This is what happens when "coders" barely fumble through JavaScript, can barely hack a front-end together, and then self-promote themselves to "full-stack" developers without having a lick of clue on system basics, principles of computer science, application programming, etc.
>Care to elaborate? Not even fwknop documentation claims to be secure from all mitm attacks:
You made the claim. You prove it with documentation.
>If I'm MITM'ing you from the same Starbucks or am otherwise behind the same NAT as you, I don't care if you've got the IP encrypted in the packet when I forward it on.
That is by definition NOT a MITM attack.
>There's not enough billion dollar unicorns out there to actually have a lot of dollars, even if 100% of them lacked corporate VPNs :D
The example is only billion dollar ones. If I include +$10m+ ones, I'd have enough to dollars to buy a new laptop ;D!
>Regardless, you don't even need a full on corporate VPN. You can throw up a tiny VM for your VPN in the same private subnet as your servers, only listen on 22 on the private IPs for the servers. You can do this in less than an hour with Wireguard. Super easy.
You just described a bastion host, and port knocking makes sense on those as well LOL. Wireguard only currently supports UDP, which can and had been a limitation in the past.
This means nothing to me? I see a shitty website from probably a has-been "security researcher".
>I don't mention this to go "lol he must be right because of who he is", but calling a well respected security researcher with plenty of real world street cred ignorant is a bit much.
That's sad. Speaks volumes about how meaningless that term has become.
>SPA port knocking doesn't suffer from passive replay attacks, but it does suffer from block and replay attacks. An active MITM can still get you.
Wrong. SPA does not suffer from any MITM attacks.
>His suggestion hasn't been "if you care about security just don't do port knocking", his suggestion has been
No one suggests otherwise.
>"if you care about security just throw up a VPN it'll be more secure and just as much work"
Not the same amount of work, so no, wrong. If I had a dollar for every billion dollar unicorn that that didn't have a corporate VPN, I'd have a lot of dollars.
Almost zero complexity and cost. Maybe if you're a bad at sysadmin work it adds cost and complexity.
>defense without corresponding increases to attacker costs.
It adds a _huge_, almost incalculable cost increase to attackers.
>If you believe there are unknown OpenSSH attacks, you can't coherently believe that port knocking is a real defense, since port knocking doesn't do anything to protect the SSH channel that attacks will be carried out in.
Looks like you don't understand the concept of 0-days. Several CVEs we're listed elsewhere. I suggest researching 0-day exploits so you understand how port knocking mitigates them.
Port knocking mitigates 0-days.
>Instead, if you're actually worried about OpenSSH vulnerabilities, you shouldn't be exposing SSH to the public Internet at all.
I don't disagree here, VPN is a great solution. Nonetheless, for some shops simple port-knocking on a bastion host solves, a lot of these issues, and removed the complexity that VPNs add.
>I'm not super worried about OpenSSH server vulnerabilities, but I would never recommend that teams leave SSH exposed; they should just hide that stuff behind WireGuard.
No one is super worried about things like shellshock, heart bleed, etc. until they happen.
Port knocking solved a lot of problems, protects you from zero-days, and makes SSH noise a non-issue (huge signal-to-noise gains).
>But SSH is a terrible example, because the cost to the defender of simply not having SSH vulnerabilities is the same, or even less, than the cost of obfuscating it with nonstandard ports, "port knocking", or fail2ban, which are all silly ideas.
This just shows how ignorant you (and most) are on the topic of port knocking.
SPA port knocking is cryptographically secure and does not suffer from replay attacks.
Similarly, it defends you against 0-day hacks, and greatly increases your signal-to-noise ratio. With port knocking, ANY failed attempt is super suspicious. Before you'd get hundreds of attempts a day.
It's mostly due to the Bay Area / left coast leftism that infects these companies. That culture permeates through all software companies, since the Bay Area is the center of software.
Most of these young Whites come from ridiculous privilege, grew up in safe suburbs, upper class families, mommy and daddy paid for college, etc. They never had to deal with minorities directly, so they fetishise them.
Soft times create soft people, and we're seeing the product of that.
>What I said had nothing to do with correlation vs causation. What I said was that "variables that a priori have nothing to do with race (e.g. where you live, how much money you make, etc.) are highly correlated with race."
They're highly correlated to race, but they are no caused by race, and are therefore defacto not racist and are free game, QED.
If the variable was "dark skin", it's not necessarily specific to a single race, but it is inherently a property of race, and therefore racist. How much money you make is not a property of race, or a property specific to minorities. It's fair game.
>I'm speaking of signals and information theory.
Not very well.
>The point is allowing variables that combine to be equivalent to allowing the variable of race ends up being the same thing.
Not really, no, this is factually incorrect. Where minorities live ebs and flows through time (Great migration), race does not. What minorities earn ebs and flows through time (Asians), the fact that they are Asian does not. QED.
>Presumably you mean that blacks are _convicted_ (or maybe arrested) for sexual assaults and rapes at a higher level (since obviously what they do are what they are convicted of doing are not the same thing).
Both. Arrested and convicted.
>Do you believe such a general fact has anything to do with individuals and their likely future actions? How? Why?
Now your moving goalposts. I provided a simple to digest fact. This is basic population statistics, and you can indeed inference what individuals can/will do from population statistics.
>Many variables that a priori have nothing to do with race (e.g. where you live, how much money you make, etc.) are highly correlated with race. Allowing those variables is basically the same thing as allowing race into the models. I don't want to pretend like controlling for something like this isn't possible, but I rarely see it considered (and quite rarely do I even see the problem acknowledged).
They may be correlated with race, but correlation != causation. Poor people shoplift more than the well off, but that has nothing to do with race, it has to do with the culture.
>What are examples these facts you refer to?
Blacks commit sexual assaults and rapes at a way higher level than Whites and other minorities, even when accounting for income.
It's mostly due to the Bay Area / left coast leftism that infects these companies. That culture permeates through all software companies, since the Bay Area is the center of software.
Most of these young Whites come from ridiculous privilege, grew up in safe suburbs, upper class families, mommy and daddy paid for college, etc. They never had to deal with minorities directly, so they fetishise them.
Soft times create soft people, and we're seeing the product of that.
>No. Racism is discriminating on the basis of race. Hatred of a race is just a form of racism.
No, you are wrong and this is a straw man. A random definition of racism is not the mechanism underpinning racism.
>If I’m a hiring manager and I turn a black person down simply because “blacks are more likely to commit crimes”, it’s racism; I’m discriminating simply on the basis of a stereotype about a race.
No one said this is not racism, definitely not me.
>Even if your stereotype is based on statistics, it can be racist. Not all black people commit crimes, so saying “because statistically, your race commits more crimes, we’re going to keep a closer eye on you,” is racism. The race doesn’t commit the crime; the person does.
Not all men drive terribly and get in wrecks, so saying "because statistically, your gender wrecks more, we're going to charge you more", is sexism (which is illegal). The gender doesn't wreck cars; the person does.
Again, no one stated that race should be a category upon which these algorithms work. The fact of the matter is, even if the algorithm was 100% accurate and did not factor in race, there will still be inequity, which people will decry racist, even if it's 100% accurate and correct.
>Keeping a closer watch on a group of people because of race leads to statistically more reporting of crimes committed by that race even if it’s not true (less police presence leads to less crimes being reported and visa versa).
No one, definitely not me, has suggested that race should be a factor in these algorithms. Also, these groups are "closely watched" more because they commit more crimes. Police presence does not lead to people committing violent crimes like murder and rape more; it's the other way around. Police are in these communities more because they commit more crimes, and more crimes are reported there.
>Not to mention that generalizing a single statistic to an entire race ignores every other factor that causes it.
Strawman, strawman, strawman. No one has stated race should be a factor.
>Systematic racism is a thing, and because of it, blacks are statistically poorer than their fellow whites. Being poor leads to people doing things that a richer person wouldn’t do, such as stealing because they literally have no money to pay for it.
Systemic racism no longer exists. Indeed there are some inequities caused by previous systemic racism that was in place (Jim Crow), but these systemically racist systems no longer exist. There are more poor White people in total than poor Black people, but Black people commit more violent crimes in total. They are WAY overrepresented per capita. Being poor does not cause rape or murder. If it did, White people and poor Asians should have their proportional share, but they don't.
Poverty can explain things like shoplifting, petty theft. It does not explain rape, murder, etc.
>Drug habits can form and getting off them is hard when society shuns you because you’re “wasting your money on drugs instead of food.”
Non sequitor.
>Simply put, it’s very easy to be racist without realizing it; People like easy to digest facts. But being willfully ignorant about the whole story isn’t right.
Not really, no. Some easy to digest facts are just that, facts. They're inconvenient because they go against certain narratives, so they're immediately labelled "racist", which is the point I originally made. QED.
>The problem is the algorithms are designed to put people in a group and then the groups are treated differently.
That's not the problem, that's literally the solution.
>That's the mechanism underpinning racism. And other disparities.
Not at all. The mechanism underpinning racism is believing that race accounts for differences in human character or ability and that a particular race is superior to others.
Disparities are not inherently racist.
>Current garbage looks like this. I know three people that got popped for drugs. One served time and has a felony record. One had it reduced to a misdemeanor and did 10 hours of community service. And the third has no record at all.
One had a long rap sheet and previously was in jail, one had a few priors, and the third had a clean record.
You can probably guess the socioeconomic status each of those three and you'd guess correctly.
We can both make up dumb anecdotes all day.
>And I'm sure the algorithm will also guess correctly.
The algorithm will correctly guess which of the three is more likely to flee, be a public threat, etc. Sounds like the algorithm is working.
You know, the stuff people go to school for.