* Posts by B Candler

44 posts • joined 5 Feb 2008

Uber is a taxi company, not internet, European Court of Justice advised

B Candler

Re: Finally some common sense

Their problem is they want to be a taxi service without abiding by any of the rules or regulations that govern being a taxi service - criminal background checks for drivers, fare tariffs, limits on number of licenced cars on the road, vehicle safety checks, adequate insurance, employment benefits, other regulations governing public transportation.

Don't forget that all the drivers must already adhere to standards - at least in the UK they need to be licensed.

So the question as to whether "Uber is a hail-a-cab (taxi) service" or "Uber is a minicab (private hire vehicle) service" is a side issue here. In both cases the drivers themselves *are* regulated and licensed, albeit under different regulations.

What the legal opinion seems to be saying is that if you contact Uber, ask for a ride, and pay them, then Uber is providing some sort of transportation service, not an introduction agency. This seems a rare and remarkable victory for common sense.

Plusnet ignores GCHQ, spits out plaintext passwords to customers

B Candler

Re: TalkTalk customer Schadenfreude...

Actually, they *must* store the plaintext password. This is because they use BT's wholesale ADSL network, which requires CHAP for PPP authentication (RFC 1994).

With CHAP the plaintext password is not sent over the wire; but instead you must possess the plaintext password at both ends. Storing a hash of the password would be no good, because then you would be able to authenticate using the hash; the hash itself would be as good as a cleartext password.

However, that is no excuse for their systems revealing the cleartext password, either to staff or users themselves. It should be pushed down to the RADIUS servers using a write-only mechanism. If a customer forgets their password, then staff should be able to change it but not reveal it.

Probably the reason they don't do this is because it would also require the user to change the password stored in their ADSL router, which is a support headache. They should consider using a different password for ADSL authentication than the one used for accessing the portal; the latter could of course be hashed, and used to reset the former.

Finally, there is another reason they use cleartext passwords, which is to authenticate a user phoning the call centre. They challenge the user by asking them to give (say) the first and last letters of the password, and this requires the individual characters of the cleartext password. It's worth remembering that many banks and utilities use the same practice.
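The CHAP exchange described above, worked through as an added example (written for this page, not Plusnet's or BT's code): it shows why the authenticator needs the plaintext secret, why storing a hash gains nothing, and the separate hashed portal password that only authorises writing a new ADSL secret. The secrets, the packet identifier and the dict standing in for the RADIUS store are all constructed.

```python
"""CHAP (RFC 1994) challenge/response, showing why the authenticator must hold
the same plaintext secret as the peer.  Added example written for this page,
not Plusnet's or BT's code; the secrets, identifier and portal record are
constructed, and the RADIUS store is a plain dict standing in for a real one."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 fixes the response as MD5(Identifier || Secret || Challenge).
    MD5 appears here because the protocol mandates it, not as a recommendation."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the response from the stored secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(stored_secret: bytes, peer_secret: bytes) -> bool:
    """One full exchange: the authenticator issues a fresh challenge, the peer
    answers with whatever secret it holds, and the authenticator checks it."""
    challenge = os.urandom(16)      # authenticator's nonce
    identifier = 0x2A               # constructed packet identifier
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(identifier, stored_secret, challenge, response)


def hash_of(secret: bytes) -> bytes:
    """What a 'store only a hash' design would keep on the RADIUS server."""
    return hashlib.sha256(secret).digest()


# Why hashing the ADSL password gains nothing: if RADIUS stored hash_of(pw)
# and the router were told to use hash_of(pw) as its CHAP secret, the exchange
# still succeeds, so the hash is itself the credential.
# chap_exchange(hash_of(pw), hash_of(pw)) -> True
# chap_exchange(hash_of(pw), pw)          -> False (the hash cannot verify pw)


# The post's suggestion: a separate portal password, which CAN be hashed, and
# which is only used to authorise writing a NEW ADSL secret down to RADIUS.
PBKDF2_ROUNDS = 200_000


def portal_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def portal_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def reset_adsl_secret(portal_password: str, salt: bytes, digest: bytes,
                      radius_store: Dict[str, bytes], username: str) -> Optional[str]:
    """Write-only path to RADIUS: the (hashed) portal password authorises
    generating a new random ADSL secret, which is pushed to the store and shown
    to the user once.  Nothing here can read an existing secret back."""
    if not portal_verify(portal_password, salt, digest):
        return None
    new_secret = os.urandom(12).hex()
    radius_store[username] = new_secret.encode()
    return new_secret
```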

Sleepy eNom bombs websites in HUGE DNS OUTAGE – remains silent despite gripes

B Candler


Judging by those links in twitter, the actual nameservers affected are:


Those are the same nameservers which registrationagency.com uses.

Does anyone know the relationship? e.g. is registrationagency reselling enom, or vice versa, or they both outsource their DNS to the same provider?

Upstart brags about cheaper-than-Amazon private cold data cloud

B Candler

Eighteen nines? Utter nonsense

This implies a failure rate of 1 in 10^18

For availability: that would mean that the system downtime is guaranteed to be 32 picoseconds per year.

For data loss: that would mean losing one byte in every exabyte (= 1000 petabytes)

Anyone who makes such claims is a shyster.

Home lab operators: Ditch your servers ... now!

B Candler

Mac Mini

I run training workshops using a Mac Mini (server edition, i7 quad-core plus hyperthreading), souped up to 16GB RAM and 2 x SSD. So far this is the best power to size ratio I can find, helped by the fact that the Mac Mini doesn't have an external power brick.

The OS is Ubuntu Server 12.04, using KVM/libvirt. On this platform I can run 36 Ubuntu VMs with 512MB each. (ksmd finds identical memory pages between the guests and shares them, so a small degree of memory overcommitment is possible if the guests are similar)

It would however be much better if the Mac Mini could take 32GB of RAM, and I'm hoping the rumoured upcoming Haswell refresh will support this.

If I were building a home lab, and could afford it, I'd probably use two Mac Minis, and install Debian and Ganeti on top. Ganeti is a production-grade VM management system (it's what Google run their office infrastructure on), and its key benefit is being able to manage DRBD for replicating VM instances from a primary node to a secondary node. This allows live migration between those nodes, without any shared storage backend.

You can however use shared storage backends like NFS, or distributed filesystems like ceph (rados/rbd).

Ganeti is not for people averse to command lines though. There's a Ganeti Web Manager project, but it only offers a limited subset of functionality. Synnefo is built on top of Ganeti and gives you a full cloud environment.

Oi, small biz! Attach our Syncro to your storage, says LSI

B Candler

Two servers attach to the same disks!

That would be the same as, er, SCSI?

New 4TB drive spaffs half a telly season into your eyes AT ONCE

B Candler

Re: WD Red?

Example of a nobbled drive:

# /usr/sbin/smartctl -i /dev/sdb
Model Family: Seagate Barracuda (SATA 3Gb/s, 4K Sectors)
Device Model: ST3000DM001-9YN166
Firmware Version: CC4C
User Capacity: 3,000,592,982,016 bytes [3.00 TB]

# /usr/sbin/smartctl -l scterc /dev/sdb
Warning: device does not support SCT Error Recovery Control command

B Candler

Re: WD Red?

Not that I have tested this exact model, but Seagate now nobble their consumer drives so that they can't be used in RAID. Specifically, they disable Error Recovery Control. In the event of a read error, the drive will retry forever instead of giving up after a few seconds so that the RAID controller can find the data on another drive. Result: the drive gets kicked out of the array, and the whole array goes into degraded mode, just for one bad block.

Under Linux this is easy to test:

/usr/sbin/smartctl -l scterc,70,70 /dev/sda

If this command works, then you've enabled ERC with a 7-second timeout. If the command is rejected then your drive doesn't support ERC, so tough.

WD Red drives do have ERC, so I'd strongly suggest those instead for any sort of home RAID. Hitachi drives used to be a good bet too, but they've changed hands so you should check.
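The ERC check from the two posts above, turned into an added example (written for this page, not the poster's or smartmontools' code) that classifies `smartctl -l scterc` output so a RAID host can spot drives that will hang on a bad block. The sample outputs are constructed to follow the usual smartctl layout; `check_drive` runs the real command and needs smartmontools and root.

```python
"""Classify `smartctl -l scterc` output: unsupported (nobbled), disabled, or
enabled with read/write timeouts.  Added example, not code from the post or
from smartmontools; the sample outputs are constructed after smartctl's usual
layout, and deciseconds are the unit `smartctl -l scterc,N,N` takes."""
import re
import subprocess
from typing import Optional, Tuple

ERC_LINE = re.compile(r"^\s*(Read|Write):\s+(\d+)\s+\(([\d.]+) seconds\)", re.M)
DISABLED = re.compile(r"^\s*(Read|Write):\s+Disabled", re.M)

# Constructed samples: a drive without ERC (as in the post), one with the
# post's 7-second setting, and one where ERC exists but is switched off.
SAMPLE_NOBBLED = "Warning: device does not support SCT Error Recovery Control command\n"
SAMPLE_ENABLED = (
    "SCT Error Recovery Control:\n"
    "           Read:     70 (7.0 seconds)\n"
    "          Write:     70 (7.0 seconds)\n"
)
SAMPLE_DISABLED = (
    "SCT Error Recovery Control:\n"
    "           Read: Disabled\n"
    "          Write: Disabled\n"
)


def erc_status(output: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (status, read_deciseconds, write_deciseconds) where status is
    'unsupported', 'disabled', 'enabled' or 'unknown'."""
    if "does not support SCT Error Recovery Control" in output:
        return ("unsupported", None, None)
    timeouts = {m.group(1): int(m.group(2)) for m in ERC_LINE.finditer(output)}
    disabled = {m.group(1) for m in DISABLED.finditer(output)}
    if disabled and not timeouts:
        return ("disabled", None, None)
    if "Read" in timeouts and "Write" in timeouts:
        return ("enabled", timeouts["Read"], timeouts["Write"])
    return ("unknown", timeouts.get("Read"), timeouts.get("Write"))


def raid_safe(output: str, max_deciseconds: int = 70) -> bool:
    """True only when ERC is on and both timeouts are at or below the limit
    (70 = 7 seconds, the value the post sets), so the drive gives up on a bad
    sector before the controller decides the whole drive has gone away."""
    status, read_ds, write_ds = erc_status(output)
    return (status == "enabled"
            and read_ds <= max_deciseconds
            and write_ds <= max_deciseconds)


def check_drive(dev: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Run the post's command against a real device (smartmontools, root)."""
    out = subprocess.run(["/usr/sbin/smartctl", "-l", "scterc", dev],
                         capture_output=True, text=True).stdout
    return erc_status(out)


if __name__ == "__main__":
    for name, sample in [("nobbled", SAMPLE_NOBBLED), ("enabled", SAMPLE_ENABLED),
                         ("disabled", SAMPLE_DISABLED)]:
        print(name, erc_status(sample), "raid_safe" if raid_safe(sample) else "NOT raid_safe")
```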

FoundationDB uncloaks ACID-compliant NoSQL beta

B Candler

Re: Closed source - undisclosed price

The FAQ says that only the APIs and outer layers will be open source, but later talks about a free "community edition". So I enquired as to what this meant.

They confirmed that the core will remain closed-source.

"Community edition" means that it is free for developers to build their applications with - not that the database itself is open to code contributions from the community.

Ubuntu for smartphones aims to replace today's mobes, laptops

B Candler

Re: Nice try, probably no cigar

Or an Android emulation layer, so you can run stock Android apps.

Oracle offers tiny tools for pint-sized Java devices

B Candler

Java iButtons

What happened to the Java iButtons from 15 years ago? These were gimmicks given out at conferences, but apparently ran a JVM.


Curiosity's new OS upgrade ready to go live

B Candler

Re: Clearly Fake

According to the BBC's report you're not alone: "Scientists have remarked that the rover's surroundings resembled parts of the southwestern US."


Microsoft: It's not Metro, it's Windows 8

B Candler

Re: Sod that!

In the old 1980s, Apple used to call these little applets "desk accessories", and they hung off the Apple menu.

What goes around, comes around...

O2's titsup network struggles to find its feet

B Candler

Re: Is this the start of a trend?

I disagree. Companies do spend a lot of money and effort building systems and services with "resilience" built in.

What they often don't appreciate is how much complexity this "resilience" adds, and that the complexity itself results in additional failure modes (which are harder to diagnose).

It's pretty easy to design a system which is resilient against a node powering off completely. It's much harder to design a system which is resilient against a node which starts sending out corrupt data. Google for "byzantine fault tolerance".


"For example, in 2008 Amazon S3 was brought down for several hours when a single-bit hardware error propagated through the system.[2]"

Ten... Satnavs to suit all budgets

B Candler

Re: Please reformat...

There is already a way to reformat. Go to the URL bar, and replace the initial 'www' with 'm', so you end up with m.theregister.co.uk/whatever

Hey presto, you get all the pages in one, in a wonderfully clean and easy-to-read layout.

Now all we need is links on the m and www versions of the site to link to the corresponding page in the other site. This would be useful on mobile devices too, as you have to switch to the desktop version to do a 'search'.

Commodore outs Linux-running Amiga Mini desktop

B Candler

Where's the yawn icon?

I have a 2-year-old Dell Zino HD which looks rather like this but shinier. Mine came with 3GB RAM and a dual-core CPU, a copy of Windows 7 (which I don't use) and I think it cost £329 inc VAT. Unfortunately Dell have stopped making it.

Microsoft shuttering Windows Mobile 6.x Marketplace

B Candler

Re: No, we aren't bothered by the marketplace

Android lets you install software from anywhere, at least my HTC Desire (2.2) does. There's just one tickbox you set in the settings to allow it.

It also allows direct sync to PC over USB - although I don't use it because (a) I don't suppose there's a Linux client, and (b) I don't mind Google knowing what's in my address book.

I'm not sure if you can use it without setting up a google account at all.

Ten exabytes wedged into a rather large box by Cleversafe

B Candler

Might as well build your own

> a "portable datacenter", containing 21 racks with 189 nodes and 45 3TB drives per node

So that's 21 racks each with 9 x 4U servers holding 45 drives each.

As it happens, Backblaze have published the details of how they build 4U servers containing exactly 45 drives. Details in the links from here:


If you're buying the custom cases in that sort of quantity you should get a good price. Then stick Gluster or Openstack Swift on top of it, and away you go.

World braces for domain name EXPLOSION

B Candler

Root servers...

...will only have a few hundred extra entries, according to that article. Even if it gets into thousands, it's still a small static file to be served.

That doesn't make it any less of a stupid idea though, except for ICANN and the domain registrars who will make a tidy packet from it.

Actually, people have been selling new TLDs (and making a packet from it) for many years - even though they don't work. See www.new.net. They will presumably register their 75 fake TLDs, and thus turn themselves into a legitimate business. The point is, even when it was selling snake-oil, it still made tons of money!

Google rolls out fix for Android security threat

B Candler

This is no fix

Unfortunately, whilst Google's change might protect against passive sniffers, it doesn't protect against a man-in-the-middle attack. This is easy to mount:

* Attacker inserts their own server pretending to be Google

* Fake server says that it can only do HTTP

* Phone happily connects to it

* Fake server opens a separate HTTPS connection to Google

* Fake server copies traffic back and forth, reading and/or modifying it as it goes

This can only be properly fixed client-side. The client code must not fall back to HTTP, and the client must validate the certificate of the server it's talking to.

Self-erasing flash drives destroy court evidence

B Candler

Garbage collection

I think the point is that the SSD is only garbage-collecting its own data structures and duplicate copies of blocks; it's not doing filesystem-level garbage collection.

When you delete a file on your PC, the OS just updates the directories and FAT (or equivalent). There is no signal to the drive that the blocks which contained the file data are no longer needed, and so those blocks will persist. This sort of feature *is* just coming available in high-end SANs, so that thinly-provisioned space can be reclaimed when files are deleted, but it needs support both in the OS and the device.

However, this article does suggest that overwriting your file blocks with zeros *might* actually have some value for flash drives, because the previous copies of the blocks are then eligible for garbage collection and the drive might erase them in the background at some point in the future. Or it might not, as it sees fit.

FOSS maven says $29 'Freedom Box' will kill Facebook

B Candler

It's been tried before

Back in 1996, John Gilmore proposed putting Linux-based "crypto walls" on the boundaries of every network, which would opportunistically IPSEC-encrypt all traffic in and out of your network when the other side supported it too. His goal was to have 5% of Internet traffic encrypted within one year. He failed.

I suspect the main cause of failure was lack of any global trusted key infrastructure. However the idea *might* work if it was restricted to just your circle of friends, and you explicitly set up links between them.

You would need some sort of "pairing" mechanism to make this as simple as possible whilst remaining secure. For example, your box generates a one-time password, which you print out and give to your friend (or E-mail it, if you are not too paranoid) and they use it to establish the first connection. Under the hood it might issue a certificate from your own CA, for instance.

With a large circle of friends you'd want to avoid the N^2 problem, so you could provide a simpler way to join friends-of-friends, maybe with a simple click via an existing pairing. The other party would have to accept or reject this too, of course.

IPv6 uptake still slow despite looming address crunch

B Candler

Re: Think of it like this.

> what happens when a user or provider wants an IP address and the provider doesn't have any to provide?

99% of users don't care. As long as they type www.porn.com into their browser and get a page back, they don't care if it's gone through 3 levels of NAT or not. Business users see it as a security advantage.

I agree there are minorities who are interested in direct addressing: e.g. peer-to-peer filesharers, gamers (although many games are server-based anyway), and VOIP users. These may actually take the trouble to configure up their IPv6 stacks, and pay to replace their CPE routers. They will not displace the IPv4 majority though.

B Candler

Takeup is slow?

Duh, of course it is, for the simple reason that being connected to IPv6 (as opposed to being connected to The Internet) doesn't give any benefit for the two groups of people who matter: the users, and the content providers.

ISPs are a small band who sit in the middle, and can moan all they like about IP address depletion (because it will probably start costing them more to get IP addresses), but the users don't give a hoot.

Right now, if you go the recommended IPv6 deployment approach - dual stack - then you are connected to two networks. One is The Internet, and the other one isn't. It's just like the days when people connected to IP and X25, or IP and CLNP. The one which wasn't IP didn't have the content and services that the users wanted, so it withered away.

Even if by some huge stretch, just imagine that 50% of the content on the Internet was also available on the IPv6 network. People would still need IPv4 connections to access the rest of the Internet. So they've gained absolutely nothing by deploying IPv6 (*).

The pain and cost in going dual-stack is huge. Not only does your OS need to change, but all your network-aware *applications* need to be modified too. Sure, things like Cisco routers nominally support IPv6 - but try turning on the full set of features you need (let's say MPLS and IPSEC), and see if it works. Pain and expense without business benefit = no deployment.

Of course, content *providers* will have to remain on IPv4 indefinitely anyway, to keep themselves visible to the IPv4 users, which in circular fashion means that users who stay on IPv4 are the ones who benefit most: they can still access the whole Internet, and they avoid the costs. Any content provider who went IPv6-only would be suicidal.

There's only one way in which you'll get IPv6 deployment, and that is to embrace NAT. Treat IPv6 as a sort of super-RFC1918 address space. Run only IPv6 on your corporate or campus LAN, and have NAT/PAT gateways which let you talk at least TCP and UDP to the IPv4 world.

Unfortunately, the IPv6 nazis are so anti-NAT that they have decreed this is a forbidden approach - it's dual stack or nothing. They shouldn't be surprised, then, if nothing is what they get.

(*) Remember that IPv6 doesn't solve *any* of the problems of IPv4 - such as multi-homing, mobility, or security. IPv6 may mandate IPSEC in the spec, but without a global keying infrastructure, it gives you nothing more than IPSEC on IPv4.

Apple's fresh Mac mini stripped naked

B Candler

You don't know how lucky you are

> Which difficult to upgrade Mac models are you referring to apart from the Mac Mini?

I upgraded a Mac 128 to a Mac 512 by desoldering all the DRAM chips (16 of them I think) and soldering in new ones.

Pass the zimmerframe please...

NetSecure SmartSwipe credit card reader

B Candler

I never realised...

... that the three-digit security code was also present on the mag stripe. So much for the extra 'security' it provides...

Dell Inspiron Zino HD

B Candler

Re: Good Value?

Good value compared to the £500+ for a Mac Mini which has less RAM and a smaller HD.

I'm also happy to have the larger box, given that it means I have a proper 3.5" drive rather than a 2.5" laptop drive which is less likely to survive long periods switched on.

B Candler

Good value

I have one of these, but not at the £630 price point shown in the article. I got the dual-core 1.5GHz processor, 3GB RAM, 500GB HD, DVD-RW drive, wireless keyboard and mouse, and it came to £329 inc delivery. I think it would have been £20 extra for the wifi card, but I didn't need it.

It came with Win7 64-bit, but is now running Ubuntu Karmic. There are a few minor problems with Ubuntu: Suspend/resume isn't reliable; I have to turn off USB2 to talk to my Canon camera; and audio only comes out of the front jack. But otherwise I'm extremely happy with my purchase.

Dell's order status website wobbles at knees

B Candler

Fixing the customer number

What also doesn't help is that the tracking link which goes to the Syncreon website doesn't work, because the customer numbers don't match up.

Apparently sometimes you can convert a Dell customer number into a Syncreon customer number by replacing the leading GB1 with 02. This didn't work for me. In the end I found the solution here:


I had to remove the GB, add 02 to the front, and drop the last digit off the end. Obvious.

Google betas Chrome for Mac, Linux

B Candler


Blindingly fast under 32-bit Ubuntu on a low-spec machine; flash block extension works fine; and the built-in DOM and Javascript debugging tools look to be comparable to firebug at first glance.

Now all I want is to:

- disable animated gifs

- be able to change the user-agent header

Looks like the chromeextensions.org site is being crushed under the weight of new users...

T-Mobile Pulse

B Candler

Flash animation

1. Can it play flash in web pages?

2. If it does, can it be turned off? Flashblock in Firefox is a sanity-saver (more so if I end up paying per MB on another PAYG tariff)

El Reg launches 'Comment of the Week'

B Candler

Sweet prize

Must have gotten it off E-bay. E-bay gum.

I'll get my coat.

VMware plots world data centre domination

B Candler

No monopoly on x86

VMware isn't going to have a stranglehold.

Virtual machines are pretty easy to move between hypervisors, because they're all just emulating a vanilla x86 machine. So if VMware licensing gets excessively expensive, then people will first start moving their test and development environments to standalone (free) ESXi instances; then to other virtualisation platforms like KVM or Xen; and the ultimate sanction is to move their live platforms across too. The other vendors have a good incentive to provide tools to make this as seamless as possible. It's not like moving an app from Windows to Linux, or even from one Unix flavour to another.

"There is the prospect - there surely must be the prospect - of apps being produced which request their previously Windows-delivered resources direct from ESX. Every step in an app's resource consumption stack needs physical host server cycles. Why not minimise the number of steps and have apps run more and more in VMs that have a thin or almost non-existent O/S layer between the app and the VM?"

There appears to be a misunderstanding here between the services provided by the real or virtual hardware (e.g. block devices) and the services provided by the OS (e.g. filesystem). They are complementary.

Of course, vendors can and do distribute applications as .vmdk images. That gives a minor advantage to VMware users, but other platforms can import and run these images too, because they are little more than blobs of disk space.

These images are almost certain to include some sort of OS, because VMware on its own isn't going to provide OS services such as filesystem, scheduler, virtual memory etc. But regardless of what sort of OS it bundles, the .vmdk image would still be portable.

The only "OS-less" x86 app I can think of is Netware, and that's really an OS in its own right.

Philips Cinema 21:9 56in LCD TV

B Candler

Don't worry about the black bars...

... at this price it should have built-in curtains which automatically roll out from the sides :-)

Microsoft: Don't rush to download Windows 7 RC

B Candler

@Arnold Lieberman

The Latitude X1 is a great little machine. Note that Dell are still selling the 1GB memory upgrade for just £21.87 including VAT and shipping - part number A1476451. As the laptop has 256MB soldered on board, this gives you 1.25GB in total.

The Pirate Bay punts BitTorrent cloaking device

B Candler

Err, there's a flaw here

> The service costs €5 per month, and the swashbuckling Swedes say they will collect no personal data if you sign up. Um, well, other than an email address.

How are they collecting payment without a credit card number, name and address? Are people sending 5 euro notes in the mail every month, along with a piece of paper with their E-mail address written on it?

NASA space tests 'interplanetary internet' protocol

B Candler

New technology

"Unlike TCP/IP, the DTN does not assume a continuous end-to-end connection. If a destination path cannot be found, data packets are not discarded. Each node keeps the information as long as necessary until it can communicate safely with another node."

Ah, that'll be uucp then. Might need to crank the window sizes up a bit though.

@AC: "I thought TCP/IP was delay-tolerant to a degree?"

Sure - it buffers all data at the sender until acknowledged by the receiver. But you still need delay*bandwidth worth of storage. The TCP Window Scale option lets this be up to 1 gigabyte (8 gigabits), giving you ~7Mbps to Mars with a 20-minute RTT.

But if the application decides that the connection has dropped you'll lose it all.

$ ftp downloads.mars.net

<< 20 minutes later >>

Timed out waiting for login

Shuttleworth on Ubuntu: It ain't about the money

B Candler

Ubuntu *does* have call-home features

"Ubuntu does not have any call-home features to help Canonical count installations"

... except that it forcibly installs a package called "popularity-contest", which calls home every week with details of your installed packages. You can't remove it, because it is a required dependency of the "ubuntu-standard" metapackage.

It may or may not be disabled by default; I wasn't sure, so I stuck an "exit 0" at the top of /etc/cron.weekly/popularity-contest to make sure it's neutered. But if it is disabled by default, why on earth is it a mandatory dependency??

$ dpkg-query --status popularity-contest


Description: Vote for your favourite packages automatically. The popularity-contest package sets up a cron job that will periodically anonymously submit to the Ubuntu developers statistics about the most used Ubuntu packages on this system.

This information helps us making decisions such as which packages should go on the first CD. It also lets us improve future versions of Ubuntu so that the most popular packages are the ones which are installed automatically for new users.

(Aside: their definition of "anonymous" is using sendmail to send outgoing mail, which means at very least they will have your hostname in the headers)

Becta schools deal stuns British open-istas

B Candler

You can't win...

Presumably the "open source community" would equally be "up in arms" if the contract were awarded to a company with a vested interest in pushing its own commercial open-source platform and agenda, such as Red Hat or Canonical/Ubuntu.

Anyway, the open source community != The Open Source Consortium. Could they perhaps be a bit miffed at having lost the contract?

World economy group gives IPv6 big push

B Candler

IPv6? No thanks

>> I've always wondered why haven't we already done the "Great Leap Forward" into IPv6

IMO, it's because the Internet isn't driven by people saying "wouldn't it be nice if we had longer IP addresses?" It's driven by businesses who say "how much does this IT project cost, and what benefits does it generate?"

The cost of IPv6 deployment is high. Remember that you have to upgrade not just your routers and your operating systems, but all your networked application software too.

And in return, how many businesses would see any commercial benefit (i.e. increased revenue or reduced cost)? I think few, if any.

>> IPv6 brings QoS, better routing and improved security

Sorry, but none of the above.

Perhaps people think that IPv6 brings security because it mandates IPSEC implementation. But you can run IPSEC on IPv4 too. The fact that there is no acceptable trust model for distribution of IPSEC keys (DNSSEC? Hah!) means that neither is useful for anything other than VPNs.

QoS? Where did that idea come from?

Better routing? IPv6 routing is the same as IPv4, apart from the longer prefixes.

In theory it was supposed to be easy to renumber your network in IPv6, to make it easier to change provider and maintain aggregation. In practice, it's no easier than IPv4. As anyone who's renumbered a network knows, changing your *interface* configuration is the easy part; changing all your interdependent *application* configurations is the hard part.

IPv6 doesn't offer any solution to the multihoming problem either. Registry policies on PI space are irrelevant. If businesses need to multihome, then they will buy the service, and so ISPs will make the necessary route announcements, leading to the same explosion of routing tables as IPv4 has now.

Where are the benefits? There is only one, and that's the availability of more addresses. (Of course, if we started with a brand-new IPv4 Internet without all those legacy classful allocations, we'd be fine too, but that's a side issue)

So let's suppose the day comes along when an ISP goes to a registry and is told there are no more addresses available, period. The ISP will then have two alternatives:

(1) Give their customers private IPv4 addresses behind a NAT firewall. For those few users who want to receive incoming connections, have application-level proxies (e.g. SMTP, HTTP)

(2) Give their customers IPv6 addresses, and also set up a NAT firewall for them to be able to access the IPv4 Internet, which is where all the content is anyway.

Solution (1) works today. It can even be sold as a "security" benefit to customers, since the user will be behind the ISP's firewall. The majority of users won't see any difference.

Solution (2) is a pain to implement for both the ISP and the customer. ISPs work on tight margins. Do they want the support overhead of getting all their customers to upgrade and reconfigure their endpoints to IPv6? (Again, including all application software?)

In the "no more IPv4" scenario, gamers and peer-to-peer filesharers may be persuaded to switch to IPv6, as they would see a benefit. But the majority will be happy with NAT.

Pano Logic gives VMware case of VDS 2.0

B Candler

Hardware only...

It's conceivable. You can get off-the-shelf USB->VGA adapters, and there are proprietary schemes for encapsulating USB messages in ethernet frames or IP datagrams. I don't know if any of those have been integrated down to the chip level yet. If it's over IP then you'll need at least a DHCP client, which most likely means a small embedded processor.

But in any case, I'm not sure I fancy running all that down an ADSL line...

How big an eco-hazard is IT equipment?

B Candler

Not even as much as that

"Power wasted by a typical notebook computer or monitor is approximately 12 Wh per day, which Dr Reger estimates would amount to 12.74 kWh per year ... A similar saving could be made by simply using one 100 watt light bulb for 30 minutes less every day"

If my maths is right, the actual usage is only a fraction of that:

(a) 12 / 1000 * 365.24 = 4.38 kWh per year

(b) 12 Wh is the same as 7.2 minutes of a 100W light bulb (7.2/60 * 100 = 12)

Equifax typo derails digital cert

B Candler

"Unique" E-mail addresses aren't secure

"I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com."

Not surprising - just a brute-force attack. Spammers frequently send mails to {dictionary-of-usernames}@{dictionary-of-domains}. It's cheap and easy for them to do, and lets them discover new addresses to spam.

To prevent this happening, you should add a sufficiently long strong random cookie into each username you generate, e.g.


Or you could use something more sophisticated like BATV, which encodes an expiry timestamp and a signature into the address.

There's no evidence of Equifax having misappropriated your data here.
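The two schemes the post recommends, as an added example written for this page (the post's own "e.g." example is missing from the page, so this is not it): a per-correspondent address with a long random cookie, and a BATV-style tag carrying an expiry day and an HMAC signature. The domain, key and addresses are constructed, and the tag is a simplified form of the BATV "prvs" layout (one key digit, three day digits, six hex digits of signature), not a conformance-checked implementation.

```python
"""Making per-correspondent addresses unguessable, as the post suggests:
(1) a long random cookie in the local part, and (2) a BATV-style tag that
carries an expiry day and an HMAC signature.  Added example written for this
page, not the post's own; the domain, key and addresses are constructed, and
the tag is a simplified form of the BATV "prvs" layout (key digit, 3-digit
day, 6 hex digits of signature)."""
import datetime
import hashlib
import hmac
import secrets
from typing import Dict

DOMAIN = "example.com"      # constructed; stands in for "insertmydomainhere.com"
WINDOW_DAYS = 7             # how far ahead an expiry may legitimately be set


def cookie_address(label: str, bits: int = 80) -> str:
    """label+<cookie>@domain.  80 random bits make {dictionary}@{domain}
    guessing hopeless; the label still tells you who leaked the address."""
    return f"{label}+{secrets.token_hex(bits // 8)}@{DOMAIN}"


def today_ordinal() -> int:
    """Day counter for the DDD field: days since 0001-01-01 (used mod 1000)."""
    return datetime.date.today().toordinal()


def _sig(key: bytes, ddd: str, local: str) -> str:
    """Six hex digits of HMAC-SHA1 over DDD||local, as in BATV."""
    return hmac.new(key, (ddd + local).encode(), hashlib.sha1).hexdigest()[:6]


def batv_sign(local: str, key: bytes, expiry_day: int, key_id: int = 0) -> str:
    """prvs=<K><DDD><SSSSSS>=<local>@<domain>: K selects the key, DDD is the
    expiry day mod 1000, SSSSSS signs DDD||local so neither can be altered."""
    ddd = f"{expiry_day % 1000:03d}"
    return f"prvs={key_id}{ddd}{_sig(key, ddd, local)}={local}@{DOMAIN}"


def batv_verify(address: str, keys: Dict[int, bytes], today: int) -> bool:
    """Accept only a correctly signed tag whose expiry is today or within
    WINDOW_DAYS ahead; an expired tag wraps round to a large days_left."""
    local_part, _, domain = address.rpartition("@")
    if domain != DOMAIN or not local_part.startswith("prvs="):
        return False
    tag, sep, local = local_part[5:].partition("=")
    if not sep or len(tag) != 10 or not tag[:4].isdigit():
        return False
    key = keys.get(int(tag[0]))
    if key is None:
        return False
    ddd, sig = tag[1:4], tag[4:]
    if not hmac.compare_digest(_sig(key, ddd, local), sig):
        return False
    days_left = (int(ddd) - today) % 1000
    return days_left <= WINDOW_DAYS


if __name__ == "__main__":
    key = b"constructed-batv-key"
    addr = batv_sign("equifax", key, today_ordinal() + WINDOW_DAYS, key_id=1)
    print(cookie_address("equifax"))
    print(addr, batv_verify(addr, {1: key}, today_ordinal()))
```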

IPv6 roots planted on the net

B Candler

IPv6 is damage - the market will route around it

>> "I think IPV6 is destined to join OSI in the network junkyard."

> Aww don't talk about the OSI model like that or I will cry.

He's talking about the OSI protocol stack - i.e. CLNP - not the OSI 7-layer model, which is a useful way of thinking about any sort of network. The US government mandated OSI in all government network purchases (as it is mandating IPv6 today). Look what good that did.

Some people I know and respect in the Internet industry are resigned to a rollout of IPv6. A typical comment is:

"most of us are ipv6 haters, but we're also pragmatic. ipv6 may suck caterpillar snot, but we have no alternative. so get over it."

I am still in the camp which believes it won't happen. Right now we have two alternative universes ahead: one with massive amounts of NAT/PAT, and one with IPv6. The first works today and gives the user full connectivity to the whole Internet. The second gives the user nothing.

One problem is that deploying dual-stack IPv4 + IPv6 (whether it's in your own network, or in your ISP's network) doesn't deliver any incremental benefit to the deployer. "The Internet" is IPv4, and you could reach that already. Nothing worthwhile is IPv6 only. No major content provider is going to put up IPv6-only services; it would be commercial suicide. And if someone did put up a massive IPv6 free porn server, all that will happen is that people will build IPv4-to-IPv6 proxies, perhaps adding a few banner ads at the same time.

Even if your ISP's network is running IPv6, and your home network is running IPv6, a more insidious problem is that all your *applications* need to be rewritten to use it too. You might argue "patched" rather than "rewritten", but there are substantial changes: (a) resolver APIs are different; (b) applications may get a choice of IPv6 and IPv4 addresses, and have to try one and fall back to the other; (c) IPv6 addresses contain colons, but many applications use "x.x.x.x:port" as a syntax; (d) user interfaces may need to display both forms of address. There are others.

Consider all that software you've bought. All those on-line games which communicate using IPv4. All those legacy Windows NT 3.51 servers still running out there. Until you can remove or update every single networked *application* you have, then you will need dual-stack IPv6/IPv4; and as long as you have IPv4 in your stack, you have no need for IPv6.

Of course, dual stack IPv4/IPv6 *does* open up lots of new possibilities for virus propagation and network intrusion, since you will have double the number of firewall policies which need to be checked.

(Maybe IPv6 will find a niche as an RFC1918 replacement in some organisations; IPv6 inside the firewall, IPv4 outside. But for most people, I think RFC1918 is good enough as it is)

Regards, Brian.

P.S. The most ludicrous thing is, IPv6 doesn't really solve the address depletion problem either. Several ISPs have already obtained /19 allocations of IPv6 addresses, e.g. France Telecom. Since the first 3 bits of the address are fixed, this means that France Telecom by itself has already obtained 1/65536th of the total IPv6 address space.
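Point (c) of the post above, the "x.x.x.x:port" syntax breaking once addresses contain colons, as an added example written for this page (not the poster's code): a parser that requires IPv6 literals to be bracketed, because a bare "2001:db8::1:443" is a valid address in its own right and cannot safely be split into host and port. Sample inputs are constructed.

```python
"""Splitting "host:port" once IPv6 literals are allowed, point (c) of the post.
Added example written for this page, not code from the post; sample inputs
are constructed."""
import ipaddress
from typing import Optional, Tuple


def _family(host: str) -> int:
    """4 or 6 for an address literal, 0 for a hostname."""
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return 0


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_hostport(text: str, default_port: Optional[int] = None) -> Tuple[str, int, int]:
    """Return (host, port, family).  An IPv6 literal with a port must be
    bracketed, as in RFC 3986: "2001:db8::1:443" is a valid *address* in its
    own right, so it is never read as host ::1 plus port 443."""
    if text.startswith("["):
        end = text.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 literal")
        host, rest = text[1:end], text[end + 1:]
        if _family(host) != 6:
            raise ValueError("brackets may only enclose an IPv6 literal")
        if rest == "":
            port = default_port
        elif rest.startswith(":"):
            port = _port(rest[1:])
        else:
            raise ValueError("unexpected text after ']'")
    elif text.count(":") > 1:
        # Bare IPv6 literal: the whole string is the address, never host:port.
        if _family(text) != 6:
            raise ValueError(f"not an IPv6 literal: {text!r}")
        host, port = text, default_port
    else:
        host, sep, tail = text.rpartition(":")
        if sep:
            port = _port(tail)
        else:
            host, port = text, default_port
    if not host:
        raise ValueError("empty host")
    if port is None:
        raise ValueError("no port given; bracket IPv6 literals as [addr]:port")
    return host, port, _family(host)


def format_hostport(host: str, port: int) -> str:
    """Inverse: bracket IPv6 literals so the result parses unambiguously."""
    return f"[{host}]:{port}" if _family(host) == 6 else f"{host}:{port}"


if __name__ == "__main__":
    for sample in ["192.0.2.10:80", "[2001:db8::1]:443", "example.com:8080"]:
        print(sample, "->", parse_hostport(sample))
```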


Biting the hand that feeds IT © 1998–2020