[floatingatoll]

From an IT operator perspective, IPv4 bans are essentially the only recourse available for many — if not most — abuse/attack scenarios. They're unfair and unjust, but this is the price we pay of making tracing identities inaccessible to online abuse enforcement.

If you have an idea on how abusive actors behind CG-NAT can be identified and blocked without blocking the entire CG-NAT, and that idea is not morally unacceptable to the hacker community (as captchas, fingerprinting, and IP bans are), then you can make a billion dollars on that idea.

But it's been twenty years now that we've needed that idea, and I'm not holding my breath. Tech continues to insist that anonymity is more important than accountability. Our users pay the price of our insistence to this day.

[musicale]

> If you have an idea on how abusive actors behind CG-NAT can be identified and blocked without blocking the entire CG-NAT, and that idea is not morally unacceptable

I don't think a general solution would be required in this instance.

In this case, as I understand it, the abusive actors did the following:

1) tried to join with an abusive name

2) impersonated a student login and yelled abusive things in chat

It seems that (1) could be solved by blocking connections from any user name that is not on a whitelist of approved student names and nicknames, and (2) is most likely an issue of someone else accessing the student's login credentials, so it could potentially be mitigated by multifactor authentication.

[nieve]

If I understand the article correctly they didn't even have evidence his credentials were used. All they had was a shared IP address. Given that his teachers testified in his favor I have to wonder if there was some specific grudge against the kid. Alternatively they were incompetent about the IP thing from the beginning and as soon as they realized they might be wrong went into full cover-up & deny everything mode.

[cdsmith]

Keep in mind that this article was written by a reporter who was unable to talk to the district, and got all their information from a lawyer representing the kid who was suspended. The district itself is prohibited from releasing any information about the case by privacy laws, no matter what the family says or how accurate it is. The same evidence was presented to the school board in an appeal hearing, and they (granted, probably not technical people) did not find it convincing. That doesn't mean the family's lawyer is wrong, but it is worth keeping in mind as you evaluate this. We don't have the whole story here.

[michaelmrose]

It's extremely likely that nobody wants to rock the boat and give an injured party evidence to be used against their employer. Their employer would almost certainly prefer to wrongly punish a student if it has a fraction of a chance at getting them out of a lawsuit.

It's also likely that there isn't a single person in a leadership position with the entire school board who is even slightly technically competent.

Next we already have precedent that IP addresses don't uniquely identify people for the purposes of law. It is incredibly likely that such an action wouldn't pass the sniff test if the IP addresses given were entirely correct.

Lastly even if he actually did try to log in with "i will murder u all of u" no reasonable person would consider this an actual threat without talking with the student. Kids are stupid, and kids say stupid things. Time and again schools fail to address the real problem children before things blow up and then use their persistent failures to justify overreaction to the detriment of students.

[TomSwirly]

Precisely! Even if he did it, for which there's no proof and plenty of counter-evidence, he doesn't deserve to not get an education.

[whimsicalism]

Wow, if only you all saw what regularly occurs in inner-city public schools.

Suspensions like these are common, especially among black boys. I saw all sorts of overly punitive nonsense, not to mention that we had to queue up for an xray + metal detector every day we went to school. Really, really felt like you weren't treated with a shred of dignity.

[TomSwirly]

God, I'm sick of that comment. Far too many institutional wrongdoers hide behind "privacy laws".

If the school board knew that it had incriminating information, it could ask the family to waive its privacy rights, and then if that didn't happen, explain that, without violating any law.

The school admits to punishing this kid based primarily on his IP address. We all know this is utterly worthless. The technical details make it even clearer that this is unreliable.

Also, the teachers uniformly spoke of the kid as quiet, respectful, and studious. This should be worth far more than an IP address. It's not, because administrators consider the opinions of their own teachers to have no value.

AND, let me be blunt here!, even if the kid did do it, which I think highly unlikely, this is NOT an excuse to deprive him of an education!

---

For whatever reason, many people have this fetish for authority, even when that authority through their own words shows their unreliability.

I also think a lot of people respond positively to stories about cruelty and punishment.

[LorenPechtel]

I strongly suspect it was an ignorant IT person coupled with an administration determined to blame somebody. He just had the misfortune to be the first student that came up when looking for someone with that IP.

[MathCodeLove]

Instead of a permanent IPv4 ban consider issuing a temporary one just long enough to dissuade the aggressor from continuing their behavior. This would be just as effective, and is far less likely to impact others down the road.

[missingcolours]

Almost every time I start a new job I find a list of "blacklisted IPs" in the firewall and no one seems to know from whence they came, they've just always been there. It's a perfectly reasonable short term solution in some situations where there are few options, but like, expire them after some period of time, don't leave random IPs blocked for years.

[kaliszad]

Well, at my previous job, the company was blackholing 1.1.1.0/24 and others in the 1.0.0.0/8 subnet because that was the previous LAN. Thankfully, I have done an audit and removed this nonsense.

[rootw0rm]

that's insane. i block IPs for 10 minutes to start. not a big fan of the abuse IP databases either after I leased a server that was blacklisted before I even got it.

[floatingatoll]

I agree, timers are generally a sound approach. I would personally go with 36 hours to wait out the typical human attention span.

[foobar33333]

Short term IP blocks can be fine but to take real world action like the OP post based on a very weak data source is irresponsible.

[vitus]

> If you have an idea on how abusive actors behind CG-NAT can be identified and blocked without blocking the entire CG-NAT

Working with the carrier? Depending on the kind of abuse, it could very well be against the ISP's ToS, and the ISP hopefully doesn't want its users blocked wholesale just because of a few bad actors dragging down the reputation of its IP blocks.

[floatingatoll]

Is the carrier willing to work with any website who is abused by their customer? Is their barrier to accountability the demand for a civil or criminal lawsuit? Can sites with mouth legal presence in the same country as the provider seek accountability? Must sites have vast monetary resources sufficient to survive the provider’s attempt to protect their customer from being held accountable under the banner of privacy? How can the provider defend themselves against abusive and falsified requests for identification? Is there an agreement that can be reached to protect identities while still stopping ongoing willful abuse by anonymous customers?

I appreciate the theory that you’re sketching, and I think it certainly has potential. But we already have the theoretical capability you describe today, and have had it for decades, and yet online abuse continues unchecked — so you’ll have to talk more about how and why your recommendation improves on what we have today.

[vitus]

Oh, I agree that the carrier isn't going to work with just any website.

But companies like Zoom (as would be relevant in this scenario) might hold more sway, especially if the looming threat is "deal with this on your end, or we will, with the blunt instrument that is IP banning". (Now, whether Zoom would engage in an IP ban just for abuse affecting a single school is a different story. But I imagine they must have some motivation to deal with zoombombing. Right??)

The school itself might not have the resources to engage in a legal battle, but they could certainly get law enforcement involved, especially if the abuse enters, say, hate crime territory, as it seems like it may have in this case.

(Granted, the privacy concerns that you raise are an entire issue in themselves, and I don't have any answers there.)

To be clear -- this isn't a novel proposal, per se, unless talking to other people is novel :) But, it's just a suggestion that while circumventing CG-NAT is technologically infeasible from the outside, technical solutions are not the only option.

And if it's not possible from the outside, well, there's one entity who's positioned to further trace the abusive users...

[floatingatoll]

Law enforcement has not demonstrated a willingness to spend its resources on these concerns, and frequently will disregard threats of bodily harm and murder. Expecting them to respond to requests from a web forum, my go-to litmus test for solution viability, is laughable in the United States and I suspect most of the rest of the world as well.

The entity delivering service to the abusive customer is profiting from that delivery. Terminating service to that customer hurts their bottom line. They have strong incentives to not only refuse all requests for help, but to resist even the most serious of requests, in order to protect their bottom line.

I’m sorry to rain on your parade - it’s nothing personal! I wish I could be more supportive! - but there is overwhelming evidence that every entity that is positioned to help will do whatever it takes to avoid helping.

If this remains unsolved, we’re going to end up losing anonymity on the Internet. Several online food delivery systems in the US already permanently block Cloudflare’s 1.1.1.1 VPN product by IP, using Cloudflare’s own CDN protection tools! Because it turns out that effective anonymity for all comers protects abusers from accountability.

That’s why this is a billion-dollar problem.

[vitus]

No offense taken!

I do wish that the market would work as intended such that failures in handling abuse (e.g. frivolous accusations as we're plausibly seeing here) would lead to organizations moving away from Zoom to competitors, whether it's Teams or Meet or BlueJeans or whatever else. But unfortunately the friction of changing platforms is high, between sunk cost of contracts, needing to vet / compare multiple new systems, training on the use of new software, etc.

Meanwhile, the existing solution mostly just works 99% of the time.

(All this said -- even if CG-NAT is to blame for multiple students showing up with the same IP address, that should be tangential to the actual identification of abuse. Either there's a process failure (students aren't required to sign in), or Zoom's not logging or looking at the right things (e.g. display name changes).)

[TomSwirly]

> I do wish that the market would work as intended

(Intended?! By whom?!)

In this case, the market is working exactly as markets are supposed to. Effectively dealing with abuse is expensive, and has no profit potential whatsoever.

The market will therefore penalize companies that spend money on dealing with abuse, and reward companies that do not. Economically, companies that manage to sweep abuse under the rug for the minimum possible cost will naturally dominate, and companies that spend the considerable investments needed to do a good job on it will eventually go to the wall.

If "market working as intended" has any meaning, maximizing profits is certainly it. It's very economically logical for a provider to not cater to the 1% or so abuse victims, who are expensive to handle, offer little revenue, and might stay with you anyway out of a lack of other places to go. It might be unfair, lack compassion, and be cruel to prioritize abusers over the abused, but none of these terms have any meaning by the metric of "markets"

[celsoazevedo]

> Several online food delivery systems in the US already permanently block Cloudflare’s 1.1.1.1 VPN product by IP, using Cloudflare’s own CDN protection tools!

If they use Cloudflare, then that block is dumb. Sites behind Cloudflare are able to see the real IP of a 1.1.1.1 WARP user. Non-Cloudflare sites will see Cloudflare's IP.

WARP isn't a traditional VPN service[0]:

> "From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit."

[0] https://blog.cloudflare.com/announcing-warp-plus/

[floatingatoll]

Yes, I agree that the block is dumb. No, knowing that technically it’s useless made no difference whatsoever in getting them to lift it. There is no financial incentive for them to improve their block to be more capable or granular. They would rather not have customers who use a VPN, because to them a higher percentage of those customers are abusive. What case might you recommend to convince them otherwise?

[TomSwirly]

> But we already have the theoretical capability you describe today, and have had it for decades, and yet online abuse continues unchecked

There is absolutely no mystery as to why. The for-profit corporations that provide these services have absolutely no interest in preventing online abuse, because doing so is expensive and there's no way to make money out of it.

[the provider blah blah]

As a human being, I really don't give a tuppenny damn about "the providers" anymore. This has been a problem for decades, and for decades we've had nothing but whining excuses from "the providers" while they continue to do nothing.

"The providers" should have been investing in anti-abuse technologies and systems starting in the previous century. They haven't done anything.

Draconian measures are needed. If "the providers" have to scramble, maybe even take losses for a few quarters, it's too damn bad for them.

[bawolff]

Having them be logged in?

There's contexts where that doesn't work. A zoom call isn't one of them.

[u801e]

Certificate based authentication would work in combination with a username and password. The private key could be stored on the school issued device.

I'm not sure why anonymity would play any role in terms of connecting to an online class.

[curryst]

I thought the same thing as you, but many students use their personal devices. I can't imagine the pain of trying to get all the students to set that up correctly, and the security implications of managing certificate stores is not something I would want to hand over to a lowest-bidder contractor for a school district. I don't really love that Microsoft/Linux distros manage them as is (although I'm admittedly too lazy to manage them manually).

[croutonwagon]

Whois abuse reporting is the solution that is already in place and comes to mind. If you NAT segments of your network and mask your userbase from the greater internet, you inherit some responsibility for their actions, same with smtp spam as any other service.

But many carriers simply ignore or don’t respond, much less investigate. To the point that people regularly take to other means to establish backend contact with larger carriers like Comcast, resorting to list serves like nanog.

Ultimately it’s on the carriers to doll out the money to support it. But they could easily implement strike policies like DMCA reports have for many. Against both customers engaging in malicious activity snd reporters abusing the system or making spurious reports that waste resources.

However that would mean carriers like comcast would need to stop their efforts to completely frustrate communication with other NOC's etc.

[tomjen3]

It seems we need something that is difficult/expensive to create, but which does not permit anybody to trace the owner.

We either need something provided by the government that is unique to each recipient and services tuple (so it can't be used to trace anything), but will be the same each time, and so can be banned.

Else we need something like a proof of work, but that would either have to so expensive to create that we would have to reuse it across all the end points.

I guess we could also mandate ipv6, but then blocking the addresses wouldn't be very useful.

Finally I guess we could mandate that all IPs be treated equally and then companies that can't handle that would have to close down.

[tinus_hn]

Here’s the one billion dollar idea: per person authentication instead of one code per room.