Hmm. How do you set "flood protection" thresholds when your Internet service is faster than anybody else could possibly flood you, and yet most of your LAN devices would die if they actually had to handle that many packets?
Or in the outgoing direction, what's the difference between a "flood" of outgoing packets vs. "just sending stuff at full speed?" (About 970 megabits/sec, some would say :))
This all feeds into the larger question of what happens when someone figures out how to use a super fast ISP as a DDoS source. They have so much legitimate upstream bandwidth that it's hard to tell what constitutes an attack. Ironically, since everyone else is so slow, if you're using anywhere close to a gigabit of uplink, it probably is an attack. But enforcing that as a rule would be kind of ridiculous.
This was much more interesting than I expected.
Many of my problems lately have been caused by people making exactly the same kinds of tradeoffs I would have made if I were in their place. That leads to two possible conclusions:
1) Crap, guess I need to rethink my methods.
2) Yay, finally I'm working with people who do things the way I would do them without me bugging them all the time!
#2 sounds a lot nicer, but unfortunately it has a problem, namely that, look guys, my way obviously didn't work! What were you thinking?
In which the White House outshines Canadian Politics
People who are aware of my political view template know that I try to follow a simple process, which is to try to reject low-quality arguments that resort to rhetoric and personal attacks. The result is I sometimes sound like I'm in favour of some policy or motion that I actually disagree with (or vice versa) because I tend to end up arguing about the presentation, and noting the complexity of the problem, rather than just choosing a side and joining the fray. Since I complain that you're being stupid, you assume that I think the opposite point of view is less stupid, but that's missing the point.
In short, I want to see politicians (and politically interested citizens) raising the level of discourse. Having written off American politics long ago, I'm still disappointed when Canadians resort to meaningless sludge instead of stopping to understand what's going on.
So imagine my surprise when I discovered an actual U.S. political web site with actual facts and opinions and policy statements from an actual political party, responding to questions from actual citizens in the hope of raising the level of discourse.
The web site I'm referring to is the whitehouse.gov online petition system. In short, they promise to have some senior policymaker respond to your petition, no matter how stupid, if you can get at least 25,000 people to online-sign it. (25,000 is roughly 0.008% of the population of the United States, so that seems reasonable to me to get the attention of a high-level executive.)
Note what they promise: not that they'll change anything, or that the president itself will read your message, or that the response will be useful. Just that they'll respond, and the response will come from some actual person that matters. The content of the response, well, you'll have to judge that for yourself.
(This reminds me of the rules for petitioning the Government of Canada, except doing that only needs 25 signatures instead of 25,000. On the other hand, you're only guaranteed your petition will be read in parliament, and you probably won't get any response at all, other than the hope they might be thinking about it.)
So, how does it turn out? Well, I read through a few of the responses. Apparently there are 96 existing responses, which seems like a good number to me: it means the filter is blocking out the idiotic petitions (and oh boy, idiotic ones exist) but not just silencing everybody (the total number of responses is bigger than I want to read). Moreover, they sometimes combine multiple related petitions into one response (even if each one has less than 25,000 votes) and sometimes respond to petitions with less than 25,000 even though they didn't promise to do so. That tells me real people are actually reading all the petitions and looking for input, even though they don't have to. Moreover, there are less than 40 petitions open right now with more than 25,000 votes and no responses. Since that's less than half the total responses, that suggests to me that there's simply a time delay to answer them (which I'd expect), not that they don't take it seriously. And I doubt they're just deleting petitions they don't like, since anything that managed to get 25,000 signatures would obviously generate a major internet fuss if the signees found it missing.
So yes, the 25,000 signature threshold works, the accountability works, the promises are being kept, and there are actual answers up there.
Are the answers partisan? Of course, they're written by a political party. Are they all satisfying? No, sometimes they just avoid the question and don't bother to back up their claims, like the Transportation Security Administration one. (On the other hand, the petition itself wasn't so hot either.)
But what I do see is a real effort to respond in a way that really represents what the administration believes. You might not like the TSA response, but after reading it, you know exactly what their policy is about it. There are also things like the several immigration reform responses that are ultra-clear about the policy and beliefs - while admitting that, well, you kinda came to the wrong place, because the President isn't the one who sets the immigration policy.
Even the ones with a "blame the republicans" section, like the NASA funding response, do it pretty respectfully. They say "unfortunately, not everyone is supportive" and explain some problems of the alternative policy, but they do it with a tone that encourages you to think about, and maybe talk to, your representatives to see if you can change their minds. They don't start from the assumption that the alternative viewpoint is idiotic and the only solution is to vote them the hell out. I can respect that.
Canada should have this (maybe with a different threshold). The U.S. House and Senate should have this, or at least the Democrats and the Republicans. You know what would be cool? If every party, not just the one in power, submitted a response to every petition that got 25,000 votes, to make their position clear, and we could read them side by side and decide what we believe. And if they could refrain from personal attacks and stick to the issues, like the current site does, and campaigns and TV debates generally don't.
That would be progress.
Bug report of the day: weather predictions are inaccurate.
Don't we all wish we had a workaround for that one.
Every now and then I remember my internship in fall 2000, at a startup where we were doing real-time audio and video over a multicast-like unicast protocol my friend had invented, which avoided actual multicast because actual multicast requires cooperation from all the intervening networks. My job was to write the software and firmware, including some FPGA code, for the GPS PCI card that we designed to provide the time signal. It turns out if you sync your media clock within 20 microseconds or so of GPS (this is safely within the available GPS precision), you can choose your packet boundaries based on the timestamp and guarantee that particular live digital audio samples will always be in the same spot in the same packet, even between independent/redundant packet sources ("network transmitters") that don't talk to each other. And you can reliably add sequence numbers to those packets that will be identical between transmitters. From there, it's a "simple" matter to distribute the packets over redundant network links and at each router along the way, take the first packet you receive with a given sequence number, then retransmit to your three downstream peers.
The net result is that adding redundancy reduces average latency (since you take the first match, you don't wait for voting), it virtually eliminates any need for retransmission (since 99% reliability is 1% packet loss, and across three independent network paths that makes 0.0001% loss), and only costs 3x as much as a single feed. When you're distributing live data to, say, 1000 people, 3 feeds is not expensive compared to 1000 feeds.
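To make the timestamp-driven packetization concrete, here is an added simulation (my code, not the startup's or the post author's) of two transmitters that came up at different times, never talk to each other, and still emit byte-identical packets with matching sequence numbers, plus a first-match relay and the residual-loss arithmetic from the paragraph above. The 480-samples-per-packet size, the synthetic audio signal and the loss model are assumptions for the demo.

```python
import random

SAMPLES_PER_PACKET = 480  # assumed: 10 ms at 48 kHz; the post gives no packet size

def seq_for_sample(sample_index):
    # The sequence number is a pure function of the GPS-aligned absolute
    # sample index, so independent transmitters agree on it without talking.
    return sample_index // SAMPLES_PER_PACKET

def packetize(samples, first_index):
    # Packet boundaries follow the absolute index, not where this stream
    # started; incomplete edge packets are dropped (another feed has them whole).
    packets = {}
    for offset, sample in enumerate(samples):
        packets.setdefault(seq_for_sample(first_index + offset), []).append(sample)
    return {seq: bytes(p) for seq, p in packets.items() if len(p) == SAMPLES_PER_PACKET}

class FirstMatchRelay:
    # A router hop: forward the first copy of each sequence number, drop the rest.
    def __init__(self):
        self.forwarded = {}

    def receive(self, seq, payload):
        if seq in self.forwarded:
            return False
        self.forwarded[seq] = payload
        return True

def residual_loss(per_path_loss, paths):
    # A packet is lost only if every independent path drops it.
    return per_path_loss ** paths

def simulate(total_samples=48000, per_path_loss=0.01, paths=3, seed=7):
    rng = random.Random(seed)
    audio = [(i * 7919) % 256 for i in range(total_samples)]  # constructed signal
    tx_a = packetize(audio[100:], 100)    # transmitter A started at sample 100
    tx_b = packetize(audio[1000:], 1000)  # transmitter B started later, on its own
    common = set(tx_a) & set(tx_b)
    identical = all(tx_a[s] == tx_b[s] for s in common)  # same bytes, same seq
    relay = FirstMatchRelay()
    for seq in sorted(common):
        for path in range(paths):
            src = tx_a if path % 2 == 0 else tx_b  # feeds alternate transmitters
            if rng.random() >= per_path_loss:      # simulate an independent drop
                relay.receive(seq, src[seq])
    delivered = len(relay.forwarded) / len(common)
    return identical, delivered
```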
Sadly this company was a .com victim (their primary customers, including Intel's Media business, were shut down shortly after my internship), so this technology never left the beta stage. They did okay though, moving into medical imaging distribution and storage, and eventually getting acquired by some famous storage company for lots of money.
12 years later, when I see ill-conceived proposals for how to distribute video over the internet, mostly they just make me sad.
Most thought-provoking question from the Reddit SRE AMA so far:
"What does the 'server-busy' or page look like for google.com?"
"I'm aware that 'family reasons' is usually management speak for 'I think the boss is an asshole' but I'd like to assure everyone that while I frequently think Linus is an asshole [...] I am departing quite genuinely for family reasons [...]" – Alan Cox
Whoever titled this article is, I think, trolling us. MoCA doesn't even go at a gigabit, so I can't really see how it could be driving gigabit home networking.
I have this scary feeling that Linux's swapfile management is still based around the idea of swapping out 4096-byte pages, in random order, and then swapping them in one by one as you realize you need them. With no readahead or clustering whatsoever.
ssh+2FA to all your machines, anywhere, without opening firewall ports.