There is actually mobile banking for these cases. Which at least for HSBC requires your account details, a (Up to? I don't know the minimum) 10 digit (numeric) pin and you have to say "My Voice is My Password" which sounds like complete theatre.
In the UK, yes, banks are on the hook if _you_ get scammed. It seems the bar for them to prove that you were at fault is too high so in reality the banks just make the decision on what you can buy for you.
A good few years ago now (when it was possible to get something in good condition for such a measly sum) I was buying a car from a private individual. The transaction was in cash. You can't take £1500 out from an ATM, unless you spread it over multiple days, and probably doing that would also get you flagged. So I went to my bank (also HSBC coincidentally) and they required me to tell them what I was buying with that money.
Now I could have lied, of course. But they could also have just told me that I can't take cash out if they didn't believe me.
If you look around, there are news stories of people being denied access to their own money because the bank decided it was too risky.
You can get kicked out of a bank for being too risky. And there's not even any legal requirement in the UK for a bank to offer you an account. Or well, there _is_ but like with all UK regulations which protect the individual, it's full of caveats. You are entitled to a Basic Bank Account (BBA) if you can't get any other account except if you can't verify your identity/residency, or you have a history of financial misbehaviour, or if you are too closely associated with terrorism. So I guess homeless people or pro-palestine protesters aren't allowed bank accounts.
I don't use a Mac, but have you ever used Windows?
I mean, maybe you have, but if you are not fussy then at worst MacOS is quirky and Windows and Linux are identical and merely have different icons.
If you pay a little bit of attention you will notice that on linux things seem more flexible and intuitive.
If you are very finnicky, there is nothing that comes close to X11 window managers when it comes to window management flexibility, innovation and power.
Windows allows you to launch applications from a menu or via search. You can switch between windows with a mouse or keyboard shortcuts. Windows can either be floating, arranged in pseudo-tiled layers, or full screen. KDE can pretty much do the same under Wayland. Ditto for Gnome under Wayland, albeit to a lesser degree. That covers the bases for most people.
X11 window managers were a mixed bag. While there were a few standouts, most of the variation was in the degree to which they could be configured and how they were configured. There may be fewer compositors for Wayland because of the difficulty in developing them, but the ones that do exist do standout.
> I don't use a Mac, but have you ever used Windows?
I have
> I mean, maybe you have, but if you are not fussy then at worst MacOS is quirky and Windows and Linux are identical and merely have different icons.
Neither have keybindings that make any sense. The other failures are secondary
> If you pay a little bit of attention you will notice that on linux things seem more flexible and intuitive.
Only for windows refugees that have never used Mac OSX
> If you are very finnicky, there is nothing that comes close to X11 window managers when it comes to window management flexibility, innovation and power.
Unless you want to copy and paste, or have consistent key bindings cross applications, or take screenshots. Sure
I can agree on Windows, but there is no such thing as "keybindings that don't make sense" on a proper Linux WM given that you can literally make up any keybindings you want. I mean this strictly from a window management perspective, yes applications running in those windows have often got their own idea of what good UX is, and this clashes. That's just a trade-off of Linux and to a lesser extent Windows not being complete walled gardens.
> that have never used Mac OSX
I have _used_ Mac OSX. It was and continues to be a confusing experience every time. I'm not saying that this would be the case if I bothered to learn it, but in all the times I have used it, I have failed to see any feature which would make me want to switch to it over i3 or which I feel like is missing in i3. Really it doesn't seem like there is any way of making it act remotely close to i3. Tiling as an option on top of whatever Mac OSX has is just as appealing to me as tiling on top of what Windows has.
> Unless you want to copy and paste, or have consistent key bindings cross applications, or take screenshots. Sure
I've never had copy and paste fail on Linux. The only issues I've had is with more modern applications not implementing the selection properly which is a feature you don't have on windows in the first place. No idea about Macs.
Screenshots have always and will continue to work (the way I want them to) because I can, as mentioned, bind any key to any action.
It sets a bad precedent to call things like this hacks.
Firstly, calling this redaction implies that the data is missing, and calling what was done "unredacting" is akin to saying someone "decrypted" a cryptographic hash function.
Nobody unredacted anything here, they merely discovered that it hadn't been redacted, and simply looked like it was redacted.
Calling this a hack places responsibility on the people who discovered the information, rather than on the people were put in charge of handling the redaction and screwed it up.
The journalist writing the story has the same level of technical knowledge about how to "redact" properly in the digital realm as the individuals doing the redaction. To the journalist, with zero knowledge of the technical aspects, viewing the "redacted" document, it appears to be "redacted", so when someone "unredacts" it, the action of revealing the otherwise hidden material appears to be "magical" to them (in the vein of the Arthur C Clarke quote of: "Any sufficiently advanced technology is indistinguishable from magic").
To the journalist, it looks like "hackers at work" because the result looks like magic. Therefore their editor attaching "hacks" to the title for additional clickbait as well.
To us technical people, who understand the concept of layers in digital editing, it is no big deal at all (and is not surprising that some percentage of the PDF's have been processed this way).
>How someone like this gets a paying job as a journalist is beyond me.
You seem highly confused on what a journalists job is in this era. Very few publishers are about correctness. It's about speed of getting the article out and getting as many eyeballs as possible to look at the ads in the article.
Or as the saying goes, A lie can travel halfway around the world before the truth can get its boots on.
But there is a more-powerful combo we’re beginning to see: journalists can take a story and prompt their way into a list of missing perspectives. The Lindbergh baby, for example.
You could easily replace them with an LLM if that were the case.
Although I don’t completely disagree with your cynical take I don’t think that’s actually the case for most of the Guardians journalists, they do a lot of quality reporting too
And the lawyers should have used an LLM to perform a first pass of the redactions and methods of redaction.
Going forward the full stack of perpetrators, unindicted coconspirators, lawyers, judges, legislators, journalists, editors, fact checkers, ... it'll all be LLM all the way down such that nothing will be trustable save something akin to Stephenson's gargoyles and Flock cameras for which people will conduct spectacles to shape the salience landscape.
Back when LLM chatbots were new and shiny, I was comparing the failure modes to journalism by way of the Gell-Mann amnesia effect.
Sure, deep investigative jounalism with real skill and effort behind it is a thing; but it is an expensive thing, and opinion pieces disguised as jounalism are much cheaper, as is reporting on other people's reports.
I wish it was true.
From the bullshit jobs in the book, I can only see the box tickers being replaced.
The flunkies, goons, task masters, and duct tapers will probably continue to exist.
Als unless we come up with something like UBI or a dramatic rethinking of how capitalism works in our society there will probably be __more__ bullshit jobs.
My wife was a reporter with a top tier news agency in DC and I was shocked how they divvied up topics.
At best, it was "you're good with computers, go report on this hearing on cybersecurity" but more commonly, it was "who has this morning open? You do? Great. Go cover this 9am on the Israel-Palestine negotiations and what the implications are. We'll do a segment in the 11am hour."
It's important to understand who becomes a journalist in this age.
It's people who are very good with words, and at talking to anyone and everyone about anything, both is a friendly and confrontation way.
They also have almost no understanding of math, science or technology. If they did, they'd get better paying jobs.
Journalism used to be a well paid prestigious career that attracted brilliant people. There is not enough money in what's left of that industry to do that anymore.
I agree they have no understanding of math, science or technology. But I disagree with your assessment of motivations to get "better paying jobs", most people who went into journalism I knew were in brownstones right out of college. They didn't need the money, they inherited it, it was the lifestyle they were after.. that's why we get the journalism we do..
They're not after money. They're motivated by prestige which CAN be money (ew, tacky) but is actually measured by access to key figures, your name being in the right places with the right people, and the cocktail party circuit.
My wife was a reporter in DC and she was at the White House Correspondents Dinner and everything. Living in those circles is surreal. The namedropping is a whole other level. When I realized I was doing it too (with some legit impressive names at the time), I gtfo. I'd rather be evaluated by what I've done or can do vs who I know or knows me.
I think you have the source of the problem wrong. It's just rich kids who don't actually need the salary, and want to align to a point of view that gets them a contract to write a book, so they get invited to the right parties. They don't know anything, or care about anything.
Journalism school is "eye-wateringly" expensive:
> J-school attendees might get a benefit from their journalism degree, but it comes at an eye-watering cost. The price tag of the Columbia Journalism School, for instance, is $105,820 for a 10-month program, $147,418 for a 12-month program, or $108,464 per year for a two-year program. That’s a $216,928 graduate degree, on top of all the costs associated with gaining the undergraduate prerequisites. (Columbia, it seems important to say, is also the publisher of Columbia Journalism Review, the publication you’re now reading.)
And FWIW, in my very limited and anecdotal experience, the programs are inhabited by people who fully understand their employment and salary prospects, but believe in the work, and often have above-average family wealth to compensate for the gaps. They're good people, but they are not experts.
I don't think you have an understanding of job specialization.
I know some journalists. They are smart people. However, they are not experts in math, science, or technology. They are experts in journalism. This wasn't any different at any time in the past.
Haha. I was a journalist for many years. I went to UC Berkeley. I likely currently have a far better paying job than you and have invented technical concepts that founded the LLM.
Obviously, "who becomes a journalist in this age" does not translate to "every person who is alive now who has ever been a journalist".
I'm not sure if your error lies in parsing colloquial English, or in basic statistics. Either way, I think you have fully illustrated the commenter's point.
Journalists are not reliably selected for, or demonstrative of, comprehension or accuracy.
This is dumb trying to call others dumb. This argument is not just inhumane it’s also wrong. The average of something assumed does not negate a real data point. If you did even bit of data science you’d know that. But just another HNer calling someone dumb while confidently wrong. And ironic calling others dumb because of it. So think on that.
Maybe Christmas just leaves the worst on HN … statistically.
(You can’t engagement logically technically or even correctly here and keep
Spouting others are wrong. Think hard on how poorly you comprehension here is even when explained why you are
Wrong.)
Points have been illustrated contradicting the statement. No points have been made supporting it.
Your argument boils down to “all x is bad is valid by default and all Ys that contradict are inherently ‘statistically invalid’”. Do you not get how horribly dumb your logic is?
By this logic I could state all HNErs posting on Christmas are idiots and wrong by default. This of course can’t by contradicted by any statement you make because you are just a data point of one and therefore invalid. Also the original point is supported with exactly 0 data points so in actuality data point of 1 > 0. So my guy. Jesus. Learn stats. Or anything.
To us, it's a life skill. To a non-technical person, it's black magic.
Some folks had to be taught on how folder structures work because they grew up with the appliance we called a "phone" as opposed to a real computer that also happened to be known as a "phone".
I can assure you that plenty of people who were using computers before smartphones, and who have used them every day at work for decades, also do not grasp what we could consider the very basics of file management.
I think.. the way to understand it is: levels. After all, files as the abstractions work with are not exactly there in the form of files in a cabinet. In a sense, even names are made made up fiction, BUT.. a helpful one.
> To us, it's a life skill. To a non-technical person, it's black magic.
I’m sorry, but “this text is black on black background; the actual letters are still there” isn’t “black magic” unless someone is being deliberately obtuse.
So I don't know your specialty, but I'm going to make a wild guess and assume that it isn't stage magic.
State magicians have a whole range of different ways to make something seem like it's levitating, or to apparently get a signed playing card inside a fruit that they get someone in the audience to cut open to reveal.
To a magician, these things are cute, not mysterious.
To the general public… a significant percentage have problems with paged results and scroll bars. Including my dad, who developed military IFF simulation software before he retired, and then spent several years of retirement using Google before realising it gave more than three results at a time.
Would he, with experience working with the military, have made this soecific mistake about redaction? Perhaps, perhaps not, but the level of ignorance was well within his range. (I'm not better, it's just my ignorance is e.g. setting fire to resistors).
Your analogy fails because the purpose of stage magic is concealing what’s going on. That’s not what happened here. Someone just made a really stupid mistake that even non-technical folks can accidentally discover.
There are undoubtedly some people who would be fooled by this, but you don’t have to be technical in order to not be one of them.
Most journalists are ex. English majors (or some other non-technical degree). I would not expect any (even the supposed tech. journalists) to understand the technology they report upon to the level that us here on HN understand that same technology.
Their job is to write coherent articles that gather views, not truly understand what it is they are writing about. That's why the Gell-Mann Amnesia [1] aspect so often crops up for any technical article (hint, it also crops up for every article, but we don't recognize the mistakes the journalist makes in the articles where we don't have the underlying knowledge to recognize the mistakes).
I’m my experience most posters on HN are don’t under technology either. So they both don’t understand people or technology putting them two steps behind a journalist.
Journalists are people, like everyone else, and most people are bad at their jobs.
Plus, what even is the job? For most journalists out there, it's just writing something that draws ad impressions and clicks.
The percentage of journalists that work for outlets where the content itself is the cash source is very small (NYTimes, probably a bunch of other paid subscriptions). And even the NYTimes isn't above clickbait.
No, it is not. But given the abysmal lack of technical knowledge of the "typical computer user" they don't see the redacted PDF's as "having black stick-it notes stuck on top of the text". They see the PDF as having had a "black marker pen" applied that has obliterated the text from view.
When someone then shows them how to copy/paste out the original text, because the PDF was simply black stick-it notes above the text, it appears to them as if that someone is a magical wizard of infinite intelligence.
This. Similar issue if you introduce someone to how you can "view source" and then edit (your view of) a website. They're like "omg haxors!"
True story: one time I used that technique to ask for a higher credit card limit than the options the website presented. Interestingly enough, they handled it gracefully by sending me a rejection for a higher amount and an acceptance for the maximum offered amount (the one I edited). And I didn't get arrested for hacking!
Using view-source to accomplish something could be considered hacking in the old school MIT sense* of curious exploration of some place or thing for clever purposes.
*: disclaimer, I didn't attend MIT, but did hang out with greybeards on 90s IRC
I have helped someone get an executive job at a Fortune 500 company... by teaching them how to use the dev tools and edit the DOM to replace text and images.
They had been asked for an assignment as part of the interview process, where they were supposed to make suggestions regarding the company's offers. They showed up on the (MS teams) interview having revamped what looked like the live website (www. official website was visible in the browser bar).
The interviewers gave them the job pretty much on the spot, but did timidly ask at the end "do you mind putting it back though, for now?", which we still laugh about 5 years later
The journalist is not necessarily responsible for the title. Editors often change those and they don’t need to get the approval of the journalist. The editor knows what they are doing and that it will irk some tech folks.
I seriously doubt the journalist doesn’t understand exactly how this “hack” worked too. Right in the first paragraph, “simply highlighting text to paste into a word processing file.”
A lot of people in the thread here are calling them a non-technical English major who doesn’t understand the technology. Word processors also happen to be the tools of their trade, I am sure they understand features of Word better than most of the computer science majors in this thread…
Agreed - not sure why so many are being so critical here. They probably didn't write the title and for better or worse "hack" has now become a common word casually used by many to mean "workflow trick" or similar.
As far as creating a click bait title, yep, the editor knows what they are doing, and most likely picked the word for the click bait factor.
But I'd also bet the editors technical knowledge of how this "revelation" of the hidden material really works is low enough that it also appears to be magic to them as well. So they likely think it is a 'hack' as well.
Typical quality of The Guardian unfortunately. Don't read their energy reporting if you're at all literate about any of those topics. Any time they do a story on fusion I just about have an embolism.
I also like to think this was maybe done as a form of malicious compliance. Someone inside the agency was tasked with redacting this, and found a way to sneak the information through but still getting it passed by their supervisors, so that the information got out.
To me this is the only explanation that makes sense.
However wouldn’t they risk repercussions when this is inevitably found out? I assume they have records who redacted which documents
> I assume they have records who redacted which documents
(1) Considering it was a rush job (2) general ineptness of this administration and (3) the management wouldn't have defined the explicit job description ("completely black out, not use black highlighter"), the likeliness that there is any evidence that this was intentionally malicious is pretty low.
This happens too regularly across both minor and major issues for me to think this is entirely redactors intentionally messing up. It's just a lot of people being pulled on to the job and not all of them are competent. Maybe some of it is intentional but not all of it I'm certain.
Out of a thousand people? Where they probably have an email from a PHB that says something like "put a black box over all references to <this list of things?"?
Not in this case, this is just a cover for the guilty because this shows that Epsteins Estate also works for Trump. The rot runs deep. There is no investigation, that is the point.
Furthermore, this happens so often, so frequently, in so many high profile cases that even my 80 year old mother knows this "secret hack to unredact a pdf".
If you are CIA / FBI / Court / Lawyer or professional full time redactor of documents you should know that the highlighter doesn't delete the text underneath it.
I think the more likely cause was precisely that it wasn't a technical professional/lawyer/writer doing the redacting, but someone in the administration or close to it that has no idea how to redact information correctly.
Yeah but there was no lock; somebody put a box around the doorknob without anything holding it there, and somebody removed the box and opened the door.
There's nothing else to say about this. Also, your comment is nested even deeper within the same semantic squabbling, so it's odd that you think that it's a waste of time in light of more important things that you are also not talking about.
They're likely viewing the electronic documents by analogy to photocopies with blacked out sections where there is nothing to distinguish the text from the redacting marks and nothing you can project out. They don't know the structure of the file format and how information in it is encoded or rendered, or even that there is a distinction between encoding and rendering.
(A better analogy might be the original physical document with redaction marks. If the text is printed using a laser printer or a type writer, and the marker used for redaction uses some other kind of ink - let's say one that doesn't dissolve the text's ink or toner in any way - then you can in principle distinguish between the two and thus recover visibility of the text.)
File formats are complicated. The only reliable way to redact is to reduce that complication to one which humans can manage. This is even true for software that is written by humans.
Plain text and flat images are my preferred formats for things which must be redacted. Images require a slight bit of special care, as the example in the underhanded C contest highlights, but it's possible to enforce visible redaction and transcription steps that destroy hidden information.
I think that doesn’t do the scenario justice. They tried to redact and did so in a way that looks visibly redacted (in screenshots many have seen) but can be uncovered.
If you say “they failed to redact data” to a layperson looking at a visibly redacted document they’re going to be confused.
They are not. They are factually incorrect. Look up the various definitions of redacted. They fit perfect for the title. Arguing otherwise suggests you are making up definitions and words, in which case, I am still correct.
To be fair, I put partial blame on the advertisers.
They've been claiming "AI" on their products on anything that has an algorithm basically for the past few years.
> It sets a bad precedent to call things like this hacks.
That ship sailed a long time ago. The “phone hacking scandal” in ~2010¹ was mostly calling answering services that didn't have pins or other authorisation checks set.
These days any old trick gets called a hack, heck tying your shoelaces might get called a miraculous footwear securing hack.
I think we should all come to terms with it that "hack" doesn't mean anything anymore so we don't have to fight over words that were never clearly defined anyways. On most days this site here should be called "frontendnews".
I find it funny to use a hack to argue about the misuse of words and definitions.
Regardless, redaction does not imply that data is missing. The words were censored or obscured. That's it. Simply looking at the documents proves that. Interacting with them showed how easy they were to uncensor, but the simplicity of the method doesn't change facts.
By all means, complain about definitions and words, but get it right.
I agree, but this would mean that almost anything can’t be called hacking, bc it usually relies on vulnerabilities and implementation defects. If something is poorly encrypted and you retrieve data, you didn’t hack because it wasn’t encrypted to begin with. That can’t be the standard.
There is a line, it is fuzzy, but if all you did was find something which was there for anyone to find, I would place that firmly on the not hacking side. If it was rot 13 I would put that marginally closer to hacking than this.
It also removes blame from the departments that redacted, it's not like they messed up big time, no, some resourceful brainiac hackers did things that were not allowed to undo the redaction process that was put in place to protect victims.
Putting aside the post and whether it's correct or not.
Reinvent what wheel exactly?
D-Bus can't read your mind (yet) and as such it can't generate an API for you, you still need to design a protocol, it's just that it's on top of D-Bus with certain quirks and restrictions.
Doing the same over UDS in 2025 isn't any more work and doesn't have any negative impact on end users. There's nothing unique about D-Bus from a usability standpoint that can't be done with a service listening over UDS.
This is equivalent to saying that you're reinventing the wheel by not using HTTP as a transport.
> Do you hate a{sv}? If you propose JSON as alternative, you are going to make me laugh.
Maybe you should look at Varlink. The systemd backed D-Bus alternative. It uses JSON.
Regarding secrets management:
My password manager's protocol is handled using exec and command line arguments. Arbitrary applications can ask for passwords, but they won't get them. They won't read them from disk.
The design of the gnome keyring isn't great, but I actually don't think the protocol matters much in this case.
Let's put aside whether you can trust apple for a moment.
Where the hardware comes from is much less of a risk than the fact than where the locked down firmware and software comes from.
Yes the west's over-dependence on Chinese hardware is a liability, but what's easier? Compromising hardware or compromising software? If you don't know, I'll tell you, it's the latter.
It wasn't really abandoned so much as killed by PayPal.
The project used PayPal to gather downpayments, PayPal decided to lock the funds for months (almost a year or maybe longer IIRC) because they saw money coming in but no confirmation of goods coming out. And, you know, when it comes to big companies, no explanation is sufficient, you are guilty of something because some heuristic said so, so the funds were locked, legal threats didn't work (try threatening a company with the power of a small/medium country), and by the time they got their money back, key people who were going to work at a discount to cover key milestones had moved on.
This seems like weird revisionist history or I missed something. I never got a dime back that I spent on the Neo900, which I assumed they spent on their personal lifestyles and travel while trying and failing to design and manufacture a board.
If there was actually a holdup of funds that killed the project, and eventually the funds were released, that's an even worse story. I didn't think there could be a worse story. It would mean that the project fell apart while they were waiting on cash, then when they got it they just treated it like a personal windfall. IIRC I ended up out $1.5K on the thing.
Paypal released the funds to the project, not to the people making the downpayments. Paypal never returns money immediately to anyone, they sit on it for months while they "investigate".
I don't know who you are or where you were but the paypal problems were pretty well announced and _I_ was there. The project was already facing delays because a key person who was needed to make the board layouts was held up with the also now dead DragonBox Pyra handheld.
I have no idea where you think the money went, how much you think there was, but it was a constant game of trying to drum up enough activity to gain attention of potential customers to bring in enough down-payments to pay the salaries of the small number of people working on the project while having enough money to buy parts. The money went into salaries, parts, nobody bought hookers or blow with it, and certainly nobody got anything but stress out of that project in the end. I believe Joerg Reisenweber paid a lawyer out of pocket to try to get PayPal to release the funds.
That weird feeling when you realise that the people you hang out with form such a weird niche that something considered common knowledge among you is being described as "buried deep within the C standard".
What's noteworthy is that the compiler isn't required to generate a warning if the array is too small. That's just GCC being generous with its help. The official stance is that it's simply undefined behaviour to pass a pointer to an object which is too small (yes, only to pass, even if you don't access it).
And probably never will, because C++ compatibility with C beyond what was done initially, is to one be close as possible but not at the expense of better alternatives that the language already offers.
Thus std::array, std::span, std::string, std::string_view, std::vector, with hardned options turned on.
For the static thing, the right way in C++ is to use a template parameter,
template<typename T, int size>
int foo(T (&ary)[size]) {
return size;
}
Not surprising and not a "wart". C and C++ have diverged since the mid-90s and are two very different languages now. E.g. trying to build C code with a C++ compiler really doesn't make much sense anymore (since about 20 years).
The most important C feature that C++ lacked for a long time was C99 designated initializers, but C++ finally supports them in C++20[0].
Other than that... I'm not sure what hobbling you have in mind. Many C23 features come directly from earlier C++ standards (auto, attribute syntax, nullptr, binary literals, true/false keywords). VLAs? Though these are optional in newer C standards, too.
> C99 designated initializers, but C++ finally supports them in C++20
Unfortunately C++20 designated init has been butchered so much compared to the C99 that it is pretty much useless in practice except for the most trivial structs (for instance designators must appear in order of declaration, array item init is completely missing, designator chaining doesn't work ... and those are only the most important things).
A lot of "modern" C features (e.g. added after ca 1995) are unknown to C++ devs, I would have expected that at least the Linux kernel devs know their language though ;)
The article seems to perpetuate one of those age old myths that NAT has something to do with protection.
Yes, in a very superficial sense, you can't literally route a packet over the internet backwards to a host behind NAT without matching a state entry or explicit port forwarding. But implementing NAT on it's own says nothing about the behavior of your router firewall with regards to receiving Martians, or with regards to whether the router firewall itself accepts connections and if the router firewall itself isn't running some service which causes exposure.
To actually protect things behind NAT you still need firewall rules and you can keep those rules even when you are not using NAT. Thus those rules, and by extension the protection, are separable from the concept of NAT.
This is the kind of weird argument that has caused a lot of people who hadn't ever used IPv6 to avoid trying it.
Yeah, I keep meaning to write something about this. I've definitely noticed people wary of IPv6 because their machines get "real" IP addresses rather than the "safe" RFC1918 ones. Of course, having a real IP address is precisely the point of IPv6.
It's like we've been collectively trained to think of RFC1918 as "safe" and forgotten what a firewall is. It's one of those "a little knowledge is a dangerous thing" things.
In a world where people think NAT addresses are safe because you don’t need to know anything else about firewalls, IPv6 _is_ fundamentally less secure.
> In a world where people think NAT addresses are safe because […]
The vast, vast majority of people do not know what NAT is: ask your mom, aunt, uncle, grandma, cousin(s), etc. They simply have a 'magic box' (often from the ISP) that "connects to Internet". People connect to it (now mostly via Wifi) and they are "on the Internet".
They do not know about IPv4 or IPv6 (or ARP, or DHCP, or SLAAC).
As long as the magic box is statefully inspecting traffic, which is done for IPv4-NAT, and for IPv6 firewalls, it makes no practical difference which address family you are using from a security perspective.
The rending of garments over having a globally routable IPv6 address (but not globally reachable, because of SPI) on your home is just silliness.
If you think NAT addresses are safe because… of any reason whatsoever really… simply shows a lack of network understanding. You might as well be talking to a Flat Earther about orbital mechanics.
> which is done for IPv4-NAT, and for IPv6 firewalls
Are internet routers that do ipv4 NAT usually also doing an IPv6 firewall (meaning they only let incoming connections in if they are explicitly allowed by some configuration)? Maybe thats the point where the insecurity comes from. A Home NAT cannot work any other way(it fails "safely"), a firewall being absent usually means everything just gets through.
All the ones I've had have had a firewall by default for IPv4 and IPv6, yes. If ISPs are shipping stuff without a firewall by default I'd consider that incompetence given people don't understand this stuff and shitty IoT devices exist.
I do wonder how real the problem is, though. How are people going to discover a random IPv6 device on the internet? Even if you knew some /64 is residential it's still impractical to scan and find anything there (18 quintillion possible addresses). If you scanned an address per millisecond it would take 10^8 years, or about 1/8 the age of the earth, to scan a /64.
Are we just not able to think in such big numbers?
> Are internet routers that do ipv4 NAT usually also doing an IPv6 firewall (meaning they only let incoming connections in if they are explicitly allowed by some configuration)?
Consider the counter-factual: can you list any home routers/CPEs that do not do SPI, regardless of protocol? If someone found such a thing, IMHO there would be a CVE issued quite quickly for it.
And not just residential stuff: $WORK upgraded firewalls earlier in 2025, and in the rules table of the device(s) there is an entry at the bottom that says "Implicit deny all" (for all protocols).
So my question to NAT/IPv6 Truthers is: what are the devices that allow IPv6 connections without SPI?
And even if such a thing exists, a single IPv6 /64 subnet is as large as four billion (2^32) IPv4 Internets (2^32 addresses): good luck trying to find a host to hit in that space (RFC 7721).
There is one practical difference. IPv6 without a NAT exposes information about different devices inside the private network. A NAT (whether ipv4 or ipv6) will obfuscate how many devices are on the network. Whether that is desirable depends on the circumstances.
> […] In this paper, we design an efficient and scalable system via spatial-temporal traffic fingerprinting from an ISP’s perspective in consideration of practical issues like learning- testing asymmetry. Our system can accurately identify typical IoT devices in a network, with the additional capability of identifying what devices are hidden behind NAT and the number of each type of device that share the same IP address. […]
> IPv6 without a NAT exposes information about different devices inside the private network.
In practice this has not been true for over 20 years.
IPv6 devices on SLAAC networks (which is to say, almost all of them) regularly rotate their IPv6 address. The protocol also explicitly encourages (actually, requires) hosts to have more than one IPv6 address active at any given time.
You are also making a wrong assumption that the externally visible address and port ranges chosen by the NAT device do not make the identity of internal devices easily guessable.
In both cases the only consumer security comes from "the home router defaults to being a stateful firewall". The only difference between the two is whether it also defaults to doing NAT with that state, which is not what was making IPv4 secure for people unaware either.
If you think about it, NAT offers pretty much the same protection as a default stateful firewall. Only allowing packets from the outside related to a connection initiated from the inside.
> Only allowing packets from the outside related to a connection initiated from the inside.
NAT a.k.a IP masquerading does not do that, it only figures out that some ingress packets whose DST is the gateway actually map to previous packets coming from a LAN endpoint that have been masqueraded before, performs the reverse masquerading, and routes the new packet there.
But plop in a route to the network behind and unmatched ingress packets definitely get routed to the internal side. To have that not happen you need to drop those unmatched ingress packets, and that's the firewall doing that.
Fun fact: some decade ago an ISP where I lived screwed that up. A neighbour and I figured out the network was something like that:
192.168.1 and 192.168.2 would be two ISP subscribers and 10.0.0.x some internal local haul. 192.168.x.1 would perform NAT but not firewall.
You'd never see that 10.0.0.x usually as things towards WAN would get NAT'd (twice). But 10.0.0.x would know about both of the 192, so you just had to add respective routes to each other in the 192.168.x.1 and bam you'd be able to have packets fly through both ways, NAT be damned.
Network Address Translation is not a firewall and provides no magically imbued protection.
I have never seen a NAT implementation that forwarded every packet sent to it. As you stated in your first sentence, NAT forwards packets that match previous packets. Assuming it does that job well, that’s filtering right there.
its pretty common to have the NAT gateway also be a stateful firewall (you’re tracking state, after all) but they’re not the same and you can have one without the other.
Its just uncommon in consumer or prosumer devices.
A similar allegory is perhaps industrial washing machines vs consumer ones or that printer/scanner combos are common (even in offices) but print shops and people who actually need a lot of paper would have dedicated equipment that does either scanning or copying better.
It’s also like a leatherman, they all have some commonality (the need to be gripped) so theres a lot of combination; but a tradie would only use one as a last resort- often preferring a proper screwdriver.
> NAT offers pretty much the same protection as a default stateful firewall
Most NAT requires itself to include a stateful firewall; it's the same thing as the NAT flow table. This whole trope is mostly getting into people's heads to not forget about actually configuring that "free" firewall properly, since it'll just be a poor one otherwise.
>Yes, in a very superficial sense, you can't literally route a packet over the internet backwards to a host behind NAT without matching a state entry or explicit port forwarding.
Don’t forget source routing. That said, depending on your threat model, it’s not entirely unreasonable to just rely on your ISP’s configuration to protect you from stuff like this, specifically behind an IANA private range.
Although that in itself might be a hint to change language and write your library there, instead of inventing a new one.
reply