stroebs (13 hours ago)
The problem is far more nuanced than the internet simply becoming too centralised. I want to host my gas station network’s air machine infrastructure, and I only want people in the US to be able to access it. That simple task is literally impossible with what we have allowed the internet to become. FWIW I love Cloudflare’s products and make use of a large amount of them, but I can’t advocate for using them in my professional job since we actually require distributed infrastructure that won’t fail globally in random ways we can’t control.
Aurornis (12 hours ago)
> and I only want people in the US to be able to access it. That simple task is literally impossible with what we have allowed the internet to become.
Is anyone else as confused as I am about how common anti-openness and anti-freedom comments are becoming on HN? I don’t even understand what this comment wants: Banning VPNs? Walling off the rest of the world from US internet? Strict government identity and citizenship verification of people allowed to use the internet? It’s weird to see these comments get traction after growing up in an internet where tech comments were relentlessly pro freedom and openness on the web. Now it seems like every day I open HN and there are calls to lock things down, shut down websites, institute age (and therefore identity) verification requirements. It’s all so foreign and it feels like the vibe shift happened overnight.
thewebguyd (20 minutes ago)
> It’s all so foreign and it feels like the vibe shift happened overnight.
The cultural zeitgeist around the internet and technology has changed, unfortunately. But it definitely didn't happen overnight. I've been witnessing it happen slowly over the past 8-10 years, with it accelerating rapidly only in the last 5. I think it's a combination of special interest groups & nation states running propaganda campaigns, both with bots and real people, and a result of the internet "growing up." Once it became a global, high-stakes platform for finance and commerce, businesses took over, and businesses are historically risk averse. Freedom and openness is no longer a virtue but a liability (for them).
dmoy (11 hours ago)
> Is anyone else as confused as I am about how common anti-openness and anti-freedom comments are becoming on HN?
In this specific case I don't think it's about being anti-open? It's that a business with only physical presence in one country selling a service that is only accessible physically inside the country.... doesn't.... have any need for selling compressed air to someone who isn't like 15 minutes away from one of their gas stations? If we're being charitable to GP, that's my read at least. If it was a digital services company, sure. Meatspace in only one region though, is a different thing?
teiferer (11 hours ago)
> In this specific case I don't think it's about being anti-open? It's that a business with only physical presence in one country selling a service that is only accessible physically inside the country.... doesn't.... have any need for selling compressed air to someone who isn't like 15 minutes away from one of their gas stations?
But that person might be physically further away at the time they want to order something or gather information etc. Maybe they are on holidays in Spain and want to access their account to pay a bill. Maybe they are in Mexico on a work trip and want to help their aunt back home to use some service for which they need to log in from abroad. The other day I helped a neighbor (over here in Europe) prepare for a trip to Canada where he wanted to make adjustments to a car sharing account. The website always timed out. It was geofenced. I helped him set up a VPN. That illustrated how locked in this all has become, geofencing without thinking twice.
dmoy (an hour ago)
I guess GP didn't provide enough info, but to me it looked like it was the underlying infra that is networked. That is, I'm assuming:
1. Customers are meatspace only, never use any computer interface
2. The network access is for administration only
3. That administration is exclusively in the US
Aurornis (3 hours ago)
> In this specific case I don't think it's about being anti-open?
The anti-open part was the mention of “allowed to become”, as if we needed to disallow something to achieve this unstated goal.
tensegrist (10 hours ago)
"only need US customers to be able to" vs "want non-US customers to be unable to"
vpribish (11 hours ago)
you're being obtuse, GP clearly wants a locked down internet
zrm (11 hours ago)
> I want to host my gas station network’s air machine infrastructure, and I only want people in the US to be able to access it. That simple task is literally impossible with what we have allowed the internet to become.
That task was never simple and is unrelated to Cloudflare or AWS. The internet at a fundamental level only knows where the next hop is, not where the source or destination is. And even if it did, it would only know where the machine is, not where the person writing the code that runs on the machine is.
teiferer (11 hours ago)
And that is a good thing and we should embrace it instead of giving in to some idiotic ideas from a non-technical C-suite demanding geofencing.
Xelbair (10 hours ago)
Genuine question - why are you spending time and effort on geofencing when you could spend it on improving your software/service? It takes time and effort for no gain in any sensible business goal. People outside of US won't need it, bad actors will spoof their location, and it might inconvenience your real customers. And if you want secure communication, just set up a zero-trust network.
WJW (7 hours ago)
> bad actors will spoof their location
Isn't that exactly the point? Why are North Korean hackers even allowed to connect to the service, and why is spoofing location still so easy and unverifiable? Nobody is expected to personally secure their physical location against hostile state actors. My office is not artillery proof, nor does it need to be: hostile actions against it would be an act of war and we have the military to handle those kinds of things. But with cybersecurity suddenly everyone is expected to handle everyone from the script kiddie next door to the Mossad. I see the point in OP's post: perhaps it would be good if locking down were a little easier than "just set up a zero-trust network".
Aurornis (3 hours ago)
> Why are North Korean hackers even allowed to connect to the service,
Asking why some group is “allowed” to use the internet is equivalent to demanding either strict verification or that we cut off some entire country where they reside from the entire internet. Either that, or someone doesn’t understand basic fundamentals of networking and thinks there’s some magic solution to this problem. A common variation of this comment is “why do we allow kids to access <insert topic here>” with demands that something be done about it. Then when something is done about it, there is shock and outrage upon realizing that you can’t filter out children without forcing identity verification upon everyone. Similar vibes here, just replace age with demographic.
WJW (2 hours ago)
It wouldn't surprise me at all if mandatory online ID verification will become a thing within the next century or so.
Xelbair (5 hours ago)
you can as easily get attackers from within your own networks, you're falling for the fallacy that everything on the 'inside' is secure.
WJW (2 hours ago)
Just because one group of attackers is (/might be) inside your network doesn't mean you also have to let all other groups in. There is zero reason to let (say) North Koreans interact with your gas pump API, other than that the internet is set up so that it is virtually impossible to prevent unfriendly parties from contacting your servers.
Fnoord (13 hours ago)
Literally impossible? On the contrary; geofencing is easy. I block all kinds of nefarious countries on my firewall, and I don't miss them (no loss not being able to connect to/from a mafia state like Russia). Now, if I were to block FAMAG... or Cloudflare...
stroebs (12 hours ago)
Yes, literally impossible. The barrier to entry for anyone on the internet to create a proxy or VPN to bypass your geofencing is significantly lower than your cost to prevent them.
Aurornis (12 hours ago)
I don’t even understand where this line of reasoning is going. Did you want a separate network blocked off from the world? A ban on VPNs? What are we supposed to believe could have been disallowed to make this happen?
Dylan16807 (11 hours ago)
I don't understand why you want to allow any random guy anywhere in the US but not people country hopping on VPNs. For your air machine infrastructure. It's a bit weird that you can't do this simple thing, but what's the motivation for this simple thing?
Joel_Mckay (11 hours ago)
Actually, the 140k Tor exit nodes, VPNs, and compromised proxy servers have been indexed. It takes 24 minutes to compile these firewall rules, but the black-list along with tripwires have proven effective at banning game cheats. For example, dropping connections from TX with a hop-count and latency significantly different from their peers. Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3
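The two mechanisms in the comment above (a reputation blocklist with an allowlist that wins, and a tripwire that flags connections whose hop count does not match peers from the same region), written out as an added example in Go. This is not Joel_Mckay's code or anyone's production firewall rules. The prefixes (RFC 5737 documentation ranges), peer hop counts and observed TTLs are constructed sample data; the initial-TTL guesses (64 for Linux/BSD/macOS, 128 for Windows, 255 for many routers) and the tolerance of 5 hops are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Policy is an IP-reputation policy: the allowlist (our own offices, monitoring
// hosts) is checked first and overrides the blocklist (cloud ranges, exit nodes,
// open proxies); addresses matching neither go on to per-connection checks.
type Policy struct {
	Allow []netip.Prefix
	Block []netip.Prefix
}

// mustPrefixes parses CIDRs and panics on a typo, which is the right behaviour
// for a static rule set loaded at startup.
func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// Classify returns "allow", "block" or "inspect" for a source address.
func (p Policy) Classify(addr netip.Addr) string {
	for _, pfx := range p.Allow {
		if pfx.Contains(addr) {
			return "allow"
		}
	}
	for _, pfx := range p.Block {
		if pfx.Contains(addr) {
			return "block"
		}
	}
	return "inspect"
}

// HopsFromTTL estimates the number of routers crossed from the TTL seen on the
// wire, assuming the sender started at 64, 128 or 255 (assumed initial values).
// A VPN terminator or proxy re-originates packets, so the value describes the
// last hop that rewrote the header, not the real client. Invalid TTLs give -1.
func HopsFromTTL(ttl int) int {
	if ttl < 1 || ttl > 255 {
		return -1
	}
	for _, initial := range []int{64, 128, 255} {
		if ttl <= initial {
			return initial - ttl
		}
	}
	return -1
}

// HopOutlier reports whether hops is more than tolerance away from the median
// hop count of peers that claim the same region. No peers means no baseline.
func HopOutlier(hops int, peers []int, tolerance int) bool {
	if hops < 0 || len(peers) == 0 {
		return false
	}
	s := append([]int(nil), peers...)
	sort.Ints(s)
	n := len(s)
	median := s[n/2]
	if n%2 == 0 {
		median = (s[n/2-1] + s[n/2]) / 2
	}
	diff := hops - median
	if diff < 0 {
		diff = -diff
	}
	return diff > tolerance
}

// samplePolicy is constructed data: the /25 inside the allowed /24 shows that
// the allowlist wins even when a blocklisted range overlaps it.
func samplePolicy() Policy {
	return Policy{
		Allow: mustPrefixes("203.0.113.0/24"),
		Block: mustPrefixes("198.51.100.0/24", "203.0.113.0/25"),
	}
}

func main() {
	p := samplePolicy()
	texPeers := []int{10, 11, 12, 11, 10} // constructed: hop counts of known-good Texas clients
	for _, c := range []struct{ ip string; ttl int }{{"203.0.113.10", 54}, {"198.51.100.7", 54}, {"192.0.2.5", 54}, {"192.0.2.6", 100}} {
		hops := HopsFromTTL(c.ttl)
		fmt.Printf("%-13s verdict=%-7s hops=%2d outlier=%v\n",
			c.ip, p.Classify(netip.MustParseAddr(c.ip)), hops, HopOutlier(hops, texPeers, 5))
	}
}
```

The hop-count check is a tripwire, not an authenticator: a relay that sits in the same metro as the peers looks normal, and a legitimate customer behind carrier-grade NAT or an unusual transit path looks like an outlier, so feed it into a score or a challenge rather than dropping on it alone. Latency can be compared against the same peer baseline in exactly the same way.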
asimovDev (11 hours ago)
Not a sysadmin here. Why wouldn't this be behind a VPN or some kind of whitelist where only confirmed IPs from the offices / gas stations have access to the infrastructure?
yardstick (11 hours ago)
In practice, many gas stations have VPNs to various services, typically via multiple VPN links for redundancy. There’s no reason why this couldn’t be yet another service going over a VPN. Gas stations didn’t stop selling gas during this outage. They have planned for a high degree of network availability for their core services. My guess is this particular station is an independent, or the air pumping solution is not on anyone’s high risk list.
notepad0x90 (10 hours ago)
Is Cloudflare having more outages than aws, gcp or azure? Honestly curious, I don't know the answer.
nananana9 (10 hours ago)
Definitely not. I was a bit shocked when my mother called me for IT help and sent me a screenshot of a Cloudflare error page with Cloudflare being the broken link and not the server. I assumed it's a bug in the error page and told her that the server is down.
Joel_Mckay (11 hours ago)
Client-side SSL certificates with embedded user account identification are trivial, and work well for publicly exposed systems where IPsec or dynamic frame sizes are problematic (corporate networks often mangle traffic.) Accordingly, connections from unauthorized users are effectively restricted, but are also not necessarily pigeonholed to a single point of failure. https://www.rabbitmq.com/docs/ssl Best of luck =3