Posts by Lou Gosselin 487 publicly visible posts • joined 1 May 2007
It's just as much about having equal access.
Even under fixed payment plans verizon could prioritize traffic for youtube (for example) at the expense of some other service.
Net neutrality ensures that users get an equal share of bandwidth, and that they choose how they wish to allocate that bandwidth. The alternative, where verizon gets to dictate which services to prioritize, means that small scale developers will likely be at a disadvantage.
Does the US has any legal rights to prevent wikileaks from publishing anything? I don't know.
Of course it would more responsible of them to remove specific and personally identifying information before publishing it. At least they're asking the pentagon for help in this area.
As to whether or not they ought to release any of the information at all. I think the people have the right to know what their government is doing, otherwise, how can democracy possibly work? I don't think the government has a right to hide it's actions, whether or not it claims to do so legally. It works for the people and should be treated as such. Having too little transparency means no accountability.
Yes, allowing whistle blowers to speak does have negative repercussions, likely tarnishing the image of the country and potentially loosing supporters. But the public deserve better than to be lied to with cover-ups and misinformation.
If any branch of the government has done something wrong, it's better that it comes out and can be debated, eventually to be voted on in public. Any other policy is borderline fascism.
It sounds like we agree then.
"Incidentally, you can get the post office to block some junk mail, but not the stuff that actually has your address on it."
I don't know about you, but I get tons of mail "to Lou Gosselin or resident". The bulk mailers do have my name and address, but I don't know how they get it. Needless to say, I never subscribed to this crap and it goes strait in the garbage. I'm not sure if I even have any legal rights in US to not receive bulk mail (like I do with spam).
If it wasn't for the odd mail from the DMV or IRS, I'd just replace the mailbox with an arrow pointing to the trash bin.
If you don't like the valentine's card, then don't buy it.
I don't want to be regulated by a censorship regime. When we leave the abodes of our homes, we should accept that we'll see things we don't like. It's our responsibility to avoid stores which don't share our values. We can complain to the manager, and if they agree, they can take it down voluntarily. If not, then stop supporting with cash. But to go crying to the government for imposing a national ban on everyone else's rights is absurd.
However, I gotta say the situation may be different when I receive unsolicited mail(*) to my door (or email), that's my home, and I should have the ultimate say on what's offensive. That the advertiser doesn't posses a means of printing a non-offensive version for me is not my problem.
* Of course I believe we should have the right to block unsolicited mail entirely. The amount of junk I get every week is unconscionable. But that's a different matter.
Generally speaking, on the windows side, drivers are expected to expose a standard Direct-X/Media interface, and any application using that interface can be hardware accelerated.
What I'm getting at is, that if an app is written to supports directx on one piece of hardware, it generally should work on another without alteration. On windows, it would be very bad practice to talk directly to the drivers outside of the standard interface except in very special cases.
"It wouldn't have been anything stopping Adobe from talking to the drivers directly. (Provided Nvidia helped them. Which they did on Windows any way.)."
I'll admit to being clueless about mac os internals, but you seem to imply that there is no standard for media acceleration which can be accessed without a proprietary driver interface. Is that true? In my opinion, an app developer should never need to "talk to the drivers directly".
If a standard accelerated interface exists and adobe is not using it, then yes that's their fault. However if there is no standard accelerated interface, or if it doesn't work on all hardware, then it's more apple's fault.
Now when we're talking "powerline networking", I'm assuming we're talking wide area networks, and not consumer home lan. Is this right?
Is this medium bi or unidirectional?
The thing about power lines is that, before reaching the home, all current is inductively transfered through step down transformers. Any signal which is to survive that gap would have to survive the EM conversion before being used in the home. It's a little shocking that regulators don't have the authority to regulate this interference simply because it's not supposed to be radio equipment in the first place.
The sooner we get end to end fiber, the better.
Trevor,
I cannot agree with your more on that last comment on banks.
The truth is, banking and charge cards are decades behind the technology. The visa/mastercard duopoly has stiffed innovation and held back consumer smart cards. All I keep hearing is that "real security is too complex for real people", but I'm of the opinion that it's not true. Secondly, even if it were true, why don't the banks offer secure more services to people who are security conscious? It all sounds like an excuse to remain complacent and stick to the status quo.
XSS is strictly a web server issue.
If website A has a form directed to website B, and that form has a text box. There is no reason that a user shouldn't be allowed to enter text resembling javascript or html in that text box.
The problem is when website B then goes on to dump that input verbatim to one or more uses without proper escaping.
A browser could apply heuristics to disallow javascript/html from being submitted in a post/get request, but technically there's nothing inherently wrong with it. A message board that accepts and validates html formatting would be broken.
Now about blocking third party scripting, I think it's a good idea, but a lot of sites break (as you mentioned, google affiliate sites, my bank, and many others). I disagree with built in white listing though, many small developers won't be lucky enough to make the cut. Why should a given script work for google & affiliates, but not for me?
XSS is a real problem, but I also think we need to crack down on another security breach which is just as common and frequently overlooked: third party javascript.
Many websites foolishly (deliberately) include third party scripts, such as google analytics, on their own webpages.
It may not occur to webmasters that technically they are giving the keys to all user credentials and contents to google. Google can snoop all traffic, forge requests, and intercept all fields.
We may analyze google's public javascript, to feel safer, but there's absolutely nothing to stop them targeting a specific ip for more invasive monitoring. Between search/embeded maps/analytics/adsense/doubleclick/etc, google has plenty of attack vectors using unseen javascripts.
It seems to me that tapes have been loosing ground to hard drives in recent times, both in terms of price and capacity.
I'm looking hastily on amazon for tape media (just the media).
The best price I can find is around $75/TB for "LTO 3 ULTRIUM 400GB".
On the other hand, I can find new drives for $47/TB.
Disks can be backed up to directly, whereas tapes may need another grand or more for a tape drive.
It looks like hard disks have an edge on tape prices. Is this right?
The characteristics of each are probably more important than the price anyways.
"If you use a stateless IPv6 ISP, which means it does not use DHCPv6...how does one know which IPv6 points to the local DNSv6 server?"
The answer is very simple, as I've already mentioned, use DHCP.
Ipv6 has an auto ip configuration option, but that doesn't eliminate the need to use "stateless DHCP" for other information.
Stateless DHCP is called this because it doesn't need to track ip addresses. This is not to say that there is no DHCP at all, that's the same mistake made by the OP.
Of course if you disable DHCP entirely, then you'll need to configure your network statically, but this will not be the norm.
"The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running."
This is registered to vmware. Of course it was wise not to temp fate, but had you provided an ip address, there are tools to profile the ip stack and reliably derive the operating system in use.
Firstly, DHCP is still used on ipv6 networks.
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-dhcp.html
Secondly, DNS is still needed to resolve names on ipv6 networks, regardless of how it gets configured in the first place (stateless or stateful dhcp mode).
"The ISP and carriers are starting to plan for IPv6. Once the address space is out, it is hard to attract new customers. So it is not a Catch-22."
Of course once the numbers are out, they'll have no choice put to stop issuing publicly addressable ipv4s, but I'm still right that an IPv4 endpoint cannot send a packet *directly* to a IPv6 one.
Despite your remarks, I don't think we actually disagree on this point, since you acknowledge the need for NAT.
"They will be using CGN and issuing new customers a private IP"
This of course comes with all the shortcomings of not being able to connect directly to people/devices behind the NAT or Proxy. People get around these shortcomings today on their own routers with port forwarding and UPNP. It is likely that ISPs are going to be reluctant to do this on their NAT routers. Therefor clients behind NAT will inevitably loose connectivity, particularly P2P (such as games, voip, bittorrent, etc).
Anyone solely on IPv6 will be at a loss until everyone else joins them. No reason to deny a catch 22 here.
"I question whether they are taking into account all the NAT (private) addresses out there."
We really do need more ip addresses.
Though it's been adopted out of necessity, NAT really does cause numerous headaches, breaks protocols, causes inefficiency. It was a stop gap measure while waiting for a real fix. Also, NAT should not be a replacement for a genuine firewall.
IP6 addresses the primary 32bit addressing issue, however it also introduces numerous other features whether or not we want them.
Article quotes:
"It means that everything you send or receive is labeled with your real MAC address and therefore if you were to do something naughty, like download copyrighted material, they would know"
I have wondered why the spec calls for such a personal identifier in every packet, especially as it's not necessary to make ip6 work. It lends a lot of weight behind the conspiracy theory that it was designed to track people. Given how easy it is to forge in practice, I would hope that it could never pass as "evidence".
"IPv6 gets rid of DHCP servers"
"there are no DNS servers."
Hmm, I suppose that neither of these are strictly necessary if you configure everything via static ip addresses. However these can both continue to play a role on ipv6 networks.
"It will continue to run IPv4 and te ISP's will be turning on IPv6 on them. When the ISP is out of IPv4 addresses, new customers will be getting IPv6 only."
The main problem (the reason we haven't upgraded sooner), is that ipv4 and ipv6 addresses cannot communicate directly with each other, period.
An ipv4 client cannot address an ipv6 server, and an ipv4 server cannot reply to an ipv6 client. This necessitates rather undesirable ipv4/6 proxy servers.
The loss of direct connectivity is a major stumbling block. Once major portions of the internet are version 6 only, then people will want ipv6 addresses, until then people will want/need ipv4 ones. Catch-22.
"I've always thought that having a /64 'host' block is a huge waste of space; hardwiring this host ID to a MAC address is infinitely stupid as well."
I'm glad that people upvoted your post, since it gives me a slight bit more confidence that in practice we will disregard the publicly routable mac address.
"They lost me when I couldn't find a free programming language to learn on windows back in 96. I've been told that had I looked harder I would have found something, but I didn't."
I believe that the excellent 32bit djgpp compiler for dos could compile windows apps too. The RHIDE editor was on par with the commercial offerings from Borland, but again this was console mode.
In my opinion these excellent 32bit dos tools had not been matched by windows tools (commercial or otherwise) for another 10 years.
I'm not sure if you've thought about this sufficiently. You wrongly assume that I just dismissed the quantum entanglement.
The claim I'm doubting is that the device will only work from a specific location.
If this were true, even the owner shouldn't be able to fake the location any more than a thief. However, what would stop someone from moving the crypto device, possibly putting a fake in it's place, then acting as a relay between the fake and original locations?
Obviously latencies can change, but as long as the device is moved closer to the other party and/or uses a more direct network, then artificial latency can be introduced to match the original. Even just a 5ms jitter can mean a 1000 mile discrepancy by the speed of light. To get 1 mile accuracy, the jitter has to be constrained to 0.005ms. So switched networks are clearly ruled out.
Even on complete circuit networks, there's still the problem that public networks are rarely "line of sight", the thief could almost certainly find a shorter path than the original. The resulting slack means that he can change locations without this being detected.
"The task of verifying a recipient's location involves sending the quantum equivalent of bits using a protocol that requires the receiver to respond to random challenges. The so-called no-cloning principle of quantum mechanics makes impossible for people elsewhere to provide the correct answer."
I'm obviously missing a key piece of info. What's to prevent someone responding to the random challenges from a physically different location?
The quantum bits, as I understand it, cannot be intercepted without modification by a man in the middle. However, by itself (without traditional authentication keys), a man in the middle is still possible when the impostor pretends to be both end points such that each end point is security connected to the impostor. The impostor can act as a relay, while snooping the traffic.
I guess we'll find out when this is presented, but it sounds like the claims in this article are a little off base.
...are the last organization on earth I would voluntarily choose for interoperability and standards. Microsoft are neither qualified nor impartial enough to be trusted with such an important responsibility.
That said, microsoft has a very large checkbook and powerful monopoly to help convey it's view.
"this is tyical and should have been expected. Oracle don't 'get it' - rather, they don't get IT (chuckle)... they are old dinosaurs"
All companies are expected by share holders to produce naturally unsustainable growth. People forget that ultimately, real growth is dependent on actual market growth. Once the market is saturated, that's it, further growth is necessarily at the expense of others and is therefor "zero gain". Oracle is unable to grow the market itself, but it has the wealth to buy a larger piece of the pie. This behavior is pretty much the norm these days.
Sun, despite having many intelligent people and many innovative initiatives, were not sufficiently ruthless and cutthroat to grow in a mature market. They were unable to survive on their own. For better or worse, we encourage corporations to buy each other out to produce monopolies and oligopolies rather than encourage an environment where smaller firms can thrive.
"Some argue that terrorists will simply move to better encryption systems and only the innocent will suffer, but that credits the terrorists with smarts they don't always possess."
Isn't this the case with most laws? Law abiding citizens are restricted and at times burdened by laws while law breakers can often do as they please as long as they're smart enough not to get caught.
Of course, laws should exist to protect people from actual violence and crime, but world governments these days are too eager to make crimes out of normal behavior. Where the hell did this entitlement come from?
In a democracy, some might argue that the people are responsible for their own governments. But that's only true to a point, since people generally don't vote directly on issues/laws. They vote on politicians who, out of logically substantiated concern over their political career, are influenced by entities not representing public interest.
"I don't know whether you think every Australian has access to a reliable connection with a minimum speed"
No, I wouldn't presume so, just saying the study didn't appear to take into account quality or reliability. Although point taken, averages aren't representative like medians.
"good quality ISP receive 24Mb/s, and there are cable subscribers in limited areas on 30Mb/s in this country"
Really? Wow I'm impressed, this speed is unheard of for residential cable users in the US.
Regarding the lack of access to competition, I can sympathize with that.
"shows the country ranked a dismal 50th place in the global broadband speed league with an average speed of 2.6Mbps, behind even New Zealand (42nd and 2.9Mbps)...Yes, it's that bad."
Well I think their distraught is a bit exaggerated. 2.6Mbps isn't too bad at all.
Until recently, on cablevision in the suburbs of NYC, we experienced irregular dropouts (0bps) for 15 minutes a day (I measured them), this lasted for a year before they fixed their lines.
I would have gladly taken a reliable 2Mbps over shoddy 5Mbps, but cablevision has a 100% broadband monopoly in the region.
Um, no they can't.
A browser is still an app, albeit one that is highly configurable at run time by specifying a URI.
I don't want apple or anybody else to have a monopoly on creating apps that run outside the browser.
As trendy as centralized HTML applications are these days, I don't believe the pendulum has completed swinging yet. Locally running apps are still king for performance (high performance cpu&rendering, no need for postback on every page). When the industry inevitably looks for the "next big thing", it will be local applications which can install and maintain themselves - perhaps just as easily as visiting a web site.
"Pearson has been involved in futurology for almost 20 years and claims to have been the first to come up with the idea of text messaging, a concept dismissed by engineers when he first suggested it."
The FCC approved one way pagers in the late 1950s.
http://inventors.about.com/od/pstartinventions/a/pager.htm
I kinda doubt he was the first to come up with the "idea" of two way mobile text messaging in 1990s. I'll be nice though and give him credit for predicting it's upcoming popularity.
"Archiving" means to copy not only the current file contents, but to retain a copy of the older contents as well. Mozy does not do archiving. A single backup is merely a snapshot of the current dataset. Note that this excludes data which has been deleted at the source.
Normal backup:
rsync -avr --del /$src/* /mnt/backups/
Not that one could remove the --del, however the backup will only contain the very last copy of a file, which could be corrupt on the source, therefor the backup may overwrite a clean version with a corrupt version.
True archive (with hardlinks to eliminate dups):
rsync -avr --link-dest=`ls /mnt/bacups/backup_* -1d|tail -n 1` /$src/* /mnt/backups/tmp/
mv /mnt/backups/tmp /mnt/backups/backup_`date +%Y-%m-%d`
The above technique is both simple and allows the admin to lookup the contents of a file any day in the past. For example, I could go to /mnt/backups/backup_2009-10-20/ and find a specific version of a file. Consider the difference with the following backup, which can only go back as many days as there are backup media.
Either technique can be used with as many backup media disks as desired.
One thing to notice is that the backup is itself already a second copy of the data, where as the archive is the only copy of the data for historical files.
As for the external drive backups.
I haven't read anything definitive from EMC or anyone else, but I speculate that the customers who are backing up external drives are doing so less than once a month, after Mozy has deleted their backup copy. Since mozy is not an archive, as explained previously, they delete any files not present at the source within a 30 day window. Therefor when the external drive is backed up again, the files need to be transfered again.
Their claim that the service is working as designed may be true, however if this is the case apparently many customers are unaware that Mozy deletes their data after the 30 day backup window.
"The person quoted is a general, he doesn't mean 'firewalls and making sure your PHP is safe' sort of defense, he is talking about the military meaning of the word"
Maybe that's what he meant, but either way anyone who is an authority on network security should apply the terminology as a network security specialist would. Metaphors between the physical and internet worlds are often fraught with error.
"Obviously, in cyberwarfare, allowing hackers to attack your site deliberately to 'kill' them as they do so isn't going to do anything."
I guess your talking about an immediate directed retaliation, but generally the hackers will have better defenses than their target. One could throw honeypots into the mix, which are designed to deter from real targets, and collect information about the attackers.
"The inherent geography of this domain – everything plays to the offense. There's almost nothing inherent in the domain that plays to the defense."
I'm not sure I get the premise, of course there are things that can be done to improve defenses, not that the government is doing them necessarily.
First of all, no critical systems should use unencrypted traffic, these should be secured through VPNs.
No critical systems should use security by obscurity, which is all too prevalent in proprietary control applications.
The entire network needs more redundancy, in particular critical services should not be in control of one entity (read "government" or organization) which could become infiltrated or compromised.
Software mono-cultures are devastating in the field due as they enable attacks which are massively scalable. Sourcing components from a single vendor should be discouraged.
Critical systems and security practices need to be audited by third parties.
The right time to build up defenses is now, before an incident occurs. However we know that motivation is rather unlikely until afterwards. Given this reality, it's important to have a plan on how to best react after the fact when preventable attacks are successful to minimize damage.
"Remember, all google were doing was recording network IDs."
Get the facts strait, they recorded entire packets. This is mostly what the controversy is about.
"or tell your router not to broadcast its SSID."
Technically, the broadcast is a public announcement about the AP, but apparently google recorded actual private traffic, which includes the SSID. Not broadcasting an SSID may change the legal status of connecting to the AP, it certainly doesn't stop the snoopers (like google) from sniffing it.
Micky1
"The MAC, SSID and GPS coords are NOT personally identifiable information. You cannot use them to find out who a person is without a 4th dataset that most people wont have access to (e.g ISP records)."
Like an IP, these may or may not identify a single "person". Never the less, it could still reveal the address of someone at a hotspot or hotel after their SSID has been recorded. With the scale of google's dataset, it's possible they could pull it off.
As for correlating the SSID to other accounts, this may be possible (for example) by capturing the user's traffic as they're connecting to email/google/theregister, and extract personal information that way.
Given how often IMAP/POP checks for email, it's very likely google captured some of these active sessions.
As evidenced by this report, obscurity is not security.
Open code review = more good guys looking at the code = fewer trivial vulnerabilities.
If the code cannot be made public, at the very least use proven cryptography. While we're at it, quit outsourcing all the jobs and hence all the expertise which is needed to develop robust products in the first place.
You're absolutely right that it's all about the money.
An $X loss is justifiable if it costs >$X to repair. But over time it generally makes sense to fix the leak. Considering that the banks haven't eliminating the biggest flaw in banking for several decades now, static CC numbers, it's readily apparent they don't think security is a priority.
That flowchart represents just about every dynamic mouseover menu I've ever coded, literally, line by line. I'm not in the ad business, but it's the same technique.
I can say I had the idea well before google, as I'm sure plenty more have well before me.
It's neither novel nor does it constitute more than a half hour of R&D. What benefit does the world get by granting this patent? Absolutely ridiculous.
It's all relative.
If an "intruder" is intentionally given access to the wireless access point which is bridged onto the lan, why should anyone expect more security than if the intruder had connected directly to the lan?
We should also report on how intruders can gain unauthorized access by plugging into unguarded ethernet ports.
Untrusted people should not be allowed on unauthenticated/trusted lans wireless or not.
I'm usually an advocate for all things open/unlocked, but medical devices may be a rare exception to that. Don't want patients flashing their own firmwares willy nilly, ha ha.
As for the open sourcing of the code base in the name of security, it makes sense. You wouldn't use proprietary voting machines to tabulate an election, would you? Err, scratch that.
Banks wouldn't trust your money to an unverified closed platform, would they? Oh, wait.
The military wouldn't use a closed source operating system to run it's battle ships would it, much less one with known vulnerabilities, right?? Ah it's hopeless.
"for H&S reasons, every single pair* of those glasses has to be washed after every performance"
If that were the case, at least that's understandable.
Here they're plastic, come individually wrapped and we're told to dispose of them in the trash after each performance (you'll have to pay for new ones anyways). It's totally wasteful, but what do they care if it increases profits?
At the nearby theater, they charge for the polarized glasses on top of the film price. However here the local movie theater would not sell just the ticket if we already had 3d glasses from a previous visit. We asked why, and they said that the studios don't allow them not to sell the glasses with each ticket.
What a scam! It's just a way to increase the admission price while continuing to advertise at a lower price.
Obviously the DMCA was rushed into law without due consideration. This is a big win for the people, but I have to wonder, what changed law maker's minds? The arguments for and against the DMCA are the same today as when it was instituded. Are the media companies falling out of favor with law makers?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
