Plusnet concern me because they have abolished all their IPv6 trials and rolled out CGNAT instead. It's certainly looking like they have no plans to roll out IPv6 at all.
Fairly sure there's a legal requirement for the telco to keep the phones working during a power outage.
There shouldn't be these days. Nearly everyone has a cell phone.
Which won't work when the base station is unpowered
Back here in the UK a battery backed power supply is provided. I would have thought it would be cheaper to run some copper from the exchange and provide a standard -48VDC to the building. You could even use the copper or copper coated steel as armour for your fibre.
In the UK too... I'm not sure how feasible it would be to run the fibre optic kit off a -48vdc supply that's been carried by several kilometers of wire... the equipment isn't going to be extremely low power and the resistance of the cable will not be negligible...
VDSL is sketchy though. And you left out their "line rental" charge which for some reason they leave out of their advertised price (14.50 GBP).
Well yes, ok - you have to pay for a POTS line to go with it (which is annoying - if I didn't have to pay for POTS I wouldn't bother having it; my whole home phone system runs off an Asterisk server anyway). But that's the same for all the DSL based services in the UK.
Fibre providers have an ONU (optical network unit) supplied by the mains power on the property. Unless there's some kind of requirement for power-free phones I don't know about there really is no reason to run expensive copper wires.
Fairly sure there's a legal requirement for the telco to keep the phones working during a power outage. Certainly do-able with fibre, but would require a UPS and regular battery servicing - probably cheaper just to run copper.
Sorry for you, Joe Blow, but you live in the wrong country: in Romania you get FTTB - Cat 5 in your house with 100Mbps for just under 12$/month. Of course, you can always go cheap and pay just under 9$/month for 50Mbps. You may start weeping now.
80Mbps vDSL is widely available in the UK.. prices below £10/month if you're willing to go with cheap crappy ISPs who are on record saying they have no interest in planning for the future (plusnet).
It's the last mile problem, and they haven't even started working on it really. New estates are being built with only FTTC and ADSL available instead of just taking the opportunity to run fibre right into each home.
BT always does the absolute minimum possible to remain slightly competitive. That's all we can ever expect.
They would never be able to run *only* fibre into the home, because they need to be able to provide power for POTS; so running fibre as well is an additional cost (this is also presumably why they still run POTS all the way back to the exchange instead of handling it at the cabinet). That said, there are a number of regions where you can get FTTP if you want.
But when will they upgrade my 4Mbps down / 256Kbps up DSL connection that I pay through the nose per month for? Cuz really, I keep reading about those marvelous link speeds but in the past 10 years, I haven't seen much of that reach the average Joe Blow internet user like me...
Whereabouts are you? Most people can get way more than that (I'm on 8Mbps down / 1MBps up; if I turned on Annex M I'd get more upstream, and if I could be bothered I could switch to FTTC (80Mbps down, 20 up) for only about a pound a month more...) Also, British internet prices aren't exactly "through the nose" - especially if your local loop is crap (if you're never going to get a decent throughput on the local loop you may as well go for a cheap ISP).
Nothing prevents you from putting a link to the binaries on your website. And if you can't afford to host a website, there are still file hosting services happy to finally get some legal files.
Also, you know, there was some malware abusing the system and downloading some files on some popular legitimate projects ( http://news.softpedia.com/news/New-TDL-Malware-Variant-Uses-Chromium-Embedded-Framework-339791.shtml ). I don't know many projects affected besides this one and I'm sure Google knows better and this move wasn't just to mess around with legitimate users and reduce the costs.
Google seems to be cutting lots of services in the name of abuse...
Google Code downloads gone because they were being abused.
XMPP federation gone because it was being used by spammers.
CalDAV gone because... well, that one just seems to be because it's open and Google wants to push everyone to their proprietary APIs instead.
I'm just waiting for them to pull the plug on email federation with Gmail and Google web search because they both get used by spammers too...
Guess what; pretty much any useful service is going to get abused - it's an ongoing battle to reduce abuse whilst keeping the service useful and if Google are going to pull the plug on everything that might be abused they may as well give up and wind up the company now... (FWIW, I see a lot of spam email originating from real gmail accounts or using gmail accounts as contact addresses for replies; also a lot of phishing emails that use Google Docs to collect responses).
Yet, litigating is expensive, and ignoring/throwing it away is cheap
Which is why individuals can't be expected to do it - this is the government's job in the interest of protecting the law abiding public.
If I got a letter with that kind of language from an entity that has a name that looks like it was spewed out by a random letter generator, I'd chuck it into the trash thinking it was a scam. Because there are TONS of scams where "companies" bill for office supplies and other services that were never received with the hopes that the recipient would just pay it.
And the fact that these scams keep happening demonstrates that there is money in it because some people fall for it. Same with spam. So the only way to stop these scammers is to actually litigate rather than just ignoring it, throwing it away and claiming it isn't a problem.
Some offices don't even bother with Ethernet cabling anymore; they just use WiFi.
I've seen it done, but I still think it's bonkers - a few tens (or more) of users hammering wifi to transfer data to/from the file server isn't sensible; especially when the users are using desktops or docked laptops. Hell, even at home I plug my laptop in to the wall network point if I'm going to shift some big files around (I have cat6 structured cabling installed throughout).
Of course the card number is on the card itself. You need it for a whole lot of things, ranging from online transactions to ordering pizza. If you can't keep the physical card secure, that's your problem.
My point is that anyone who has accepted payment from me will automatically have my name, card issuer's name and card number on file (and possibly my email address too if they were an online merchant), so claiming that I can authenticate an email purporting to come from my card issuer by checking that my name and the last 4 digits of the card number are quoted in it is patently bullshit (the vendor does not need physical access to the card to get this information - you have to give them exactly this information in order to make a transaction). Even using the bank account number, rather than the card number would be risky since this information is also available to retailers who have accepted my card.
This isn't about "keeping the physical card secure", this is about the banks making their emails actually authenticatable rather than implementing some security theatre that does nothing but give people a false sense of security.
I'm not so keen on having the bank account number on it, but it follows the same general principle - if someone has physical access to your card, they aren't going to be able to do any worse with that extra information than the card itself. Think about it - it's a debit card attached to a bank account. At least in the US, you can run a debit card as a credit card (requiring a signature instead of a PIN), and it gets processed under credit transaction fees, but it still just draws from the bank account.
Please go back and read the whole thread - none of this discussion was about making fraudulent debit/credit card transactions; this was about banks using trivially obtainable information, such as credit card numbers, post codes, etc. in an insecure attempt to allow the customer to authenticate an email, rather than using a strong cryptographic signature that the email client can verify (which, seemingly contrary to general belief on slashdot, *is* standardised in the form of S/MIME).
They aren't going to be able to access other information about the account, like the balance, online or elsewhere without detailed personal information like answers to security questions anyway, so your damage is limited to whatever they charge up in person.
This is precisely the point - they are able to access other information by virtue of phishing. The banks are sending out legitimate emails with links to web pages on domains that aren't the bank's main domain, that ask for authentication credentials and telling the recipient that it's all perfectly safe because they can authenticate the email by checking that some trivial information (last 4 digits of CC number, post code, etc.) is in it. If you want to gain access to someone's bank account, all you need to do is:
1. Obtain access to the customer database on some retailer's website (this seems to happen with reasonable frequency anyway).
2. Register a domain that looks almost-but-not-quite like a bank's domain (e.g. register mybankonline.com if you're targeting mybank.com customers).
3. Build a website on the mybankonline.com domain that looks like mybank.com's website, including authentic looking login pages that will collect a user's login details.
4. From the database obtained in (1), pick out all the email addresses, post codes and card numbers of people who have a card issued by mybank.com.
5. Send out authentic looking emails to the email addresses you found in (4), remembering to include their post code and the last 4 digits of their credit card number in the email. Include a "log in" link that points at your fake website. Remember to add some friendly information to the email along the lines of "So you know that emails we send are genuinely from us, we will always quote the last 4 digits of your account number." (*)
6. Sit back and wait for the credentials to roll in, because there is absolutely *nothing* the user could do to tell this apart from the legitimate emails the banks are sending out. You've now gained access to the accounts of rather a lot of customers.
(* This text was taken from a real legitimate email from Capital One. Other banks do similar).
Again, please go back and read the thread - you seem to be replying to a conversation that we are not having rather than the one we are...
The other two banks I deal with are regular bank accounts, so the last 4 digits are much less likely to be linked to a full account number
My "regular bank" credit and debit cards have both the Visa/Mastercard number, *and* the bank account number printed across the front of the card. I wouldn't mind betting that both numbers are encoded on the magstripe, although it's very rare for cards to be swiped these days (I'm not entirely sure what data retailers get to see during a chip&pin transaction though).
Interestingly enough, several Swiss banks do.
Swiss banks must be decidedly more clueful than British ones then. Most of the British banks seem to think that putting some easily obtainable PII in a plain text email allows you to authenticate it.
A few years ago, the Nationwide took to sending me marketing email that:
1. Came from a domain other than nationwide.co.uk.
2. Included web links to their product descriptions, but also not at nationwide.co.uk (can't remember the exact domain, probably something like nationwidebanking.co.uk or nationwideonline.co.uk - either way, something that could easily have been registered by a third party).
3. Included the first half of my post code.
4. Wasn't electronically signed.
I complained to them, pointing out that although the stuff they linked to didn't actually ask for any personal account details(*), they were basically muddying the waters when it came to people being able to identify phishing emails from legitimate emails and that they were training people to expect legitimate emails to employ exactly the same properties as phishing emails, which is obviously very bad for security. I also pointed out that it would be better for them to use a technology like S/MIME to allow the user to authenticate the email, rather than some trivially publicly available information like half a post code.
They responded - basically they couldn't understand any of my points about why what they were doing was a bad idea or why a postcode isn't suitable authentication criteria.
I escalated the complaint to the regulator. They refused to get involved.
In the end I ended up closing my Nationwide accounts - mainly because of several repeated screwups, one of which almost caused a house purchase to fall through (which they compounded by refusing to talk to me about when I was trying to sort it out); but their utter lack of clue about security certainly played a part.
Unfortunately, since that time, almost all the banks I use have started doing similar stuff. I brought this up with a friend who works in the high street banking sector (although not on the IT side) and he pointed out that the banks are generally not interested in security, they only want to limit their liability - if a bank were to sign all their emails and their key got compromised then the bank would be liable, whereas if the customer hands their details to a phisher because the bank has trained them that they should expect legitimate emails to look like phishing emails then the customer is liable.
No confidential content is ever sent via email -- users are directed to login to the (https-enabled) website to view the sensitive information. All PDFs, such as account statements, are digitally signed and timestamped by a third-party timestamping service to prove their authenticity.
I would find it very useful for banks, credit card companies, etc. to email my statements to me (encrypted and signed), as this would allow me to automate archiving of them. It seems very unlikely to happen any time soon though.
Here's a good example of bad email from a bank - in this case, Capital One, a credit card issuer, they email me monthly to say my account statement is ready for download from their website:
1. The email comes from capitaloneonline.co.uk - why not capitalone.co.uk, which is their usual domain?
2. It includes my name and the last 4 digits of my credit card number and says: "So you know that emails we send are genuinely from us, we will always quote the last 4 digits of your account number." - my name, card number and the fact that the card is issued by Capital One are going to be known by *anyone* who has accepted payment from my card. Not exactly great authentication credentials.
3. It includes an "access your account" link, which takes me to the sign-in page on the capitalone.co.uk site. At least they're using the right domain this time, but still it seems risky training people to click random links in emails and then enter their account details.
4. The email is not signed.
5. I know most people won't look at email headers, but if you do you can see the originating system is tsyseurope.com - that doesn't seem to be in any way connected with Capital One, even the whois record doesn't seem to show an obvious association.
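
The properties listed in the Capital One comment above (sender domain, link domain, missing signature, card digits quoted as proof) can be checked mechanically on the receiving side. This is an added example, not part of the original comment or any bank's code; the sample message, its sender local part, recipient, link path and body wording are constructed, and the expected domain passed to `audit` is an assumption supplied by the caller.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the notification described above; the local
# part, recipient, link path and body wording are assumptions.
SAMPLE = """\
From: Capital One <statements@capitaloneonline.co.uk>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<p>Card ending 1234. So you know that emails we send are genuinely from us,
we will always quote the last 4 digits of your account number.</p>
<a href="https://www.capitalone.co.uk/signin">Access your account</a>
"""
SMIME_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def audit(raw, expected_domain):
    """List the reasons a recipient cannot authenticate this message."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not under(sender_host, expected_domain):
        findings.append(f"sender domain {sender_host} is not {expected_domain}")
    # Structure check only: a real client must also verify the signature
    # and the certificate chain before trusting the message.
    ctype = msg.get_content_type()
    signed = (ctype == "multipart/signed" and msg.get_param("protocol") in SMIME_SIG) \
        or (ctype in SMIME_MIME and msg.get_param("smime-type") == "signed-data")
    if not signed:
        findings.append("no S/MIME signature present")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for host in sorted(set(re.findall(r"https?://([^/\s\"'<>:]+)", body))):
            if not under(host, expected_domain):
                findings.append(f"link host {host} is not {expected_domain}")
        if re.search(r"last\s+(?:4|four)\s+digits", body, re.I):
            findings.append("card digits offered as proof of origin")
    return findings
```

Calling `audit(SAMPLE, "capitalone.co.uk")` flags the sender domain, the missing signature and the quoted card digits; the sign-in link passes because it is on the expected domain.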