A report into government appointments to boards savages the system, which it says too often allows governments to award friends or pick candidates for political purposes, eroding trust with the public.
A report into government appointments to boards savages the system, which it says too often allows governments to award friends or pick candidates for political purposes, eroding trust with the public.
Tens of thousands of people in four Croatian cities took to the streets on Sunday, November 30, responding to a call from the initiative [url=https://www.maz.hr/2025/11/20/mars-ujedinjeni-protiv-fasizma-30-11-2025/]United Against Fascism[/url] (Ujedinjeni
Tens of thousands of people in four Croatian cities took to the streets on Sunday, November 30, responding to a call from the initiative United Against Fascism (Ujedinjeni protiv fašizma), a broad coalition of civil society organizations and grassroots groups. Marchers in Zagreb, Rijeka, Zadar, and Pula denounced the escalating wave of far-right violence and historical revisionism, vowing to build broad resistance to trends that are encouraged and supported by the political establishment.
“We stand united against fascism because, day after day, we are not witnessing isolated outbursts, but the emergence of a blueprint – one that grows when we remain silent, gains strength when we tolerate it, and ultimately turns fear into the rule rather than the exception,” United Against Fascism declared in its call. “But when we stand together, there is no room for fear.”
United Against Fascism warned that public funds are being cut from education and violence prevention budgets while military spending rises. “Society is being led to believe that armament is the solution, that enemies surround us, and that fear is the appropriate state of mind,” the statement continued. “More and more often, security is defined through borders, military might, and ‘external threats,’ while working conditions, housing, and social rights are ignored.”
Antifascist demonstration in Rijeka, November 30, 2025. Source: United Against Fascism/Građani i građanke Rijeke Facebook
In Rijeka and Zadar, demonstrators faced coordinated attacks by right-wing groups, including members of violence-prone sports supporter factions. In Zadar, where assaults were anticipated, police intervened to push back the attackers. In Rijeka, despite the city’s reputation for tolerance and progressive-leaning politics, participants of the 2,000-strong march were targeted with pyrotechnics and confronted by men dressed in black performing fascist salutes. Police allowed them to remain nearby under “supervision,” drawing strong criticism from the organizers.
A summer of attacks
This weekend’s demonstrations were sparked by a series of far-right attacks on ethnic minorities and cultural events since the summer, a trend linked to the Croatian Democratic Union (HDZ) government’s revisionist narrative. Right wing forces in Croatia, including HDZ, have built their narrative around inciting chauvinism toward the Serb population, sustaining anti-communist animosity, and, more recently, directing public frustration over falling living standards at immigrants.
Among the most visible examples of the changing climate this year was a mass concert by right-wing singer Marko Perković Thompson in Zagreb. His performances, often banned domestically and abroad, are associated with symbols glorifying the World War II Ustaša regime. The concert in Zagreb welcomed thousands and was more or less explicitly endorsed by several senior officials, including Prime Minister Andrej Plenković.
Prompted by such signals, right-wing groups, including organizations representing veterans of the 1990s war, disrupted festivals and cultural events addressing Croatia’s antifascist legacy or including Serb voices. The attacks included the obstruction of a festival in Benkovac, a town where most of the Serb population was violently expelled in 1995. There, groups of men blocked a children’s theater performance and threatened local journalists, eventually leading to the event’s cancellation. More recently, organized mobs targeted a in Split and attempted to attack the opening of an art exhibition organized by the Serb national minority in Zagreb.
Antifascist demonstration in Pula, November 30, 2025. Source: United Against Fascism/Tedi Korodi
These incidents are a reflection of ongoing processes led by the right. For more than three decades, Croatia has suffered a historical revisionism trend aimed at erasing the antifascist legacy of socialist Yugoslavia. Among other things, since the 1990s, HDZ and other conservative forces have reshaped school curricula to minimize or remove antifascist content. At the European level, political pressures to equate communism and fascism have further normalized alternative historical narratives that rehabilitate collaborators and demonize antifascist resistance. As a result, children and youth are pushed toward right-wing ideologies and offered fabricated historical accounts.
The organization Fališ, which successfully resisted right-wing attempts to cancel its annual festival in Šibenik this summer, linked these developments to reactions to last weekend’s protests, including comments claiming that Croatia was “occupied” between 1945 and 1991. This is “the result of a political perversion that turns liberation into occupation, and the defeat of fascism into a trauma,” Fališ wrote.
“It’s a complete reversal of reality, in which the antifascist becomes the enemy, the fascist becomes a patriot, and crime becomes identity,” they continued. “This logic erases all moral compasses and shapes a society in which truth is a nuisance and lies a political currency.”
Popular resistance challenges party silence
As alarms mounted over the rising violence, state authorities downplayed the danger and offered few concrete assurances to targeted communities. But the massive turnout over the weekend appears to have rattled government figures. Prime Minister Plenković attempted to recast the demonstrations as an effort to “destabilize” his administration, while Defense Minister Ivan Anušić, widely regarded as a leading figure of HDZ’s extreme-right wing, claimed: “This was a protest against Croatia, I would say pro-Yugoslav, maybe even more extreme than pro-Yugoslav.”
Antifascist protest in Zadar, November 30, 2025. Source: United Against Fascism
Liberal parties, including social democrats and greens, also failed to take meaningful action against the growing right-wing violence. Instead, Zagreb’s Green-led city authorities acknowledged that another concert by Perković would take place at the end of the year despite recognizing possible correlations between such events and far-right mobilization.
Against this backdrop of institutional silence and complicity, protesters promised to continue building resistance. “We stand united against fascism because violence over blood cells or skin color must stop,” United Against Fascism stated. “We will not accept Serb children being attacked, insulted, or intimidated for dancing folklore. We will not accept that the presence of national minorities is treated as a provocation, or that migrants are considered less human.”
“We stand united against fascism because silence is never neutral. Silence always serves those who profit most from darkness.”
Carnivore A.D. No Profit Recordings najavljuje dolazak američkog crossover/thrash metal benda Carnivore A.D. 4. prosinca u Klubu Kotač. Podršku te večeri dat će im dark hardcore punk sastav Črnomor iz Rijeke.
from +972’s Sunday Recap +972Magazine [published in Israel] Nov. 30, 2025
Gazan analyst Muhammad Shehada examines how Israel is using the ‘Yellow Line’ to re-engineer its control over the Strip even after the ceasefire. [Podcast]
Also: * Why the death penalty would cement the Israeli radical right’s ascendancy * At settlers’ bidding, Israel arrests prominent Palestinian activist * Israel is set to destroy our guesthouse. But Masafer Yatta still welcomes all who resist * AI-powered surveillance firms are gunning for a share of the Gaza spoils
from +972’s Sunday Recap +972Magazine [published in Israel] Nov. 30, 2025
Gazan analyst Muhammad Shehada examines how Israel is using the ‘Yellow Line’ to re-engineer its control over the Strip even after the ceasefire. [Podcast]
Also: * Why the death penalty would cement the Israeli radical right’s ascendancy * At settlers’ bidding, Israel arrests prominent Palestinian activist * Israel is set to destroy our guesthouse. But Masafer Yatta still welcomes all who resist * AI-powered surveillance firms are gunning for a share of the Gaza spoils
from +972’s Sunday Recap +972Magazine [published in Israel] Nov. 30, 2025
Gazan analyst Muhammad Shehada examines how Israel is using the ‘Yellow Line’ to re-engineer its control over the Strip even after the ceasefire. [Podcast]
Also: * Why the death penalty would cement the Israeli radical right’s ascendancy * At settlers’ bidding, Israel arrests prominent Palestinian activist * Israel is set to destroy our guesthouse. But Masafer Yatta still welcomes all who resist * AI-powered surveillance firms are gunning for a share of the Gaza spoils
FBI Director Kash Patel and U.S. Attorney General Pam Bondi spent nearly $1 million in overtime pay for personnel to redact the files related to the case of late sex offender Jeffrey Epstein.
OpenAI may soon be forced to explain why it deleted a pair of controversial datasets composed of pirated books, and the stakes could not be higher.
At the heart of a class-action lawsuit from authors alleging that ChatGPT was illegally trained on their works, OpenAI’s decision to delete the datasets could end up being a deciding factor that gives the authors the win.
It’s undisputed that OpenAI deleted the datasets, known as “Books 1” and “Books 2,” prior to ChatGPT’s release in 2022. Created by former OpenAI employees in 2021, the datasets were built by scraping the open web and seizing the bulk of its data from a shadow library called Library Genesis (LibGen).
As OpenAI tells it, the datasets fell out of use within that same year, prompting an internal decision to delete them.
But the authors suspect there’s more to the story than that. They noted that OpenAI appeared to flip-flop by retracting its claim that the datasets’ “non-use” was a reason for deletion, then later claiming that all reasons for deletion, including “non-use,” should be shielded under attorney-client privilege.
To the authors, it seemed like OpenAI was quickly backtracking after the court granted the authors’ discovery requests to review OpenAI’s internal messages on the firm’s “non-use.”
In fact, OpenAI’s reversal only made authors more eager to see how OpenAI discussed “non-use,” and now they may get to find out all the reasons why OpenAI deleted the datasets.
May I interest you in the program I just wrote. I think you might like the subcommand type.
I use it to automatically copy mime types "video" and extensions ".srt" from the Torrent folder to the jellyfin folder. The other two subcommands, I use them to save user dotfiles and system config files on git
A specification for metadata of technology designs (aka Open Source Hardware), to enable indexing and searching such projects - iop-alliance/OpenKnowHow
I was so hoping to see him again, healthy. Possibly in a Cavs jersey, as the first Italian to play for Cleveland. As an Italian Cavs fan, maybe the first one, it would have been great. Good luck for your next chapter Danilo!
62K likes, 1,827 comments - danilogallogallinari on December 2, 2025: "Today, with a heart full of gratitude, I am announcing my retirement from a career I’ve always dreamed of.
Countries are looking at joint offensive cyber operations and surprise military drills as Moscow steps up its campaign to destabilize NATO allies.
Russia's drones and agents are unleashing attacks across NATO countries and Europe is now doing what would have seemed outlandish just a few years ago: planning how to hit back.
Ideas range from joint offensive cyber operations against Russia, and faster and more coordinated attribution of hybrid attacks by quickly pointing the finger at Moscow, to surprise NATO-led military exercises, according to two senior European government officials and three EU diplomats.
“The Russians are constantly testing the limits — what is the response, how far can we go?” Latvian Foreign Minister Baiba Braže noted in an interview. A more “proactive response is needed,” she told POLITICO. “And it’s not talking that sends a signal — it’s doing.”
WWII only happened because we tried to appease Hitler and let him grow stronger annexing territory rather than fighting back. It's not too late to close the Pandora's box that is Russia under Putin, but it needs to be done deliberately and forcefully.
We’ve all been donating for decades already with our outrageously expensive healthcare. It’s the trade we make for European security guarantees.
In the meantime, Europeans get to go to the hospital for free and make fun of us for the situation.
And if there is a major war, they’ll expect US soldiers to defend them. Those soldiers will get their legs blown off, and they’ll come home to little support from the VA and still no national healthcare.
You seem to think healthcare and military spending are tied together and we can only choose one. You know you're wrong so I'm gonna leave you to question yourself instead.
The idea of cyber/hybrid warfare against Russia is pretty interesting. Would be interesting at any rate to see how they like having a troll brigade stirring up their populace.
EU’s foreign policy chief Kaja Kallas said such threats posed an “extreme danger” to the bloc, arguing it must “have a strong response” to the attacks.
Last week, Italian Defense Minister Guido Crosetto slammed the continent’s “inertia” in the face of growing hybrid attacks and unveiled a 125-page plan to retaliate. In it, he suggested establishing a European Center for Countering Hybrid Warfare, a 1,500-strong cyber force, as well as military personnel specialized in artificial intelligence.
“Everybody needs to revise their security procedures,” Polish Foreign Minister Radosław Sikorski said on Nov. 20. “Russia is clearly escalating its hybrid war against EU citizens.”
Walk the talk
Despite the increasingly fierce rhetoric, what a more muscular response means is still an open question.
Part of that is down to the difference between Moscow and Brussels — the latter is more constrained by acting within the rules, according to Kevin Limonier, a professor and deputy director at the Paris-based GEODE think tank.
As much as I'd love for the EU to get its shit together right now, I have to agree with this 100%.
“This raises an ethical and philosophical question: Can states governed by the rule of law afford to use the same tools ... and the same strategies as the Russians?” he asked.
So far, countries like Germany and Romania are strengthening rules that would allow authorities to shoot down drones flying over airports and militarily sensitive objects.
National security services, meanwhile, can operate in a legal gray zone. Allies from Denmark to the Czech Republic already allow offensive cyber operations.
So, some nations (mostly those bordering on Russia) are already taking, hmm, "semi-offensive" action while we're still waiting on the EU's official response - the "walk" as opposed to the "talk".
More than 80 people killed in campaign that law-of-war experts have labeled extrajudicial murder
Defense Secretary Pete Hegseth reportedly gave a verbal order to leave no survivors behind as Donald Trump’s administration launched the first of more than a dozen attacks on alleged drug-running boats that have killed more than 80 people over the last three months.
On September 2, U.S. military personnel fired a missile striking a vessel in the Caribbean that carried 11 people accused of trafficking drugs into the United States.
When two survivors emerged from the wreckage, a Special Operations commander overseeing the attack ordered a second strike to comply with Hegseth’s instructions to “kill everybody,” according to The Washington Post, citing officials with direct knowledge of the operation.
It probably was drugs - but that is not the point. It's wildly unethical and a violation of many rules of war to simply kill people like they are doing.
We don't summarily execute people at the president's say.
We don’t summarily execute people at the president’s say.
What do you think a war is? We already set the precedent of being able to declare war on non-state actors and the War Powers act gives him the authority to start shooting without Congressional approval. Which means an American President can legally, (to the US), tell the military they need to go kill cocaine farmers until Congress passes a bill to stop him. And the President can veto that bill. Meaning the legal threshold for Congress to stop the military from killing foreigners in foreign places is the same threshold as impeaching the President.
The War Powers resolution worked as long as it did because it was actually one of many gentleman's agreements that are now defunct.
If anybody is still under the impression that someone somewhere in the chain of command might refuse illegal orders, this tells you everything you need to know
Unfortunately the US doesn't consider that one to be an illegal order. It is heartless, and unnecessary. But ever since the advent of airpower the US has maintained that planes, helicopters, and drones are not required to accept surrender because it is impractical to impossible in any given situation. So the standard is usually to keep firing. Desert Storm and Iraqi Freedom had notable exceptions with mass surrender instructions dropped beforehand. And again, I know that's not reassuring. But this is why politics isn't supposed to be a team game. This is the level of power we are making decisions on. For other things that are completely legal but most people don't realize; heavy machineguns can absolutely be used to target individual soldiers; Flamethrowers are still 100 percent legal against military targets; You can be shot after your surrender is accepted, (I'll expand below); You will be shot if you do not or cannot actively surrender; and Nobody respects the rule against shooting medics and medevacs.
To expand on the most inflammatory one, the only time you are "safe" is while you are in custody. Modern combat operations move very fast and surrendering people are often left in place after their weapons are removed/destroyed. If they don't actively surrender again to follow on forces then they are legal targets because we haven't developed psychic powers yet. This especially matters with surrendered wounded who may not be in a condition to surrender again. Shooting bodies as you advance is legal and expected in a war. You just aren't allowed to personally go back and shoot someone again without them presenting a new threat. With that information in mind you should also know the US military and any professional military sends multiple waves across a battlefield. It is incredibly lethal, by design.
I say all this not to call you out but to highlight that war is a giant bag of dicks that most people outside the military are still naïve about.
The other pressing thing here is this is an order to fire on a declared enemy, outside our border. Meaning the president signed a sheet of paper declaring them to be the enemy, Congress hasn't thrown a flag, and they are beyond the jurisdiction of law enforcement. That is very clear cut to the military. If you change any one of those 3 parameters then things go to gray zone or illegal very quickly. Someone asked me some months ago while Trump was vomiting about Greenland if the military would obey that order versus an order to hunt down and kill Americans inside America. And the answer is Greenland would be fucked but those Americans are pretty safe from the military. They are not however safe from anonymous DOJ task forces and DHS.
that's not illegal actually. if it were, administrations could try to invent felonies for opposition leaders to have committed. now this particular felon should also have been ineligible to run under the 14th amendment, but he was never charged or tried for those crimes, let alone convicted
To use force against Americans inside America without martial law, an act of Congress, or an extenuating circumstance like self defense.
Trump really pushed the envelope by ordering troops to accompany ICE raids under the authorization to guard federal property. But they still couldn't do anything but defend themselves technically. It's just that he effectively tied their self defense to the ICE agents defense. I'm pretty sure the courts knocked that one back and the military pulled back though. Which is why they've gone so hard with Border Patrol, ICE, and any volunteers from within DHS/DOJ that have badges.
That's what these court battles in Los Angeles and Chicago have been about. I've been staying very top level but suffice to say he cannot just yell martial law and charge into a blue city. Laws describe when and how it is proper to do so. The court push back is important not because we think it will restrain Trump, but because the generals are not personally loyal to Trump. As a reminder, Trump wanted to shoot Americans in his first term. It was the establishment that told him no. He tried to directly order the military and a general literally yelled at him for it.
The threat is overwhelmingly from DHS and DOJ. They have the authority, ability, and will. ICE just got funded to an amount equal the British military. The only thing missing is the volunteers and the federal law enforcement training centers have pushed back training for anyone other than ICE to handle the glut of new ICE agents. ICE's detention budget is also now far larger than the federal prison budget. They could theoretically hold about 8 percent of the US population with the budget they got.
Everyone is worried about the military while our federal law enforcement is doing military style presence patrols in Los Angeles.
I’ve been staying very top level but suffice to say he cannot just yell martial law and charge into a blue city
I want to believe you/this, but honestly laws only matter when they are enforced and so far, it looks like nobody wants to enforce them against the Orange Pedo, therefore, he is subject to no laws
The court push back is important not because we think it will restrain Trump, but because the generals are not personally loyal to Trump
What gives you this impression? I have yet to see even hesitancy from any General in following any order so far
As a reminder, Trump wanted to shoot Americans in his first term. It was the establishment that told him no. He tried to directly order the military and a general literally yelled at him for it.
Yes but this second term is something else, everybody fell in line and the idiot king has SCOTUS bought and paid for
Everyone is worried about the military while our federal law enforcement is doing military style presence patrols in Los Angeles.
This has not been adjudicated by anyone. You can say "the US doesn't consider it to be an illegal order". Maybe there is some JAG letter somewhere that says helicopters are not required to accept surrender. But there is nothing that precludes trying everyone involved for war crimes.
Oh it's definitely been US policy for decades. The videos are out there. If you want to talk about what constitutes being "out of combat" and whether the Hague would take the case it could certainly be an interesting exercise. However I doubt the Hague would take it up and neither the Department of Justice nor the military courts are going to take it up without a directive from the President. Democrats aren't going to fall all over themselves to give that directive either though because it would mean Biden and Obama also officially presided over a regime of war crimes.
At the end of the day it comes down to the US having X policy that lies in a gray area of international law. Which leads me to another Bush era policy that we've never really rescinded. If you're not a uniformed soldier in service to an enemy country the US doesn't consider you to have the protections that a soldier would have after surrendering. It was a neat little policy that we used to allow ourselves to torture people labeled terrorists. So yeah that's another thing I expect to hear in the next few days, "cartel members are unlawful combatants."
There was the one high profile commander who stepped down du to this. Wish more would follow suit since it’s technically illegal for all involved to disobey orders unless they all do so collectively.
Yes. If Americans haven't proved they're generally racist and Nationalistic, I don't know what else it would take.
It sounds like you're trying to make a gotcha, but it's quite fair to say a member of the military who murders Venezuelans at whim may still balk if ordered to kill white American.
The us said it would invade the Hague of anyone were tried and attempted to be put on trial.
"all means necessary and appropriate to bring about the release of any U.S. or allied personnel being detained or imprisoned by, on behalf of, or at the request of the International Criminal Court"
Dont worry everyone. Republicans will praise the pedophile and friends through tweets. The Democrats will post a mildly worded tweet. No one will actually do anything.
11 people? There were 11 people on the boat? There's no fucking way that was a drug smuggling boat. 11 people means at least nine people's worth of weight that can't be dedicated to drugs.
every American is going to hell for the murders of our elected officials are committing . i hope the deaths that are happening is not tolerated by god if he really exists.
Our ancestors didn't defy kings, battle their own wayward countrymen, charge trenches, and rush fortified beaches headlong into the jaws of death. . .
**. . .for. This. Whatever the disgraceful hell this is.**
About now, every real patriot for what's good about this country should feel a profound and gnawing agony at every passing day these monsters aren't held to account and rendered incapable of further harm to humanity, whatever form that would take.
We need to make it loud and clear that if "the other team" in places of power doesn't use every single tool at their disposal to end this threat IMMEDIATELY, they are complicit fools and will be held accountable as accomplices to whatever untold horrors would await us, should we refuse to hold the line.
Should the orange cancer expect sternly written letters off displeasure (that are written at an adult comprehension level and not written in crayon, leading to him disregarding them ofc)?
As I understand, not a single one of these boats were even remotely capable of making it to America to begin with. Not without refueling, which isn’t likely that we’re set up for it.
This was all a coordinated targeted mass murder right in front of our faces and they need to be tried and punished for every one.
What is the difference between the US military, the Israeli Defense Forces (IDF), and Hamas? The US military is the most effective, the Israeli Defense Forces are less effective than the US military, but much more than Hamas, Hamas is the least effective. Okay, the Russian military is probably the least effective. Let me rephrase this. To someone, someone's hero is a terrorist. And vice versa. If a military force can kill without accountability, it is a terrorist organization, like Hamas or the IDF.
As the holiday season looms into view with Black Friday, one category on people’s gift lists is causing increasing concern: products with artificial intelligence.
The development has raised new concerns about the dangers smart toys could pose to children, as consumer advocacy groups say AI could harm kids’ safety and development. The trend has prompted calls for increased testing of such products and governmental oversight.
Last week, those fears were given brutal justification when an AI-equipped teddy bear started discussing sexually explicit topics.
The product, FoloToy’s Kumma, ran on an OpenAI model and responded to questions about kink. It suggested bondage and roleplay as ways to enhance a relationship, according to a report from the Public Interest Research Group (Pirg), the consumer protection organization behind the study (pdf link).
“It took very little effort to get it to go into all kinds of sexually sensitive topics and probably a lot of content that parents would not want their children to be exposed to,” said Teresa Murray, Pirg consumer watchdog director.
Oh man, who sells these toys so I can make sure to avoid them? Like, which website specifically There are so many, oh man! It’s so hard to know which specific one to avoid! And also, how do I make sure they can’t be modified to accept a fleshlight? You know, just to make extra sure I don’t get a slutty slop hole of a filth spewing teddy bear that will take on all-comers. No one wants that! That would be disgusting.
The news interview Shirley Beswitch of White Plains, New York to ask her why she bought her 3 year old son an ai teddy bear for Christmas this year
"I base my entire identity around the thing I squeezed out of me a few years ago, but I'm not willing to put any actual work into it, you know? Well, except for bitching online constantly about how other people aren't working to create a safer world for My kid"
When asked if she had any concerns about reported issues with the toys, such as inappropriate comments and surveillance, Shirley said:
"Surveillance isn't real. Plus it doesn't matter if someone knows every intimate detail of my life. Sure I'm an immigrant but I did it right, and my son was born here in America, so it's a non issue"
So far all my setups have had root on SSD mirror with separate hard disk storage pool for all the data. Years ago I used to keep the app config, databases and docker files on the root filesystem, while the app data resided on the storage pool. That was cumbersome for backups and storage size. Eventually I moved all app data to the storage pool. Essentially the apps can be started on any machine with a Linux OS that has docker installed. Database access is slower but it's a decent compromise for having trivial all-in-one snapshots and backup. Now I'm setting up a new NAS for a friend and I'm wondering whether it's worth keeping the root filesystem separate from the storage pool. If I put it on the disks, I'd get trivial full system snapshots and backups. I'd have the same hardware reliability as the storage pool. There wouldn't be issues with root filling up. The caveat is that the OS would be slower. Has anyone reasoned and/or tried this? Should I go for it?
E: I recently put my laptop's root on ZFS and the ability to do full backups while the system is running is pretty great. The full system can be pretty trivialy restored to a new drive with zfs send / recv during setup.
I got into the self-hosting scene this year when I wanted to start up my own website run on old recycled thinkpad. A lot of time was spent learning about ufw, reverse proxies, header security hardening, fail2ban.
Despite all that I still had a problem with bots knocking on my ports spamming my logs. I tried some hackery getting fail2ban to read caddy logs but that didnt work for me. I nearly considered giving up and going with cloudflare like half the internet does. But my stubbornness for open source self hosting and the recent cloudflare outages this year have encouraged trying alternatives.
Coinciding with that has been an increase in exposure to seeing this thing in the places I frequent like codeberg. This is Anubis, a proxy type firewall that forces the browser client to do a proof-of-work security check and some other nice clever things to stop bots from knocking. I got interested and started thinking about beefing up security.
I'm here to tell you to try it if you have a public facing site and want to break away from cloudflare It was VERY easy to install and configure with caddyfile on a debian distro with systemctl. In an hour its filtered multiple bots and so far it seems the knocks have slowed down.
My botspam woes have seemingly been seriously mitigated if not completely eradicated. I'm very happy with tonights little security upgrade project that took no more than an hour of my time to install and read through documentation. Current chain is caddy reverse proxy -> points to Anubis -> points to services
The front page of the web site is excellent. It describes what it does, and it does its feature set in quick, simple terms.
I can't tell you how many times I've gone to a website for some open-source software and had no idea what it was or how it was trying to do it. They often dive deep into the 300 different ways of installing it, tell you what the current version is and what features it has over the last version, but often they just assume you know the basics.
It looks like it might be; I just know someone that has a site using it and they use a different mascot, so I thought it would have been trivial. I kind of wonder why it wouldn't be possible to just docker bind mount a couple images into the right path, but I'm guessing maybe they obfuscate/archive the file they're reading from or something?
Not idol worship, rather, it's silly to complain about JS when tools like NoScript allow you to selectively choose what runs instead of guessing what it is. It's simply a documentation page like it says on the URL. I mean, they're incredibly tame on the danger scale to leave your guard all the way up and instead take a jab at the entire community that had nothing to do with your personal choices.
It gets quite silly when you blame the entire dev community for supposedly downvoting you over ideals rather than being overly strict about them. I also prefer HTML-first and think it should be the norm, but I draw the line somewhere reasonable.
I can’t get to that page, so I asked a question
Yeah, and you can run the innocuous JS or figure out what it is from the URL. You're tying your own hands while dishing it out to everyone else.
You know the thing is that they know the character is a problem/annoyance, thats how they grease the wheel on selling subscription access to a commecial version with different branding.
If you want to use Anubis but organizational policies prevent you from using the branding that the open source project ships, we offer a commercial version of Anubis named BotStopper. BotStopper builds off of the open source core of Anubis and offers organizations more control over the branding, including but not limited to:
Custom images for different states of the challenge process (in process, success, failure)
Custom CSS and fonts
Custom titles for the challenge and error pages
"Anubis" replaced with "BotStopper" across the UI
A private bug tracker for issues
In the near future this will expand to:
A private challenge implementation that does advanced fingerprinting to check if the client is a genuine browser or not
Email sales@techaro.lol with your requirements for invoicing, please note that custom invoicing will cost more than using GitHub Sponsors for understandable overhead reasons
:::
I have to respect the play tbh its clever. Absolutely the kind of greasy shit play that Julian from the trailer park boys would do if he were an open source developer.
I've never had any issues on my phone using Fennec or Firefox. I don't have many addons installed apart from uBlock Origin. I wouldn't be surprised if some privacy addons cause issues with Anubis though.
Anubis is an elegant solution to the ai bot scraper issue, I just wish the solution to everything wasn't just spending compute everywhere. In a world where we need to rethink our energy consumption and generation, even on clients, this is a stupid use of computing power.
It also doesn’t function without JavaScript. If you’re security or privacy conscious chances are not zero that you have JS disabled, in which case this presents a roadblock.
On the flip side of things, if you are a creator and you’d prefer to not make use of JS (there’s dozens of us) then forcing people to go through a JS “security check” feels kind of shit. The alternative is to just take the hammering, and that feels just as bad.
No hate on Anubis. Quite the opposite, really. It just sucks that we need it.
I feel comfortable hating on Anubis for this. The compute cost per validation is vanishingly small to someone with the existing budget to run a cloud scraping farm, it’s just another cost of doing business.
The cost to actual users though, particularly to lower income segments who may not have compute power to spare, is annoyingly large. There are plenty of complaints out there about Anubis being painfully slow on old or underpowered devices.
Some of us do actually prefer to use the internet minus JS, too.
Plus the minor irritation of having anime catgirls suddenly be a part of my daily browsing.
Theres a compute option that doesnt require javascript. The responsibility lays on site owners to properly configure IMO, though you can make the argument its not default I guess.
The metarefresh challenge sends a browser a much simpler challenge that makes it refresh the page after a set period of time. This enables clients to pass challenges without executing JavaScript.
To use it in your Anubis configuration:
# Generic catchall rule
- name: generic-browser
user_agent_regex: >-
Mozilla|Opera
action: CHALLENGE
challenge:
difficulty: 1 # Number of seconds to wait before refreshing the page
algorithm: metarefresh # Specify a non-JS challenge method
This is not enabled by default while this method is tested and its false positive rate is ascertained. Many modern scrapers use headless Google Chrome, so this will have a much higher false positive rate. :::
Yeah I actually use the noscript extension and i refuse to just whitelist certain sites unless I'm very certain I trust them.
I run into Anubis checks all the time and while I appreciate the software, having to consistently temporarily whitelist these sites does get cumbersome at times. I hope they make this noJS implementation the default soon.
Most of the Anubis encounters I have are to redlib instances that are shuffled around, go down all the time, and generally are more ephemeral than other sites. Because I use another extension called Libredirect to shuffle which redlib instance I visit when clicking on a reddit link, I don't bother whitelisting them permanently.
I already have solved this on my desktop by self hosting my own redlib instance via localhost and using libredirect to just point there, but on my phone I still do the whole nojs temp unblock random redlib instance. Eventually I plan on using wireguard to host a private redlib instance on a vps so I can just not deal with this.
This is a weird case I know, but its honestly not that bad.
if you are a creator and you’d prefer to not make use of JS (there’s dozens of us) then forcing people to go through a JS “security check” feels kind of shit. The alternative is to just take the hammering, and that feels just as bad.
I'm with you here. I come from an older time on the Internet. I'm not much of a creator, but I do have websites, and unlike many self-hosters I think, in the spirit of the internet, they should be open to the public as a matter of principle, not cowering away for my own private use behind some encrypted VPN. I want it to be shared. Sometimes that means taking a hammering. It's fine. It's nothing that's going to end the world if it goes down or goes away, and I try not to make a habit of being so irritating that anyone would have much legitimate reason to target me.
I don't like any of these sort of protections that put the burden onto legitimate users. I get that's the reality we live in, but I reject that reality, and substitute my own. I understand that some people need to be able to block that sort of traffic to be able to limit and justify the very real costs of providing services for free on the Internet and Anubis does its job for that. But I'm not one of those people. It has yet to cost me a cent above what I have already decided to pay, and until it does, I have the freedom to adhere to my principles on this.
To paraphrase another great movie: Why should any legitimate user be inconvenienced when the bots are the ones who suck. I refuse to punish the wrong party.
Scarcity is what powers this type of challenge: you have to prove you spent a certain amount of electricity in exchange for access to the site, and because electricity isn't free, this imposes a dollar cost on bots.
You could skip the detour through hashes/electricity and do something with a proof-of-stake cryptocurrency, and just pay for access. The site owner actually gets compensated instead of burning dead dinosaurs.
Obviously there are practical roadblocks to this today that a JavaScript proof-of-work challenge doesn't face, but longer term...
The cost here only really impacts regular users, too. The type of users you actually want to block have budgets which easily allow for the compute needed anyways.
Yeah, exactly. A regular user isn't going to notice an extra few cents on their electricity bill (boiling water costs more), but a data centre certainly will when you scale up.
You could skip the detour through hashes/electricity and do something with a proof-of-stake cryptocurrency, and just pay for access. The site owner actually gets compensated instead of burning dead dinosaurs.
Maybe if the act of transferring crypto didn't use a comparable or greater amount of energy...
That's why I specified a proof-of-stake cryptocurrency. They use so much less energy that it is practically negligible in comparison, and more on the order of traditional online transactions.
I think the issue is that many sites are too aggressive with it. Anubis can be configured to only ask for challenges if the site is under unusual load, for instance when a botnet it's actually ddosing the site. That's when it shines.
Making it constantly ask for challenges when the service is not under attack is just a massive waste of energy. And many sites just enable it constantly because they can defer bot pings from their logs that way. That's for instance what op is doing. It's just a big misunderstanding of the tool.
This post is a bit critical of a small well-intentioned project, so I felt obliged to email the maintainer to discuss it before posting it online. I didn’t hear back.
i used to watch the dev on mastodon, they seemed pretty radicalized on killing AI, and anyone who uses it (kidding!!) i'm not even surprised you didn't hear back
great take on the software, and as far as i can tell, playwright still works/completes the unit of work. at scale anubis still seems to work if you have popular content, but does hasnt stopped me using claude code + virtual browsers
im not actively testing it though. im probably very wrong about a few things, but i know anubis isn't hindering my personal scraping, it does fuck up perplexity and chatgpt bots, which is fun to see.
I have a server running a few tiny web sites, so I am considering this, but I'm always concerned about the possibility that adding more things to it could make it less secure, versus more. Thanks for any thoughts.
Security issues are always a concern the question is how much. Looking at it they seem to at most be ways to circumvent the Anubis redirect system to get to your page using very specific exploits. These are marked as m low to moderate priority and I do not see anything that implies like system level access which is the big concern. Obviously do what you feel is best but IMO its not worth sweating about. Nice thing about open source projects is that anyone can look through and fix, if this gets more popular you can expect bug bounties and professional pen testing submissions.
This isn't really a security issue as much as it is a DDOS issue.
Imagine you own a brick and mortar store. And periodically one thousand fucking people sprint into your store and start recording the UPCs on all the products, knocking over every product in the store along the way. They don't buy anything, they're exclusively there to collect information from your store which they can use to grift investors and burn precious resources, and if they fuck your shit up in the process, that's your problem.
This bot just sits at the door and ensures the people coming in there are actually shoppers interested in the content of some items of your store.
I don't know if "anything". But surely people overestimate its capabilities.
It's only a PoW challenge. Any bot can execute a PoW challenge. For a smal to medium number of bots the energy difference it's negligible.
Anubis it's useful when millions of bots would want to attack a site. Then the energy difference of the PoW (specially because Anubis increase the challenge if there's a big number of petitions) can be enough to make the attacker desist, or maybe it's not enough, but at least then it's doing something.
I see more useful against DDOS than AI scrapping. And only if the service being DDOS is more heavy than Anubis itself, if not you can get DDOS via anubis petitions. For AI scrapping I don't see the point, you don't need millions of bots to scrape a site unless you are talking about a massively big site.
I have a script that watches apache or caddy logs for poison link hits and a set of bot user agents, adding IPs to an ipset blacklist, blocking with iptables. I should polish it up for others to try. My list of unique IPs is well over 10k in just a few days.
git repos seem to be real bait for these damn AI scrapers.
This is the way. I also have rules for hits to url, without a referer, that should never be hit without a referer, with some threshold to account for a user hitting F5. Plus a whitelist of real users (ones that got a 200 on a login endpoint). Mostly the Huawei and Tencent crawlers have fake user agents and no referer. Another thing crawlers don't do is caching. A user would never download that same .js file 100s of times in a hour, all their devices' browsers would have cached it. There's quite a lot of these kinds of patterns that can be used to block bots. Just takes watching the logs a bit to spot them.
Then there's ratelimiting and banning ip's that hit the ratelimit regularly. Use nginx as a reverse proxy, set rate limits for URLs where it makes sense, with some burst set, ban IPs that got rate-limited more than x times in the past y hours based on the rate limit message in the nginx error.log. Might need some fine tuning/tweaking to get the thresholds right but can catch some very spammy bots. Doesn't help with those that just crawl from 100s of ips but only use each ip once every hour, though.
Ban based on the bot user agents, for those that set it. Sure, theoretically robots.txt should be the way to deal with that, for well behaved crawlers, but if it's your homelab and you just don't want any crawlers, might as well just block those in the firewall the first time you see them.
Downloading abuse ip lists nightly and banning those, that's around 60k abusive ip's gone. At that point you probably need to use nftables directly though instead of iptables or going through ufw, for the sets, as having 60k rules would be a bad idea.
there's lists of all datacenter ip ranges out there, so you could block as well, though that's a pretty nuclear option, so better make sure traffic you want is whitelisted. E.g. for lemmy, you can get a list of the ips of all other instances nightly, so you don't accidentally block them. Lemmy traffic is very spammy…
there's so much that can be done with f2b and a bit of scripting/writing filters
You mean for the referer part? Of course you don't want it for all urls and there's some legitimate cases. I have that on specific urls where it's highly unlikely, not every url. E.g. a direct link to a single comment in lemmy, and whitelisting logged-in users. Plus a limit, like >3 times an hour before a ban. It's already pretty unusual to bookmark a link to a single comment
It's a pretty consistent bot pattern, they will go to some subsubpage with no referer with no prior traffic from that ip, and then no other traffic from that ip after that for a bit (since they cycle though ip's on each request) but you will get a ton of these requests across all ips they use. It was one of the most common patterns i saw when i followed the logs for a while.
of course having some honeypot url in a hidden link or something gives more reliable results, if you can add such a link, but if you're hosting some software that you can't easily add that to, suspicious patterns like the one above can work really well in my experience. Just don't enforce it right away, have it with the 'dummy' action in f2b for a while and double check.
And I mostly intended that as an example of seeing suspicious traffic in the logs and tailoring a rule to it. Doesn't take very long and can be very effective.
I've repeatedly stated this before: Proof of Work bot-management is only Proof of Javascript bot-management. It is nothing to a headless browser to by-pass. Proof of JavaScript does work and will stop the vast majority of bot traffic. That's how Anubis actually works. You don't need to punish actual users by abusing their CPU. POW is a far higher cost on your actual users than the bots.
Last I checked Anubis has an JavaScript-less strategy called "Meta Refresh". It first serves you a blank HTML page with a <meta> tag instructing the browser to refresh and load the real page. I highly advise using the Meta Refresh strategy. It should be the default.
I'm glad someone is finally making an open source and self hostable bot management solution. And I don't give a shit about the cat-girls, nor should you. But Techaro admitted they had little idea what they were doing when they started and went for the "nuclear option". Fuck Proof of Work. It was a Dead On Arrival idea decades ago. Techaro should strip it from Anubis.
I haven't caught up with what's new with Anubis, but if they want to get stricter bot-management, they should check for actual graphics acceleration.
Funnily enough, PoW was a hot topic in academia around the late 90s / early 2000, and it's somewhat clear that the autor of Anubis has not read much about the discussion back then.
There was a paper called "Proof of work does not work" (or similar, can't be bothered to look it up) that argued that PoW can not work for spam protection, because you have to support both low-powered consumer devices while blocking spammers with heavy hardware. And that is very valid concern. Then there was a paper arguing that PoW can still work, as long as you scale the difficulty in such a way that a legit user (e.g. only sending one email) has a low difficulty, while a spammer (sending thousands of emails) has a high difficulty.
The idea of blocking known bad actors actually is used in email quite a lot in forms of DNS block lists (DNSBLs) such as spamhaus (this has nothing to do with PoW, but such a distributed list could be used to determine PoW difficulty).
Anubis on the other hand does nothing like that and a bot developed to pass Anubis would do so trivially.
At least in the beginning the scrapers just used curl with a different user agent. Forcing them to use a headless client is already a 100x increase in resources for them. That in itself is already a small victory and so far it is working beautifully.
Well in most cases it would by Python requests not curl. But yes, forcing them to use a browser is the real cost. Not just in CPU time but in programmer labor. PoW is overkill for that though.
Then there was a paper arguing that PoW can still work, as long as you scale the difficulty in such a way that a legit user
Telling a legit user from a fake user is the entire game. If you can do that you just block the fake user. Professional bot blockers like Cloudflare or Akamai have machine learning systems to analyze trends in network traffic and serve JS challenges to suspicious clients. Last I checked, all Anubis uses is User-Agent filters, which is extremely behind the curve. Bots are able to get down to faking TLS fingerprints and matching them with User-Agents.
POW is a far higher cost on your actual users than the bots.
That sentence tells me that you either don't understand or consciously ignore the purpose of Anubis. It's not to punish the scrapers, or to block access to the website's content. It is to reduce the load on the web server when it is flooded by scraper requests. Bots running headless Chrome can easily solve the challenge, but every second a client is working on the challenge is a second that the web server doesn't have to waste CPU cycles on serving clankers.
POW is an inconvenience to users. The flood of scrapers is an existential threat to independent websites. And there is a simple fact that you conveniently ignored: it fucking works.
Its like you didn't understand anything I said. Anubis does work. I said it works. But it works because most AI crawlers don't have a headless browser to solve the PoW. To operate efficiently at the high volume required, they use raw http requests. The vast majority are probably using basic python requests module.
You don't need PoW to throttle general access to your site and that's not the fundamental assumption of PoW. PoW assumes (incorrectly) that bots won't pay the extra flops to scrape the website. But bots are paid to scape the website users aren't. They'll just scale horizontally and open more parallel connections. They have the money.
You are arguing a strawman. Anubis works because because most AI scrapers (currently) don't want to spend extra on running headless chromium, and because it slightly incentivises AI scrapers to correctly identify themselves as such.
Most of the AI scraping is frankly just shoddy code written by careless people that don't want to ddos the independent web, but can't be bothered to actually fix that on their side.
You are arguing a strawman. Anubis works because because most AI scrapers (currently) don’t want to spend extra on running headless chromium
WTF, That's what I already said? That was my entire point from the start!? You don't need PoW to force headless usage. Any JavaScript challenge will suffice. I even said the Meta Refresh challenge Anubis provides is sufficient and explicitly recommended it.
And how do you actually check for working JS in a way that can’t be easily spoofed? Hint: PoW is a good way to do that.
Accessing the browsers API in any way is way harder to spoof than some hashing. I already suggested checking if the browser has graphics acceleration. That would filter out the vast majority of headless browsers too. PoW is just math and is easy to spoof without running any JavaScript. You can even do it faster than real JavaScript users something like Rust or C.
Meta refresh is a downgrade in usability for everyone but a tiny minority that has disabled JS.
What are you talking about? It just refreshes the page without doing any of the extra computation that PoW does. What extra burden does it put on users?
If you check for GPU (not generally a bad idea) you will have the same people that currently complain about JS, complain about this breaking with their anti-fingerprinting browser addons.
But no, you can't spoof PoW obviously, that's the entire point of it. If you do the calculation in Javascript or not doesn't really matter for it to work.
In the current shape Anubis has zero impact on usability for 99% of the site visitors, not so with meta refresh.
You will have people complain about their anti-fingerprinting being blocked with every bot-managment solution. Your ability to navigate the internet anonymously is directly correlated with a bots ability to scrape. That has never been my complaint about Anubis.
My complaint is that the calculations Anubis forces you to do are absolutely negligible burden for a bot to solve. The hardest part is just having a JavaScript interpreter available. Making the author of the scraper write custom code to deal with your website is the most effective way to prevent bots.
Think about how much computing power AI data centers have. Do you think they give a shit about hashing some values for Anubis? No. They burn more compute power than a thousand Anubis challenges generating a single llm answer. PoW is a backwards solution.
Please Think. Captchas worked because they're supposed to be hard for a computer to solve but are easy for a human. PoW is the opposite.
In the current shape Anubis has zero impact on usability for 99% of the site visitors, not so with meta refresh.
Again, I ask you: What extra burden does meta-refresh impose on users? How does setting a cookie and immediately refreshing the page burden the user more than making them wait longer while draining their battery before doing the exact same thing? Its strictly less intrusive.
No one is disputing that in theory (!) Anubis offers very little protection against an adversary that specifically tries to circumvent it, but we are dealing with an elephant in the porcelain shop kind of situation. The AI companies simply don't care if they kill off small independently hosted web-applications with their scraping and Anubis is the mouse that is currently sufficient to make them back off.
And no, forced site reloads are extremely disruptive for web-applications and often force a lot of extra load for re-authentication etc. It is not as easy as you make it sound.
Anubis forces the site to reload when doing the normal PoW challenge! Meta Refresh is a sufficient mouse to block 99% of all bot traffic without being any more burdensome than PoW.
You've failed to demonstrate why meta-refresh is more burdensome than PoW and have pivoted to arguing the point I was making from the start as though it was your own. I'm not arguing with you any further. I'm satisfied that I've convinced any readers of our discussion.
Heads up, you’re really invested in arguing with someone who does not appear to be arguing in good faith. Just block them and move on, you will be a happier person for it.
Something that hasn't been mentioned much in discussions about Anubis is that it has a graded tier system of how sketchy a client is and changing the kind of challenge based on a a weighted priority system.
The default bot policies it comes with has it so squeaky clean regular clients are passed through, then only slightly weighted clients/IPs get the metarefresh, then its when you get to moderate-suspicion level that JavaScript Proof of Work kicks. The bot policy and weight triggers for these levels, challenge action, and duration of clients validity are all configurable.
It seems to me that the sites who heavy hand the proof of work for every client with validity that only last every 5 minutes are the ones who are giving Anubis a bad wrap. The default bot policy settings Anubis comes with dont trigger PoW on the regular Firefox android clients ive tried including hardened ironfox. meanwhile other sites show the finger wag every connection no matter what.
Its understandable why some choose strict policies but they give the impression this is the only way it should be done which Is overkill. I'm glad theres config options to mitigate impact normal user experience.
Anubis is that it has a graded tier system of how sketchy a client is and changing the kind of challenge based on a a weighted priority system.
Last I checked that was just User-Agent regexes and IP lists. But that's where Anubis should continue development, and hopefully they've improved since. Discerning real users from bots is how you do proper bot management. Not imposing a flat tax on all connections.
A HTTP get request is a few hundred bytes. The response is 28KB. Thats 280x. If a large botnet wanted to denial of service an Anubis protected site, requesting that image could be enough.
Ideally, Anubis should serve as little data as possible until the POW is completed. Caching the POW algorithm (and the image) to a CDN would also mitigate the issue.
Definitely, which is why i suggested hosting the image + js on a CDN. Keeps brand awareness, and lets the CDN take the brunt of any malicious activity. with a bit of code-golfing, the data served by Anubis directly prior to POW could be a few hundred bytes, without impacting its functionality.
I dunno that is true, nothing in the docs indicates that it is explicitly anti-CDN. And using a CDN for a static javascript resource and an image isn't the same as running the entire site through a CDN proxy.
At the time of commenting, this post is 8h old. I read all the top comments, many of them critical of Anubis.
I run a small website and don't have problems with bots. Of course I know what a DDOS is - maybe that's the only use case where something like Anubis would help, instead of the strictly server-side solution I deploy?
I use CrowdSec (it seems to work with caddy btw). It took a little setting up, but it does the job. (I think it's quite similar to fail2ban in what it does, plus community-updated blocklists)
Am I missing something here? Why wouldn't that be enough? Why do I need to heckle my visitors?
Despite all that I still had a problem with bots knocking on my ports spamming my logs.
By the time Anubis gets to work, the knocking already happened so I don't really understand this argument.
If the system is set up to reject a certain type of requests, these are microsecond transactions of no (DDOS exception) harm.
If crowdsec works for you thats great but also its a corporate product whos premium sub tier starts at 900$/month not exactly a pure self hosted solution.
I'm not a hypernerd, still figuring all this out among the myriad of possible solutions with different complexity and setup times. All the self hosters in my internet circle started adopting anubis so I wanted to try it. Anubis was relatively plug and play with prebuilt packages and great install guide documentation.
Allow me to expand on the problem I was having. It wasnt just that I was getting a knock or two, its that I was getting 40 knocks every few seconds scraping every page and searching for a bunch that didnt exist that would allow exploit points in unsecured production vps systems.
On a computational level the constant network activity of bytes from webpage, zip files and images downloaded from scrapers pollutes traffic. Anubis stops this by trapping them in a landing page that transmits very little information from the server side. By traping the bot in an Anubis page which spams that 40 times on a single open connection before it gives up, it reduces overall network activity/ data transfered which is often billed as a metered thing as well as the logs.
And this isnt all or nothing. You don't have to pester all your visitors, only those with sketchy clients. Anubis uses a weighted priority which grades how legit a browser client is. Most regular connections get through without triggering, weird connections get various grades of checks by how sketchy they are. Some checks dont require proof of work or JavaScript.
On a psychological level it gives me a bit of relief knowing that the bots are getting properly sinkholed and I'm punishing/wasting the compute of some asshole trying to find exploits my system to expand their botnet. And a bit of pride knowing I did this myself on my own hardware without having to cop out to a corporate product.
Its nice that people of different skill levels and philosophies have options to work with. One tool can often complement another too. Anubis worked for what I wanted, filtering out bots from wasting network bandwith and giving me peace of mind where before I had no protection. All while not being noticeable for most people because I have the ability to configure it to not heckle every client every 5 minutes like some sites want to do.
If crowdsec works for you thats great but also its a corporate product
It's also fully FLOSS with dozens of contributors (not to speak of the community-driven blocklists). If they make money with it, great.
not exactly a pure self hosted solution.
Why? I host it, I run it. It's even in Debian Stable repos, but I choose their own more up-to-date ones.
Allow me to expand on the problem I was having. It wasnt just that I was getting a knock or two, its that I was getting 40 knocks every few seconds scraping every page and searching for a bunch that didnt exist that would allow exploit points in unsecured production vps systems.
Again, a properly set up WAF will deal with this pronto
You should not have exploit points in unsecured production systems, full stop.
On a computational level the constant network activity of bytes from webpage, zip files and images downloaded from scrapers pollutes traffic. Anubis stops this by trapping them in a landing page that transmits very little information from the server side.
And instead you leave the computations to your clients. Which becomes a problem on slow hardware.
Again, with a properly set up WAF there's no "traffic pollution" or "downloading of zip files".
Anubis uses a weighted priority which grades how legit a browser client is.
And apart from the user agent and a few other responses, all of which are easily spoofed, this means "do some javascript stuff on the local client" (there's a link to an article here somewhere that explains this well) which will eat resources on the client's machine, which becomes a real pita on e.g. smartphones.
Also, I use one of those less-than-legit, weird and non-regular browsers, and I am being punished by tools like this.
All the self hosters in my internet circle started adopting anubis so I wanted to try it. Anubis was relatively plug and play with prebuilt packages
edit: I feel like this part of OP's argument needs to be pointed out, it explains so much:
All the self hosters in my internet circle started adopting anubis so I wanted to try it. Anubis was relatively plug and play with prebuilt packages
Mmm how to say this. i suppose what I'm getting at is like a philosophy of development and known behaviors of corporate products.
So, here's what I understand about crowdsec. Its essentially like a centralized collection of continuously updated iptable rules and botscanning detectors that clients install locally.
In a way its crowd sourcing is like a centralized mesh network each client is a scanner node which phones home threat data to the corporate home which updates that.
Notice the optimal word, centralized. The company owns that central home and its their proprietary black box to do what they want with. And so you know what for profit companies like to do to their services over time? Enshittify them by
adding subscription tier price models
putting once free features behind paywalls,
change data sharing requirements as a condition for free access
restricting free api access tighter and tighter to encourage paid tiers,
making paid tiers cost more to do less.
Intentionally ruining features in one service to drive power users to use a different.
They can and do use these tactics to drive up profit or reduce overhead once a critical mass has been reached. I do not expect alturism and respect for usersfrom corporations, I expect bean counters using alturism as a vehicle to attract users in the growing phase and then flip the switch in their tos to go full penny pinching once they're too big to fail.
::: spoiler Crowdsecs pricing updates from last year CrowdSec updated pricing policy
Hi everyone,
Our former pricing model led to some incomprehensions and was sub-optimal for some use-cases.
We remade it entirely here. As a quick note, in the former model, one never had to pay $2.5K to get premium blocklists. This was Support for Enterprise, which we poorly explained. Premium blocklists were and are still available from the premium SaaS plan, accessible directly from the SaaS console.
Here are the updates:
Security Engine: All its embedded features (IDS, IPS and WAF) were, are and will remain free.
SAAS: The free plan offers up to three silver-grade blocklists (on top of receiving IP related to signals your security engines share). Premium plans can use any free, premium and gold-grade blocklists. Previously, we had a premium and an enterprise plan with more features. All features are now merged into a unique SaaS enterprise plan. The one starting at $31/month. As before, those are available directly from the SaaS console page: app.crowdsec.net
SUPPORT: The $2.5K (which were mostly support for Enterprise) are now becoming optional. Instead, a client can contract $1K for Emergency bug & security fixes and $1K for support if they want to.
BLOCKLISTS: Very specific (country targeted, industry targeted, stack targeted, etc.) or AI-enhanced are now nested in a different offer named "Platinum blocklists subscription". You can subscribe to them, regardless of whether you use the FOSS Security Engine or not. They can be joined, tuned, and injected directly into most firewalls with regular automatic remote updates of their content. As long as you do not resell them (meaning you are the final client), you can use the subscription in any part of your company.
CTI DATA: They can be consumed through API keys with associated quotas. These are affordable and intended for use in tools like OpenCTI, MISP, The Hive, Xsoar, etc. Costs are in the range of hundreds of dollars per month. The Full CTI database can also be locally replicated at your place and constantly synced for deltas. Those are the largest plans we have, and they are usually destined to L/XL enterprises, governmental bodies, OEM & hardware vendors.
Whilst I'm pleased to see it made clearer, £290 a year for each security engine is still far too expensive for me to consider it. 2 u/GuitarEven avatar GuitarEven • 1y ago
We get that £290 is too high for individual home labs. Those offers are made for companies. Free tier features should cover homelabs correctly.
Features that are oriented for enterprise clients. If a company cannot invest $300 yearly in its security, no judgment and the free tier will still be very helpful until it recovers some budget margins to strengthen its security posture. 4
[deleted]• 1y ago
Any idea why we dont have any good free / freemium (max $5 per month) app yet. Reason am asking - adguard, urigin etc had filters which matches js/domains and filters them out. Same logic can be applied atleast for the ip lists - so that these ips cann be added to iptables to block. A lot of things are easy to make. The tough ones are things like scenarios and may be ssh bw etc. I wonder why no real competition. 1 u/GuitarEven avatar GuitarEven • 1y ago
hi u/ElizabethThomas44
Well you actually do. To date, for free, you get: * the security engine (IDS/IPS/WAF) * all scenarios * the blocklist of IPs you are participating to detect when you use scenarios and share signals * the free tier of the console
The IPs you automatically get for free are already added to your nftables or iptables using the related remediation component.
<TL/DR> You already have it.
(damn, personal reddit account, sorry, this is Philippe@CrowdSec) 4
:::
At the end of the day its not the thousands of anonymous users contributing their logs or Foss voulenteers on git getting a quarterly payout. They're the product and free compute + live action pen testing ginnea pigs, no matter what PR they spin saying how much they care about the security of the plebs using their network for free.
Its always about maximizing the money with these people your security can get fucked if they dont get some use out of you. Expect at some point the tos will change so that anonymized data sharing is no longer an option for free tier.
What happens if the company goes bankrupt? Does it just stop working when their central servers shut down? Does their open source security have the possibility of being forked and run from local servers?
It doesnt have to be like this. Peer to peer Decentralized mesh networks like YaCy already show its possible for a crowdsourced network of users can all contribute to an open database. Something that can be completely run as a local Node which federates and updates the information in global node. Something like it that updates a global iptables is already a step in the right direction. In that theoretical system there is no central monopoly its like the fediverse everyone contributes to hosting the global network as a mesh which altruistic hobbyist can contribute free compute to on their own terms.
I"I dont see anything wrong with people getting paid" is something I see often on discussions. Theres nothing wrong with people who do work and make contributions getting paid. What's wrong is it isnt the open source community on github or the users contributing their precious data getting paid, its a for profit centralized monopoly that controls access to the network which the open source community built for free out of alturism.
The pattern is nearly always the same. The thing that once worked well and which you relied on gets slowly worse each ToS update, while their pricing inches just a dollar higher each quarter, and you get less and less control over how you get to use their product. Its pattern recognition.
The only solution is to cut the head off the snake. If I can't fully host all of the components, see the source code of the mechanisms at all layers, own a local copy of the global database, then its not really mine.
Again, it's a philosophy thing. Its very easy to look at all that, shrug, and go "whatever not my problem I'll just switch If it becomes an issue". But the problem festers the longer its ignored or enabled for convinence. The community needs to truly own the services they run on every level, it has to be open, and for profit bean counters can't be part of the equation especially for hosting. There are homelab hobbyist out there who will happily eat cents on a electric bill to serve an open service to a community, get 10,000 of them on a truly open source decentralized mesh network and you can accomplish great things without fear of being the product.
CrowdSec is an open-source and collaborative security stack leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Join the community and let's make the Internet safer, together.
Anubis was originally created to protect git web interfaces since they have a lot of heavy-to-compute URLs that aren't feasible to cache (revision diffs, zip downloads etc).
After that I think it got adopted by a lot of people who didn't actually need it, they just don't like seeing AI scrapers in their logs.
AI scraping is a massive issue for specific types of websites, such as git forges, wikis and to a lesser extend Lemmy etc, that rely on complex database operations that can not be easily cached. Unless you massively overprovision your infrastructure these web-applications come to a grinding halt by constantly maxing out the available CPU power.
The vast majority of the critical commenters here seem to talk from a point of total ignorance about this, or assume operators of such web applications have time for hyperviligance to constantly monitor and manually block AI scrapers (that do their best to circumvent more basic blocks). The realistic options for such operators are right now: Anubis (or similar), Cloudflare or shutting down their servers. Of these Anubis is clearly the least bad option.
I also used CrowdSec for almost a year, but as AI scrapers became more aggressive, CrowdSec alone wasn’t enough. The scrapers used distributed IP ranges and spoofed user agents, making them hard to detect and costing my Forgejo instance a lot in expensive routes. I tried custom CrowdSec rules but hit its limits.
Then I discovered Anubis. It’s been an excellent complement to CrowdSec — I now run both. In my experience they work very well together, so the question isn’t “A or B?” but rather “How can I combine them, if needed?”
You are right. For most self-hosting usecases anubis is not only irrelevant, but it actually works against you. False sense of security and making your devices do extra work for nothing.
Anubis is though for public facing services that may get ddos or AI scrapped by some not targeted bot (for a target bot it's trivial to get over Anubis in order to scrap).
And it's never a substitute of crowdsec or fail2ban. Getting an Anubis token it's just a matter of executing the PoW challenge. You still need a way to detect and ban malicious attacks.
Try to secure a nonprofit's web infrastructure with as 1 IT guy and no budget for devs or security.
It would be nice if we could update servers constantly and patch unmaintained code, but sometimes you just need to front it with something that plugs those holes until you have the capacity to do updates.
But 100% the WAF should be run locally, not a MiTM from evil US corp in bed with DHS.
Obviously I don't think you need Anubis for a static site. And if that is what your admin experience is limited too, than you have a strong case of dunning krueger.
the project name is a bit unfortunate to show for users, maybe change that if you will use it.
some known privacy services use it too, including the invidious at nadeko.net, so you can check there how it works. It's one of the most popular inv servers so I guess it cannot be bad, and they use multiple kinds of checks for each visitor
Inspired by this post I spent a couple of hours today trying to set this up on my toy server, only to immediately run into what seems to be a bug where <video> tags loading a simple WebM video from right next to index.html broke because the media response got Anubis's HTML bot check instead of media.
Describe the bug I have a redlib instance running behind anubis and when trying to play GIFs, it fails. If I check out the response, it's just anubis trying to verify my browser instead of the medi...
Anubis is mainly aimed against bad AI scrappers and some ddos mitigation if you have a heavy service.
You are getting hit exactly the same, anubis doesn't put up a block list or anything. It just put itself in front of the service. The load on your server and the risk you take it's very similar anubis or not anubis here. Most bots are not AI scrappers they are just proving. So the hit on your server is the same.
What you want is to properly set up fail2ban or, even better, crowdsec. That would actually block and ban bots that try to prove your server.
If you are just self-hosting with Anubis the only thing you are doing is deriving the log noise towards Anubis logs and making your devices do a PoW every once in a while when you want to use your services.
Being honest I don't know what you are self hosting. But at least it's something that's going to get ddos or AI scrapped, there's not much point with Anubis.
Also Anubis is not a substitute for fail2ban or crowdsec. You need something to detect and ban brute force attacks. If not the attacker would only need to execute the anubis challenge get the token for the week and then they are free to attack your services as they like.
Maybe you know the answer to my question: If I'd want to use any app that doesnt run in a webbrowser (e.g. the native jellyfin app), how would that work? Does it still work then?
It explicitly checks for web browser properties to apply challenges and all its challenges require basic web functionality like page refresh. Unless the connection to your server involves handling a user agents string it won't work, I think this I how it is anyway. Hope this helped.
Assuming what you said is correct, it wouldnt help my use case. Not hosting any page meant for public consumption anyway so it's not really important. But thanks for answering 😀
The creator is active on a professional slack I'm on and they're lovely and receptive to user feedback. Their tool is very popular in the online archives/cultural heritage scene (we combine small budgets and juicy, juicy data).
My site has enabled js-free screening when the site load is low, under the theory that if the site load is too high then no one's getting in anyway.
I host my main server on my own hardware, and a VPN on Hetzner because my shitty ISP doesn't let me port forward. For the past year, bots were hitting my Forgejo instance hard. I forgot to disable registration and they generated hundreds of accounts with hundreds of repos with sketchy links, generating terrabytes of traffic from my VPS, costing me money in traffic. I disabled registration and deleted the spam, and bots still kept hitting my server for several months, which would cause memory leaks over time and crash it and consume CPU, and still costed me money with terrabytes of traffic per month. A few weeks ago, I put Anubis on the VPS. Now, zero bots hit my Forgejo instance and I don't pay for their traffic anymore. Problem solved.
Its always code forges and wikis that are effected by this because the scrapers spider down into every commit or edit in your entire history, then come back the next day and check every “page” again to see if any changed. Consider just blocking pages that are commit history at your reverse proxy.
I am very annoyed that I have to enable cloudflare's JavaScript on so many websites, I would much prefer if more of them used Anubis so I didn't have third-party JavaScript running as often.
( coming from an annoying user who tries to enable the fewest things possible in NoScript )
A daughter of the former South African president Jacob Zuma has resigned as an MP, after being accused of tricking 17 South African men into fighting for Russia in Ukraine by telling them they were travelling to Russia to train as bodyguards for the Zumas’ uMkhonto weSizwe (MK) party.
Duduzile Zuma-Sambudla, 43, the most visible and active in politics of her siblings, volunteered to resign and step back from public roles while cooperating with a police investigation and working to bring the men home, the MK chair, Nkosinathi Nhleko, said at a press conference in Durban.
Love me some Fedora, why should I switch to an immutable version? The thing that gives me pause is I like being able to change my system when I need to and have it persist, which is from what I understand the exact opposite idea of immutables (but I may be misunderstanding, thus this comment asking lol).
So essentially you have a base system and you add what you need through flatpak, distrobox, homebrew, and if all else fails, by layering the packages on the base image with rpm-ostree. What you can't do (that I'm aware of), is remove packages, or make bigger changes like adding another desktop environment aside what it came from. I mean, I guess you can do it by layering but it's probably messy. Configuration and customisation are not an issue: /etc and /var are not immutable of course.
Distrobox is super cool btw, I knew it existed but Bazzite pushing me to use it was what I needed to finally try and appreciate it.
Airbus is recalling more than half of the jets in its global A320 fleet, which will disrupt thousands of flights around the world.
The company said the planes need an "immediate software change" to ensure flight control is sound.
The recall comes after a JetBlue plane’s nose dropped for several seconds without the pilot’s input during a flight in October, according to a European safety agency.
American Airlines says the news will disrupt more than 300 flights for its airline alone, while Air Canada says "very few" of its planes are affected.
Boeing would do nothing except post a notice on a board in a damp cellar of one of their offices, and then blame airlines for not following their instructions.
A January study in the journal Social Science & Medicine found that volunteering slows down aging in retirees: the DNA of people who volunteered the equivalent of one to four hours a week showed distinctive biomarkers associated with decelerated epigenetic aging, with the most pronounced effects among retired people.
“People might do better, physically, psychologically, socially, if they have a role that they think is important and they identify with,” said Cal J. Halvorsen, a gerontological social work scholar at Washington University in St. Louis and one of the authors of the study. “In the American context, we take our jobs very seriously, and so we were curious if volunteering after retiring or when you’re no longer working might have a different effect on your epigenetic aging.”
That study is just part of a growing body of research on the health benefits of volunteering for retirees, a major benefit for older Americans who have mobilized for election defense and other core public services under attack. Another study published in February found that volunteering in early retirement among Americans also reduced rates of depression by around 10 percent—again, a more pronounced effect than in the general population.
The headline is wholly unsupported by the study. They asked seniors if they volunteered at "religious, educational, health-related, or other charitable organizations", not political organizations. Even as noted in the article:
The work also keeps Williams sane. Following politics leaves her “ready to tear somebody’s hair out,” she said.
If anything, the stress of living under fascism probably shortens your life expectancy. Apparently living in a democracy increases it by 11 years, which probably outweighs the volunteering effect: sciencedirect.com/science/arti…
This explains what's going on with Bernie Sanders. In recent interviews he seems somehow younger than he did 5 years ago. The country needs him and it's energized him. I hope he gets a few years to himself after all this to enjoy retirement, though.
Japanese company Science is commercially producing its Mirai Ningen Sentakuki – Human Washing Machine of the Future – after an overwhelming response at the Osaka-Kansai Expo this year. Only 50 models will be made, with a price tag of US$385,000.
also,British : a number equal to 1 followed by 54 zeros
Ursini’s proposal asks for a mere 2^112^ addresses
Unless I'm mistaken, that would be 5192296858534827628530496329220096, or a bit more than 5 followed by 33 zeros, which is orders of magnitude different from both definitions. I wonder what this article's author is on about.
Disclaimer: The article linked is from a single source with a single perspective. Make sure to cross-check information against multiple sources to get a comprehensive view on the situation.
For those of you that use docker, how do you make sure your docker-compose.yml (and possibly .env) files stay current with the project’s ongoing updates? I’m sure there’s an easier way than what I’m doing which is manually getting the latest ones and chec
For those of you that use docker, how do you make sure your docker-compose.yml (and possibly .env) files stay current with the project's ongoing updates? I'm sure there's an easier way than what I'm doing which is manually getting the latest ones and checking the diffs in vscodium. And I'm sure some git magic already takes care of this but I've been slow in learning git beyond the VERY basics. Thanks!
I have automatic updates through a watchtower fork, so I just leave it alone until it breaks, then I go to the project site to see what changed. This has happened maybe twice in the last couple years.
I use a watchtower fork as well to keep some containers updated but I'm curious how others keep on top of docker-compose.yml files that the project updates over time. As an example, I've been using a container for years and noticed today that on the github page they've added a section in the compose file for a health check. I never would've known that was added if I didn't stumble upon it due to another issue.
Easy, reliable backups are key. I've used komodo with automatic updates for over a year and watchtower before that for a couple more. I've only had one issue when Nginx Proxy Manager had a release that deleted all of its own data. Didn't take long to realize that the services were still up and what the problem was. Restored the missing data from Proxmox backups, pinned the Nginx version for a while, then turned auto update on again. I'll stick to this until checking updates is less work than fixing the occasional problem
Just a few days ago, my docker host upgraded the docker engine from 28 to 29. Woke up to 10 notifications from my uptime monitoring that they are offline.
Funny thing is: The external monitor showed they are down. The internal monitor showed no issues.
But after I went through with the long procrastinated upgrade from debian 11 to debian 13, migrating the data and doing nothing to the compose files, all services worked without any issue. I don't know what my old host did or did not but now it works, I guess? Not complaining but the whole routing thing is a bit beyond me
I don't want to use automatic updates on self hosted projects but I subscribe on github / gitlab releases in my rss reader (FreshRSS) and update when I want to!
If you also use FreshRSS, you can configure filters to automatically mark new articles as read (e.g. intitle:'beta'). Since I only view unread articles, that effectively deletes them and I never have to see them!
I cannot recall a single self-hosted software documentation that mentions how to keep the docker config file up to date. Why bother wasting 5 seconds writing such an unhelpful comment
PLENTY of projects make tiny non-breaking changes to the compose files without any mention that users should update the file. For example, adding a section for a container health check. While these can be no big deal for a while over time they can add up to major changes in the config that users may not catch if they are not comparing yml files.
This is the kind of attitude that drives people away from open source.
Yes, people should read the manual, but at some point they will have questions, and there are a lot of projects that aren't clear on certain things. Such as YAML changes.
Other than keeping an eye on their changelog or waiting until it breaks, I don't think you can do anything about that. I do have automatic update, but the config rarely changes from my experience.
Good projects will have docs associated with the docker/docker compose files.
The way we do it is, any update to the .yaml files will have a corresponding .yaml.Dev associated with it. That way it won't be overwritten when an update occurs as well as give a recommended setup.
Basically I run Komodo, which pulls a git repo. Renovate opens a PR (and most of the time the changelog is included, so I can quickly check what happened) for new versions. Once merged a webhook fires to tell Komodo to pull the new version.
I really recommend this approach now. Once setup it is very automatic, but not to the point of YOLO-automation like Watchtower and :latest 😅
In this guide I will go over how to automatically search for and be notified of updates for container images every night using Renovate, apply those updates by merging pull requests for them in Gitea, and automatically redeploy the updated containers…
when you choose to update, PatchPanda edits compose/.env files and runs docker compose pull and docker compose up -d for the target stack. You can also view live log.
I too saw PatchPanda on selfh.st and it is on my watch list. The only thing holding me back is that it isn't out of beta yet. So, I'm waiting on other selfhosters to plow that field before I deploy. It does look like it would solve a lot of problems tho.
I don't pay any mind to example compose files. My are all quite custom anyway. Only thing that matters is paying attention to changelogs and watching for breaking changes.
Same here. Read deployment documentation, configure compose to my standards, deploy, update where necessary to align with the update (e.g. remove an environment variable.
The editing is done on my PC, then I open WinSCP or ssh into it (depending on my mood and amount of changes) and then apply the changes
Probably a tad overkill honestly but it works amazingly well, and turns every potential upgrade into an approval process so nothing will update when you don't want it to.
In this guide I will go over how to automatically search for and be notified of updates for container images every night using Renovate, apply those updates by merging pull requests for them in Gitea, and automatically redeploy the updated containers…
The Bristol Cable has launched a mobile app that bundles their journalism with the fediverse in a single app. It’s built in partnership with the Newsmast Foundation and available to members from £1/month. While their journalistic articles remain free, The Bristol Cable sees the social fediverse integration as the premium additonal option. The app consists of three layers: a home screen with news articles by the Bristol Cable, a dedicated member space for connecting with journalists and other supporters, and curated channels that pull in content on themes like climate change, linking Bristol’s local work to wider discussions. The app functions as a fediverse server, with the dedicated member space functioning as a local-only posting place, and the curated channels as a way to connect with the rest of the fediverse network, via Newsmasts’ channel.org network.
WebSocialBR is the first fediverse event that will be held in Brazil, on December 3rd in Brasília. The event wants to “bring together community administrators, managers, parliamentarians, researchers, and communicators to exchange experiences and strengthen decentralized networks in the country”. The event draws backing from Brazil’s Internet Steering Committee (CGI.br), the Ministry of Science, Technology and Innovation, and FediForum. ActivityPub co-creator Evan Prodromou and FediForum co-founder Johannes Ernst will participate virtually. WebSocialBR is organisated by Alquimídia, who has been coordinating Brazilian instances on age-restriction legislation and pushing for a “.social.br” domain category for federated networks.
Bonfire talks more about their platform and crowdfunding, by writing about their Mutal Aid stretch goal for the project. Bonfire also talks more about what the project is, and how it is “plural by design”. The opening sentence points is a clear statement by the project: “Bonfire is difficult to pin down with a single definition, and that’s a feature, not a bug.” The article then lists various features of the project, such as how it’s extensible, and that it’s a framework for building community platforms. Bonfire even quotes some people saying that they’re interested in the project, but find it confusing as to what it actually is. Bonfire has chosen for the approach that they do not want to run a flagship server for Bonfire Social. That however is now leading to the situation where there are no people running a Bonfire server in production for a community yet, making it hard to demonstrate in practice what Bonfire Social actually looks like. This poses a challenge for their crowdfunding effort. When potential backers try to understand what they’re funding, they encounter a platform that exists primarily as possibility rather than demonstration. The project’s own article quotes would-be supporters expressing this confusion directly: “I do wish they could get a little better at communicating what exactly their project is though, it took a hot minute, reading, and also asking folks on lemmy to try and figure out kinda-sorta-vaguely what they’re building…” Another notes, “I wish them the best, but I think they really need to work on their sales pitch. It’s hard to tell what it is.”Without a clear accessible demonstration of how Bonfire can operate in practice, it is a hard pitch to ask backers to fund an abstract framework based on its potential applications.
I usually don’t write about Threads, but this caught my eye: The latest PewResearch study on social media usage by Americans find that 8% of adult Americans have ever used Threads. This is in contrast with 21% of adults for X, and 4% for Bluesky, with Mastodon not measured. Meanwhile, Threads claimed a few months ago to have over 400M monthly active users, and another study from this summer found that Threads and X have almost the same number of daily app users (115M vs 130M). I’m really not sure what’s going on with these numbers: 8% of American adults is around 21M people who say they have ever used Threads. This leaves at least 380M monthly active users that are not in the US, but it is unclear where they are located. It seems that Europe also does not have a large number of Threads users, as the app launched much later on the continent. The most likely explanation seems to me that Threads aggressively counts people who use Instagram and get shown a Threads post on Instagram as a user of Threads, which would go a long way towards explaining both why the user numbers for Threads are so large while also explaining why so few people actually know about Threads.
FOSDEM has the Social Web Devroom about ActivityPub, hosted by the Social Web Foundation, and the deadline to submit talks is December 1st. There is still space for more talks to be hosted, so consider submitting a talk if you’re going to FOSDEM!
In This Issue
* A Note From The Editor
* Technical Updates
* Owncasts For Roku Updated
* Features
* Kit On Fireside Fedi
* Featured Streamer: Fireside Fedi
* Closing Remarks
A Note From The Editor
Did you miss me? This July-November …
I run WireGuard on my router to hit my LAN services (SAMBA, home assistant, etc) from afar.
But when I enable the VPN client on my router, I can no longer access LAN services over Wireshark. "Allow LAN access is set to 'true'" on the UI (Merlin).
With the GlobalBuildingAtlas, a research team at the Technical University of Munich (TUM) has created the first high-resolution 3D map of all buildings worldwide. The open data provides a crucial basis for climate research and the implementation of the UN Sustainable Development Goals. They enable more precise models for urbanization, infrastructure and disaster management – and help to make cities around the world more inclusive and resilient.
The United Arab Emirates “embarked on a lobbying blitz” of European Parliament members to ensure its involvement in the war in Sudan was not mentioned in a resolution calling for the conflict's end, Politico reported on Thursday.
On Wednesday, Dutch Member of European Parliament (MEP) Marit Maij told DW News about plans to “call on the European Commission to stop the trade negotiations with the UAE for as long as we see that weapons are going through the UAE to the RSF,” referring to Sudan’s paramilitary Rapid Support Forces.
The call comes in the wake of the widespread atrocities committed by the RSF during its siege and eventual capture of el-Fasher, the capital of North Darfur in western Sudan, which were abetted by advanced weaponry from the UAE.
But following a lobbying effort from an Emirati delegation to Strasbourg led by envoy Lana Nusseibeh, the final resolution passed on Thursday included no references to the UAE’s role in the war.
The United Arab Emirates “embarked on a lobbying blitz” of European Parliament members to ensure its involvement in the war in Sudan was not mentioned in a resolution calling for the conflict's end, Politico reported on Thursday.
I remember back in 2014 or so, I found a YT channel about companies an tech with very high production values on their videos, they had several videos on Elon and his companies.
And in just about every time they spoke about Elon, they said it like this
Entrepreneur Elon Musk
It kinda became a weird mantra they repeated as if being an Entrepreneur made him some kind of expert.
I noticed that at the time, and it has pissed me off since.
Reminds me of companies that still call themself “startup” even after several years with a successful product. Just so they can rip employees off with low base pay and unpaid overtime because “we’re a startup”.
Musk isn't worth a single person's life. He's not worth a dogs life. He's not even worth the life of my old phones battery. We'd have to compare him to other parasites to decide "value". Like, what's better: tapeworms or musk.
Grok has achieved average human intelligence: It believes that someone paying other people, regardless of how they got their money and the ethical failures involved in using it, is equivalent to having done the work themselves. Nevermind that the only reason any of his shit works is in spite of his painfully stupid decisions and not because of them.
In a way, I’m not even mad. We do these things to ourselves and we refuse to look at the obvious.
Well, that explains why your first link is dead. Thanks for the explanation! I haven't been around this long; db0 is my first instance. I'm not that crazy, I just looked at them and said "damn that's wild, you know what you crazy SOB, I'm in." Like the meme... Futurama? Rick and Morty? Not sure.
I miss it... I never knew how much I'd appreciate seeing who down voted me. Occasionally I'd think, 'hmmm this guy with opinions I respect didn't like that? Why?' more often I'd think 'hahaha nazi'
geddit.social was technically my first Lemmy instance (although I used /kbin earlier and more than this). Owned by Stux (mstdn.social, pixey.org, gram.social,...) but it was late for lemmy.world-like growth.
trivia: Stux tried also to make a /kbin instance, (along with other prominent Mastodon instance owners. Only Fedia.io, from infosec.exchange survived. Kudos for Jerry). He has called it forum.fail
Il blogger non è solo un informatore: è un narratore. Anche quando parla di tecnologia, di cucina, di filosofia, di attualità o di qualunque altro argomento apparentemente “freddo”, il suo compito rimane quello di raccontare. Perché un’informazione senza narrazione è un elenco; una narrazione senza informazione è un esercizio di stile. Il blogger efficace vive nel punto di incontro fra questi due poli: illumina il contenuto con il suo modo unico di esprimerlo.
Chinese exporters have been raising prices for Russian military-industrial buyers, exploiting the Kremlin’s reliance on their supplies as western sanctions restrict imports, new research has revealed.
Prices of export-controlled products shipped from China to Russia rose 87 per cent between 2021 and 2024 on average, according to a new paper from the Bank of Finland Institute for Emerging Economies (Bofit). The price of similar goods shipped elsewhere rose only 9 per cent.
The research shows that while Russia has been able to use Chinese suppliers to get around western restrictions on the purchase of products that have potential military uses, the wave of sanctions imposed in the wake of the full-scale invasion of Ukraine in 2022 has pushed up costs for the Kremlin.
...
The authors, Iikka Korhonen and Heli Simola, focused on a major pinch point: the trade in goods listed as “machinery and mechanical appliances”, a category that includes a large number of items identified as being of importance to the war-industry push.
They concluded sanctions have “limited Russia’s technological capabilities by making the importing of critical goods more expensive”.
In some cases, they found that increases in the value of export-controlled imports from China to Russia had been driven entirely by price rises rather than an increase in trade flows. By 2024, Russia’s imports of Chinese ball bearings had surged 76 per cent since 2021 in dollar terms. But the volume of exports dropped 13 per cent over that time.
...
Relief from sanctions remains a critical goal of the Kremlin. In the original 28-point peace plan devised by the US and Russia and presented last week to Ukraine, the document states “the lifting of sanctions will be discussed and agreed upon in stages and on a case-by-case basis”.
It’s true. I uploaded a nude out of curiosity. I then searched “Penis”. It found my penis. Now if only my wife could too. 10/10 Immich best self hosted google photos replacement.
Personally I host all this kind of stuff using containers, only mounting the folders that need backing up. Then I just back up all my podman volumes. It's pretty nice not depending on any tools that have to be maintained or anything like that.
I have experience with both Ente and Immich and I can say they are both excellent. I like Ente a little bit more, but Immich is imho better for selfhosting (both are easy to self host). What I like about Immich in that regard is that it keeps photos organized as files too, they can be categorized in folders (like year > month > day and its customizable). I just want to have an option to have access to the files directly on the filesystem and if (big if) Immich dies, I still have my photos accessible and organized in directories without me needing to do anything. Ente uses s3 storage system.
It feels quite equal now that immich is stable. I was actually waiting for that, because I knew the updates before the stable release were sometimes painful and I didn't want to do that on my production env. 😀
Anyone with Nextcloud Memories setup? I've read it's the only one that still respects a sane files and folders setup, whereas the other options basically force you to forever use their database-based system and files are terribly organized, so you are forced to use their interface.
whereas the other options basically force you to forever use their database-based system and files are terribly organized, so you are forced to use their interface.
Immich has a "storage templates" section which allows you to choose a folder structure that it will use to store the files in.
Or go the other way and include your folders as external libraries.
What do you use for 3-2-1? I try, so far I have my phone, backed up to a server HDD via SMB (Too poor for RAID-1 atm), and the very important stuff sent to a USB drive and returned to a drawer. Am I doing it right haha
I have it and immich set up. Nextcloud memories is fine, but for me the auto upload would randomly stop at some points. Overall ux with immich is better, but memories gets the job done.
I don't use Memories, but yes, uploading photos with FolderSync to Nextcloud (via WebDAV) does add them to the Nextcloud database. They show up as new photos in the recent activities list.
Ah, that makes sense. Didn't realize FolderSync went through the WebDAV protocol. I'm used to manually copying things to my nextcloud drive and running a scan.
I use Nextcloud Memories for uploading folders to quickly share to relatives. Love it, very straightforward for them to use.
I also host Immich but unlike Memories not exposed, local only. I set Immich up because we found we never looked at our photos when they were just stored on a hard drive but we look at them much more now theyre easily accessible. I spent months slowly retrospectively tagging & adding geo locations to our photos in order to utilise the powerful search capability of Immich. I use the template option & set it up to match the folder structure of our photos.
I'm using Kopia to back up the entire Immich directory including the nightly Immich-db dumps & ive also moved a backup of the backup to another drive, currently somewhere in the region of about 80+GB.
I switched from Nextcloud Memories to Immich when Immich added support for external libraries. From what I remember, Memories was pretty good but a bit slower, not as polished, and had significantly worse AI tools. I recommend Immich.
Oh yeah, I've killed mine a couple times. Usually it's because I didn't keep it updated and jumped too far ahead too quickly. Rolling it back and walking it forward fixed it for me once, another time there was something I was supposed to run first and I didn't read the release notes (that one was a really long time ago though).
Every part of what you just said can be encapsulated in proper packaging so you don't even need to care -- about pre/post upgrades, or even dependencies and checks before it starts.
The lack of a proper release is the absolute only thing keeping me from using it.
When I used iOS, background upload seemed to work okay. On both iOS and Android, though, I occasionally go into the app to manually backup since both like to kill background processes to save on battery life.
They should use what's out there and improve it. Like including simplelogin. They should use immich, make it private, and include it in their setup. They even suck for calendar. You can't integrate it anywhere. Integrating email is difficult as well. They want to become the next tech silo. I am somewhat stuck with them for now but I may move to tuta if I can
Proton services generally are not bad, but I could never use Proton Drive for anything else than mid to long term backups, because they don't have it integrated with Linux. I am not angry though, it is what it is and I am only in the niche (even-though Linux is the best OS for privacy). Ever since I have setup my Truenas (and Immich) I find myself caring even less about not being able to use Proton drive 😀 That said, once they have integration I want to use it for a few files.
Immich + a backup solution of your choice. If it's worth saving, it's worth backing up. Try to follow 321 as much as possible, but having at least a second copy is a good start.
I started using photoprism. But their viewer doesn't show my 3D side by side stereo photos. Immich brings a better viewer that gets out of the way and it also has multiple users. The immich multiple user accounts function a bit weird. My family photos need to be shared as external libraries while our phone photos cannot be shared unless you share accounts. They did some decisions around handling multiple users that is not fabulous. I used photoprism for awhile but just a few months on immich I can tell its going to be a better experience.
There isn't an online specific place for 3D printing optic assemblies but there are plenty of places to read about stereo photos. There's even a software called stereophotomaker that helps you crop and adjust the photos you take.
Yeah its pretty simple yet very much not trivial. You can get images that are relatively fine by just making one from cardboard even. All you need is 4 mirrors. Two pairs for one side and two for the other. The non trivial part is how to fill the whole sensor frame and what specific angles to use for your specific lens. I'm using a 40mm lens full frame. 35mm can see the inside of the adapter so that's not good. It gets worse with the wide lenses on your phone, but you can still get an image you can crop. And its its really freaking cool to see your kids and family in 3D on your phone on a finished image. Unfortunately my family runs from the camera and doesn't get the 3D effect at all..and doesn't even want to try. But whatever. Maybe one day when I'm long gone, one of their kids will find an old rusty SD card and discover the awesome thing that 3D is. I don't understand why all the 3D headset makers haven't jumped on this with a standard....simple, have all new phones get 2 cameras, and then create the software to take the images or video. Finally have that video in a standard format for all viewers. There's plenty of smart people that can do this.
Oh and yes, you can do 3D video and it kicks wide angle viewed video so so much. It's phenomenal to watch my kid slide down a slide in 3D. I know it sounds stupid but man....the possibilities for the right open minded community are endless.
One more vote for Immich. While I don't like how it's not easy to create albums from existing folder structures out of the box, the search and face recognition is amazing for a free self hosted app.
It wasn't mentioned in the list, but I like Photoview; it uses your existing file structure (rather than its own structure or a database), works with read-only access, accepts external syncing like Syncthing, and can handle multiple users. Not sure how it compares on features, but I just wanted something basic anyways, so I'm happy with it.
Does anyone know if any of these systems will interpret a Google takeout export from Photos? The data separation is brutal, I haven't found something to pull it together yet.
A record number of people are set to take China’s notoriously gruelling national civil service exam this weekend, reflecting the increasing desire of Chinese workers to find employment in the public rather than private sector.
Around 3.7 million people have registered for the tests on Saturday and Sunday, which will be the first since the government increased the age limit for certain positions. The age limit for general candidates has increased from 35 to 38, while the age limit for those with postgraduate degrees has been raised from 40 to 43.
Opinion piece by Li Qiang, founder and executive director of China Labor Watch, and a human rights advocate with over 30 years of experience investigating global supply chains.
China’s low rights model is no longer a domestic labor issue but a systemic challenge to global labor standards, supply chain governance, and fair market competition. Without a coordinated civil society response, the global baseline for worker rights will continue to fall.
I call China’s economic model a “low rights” one because it has long relied on suppressing labor costs to maintain industrial competitiveness. As a result, trade imbalances between China, the United States, and Europe are strategically linked to China’s ability to attract multinational companies through low-cost labor and policy incentives. At the same time, Chinese companies internalized the technology and management know-how of these foreign companies into their domestic systems, gradually transforming what were originally Western competitive advantages into China’s own strengths.
[...]
In recent years, China’s “low-standard, low-cost” development model has expanded beyond its borders. Through the Belt and Road Initiative, it has spread globally, exporting labor, environmental, and governance risks to host countries. Nowhere is this more evident than in Indonesia’s nickel sector, where mining and smelting contracts are so short that they function like countdown clocks, pressuring companies to recoup capital as fast as possible.
[...]
This “low-cost” model has been permitted to exist due to an increasingly shrinking civic space. Independent labor monitoring inside China has become dramatically harder in the past decade. Today, only a few independent organizations remain capable of conducting investigations, such as China Labor Watch. Yet, political risks deter most international funders from supporting work inside China, leaving independent oversight critically under-resourced in an area where it is needed most.
[...]
To counter this dynamic, civil society organizations must be central to any strategy for raising global labor standards. We can advance change in three key ways.
First, increase public awareness. We can collectively highlight that consumers must recognize the real costs behind low-priced products: long working hours, low pay, job displacement, low labor standards. The public must understand that declining labor standards ultimately harm every society. In reality, with wages stagnating in many Western countries, more consumers rely on cheaper products that are produced by workers who are, in fact, competing with them for similar types of jobs in the global labor market.
Second, advocate and partner with authorities for the rigorous enforcement of forced-labor laws. Import bans, labor regulations, and due diligence laws already exist. But enforcement depends on independent organizations holding authorities accountable, and providing evidence if there are enforcement gaps. It also requires sufficient and sustained funding to ensure that these laws can be implemented in practice, rather than remaining symbolic commitments.
[...]
The EU Forced Labor Regulation and the Corporate Sustainability Due Diligence Directive (CSDDD) had their scope narrowed during the legislative process, while U.S. forced labor import enforcement remains inconsistent and lacks clear direction, making the global regulatory landscape by significant uncertainty. If global civil society does not intervene now, global labor standards will not simply stagnate; they will be redefined downward by a model built on speed, opacity, and the suppression of rights.
Pretty sure they'd excuse the labor laws in some massive feat of mental gymnastics. Something something "things are so good everywhere else that workers don't need protection!" Something something cherry picked worker demonstration in a wealthy factory district "See?? They have rights!"
China is communist in name only, clearly. Would take a determined moron not to see that. Anyways, tankies are just red coloured fascists so I guess it's silly to expect much from them anyways.
China is a brand new type of socialism, one that Marx couldn't ever hope to write about, as that would have needed him to go through many important moments of world history (great wars, nuclear development, age of information...) that he could never have predicted. China in the 50s was an agrarian/third world nation, after the CCP took over their plan was simple: "Muster the strength of the entire population to push China into a new age through carefully planned country-wise economic strategies". It's a different perspective when compared to western capitalist societies that value individual freedom above the well-being of the nation, their idea was to value the nation above everything and everyone. To sacrifice generations in favor of economic development, to turn weakness, a poor country with more people than it could feed, into strength, a country where labor was so cheap it became the perfect trap to steal the advantages the first-world had developed: industries. Now, the western world has lost all of its advantages, they no longer have manufacturing capabilities that are enough even to supply their own demand, and its final advantage, technological supremacy slowly slips away from their hands. All that they have left is a class of uber-billionaires more than willing to sacrifice entire nations just so they can buy another yacht. Meanwhile, western media points their finger and exclaims: "Inhuman! The Chinese are using their own people to steal our western jobs with cheap labor!!!", and Liberals left and right look down from their "moral superiority" seat of ignorance and agree, calling the chinese the evil masterminds of the century for daring to not (EDIT: word order) have their same views that valuing individual freedom as a divine natural right, as said Locke, is the only correct moral path, and anything else is Evil wrought upon this world. Thus, they fail to see that, although indeed Machiavellian-looking, valuing the community, the society, above the individual is exactly where the true left had always resided. What good is personal freedom when a man can buy another? And do not mistake me, I do not claim their methods to be flawlessly, they are indeed ruthless, but the Chinese Government can most certainly be conferred the title of "efficient", in a few decades they took a country from the throngs of poverty and the past and pushed it forward, with sacrifices indeed, to the forefront of modern development. Are they truly wrong? Would you prefer they'd stuck to being slaves of first-world countries? As someone who does live in a third world, developing country, as they say, I'd be very very glad to see the same mentality of my own government, I'd sacrifice myself gladly to hope for a better future for the next generations. Instead, all I get is the proverbial choice of working my whole life to not starve to death while making a garbage human billionaire hiding in a mansion somewhere richer and richer at the cost of the people, all while my country not only barely inches forward in quality of life, but is constantly shoved back down the mud by the actions of western interests, that easily stoop to all the tricks of the CIA handbook just to keep us too busy too see that the evil wears not red, but blue and stars.
You wrote a lot to not say much, China's 'new brand of socialism' is just state run capitalism. Don't get me wrong, they have achieved a lot and modern china is very impressive, Id like to visit one day. Still ain't communist, and the ccp knows this, they just like the branding.
I think the argument is rather that the dictatorship of the proletariat is the proletariat taking political control over capital. The tankies, so to speak, recognize that this does not resolve all internal contradictions of society nor instantly improve the material conditions of said society.
What you might agree on is that: 1. The current world order is capitalist. 2. China was an extremely poor country that has improved the material conditions for their populace tremendously in a short time span.
Does this mean that worker's rights are unimportant? No. However, I believe the political leadership prioritizes the development of productive forces over worker's rights at this stage of development.
I also want to highlight the question of who benefits from this labour. If the proletariat is the class that benefits from their own work and the government has their popular support, is this really the red fash, authoritarian exploitation that the other comments and western media assume it to be?
This is just my flawed understanding, of course. There are probably many who can give better answers. Looking at the comment section at time of writing, I am not sure such an effort is deserved.
The dictatorship of the proletariat was a philosophical construct. Not a literalism. Industrialization has improved the material condition of every society that has been through it. It has nothing to do with left or right etc.
The current world order is capitalist.
And capitalists like China aren't going to change that.
China was an extremely poor country that has improved the material conditions for their populace tremendously in a short time span.
Again that's a factor of industrialization. Not economic model. The problem they're just starting to face that countries like the United States and others have been struggling with for some time now. Is that the petite bourgeoisie has always benefited more. And expansion or growth can never be infinite. Once that slows the proletariat is always the first victim of the bourgeoisie.
First of all, the advance of the bourgeois class cannot be separated from the industrial technological revolution in a historical materialist context.
With regards to
The dictatorship of the proletariat was a philosophical construct. Not a literalism. Industrialization has improved the material condition of every society that has been through it. It has nothing to do with left or right etc.
note that (quoting Wikipedia)
In philosophy, a construct is an object which is ideal, that is, an object of the mind or of thought, meaning that its existence may be said to depend upon a subject's mind.
You are making a reductionist claim that the form is only ideal, which is untrue. The dictatorship of the proletariat is not ideal, it is material and can be analyzed as such, whether or not you agree on its ideal form.
The crux of your argument is that the industrial revolution and the bourgeois revolution has developed the productive forces, i.e. capital, and thus improved the material conditions of many people as a result. Even Marx agreed on this issue in the 1800s, remarking the absence of novelty of this idea. What you conveniently ignore is the exploitation that this development has inflicted upon every citizen outside the imperial core.
The nonsensical wording of
the petite bourgeoisie has always benefited more
than the proper haute bourgeoisie, is self explanatory for anyone understanding what the word "petite" means.
That
expansion or growth can never be infinite. Once that slows the proletariat is always the first victim of the bourgeoisie
is also not novel to any socialist worth their salt. However, this is more of a nod in the opposite direction of what you think, towards western countries currently undergoing a state of crisis.
If the proletariat is the class that benefits from their own work and the government has their popular support, is this really the red fash, authoritarian exploitation that the other comments and western media assume it to be
Yes, because without basic political rights which do not exist in China, Chinese workers have no political agency by which they can express a political preference. It is entirely possible that given such freedoms, the Chinese people would implement the exact same system of government they have now, but there is no way to know that since the functional basis for political self determination does not exist.
I am not quite sure I agree that proclaiming a resolution to class struggle by taking political control over the means of production is sufficient to resolve internal contradictions. The statement regarding "basic political rights" however seem to imply that this in particular is ensured in liberal democracies, on which I definitely categorically disagree.
I spend one third of my life at work, one third sleeping and one third making myself ready for either. At work I have no "basic political rights", not because I live in China, but because there is no democratic control over the mode of production in my liberal democracy.
I think that freedom ultimately necessitates equity, at the very least with regards to opportunities in life. In western countries, you pretty much only have the option to live subservient to the capitalist class. The political freedoms are hollow as long as political power is controlled by capital.
So what am I saying? That I believe a socialist society is the only one that can give any basic rights, and that in turn one must rephrase the question whether China has attained socialism to whether they are working to attain it. Then the situation of current worker's rights become a question of whom their work serves.
To the victor goes the spoils, after all. Bear this in mind when you relativize the material conditions of Chinese workers to that of western ones, who historically directly benefitted on the exploitation of the former.
You are doing the age old ML trick of attaching the rights which convey political agency to a specific historical epoch of economic liberalism. If we are to understand that the Chinese socialism is a process which inherently must navigate through flaws and imperfections of the material conditions it is dealt, then surely we much acknowledge the same of the western struggle. And yes, it is a struggle all the same, albeit from a position of historical privilege.
In reality there is nothing about the enshrinement of individual rights which requires or implies capitalism or imperialism, other than historical snapshot these things have been attached to. It is no more correct than saying all socialism requires autocracy. In fact, we have an entire century of revisionist thinking which modifies Marx with this specific goal in mind. So just as China approaches this struggle from a more Orthodox perspective inspired by Lenin and molded by a period of historical oppression (itself a bit or a contradiction given China's broader history), the west's struggle is throwing off the shackles of its comparative success and influence which binds it to so much old world influence. Both molded by imperialism in different ways. Both currently stuck in a vicious cycle of capitalism, thrust on them by material reality.
If we are to understand that the Chinese socialism is a process which inherently must navigate through flaws and imperfections of the material conditions it is dealt, then surely we much acknowledge the same of the western struggle.
We are, and we are analyzing the situation materially and historically in hope to arrive at a real understanding of the internal contradictions of either system. Historically, as you say, the capitalists use their privilege to exploit the rest of the world. When the crisis revolving around the internal contradictions become to great, they decay into fascism.
📍This is where we currently are with respect to the stages of the western capitalist cycle.
In reality there is nothing about the enshrinement of individual rights which requires or implies capitalism or imperialism, other than historical snapshot these things have been attached to.
Well no. Conversely the enshrinement of individual rights requires the absence of capitalism and imperialism, in favour of socialism. I am not saying that communism with Chinese characteristics is the only way to attain this, that would be stupid and contrasting our understanding of material reality.
I agree that the West is not only as much, but even more powerless to change its own capitalist mode of production due to the material reality. This is even more favouring the line of China in paving a new path for the betterment of all. Give the west a bit deepening of state of crisis, and it will be sure for all we are going to need it.
We are in agreement on many topics. Where we diverge is in the mythologizing of deterministic western fascism without making the same potential attribution to failures at implementing socialism. This is, simply put, a failure at critical analysis. History has seen both cases. The idea that the Chinese system is the answer to, or even a protective force relative to western imperialism, simply because it exists as an alternative, is flawed reasoning. I would even say dangerous reasoning. The path forward is understanding and learning from the failure and success in all systems through history. In China's case, a big part of that is literally the inability to discuss its failures. And I'm not just talking about the legal state of China itself, but also the broad hesitancy to acknowledge this as a failure within leftist circles.
These acknowledgements do not collapse any house of cards unless it has been built on fragile ground in the first place.
Alexstarfire
in reply to Peter Link • • •