
Calling this "paying to unlock ports" is disingenuous. I'm also a T-2 customer and have run into this before. They block ports on dynamic IPs, but if you pay +2€/mo for static, this is unlocked. This seems reasonable. If you're not paying for static IPv4, you're paying for "internet access", whether that's a rarely changing dynamic IPv4, a constantly changing IPv4 or full CGNAT.

Would you also say your mobile phone operator is violating net neutrality by putting you behind CGNAT that you can't forward arbitrary ports through? You can pay a bunch of money to get a private APN and get public IPv4 addresses. Would you call that an unblock fee?


I've been told there's a law that my mobile phone operator has to turn off all firewalling on my connection if I ask.

I don't know about that law, but GP's point was that you don't get a public IP anyway, firewall or not. And with this NAT in place, you can't ask them to forward specific ports to your equipment.

In France, CG-NAT is getting widespread even for fixed, FTTH links. I'm typing this connected to SFR, which provides a static IPv6 /56, but IPv4 is behind CG-NAT. I can't host anything on IPv4. I think there's an option to get a fixed, internet routable address, but not on the "discount" plan I'm on. I hear you maybe can ask support to get you out of CG-NAT, but that doesn't seem very reliable.

Free (local ISP), by default, doesn't give a static IP for fiber, but you can ask for one for free through your online account page (you just need to tick a box).


I'd agree if you picked Google Docs or something like that, but Gmail? Chrome?? Come on! Edge is just Chrome with extra features, plenty of people use Bing without even noticing and many even non-techy people are fine with DuckDuckGo, good free email providers are everywhere (yahoo, hotmail, proton...).

Here in the EU even the 5 €/month phone plans have unlimited SMS. As soon as you want to talk to someone without WhatsApp, you need to figure out which other apps they're on. Completely useless compared to SMS.

Have you considered that the EU isn't one country?


In Ireland on my otherwise very generous mobile phone account I'm charged for multimedia SMS texts. They're not included in my SMS bundle.

Multimedia "texts" are actually MMS. In fact, if you send more than 160 characters, those are also MMS because it's an extension of the SMS standard.

https://en.wikipedia.org/wiki/Multimedia_Messaging_Service

It is not unusual for there to be hosting or intermediate storage of images and other files, and from the phone you may tap a link or something to download/access that file, instead of having it automatically download and appear immediately, due to bandwidth and resource constraints.


Aren’t SMS that are over 160 characters being concatenated? There used to be a standard for that.

Generally yes.

I guess a phone/app could exist that does convert to MMS instead, though, since the app can make that decision.
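The concatenation standard mentioned above is the User Data Header defined in 3GPP TS 23.040: each part of a long message carries a 6-byte header with a reference number, part count and sequence number so the receiving phone can reassemble it. The segmenter below is an added example (not code from anyone in this thread) that picks GSM 7-bit or UCS-2 encoding and splits text at the 153/67-character part limits; the alphabet tables and the `segment_sms` name are my own.

```python
"""Concatenated SMS segmentation per 3GPP TS 23.040 (added example).

A single SMS carries 140 octets of user data: 160 GSM 7-bit septets or
70 UCS-2 characters. Longer texts are split and each part gets a 6-byte
User Data Header (IEI 0x00 = 8-bit concatenation reference) so the
receiver can reassemble them in order.
"""
import random

# Basic GSM 7-bit alphabet (3GPP TS 23.038), one septet per character.
GSM_BASIC = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
             "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
# Extension table characters cost two septets (escape + character).
GSM_EXT = "\f^{}\\[~]|€"

def septets(ch):
    """Septet cost of one character in GSM 7-bit, or None if not encodable."""
    if ch in GSM_BASIC:
        return 1
    if ch in GSM_EXT:
        return 2
    return None

def encoding_for(text):
    """GSM7 if every character fits the 7-bit alphabet, otherwise UCS2."""
    return "GSM7" if all(septets(c) is not None for c in text) else "UCS2"

def segment_sms(text, ref=None):
    """Split text into (udh_bytes, part_text) tuples; a single part has udh b''."""
    enc = encoding_for(text)
    single, per_part = (160, 153) if enc == "GSM7" else (70, 67)
    cost = (lambda c: septets(c)) if enc == "GSM7" else (lambda c: 1)
    if sum(cost(c) for c in text) <= single:
        return [(b"", text)]
    parts, cur, cur_len = [], "", 0
    for ch in text:
        n = cost(ch)
        if cur_len + n > per_part:       # never split an escaped character
            parts.append(cur)
            cur, cur_len = "", 0
        cur += ch
        cur_len += n
    if cur:
        parts.append(cur)
    if ref is None:
        ref = random.randrange(256)     # concatenation reference, 8-bit
    total = len(parts)
    # UDH: length 5, IEI 0x00, IE length 3, reference, total parts, sequence no.
    return [(bytes([0x05, 0x00, 0x03, ref, total, i + 1]), p)
            for i, p in enumerate(parts)]
```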


In France, I'm "charged" for MMS, too. But that's actually considered "data", so it's deducted from the "internet" envelope which is quite generous (at least for my needs: I have multiple dozens of GB for under 10 € a month, of which I only ever went above 10 when backing up photos during a vacation with no wifi).

1. This was not a mitm attack, it was lawful mitm inspection of a user's own traffic. Mitm attacks are prevented by TLS and the system CA store already.

2. Please don't give people bad ideas. This is how we get bikeshare apps that don't work on rooted/old/GrapheneOS/... devices and further entrench Google's position in the Android ecosystem.

If your security depends on devices faithfully reporting their location, you've already lost. Get a whiteboard, start from scratch.


> This was not a mitm attack

My intent was not to color or frame the activity but to use shared understood knowledge to convey the concept. It's like the terms blacklist and whitelist. Yes they're rooted in racism, and gosh darn it if everyone doesn't still use them because we know immediately what they are and there's no better term. On the flip side we successfully switched from master to main.

If you don't want people saying "mitm attack" you gotta come up with something that rolls off the tongue a little better than "it was lawful mitm inspection of a user's own traffic".


The wording is only secondary to my point, which is that this isn't something to prevent. It's not "a security thing". You said "to mitigate the MiTM attack". It's not an attack and nobody should be trying to "mitigate" it. If an app vendor is trying to evade inspection by the user, they're either being shady or incompetent.

And no, most people at least in the reverse engineering circles I'm in/follow, don't say "MiTM attack" when things are done by the user with consent. I've heard MiTM-ing as a verb, MiTM/SSL/TLS proxying/inspection/interception or even (incorrectly) SSL stripping (and surely some more that I don't remember).


I see the lack of cert pinning as a sign of having a good security team. Pinning is usually implemented as "we had an external security audit and their report said we should". Security auditors and pentesters tend to add this kind of crap (alongside root detection and obfuscation) to their reports to pad them out and make their work sound more valuable to the paper-pushers. So either Lyft had their audits done by a competent provider, or their staff know enough to filter this bullshit out. Either way, props.

You on the inside can punch a hole to the outside. This is fine. There's no real difference between hole punching and a regular connection to a regular server from one side's perspective.

And since LLM tokens are expensive and generation is slow, how about we cache that generated code on the server side, so people can just download the pre-generated install.sh? And since not everyone can be bothered to audit LLM code, the publisher can audit and correct it before publishing, so we're effectively caching and deduplicating the auditing work too.

There are so many types of headphones that don't isolate much, including the cheapest crappy on-ears from the walkman era, there's really no excuse.

And on the few occasions where I've had no other option, it made so much more sense to set my phone to low volume and bring it close to my ear instead of holding it out and maxing the volume.

And if I need to talk as well, many people don't know this, but there's a second smaller speaker on the opposite end of the phone, approximately one mouth-ear distance away from the microphone.


The whole "markdown isn't standardised" point is just bullshit. Any place that supports markdown will support the basics and some places having extra features is a good thing! The only thing worse than not having a feature you need in some app is not having that feature in any app.

And the differences that exist between implementations are there for a reason. Do you think chat apps would let you have headings or footnotes or whatever if they used org mode syntax? No, they don't want to give you those formatting options, so if they used org mode instead of Markdown, they'd just rip it out of there too. And now you have the same problem.


I have a similar, but in one way even more insane story, although I was paid more of an employee than a consultant hourly rate. I worked at a big critical infrastructure type company for a good two months and I was supposed to work on-site on intranet-only software. The thing was, the rest of the people in the department were working from home three days a week, I couldn't be "unsupervised" in the building, and it took them almost a whole month to set me up with a VPN. Since my app had to integrate with half a dozen different internal systems, none of which had API specs let alone mock servers, the only thing I could really do from home was write CSS on mock HTML files. That, combined with waiting like two weeks to get a Visual Studio license approved, meant I spent more than half of my time there at home, doing absolutely no work. The manager fully knew that and I still got paid tho.

