That isn't really how it works anymore. It's possible (and standard) to push any political agenda without ever stating an opinion directly. It's all about which specific facts you choose to report and which you choose to ignore. It's very easy to select and report only facts that make group A look good, or only facts that make them look bad. In that way, 2 news sources can give people the opposite opinion without anyone ever stating an opinion or saying something that isn't true.
And furthermore, public sentiment (and therefore elections) are decided by what the main sources of media determine is the most important news.
Example: Cops have shot a thousand people a year for several years in a row (maybe a decade). About 300 of those each year have been black, which is a disproportionate amount by some measures.
However, it is nowhere near the biggest problem in our country even for black people. But because the media has chosen to report on that problem near constantly since Colin Kaepernick took a knee, it has dominated the public consciousness and therefore influences thousands of people to loot, burn, protest, riot and thousands more to develop opinions and attitudes that create more and more division in our country.
Most of what they report is factual but is it as important as the lofty position they are giving it in the news? Is it helping?
> However, it is nowhere near the biggest problem in our country even for black people.
Something tells me you're not qualified to speak on the behalf of black people (even if you were black).
Something tells me that when you choose to categorize what is happening in the US as looting, burning, and rioting (with a casual acknowledgement to protest), then you don't have a very empathetic understanding of the message people are trying to carry across, or why they believe this is a much bigger problem than you deem it to be.
It's not about the pure numbers of deaths. It's about the countless other scenarios just like the infamous ones that led to deaths that black people encounter throughout the US every single day, and have to wonder if they're about to become yet another name, or worse, just a statistic. It's about living in a continual state of terror that the forces of the state that are OSTENSIBLY there to "protect and serve you" do anything but. It's like living in East Germany and being constantly afraid of the STASI, only it's 2020 and it's the US.
That can be a much bigger problem than poverty, drug addiction, or anything else you might point to as a "bigger problem in this country for black people".
What does that statement have to do with the comment you're responding to? Yes cops should kill fewer people, but as the person to whom you replied mentioned, police violence is far from the most serious issue facing the US currently. Let's get outraged at the obesity epidemic, let's revolt against black on black violence in the inner cities, let's "defund" platforms which encourage division and turmoil.
Even my comment is derivative, the point is that news and media outlets are able to control public opinion even by being honest and factual. By simply ignoring some facts it's trivial for these outlets to skew their audiences' perspectives on current events. The whole "left vs right" ideology is toxic and cancerous to a healthy society and it sickens me. It's increasingly difficult to hold a moderate opinion about a subject without being demonized by one group of extremists or another.
- Cutting down on high noise / low effort social media
- Reflection on whether the article you just read made you feel good or whether you learned something; find on-the-ground experts in fields.
- Debating with your “enemy” in a Socratic Way
- A true intolerant likes wrestling in the mud and staying there.
Michelle Obama tried to make this her primary focus through the entire Obama administration. Like everything else the Obamas did, the Right wing that is currently engaging in the same whataboutism and dogwhistles as this sentence, chastised it at the time as elitist and un-american.
> let's revolt against black on black violence in the inner cities
> let's "defund" platforms which encourage division and turmoil.
While I broadly agree with you that social media platforms are a problem that needs fixing, "defunding" them is a nonsensical statement that only makes sense in reference and in direct contrast to "defunding the police".
These platforms are not "funded" because "funding" in this context refers to allocation decisions of PUBLIC TAXPAYER FUNDS. Private companies are not collecting tax dollars then spending them on fun riot gear to go cosplaying in as they gas people exercising their first amendment rights.
The whole premise of "defunding the police" is to reallocate public funds to different programs that we currently task our police with (mental health, drug addiction, sex work, etc.)
> because the media has chosen to report on that problem near constantly since Colin Kaepernick took a knee, it has dominated the public consciousness and therefore influences thousands of people to loot, burn, protest, riot and thousands more to develop opinions and attitudes that create more and more division in our country.
No, systemic racism caused by capitalism is the root cause of that.
The capitalist media is but one contributing factor of this.
The root cause for this rioting is hundreds of years of systemic oppression: redlining (now digital redlining in the digital age), racist banking policies (for a detailed analysis see ‘The Color of Money: Black Banks and the Racial Wealth Gap‘ and ‘How The Other Side Banks‘, both by law professor Mehrsa Baradaran), the school to prison pipeline, the CIA and Reagan’s ‘war on drugs‘ that flooded inner cities with crack in the 1980s causing the crack cocaine epidemic (journalist Gary Webb exposed this), the CIA also systemically murdered the leaders of socialist black liberation movements (Martin Luther King, Malcolm X, Fred Hampton, etc.), and more (these are only a few examples that I can think of right now).
Wage slavery of course exploits and oppresses all of the working class (the 99% of us who don’t own capitalist property: technology in the form of trade secrets, patent claims, etc. (the means of production)). Yet black and brown people (both in the global north and the global south) have especially had a harder time simply because of the color of their skin.
It's not nearly that simple. You can essentially print an opinion based only in fact, both by picking carefully which stories you cover, and also which details of which story you choose to report. It's completely possible to frame the exact same story as either left wing or right wing using only facts.
If you want recent proof, look at that debacle with that Toledo kid. Some reported police shoot an armed thug, some report police shoot an unarmed kid. The video proof shows neither side is telling the whole truth.
The reasoning of which was widely derided when Kellyanne Conway offered alternative facts to explain a situation. People don't want to hear reasoning, they want to be angry.
Yeah all the news sources my parents sub’d to in the early 00s and I sort of figured I’d sub to as well once ready are aggravatingly narrative driven. I’m not sure if I never noticed that, or if it’s a new media approach, but I don’t need “baseball + narrative injection” articles in my life. I’m actually fairly bummed out about this, I go to Reuters now.
News coverage has always been narrative driven to some extent, but previously that was more in selectivity of coverage. The quality of reporting has been in a long slow decline due to a mix of sagging finances and low-no quality control competition. The 'Action News' TV format significantly degraded things, and then blogs and specifically conservative-targeted media drove adoption of the narrative approach.
This revealing interview gives an interesting perspective on the media business around the turn of the century. Note that this is a pdf archive copy saved to draw attention to a particular segment, and I'd urge you to ignore that and read the whole thing. I can't link to the original as it vanished some time ago, and this archive predates the establishment of the internet archive. Thus the presentation is biased (sorry) but it's the only complete copy of the interview I know of.
https://zfacts.com/zfacts.com/metaPage/lib/Weekly_Standard_M...
If you're on Android using an app like Materialistic to browse HN, like I am, use a reader-mode-only app like Reedy to open your articles; since it only parses html and doesn't run scripts, it will work on every site that sends the whole article and not just a snippet.
I'm partial to Reedy because it tends to fall "safe" and include more content rather than less, but other similar apps should work just as well (SmartNews has a similar function, as do Article Reader Offline, wallabag, and Webreader; I find Reedy has the best UI/feature set for my use).
TBH, I never use a "smartphone" for web browsing. Screen is too small, no tactile keyboard, etc. Also, I generally do not install mobile apps. Only a few from F-Droid on Android, one or two on iOS.
Really? I use Firefox literally all the time (with the minor exception of some internal work sites where they require Edge) and while all captchas annoy me to no end, recaptcha does work perfectly fine on Firefox even with uBlock origin and pihole running. Both on Desktop (I use FF on Windows, Mac, Linux and FreeBSD :) ) and on Android.
What is the problem you're seeing?
In fact I really rarely have any issues with FF whatsoever, and if I do it is always either uBlock Origin blocking a little bit too much, or a site that specifically rules out Firefox (like https://business.apple.com ), probably for no real reason other than not bothering to test their site with it.
https://github.com/iamadamdev/bypass-paywalls-chrome also really works well on the desktop. Unfortunately I haven't found a way to get it working on Firefox on mobile (the chrome repo also contains the FF one now ;) ). Thanks for the archive link.
PS I understand that websites need to monetise. But getting a subscription to read one linked article per month or so is just not going to happen. The sites I use a lot I do pay a membership for.
You need Firefox 68 ( fennec 68.11.0 ) to use extensions from the open internet. Mozilla axed general extension support in later versions of their android browser.
I just keep it around next to my regular browser for the occasional paywall.
perhaps you should consider getting a subscription one month per year and using the extension the other 11 if you think that's a more fair price to pay
Good point. But I'm not sure if I'd do this with the Washington post. I wouldn't normally read this unless it's linked from somewhere else (I live in Europe).
I actually had an online subscription to the Guardian for a while because they were really good on the privacy advocacy news. I wanted to support a paper with deep dives into privacy issues. However the last couple of years I got annoyed with too much Brexit stuff (not surprising for a UK based paper obviously but as I don't live in the UK I don't want to read about it every day). So I let it lapse.
But there's another thing holding me back. If I subscribe I have to give all my personal details. I don't want to have too many sites where I have that around, data leaks are now happening too often. Even a couple days ago I got yet another notification from haveibeenpwned (this time it was the Spanish company phonehouse.es that was hit).
Anyway, I just wanted to say that while I use paywall avoiding tools I'm not blind to the problem of monetisation and the cost of real journalism :)
All news outlets are biased. Choosing what to report is part of bias. Nobody has the resources to report on every possible news story. There is even such a thing as "centrist bias". Better to choose a few reputable publications with different bias (according to FAIR or whoever) if you want a more balanced approach.
speaking for myself, state-level bias is harder to ignore than the kind of bias a reporter has when talking about politics that are against their own personal beliefs.
personally I find outlets like NYT or NYPost to be too filled with the type of 'state-level bias' that I have a mental allergy to.
My reading of the Tampa Bay Times article is that the company name was copied from that of a supposedly defunct front for a spammer. The individual supposedly behind it has done DoD contracts before and has supposedly retired.
Both of these leads have a lot of "supposedly"s attached, but the one to the spam front is a lot more tenuous.
The CEO of ARIN has confirmed that the DoD has authorized this specific company to advertise these prefixes, so if there's any known spam or fraud involved, you might want to take that up with the federal contracting agency which issued the contract to this company.
"several Chinese companies use network numbering systems that resemble the U.S. military’s IP addresses in their internal systems"
I don't think I've heard of this before. What does it mean? Does China operate a disconnected BGP network? Or do they have some modified protocol, or what?
Alibaba for example use DoD address ranges for their management servers running Alicloud services. They assumed since nothing in their cloud platform would connect to those addresses they can use them to alleviate IPv4 shortage. In Alicloud, customers have the right to use any RFC1918 addresses, so they had to be creative since they didn’t have sufficient IPv4 addresses.
but if they're not filtering BGP announcements for those ranges (however unlikely), and the GFW isn't blocking traffic out to those addresses (even more unlikely), and the internal metrics were high (super unlikely), I guess it'd slurp out all the traffic? maybe this was a weird smash-and-grab.
You'd be surprised, but GFW is a blacklist not a whitelist, as such the blocked domains and/or IPs are a very small subset of all public addresses out there.
These IP addresses were unused for a very long time, so using them on internal networks worked fine. Once the Floridian company in the article started announcing them, gateway routers on the Chinese internal networks may have started sending their traffic to Florida.
Ohh, I think I see. So instead of (or in addition to) creating internal subnets inside 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, they set up subnets inside DoD's 11.0.0.0/8 etc., and it worked out because there were no external BGP announcements for those ranges. But now that there are, if they did not explicitly configure their border gateways to route those ranges inside their networks, the traffic may now leak out to DoD's pilot effort.
Maybe DoD is trying to catch security flaws caused by traffic intended for their own internal networks accidentally reaching the public internet? Advertising those IPs publicly and logging all traffic could be a good way of detecting such bugs in DoD systems.
> What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses. Madory said his monitoring showed the broad movements of Internet traffic began immediately after the IP addresses were announced Jan. 20.
> Madory said such large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes.
It's interesting how this is framed as something "defensive in nature", when it's yet another massive funnel for data being slurped up by a US government agency.
If China or Russia would suddenly reroute a ton of traffic from outside their countries, to their respective government agencies, I doubt anybody would believe a benign "Just checking our security!" explanation.
> If China or Russia would suddenly reroute a ton of traffic from outside their countries, to their respective government agencies
It is their IP space. It is entirely on your incompetent network staff if you are stealing IPs that are 1) not yours, 2) in use, 3) not in your country for internal use and on top of that, not rejecting external routes to it.
It is not "rerouting a ton of traffic", the traffic was destined toward them in the first place.
You can debate semantics all you want, it doesn't change the reality of the situation and how the problem of IPv4 address exhaustion is very real and not just down to "incompetent network staff".
The DoD sitting on all that unused address space actively contributed to that problem and now it's exploiting band-aid fixes around it to once again play data kraken of the world under the guise of "We are just fighting APT!".
It’s pretty clear that the DoD realizes how close they were to being forced to sell all that IP space off and wouldn’t have even been able to say “we’re using it” as it wasn’t routed.
Look, if you want to use someone's IP address for your internal network, that's fine, what you do in your private network is your business. But don't blame the owner when they say "hi, I exist" and you forgot to configure your routers to ignore them. It's not the DoD's fault that other netops didn't bother to break the rules in a safe way.
Reading what the DOD said "officially" it appears that maybe they were just looking to see if these IPs could be registered, simply.
It sounds a bit weird they would have needed 170M+ IPs to get a good attack sample from the internet if the IPs are contiguous, a few thousand would have sufficed. It sounds very weird to expect "China" to suddenly route Xi's dirty videos and why not Iran, Japan, everyone suddenly routing crap there, it's not very targeted and would cost quite a bit to read all the potential tcp packets that got lost by bad WAN vs LAN priority decisions in routers.
Also, it's one shot, so why now ? They would have just lost a huge weapon, if true, in a very public manner, for no particular visible threat, not precise target and at great cost possibly.
I'm okay to believe this was possibly just an inventory/activation exercise because someone noticed they owned stuff they can't use until they register them.
Not sure. If the government is doing something large-scale in public (like construction projects [or maybe global IP routing]), they should communicate what is happening before doing it, in order to not phase people.
Eh, I wouldn't be surprised if an org like the Pentagon is secretive about things that aren't really necessary to be secrets. It's just kinda in their nature to be that way (kinda like Apple's default-secrecy about products and features).
(Also, sorry to be That Guy, but this one always gets to me: in the sense you've used it, it's "faze", not "phase".)
I used to work in intelligence. "Secrecy creep" has long been a serious problem inside DoD. How information gets classified has largely been left up to low level federal bureaucrats, people my father used to angrily refer to as "big haired women from Mississippi". Basically, they are low level federal office drones, with minimal knowledge about the actual content of classified programs, who are left to determine how they are classified. They start with the core information of a project and classify it "Top Secret". Then they take all the peripheral information of that project and classify it TS as well, just to be safe, because it might overlap with the core info, but they have no clue because they're a GS-4 clerk from Boogerville with a high school diploma. Later as more content is generated in a program, stuff peripheral to the previous peripheral data, which realistically should be classified "Confidential" at most, it too gets classified as TS because of its proximity to the previously over-classified peripheral data. Lather-Rinse-Repeat for a few decades and you have huge swathes of widely known, utterly inconsequential information classified Secret or Top Secret.
Don't answer this if it isn't legal to answer, but do you have any examples you can share? I can entirely picture the process, and completely believe that it happens, but I don't have a mental image of what the end result looks like.
Yeah. I once worked on a project implementing the software for a fighter aircraft first-line test set - the kind of thing that a maintainer would connect up to the pylons to check out the wiring and make sure the right voltages were getting where they were meant to.
We had to run the whole project on a completely separate network from the rest of the business due to the classification of the software, which was driven entirely by a handful of frequencies used in testing; details of which were also broadly available from OSINT sources.
Things are often classified because of how we know the cat died, not because the cat was special. Suppose you've recruited a foreign intelligence officer to work for you and he happens to mention the cat dying during a debriefing. You can't just declassify the unimportant bits because enough of them will tell you who said it.
It's the same problem as FAANG collecting mountains of "anonymous" metrics. Pretty soon, you can determine who the "anonymous" user is.
I think everyone knows we are in Afghanistan and the cat was a stray on our base. But you’re right. Maybe the fact that Nothing Happened was what was classified, not the cat? Who knows.
Right, because if there's anything the Pentagon has been known for over the past seven decades or so it's clear publication and transparent disclosure of all its large scale classified projects so as not to phase the public.
FWIW Ma seems significantly smarter than he showed during that event when you look at translations of his Chinese (speaking or written). But in any case, even an incompetent CEO can still have competent IT.
I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.
If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.
The main reason (I've done this at a bank previously) is when you need to ensure you don't overlap with other internal IP (RFC1918 was represented everywhere and routeable internally) and when you're trying to dodge 99% of your engineers' default Docker configs to reduce support request load.
In that case there's never any chance it'll be needed by people using the public internet there, and never any chance it'll be used suddenly by a deployed internal service somewhere else from an outside vendor.
Default Docker configs are atrocious. Most devs/devops don't even know that when it creates a network, it takes a /16 IP range out of 172.[17-31].0.0/16 or 192.168.[0-240].0/20 by default. It is just a matter of time before a restart makes it collide with an existing network range. It does skip networks defined on local interfaces at least, but this only means that devs don't learn about this landmine on their own machines, nuking production instead.
The default should reserve a single ip range and simply fail (with a nice message) if more are needed.
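To make the collision above concrete, here is an added example (not code from the thread or from Docker) that walks the default pool order the comment describes, mimics the "skip what is on a local interface" behaviour, and reports which pools would land on a prefix that is only reachable via a route (VPN, WAN, cloud peering) and therefore invisible to that check. The pool list is taken from the comment above and should be treated as an assumption to verify against your daemon version; the corporate prefixes, the `10.200.0.0/16` base and the `/24` size in the `daemon.json` fragment are illustrative choices.

```python
"""Docker default address-pool collision check (added example, not from the
thread). Pool order is the one described in the comment above
(172.17.0.0/16 ... 172.31.0.0/16, then 192.168.0.0/20 ... 192.168.240.0/20);
treat it as an assumption. Corporate prefixes below are constructed.
"""
import json
from ipaddress import ip_network


def docker_default_pools():
    """Candidate subnets in the order a default daemon hands them out."""
    pools = [ip_network(f"172.{n}.0.0/16") for n in range(17, 32)]
    pools += [ip_network(f"192.168.{n}.0/20") for n in range(0, 256, 16)]
    return pools


def pick_pool(local_interface_nets, in_use):
    """Mimic the allocator: first pool that overlaps neither a subnet on a
    local interface nor a pool already handed to another Docker network."""
    skip = [ip_network(n) for n in list(local_interface_nets) + list(in_use)]
    for pool in docker_default_pools():
        if not any(pool.overlaps(s) for s in skip):
            return pool
    return None


def colliding_pools(routed_prefixes):
    """Every default pool overlapping something reachable only via a route,
    which the allocator's local-interface check never sees."""
    routed = [ip_network(p) for p in routed_prefixes]
    return [str(p) for p in docker_default_pools()
            if any(p.overlaps(r) for r in routed)]


def landmines(local_interface_nets, routed_prefixes, networks_to_create=3):
    """Pools a daemon would hand out for N user/compose networks that
    collide with routed-but-not-local prefixes: fine on a laptop with no
    such routes, broken on the production host that has them."""
    routed = [ip_network(p) for p in routed_prefixes]
    in_use, hits = [], []
    for _ in range(networks_to_create):
        pool = pick_pool(local_interface_nets, in_use)
        if pool is None:
            break
        in_use.append(str(pool))
        if any(pool.overlaps(r) for r in routed):
            hits.append(str(pool))
    return hits


def daemon_json(base="10.200.0.0/16", size=24):
    """daemon.json fragment pinning the allocator to one small range, so a
    request for more networks than fit fails instead of wandering into
    corporate space. base/size are illustrative, pick ones free in your WAN."""
    return json.dumps({"default-address-pools": [{"base": base, "size": size}]},
                      indent=2)


if __name__ == "__main__":
    # Constructed production host: eth0 on 10.50.0.0/24, WAN routes to the
    # whole 172.16.0.0/12 and to a branch office on 192.168.0.0/24.
    print(landmines(["10.50.0.0/24"], ["172.16.0.0/12", "192.168.0.0/24"]))
    print(daemon_json())
```

Run it on a box with `ip route` output fed into `routed_prefixes` and the local interface subnets into `local_interface_nets`; a non-empty result from `landmines()` is the outage waiting for the next daemon restart.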
Yeah, sharing SSIDs isn't such a great idea. Check out https://wigle.net ... Obviously multiple people around the world use this one, but it narrows it down for dedicated people
Two things that come to mind are running out of private address space (a /8 isn't that large), or wanting address space that doesn't clash with other private networks (e.g. to ensure a VPN doesn't overlap with home networks). There's probably more reasons.
Company A uses 10/8 Company B uses 10/8, company A buys company B and orders new subsidiary B to renumber into 11/8 "All you have to do is change every first octet to 11"
Merger after merger after merger followed by a massive adoption of public cloud (using Direct Connect/Express Route for hybrid connectivity) has led at least two very large FinServs I worked for to adopt CGNAT (100.64/10) for parts of their internal networks.
In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.
It's incompatible with IPv4, has a stupid addressing scheme, it requires new router hardware and software for ISPs to buy and nobody is using it because of all the aforementioned issues.
What could an increase in the IP address space do to be compatible? I can think of a couple things to be partially compatible but IPv6 already does those.
And by "stupid addressing scheme" do you mean it's too big, or what? You can ignore all that stuff with mac addresses and make all your addresses go like prefix:subnet::1 prefix:subnet::2 prefix:subnet::3 if you want to.
You forgot, they're nowhere as easy to remember as v4. If you're used to remembering phone numbers, important v4 IPs aren't that hard to mentally internalize.
Screw DNS. Screw the recommendation to stay away from IPs. If it's important enough to be on the network, it's important enough to have a static IP.
You're being downvoted, but, the last 3 ISPs I used didn't support IPv6. The first one didn't support IPv6 at all, the second supported it, but it was incompatible with my router. And I didn't care about it after that. Hardware incompatibility is a huge roadblock for IPv6.
IPv6 is well over 20 years old. In fact, IPv6 is now older than the IPv4 Internet was when it went mainstream back in the mid 90's. There is really no excuse not to support it...
Because even equipment that claims IPv6 often doesn’t. We have seen both software and hardware which “supported” IPv6 for 5-10 years, but we were the first to use it in production and the manufacturer hadn’t tested it since the initial implementation.
Yeah, it works well enough until it doesn't: I love when VoIP calls have one-way audio or when I have to map ports because the traversal method used by this P2P app is not working.
When run at the ISP level it's even more fun: remember when Wikipedia blocked the whole of Qatar?
IPv6 on an internal network is trivial. It is supported by both Windows and MacOS (and Linux) out of the box.
If your ISP doesn't provide it, get one that does. They should allocate you a /56 by default per connection, if not something larger like a /48 if you have multiple locations.
Subnet the /48 for each connection, subnet each /56 into /64 subnets. Reserve one of the /56's for site-to-site if needed.
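The carve-up described in the comment above, as an added example (not code from the thread): a /48 split into /56 per-site blocks with the last one held back for site-to-site links, each /56 split into /64 LAN subnets, and a predictable `prefix:subnet::1` gateway per LAN. It uses the documentation prefix `2001:db8::/48` (RFC 3849) as a stand-in for the ISP allocation; the site and LAN counts in `plan()` are arbitrary.

```python
"""IPv6 address plan for a multi-site /48 (added example, not from the thread).
2001:db8::/48 is the documentation prefix; substitute the allocation your
ISP actually delegates to you.
"""
from ipaddress import ip_network


def site_prefixes(allocation="2001:db8::/48", site_len=56):
    """Per-site /56 blocks. The last /56 is held back for site-to-site
    links so it can never collide with a LAN. Returns (sites, reserved)."""
    sites = list(ip_network(allocation).subnets(new_prefix=site_len))
    return sites[:-1], sites[-1]


def lan_subnets(site, lan_len=64):
    """All /64s inside one site's /56 (256 of them), in address order."""
    return list(ip_network(site).subnets(new_prefix=lan_len))


def gateway(lan):
    """The ::1 address of a LAN subnet, compressed, e.g. 2001:db8:0:100::1."""
    net = ip_network(lan)
    return str(net.network_address + 1)


def plan(allocation="2001:db8::/48", sites_needed=3, lans_per_site=4):
    """Assign the first N sites and the first M LANs per site; a /48 holds
    255 usable sites here, so more than that is a request for a bigger
    delegation, not for squeezing the plan."""
    sites, reserved = site_prefixes(allocation)
    if sites_needed > len(sites):
        raise ValueError("allocation too small for that many sites")
    out = {"site_to_site": str(reserved), "sites": {}}
    for site in sites[:sites_needed]:
        lans = lan_subnets(site)[:lans_per_site]
        out["sites"][str(site)] = [(str(lan), gateway(lan)) for lan in lans]
    return out


if __name__ == "__main__":
    for site, lans in plan()["sites"].items():
        print(site)
        for lan, gw in lans:
            print("   ", lan, "gateway", gw)
    print("site-to-site:", plan()["site_to_site"])
```

Handing each site a whole /56 (rather than a handful of /64s) is what keeps later growth, guest networks and management VLANs from needing a renumber, which is the mistake the IPv4 discussion above is full of.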
IPv6 is like python3. A worthy upgrade, but tried to do too much in a single coup and broke backwards compatibility. If they simply added two top octets, saying that 0.0.... was the old ipv4, everyone would have used it ages ago. Instead they made other improvements which led to complex standard and worse adoption.
> If they simply added two top octets, saying that 0.0.... was the old ipv4, everyone would have used it ages ago.
How would you "simply add two top octets"? The address fields in the IPv4 header are a fixed size of 32 bits. Every time this is discussed, someone comes up with this suggestion to "just make the addresses longer and change nothing else", but there's no way to make the addresses longer without changing something else. And that's before considering compatibility with older hosts or routers; how would an old host talk to a new host, or two new hosts talk one to another with an old router in the path? In the end, what you'd have would be two separate networks, with some hosts being in both networks, which is exactly what we have with IPv4 and IPv6.
Yes, obviously you need a new wire format and bigger addresses; that was always going to change. What did not need to happen was changing/replacing DHCP, routing changes, and a half-hearted attempt to bake in IPsec.
If they're not actually using the whole /8 (highly likely), you can set up a 1:1 NAT. basically from network b, if you want to talk to network a, you find out the address in 11/8 that corresponds to the 10/8 address and vice versa. You can use split horizon dns to make it mostly transparent.
Every networking problem in the world can be solved with more NAT or more encapsulation :)
You don't have to use every address in 10.0.0.0/8 to effectively fill it up. If your corporate policy is to assign a /16 to each floor of a building, and you have a LOT of buildings it's pretty easy to fill up the space even if most of the /16s are sparsely populated. It's much easier to move on to the 11. space when you build that new building that pushes you over than renumbering your entire corporate LAN.
Right, but that's not relevant for 1:1 NAT (well, at least it doesn't have to be). Since the NAT would happen in software, you're no longer constrained by subnets being physically under routers. 11.2.3.0/24 could contain 10.0.1.0/24 and 10.128.128.0/24 without any issues, assuming they don't use in total more than 256 addresses.
what you call 1:1 NAT is just called NAT by Cisco, the stuff most folks think NAT is is actually NAT+PAT (like what you run on your home router with a single public IP)
It basically maps addresses visible on one interface to those on a different interface. So you can route many addresses on 10.x to a single 10.x address that is on a different network.
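The static 1:1 NAT discussed in the last few comments, as an added example (not code from the thread or any vendor): each mapping pairs an inside block with an outside block of the same size, a host keeps its offset inside the block, so translation is arithmetic and reversible, and overlapping mappings are rejected because they would make the reverse lookup ambiguous. The `example_table()` packs two sparse halves of different 10.x subnets into one `11.2.3.0/24`, which is the case raised above; all prefixes are illustrative.

```python
"""Static 1:1 (address-for-address) NAT table (added example, not from the
thread). Each inside prefix maps onto an outside prefix of equal length;
a host keeps its offset within the block, so translation is arithmetic
and works in both directions. All prefixes below are constructed.
"""
from ipaddress import ip_address, ip_network


class OneToOneNat:
    def __init__(self):
        self._pairs = []  # (inside_net, outside_net)

    def add(self, inside, outside):
        i, o = ip_network(inside), ip_network(outside)
        if i.prefixlen != o.prefixlen or i.version != o.version:
            raise ValueError("inside and outside blocks must be the same size")
        for pi, po in self._pairs:
            # Overlap on either side would make one lookup direction ambiguous.
            if pi.overlaps(i) or po.overlaps(o):
                raise ValueError(f"{inside}->{outside} overlaps {pi}->{po}")
        self._pairs.append((i, o))

    @staticmethod
    def _shift(addr, src_net, dst_net):
        """Same offset inside dst_net as addr has inside src_net."""
        offset = int(addr) - int(src_net.network_address)
        return ip_address(int(dst_net.network_address) + offset)

    def to_outside(self, addr):
        """Inside address -> outside address, or None if unmapped."""
        a = ip_address(addr)
        for i, o in self._pairs:
            if a in i:
                return str(self._shift(a, i, o))
        return None

    def to_inside(self, addr):
        """Outside address -> inside address, or None if unmapped."""
        a = ip_address(addr)
        for i, o in self._pairs:
            if a in o:
                return str(self._shift(a, o, i))
        return None

    def translate(self, src, dst, outbound):
        """Rewrite one packet's (src, dst). Outbound rewrites the source,
        inbound rewrites the destination; unmapped addresses pass through
        untouched, as on a real static-NAT device."""
        if outbound:
            new_src = self.to_outside(src)
            return (new_src if new_src else src, dst)
        new_dst = self.to_inside(dst)
        return (src, new_dst if new_dst else dst)


def example_table():
    """Company B's 10/8 hosts as seen by Company A in 11/8. Two sparse /25s
    from different corners of 10/8 share one 11.2.3.0/24; a /16 is mapped
    wholesale with offsets preserved."""
    nat = OneToOneNat()
    nat.add("10.0.1.0/25", "11.2.3.0/25")
    nat.add("10.128.128.0/25", "11.2.3.128/25")
    nat.add("10.20.0.0/16", "11.20.0.0/16")
    return nat


if __name__ == "__main__":
    nat = example_table()
    print(nat.to_outside("10.128.128.5"))                     # 11.2.3.133
    print(nat.translate("10.0.1.7", "172.16.9.9", outbound=True))
    print(nat.translate("172.16.9.9", "11.2.3.7", outbound=False))
```

The same table drives the split-horizon DNS mentioned above: publish the `to_outside()` address of each host in the view served to the other company, and the `to_inside()` address in your own view.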
In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.
They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.
There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.
In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.
I personally use a range towards the end of the 172.16/12 reservation for my home network for exactly this reason. Ever since I made the change five years ago I’ve never suffered any conflicts when running a VPN in or out.
I know the old Apple extreme and time machine routers used to default to 10 rather than 192 ever since then I’ve kept my internal routing within that block.
It just looks nicer to me which shows the power of Apple and how easily I am influenced.
I like the 172.16/12 for company network, especially small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.
A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.
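Both the "more specific wins" trick in the comment above and the leak discussed earlier in the thread (squatted 11/8 traffic following the default route off-site the moment someone announced the prefix) come down to one routing decision, longest-prefix match. The following added example (not code from the thread) models that decision over a handful of routes: a squatting site with only a default route, the same site with an aggregate route for the squatted block pointed at a discard next hop so nothing in 11/8 can leave regardless of what the internet announces, and a 10/8 network with a VPN /24 carved out of it. Interface names, next hops and addresses are all made up.

```python
"""Longest-prefix-match route lookup (added example, not code from the thread).

A minimal model of the routing decision that decides whether a packet for
squatted address space stays inside or goes to the upstream. Next hops,
interface names and addresses are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Next hop for dst under longest-prefix match, or None if no route.

    routes is a list of (prefix, next_hop). The most specific matching
    prefix wins; the default route only catches what nothing else does.
    """
    dst = ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def leaked(routes, dsts):
    """Destinations that would leave the site via the upstream/default route."""
    return [d for d in dsts if lookup(routes, d) == "upstream"]


# Scenario 1: a site that squats on 11.0.0.0/8. Its border router knows the
# directly connected management subnet and a default route, nothing else.
SQUATTER = [
    ("0.0.0.0/0", "upstream"),       # default route to the ISP
    ("11.0.1.0/24", "eth-mgmt"),     # directly connected management subnet
]

# Hosts in other 11.x subnets reached through the site's core are missing
# from that table. While nobody announced 11.0.0.0/8 those packets died at
# the ISP; once it was announced, the default route delivered them to the
# announcer.
MGMT_TARGETS = ["11.0.1.9", "11.5.6.7", "11.200.0.1"]

# Scenario 2: same router plus an aggregate for the squatted block pointing
# at a discard next hop (or the internal core). Nothing in 11/8 can follow
# the default route off-site now, whatever appears in the global table.
SQUATTER_PINNED = SQUATTER + [("11.0.0.0/8", "discard")]

# Scenario 3: the trick from the comment above. A /24 carved out of 10/8 for
# a VPN still routes correctly on a network using the whole 10/8, because
# the /24 is more specific than the /8.
CORP = [
    ("0.0.0.0/0", "upstream"),
    ("10.0.0.0/8", "corp-core"),
    ("10.185.203.0/24", "vpn-tun0"),
]


if __name__ == "__main__":
    print("leaks before pinning:", leaked(SQUATTER, MGMT_TARGETS))
    print("leaks after pinning: ", leaked(SQUATTER_PINNED, MGMT_TARGETS))
    print("10.185.203.44 ->", lookup(CORP, "10.185.203.44"))
    print("10.185.204.1  ->", lookup(CORP, "10.185.204.1"))
```

The discard aggregate in scenario 2 is the same idea as the "block it from leaving your edge" advice later in the thread; the matching half, not announcing the block yourself, has to be checked on the BGP side rather than in the forwarding table.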
In my case I got a class C around about 1992 (back then that was the only way to get on the internet), at some point the ISP above my ISP claimed it as theirs without telling me .... I still use it internally why should I change?
In the case of a managed service provider I worked for, using non-announced gov/mil space allowed us to inject routes for monitoring purposes into the MPLS vrfs of our customers so we could poll the routers without using our own public space.
Way back when, I was working at a startup with little clue what I was doing. Long story short, I set up a VPN network to connect 600 devices through 8 wifi routers to a VPC. I used 11.0.0.0/8 because I didn't want to bother sorting through the conflicts with 10.x, 192.168.x, and 172.x which were all used at various places throughout the chain (e.g. the routers on 192, some upstream services on 10.x and 172.)
All I had to do to make it work, IIRC, was add an ip routing rule to prioritize our internal routing for traffic on 11.0.0.0/8 instead of sending it over the default interface.
This solution worked fine, but it broke in weird ways and I remember one time I did arp -a on one of the Amazon boxes and saw some DoD registered addresses, which was a little alarming, but I just chalked it up to my not understanding the details.
Lots of less clueful network operators worldwide have used the DoD /8 IP blocks internally, under the impression that they'll never show up in the global v4 routing table, essentially for the same purposes that people would use the 10/8 RFC1918 blocks.
Some of those less-clueful operators include Juniper and Azure[1], Cisco[2][3], and probably many other companies. When Cloudflare put its 1.1.1.1 DNS server into use, it started receiving huge amounts of packets destined to unroutable addresses because the 1.0.0.0/8 space was (mostly?) unused.
If you configure your routers correctly, none of these IP addresses should resolve, anyway. If something in your network is intentionally dialing the Department of Defense, you probably have some kind of problem at hand. In theory this might become a huge problem, but in practice it probably won't.
I know of a couple companies that used 1.0.0.0/8 as their internal VPN/WAN network. Myself and others explained why this could be problematic but we were ignored. It's actually mostly fine as long as you 1) never need to reach that network and 2) block traffic in that network from leaving your edge network and 3) triple-check that you have blocked that network from ever being announced from your routers. Downside being you have to double or triple NAT to reach anything in that network. Hamachi uses or used 25/8 ministry of defense as their VPN network.
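As an added Python example that is not from the thread, this models the longest-prefix-match behaviour behind the 10.185.203/24 trick and the 11/8 story above, together with the edge checks the previous comment lists: it flags internal prefixes that squat on non-RFC 1918 space and internal prefixes whose traffic would fall through to the default route and leave the network. The routing table, labels and prefixes are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1918 private space. Anything else used "internally" (11/8, 22/8, 1/8 ...)
# is squatting on somebody's public or reserved allocation.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A route is (prefix, label of the next hop / interface it leaves through).
Route = Tuple[ipaddress.IPv4Network, str]
DEFAULT_LABEL = "isp-default"

# Constructed sample table: a home LAN on 10.185.203/24, a corporate VPN that
# pushes all of 10/8, and a startup VPN that (wrongly) used 11/8 internally.
TABLE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_LABEL),
    (ipaddress.ip_network("10.0.0.0/8"), "corp-vpn"),
    (ipaddress.ip_network("10.185.203.0/24"), "home-lan"),
    (ipaddress.ip_network("192.168.1.0/24"), "home-lan"),
    (ipaddress.ip_network("11.0.0.0/8"), "startup-vpn"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific covering route wins,
    which is why a /24 inside 10/8 beats the VPN's 10/8 route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def is_rfc1918(prefix: str) -> bool:
    """True only if the whole prefix sits inside RFC 1918 space."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def audit_internal(table: List[Route], internal: List[str]) -> Dict[str, dict]:
    """For each prefix used internally, report whether it is real private
    space and whether traffic to it would escape via the default route
    (the leak that hands internal packets to whoever announces that
    space on the Internet)."""
    report: Dict[str, dict] = {}
    for p in internal:
        net = ipaddress.ip_network(p, strict=False)
        probe = str(net.network_address + 1)   # first host address
        route = lookup(table, probe)
        leaks = route is None or route[1] == DEFAULT_LABEL
        report[p] = {
            "rfc1918": is_rfc1918(p),
            "matched_route": str(route[0]) if route else None,
            "leaks_via_default": leaks,
        }
    return report


if __name__ == "__main__":
    # 22/8 has no internal route here, so it leaks out the default; 11/8 is
    # routed internally but is still not private space.
    for p, r in audit_internal(TABLE, ["10.185.203.0/24", "11.0.0.0/8",
                                       "22.0.0.0/8"]).items():
        print(p, r)
```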
Juniper and Cisco are equipment vendors, not ISPs. If the DOD /8s are used in some documentation examples, that's a whole other thing.
If network operators are taking the theoretical network blocks provided in training examples and attempting to copy and paste them into real world use, that is a whole other problem with training and education. And lack of oversight by senior people who should know better at their company.
1/8 is also a whole other thing because it's a legitimately announced block controlled by, as I recall, APNIC. If it's in some people's 20-year-old bogon filter, that's their problem, not APNIC's.
NIPR and SIPR don't talk to the global routing tables for v4 and v6. Generally if a DOD person needs to access commercial internet resources for things, it'll be through a separate commercial network purpose LAN, or through something like an rdp session to a Citrix thin client to do that.
I think you'd be surprised. Most NIPR computers just use a regular proxy server for internet access. But example: 214 /8 is a DoD owned block, and "weather.af.mil" is on that block, and both externally and internally reachable.
Not that NIPR computers don't have access to the internet - but because this isn't 1987, those individual workstations would never have public facing DoD v4 IPs. They'll always be behind some combination of NAT and firewall or as you mentioned, proxy. Certainly there could be some DoD public IP on the external interfaces of said firewalls. If I had to guess very often the public facing side of those boxes might be a commercially acquired local ISP using that ISP's IP space, and not actual DoD IP space...
I'm logged into my Google account, and it shows a certain IP address as where I'm logged in from. Checking ipconfig shows the same IP address as being the computer I'm on. The proxy will of course show it as being the actual source, but Google is smart enough to show the IP address that the proxy says it's proxying for. AFAICT, there's no NAT, but there is a firewall blocking traffic that doesn't run through the proxy.
Not just Chinese companies. I know of one FAANG company that used internal IP addresses in the 11.0.0.0/8 space (in addition to, not instead of, RFC 1918 space).
Every time I've seen this it's because of inefficient and wasteful use of 10/8 internally. Like, not every tiny site or thing needs a /24. Once the wasteful use becomes entrenched as a practice, it would be very labor intensive and time-consuming to go on a renumbering plan. As compared to the effort to just use 11/8.
And then ultimately because of refusal to get over the technical hurdle of using IPv6 for internal management.
If that were true, depending on path information, any botnet or other traffic destined to those networks would end up in this new AS8003 traffic sink, which would create a map of candidate CCP assets to target on the internet.
You could do the same with any AS. I haven't looked into bgp spoofing since about '99, but it seems to have matured since then. The idea of using it as ephemeral canary/honeynet space for tracking botnet C&C traffic seems like a reasonable play.
But the internet is not just CCP vs Captain America. I mean my home network has random ips and a shit network admin, so I will also send crap data to the DOD, from Hong Kong.
You imagine the work to figure out if my tcp heartbeats between my torrent server and my nginx proxy are CCP botnets or me misconfiguring my router ? From the same place kinda ? And you imagine the amount of people we are in China that are doing shit networking but not CCP-relevant things ?
And the amount of botnets we have in China that are to scam each other that even the CCP doesn't want ? :D
I once had a client who decided to use an IP block that was registered to APNIC for their internal network. Made for quite the headache as I tried to track down why there was a ton of traffic supposedly going to China and Japan. -__-
Yeah, that's why the stated explanation sounds weird.
Suddenly advertise this never-used block, and you're just going to get a massive torrent of previously-internal traffic from bazillions of organizations all over the planet that used it for something internal and were slightly lazy and didn't set up their routing quite right. Probably 99.9% of it is of no use whatsoever to anyone outside that org. It's tough to imagine that anyone thought they'd get any useful information on any hostile CCP activity by doing this.
I would also expect that any department doing hostile things on the net would be at least smart enough to not let any of their internal traffic leak out like that, no matter who they actually worked for.
If you traceroute to any of the announced prefixes you'll see that you enter HE space (but as far as I know won't ever get a ping to the destination IP).
In practice the US government is constrained from paying market rates for tech talent. It can either hire companies to complete the entire project, or it can hire a consulting service (which skims off a massive overhead) to provide technical talent inside a government agency.
I would argue that this is obviously a national security operation and the shell company is operated by the FBI or the NSA, not necessarily some random contracting firm.
I read the article but I believe the key point is since when 11.x.x.x stopped being dormant addresses, instead of these IPs just transferred ownership but not “dormant”.
As an interesting fact, when searching "aliyun 11.0.0.0", which is the mentioned Chinese cloud provider I believe, they apparently have been using that as internal IPs since 2015 as well.
My theory: apparently a lot of companies use the IP-addresses internally. And apparently the intention was to sell the IP-addresses already for a long time. But buyers would be faced with a lot of traffic coming from all those companies using the ranges internally, instant DDoS. Maybe this is an attempt to "clean" the IP-addresses before selling them. It will probably only take time before most companies using the ranges internally and having problems now (or happily continuing business now with the help of Pentagon servers), to reconfigure their networks to fix it. In the meantime the Pentagon can probably collect some interesting traffic, speeding up the whole process of reconfiguration by companies who use the ranges, to prevent their secrets from falling into exactly the right hands.
When digging through some of the IPs, I came across 22.0.0.0/8, which if you look at the DNS tab of bgp.he.net (https://bgp.he.net/net/22.0.0.0/8#_dns) shows a LOT of people are "using" those IPs... which means a LOT of people won't be happy that their sites, email, DNS, etc., are now essentially being blackholed... For me (I run AS204994), the traffic hits Frankfurt (I peer with HE there), goes over their network through Paris, then to Ashburn, and then is blackholed... gone after that... wondering how much traffic is being seen by he.net with this...
If they're using them for internal networks, they'll (probably) work just like they did before. It's likely many folks are using these as like private RFC-1918 addresses.
If they are private, which they could be, I wonder why they are showing up in public on there... Also, ripe.net has RIPEstat... Checked a few of the ranges and saw people other than the DoD and these lads announcing the range...
Anyone can put an address in their DNS records, whether it's "theirs" or not. I have several records with 192.168.0.0/16 IPs. The DNS can be seen publicly but obviously they don't route. It's the same thing.
Other folks are definitely using those DoD addresses. For example, I see a bunch being announced by AS23352 / Server Central: https://bgp.he.net/AS23352#_prefixes
Still seems a bit odd to me. It doesn't explain why "GLOBAL RESOURCE SYSTEMS, LLC" is involved. Poking around, the individuals associated with that aren't government employees. The company was formed 9/8/2020 in Delaware.
If I were to guess, because private companies aren't subject to FOIA requests. It's a little trick the gov't has been doing for some time now to avoid legitimate, legal scrutiny by the public.
How is "the government" not part of the economy?
Do you imagine all their employees spend their salary in some secret separate economy? Do you imagine all the toilet paper, pens, plumbing repairs and jet fighters they buy are from some magical not part of the economy source?
Are you saying that the most corrupt US president ever (an individual so mentally challenged that he managed to bankrupt FOUR casinos, the only money-making machines where the customers literally throw money at you) grifted billions of dollars from the most valuable IP4 addresses in the world?
When you want to do some secret squirrel stuff, you start a small closely-held company.
Wait until you read about Air America - an actual airline started by Claire Chennault (of Flying Tigers fame), that was bought by the CIA in the post WW-II years and used to run missions in Southeast Asia up until the mid 1970's.
The simplest would be to make sure the addresses are not announced by the DoD, which depending on the things they want to test could matter, or could be irrelevant.
If other scammers are spoofing the ranges and then another company does it, that doesn't raise alarm in the other entities abusing the same trick.
If you announce it as DoD then it may scare off the others.
In any good investigation, you want to shroud the data/intel collection. Using a front company, or series of levels of fronts, is the way you have to go about it.
The Delaware company is registered there as an "outside of the state of Florida" entity operating in Florida. Some actual people's names are listed. I'm fairly confident it's the same company, as the Plantation, FL address is there.
There's a reason it's a Florida company. Florida is the only state that provides for "double blind" corporations whereby the people associated with it can remain completely anonymous. Look it up if you aren't familiar.
DDS hires professional engineers at a special paygrade pegged to their civilian pay stubs for a 2 year tour of duty fixing pressing issues in DoD tech via pretty broad authority to sidestep
A) the usual senior military slow-roll* in the way of these fixes
B) the sh**y govt contractors who made the tech and usually get paid to fix their own bad tech.
DDS hires a lot of motivated engineers who would be in civil service but for the $180k -> $90k pay cuts and fear of bureaucratic hell. It is run by one of the ~founders of OpenTable who, post-OpenTable riches, was flying on 9/11/01, decided to join the Chicago PD as a result, did west Chicago homicide until the PD discovered his past, then stood up Chicago's data-based policing technical approaches, and eventually the Obama admin heard about him and asked him to take over DDS (iirc, +/- details there).
Cool stuff and I’d work for them in a second, probably need another few years in private sector though.
> DDS hires professional engineers at a special paygrade pegged to their civilian pay stubs
I wish USDS would do this as well; I feel like they'd attract a lot more talent. Although perhaps they want to attract exactly the kind of talent who would take a big pay cut out of a sense of service/duty.
> Cool stuff and I’d work for them in a second
For myself, while I recognize that military is a necessary evil in the world we live in, and I have a ton of respect for the people who put themselves in harm's way, working for an org with a .mil address would be against my values. I'm so torn, though, since (e.g.) the Internet itself came out of the DoD. It's a hard pill to swallow for me sometimes that a lot of essential civilian tech was originally developed by or for the military.
I think it’s ok to have that self awareness about where your values line is, when it’s paired with understanding that you’re able to abstract away that public service to someone else who does it for you.
A ton of folks want to have a free lunch in that respect, especially in tech. God help them if Amazon wins the JEDI contract while they work there, but other nefarious work FAANGs get up to while employed at one is ok as long as it’s ~out of sight. Like the Dragonfly project at GOOG...
Similarly, there’s this issue of so much fundamental tech came out of huge DARPA grants, NIST work, and so on. It’s ok if you don’t want to be the one working with DARPA/DDS, but tech’s roots are so tied to them that it has to be ack’d.
The line of folks who “would be in the DoD but for X” is long, and it’s a comically reoccurring conversation for people who do DoD work. That conversation is much different if that awareness exists, though.
The org has done really interesting things under a few different political climates. To the extent it’s safe/neutral to say we’re entering a more pro-govt can-do env, I think they’ll have a cool next 4 years as an org.
Some of the projects they talk about doing have huge value-adds to technically underserved groups like military families during mandatory base moves every few years. Those groups are totally dependent on following the system as designed (get your travel voucher here, your goods shipped here, etc.) and much of it depends on single-option, very janky govt, almost intranet-like, portals. Iirc, one of their projects was fixing a portal that was leaking SSNs like gangbusters. Normal times, that's a 6 month -> 10 year process to work with the contractor. DDS did it fairly quickly.
I don't know Brett super well so I can't speak to the rest of his background, but it's not correct that the Obama admin asked him to take over DDS.
DDS's founding head was Chris Lynch, who served in that role until the middle of the Trump administration, when he left government service and that's when Brett got the job.
The first paragraph of a job description gives some context to their culture:
> How do you feel about the cloud? Specifically, what are your thoughts on the cumulus clouds of Bespin? Do you believe Cloud City is composed of only cumulus clouds? Do you have any idea about what we are asking? If your answer is yes, definitely read on. If no, still read on, but we might find your lack of faith disturbing!
More money, I assume. The government does not want to raise all programmers’ pay, so instead of adjusting the pay schedules that apply to everyone, they make a special group that the normal pay schedules don’t apply to.
I wonder if it came about because how much of a dumpster fire the first version of healthcare.gov was for the premier of the Affordable Care Act. That probably embarrassed a lot of people.
healthcare.gov's problem led to a rescue team, whose members helped to start USDS, whose members helped to start DDS!
To your first point, it'd be more accurate to say that many government offices often don't hire any programmers, which can (among other issues) make it challenging for those offices to select strong contractors.
Can someone explain how we know these “announcements” are real? What’s to stop me setting up a company and announcing random dormant address ranges that I don’t own?
RPKI[0], but that doesn't mean fake BGP announcements, considered BGP hijacking[1], don't happen[2].
Once every T1 drops invalid prefixes, then RPKI will effectively mean no T1 can turn off the internet for other ASNs, but everyone signing their prefixes is required to mean nobody can fake-announce an IP.
It looks like the DOD's routes are indeed signed[3].
The HE link doesn't mean they are signed.
It just means the IRR records are correct.
You would see a green key on the prefixes if they were signed (and correct).
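The validity states the replies above are arguing about, as an added Python example that is not from the thread: a minimal RPKI route origin validation (RFC 6811) over constructed ROAs that use documentation prefixes and documentation AS numbers. It shows why a prefix with no ROA stays "NotFound" and can still be announced by anyone, which is the point about everyone needing to sign before hijacks become impossible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Outcomes defined by RFC 6811 (BGP prefix origin validation).
VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` permits `asn`
    to originate it at prefix lengths up to `max_length`. asn 0 means
    'nobody may originate this' (RFC 7607)."""
    prefix: str
    asn: int
    max_length: int


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route Origin Validation for one announcement (prefix, origin AS)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return NOTFOUND          # unsigned space: ROV cannot protect it
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return VALID
    return INVALID               # covered by a ROA, but origin/length mismatch


def filter_announcements(announcements: List[Tuple[str, int]], roas: Iterable[ROA],
                         drop_notfound: bool = False) -> List[Tuple[str, int, str]]:
    """Return the announcements a router with ROV enabled would accept.
    Most operators drop only INVALID; dropping NOTFOUND too would reject
    every unsigned prefix on the Internet."""
    roas = list(roas)
    kept = []
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        if state == INVALID or (drop_notfound and state == NOTFOUND):
            continue
        kept.append((prefix, asn, state))
    return kept


# Constructed sample ROAs and announcements using documentation prefixes
# (RFC 5737) and documentation AS numbers (RFC 5398); none are real allocations.
ROAS = [
    ROA("192.0.2.0/24", 64496, 24),    # holder signed; exact /24 only
    ROA("203.0.113.0/24", 0, 24),      # AS0 ROA: nobody may originate this
]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin                     -> valid
    ("192.0.2.0/24", 64500),     # hijack by a different origin          -> invalid
    ("192.0.2.0/25", 64496),     # right AS, more specific than max_length -> invalid
    ("203.0.113.0/24", 64496),   # AS0-protected space                   -> invalid
    ("198.51.100.0/24", 64500),  # no ROA at all                         -> notfound
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}: {validate(prefix, asn, ROAS)}")
```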
> Defense Digital Service (DDS) authorized a pilot effort advertising DoD Internet Protocol (IP) space using Border Gateway Protocol (BGP). This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space. Additionally, this pilot may identify potential vulnerabilities. This is one of DoD’s many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.
Interesting, seems an effort to find out who was abusing ranges that were exclusively allowed or disallowed based on the ranges. Malware that tries to look like something else that uses a state level IP range to evade blocking, or check for blocks.[1]
> I interpret this to mean that the objectives of this effort are twofold. First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background internet traffic for threat intelligence.
> On the first point, there is a vast world of fraudulent BGP routing out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic.
Cloudflare example shows how much traffic some of these ranges that are included/excluded have when turned on.
> On the second, there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space. A recent example is Cloudflare's announcement of 1.1.1.0/24 and 1.0.0.0/24 in 2018.
> For decades, internet routing operated with a widespread assumption that ASes didn't route these prefixes on the internet (perhaps because they were canonical examples from networking textbooks). According to their blog post soon after the launch, Cloudflare received "~10Gbps of unsolicited background traffic" on their interfaces.
> And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic. More misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.
Looks like a new cybersecurity policy/process started on inauguration day. Probably a defensive or offensive measure to combat the supply chain attacks that may well have used those ranges in evading blocking.
Why use a front company? As a honeypot.
I think the downvotes come from entertaining the idea that, because WAPO writes about something, that it’s ultimately in order to further the interests of AWS/Amazon/Bezos. While I think the rest of your comment is something worth discussing, the WAPO thing is not really supported by evidence, so it makes you seem like you're entertaining the conspiracy theory that writers at WAPO try to help AMZN. Quoting dead comments isn't a recipe for success.
Good point, but, here's an anecdote to serve as a counterpoint:
When I was at a US three-letter department from 2013-2015, they did in fact use non-private IPs for their internal datacenter networks, and even for their office space LAN DHCP lease ranges. It blew my mind when I looked at my laptop and saw a public IP on its ethernet interface. Watching the realization dawn on my InfoSec peers' faces there was amusing as well. IT personnel way up in the hierarchy blessed with institutional knowledge confirmed to me that using public IPs everywhere is one thing they did to justify sitting on that many public IPv4 addresses. They seemed confident that their firewalls and routing configurations were enough to protect their self-drawn boundary lines, and in many ways, they were right. It also made inter-agency connection agreements quite simple.
So the distinction of public vs. private may not actually matter quite as much in the context of IP ranges used on JEDI.
I didn't downvote, but random speculation with no evidence doesn't get upvotes on Hacker News; a discussion of things you find interesting that others find baseless will get you downvotes immediately.
I got -4 in downvotes. (-2 before my edit.) I don't know what's going on.
I understand when I call out Apple or Google for bad behavior that I can attract downvotes. Sometimes my posts are snarky, and I understand in that case too.
But I can point to instances where posts I made days ago were all downvoted in unison. Or completely informational threads where every single one of my comments gets a downvote or two.
Just a few days ago I got downvoted the second after I posted a comment. I spotted a typo immediately after submitting, clicked edit, and found myself downvoted before anyone could have possibly even read my comment (it was long). Maybe it was a mis-click -- who knows? But it was great feedback after having just submitted. And in concert with all the other recent downvotes, it's frustrating...
I've been sitting at the same "karma" value for months, and I don't think I'm being a bad member of the community.
It's more than likely noise, but it's got me rattled. It's not actionable feedback. With the pandemic and lack of social contact with other engineers, and this sort of judgement, I don't like it. I honestly don't think I'm being a nuisance.
(And here this comment is with downvotes and no comments. Sigh.)
I upvoted, if nothing else it's a perfectly reasonable comment with an interesting hypothesis.
HN karma is a little weird. IMO, if you've never been downvoted to -4, then you've never said anything really interesting. It's easy to just tell the crowd what they want to hear, saying true and important things doesn't always go down so well. Don't sweat it too hard. Sometimes posts do acquire downvotes at suspicious times and rates. Makes me wonder if some external orgs managed to build downvote bots for HN or are directing voting somehow.
You already got feedback in hobs’s comment. They wrote:
"I didn't downvote, but random speculation with no evidence doesn't get upvotes on Hacker News; a discussion of things you find interesting that others find baseless will get you downvotes immediately."
(via https://news.ycombinator.com/item?id=26924988, but no comments there to speak of)