you sir/maam have not seen the netflix talk on using IPv6 for their full internal stack because of inefficiencies allocating IPv4 ranges i’m guessing
many “unused” IP addresses are unused because they’re kinda like having spare parts: if you’re planning on extending your network in the future, your IP block kinda should reflect your end state (ie the parts you need over time to replace or “build” new hosts)
or for blue/green deployments where it’s likely that at least half the IP range will be used in terms of process, but unused most of the time in terms of reachability
and then there’s weird things with splitting up IP blocks into subnets with a division of 3 (the minimum needed for dealing with net splits etc) - eg across availability zones… there are always “waste” IPs because you can’t divide multiples of 8 cleanly into 3
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
it’s not magic… it’s a firewall, and it works pretty much exactly the same as a NAT: a whitelist of IP and port combinations
there are duplicate machines that share programs
yes… that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
no instead you yell the IP address and they spend 30min trying to debug why they can’t ping it or even get ICMP packets through and then you realise you yelled the private IP address and they were on the wrong side of the NAT
publicly addressable does not mean publicly routable… your router would still not arbitrarily connect untrusted external devices to internal hosts
NAT has the property of a firewall only as an implementation detail. replacing NAT with an IPv6 firewall in the router is an upgrade in every conceivable way
i kinda love that this explanation is so much more complex not because it adds nothing but precisely because it adds a lot of realism: NAT is actually just far more complexity and processing
in the real world we actually use distribution centers and loading docks
because we can pass packages in bulk between large distances… in routing, it’s always delivery boys: a single packet is a single packet: there’s no bulk delivery, except where you have eg a VPN packing multiple packets into a jumbo frame or something…
the comment you’re replying to is only providing an analogy: used to explain a single property by abstraction; not the entire thing
we can have staff specialise in internal delivery
but that’s not at all how NAT works: it’s not specialising in delivery to private hosts and making it more efficient… it’s a layer of bureaucracy (like TURN servers and paperwork - the lookup tables and mapping) that adds complexity, not because it’s ideally necessary but just because of limitations in the data format
routers still route pretty much exactly the same in IPv6 direct or NAT, but just at the NAT layer public IP and port is remapped to internal addresses and ports: the routing is still exactly the same, but now your router has to do extra paperwork that’s only necessary because of the scheme used to address
NAT is not much different to a firewall though… just because the address space is publicly routable does not mean that the router has to provide a route to it, or a consistent route
NAT works by assigning a public port for the outgoing stream different to the internal port, and it does that by inspecting packets as they go over the wire: a private machine initiates a connection, assigns an arbitrary free port, and sends that packet off to the router, who then reassigns a new port, and when packets come in on that port it looks up the IP and remapped port and substitutes them
that same process can easily be true in IPv6 but you don’t need to do any remapping: the private machine initiates a connection, and the router simply marks that IP and port combination as “routable” rather than having to do mappings as well
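The contrast drawn in the two comments above, as an added simulation that is not part of the original thread: a NAT keeps a two-way port-remapping table and rewrites every packet, while a stateful IPv6 firewall only records which (remote, internal) flow was initiated from inside and forwards packets unchanged. All addresses and ports are constructed sample values.

```python
import itertools
from typing import Dict, Optional, Set, Tuple

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class NatRouter:
    """IPv4 NAT: remaps the private source port to a public one and must
    keep an inbound lookup table to undo that remapping on replies."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._free_ports = itertools.count(first_port)
        # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.outbound: Dict[Packet, int] = {}
        # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def egress(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Packet:
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:  # first packet of this flow: allocate a mapping
            pub_port = next(self._free_ports)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)  # rewritten packet

    def ingress(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Packet]:
        target = self.inbound.get((dst_port, src_ip, src_port))
        if target is None:
            return None  # no mapping exists: unsolicited packet is dropped
        return (src_ip, src_port, target[0], target[1])  # rewritten back


class V6StatefulFirewall:
    """IPv6 router firewall: same 'only replies to flows we started' policy,
    but no address or port rewriting, so only one table and no translation."""

    def __init__(self) -> None:
        self.allowed: Set[Packet] = set()  # flows permitted in the return direction

    def egress(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Packet:
        self.allowed.add((dst_ip, dst_port, src_ip, src_port))  # mark the reply flow as routable
        return (src_ip, src_port, dst_ip, dst_port)  # packet forwarded unchanged

    def ingress(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Packet]:
        pkt = (src_ip, src_port, dst_ip, dst_port)
        return pkt if pkt in self.allowed else None  # unsolicited traffic is dropped
```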
cc companies
best to say card networks, as cc companies both include a lot of other things (like issuers), and don’t include some things (like debit cards, which still use the card networks)
that’s absolutely the main thing yup… in almost every circumstance where people implement blockchain, a trusted entity is involved so there’s no point to the blockchain
almost always there’s a single entity issuing a thing, and then that same entity also consuming that thing
we are absolutely right now in the trough of disillusionment with blockchain (well, among people who actually understand anything at all - as usual let’s not count trump and his base as rational actors), and at some point useful solutions will remain
(and side note too, we’re in the peak of inflated expectations with AI… i cannot wait for that crash and to be left only with useful things)
i’ll give it a crack
in australia, we have various credentials provided by the government to attest to a person’s fitness to work with children (i’ll just refer to these in bulk from now on as WWCC: working with children checks). there are many of these - one per state for individuals, plus teacher’s accreditations per state, and a few more. they’re ongoing certifications, so can be revoked if anything happens
it’s a legal requirement for businesses who engage in activities involving kids to ensure anyone they employ - including volunteers - is appropriately vetted
needless to say, this gets quite complex for national organisations!
i was the engineering lead for a startup where organisations could add their workforce into the system, with the credentials, and the system checked periodically that everyone’s credentials are valid, about to expire, etc and notified people if something went awry
of course, that doesn’t need blockchain BUT
in cases of child sexual abuse, things tend to only come out after 30+ years on average (according to the royal commission into institutional responses to child sexual abuse). organisations need to be able to prove that they were doing everything they possibly could to protect the kids under their care. 30 years on that’s no small task! our company might not even exist in 30 years!
along with our automated checks, we also published an event to the eth blockchain: a hash of the card details as an index (ie if you know the card details, you can look up all instances of validation), and a hash that proves the check took place
what’s that hash? well, i won’t get too into the weeds but essentially we push a payload to IPFS which contains:
we also published a page on IPFS that allows people to enter card details and load all this information and produce all the technical details to prove what happened (we also had plans for some kind of hardware pack with pinned versions of things because browsers and technology change)
you might be able to do this by relying on the date header that the server sends, but to be really sure, writing the hashes to the blockchain proves that the event given happened at a very specific time and date
blockchain shouldn’t be big and flashy: it’s a very niche use-case, but for those niches there’s really nothing like it
it does still hold value, but the value is super niche and generally shouldn’t be exposed to the user… it’s an implementation detail
i’d argue that any serious company wouldn’t really bother with MAC identification… they’re so easy to spoof that it adds to operational overhead far more than the benefit it brings
more likely with these things you’d have a VLAN mapped to a physical port, and if that port were disconnected you’d instantly get a notification and send someone to check it out
i’d have said that’s less important than TLS or something on your ATM, a VLAN for ATMs that can only access specific services, and all ports not on a VLAN just disabled
really you just want to stop traffic from being sniffed (stolen credentials) and spoofed (“correct - dispense $10000”), and then to make sure it and nothing adjacent to it can access less robust services… beyond that, you just have to assume nothing. the services that an ATM connects to should be robust enough that they do all the validation - the ATM is pretty dumb (kinda in the same way as your browser on your computer: it gets no decision making to access your bank; it’s just input and output)
MAC addresses are easy to spoof, and physical security is pretty difficult on something like an ATM that’s publicly accessible… plugging into a switch should honestly be a nothing burger… having it publicly accessible - even on the same VLAN as an ATM - shouldn’t be a problem other than defence in depth
First they came for the socialists, and I did not speak out—
Because I was not a socialist.
Then they came for the trade unionists, and I did not speak out—
Because I was not a trade unionist.
Then they came for the Jews, and I did not speak out—
Because I was not a Jew.
Then they came for me—and there was no one left to speak for me.
is banning porn games on the same level?
no… not even a little, but i think it’s pertinent… these groups keep pushing harder and harder and it won’t stop. it’ll eventually reach you as a person; not just your interests
i assume you’re allowed to buy guns with them in the US? that’s WAY more directly attributable
i’d imagine the company would make 2, 4, 6, 10 drink dispensing machines… having commodity hardware makes it super cheap to just have different shells and a power bus that you bolt electronics and mechanics onto in discrete parts
heck each individual controller could read an RFID tag embedded in the syrup and update its display automatically just from the inserted cartridge which would be PITA to do on a single machine
adding all the sensors for each, a display out for each… it’s really just way simpler to duplicate the hardware… honestly, good engineering
letting people live life is more than just good for individuals… it’s just safer for everyone
focusing on harm reduction rather than abstinence and bans
ah! sorry i misread/misunderstood privacy to mean security in your comment :)