• Registered (unregistered)

    The original developer should have put all the individual IP addresses in a database. Or perform a Regex on the frist part of the binary representation of the IP address.

  • huppenzuppen (unregistered)

    So what if you were not allow-listed, but just went directly to http://www.somedomain.com/something/that/is/meant/to/be/private?

  • (nodebb) in reply to Registered

    Or at least whoever it was should have table-driven it with a "if the address itself is directly in this table OR if the first three 'bytes' are in that table" check.

    And then (later?) read the tables from a database.

    But for the comment in the article, the complaint by the manager, "Every computer has a unique IP address!", well, you tell the manager to go home and find out the IP address of his home PC (er, by asking the computer itself, not by asking whatismyip dot com), then do the same yourself. Highly likely that both will be 192.168.1.something, and far from impossible that both will have the same "something".

    Or you slap him around, possibly with a week-dead mackerel(1), until he accepts that he just said something truly stupid.

    (1) Week-dead (and kept at room temperature) for olfactorily obvious reasons. Wear gloves when handling it. Mackerel because it's a convenient size to slap someone with.

  • Sauron (unregistered)

    Whitelisting IP addresses could technically make sense in the specific context of allowing access to the internal tools of a company only to employees that use the proper VPN. But that's it. And even that would not replace login, it would merely be an additional measure.

    Authentication humans into a computer system is a hard problem. Identifying devices, IP addresses, cryptographic secrets, etc, are just imperfect substitutes.

  • Pabz (unregistered) in reply to Steve_The_Cynic

    My computer has the IP address and I invite everyone here to try to hack into it :)

    Management not knowing about NAT - what a surprise!

  • Brian (unregistered)

    "Allow-listing", really? Is there no jargon that's safe from the PC police?

  • Oracles (unregistered)

    Huh, the machine I'm sitting at right now has three IPv4 addresses and 20 IPv6 ones (7 of which are GUAs). I wonder which one is The Unique One?

  • (author) in reply to Brian

    "Allowlist" is a literal description of the thing. "Whitelist" requires a cultural knowledge to understand. Is it PC police or just clear language?

    Admittedly, I prefer "blacklist" because "in one's black books" is an awesome sounding phrase, but it's not the clearest use of language.

    Also, your useless trivia for the day: in old English, "blac" meant extremely pale, and "blaec" meant "the color of coal", which means through Middle English, "blake" ended up meaning either extremely pale or extremely dark.

  • dusoft (unregistered) in reply to Brian

    OK, boomer.

  • Officer Johnny Holzkopf (unregistered) in reply to Remy Porter

    Many termini ternici in IT have been invented with some specific cultural background knowledge, but today those t. t. stand "as is", without this knowledge where it originally came from. Can you - without any Internet - explain what a mainframe is and why it is named that way? Primary master, primary slave, secondary master, secondary slave, cable select? I could even object to the word "select" because of... selection, and I could object to the word "object" because of implied dehumanization. I could even imply religious fanatism into "host address". And where is the post office in POP3? Given enough imginative power, a whole technical language can be deconstructed and destroyed, or turned into something that the majority of users can no longer understand (like Microsoft inventing non-standard terms to be used instead of the ones established years or even decades ago). Personally, I fully agree with "allowlist" as an appropriate terminus technicus, and given some time, it can surely become the common name of what we might call "whitelist" today without any further thinking (and "blacklist" replaced by "blocklist" in the same way), because we just have accepted it as a (neutral) terminus specific to IT. Just let us be tolerant to this change, it is okay. Times change. People change. Opinions and interpretations change. So does language - often because people learn and become more sensitive to what they say; sometimes because they are just plain stupid though...

    By the way, cultural differences can also be seen in captchas people have to solve all the time. Hydrants and school buses in my country look different than those presented from what I believe are US hydrants and school buses. How am I supposed to know how a US hydrant looks like? Or US Zebrastreifen? Help help I'm being oppressed! I'm not even a robot!

  • (nodebb) in reply to Officer Johnny Holzkopf

    Just curious if you meant "termini tecnici" or if my google-fu is insufficent to find "ternici".

  • löchlein deluxe (unregistered)
    Comment held for moderation.
  • Jaloopa (unregistered) in reply to Brian

    I'm sorry your sense of identity is so fragile that you get offended by the renaming of whitelist

  • (nodebb)

    Setting aside the recent digression ...

    And setting aside the whole idea that this approach to "security" makes any sense ...

    My scrollbar was panting pretty hard by the time I got to the right margin. I wonder how it is they ended up with quite so many /24 subnets where everyone there was allowed. That certainly smells like this is intranet allow-listing, not public internet. I will bet a couple Jacksons that the networking department there has no idea there's now a business requirement to notify the dev who controls this code any time they restructure their address space or add new /24 addresses. I will further bet there's a hell of a lot of redundancy in the /16 part of all those /24 addresses where they could have cut down a LOT of comparisons with a little thought to code structure.

    I also like two of the three mongo comparisons could have been short-circuited by an if ok=1 or .... Although IIRC, classic ASP Visual Basic did not do short-circuiting evaluation (hence VB.Net's eventual addition of AndAlso and OrElse to do short-circuiting), so they'd really need to enclose the long if ip3 = ... or ... or ... or ... crapola in an outer if ok = 0 then ... end if block.

  • (nodebb)

    I'm confused, what language is that (maybe that one should be part of the article). Looks to me like a really version of BASIC... the naming is off those for VB.net, but maybe it's just not cleanup code. Odd.

    Addendum 2024-02-02 10:45: Nvm, missed the "old- classic ASP". So it is VB.net after all.

  • Officer Johnny Holzkopf (unregistered) in reply to dpm
    Comment held for moderation.
  • John (unregistered)
    Comment held for moderation.
  • ghostcartsdiscounts (unregistered)
    Comment held for moderation.
  • BeeKay (unregistered)

    It’s good that Amanda deleted that block, otherwise some poor soul would have to eventually deal with IPV6 …

  • LazerFX (unregistered) in reply to MaxiTB

    No, this isn't VB.NET - it's VB. Classic ASP, not ASP.NET. This is pre-2001 code, what I cut my teeth on when starting web design back in the day. I'm sure I've many such WTF's littered out there, as I had nobody to learn from but experience, so I just... went with what seemed to work without understanding. I have learned, though, so nowadays I'm a little better :D

  • (nodebb) in reply to Sauron
    Comment held for moderation.
  • Shannon (unregistered)

    This is so common in subscription information services - e.g., corporate subscription access to a newspaper, or organisation subscription to a journal or something like that, where they will whitelist your proxy server so that all users from your network have access. It's common because it's what was done before credential federation technologies (like SAML) were commonplace.

    Obviously, it means that if your IT team changes the IP for whatever reason (because they change suppliers or fail-over), things break. All of a sudden the (non-IT) library information team complain that the IT team changed something. But this malarky is so common that Universities have resorted to running their own proxy servers for offsite staff to access subscriptions that the University pays for.

    (The best fix is, of course, that newspapers should accept ODIC/SAML/oAuth authentication for their corporate/organisational clients instead.)

  • Gnasher729 (unregistered)

    Apple has an interesting license for macOS applications: up to six family members for non-commercial use. For commercial use you have the choice of any number of users on a single computer or one user on any number of computers.

    If an application wanted to enforce this… Good luck.

  • A Millennial Here (unregistered) in reply to dusoft
    Comment held for moderation.

Leave a comment on “A Well Known Address”

Log In or post as a guest

Replying to comment #:

« Return to Article