Comment Re:As an American no way would I do this (Score 1) 87

No you mentioned the UK, read your own previous post. There was no mention of England.

Yes, urination in public spaces is a problem. In open countryside it's less of an issue - no one around to witness it, and plenty of wild/farm animals are already urinating there. But the original post was about Singapore, which is a city state without any countryside, so a blanket ban makes sense.

It seems public urination is an offence in at least some parts of England - see: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.camden.gov.uk%2Frepo...

Comment Re:As an American no way would I do this (Score 1) 87

Since you mention the UK, jaywalking is a crime in Northern Ireland which is part of the UK.

Singapore doesn't ban drinking in public during the day, only late at night. Remember it's a small place, with people living in close proximity to each other. Having drunk people making a lot of noise at night would be unfair to others who are trying to sleep.

Yes public urination makes things stink, and damages brickwork etc. It is absolutely disgusting to go through an area where people have been urinating and having to put up with the smell. A big cause of this is a severe lack of public toilets in many cities especially at night. Generally this is because people vandalise public toilets, which is another highly undesirable activity.

If there were tougher punishments and better enforcement against those who vandalise public toilets, perhaps there would be many more public toilets still open and thus fewer people urinating in random places. Sometimes people need to do more than urinate too...

Comment Re:As an American no way would I do this (Score 2) 87

Jaywalking is a crime in many other places too:

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2F...

While it's technically illegal in Singapore, the fine isn't that severe ($50) and is rarely imposed. Lots of people jaywalk, even in front of police and they generally won't do anything unless it causes a nuisance or danger to others.

Similarly lots of places ban drinking of alcohol in public places, especially at night. Some places even ban public consumption of alcohol at any time, not just late at night, for example:
https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fcodelibrary.amlegal.co...

You stated it as an absolute: these are disgusting things no one should do. You can't have it both ways.

Urinating in public is disgusting and should not be done at all. It might be a last resort in the countryside where you're a long way from any toilets but it would still be disgusting to do in an area that's frequented by others.

And it being absolutely outlawed in a city which has no countryside does not conflict with your notion that it's only acceptable in uninhabited countryside.

Comment Re:As an American no way would I do this (Score 1) 87

I don't really see a problem with public urination per se, more of a problem with where. Don't do it in a city, you make the city smell. Taking a whizz up a tree out in the country is fine.

Singapore is a city, there isn't any countryside.

drinking after 10pm (WTF???)

This applies to public places like streets and parks, you can drink at home or in licensed establishments (bars etc).

Comment Re:And with it routing tables increase in size aga (Score 1) 79

NAT, for example. There is NATv6, but few implement it. Why? No idea.

NAT gives you partial connectivity, with additional headaches and cost.

The alternative to NAT44 is no connectivity at all, so NAT44 is tolerated.

The alternative to NAT66 is fully working connectivity, so there are very few instances where you'd want to suffer partial connectivity encumbered by NAT if you don't have to.

Comment Re:And with it routing tables increase in size aga (Score 1) 79

NAT, for example. There is NATv6, but few implement it. Why? No idea.

Exactly, there is NAT66 and it's rarely used - because it breaks things and adds unnecessary complexity/cost.

It's useful in that it removes dependence on an upstream IP address - when your prefix changes, all hell breaks loose. Sure we can blame poor software or hardware for this problem, but it happens. Renumbering an IP network has never been a fun process, and things don't always work. After all, I know every time my ISP gives me a new IP address because connectivity breaks - the router sees a new IP address, but the cable modem refuses to accept it, forcing me to power cycle it.

Poor software is exactly it. For a typical end user network the prefix changes, your machine gets a new autoconfig address, and anything local (if anything) that you access is still accessible via the same mdns hostname. More demanding users can get a static block, or use ULA/LL address space for local use.

Look at the public stats, millions of people are successfully using IPv6 all around the world.

I'm sure the music and movie industry are strongly pushing for it - because one of the big reasons the lawsuits ended on copyright was because a judge ruled you cannot identify a person from an IP address. Which is true from an IPv4 perspective.

There is legislation for that in several countries already; someone is responsible for the NAT gateway, and if they're not keeping adequate logs to be able to pin arbitrary traffic to a specific user then the operator of the gateway is held responsible. Several people went to jail in France over this a couple of years back. It makes it very expensive to operate a NAT gateway because you have to log pretty much everything, and this level of logging is extremely bad for privacy too. If you've already sunk the cost of acquiring and retaining all those logs, you might as well try to recoup some of the costs by data mining it.

IPv6 has only one thing going for it - end to end connectivity. And that was broken decades ago because we have firewalls and other fun things designed to break connectivity because it's just not safe to have true end to end connectivity anymore.

If you want to live in a dystopian world where you're only a client, and you're beholden to a small handful of corporations... Welcome to the curated networks of AOL and Compuserve.

Today end to end connectivity is safer than ever, because client operating systems have moved on from the "every listening service enabled by default" of the past. Client devices simply don't have listening services exposed by default.
And you know what's much worse than putting your machine on a connection where inbound traffic is unrestricted? Putting it on a public wifi network where not only is there no restriction whatsoever on what traffic the owner of the network or other users can send to you, but you also have no control over what the owner of the network does to your traffic. He can MITM, attempt SSL interception etc.
And yet people connect to public wifi networks all the time and the world hasn't ended, because current devices don't sit there with 50 unused services listening, waiting to be exploited.

How many security breaches of end users occur due to inbound connections to listening services these days? Very few if any, only very niche situations. Virtually all happen via something which the user made an outbound connection to.

Plus, by being unable to have inbound connectivity, you now have to rely on third parties for everything. You can't access your devices at home (CCTV, NAS etc) when you're outside unless you have a third party to relay the traffic. Can you trust these third parties? How long will they provide the service? How do you know they won't change the terms? People complain about this kind of enshittification all the time, and a lot of it is driven by widespread NAT preventing self hosting.

Comment Re:As an American no way would I do this (Score 3, Insightful) 87

Nice country you have there. I bet you have to carry a photo ID that is registered with the government too.

You do, there's a mobile ID app too.

The side effect of all these fines is a very low crime rate, a country that's very clean and very safe. And most of these are things that reasonable people would not do anyway.

Similarly most of these things are illegal in other countries too - like drink driving, drugs etc. The only difference is that the punishments are harsher, and the enforcement more rigorous.

I've been to cities where graffiti is everywhere, drugs and drug paraphernalia (needles etc) are all over the place, as is garbage. Quite frankly it's disgusting, and if hefty punishments are the only way to stop it then more countries should copy their example.

Comment Re:That is not a good sign (Score 1) 136

The points come from the transaction processing fees...
There is a transaction processing cost with every form of payment - taking cash is not free, taking checks is not free. Cards are generally more efficient because they're fully electronic, so some of the fees can be passed back to the customer.

The alternative would be giving everyone a discount % for card payments relative to other payment methods. If they just lowered the fees to merchants, then merchants would make more margin on card payments.

Comment Interest free? (Score 1) 136

A lot of these services are interest free, or provide an initial interest-free period.

I could afford to pay up front, but then someone offers me 6 months interest free? Why wouldn't I take that?
Then the money can sit in a savings account for 6 months earning interest for me.
I end up paying the exact same amount, only 6-12 months later, by which time I've earned some free interest on my savings and inflation has made the repayment amount marginally lower.

I've bought a number of things in this way for this reason.

Comment Re:And with it routing tables increase in size aga (Score 1) 79

I don't believe that that was the best that could be devised. The simple fact is that there are millions of networks using NAT and some better migration path should have been created for them.

NAT is just a temporary kludge that allowed legacy ip to limp along for longer. It has nothing to do with migration.
The idea is that you'd still have a firewall to control access, but would not need the overhead of NAT.
When IPv6 was designed, it was still possible to get larger blocks of legacy address space and many places operated without NAT, so you could have true dual stack.

In fact most implementations these days are not true dual stack; they provide native v6 and partial legacy IP encumbered by NAT.

Please explain how one would scan the address space behind a NAT router.

* Devices adjacent to the WAN interface can typically still route inside (depends on topology of the ISP).
* XSRF can be used to trigger scans through a user browser.
* Similar attacks can be done against other protocols such as SIP or FTP.
* Many strains of malware will automatically scan local legacy address space looking for devices.
* For many ISPs implementing CGNAT you can still scan from one customer to another
* Some NAT gateways use a "full cone" approach, so traffic can still enter from previously uncontacted hosts
* Some ALGs can be triggered to open/forward arbitrary ports

Did you ever hear of "defense in depth"?

Yes.
1) Consistent address space allowing for simple firewall rules and easier logging.
2) Firewall rules preventing access to devices
3) Huge address spaces that mean the devices would not be discovered even if there were no firewall rules
4) Multiple VLANs segregating devices from one another

Better than broken junk duct taped together with added unnecessary complexity.

With v6 you know the device is addressable, you scan it to make sure its services aren't reachable, and you have different policies per device/vlan as needed.
With legacy ip you assume the device isn't reachable, but it could become accessible in unexpected situations.

I'll admit to not being a security expert, but the descriptions of XSRF attacks all talk about tricking the user into going to the wrong site. Do IoT devices typically have users that can be tricked in this way?

XSRF leverages a user browser to target the device... There will typically be users and not just IoT devices on a given network.
For instance I'm aware that a particular (large) ISP ships routers which use the legacy address 192.168.0.1 by default, and which have a vulnerable script on their web interface which allows execution of arbitrary commands. All I need to do is get their customers to visit an HTML page which includes an IMG tag pointing to http://192.168.0.1/cgi-bin/vul... - when the browser issues a GET request there, the given command is executed as root on the device.
Actually achieving that is easy - embedded images or tags in a forum frequented by such users, emails with an embedded image tag, a site vulnerable to XSS etc.
These same devices also support IPv6, but I have no way to guess the address they will use, and the possible address space, even knowing the vendor MAC address range and EUI-64, is too large to brute force.
Most customers use the default router, in the default configuration.
If I were maliciously inclined I'm sure I could find other ISPs shipping the same devices too.

Comment Re:And with it routing tables increase in size aga (Score 1) 79

Dual stack was the migration path...
There's not much else you can do, legacy IP was never designed to be extensible so you have to replace it. Temporarily running it alongside the replacement was the best you were ever going to get.

NAT is _NOT_ a security mechanism and does not provide any protection to anything. It's a kludge to restore partial connectivity in a situation where otherwise there would be none. The added complexity actually reduces security in most cases.
If you want to protect insecure devices from network attacks you want a firewall, which is much easier to manage if you take away the overhead of NAT.

The vast majority of compromised IoT devices that form botnets today have been compromised via legacy ip. Aside from the ease of scanning the address space both locally and remotely, the small address space also makes XSRF attacks much easier - and plenty of poorly designed equipment is vulnerable to such attacks.

Comment Re:And with it routing tables increase in size aga (Score 1) 79

The reason for slow adoption is a combination of laziness, fear of progress and "it works for me, fuck everyone else" attitude of those who have large legacy allocations.

Poor hardware is poor hardware, there is lots of poor legacy hardware too.

Legacy IP is extremely harmful to developing countries: you have extra costs of address purchases and CGNAT, with a customer base that has less ability to afford high subscription fees. This is offset slightly by low expectations of the customers, who *expect* the service to be poor, so aren't surprised when CGNAT is slow and breaks some applications.

Microsoft took long enough to get onboard with MDNS because they had their own proprietary version called LLMNR which is fundamentally very similar but in typical MS fashion different enough.

There have long been third party mDNS implementations for Windows - Chrome includes one, as does most Apple software like iTunes.

But MDNS/LLMNR/DNS is not an IPv6 problem, you have similar problems with legacy IP. How do you find out what legacy address a random device has? You might be able to consult the DHCP lease database assuming you connect it to an existing network with a DHCP service, but that assumes the DHCP server has a way of displaying leases and you have access to view them. A lot of lousy ISP-supplied routers don't.
Or what if you don't have an existing network and are just using a crossover cable? No DHCP unless you run one yourself.
Sure, you could scan the legacy address space, which is gonna take you a long time if you're using 10/8, or with v6 you can query the multicast address. If it's a device that's actually designed to be discoverable it will respond to multicast and may even join its own multicast group.

It's not a huge departure from legacy ip, it's mostly just a larger address space - which was the whole point. A protocol that's actually designed for a public global network, not a small experiment within a single organisation.
Routing works the same, only now most users will get enough address space to actually do routing.
Ports work the same.
DNS works the same.
You aren't forced to deal with the overhead and complexity of NAT unless you explicitly choose to do so.
You don't have to worry about address conflicts - not just locally, but when using VPNs etc.

Comment Re:And with it routing tables increase in size aga (Score 1) 79

Poor hardware is poor hardware, nothing to do with the protocol. There are huge amounts of poor legacy hardware out there too; online forums are full of complaints about ISP-supplied routers devoid of any features.

"If you don't care about privacy"?
Link-local addresses are just that - LOCAL... They will not be seen by anyone outside of the local VLAN. Guess what's also visible within the same VLAN? That's right, the MAC address. So you could go to all the effort of generating a random link-local address, and your MAC is still disclosed to anyone that's in a position to see it anyway.

The MAC address can only be used as a tracking identifier if you connect to multiple unique networks. This is why mobile operating systems all use random MAC addresses by default these days. But you were talking about embedded devices that will typically not move. In which case the MAC address basically just gives away the manufacturer of the device, or of the networking chipset.

For an embedded device or server a predictable address is generally preferable - the MAC is usually printed on the outside of the case.

You don't need to maintain local DNS, that's what multicast DNS is for. And use of DNS applies to legacy IP too.

You don't know the device's address? You have to discover it irrespective of what protocol is in use.
You want to hard code a specific address? You can do this with either protocol.

Another advantage of link-local (and mDNS) is that your devices will still be reachable without any additional infrastructure. Legacy networks break if DHCP is missing/broken. Apple devices take advantage of this - e.g. the Apple AirPort access points are managed via link-local, which means you can configure them before you've set up DHCP *OR* you can put the device on an existing network and configure it. Other routers typically have a DHCP server enabled by default, which means you will get conflicts if you connect it to an existing network.
Apple also uses this for AWDL (used by AirDrop etc).
