Ask HN: Why does the US Visa application website do a port-scan of my network?
489 points by mbix77 21 hours ago
I have recently installed this extension on FF: https://addons.mozilla.org/en-US/firefox/addon/port-authorit... and yesterday I visited this website: https://ceac.state.gov/genniv/ and I got a notification that the website tried to do a port-scan of my private network.
Is this a common thing? I have just recently installed the extension, so I am not sure if there are a lot of other websites who do it.
Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled.
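An added example, not from the thread and not either extension's own code: one way to flag the behaviour the notification describes, a page on a public origin requesting loopback or private-range addresses. The function names, the sample request list and the page URL are constructed, and the real extensions' rules may differ.

```javascript
// Added example; names and sample data are constructed, not from either extension.
const LOCAL_V4 = [            // [network, prefix length]
  [0x7f000000, 8],            // 127.0.0.0/8 loopback
  [0x0a000000, 8],            // 10.0.0.0/8
  [0xac100000, 12],           // 172.16.0.0/12
  [0xc0a80000, 16],           // 192.168.0.0/16
  [0xa9fe0000, 16],           // 169.254.0.0/16 link-local
];

function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isLocalHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const ip = ipv4ToInt(h);
  if (ip === null) return false;
  return LOCAL_V4.some(([net, bits]) =>
    ((ip & ((0xffffffff << (32 - bits)) >>> 0)) >>> 0) === net);
}

// Requests that cross from a public page into loopback or private address space.
function findLanProbes(pageUrl, requestUrls) {
  if (isLocalHost(new URL(pageUrl).hostname)) return []; // page is itself local
  const hits = [];
  for (const raw of requestUrls) {
    let u;
    try { u = new URL(raw, pageUrl); } catch { continue; } // skip unparsable
    if (!isLocalHost(u.hostname)) continue;
    const dflt = /^(https|wss):$/.test(u.protocol) ? 443 : 80;
    hits.push({ host: u.hostname, port: u.port ? Number(u.port) : dflt });
  }
  return hits;
}

// Constructed sample: URLs requested while a public page loads.
const SAMPLE = [
  "https://cdn.example.com/app.js", "/static/style.css",
  "wss://localhost:3389/", "http://127.0.0.1:5900/", "http://192.168.1.1/",
  "http://2130706433:8080/", // decimal spelling; URL parsing normalizes it to 127.0.0.1
];
console.log(findLanProbes("https://portal.example/form", SAMPLE));
```

Parsing each request with `URL` before matching means alternate spellings of an IPv4 address are compared in their normalized dotted form rather than as raw strings.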
edarchis - 20 hours ago
Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name.
So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.

mrtksn - 18 hours ago
That would be quite clever for an incredibly horrible website. The other day my SO, who is a Turkish citizen, was filling up her visa application and after half an hour of meticulous form filling the system just kicked her out. I think the session times out or something. If you haven't created an account or you haven't written down the current application ID everything is lost. In the process she was also directed to a non-.gov website for something during the process, I thought she was getting scammed but no. It actually makes sense to have a paid service that makes this abomination less painful. Though they work with VFS Global for collecting the applications and relevant documents, the VFS Global itself is an abomination and doesn't help with the handling of the form filling anyway. Recently EU streamlined the Schengen visa application process for Turkish citizens as those "visa agencies" that are the official agencies and the only way to apply for a visa for many countries don't actually help with anything and are scamming people by selling the "good hours" for the visa appointment on the black market. An agency was dropped for this and the scams by agencies were listed among the reasons to streamline the application process. Both with US and EU people are losing scholarships etc. due to outrageous wait times that are sometimes years ahead or there's an issue with the systems handling the applications. I guess there must be an opportunity there to fix all this together with smaller stuff like handling transliteration and character encodings, I wonder if some of those scam sites are not scams and actually help with it. An AI agent can be useful here.

gmueckl - 10 hours ago
I had to deal with the DS-160 multiple times over the year. I don't think you give justice to how bad this website really is. I have started to notice that these "timeouts" are very random. At the worst times, the session "times out" immediately after login. These random logouts happen more frequently during certain times of the day and seem to follow a semi-predictable pattern. It is almost certainly tied to system load in some way. Also, the site's HTML and JavaScript are bloated beyond hope for what should be a fairly simple set of web forms. And it has been this way since at least 2018 with exactly zero improvements.

qingcharles - 9 hours ago
One thing a developer sat in DC or SV with a 5G iPhone 16 doesn't realize too, is that if you are visiting these web sites with a phone plan that has a tiny monthly data allowance then this bloat can blow out an entire month in one sitting. I worked with people on parole that were given free phones to use for job applications, finding their way around etc, and they would only get 3GB data a month. Some of the sites they visited were dropping 250MB of payload on the home page. You'd get some plans that would drop down to 2G, but try using that for Google Maps when you're trying to find a bus to get you across the city.

rwmj - 17 hours ago
You might be making the assumption that the US wants to make the process easier.

throw10920 - 12 hours ago
Not to defend the US immigration system, but my experience is that this user-hostile behavior (modulo the port scanning lol) is endemic across US government websites - including those that nominally want to serve you, those that are at the state level instead of the federal level (such as the DMV sites), and those that are even internal for use by government employees only. It's bad enough that in some cases I believe the designers should be threatened with legal penalties.

PaulHoule - 10 hours ago
That e-filing web site for taxes has never worked for my son because he can’t complete the id.me process, it might be as simple as you are an unperson if you use an android phone or maybe because he’s just started in the workforce he does not have a long history of tax filing and credit history to match up with. Two years in a row we’ve been able to fill out a 1040 and the NY state equivalent and make a paper submission in less time than it takes to reach an operator on hold. These identity verification services look like a scam to me. LinkedIn incessantly hassles me to verify with CLEAR and it always fails without a clear error message, either “it just doesn’t work” or my hair has grown too much since I got my driver’s license or it is making me take my glasses off and comparing to a driver’s license photo where I am wearing glasses.

jofla_net - 8 hours ago
> These identity verification services look like a scam to me.
Even if their intent is to run an 'honest' business, the method of bouncing a user around to god knows how many domains during the process becomes effectively indistinguishable from a compromised service, and the alternative of having each site host their own id verification system screams, HACK US.
I can see users becoming increasingly accustomed to getting out their cards several times during a sign-up and not having the foggiest idea of where their information went to.

smithkl42 - 9 hours ago
The id.me process is absolutely horrific.

IT4MD - 5 hours ago
I'm not sure the word horrific is up to carrying the weight of just how bad id.me is. Still, a great effort.

Sohcahtoa82 - 10 hours ago
> user-hostile behavior (modulo the port scanning lol) is endemic across US government websites
I discovered this when it was late at night and I was procrastinating going to bed and I was curious what my estimated Social Security benefit would be at retirement so I tried to log into mySSA and it said the website is closed from like 11 PM to 5 AM or something like that. I couldn't believe it. I could understand a weekly several-hour maintenance/batch processing window, but DAILY?

xenadu02 - 9 hours ago
Gaming of the procurement system. The websites are all written by big consulting outfits. Not to mention the disaster that is big corporate IT projects combined with government rules. Obama had the Digital Service (that Trump shut down) which paid higher salaries. Those folks were sharp and everything they touched was actually decent. As I noted this is not unique to government. Large corporate projects at the Fortune 500 are often the same sort of consultant-driven crap.

anticensor - 6 hours ago
Digital Service didn't shut down, it just temporarily got retasked to DOGE.

dragonwriter - 6 hours ago
It wasn't temporarily retasked, it was reorganized and permanently repurposed and renamed the US DOGE Service, and then within that reorganized service, a subordinate temporary organization was created called the US DOGE Service Temporary Organization that was scheduled to sunset not later than July 4, 2026. (All but 65 of USDS's pre-reorg employees were also fired as part of the reorg, and 21 of those remaining 65 employees did a mass resignation.) If you visit their website, you will notice that except for historical documents, there is no full name branding at all; mostly only the logo and the occasional "USDS", when prior to the reorg (as can be seen on the Wayback machine) the original full name was prominent.

Our_Benefactors - 11 hours ago
This. The website for buying treasury products is straight out of the year 2002. The login is so bad I would never consider buying them there - the service fee charged by brokerages is absolutely worth it in this case.

ryandrake - 11 hours ago
Which brokerages charge fees for purchasing US Treasuries? Schwab definitely doesn't. Really the only reason you need TreasuryDirect is for buying Series I bonds (and maybe a few other niche Treasury products), which are not available through brokerages.

aianus - 9 hours ago
Schwab folds their fees into their bid/ask spread, they're not doing it for free.

PaulHoule - 10 hours ago
Back when interest rates peaked around that period I bought a huge number of I bonds which were a great investment -- got fired by my broker because I interrupted a sales presentation with “why don’t I just buy I bonds?” Back then I thought Treasury Direct was great.

qingcharles - 9 hours ago
The web front ends are awful, but the back ends are even worse. The backlogs for some of these applications are insane. I was at a US embassy one time and got talking to a girl who had just had her application approved after an 18 year wait.

LorenPechtel - 7 hours ago
18 year wait for approval or 18 year wait for family sponsored immigrant visa? Because from some countries those do have 18 year backlogs.

dfxm12 - 13 hours ago
I'd invoke Hanlon's razor, but in this case, it's certainly both malice and stupidity...

cromka - 16 hours ago
You use the same system for Business visas. Hard to imagine US wouldn’t want those as easy as possible.

jazzypants - 13 hours ago
You don't have a good enough imagination for how stupid our current leadership really is.

xp84 - 11 hours ago
During 8 years of Obama and 4 years of Biden, none of this was different or better. Perhaps this isn't a partisan political issue.

schlauerfox - 11 hours ago
From 2014 until it was, in effect, obliterated by DOGE actions this year there was the "United States Digital Service", a crack team of programmers, a sort of skunkworks who worked to improve U.S. government websites of departments that wanted the help. So it seems to be partisan to want good websites, but there are countless people involved in politics with many agendas.

snapetom - 11 hours ago
I don’t know if you’re US-based or not but in the US, government work has the stigma of attracting the bottom of the barrel. It is nearly impossible to get fired for performance reasons. Combine low pay and high job security, and you’re not going to attract the most innovative, motivated, or competent people. Early in my career, I was warned that if I took a job with the state of California, I’d be stuck there for my whole career. I’d be unhirable in the private sector.

klipt - 10 hours ago
> high job security
Not so much after DOGE fired entire departments for dubious reasons. I don't know why anyone would work for the federal government now - pay still sucks, and job security has been demonstrated to no longer be guaranteed.

snapetom - 8 hours ago
Recent events aren't going to change decades of stigma and reputation. People aren't saying, "Oh cool, they purged the low performers. I'll go work for the government!"

nkoren - 16 hours ago
Hard to imagine that the US wouldn't be as paranoid, self-sabotaging, and bureaucratically inept as possible? </sarcasm>

conductr - 13 hours ago
As a US citizen, I feel it’s opposite. Hard to imagine they’d want anything related to visas to be easy.

jimz - 15 hours ago
[flagged]

cogogo - 15 hours ago
My wife, a green card holder, applied for citizenship in April and was naturalized yesterday (from an EU country). Not that I don’t believe it could be true but where are you getting the 3-4yr timeline? If that’s accurate she/we may have dodged a massive bullet.

bluGill - 14 hours ago
Spouses always get better treatment as there is a voter who would be mad otherwise. They check for scam marriages but otherwise hurry the process through - if they don't a voter contacts their congressman to push the process. That voter will also likely know a lot of other voters and thus influence the next election while someone not married is unlikely to have that local network to use.

filoleg - 13 hours ago
This is patently false for one reason - once someone has a U.S. green card and has met the residency requirement to apply for citizenship, the application form and process are the same for everyone, regardless of how they got their green card (through work, marriage, asylum, investment, etc.). Once you are eligible to apply, the whole process is basically form N400->biometrics->interview (just doublechecking your name and other paper info, takes 5 minutes)->civics test->ceremony. However, the timelines and process for getting the green card itself are different depending on the nature of your visa, and they will indeed try to check for scam marriages before you get your green card (if you were applying for it through the marriage visa).

klipt - 10 hours ago
Not exactly, if you're married to a citizen the residence requirement is 3 years not 5, and the form clearly distinguishes the 3 and 5 year options (3 years requires extra evidence of marriage and spouse's US citizenship)