED isn't worth it to me.
Price is ridiculously low. Find me another unlocked AMOLED 6" phone that supports 71 LTE bands for $500
71 is a band not the number of bands supported. There are no 71 band LTE phones available from anyone at any price.
The price *IS* ridiculous for a cell phone period. You are free to disagree with me and buy one. I won't.
The black on an OLED display is BLACK, when I use my OLED in bed at night, it's vastly superior to IPS.
Some are bothered by signature "IPS glow". I happen not to notice / care. For myself light sensor auto adjusting backlight brightness for environment makes display no better or worse in day vs night. At least I can see the damn screen outside when the sun is shining.
More power to you wanting one I suppose? I'd never go back. Doubly so when using a VR headset attachment.
Have Rift HMD (OLED) ordered day 1. Not impressed with god rays nor dirty sheens that follow you wherever you look in low light/contrast scenes. This only gets worse with use as elements drift further out of calibration. More than anything what I hate the most is this ridiculous black smearing from lag in powering up portions of display since otherwise "black" would be a very dim red color due to OLED leakage current. This royally sucks ass in my space game. Would take reddish black any day over inane smearing but Facebook apparently knows what I REALLY want better than I do. Don't ever buy an HMD from Facebook. Just don't.
Oculus GO is yet another shitty mobile phone-esq 3DOF experience complete with underpowered mobile GPU and drumroll... an LCD display. Nothing that interests me in the slightest however everyone who has tried both think GO LCD display is much better than Rifts.