173.245.58.0 is owned by Cloudflare (https://www.cloudflare.com/ips/). You're probably tracking the IP address of Cloudflare's reverse proxy that hits your application instead of the true source IP (which Cloudflare will copy into the X-Forwarded-For header).
Likely you pulled this IP from your application's logs? If you're trying to track bot traffic, use Cloudflare's built-in analytics tool.
Also a single source IP can be hosted in geographically distinct locations - that's called anycasting, which Cloudflare does use, however I don't think that's the issue here.
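An added example, not part of the thread and not Cloudflare's code: attributing requests to the real client when the logged peer is a reverse proxy such as 173.245.58.0. It honours X-Forwarded-For only when the TCP peer is inside a trusted proxy range, because any direct client can send that header itself. The single range listed, the function names and the sample records are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Partial sample of the proxy ranges published at https://www.cloudflare.com/ips/
# (assumption: a real deployment loads the full, current list from that page).
TRUSTED_PROXIES = [ipaddress.ip_network("173.245.48.0/20")]


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True if ip belongs to one of the trusted proxy networks."""
    return any(ip in net for net in trusted)


def real_client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the address a request should be attributed to.

    peer: address of the TCP connection as seen by the application.
    xff:  raw X-Forwarded-For header value (may be empty or forged).
    """
    peer_ip = ipaddress.ip_address(peer)
    # A peer outside the proxy ranges connected directly: its header is
    # attacker-controlled, so ignore it and log the peer itself.
    if not xff or not is_trusted(peer_ip, trusted):
        return str(peer_ip)
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not itself a trusted proxy.
    for hop in reversed(xff.split(",")):
        try:
            hop_ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer_ip)  # malformed entry: fall back to the peer
        if not is_trusted(hop_ip, trusted):
            return str(hop_ip)
    return str(peer_ip)


# Constructed sample records: (TCP peer address, X-Forwarded-For header value).
SAMPLE_REQUESTS = [
    ("173.245.58.0", "203.0.113.7"),             # normal proxied request
    ("173.245.58.0", "10.1.1.1, 203.0.113.7"),   # client pre-seeded the header
    ("198.51.100.23", "203.0.113.99"),           # direct hit with forged header
    ("173.245.58.0", ""),                        # proxied, header missing
    ("173.245.58.0", "203.0.113.7, not-an-ip"),  # malformed header
]


def requests_per_client(records):
    """Count requests per attributed client address."""
    return Counter(real_client_ip(peer, xff) for peer, xff in records)


if __name__ == "__main__":
    for client, hits in requests_per_client(SAMPLE_REQUESTS).most_common():
        print(client, hits)
```
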
It’s possible, but I think it’s typically used for ingress (ie same IP, but multiple destinations, follow BGP to closest one).
I don’t think I’ve seen a similar case for anycast egress. Naively, doesn’t seem like it would work well because a lot of the internet (eg non-anycast geographic load balancing) relies on unique sources, and Cloudflare definitely break out their other anycast addresses (eg they don’t send outbound DNS requests from 1.1.1.1).
So reading the article you’re right, it’s technically anycast. But only at the /24 level to work around BGP limitations. An individual /32 has a specific datacenter (so basically unicast). In a hypothetical world where BGP could route /32s it wouldn’t be anycast.
I wasn’t precise, but what I meant was more akin to a single IP shared by multiple datacenters in different regions (from a BGP perspective), which I don’t think Cloudflare has. This is a general parallel of ingress unicast as well, a single IP that can be routed to multiple destinations (even if on the BGP level, the entire aggregate is anycast).
It would also not explain the OP, because they are seeing the same source IP, but from many (presumably) different source locations whereas with the Cloudflare scheme each location would have a different source IP.
To be clear, they definitely use ingress anycast (ie anycast on external traffic coming into Cloudflare). The main question was whether they (meaningfully) used egress anycast (multiple Cloudflare servers in different regions using the same IP to make requests out to the internet).
Since you mentioned DDOS, I’m assuming you are talking about ingress anycast?
It doesn't really matter if they're doing that for this purpose, though. Cloudflare (or any other AS) has no fine control of where your packets to their anycast IPs will actually go. A given server's response packets will only go to one of their PoPs. It's just that which one will depend on server location and network configuration (and could change at any time). Even if multiple of their PoPs tried to fetch forward from the same server, all but one would be unable to maintain a TCP connection without tunneling shenanigans.
Tunneling shenanigans are fine for ACKs, but it's inefficient and therefore pretty unlikely that they are doing this for ingress object traffic.
This will very likely be an app inside "Toybox" - where there are other fun/goofy/pointless apps like replacing the car's horn with goat bleating / fart noises, light show, romance mode, changing the car's path to rainbow etc.
If that's the case, this may actually be fun. The only notification a user may get would be in release notes when updates happen. It may not be an ad in the way most users understand what an ad is, as in, it's not going to play when you turn on the car. That said, Tesla is probably getting paid for this.
1. Don’t work from home. Even if you are working for a fully remote company, get a personal office.
2. Have a laptop or desktop that only has a command line on it. Don’t carry your normal laptop along.
3. Don’t carry your phone. Instead invest in an Apple Watch with cellular or something similar for emergency calling. Have a regular old landline for your office.
4. Invest in specialized devices such as kindles and zoom meeting devices.
1-2 months of this will help change your default behavior of needing to satisfy your frequent dopamine demands immediately. Slowly introduce other devices.
That's the "Idaho stop". You're moving at speeds slow enough to be easily able to check for traffic without stopping, plus losing inertia as a cyclist is much more annoying (and arguably even dangerous) than for a car.
From a driver's perspective, you don't want to wait an extra 5-10 seconds because now the bike in front of you has to get back up to speed. 0-5mph is the slowest change and the most energy
> And I wish cyclists would re-learn that pedestrians have more rights of being on sidewalks.
That's not universal, but I do wish they would just learn those laws for their state.
In my state, they have equal rights, and that is that no one has the right of way. If you run into someone, it's your fault full stop. If you couldn't stop in time, then you were travelling too fast for the situation. If someone is blocking the sidewalk, they're a dick, but you can't do anything about it without getting arrested except to find another way around.
Also, if you're on a bike and about to pass a pedestrian, you must give an audible (to the ped) signal so as to warn of your approach. Even then, if you hit them, it's because you were going too fast to stop safely in case they wandered into your path.
I love the laws in my state regarding shared cycling/pedestrian ways, and sidewalks in particular. Very reasonable and fair.
They are probably testing stolen/hacked PayPal accounts. Probably doing a dispute to ensure the owners don’t suspect anything is going wrong, until they use it for bigger transactions. Unfortunately with PayPal there’s no way to ascertain ownership of an account (like 3DS).
This used to happen to us, eventually after haggling with PayPal support for over a year on who should bear the cost, we just shut down PayPal payments. Don’t have anything better to offer, sorry.
I haven't worked with online payments for a few years, so take it for what it is, but I'd agree. PayPal is possibly the worst payment solution, for the stores. Their support sucks and is completely unhelpful, managing your account was at the time extremely complex, compared to any other payment solution.
Our rule taking PayPal: Transfer EVERYTHING out of your PayPal account on a daily basis, do not let them hold your funds, they will block you from accessing it at some point. Minimize what they can touch.
Also don't allow smaller amounts to be paid with PayPal. This prevents you from being abused as a source for verifying stolen accounts.
The only company I dealt with that came close to the same level of incompetency was Klarna. Klarna didn't at the time understand the concept of fraud, because they're Swedish and their system in Sweden MOSTLY prevented fraud at the time. Once people found a way around that and Klarna expanded beyond Sweden, they gave up and attempted to stick the bill on us, despite their contracts clearly stating that they were responsible for collecting payments.
> Our rule taking PayPal: Transfer EVERYTHING out of your PayPal account on a daily basis, do not let them hold your funds, they will block you from accessing it at some point. Minimize what they can touch.
That only works until your business is successful. Once you reach enough transaction volume/dollars they will require you to float millions of dollars in your PayPal balance and not let you touch anything for 30-45 days after transactions.
Are there services that "guarantee" (or block) transactions for a fee?
In any case, this should be the primary responsibility of the payment service!! The fact it can so casually offload it to the merchants is just bizarre.
Guaranteeing transactions would incentivize the provider to block transactions. There are many companies in the space, like sift.com, but they don’t guarantee.
If you can pass on a chunk of customers sure. I've canceled a purchase more than once at checkout when I saw there is no PayPal available, if the website was unknown or looked a little shady, and I didn't desperately need the item. There are people who don't buy at all if there's no PayPal just because it's less convenient.
This. Also, remember that from the consumer standpoint, PayPal was the first ever trusted payment processor that didn't pass your payment account info (bank, CC#, debit card info) along to the vendor. Granted, they passed along your email+shipping address. But the vendor would have had that info anyhow if you were purchasing some physical item from them.
So there's a large swath of the consumer population that views PayPal positively and will skip a purchase if there's no PayPal option.
3DS is not just 2FA, but it has an option to shift liability to the card issuer in case of card-stolen disputes. Our fraud has come to near 0 once we started 3DS enforcement. 1% of 3DS transactions don't lead to a liability shift, and in such cases, we flag those transactions and call the customer to get more forms of identification that they own the card.
With PayPal - beyond ownership of email address (which is already compromised), there's nothing else to validate against.
I'm not that commenter but my business also moved away from PayPal and is using Stripe + Sezzle for transaction processing. It has been about five years now without any issues at all.
Easy example is Stripe. You can enable 3DS, and you can listen for 'early_fraud_warning' events on a webhook to refund users & close accounts to avoid chargebacks and all the associated fees and reputation penalties.
Part of the problem is that not all countries have the same solutions, but credit/debit cards are an easy solution. In some countries that requires 2FA using a government issued ID. It's not 100% secure, people being people and doing stupid things, but it's better. If you're in the US, I don't know, it might not be better. If you can, ask your credit card processor to block cards that are not in the area you serve. E.g. we had huge success in blocking UK and US credit cards from our Scandinavian stores.
In Scandinavia there's also MobilePay, which is much much better, as it is also closely linked to real identities.
The problem with using credit/debit directly is that it requires the customer to trust you with their credit card number.
The nice thing about Paypal is I click the button and a window pops up that Firefox recognizes as coming from Paypal to autofill my login info, then Paypal confirms the payment info and gives the website just the payment info. With a credit card, even if you have a different payment processor with an icon next to it that says "secure", there's not actually any way for me to be sure at a glance that that isn't Stripe_Secure_Checkout_Confirmation.SVG and that you aren't just harvesting my credit card info, other than other contextual information on your website and your company's reputation as an actual company that does actual business in the real world.
Vipps and MobilePay merged, so it's the same product now. It's MobilePay in Denmark and Finland, and Vipps in Norway and Sweden... and apparently Poland.
We get a few thousand fresh grads applying to us each year. It’s practically impossible to interview every one of them. At the same time, any sort of coding assignment we give is easily defeated by AI—so that’s not useful either and there are very few signals there.
What we do instead is send out a test - something like a mental ability test - with hundreds of somewhat randomized questions. Many of these are highly visual in nature, making them hard to copy-paste into an AI for quick answers. The idea is that smarter candidates will solve these questions in just a few seconds - faster than it would take to ask an AI. They do the test for 30 minutes.
It’s not expected that anyone finishes the test. The goal is to generate a distribution of performance, and we simply start interviewing from the top end and make offers every week until we hit our hiring quota. Of course, this means we likely miss out on some great candidates unfortunately.
We bring the selected candidates into our office for a full day of interviews, where we explicitly monitor for any AI usage. The process generally appears to work.
On a different note, things are just getting weird.
> Actually, I would not even do the test most likely and I bet many others neither.
Unpopular observation: Many people say this, but when they actually want or need a job they change their mind quickly.
I've lost count of how many of my peers went from "I will never grind LeetCode!" to working their way through LeetCode challenge lists as soon as a recruiter from a big tech company contacted them.
I talked to one hiring manager at a company who tested their mobile developer applicants by having them make an entire demo app with some non-trivial functionality. I assumed they wouldn't have any applicants, but his current problem was that too many qualified applicants were applying for every position and begging to do the test.
Seriously. I’m interviewing as a programmer and you give me some ridiculous “which cube is next in the sequence” nonsense that probably has three different arguably correct answers for every question? Pass.
We have to use some criteria when all applicants are effectively the same - 4000 applicants and 6 interviewers. We interview each applicant at least 3 times.
Definition of being smart is to be quick at mental math and logic, but the puzzles are represented visually. And yes, both those skills are needed in the course of our work.
Contrary to what you might expect, over 80% take the test. I suppose during next hiring season, we could A/B against random selection to compare what % go past our interview.
We still do a coding assignment, but a significant chunk of the technical interview is dedicated to a walkthrough of the code. Thus far, that’s been able to detect those who relied solely on AI.
…If you used AI and can still explain to me why code works and what it does, even better. You have learned how to use new tools.
(have not tried the randomized question approach to compare, but I’m curious to try it and see what happens)
We do it similarly and it's pretty easy to tell if someone knows their stuff, especially as the assignment is just a platform to dig deeper in the face to face interview.
However, the coding assignment was a really good filter and allowed us to dismiss the majority of candidates before committing to a labour-intensive face to face.
I haven't interviewed anyone since AI took off, but I am assuming that from now on the majority of candidates that would usually send us crap code will send us AI code instead; thereby wasting our time when they finally appear for the face to face.
Yes, but we had that problem before when somebody would farm out coding assignments to a friend. I couldn’t say yet how it’s impacted the coding assignment’s effectiveness as a filter yet. We still do get crap code just sometimes it’s obviously AI generated.
Simpler - eg. A table of some numbers, with a question to quickly compute averages of a filtered set, after performing some quick boolean logic to filter them.
I'm still mad at IBM for giving me one of those tests for an internship after 4 years. It required a lot of fast mental arithmetic, which is, medically speaking, not my strong suit. I thought the job was programming computers, not being the computer, but the test suggests otherwise.
I probably should have figured out how to request an ADA accommodation... oh well.
Hiring devs is perfectly fine if you don't look for F# skills - just hire generally smart people, and allow them 1-2 weeks to get comfortable with F#. Make them just solve problems from project euler or something.
For those who have already done functional programming, they won't take more than 2 days to start getting productive. For those who have written a lot of code, it will take them ~2 weeks to pick up functional thinking.
Anyone who is still uncomfortable with F# after 1 month - well that's a strong signal that the dev isn't a fast learner.
Additionally, I've never had anyone reject our job offer because we do F#. I'm sure a whole bunch of people might only be looking for python or javascript jobs, but that's fine because I'm not looking for them. I always have more people who I want to hire but I can't due to budget constraints.
Source: direct experience - I run a pure F# company with a team size of ~80.
For me, my discomfort with F# is due to not knowing if what I’m doing is the correct/idiomatic way of doing things. With C# I have learned all the ways I should not do things…so it’s easier/faster to just use C#.
> Anyone who is still uncomfortable with F# after 1 month - well that's a strong signal that the dev isn't a fast learner.
I think you may be reading this wrong. Agree with sibling post that even teaching folks C# -- which isn't far off of TypeScript, Java, etc. -- is never so straightforward if the individual wants a full grasp of the tool.
For myself, I feel that I have "full" command of C# as a programming language, but also how to structure projects, how to isolate modules, how to decouple code, how to set up a build system from scratch for C#, how to deploy and scale applications built with C#, what the strengths and weaknesses are, etc. My definition of "comfort" would entail a broader understanding of not just the syntax, but of the runtime ecosystem in which that code operates.
The problem is, many recruiters don't work with this mindset. If they're hiring a Java developer, and they get a CV from someone who has 1 year of Java experience and 5 years of C# experience, they see 1 year of experience, and immediately put it on the "unqualified" pile.
F# is quite usable with AI. All AI models are perfectly capable of generating idiomatic F# code. In fact, because it has a nice type system, if you ask the AI to model the problem well with types before implementing, hallucinated bugs are also easier caught.
Same with Nim. It works surprisingly well with AI tools. I think both have more straightforward syntax so it’s easy to generate. I’m curious how more complex languages do like C++ / Rust.
Last time I tried C++ with Copilot it was terrible.
Everything is an expression (i.e. it's an actual functional programming language), and along with it comes a different way of thinking about problems. Coupled with a really good type system which has discriminated unions, you'll have much fewer bugs.
Pro tip: don't write F# like you would write C# - then you might as well write C#. Take the time to learn the functional primitives.
Ah yes that is definitely a nice addition to the C# language, albeit still with a couple of shortcomings compared to F#:
1. It doesn’t support code blocks, so if you need multiple lines or statements you have to define a function elsewhere.
2. To get exhaustiveness checking on int-backed enums you have to fiddle with compiler preprocessor directives.
And for #2 any data associated with each enum variant is left implied by C# and has to be inferred from a reading of the surrounding imperative code, whereas in F# the union data structure makes the relationship explicit, and verifiable by the compiler.