dual_sport_dork

joined 2 years ago
[–] dual_sport_dork@lemmy.world 2 points 3 hours ago

Penguins are cool. I ride dual sport motorcycles. (And other motorcycles. But definitely those.)

[–] dual_sport_dork@lemmy.world 25 points 4 hours ago (5 children)

"Calls."

There's only one call, and it's coming from Tim Sweeney at Epic. It's just more of his usual yelling at clouds, because he's got a pathological hate-on for anyone else who runs a storefront, including Apple and Google but especially Valve. He hasn't made any positive contribution to the world since about 1998, and at this point we can all safely discard his opinion with nothing of value being lost. He wants to allow AI slime on his own platform because he thinks it'll make him free money, but maybe he ought to worry about the smell coming from his own house before he goes around trying to dictate at others how they should run theirs.

[–] dual_sport_dork@lemmy.world 2 points 5 hours ago

I'm more of a Magnetbox bird, myself.

[–] dual_sport_dork@lemmy.world 2 points 5 hours ago* (last edited 5 hours ago)

"You yadda-yaddad a homie stock? You can't yadda-yadda a homie stock!"

[–] dual_sport_dork@lemmy.world 3 points 7 hours ago* (last edited 7 hours ago)

Well, my answer is nothing, and as anyone who follows me knows, seeing me not buy any random novelty cutlery trash from China has certainly got to count for something.

[–] dual_sport_dork@lemmy.world 4 points 1 day ago (1 children)

Are we still doing "Oh, exploitable?"

[–] dual_sport_dork@lemmy.world 5 points 2 days ago (1 children)

Uh-huh. Now ask it how to center a div vertically.

[–] dual_sport_dork@lemmy.world 1 points 2 days ago

There are several things you could do in that regard, I'm sure. Configure your services to listen only on weird ports, disable ICMP pings, jigger your scripts to return timeouts instead of error messages... Many of which might make your own life difficult, as well.

All of these are also completely counterproductive if you want your hosted service, whatever it is, to be accessible to others. Or maybe not, if you don't. The point is, the bots don't have to find every single web service and site with 100% accuracy. The hackers only have to get lucky once and stumble their way into e.g. someone's unsecured web host where they can push more malware, or a pile of files they can encrypt and demand a ransom, or personal information they can steal, or content they can scrape with their dumb AI, or whatever. But they can keep on trying until the sun burns out basically for free, and you have to stay lucky and under the radar forever.

In my case, just to name an example, I kind of need my site to be accessible to the public at large if I want to, er, actually make any sales.

[–] dual_sport_dork@lemmy.world 7 points 2 days ago (1 children)

I wasn't going to type that many commas for the sake of brevity, but it's 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses. I.e. 2^128^. So yes, I do.

I consider 96 orders (in binary, anyway) as "multiple." Wouldn't you?

[–] dual_sport_dork@lemmy.world 40 points 3 days ago

Almost certainly. There are only 4,294,967,296 possible IPv4 addresses, i.e. 4.3ish billion, which sounds like a lot but in computer terms really isn't. You can scan them in parallel, and if you're an advanced script kiddie you could even exclude ranges that you know belong to unexciting organizations like Google and Microsoft, which are probably not worth spending your time messing with.

If you had a botnet of 8,000 or so devices and employed a probably unrealistically generous timeout of 15 seconds, i.e. four attempts per minute per device, you could scan the entire IPv4 range in just a hair over 93 days and that's before excluding any known pointless address blocks. If you only spent a second on each ping you could do it in about six days.

For the sake of argument, cybercriminals are already operating botnets with upwards of 100,000 compromised machines doing their bidding. That bidding could well be (and probably is) probing random web servers for vulnerabilities. The largest confirmed botnet was the 911 S5 which contained about 19 million devices.

[–] dual_sport_dork@lemmy.world 105 points 3 days ago (16 children)

That's because it's numerically possible to sweep through the entire IPv4 address range fairly trivially, especially if you do it in parallel with some kind of botnet, proverbially jiggling the digital door handles of every server in the world to see if any of them happen to be unlocked.

One wonders if switching to purely IPv6 will forestall this somewhat, as the number space is multiple orders of magnitude larger. That's only security through obscurity, though, and it's certain the bots will still find you eventually. Plus, if you have a domain name the attackers already know where you are — they can just look up your DNS record, which is what DNS records are for.

[–] dual_sport_dork@lemmy.world 13 points 3 days ago (5 children)

"Lots of people are selfish shitheads unless they think there may be immediate consequences for them acting like shitheads" is a well-worn observation on human nature, and is not especially new. Just watch how people drive for the next few miles after they spot a cop on the interstate as an example.

The fact that apparently these people can't quite separate the fictional concept of Batman with reality, i.e. the threat of real-world consequences, is somewhat novel. Not especially encouraging, but novel.

 

Y u no put the paper towels in the fucking dispenser rather than leaving the half torn open pack on the countertop?

Getting the new brick of towels out of the supply room and dragging it all the way to the bathroom is like 99% of the effort already. Just stuff them in the damn box.

(This is right up there with the old classic, getting out a new bog roll and leaving it delicately balanced on top of the old empty cardboard tube rather than just installing it on the damn spindle.)

You'd think I work in a building full of toddlers.
