Posts by Vic

Re: And who told you I want to be measured?

On your router, and on Windows. Both of those will block inbound connections on v6 by default.

Not on my router,. And I don't have any Windows machines.

But if you're running any services on those machines - e.g. RDP - can you be sure those connections will be blocked? That requires an understanding of the firewall rules - which means additional knowledge over and above what is required to run a NAT router.

Consider what happens if your router gets a packet on its WAN interface with, say, 192.168.1.20 as the destination address. What will it do with it? You can't say the packet has nowhere to go, because it certainly does -- it can go to 192.168.1.20. And that's exactly where it'll go if the router doesn't have a firewall configured to drop the packet.

Have you actually tried this? Because when I did, it was only true for some real shit routers. Now I've not done the experiment for a while, but I actually do doubt your assertion here. And if my ISP is sending bogons, both he and I have got bigger problems.

If you don't believe me, feel free to try it.

I no longer work for an ISP, so I can't.

NAT is no easier or harder to set up than a firewall is

Of course it is. Plug in router, stuff works. Incoming packets are dropped/rejected until such time as a connection is established, at which time they become accepted.

Now try doing that with a simple firewall - changing the rule from DROP to ACCEPT on the basis of the state of outgoing packets. It's possible, but it;s not easy.

If you can't manage one of those then you can't manage the other.

That's simply untrue. There are millions of people in the world doing just fine with NAT. It provides all the protection they seek. Taking that away from them means they have to learn to program a firewall - now you might claim that it's "two rules which you copy/paste from a website", but the vast bulk of these users couldn't even get a text editor to change the correct file. That's the reality of users. And even if you are capable of this, that doesn't mean you are in the majority.

And that's before we go anywhere near whether or not the website has got it right in the first pace; the number of times I've seen someone post a "fix" for a problem that ends up being chmod 777 doesn't bear repeating.

The problem with NAT is that actually running a network with NAT is harder than running one without it, because translating addresses mid-flight is an extra layer of unnecessary complexity to deal with.

It isn't harder, as you can tell by the number of people doing it without even knowing that they are. And if you're doing anything about that translation, you either work for a network appliance vendor or you're doing it wrong.

I run networks that don't use any NAT at all and I still have to deal with NAT (when I help other people or when I write -- or use -- software that's affected by it).

I run networks that do use NAT, and I don't have to deal with it - it just works. If I'm writing software that has to deal with NAT, I just use STUN to cope with it. Stuntman, for example, gives you everything you need.

Vic.

Re: How much is a IPv4 address worth

how about because most large ISPs are run by complete sh**s

Fair point.

Given that some ISPs will not give a static IPv4 address, and others will only do it if you pay extra for a business connection AND also charge you extra rent for the address - I see no reason they won't do exactly the same with IPv6.

Given the scarcity of IPv4 addresses, there are *some* grounds for this - although I agree that many ISPs just gouge such customers because they can. But with IPv6, it actually requires more effort on their behalf to allocate dynamically than to do so statically.

Needless to say, I'm with an ISP that costs more, but doesn't do this sort of stuff.

Likewise. AAISP have done a fantastic job for me...

Vic.

Re: NAT and firewalling and stuff

Guess why many PC games DO support it?

Well if they do support it, then there's no problem. NAT won't get in the way.

Not AN internet. THE Internet (proper noun)

The Internet is one instance of an internet, and follows all the same principles. That's like saying "THE Cat (proper noun)" when someone has described the features of a cat.

yes that was one of the basic goals: to be able to connect anyone to anyone

Perhaps you'd like to provide a reference for that statement, since it's never been true to my recollection.

Oh? What about carrier-grade NAT? That's definitely NOT the user's choice and prevents the user from choosing to be visible because it's hard to STUN or otherwise route through a carrier-grade NAT, and doubly so if BOTH ends are NAT-ed.

What about carrier-grade NAT? It's trivial to STUN through it. I've done it regularly. And both ends are frequently NATted when you're using STUN. This is an everyday occurrence. Your objection makes as much sense as someone saying "Oh? And what about if someone's using 110V to power their PC?"; it's a total irrelevance.

Vic.

Re: And who told you I want to be measured?

I could easily rephrase this to "the majority of people want to be capable of accepting inbound connections in at least some circumstances", and for that we're going to need v6. v4 just isn't going to cut it.

This is simply incorrect. Incoming TCP connections might need some assistance in the event of CGNAT, but UDP doesn't. And if you're looking for the sort of isochronous connections that end-users might generally want - games, VoIP, that sort of thing - then UDP is going to be what you're after. If you want to set up web or mail servers, CGNAT probably isn't for you. But how many of us want to run web or mail servers and don't know how to work around CGNAT?

Behind CGNAT? If not then I suspect that'll be a nasty surprise for you when it happens.

Effectively, yes. My second tier of NAT - which I put on place - gives me the same effect. My first tier probably does - but as I didn't build that, I can't actually be certain without a load of work that I cannot be arsed to do.

And yet - it still works.

Indeed - the only time I've had difficulty with such setups is when the router tries to do something clever; a colleague of mine from years ago use to love putting Juniper kit anywhere he could. I soon found that the best way to use this was to turn off every ALG it offered; they were all crap. Running STUN sorted the problem every single time.

Also... I'm doing this too, on v4. I know it's possible. But I'm also doing it on v6, and I can tell you that it's just easier on v6.

Well, I can install SIP phones on an IPv4 network without a firewall, and they just work. If I install them on an IPv6 network, I must have a firewall to prevent the administration interfaces being visible to the Internet at large. I fail to see how this is "easier".

NAT doesn't seem hard until you get rid of it, and suddenly you realize how much of a pain it really was.

I can't agree with you. I run NAT on my IPv4 network, and not on my IPv6 networks. The IPv4 network takes much less thinking about.

And partly because there's no other choice

Nonsense. There are numerous application that run over IPv4 - there's VoIP that I've already mentioned, or there's BitTorrent, for example. Or any other P2P app - the original Skype? There are choices. They work. Game vendors are not eschewing this technology because it doesn't work, they are preventing it because it doesn't pay.

Do you want it to be _possible_ for a company to release something that isn't trivial to spy on, or not?

That's FUD. The visibility of your data to an attacker is entirely unrelated to the transport mechanism chosen.

Not every company wants all your info (just most), but none of them will have any choice if everybody is behind CGNAT.

No. That's just bollocks. CGNAT does not preclude TLS. Nor, indeed, does it make any difference in either direction to the snoopability of plaintext.

Adding two bytes is exactly as hard as adding 12 bytes.

In protocol terms, yes. In human terms, no. Any time you have to get humans to modify their behaviour in any significant way in order to accommodate a computer, you've almost certainly screwed up.

If you're going to add bytes, you may as well add enough bytes that you don't need to go "whoops, we didn't add enough, we need to go through all that again" later on.

A 64-bit address space with a MAU of /16 would give you individual prefixes for nearly 3x10¹⁴ users, with 65K addresses for each. Given that this planet really can't support 10¹⁰ people, and that no individual is going to be able to maintain 65K devices, that would have been enough until approximately the time we've colonised 10,000 other worlds. I can't see that happening before Christmas, if I'm honest.

Okay, for starters: DNS. It's awesome and it's been around for years now and it makes your life a lot easier; I really suggest you read up on it.

Until it breaks. Some of us make a living fixing stuff like that; having memorable addresses really does make life easier. Holding more than four numbers in memory at any time is actually quite difficult for dyslexics like myself. Now I know this is my problem, but just claiming "DNS makes it go away" entirely ignores the situation where DNS has gone down. And DNS does go down...

For seconds: why did you pick such an awkward v6 address? If you needed to remember this address you should've picked something easier to remember, like 3ffe:1900:4545:3::2 (read that as "address 2 on subnet 3").

For starters, that's all very well if you know the prefix. But the prefix is the bit that will need memorising; most public addresses are likely to be on low subnet/address pairs, but the prefix is going to be utterly unpredictable. For a MAU, it's a 64-bit number with no memorable cues.

So we all know that Google runs a DNS server on 8.8.8.8. But if you want to do that over IPv6, it's on 2001:4860:4860::8888. They've clearly worked hard to get the repetition into that prefix, but that's still not a number I can carry in my head.

[Of forging local network addresses]

I do like to point out that this isn't completely true: your ISP (or anyone who can strongarm them) can connect to you even if you're behind a NATing router, unless you prevent them with a firewall.

It's quite a few years since I worked for an ISP, but when I did, our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers. I cannot tell you whether or not that is still the case.

You are free to do this to yourself. I accept your right to make your own life more annoying than it needs to be for no real benefit. Just don't force it on anybody else.

That last is the only thing that actually needs saying; there are many people for whom NAT is a really useful thing. With IPv6, no-one is forced to use NAT, but similarly, no-one should be prevented from using it either. If the High Priests would stop telling us we can't use NAT, most of the objections would disappear...

IPv6 does _not_ take this perimeter away.

Yeah, it does unless you do something to replace the perimeter. A NAT router in front of an RC1918-based LAN gives you a default DENY configuration. An IPv6 router gives you a default ACCEPT. To get the perimeter afforded by the first, you need to add a stateful firewall, which is another piece of equipment that needs maintenance. This is an increase in complexity, which might well be a show-stopper for those not versed in networking.

This is backwards. NAT is the tricky thing to understand; things are a lot easier without it.

It really isn't. NAT might be tricky to understand if you're trying to program it, but the vast majority of users never do that. They just use it, and it just works. If you want them to use firewalls in addition to what they've done before, that's a bunch of new learning they have to do. Now you and I might not think that a big deal - but for substantially all[1] Internet users, that's a huge amount of work that will never happen.

Note that I'm basing this on actual experience, not fear of the unknown like most other people in this thread.

As am I. I am a networking professional and I run both IPv4 and IPv6. But I also have a fair bit of contact with "home users", for whom the transition to IPv6 without NAT will be a total nightmare. Now I could make quite a bit of cash out of that - but I'd rather see standards working for users, rather than the reverse. That will transition us to IPv6 more rapidly, with fewer catastrophes along the way. And the single biggest thing we need to happen is for IPv6 proponents to stop trying to prevent NAT; it's not going to harm you, no-one is going to force it on you, and it will make many people's lives much easier.

Vic.

[1] I was going to write "the vast majority" or somesuch, but it is so close to "everyone" as to make no difference.

Re: And who told you I want to be measured?

And now, hopefully, you see what I mean by "the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make"

No - your statement is simply incorrect. What NAT is doing, per your example, is allowing multiple devices to share a single external address. That's a good thing, and it means that being able to make outgoing connections is orthogonal to the firewall permitting it.

Where the NAT situation scores is that any other connection attempt - i.e. an unsolicited inbound connection - simply has nowhere to go. And that is why NAT is such a nice setup for people who don't know about networking - which is most people.

I have no problem at all with people who want to run IPv6 without NAT. That's just dandy, and will work for everyone who knows what they're doing. I have a real problem with people who want to force everyone not to use NAT; it works perfectly well for IPv6, it provides an easy setup for those that don't know how to maintain a firewall, and it is entirely transparent to everyone else.

Vic.

Re: NAT and firewalling and stuff

The NAT records this and maintains the relationship for as long as the connection is open. Once it closes, the relationship is removed. Now, this usually only works for stateful TCP-based connections (UDP doesn't work this way so requires something cleverer to deal with it) and only if the connection is initiated from the inside

STUN passes through NAT very easily. It only requires that both endpoints know about each other and are happy to cooperate. This is a very easy way to get a zero-configuration UDP service set up...

Gamers have one of two options. They can either open ports (solution 2) or use solution 1 to establish a bridge connection to a point outside.

Well, if their games were to want to support it, they could also STUN their way through, just the same as we telephony types do. But that would mean that the gamers wouldn't need the games comany's services, and that means a reduction in revenue. Guess why those games don't support it...

the spirit of the Internet is that any connected device should be reachable by any other device if it wishes to

No, I don't think that's true. Any internet is a "network of networks"; the interaction between those networks is at the discretion of the network owners, not the endpoints.

What some are wondering, though, is if the "automatic" shielding can't be achieved simply by offering a firewall with something like a "drop incoming by default, allow outgoing by default" ruleset.

You'd need something a little more complex than that; you'd need to open those incoming ports in response to outgoing operations. Or just run NAT and forget all about it.

We all know that IPv6 doesn't require NAT in the way that IPv4 now does; but the opposition to people using it if they want to is simply irrational. It solves a problem for some people, and doesn't impinge upon anyone else except those that believe they have a right to unfettered access to everyone else's devices.

Vic.

Re: And who told you I want to be measured?

There is no downside to v6

There is no downside to v6 if you understand networking. If you don't, Internet use will become much trickier.

Vic.

Re: How much is a IPv4 address worth

you will likely get a dynamic /56

Why?

IPv6 gives 2⁶⁴ MAUs, which is enough for one each for up to 1.8x10¹⁹ people. Each MAU gives you 1.8x10¹⁹ addresses, which is more that I'm likely to need this week.

So the only reason to have more than a /64 is if you're sub-allocating (which most people won't be), and there are more than enough MAUs to have a static allocation.

I would expect the standard allocation to be a static /64; is there reason to suspect something else?

Vic.

Re: Genuine query

are there genuine tools (pen test i suppose) that i could use to test that my home setup is secure/insecure, from a WAN perspective?

Go to grc.com, fight your way through the adverts for his other products, and look for "Shields Up". This will scan your WAN address.

Take everything else you find there with a pinch of salt; Steve Gibson is one of those people who knows quite a bit about some things, is massively deluded about others, and it's often hard to tell which is which.,..

Vic.

Re: The mythical NAT router firewall

NAT, router and firewall are three different functions.

Yes.

They're often found in the same box, but they are separate.

Yes.

It isn't NAT that blocks incoming crap. It's the firewall function

No.

It is NAT that provides the first line of defence; if there is no port forwarding defined, then an unsolicited connection simply cannot be forwarded, as the NAT router has no idea what to do with that packet. This is how the vast majority of Internet users have their networks configured.

Firewalls give you a furtherl ine of defence - and a more effective one as well. But they require far more knowledge to maintain, and the majoprity of users simply do not have that knowledge.

Until you acknowledge that it is NAT that is shielding most users and not a firewall, you will not understand the objections raised against you. And nor will you get buy-in from users that don't want to have to learn about firewall configuration just to keep doing what they are currently doing.

Now it's up to you whether or not you want to continue patronising those who disagree with you, but there is an important point here that you simply haven't understood. Where you go with that is entirely up to you.

Vic.

Re: And who told you I want to be measured?

NAT is not a security measure

Yes it is.

Millions of users around the world have their ports shielded by a NAT router that does not know how to route unsolicited connection requests. I don't care how many times you tell me it doesn't provide any security - it fucking does. There are better ways of doing the job, but that doesn't meant the technique has no merit.

A standard firewall rules base is more than effective enough on its own, irrespective of the version of IP passing through it.

It ids, but only if you have someone capable of maintaining those rules. Without that knowledge, you either have a user largely disconnected form the Internet, or you have a bunch of open ports (perhaps all of them) that should not be so exposed. And the number of people on the Internet who cannot maintain a set of firewall rules is orders of magnitude higher than the number who can.

Removing NAT is also quicker as there is one less layer of translation to have to go through.

Who cares? Dealing wih NAT might have been a problem 15 years ago, but it isn't any more. We plug boxes in and they work. That;s all that matters.

Vic.

Re: I don't want to be measured!

Imagine a version of Skype where the calls go directly to the other party, rather than through a Microsoft server

What, like SIP?

I've been using that for years. My wired phones trivially get through my NAT router to make this work. My wireless phones have to go through two layers of NAT. And yet it just works...

Vic.

Re: And who told you I want to be measured?

My understanding is that V6 allows a version of the LAN address to get out as the return address for the connection

Each device will have several addresses - e.g. one for link-local work, and another for Internet connection. The latter is the one that will be seen by external servers.

So the manufacturer can be detected

No. The MAC address is *one way* to form link-local addresses, but it is not mandatory to use that method. And the link-local address does not leave the LAN.

the number of different addresses used from my subnet gives an indication as to how many devices I have

Technically, yes, I suppose. But there's no need for addresses to be allocated sequentially - indeed, for privacy reasons, that's unlikely to be the case. Enumerating your devices is going to be very difficult.

Vic.

Re: @Novex

my IPv6 address is an /128 one.

The Minimum Allocation Unit for IPv6 is a /64; it's not standard-compliant to allocate any less.

That's probably why you've got no IPv6 on the inside; it's not a valid network configuration.

Vic.

Re: And who told you I want to be measured?

Oh good grief. v6 "high priest" here

And therein lies your disconnect with those who disagree with you: you understand the networking concepts. You need to consider the position of those who have no idea what an IP protocol is - neither v4 nor v6. That's most of the Internet users in the world, buy a significant margin.

There is absolutely no reason to make things difficult for people who do need inbound connections.

Yes there is. The majority of users do not want inbound connections - or when they do, they want those connections very carefully controlled. At present, with IPv4, they've got that; the default is for connections to be denied, with explicit work required to enable them. Moving to an IPv6 stack without further work reverses that - connections are enabled by default, with work required to disable them. That's not what most users want.

everything _has_ to talk to the cloud because peer-to-peer communication is so difficult on v4 with all the NAT

So the High Priests keep telling me. And yet, here I am, running peer-to-peer communication through at least one layer of NAT (two for my wireless devices). And the only work *I* did to get that working was to set up the second layer of NAT; most users wouldn't want my network topology.

That's why all the IoT stuff ends up bouncing through a server owned by the company.

It isn't. That's partly because it's the zero-configuration option, and partly because it's how the IoT companies monetise their marks.

Most people with v6 see about 30-60% of their traffic go over v6.

That's going to depend on what you're doing. I've seen negligible traffic over IPv6. I might even take it down.

As a side note: ugh Sixxs and their "ban you for anything" attitude

With you on that. Having to earn reputation to get anywhere (so it's some while before you can get an allocation) meant that my first tunnel was through Hurricane (who were much more helpful). Having to trade that reputation to change my tunnel IP address when I changed ISP. And now they won't even offer allocations. Looks like they actually *want* to become irrelevant...

Even when stuff does work, it's because the software author has spent time dealing with NAT-related issues

Not really. Very little of that sort of code is written from scratch any more - there are many code fragments and examples freely available. It's a solved problem.

NAT traversal often involves running a server to bounce through, which costs money to run (which could otherwise be funneled into more development work on the software) and also is a nice easy place to monitor whatever you're doing with the software.

Running a STUN server is a trivial matter; there's hardly any cost involved. And there are many already available at no cost, as it's such a trivial addition to add to an already-running server.

But it's not going to monitor what you're doing because there's no application data in it; all STUN gives you is your external IP address and your NAT type. And that's all you need.

NAT is one of the reasons that games often don't let you run your own dedicated servers any more.

It really isn't. Those servers are the subscription revenue stream for the games company. They represent real money. That's why you can't run your own any more.

This is actually exactly the opposite of what NAT does; it inherently decreases your security, because the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make

That's incorrect. You are perfectly able to make outgoing connections on a non-NATted connection as well; it is the firewall that prevents such outgoing traffic - and setting up a firewall for a NATted IPv4 connection is just the same as for a non-NATted IPv6 connection.

And that's the crux of the problem: moving to IPv6 means that end-users are going to *have* to be able to configure firewalls, or else they default to wide-open. And the vast bulk of the world's Internet users are not capable of that.

Vic.

Re: And who told you I want to be measured?

If the industry wants me to adopt IPv6, then give me a translation router that: allows my v4 network to work internally

That's not completely possible, although at present most of it will work.

The IPv4 address space is entirely mapped within the IPv6 space, so you could exchange data with any machine in IPv4 space over an IPv6 connection. But as time goes by, more and more systems will take up residency in IPv6 addresses that simply cannot be mapped into IPv4.

That's quite a way away. Most of the IPv6-only services at present are set up by IPv6 proponents who want to offer differentiated services.

Vic.

Re: OK it looks small to radar

Try getting a field howitzer within 20k of it. Betcha can't.

Time to rebuild M1?

Vic.

Re: This sounds a bit odd.

The drogue parachute (the only part of the ejector seat relevant to this discussion) fires after the seat starts descending.

No, that's not true.

The seat is lifted from the airframe either by cannon (old-style seat) or rocket (new style, somewhat easier on the pilot). As it lifts, there are two straps (extendible rod-type things) between the seat and the airframe; as they reach full extension, one triggers the barostat to start the chute deployment sequence, and the other fires a rocket which deploys the drogue chute from the headrest.

A cable from the drogue ends in a shackle which is held in a pincer arrangement at the top of the seat. This allows the seat to be suspended from the drogue alone. Once the barostat finishes, the seat chassis is released from the harness (and falls away), and the pincer is released, allowing the drogue to pull out the main parachute.

Any earlier and the seat would just tangle with the drogue before it opened

No. The drogue is fired from the seat (and after the seat has already started moving), and is rocket-powered.

The extra lift given by the rocket assist is to get the seat occupant up to parachute height

Not so. The rocket ejection system is used to spread the total impulse over a longer time period, leading to lower forces acting on the pilot. This makes life easier for the pilot. But the old-style cannon ejectors could get the pilot plenty high enough - just with a risk of damage.

Vic.

Re: Is there any other type?

If you are aware of an aircraft which might summarily eject its occupant(s) please give a link. I would be really interested in reading up on it.

The first aircraft I found with command ejection is the F-14. I'm sure there are others...

Vic.

Re: Handling the G's

there is a significant maneuverability downside to having an additional half tonne of mass right at the sharp end of the aircraft

Ejection seats aren't anything like that heavy. You can pick one up on your own quite easily.

Vic.

Re: Handling the G's

Which is more important, the fact that they are women or the fact that they are shorter ?

Shorter.

The pressure difference between the heart and the head is a multiple of the density of the blood, the current acceleration, and the height. The first is pretty much constant, the second is the acceleration we're talking about, and the third is down to the dimensions of the pilot.

The brain requires a certain pressure to maintain consciousness; the smaller the distance from the heart, the less pressure that heart is required to develop. Thus smaller pliots are more able to handle high-g situations.

Vic.

Re: minimum weight

They probably used a very, very simple fault impervious and time proven system like a burning fuse lit by the initial ejection charge

They don't. They use a barostat. This contains a clockwork timer and a diaphragm pressure switch. Deployment is delayed until the timer has expired - so that the seat is clear of the airframe - and until the pressure is high enough. If the pressure is too low, then the seat might be too high, or else it is travelling too fast. In either case, it sits under the drogue until it reaches the correct height & speed, and then a clamp is released which allows the drogue chute cable to pull the main parachute out.

It's quite ingenious really.

Vic.

Re: minimum weight

I have, enough to know I'd never want to do it unless there's no other choice.

I was reading an article a while back about that way of thinking; apparently, there is a real problem with civilians flying ex-military aircraft in that they really don't want to eject.

A substantial proportion of pilots who eject spend the rest of their careers flying desks thanks to spinal damage.

I think that might have been true for very early seats, but that was a long time ago. There's been lots of development on ejection seats.

The fact that this is related to the mass of the helmet indicates that this is related to the compression forces generated on cervical vertebrae when the eject rocket fires.

It;s the pilot's mass that is important. To my mind, that implies it's the deceleration on deployment that causes the problem.

Ejector seats clamp the pilot's head to the seat back during eject specifically to ensure that forces are vertical and to prevent whiplash injuries when the chutes open.

Errr - you sure about that? Because none of the seats I've played with do that...

Vic.

Re: minimum weight

But delaying the parachute opening allows the seat to slow down a little??? What laws of physics are in operation here?

The seat has a two-stage parachute system: as the seat leaves the airframe, a rocket is fired from the top which putts a drogue chute out.The main chute is delayed by a fixed time delay and an air pressure switch (the barostat), preventing the chute from deploying if the seat is too high or travelling too fast.

Prior to the main chute being deployed, the drogue slows the descent of the seat. Once the barostat has fired, it then pulls the main chute out.

Also, bodies of different masses fall with the same acceleration. Some old Italian dude is credited with that one. So what difference does the pilot's weight make?

By the time the main chute deploys, the seat frame has been thrown away, and only the pilot's weight remains in the harness. The force exerted by the parachute is going to be pretty much constant for a given descent speed, and the resulting acceleration is given by Newton's second law. The heavier the pilot, the lower the deceleration.

Vic.

Re: In the UK...

Trafficators?

How old are you, exactly?

I used to have an A30 with trafficators...

Vic.

So self-driving cars don't get stuck in traffic like ordinary cars?

Most traffic jams are caused by people doing unbelievably selfish things. Like slowing down to look at a crash on the side of the road. Or fighting to make sure you get into the merge before the guy in the other lane, despite it being his turn if you were to apply "merge in turn" rules.

By doing away with such petty behaviour, traffic jams will be significantly reduced.

Vic.

Re: Laser please...

ink doesn't run if it gets wet (as I use printed maps outdoors, that's important).

I use a laminator. I can print out tables for a specific dive plan and take them underwater with me.

So far, none of them have leaked...

Vic.

Re: Powering up in the right order

The problem with this is that it is an incredibly complex problem to solve (you have to define all of the hardware and software dependencies in order to allow the systems to restart in the correct order)

It's not *that* complex; I've done it a number of times. Puppet is my tool of choice.

The tricky bit is coping with failure - and importantly, what happens when your primary machine for a particular service takes so long to boot that the secondary has already started doing the job. These things take a bit of thinking about...

The trick, as ever, is to keep everything as simple as possible. And no simpler.

Vic.

Re: At least make sure your contract include TOIL

i asked for a clause about inventions to be removed

I had to get a clause removed when I went contracting a few years back.

They offered me their "standard" contract, which required that I give them the copyrights to any software I used. I told them I couldn't do that - and nor could anyone else.

What they wanted was the copyright to anything I wrote - which was completely reasonable. But the contract as worded would require me to furnish them with the copyrights to both GNU/Linux and MS Windows, since I wrote for both.

There were many contractors at this company. Apparently, I was the first ever to require a change to the contract (and I got it).

Vic.

Re: Water to 30 meters, but what about SALT water??

Then how do you do your deco calcs?

DDPlan. Written by a Gentleman of this Parish.

Vic.

Re: Water to 30 meters, but what about SALT water??

Never got the point of "diving watches" other than for posing. Get a computer, get a backup.

See, I've gone the other way; I still use my old Suunto Solution Nitrox, but bend the snot out of it on every dive[1]. I've got an HS Explorer computer, but I rarely use it; most of my dives are with my watch (an Apeks-branded thing ,but I don't know who actually made it) and my Solution...

Vic.

[1] The Solution Nitrox is a single-mix OC Nitrox computer. I dive CC, with nitrox or trimix diluents to suit. As such, the calculations performed by the computer are completely wrong - but I like the display, so I just use it as a dive timer.

Re: UPS

I think if you could lick both terminals on most car batteries, you'd be in another industry!

One of my favourite quotes from Mad Max:

"Watch the tongue, sweetheart. I've seen him lick his eyebrows clean"

:-)

Vic.

Re: UPS

Maybe you guys are at cross purposes to some degree

Sadly not. The contention is that a 12V, low internal resistance battery can drive lethal currents through a human body by touching the terminals. You, I, and pretty much everyone else knows this to be incorrect.

Vic.