One starts to wonder, at what point might it be actually feasible to do it the other way around, by whitelisting IP ranges. I could see this happening as a community effort, similar to adblocker list curation etc.
replies(9):
Google indexes in country, as does a few other search engines..
Would recommend.
Source: stopping attacks that involve thousands of IPs at my work.
Would it make sense to have a class of ISPs that didn't peer with these "bad" network participants?
What's the bigoted history of those terms?
from here[0]:
"The English dramatist Philip Massinger used the phrase "black list" in his 1639 tragedy The Unnatural Combat.[2]
"After the restoration of the English monarchy brought Charles II of England to the throne in 1660, a list of regicides named those to be punished for the execution of his father.[3] The state papers of Charles II say "If any innocent soul be found in this black list, let him not be offended at me, but consider whether some mistaken principle or interest may not have misled him to vote".[4] In a 1676 history of the events leading up to the Restoration, James Heath (a supporter of Charles II) alleged that Parliament had passed an Act requiring the sale of estates, "And into this black list the Earl of Derby was now put, and other unfortunate Royalists".[5]"
Are you an enemy of Charles II? Is that what the problem is?
[0] https://en.wikipedia.org/wiki/Blacklisting#Origins_of_the_te...
Leaving aside any other reasons, they're just better names.
I would argue, without any evidence, that when terms are used and embraced, they lose their negative connotations. Because in the end, you want to fight the negativity they represent, not the term itself.
I looked at all the IP ranges delegated by APNIC, along with every local ISP that I could find, unioned this with
https://lite.ip2location.com/australia-ip-address-ranges
And so far i've not had any complaints. and I think that I have most of them.
At some time in the future, i'll start including https://github.com/ebrasha/cidr-ip-ranges-by-country
Say you whitelist an address/range and some systems detect "bad things". Now what? You remove that address/range from whitelist? Doo you distribute the removal to your peers? Do you communicate removal to the owner of unwhitelisted address/range? How does owner communicate dealing with the issue back? What if the owner of the range is hosting provider where they don't proactively control the content hosted, yet have robust anti-abuse mechanisms in place? And so on.
Whitelist-only is a huge can of worms and whitelists works best with trusted partner you can maintain out-of-band communication with. Similarly blacklists work best with trusted partners, however to determine addresses/ranges that are more trouble than they are worth. And somewhere in the middle are grey zone addresses, e.g. ranges assigned to ISPs with CGNATs: you just cannot reliably label an individual address or even a range of addresses as strictly troublesome or strictly trustworthy by default.
Implement blacklists on known bad actors, e.g. the whole of China and Russia, maybe even cloud providers. Implement whitelists for ranges you explicitly trust to have robust anti-abuse mechanisms, e.g. corporations with strictly internal hosts.
- Blacklisted IP (Google Cloud, AWS, etc), those were always blocked
- Untrusted IPs (residential IPs) were given some leeway, but quickly got to 429 if they started querying too much
- Whitelisted IPs (IPV4 addresses are used legitimately by many people), for example, my current data plan tells me my IP is from 5 states over, so anything behind a CGNAT.
You can probably guess what happens next. Most scrapers were thrown out, but the largest ones just got a modem device farm and ate the cost. They successfully prevented most users from scraping locally, but were quickly beaten by companies profiting from scraping.
I think this was one of many bad decisions Pokémon Go made. Some casual players dropped because they didn't want to play without a map, while the hardcore players started paying for scraping, which hammered their servers even more.
That's why I posted that. I'd also point out that in my lifetime, folks with darker skin called themselves black and proudly so. As Mr. Brown[0][1] will unambiguously tell you. Regardless, claiming that a term for the property of absorbing visible light is bigoted, to every use of such a term is ridiculous on its face.
By your logic, if I wear black socks, I'm a bigot? Or am only a bigot if I actually refer to those socks as "black." Should I use "socks of color" so as not to be a bigot?
If I like that little black dress, I'm a bigot as well? Or only if I say "I like that little black dress?"
Look. I get it. Melanin content is worthless as a determinant of the value of a human. And anyone who thinks otherwise is sorely and sadly mistaken.
It's important to let folks know that there's only one race of sentient primates on this planet -- Homo Sapiens. What's more, we are all, no matter where we come from, incredibly closely related from a genetic standpoint.
The history of bigotry, murder and enslavement by and to our fellow humans is long, brutal and disgusting.
But nitpicking terms (like black list) that never had anything to do with that bigotry seems performative at best. As I mentioned above, do you also make such complaints about black socks or shoes? Black dresses? Black foregrounds/backgrounds?
If not, why not? That's not a rhetorical question.
[0] https://www.youtube.com/watch?v=oM1_tJ6a2Kw
[1] https://www.azlyrics.com/lyrics/jamesbrown/sayitloudimblacka...
In reply to your argument, the deny list (the actual list, apart from what term we use for it) is necessarily something negatively laden, since the items denied are denied due to the real risks/costs they otherwise impose. So using and embracing the less direct phrase 'black' rather than 'deny' in this case seems unlikely to reduce negative connotations from the phrase 'black'.
Are you really? How likely do you think is a legit customer/user to be on the same IP as a residential proxy? Sure residential IPS get reused, but you can handle that by making the block last 6-8 hours, or a day or two.
My single-layer thought process:
If they're knowingly running a residential proxy then they'll likely know "the cost of doing business". If they're unknowingly running a residential proxy then blocking them might be a good way for them to find out they're unknowingly running a residential proxy and get their systems deloused.
My cat has a black tail.
The top of my desk is black.
I have several pairs of black shoes.
Every single computer in my possession has a black case.
My phone and its case are both black.
Black Power![0][1][2]
I will put you on my personal blacklist.
Which I'm sure you won't mind since I'm a huge bigot, right?
[0] https://www.britannica.com/topic/Black-Power-Movement
The known good list is IPs and ranges I know are good. The known bad list is specific bad actors. The data center networks list is updated periodically based on a list of ASNs belonging to data centers.
There are a lot of problems with using ASNs, even for well-known data center operators. First, they update so often. Second, they often include massive subnets like /13(!), which can apparently overlap with routes announced by other networks, causing false positives. Third, I had been merging networks (to avoid overlaps causing problems in nginx) with something like https://github.com/projectdiscovery/mapcidr but found that it also caused larger overlaps that introduced false positives from adjacent networks where apparently some legitimate users are. Lastly, I had seen suspicious traffic from data center operators like CATO Networks Ltd and ZScaler that are some kind of enterprise security products that route clients through their clouds. Blocking those resulted in some angry users in places I didn't expect...
And none of the accounts for the residential ISPs that bots use to appear like legitimate users https://www.trendmicro.com/vinfo/us/security/news/vulnerabil....
It really isn’t. It’s a novel term, which implies a functional difference from the common term. Like, I can run around insisting on calling soup food drink because it’s technically more descriptive, that doesn’t mean I’m communicating better.
To the extent we have a bug in our language, it’s probably in describing dark brown skin tones as black. Not a problem with the word black per se. (But again, not a problem really meriting a linguistic overhaul.)
But they're not, so I didn't.
By all means, congratulate yourself for putting this bigoted "culture warrior" in their (obviously) well deserved corner of shame.
I'm not exactly sure how decrying bigotry while pointing out that demanding language unrelated to such bigotry be changed seems performative rather than useful or effective is a "childish culture war provocation."
Perhaps you might ask some folks who actually experience such bigotry how they feel about that. Are there any such folks in your social circle? I'm guessing not, as they'd likely be much more concerned with the actual violence, discrimination and hatred that's being heaped upon them, rather than inane calls for banning technical jargon completely unrelated to that violence and hatred.
It's completely performative and does exactly zero to address the violence and discrimination. Want to help? Demand that police stop assaulting and murdering people of color. Speak out about the completely unjustified hatred and discrimination our fellow humans are subjected to in housing, employment, education, full participation in political life, the criminal "justice" system and a raft of other issues.
But that's too much work for you, right? It's much easier to pay lip service and jump on anyone who doesn't toe the specific lines you set, despite those lines being performative, ineffective and broadly hypocritical.
Want to make a real difference? That's great! Whinging about blacklists vs. denylists in a network routing context isn't going to do that.
Rather it just points at you being a busybody trying to make yourself feel better at the expense of those actively being discriminated against.
And that's why I didn't engage on any reasonable level with you -- because you don't deserve it. For shame!
Or did I miss something important? I am, after all, quite simple minded.
Perhaps you could explain it to me?
Blacklist and whitelist come from black=bad and white=good which if you are black or have empathy is a red flag
Consider how whoever complains about blacklist/whitelist would eventually complain about about allow/deny and say they are non-inclusive. Where would this stop?
I would say that as long as the term in unequivocal (and not meant to be offensive) in the context, then there's no need to self-censor
And what if I'm behind CGNAT? You will block my entire ISP or city all in one go, and get complaints from a lot of people.
Alas, the "enough users get annoyed by being blocked and switch ISPs" step will never happen. Most users only care about the big web properties, and those have the resources to absorb such crawler traffic so they won't get in on the ISP-blocking scheme.
But my main point was in the second paragraph, that "enough of them would" will never happen anyway when the only ones doing the blocking are small websites.
That's an empirical premise in a slippery slope style argument. Any evidence to back it up? Who is opposing the terms allow/deny and why? I don't see it.
> no need to self-censor
The terms allow/deny are more directly descriptive and less contested which I see as a clear win-win change, so I've shifted to use those terms. No biggie and I don't feel self-censored by doing so.
What do the lists do? They allow or deny access, right? Seems allow/deny are fitting descriptive terms for them then. White/black are much more ambiguous prefix terms and and also come with much more semantic baggage. All in all an easy, clarifying change.
What, exactly, do you want ISPs to do to police their users from earning $10 of cryptocurrency a month, or even worse, from playing free mobile games? Neither one breaks the law btw. Neither one is even detectable. (Not even by the target website! They're just guessing too)
There are also enough websites that nobody is quitting the internet just because they can't get Netflix. They might subscribe to a different steaming service, or take up torrenting. They'll still keep the internet because it has enough other uses, like Facebook. Switching to a different ISP won't help because it will be every ISP because, as I already said, there's nothing the ISP can do about it. Which, on the other hand, means Netflix would ban every ISP and have zero customers left. Probably not a good business decision.
You seem to think I said users will think the block is initiated by the ISP and not the website. I said no such thing so I'm not sure where you got this idea.
>What, exactly, do you want ISPs to do
Respond to abuse reports.
>Neither one is even detectable. (Not even by the target website! They're just guessing too)
TFA has IP addresses.
>Which, on the other hand, means Netflix would ban every ISP and have zero customers left.
It's almost like I already said, twice even, that the plan won't work because the big web properties won't be in on it.
You can be completely forgiven if you're speaking from a non-US perspective, but this made me laugh pretty hard -- in this country we usually have a maximum of one broadband ISP available from any one address.
A small fraction of a few of the most populous, mostly East-coast, cities, have fiber and a highly asymmetrical DOCSIS cable option. The rest of the country generally has the cable option (if suburban or higher density) and possibly a complete joke of ADSL (like 6-12Mbps down).
There is nearly zero competition, most customers can choose to either keep their current ISP or switch to something with far worse speed/bandwidth caps/latency, such as cellular internet, or satellite.
In part. A whitelisted party is always allowed access. If you are whitelisted to enter my home, you always have access. This is different from conditionally having access, or having access for a pre-set period of time.
Same for a blacklist. An IP on a blacklist clearly communicates that it should not be casually overridden in a way a ‘deny-access list’ does not.
> White/black are much more ambiguous prefix terms and and also come with much more semantic baggage
That baggage includes the broadly-understood meaning of the word. When someone says to whitelist an IP address, it’s unambiguous. If someone says to add an IP address to an allow access list, that’s longer and less clear. Inventing a personal language can be an effective way to think through a problem. But it isn’t a way to communicate.
Black and white are colours. (Practically.) I am sympathetic to where folks arguing for this come from. But we aren’t going to solve racism by literally removing black and white from our language.
Arguing that allow/deny or allow/block is less descriptive is basically an argument of "I want things to stay the same because I'm old" or "I like to use jargon because it makes me look smarter and makes sure newbies have a harder time" (and those are the BEST two reasons of all other possibilities)
for those reasons, it's expected that using "black" instead of "deny" will have more support as programmers age and become more reactionary on average, but it doesn't make it any less stupid and racially insensitive
It’s everyone I need to communicate this to already understands what those terms mean.
Also, white and blacklisting isn’t technical jargon. It’s used across industries, by people day to day and in common media. Allow/deny listing would be jargon, because nobody outside a small circle uses it and thus unambiguously understands what it means.
For the same reason, "allow-list" list is not jargon, just like "component" or "extension"
To me there is one issue only: two syllables vs one (not a problem with block vs black for example but a problem with allow vs white) and that's about it.
Of course it is. If I tell someone to allow list a group of people for an event, that requires further explanation. It’s not self explanatory because it’s non-standard.
> just like "component" or "extension"
If you use them the way they are commonly used, yes. If you repurpose them into a neologism, no. (Most non-acronym jargon involves repurposing common words for a specific context. Glass cockpit. Repo. Server.)
Server, cockpit those are jargon. Allow and deny just aren't. Whatever.
Irrelevant since the terms allowlist/denylist do not presuppose conditionallity or pre-set time limits.
> If someone says to add an IP address to an allow access list, that’s longer
Allowlist/denylist (9 + 8 chars) is shorter than whitelist/blacklist (9 + 9 chars).
> Inventing a personal language
Sounds like you think the proposal was to invent a whole new language (or one per person)? I would be against that too. But it is really only about updating a technical industry term pair to a more descriptive and less semantically loaded pair. Win-win.
> we aren’t going to solve racism by literally removing black and white from our language.
Changing to allowlist/denylist would not remove the terms black/white from language. There is good reason for making the change that do not involve any claim that doing so would solve racism.
I've switched to using allowlist/denylist in computer contexts because more descriptive and less semantically loaded or contested. Easy win-win.
Using 'black' to refer to the color of objects is fine by me.
'Black power!' as a political slogan self-chosen by groups identifying as black is fine too, in contexts where it is used as a tool in work against existing inequalities (various caveats could be added).
As for 'white/black' as terms for entities that are colorless but inherently valenced (e.g. the items designated white are positive and the items designated black are negative, such as risks or costs), I support switching to other terms when not very costly and when newer terms are descriptive and clear. Such as switching to allowlist/denylist in the context of computers.
As for import, I don't think it is a super important change and I don't think the change would make a huge difference in terms of reducing existing racially disproportional negative outcomes in opportunity, wealth, wellbeing and health. It is only a small terminology change that there's some good reason to accept and no good reason to oppose, so I'm on board.
They don't pre-suppose anything. They're neologisms. So you have to provide the context when you use them versus being able to leverage what the other person already knows.
> Allowlist/denylist (9 + 8 chars) is shorter than whitelist/blacklist (9 + 9 chars)
The point is you can't just say allow list this block of IPs and walk away in the way saying whitelist these works.
> really only about updating a technical industry term pair to a more descriptive and less semantically loaded pair
Eh, it looks more like creating jargon to signal group membership.
> There is good reason for making the change that do not involve any claim that doing so would solve racism
I guess I'm not seeing it. Black = bad and white = good are deep cultural priors across the world.
Trying to bend a global language like English to accomodate the fact that we've turned those words into racial designations strikes me as silly. (The term blacklist predates [1] the term black as a racial designator, at least in English, I believe by around 100 years [2]. If we want to go pedantic in the opposite direction, no human actually has black or white skin in natural light.)
(For what it’s worth, I’ve genuinely enjoyed this discussion.)
[1] https://en.wikipedia.org/wiki/Blacklisting#Origins_of_the_te...
[2] https://nabado.co.ke/2025/01/05/the-origins-and-evolution-of...
Oh I think they do presuppose a link to the main everyday meaning of the terms allow and deny. To their merit! But yes they do not presuppose conditionality or time-limits.
> versus being able to leverage what the other person already knows
I'd guess over a million people start learning software dev every year without any prior knowledge of these industry terms. In addition while dev terms often have english roots many, maybe even a majority, of new devs are not native english speakers, and for them the other meanings and etymology of whitelist/blacklist might be less familiar and maybe even confusing. In that regard allowlist/denylist have a descriptive advantage, since the main everyday meaning of allow/deny are mnemonic towards their precise technical meaning and when learning lots of new terms every little mnemonic helps to not get overwhelmed.
> you can't just say allow list this block of IPs and walk away in the way saying whitelist these works.
You can once the term is adopted in a context, like a dev team's style guide. More generally there can be a transition period for any industry terminology change to permeate, but after that there'd be no difference in the number of people who already know the exact industry term meaning vs the number who don't. Allowlist/denylist can be used as drop in replacement nouns and verbs. Thereafter the benefit of saving one character per written use of 'denylist' would accumulate forever, as a bonus. I don't know about you but I'm quite used to technical terms regularly getting updated or replaced in software dev and other technical work so this additional proposed change feels like just one more at a tiny transition cost.
> it looks more like creating jargon to signal group membership
I don't think any argument I've given have that as a premise. Cite me if you think otherwise.
> The term blacklist predates
Yep, but I think gains in descriptiveness and avoiding loaded language has higher priority than etymological preservation, in general and in this case.
> Trying to bend a global language like English
You make the proposed industry term pair change sound earthshaking and iconoclastic. To me it is just a small improvement.
Thanks for the discussion!
Cloudflare has been a godsend for protecting my crusty old forum from this malicious, wasteful behavior.
Pretty much.
The question you posed above, the question that piqued my interest that I responded to, was
> What's the bigoted history of those terms?
I barely hinted at the bigotry inherent in the creation of a black list by Charles II in response to the bigotry inherent in the execution of Charles I as I was curious as to where your interest lay.
Since then you've ignored the bigotry, ignored the black list in the time of Charles II, imagined and projected all manner of nonsense about my position, etc.
I suspect you're simply ignorant of the actual meaning of the word bigot in the time of Charles I & II, and it's hilarious seeing your overly performative accusations of others being performative.
> Want to help? Demand that police stop assaulting and murdering people of color.
I'm not sure how that has any bearing on the question of the bigotry aspect to the Charles II black list but if it makes you feel any better I was a witness against the police in a Black Deaths in Custody Royal Commission a good many years past.
For your interest:
1661 Cowley Cromwell Wks. II. 655 He was rather a well-meaning and deluding Bigot, than a crafty and malicious Impostor.
1741 Watts Improv. Mind i. Wks. (1813) 14 A dogmatist in religion is not a long way off from a bigot.
1844 Stanley Arnold II. viii. 13 [Dr. Arnold] was almost equally condemned, in London as a bigot, and in Oxford as a latitudinarian.
I am. As a BIPOC, we've been denied rights since the founding of the US. When I read "denylist," I can see my ancestors there, on a list to be denied the right to vote. It's not inclusive to use words like "deny" in the capacity of denying access to things.