Almost zero complexity and cost. Maybe if you're a bad at sysadmin work it adds cost and complexity.
>defense without corresponding increases to attacker costs.
It adds a _huge_, almost incalculable cost increase to attackers.
>If you believe there are unknown OpenSSH attacks, you can't coherently believe that port knocking is a real defense, since port knocking doesn't do anything to protect the SSH channel that attacks will be carried out in.
Looks like you don't understand the concept of 0-days. Several CVEs we're listed elsewhere. I suggest researching 0-day exploits so you understand how port knocking mitigates them.
Port knocking mitigates 0-days.
>Instead, if you're actually worried about OpenSSH vulnerabilities, you shouldn't be exposing SSH to the public Internet at all.
I don't disagree here, VPN is a great solution. Nonetheless, for some shops simple port-knocking on a bastion host solves, a lot of these issues, and removed the complexity that VPNs add.
>I'm not super worried about OpenSSH server vulnerabilities, but I would never recommend that teams leave SSH exposed; they should just hide that stuff behind WireGuard.
No one is super worried about things like shellshock, heart bleed, etc. until they happen.
Port knocking solved a lot of problems, protects you from zero-days, and makes SSH noise a non-issue (huge signal-to-noise gains).
I believe they tried blaming this on the creator of the C++ port of their server software without any proof and it sort of left a bad impression with me.
The post makes their mistakes pretty clear, I think. Public out-of-date Jenkins instance, SSH forwarding enabled by developers for all matrix.org servers, and not realizing they only rotated their personal Cloudflare API key and not their admin one.
It's very embarrassing for sure, but tons of huge private corporations have been breached through worse mistakes than this. Making their Jenkins public was probably the worst decision. They explain why they did it, and it's not unreasonable (radical openness and transparency, basically), but they should've thought it through more.
I think everyone should be free to post whatever they want; nonetheless, providing some kind of source to incriminating claims would be great--if only to make verifying them easier to other users.
In any case, this kind of posts is a reminder to stay alert and think critically; otherwise, we would believe many instances of misinformation without giving them a second thought. And we cannot expect others to downvote comments to oblivion or moderate them: it's something we ourselves have to be responsible for.
That post was nothing to do with the security incident in question here (which happened April 11th 2019; that post is from March). The details in that post are sadly true (as others confirm on that thread).
However, we have no reason to believe there was a link to the April incident.
yes, and he was, by his own admission: repeatedly bragging about exploiting bugs in Matrix’s beta design which we hadn’t fixed fast enough in his estimation (hijacking Matrix HQ; bricking #matrix-dev; threatening to loop over all public rooms to brick them unless we paid him; etc). It wasn’t exactly subtle, and it’s bizarre if you think we’re making this up or presenting without evidence.
However, the matrix.org security breach in Apr 2019 was unrelated to him, as far as we know.
Glad they spent time replacing the facist, sexist, homophobic, transphobic, white supremacist verbiage "master" instead of ensuring their white and Asian employees had jobs.
> Not sure why there are so many myths about this.
Politics. And not every place is Texas. Also, because there are precious few examples of voter fraud while there is ample evidence of voter suppression.
Which of those IDs is available for free? I just checked the state website and they charge for drivers licenses and state IDs and all the federal IDs require money.
They at least offer the alternate forms of ID, but those still eliminate people. A homeless person is probably not going to have any of those documents on hand, but they have every right to vote. There is also the inherent problem of singling out people without ID for further scrutiny. This added "security" has notoriously been used as a method to suppress the vote over the course of US history. The simple act of requiring someone to state on a government form they can't "reasonably" obtain an ID is going to scare some people off from voting. What is "reasonable"? Am I going to be charged with voter fraud if I simply didn't want to spend the money on an ID? Will I end up in jail for voting? There is a chilling effect here.
>Which of those IDs is available for free? I just checked the state website and they charge for drivers licenses and state IDs
The Texas Election Identification Certificate ID is free.
>and all the federal IDs require money.
Wrong. Military and veteran IDs are federal IDs that are free of charge.
>They at least offer the alternate forms of ID, but those still eliminate people. A homeless person is probably not going to have any of those documents on hand, but they have every right to vote.
They wouldn't have been allowed to vote under the previous system either. This is a red herring.
> There is also the inherent problem of singling out people without ID for further scrutiny. This added "security" has notoriously been used as a method to suppress the vote over the course of US history.
There is no "further scrutiny". You either have the documentation that proves your eligibility to vote in your locality, or you don't. Studies showed that Voter ID laws have little to no effect on turn out.
> The simple act of requiring someone to state on a government form they can't "reasonably" obtain an ID is going to scare some people off from voting.
No doubt, but in Texas and in many other states, they are reasonably attainable, and have no fees. Somewhat of a straw man here. Again, studies showed that Voter ID laws have little to no effect on turn out.
> What is "reasonable"? Am I going to be charged with voter fraud if I simply didn't want to spend the money on an ID?
No, you just won't be allowed to vote. You won't be charged with any crime. Also, you don't spend money on fees, the above ID mentioned is free.
> Will I end up in jail for voting? There is a chilling effect here.
This is all conjecture. There is no chilling effect on requiring a free voter ID according to the studies.
>The Texas Election Identification Certificate ID is free.
Which itself requires ID to acquire defeating its purpose as an alternative ID for people without ID.
>Wrong. Military and veteran IDs are federal IDs that are free of charge.
I was referring to the IDs available to the general public. A military ID being free is irrelevant to a huge majority of the US.
>They wouldn't have been allowed to vote under the previous system either. This is a red herring.
How is that a red herring? A flaw existing in both the old and new system doesn't mean it isn't a flaw. Do you think disenfranchising homeless people is acceptable?
>There is no "further scrutiny". You either have the documentation that proves your eligibility to vote in your locality, or you don't. Studies showed that Voter ID laws have little to no effect on turn out.
It takes added time and requires further documentation. The time it takes to vote has been shown to have an impact on voter turnout. Also I don't know what studies you are talking about. Here is one from a nonpartisan Government Accountability Office that says the exact opposite[1].
Your other points all rely on something refuted in the above points.
>Which itself requires ID to acquire defeating its purpose as an alternative ID for people without ID.
You need documentation to prove you're eligible to vote in your locality in order to be able to vote in your locality. The is the same logic behind any type of identification/registration, Voter ID or not.
>I was referring to the IDs available to the general public. A military ID being free is irrelevant to a huge majority of the US.
You specifically stated "all the federal IDs require money", which is patently false, QED.
>How is that a red herring? A flaw existing in both the old and new system doesn't mean it isn't a flaw. Do you think disenfranchising homeless people is acceptable?
It is by definition a red herring because being a flaw or not is immaterial to the discussion at hand since it is not specific to Voter ID laws. You asking the question is a textbook logical fallacy.
>It takes added time and requires further documentation. The time it takes to vote has been shown to have an impact on voter turnout.
Sometimes it takes time to leverage your rights. Gun background checks is an example of that, as are voter ID laws. There is no conclusive study that has shown voter ID laws impact turnout.
> Also I don't know what studies you are talking about. Here is one from a nonpartisan Government Accountability Office that says the exact opposite
You linked a piece from a laughably biased news source. It even states opposite of your claim: "That change wasn't entirely due to voter ID, of course, but the GAO report suggests it played a part."
"In a 2014 review by the Government Accountability Office of the academic literature, five studies out of ten found that voter ID laws had no significant effect on overall turnout, four studies found that voter ID laws decreased overall turnout, and one study found that the laws increased overall turnout."
"Studies of the effects of voter ID laws on turnout in the United States have generally found that such laws have little, if any, effect on turnout."
I'm far from an expert in Texas election law, but here is what I found in a quick Google search[1]. In order to get an Election Identification Certificate you need to go to a DMV office during business hours with a proof of citizenship and a proof of identity. It sounds like the existence of this ID is redundant if you need ID to acquire it. It almost seems designed solely to counter people when they complain voter ID laws are the equivalent of a poll tax.
Why do you need to validate citizenship when issuing a voter ID if citizenship was already validated when registering to vote? That seems like a completely redundant requirement that is only put in place to make it slightly more difficult to acquire said ID.
I don't think citizenship is actually validated when you register to vote. I live in California and all I had to do was go on their website and check a couple boxes and fill out a form.
In several areas it is permissible for residents to be registered to vote in municipal elections etc. In some places, the local government has made efforts to get those who are neither legal residents not citizens registered for local elections. In those locations, enforcing a requirement to validate citizenship when availing onesself of the privileges thereof (e.g. voting in federal elections) makes sense.
It is very easy in the US, especially in either very urban or very rural communities. If you don't drive on public roads and are already established in life with a job or bank account, you probably don't actually need an ID for much in your day to day life. Even activities that we normally think of as requiring an ID like traveling on a plane are possible without an ID if you are willing to jump through some hoops.
Then it's even better than in Europe, you usually pay a small tax to get documents. Then what is this fuzz about having a proper documents to vote about? Republicans being suspicious about the fraud has merit.
Requiring any tax in order to allow someone to vote is expressly illegal in the US as it used to be abused as a form of voter suppression.
From our Constitution (24th Amendment, Section 1)[1]:
>The right of citizens of the United States to vote in any primary or other election for President or Vice President for electors for President or Vice President, or for Senator or Representative in Congress, shall not be denied or abridged by the United States or any State by reason of failure to pay any poll tax or other tax.
Well you need a home too to vote? Or how do they send you the envelope otherwise? Isn't that a tax as well. I could count tons on items, where's the line? Transport to polling station? Clothes to show up?
You do not need a home or address to vote. You can setup your mail to be sent to a shelter, a social worker, or any number of other options. The US Postal Service has also been known to deliver to places that don't have official addresses so you might even be able to get something delivered to the "red tent behind the Walmart". You can also generally pick up whatever you need from the local elections office.
Numerous services exist to provide free rides to polling places including some publicly owned transportation options.
The right to vote does not excuse you committing crimes in order to vote and being naked is generally illegal is most of the US which would probably be what prevents you from voting without clothes.
Poor people are the least likely to have the time and means to get any of these free IDs. To add to that, states like Alabama strategically place offices to make it even more difficult for e.g. people who do not have access to a car to get said ID.
The Social Security Card is a free document. They mail it to you without you having to present yourself anywhere. There would be far less objection to voter ID if this type of system was being proposed by proponents of voter ID.
>Poor people are the least likely to have the time and means to get any of these free IDs.
I'd say it's the opposite. Employed middle class working 9-to-5 with 2 kids have less time and means. There's a Hitchen's quote somewhere here...
Voter ID laws have not been show to reduce turn out.
>To add to that, states like Alabama strategically place offices to make it even more difficult for e.g. people who do not have access to a car to get said ID.
That's not a problem with voter ID laws though. This is a red herring.
>The Social Security Card is a free document. They mail it to you without you having to present yourself anywhere.
This is patently false. I just personally went through this. You absolutely have to show up to a SSA office and bring documentation.
> Employed middle class working 9-to-5 with 2 kids have less time and means.
"Employed middle class" typically reads as "mobile" and "9-5" frequently reads as "white-collar". Those folks feel time constrained, but they are also very likely to have e.g. PTO/flexible work schedules and access to transportation.
It's worse for (say) unemployed people with no transportation. This is to say nothing of the disabled, bedridden, etc. There are significant numbers of people for whom this is an unnecessary burden.
And again -- this burden is significantly higher than the requirement placed on residents who wish to carry shotguns into restaurants.
> Voter ID laws have not been show to reduce turn out.
Voter ID laws have not been shown to reduce voter fraud. At best, they add cost and bureaucracy without any proven benefit.
> That's not a problem with voter ID laws though. This is a red herring.
A common argument against voter ID laws is that they are of a lineage with historic disenfranchisement mechanisms in the US. Strategically making it difficult to get a newly-required voter ID is a direct descendant of the voter suppression schemes our parents fought against. It's absolutely relevant to bring in recent history.
> This is patently false. I just personally went through this. You absolutely have to show up to a SSA office and bring documentation.
Did you lose your card, or need a replacement in a hurry? For decades, newborns have been able to be issued cards without anyone showing up at an SSA office. (Yes, I have personally done this for an infant. I can confirm that you fill out a form and they mail you a card, just like you'd expect.) SSA also has a site where residents of many states can request a replacement card online if they have state ID: https://www.ssa.gov/myaccount/replacement-card.html.
[Edit: The SSA forms indicate that even replacements for adult citizens can be done via mail. It would be fair for you to mention that you had an atypical situation that required you to go in to get a card, but that this is not required.]
If voter ID proponents start advocating for Social Security cards or other 100% free-by-mail IDs as voter documents, a lot of the opposition would go away. But then, so would the perceived partisan benefit, so that's not in the cards.
>"Employed middle class" typically reads as "mobile" and "9-5" frequently reads as "white-collar". Those folks feel time constrained, but they are also very likely to have e.g. PTO/flexible work schedules and access to transportation.
"In 2005, sociologists William Thompson and Joseph Hickey estimate an income range of roughly $35,000 to $75,000 for the lower middle class and $100,000 or more for the upper middle class."
That encompasses the likes of 9-to-5ers, licensed electricians, oil field workers, etc.
>It's worse for (say) unemployed people with no transportation. This is to say nothing of the disabled, bedridden, etc. There are significant numbers of people for whom this is an unnecessary burden.
It's probably even easier. With unemployment benefits, additional stimulus, and lots of time on their hands, it's a perfect time to get their voter ID. Disabled and bedridden were equally disadvantaged under prior systems; this is a red herring.
>And again -- this burden is significantly higher than the requirement placed on residents who wish to carry shotguns into restaurants.
Categorically wrong. You need a photo ID to purchase a firearm, and some states require a license to carry long guns. Other states outright ban open carry of long guns.
>Voter ID laws have not been shown to reduce voter fraud. At best, they add cost and bureaucracy without any proven benefit.
Voter ID laws have been shown to reduce and/or prevent certain types of voter fraud, though indeed voter fraud is rare. At best, they prevent voter fraud, speed up the actual voting process at poll sites, reduce certain types of errors, etc.
>A common argument against voter ID laws is that they are of a lineage with historic disenfranchisement mechanisms in the US.
It's a common argument, but it's more of a conspiracy theory without any hard numbers to back it up.
>Strategically making it difficult to get a newly-required voter ID is a direct descendant of the voter suppression schemes our parents fought against. It's absolutely relevant to bring in recent history.
It's not difficult, nor do voter ID laws suppress voter turn out. Unproven conspiracy theories have nothing to do with recent history.
>Did you lose your card, or need a replacement in a hurry?
I needed to change my name, which most married females do. Nonetheless, if you lose your voter ID card and you don't have to make a change, you can similarly get a replacement without showing up to an office. This makes your entire point moot.
>For decades, newborns have been able to be issued cards without anyone showing up at an SSA office. (Yes, I have personally done this for an infant. I can confirm that you fill out a form and they mail you a card, just like you'd expect.) SSA also has a site where residents of many states can request a replacement card online if they have state ID: https://www.ssa.gov/myaccount/replacement-card.html.
That website specifically outlines that you need a "driver's license or a state-issued identification card from one of the many participating states.", so, again, that absolutely negates your point.
>[Edit: The SSA forms indicate that even replacements for adult citizens can be done via mail. It would be fair for you to mention that you had an atypical situation that required you to go in to get a card, but that this is not required.]
Changing your name is not an atypical situation. About 80% of married females end up changing their name. Also, the SSA form literally outlines that you need a state issued ID... like a driver's license that you can use for voting!
>If voter ID proponents start advocating for Social Security cards or other 100% free-by-mail IDs as voter documents, a lot of the opposition would go away.
>But then, so would the perceived partisan benefit, so that's not in the cards.
There is no effect on voter turn out, nor is there a partisan benefit. One of the supposedly most "at risk" groups to be suppressed by voter ID laws are the elderly. They overwhelmingly vote Republican.
Wrong, it solves tons of them.
>adds complexity and cost
Almost zero complexity and cost. Maybe if you're a bad at sysadmin work it adds cost and complexity.
>defense without corresponding increases to attacker costs.
It adds a _huge_, almost incalculable cost increase to attackers.
>If you believe there are unknown OpenSSH attacks, you can't coherently believe that port knocking is a real defense, since port knocking doesn't do anything to protect the SSH channel that attacks will be carried out in.
Looks like you don't understand the concept of 0-days. Several CVEs we're listed elsewhere. I suggest researching 0-day exploits so you understand how port knocking mitigates them.
Port knocking mitigates 0-days.
>Instead, if you're actually worried about OpenSSH vulnerabilities, you shouldn't be exposing SSH to the public Internet at all.
I don't disagree here, VPN is a great solution. Nonetheless, for some shops simple port-knocking on a bastion host solves, a lot of these issues, and removed the complexity that VPNs add.
>I'm not super worried about OpenSSH server vulnerabilities, but I would never recommend that teams leave SSH exposed; they should just hide that stuff behind WireGuard.
No one is super worried about things like shellshock, heart bleed, etc. until they happen.
Port knocking solved a lot of problems, protects you from zero-days, and makes SSH noise a non-issue (huge signal-to-noise gains).
Used in production for years. It's fantastic.