• 4 Posts
  • 105 Comments
Joined 2 years ago
Cake day: July 19th, 2023

  • This seems a bit convoluted as an explanation if I’ve understood it correctly. If Telegram is using a compromised hosting provider then you could have the strongest crypto in the world to prevent a man-in-the-middle from seeing the unique identifier for each device and it wouldn’t matter since they already know which user is which IP from the servers they control. They don’t stand to gain anything by exposing the unique string to MiTM attacks when they already control Telegram’s servers unless their goal is also to allow other countries to see which user has which IP too. It just seems like an incompetent implementation.



  • Same is true for any tech thing. Sure, you can buy a perpetual licence for something but if you’re running it on anything but an isolated device then you will at minimum need security updates or the source code to fix it yourself. Same is true for things like console games where eventually the hardware will just die and it may become too expensive to replace it. Even emulation is case-by-case since some games use obscure calls which have no adequate emulation. Software doesn’t exist in isolation. For that, you have to revert to pen, paper and some analog tech.



  • The idea of having them send an e-mail to an address containing their IP is clever, however you need to authenticate that the person who sent the e-mail is either somebody who queried your site, or somebody that got the address from somebody who queried your site, or else you could just figure out how to generate that base64 yourself and impersonate somebody else’s IP address, which could have catastrophic results if you then fed these IPs into something like a block list and suddenly you’ve blocked Microsoft/Office 365. To be fair, I doubt anybody is going to try and reverse engineer one person’s code to then figure out how to impersonate who sent spam, but if this became a widely distributed program you could just pull off GitHub then it would be more concerning.

    A couple ways to solve this:

    1. Sign the information before encoding it in Base64 so you can verify it came from your site and wasn’t just spoofed. This has the upside of being stateless since you don’t need to keep a record of every e-mail you’ve generated but comes with the disadvantage of spending CPU time signing the text which could be exploited as a DDoS.
    2. Spit out a random e-mail address and record which e-mail address was given to each IP. Presumably you wouldn’t hold on to this list forever since IPs change owners frequently and so an IP that was malicious 1 month ago could be used by a completely different person now and so you can trim this list down once a month to avoid wasting disk space. You’d probably also want to keep some amount of these requests in memory (maybe 10Mb or so) to avoid ruining your IOPS.

    All this said, I think your time is better spent using unique e-mail aliases as the author suggested but with 2 changes: 1) use aliases which are not guessable to prevent somebody from making it look like somebody else was hacked (e.g. me+googlecom@ gets compromised, but the spammer catches on and sends from me+microsoftcom@ instead to throw off the scent) and 2) don’t use me+chickenjockey@, use chickenjockey@ or else the spammer can just strip “+chickenjockey” from the address to get the real e-mail address.
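
The stateless option from the comment above (sign the IP before encoding it), sketched as an added example that is not the commenter's or the original author's code. It assumes a per-site secret, a placeholder domain `trap.example`, and an HMAC-SHA256 tag with Base32 in place of a public-key signature and Base64, since the same site issues and verifies the address and mail local parts are often case-folded.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

# Assumptions for this sketch: a per-site secret and a placeholder domain.
SECRET = b"constructed-demo-key"
DOMAIN = "trap.example"
TAG_LEN = 10          # HMAC-SHA256 truncated to 80 bits keeps the address short
MAX_AGE_DAYS = 30     # IPs change owners, so old addresses stop counting

def mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]

def make_address(ip: str, day: int) -> str:
    """Issue a trap address for a visitor IP; day = days since the Unix epoch."""
    payload = struct.pack(">H", day) + ipaddress.ip_address(ip).packed
    token = base64.b32encode(payload + mac(payload)).decode()
    return f"{token.rstrip('=').lower()}@{DOMAIN}"

def verify_address(address: str, today: int):
    """Return the IP the address was issued to, or None if forged or expired."""
    local, _, domain = address.partition("@")
    if domain.lower() != DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:            # bad alphabet or padding (binascii.Error)
        return None
    if len(raw) < 6 + TAG_LEN:    # 2-byte day + at least an IPv4 address + tag
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(payload)):
        return None               # not issued by this site: never block on it
    (day,) = struct.unpack(">H", payload[:2])
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return None
    return str(ipaddress.ip_address(payload[2:]))

if __name__ == "__main__":
    addr = make_address("203.0.113.7", 20000)   # constructed sample input
    print(addr, "->", verify_address(addr, 20010))
```

Only an address for which `verify_address` returns an IP should ever reach a block list; anything else is treated as unauthenticated mail.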


  • Eh it depends. I’m fortunate enough to be in a good IP block so I don’t get my e-mails dropped purely on that. It’s been a good learning experience and I’ve leaned on my own server a number of times for troubleshooting at work since I can see the whole mail flow. The only problem I have is the free Outlook/Hotmail will not accept my e-mails. Everybody else seems fine. All that said, I don’t host anybody else’s e-mail so I haven’t had any spam come out of my IP, and I would never in a million years host e-mail for a customer.

  • The problem is if anti-cheat does not have full access but the cheat does, the cheat can just hide itself. Same for anti-virus vs viruses. It’s particularly nasty on free-to-play games where ban evading really just means you have to get a new e-mail. It’s the same reason why some anti-cheats block running games in VMs. Is it foolproof? Hell no! Does it deter anybody not willing to buy hardware to evade VM detection or run the cheat on completely separate hardware? Yes.

    Personally, I’d prefer having a stake/reputation system where one can argue that they can be trusted with weaker anti-cheat because if you do detect cheating then I lose multiplayer/trading/cosmetics on the account I’ve spent $80 USD or more on. Effectively making the cost of cheating $80 minimum for each failed attempt. Haven’t spent $80 yet? Then use the aggressive anti-cheat.