sylver_dragon

I wouldn’t expect it to replace people. It will make workers more productive. However, because it is already pretty well spread through most companies, those productivity gains will only lead to competitive advantages for companies with highly skilled workers.

Think of it like a chainsaw for lumberjacks. A lumberjack with a chainsaw is going to be far more productive than one with just a hand axe. But since every company equips their lumberjacks with chainsaws, they aren’t really at an advantage, chainsaws are now just a cost of entry for a company. Also, lumberjacks are required to know how to use a chainsaw. But they are ok.

For knowledge workers, AI is our new chainsaw. We’re going to learn to use it. And it’s going to be part of our jobs going forward. From my own experience, it has it’s uses and is pretty good at certain tasks. It can also be endlessly frustrating at tasks where it’s not well suited or the training isn’t up to snuff. We just have to learn and adjust to a world where the tool exists and is used everywhere. The genie isn’t going back in the bottle.

All of the above.

Is it that ISPs are being paid by tech-bros to assign them these IPs?

Bullet Proof Hosting is a thing. Some ISPs basically advertise to criminals about their ability to evade take down orders and unwillingness to work with law enforcement. So, some infrastructure ends up on these devices. However, the IP ranges from these services often get discovered and are added to public reputation and block lists.

Along side this, cloud providers are pretty bad about policing their networks. On my own home server, I have blocked much of the Digital Ocean IP space, as it’s home to a lot of scanners, bots and other malicious traffic.

Is it that residential devices have been hacked /contain malware that does this?

This happens, a lot. The Mirai Botnet thrived on compromised home routers. People are pretty bad at updating their devices and many SOHO routers ship with some pretty bad vulnerabilities. It’s only a matter of time until someone finds an unpatched or misconfigured router and adds it to a botnet. People also get phished or install trojans all the time, adding to botnets. Darknet Diaries just had a fantastic episode on the Bayrob malware, part of which was turning infected machines into a custom botnet.

Is it trivial for companies to assign themselves residential IPs?

Some ISPs just look the other way when they get reports of malicious activity on their network. Also, attackers can force a DHCP refresh and just get a new IP when the old one seems blocked. Getting one in the first place is often as simple as signing up for service and/or compromising someone’s home PC and using it as a relay.

Paid volunteers are doing this for AI companies?

This probably happens. Afterall, we’ve already seen a company selling an AI product which was just workers in India.

Obviously this is a problem because one can rotate / cycle through residential IPs and if I aggressively block each offender in my logs permanently, then the next person assigned this IP who may be a legitimate user will be unable to access my site.

Look into Fail2Ban. This program monitors your logs and will ban IPs automatically based on criteria you set. This can include specific HTTP requests in your web logs. The ban can be permanent or can be time limited. For example, I have a container running in a cloud provider which I use to proxy requests through my ISP’s CGNAT setup. There is an NGinx reverse proxy running there and I have fail2ban watching the access log. If certain request strings are seen, the sending IP gets dumped in a permanent jail. I also have it scanning the sshd logs and banning IPs which fail to login 3 times within a short period.

It’s far from a silver bullet, but it’s something which should be running on any web facing system. Attackers will always be rattling the door knobs. There is no reason to let them keep rattling away.

Ya. It’s not really a new idea:

https://www.imdb.com/title/tt1053424/

The real bitch is the $100k a month subscription fees and required internet connection. If he loses signal, his kidney shuts down.

Sadly, a reluctance to install patches isn’t unique to Windows administration. I worked at a site with a well functioning Satellite infrastructure and support contracts with Red Hat. And we (InfoSec) were still chasing down admins to get their shit patched. Thankfully, we had NAC and authorization to disconnect systems that feel out of compliance. Most departments got with the program pretty quick when they ignored the "please patch all critical vulnerabilities in three days’ email and ended up with a “you are out of compliance and have been disconnected” email.

And Docker had made the whole Linux situation even worse. So many devs love to spin up containers, basically disable any sort of firewall, don’t bother with IP filtering. Oh and let’s just use passwords for ssh. Also, who needs logs? It’s a container, right. So, let’s disable all logging and not forward those anywhere. Then they promptly forget about the container until we run a vuln scan and find it’s got half a dozen RCE vulns and have to run them down and ask why the fuck it’s still running.

Linux is a much better base to build on. But bad security hygiene is still rife and still really bad for security.

Then they transfered a file to /tmp/exp which was linux kernel CVE-2026-43500, nicknamed ‘Dirty Frag’, an RxRPC local privilege escalation. I had not patched these internal servers that nobody should have access to against this.

Lessons Learned #1:
Install your patches.
“But I have a firewall!”
That is not a sufficient control.
Install.
Your.
Fucking.
Patches!

Anything SharePoint.
So many companies end up using SharePoint for “knowledge management” not realizing they are dooming their knowledge to be lost in some byzantine hole of information where no one will ever be able to find or use it ever again. Worse, as more knowledge is yeeted into the pile, the search becomes better and better at presenting outdated, or irrelevant information. So, you will have new employees who find a process which is 5-10 years out of date, completely wrong, but it looks official and the links still work for some gods forsake reason. Of course, the right information is in SharePoint somewhere, but it’s probably locked behind a site with broken permissions, in a document library in a Word document which isn’t properly indexed and there’s 4 different versions of the same document with names like “New procedure_v3_DRAFT_bob’s edits.docx”, because no one understands how file versioning works.

The just stopped working was the client stopped syncing?

The client doesn’t seem to detect new photos as they are created/taken. If I manually upload an image from my photos folder, it syncs just fine. Files in other folders seem to sync just fine. But, photos and videos just never even try to sync.

NextCloud decided to stop allow private made certificates with its client in 2025 and its what made me switch.

This hasn’t been an issue for me. I pay for a domain and have a certificate issued by Let’s Encrypt. The only certificate errors I get are when I refresh the certificate every 6 months, and that’s just the client asking me if I want to trust the new certificate.

Syncthing

I had looked into this a while back, but it seemed to be more of a point to point solution and not a client-server system. I was aiming to have an authoritative server with everything and clients (both phone and desktop) able to pull the needed/request files. I also like the ability to share via a web link when needed. Am I wrong in that understanding?

I currently use NextCloud, but I have been looking to move away from it. My main use case is for syncing photos and videos to the cloud from my phone (Android) and this used to work flawlessly. But, some time in early 2025, it just stopped working. I can still manually upload files and sync still works for other folders (e.g. Documents) just fine. But, photos and videos just won’t sync automatically. Not sure if there are other options which would work better, but NextCloud on Android just seems to be broke.

You come from nothing, you’re going back to nothing. What have you lost?
Nothing!

AI is the shiny new tech and investors are more worried about missing out on “the next big thing” than they areabout pissing away a few billion dollars. For investors at that level, it’s all a game of numbers. If they invest a billion dollars in 20 different things, and 19 of those things fail, but one has a return of 100 billion dollars, that’s a win.

Sure, there is no guarantee that AI will pan out. But, that’s a very hard thing to determine ahead of time. Everyone thought e-commerce would pay off big in the 90’s/00’s. And it did, for a few companies (Google, Amazon). The rest got slaughtered and we got the dot-com bubble. Then folks expected Crypto currencies, EFTs and NFTs to pay off big. Mostly, that didn’t happen, though they do thrive in a few places. Again, investors just wanted to ride that profit wave.

In short, investments are all about making money. And at a sufficient scale, it’s not about picking winners or losers, it’s about picking everything and making sure the wins from the winners cover the losses from the losers.

We used to get Trickling Springs Creamery ice cream from a local farm store. And it was really good ice cream. But, they had some problems and shut down. I’m not sure what they did to make the ice cream so good, but I’ve not found anything since which compared.

Cookie dough ice cream, without chocolate chips. Maybe it was a limited time thing, but I remember having this at an ice cream shop similar to Baskin Robbins in my youth. It was just plain vanilla ice cream with cookie dough in it and neither part had chocolate chips.

I get that I’m likely one of very few people this would have sold to. But, I really do wish I could have this again.

On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter.

What type of shit password storage policies where they using, if this is even remotely accurate? Sure, these guys should face consequences for their actions. But if this is a US FedGov system, whatever management signed off on this system needs to be in the next jail cell over. Their security seems to be criminally negligent.

Don’t feed the trolls.
It’s a rule almost as old as the intranet. It doesn’t work, but there isn’t anything better.

So they need to review every website?

I’m going to assume you’re just trolling now. I refuse to believe that someone can be this stupid, without actually doing it intentionally. Well done, you got me for a few comments. But, I’m done feeding the troll.

Google processes over 5.9 trillion searches per year

That number has nothing to do with the problem. They don’t need to review every search, they need to review every advertising link they have been paid to place (not every link indexed). Presumably, they already have the infrastructure in place to track those links and verify that they comply with laws such as CSAM, copyright or other areas where they actually have some accountability in those areas. The number of paid advertisement links will be far smaller than that 5.9 trillion number.

And through inaction said public is consenting to be ruled by nasty Christian predators.
How (and/or what) should thoughtful people think about the public’s consent to be ruled by elite Epstein class pedophiles?

The world isn’t quite as black and white as you want to make it out. And the range of possible responses do not exist in isolation.
Let’s start with the absurd response of “Annie, grab your gun and let’s go overthrow the government”. This would stupid on so many levels. First and foremost is the simple unlikelihood of success. While the wars in Vietnam and Afghanistan have demonstrated that the overwhelming force of the US Military has problems dealing with a dedicated insurgency, such insurgencies require a fanatical level of dedication on the part of the insurgents. Do you really think you and a million of your closest friends area ready to get blown apart by an Apache Gunship to force Trump out of office? So this is just a dumb idea.

Moving on, you could always just go for targeted assassinations. You can be John Wilkes Booth all over again, though I don’t suspect Trump is as much a fan of live plays as Lincoln was. Maybe stalk him to a McDonalds? Ignoring all the logistical issues of actually getting to and assassinating a sitting President, it’s not like you would get much done. JD Vance isn’t all that much better (couches everywhere beware!), and the GOP has demonstrated that they are quite willing to keep coughing up horrible people for leadership positions. Really, the problem here is that we have a very divided country at the moment and a significant enough part of the electorate is just fine with a rapist, pedophile grifter as President.

So, let’s take political violence off the table. The best outcome it offers is a civil war with maybe your side winning and maybe the US under the direct control of Ya’ll Qaeda. Or worse, a balkanized US locked in a modern version of the Hundred Years War.

That leaves us with civil disobedience, general strikes and other protests. And I don’t want to downplay the impact these things can have; however, the US is a large, diverse place. A general strike in one State is unlikely to have a major impact in another. And coordinating a general strike across the entire US is very, very hard. Maybe that is the answer to your question, but the fact that it hasn’t been done yet lends some credence to the idea that it’s not really possible. If you think this is what is needed, then by all means, get out and start trying to organize one. Or work with existing groups to try and get one going, I wish you the best of luck, but I’m not going to be putting money down on your chances of success. Protests and civil disobedience can get attention, though that will only get you so far.

All that above leaves the quiver pretty empty. And I’m going to point out the answer you don’t want to hear and will complain about: organize, advocate and vote when the option becomes available. Yes, the GOP has been running full throttle trying to hijack elections. And working within the American Democracy is slow, marginally effective at best and endlessly frustrating. But, unless you think you have the gumption to win a civil war (you almost certainly don’t), this is the system of government for the United States for the foreseeable future. It’s a terrible system, but better than the other stuff humans have tried.

Of course, that means you are also stuck in the situation of “through inaction said public is consenting to be ruled by nasty Christian predators”. And that is partly true. One of the downsides of democracy and elections is that the people you disagree with will occasionally get into power and be able to push their ideas on society. That’s part of what it means to live in a functioning democracy. That the whole thing doesn’t devolve into civil war the minute one side or the other loses. We have boundaries written into law which define exactly how far any one party can go in implementing its agenda while in power. And we have some levers for the out of power party to push back on. But, the system is built on the idea that the peaceful transfer of power between parties who disagree is a far sight better than the non-peaceful transfer of power whenever one side of the other manages to out-violence the other.

So ya, I hate that it’s true, but since I value a stable democracy, I consent to the orange shit running the country. Because the alternative isn’t some left-wing utopia, it’s constant civil war. If we want our country to look more like a left-wing utopia, we need to win enough people over to our ideas and implement those ideas when we hold power. It’s not hopeless, and it all entirely possible. But, it’s easy to just complain, give up and scream into the void that “voting never fixes anything”. But cynicism doesn’t solve problems, hard work does. And hard work isn’t fun, it isn’t sexy and it doesn’t play well on social media.

Actually, that’s the start of a solution.

I’ve personally implemented something similar to this in the past. At one site we had an issue with people browsing porn on their office PCs. Some folks got pretty creative in getting around the blocks we had in place. However, we had full packet capture at the firewall; so, all of the evidence was there. I setup a system which pulled images above a certain size out of those packet captures and passed them through an open source image classifier which used a model based on machine learning. Anything above a certain threshold was flagged for human review, everything else was ignored. It wasn’t perfect, I looked as quite a few images of sand dunes, but it did 90% of the work. And sure, some false negatives likely got through. But, it let us run down the worst offenders.

Right now, Google seems to be ignoring the problem and has no incentive to do anything about it. Google is directly profiting from those malvertising links and so should bear some responsibility for ensuring that they are not serving malware to users. We can certainly work out the fine details around their duty of care and how they can meet it (e.g. LLM scanning with human review), but holding our collective dicks with both hands and claiming “nothing can be done” because it would cost Google money is a bad answer.

It actually seems like a good place for an LLM. One of the security tools I work with uses an LLM to scan emails for malicious links and things like Business Email Compromise and Phishing. It’s actually pretty good. It seems like Google, et. al. could use something similar to catch some of the more obvious malvertising links. But, since they don’t have any accountability, they have no incentive. The only way to build that incentive is to start hitting them in the pocketbook. Letting them ignore the problem isn’t working.