Stories with Tag IP address

• Everyone knows your location, Part 2: try it yourself and share the results

  permalink

  Posted: 2025-04-17 13:41:27

  Verbose tl;dr

  The blog post encourages readers to experiment with a provided Python script that demonstrates how easily location can be estimated using publicly available Wi-Fi network data and the Wigle.net API. By inputting the BSSIDs (unique identifiers) of nearby Wi-Fi networks, even without connecting to them, the script queries Wigle.net and returns a surprisingly accurate location estimate. The post highlights the privacy implications of this accessible technology, emphasizing how readily available information about wireless networks can be used to pinpoint someone's location with a simple script, regardless of whether location services are enabled on a device. This reinforces the previous post's message about the pervasiveness of location tracking.

  This blog post, titled "Everyone Knows Your Location, Part 2: Try It Yourself and Share the Results," serves as a follow-up to a previous entry discussing the surprising ease with which location information can be inadvertently leaked online. The author, Tim, expands upon the initial exploration by providing readers with a practical, hands-on exercise designed to demonstrate the potential vulnerability of seemingly innocuous online interactions.

  The core of the post revolves around a self-guided experiment involving the creation and sharing of a specifically crafted HTML file. This file incorporates embedded JavaScript code that, when opened in a web browser, leverages the browser's geolocation API. This API, designed to allow websites to access a user's location for legitimate purposes like providing localized content or directions, can be exploited to subtly extract location data without explicit user consent if not handled cautiously.

  The author meticulously details the steps involved in creating this HTML file, providing clear and concise instructions along with explanations of the underlying code. This careful breakdown empowers readers, even those without extensive technical knowledge, to replicate the experiment themselves and witness firsthand how their location information can be obtained. The provided JavaScript code includes functionality to send the retrieved location data to a designated web server controlled by the author, effectively simulating a scenario where an unwitting user might inadvertently disclose their location.

  Furthermore, the post emphasizes the importance of responsible data handling and highlights the ethical implications of this potential vulnerability. By encouraging readers to participate in the experiment and subsequently share their anonymized results, the author aims to foster a broader understanding of the prevalence and potential impact of location tracking in the digital age. The explicit request for anonymized results underscores the author's commitment to privacy and ethical data collection practices. The overall goal is to raise awareness and promote informed discussions about the trade-offs between convenience and privacy in the context of location-based services and online interactions. The post implicitly suggests that increased awareness can lead to better practices by both developers and users when dealing with location data.

  • location tracking
  • privacy
  • geolocation
  • IP address
  • Wi-Fi
  • cellular triangulation
  • metadata
  • Online Security
  • digital footprint
  • surveillance
  • experiment
  • Data Collection
  • User Data
  • Location Services
  • Mapping

  Summary of Comments ( 50 )
  https://news.ycombinator.com/item?id=43716704

  Verbose tl;dr

  Hacker News users generally agreed with the article's premise, expressing concern over the ease with which location can be approximated or even precisely determined using readily available data and relatively simple techniques. Several commenters shared their own experiences replicating the author's methods, often with similar success in pinpointing locations. Some highlighted the chilling implications for privacy, particularly in light of data breaches and the potential for malicious actors to exploit this vulnerability. A few offered suggestions for mitigating the risk, such as VPN usage or scrutinizing browser extensions, while others debated the feasibility and effectiveness of such measures. Some questioned the novelty of the findings, pointing to prior discussions on similar topics, while others emphasized the importance of continued awareness and education about these privacy risks.

  The Hacker News post titled "Everyone knows your location, Part 2: try it yourself and share the results" generated a moderate amount of discussion with a mix of reactions and insights related to the original article's claims about location tracking.

  Several commenters shared their own experiences attempting the location tracking techniques described in the article, with varying degrees of success. Some reported being able to pinpoint locations with surprising accuracy, while others found the methods less effective or inconsistent. This led to a discussion about the reliability and practicality of these techniques in real-world scenarios.

  A key point of discussion revolved around the ethical implications of readily accessible location tracking methods. Commenters debated the potential for misuse and the need for greater awareness and control over personal location data. Some argued for stricter regulations and increased transparency from companies collecting and utilizing location information.

  Technical details of the tracking methods were also examined. Commenters discussed the specifics of IP address geolocation, WiFi positioning, and other techniques, including their limitations and potential vulnerabilities. Some commenters with expertise in networking and security offered insights into the accuracy and feasibility of these methods, pointing out factors that could influence the results.

  The conversation touched upon the trade-offs between convenience and privacy in the context of location-based services. Commenters acknowledged the benefits of location services for navigation, personalized recommendations, and other applications, but also expressed concerns about the potential for surveillance and data breaches.

  Some commenters also discussed potential mitigations and defenses against unwanted location tracking. Suggestions included using VPNs, disabling location services on devices, and being mindful of the permissions granted to apps.

  Finally, a few commenters questioned the overall novelty of the information presented in the article, suggesting that the methods described were already well-known within the security and privacy community. However, they acknowledged the value in raising public awareness about these issues and making them accessible to a wider audience.

• Launching RDAP; sunsetting WHOIS

  permalink

  Posted: 2025-03-17 00:48:48

  Verbose tl;dr

  ICANN is transitioning from the WHOIS protocol to the Registration Data Access Protocol (RDAP) for accessing domain name registration data. RDAP offers improved access control, internationalized data, and a structured, extensible format, addressing many of WHOIS's limitations. While gTLD registry operators were required to implement RDAP by 2019, ICANN's focus now shifts to encouraging its broader adoption and eventual replacement of WHOIS. Although no firm date is set for WHOIS's complete shutdown, ICANN aims to cease supporting the protocol once RDAP usage reaches sufficient levels, signaling a significant shift in how domain registration information is accessed.

  The Internet Corporation for Assigned Names and Numbers (ICANN) has announced a significant shift in how domain name registration data is accessed, moving from the legacy WHOIS protocol to the Registration Data Access Protocol (RDAP). This transition, formally announced on January 27, 2025, marks the culmination of a multi-year effort to modernize and improve the system for retrieving information about domain name registrants.

  WHOIS, a long-standing system, has served as the primary method for accessing registration data. However, its limitations in terms of data accuracy, consistency, and privacy have become increasingly apparent. It also lacks standardized output formats and internationalization capabilities, presenting challenges for users and developers. Furthermore, its design predates modern data privacy regulations like GDPR, making compliance difficult.

  RDAP, in contrast, is designed to address these shortcomings. It offers a more structured and standardized approach to data access, employing extensible data fields and supporting internationalized character sets. RDAP also incorporates robust access control mechanisms, allowing for differentiated access to registration data based on user roles and policy requirements. This enables better protection of personal data while still allowing legitimate access for purposes such as law enforcement investigations, intellectual property rights protection, and network operations.

  ICANN’s announcement highlights the completion of the technical development and deployment of the RDAP system across all generic Top-Level Domains (gTLDs). This signifies a readiness to fully transition away from WHOIS. While the exact date for complete cessation of WHOIS services has not been definitively established, the announcement reinforces ICANN's commitment to sunsetting the outdated protocol. The eventual decommissioning of WHOIS will mark a significant milestone in the evolution of internet governance, bringing the domain name system into greater alignment with current data privacy best practices and technological advancements. This transition encourages stakeholders to adopt RDAP as the preferred method for accessing registration data moving forward. ICANN recognizes the importance of this change and is committed to supporting users and providers throughout the transition process.

  • ICANN
  • RDAP
  • Whois
  • Domain Name System
  • dns
  • Internet Governance
  • Data Accuracy
  • privacy
  • Security
  • Protocol
  • Transition
  • deprecation
  • Registration Data Access Protocol
  • WHOIS Lookup
  • Domain Information
  • Internet Protocol
  • IP address
  • network administration
  • Policy

  Summary of Comments ( 273 )
  https://news.ycombinator.com/item?id=43384069

  Verbose tl;dr

  Hacker News commenters largely express frustration and skepticism about the transition from WHOIS to RDAP. They see RDAP as more complex and less accessible than WHOIS, hindering security research and anti-abuse efforts. Several commenters point out the lack of a unified, easy-to-use RDAP client, making bulk queries difficult and requiring users to navigate different authentication mechanisms for each registrar. The perceived lack of improvement over WHOIS and the added complexity lead some to believe the transition is driven by GDPR compliance rather than actual user benefit. Some also express concern about potential information access restrictions and the impact on legitimate uses of WHOIS data.

  The Hacker News post "Launching RDAP; sunsetting WHOIS" discussing ICANN's plan to replace WHOIS with RDAP has generated a moderate amount of discussion, with a focus on the practical implications and perceived shortcomings of the transition.

  Several commenters express skepticism about RDAP's purported benefits, particularly regarding data accessibility. One user highlights the increased complexity of querying RDAP compared to WHOIS, noting the requirement for specific queries for each top-level domain (TLD) and the varied responses that can make parsing difficult. This complexity is contrasted with the simplicity of WHOIS, which offered a single point of access. The user expresses doubt that RDAP will be as widely adopted or as useful as WHOIS.

  Building on this theme, another commenter points out the lack of a comprehensive, unified RDAP interface, leading to fragmentation and increased difficulty in obtaining domain information. They argue that this lack of a centralized system negates the benefits of a structured data format, making RDAP less practical than WHOIS for many users. They lament the potential loss of a useful tool and the added complexity introduced by RDAP.

  Another commenter questions the actual improvements offered by RDAP, highlighting the potential for similar abuse and privacy issues despite the structured data format. They point to the existing challenges with WHOIS data accuracy and the possibility of similar inaccuracies persisting in RDAP.

  One user expresses concern about the impact on security researchers and incident responders who rely on WHOIS data. They note the ease of automating WHOIS lookups and worry that the distributed nature of RDAP will hinder efficient data gathering for security purposes.

  The discussion also touches upon the internationalization aspects of RDAP, with one user praising the support for internationalized domain names and other languages. However, another commenter questions the enforcement of accuracy in internationalized data, suggesting that this aspect might introduce further complexities.

  Finally, a couple of comments reflect a more accepting stance towards the transition. One user simply acknowledges the change, while another points out the limited utility of WHOIS even before its deprecation, hinting at the potential for RDAP to offer improvements, albeit with challenges.

  In summary, the comments on Hacker News largely express concerns about the practical usability and effectiveness of RDAP as a replacement for WHOIS. The primary themes include increased complexity, lack of a unified interface, potential for similar data accuracy issues, and the impact on security researchers. While some acknowledge the potential benefits of structured data and internationalization, the prevailing sentiment appears to be one of skepticism and apprehension regarding the transition.

• Docker limits unauthenticated pulls to 10/HR/IP from Docker Hub, from March 1

  permalink

  Posted: 2025-02-21 07:42:45

  Verbose tl;dr

  Starting March 1st, Docker Hub will implement rate limits for anonymous (unauthenticated) image pulls. Free users will be limited to 100 pulls per six hours per IP address, while authenticated free users get 200 pulls per six hours. This change aims to improve the stability and performance of Docker Hub. Paid Docker Hub subscriptions will not have pull rate limits. Users are encouraged to log in to their Docker Hub account when pulling images to avoid hitting the new limits.

  Docker Hub, the primary registry for Docker images, is implementing rate limits on image pulls for anonymous (unauthenticated) users. Starting March 1st, anonymous users will be limited to 10 pulls per six hours per IP address. This change is being implemented to ensure the stability and performance of Docker Hub for all users and to combat abuse.

  This limitation applies to all Docker clients pulling images directly from Docker Hub without authentication. This means users who access Docker Hub through a Docker desktop client or other Docker tools without logging in will be subject to these limits.

  The limits are calculated based on the IP address initiating the pull request. Therefore, multiple users sharing a single IP address, such as those behind a corporate firewall or NAT, will share the same pool of 10 pulls per six hours. Exceeding this limit will result in the pull request being denied with an error message indicating the rate limit has been reached.

  This policy change does not affect authenticated users. Users who log in to Docker Hub with their Docker ID will not be subject to these rate limits and can continue to pull images without restriction. Docker strongly encourages users to log in for uninterrupted access and to take advantage of other benefits, such as access to private repositories and automated builds.

  This new rate limit is specifically for pulls, not pushes. Pushing images to Docker Hub still requires authentication and is unaffected by this change.

  Organizations and individuals who anticipate that the anonymous pull limits will disrupt their workflows are advised to create free Docker Hub accounts and log in when pulling images. This will allow them to avoid the rate limits entirely. This is especially important for automated build processes or environments where many pulls are performed from a shared IP address.

  • docker
  • Docker Hub
  • Rate Limiting
  • Image Pulls
  • Containerization
  • DevOps
  • Security
  • Authentication
  • IP address
  • API Limits

  Summary of Comments ( 290 )
  https://news.ycombinator.com/item?id=43125089

  Verbose tl;dr

  Hacker News users discuss the implications of Docker Hub's new rate limits on unauthenticated pulls. Some express concern about the impact on CI/CD pipelines, suggesting the 100 pulls per 6 hours for authenticated free users is also too low for many use cases. Others view the change as a reasonable way for Docker to manage costs and encourage users to authenticate or use alternative registries. Several commenters share workarounds, such as using a private registry or caching images more aggressively. The discussion also touches on the broader ecosystem and the role of Docker Hub within it, with some users questioning its long-term viability given past pricing changes and policy shifts. A few users report encountering unexpected behavior with the limits, suggesting potential inconsistencies in enforcement.

  The Hacker News post discussing Docker Hub's new rate limits on unauthenticated pulls generated a significant number of comments, with many users expressing their concerns and opinions.

  Several commenters saw the move as a way for Docker to push users towards paid plans. They felt that the limits were too restrictive, especially for open-source projects and smaller developers who rely on Docker Hub for their workflows. The sentiment was that this change would disrupt their current processes and potentially force them to consider alternatives. Some users questioned the effectiveness of this strategy, suggesting it might drive users away from Docker altogether rather than towards paid subscriptions.

  A common point of discussion revolved around the impact on CI/CD pipelines. Commenters pointed out that shared CI/CD runners often use the same IP address, meaning the rate limits could be easily hit, causing builds to fail. This concern highlighted the potential for widespread disruption for projects relying on such infrastructure. Some suggested using authenticated pulls as a workaround, but others noted that this isn't always feasible or desirable, especially for open-source projects.

  The technical details of the implementation were also scrutinized. Some users questioned the choice of using IP addresses for rate limiting, arguing that it's not a reliable method due to the prevalence of shared IPs and dynamic IP allocation. This could lead to legitimate users being unfairly throttled. Alternatives like user-agent based limiting were proposed.

  There was a discussion about the potential for abuse and the motivation behind Docker's decision. Some commenters speculated that this move was aimed at combating cryptocurrency miners who might be leveraging Docker Hub's resources. Others suggested that it could be a response to excessive bandwidth usage and the associated costs.

  Some users expressed understanding for Docker's need to monetize its services, but they also emphasized the importance of a generous free tier for the health of the Docker ecosystem. The feeling was that striking a balance between monetization and community support was crucial for the long-term success of Docker.

  Finally, a few commenters offered alternative solutions and workarounds, such as setting up private registries or using different container registries altogether. This reflected a proactive approach within the community to adapt to the new limitations.

• 0-click deanonymization attack targeting Signal, Discord, other platforms

  permalink

  Posted: 2025-01-21 14:59:44

  Verbose tl;dr

  A security vulnerability, dubbed "0-click," allowed remote attackers to deanonymize users of various communication platforms, including Signal, Discord, and others, by simply sending them a message. Exploiting flaws in how these applications handled media files, specifically embedded video previews, the attacker could execute arbitrary code on the target's device without any interaction from the user. This code could then access sensitive information like the user's IP address, potentially revealing their identity. While the vulnerability affected the Electron framework underlying these apps, rather than the platforms themselves, the impact was significant as it bypassed typical security measures and allowed complete deanonymization with no user interaction. This vulnerability has since been patched.

  A newly disclosed vulnerability, dubbed the "0-click deanonymization attack," poses a significant threat to user privacy on several popular communication platforms, including Signal, Discord, and others employing WebRTC, a real-time communication technology. This attack exploits a subtle flaw in the way these platforms handle IP address leaks within WebRTC connections, allowing a malicious actor to uncover the IP address of a target user without any interaction from the target—hence the "0-click" designation.

  The exploit leverages Session Traversal Utilities for NAT (STUN) and Interactive Connectivity Establishment (ICE) servers, integral components of WebRTC's functionality. These servers facilitate the establishment of peer-to-peer connections by assisting clients in discovering their public IP addresses and traversing network address translation (NAT) gateways. Normally, these IP addresses are exchanged between communicating parties. However, the vulnerability arises from the fact that these platforms inadvertently expose IP addresses to STUN/ICE servers even before a connection is fully established, and crucially, even if the target user declines or ignores a call.

  The attacker initiates a WebRTC connection request to the target user. Even if the target doesn't accept the call, the target's client still interacts with the STUN/ICE servers, revealing its IP address in the process. The attacker, by controlling or monitoring the STUN/ICE server, can passively intercept this communication and capture the target's IP address. This allows for deanonymization, linking the target's online identity on the platform to their real-world location and potentially revealing their true identity.

  This vulnerability is particularly insidious because it requires no action from the target user. Merely receiving a connection request, even an ignored or rejected one, is sufficient for the attack to succeed. This bypasses traditional defenses against IP address leaks, such as disabling WebRTC entirely or using VPNs, as the leakage occurs before these protective measures can effectively intervene. While VPNs might mask the true IP address, the timing correlation between the call attempt and the observed IP address on the VPN server could still provide valuable information to a determined attacker.

  The technical details of the exploit involve manipulating the JavaScript execution within the target's browser to control the flow of WebRTC negotiation and observe the STUN/ICE server interactions. The author of the disclosure emphasizes the simplicity of the attack and its broad applicability to any platform utilizing WebRTC without adequate safeguards. The potential consequences of this vulnerability are serious, ranging from targeted harassment and doxing to large-scale surveillance and privacy breaches.

  • signal
  • Discord
  • deanonymization
  • privacy
  • Security
  • Vulnerability
  • attack
  • metadata
  • 0-click
  • Exploit
  • IP address
  • online privacy
  • communication platforms
  • messaging apps

  Summary of Comments ( 294 )
  https://news.ycombinator.com/item?id=42780816

  Verbose tl;dr

  Hacker News commenters discuss the practicality and impact of the described 0-click deanonymization attack. Several express skepticism about its real-world applicability, noting the attacker needs to be on the same local network, which significantly limits its usefulness compared to other attack vectors. Some highlight the importance of the disclosure despite these limitations, as it raises awareness of potential vulnerabilities. The discussion also touches on the technical details of the exploit, with some questioning the "0-click" designation given the requirement for the target to join a group call. Others point out the responsibility of Electron, the framework used by the affected apps, for not sandboxing UDP sockets effectively, and debate the trade-offs between security and performance. A few commenters discuss potential mitigations and the broader implications for user privacy in online communication platforms.

  The Hacker News post titled "0-click deanonymization attack targeting Signal, Discord, other platforms" generated a significant discussion with a variety of comments. Several commenters focused on the technical aspects of the exploit, highlighting how seemingly innocuous features like generating link previews could be manipulated to leak IP addresses. There's a strong consensus that the core issue stems from servers fetching content from user-supplied URLs without proper safeguards.

  Some commenters questioned the "0-click" nature of the attack, arguing that a user still needs to engage with a message containing a malicious link, even if they don't explicitly click it. Others pointed out that the practicality of the attack is limited by the need for the attacker to control a server capable of logging IP addresses connecting to it.

  The discussion also touched upon the responsibility of different platforms. Some commenters argued that platforms like Signal and Discord should have implemented better protections against this type of attack, while others emphasized that the underlying issue lies with the broader ecosystem of link previews and the lack of standardized security measures.

  A few commenters provided technical insights into potential mitigations, including the use of proxy servers for fetching previews and stricter validation of URLs. The feasibility and potential downsides of these solutions were also debated.

  Some users shared anecdotal evidence of similar attacks or vulnerabilities they've encountered in the past, reinforcing the concern about the potential for abuse of link preview functionality.

  Finally, there was some discussion about the ethical implications of researching and disclosing such vulnerabilities, with opinions varying on the responsible approach to handling such sensitive information. The overall sentiment seems to be one of concern about the potential privacy implications of this attack vector and the need for a broader industry response to address the underlying issues.