Comment by stroebs
6 days ago
The problem is far more nuanced than the internet simply becoming too centralised.
I want to host my gas station network’s air machine infrastructure, and I only want people in the US to be able to access it. That simple task is literally impossible with what we have allowed the internet to become.
FWIW I love Cloudflare’s products and make use of a large amount of them, but I can’t advocate for using them in my professional job since we actually require distributed infrastructure that won’t fail globally in random ways we can’t control.
> and I only want people in the US to be able to access it. That simple task is literally impossible with what we have allowed the internet to become.
Is anyone else as confused as I am about how common anti-openness and anti-freedom comments are becoming on HN? I don’t even understand what this comment wants: Banning VPNs? Walling off the rest of the world from US internet? Strict government identity and citizenship verification of people allowed to use the internet?
It’s weird to see these comments get traction after growing up in an internet where tech comments were relentlessly pro freedom and openness on the web. Now it seems like every day I open HN and there are calls to lock things down, shut down websites, institute age (and therefore identify) verification requirements. It’s all so foreign and it feels like the vibe shift happened overnight.
> Is anyone else as confused as I am about how common anti-openness and anti-freedom comments are becoming on HN?
In this specific case I don't think it's about being anti-open? It's that a business with only physical presence in one country selling a service that is only accessible physically inside the country.... doesn't.... have any need for selling compressed air to someone who isn't like 15 minutes away from one of their gas stations?
If we're being charitable to GP, that's my read at least.
If it was a digital services company, sure. Meatspace in only one region though, is a different thing?
> In this specific case I don't think it's about being anti-open? It's that a business with only physical presence in one country selling a service that is only accessible physically inside the country.... doesn't.... have any need for selling compressed air to someone who isn't like 15 minutes away from one of their gas stations?
But that person might be physically further away at the time they want to order something or gather information etc. Maybe they are on holidays in Spain and want to access their account to pay a bill. Maybe they are in Mexico on a work trip and want to help their aunt back home to use some service for which they need to log in from abroad.
The other day I helped a neighbor (over here in Europe) prepare for a trip to Canada where he wanted to make adjustments to a car sharing account. The website always timed out. It was geofenced. I helped him set up a VPN. That illustrated how locked in this all has become, geofencing without thinking twice.
2 replies →
> In this specific case I don't think it's about being anti-open?
The anti-open part was the mention of “allowed to become”, as if we needed to disallow something to achieve this unstated goal.
"only need US customers to be able to" vs "want non-US customers to be unable to"
you're being obtuse, GP clearly wants a locked down internet
> It’s all so foreign and it feels like the vibe shift happened overnight.
The cultural zeitgeist around the internet and technology has changed, unfortunately. But it definitely didn't happen overnight. I've been witnessing it happen slowly over the past 8-10 years, with it accelerating rapidly only in the last 5.
I think it's a combination of special interest groups & nation states running propaganda campaigns, both with bots and real people, and a result of the internet "growing up." Once it became a global, high-stakes platform for finance and commerce, businesses took over, and businesses are historically risk averse. Freedom and openness is no longer a virtue but a liability (for them).
> I want to host my gas station network’s air machine infrastructure, and I only want people in the US to be able to access it. That simple task is literally impossible with what we have allowed the internet to become.
That task was never simple and is unrelated to Cloudflare or AWS. The internet at a fundamental level only knows where the next hop is, not where the source or destination is. And even if it did, it would only know where the machine is, not where the person writing the code that runs on the machine is.
And that is a good thing and we should embrace it instead of giving in to some idiotic ideas from a non-technical C-suite demanding geofencing.
Genuine question - why are you spending time and effort on geofencing when you could spend it on improving your software/service?
It takes time and effort for no gain in any sensible business goal. People outside of US won't need it, bad actors will spoof their location, and it might inconvenience your real customers.
And if you want a secure communication just setup zero-trust network.
> bad actors will spoof their location
Isn't that exactly the point? Why are North Korean hackers even allowed to connect to the service, and why is spoofing location still so easy and unverifiable?
Nobody is expected to personally secure their physical location against hostile state actors. My office is not artillery proof, nor does it need to be: hostile actions against it would be an act of war and we have the military to handle those kind of things. But with cybersecurity suddenly everyone is expected to handle everyone from the script kiddie next door to the Mossad. I see the point in OPs post: perhaps it would be good if locking down were a little easier than "just setup zero-trust network".
> Why are North Korean hackers even allowed to connect to the service,
Asking why some group is “allowed” to use the internet is equivalent to demanding either strict verification or that we cut off some entire country where they reside from the entire internet.
Either that, or someone doesn’t understand basic fundamentals of networking and thinks there’s some magic solution to this problem.
A common variation of this comment is “why do we allow kids to access <insert topic here>” with demands that something be done about it. Then when something is done about it, there is shock and outrage upon realizing that you can’t filter out children without forcing identity verification upon everyone. Similar vibes here, just replace age with demographic.
1 reply →
North Korea in particular is weird because of sanctions, but pick any country in Europe instead: The user might be a past or future visitor to the gas station and need to access the system even if they're outside the US right now. Or maybe they're actually at the gas station but their phone's data is based in Europe.
Even accurate country tracking is flawed in most situations.
If the goal is specifically "is at the gas station right now" then maybe there's a gap in functionality here, but you could make them connect to the wifi.
Also country-sponsored hackers can easily get a real presence in the US. If country level geoblocking became perfect, they wouldn't be slowed down for more than a week.
you can as easily get attackers from within your own networks, you're falling for fallacy that everything on the 'inside' is secure.
2 replies →
not a sysadmin here. why wouldn't this be behind a VPN or some kind of whitelist where only confirmed IPs from the offices / gas stations have access to the infrastructure?
In practice, many gas stations have VPNs to various services, typically via multiple VPN links for redundancy. There’s no reason why this couldn’t be yet another service going over a VPN.
Gas stations didn’t stop selling gas during this outage. They have planned for a high degree of network availability for their core services. My guess is this particular station is an independent or the air pumping solution not on anyone’s high risk list.
Literally impossible? On the contrary; Geofencing is easy. I block all kind of nefarious countries on my firewall, and I don't miss them (no loss not being able to connect to/from a mafia state like Russia). Now, if I were to block FAMAG... or Cloudflare...
Yes, literally impossible. The barrier to entry for anyone on the internet to create a proxy or VPN to bypass your geofencing is significantly lower than your cost to prevent them.
I don’t even understand where this line of reasoning is going. Did you want a separate network blocked off from the world? A ban on VPNs? What are we supposed to believe could have been disallowed to make this happen?
1 reply →
Actually, the 140k Tor exit nodes, VPNs, and compromised proxy servers have been indexed.
It takes 24 minutes to compile these firewall rules, but the black-list along with tripwires have proven effective at banning game cheats. Example, dropping connections from TX with a hop-count and latency significantly different from their peers.
Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3
2 replies →
I don't understand why you want to allow any random guy anywhere in the US but not people country hopping on VPNs. For your air machine infrastructure.
It's a bit weird that you can't do this simple thing, but what's the motivation for this simple thing?
It is definitely "literally impossible" if your acceptable false positive and false negative rates are zero.
Having said that, vanishingly few companies/projects require that. For probably 99+% of websites, just using publicly available GeoIP databases to block countries will work just fine, so long as you don't pretend to yourself that North Korean or Chinese or Russian (or wherever) web users (or attackers) cannot easily get around that. And you'll also need to accept that occasionally a "local/wanted" user will end up with an IP address that gets blocked due to errors in the database.
I worked on a project a decade or so back where we needed to identify which (Australian) state a website user was in, to correctly display total driveaway prices including all state taxes/charges (stamp duty, ctp insurance, and registration) for new cars. The MaxMind GeoIP database was not all that accurate at a state or city level, especially for mobile devices with CGNATed IP addresses. We ended up with "known errors and estimates of error rates", and a way for our Javascript to detect some of the known problems (like Vodafone's national CGNAT IP addresses) and popped up a "We detected you're in NSW, and are displaying NSW pricing. Click here to change state." message where we could, and got legal signoff that we could claim "best effort" at complying with the driveway price laws. 100% compliance with the laws as-written was "literally impossible" with zero error rates.
Client side SSL certificates with embedded user account identification are trivial, and work well for publicly exposed systems where IPsec or Dynamic frame sizes are problematic (corporate networks often mangle traffic.)
Accordingly, connections from unauthorized users is effectively restricted, but is also not necessarily pigeonholed to a single point of failure.
https://www.rabbitmq.com/docs/ssl
Best of luck =3
Is Cloudflare having more outages than aws, gcp or azure? Honestly curious, I don't know the answer.
Definitely not.
I was a bit shocked when my mother called me for IT help and sent me a screenshot of a Cloudflare error page with Cloudflare being the broken link and not the server. I assumed it's a bug in the error page and told her that the server is down.
I absolutely hate companies thinking they are being smart by blocking foreign IPs from using their websites.
Every single time I want to order a burger from the local place, I have to use a VPN to fake being in the country (even though I actually am already physically here) so that it will let me give them my money.
My phone's plan is not from here, so my IP address is actually not geographically in the same place as me.