
Comment by WJW

5 days ago

> bad actors will spoof their location

Isn't that exactly the point? Why are North Korean hackers even allowed to connect to the service, and why is spoofing location still so easy and unverifiable?

Nobody is expected to personally secure their physical location against hostile state actors. My office is not artillery proof, nor does it need to be: hostile actions against it would be an act of war and we have the military to handle those kinds of things. But with cybersecurity suddenly everyone is expected to handle everyone from the script kiddie next door to the Mossad. I see the point in OP's post: perhaps it would be good if locking down were a little easier than "just set up zero-trust network".

> Why are North Korean hackers even allowed to connect to the service,

Asking why some group is “allowed” to use the internet is equivalent to demanding either strict verification or that we cut off some entire country where they reside from the entire internet.

Either that, or someone doesn’t understand basic fundamentals of networking and thinks there’s some magic solution to this problem.

A common variation of this comment is “why do we allow kids to access <insert topic here>” with demands that something be done about it. Then when something is done about it, there is shock and outrage upon realizing that you can’t filter out children without forcing identity verification upon everyone. Similar vibes here, just replace age with demographic.

  • It wouldn't surprise me at all if mandatory online ID verification will become a thing within the next century or so.

North Korea in particular is weird because of sanctions, but pick any country in Europe instead: The user might be a past or future visitor to the gas station and need to access the system even if they're outside the US right now. Or maybe they're actually at the gas station but their phone's data is based in Europe.

Even accurate country tracking is flawed in most situations.

If the goal is specifically "is at the gas station right now" then maybe there's a gap in functionality here, but you could make them connect to the wifi.

Also country-sponsored hackers can easily get a real presence in the US. If country level geoblocking became perfect, they wouldn't be slowed down for more than a week.

You can as easily get attackers from within your own networks; you're falling for the fallacy that everything on the 'inside' is secure.

  • Just because one group of attackers is (/might be) inside your network doesn't mean you also have to let all other groups in. There is zero reason to let (say) North Koreans interact with your gas pump API, other than that the internet is set up so that it is virtually impossible to prevent unfriendly parties from contacting your servers.

    • But you can be secure from all at the same time with similar effort, meanwhile most actual attacks that lead to damages come from inside the network?

      Extreme shortsightedness.