It’s better than most VPNs, but the amount of Cloudflare challenges I get is really annoying.
It’s a little weird because Apple has device attestation which is run via Cloudflare and Fastly. You’d think that would get you around the challenges, but that doesn’t seem to happen.
You should only get more challenges with VPN if the VPN users are abusing the websites. I actually get fewer CF challenges with NordVPN than without it.
It’s not a VPN service in the usual sense, and does not allow you to change locations, and they also have a mapping of IP addresses and the served geographical users.
I also assume being a service that requires an expensive device and that the browsing happen through Safari limits the abuse somewhat.
There are working end-points and they tend to be stable. If you find a Mullvad server which works with Reddit, you can configure a socks5 proxy for a Firefox container assigned to Reddit (or any domain). This way, Reddit will always use the connection of the working route and your general internet experience isn't affected otherwise. E.g. you can still switch around connections to find a working one for YouTube... Don't forget about this setting, since sometimes a Mullvad server is down temporarily and the container's assigned domains won't resolve (usually enough to count up/down the Mullvad proxy id). This will also prevent you from accessing Reddit without a Mullvad VPN connection.
My bank app forces me to turn my VPN off. I’m not going to change my bank over that and I imagine most others do the same anyway or will eventually. I imagine many sites and services will just continue to go “we’re gonna break this thing you need until you turn the vpn off.”
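The per-domain routing the comment above describes (one set of domains pinned to one SOCKS5 endpoint, everything else untouched, and the pinned domains failing closed when the proxy is down) can also be expressed as a proxy auto-config (PAC) file. The following is an added example, not code from the commenter or from Mullvad: the proxy address `10.0.0.1:1080` is a constructed placeholder for whichever SOCKS5 endpoint you have verified works, and the domain list is an assumption.

```javascript
// Proxy auto-config (PAC) file. The browser calls FindProxyForURL(url, host)
// for every request and acts on the returned string ("DIRECT" or a proxy spec).
// ADDED EXAMPLE: the proxy address and the domain list are placeholders.

// Constructed placeholder: replace with the host:port of the SOCKS5 endpoint
// you have confirmed reaches the pinned sites.
var PINNED_PROXY = "SOCKS5 10.0.0.1:1080";

// Domains that must only ever be reached through the pinned proxy (assumption).
var PINNED_DOMAINS = ["reddit.com", "redd.it", "redditstatic.com"];

// True when host is the domain itself or any subdomain of it.
// Uses slice() rather than endsWith() so it also works in older PAC engines.
function matchesDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  for (var i = 0; i < PINNED_DOMAINS.length; i++) {
    if (matchesDomain(host, PINNED_DOMAINS[i])) {
      // Deliberately no "; DIRECT" fallback: if the proxy is down, the pinned
      // domains fail closed instead of silently falling back to the bare
      // connection. This is the "can't reach Reddit without the VPN" property.
      return PINNED_PROXY;
    }
  }
  // Everything else uses whatever connection the browser normally has.
  return "DIRECT";
}
```

Firefox loads a PAC file via Settings > Network Settings > "Automatic proxy configuration URL" (a `file://` URL works), and the "Proxy DNS when using SOCKS v5" option should be enabled so that the pinned hostnames are resolved by the proxy rather than by the local resolver. Unlike the container-based setup, a PAC rule applies to the whole browser profile, not to one container.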
Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
On the other hand, GeoIP is arguably the reason you are in this situation in the first place, i.e., having to use it since it's there and everybody else is doing so as well.
Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.
If you were serious about limiting who uses your services you'd use an allowlist of ASNs. Even then, what about users using US-based residential proxies?
ASNs can obviously span multiple countries, and aren't a great way to gate this at all. We block ASNs we KNOW are owned/operated by companies in limited countries, but I couldn't imagine a worse way to approach it at scale. Hate doing it, it's heavy-handed and wrong.
> Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.
It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.
We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.
> ISPs are incentivized to help us by providing good data.
That's the entire problem in a nutshell. Good quality of service should not depend on every site I visit knowing my geographic location at the ZIP code or even street level (I've actually seen the latter occasionally).
I can somewhat understand the need for country-wide geoip blocking due to per-country distribution rights for media and whatnot, but when my bank does it, it just screams security theater to me.
That is why we have the IP to country level data available for free. As you have recognized the fact that country level data is good for security, we are willing to take a massive hit on potential revenue to allow everyone to use our country level data for free, even for commercial purposes. We literally built separate dedicated infrastructure that provides unlimited queries for our IP to Country data. We want to ensure that everyone has access to reliable data.
For us, based on active measurements, what we do is distribute IP addresses to more densely populated areas. The issue is that we are good at zip code level accuracy, but it is impossible for us to get street addresses correct for residential internet connections. Even if we get geographic coordinates fairly close to you, it is largely coincidental. Our accuracy radius goes as low as 5 km.
However, consider hotels, conference centers, airports, train stations, etc., where large numbers of people gather and where there are a few public WiFi hotspots that usually remain in the same location. We can identify the exact building from those WiFi hotspot IP addresses.
We have approximately 1,200 servers in operation. Simply by knowing which data centers house our servers, we can reliably identify neighboring hosting IP addresses to the exact data center.
> As you have recognized the fact that country level data is good for security [...]
That's the opposite of what I said. I think blocking entire countries is largely security theater. Bad actors will just use botnets or other residential proxies wherever needed, while legitimate users traveling abroad get locked out.
I can see it make sense for login-free distribution of media with limited regional rights (e.g., some public broadcasters offer their streams for free but are only allowed to do so domestically), or to provide a best guess for region-specific services (weather forecasts, shipping rate estimates etc.), although I'd also love to see that handled via the user agent instead, e.g. via granting coarse location access, to prevent false positives.
I also wouldn't mind it as much as one of many input signals into some risk calculation, e.g. for throttling password (but not passkey) attempts, to be overridden by login status, but outright bans are incredibly annoying, and unfortunately that's what I see many companies doing with GeoIP data.
Almost as annoying: Companies insisting on serving me a different language just because I traveled abroad, even though my "Accept-Language" header is right there.
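The design the comment above argues for (GeoIP as one weighted input among several, overridden by an authenticated session, used to throttle password attempts but never passkeys, and never an outright ban on its own) can be sketched as a small scoring function. This is an added example, not code from the commenter or from any product: the signal weights, the thresholds and the sample attempts are all constructed for illustration.

```javascript
// Added example: GeoIP as one bounded signal in a login risk score, so that a
// country mismatch alone can never block a legitimate traveller.
// Weights and thresholds are constructed, not taken from any real system.

const THROTTLE_THRESHOLD = 60; // at or above: slow the attempt down
const STEPUP_THRESHOLD = 90;   // at or above: require a second factor

// Each signal contributes a capped amount; only repeated failures can reach
// the step-up threshold without help from the other signals.
function loginRiskScore(attempt) {
  // Passkeys are phishing-resistant and not brute-forceable, so none of these
  // signals applies to them.
  if (attempt.method === "passkey") return 0;
  // An existing authenticated session overrides the geo signal entirely.
  if (attempt.sessionValid) return 0;

  let score = 0;
  // Geo mismatch is a weak hint: travel and VPNs trip it for legitimate users.
  if (attempt.geoCountry !== attempt.accountHomeCountry) score += 20;
  // Recent failed attempts on this account are the strong signal (capped at 5).
  score += Math.min(attempt.recentFailures, 5) * 15;
  // A device the account has never used before is a moderate signal.
  if (!attempt.knownDevice) score += 15;
  return Math.min(score, 100);
}

// Turns the score into an action; "throttle" adds a delay that grows with the
// score rather than refusing the attempt outright.
function loginDecision(attempt) {
  const score = loginRiskScore(attempt);
  if (score >= STEPUP_THRESHOLD) return { action: "step-up", delayMs: 0, score };
  if (score >= THROTTLE_THRESHOLD) {
    const delayMs = 1000 * (1 + Math.floor((score - THROTTLE_THRESHOLD) / 10));
    return { action: "throttle", delayMs, score };
  }
  return { action: "allow", delayMs: 0, score };
}

// Constructed sample attempts (not real data) showing the intended behaviour.
const SAMPLE_ATTEMPTS = [
  { label: "traveller, password, known laptop",
    method: "password", sessionValid: false, geoCountry: "FR",
    accountHomeCountry: "DE", recentFailures: 0, knownDevice: true },
  { label: "home country, 4 recent failures, unknown device",
    method: "password", sessionValid: false, geoCountry: "DE",
    accountHomeCountry: "DE", recentFailures: 4, knownDevice: false },
  { label: "abroad, 5 failures, unknown device",
    method: "password", sessionValid: false, geoCountry: "BR",
    accountHomeCountry: "DE", recentFailures: 5, knownDevice: false },
  { label: "passkey from anywhere",
    method: "passkey", sessionValid: false, geoCountry: "BR",
    accountHomeCountry: "DE", recentFailures: 5, knownDevice: false },
];

for (const a of SAMPLE_ATTEMPTS) {
  const d = loginDecision(a);
  console.log(`${a.label}: ${d.action} (score ${d.score}, delay ${d.delayMs} ms)`);
}
```

The point of the bounded weights is visible in the first sample: a password login from the wrong country on a known device scores 20 and is simply allowed, whereas the same geo signal combined with repeated failures and an unknown device pushes the attempt into step-up authentication rather than a silent ban.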
With CGNAT becoming more widespread, formats like this might need expansion to include location data for ports. I.e., ports 10000-20000 are consumers in New York, ports 20000-30000 are in Boston, etc.
IPv4 addresses are not that scarce yet, and realistically any CG-NAT will have several IPv4 addresses per metro area, if only to allow for reasonable levels of geolocation (e.g. to not break the "pizza near me" search use case).
The IETF standardization was irrelevant so I would give them some slack. ISPs were using CGNAT already in a widespread fashion. The IETF just said, “if we’re gonna do this shit, at least stay out of the blocks used by private networks”.
It has been a non-existent problem for roughly 20 years now. Why do people still keep pulling out "uniquely identified down to the device" as an argument?
Windows, macOS and most Linux distros by default rotate SLAAC addresses every 24 hours.
That is really interesting. I wonder if we have any internal data on this. I will check.
We are trying to work with ISPs everywhere, so if port level geolocation of the IP address is common, we surely need to account for that. I will flag this to the data team. To get the ball rolling, I would love to talk to an ISP operator who operates like this. If you know someone please kindly introduce me to them.
Well, the good news is that the attacker (should there be one) has to be either on the same flight, or have persistence (bi-directional entry) into that infrastructure.
That's a good edge case for not using a hotspot, but at the same time, I've never been on a flight with 'good' internet. But the main question is what to tell the general population about joining untrusted networks. Now, you get thousands of feet in the air, you might think it's a tolerable risk to join sleazyJetFreeWiFi, and I would agree it's unlikely that it's an evil-twin attack, but coming back to giving population-level advice, is this kind of nuance useful? Or just fun?
Sometimes. You can publish whatever geolocation data file you want, but others aren't required to respect that file. It's known that geolocation providers run pings and traceroutes from different locations as well as looking at BGP data.
I guess maybe we should start some kind of initiative to detect these geolocation providers so we can blacklist them. Maybe it can be some kind of database that is used to null-route all traffic coming from their network /s
What they're saying in this post is that they are designing these LLM-based features to support search.
The post describes how their use-case is finding high quality sources relevant to a query and providing summaries with references/links to the user (not generating long-form "research reports")
FWIW, this aligns with what I've found ChatGPT useful for: a better Google, rather than a robotic writer.
I have a no-AI mode that filters out the bad results too. The problem is that it doesn't return any results at all, as it doesn't help with the harder problem of filtering out only the bad results without the good ones though. So far it's not clear to me that LLMs have significantly moved the needle on the ability to differentiate this.
If you look at my post history, I’m the last person to defend LLMs. That being said, I think LLMs are the next evolution in search. Not what OpenAI and Anthropic and xAI are working on - I think all the major models are moving further and further away from that with the “AI” stuff. But the core technology is an amazing way to search.
So I actually find it the perfect thing for Kagi to work with. If they can leverage LLMs to improve search, without getting distracted by the “AI” stuff, there’s tons of potential value.
Not saying that’s what this is… but if there’s any company I’d want playing with LLMs it’s probably Kagi
A better search would be rich metadata and powerful filter tools, not result summarizer. When I search, I want to find stuff, I don’t want an interpretation of what was found.
This is building on top of the existing core product, so the output is directly tied to the quality of their core search results being fed into the assistants. I overall really enjoy all of their A.I. products, using their prompt assistant frequently for quick research tasks.
It does miss occasionally, or I feel like "that was a waste of tokens" due to a bad response or something, but overall I like supporting Kagi's current mission in the market of AI tools.
Is there anyone selling LLM tools that would claim they aren't keeping their deficiencies in mind or admit that they're ignoring user choices? I'm not saying you are or aren't wasting money on slop, because I have no way of knowing, but it's hard to imagine someone who is concerned about a company acting in bad faith finding this compelling.
Same, though in fairness as long as they don't force it on me (the way Google does) and as long as the real search results don't suffer because of a lack of love (which so far they haven't), then it's no skin off my back. I think LLMs are an abysmal tool for finding information, but as long as the actual search feature is working well then I don't care if an LLM option exists.
It would be a lot easier for the UK to just block any site they don't like. Especially when the concern is ostensibly to protect UK citizens from harm.
This is the key point. No site is sending material to the UK unsolicited. People in the UK are initiating the download of information they find of interest. If the UK government has a problem with that, it's on them to block the downloads on their side. UK laws have no power outside the UK.
If VPN usage becomes the norm, sites will have to give in eventually.