Yeah, I think it is a bit more subtle of an issue than this flamewar always descends into.
There's people upthread arguing that every cellphone in the country is on IPv6 and nobody worries about it, but I'm certain there are thousands of people getting paid salaries to worry about that for you.
Meanwhile, the problem is about the level of trust in the consumer grade router sitting on my desk over there. With IPv4 NAT it is more likely that the router will break in such a way that I won't be able to access the internet. Having NAT break in such a way that it accidentally port forwards all incoming connection attempts to my laptop sitting behind it is not a likely bug or failure mode. If it does happen, it would likely only happen to a single machine sitting behind it.
OTOH, if my laptop and every other machine on my local subnet has a public IPv6 address on it, then I'm trusting that consumer grade router to never break in such a way that the firewall default allows all for some reason--opening up every single machine on my local subnet and every single listening port. A default deny flipping to a default allow is absolutely the kind of security bug that really happens and would keep me awake at night. And even if I don't go messing around with it and screw it up myself, there's always the possibility that a software bug in a firmware upgrade causes the problem.
I'd like to know what the solution to this is, other than blind trust in the router/firewall manufacturer or setting up your own external monitoring (and testing that monitoring periodically).
Instead of just screaming about how "NAT ISN'T SECURITY" over and over, I'd like someone to just explain how to mitigate the security concerns of firewall rulesets--when so very many of us have seen firewall rulesets be misconfigured by "professionals" at our $DAYJOBs. Just telling me that every IPv6 router should have default deny rules and nobody would be that incompetent to sell a router that wouldn't be that insecure doesn't give me warm fuzzies.
I don't necessarily trust NAT more, but a random port forward rule for all ports appearing against a given target host behind it is going to be a much more unusual kind of bug than just having a default firewall rule flipped to allow.
You could set up a monitoring solution that alerts you if one of your devices is suddenly reachable from the internet via IPv6. It will probably never fire an alert but in your case might help you sleep better. IPv6 privacy extensions could help you too.
In practice I don't think it's really an issue. The IPv6 firewall will probably not break in a way that makes your device reachable from the internet. Even if it would, someone would have to know the IPv6 address of the device they want to target - which means that you have to connect to a system that they have control of first, otherwise it's unlikely they'll ever get it. Lastly, you'd have to run some kind of software on that device that has a vulnerability which can be exploited via network. Combine all that and it gets so unlikely that you'll get hacked this way that it's not worth worrying about.
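As an added illustration of the external monitoring idea above (not code from any commenter), here is a small Python monitor run from outside the home network. It probes a host's global IPv6 address for ports the router's default deny should block, and also probes one "canary" port that is intentionally allowed through: if the canary goes unreachable, the monitor itself is broken, which covers the "testing that monitoring periodically" worry. The target address and port list are constructed sample values (documentation prefix), and the lookup-table probe is a stand-in so it runs offline.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# A probe returns True if a TCP connection to (addr, port) succeeds.
Probe = Callable[[str, int], bool]


def tcp_probe(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: attempt a TCP handshake to the IPv6 address from this vantage point."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Target:
    addr: str                        # global IPv6 address of a host behind the router
    must_be_closed: Tuple[int, ...]  # ports the router's default deny should block
    canary: int                      # a port you intentionally allow; proves the probe path works


def check_exposure(targets: Iterable[Target], probe: Probe = tcp_probe) -> List[str]:
    """Return alert strings; an empty list means every target looks as expected."""
    alerts: List[str] = []
    for t in targets:
        # Self-test first: if the canary is unreachable, silence from the other
        # probes means nothing (wrong vantage point, upstream filtering, host down).
        if not probe(t.addr, t.canary):
            alerts.append(f"MONITOR-BROKEN {t.addr}: canary port {t.canary} unreachable")
        exposed = [p for p in t.must_be_closed if probe(t.addr, p)]
        if exposed:
            # This is the "default deny flipped to default allow" case the thread worries about.
            alerts.append(f"EXPOSED {t.addr}: ports {exposed} reachable from outside")
    return alerts


def fake_probe_from(open_set: Dict[Tuple[str, int], bool]) -> Probe:
    """Constructed stand-in for tcp_probe: consults a table instead of the network."""
    return lambda addr, port: open_set.get((addr, port), False)


if __name__ == "__main__":
    # Constructed sample host using the 2001:db8::/32 documentation prefix.
    laptop = Target(addr="2001:db8::10", must_be_closed=(22, 445, 5900), canary=443)
    healthy = fake_probe_from({("2001:db8::10", 443): True})
    print(check_exposure([laptop], healthy))          # []
    flipped = fake_probe_from({("2001:db8::10", p): True for p in (22, 443, 445, 5900)})
    print(check_exposure([laptop], flipped))          # one EXPOSED alert
```

Swap `fake_probe_from(...)` for the default `tcp_probe` and run it from a host outside your network (a VPS or a phone on cellular) on a schedule to get the alerting the comment describes.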
It really seems like all the complaints about firefox are mostly ego-deflection.
People know it is wrong to stay on Chrome and empower Google to the extent that it is, but they're stuck on that workflow and don't want to change, so they find nits to pick about firefox and get very LOUD about that. Then it becomes Mozilla's fault that they're still using Chrome, and you can't blame them for anything.
It is going to die because it won't ever be perfect enough, while Google will win because the vastly more important problems with Google's control are just the status quo.
Also, compared to the scale of harm that Google does and the risk of it de facto controlling the web with the chromium engine, all the things that Mozilla does to piss people off should be small potatoes.
And when the cost of training LLMs starts to come down to under $1B/yr, Apple can jump on board, having saved >$100B in not trying to chase after everyone else to try to get there first.
Economic models are complex and far from perfect, and we're still waiting for Hari Seldon's psychohistory models to be created to tie together macroeconomics and macropsychology.
I have bad things to say about him. But they're firmly on pause. What Trump wants for the Federal Reserve is far worse.
And anyone who is a hard-currency quantity-theory-of-money conservative, should also be appalled by it.
Trump is way worse than what the harshest critics of the Federal Reserve think about it. Nobody right or left should support it. Only the billionaires will profit off the monetary disorder.
By design, kiss the ring. It’s a natural progression of the kind of grifting that has been occurring through 2025: shitcoin rugpulls, tariff announcements, etc.
> then attempted to murder a police officer with her car.
This is just false information. He was off to the left of her hood, and her wheels were hard to the right. He wasn't in front of her vehicle, she wasn't driving towards him, and she wasn't trying to murder anyone.
Maybe pg should come back to this board, and make HN his primary venue. Does he really like getting backscatter from all the bots and botlike humans on xitter? He could still syndicate there.
Meanwhile, HN certainly could stand to use an opinionated benevolent dictator (or at least tone-setter), not mere "both sides" moderation (as heroic as it has been). With such an anchor we might be able to constructively discuss these problems without getting derailed by the handful of reactionary flamebaiters.
The moral of the story is: if you’re against witch-hunts, and you promise to found your own little utopian community where witch-hunts will never happen, your new society will end up consisting of approximately three principled civil libertarians and seven zillion witches. It will be a terrible place to live even if witch-hunts are genuinely wrong.
It is unfortunately very true. For about 20 years I moderated a very large forum. We tried so hard to be even handed it was somewhat comical, and then one day I decided to just clean house. Things improved remarkably after that but there were always new people willing to see how far they could bend the rules. It's interesting how you get these new accounts on HN that immediately start lawyering with the rule book in hand. There is no way that that is organic.
Dan & Tom are so incredibly restrained, I'd be much more of a shoot-first-and-ask-questions-later type because the longer such behavior goes on the more people will believe it is acceptable.