Maybe the long-term solution for such attacks is to hide most of the internet behind some kind of Proof of Work system/network, so that mostly humans get to access to our websites, not machines.
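A minimal hashcash-style proof-of-work gate, added here as an illustration of the idea in the comment above (it is not code from any commenter or project). The server hands out a stateless challenge authenticated with an HMAC under a constructed `SERVER_KEY`, the client burns roughly 2^bits hash evaluations to find a nonce, and the server verifies in constant time; difficulty, TTL and key are all assumed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a deployment would use a managed, rotated key.
SERVER_KEY = b"constructed-server-key-not-for-production"


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def _challenge_tag(salt: bytes, expires: int, bits: int) -> bytes:
    """HMAC over the challenge parameters so the server keeps no state."""
    msg = salt + expires.to_bytes(8, "big") + bytes([bits])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_challenge(difficulty_bits: int, ttl_seconds: int = 60, now: Optional[int] = None) -> dict:
    """Server side: random salt, expiry and difficulty, bound together by the tag."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "expires": expires,
        "bits": difficulty_bits,
        "tag": _challenge_tag(salt, expires, difficulty_bits),
    }


def solve_challenge(chal: dict, max_iterations: int = 1 << 24) -> Optional[int]:
    """Client side: brute-force a nonce; expected cost grows as 2^bits."""
    for nonce in range(max_iterations):
        digest = hashlib.sha256(chal["salt"] + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= chal["bits"]:
            return nonce
    return None


def verify_solution(chal: dict, nonce: int, now: Optional[int] = None) -> bool:
    """Server side: one HMAC and one hash, regardless of difficulty."""
    now = int(time.time()) if now is None else now
    expected = _challenge_tag(chal["salt"], chal["expires"], chal["bits"])
    if not hmac.compare_digest(expected, chal["tag"]):
        return False  # challenge parameters were forged or altered by the client
    if now > chal["expires"]:
        return False  # stale solution
    digest = hashlib.sha256(chal["salt"] + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= chal["bits"]


if __name__ == "__main__":
    chal = issue_challenge(difficulty_bits=16)
    start = time.perf_counter()
    nonce = solve_challenge(chal)
    print(f"solved in {time.perf_counter() - start:.2f}s, valid={verify_solution(chal, nonce)}")
```

Two things the snippet leaves to the deployment: a short-lived set of already-redeemed salts (otherwise one solution can be replayed until the TTL expires), and the fact that the cost is paid in CPU, so a botnet with many machines pays it just as easily as a human on one laptop; the gate raises the price of each request rather than telling humans from machines.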
How about a reputation system?
Attached to IP address is easiest to grok, but wouldn't work well since addresses lack affinity. OK, so we introduce an identifier that's persistent, and maybe a user can even port it between devices. Now it's bad for privacy. How about a way a client could prove their reputation is above some threshold without leaking any identifying information? And a decentralized way for the rest of the internet to influence their reputation (like when my server feels you're hammering it)?
Do anti-DDoS intermediaries like Cloudflare basically catalog a spectrum of reputation at the ASN level (pushing the anti-abuse onus to ISPs)?
This is basically what happened to email/SMTP, for better or worse :-S.
Services need the ability to obtain an identifier that:
- Belongs to exactly one real person.
- That a person cannot own more than one of.
- That is unique per-service.
- That cannot be tied to a real-world identity.
- That can be used by the person to optionally disclose attributes like whether they are an adult or not.
Services generally don’t care about knowing your exact identity but being able to ban a person and not have them simply register a new account, and being able to stop people from registering thousands of accounts would go a long way towards wiping out inauthentic and abusive behaviour.
The ability to “reset” your identity is the underlying hole that enables a vast amount of abuse. It’s possible to have persistent, pseudonymous access to the Internet without disclosing real-world identity. Being able to permanently ban abusers from a service would have a hugely positive effect on the Internet.
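The property list above (one identifier per person, unique per service, not tied to a real-world identity, optional attribute disclosure, and no way to "reset" it) is what pairwise pseudonymous identifiers in eID schemes are built for. The following is an added illustration, not the commenter's design or any real scheme's code: an issuer that has verified a person once derives a per-service pseudonym with an HMAC under a constructed `ISSUER_KEY`, and binds disclosed attributes to it with a per-service shared key (assumed here in place of the public-key signatures a real issuer would use). The service keys by pseudonym, so a ban survives re-registration.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed keys. A real issuer would keep its master key in an HSM and sign
# tokens with a public key each service verifies; shared HMAC keys are a simplification.
ISSUER_KEY = b"constructed-issuer-master-key"
SERVICE_KEYS: Dict[str, bytes] = {
    "forum.example": b"constructed-shared-key-forum",
    "shop.example": b"constructed-shared-key-shop",
}


def pseudonym_for(person_id: str, service: str) -> str:
    """Pairwise pseudonym: same verified person + same service -> same value.
    Other services get an unrelated value; only the issuer key links them."""
    msg = person_id.encode() + b"\x00" + service.encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def _token_body(pseudonym: str, attrs: dict) -> bytes:
    return json.dumps({"pseudonym": pseudonym, "attrs": attrs}, sort_keys=True).encode()


def issue_token(person_id: str, service: str, attrs: dict) -> dict:
    """Issuer side: bind the pseudonym and the attributes the person chose to
    disclose (e.g. {'adult': True}) to a tag only the named service can verify."""
    pid = pseudonym_for(person_id, service)
    tag = hmac.new(SERVICE_KEYS[service], _token_body(pid, attrs), hashlib.sha256).hexdigest()
    return {"pseudonym": pid, "attrs": attrs, "tag": tag}


class Service:
    """Relying service: accounts are keyed by pseudonym, never by real identity."""

    def __init__(self, name: str):
        self.name = name
        self.accounts: Dict[str, dict] = {}
        self.banned: set = set()

    def verify(self, token: dict) -> bool:
        body = _token_body(token["pseudonym"], token["attrs"])
        expected = hmac.new(SERVICE_KEYS[self.name], body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["tag"])

    def register(self, token: dict) -> str:
        if not self.verify(token):
            return "rejected: bad token"  # attributes or pseudonym were altered
        pid = token["pseudonym"]
        if pid in self.banned:
            return "rejected: banned"  # a new signup cannot escape the ban
        if pid in self.accounts:
            return "rejected: already registered"  # one account per person
        self.accounts[pid] = token["attrs"]
        return "registered"

    def ban(self, pid: str) -> None:
        self.banned.add(pid)
        self.accounts.pop(pid, None)


if __name__ == "__main__":
    forum = Service("forum.example")
    first = issue_token("person-42", "forum.example", {"adult": True})
    print(forum.register(first))
    forum.ban(first["pseudonym"])
    again = issue_token("person-42", "forum.example", {"adult": True})
    print(forum.register(again))  # the same person gets the same pseudonym, so: banned
```

The design pays for "no reset" with a single point of linkability: the issuer can join every service's pseudonym back to the person, and whoever controls the issuer key controls who gets to exist on every relying service. That concentration of trust, not the cryptography, is the hard part of the proposal.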
It would be way too easy for the current regime (whoever that happens to be) to criminalize random behaviors (Trans people? Atheists? Random nationality?) to ban their identity, and then they can't apply for jobs, get bus fare, purchase anything online, communicate with their lawyers, etc.