The problem is that you actually are spamming. Almost no one wants the junk that comes out of mailchimp. It’s just they are big and powerful enough to get their spam in inboxes rather than the spam box where it belongs.
Depends who is paying. If it’s your own project then 5 hours of your own time might not be worth that much. If someone else is paying you then both options cost money and the equation changes.
No VPS has a shared IP address. The real problem is that the pool may have been dirtied by previous customers. But once you get a clean IP you can keep it for as long as you keep the service running.
I sent emails from a VPS for years without issues. I stopped purely because Fastmail had better software and cheaper storage.
Hopefully as IPv6 takes over, the contamination effect due to some unknown party who might once have used the same IP address will become less of an issue. Although you have to wonder whether the kind of big mail service that will swing the blacklist axe first and probably not ask questions later with IPv4 addresses is just going to start blocking entire service provider ranges with IPv6 to counter that, causing the same problems for legitimate senders with new systems anyway.
Webm and webp have become pretty standard usage on the internet now. Imgur, reddit and many other major sites use it by default when support is detected. Usually when I save an image in the browser it will be webp.
Webm is one of the formats my screen recorder supports and seems to be the one my coworkers use. It’s pretty convenient since it works without having to install proprietary codecs and it even works on safari now.
Blacklisted is the specific terminology for when a website rejects certain file types. I guess in GitHub's case it would be that webm is not whitelisted since only 2 formats are permitted.
This is possible. Many users can be sharing the same IPv4 using CG-NAT. I have found that when using mobile internet, every site that uses IP bans has already banned me for a previous user's actions.
It’s incredibly irresponsible to take action against someone based on their IP address alone.
From an IT operator perspective, IPv4 bans are essentially the only recourse available for many — if not most — abuse/attack scenarios. They're unfair and unjust, but this is the price we pay for making tracing identities inaccessible to online abuse enforcement.
If you have an idea on how abusive actors behind CG-NAT can be identified and blocked without blocking the entire CG-NAT, and that idea is not morally unacceptable to the hacker community (as captchas, fingerprinting, and IP bans are), then you can make a billion dollars on that idea.
But it's been twenty years now that we've needed that idea, and I'm not holding my breath. Tech continues to insist that anonymity is more important than accountability. Our users pay the price of our insistence to this day.
> If you have an idea on how abusive actors behind CG-NAT can be identified and blocked without blocking the entire CG-NAT, and that idea is not morally unacceptable
I don't think a general solution would be required in this instance.
In this case, as I understand it, the abusive actors did the following:
1) tried to join with an abusive name
2) impersonated a student login and yelled abusive things in chat
It seems that (1) could be solved by blocking connections from any user name that is not on a whitelist of approved student names and nicknames, and (2) is most likely an issue of someone else accessing the student's login credentials, so it could potentially be mitigated by multifactor authentication.
If I understand the article correctly they didn't even have evidence his credentials were used. All they had was a shared IP address. Given that his teachers testified in his favor I have to wonder if there was some specific grudge against the kid. Alternatively they were incompetent about the IP thing from the beginning and as soon as they realized they might be wrong went into full cover-up & deny everything mode.
Keep in mind that this article was written by a reporter who was unable to talk to the district, and got all their information from a lawyer representing the kid who was suspended. The district itself is prohibited from releasing any information about the case by privacy laws, no matter what the family says or how accurate it is. The same evidence was presented to the school board in an appeal hearing, and they (granted, probably not technical people) did not find it convincing. That doesn't mean the family's lawyer is wrong, but it is worth keeping in mind as you evaluate this. We don't have the whole story here.
It's extremely likely that nobody wants to rock the boat and give an injured party evidence to be used against their employer. Their employer would almost certainly prefer to wrongly punish a student if it has a fraction of a chance at getting them out of a lawsuit.
It's also likely that there isn't a single person in a leadership position with the entire school board who is even slightly technically competent.
Next we already have precedent that IP addresses don't uniquely identify people for the purposes of law. It is incredibly likely that such an action wouldn't pass the sniff test if the IP addresses given were entirely correct.
Lastly even if he actually did try to log in with "i will murder u all of u" no reasonable person would consider this an actual threat without talking with the student. Kids are stupid, and kids say stupid things. Time and again schools fail to address the real problem children before things blow up and then use their persistent failures to justify overreaction to the detriment of students.
Wow, if only you all saw what regularly occurs in inner-city public schools.
Suspensions like these are common, especially among black boys. I saw all sorts of overly punitive nonsense, not to mention that we had to queue up for an xray + metal detector every day we went to school. Really, really felt like you weren't treated with a shred of dignity.
God, I'm sick of that comment. Far too many institutional wrongdoers hide behind "privacy laws".
If the school board knew that it had incriminating information, it could ask the family to waive its privacy rights, and then if that didn't happen, explain that, without violating any law.
The school admits to punishing this kid based primarily on his IP address. We all know this is utterly worthless. The technical details make it even clearer that this is unreliable.
Also, the teachers uniformly spoke of the kid as quiet, respectful, and studious. This should be worth far more than an IP address. It's not, because administrators consider the opinions of their own teachers to have no value.
AND, let me be blunt here!, even if the kid did do it, which I think highly unlikely, this is NOT an excuse to deprive him of an education!
---
For whatever reason, many people have this fetish for authority, even when that authority through their own words shows their unreliability.
I also think a lot of people respond positively to stories about cruelty and punishment.
I strongly suspect it was an ignorant IT person coupled with an administration determined to blame somebody. He just had the misfortune to be the first student that came up when looking for someone with that IP.
Instead of a permanent IPv4 ban consider issuing a temporary one just long enough to dissuade the aggressor from continuing their behavior. This would be just as effective, and is far less likely to impact others down the road.
Almost every time I start a new job I find a list of "blacklisted IPs" in the firewall and no one seems to know from whence they came, they've just always been there. It's a perfectly reasonable short term solution in some situations where there are few options, but like, expire them after some period of time, don't leave random IPs blocked for years.
Well, at my previous job, the company was blackholing 1.1.1.0/24 and others in the 1.0.0.0/8 subnet because that was the previous LAN. Thankfully, I have done an audit and removed this nonsense.
That's insane. I block IPs for 10 minutes to start. Not a big fan of the abuse IP databases either after I leased a server that was blacklisted before I even got it.
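A sketch of the time-limited, escalating block list the two comments above suggest (start with a short block, escalate on repeat offences, never leave an address blocked forever), as an added example that is not code from any commenter; the durations, the strike memory window and the sample addresses are constructed assumptions.

```python
"""Temporary, escalating IP blocks with automatic expiry (added example).

Durations, the strike-memory window and the addresses used in the
demonstration are constructed for illustration, not taken from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Escalation ladder in seconds: 10 minutes, then 1 hour, then 1 day.
# The ladder has no "permanent" rung on purpose.
BAN_LADDER = (600, 3600, 86400)
# How long an address's strike history is remembered before it resets.
STRIKE_MEMORY = 7 * 86400


@dataclass
class Entry:
    until: float        # epoch seconds at which the block lapses
    strikes: int        # blocks issued within the STRIKE_MEMORY window
    last_strike: float  # time of the most recent block


@dataclass
class BanList:
    entries: dict = field(default_factory=dict)

    def ban(self, ip: str, now: float) -> float:
        """Block `ip` starting at `now`; returns the duration applied (seconds)."""
        key = str(ip_address(ip))  # validates and normalises v4/v6 text forms
        entry = self.entries.get(key)
        # Forget old strikes so a shared (CG-NAT) address is not punished forever.
        if entry is None or now - entry.last_strike > STRIKE_MEMORY:
            strikes = 0
        else:
            strikes = entry.strikes
        duration = BAN_LADDER[min(strikes, len(BAN_LADDER) - 1)]
        self.entries[key] = Entry(now + duration, strikes + 1, now)
        return duration

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while an active block exists for `ip`."""
        entry = self.entries.get(str(ip_address(ip)))
        return entry is not None and entry.until > now

    def expire(self, now: float) -> list:
        """Remove entries whose block lapsed and whose strikes are forgotten.

        Returns the addresses dropped, so the sweep can be logged.
        """
        stale = [ip for ip, e in self.entries.items()
                 if e.until <= now and now - e.last_strike > STRIKE_MEMORY]
        for ip in stale:
            del self.entries[ip]
        return stale
```

Run `expire()` from a periodic job so the list shrinks on its own instead of accumulating addresses nobody remembers adding.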
> If you have an idea on how abusive actors behind CG-NAT can be identified and blocked without blocking the entire CG-NAT
Working with the carrier? Depending on the kind of abuse, it could very well be against the ISP's ToS, and the ISP hopefully doesn't want its users blocked wholesale just because of a few bad actors dragging down the reputation of its IP blocks.
Is the carrier willing to work with any website who is abused by their customer? Is their barrier to accountability the demand for a civil or criminal lawsuit? Can sites without legal presence in the same country as the provider seek accountability? Must sites have vast monetary resources sufficient to survive the provider’s attempt to protect their customer from being held accountable under the banner of privacy? How can the provider defend themselves against abusive and falsified requests for identification? Is there an agreement that can be reached to protect identities while still stopping ongoing willful abuse by anonymous customers?
I appreciate the theory that you’re sketching, and I think it certainly has potential. But we already have the theoretical capability you describe today, and have had it for decades, and yet online abuse continues unchecked — so you’ll have to talk more about how and why your recommendation improves on what we have today.
Oh, I agree that the carrier isn't going to work with just any website.
But companies like Zoom (as would be relevant in this scenario) might hold more sway, especially if the looming threat is "deal with this on your end, or we will, with the blunt instrument that is IP banning". (Now, whether Zoom would engage in an IP ban just for abuse affecting a single school is a different story. But I imagine they must have some motivation to deal with zoombombing. Right??)
The school itself might not have the resources to engage in a legal battle, but they could certainly get law enforcement involved, especially if the abuse enters, say, hate crime territory, as it seems like it may have in this case.
(Granted, the privacy concerns that you raise are an entire issue in themselves, and I don't have any answers there.)
To be clear -- this isn't a novel proposal, per se, unless talking to other people is novel :) But, it's just a suggestion that while circumventing CG-NAT is technologically infeasible from the outside, technical solutions are not the only option.
And if it's not possible from the outside, well, there's one entity who's positioned to further trace the abusive users...
Law enforcement has not demonstrated a willingness to spend its resources on these concerns, and frequently will disregard threats of bodily harm and murder. Expecting them to respond to requests from a web forum, my go-to litmus test for solution viability, is laughable in the United States and I suspect most of the rest of the world as well.
The entity delivering service to the abusive customer is profiting from that delivery. Terminating service to that customer hurts their bottom line. They have strong incentives to not only refuse all requests for help, but to resist even the most serious of requests, in order to protect their bottom line.
I’m sorry to rain on your parade - it’s nothing personal! I wish I could be more supportive! - but there is overwhelming evidence that every entity that is positioned to help will do whatever it takes to avoid helping.
If this remains unsolved, we’re going to end up losing anonymity on the Internet. Several online food delivery systems in the US already permanently block Cloudflare’s 1.1.1.1 VPN product by IP, using Cloudflare’s own CDN protection tools! Because it turns out that effective anonymity for all comers protects abusers from accountability.
I do wish that the market would work as intended such that failures in handling abuse (e.g. frivolous accusations as we're plausibly seeing here) would lead to organizations moving away from Zoom to competitors, whether it's Teams or Meet or BlueJeans or whatever else. But unfortunately the friction of changing platforms is high, between sunk cost of contracts, needing to vet / compare multiple new systems, training on the use of new software, etc.
Meanwhile, the existing solution mostly just works 99% of the time.
(All this said -- even if CG-NAT is to blame for multiple students showing up with the same IP address, that should be tangential to the actual identification of abuse. Either there's a process failure (students aren't required to sign in), or Zoom's not logging or looking at the right things (e.g. display name changes).)
> I do wish that the market would work as intended
(Intended?! By whom?!)
In this case, the market is working exactly as markets are supposed to. Effectively dealing with abuse is expensive, and has no profit potential whatsoever.
The market will therefore penalize companies that spend money on dealing with abuse, and reward companies that do not. Economically, companies that manage to sweep abuse under the rug for the minimum possible cost will naturally dominate, and companies that spend the considerable investments needed to do a good job on it will eventually go to the wall.
If "market working as intended" has any meaning, maximizing profits is certainly it. It's very economically logical for a provider to not cater to the 1% or so abuse victims, who are expensive to handle, offer little revenue, and might stay with you anyway out of a lack of other places to go. It might be unfair, lack compassion, and be cruel to prioritize abusers over the abused, but none of these terms have any meaning by the metric of "markets".
By "markets working as intended", I mean "if one provider of a service has a critical flaw that's specific to that provider, and that flaw is a dealbreaker for some customers, then they ought to be able to vote with their wallets to switch to otherwise equivalent providers that don't have that flaw."
But I see your point that the markets are working logically from the perspective of there being insufficient incentive for companies (well, Zoom at least) to invest in dealing with this issue. Negative press only goes so far, and it doesn't matter much when it's the dominant player in the market by far (in part due to design choices that facilitated these flaws -- minimized friction in the interest of accessibility also minimizes friction for malicious action).
> Several online food delivery systems in the US already permanently block Cloudflare’s 1.1.1.1 VPN product by IP, using Cloudflare’s own CDN protection tools!
If they use Cloudflare, then that block is dumb. Sites behind Cloudflare are able to see the real IP of a 1.1.1.1 WARP user. Non-Cloudflare sites will see Cloudflare's IP.
WARP isn't a traditional VPN service[0]:
> "From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit."
Yes, I agree that the block is dumb. No, knowing that technically it’s useless made no difference whatsoever in getting them to lift it. There is no financial incentive for them to improve their block to be more capable or granular. They would rather not have customers who use a VPN, because to them a higher percentage of those customers are abusive. What case might you recommend to convince them otherwise?
> But we already have the theoretical capability you describe today, and have had it for decades, and yet online abuse continues unchecked
There is absolutely no mystery as to why. The for-profit corporations that provide these services have absolutely no interest in preventing online abuse, because doing so is expensive and there's no way to make money out of it.
[the provider blah blah]
As a human being, I really don't give a tuppenny damn about "the providers" anymore. This has been a problem for decades, and for decades we've had nothing but whining excuses from "the providers" while they continue to do nothing.
"The providers" should have been investing in anti-abuse technologies and systems starting in the previous century. They haven't done anything.
Draconian measures are needed. If "the providers" have to scramble, maybe even take losses for a few quarters, it's too damn bad for them.
I thought the same thing as you, but many students use their personal devices. I can't imagine the pain of trying to get all the students to set that up correctly, and the security implications of managing certificate stores is not something I would want to hand over to a lowest-bidder contractor for a school district. I don't really love that Microsoft/Linux distros manage them as is (although I'm admittedly too lazy to manage them manually).
Whois abuse reporting is the solution that is already in place and comes to mind. If you NAT segments of your network and mask your userbase from the greater internet, you inherit some responsibility for their actions, same with SMTP spam as any other service.
But many carriers simply ignore or don’t respond, much less investigate. To the point that people regularly take to other means to establish backend contact with larger carriers like Comcast, resorting to listservs like NANOG.
Ultimately it’s on the carriers to dole out the money to support it. But they could easily implement strike policies like DMCA reports have for many. Against both customers engaging in malicious activity and reporters abusing the system or making spurious reports that waste resources.
However that would mean carriers like Comcast would need to stop their efforts to completely frustrate communication with other NOCs etc.
It seems we need something that is difficult/expensive to create, but which does not permit anybody to trace the owner.
We either need something provided by the government that is unique to each recipient and services tuple (so it can't be used to trace anything), but will be the same each time, and so can be banned.
Else we need something like a proof of work, but that would either have to be so expensive to create that we would have to reuse it across all the end points.
I guess we could also mandate IPv6, but then blocking the addresses wouldn't be very useful.
Finally I guess we could mandate that all IPs be treated equally and then companies that can't handle that would have to close down.
A case could be made that sharing an IP address is like sharing a cell phone number, only that you don't get to make the decision directly. By choosing a provider that has not enough IP addresses to hand out / hasn't implemented IPv6 and using a site that doesn't use IPv6 either, you make the decision indirectly. (Else you would most likely end up communicating with it over IPv6.) You can also use a VPN to somewhere with a static IPv4 for a few dollars a month.
I know, the reality is most of the world is just stuck with IPv4 in some capacity. It is probably good that using IPv4 starts to hurt else we will never migrate. Btw. HackerNews is stuck with IPv4 only in 2021 still...
> It is probably good that using IPv4 starts to hurt else we will never migrate.
Not sure what you meant by this comment. The kid whose life is ruined won’t know what this is. The people who care about IPv4 vs v6 are unlikely to act based on this incident.
I was replying to a different anecdote. The kid is another casualty of us engineers and managers not doing our job in migrating to IPv6 in the last ~20 years or so. The world IPv6 launch was actually 10 years ago, there was plenty of time to migrate.
The kid might actually do quite ok as I have suggested in other comments. Really depends on the family and its personality.
You are completely right of course. Even if the victim was ok and doing quite alright, the injustice doesn't disappear. I tried to suggest that the punishment of 3 months of no school might be perceived as pseudo-punishment (or maybe even a liberation?) under such circumstances as a nearly abusive school administration.
Of course, we will never see the full picture. I can imagine, having a kid at home puts more stress on the parents that otherwise might rely on the school for something approaching day care / basically "storage" for human beings. I find just the thought of something like this distasteful but that might be the reality in many families.
The punishment was too extreme. That’s a separate issue from whether using a matching IP address is sufficient for enforcement (I believe it is). And let’s be real, cheaters rarely fess up. Almost every gamer banned for cheating cries out at the unfairness of it all and denies ever cheating. Given that, it’s important to have a good appeal process and to make sure the punishment is appropriate considering the level of evidence. A full expulsion based solely on a matching IP address is excessive. But a 3 day suspension probably would be fine.