Posts by Joe Montana

823 posts • joined 12 Mar 2007


Sysadmins: Why not simply verify there's no backdoor in every program you install, and thus avoid any cyber-drama?

Joe Montana

Segmentation...

Supply chain attacks can and will happen, you can't prevent this entirely without EXTREME cost but you can reduce the risks cost effectively by increasing segmentation.

Instead of having a big flat network with a single authentication domain where a single breach gets you a foothold and an attacker can easily escalate to take control of everything, you have every service segmented and partitioned off, with active monitoring on the interconnects.

You may not be able to prevent every attack, but you can hopefully detect an attack and keep the damage contained.

The Register just found 300-odd Itanium CPUs on eBay

Joe Montana

Re: Abandonware

I have a couple at home, bought a few years ago when linux distros and microsoft were still providing token support for it.

These machines are basically worthless now, but you have people who will continuously relist them on ebay for 50% of what they cost when new and wonder why they never sell.

A lot of companies will just junk the machines as scrap, or occasionally you'll find someone who wants to get rid of a whole pallet load of them for the cost of shipping.

China sets goal of running single-stack IPv6 network by 2030, orders upgrade blitz

Joe Montana

Re: Still not there...

The part about deleting forum posts, because as you see my reply (sent over ipv6) is still visible after 3 days, as are other posts I've made.

I'm not sure if he was implying that posts would be deleted manually, or if posts would fail entirely, but neither seems to be happening for me. If I don't access the site over ipv6, half the time it times out because the cgnat connection here is very flaky.

On another note, cloudflare ipv6 addresses are typically a hex encoding of the ipv4 address so very easy to work out. For fastly, akamai and some others there are usually multiple dns aliases which are with or without ipv6 so it's also quite easy to force ipv6 on.

Joe Montana

Re: Still not there...

Well if you can see this reply then it's simply not true.

I have native IPv6 connectivity, but IPv4 connectivity only through CGNAT because the ISP does not have enough IPv4 addresses for all their customers.

The IPv6 is fast and stable, while the CGNAT is overloaded, slow and unreliable. Consequently I force everything to use IPv6 whenever possible, and that includes synthesizing AAAA records for the common CDNs if they are not already published (very simple to do with cloudflare). I also have the ipvfoo extension so I can see which protocol is being used for any given site.

I am connected here over IPv6, and posting using IPv6.

Joe Montana

Re: Still not there...

Except they use Cloudflare, which supports IPv6 by default at no extra cost. They have explicitly turned it off by removing the DNS entry. The site is actually reachable via IPv6 using the address 2606:4700::6812:516 (try adding it to your hosts file). All Cloudflare sites are reachable like this, the IPv6 address will be 2606:4700:: followed by the IPv4 address encoded as hex.

IPv6 is actually cheaper than IPv4, because the addresses are more plentiful. Some providers charge less for IPv6-only access as it costs them less to provide. If you're using cloudflare as the frontend to your site then you can benefit from hosting the backend on an IPv6-only host:

Cloudflare handles the costs of IPv4 and hassles of dual stack, you don't need to worry about it and legacy users can still reach your site.

Your IPv6-only server won't be subject to constant scans and other background noise that plagues the legacy IPv4 internet.

You save money by not having to pay for an IPv4 address - a scarce and therefore expensive resource.

I run several sites like this, Cloudflare for the frontend, backend IPv6-only.
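The address encoding described in the posts above (2606:4700:: followed by the site's IPv4 address as hex) is simple enough to automate, which is what "synthesizing AAAA records" for Cloudflare-fronted sites amounts to. The following is an added example, not code from the original posts or from Cloudflare; it assumes only the encoding the posts state and applies it to a constructed A-record table. The host name and the hooking of the result into a real resolver are placeholders, and the encoding says nothing about hosts fronted by other CDNs, so the decoder refuses addresses outside the stated prefix rather than guessing.

```python
from __future__ import annotations

import ipaddress

# Stated in the posts above: Cloudflare IPv6 addresses are 2606:4700::
# followed by the site's IPv4 address encoded as hex (low 32 bits).
CLOUDFLARE_V6_PREFIX = ipaddress.IPv6Address("2606:4700::")


def cloudflare_v6_for(ipv4: str) -> str:
    """Map a Cloudflare-fronted site's IPv4 address to its IPv6 twin.

    The four IPv4 octets become the low 32 bits under 2606:4700::/32, so
    104.18.5.22 (0x68 0x12 0x05 0x16) becomes 2606:4700::6812:516.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(CLOUDFLARE_V6_PREFIX) | int(v4)))


def is_cloudflare_v6(ipv6: str) -> bool:
    """True when the top 96 bits match 2606:4700:: exactly (the middle 64 bits are zero)."""
    return int(ipaddress.IPv6Address(ipv6)) >> 32 == int(CLOUDFLARE_V6_PREFIX) >> 32


def cloudflare_v4_for(ipv6: str) -> str:
    """Reverse the encoding, useful for checking a published AAAA against the A record."""
    if not is_cloudflare_v6(ipv6):
        raise ValueError(f"{ipv6} does not follow the 2606:4700:: encoding")
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF))


def synthesize_aaaa(a_records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Build AAAA-style entries (host -> IPv6 list) from A records.

    Only feed this hosts you have verified are Cloudflare-fronted; for anything
    else the synthesized address simply will not answer.
    """
    return {host: [cloudflare_v6_for(a) for a in addrs] for host, addrs in a_records.items()}


def hosts_file_lines(a_records: dict[str, list[str]]) -> list[str]:
    """Render hosts(5) lines, the quick manual route the post suggests."""
    return [f"{v6} {host}" for host, v6s in synthesize_aaaa(a_records).items() for v6 in v6s]


# Constructed sample (placeholder host name): the post's example address
# 2606:4700::6812:516 decodes to 104.18.5.22.
SAMPLE_A_RECORDS = {"example.invalid": ["104.18.5.22"]}

if __name__ == "__main__":
    for line in hosts_file_lines(SAMPLE_A_RECORDS):
        print(line)
```

Before trusting a synthesized address, round-trip it with cloudflare_v4_for and compare against the A record actually served; a mismatch means the host is not following the encoding and the entry should not be added.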

Joe Montana

Re: possible?

It's not an issue for a number of reasons:

1) IPv6 makes it *possible* to give every device its own address *at a reasonable cost*. There is no reason you can't do this with IPv4 too, it's just prohibitively expensive and so not commonly done. And there is also nothing actually forcing you to do this with IPv6 - you simply have the option to. People configure IPv6 without NAT not because IPv6 doesn't support NAT, but because they explicitly want to get away from NAT because it's simply a bad thing. You're complaining that a new car doesn't come with a roll of duct tape to hold the doors on, when it has doors that stay closed on their own.

2) NAT doesn't provide firewalling, NAT requires a stateful firewall but a stateful firewall does not require NAT.

3) All of the IPv6 capable home routers I'm aware of do not allow unsolicited inbound connections by default.

4) Protocols like UPNP exist which allow devices inside the network to open arbitrary ports through the firewall - this works on IPv4 too, and is worse on IPv4 (see 5).

5) IPv6 address space is vast, assuming you do leave something open either intentionally or unwittingly (see 4) the chances of it being discovered by an attacker are extremely small. Attackers routinely scan the entire IPv4 address space so anything left open will be found very quickly and exploited if vulnerable, this simply won't happen on IPv6 because it's not practical to do.

6) Modern windows devices (and mobile devices, and other operating systems) simply don't have as many vulnerable network listening services by default as they used to. Windows for instance now comes with a software firewall which blocks unsolicited connections by default. It's not like the early days when MSRPC and SMB were exposed by default.

7) You are putting your device at risk of attack every time you connect to a public wifi network (users on the same network will be able to connect to any services you leave open), but (see: 6) modern software is simply a lot less vulnerable to this kind of attack than it was. Public wifi is everywhere now, and used by millions of people every day.

The fact that phone networks are more likely to be using IPv6 is because phone networks are newer and have many more users, so they don't have enough IPv4 addresses to provide one to every potential user. Mobile services almost always put you behind CGNAT which causes all manner of problems and costs the operators a fortune to run.

This kind of ignorance is very damaging to progress.

Joe Montana

Re: Static IP addresses

You are thinking of EUI-64, where the IPv6 address is derived from the MAC address. This is optional, and not the default on most systems these days.

Most end user systems pick a random address at install time (of the network driver), which will be the "stable" address of your machine that you can use if you want to make inbound connections to it.

They will then pick random addresses to use for outbound connections, and rotate them periodically (24 hours by default) so that remote sites will see random addresses within your /64.

ISPs often allocate dynamic addresses, so a single /64 becomes no more trackable than a dynamic IPv4 address was. The ISP knows who it is, but the external sites you access don't, they can only tell that you're a customer of that ISP.

NAT doesn't make anything less trackable, quite the contrary. If the ISP provides you routable addresses they can just log who was allocated the address when and leave it at that. If a court orders them to hand over customer information, they do so.

With NAT the address could be multiple users, so the ISP is compelled to log a _LOT_ more traffic. They basically have to log every state - every TCP connection you make, every UDP flow, every ICMP packet you send etc, and retain this data for as long as the law requires. This gets very expensive very fast, and leaves the ISP with a huge amount of data. Once they have this data, they will seek ways to recover some of the cost, so monetising it and selling the data to advertisers or other such parties becomes an obvious thing to do since they have the data anyway.

Joe Montana

Re: At least they won't have to worry about international payment security

It's worse than that, if you put in a site name eg "www.google.com" into the vast majority of scanners they will pick one IPv4 address to scan at random even if the site address resolves to multiple addresses (eg load balancing round robin dns).

If you have multiple IPv4 addresses, they will be totally ignored.

If you have IPv6, it will be totally ignored.

Security scanners typically report "by exception", so if there are no issues raised in the report you assume they are not present. No suggestion is made anywhere that issues are not present because not all of the target addresses were actually scanned.

India appoints ‘IP Guru’ to push nation towards IPv6

Joe Montana

Re: Time to give up on IPv6?

According to the APNIC stats, IPv6 adoption is around 75% of all users in India:

https://stats.labs.apnic.net/ipv6/IN

And today's article shows the government is pushing to get that closer to 100%, because IPv4 is a broken and dangerous legacy technology that they want to avoid the cost and inconvenience of.

If billions of people in India can manage to use IPv6 but you can't, that says more about you than about IPv6 itself.

Joe Montana

Re: About time

CGNAT is only for legacy IPv4 services, any service you migrate to IPv6 is no longer encumbered by CGNAT. It's the same on most mobile networks, IPv6 gives you proper two way connectivity with routable addresses while IPv4 puts you behind CGNAT and breaks stuff.

Adobe Illustrator's open source rival Inkscape delivers v1.0.1 - with experimental Scribus PDF export

Joe Montana

Re: Yup, buy it once

Let's hope you never use these programs to open files sent to you by third parties, because software this old is probably full of unpatched security holes that you can't do anything about.

Joe Montana

Re: a fun, relevant read

Misuse of cups...

If you enable network printer sharing on the host which has the printer physically connected (and obviously sharing wouldn't be enabled by default because this is easily abused), then all other devices on the same segment also running cups should automatically see the printer and let you choose it as a print destination without needing to configure anything whatsoever.

Gartner on cloud contenders: AWS fails to lower its prices, Microsoft 'cannot guarantee capacity', Google has 'devastating' network outages

Joe Montana

Re: Gartner in the title of the article...

It's not random speculation, it's paid propaganda.

In 2011 gartner "predicted" that windows phone would leap ahead of iOS in market share by 2015...

Back in 2003 they said that windows mobile would dominate the smartphone market.

Microsoft paid gartner a lot of money for this marketing..

There are some people who actually consider gartner reports to be worth something, and this did result in a few companies standardising on microsoft mobile devices for a time based on reading the gartner reports - only to be forced to quickly move to android or ios devices when the devices they were using got dropped.

They don't actually use or test the products/services they write about, information published by gartner is supplied by the vendors themselves - ie it's "best case" marketing material and doesn't reflect real world experience where advertised functionality is almost never as good as the marketing literature claims it to be.

At most what they do, is compare the claimed feature sets of vendors... Only many vendors will exaggerate their claims, they may have features X Y and Z on paper but that doesn't mean you as a potential customer would need or want those features, nor does it mean that they actually perform as expected.

When it comes to choosing products or services, there really is no substitute for actual experience. There are people who have used a product extensively and know its individual strengths and weaknesses. Every product/service has its own strengths and weaknesses, but which set is best for your individual use case can vary massively.

On another note, why should AWS lower prices so long as people are still buying? Their cost of supplying the service may decrease but they have no reason to pass that saving on to the customer. This is how capitalism works, companies will gouge their customers whenever they are able to.

Amiga Fast File System makes minor comeback in new Linux kernel

Joe Montana

Not just directory of the OS, you could actually load a copy of the driver into the partition table itself, so it could boot from a totally alien filesystem...

You could also load corrupted drivers there, which would cause the system to crash as soon as it read the partition table (ie before boot). Only way to recover was to take the drive to a non amiga and delete the offending data.

Anyone else noticed that the top countries for broadband speeds are well-known tax havens? No? Just us then?

Joe Montana

Re: no mention of IPv6?

You can, it's called NAT64 and several mobile operators already work this way, such as t-mobile usa.

Many other providers also run dual stack, where you have both protocols at once so you can still access both.

Most users do not actually have proper ipv4 these days anyway, they are behind nat and in many cases don't control the gateway. At least with ipv6 you get a proper internet connection that's under your control.

Joe Montana

Re: no mention of IPv6?

Lack of ipv6 is one of the biggest reasons why connections in developing countries are poor... Sharing a small handful of ipv4 addresses with thousands of customers, overloaded and highly expensive nat gateways, no inbound connections, ip blacklisting hitting thousands of customers at once etc.

Delaying the rollout of ipv6 allows incumbent providers with large allocations of ipv4 to raise the barrier of entry, making it much more expensive for any new provider to offer service.

Joe Montana

Re: Lies... Damn Lies...

These speed checker sites are pretty useless...

Some ISPs prioritise traffic to speedtest sites to make themselves look better.

Some speedtest sites are hosted on 1gbps or 100mbps links etc, which may be shared with other functions. Your line may actually have more spare capacity than the site, making it the bottleneck.

Just because a speedtest site is located locally to you, doesn't mean the routing is direct. You may be in lancashire, but your isp might have a lot of peering links in london, so traffic from you to preston or sheffield might go via london and back which could result in latency similar to amsterdam.

Performance will often be better over ipv6, but many speedtests don't support it (or don't declare what protocol they use), but real world traffic will prefer ipv6 whenever it's available.

Your network performance to an arbitrary speed test site is not important. What matters is connectivity performance to things you actually use. How much of what you routinely access is located near you? I bet most things you interact with are hosted in london or abroad.

Joe Montana

Other factors

Most of these tax havens are small, affluent and densely populated. You don't have to lay miles of cables past houses containing only one potential customer, you lay short runs to large apartment blocks containing many potential customers. The economics are very favourable.

Developing countries have different problems... Laying fibre is usually cheap because there are few or no regulations. It's not necessary to dig up the street, obtain permits or ensure the installation is tidy. Instead, fibre will just be strung up on poles leaving very unsightly bundles of wires along the streets. It would be extremely easy to have multi gigabit networks spanning most cities in developing countries.

Where this all falls down however, is the fact that ipv4 was never designed for such a large network and most of the available ip addresses are already allocated to developed countries leaving only scraps for new providers. Whereas in the uk you will typically get your own ipv4 address at home, in developing countries a single address could be shared with thousands of other customers using carrier grade nat.

Implementing CGN is expensive, and causes a lot of extra cost for these providers - costs which providers in developed countries don't have.

These CGN gateways are often overloaded, and are usually the single biggest cause of poor performance.

The use of CGN also prevents p2p protocols from working, yet countries like these are the ideal candidates for p2p downloads. If every user is on fibre, there is no reason that local traffic couldn't flow at multi gigabit speeds - however as none of them have public routable addresses, they can only make outbound connections to peers able to receive inbound connections. All of those peers will usually be located in foreign countries, significantly reducing throughput and increasing load on the international links and cgn gateways.

The difference is very noticeable on the few providers in developing countries who have implemented ipv6... While ipv4 traffic might grind to a halt at peak times, ipv6 is much faster and you can connect to your neighbours over ipv6 at high speed.

UK govt: It's time to get staff back into the office! Capita: Hey everyone... about that...

Joe Montana

Re: Isnt that good?

As you say, it's likely to only be a temporary restructuring...

People will still eat, producers of foods aren't going to be affected at all by you eating in a different location. Entertainment venues will spread out as there's no reason you can't go out near where you live instead of near where you work. The other advantage is that going out near your residence makes it easy to walk home, less temptation for drink driving to avoid expensive late night taxi rides.

There is a severe shortage of housing in the uk, and everyone having both a home and a workplace is a terribly inefficient use of space. Repurposing a lot of office space into residential will lead to more efficient use of the space.

The student housing is likely to decrease if more people study remotely too.

Heating you only need during the winter, and keeping your home at a reasonable temperature 24/7 probably won't cost that much more than letting it go cold during the day and then heating it back up in the evening. Aside from this, everyone's temperature preference is different - it's common for people to find the temperature of their workplaces uncomfortable, at home you can have a temperature which suits you.

Chromium devs want the browser to talk to devices, computers directly via TCP, UDP. Obviously, nothing can go wrong

Joe Montana

Short sighted hate.

There seems to be a lot of hate for this feature, and on the surface it sounds potentially very dangerous... But think of the bigger picture?

The ability to open arbitrary sockets is likely to be tightly controlled, no browser is going to allow sites to open arbitrary sockets by default, and it's going to require users to explicitly accept the opening of sockets.

If users want to explicitly allow arbitrary sockets they can already do this, but they do so through things like java applets or even downloading and running an arbitrary binary. By doing this, not only can the code open arbitrary sockets - it can do A LOT WORSE TOO.

For cases where there is a legitimate need to connect over an arbitrary socket connection, having the client software running in the browser sandbox is an improvement on the status quo. Not only is the software sandboxed, but it allows legitimate use cases to work in this way instead of encouraging more dangerous behaviour like running random native executables.

The less need there is for native executables, the less likely users will be willing to run such executables.

It's also going to be possible to turn this functionality off entirely or restrict it by policy, if you're in an environment where such features are never required.

Overall this is an improvement to security.

Joe Montana

Re: It was nice while it lasted

Why would you want to do that? Keeping bank branches open and widespread enough to be useful is extremely expensive... This cost has to be paid for, by the customers using the services (ie YOU).

Setting up a network of bank branches widespread enough to be useful is extremely expensive, this creates a significant barrier of entry and pretty much ensures that the incumbent banks will have no new competition...

Metro bank launched in 2010, they were the first new high street bank in the uk in 150 years, they only have a presence in some limited areas and required a HUGE investment for this.

All of the recent innovations in banking have been introduced by new players, the vast majority of which are branchless.

The larger the barriers to entry, the more you stifle innovation.

Joe Montana

Re: It was nice while it lasted

The need to have a widespread physical presence also ensures that new competitors won't enter the market (it's extremely costly to open thousands of branches). That's why the same banks have been screwing their customers for years with no new competitors until recently.

In the last few years it's become more acceptable to have an online-only banking service, and this has resulted in lots of new services popping up with many advantages compared to legacy banks. We have faster/cheaper transfers (including international), forex with better rates and lower fees, 24/7 service etc etc.

Also those branches are extremely expensive to operate, the operation costs are paid for by you and other customers.

I don't want to go back to the days of physical branches, small cartel of providers with no competition etc.

Joe Montana

Re: It was nice while it lasted

The US banking system is still years behind europe.. They expect you to make some random scrawl on a piece of paper instead of entering a pin when paying with a card etc.

Trucking hell: Kid leaves dad in monster debt after buying oversized vehicle on eBay

Joe Montana

Re: Unlikely story

What's wrong with spending that much on a card? If you're going to be spending anyway, why not do so on a card that gives you some kind of benefits like cashback or airmiles etc? Better than spending the same amount on a debit card or with cash where you'll get absolutely nothing back.

Before covid I used to travel a lot for work, that would routinely involve multiple long-haul flights, several weeks in hotels, food, car rentals etc. This all adds up and can take a significant chunk out of a credit limit. So long as the company reimburses the expenses before the card payment is due you're never out of pocket. Plus with some cards you will get a small percentage back which is basically free since the company reimburses the actual expenses anyway.

Joe Montana

Re: As far as eBay and PayPal are concerned

If the purchase was made by someone other than the owner of the account, then it was either:

A) authorised by the owner, in which case the account owner is liable for the purchase.

B) not authorised by the owner, in which case the actual purchaser is guilty of unauthorised access to the account. In which case you can report their crime to the police and it may be covered by the bank/card issuer using fraud protection. The bank will want to pursue the criminal however in an attempt to recover the costs.

Joe Montana

Where's the proof that the purchase was actually made by the minor?

What's to stop anyone with kids from claiming that their kid made any purchase they might want to cancel?

CREST exam cheat-sheet scandal: New temp chairman at UK infosec body as lawyers and ex-copper get involved

Joe Montana

Re: Having to sign an NDA

There are many things to weigh up when offering a certification...

They want to make it repeatable and fair, if there is too much variation you will have people complaining that they got a harder set of questions than others.

The shortness of the exam is also a concern for some, none of it is especially difficult but people often lose time and fail to gain enough marks who would have passed if given a bit more time / less pressure. This teaches you to cut corners to get it done in the time, something you shouldn't really be doing in the real world.

The old CHECK model had the examiners mirroring your screen and watching what you did while discussing your progress as you went along, this was in some ways better as it gave them a good feel for the skill level of the candidate and someone who had been briefed how to complete the specific challenges but lacked in general skills had a chance of being caught out. On the other hand, people would complain it's too subjective and down to the whims of the examiners on the day.

Joe Montana

Re: Very very annoying...

I'm in the same boat as you, have done several CREST certs while working at smaller companies not affiliated with NCC or the other large players. I managed to pass, yet the companies have also put forward other candidates who have failed. None of us were asked to divulge information from our tests either. Had we done so, the pass rate would probably have been higher.

We've heard some made-up stories but this is ridiculous: Microsoft Flight Simulator, Bing erect huge skyscraper out of bad data

Joe Montana

Re: Roof

The concorde simulator was like that too:

https://www.heritageconcorde.com/concorde-simulators

Google extends homeworking until this time next year – as Microsoft finds WFH is terrific... for Microsoft

Joe Montana

Well for the price of a crappy freezing house share in london, you could get a reasonable apartment or even a full house somewhere else in the country. If you're working from home you have the opportunity to move out of london and go somewhere cheaper.

Joe Montana

Self Control

You need self control, but flexibility is a good thing...

The 4 hours extra of working a week, can be offset by the reduced time wasted commuting. I've worked in jobs where commuting wasted 10 hours a week, so spending 4 of those working and 6 of them relaxing is a win for both sides, and helps justify the idea to the company.

In terms of working weekends and evenings we should take a flexible approach...

I'm happy to work some evenings and weekends if I have nothing better to do (which is frequently lately, as many of the places I could go to are closed) providing I get something in return - either the ability to take off an equivalent number of hours at times I would otherwise be working, or get paid for the extra time.

I've been working from home for quite some time, and will frequently take a few hours off during a weekday if work is quiet, and then work an equivalent number of hours in an evening or weekend. I complete timesheets for the hours I worked, and aim to balance them out so that I stick to my contracted hours per week on average.

Work often isn't 9-5 anyway, dealing with people in different timezones, encountering delays or having to wait for things etc. If I was in an office I might be sat twiddling my thumbs while I wait for something, if I'm at home I can clock off and go do something else for a couple of hours and then resume work later.

Networking boffins detect wide abuse of IPv4 addresses bought on secondary market

Joe Montana

Re: Interesting market effects

Setup of new v6 networks is already easier than v4, you don't need to worry about nat, or address conflicts, or conservation of limited address space etc.

Companies like microsoft and facebook are entirely ipv6 internally, with border devices that can proxy traffic to legacy ip for when they have to communicate with outdated third parties.

Four years after swallowing Arm Holdings, SoftBank said to be mulling Brit chip biz sale

Joe Montana

Greed

The ARM people are not stupid, they have priced the royalty rates where they are for a reason...

If they start cranking them up, a lot of customers would leave and move to other architectures - MIPS, RISC-V or POWER etc. Most embedded devices are not tied to any particular architecture, Linux runs on everything and the firmware is generally rebuilt for each new device anyway so their customers are generally not locked in.

Detroit Police make second wrongful facial-recog arrest when another man is misidentified by software

Joe Montana

No, because racism is not the issue here.

Faulty software and incompetent/lazy cops are the issue at hand.

Trying to blame racism when there is no evidence of that is creating unnecessary divisions in society, and diverting attention away from the actual issue being raised.

Joe Montana

Re: Fella?

It's not so much the software that's at fault, what's at fault is officers trusting its results blindly. The software is a tool, and all it can do is reduce the number of photos that you need to check manually. You still need to do the actual detective work.

This guy needs to sue for wrongful arrest. If the costs start stacking up they will have an incentive to improve officer training and deal with incompetent/lazy officers. If you don't hit them in the budget, nothing will change.

Linus Torvalds banishes masters, slaves and blacklists from the Linux kernel, starting now

Joe Montana

Re: Lovely.

The term "blocklist" might refer to "a list of things to be blocked", or it might refer to "a list of blocks" for instance in a filesystem.

And how do we specify a list of blocks that are to be blocked?

IBM job ad calls for 12 years’ experience with Kubernetes – which is six years old

Joe Montana

Windows 2000

I recall jobs asking for 5 years Windows 2000 experience, in 2000/2001... This is even more stupid, since the very name "Windows 2000" gives a clue as to how old it is...

I was screwed over by Cisco managers who enforced India's caste hierarchy on me in US HQ, claims engineer

Joe Montana

Protecting culture...

On the one hand we're constantly being told to protect and respect different cultures...

And yet it's the indian culture which has this caste system and has resulted in this discrimination. It is his indian colleagues who are discriminating, non indians probably wouldn't even be aware what caste he was from or what the traditional relationships between them are.

Some aspects of cultures like these are simply incompatible with the ideas of equality expected in western societies, but the idea of forcing others to change their culture in order to be compatible is also supposed to be bad, and people get accused of racism for expecting immigrants to adapt to a new way of doing things.

ZFS co-creator boots 'slave' out of OpenZFS codebase, says 'casual use' of term is 'unnecessary reference to a painful experience'

Joe Montana

What "painful experience" ?

I doubt any of the people complaining about this have ever experienced slavery, and have only read about it in history books or news articles.

Keepnet kerfuffle: Firing legal threats at bloggers did infosec biz more damage than its exposed database

Joe Montana

"We then store this data in our own secure Elasticsearch database"

This statement has proven to be false, their database was demonstrated to not be secure.

If all it contained was a mirror of already-public data then no one would have cared anyway.

Also what is it with hiding known insecure services behind a firewall? The service should have been configured to use a secure form of authentication first, and then placed behind a firewall as a second layer. If one layer still fails you still have others.

MacOS on Arm talk intensifies: Just weeks from now, Apple to serve up quarantini with Kalamata golive, reportedly

Joe Montana

I also recall the m68k to PPC transition...

A lot of software and even key parts of the OS remained 68k code for quite a long time.

Apple stopped making 68k machines at, I believe, the 33mhz 68040, and transitioned to the 50mhz PPC601.

The early PPC machines were often slower than the high end 68k machines because of the emulation overhead.

For software that was 68k only, running a Mac emulator on a 68060 Amiga was at one point faster than any real Mac.

The 68060 itself was fairly competitive with the 601 even running native code.

Joe Montana

There are some pretty powerful SIMD options available for ARM too...

There's even an ARM based supercomputer:

https://en.wikipedia.org/wiki/Fugaku_(supercomputer)

And with the lower power usage of ARM, they could clock higher or add more cores while keeping in the same power/heat budget.

GPUs are also good at a lot of the things that SIMD instruction sets are used for.

It could be 'five to ten years' before the world finally drags itself away from IPv4

Joe Montana

"It's OK for me so I don't care about anyone else"

In developed countries you still get your own IPv4 address when you sign up for home internet...

In developing countries this is not the case; you are stuck behind CGN and have a second-class connection. You are an outside viewer; you are not part of the internet. Not to mention the performance overhead and extra cost caused by this setup.

Getting new IPv4 allocations is difficult and expensive, and developing countries are not exactly flush with cash.

Many popular sites and services on the internet started out as a hobby; if getting an externally addressable connection is difficult or expensive, this innovation goes away too.

Until IPv6 takes over, IPv4 will continue to stifle developing countries and will continue to stifle the development of new services.

Joe Montana

Re: Doomed to eternal limbo

IPv6 is less complicated than IPv4, and NAT is one of those things that makes it so. Your devices have multiple addresses, and you have the added complexity of correlating them. Then on a network of any size with interconnects you have to worry about address overlaps.

NAT does break things. Many protocols have been redesigned to work with NAT, often losing features or performance in the process, and many NAT implementations have specific kludges for certain protocols (e.g. FTP) that can be abused for malicious purposes. Having a single NAT gateway under your control is also nowhere near as bad as one provided by the ISP that you have no control over, or multiple layers of NAT.

NAT turns the internet into a client-server model instead of a peer-to-peer model... Communications protocols were designed to connect users directly together (e.g. the original ICQ, the DCC features of IRC, etc.); nowadays, since users can't connect to each other directly, all communication takes place through a third-party server, which decreases performance and reduces security/privacy.

Joe Montana

Re: Doomed to eternal limbo

Using IPv4 addresses with AWS and similar providers has problems...

With AWS at least, all IPv4 traffic is NATed and IPv6 traffic is not; some protocols don't like this.

Also, IPv4 addresses are recycled whereas IPv6 addresses are not. If you shut down an IPv4 instance you have to make sure anything that was pointing to it (firewall rules, DNS records, static configurations, etc.) has also been cleaned up, otherwise you could have a security breach when someone else is allocated the same address. For an example of malicious activity taking advantage of this, read the recent story about Houseparty posted here a couple of weeks back.

Man responsible for least popular iteration of Windows UI uses iPad Pro as a desktop*

Joe Montana

Re: in Sinofsky's defence - is iPad Pro + iPadOS heading towards achieving the Windows 8 vision...?

// The security landscape is getting worse. The app security model for WIN32 and macOS was never designed for such a hostile security landscape. Mobile app models (secure sandbox; limitations; app store; automated updates; etc) are better suited to this.

This is the key point.

Traditional operating systems were designed by and for geeks. They are complex tools that require knowledge and experience to operate correctly.

They are kit cars, whereas an iPad is a ready-to-drive vehicle. You won't get the same performance or flexibility, but you will be able to drive to work or the shops without any hassle, and that's what matters.

Fully featured computers have always been a niche product aimed at specialist use cases and only ended up being used by the masses because actual consumer oriented products were not available yet.

TCL 10L: Remember the white goods flinger that had a licence to make BlackBerrys? It made a new own-name phone

Joe Montana

Re: Tickle?

It's an acronym with no vowels; it can't be pronounced, you simply say the letters: T C L.

https://www.youtube.com/watch?v=5QBHukn8Qm8

Linus Torvalds drops Intel and adopts 32-core AMD Ryzen Threadripper on personal PC

Joe Montana

Actually the OS most often used with Linus' kernel is probably Android, followed by BusyBox...

Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Joe Montana

Re: Use of SMBv1 for XP compat may be at the core

Encryption is not the reason to deprecate SMBv1... SMBv2 doesn't implement encryption either, and it's optional for newer versions of SMBv3.

The problem is the inherent complexity and age of the protocol, with SMBv2/v3 being much cleaner and simpler.

However, they are also not without problems: on Windows the protocol is deeply embedded into the OS and runs with a high privilege level, the protocol allows a lot more than just file sharing, and there are still weaknesses with the authentication system, especially NTLM.

Houseparty denied it had been hacked... while miscreants were abusing its dot-com domain name infrastructure

Joe Montana

Address recycling

Yet another reason why we need IPv6...

IPv4 addresses on AWS and other such platforms need to be recycled because there's a shortage of them; if a machine gets killed and they don't remove the DNS records then someone else will soon inherit them. The address allocations are also random and spread all over the address space AWS owns, so if you're trying to add firewall rules, or determine what the traffic is from a packet capture or logs, it's painful.

IPv6 allocations are based on blocks per customer, so Houseparty will be allocated a large block by AWS and all of their allocations will come from that. If they drop a machine then the address goes dead and won't be allocated to a different customer, as it still belongs to Houseparty.

Another good example of this absolute mess is Zoom:

https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom

75 separate, spread-out IPv4 blocks that belong to AWS (and does Zoom even control all the addresses in those blocks?), or a single IPv6 block that belongs exclusively to Zoom... I know which I'd rather use for monitoring and firewall rule purposes.
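The address-recycling risk raised in this post, and in the AWS reply under "Doomed to eternal limbo" above, can be checked for mechanically from the defender's side: walk the zone and flag any A/AAAA record whose target no longer lies inside a prefix the organisation currently holds. The script below is an added example, not code from the posts or from AWS, Houseparty or Zoom. It assumes constructed sample data only (documentation prefixes under 2001:db8::/32, 203.0.113.0/24 and 198.51.100.0/24, made-up hostnames under example.test) and uses the standard library's `ipaddress.collapse_addresses` to show the second point of the post, that one customer-owned IPv6 block needs far fewer firewall rules than scattered IPv4 blocks.

```python
"""Dangling DNS record check plus a firewall-rule count comparison.

Added example with constructed sample data; it does not query any real DNS or
cloud API. A real deployment would feed `find_dangling` the exported zone and
the list of prefixes/addresses the organisation still holds.
"""
import ipaddress
from collections import defaultdict

# Constructed: prefixes the organisation currently holds. With IPv6 the whole
# block stays with the customer; with IPv4 only the specific addresses that
# are still attached to a live instance count as "ours".
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2001:db8:1234::/48",   # our IPv6 block from the provider (constructed)
    "203.0.113.10/32",      # IPv4 address of a live instance (constructed)
    "203.0.113.44/32",      # IPv4 address of a live instance (constructed)
)]

# Constructed zone export: (name, rrtype, value).
ZONE = [
    ("api.example.test",       "A",     "203.0.113.10"),
    ("old-build.example.test", "A",     "203.0.113.77"),      # instance gone
    ("api.example.test",       "AAAA",  "2001:db8:1234:1::10"),
    ("mail.example.test",      "AAAA",  "2001:db8:ffff::5"),  # outside our /48
    ("www.example.test",       "CNAME", "api.example.test"),
]


def is_owned(value, prefixes=OWNED_PREFIXES):
    """True if `value` is an IP address inside one of the prefixes we hold."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:          # not an address (e.g. a CNAME target)
        return False
    return any(ip in net for net in prefixes)


def find_dangling(zone, prefixes=OWNED_PREFIXES):
    """Return the A/AAAA records whose target is not an address we still hold.

    For recycled IPv4 addresses such a record can be inherited by whoever is
    allocated the address next; for IPv6 it usually means a typo or a record
    left over from a different provider.
    """
    return [rec for rec in zone
            if rec[1] in ("A", "AAAA") and not is_owned(rec[2], prefixes)]


def minimal_rules(prefix_strings):
    """Collapse a list of prefixes into the fewest covering prefixes per family.

    Returns {4: [...], 6: [...]} as strings, i.e. the number of firewall rules
    actually needed for each address family.
    """
    by_version = defaultdict(list)
    for p in prefix_strings:
        net = ipaddress.ip_network(p)
        by_version[net.version].append(net)
    return {v: [str(n) for n in ipaddress.collapse_addresses(nets)]
            for v, nets in by_version.items()}


if __name__ == "__main__":
    for name, rrtype, value in find_dangling(ZONE):
        print(f"DANGLING {rrtype:<4} {name} -> {value}")

    # Constructed provider ranges: three scattered IPv4 blocks vs one IPv6 block.
    rules = minimal_rules(["198.51.100.0/26", "198.51.100.64/26",
                           "203.0.113.0/24", "2001:db8:abcd::/48"])
    for version, nets in sorted(rules.items()):
        print(f"IPv{version}: {len(nets)} rule(s): {', '.join(nets)}")
```

Run against a real zone export, the dangling list is the clean-up queue the post describes; anything still pointing at a released IPv4 address should be removed before the address is reissued to another tenant. The IPv6 side of `minimal_rules` also illustrates why a per-customer block is easier to monitor: one prefix covers every address the customer will ever be given.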


Biting the hand that feeds IT © 1998–2021