Same applies to Tailscale. A Tailscale client, coordination plane vulnerability, or incomplete understanding of their trust model is also all it takes. You are adding attack surface, not removing it.
If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.
If you are exposing a handful of hardened services on infrastructure you control, Tailscale adds complexity for no gain. If you are connecting machines across networks you do not control, or want zero-config access to internal services, then I can see its appeal.
I'll take this to mean that you think arbitrary access to a computer's capabilities will require licensure, in which case I think this is a bad metaphor.
The point of a driver's license is that driving a ton of steel around at >50mph presents risk of harm to others.
Not knowing how to use a computer - driving it "poorly" - does not risk harm to others. Why does it merit restriction, based on the topic of this post?
1. "Unpatched servers become botnet hosts" - true, but Tailscale does not prevent this. A compromised machine on your tailnet is still compromised. The botnet argument applies regardless of how you access your server.
2. Following this logic, you would need to license all internet-connected devices: phones, smart TVs, IoT. They get pwned and join botnets constantly. Are we licensing grandma's router?
3. The Cloudflare point undermines the argument: "botnets cause centralization (Cloudflare), which is harm", so the solution is... licensing, which would centralize infrastructure further? That is the same outcome being called harmful.
4. Corporate servers get compromised constantly. Should only "licensed" corporations run services? They already are, and they are not doing better.
Back to the topic: I have no clue what you think Tailscale is, but it does increase security, only convenience.
The comment I was replying to was claiming that using your computer 'poorly' does not harm others. I was simply refuting that. Having spent the last two decades null routing customer servers when they decide to join an attack, this isn't theoretical.
As an aside, I dislike Tailscale, and use WireGuard directly.
Back to the topic: Your connected device can harm others if used poorly. I am not proposing licensing requirements.
Most inadequate drivers don't think they're inadequate, which is part of the problem. Unless your acquaintances are exclusively PMC you most likely know several adults who've lost their licenses because they are not adequately safe drivers, and if your acquaintances are exclusively PMC you most likely know several adults who are not adequately safe drivers and should've lost their licenses but knew the legal tricks to avoid it.
From the perspective of those writing the regs, speeding, running lights, driving carelessly or dangerously (all fines or crimes here) are indeed indicators of safe driving or not.
Understand, I am not advocating this. I said I did not like it. Neither of those statements have anything to do with whether I think it will come to pass, or not.