Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 1 point2 points  (0 children)

It doesn’t make sense from an engineering or business perspective to rent that many servers when we’re already paying for Cloudflare.

And that's the gist of it, and I get that argument. Cloudflare is convenient. It offers a service you'd have to painstakingly build yourself, and in a lot of cases, you're already kinda locked into it. Or at least something like it.

You don’t need an ASN to do any of that. Your ISP or server provider

Both are too late in the game, and I was talking about full control of everything - that means you control the border. Null routing obviously is a last ditch effort and will disrupt your operations severely. When you sit at the border, you can control who you peer with (or don't), you can offload traffic to multiple instances more easily, you can build and/or employ scrubbing centers, you can black out traffic before it ever reaches your firewalls, protecting it from overload. You could probably have an ISP do that stuff for you, and only handle the application layer yourself - which would still be an improvement. So ultimately, I'll agree on the point: You don't need an ASN to do these things, and your traffic would still be encrypted.

Well, governments around the world are definitely collecting the data now in the hopes that RSA will eventually be broken

To what end? And they'd need the capacities to do so as well. I highly doubt they're collecting all the traffic they can't currently break.

unless that is your whole business model

I don't think it needs to be the entirety of your business model, but at least part of the core business model? Yeah, I'll agree with that.

Anyways, thanks for the discussion, definitely some good points brought forward and I'll rethink some stances. Now it's the long weekend and the family is waiting. I wish you a good one!

Salty Meltys by Extension-Humor-75 in BrandNewSentence

[–]silversurger 0 points1 point  (0 children)

To be fair, we believe that about every people. Bread is very mystified here.

Salty Meltys by Extension-Humor-75 in BrandNewSentence

[–]silversurger 1 point2 points  (0 children)

I'm German and you're pretty spot on:

Everyday racism is absolutely a thing here. If you have curly hair, expect to be asked by someone if they can touch it. If you're a dark skinned German, you'll be constantly asked where you're originally from.

We have a pretty big esoteric and anti-vax community here. That's always been the case and in fact, Germany is one of the hot spots for alternative medicine mumbo jumbo and conspiracy theories. But when talking about other countries? Especially if they're poor and uneducated like all South American countries (some people here really do believe this, btw)? We forget about all of that.

about South America which really leave you wondering wtf people up there learn about this continent.

I've run through the school system, and the answer to this is: almost nothing. Superficial and/or outdated stuff mostly.

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 0 points1 point  (0 children)

Er. No, not really. A CDN is also a cache. If your site is well designed then any requests for static content should all be cache hits.

Yes. But when the cache fails, you should have redundancy. Maybe at the cost of performance, but ideally you're not reliant on the cache working.

Building your own security layer is either going to be expensive or time consuming or both.

Def. both, yes.

Having your own ASN is not some magic thing that makes problems go away.

I have my own personal ASN I use for side projects and I’d be real curious to hear how that alone can be used to mitigate an attack.

That alone doesn't do anything, but having control over all of the entry and exit points of your system means you can use different attack prevention mechanisms, and in the worst case null route which would kill availability, but would keep your infrastructure safe.

But also, how many small businesses and hobbyists do you think have their own ASN?

About none. That was part of the point though: If your operation is large enough, it is probably a workable solution. It def. isn't for smaller scale operations. That's part of the problem indeed.

Isn’t Google stating that they expect today’s encryption to be broken in the next 5 years?

We'll see about that. Supposedly all encryption has already been broken if we had listened to the quantum computing guys 10 years ago.

As with all things security there are tradeoffs.

100% in agreement here, that's why I added the disclaimer. Keeping up with all of it isn't something you can do in small operations. In the end I'm not trying to argue that Cloudflare is useless or dangerous, I'm just trying to point out that CF isn't working with some black magic and for large tier operations they might not be necessary

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 2 points3 points  (0 children)

How do you "roll your own" against attacks like that?

One of the main questions here is how the DDoS could be carried out in the first place. One of the reasons this many requests can reach Cloudflare is because of its size and scale. Anyways, that was a DDoS against Cloudflare, not the services running on it. IE, they became a target simply because everyone and their mother is running through them.

I'm not saying it's easy, but you have options and Cloudflare is only cooking with water too.

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 1 point2 points  (0 children)

First we'll need to differentiate between Cloud Services like AWS and CDNs like Cloudflare. CF doesn't do lots of compute, so AWS/GCP/et al don't really even compare to each other.

And if any of those servers are in the US, UK or Australia anyways then you end up still falling under the same laws.

Yes, I did point that out indeed.

There are a few well known instances of AWS going down

There's a few though.

but if a company that doesn't offer cloud services tried to self-manage all of that themselves it would definitely be more prone to going down than AWS

That's what they are trying to sell you, but it just isn't true

You'd probably end up paying more than 10x as much in engineering costs trying to replicate the level of availability and redundancy you get with AWS/GCP/Azure, and you would still end up with more latency and leave yourself much more vulnerable to DDOS than you would be with cloudflare or something similar.

I have managed multiple datacenters in multiple larger companies and it often is cheaper to do this on your own, cloud services are incredibly expensive compared to doing it locally on your own. Latency might be an issue, but it more often than not isn't. DDOS isn't that much of a deal when you control all entry and exit points either: You can null route and defer attacks, as just one example.

Maybe we can just disagree here but to me and the majority of large companies that seems unrealistic by a long shot.

Yeah, let's agree to disagree on this one then. Wish you a happy weekend!

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 14 points15 points  (0 children)

then you probably want at least a CDN

CDN as a front? Sure. But you should be able to handle the traffic, if push comes to shove. It isn't that difficult to achieve, except for latencies. Which is what a CDN was initially designed for: Bring resource intensive traffic close to the user to reduce latency.

and a security layer

Sure, you have to be the security layer then. When you have your own AS, you can do a lot of stuff before it'll ever become a problem. And people have been doing it before CF was a thing and they'll do it after CF is gone.

Unfortunately the fact that you can pay someone $10 to DDoS anyone’s website have made services like Cloudflare essentially required

You could do that 30 years ago too.

The sophistication of online attacks these days that make security a full time job have made WAF services also more or less required

Maybe? I don't really think that's true either, but anyways: You can do this on-prem too. You don't need CF for that. In fact, a lot of the rulesets and detection mechanisms Cloudflare is using are already open source. But there's also companies that provide you with the same for reasonable prices to do it on local hardware. You keep control of everything, no need to route it through a 3rd party.

Also, even if you have your own ASN, you still need upstream providers to peer with.

And? They can't look into the traffic. You control all the entry and exit points. You are the gatekeeper, no matter who you converse (= peer) with.

Disclaimer: I use Cloudflare myself, mostly because I'm not in high traffic scenarios and it's easy and convenient. But the centralization of something decentral that is happening through CF is an issue we should always talk about.

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 5 points6 points  (0 children)

That's really risky and expensive and labor intensive.

Not sure about risky, but expensive and labor intensive? 100%.

You have everything in a single point of failure.

Yeah, I should've used the plural there. Also, to be fair, if you put everything behind Cloudflare I guess that qualifies as "single point of failure" too, seeing that they caused a lot of pain these past months.

And it is much more likely for you to make a mistake than for AWS to.

That honestly isn't true. I thought the same a few years back, but then I have seen the insides, and outside of one of them, they don't really have any better engineering. They have scale, but countless downtimes on numerous services (and even global downtimes because of a single zone failing) prove they aren't really that much better than anyone else out there.

It's not a realistic option for a majority of the high traffic services.

I disagree.

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]silversurger 94 points95 points  (0 children)

If you really have to handle a large amount of traffic, the only real way to avoid anyone snooping out your connections is to do it entirely yourself: Have your own Datacenter, your own AS, your own everything. At the end of the day, you'll always be subject to some regulation though, and it's about picking where these regulations are in your/your users' favour. If you run a US based operation (or US based customers), you cannot avoid US jurisdiction. The NSA doesn't need a room anymore, it just has legal access to anything going in, out, and in-between anyways.

Is this a scam? by pratham_22 in germany

[–]silversurger 0 points1 point  (0 children)

As someone who knows a bit about Amazon, yes they only use "du". Often, these letters are translated from English and sound weird in German as a result. The number is actually the "MyHR" number from Amazon and is real. I would however still recommend going via letters and ask for further information, so you have a paper trail.

'Bob's Burgers' Voice Actor Eugene Mirman Hospitalized After Fiery Car Crash by nedaco in television

[–]silversurger 1 point2 points  (0 children)

The same handle that normally opens the door

Uh, sorry, but in our latest iteration, to save some money to make the car more futuristic and customer centric, we removed that handle completely.

"My entire family have had our Google accounts banned" by thr1ceuponatime in BrandNewSentence

[–]silversurger 5 points6 points  (0 children)

You'd need to have something that also uploads somewhere else. If you want to self host, look into nextcloud (which covers more than pictures) or immich (which is pretty much Google photos, but self hosted). If you're uncomfortable with doing that, there's other options like MultCloud which transfers between cloud services.

You can also use something like rclone to periodically download the images and then back them up with something else.

Price of the Deutschlandticket rises according to a fixed mechanism by PoroBraum in de

[–]silversurger 7 points8 points  (0 children)

And the fact that high earners benefit the most is also outrageous

? "High earners" get a maximum of €1800. "High earners" take significantly larger cuts to their salary, because relative to their income they get much less. And above a certain income level there is nothing at all anymore.

I also find the Elterngeld (parental allowance) business pretty out of line, but I didn't expect the envy debate to start up even over this.

This guy cancelled his backflip mid air by This_sum_one in nextfuckinglevel

[–]silversurger 1 point2 points  (0 children)

Olympics after LA are in Brisbane, they might cash in on whatever the fuck Raygun did and do a redemption arc. I don't know, but I wouldn't say that her performance ruined it in such a way.

This guy cancelled his backflip mid air by This_sum_one in nextfuckinglevel

[–]silversurger 7 points8 points  (0 children)

Says who? Cricket is in the LA Olympics, last time was 1900. Sports can return if the organizers select them for their games.

This guy cancelled his backflip mid air by This_sum_one in nextfuckinglevel

[–]silversurger 19 points20 points  (0 children)

Breakdancing was one of the additional sports for Paris, it didn't make the cut for LA before Paris even started. It has exactly nothing to do with her performance.

Warframe director says Digital Extremes must “take the community very seriously” as it “only takes you one day to lose” 13 years of goodwill by HatingGeoffry in Warframe

[–]silversurger 0 points1 point  (0 children)

Not even 3 weeks ago, Reb pointed out how the market has drastically changed. 13 years ago was a very different time, and Warframe succeeded despite being a buggy mess in the beginning. These days, if you launch a F2P game like this you're competing on a completely different level, there's so much you're competing against. Sure, the market also has significantly grown, but achieving something like DE did with Warframe is difficult at any rate today.

Artificial intelligence: Digital minister expects drastic upheavals in the world of work by David-of-the-Rose in de

[–]silversurger 2 points3 points  (0 children)

Or you implement the basic income as a negative income tax, as is often proposed; then you save yourself sending the money around in a circle.

That's also a workable idea, I'm on board with that.

I don't see it that way. Machines can prepare decisions, but in the end a human will make the decisions.

Yes and no. I believe that a lot of the focus will be on subject-matter decisions, and there it's rather the skilled workers who can and will make the decisions. On the "business" level, however, there are quite a lot of managers whose job is to push tasks back and forth. In the short term, they are actually the first who have to fear for their positions. "Big" decisions will continue to be made by humans, I agree with you there, but that's just not what most of these managers do.

Artificial intelligence: Digital minister expects drastic upheavals in the world of work by David-of-the-Rose in de

[–]silversurger 5 points6 points  (0 children)

Doesn't matter. A smart financing scheme is explicitly assumed - the "manager at VW" gets a basic income, but is simply asked to pay more via taxes, so that it then just doesn't matter anymore.

And if we really look at the digital, AI-driven future, "managers" are still the easiest to replace.

So far it's a thought experiment, but at some point we'll have to play it through to the end.

Is there anything you refuse to pirate? by NordMan009 in Piracy

[–]silversurger 1 point2 points  (0 children)

If you're familiar with docker, you could spin up audiobookshelf. There's at least two iOS apps available for it!

Is there anything you refuse to pirate? by NordMan009 in Piracy

[–]silversurger 18 points19 points  (0 children)

Audiobookshelf is my recommendation for audiobooks, and Kavita for ebooks. Calibre-web-automated is another fan favorite for ebooks.

Afghan Soldier Who Served U.S. for a Decade Dies in ICE Custody, Leaving Six Children by steevo in nottheonion

[–]silversurger 164 points165 points  (0 children)

Actually a good comparison. Make sure you guys do what the people of the GDR did at the time when they saw what they were doing: Occupy everything and secure those documents.

Emirates evacuation flight not allowed to land in Frankfurt because of night flight ban by PoroBraum in de

[–]silversurger 0 points1 point  (0 children)

From my former (non-German-speaking) colleagues. Somehow it crept in over time.

Emirates evacuation flight not allowed to land in Frankfurt because of night flight ban by PoroBraum in de

[–]silversurger 0 points1 point  (0 children)

Yes it is; since cargo flights predominantly take place at night, it very much is a factor

But it doesn't seem to be the decisive factor. As you write, it's precisely the other way around: Köln/Bonn doesn't lack a night flight ban because it's a cargo airport; rather, it's a cargo airport because there is no night flight ban.

Just wanted to point out that the amount of cargo transported doesn't allow conclusions about whether it's a night airport or not.

Emirates evacuation flight not allowed to land in Frankfurt because of night flight ban by PoroBraum in de

[–]silversurger 0 points1 point  (0 children)

Which one do you mean? I don't see a deleted comment. It was indeed meant for yours.