this post was submitted on 06 Oct 2023
391 points (97.1% liked)
This doesn't absolve them of anything. If you see thousands of accounts being individually logged in from the same block of IP addresses, and those users have never logged in from there before, that should raise red flags. No, Fred from California shouldn't be logging in from a VPN based out of Ireland right after Anne from NY logged in from that same VPN from Ireland.
Users are dumb. This is why there are tools to track odd behavior and clamp down on it.
"This doesn't absolve them of anything"
Of course it does. "Security" based on behaviour tracking is not the expected default like you are making it out to be (neither should it be).
I'm sorry, but what behavior tracking would be enabled here to detect that thousands of accounts are logging in from the same ASN that the accounts don't identify as being in?
They have your address... They sent you the spit tube kit, and it's probably in your profile that you willingly give them. What "tracking" is it when "hey this IP belongs to a location that's 10000 miles away from their profile! Let's send an email and double check!".
This means you are tracking the information that I have moved or am currently at 10000 miles whatever place. You have no business knowing where I move to. It is kind of tracking as you are collecting more info than you need to in the name of "Security".
If I think my data on a website is important enough I will make the password there random and complex enough not to be guessed or brute forced. I don't need your extra tracking.
They can increase security by matching address. Sure. They can also increase security by checking everything on your PC and house to figure out if you are you. I don't need it.
That's a different point. They should always provide an option for 2nd or extra authentication for people who want it. But it doesn't need any other info than that I want 2fa.
More i
An ip lookup isn't tracking jack shit. You are demonstrating that you don't understand how technology works.
You furnished your address to the service (by function of how the service works), you accessed the site which exposes your IP. An IP lookup it's tracking. If you truly believe it is... Hoo boy you should spin up an apache server and look at the logs.
Sigh! Now you are arguing on the definition of tracking. Which is pointless as you can replace that word with whatever you are comfortable with.
Perhaps. But since the concept of IP hasn't changed much since the internet became public, it's doubtful that I don't understand IP.
Yes. Doesn't mean you have to save my IP address that I used. Or even the general location I used it from even if it will increase security.
Shrug. What does that mean? You can control the info logged in server and also if you choose to keep it or classify it.
The most basic webserver keeps access logs. It will save "this person logged in at this address" or some data about the session regardless if it's looked back on later.
Who the fuck said anything about saving an IP?
IP lookups are not "saving your location".
No... Not at all. If you reach out to my server, my server has to know where to send the data back to. Part of this process can be an IP lookup that actually identifies where your ASN is based out of. There is no way around this... the request MUST have IP information. Nobody said shit about logging anything. And logging IPs is not required to do anything that I've mentioned.
No... I'm arguing pedantic shit. I'm telling you what actually happens and what the actual definition is.
Edit: To the point. I actually do IP lookups to BLOCK specific countries in my router. Using a database like MaxMind you can get a general idea of location without knowing anything specific at all. So it goes 1 step further to run a check on if your current ASN is even remotely close to your known location. If not, fire off email. Nothing about this requires any logging or outside information than what you already gave the company in this case. Other fields use these mechanisms that are well regulated and nobody else except for you calls this "tracking".
The "where" in the above quote is my IP. That's all, nothing else.
?? Let's pretend that's true. Ignoring the previous comment.
Why not. Wouldn't your so-called "security" increase if they log things so they are more sure of your identity?
Correct... Which you can use ASN data to determine general location... If 1 million people start logging in from the same set of ASNs or ASNs known to be VPN services. That's a red flag... I'm not sure how many times I can state this... Especially since your server is serving the requests that are these malicious people logging in. You can check the query/account details against the IP location WITHOUT LOGGING ANYTHING.
Now you're purposefully conflating what I specifically said and are imparting some mystical properties I never stated were required. You're a terrible person who goes out of their way to argue in bad faith.
I was clear and specifically outlined what mechanism should be put in place. I never stated anything about logging. Then you come out of the woodwork and complain that logging is bad and argue against that point. And now here you are claiming that it would increase security. Bro... nobody here said shit about logging. Go argue with someone else.
My original comment, and every one since then has not made any requirements that logging is enabled. You can view active TCP connections without logs. You don't need behavior tracking to do these things. You don't need logging. This can be done without ANY of that shit and is regularly done on the internet without logging. You must think that companies have unlimited storage space... to store infinite logs and that logs are the end-all be-all of how all of computing works.
Until you can show where I said ANYTHING that REQUIRES logging to function. This conversation is over since you've proven at this point you're arguing in bad faith.
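
The check argued over in this thread (compare the ASN and country of the login IP against the profile country, and flag many distinct accounts arriving from one ASN), as an added example that is not part of any comment above. The lookup table is a constructed stand-in for a GeoIP/ASN database such as MaxMind, the class name and thresholds are hypothetical, and the only state kept is a short in-memory window that expires; nothing is written to disk.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for a GeoIP/ASN database
# (documentation IP ranges, private-use ASNs).
GEO_DB = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500, "IE"),
    (ipaddress.ip_network("203.0.113.0/24"), 64501, "US"),
]

def lookup(ip):
    """Return (asn, country) for an IP, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn, country in GEO_DB:
        if addr in net:
            return asn, country
    return None, None

class LoginMonitor:
    """Flags logins using in-memory state that ages out after `window` seconds."""

    def __init__(self, window=600, max_accounts_per_asn=3):
        self.window = window
        self.max_accounts = max_accounts_per_asn
        self.recent = defaultdict(deque)  # asn -> deque of (timestamp, account)

    def check(self, account, profile_country, ip, now):
        asn, country = lookup(ip)
        flags = []
        # Per-login check: IP country differs from the country on the profile.
        if country is not None and country != profile_country:
            flags.append("geo_mismatch")
        # Cross-account check: too many distinct accounts from one ASN recently.
        if asn is not None:
            q = self.recent[asn]
            while q and now - q[0][0] > self.window:
                q.popleft()  # drop entries older than the window
            q.append((now, account))
            if len({acct for _, acct in q}) > self.max_accounts:
                flags.append("asn_burst")
        return flags

def demo():
    """Constructed login sequence: one normal login, a burst, then a late login."""
    mon = LoginMonitor()
    results = [mon.check("fred", "US", "203.0.113.7", 0)]
    for i, user in enumerate(["anne", "bob", "carol", "dave"]):
        results.append(mon.check(user, "US", f"198.51.100.{i + 10}", 10 + i))
    results.append(mon.check("erin", "IE", "198.51.100.99", 1000))
    return results
```

A `geo_mismatch` flag alone would drive the "send an email and double check" step; `asn_burst` is the signal that many accounts are being accessed from one network at once.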