Hacker News | illiac786's comments

Hmmm, check the jxl-rs repository. I wouldn’t call it mature. Not to say it’s buggy, but most of its code is very fresh.

I think most of the comments on this thread crystallise two different conceptions of security: the intended one and the effective one.

The second one is messy to measure, it requires making statistics on how often NAT saved the day by accident, which is hard if not impossible.

I personally think that statistics always win, even if they are unexplainable. My bet (zero proof) is, IPv4 is statistically (maybe by accident) more secure than IPv6, just because of NAT.

I have seen so many horrors in terms of multiple NATs I will always prefer IPv6, also because I think the benefits outweigh by far the difference in _effective_ security.

Summary: yes, IPv4 is more secure, but the difference is so marginal that IPv6 is still way better. Security is not the only metric in my world and theoretical discussions obsessing about a single metric are pointless.


I see the split too. I'll add that each camp is frustrated and feels the other is missing the point and would make information security worse if its worldview won.

You can do some empirical analysis. Someone downthread linked to a paper claiming to be able to reach a few million vulnerable devices over IPv6 and not IPv4. This kind of analysis isn't dispositive, though, because there are all sorts of second-order effects and underlying philosophical differences. Facts seldom change minds when you can build multiple competing true stories around these facts.

I'll call one camp the "veterans". They see security mostly as a matter of increasing the costs incurred by attackers relative to defenders, looking at the system holistically. Anything that increases attacker workload is good, even if it's an unintentional side effect of something else or interacts with software architecture in a cumbersome way. It's vibes-based: whether a given intervention is "worth it" is an output of a learned function that lives in the stomach of a seasoned security researcher who's seen shit.

The other camp I'll call the "philosophers". (My camp.) The perspective here is to build security like Euclid's elements, proving one invariant at a time, using earlier proofs to make progressively more capable systems, each proven secure against a class of threat so long as enumerated assumptions hold. They read security as an integral part of system architecture. Security comes from simplicity, as complexity and corner cases are the enemy of assurance.

The veterans see the philosophers as incoherent. There's no such thing as a safe system: only one not yet compromised. You can't solve problems for good anyway, so there's no use trying to come up with axioms. Throw away the damn compass and straightedge and just draw a siege map in the dirt with a stick.

The philosophers see the veterans as short-term-oriented defeatists who make it harder to reach levels of provable security that can solve problems once and for all so we don't have to worry about them anymore. You have to approach complex systems piece by piece or you can't understand them at all -- and worse, you'll do things in the name of security gutfeels that compromise other goals without payoff that feels worth it to them. They say, "Without my compass and straightedge, how can I design my star fort with firing lines I know cover every possible approach?"

The divide shows up in various projects. TLS is a philosopher project. Certificate transparency is a veteran project. Stack canaries are a veteran project. Shadow call stacks are a philosopher project. I think you get the point.

This thread reveals a surprising split between veterans and philosophers on NAT. In retrospect, it's kinda obvious that the veterans would insist that "duh, of course IPv4 prevents inbound connections and it must because otherwise the Internet won't work", and the philosopher camp is "Hold up. One thing at a time. What's the actual goal? How can we achieve this goal minimally without side effects on Internet routing?"

My camp sees the NAT configuration issue as a red herring. We see "the UX makes it too easy to run unsafe" as an HCI issue distinct from the underlying network architecture. The veterans say "Well, you can't build that button if you have NAT, so we are led not into temptation."

Both camps have something to contribute, I think, but the divide will never fully disappear.


I understand your view, I just disagree with the value you're putting on it, and I feel you're straying into accidentally insulting people to justify yourself:

You called yourself a philosopher and then proclaimed philosophers are the only ones who read security as an integral part of system architecture, whilst veterans are essentially vibe coding and surviving on the lucky mess they create.

I find your position that misconfiguration is a red herring in security completely unjustifiable and untenable.

It's probably that I'm just a puny brained veteran seeing your big complex philosopher smarts as incoherent though.

Anyway, I digress from the key point I've been trying to make in this entire thread:

I'm not arguing that IPv6 is not secure because it lacks NAT. My point was that this entire discussion is silly engagement bait: there's no clear right answer, but it's an easy topic for dogma and engagement. A holywars topic like NAT, IPv6 and security is prime for that. The author and submitter muddies the waters further by - probably not intentionally - choosing a strawman submission title.


I’m assuming you are not using your keyboard to set brightness because it’s an external display plugged into a laptop? Search for a DDC application for your desktop, it’s amazing, the brightness controls of your laptop will then control the external display as well. I use lunar on my MacBook, it was a revelation.

That’s not the problem. Analog dials were still easier and more convenient. I’m talking CRT days. Like these: https://i.ebayimg.com/images/g/M9cAAOSwrt5ncwpj/s-l1600.jpg

You could probably program keypad knobs like these to do the same: https://m.media-amazon.com/images/I/71s7PGYBkkL._AC_SL1500_....


Or switch to HDR if you have a capable display.

I was pleasantly surprised that HDR also means you can control brightness - it is all software in that case!

And the brightness keys on an external Apple keyboard work.


According to my (limited) testing, you can only control brightness when the transfer function used on the HDR content you see is HLG. When it is PQ, the luminance seems to be “absolute” and ignores the display’s brightness settings.

> I’m assuming you are not using your keyboard to set brightness

I prefer buttons on the monitor.

Using a game controller to change brightness is like driving a car from the back seat.


Autobrightness only works for screens which are against a wall. Your eyes care about what is behind the screen, not in front of it, and that’s one thing autobrightness never took into account.

I used to jailbreak my iPhone 4s to get some dark mode.


How is it more robust? There is no EU army, is there?

The EU defence clause is more binding than the NATO Article 5. It also demands that the other states *obligation of aid and assistance by all the means in their power* whereas Article 5 lets other states decide how much aid they want to supply.

There's no NATO army either.

Just check for “NATO troops”. That’s a term that exists and means something.

It means something, but doesn't imply the existence of a NATO army.

ok, but now we’re nit-picking about the meaning of “army”. There are “NATO troops” while there aren’t “EU Troops”.

I would still like to understand why previous poster said the EU defense agreement was more robust, I am genuinely curious about what that agreement contains and how well it was respected in the past.


> I am genuinely curious about what that agreement contains and how well it was respected in the past.

Easy enough to find[1]. Here[2] is a nice article which digs a bit deeper into how it might play out.

[1]: https://eur-lex.europa.eu/EN/legal-content/glossary/mutual-d... (links to the treaty section if you want the text verbatim)

[2]: https://www.politico.eu/article/5-things-to-know-about-the-e...


> ok, but now we’re nit-picking about the meaning of “army”.

You started nitpicking...


Yeah but that theory explains anything short of bombing Russia directly, hence I wouldn’t say it fits, it’s just a one size fits all.

But for how many other leaders would you say "bombing Russia directly" is the only convincing way they could show they're not a Russian asset?

But now you’ve reversed the logic: because he looks like a Russian asset, then the argument fits.

I mean, I don’t discuss that it’s an extremely tempting theory, full of Schadenfreude toward all the idiots that voted for him.


I agree. That’s why I think EU’s DMA is visionary, even if not perfect. LLM wars will prove EU regulators right, I anticipate.


Battery/sleeping is the main challenge I believe, not processing power. Linux laptops still struggle a lot with sleep. And Windows laptops too btw.


I really don’t get this attitude. What deal do you mean? You using VS Code? Why not change the setting simply?


> Why not change the setting simply?

My default settings are stored in a 11922 line json file.

Am I expected to read that entire file to find the setting I'm after?

Am I expected to do so when I don't know what the setting is called?

The reason you can't simply change the setting is because the setting isn't simple.

It's essentially a hidden setting, cloaked behind an ambiguous name in a user-hostile manner.


> My default settings are stored in a 11922 line json file.

And I thought my 50 lines settings.json is getting unmanageable and needs some cutting. WoW.


I'm guessing the user you're replying to is meaning that the vscode default config file is 11k lines and the AI setting just one of many lines in the file.

I don't think they meant that their own settings are that long, just the default in the app and they're commenting that it's ridiculous to expect a person to find it there.


Ah, well, I found this AI setting via github issues browsing, LoL, so yeah it's kind of hidden. Maybe there are better ways.


It's a tool for programmers. Use google + ctrl+f. Not a hill to die on.


How is googling it meant to work when they keep changing what the AI settings are called each month?


LLMs are pretty good at this sort of thing.

I use emacs, so maybe they're better trained on my editor. But I've had a lot of success resolving little annoyances I have just lived with for years talking to Claude in gptel.

I can't get it to do real work for shit, but it's A+ at helping me waste time with yak-shaving. lol


Alternatively, use the single setting that was literally just given to you above. That is pretty much as easy as it gets without resurrecting Clippy to help you figure it out. It's not reasonable to expect a massive bloated gui if people have 10k+ settings they are using.


The problem is that they keep adding new ai "features" all under different names and different settings, then shuffling the settings around.

Having a "master switch" doesn't matter, since their standard operating procedure is to waffle-stomp more "features" into vscode every month that will fall under a different setting and then they'll continue to shuffle them around.

Their indifference towards their own user-hostility with regards to this is the main problem.


I'm confused—how does putting in a master switch for those who want to opt-out entirely from the AI revolution occurring at the moment not matter? Are you saying that new features will fail to respect it?


> My default settings are stored in a 11922 line json file. Am I expected to read that entire file to find the setting I'm after?

That’s what AI is for. Have it turn itself off.


Ah, but if AI was correct, I wouldn't need to turn it off.


That, in a nutshell, is one of my biggest complaints about VS Code: there are many overlapping settings for various things, and I could never get clarity on what takes priority. Setting up things like formatters (and their settings) for various file types was a nightmare; between VS Code complaining I didn't have one set up (I did), the settings seemingly being ignored, and various other issues, I break into a cold sweat whenever I have to edit my settings file.

But more to the point, I don't understand why one would ever have to edit the file directly when there's already a settings panel that lets you search for a setting using natural language, and get back a list of matching settings. Why doesn't VS Code let you make all the changes from the settings panel, without having to mess with JSON directly?


You should really look into the difference between opt-in and opt-out. Opt-in respects the user; opt-out is for foisting features that the user might not need or want.


Flip it around: a new user might be confused why the AI features that all their friends told them about are not available.

It's a tradeoff


If it is opt-in for everybody, then their friends would also tell them that they have to opt-in to get it.


If it means more users aren't using Gen AI, I'll happily take that tradeoff!


The anti-AI folks should just fork everything at this point, because it's hypocritical as hell to complain about it and use a bunch of stuff built with it. Then you can opt out of society!


Oh no, just think of all the good AI-produced things we'll be missing out on.

...are there any?


I'd say the percentage of stuff developed using AI now is higher than the percentage of pro athletes who use performance enhancing drugs, and there's almost as much incentive to mask it and say "made without AI"


Because the point is just to loudly proclaim how virtuously anti-AI you are, how disruptive it actually is to your workflow is irrelevant.


Oh, I use coding assistants every day, just not the one that came with VSCode. Because I want to decide if/which coding assistant I want to use, not whatever VSCode forces upon me. In fact, at many companies, GitHub Copilot is explicitly forbidden.

Not the smartest argument to brand this as anti-AI.


I really like the Copilot autocomplete across multiple symbols in the file (e.g. predictive edits that you can tab through).

For most other stuff I prefer Cline/RooCode/KiloCode, but sadly it doesn’t seem like any of those offer similar autocomplete (Continue.dev did with even Ollama support for local models but the whole plugin was a buggy mess and it didn’t work well). Oh and sometimes Claude Code or Codex is nice in a terminal directly.

Personally, I don’t mind something being there by default (same as how JetBrains has their pre installed plugin and also something like Junie available), as long as it’s easy to turn off or uninstall.

Similar to how I wouldn’t scoff at a Git integration plugin even if I prefer to use Sourcetree or GitKraken.


> as long as it’s easy to turn off or uninstall

That's the issue here.

The "disable all AI features" option isn't really easy to find.


glances at Windows 11

No, I think the point is to escape encroaching monetization that dilutes the value of local on-device text editing.


In my experience it’s people with “agents” mass editing their code, in their 10th attempt to convince their tool to do what they want it to do, who are the people with a disrupted workflow, in a constant struggle with their tools.


Boiling it will remove bacteria, but not toxins (if there are any).


Is there any reason to expect there would be "toxins", given that it's just water? I can imagine how there might be accumulated toxins if it's a pack of chicken breasts left in a hot car for 8 hours, but if it's water it should be fine? After all, boiling water is a tried and true way of making water safe to drink.


Heavy metals [1], nitrate and nitrite [2], PFAs most probably (couldn’t find anything about this, but since it’s everywhere…)

[1] https://www.webpronews.com/study-exposes-airline-water-conta...

[2] https://www.ncbi.nlm.nih.gov/books/NBK310709/#:~:text=Beside...


> After all, boiling water is a tried and true way of making water safe to drink.

It's not.


https://en.wikipedia.org/wiki/Boiling#For_making_water_potab...

Yes, there are substances that slip through, but it works well enough for most cases that it's probably fine. Otherwise you get into weird edge cases like "what if there are prions in the water?!?" or whatever.


Heavy metals are a big problem, especially from cheap brass fittings common in outdoor water hoses. Indoor plumbing, by contrast, uses copper and/or PEX tubing and so there’s near zero risk of metal poisoning (caveat on cheap PEX fittings: don’t do that.)

