Comment by mnau 10 months ago

14 replies

We are not doing anything wrong, but we are completely neglecting the attacker side.

All our actions are defensive.

Look at our physical security. Basically nothing is reasonably protected. 99% of stuff (buildings, locks) can be broken into with tools available in any Home Depot.

The key reason why it doesn't happen that much is because it's possible to find the attacker.

Why can any scammer just create a website without any traceability? It wouldn't be foolproof, but it would raise the bar.

chii 10 months ago

> Why can any scammer just create a website without any traceability?

Because of jurisdictional challenges.

Not to mention that this very same traceability would be abused by some other authoritarian gov't to track down dissidents for example.

There's no real way to systematically have good security, if the human element is the weakest link tbh. Securing windows is not a technical problem, but a social and educational one.

  • mnau 10 months ago

    More like no will.

    Does the domain/server implement the required level? No? Block the connection. Ditto email, with an automatic response.

    Is your IP in a botnet? Cut it off.

    Edit: I already get blocked connections (on the target site) because EU regulation is too onerous. I get reminded on basically every Google search that I am being censored ("Some results may have been removed under data protection law in Europe").

    Completely doable.

    • GTP 10 months ago

      > I already get blocked connections (on the target site) because EU regulation is too onerous

      More like "we want to track every single user coming to our website without giving them the option to not be tracked".

      • mnau 10 months ago

        You can serve the consent form only to connections from the EU.

        I have been part of several GDPR compliance projects, and it's the other stuff that's the problem.

        Data protection officer (a recurring cost, even though it is only part of a job, not a full-time position), user data deletion and user data take-out. Compliance is not free. If the system wasn't designed for it from the beginning, it's really expensive to add.

        Restore from backup after disaster recovery: make sure you anonymize/delete people who were deleted after the backup was made.

        BTW, IP address is PII, so...

        Honestly, it would be cheaper to buy everyone in the EU a VPN.

    • guappa 10 months ago

      What do you suggest? Bomb even more countries?

      • mnau 10 months ago

        You don't need to bomb anyone.

        Add IP rules at the cables into and out of, let's say, the EU and block it there.

        Same way we deal with any non-compliant thing. You can't import it.

        Your server/domain doesn't satisfy the requirements. Either the originator complies or it doesn't (e.g. through a trusted third party).

unethical_ban 10 months ago

Do you think people should have to get permission to host a server on the internet?