That's a good thing. The higher up the stack you go, the less value there is in standardizing, and more painful the costs (of being constrained in implementation).
Also: it is much simpler than IPSEC. Pretty much everybody can get WireGuard working in minutes. It's approximately as easy as setting up SSH. That's simply not true of IPSEC.
As they say, a typical DNS request comes in as one packet and is replied to in one packet; there is no ongoing connection, so there's no point keeping tracking information.
The implication of not tracking the connection is that any packets will have to match a more specific rule than the "allow established,related" at the top of the firewall chain.
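What that looks like in practice, as an added nftables example that is not from any comment in the thread: DNS is exempted from conntrack, so its packets can never match `ct state established,related` and need their own rules. The resolver address 192.0.2.53 and the chain names are my own assumptions.

```nftables
# Added example, not from the thread. Resolver 192.0.2.53 is a constructed
# (documentation-range) address.
table inet filter {
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        # One-packet DNS exchanges: create no conntrack entry at all
        udp dport 53 notrack
        udp sport 53 notrack
    }
    chain raw_output {
        type filter hook output priority raw; policy accept;
        udp dport 53 notrack
        udp sport 53 notrack
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        # Untracked queries never match the rule above (their ct state is
        # "untracked", not "invalid"), so they need a more specific rule
        ip daddr 192.0.2.53 udp dport 53 accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Replies from the resolver are untracked too; pin them to the
        # resolver address rather than accepting any udp sport 53
        ip saddr 192.0.2.53 udp sport 53 accept
    }
}
```

Without the two explicit accept rules, queries would be dropped by the default policy even though "established,related" is at the top of the chain.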
> they would be better off trying to make DNS a TCP-only service to stop amplification attacks.
Sure, let's get literally everyone on the internet to agree to a new version of DNS that uses TCP...
Even if you do that, the problem just moves from conntrack filling up to ephemeral ports filling up with sockets stuck in TIME_WAIT, because some genius thought a service that doesn't maintain a connection should use TCP.
> But that's not what happened here. The editors did their normal endorsement process, but the owner of the paper stepped in and personally overrode their process for this one particular endorsement.
Honestly it’s surprising to me that people really think that the news side of a media company operates with complete autonomy from the business side. They might claim it exists but that’s a fallacy.
I worked at a major daily newspaper 30 years ago and I personally know of two cases in my short tenure there where news stories were killed because they didn’t want to piss off important advertisers. I am also aware of a story involving a family member of one of the executives that was let’s say “barely” reported. Other local media organizations interestingly had much more detail than we carried.
News has always been and will always be first—a business.
The press is free to report on whatever they want. That freedom however is not a mandate that they must report on everything. Newspapers and other media companies have ALWAYS focused on profit. Nothing new there.
Plus in this day and age there is literally no restriction on the flow of publicly accessible information, at least in the US. Even when it was tried recently (Twitter, FB, YouTube) during the pandemic, the public backlash to those attempts at information control was so great that it might literally sway this election.
Like most of the 21st century: nothing new, just getting more efficient and less subtle with it. 20th century corruption would have had this announced way back in 2023 to make the timing not so obvious, at the bare minimum, instead of having editorial waste its time on a story that was pulled last minute.
> the public backlash to those attempts at information control was so great that it might literally sway this election.
but nothing much changed. I don't know if public outcry vs output was always this poor, but that certainly seems to have changed over the decades. Too many people uncomfortable enough to complain but not enough to get up and get out.
Two of the three platforms (and the former CEO of one) have publicly admitted what was done at their companies was a mistake and the third has quietly reversed much of the topic controls around pandemic and vaccination content.
Advertisers are one thing, but where's the business sense in not reporting on an executive? That sounds like a little fiefdom, not something that makes "business sense."
Whenever people say stuff like this it reminds me why I'm wary whenever people mention things being business friendly or pro-market because it has a lot to do with protecting certain people who already have a good position over merely following market forces.
Point was that leadership of a media company might make editorial decisions that are in its best interest—whatever that interest might be. Not necessarily profit, but could be personal.
What do you think about black box/IoT/whatever hosts on your LAN pinging external hosts with unknown payloads while you're not using them?
Best security practice is obviously to block any/all ping not intentionally sent by you, whoever the local network admin is, or otherwise only whoever or whatever is explicitly allowed to.
> What do you think about black box/IoT/whatever hosts on your LAN pinging external hosts with unknown payloads while you're not using them?
I think that 1. they can connect out via TCP or UDP much more easily than ICMP, 2. that blanket blocking outbound connections is a short path to madness, 3. if you don't trust a device on your LAN you should unplug it or isolate it, both of which are more effective and less disruptive, and 4. depriving yourself of the most fundamental network diagnostic tool in the name of security is cutting off your nose to spite your face.
1.) Carried out, that logic suggests not performing any outbound filtering because LAN hosts could simply find another way, protocol or port, out? I understand that 99.9% of LANs are configured default-allow LAN outbound. But the premise of your statement is untrue if the firewall is configured default-deny in all directions on all interfaces.
2.) I've not suggested 'blanket blocks' (nor 'blanket allows' for that matter). Specifically, both ingress and egress ICMP should be filtered by type code.
3.) In a zero trust model[1], every LAN device is untrusted. One should perform as much isolation and filtering as possible at all the relevant network layers. Network security is "disruptive" by definition.
4.) The second paragraph of my comment suggested that ping should be explicitly allowed for anyone/any device on the LAN legitimately utilizing it.
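The "filter ICMP by type, allow ping only for whoever legitimately needs it" position above, as an added nftables example that is not from any comment in the thread. The LAN range 10.0.0.0/24 and the diagnostics host 10.0.0.10 are constructed values; the point is that the error and neighbour-discovery types stay open while echo is confined to an explicit allow list.

```nftables
# Added example, not from the thread. 10.0.0.0/24 (LAN) and 10.0.0.10
# (the admin's diagnostics host) are constructed addresses.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        # Echo replies to our own pings are "established" and pass here
        ct state established,related accept
        # Error types every host needs; everything not listed is dropped
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Neighbour discovery is not optional on IPv6; link-local only (hop limit 255)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept
        # Inbound echo: LAN only, rate-limited; nothing from the outside
        ip saddr 10.0.0.0/24 icmp type echo-request limit rate 10/second accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Path MTU discovery and error reporting still work for forwarded traffic
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Egress echo: only the designated diagnostics host may ping out;
        # an IoT box on the LAN pinging external hosts hits the drop policy
        ip saddr 10.0.0.10 icmp type echo-request accept
        # Ordinary LAN egress (TCP/UDP) would be listed here per service
    }
}
```

Dropped ICMP hitting the forward chain's default policy is a cheap place to add a `log` statement, which is how you notice the black box on the LAN that keeps trying.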
How would somebody ping your internal network from the outside? Your firewall should block the ping getting past the router, regardless of the external interface responding.
That said: who cares? Even if you published an exact list of every single IP on your network, it doesn't do an attacker any good, because again, there's a firewall between them and your devices.
Network metadata is sometimes valuable all by itself. Investment firms buy satellite imagery to identify the number and models of cars in corporate parking lots, for better inferring internal business conditions. Frequency of pizza deliveries to the Pentagon revealed when major ops were taking place.
A private network will ideally present as an opaque black box to the outside.
> A private network will ideally present as an opaque black box to the outside.
Good luck (trying) scanning an IPv6 /64 subnet.
I've been in IT for 20+ years, and I have yet to find a situation where blocking ICMP(v6) caused more benefits than problems.
Ditto for my home network: my last ISP had IPv6, and I had an Asus router which blocked unsolicited incoming connections: I could not SSH to any of my Macs from the outside (by default), but could ping if I knew the address (but good luck guessing 2^64).
If you want to try to enumerate the equivalent of 4.3 billion IPv4 Internets that is a single IPv6 subnet, have fun.
And there will probably never be any standard (non-commercial) "upper-layer" because of this.
The project prides itself on being much simpler than IPSEC etc., but that's easy when you leave out half of the functionality.