Genuinely curious, how would you block an attacker from getting to your SSH port without knowing the path you will connect from (which is the case for remote access) at configuration time?
I don't see how Path-Aware Networking would replace a VPN solution
> Hidden path communication enables the hiding of specific path segments, i.e. certain path segments are only available for authorized ASes. In the common case, path segments are publicly available to any network entity. They are fetched from the control service and used to construct forwarding paths.
Just be aware that with your strategy “blocking 50% of unwanted traffic” means blocking non-attack traffic, as these Internet security companies are mostly legitimate. The automated attack traffic that you actually want to block is in the other half and will frequently change IPs.
> these Internet security companies are mostly legitimate
This is both subjective and highly dependent upon the scope of services being run. My setup would probably progressively create more hassle than it saves as you move up the scale from small business to large business. For the setup I have, I quite specifically want to block their traffic.
I'm possibly overly militant about this, but they keep databases of the results of their scans, and their business is selling this information to ... whoever's buying. I don't want my IP addresses, open ports, services or any other details they're able to gather to be in these databases over which I have no control and didn't authorise.
To steal an oft-used analogy, they're taking snapshots of all the houses on all the streets and identifying the doors, windows, gates, and having a peek inside, and recording all the results in a database.
I believe all of them are illegitimate. They 'do' because they can, and it's profitable. "Making the internet safer" is not their raison d'être.
Happy for any else to form their own opinion, but this is my current stance.
Yes - Anyone whose FAQ answer to "How to avoid being scanned" is "We don't have an opt-out, you must block all these addresses" isn't behaving like a legit business.
"Nice network you've got there."
"We noticed something might be open. We're not telling you what it is."
"It would be a pity if something happened to your business."
The problem is that becomes a concentrator of IPs behind which privacy conscious individuals exist, which probably has higher value to "whoever's buying". It's a conundrum.
It sounds like what GP is suggesting is to collect IPs of all the scanners, and share the list of IPs among ourselves, so we can collectively route their traffic to /dev/null.
My experience is that after blocking Censys, unwanted traffic on non-standard ports from other IP blocks has basically gone to zero. It appears to me that some bad actors are using Censys scans for targeting.
> (...) as these Internet security companies are mostly legitimate.
Note that you're basing your assertion on the motivation of random third parties exclusively on the fact that they exist and they are behind active searches for vulnerabilities.
Imagine a major bridge that was built by a contractor. An internal safety inspector repeatedly warned his supervisors of structural deficiencies that could lead to the collapse of the bridge. Furthermore, as time passed, two external sources publicly warned about the issue, but the company downplayed its importance.
Finally, the bridge collapses. It becomes evident that the company did nothing about the issue because it didn't want to lose contracts selling more flawed bridges.
The public would justifiably go nuts, and there would be legal consequences for everyone involved.
What is different in our industry that companies (and managers) get away with such malice?
Here in Norway a bridge built with known structural deficiencies did in fact collapse[1], and basically nothing has happened except tax payers get to pay even more for a new bridge.
Unless enough lives are lost, people generally don't care that much it seems.
I'm not sure if this would line up with the Dunbar number or something similar, but it sure seems reasonable that societies and centralized power should never grow beyond the scale where people stop caring.
If the public is expected to keep government and corporations in check but the public doesn't care, it can only end poorly.
>What is different in our industry that companies (and managers) get away with such malice?
Software isn't immediately life threatening. That's why it's all the wild west outside of medical and aerospace. While it sucks to have PI leaked to the internet, you do have time to at least take action compared to a door in an airplane coming off.
>What is different in our industry that companies (and managers) get away with such malice?
Lack of professional licensure that binds you to state regulation with jail time as one of the stated punishments besides financial liability.
Heh, the government could start effecting change by mandating licensure and sign-offs by licensed individuals when contracting for software products sold to the government.
Wasn't there something a bit like that with the Morandi bridge that collapsed in Italy?
(There was definitely something like that with the Mottarone cable car that had been running for years with the safety catch disabled. When the tow-rope snapped, with no catch, the cabin rushed down and killed everyone on board.)
Management that knowingly chooses to ignore a major issue should be charged with criminal negligence. The creation of the bug is a common and difficult-to-avoid mistake. But once it has been found, choosing not to change it despite being warned of the consequences makes you responsible for those consequences.
Sorry, this whole thread is a fantasy of nerds thinking they can create a punitive policy for behavior they don't like. But there is no actual substantive framework under which any of these fantasies can come true.
How about the same as for fraud, manslaughter, conspiracy... But that's the judiciary's problem anyway. People who campaign for this higher accountability argue that it's such a drastic change from fines that it will change company cultures overnight.
It is true that nothing is 100% secure. Sitting on a major security vulnerability internally with a motivated employee pushing to fix it and doing nothing for business reasons is not negligence, but malice.
People in the chain of command need to be held accountable for this.
TLDR: A Denial-of-Service vulnerability triggered via cache poisoning on registry.npmjs.org which can render individual packages inaccessible
I don't see the big security impact that the headline suggests, as active big-scale exploitation would likely be quickly noticed and fixed.
The most interesting attack vector IMHO would be to block individual security fixes to packages on a small scale.
Perhaps, but it could also be fixed/mitigated by cycling the cache state and blocking bots. It might also be something that can be blocked in a web proxy.
It's interesting, but I share the thought that the impact is overstated.
Just as new to LionsOS as you are, but it has a much more permissive license, and it’s not dual licensed. I think this will make it easier for people to support the project.