Admin
The original developer should have put all the individual IP addresses in a database. Or perform a regex on the first part of the binary representation of the IP address.
Admin
So what if you were not allow-listed, but just went directly to http://www.somedomain.com/something/that/is/meant/to/be/private?
Admin
Or at least whoever it was should have table-driven it with a "if the address itself is directly in this table OR if the first three 'bytes' are in that table" check.
And then (later?) read the tables from a database.
But for the comment in the article, the complaint by the manager, "Every computer has a unique IP address!", well, you tell the manager to go home and find out the IP address of his home PC (er, by asking the computer itself, not by asking whatismyip dot com), then do the same yourself. Highly likely that both will be 192.168.1.something, and far from impossible that both will have the same "something".
Or you slap him around, possibly with a week-dead mackerel(1), until he accepts that he just said something truly stupid.
(1) Week-dead (and kept at room temperature) for olfactorily obvious reasons. Wear gloves when handling it. Mackerel because it's a convenient size to slap someone with.
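The table-driven check this comment describes, as an added example written for this thread rather than code from the article; it uses only Python's standard ipaddress module, the two tables are constructed sample data, and it goes one step further by collapsing adjacent /24 entries into larger prefixes so that each request is compared against fewer rows.

```python
import ipaddress

# Constructed sample tables (not the entries from the original ASP page).
# Exact hosts in one table, whole "first three bytes" ranges in the other.
ALLOWED_HOSTS = {"203.0.113.7", "198.51.100.42"}
ALLOWED_PREFIXES = [
    "192.0.2.0/24",
    "10.20.30.0/24", "10.20.31.0/24",   # adjacent: collapse to 10.20.30.0/23
    "10.20.32.0/24", "10.20.33.0/24",   # adjacent: collapse to 10.20.32.0/23
]


def build_allowlist(hosts, prefixes):
    """Turn both tables into one list of networks.

    Exact hosts become /32 networks.  ip_network() is strict by default, so a
    sloppy table entry such as "10.20.30.5/24" raises ValueError instead of
    silently admitting a whole range.  collapse_addresses() merges adjacent or
    overlapping prefixes, removing redundant per-/24 comparisons.
    """
    nets = [ipaddress.ip_network(h) for h in hosts]
    nets += [ipaddress.ip_network(p) for p in prefixes]
    result = []
    # collapse_addresses() only accepts one IP version at a time.
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        result.extend(ipaddress.collapse_addresses(same_version))
    return result


def matching_network(addr, allowlist):
    """Return the allowlist entry that admits addr, or None.

    Returning the matching rule (rather than a bare True) lets the caller log
    which table row granted access.  Malformed input is denied, not raised.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    return next((net for net in allowlist if ip in net), None)


def is_allowed(addr, allowlist):
    return matching_network(addr, allowlist) is not None


if __name__ == "__main__":
    table = build_allowlist(ALLOWED_HOSTS, ALLOWED_PREFIXES)
    print("collapsed allowlist:", [str(n) for n in table])
    for probe in ("10.20.31.200", "203.0.113.7", "203.0.113.8", "not an ip"):
        print(probe, "->", matching_network(probe, table))
```

Reading the tables from a database, as the comment suggests, only changes where the two input lists come from; the collapse and lookup stay the same.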
Admin
Whitelisting IP addresses could technically make sense in the specific context of allowing access to the internal tools of a company only to employees that use the proper VPN. But that's it. And even that would not replace login, it would merely be an additional measure.
Authenticating humans into a computer system is a hard problem. Identifying devices, IP addresses, cryptographic secrets, etc., are just imperfect substitutes.
Admin
My computer has the IP address 10.9.10.55 and I invite everyone here to try to hack into it :)
Management not knowing about NAT - what a surprise!
Admin
"Allow-listing", really? Is there no jargon that's safe from the PC police?
Admin
Huh, the machine I'm sitting at right now has three IPv4 addresses and 20 IPv6 ones (7 of which are GUAs). I wonder which one is The Unique One?
Admin
"Allowlist" is a literal description of the thing. "Whitelist" requires a cultural knowledge to understand. Is it PC police or just clear language?
Admittedly, I prefer "blacklist" because "in one's black books" is an awesome sounding phrase, but it's not the clearest use of language.
Also, your useless trivia for the day: in old English, "blac" meant extremely pale, and "blaec" meant "the color of coal", which means through Middle English, "blake" ended up meaning either extremely pale or extremely dark.
Admin
OK, boomer.
Admin
Many termini ternici in IT have been invented with some specific cultural background knowledge, but today those t. t. stand "as is", without this knowledge where it originally came from. Can you - without any Internet - explain what a mainframe is and why it is named that way? Primary master, primary slave, secondary master, secondary slave, cable select? I could even object to the word "select" because of... selection, and I could object to the word "object" because of implied dehumanization. I could even imply religious fanaticism into "host address". And where is the post office in POP3? Given enough imaginative power, a whole technical language can be deconstructed and destroyed, or turned into something that the majority of users can no longer understand (like Microsoft inventing non-standard terms to be used instead of the ones established years or even decades ago). Personally, I fully agree with "allowlist" as an appropriate terminus technicus, and given some time, it can surely become the common name of what we might call "whitelist" today without any further thinking (and "blacklist" replaced by "blocklist" in the same way), because we just have accepted it as a (neutral) terminus specific to IT. Just let us be tolerant of this change, it is okay. Times change. People change. Opinions and interpretations change. So does language - often because people learn and become more sensitive to what they say; sometimes because they are just plain stupid though...
By the way, cultural differences can also be seen in captchas people have to solve all the time. Hydrants and school buses in my country look different than those presented from what I believe are US hydrants and school buses. How am I supposed to know how a US hydrant looks like? Or US Zebrastreifen? Help help I'm being oppressed! I'm not even a robot!
Admin
Just curious if you meant "termini tecnici" or if my google-fu is insufficient to find "ternici".
Admin
I'm sorry your sense of identity is so fragile that you get offended by the renaming of whitelist
Admin
Setting aside the recent digression ...
And setting aside the whole idea that this approach to "security" makes any sense ...
My scrollbar was panting pretty hard by the time I got to the right margin. I wonder how it is they ended up with quite so many /24 subnets where everyone there was allowed. That certainly smells like this is intranet allow-listing, not public internet. I will bet a couple Jacksons that the networking department there has no idea there's now a business requirement to notify the dev who controls this code any time they restructure their address space or add new /24 addresses. I will further bet there's a hell of a lot of redundancy in the /16 part of all those /24 addresses where they could have cut down a LOT of comparisons with a little thought to code structure.
I also like that two of the three mongo comparisons could have been short-circuited by an "if ok=1 or ...". Although IIRC, classic ASP Visual Basic did not do short-circuiting evaluation (hence VB.Net's eventual addition of AndAlso and OrElse to do short-circuiting), so they'd really need to enclose the long "if ip3 = ... or ... or ... or ..." crapola in an outer "if ok = 0 then ... end if" block.
Admin
I'm confused, what language is that (maybe that one should be part of the article). Looks to me like a really old version of BASIC... the naming is off from that of VB.net, but maybe it's just not cleaned-up code. Odd.
Addendum 2024-02-02 10:45: Nvm, missed the "old- classic ASP". So it is VB.net after all.
Admin
On a related note: I find there are a lot of companies which don't attach DNS names to their addresses, and even fewer with reverse DNS.
I once worked with a partner company like that, but worse yet, no internal host names either. The employees had memorized ip addresses for the computers they used.
Admin
It's good that Amanda deleted that block, otherwise some poor soul would have to eventually deal with IPv6 …
Admin
No, this isn't VB.NET - it's VB. Classic ASP, not ASP.NET. This is pre-2001 code, what I cut my teeth on when starting web design back in the day. I'm sure I've many such WTF's littered out there, as I had nobody to learn from but experience, so I just... went with what seemed to work without understanding. I have learned, though, so nowadays I'm a little better :D
Admin
If you need to restrict access based on a VPN, you don't do that in the application code. The application shouldn't know whether it's running inside a firewall or not.
Admin
This is so common in subscription information services - e.g., corporate subscription access to a newspaper, or organisation subscription to a journal or something like that, where they will whitelist your proxy server so that all users from your network have access. It's common because it's what was done before credential federation technologies (like SAML) were commonplace.
Obviously, it means that if your IT team changes the IP for whatever reason (because they change suppliers or fail-over), things break. All of a sudden the (non-IT) library information team complain that the IT team changed something. But this malarkey is so common that Universities have resorted to running their own proxy servers for offsite staff to access subscriptions that the University pays for.
(The best fix is, of course, that newspapers should accept OIDC/SAML/OAuth authentication for their corporate/organisational clients instead.)
Admin
Apple has an interesting license for macOS applications: up to six family members for non-commercial use. For commercial use you have the choice of any number of users on a single computer or one user on any number of computers.
If an application wanted to enforce this… Good luck.
Admin
I'm a millennial, but I disagree with all the PC verbiage and stepping on eggshells as of late in the culture. I also disagree with Marxism and its derivatives. Call me intolerant, but then you're being intolerant of my view point. There is a term I learned back in my worldviews class many years ago that has stuck with me, I think primarily because it describes so many people: the Relative Relativist. In short, it means: what's good for you is good for you, and what's good for me is good for me. Where this falls apart is when what one believes disagrees with what another believes, e.g.:
Person 1: I believe it is ok to steal from another.
Person 2: I believe it is not ok to steal.
Person 1: You're wrong.
Person 2: No, you're wrong.
While stealing seems like an extreme, it highlights that the relative relativist's position is not tenable. And what's happening is a minority group is imposing their worldview on the rest. Not saying that's right or wrong, because that's a logical fallacy (appealing to the minority), just as appealing to the majority is a logical fallacy. This leads us to the all important age old question: what is truth?