User talk:Thsdb

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
Account has been renamed from ThscDrb to Thsdb.

Block of Netskope worldwide IP range[edit]

{{unblock|

Re. block ID #321954 for 163.116.128.0/17

[Infobox text – "Your account or IP address has been blocked. 163.116.128.0/17, you have been blocked by ‪Martin Urbanec‬ until 19:28, 13 January 2024, because: No open proxies: please read the FAQ should you be affected."]

This relates to Netskope web security AS55256.

Blocking Netskope stretches the "no open proxies" policy because:

  • Netskope is a corporate security provider, they are not an open proxy (open in the same sense as open relays for email), nor are they publicly accessible (in that their services are not available to private residents, as far as I know).
  • Unlike a paid VPN service like Nord, Express, etc., the customer can't choose their exit node. For example, our Netskope account manager has told us that organisations in Eastern Australia always exit via the Sydney or Melbourne data centres, and there are only a small number of active IP addresses at each DC (the DC has a /24 to allow future scaling). Therefore, if I was trying to avoid a block, I would be unable to just pick another IP, I'm stuck with whichever one I'm already on (just like if I was in the building and using my employer's fixed NAT address).
  • It's not an anonymizing proxy. Netskope correctly sets the X-Forwarded-For header, so MediaWiki could in theory log the real IP source address in addition to the proxy's address. (I'm not a CheckUser, so I don't know what info is logged.)

I believe this block does more harm than good, because:

  • It blocks all of Netskope's customers worldwide, meaning that people at thousands of businesses are unable to edit or to engage in community discussions from their work computers or WFH devices.
  • /17 is a big range, and some of the /24's within that range might not belong to Netskope. (collateral damage)
  • Affects all Wikimedia projects, even where there has been no history of problems from any of its IPs.
  • Current block affects all editing, even for registered users. It is more usual for IP blocks on local wikis to cover anons and account-creation but not registered. If I'm logged in to an account with good reputation, what should it matter which IP address I'm coming from?
  • It sends the wrong message that to use Wikimedia, you have to disable or bypass your security software.
  • It sets a bad precedent. As more services move from on-prem to cloud-hosted, an increasing number of people are going to be attempting to use Wikimedia via external intermediaries.

Thanks in advance for your consideration. ThscDrb (talk) 08:04, 15 April 2021 (UTC) }}[]

You are not locally blocked, so the unblock request won't work. For global blocks please read global blocks and the application informaiton at SRGP. Thanks. @Martin Urbanec: as it is your global block.  — billinghurst sDrewth 14:29, 15 April 2021 (UTC)[]

Thanks, billinghurst. Oddly, when I hit Edit on Meta I get MediaWiki:Blockedtext which says to use {{unblock}}, but on enwiki I get a specific global-lock message that does direct me to SRG or OTRS like you advised. Anyway, my desired outcome is for the block to be re-considered, not an IPBE for just me. If I can't post to SRG then I might have to take the email route, though I would have preferred the discussion to happen in the open and not via some back-channel. ThscDrb (talk) 04:44, 19 April 2021 (UTC)[]

Locally block remove … then you have my apologies, you were locally IP range blocked, and presumably there will also be a global block in place for the same IP range. You got the local and the global messages (they are different) depending where you were. I have removed the local block which should allow you to address the matter further with user:Martin Urbanec or through the stewards requests. I will note that it was a three year block which would indicate that we have had particular issues, though I haven't looked.  — billinghurst sDrewth 05:07, 19 April 2021 (UTC)[]
Thanks, heaps, billinghurst! I got myself autoconfirmed and posted a request at Steward requests/Global#Global unblock for 163.116.128.0/17. ThscDrb (talk) 07:34, 21 April 2021 (UTC)[]