
> When the ISPs discovered that the IP addresses belonged to Cloudflare, arms were thrown up in despair.

The level of desperation the ISPs' engineers have felt in front of such incompetence must have been through the roof. I am getting tired of our politics here in Europe: tech literate people in governments are put to work on surveillance stuff, never for actual policymaking.

The shit show continues.




The ISPs didn't discover this, they knew. But it was mandated so they had to do it.


Surely they should have contacted Cloudflare and asked them to sort out the issue with their network ...

CF will probably retort {common carrier, we are American and you are not etc}. Austrian policy makers get upset and ... THIS NONSENSE IS STILL NOT SORTED.

The internets are somewhat broken, quite badly. We all allow ourselves to end up in a series of virtual walled off silos - Facebook, Twitter etc, run by some pretty worrying monster commercial companies, whilst living within quite disparate physical societies. I think that the fediverse is a possible contender for the way forwards. I dumped Reddit for Lemmy and that seems to be working so far. I know a lot of 'X'iles are finding a home with Mastodon.

I worry about quite a few networks. One of the tools in the box is the IP block list. With the rise of the hyper-scalers, the IP blocklist is becoming increasingly useless. Same with SMTP filtering for spam. You can't block M365 or Gmail en-masse (tempting for my home setup, though!)

I recently gave CrowdSec a run at work (I will stick with it but with care). Great idea for the 2010s but not so much now. I got it to watch HAProxy logs (proxies on-site Exchange) and it pretty soon decided that my real users should be banned because of how Outlook works, or rather how the auth that Outlook uses works. Outlook doesn't just use Kerberos, it also uses EWS for the Addressbook and the good Lord knows what else. So you get a connection to an endpoint from Outlook without auth creds which generates a 401 (failed auth) error, then Outlook tries again, this time with creds and it works OK (200). To a CrowdSec agent those repeated 401s look like bots pissing around.

That is one reason why we cannot have nice things.

I'm a Brit (yes we Brexited) but I am still very much a European and so is my little country, like it or not - I have seen shed loads of number plates from across the EU trundling along the large A30/A37 crossroads/roundabout called Yeovil in Somerset. Mostly lorries and quite a few cars and campervans.

So I am from country X (GB in my case, not that X!) but I engage with (w,x,y,z) societies online. Now whose laws apply? In general it seems we muddle along effectively but should there be a formal internationally accepted agreement?


401 then 200 is part of Kerberos/NTLM. You can watch it if you use curl -v

401 indicates it should send its Kerberos ticket.

Kerberos verifies it should send a ticket, then sends it.

200 because you are now authenticated.


Yes, I know how it works but it fucks up log parsing. 401 is auth fail in http speak - https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

401 does not indicate anything apart from authentication failure. Bear in mind that I am trying to parse logs to decide what is happening.

I'm no expert but I suspect that http works a bit like this:

C: hello web server
S: yes I exist and I speak the following languages: lol, rofl, powershell (on thursdays)
C: cool, let's talk lfor and I will sacrifice my first born child and give you my wallet
S: no chance, but I speak lol and thank you for your wife
C-S: witter on in "lol" for some time. <cat memes flow regardless>

Kerberos has overloaded how auth should work and inadvertently fucked up log processing. Actually I think it is really NTLM. It goes in with auth instead of hello.
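The two comments above (the CrowdSec/HAProxy one and this one) describe the same log-parsing trap: a 401 followed by a 200 from the same client is a Negotiate/NTLM challenge handshake, not a failed login, so counting raw 401s bans real Outlook users. The following is an added example, not code from either commenter nor from CrowdSec or HAProxy; it uses a constructed, simplified log format and hypothetical function names (`parse`, `classify`, `should_ban`), and the 5-second handshake window is an assumption. It treats a run of one 401 (Kerberos) or two 401s (NTLM Type 1/Type 2) to the same path that is closed by a 200 as a single handshake, and counts only 401 runs that never get their 200 as genuine failures.

```python
"""Separate 401/200 auth handshakes from real authentication failures.

Added example: the log format below is a constructed simplification
(client IP, ISO timestamp, request, status), not HAProxy's real layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an Outlook client doing Kerberos (401,200) and NTLM
# (401,401,200) handshakes, and a client hammering a login endpoint with 401s.
SAMPLE_LOG = """\
10.0.0.5 2023-11-01T08:00:00 "POST /EWS/Exchange.asmx" 401
10.0.0.5 2023-11-01T08:00:01 "POST /EWS/Exchange.asmx" 200
10.0.0.5 2023-11-01T08:00:02 "GET /autodiscover/autodiscover.xml" 401
10.0.0.5 2023-11-01T08:00:02 "GET /autodiscover/autodiscover.xml" 401
10.0.0.5 2023-11-01T08:00:03 "GET /autodiscover/autodiscover.xml" 200
10.0.0.5 2023-11-01T08:00:04 "POST /EWS/Exchange.asmx" 401
10.0.0.5 2023-11-01T08:00:04 "GET /owa/ev.owa" 200
10.0.0.5 2023-11-01T08:00:05 "POST /EWS/Exchange.asmx" 200
10.0.0.5 2023-11-01T08:00:09 "POST /mapi/emsmdb/" 401
10.0.0.5 2023-11-01T08:00:10 "POST /mapi/emsmdb/" 200
198.51.100.7 2023-11-01T08:00:00 "POST /owa/auth.owa" 401
198.51.100.7 2023-11-01T08:00:03 "POST /owa/auth.owa" 401
198.51.100.7 2023-11-01T08:00:06 "POST /owa/auth.owa" 401
198.51.100.7 2023-11-01T08:00:09 "POST /owa/auth.owa" 401
198.51.100.7 2023-11-01T08:00:12 "POST /owa/auth.owa" 401
198.51.100.7 2023-11-01T08:00:15 "POST /owa/auth.owa" 401
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')
HANDSHAKE_WINDOW = timedelta(seconds=5)  # assumption: a handshake completes within 5 s


def parse(text):
    """Return a list of (ip, timestamp, request, status) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((m["ip"], datetime.fromisoformat(m["ts"]), m["req"], int(m["status"])))
    return events


def classify(events, window=HANDSHAKE_WINDOW):
    """Per client IP: naive 401 count, completed handshakes, and genuine failures.

    A handshake is a run of consecutive 401s to one path that a 200 to the same
    path closes within `window`; 401 runs that are never closed are failures.
    """
    by_ip = defaultdict(list)
    for ip, ts, req, status in events:
        by_ip[ip].append((ts, req, status))

    summary = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])  # stable: same-second lines keep file order
        naive = sum(1 for _, _, s in evs if s == 401)
        handshakes = failures = 0
        run = []  # open 401s (ts, path) still waiting for their 200
        for ts, req, status in evs:
            if status == 401:
                if run and (req != run[0][1] or ts - run[0][0] > window):
                    failures += len(run)  # earlier run was never completed
                    run = []
                run.append((ts, req))
            elif status == 200 and run and req == run[0][1] and ts - run[0][0] <= window:
                handshakes += 1  # 401(,401),200 to the same path: challenge/response
                run = []
            # any other line (200 to another path, 5xx, ...) leaves the open run alone
        failures += len(run)
        summary[ip] = {"naive_401s": naive, "handshakes": handshakes, "failures": failures}
    return summary


def should_ban(ip_summary, threshold=5):
    """Ban decision on genuine failures only, not on the naive 401 count."""
    return ip_summary["failures"] >= threshold


if __name__ == "__main__":
    for ip, s in classify(parse(SAMPLE_LOG)).items():
        print(ip, s, "BAN" if should_ban(s) else "ok")
```

On the constructed input the Outlook client shows five raw 401s but zero failures, while the other client's six unanswered 401s are all counted, so a threshold of five bans only the second. The path-matching condition matters: a 200 to an unrelated URL must not be taken as closing somebody else's challenge, and the window keeps a stale 401 from being paired with a much later success.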


Re: numberplates

Foreign licensed vehicles can operate and drive in the UK for up to 30 days without applying to the DVLA (DMV) for UK registration.

However the UK government has never subscribed to any of the available EU crime and general population administration data sources which has always left the UK vulnerable to overseas criminal activities concentrating here because there's obviously no reciprocating return of information to the continental authorities either and so the UK has become the best place to let the law slip if you're up to no good in Europe.

Edit: slip not slop


> CF will probably retort {common carrier, we are American and you are not etc}.

Considering how quickly they reversed course on their grand statement about having principles, any such retort would probably be about as effective as they predicted in that statement.

.

> The internets are somewhat broken, quite badly. We all allow ourselves to end up in a series of virtual walled off silos

The problem with the Internet is that between nat and annoying rules and asymmetric connections, most home connections aren't suitable for serving things.

The big services being centralized isn't a problem with the Internet, which can be seen from how often non-Internet things consolidate the same way.


>The level of desperation the ISP’s engineers have felt in front of such incompetence must have been through the roof.

If I was an engineer there I would block the addresses and call it a day. What do I care? After all it's customer service who will deal with the angry calls.


Fortunately they didn't do that and instead got this in front of regulators.


Some, if not all did it.


Obviously your boss or boss's boss would care.


It would be my boss or boss' boss ordering me to block the addresses, wouldn't it?


Yes, who would also yell at you when customers can't access their cat pictures.

Of course it could be an accident, and you didn't know. But if it was clearly malicious compliance, personally, and I think I speak for many, I wouldn't continue to have on the team somebody with these kinds of traits.


I don't think I understand. A court orders you to block certain IP addresses: you have no options. If that block disallows access to unrelated pages there's nothing either the engineer or the boss can do. Should the engineer lose any sleep over this? Am I missing something?


Courts don't work like computer programs, if the court order would have clearly unintended outcomes then you have some option to in good faith not comply with the order, have your lawyers raise it with the right politicians or courts, and not end up in legal trouble.

The job of the engineer who notices this is to raise it to their boss and legal counsel and let them decide whether you should still execute the planned block or not. If they decide you should then you do, if they decide you shouldn't then you don't.


> The job of the engineer who notices this is to raise it to their boss and legal counsel...

...shouldn't the legal department be involved way before the issue reaches the engineer? Why should the engineer ever care about it in the first place? Chances are these orders do not come directly to their email.


> shouldn't the legal department be involved way before the issue reaches the engineer?

Possibly, but the legal department might not know what Cloudflare is or the implications until the engineers explain it.


That seems like an extremely unlikely scenario for the legal department of an ISP in 2023.


In this case the court said to block illegal content, and here are the IP addresses where that content is served which should be blocked. It passes the sniff test of the lawyers as not much different than blocking domains of piracy sites. They pass the requirement on through the engineering org, it eventually reaches an individual contributor who is tasked to make it a reality.

Then that engineer looks at the specific IPs and realizes that some of them are Cloudflare IPs and the collateral damage of blocked content would be significant. Their job is to then escalate and pass it back to higher managers and the legal department to confirm they knew about that implication and want to move forward.

The legal department at the ISP having specialists means that they could understand this situation in a single email from the engineer, not that they obviously have the foresight or capability to even find out that some of the IPs might be for Cloudflare. Or sometimes the lawyer might even assume that's not a big deal but higher managers can realize that it is a big deal and then discuss options.

All that I mean is that even at FAANG companies with extensive and competent legal departments it's not correct to just blindly execute a change like this if you think it looks wrong; it's not at all a safe assumption that what you know is somehow a subset of what they know.


Nah, you just put up a big splash page. Due to the order of court XXX judge XYZ…

Let them be hoisted by their own petard.


You are missing the experience of an asshole manager pressuring you to 'just fix it' in an enraged state accompanied by their phone constantly buzzing from the sweet notification sound of getting bombarded by emails/tickets.

For context, I didn't experience this yet. I hope I never do.



