
I self-host a (non-critical) mail server and a few other things and occasionally look at live firewall logs, seeing the constant flow of illegitimate traffic hitting random ports all over the place, some hitting legitimate service ports but others just probing basically anything and everything. I decided to setup a series of scripts that detect activity on ports that aren't open (and therefore there's no legitimate reason for the traffic to exist) and block those IP addresses from the service ports since the traffic source isn't to be trusted.

Something that came out of analysis of the blocked IP addresses was that I discovered a few untrustworthy /24 networks belonging to a bunch of "internet security companies" whose core business seems to depend on flooding the entire IPv4 space with daily scans. Blocking these Internet scanner networks significantly reduced the uninvited activity on my open service ports. And by significantly I mean easily over 50% of unwanted traffic is blocked.

Network lists and various scripts to achieve my setup can be found here: https://github.com/UninvitedActivity/UninvitedActivity

Internet Scanner lists are here: https://github.com/UninvitedActivity/UninvitedActivity/tree/...

Large networks that seem responsible for more than their fair share of uninvited activity are listed here: https://github.com/UninvitedActivity/UninvitedActivity/tree/...

I'm semi-aware of the futility of blocking IP addresses and networks. I do believe, however, that it can significantly reduce the load on the next layers of security that require computation for pattern matching etc.

Be aware: there are footguns to be found here.
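The detection step described above (a source that touches a port with no listening service is treated as untrusted and is then blocked on the service ports too, with the results aggregated per /24 for analysis), as an added example that is not code from the UninvitedActivity repository. The log lines are constructed in iptables LOG format; the open-port set, the allowlist and the ipset set name are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of iptables-style kernel log lines; not captured traffic.
SAMPLE_LOG = """\
Jun  1 10:00:01 host kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=25 SYN
Jun  1 10:00:02 host kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=3389 SYN
Jun  1 10:00:03 host kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=23 SYN
Jun  1 10:00:04 host kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.21 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=8080 SYN
Jun  1 10:00:05 host kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=55555 DPT=443 SYN
Jun  1 10:00:06 host kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.2 PROTO=UDP SPT=5060 DPT=5060
Jun  1 10:00:07 host kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.2 PROTO=TCP SPT=5061 DPT=22 SYN
"""

# Assumed set of legitimately exposed (protocol, port) pairs: SSH, SMTP, HTTPS.
OPEN_PORTS = {("tcp", 22), ("tcp", 25), ("tcp", 443)}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Extract (source IP, protocol, destination port) from one LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto").lower(), int(m.group("dpt"))


def closed_port_offenders(log_text, open_ports=OPEN_PORTS, allowlist=()):
    """Map each source that hit a port with no listening service to the closed ports it touched.

    A source that also hit open ports (e.g. 203.0.113.7 on SMTP) is still reported,
    because any closed-port hit marks it as untrusted. The allowlist guards against
    the obvious footgun of blocking your own monitoring or admin networks.
    """
    allow_nets = [ipaddress.ip_network(a) for a in allowlist]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dpt = parsed
        if (proto, dpt) in open_ports:
            continue
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in allow_nets):
            continue
        hits[src].add(dpt)
    return dict(hits)


def aggregate_by_slash24(offenders, min_sources=2):
    """Count distinct offending sources per /24 and keep networks with at least min_sources.

    This is the analysis step that surfaces scanner networks worth blocking whole.
    """
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in offenders
    )
    return {net: n for net, n in counts.items() if n >= min_sources}


def build_ipset_restore(offenders, setname="uninvited"):
    """Render an ipset restore fragment that adds every offending source to a hash:ip set.

    The firewall is then expected to reference the set on the service-port rules
    (e.g. a DROP rule matching the set placed before the ACCEPT rules).
    """
    lines = [f"create {setname} hash:ip"]
    lines += [f"add {setname} {ip}" for ip in sorted(offenders, key=ipaddress.ip_address)]
    return "\n".join(lines)


if __name__ == "__main__":
    found = closed_port_offenders(SAMPLE_LOG)
    for ip, ports in sorted(found.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:16} closed ports hit: {sorted(ports)}")
    print("dense /24s:", aggregate_by_slash24(found))
    print(build_ipset_restore(found))
```

Feed the rendered fragment to `ipset restore -exist` and match the set from the service-port rules; the allowlist should at minimum cover the networks you administer from.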




One thing I do is I blocklist entire countries' and regional ISPs' CIDR blocks. Believe it or not: straight to firewall DROP.

China, North Korea, so many African countries whose only traffic is from scammers, tiny islands in the Pacific that are used for nothing but scamming...

Straight to DROP.

And I do not care about the whining.


Had a travel insurance do this and when I was in hospital in Asia I couldn't start a claim and the hospital nearly kicked me out. I'm sure the sysadmins thought it was a great way to reduce hacking attempts by blocking Asia.


That's so remarkably stupid for travel insurance, it's unbelievable.


I wrote a cynical take on "how it happened" at the time: https://joshua.hu/losing-sight-vision-mission-of-your-role

I think it comes from the divorce of what people are hired to do versus what their work actually contributes to. I also remember the countless cloudflare turnstiles that I've had to get through one way or another on airlines' websites which reset every minute (looking at you, airserbia, for being the worst).


If there’s one single business that I might expect to honor traffic from foreign countries, it would be the travel industry. I can suddenly envision using a VPN to route through Asia and check a travel agent’s site access before purchasing.


Why couldn't they fix this with a phone call? So much suckage.

Mental note 1: Verify whether I can file a claim over the phone before I give a travel insurance company my money.

Mental note 2: Don't travel without being able to VPN through a U.S. endpoint. Preferably something sitting in my house.


Mental note 3: Verify you can call international numbers?


GP said he does "not care about the whining".


Ironic that GP commenter said "I do not care about the whining" about regional IP blocks and the first reply is just someone whining about it.


That’s awful but why is the onus on random sys admins around the world to deal with this correctly and not the government hosting the problem entities?


I would say because it’s their job to serve their customers, even if they’re abroad? Especially for a travel insurance company.


You don't think a travel agency selling policies covering china should have their sysadmins ensure that their customers can actually make use of those policies? They can always explicitly exclude china if they don't want to deal with this but then they wouldn't have gotten GP's money.


It's not a random sysadmin. It's a sysadmin of a travel insurance company.


if the government in question is supportive of said problem entities, they won't "deal" with it

If the government in question has free rein on regulating said traffic, it's an avenue for repressions and censorship

Otherwise it's a legal matter to seek action against such entities, which is already how it works

(... but I'm afraid we're actually mostly talking about "scenario 1 entities" here, which makes it futile to seek action from the very offices that already play a role in making it harder to use existing legal means)


And it’s not like we will invade countries to stop spam calls, although China is probably the closest to getting to that stage given that the scam centers in Myanmar seem to be a deciding factor in who they throw their support behind: https://www.theguardian.com/world/2024/jan/31/myanmar-hands-...


Government needs lobbying to act


That's like asking why don't we expect burglars to not burgle, they won't, but that doesn't mean walling off a whole neighborhood is the solution either.


You haven't seen new construction in many upper end places then... High exterior walls and gated entry. Not that it adds much practically.


As a Russian, I hate it when people do this. It's extremely annoying when you just click some random interesting-looking link from HN or Reddit or Twitter only to be greeted by a 403 or a connection timeout. Then you turn your VPN on, and magically, it loads just fine.


For many services, the expected value of letting people from Russia access their service is negative. The reality is that Russia contributes a large portion of hacking attempts while providing very little to no revenue for the service. At the end of the day it is just business, and sometimes letting countries access your service is bad for the bottom line.


I think you and the person above you can both have valid concerns at the same time. If someone said "~50% of theft is from <insert minority group> while they only account for 5% of my business, so I'm not going to let them in the door", assuming the absence of social and legal consequences which would realistically occur, it could be argued that it's the right move for their "bottom line" or whatever. Does that mean it's right, or good, or equitable?

Of course at the same time, if you hold yourself to a much higher standard than what's socially or legally acceptable, there's the inevitable fact that your competitors aren't. So it's a fine balance.


If <minority group> is covered by the same jurisdiction as <business>, then it's not close to a 1:1 comparison.

It's perfectly reasonable to not do business with people in countries that support piracy. And I'm referring to the Arrg/EyePatch type and the Buh/KeyboardWarrior type. In the end, it's a choice. If you don't have a legal means to deal with illicit activity, and blocking mostly works, there you go.


Your country is a bad global citizen. If they started taking action against the groups trying to break into my systems every minute of every day then I wouldn't need to block the entire jurisdiction.

Geoblocking all sanctioned countries was the best thing I ever did


Your annoyance is a feature, not a bug. You are supposed to get annoyed enough as a group to lobby your government to fight the internal problem


You're very naive to assume that this government takes any feedback.

I'll just leave this thread here: https://twitter.com/IrineKuklina/status/1578339408801304580


I am powerless to prevent even my local county from voting to steal my income to fund nonsense welfare, so I can only imagine how much less hope you have for political change and in your ability to meaningfully enact any.

Good luck, and I hope you stay out of harm's way.


How do you think any political change was ever achieved then?


Anyone can attempt political change, but it all comes down to EV.

I live in the US. I can openly speak my mind with relative safety. And I mean relative. My physical safety will likely not be risked, nor the physical safety of my family. But we are very much at a stage where any dissent is accompanied by internet mobs and unemployment.

Do I think that I can convince > 50% of voters in my county to rescind a 1% tax on my household income over $200k? Unlikely. Near zero probability. And my guess is that that probability is certainly less than the probability I am called a racist, transphobe, white supremacist. And that may reduce my income to $0. The EV play doesn't make sense when I have children to raise.

I imagine the above weighted by an openly corrupt gov willing to imprison and kill further diminishes the EV for an individual.


But the voters in the US aren't voting for or against a 1% tax on household income over $200k, or anything complicated like that. They're voting for team vs the other. So even if you could convince people about this tax or whatever, you really still are just hoping that the tax aligns with one team or another. Just hope you don't have any other issues you care about.


At the federal level, yes.

But voting exists at all levels, and I've found that the more local, the more you're exposed to the tyranny of the majority.

My example is based off the very real Portland Metro Supportive Housing Tax. The process was: get measure on ballot => get > 50% of votes. There were no "better men" involved to declare gov welfare as beyond the scope of government. All it took were a bunch of people that wanted an outcome voting for a process to achieve that outcome without having to pay for it.

My point was that I'm effectively powerless to prevent that issue or to reverse it, yet it's likely much easier to change relative to Russian, state-level policies, and I'm not dealing with physical dangers. Hence my condolences to the Russian.


Page doesn't exist?


Sorry, can't access, I'm from sanctioned country


They would take feedback the same way Napoleon did.


you are naive to think whether your government takes feedback is relevant or not (or that I was specifically talking about Russia, That is just one of many countries with shitty internet crime prevention that are routinely blocked and each of those shite countries have varying levels of shite leadership with varying levels of responsiveness).


oh but it does, you can submit it directly to Roskomnadzor so it can cooperate with said hackers and then GRU might even hire them directly /s


Ah, yes, the remaining English speakers in Russia will overthrow the literal millions of the silovik class whose entire job is to repress (with violence) any independent political activity. There is no "lobbying" in Russia, if you didn't know.

If you hate all Russians just say you hate all Russians. No need for this "lobby your government" euphemistic BS.


We in the west can't change your government to ban hacking requests.

We can block whole countries and make a practical reduction in hacks. Sorry that you got caught in the middle and feel you have no options.

Maybe someone who does have options and makes their money from non-hacking will be inconvenienced and ask for change instead.


So political change in russia is literally impossible and everything will be exactly the same 50 years from now?

Obviously not. Is such change easy? Again, obviously not, but the only way countries change is their own citizens wanting to make the change.


>So political change in russia is literally impossible

Precisely. It's basically impossible. There has to be at least a generational change, or a severe economic / military loss if we are talking about this decade, but even that isn't a guarantee since the system is perpetuating itself with force, with economic self-interest to continue doing so. Isolating Russian citizens from western sources of information (in addition to what the Russian government is already doing by itself) is not only not helping, it's counterproductive, since rejection engenders a rejection in return, lowering the probability that an inflection point in the Russian history would result in anything western.

>countries change

Authoritarian countries change when their enforcement class relaxes and loses control. It takes decades for it to occur. If there is no relaxation, then no change occurs, as demonstrated by numerous countries, not only Russia. Right now the control and propaganda are very tight. "Wanting to make change" publicly is literally a life-threatening activity.


Oh we do want to make this change. Desperately. The only minor issue with that is that we lack any means to do so. I'll be sure to do my part as soon as the window of opportunity opens.


It's probably risky, but absolutely there's a means to do so.

Be the change you want to see in the world. Change happens slowly at first, and then all at once.


No, there really isn't any means right now. Even peacefully protesting gets one arrested in minutes. It's not probably risky, it's risky with absolute certainty.

I did participate in opposition activities that were 100% safe. I signed for Nadezhdin and voted for Davankov for example.


What you're saying is there's no 100% safe way, not that there is no way.

Apparently desperately wanting change in Russia means desperately wanting someone else to change it for you, which perfectly aligns with the apathy the Russian population is infamous for.

If Putin somehow became unable to provide the population with food for three days, or pay his security team, you'd all quickly discover what desperately means, and I'm confident the problem would resolve itself quickly.

Your population's apathy has become the whole world's problem. pls fix.


So what, exactly, is your suggestion? "Do something"?


Yes, precisely that.


And nothing more concrete?


Not sure what concrete advice you expect me to write here in a public comment. I'm not in Russia, only started learning about Russia 3 years ago, and know nothing about you.

I presume you're good with computers so have the ability to access (and distribute) information that others may not. There's historical precedent, research how people have fought oppression in the past. Many books and manuals have been written about how this is done.

You may be able to access forums where like minded people can discuss and possibly work together. Obviously stay as safe as you can.

"Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. We must remember that one determined person can make a significant difference, and that a small group of determined people can change the course of history."

You're the best one to know what you can achieve - but I can tell you this, it's not nothing.

Anything that makes the mechanisms of oppression less efficient is a step in the right direction.

Every mechanism has weak points, leaky abstractions and incomplete assumptions. Find them.


There is no problem with access to information. Everyone who wants to access government-blocked resources knows how to do so.

The problem is that political change can't happen on the internet. And as soon as anyone tries to do something — anything — to that end in the real world, they face very real and fierce repression.

The consensus among most of the opposition-minded people at this point is that it's just better to wait it out because there's currently no opportunity for change.


They've won then. Nobody can do anything and Russia is lost and has become North Korea. I don't believe that.

How do you think change happens? Someone does something, while you continue to "wait it out".

Look into the Arab spring and many other examples of people changing things in ways that probably seemed impossible just the week before. Nothing was 100% safe, and yet it happened.

I hope that somewhere out there is a Russian that doesn't think it's "just better to wait it out", and isn't just impotently waiting for a fantasy 100% safe solution to be provided without any sacrifice.

I do understand that it's scary, but from the perspective of an interested outsider looking in...

Just like the Russian military, Russian society seems like a disorganized drunken shitshow, not well-organized nor impossible to overcome with concerted effort. It's all lies, bullying, bluster, imaginary facades, short-sighted and selfish corruption. Vranyo.

https://www.youtube.com/watch?v=Fz59GWeTIik

In comparison, I'm sure you'd agree that North Korea is much more of a brutal, almost impossible to overcome dictatorship. People starving and with no electricity.

What do you think would happen at a North Korean rally if the people threw the flags in the trash immediately after, with open disdain for the authorities, as they do after Russian ones?

That's the society to which you're headed.

Don't kid yourself, you are not headed in the direction of a society where 100% safe solutions will present themselves out of thin air. Russians need to do something to change that direction before it becomes increasingly difficult.

You have been lucky so far that you have been comfortable enough to have the luxury of not understanding what desperate means. Your stomach is full and you and probably nobody from your family has been mobilized yet. You can pretend the war won't affect you.

But it will eventually. As sanctions continue to take effect and resources are squeezed, times will become even tougher and the Russian people will lose more and more of their ability to create change.

They're already sending meat waves on motorbikes and golf carts against entrenched positions. Almost 500,000 Russians dead or wounded, for what? Defending the motherland from NATO, a defensive alliance? Nobody was attacking Russia.

This is all nothing but a manufactured distraction from the authorities' own financial corruption and mismanagement.

Soon enough will come Totaler Krieg and the paper-thin mask will come off.

Relatively free access to information will be restricted further, to strengthen the propaganda which will trend more and more towards alternate reality propaganda.

Russia's greatest success has been their post-truth propaganda that made their people, especially the ones without access to the government-blocked resources, apathetic and unable to determine truth for themselves despite relatively straightforward (for you) access to information.

https://www.youtube.com/watch?v=pdS-lwb58KU

The whole world is now having to deal with the consequences of your apathy.

Why do you think they made laws against disrespecting the military? Because the truth, if it was distributed to the ones who don't have access to it, is a weapon that will work against them. Bullies are weak and they know it. Also, their resources are getting more and more stretched the more they waste in Ukraine.

I'm sure with a bit of imagination and introspection you can think of other weapons that might work as well.

Or, hopefully someone else will, because you seem to have given up.


>Nobody can do anything and Russia is lost and has become North Korea. I don't believe that. >seems

Can you not sanctimoniously and arrogantly teach people, who actually live in it, what to do, from the comfort of your western home, while knowing almost nothing, as evident from this write up?

The first youtuber you linked is a systematically misinformed blabbing head, the other one is an immigrant turned neocon. If these are your sources of information, and you don't know Russian, good luck understanding anything at all.


Whatever nonsense I may spout, it's still up to the Russians to fix it. The country is a terrorist state and cancer on the world.

You've addressed nothing in my post, given no information, and provided no counter to anything I wrote.

The poster sounds like Putin's perfect Russian citizen. "Desperate for change", but does nothing because they must be "100% safe" at all times. Can't even consider doing anything.

They'll be a perfect mobik next year. Better order some more golf carts, or maybe by then they'll be down to stolen bicycles.


Sure hope your govt is not monitoring your posts


The idea that Westerners might "hate" Russians (the people -- not the dictators and their regimes' activities) always seemed so silly to me that I assumed the majority of the related propaganda would be laughed off.

In my experience, the worst general case you have from Americans is absolute "other side of the planet" indifference. Hence the apathetic practice of blocking Russian-originating IP traffic... This may be arguably worse than hate.

A slightly better case, I think, is a healthy segment of the American populace thinks Russians are like the FPSRussia YouTube channel from a few years ago. (Disclaimer: Not sure what the status of that channel is now. Plus, I always figured he was geographically in the southern USA.)


people here are not thinking in whole systems-- roads have dual purpose.. there is security AND there is trade .. a world without trade is a poor world.. that includes the intellectual arts, civilian institutions cooperating, common issues like Climate.

The voices here that say "I block everyone, don't bother me with your whining" .. it is a security practice.. OK. security is not the whole story of civilizations; obstinate thinking leads to ignorance, not evolution.

The topic is SSH, an administrative and secured access. Yes security applies. to be on-topic


Of course one can obfuscate and secure their own SSH access as much or as little as they want. Run sshd on a different port, require port knocking, ban IPs after failed login attempts, all that kind of stuff.

I'm, however, specifically talking about public-facing services like HTTP(S), which also get blocked with this "I'll just indiscriminately blacklist IPs belonging to countries I don't like" approach.


Malicious traffic is not limited to ssh and comes from the same usual suspects. Automated attacks against web applications are constant. I wouldn't say it's indiscriminate, it's practical.


There are bad people on both sides of the border - don't be fooled that there are more on the "other" side of the border because there might be ones that you are not seeing (yet). Blocking the whole "other side" is simply the "path of least resistance" or the "low hanging fruit". Creation and all other good things ALWAYS require more energy than destruction and other bad things. But creation/invention is the only activity that leads to progress and evolution - everything else is stalling, regression, devolution ... The Internet was created BY the military FOR the military - but it evolved into THE only thing in the world that connects people. ALL people. References at the bottom.

The most general problem on the Internet is not the malicious people - botnets can infect insecure devices ANYWHERE in the world. The main problem is that some (many) of the ISPs at the last mile allow outgoing IP packets with a source IP address which is outside of the IP range(s) these ISPs operate/own. Larger ISPs on the upper layer can not prevent this because otherwise IP routing will break. So it all depends on the "last mile" ISPs. And it is quite possible for the "status quo" to live for many years ....

https://www.internetsociety.org/resources/2022/impact-of-ukr... https://labs.ripe.net/author/athina/how-sanctions-affect-the... https://labs.ripe.net/author/farzaneh-badiei/sanctions-and-t... https://www.sciencedirect.com/science/article/pii/S030859612... https://labs.ripe.net/author/moritz_muller/internet-sanction...


Yeah exactly, try running an esp VPN on a different port and see how well that works.


Had a reddit clone. The amount of Russian spam coming in was nuts.

Blocking the ru language blocked all spam. And since it didn't have Russian users, it was an easy choice to make.


I think it’s harmless though if say it’s a business site or mail site that is only meant to do business with a subset of people, like a country or region. That said, I think it’s of highly limited value though because any hacker above Lvl 1 will know how to use a bot, remote box, or VPN from a more local IP.


> It's extremely annoying

Now imagine how annoying Russian traffic is to the world's sysadmins. Then could you please point your finger at who's more wrong here: your government or the sysadmins of the world?


I assume you don’t host anything that could be useful to the 1.5 to 2 billion people that you’re blocking.


Or they host a business site that doesn't do business in those countries and so nothing of value is lost to them. For example, it's literally illegal for me to accept payments from .ru, so why bother wasting their time and my bandwidth?


I live in the EU, and a bunch of American sites just block the whole EU due to GDPR laws.

Then someone in the US uses my email by accident to subscribe to some newsletter (not the first time, I also get personal emails for that person, since it's just one letter difference, and I'm guessing it's someone old, considering the emails I get), I try to click "unsubscribe", and it just redirects me to a "<site> is unavailable in EU, blah blah" page, without unsubscribing.

I make sure to report that site to every goddamn spam list possible.


IMO replying unsubscribe should always work for marketing emails and if it doesn’t then I flag the email as spam. Nope, I’m not going to visit that tracked / info gathering unsubscribe link.


I only use unsubscribe links from things I voluntarily and willingly subscribed to.

If I was involuntarily subscribed to something, or subscribed because of an inconspicuous "subscribe me" checkbox that I probably didn't notice, including from a legit business that I purchased an item, it's getting reported as spam in Gmail.


This is the right approach. Usually I also avoid any future business with a company that starts spamming me.


> a bunch of american sites just block the whole EU due to GDPR laws.

Which is incredibly reasonable. If the EU didn't try to claim EU law applies globally, those sites might still be up.


The US is just as bad at extraterritorial law, see FATCA for just one example.

https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...


That situation is quite different. The US is using its significant power and weight to coerce those non-US banks into compliance with FATCA. Those banks don't have to comply, but if they want to do business with the US and US companies, then they don't have much of a choice.

It's not like they just made a law and now insisted it applies globally, which is what the EU did.


Isn’t it actually exactly the same? The website doesn’t have to comply (and many don’t), but if they want to do business in the EU, they have to. How is that different?


No, it's not remotely the same.

The US is using the fact that people want to do business with them to coerce compliance, and as written the law only applies to US persons.

The EU claims the GDPR applies globally, regardless of if people want to do business with the EU, or even if people ever set foot in the EU. It's amusing nonsense.


it's effectively the same, small banks just shove you out of the building and refuse to open a bank account for you if FATCA applies to you, their compliance is through just not accepting US tax payers.

This is a real issue that leaves US citizens only able to open accounts at bigger banks (with shittier services but enough budget to hire a FATCA compliance department)


> it's effectively the same

Nope. Not even close.

Practically the GDPR law has no teeth at all because its claim of extraterritorial jurisdiction is nothing but nonsense.

FATCA applies because the US has a carrot or stick to enforce it.

Also, the US law as written is entirely reasonable and doesn't try to claim the law applies to US citizens anywhere in the world.


> US law as written is entirely reasonable and doesn't try to claim the law applies to US citizens anywhere in the world.

It absolutely does.

The USA has laws that govern what its own citizens do abroad, like: you aren't allowed to have sex with minors or pay bribes when abroad.

The USA also recently passed a law that allows it to prosecute foreign officials who solicit bribes from USA entities. https://www.ropesgray.com/en/insights/alerts/2023/12/us-cong...


> It absolutely does.

Absolutely, absolutely, it does not.

The USA law is saying US law applies to US persons wherever they may be in the world.

The EU law is saying EU law applies to ANYONE in the world if an EU person interacts with them via the internet.

You realize those two things are not the same, right?


> The USA law is saying US law applies to US persons wherever they may be in the world.

"The USA law is saying US law applies to ANYONE (bank in this case) in the world if a US person interacts with them."

See how you can put it the exact other way without changing the meaning at all?


I haven't changed the meaning, I simply stated things accurately.

Here, though, you've misstated things inaccurately. You seem to think the points are interchangeable, and the only issue here is semantics. You couldn't be more wrong.


If you think I changed the meaning, please tell me what the difference is.


Perhaps you should re-read what you wrote. You specifically stated that US law does not apply to US citizens abroad.

In addition, one of my examples specifically allows the prosecution of non-us citizens for their actions abroad toward US citizens. This directly contradicts the point you claim you were making but didn't accurately state.


You're right, I noticed the inconsistency due to my error, but I had no way to edit and refine it.

I didn't know that it is illegal to pay bribes overseas, and as someone who has traveled extensively and knows it is necessary sometimes, I'm curious how enforced that law actually is. Either way though, that example and the illegal sex one are both US law applying to US persons, not US law applying to non-US persons.

> In addition, one of my examples specifically allows the prosecution of non-us citizens for their actions abroad toward US citizens.

I apologize for not giving this specific point more attention. That law is interesting, and to quote the wiki page, "The law is quite specific in that it is intended to be extraterritorial in nature".

This seems to be the first law of its kind, as unlike the other examples you gave, it explicitly applies worldwide to any foreign officials.

In response to this law I would make two points. One, it hasn't been signed into law yet, and two, this is significantly more narrow in scope than the EU law which applies to anyone running a site that an EU citizen visits.


> I'm curious how enforced that law actually is.

Enforcement of the anti-bribery laws isn't really targeted at individuals traveling for fun. It is more meant to stop businesses from bribing officials.

> this is significantly more narrow in scope than the EU law which applies to anyone running a site that an EU citizen visits.

If you are looking for broad scopes, copyright and espionage are both areas where the US asserts its right to prosecute non-citizens for acts committed outside the country. For specific high-profile examples, look at Kim Dotcom and Julian Assange.

In the age of the internet, pretty much every country would like to be able to prosecute non-citizens for acts they commit while outside the country. Hackers, scammers and fraudsters frequently commit crimes against citizens of other countries and the countries where the victims reside have a clear interest in prosecuting those criminals. The limitations of doing so depend on their ability to get that criminal extradited.

With this understanding, the EU laws aren't really any different.


> Enforcement of the anti-bribery laws isn't really targeted at individuals traveling for fun. It is more meant to stop businesses from bribing officials.

That's fair enough. But then it isn't really comparable, is it? If I host a site for fun in the US that targets as much data as I can about EU citizens and targets EU citizens but doesn't break any US laws, I would still be targeted, right?

Not to mention, bribery is likely illegal in all or at least most countries.

> If you are looking for broad scopes, copyright and espionage are both areas where the US asserts it's right to prosecute non-citizens for acts committed outside the country.

These still are not good examples. Every country has laws to prosecute spies, and copyright has numerous international treaties.

These areas still don't compare, at all, to the EU saying EU law applies to anyone in any country if a EU citizen visits it and the site collects their data and targets them in a way Europe doesn't like.

> With this understanding, the EU laws aren't really any different.

You say in the age of the internet a lot of countries would like to persecute people outside their borders for offenses that take place, to some extent, in their borders.

The thing is, the EU is the first to actually claim the power to do so. The other examples you or anyone else gives just don't map for one reason or another.


> These still are not good examples. Every country has laws to prosecute spies, and copyright has numerous international treaties.

You are just moving the goal post yet again. I fail to see any difference between laws that govern foreign citizens' movement of copyright data and laws that govern foreign citizens' movement of private data.

If anything, I think privacy laws are MORE ethically defensible than copyright laws since they tend to protect the powerless against the powerful rather than vice versa.

> The thing is, the EU is the first to actually claim the power to do so

Again you are saying things that have been already shown to not be true.


> You are just moving the goal post yet again.

No, I'm not. I've been consistent from the start. Seriously, go look at my earlier replies.

All your examples are either laws that have treaties backing them, or don't apply to most people, or only apply in very specific circumstances.

None of them, absolutely NONE, are as far-reaching as the EU law. The EU claims it applies to ANY entity in ANY country so long as ANY EU citizen visits, and that entity collected data and targeted EU citizens in a way the EU didn't like.

That's what makes it different. That isn't moving the goal posts, that's pointing out very clearly that this apple very clearly isn't like your orange.

> Again you are saying things that have been already shown to not be true.

Only if you remove all relevant details that show everything I've said is absolutely correct.

Enough with the tribalism. There is no shame in admitting the EU made a far-reaching law, a first of its kind, that it has no hope of enforcing.


> Seriously, go look at my earlier replies.

I did, you mentioned 'treaties' for the first time in your last comment.

The ability of the USA to prosecute Kim DotCom didn't depend on any treaty. The extradition process did, but that is a question of custody.

In addition, there ARE numerous trade treaties that cover privacy, the right of countries to implement privacy regulation on international trade and specific protections that allow data exportation from the EU.

> The EU claims it applies to ANY entity in ANY country so long as ANY EU citizen visits, and that entity collected data and targeted EU citizens in a way the EU didn't like.

This is false. The entity has to be based in the EU or be offering goods and services to people in the EU to have the GDPR apply.

> There is no shame in admitting the EU made a far-reaching law, a first of its kind, that it has no hope of enforcing.

While it is a far-reaching law, it is not the first of its kind and there are thousands of fines and penalties issued under it each year.

> Only if you remove all relevant details that show everything I've said is absolutely correct.

I've already provided several examples that disprove your statement. The "relevant details" are the qualifications that you keep making up but conveniently still leave off when making your false claims.

You've said so many false things throughout your comments, starting with the "US law as written is entirely reasonable and doesn't try to claim the law applies to US citizens anywhere in the world." which you even doubled down on with a double "absolutely" when I first called you on it.

At this point, I suggest you put far more effort into verifying the accuracy of what you say or nobody will take anything you say seriously. I certainly don't anymore.


I said "go look at my earlier replies" not specifically to say I had mentioned treaties earlier, but to say I hadn't been moving the goalposts. My point is the exact same.

> The extradition process did, but that is a question of custody.

This is the key point though. Plenty of western countries and especially AU/NZ are super buddy buddy with the US and happy to cooperate. Especially when they agree with the laws.

Most countries won't extradite someone for a (from their point of view) silly GDPR violation.

> In addition, there ARE numerous trade treaties that cover privacy, the right of countries to implement privacy regulation on international trade and specific protections that allow data exportation from the EU.

There is not a single treaty that covers allowing the EU the extraterritorial jurisdiction they claim for the GDPR.

> This is false. The entity has to be based in the EU or be offering goods and services to people in the EU to have the GDPR apply.

You're right, my apologies - I should have added "offering goods and services to people in the EU" to be more specific, I had thought you would infer that from our discussion as I'd made that point previously, multiple times.

SO, here you go, a refined point: The EU claims it applies to ANY entity in ANY country offering goods and services to ANY EU citizen, and that entity collected data and targeted EU citizens in a way the EU didn't like.

That's what is ridiculous, that is what is entirely unlike any US law you've tried to compare it to. They have no ability to prosecute foreign violations and that's why, since the GDPR came into effect, they never have.

> it is not the first of it's kind

It is. Specifically for declaring its extraterritorial jurisdiction in the legislation, and because that can be aimed at anyone operating the 'wrong' type of website, not just officials or people committing a specific crime.

> I've already provided several examples that disprove your statment.

No. You provided examples of laws that are not analogous, and I explained why that is.

> The "relevant details" are the qualifications that you keep making up but conviently still leave off when making your false claims.

I have not made a single false claim. Not one. You either have a misunderstanding of the GDPR, or you are going out of your way to defend and downplay the issues.

> you even doubled down on with a double "absolutely" when I first called you on it.

Yeah. I really suspect you are deliberately taking things literally instead of just inferring what is obvious from the context so you can make these kinds of points, but instead of assuming bad faith I'll assume it's a misunderstanding.

> At this point, I suggest you put far more effort into verifying the accuracy of what you say or nobody will take anything you say seriously. I certainly don't anymore.

At this point, I suggest you do a little more research before jumping into these kinds of discussions. Sure, you caught me out with lacking a few qualifiers, but my overall claim is absolutely correct.

No other western country has a law as far-reaching and widely applying as the GDPR, and no other western country has such a toothless law that has been so publicized that could never hope to be enforced.


> You either have a misunderstanding of the GDPR, or you are going out of your way to defend and downplay the issues.

I have a sufficient understanding to call you on your "non-literal" claims.

Call it what you will, but if you knew better and still made these "non-literal" claims, I call that "lying".


I'm not lying and you know I wasn't. You can't support your point so you were looking to get points in any way you can. It's OK, I called out tribalism earlier on in the thread. I'm pretty used to it at this point. All good, no hard feelings.

Take care.


If the GDPR has no teeth and the EU no stick to enforce it with, then US companies following it would not be reasonable like you have claimed.


The GDPR has no teeth to enforce fines outside of its jurisdiction. Which is why it never has despite finding violations.


Why is it different?

People don't have to comply with the GDPR, but if they want to serve EU folks then they don't have a choice.


The EU claims their law applies globally regardless of whether people set foot in or do business in the EU. According to the EU, an EU citizen just needs to visit a site and the law applies, regardless of where the site is hosted.

According to the EU, the GDPR applies to some small shop owner in China with a website that harvests all data it can that isn't advertising in the EU, courting EU citizens in any way, has no business with the EU, etc.


Once privacy is considered as a fundamental human right, everything makes sense. When an EU citizen visits a site and the site collects their data in an unbounded way, their privacy is violated and any government should be responsible for protecting its citizens.

In my point of view, this is a difference of how much we define privacy as human right and what data are considered private.


> Once privacy is considered as a fundamental human right, everything makes sense.

Does it? I agree it should be, and I want to work towards a better world also, but pretending you have jurisdiction when you clearly do not, doesn't seem helpful in any way.


I suppose it will be treated as other international jurisprudence. However it is indeed not practical for individuals.


According to the US, a US citizen just has to open a bank account anywhere in the world and the law applies, regardless of where the bank is hosted.



> If the EU didn't try to claim EU law applies globally, those sites might still be up.

It doesn't; it applies to EU residents. Your non-EU business is free to do whatever it wants, but as soon as you do business with EU residents EU law applies.

This is more or less how it works everywhere (with some exceptions).

And deciding not to do business with EU residents (i.e. block in EU) is of course a perfectly valid and reasonable choice. But not because "EU laws apply globally".


> It doesn't; it applies to EU residents. Your non-EU business is free to do whatever it wants, but as soon as you do business with EU residents EU law applies.

See, you say it only applies to EU residents, but that isn't the case.

The real issue is where you say "but as soon as you do business with EU residents EU law applies", and, well, that's just nonsense.

I have a US site. I can operate my business any way I like as long as I don't break any Federal or State laws, and I can break every single EU law that doesn't have an equivalent US law.

The EU can't touch me. EU law doesn't apply to me, even if I advertise the hell out of my site to try and attract as many EU citizens as possible.

All the EU can do is firewall me off, prosecute me if I come to the EU and police or punish its citizens.

> This is more or less how it works everywhere (with some exceptions).

It's really not. The EU's claim of global jurisdiction is unique and a first. There may have been loosely similar things, but nothing quite like this.

> But not because "EU laws apply globally".

You should inform the EU they should correct their legislation then.


Sure, but if some Little Whinging news from North Arizona (fictional newssite) starts spamming me, because some grandma there can't remember his email address, and won't let me unsubscribe, I'll do everything I can do within my five minutes of anger to make them rethink.


Consider reporting it to the host, ISP and/or FTC next time - GDPR "compliance" doesn't let US businesses ignore the CAN SPAM act.

https://consumer.ftc.gov/articles/how-get-less-spam-your-ema...


Spam and collecting/storing data are not the same problems.


What? No

Claiming jurisdiction by server location is the stupidest thing ever if you're trying to have any kind of customer protection laws. You have to go by customer location.

However, the claim that they have jurisdiction over EU citizens abroad is very questionable.


If a European travels to a grocery store in Nevada, assuming they'd be protected by EU laws is a bit goofy.

If they travel to my US server digitally and want my data back, I shouldn't have to know EU laws. They came to me.

I guess you could argue that if I'm then willing to send them data, then I need to play the game. Like a Nevada store that ships to France.


> However, the claim that they have jurisdiction over EU citizens abroad is very questionable.

The GDPR makes no jurisdictional claims at all based on citizenship, despite a lot of inaccurate summaries saying otherwise. For those cases where the GDPR cares about individuals being EU or non-EU, it only cares about their location, not about their citizenship / nationality or their residence.


> Claiming jurisdiction by server location is the stupidest thing ever if you trying to have any kind of customer protection laws. You have to go by customer location.

I disagree, because that's impossible. That's why the EU's attempt is largely a joke. Literally - it seems to get mocked a lot when I tried reading up on the credibility and practicality of what they claim.

> However, the claim that they have jurisdiction over EU citizens abroad is very questionable.

It's the claim that they have jurisdiction over non-EU citizens and businesses in their own countries which is so laughable.


> Literally - it seems to get mocked a lot when I tried reading up on the credibility and practicality of what they claim. [...] > It's the claim that they have jurisdiction over non-EU citizens and businesses in their own countries which is so laughable.

Most of this mockery is based on misunderstandings that overgeneralize what the EU is asserting and overlook what most other countries assert.

Most countries have some laws that under some circumstances purport to apply to foreign non-citizens located outside the country, not just the EU.

A key example is defamation law. If you are a Brazilian citizen located in Brazil and you specifically target publications online to UK or Canadian or US audiences in ways that are viewed as defamatory in those jurisdictions, you could very well get sued in those countries' courts, and there are absolutely cases where those courts would uphold their jurisdiction based on the specifically targeted publication.

Similarly, when asked to decide if they have jurisdiction to enforce local consumer protection law against a foreign defendant, the courts in the Canadian province of Quebec will consider whether the foreign defendant has tried to target Quebec consumers, should know that it has ongoing substantial sales to Quebec consumers, et cetera - not only whether it has a business establishment in Quebec.

Conversely, if you are a hotel in New Hampshire, USA and someone located in an EU country visits your US-based English-language USD-only hotel website and books a room for their upcoming visit, the GDPR probably does not apply, since there is no attempt to target the EU. Among other exceptions, the conclusion could be different if the hotel website allows bookings in EU currencies or languages (not counting English and maybe not US/Latin American Spanish because of their use in the US), since that shows an intention to target EU visitors.

If merely being foreign allowed EU-focused businesses to avoid the GDPR, that would be an extremely huge loophole, and EU businesses would make deals with those foreign businesses to shift as much as possible of their data processing stream outside the scope of the GDPR. It would pretty much swallow the whole law. It's not a viable approach.

Similarly, monitoring the behavior of visitors in the EU can also lead to the GDPR applying, since otherwise EU businesses would pay foreign businesses to track their visitors on their behalf, doing whatever legal ownership transfer shenanigans they have to in order to make that work. ("Oh no, this is not a European-owned website, it's an American website to which we've licensed our brand content and which shares 99% of its subscription and ad revenue with us as their license fee... they are allowed to track you even if we can't...")

Of course, you're quite right if you view it as a mockable idea that the EU would be going into foreign countries to bust down doors and collect fines from foreign businesses. Just as clearly, they aren't pretending they can do that.

But if a foreign company does get assessed with a GDPR violation fine in the EU, it certainly gets harder for them to continue to engage in business dealings with anyone in the EU without that fine becoming more possible to collect - and in some cases there are established mutual legal assistance treaties through which EU countries can get foreign countries to help with collecting a judgment outside of the EU.

My guess as to why these non-EU companies prefer to block the EU instead of comply with the GDPR is simply that they don't view the risks of being found in violation as worth the benefits of the additional audience - not because they would necessarily be found in violation. Most of the local news channels would probably not be found in violation if they excluded visitors in the EU from behavior monitoring, but many of those sites don't consider it worthwhile even to take the risk.


> Most of this mockery is based on misunderstandings that overgeneralize what the EU is asserting and overlook what most other countries assert.

I think that's mostly assumption. Much of the mockery was in legal journals for example - an audience that would be more familiar with the text of the legislation than most.

> Most countries have some laws that under some circumstances purport to apply to foreign non-citizens located outside the country, not just the EU.

Maybe a few other countries have something in the same general category, but none as far reaching as GDPR law tries to be. And certainly it's a minority of countries that have such laws, not most.

> A key example is defamation law. If you are a Brazilian citizen located in Brazil and you specifically target publications online to UK or Canadian or US audiences in ways that are viewed as defamatory in those jurisdictions, you could very well get sued in those countries' courts, and there are absolutely cases where those courts would uphold their jurisdiction based on the specifically targeted publication.

I'm not exactly clear what you are saying here, but in any event, at least in any interpretation I can think of, the analogy doesn't map. If a UK entity sues a Brazilian in a Brazilian court, that's all pretty normal. That's just the UK entity doing something they are able to do in compatible courts, that's not UK law applying to Brazilians.

> Similarly, when asked to decide if they have jurisdiction to enforce local consumer protection law against a foreign defendant, the courts in the Canadian province of Quebec will consider whether the foreign defendant has tried to target Quebec consumers, should know that it has ongoing substantial sales to Quebec consumers, et cetera - not only whether it has a business establishment in Quebec.

And how is this relevant? That foreign defendant would be present in Quebec to be tried, so it's quite a bit different from the EU claiming Joe Schmoe halfway around the world who has no interest in the EU or Europe and has never been there, is subject to EU law because an EU citizen visited their data collecting site.

> Conversely, if you are a hotel in New Hampshire, USA and someone located in an EU country visits your US-based English-language USD-only hotel website and books a room for their upcoming visit, the GDPR probably does not apply, since there is no attempt to target the EU.

The attempt to target the EU would simply be having online advertising that would show up in the EU.

> Among other exceptions, the conclusion could be different if the hotel website allows bookings in EU currencies or languages (not counting English and maybe not US/Latin American Spanish because of their use in the US), since that shows an intention to target EU visitors.

I don't think this is the actual text of the law. The EU claims GDPR applies to a small data collecting site, say, in Vietnam, that wants to store and retain and sell all the data it can about anyone that visits its site. That's what is ridiculous, that's what is incomparable to anything else you have listed.

But in any event, let's say that is the law. Let's say this site in my Vietnamese example goes out of its way to target the EU, having French and Spanish as default languages, having language flags for every EU country, and paying for advertisements (but only on US sites with US companies, let's say, just to reinforce the point that no business has been done in the EU) - well, in that case, it's still bonkers that the EU thinks they have any jurisdiction over the operator of that site.

The ONLY thing they can do is firewall it off, like China does. That's it. Claiming to have global jurisdiction as they do just makes them look foolish.

> If merely being foreign allowed EU-focused businesses to avoid the GDPR, that would be an extremely huge loophole,

This is already reality, though. Any business in the world can court EU consumers, and only the EU can prevent that by further policing its citizens. They are powerless to stop foreign businesses any other way since they only have jurisdiction in their own borders...yet they claim the opposite.

> Of course, you're quite right if you view it as a mockable idea that the EU would be going into foreign countries to bust down doors and collect fines from foreign businesses. Just as clearly, they aren't pretending they can do that.

It's mockable that they claim they have any jurisdiction outside their borders in the contexts they do, period.

> But if a foreign company does get assessed with a GDPR violation fine in the EU, it certainly gets harder for them to continue to engage in business dealings with anyone in the EU without that fine becoming more possible to collect - and in some cases there are established mutual legal assistance treaties through which EU countries can get foreign countries to help with collecting a judgment outside of the EU.

There is absolutely no instance of a foreign court upholding a GDPR fine and I don't expect there ever will be, nor is there any treaty that would allow for that as far as I know. If you know otherwise and could name such a treaty I would appreciate it.

The only thing the EU can do is get a judgement against that person or company and arrest people if they enter the EU, firewall off hosts, or police and punish its own citizens.


> I think that mostly assumption. Much of the mockery was in legal journals for example - an audience that would be more familiar with the ext of the legislation than most.

There's lots of bullshit in legal journals too, partly due to how most of those journals are student-reviewed rather than peer-reviewed, and partly due to how politicized the legal academy is. Care to provide a cite?

> I'm not exactly clear what you are saying here, but in any event, at least in any interpretation I can think of, the analogy doesn't map. If a UK entity sues a Brazilian in a Brazilian court, that's all pretty normal. That's just the UK entity doing something they are able to do in compatible courts, that's not UK law applying to Brazilians.

No, I'm saying that a UK entity can sue a Brazilian for defamation in UK court, not Brazilian court, and win jurisdictional arguments in the UK court based on the Brazilian's publications being targeted to the UK - even if the Brazilian has never been to the UK. And all of this would be based on UK law, not Brazilian law.

> And how is this relevant? That foreign defendant would be present in Quebec to be tried,

I said nothing about the foreign defendant being present in Quebec, no. Everything I said applies even when that is not true.

> so it's quite a bit different from the EU claiming Joe Schmoe halfway around the world who has no interest in the EU or Europe and has never been there, is subject to EU law because an EU citizen visited their data collecting site. > [...] > The attempt to target the EU would be simply be having online advertising that would show up in the EU.

This is among the common global misinformation about the GDPR that does not reflect the EU's actual legislation or their actual guidance about the GDPR. Read Article 3 of the GDPR or Recitals 23 and 24 of the official guidance about it.

https://gdpr-info.eu/art-3-gdpr/

https://gdpr-info.eu/recitals/no-23/

https://gdpr-info.eu/recitals/no-24/

(Note, that website is not an official source, but it's a more convenient way for me to link to the relevant sections than the official sources.)

Merely not blocking online advertising from showing up in the EU does not cause GDPR to apply. Nor does merely receiving a visit from an EU citizen.

However, monitoring behavior by visitors where that behavior occurs in the EU does. So if a website's preferred online advertising model depends on monitoring the behavior of their visitors and they don't want to make an exception to that for visitors in the EU, that's the source of the GDPR applicability - not the online advertising itself.

And I already explained why this is necessary to avoid a huge truck-sized loophole.

> I don't think this is the actual text of the law. The EU claims GDPR applies to a small data collecting site, say, in Vietnam, that wants to store and retain and sell all the data it can about anyone that visits its site. That's what is ridiculous, that's what is incomparable to anything else you have listed.

Again, read Article 3 of the GDPR and Recitals 23 and 24 of the official guidance. The EU does not claim the GDPR applies there.

> But in any event, let's say that is the law. Let's say this site in my Vietnamese example goes out of it's way to target the EU, having French and Spanish as default languages, having language flags for every EU country, and paying for advertisements (but only on US sites with US companies, lets say, just to reinforce the point that no business has been done in the EU) - well, in that case, it's still bonkers that the EU thinks they have any jurisdiction over the operator of that site.

You would be amazed at how many countries would apply their jurisdiction to foreigners with respect to how many laws in this kind of scenario. People have been persuaded otherwise by anti-GDPR propaganda by the industries that depend on routinely violating the GDPR, but it's really true.

In particular, look at this summary on Wikipedia of personal jurisdiction in Internet cases in the United States:

https://en.wikipedia.org/wiki/Personal_jurisdiction_in_Inter...

Many, many, many of those scenarios can happen when the out-of-state website operator has never been to the US and is not a US citizen or company. The phrase "purposely availed itself" in that US jurisprudence is very similar to what I was calling targeting the EU in my previous comments.

More information on the underlying principles and laws, again from the US perspective:

https://en.wikipedia.org/wiki/Minimum_contacts

https://en.wikipedia.org/wiki/Long-arm_jurisdiction

> The ONLY thing they can do is firewall it off, like China does. That's it. Claiming to have global jurisdiction as they do just makes them look foolish.

They claim just as much jurisdiction as most countries do - but most countries don't have privacy laws like the GDPR, so the industries who are crying about the GDPR aren't crying about most other examples.

> There is absolutely no instance of a foreign court upholding a GDPR fine and I don't expect there ever will be, nor is there any treaty that would allow for that as far as I know. If you know otherwise and could name such a treaty I would appreciate it.

Small correction to my previous comment: while there are indeed some multilateral treaties about the recognition of foreign judgments such as can happen for unpaid GDPR fines, you're right that the US isn't part of those treaties.

However, US state laws do allow recognition of many foreign judgments, with the details varying widely. There is a federal law which prohibits US enforcement of foreign libel judgments that would violate the First Amendment if they had been from a US court, but there is no federal law restricting states from recognizing most other foreign judgments they might choose to recognize. And again, in many cases states do so choose.

I would be quite surprised if all US states would never enforce a court judgment from an EU country resulting from a GDPR violation. Said differently, I expect that at least some US states would enforce such a judgment under at least some facts and circumstances.

> The only thing the EU can do is get a judgement against that person or company and arrest people if they enter the EU, firewall off hosts, or police and punish its own citizens.

Even when the company has no assets in a jurisdiction that allows recognition of EU judgments resulting from GDPR violations, they can also seize movements of money or goods into or out of the EU which belong to the company that isn't paying the judgment.

Anyway, "police and punish its own citizens" isn't the scenario being discussed here - nobody violates the GDPR by accessing or using a website that violates the GDPR. The violation is the website's alone.


> There's lots of bullshit in legal journals too, partly due to how most of those journals are student-reviewed rather than peer-reviewed, and partly due to how politicized the legal academy is. Care to provide a cite?

I don't care to provide a cite, but this seems rather dismissive. Plenty of peer reviewed legal journals also found the idea mockable.

> No, I'm saying that a UK entity can sue a Brazilian for defamation in UK court, not Brazilian court, and win jurisdictional arguments in the UK court based on the Brazilian's publications being targeted to the UK - even if the Brazilian has never been to the UK. And all of this would be based on UK law, not Brazilian law.

Oh, sure. There's nothing really special about that. I can sue anyone in the world if I want to, it won't matter much if they are not in the same country as me and never come. A best case scenario would be getting a default judgement that couldn't be enforced and if they ever did come would be overturned instantly, so basically worthless.

That doesn't mean US laws apply to everyone in the world though.

> I said nothing about the foreign defendant being present in Quebec, no. Everything I said applies even when that is not true.

OK. Then like your previous example it isn't relevant or analogous.

> This is among the common global misinformation about the GDPR that does not reflect the EU's actual legislation or their actual guidance about the GDPR

Except it does. They explicitly assert extra-territorial jurisdiction for cases like this. That's why there was so much written about it.

> However, monitoring behavior by visitors where that behavior occurs in the EU does. So if a website's preferred online advertising model depends on monitoring the behavior of their visitors and they don't want to make an exception to that for visitors in the EU, that's the source of the GDPR applicability - not the online advertising itself.

Right, and that's nonsense. It still all boils down to the basically zero possibility of practically enforcing any of their laws against, say, actors in developing countries with no relationship with the EU, or worse, hostile to the EU.

> And I already explained why this is necessary to avoid a huge truck-sized loophole.

And I responded explaining why I think your explanation is incorrect.

> Again, read Article 3 of the GDPR and Recitals 23 and 24 of the official guidance. The EU does not claim the GDPR applies there.

Instead of just quoting the GDPR, which we've both read, how about sharing the text you think applies and your interpretation? Something I can actually refute.

> You would be amazed at how many countries would apply their jurisdiction to foreigners with respect to how many laws in this kind of scenario. People have been persuaded otherwise by anti-GDPR propaganda by the industries that depend on routinely violating the GDPR, but it's really true.

I don't think it has anything to do with "anti-GDPR propaganda", more the GDPR being unique. The examples you gave didn't map to the GDPR, can you give some that do?

> They claim just as much jurisdiction as most countries do

This is false. They claim more than any other western country does.

> Everything and everyone is mockable, even me, even you, even everyone we know. That doesn't mean what you think it does.

It means exactly what I think it does. To try and dismiss the meaning I intended and succeeded in conveying and that you understood, you are taking the meaning literally when you know that isn't the meaning conveyed here - "mockable" here means, having something juicy and rich to milk for material, the results of which are relatable and appreciated by the intended audience. Not everything meets that definition, certainly not everything and everyone.

> while there are indeed some multilateral treaties about the recognition of foreign judgments such as can happen for unpaid GDPR fines,

Can you name one non EU country that has a treaty that specifically covers the GDPR?

> However, US state laws do allow recognition of foreign judgments, with the details varying widely.

They sure do, and the details as to why can be interesting, but usually it's going to be a case of there being an equivalent US law. There isn't in this case, and several judges would be repulsed by the suggestion that the law should apply in the US at all.

> I would be quite surprised if all US states would never enforce a court judgment from an EU country resulting from a GDPR violation. Said differently, I expect that at least some US states would enforce it in some scenarios, dependent on the relevant facts and circumstances.

I don't really see that ever happening, to be honest. Well, to be fair, maybe states with data privacy legislation like CA might, as long as only parts that map to CA's own legislation were being enforced. Although even then they would have to be present in the state. I can make a site in the US, target it as much as I can to EU citizens, blatantly violate the GDPR as much as I can, and the EU can't touch me if I didn't break any US laws. I can do what I like with that EU citizen data I collected, sell it to whoever I want, etc - as long as I don't break any US laws.

> Even when the company has no assets in a jurisdiction that allows recognition of EU judgments resulting from GDPR fines, they can also seize movements of money or goods into or out of the EU which belong to the company that isn't paying the judgment.

Sure, like I said, they have power within their borders and that's it. If the entity never goes through EU borders, then they can't really be touched.

> Anyway, "police and punish its own citizens" isn't the scenario being discussed here

I mentioned it because it's one of only 3 things the EU can do to try and deal with a website violating the GDPR outside their borders. The other is dealing with it any way they can if anything physical, or any money goes through their borders, and the final is what I suggested - to police and punish its own citizens. This nonsense of claiming global jurisdiction is nothing but theater.

> The violation is the website's alone.

And when that website is firmly out of EU jurisdiction, they can't do a damn thing about it. Sometimes, they might get a country to enforce a fine, but that has yet to happen despite fines being issued.


I can’t force you to see parallels you are very firmly convinced don’t exist, nor can I force you to provide new evidence or arguments instead of rehashing conclusions I’ve already refuted as best I can.

This is especially true when you’ve declined my open-ended request to provide one of the “plenty of” peer-reviewed legal journal citations you say exist and don’t engage substantively with the evidence I do share, even while making ever more specific legal citation requests to me and asking me to do all the legwork of substantively explaining “some [interpretation of my evidence] that [you] can actually refute.”

These asymmetries are beyond the scope of what’s warranted here: we are two people having a casual unpaid Hacker News discussion, not you as a judge or juror and me as a lawyer trying to prove my client’s case in court. Similarly, if the point of me doing interpretive legwork is just to give you something to refute, that’s not worth my time.

I don’t think we have anything productive left to say to each other in this subthread, so don’t be surprised if this turns out to be my last reply to you here.


> I can’t force you to see parallels you are very firmly convinced don’t exist, nor can I force you to provide new evidence or arguments instead of rehashing conclusions I’ve already refuted as best I can

Oh. OK. So you're not actually providing any of the proof I asked you to, you're just wanting me to trust your arguments as correct in spite of all the evidence I've seen to the contrary. Yeah, that sure is reasonable. The 'trust me bro' defense.

> This is especially true when you’ve declined my open-ended request to provide one of the “plenty of” peer-reviewed legal journal citations you say exist and don’t engage substantively with the evidence I do share

Because I'm not particularly interested in doing research for you. That would actually take me maybe 10 or 15 minutes, to find something you wouldn't just dismiss because it was cited by students and whatever reason you found convenient.

You're making a claim which goes against common knowledge and understanding, so the onus is on you to support it. Not just say 'read X section of the GDPR' and treat that as though you've provided proof.

> asking me to do all the legwork of substantively explaining “some [interpretation of my evidence] that [you] can actually refute.”

No. I'm just first asking you to support your point directly and not with vague handwaving. That's more than reasonable.

> These asymmetries are beyond the scope of what’s warranted here: we are two people having a casual unpaid Hacker News discussion, not you as a judge or juror and me as a lawyer trying to prove my client’s case in court.

Sure. I'm not trying to make it that. But clearly one of us is incorrect. You've been confident from the start it's me, but instead of actually showing how, you're just saying read section X of the GDPR and wanting me to trust your interpretation as correct. How is that reasonable?

There's plenty of peer reviewed legal articles talking about EU overreach. There really are not many saying "whoah, hold up guys, there's been a huge misunderstanding!" - you didn't even provide so much as a blog post claiming that.

The way I see it, EU tribalism can be just as bad as US tribalism, and EU citizens often try to defend EU laws even when it doesn't necessarily make sense to do so. Like how many EU citizens will try and say cookie banners are not the fault of the EU and try to shift blame to the websites, which is nonsense.

> Similarly, if the point of me doing interpretive legwork is just to give you something to refute, that’s not worth my time.

Why do you think that stance wouldn't apply to me?

> I don’t think we have anything productive left to say to each other in this subthread, so don’t be surprised if this turns out to be my last reply to you here.

Fair enough. Take care.


Same here. I country-block I think 4 countries and my "not-me" ssh login attempts dropped 90+%. As I run funzies sites, I couldn't care less about the reduced legit traffic.


I'd do this too except by far the most scam traffic I see are US in origin. I'm in the EU.


> so many african countries who's only traffic is from scammers

Which countries specifically? Asking from Africa, and not sure I've encountered this.


Personal page.. sure.

Business? You're a pain to many people and don't care.

I live in the EU and many US pages just block the whole EU due to GDPR laws... then someone (by mistake) subscribes me to their newsletter, and the "unsubscribe" link leads to "this page is unavailable in the EU"? I'll goddamn make sure your domain ends up on every goddamn possible antispam filter I can find.


That's often worth an FTC complaint for a CAN-SPAM Act violation: https://www.ftc.gov/business-guidance/resources/can-spam-act...

The FTC wouldn't accept "we didn't want to deal with GDPR" as an excuse for a business violating that law.


Why? Are they spam pages?


For me? Sure. I never subscribed to them. And the unsubscribe links don't work, probably illegal, although not sure if they can spam an EU citizen from the USA, and which/whose/what law are they breaking.


> I'll goddamn make sure your domain ends up on every goddamn possible antispam filter I can find.

Honestly, individuals can't really do much to change the reputation of a domain.

Maybe petition your representative to adjust the GDPR so they don't claim it applies globally?


> Honestly, individuals can't really do much to change the reputation of a domain.

Your hosting provider and ISP will see this differently. So will the FTC.

> Maybe petition your representative to adjust the GDPR so they don't claim it applies globally?

Your butthurt about the GDPR doesn't absolve you from your obligations under the CAN SPAM act.


> Your hosting provider and ISP will see this differently. So will the FTC.

No. They absolutely won't. Not if I'm not breaking any US laws. The EU bitching would have as much impact as a government official from say Nauru doing the same. None.

> Your butthurt about the GDPR doesn't absolve you from your obligations under the CAN SPAM act.

No. You are misunderstanding and conflating things. My point is I can do whatever I want so long as I am in compliance with US law including CAN-SPAM, and even if I violate GDPR as much as I want (again, as long as it doesn't violate US law).


It's a greyzone situation, but if you started sending (for me) spam emails to me, and your unsubscribe link doesn't work, because you decided to block the whole EU from all of your services, including the unsubscribe feature, you probably are breaking the US spam laws too.


I agree that's likely. Then I guess it would matter what recourse the EU citizen would have. They would have to file suit in the US I would think.


That's very computationally inefficient.


> That's very computationally inefficient.

It's O(1) with iptables/nftables ipsets. Moreover as I blocklist entire CIDR blocks, there aren't that many entries in those ipsets.


You can trivially maintain a list of the size of the whole ipv4 space by using bitmaps


[flagged]


Just the best.


The Biden administration needs to explain why they allow ISPs to import data from these countries.


I'm not sure I understand what you're suggesting. Are you saying that the US govt should make it illegal for people in its borders to communicate with people in those countries?


> and block those IP addresses from the service ports since the traffic source isn't to be trusted

Don't get me wrong, I want to do the same, I run a lot of servers and see all the automated nonsense aimed at public servers. However, you should consider the fact that today blocking an IP is akin to blocking a street, a village or sometimes even a town. For ~better or~ worse we now live in the age of CGNAT.

If your threat model and use case means you only care about a known subset of users with static IPs who are lucky enough to not share IPs then fair enough; but if you are running services intended for wide spread consumption you are likely blocking legitimate users without even knowing it.


I have thought about that and, as you say, my use-case is entirely "hobby" so there's nothing I host that's of much interest to others (if things break, which they have, it inconveniences me rather than other people).

Having said that, the websites I host are behind Cloudflare and so port 443 allows Cloudflare's ASN, but blocks everything else. This way, any of the IP addresses that are blocked from direct access to port 443 can still access the websites, just through Cloudflare's added layer of protection.


Try running some of your blocked IPs through GreyNoise; they usually have some interesting information about them.


Thanks for the tip. Looks like GreyNoise uses ipinfo.io for IP metadata.

I use https://www.abuseipdb.com/ for any manual IP address checks, and https://hackertarget.com/as-ip-lookup/ for finding what ASN an IP address (range) is a member of. I'll check out greynoise and see what extra info may be provided.


I (DevRel of IPinfo) run Fail2Ban on a VM as well. Protip: use the CLI.

- The CLI has the `grepip` command that extracts all the IP addresses from a text. You do not have to parse your logs.

- Analyze your data. After you have extracted your IP addresses from your logs, pipe them to the `summarize`, `map`, and `bulk` commands on the CLI.

- If you are doing bulk enrichment with the `bulk` command, you can use some kind of CSV query tool like CSVtoolkit, DuckDB, or Python-Pandas.

- Look into the ASN data. ASN data is always going to be the more interesting IP metadata for honeypot IPs. Summarize the IP addresses with the `summarize` command; it will give you a high-level report. If you want a web-shareable report, make a POST call to that endpoint. Docs: https://ipinfo.io/tools/summarize-ips

https://github.com/ipinfo/cli

You can always send your logs to me and ask what I think of them, and if I can find common patterns based on IP metadata. I am running our API and database services 24/7 and enjoy looking at logs. I can suggest firewall configurations based on country and ASN information provided by our free data.


Good idea. What I do is, I disallowed password login in my ssh server, and I permanently ban whichever address tries to log in using a password.


I use a bastion host on a VPS as the only source IP address allowed to ssh into my systems, so any attempts to connect to ssh (from any IP address other than the bastion) are both blocked and logged into "the list" to be blocked from connecting to any other service ports.
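The closed-port detection from the original post, with the bastion host from the comment above kept on an allowlist, as an added example that is not the OP's scripts: it parses constructed kernel log lines, skips allowlisted sources (bastion, own ISP pool, so a CGNAT-shared address can't lock the operator out), folds repeat offenders into /24s and renders an nftables interval set. The open ports, allowlist ranges, log prefix and sample addresses are all assumptions.

```python
"""Added example, not the OP's scripts: turn kernel firewall log lines that
record hits on closed ports into an nftables blocklist, keeping a bastion
host and the operator's own (possibly CGNAT-shared) ISP pool off the list."""
import ipaddress
import re
from collections import Counter

# Ports this host really listens on (assumed: SSH, SMTP, HTTPS, submission, IMAPS).
OPEN_PORTS = {22, 25, 443, 587, 993}
# Never block these (assumed values): the bastion VPS that is the only allowed
# SSH source, and the home ISP's pool, whose addresses may be shared by CGNAT.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/22")]
# Only SRC= and DPT= are needed from an iptables/nftables "log prefix" line.
LOG_RE = re.compile(r"SRC=(?P<src>[0-9.]+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines (RFC 5737 / RFC 2544 test addresses only).
SAMPLE_LOG = """\
kernel: uninvited IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.50 PROTO=TCP SPT=40000 DPT=8080 SYN
kernel: uninvited IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.50 PROTO=TCP SPT=40001 DPT=3389 SYN
kernel: uninvited IN=eth0 OUT= SRC=192.0.2.12 DST=203.0.113.50 PROTO=TCP SPT=40002 DPT=23 SYN
kernel: uninvited IN=eth0 OUT= SRC=198.18.5.9 DST=203.0.113.50 PROTO=TCP SPT=40003 DPT=5900 SYN
kernel: uninvited IN=eth0 OUT= SRC=203.0.113.7 DST=203.0.113.50 PROTO=TCP SPT=40004 DPT=2222 SYN
kernel: uninvited IN=eth0 OUT= SRC=198.51.100.44 DST=203.0.113.50 PROTO=TCP SPT=40005 DPT=8443 SYN
kernel: uninvited IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.50 PROTO=TCP SPT=40006 DPT=25 SYN
"""

def parse_line(line):
    """Return (source address, destination port), or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return ipaddress.ip_address(m["src"]), int(m["dpt"])

def is_allowlisted(ip):
    return any(ip in net for net in ALLOWLIST)

def uninvited_sources(lines):
    """Addresses that probed a port nothing listens on, minus the allowlist."""
    hits = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, port = parsed
        if port not in OPEN_PORTS and not is_allowlisted(ip):
            hits.add(ip)
    return hits

def aggregate(ips, threshold=3):
    """Collapse sources into their /24 once `threshold` distinct hosts from the
    same /24 probed closed ports; smaller clusters stay single addresses."""
    per_net = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips)
    out = []
    for net, count in per_net.items():
        if count >= threshold:
            out.append(net)
        else:
            out.extend(ipaddress.ip_network(f"{ip}/32") for ip in ips if ip in net)
    return sorted(out, key=lambda n: (int(n.network_address), n.prefixlen))

def render_nft(networks, ports=OPEN_PORTS):
    """Render an nftables table whose interval set holds the blocklist: one set
    lookup per packet regardless of how many entries the list grows to."""
    elems = ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                      for n in networks)
    lines = ["table inet uninvited {", "    set blocked4 {",
             "        type ipv4_addr", "        flags interval"]
    if networks:  # omit the clause entirely rather than emit 'elements = { }'
        lines.append(f"        elements = {{ {elems} }}")
    lines += ["    }", "    chain input {",
              "        type filter hook input priority 0; policy accept;",
              f"        ip saddr @blocked4 tcp dport {{ {', '.join(map(str, sorted(ports)))} }} drop",
              "    }", "}"]
    return "\n".join(lines)

def build_ruleset(lines):
    """Full pipeline: log lines in, nftables ruleset text out."""
    return render_nft(aggregate(uninvited_sources(lines)))

if __name__ == "__main__":
    print(build_ruleset(SAMPLE_LOG.splitlines()))
```

Feed the output to `nft -f` (or merge the set into an existing table); the three 192.0.2.x probes collapse to 192.0.2.0/24, the lone 198.18.5.9 stays a host, and the bastion, the ISP pool and the legitimate SMTP connection never enter the set.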


I did this but added an "escape hatch" that allowed password logins from the local network only.


Just be aware that with your strategy “blocking 50% of unwanted traffic” means blocking non-attack traffic, as these Internet security companies are mostly legitimate. The automated attack traffic that you actually want to block is in the other half and will frequently change IPs.


> these Internet security companies are mostly legitimate

This is both subjective and highly dependent upon the scope of services being run. My setup would probably progressively create more hassle than it saves as on a scale from small business to large business. For the setup I have, I quite specifically want to block their traffic.

I'm possibly overly militant about this, but they keep databases of the results of their scans, and their business is selling this information to ... whoever's buying. I don't want my IP addresses, open ports, services or any other details they're able to gather to be in these databases over which I have no control and didn't authorise.

To steal an oft-used analogy, they're taking snapshots of all the houses on all the streets and identifying the doors, windows, gates, and having a peek inside, and recording all the results in a database.

I believe all of them are illegitimate. They 'do' because they can, and it's profitable. "Making the internet safer" is not their raison d'être.

Happy for any else to form their own opinion, but this is my current stance.


Yes - Anyone whose FAQ answer to "How to avoid being scanned" is "We don't have an opt-out, you must block all these addresses" isn't behaving like a legit business.

"Nice network you've got there."

"We noticed something might be open. We're not telling you what it is."

"It would be a pity if something happened to your business."

"Give us lots of money."

Sounds like a movie strong-arm thug.


Would be cool to have a "don't scan me bro" list of IPs that engage in this that we could share - is there such a thing?


The problem is that becomes a concentrator of IPs behind which privacy conscious individuals exist, which probably has higher value to "whoever's buying". It's a conundrum.


It sounds like what GP is suggesting is to collect IPs of all the scanners, and share the list of IPs among ourselves, so we can collectively route their traffic to /dev/null.


aaaaah, that makes sense. See the links in my original post.


Why not also sell the scans of scanners to the scanners customers and make a little pocket change?


There's a comment downthread discussing something similar; I haven't tried it though: https://news.ycombinator.com/item?id=40695179


You're being sarcastic, right? We did this for telephone numbers and saw how it turned out...


> these Internet security companies are mostly legitimate

Act like a bot, get treated like a bot.

> Just be aware that with your strategy “blocking 50% of unwanted traffic” means blocking non-attack traffic

You don't block them forever, just enough for them to move on to someone else.


They don't move on to someone else; they scan the entire internet on a regular basis, just like Google crawls web pages.


My experience is that after blocking Censys, unwanted traffic on non-standard ports from other IP blocks has basically gone to zero. It appears to me that some bad actors are using Censys scans for targeting.


I get similar results.


> (...) as these Internet security companies are mostly legitimate.

Note that you're basing your assertion on the motivation of random third parties exclusively on the fact that they exist and they are behind active searches for vulnerabilities.


Lol legitimate. As legitimate as door to door salesmen. OP just put up a proverbial "no soliciting" sign.


Have you considered using crowdsec?


I set it up in a fairly superficial way, and there are only a handful (two or three) rules that can be applied on the free tier, and I'm a tight-ass.

It's still running, but it doesn't seem to block much - but that might be because I didn't put enough time into "doing it properly".


Are there any downsides to crowdsec?


You end up sharing signals (IPs) to their crowd-sourced bad IP databases, but only get 3 free IP lists on the free plan. To get some of the bigger IP lists you need an enterprise plan at $2500 a month.

Essentially they use the free customers to build the lists that drive their enterprise sales, which is fair enough as you get to use their free dashboard and open source software. But to me it seems they're really only targeting enterprise customers as a business.


Hi all and @snorremd, (Philippe from the CrowdSec team)

The $2.5K / month was for enterprise, but we didn't correctly understand the need and converted it to 2 optional prices: $1K for LTS and $1K for support. This will be reflected in an update on our pricing page this week; thanks, everyone, for your patience in this matter.

It took us time to segment our four products properly. We wanted to avoid pivoting later, as it happened to so many other open-source tools recently.

* The Security Engine (IDS+WAF+IPS) is for everyone. (Free / MIT license, three free blocklists)

* Its SaaS companion is made for anyone with a security engine. (Generous free tier, $31/engine/month for pro industrialization features, 3 premium blocklists + all free ones. Volume discounts avail. We'll soon merge SecOPS and enterprise plans, all features at the price of the SecOPS plan)

* Blocklists are made for M/L entities to use. (In the range of a few tens of K$ yearly, all blocklists, unlimited)

* The Full CTI database is intended to be used by L/XL Corps. (It contains 32 fields about ~25M IP, with industry targeted, country targeted, tech stack targeted, AS and range reputation, etc. Local replication at your place, several updates/day. 10 to 20K$ / month, depending on some parameters)

PS: As we did for the Olympic Games 2024, we'll also give away a blocklist for the US presidential election of the most aggressive IPs against US assets. With a quarter of a million machines running CS, we have a fairly good overview of this, in real-time.

Safer together.


I was about to say out loud that it was a (kind of) relief not finding Google in your lists, then I found https://github.com/UninvitedActivity/UninvitedActivity/blob/...


I need to check my exact configuration, but whilst I've got 1e100 in a list, I think I've got an exception for it elsewhere.

I.e. whilst it's been detected as uninvited activity, it causes issues when blocked, so it's excluded from the blocking.


Just install fail2ban.


For SSH, changing to a random port number resulted in zero connection attempts from bots for months on end. It seems bots just never bother scanning the full 65535 port range.


For most of my VMs there's no ssh running. I use wireguard to connect to a private IP. I haven't done this on the bare metal yet but I might. Though barring exploits like we had recently nobody is getting into a server with either strong passwords or certificates. Fail2ban in my eyes is a log cleaner. It's not useful for much else.


It bans the bad IPs; isn't that worth running?


But what does that actually accomplish?


Stops the attack from happening from those IPs?


> the full 65535 port range

Note that putting SSH on a high port has security implications.


What security implications?


A server with fail2ban can be DoSed by sending traffic with spoofed IP addresses, making it unavailable to the spoofed IP addresses (which could be your IP, or the IP of legitimate users).

That is typically a bigger problem than polluting your logs with failed login attempts.


What would spoofing the IP of a packet when the underlying protocol requires a two-way handshake accomplish?


With CGNAT, a prepaid sim card and some effort, you can make them block a whole legit ISP in a few days without spoofing anything.


But the SIM card would need to be from the particular ISP you are trying to block, otherwise you would be coming out of a different ISP's CGNAT range, no?


Yeah, but many ISPs, especially smaller ones, have the same pool of IP addresses for all of their users in that 'region' (for whatever size and definition of a "region").

So with some effort, reconnections from/to a mobile network and many TCP/IP connections, you can achieve that your device is connecting to the attacked site with many different (if not all) IP addresses from the ISP's pool, and if each of those is blocked, none of the legit users (using the same IP address pool) can access those services anymore.

Look at services like DigitalOcean with cheap virtual machines... even Amazon... so many of their IP addresses were used for something "bad" and got blocked, that running a legit service on any of them can mean that a portion of your potential users won't be able to access them, because they'll be on some block list somewhere.


Don't most ISPs check the source address before relaying traffic nowadays? I know at least one of mine started a few years ago (and we had no idea we were asymmetrically routing our traffic till then...)


fail2ban is another layer which is susceptible to abuse and vulnerabilities. It might keep noise out of your logs but at a huge cost. I'd rather just change the SSH port to something non-standard and write it down.


Add port knocking to it and this is how I do it. nftables ftw


> and block those IP addresses from the service ports since the traffic source isn't to be trusted.

This means that you are locking out anybody using a paid VPN service, if any other customer of that same VPN service does any kind of scan.


Something I didn't mention in my original comment, but have mentioned in another reply somewhere, is that I have the websites running behind Cloudflare, and I allow Cloudflare's ASN into port 443 but block everything else.

Essentially outsourcing the security of port 443 to Cloudflare.

My use-case is "hobby / enthusiast", so I believe I'm losing nothing and the "world at large" is losing nothing from this setup. Having said that, all policies on this kind of thing need to be strongly thought about in terms of their applicability to the use-case.

Were I running a small or even medium business, I'd probably do it exactly the same with maybe a bit more of an eye on what's being blocked and the ownership of the IP addresses, and I'd have some stats to point to on the range of sources of legitimate traffic. It'd have to be a pretty big, international business for it to cause much of an effect (although I'm talking well out of school here because I don't have anything at stake).

Flipside, though, I have my outgoing traffic routed through a couple of different exits, and I've had to make specific rules for some websites that block traffic from VPNs and VPSs, which is annoying, so I'm not completely dismissing your point.

Lastly, however, at all scales I'd still block the Internet Scanners for reasons I've given elsewhere. Blocking them massively cut down on the uninvited activity - again, it's not about making clean logs, but it really helped clear a lot of the noise.



