I was so hoping to see him again, healthy. Possibly in a Cavs jersey, as the first Italian to play for Cleveland. As an Italian Cavs fan, maybe the first one, it would have been great. Good luck for your next chapter Danilo!
62K likes, 1,827 comments - danilogallogallinari on December 2, 2025: "Today, with a heart full of gratitude, I am announcing my retirement from a career I’ve always dreamed of.
Countries are looking at joint offensive cyber operations and surprise military drills as Moscow steps up its campaign to destabilize NATO allies.
Russia's drones and agents are unleashing attacks across NATO countries and Europe is now doing what would have seemed outlandish just a few years ago: planning how to hit back.
Ideas range from joint offensive cyber operations against Russia, and faster and more coordinated attribution of hybrid attacks by quickly pointing the finger at Moscow, to surprise NATO-led military exercises, according to two senior European government officials and three EU diplomats.
“The Russians are constantly testing the limits — what is the response, how far can we go?” Latvian Foreign Minister Baiba Braže noted in an interview. A more “proactive response is needed,” she told POLITICO. “And it’s not talking that sends a signal — it’s doing.”
WWII only happened because we tried to appease Hitler and let him grow stronger annexing territory rather than fighting back. It's not too late to close the Pandora's box that is Russia under Putin, but it needs to be done deliberately and forcefully.
We’ve all been donating for decades already with our outrageously expensive healthcare. It’s the trade we make for European security guarantees.
In the meantime, Europeans get to go to the hospital for free and make fun of us for the situation.
And if there is a major war, they’ll expect US soldiers to defend them. Those soldiers will get their legs blown off, and they’ll come home to little support from the VA and still no national healthcare.
You seem to think healthcare and military spending are tied together and we can only choose one. You know you're wrong so I'm gonna leave you to question yourself instead.
The idea of cyber/hybrid warfare against Russia is pretty interesting. Would be interesting at any rate to see how they like having a troll brigade stirring up their populace.
EU’s foreign policy chief Kaja Kallas said such threats posed an “extreme danger” to the bloc, arguing it must “have a strong response” to the attacks.
Last week, Italian Defense Minister Guido Crosetto slammed the continent’s “inertia” in the face of growing hybrid attacks and unveiled a 125-page plan to retaliate. In it, he suggested establishing a European Center for Countering Hybrid Warfare, a 1,500-strong cyber force, as well as military personnel specialized in artificial intelligence.
“Everybody needs to revise their security procedures,” Polish Foreign Minister Radosław Sikorski said on Nov. 20. “Russia is clearly escalating its hybrid war against EU citizens.”
Walk the talk
Despite the increasingly fierce rhetoric, what a more muscular response means is still an open question.
Part of that is down to the difference between Moscow and Brussels — the latter is more constrained by acting within the rules, according to Kevin Limonier, a professor and deputy director at the Paris-based GEODE think tank.
As much as I'd love for the EU to get its shit together right now, I have to agree with this 100%.
“This raises an ethical and philosophical question: Can states governed by the rule of law afford to use the same tools ... and the same strategies as the Russians?” he asked.
So far, countries like Germany and Romania are strengthening rules that would allow authorities to shoot down drones flying over airports and militarily sensitive objects.
National security services, meanwhile, can operate in a legal gray zone. Allies from Denmark to the Czech Republic already allow offensive cyber operations.
So, some nations (mostly those bordering on Russia) are already taking, hmm, "semi-offensive" action while we're still waiting on the EU's official response - the "walk" as opposed to the "talk".
More than 80 people killed in campaign that law-of-war experts have labeled extrajudicial murder
Defense Secretary Pete Hegseth reportedly gave a verbal order to leave no survivors behind as Donald Trump’s administration launched the first of more than a dozen attacks on alleged drug-running boats that have killed more than 80 people over the last three months.
On September 2, U.S. military personnel fired a missile striking a vessel in the Caribbean that carried 11 people accused of trafficking drugs into the United States.
When two survivors emerged from the wreckage, a Special Operations commander overseeing the attack ordered a second strike to comply with Hegseth’s instructions to “kill everybody,” according to The Washington Post, citing officials with direct knowledge of the operation.
It probably was drugs - but that is not the point. It's wildly unethical and a violation of many rules of war to simply kill people like they are doing.
We don't summarily execute people at the president's say.
We don’t summarily execute people at the president’s say.
What do you think a war is? We already set the precedent of being able to declare war on non-state actors and the War Powers act gives him the authority to start shooting without Congressional approval. Which means an American President can legally, (to the US), tell the military they need to go kill cocaine farmers until Congress passes a bill to stop him. And the President can veto that bill. Meaning the legal threshold for Congress to stop the military from killing foreigners in foreign places is the same threshold as impeaching the President.
The War Powers resolution worked as long as it did because it was actually one of many gentleman's agreements that are now defunct.
If anybody is still under the impression that someone somewhere in the chain of command might refuse illegal orders, this tells you everything you need to know
Unfortunately the US doesn't consider that one to be an illegal order. It is heartless, and unnecessary. But ever since the advent of airpower the US has maintained that planes, helicopters, and drones are not required to accept surrender because it is impractical to impossible in any given situation. So the standard is usually to keep firing. Desert Storm and Iraqi Freedom had notable exceptions with mass surrender instructions dropped beforehand. And again, I know that's not reassuring. But this is why politics isn't supposed to be a team game. This is the level of power we are making decisions on. For other things that are completely legal but most people don't realize; heavy machineguns can absolutely be used to target individual soldiers; Flamethrowers are still 100 percent legal against military targets; You can be shot after your surrender is accepted, (I'll expand below); You will be shot if you do not or cannot actively surrender; and Nobody respects the rule against shooting medics and medevacs.
To expand on the most inflammatory one, the only time you are "safe" is while you are in custody. Modern combat operations move very fast and surrendering people are often left in place after their weapons are removed/destroyed. If they don't actively surrender again to follow on forces then they are legal targets because we haven't developed psychic powers yet. This especially matters with surrendered wounded who may not be in a condition to surrender again. Shooting bodies as you advance is legal and expected in a war. You just aren't allowed to personally go back and shoot someone again without them presenting a new threat. With that information in mind you should also know the US military and any professional military sends multiple waves across a battlefield. It is incredibly lethal, by design.
I say all this not to call you out but to highlight that war is a giant bag of dicks that most people outside the military are still naïve about.
The other pressing thing here is this is an order to fire on a declared enemy, outside our border. Meaning the president signed a sheet of paper declaring them to be the enemy, Congress hasn't thrown a flag, and they are beyond the jurisdiction of law enforcement. That is very clear cut to the military. If you change any one of those 3 parameters then things go to gray zone or illegal very quickly. Someone asked me some months ago while Trump was vomiting about Greenland if the military would obey that order versus an order to hunt down and kill Americans inside America. And the answer is Greenland would be fucked but those Americans are pretty safe from the military. They are not however safe from anonymous DOJ task forces and DHS.
that's not illegal actually. if it were, administrations could try to invent felonies for opposition leaders to have committed. now this particular felon should also have been ineligible to run under the 14th amendment, but he was never charged or tried for those crimes, let alone convicted
To use force against Americans inside America without martial law, an act of Congress, or an extenuating circumstance like self defense.
Trump really pushed the envelope by ordering troops to accompany ICE raids under the authorization to guard federal property. But they still couldn't do anything but defend themselves technically. It's just that he effectively tied their self defense to the ICE agents defense. I'm pretty sure the courts knocked that one back and the military pulled back though. Which is why they've gone so hard with Border Patrol, ICE, and any volunteers from within DHS/DOJ that have badges.
That's what these court battles in Los Angeles and Chicago have been about. I've been staying very top level but suffice to say he cannot just yell martial law and charge into a blue city. Laws describe when and how it is proper to do so. The court push back is important not because we think it will restrain Trump, but because the generals are not personally loyal to Trump. As a reminder, Trump wanted to shoot Americans in his first term. It was the establishment that told him no. He tried to directly order the military and a general literally yelled at him for it.
The threat is overwhelmingly from DHS and DOJ. They have the authority, ability, and will. ICE just got funded to an amount equal the British military. The only thing missing is the volunteers and the federal law enforcement training centers have pushed back training for anyone other than ICE to handle the glut of new ICE agents. ICE's detention budget is also now far larger than the federal prison budget. They could theoretically hold about 8 percent of the US population with the budget they got.
Everyone is worried about the military while our federal law enforcement is doing military style presence patrols in Los Angeles.
I’ve been staying very top level but suffice to say he cannot just yell martial law and charge into a blue city
I want to believe you/this, but honestly laws only matter when they are enforced and so far, it looks like nobody wants to enforce them against the Orange Pedo, therefore, he is subject to no laws
The court push back is important not because we think it will restrain Trump, but because the generals are not personally loyal to Trump
What gives you this impression? I have yet to see even hesitancy from any General in following any order so far
As a reminder, Trump wanted to shoot Americans in his first term. It was the establishment that told him no. He tried to directly order the military and a general literally yelled at him for it.
Yes but this second term is something else, everybody fell in line and the idiot king has SCOTUS bought and paid for
Everyone is worried about the military while our federal law enforcement is doing military style presence patrols in Los Angeles.
This has not been adjudicated by anyone. You can say "the US doesn't consider it to be an illegal order". Maybe there is some JAG letter somewhere that says helicopters are not required to accept surrender. But there is nothing that precludes trying everyone involved for war crimes.
Oh it's definitely been US policy for decades. The videos are out there. If you want to talk about what constitutes being "out of combat" and whether the Hague would take the case it could certainly be an interesting exercise. However I doubt the Hague would take it up and neither the Department of Justice nor the military courts are going to take it up without a directive from the President. Democrats aren't going to fall all over themselves to give that directive either though because it would mean Biden and Obama also officially presided over a regime of war crimes.
At the end of the day it comes down to the US having X policy that lies in a gray area of international law. Which leads me to another Bush era policy that we've never really rescinded. If you're not a uniformed soldier in service to an enemy country the US doesn't consider you to have the protections that a soldier would have after surrendering. It was a neat little policy that we used to allow ourselves to torture people labeled terrorists. So yeah that's another thing I expect to hear in the next few days, "cartel members are unlawful combatants."
There was the one high profile commander who stepped down du to this. Wish more would follow suit since it’s technically illegal for all involved to disobey orders unless they all do so collectively.
Yes. If Americans haven't proved they're generally racist and Nationalistic, I don't know what else it would take.
It sounds like you're trying to make a gotcha, but it's quite fair to say a member of the military who murders Venezuelans at whim may still balk if ordered to kill white American.
The us said it would invade the Hague of anyone were tried and attempted to be put on trial.
"all means necessary and appropriate to bring about the release of any U.S. or allied personnel being detained or imprisoned by, on behalf of, or at the request of the International Criminal Court"
Dont worry everyone. Republicans will praise the pedophile and friends through tweets. The Democrats will post a mildly worded tweet. No one will actually do anything.
11 people? There were 11 people on the boat? There's no fucking way that was a drug smuggling boat. 11 people means at least nine people's worth of weight that can't be dedicated to drugs.
every American is going to hell for the murders of our elected officials are committing . i hope the deaths that are happening is not tolerated by god if he really exists.
Our ancestors didn't defy kings, battle their own wayward countrymen, charge trenches, and rush fortified beaches headlong into the jaws of death. . .
**. . .for. This. Whatever the disgraceful hell this is.**
About now, every real patriot for what's good about this country should feel a profound and gnawing agony at every passing day these monsters aren't held to account and rendered incapable of further harm to humanity, whatever form that would take.
We need to make it loud and clear that if "the other team" in places of power doesn't use every single tool at their disposal to end this threat IMMEDIATELY, they are complicit fools and will be held accountable as accomplices to whatever untold horrors would await us, should we refuse to hold the line.
Should the orange cancer expect sternly written letters off displeasure (that are written at an adult comprehension level and not written in crayon, leading to him disregarding them ofc)?
As I understand, not a single one of these boats were even remotely capable of making it to America to begin with. Not without refueling, which isn’t likely that we’re set up for it.
This was all a coordinated targeted mass murder right in front of our faces and they need to be tried and punished for every one.
What is the difference between the US military, the Israeli Defense Forces (IDF), and Hamas? The US military is the most effective, the Israeli Defense Forces are less effective than the US military, but much more than Hamas, Hamas is the least effective. Okay, the Russian military is probably the least effective. Let me rephrase this. To someone, someone's hero is a terrorist. And vice versa. If a military force can kill without accountability, it is a terrorist organization, like Hamas or the IDF.
As the holiday season looms into view with Black Friday, one category on people’s gift lists is causing increasing concern: products with artificial intelligence.
The development has raised new concerns about the dangers smart toys could pose to children, as consumer advocacy groups say AI could harm kids’ safety and development. The trend has prompted calls for increased testing of such products and governmental oversight.
Last week, those fears were given brutal justification when an AI-equipped teddy bear started discussing sexually explicit topics.
The product, FoloToy’s Kumma, ran on an OpenAI model and responded to questions about kink. It suggested bondage and roleplay as ways to enhance a relationship, according to a report from the Public Interest Research Group (Pirg), the consumer protection organization behind the study (pdf link).
“It took very little effort to get it to go into all kinds of sexually sensitive topics and probably a lot of content that parents would not want their children to be exposed to,” said Teresa Murray, Pirg consumer watchdog director.
Oh man, who sells these toys so I can make sure to avoid them? Like, which website specifically There are so many, oh man! It’s so hard to know which specific one to avoid! And also, how do I make sure they can’t be modified to accept a fleshlight? You know, just to make extra sure I don’t get a slutty slop hole of a filth spewing teddy bear that will take on all-comers. No one wants that! That would be disgusting.
The news interview Shirley Beswitch of White Plains, New York to ask her why she bought her 3 year old son an ai teddy bear for Christmas this year
"I base my entire identity around the thing I squeezed out of me a few years ago, but I'm not willing to put any actual work into it, you know? Well, except for bitching online constantly about how other people aren't working to create a safer world for My kid"
When asked if she had any concerns about reported issues with the toys, such as inappropriate comments and surveillance, Shirley said:
"Surveillance isn't real. Plus it doesn't matter if someone knows every intimate detail of my life. Sure I'm an immigrant but I did it right, and my son was born here in America, so it's a non issue"
So far all my setups have had root on SSD mirror with separate hard disk storage pool for all the data. Years ago I used to keep the app config, databases and docker files on the root filesystem, while the app data resided on the storage pool. That was cumbersome for backups and storage size. Eventually I moved all app data to the storage pool. Essentially the apps can be started on any machine with a Linux OS that has docker installed. Database access is slower but it's a decent compromise for having trivial all-in-one snapshots and backup. Now I'm setting up a new NAS for a friend and I'm wondering whether it's worth keeping the root filesystem separate from the storage pool. If I put it on the disks, I'd get trivial full system snapshots and backups. I'd have the same hardware reliability as the storage pool. There wouldn't be issues with root filling up. The caveat is that the OS would be slower. Has anyone reasoned and/or tried this? Should I go for it?
E: I recently put my laptop's root on ZFS and the ability to do full backups while the system is running is pretty great. The full system can be pretty trivialy restored to a new drive with zfs send / recv during setup.
Ukrainian President Volodymyr Zelensky has said his chief of staff, Andriy Yermak, has resigned following an anti-corruption raid on his home.
Yermak, a towering figure with enormous political influence, has been Zelensky's closest adviser throughout Russia's full-scale war, but has come under increasing pressure over an escalating scandal - even though he is not accused of any wrongdoing.
Zelensky had recently appointed him to head crucial negotiations, with US President Donald Trump leading a new drive to end the Russia-Ukraine war.
In a stark address to the nation outside his presidential office, Zelensky called for unity, warning: "We risk losing everything: ourselves, Ukraine, our future."
The corruption scandal has rocked Ukraine for weeks, weakening Zelensky's own position and jeopardising the country's negotiating position with the US at a delicate time.
Ukraine, backed by its European allies, has sought to change the terms of a US-led draft peace plan originally seen as heavily slanted towards Russia.
Early on Friday Ukraine's two anti-corruption agencies raided Yermak's apartment in Kyiv's government quarters and the chief of staff said on social media that "from my side there is full co-operation".
"I'm grateful to Andriy that Ukraine's position on the negotiating track was always presented as required: it was always a patriotic position," Ukraine's president said during his video address in Kyiv.
Zelensky said he would start consultations on Saturday on who would replace Yermak as his top adviser: "When all the attention is focused on diplomacy and the defence in a war, inner strength is required."
I got into the self-hosting scene this year when I wanted to start up my own website run on old recycled thinkpad. A lot of time was spent learning about ufw, reverse proxies, header security hardening, fail2ban.
Despite all that I still had a problem with bots knocking on my ports spamming my logs. I tried some hackery getting fail2ban to read caddy logs but that didnt work for me. I nearly considered giving up and going with cloudflare like half the internet does. But my stubbornness for open source self hosting and the recent cloudflare outages this year have encouraged trying alternatives.
Coinciding with that has been an increase in exposure to seeing this thing in the places I frequent like codeberg. This is Anubis, a proxy type firewall that forces the browser client to do a proof-of-work security check and some other nice clever things to stop bots from knocking. I got interested and started thinking about beefing up security.
I'm here to tell you to try it if you have a public facing site and want to break away from cloudflare It was VERY easy to install and configure with caddyfile on a debian distro with systemctl. In an hour its filtered multiple bots and so far it seems the knocks have slowed down.
My botspam woes have seemingly been seriously mitigated if not completely eradicated. I'm very happy with tonights little security upgrade project that took no more than an hour of my time to install and read through documentation. Current chain is caddy reverse proxy -> points to Anubis -> points to services
The front page of the web site is excellent. It describes what it does, and it does its feature set in quick, simple terms.
I can't tell you how many times I've gone to a website for some open-source software and had no idea what it was or how it was trying to do it. They often dive deep into the 300 different ways of installing it, tell you what the current version is and what features it has over the last version, but often they just assume you know the basics.
It looks like it might be; I just know someone that has a site using it and they use a different mascot, so I thought it would have been trivial. I kind of wonder why it wouldn't be possible to just docker bind mount a couple images into the right path, but I'm guessing maybe they obfuscate/archive the file they're reading from or something?
Not idol worship, rather, it's silly to complain about JS when tools like NoScript allow you to selectively choose what runs instead of guessing what it is. It's simply a documentation page like it says on the URL. I mean, they're incredibly tame on the danger scale to leave your guard all the way up and instead take a jab at the entire community that had nothing to do with your personal choices.
It gets quite silly when you blame the entire dev community for supposedly downvoting you over ideals rather than being overly strict about them. I also prefer HTML-first and think it should be the norm, but I draw the line somewhere reasonable.
I can’t get to that page, so I asked a question
Yeah, and you can run the innocuous JS or figure out what it is from the URL. You're tying your own hands while dishing it out to everyone else.
You know the thing is that they know the character is a problem/annoyance, thats how they grease the wheel on selling subscription access to a commecial version with different branding.
If you want to use Anubis but organizational policies prevent you from using the branding that the open source project ships, we offer a commercial version of Anubis named BotStopper. BotStopper builds off of the open source core of Anubis and offers organizations more control over the branding, including but not limited to:
Custom images for different states of the challenge process (in process, success, failure)
Custom CSS and fonts
Custom titles for the challenge and error pages
"Anubis" replaced with "BotStopper" across the UI
A private bug tracker for issues
In the near future this will expand to:
A private challenge implementation that does advanced fingerprinting to check if the client is a genuine browser or not
Email sales@techaro.lol with your requirements for invoicing, please note that custom invoicing will cost more than using GitHub Sponsors for understandable overhead reasons
:::
I have to respect the play tbh its clever. Absolutely the kind of greasy shit play that Julian from the trailer park boys would do if he were an open source developer.
I've never had any issues on my phone using Fennec or Firefox. I don't have many addons installed apart from uBlock Origin. I wouldn't be surprised if some privacy addons cause issues with Anubis though.
Anubis is an elegant solution to the ai bot scraper issue, I just wish the solution to everything wasn't just spending compute everywhere. In a world where we need to rethink our energy consumption and generation, even on clients, this is a stupid use of computing power.
It also doesn’t function without JavaScript. If you’re security or privacy conscious chances are not zero that you have JS disabled, in which case this presents a roadblock.
On the flip side of things, if you are a creator and you’d prefer to not make use of JS (there’s dozens of us) then forcing people to go through a JS “security check” feels kind of shit. The alternative is to just take the hammering, and that feels just as bad.
No hate on Anubis. Quite the opposite, really. It just sucks that we need it.
I feel comfortable hating on Anubis for this. The compute cost per validation is vanishingly small to someone with the existing budget to run a cloud scraping farm, it’s just another cost of doing business.
The cost to actual users though, particularly to lower income segments who may not have compute power to spare, is annoyingly large. There are plenty of complaints out there about Anubis being painfully slow on old or underpowered devices.
Some of us do actually prefer to use the internet minus JS, too.
Plus the minor irritation of having anime catgirls suddenly be a part of my daily browsing.
Theres a compute option that doesnt require javascript. The responsibility lays on site owners to properly configure IMO, though you can make the argument its not default I guess.
The metarefresh challenge sends a browser a much simpler challenge that makes it refresh the page after a set period of time. This enables clients to pass challenges without executing JavaScript.
To use it in your Anubis configuration:
# Generic catchall rule
- name: generic-browser
user_agent_regex: >-
Mozilla|Opera
action: CHALLENGE
challenge:
difficulty: 1 # Number of seconds to wait before refreshing the page
algorithm: metarefresh # Specify a non-JS challenge method
This is not enabled by default while this method is tested and its false positive rate is ascertained. Many modern scrapers use headless Google Chrome, so this will have a much higher false positive rate. :::
Yeah I actually use the noscript extension and i refuse to just whitelist certain sites unless I'm very certain I trust them.
I run into Anubis checks all the time and while I appreciate the software, having to consistently temporarily whitelist these sites does get cumbersome at times. I hope they make this noJS implementation the default soon.
Most of the Anubis encounters I have are to redlib instances that are shuffled around, go down all the time, and generally are more ephemeral than other sites. Because I use another extension called Libredirect to shuffle which redlib instance I visit when clicking on a reddit link, I don't bother whitelisting them permanently.
I already have solved this on my desktop by self hosting my own redlib instance via localhost and using libredirect to just point there, but on my phone I still do the whole nojs temp unblock random redlib instance. Eventually I plan on using wireguard to host a private redlib instance on a vps so I can just not deal with this.
This is a weird case I know, but its honestly not that bad.
if you are a creator and you’d prefer to not make use of JS (there’s dozens of us) then forcing people to go through a JS “security check” feels kind of shit. The alternative is to just take the hammering, and that feels just as bad.
I'm with you here. I come from an older time on the Internet. I'm not much of a creator, but I do have websites, and unlike many self-hosters I think, in the spirit of the internet, they should be open to the public as a matter of principle, not cowering away for my own private use behind some encrypted VPN. I want it to be shared. Sometimes that means taking a hammering. It's fine. It's nothing that's going to end the world if it goes down or goes away, and I try not to make a habit of being so irritating that anyone would have much legitimate reason to target me.
I don't like any of these sort of protections that put the burden onto legitimate users. I get that's the reality we live in, but I reject that reality, and substitute my own. I understand that some people need to be able to block that sort of traffic to be able to limit and justify the very real costs of providing services for free on the Internet and Anubis does its job for that. But I'm not one of those people. It has yet to cost me a cent above what I have already decided to pay, and until it does, I have the freedom to adhere to my principles on this.
To paraphrase another great movie: Why should any legitimate user be inconvenienced when the bots are the ones who suck. I refuse to punish the wrong party.
Scarcity is what powers this type of challenge: you have to prove you spent a certain amount of electricity in exchange for access to the site, and because electricity isn't free, this imposes a dollar cost on bots.
You could skip the detour through hashes/electricity and do something with a proof-of-stake cryptocurrency, and just pay for access. The site owner actually gets compensated instead of burning dead dinosaurs.
Obviously there are practical roadblocks to this today that a JavaScript proof-of-work challenge doesn't face, but longer term...
The cost here only really impacts regular users, too. The type of users you actually want to block have budgets which easily allow for the compute needed anyways.
Yeah, exactly. A regular user isn't going to notice an extra few cents on their electricity bill (boiling water costs more), but a data centre certainly will when you scale up.
You could skip the detour through hashes/electricity and do something with a proof-of-stake cryptocurrency, and just pay for access. The site owner actually gets compensated instead of burning dead dinosaurs.
Maybe if the act of transferring crypto didn't use a comparable or greater amount of energy...
That's why I specified a proof-of-stake cryptocurrency. They use so much less energy that it is practically negligible in comparison, and more on the order of traditional online transactions.
I think the issue is that many sites are too aggressive with it. Anubis can be configured to only ask for challenges if the site is under unusual load, for instance when a botnet it's actually ddosing the site. That's when it shines.
Making it constantly ask for challenges when the service is not under attack is just a massive waste of energy. And many sites just enable it constantly because they can defer bot pings from their logs that way. That's for instance what op is doing. It's just a big misunderstanding of the tool.
This post is a bit critical of a small well-intentioned project, so I felt obliged to email the maintainer to discuss it before posting it online. I didn’t hear back.
i used to watch the dev on mastodon, they seemed pretty radicalized on killing AI, and anyone who uses it (kidding!!) i'm not even surprised you didn't hear back
great take on the software, and as far as i can tell, playwright still works/completes the unit of work. at scale anubis still seems to work if you have popular content, but does hasnt stopped me using claude code + virtual browsers
im not actively testing it though. im probably very wrong about a few things, but i know anubis isn't hindering my personal scraping, it does fuck up perplexity and chatgpt bots, which is fun to see.
I have a server running a few tiny web sites, so I am considering this, but I'm always concerned about the possibility that adding more things to it could make it less secure, versus more. Thanks for any thoughts.
Security issues are always a concern the question is how much. Looking at it they seem to at most be ways to circumvent the Anubis redirect system to get to your page using very specific exploits. These are marked as m low to moderate priority and I do not see anything that implies like system level access which is the big concern. Obviously do what you feel is best but IMO its not worth sweating about. Nice thing about open source projects is that anyone can look through and fix, if this gets more popular you can expect bug bounties and professional pen testing submissions.
This isn't really a security issue as much as it is a DDOS issue.
Imagine you own a brick and mortar store. And periodically one thousand fucking people sprint into your store and start recording the UPCs on all the products, knocking over every product in the store along the way. They don't buy anything, they're exclusively there to collect information from your store which they can use to grift investors and burn precious resources, and if they fuck your shit up in the process, that's your problem.
This bot just sits at the door and ensures the people coming in there are actually shoppers interested in the content of some items of your store.
I don't know if "anything". But surely people overestimate its capabilities.
It's only a PoW challenge. Any bot can execute a PoW challenge. For a smal to medium number of bots the energy difference it's negligible.
Anubis it's useful when millions of bots would want to attack a site. Then the energy difference of the PoW (specially because Anubis increase the challenge if there's a big number of petitions) can be enough to make the attacker desist, or maybe it's not enough, but at least then it's doing something.
I see more useful against DDOS than AI scrapping. And only if the service being DDOS is more heavy than Anubis itself, if not you can get DDOS via anubis petitions. For AI scrapping I don't see the point, you don't need millions of bots to scrape a site unless you are talking about a massively big site.
I have a script that watches apache or caddy logs for poison link hits and a set of bot user agents, adding IPs to an ipset blacklist, blocking with iptables. I should polish it up for others to try. My list of unique IPs is well over 10k in just a few days.
git repos seem to be real bait for these damn AI scrapers.
This is the way. I also have rules for hits to url, without a referer, that should never be hit without a referer, with some threshold to account for a user hitting F5. Plus a whitelist of real users (ones that got a 200 on a login endpoint). Mostly the Huawei and Tencent crawlers have fake user agents and no referer. Another thing crawlers don't do is caching. A user would never download that same .js file 100s of times in a hour, all their devices' browsers would have cached it. There's quite a lot of these kinds of patterns that can be used to block bots. Just takes watching the logs a bit to spot them.
Then there's ratelimiting and banning ip's that hit the ratelimit regularly. Use nginx as a reverse proxy, set rate limits for URLs where it makes sense, with some burst set, ban IPs that got rate-limited more than x times in the past y hours based on the rate limit message in the nginx error.log. Might need some fine tuning/tweaking to get the thresholds right but can catch some very spammy bots. Doesn't help with those that just crawl from 100s of ips but only use each ip once every hour, though.
Ban based on the bot user agents, for those that set it. Sure, theoretically robots.txt should be the way to deal with that, for well behaved crawlers, but if it's your homelab and you just don't want any crawlers, might as well just block those in the firewall the first time you see them.
Downloading abuse ip lists nightly and banning those, that's around 60k abusive ip's gone. At that point you probably need to use nftables directly though instead of iptables or going through ufw, for the sets, as having 60k rules would be a bad idea.
there's lists of all datacenter ip ranges out there, so you could block as well, though that's a pretty nuclear option, so better make sure traffic you want is whitelisted. E.g. for lemmy, you can get a list of the ips of all other instances nightly, so you don't accidentally block them. Lemmy traffic is very spammy…
there's so much that can be done with f2b and a bit of scripting/writing filters
You mean for the referer part? Of course you don't want it for all urls and there's some legitimate cases. I have that on specific urls where it's highly unlikely, not every url. E.g. a direct link to a single comment in lemmy, and whitelisting logged-in users. Plus a limit, like >3 times an hour before a ban. It's already pretty unusual to bookmark a link to a single comment
It's a pretty consistent bot pattern, they will go to some subsubpage with no referer with no prior traffic from that ip, and then no other traffic from that ip after that for a bit (since they cycle though ip's on each request) but you will get a ton of these requests across all ips they use. It was one of the most common patterns i saw when i followed the logs for a while.
of course having some honeypot url in a hidden link or something gives more reliable results, if you can add such a link, but if you're hosting some software that you can't easily add that to, suspicious patterns like the one above can work really well in my experience. Just don't enforce it right away, have it with the 'dummy' action in f2b for a while and double check.
And I mostly intended that as an example of seeing suspicious traffic in the logs and tailoring a rule to it. Doesn't take very long and can be very effective.
I've repeatedly stated this before: Proof of Work bot-management is only Proof of Javascript bot-management. It is nothing to a headless browser to by-pass. Proof of JavaScript does work and will stop the vast majority of bot traffic. That's how Anubis actually works. You don't need to punish actual users by abusing their CPU. POW is a far higher cost on your actual users than the bots.
Last I checked Anubis has an JavaScript-less strategy called "Meta Refresh". It first serves you a blank HTML page with a <meta> tag instructing the browser to refresh and load the real page. I highly advise using the Meta Refresh strategy. It should be the default.
I'm glad someone is finally making an open source and self hostable bot management solution. And I don't give a shit about the cat-girls, nor should you. But Techaro admitted they had little idea what they were doing when they started and went for the "nuclear option". Fuck Proof of Work. It was a Dead On Arrival idea decades ago. Techaro should strip it from Anubis.
I haven't caught up with what's new with Anubis, but if they want to get stricter bot-management, they should check for actual graphics acceleration.
Funnily enough, PoW was a hot topic in academia around the late 90s / early 2000, and it's somewhat clear that the autor of Anubis has not read much about the discussion back then.
There was a paper called "Proof of work does not work" (or similar, can't be bothered to look it up) that argued that PoW can not work for spam protection, because you have to support both low-powered consumer devices while blocking spammers with heavy hardware. And that is very valid concern. Then there was a paper arguing that PoW can still work, as long as you scale the difficulty in such a way that a legit user (e.g. only sending one email) has a low difficulty, while a spammer (sending thousands of emails) has a high difficulty.
The idea of blocking known bad actors actually is used in email quite a lot in forms of DNS block lists (DNSBLs) such as spamhaus (this has nothing to do with PoW, but such a distributed list could be used to determine PoW difficulty).
Anubis on the other hand does nothing like that and a bot developed to pass Anubis would do so trivially.
At least in the beginning the scrapers just used curl with a different user agent. Forcing them to use a headless client is already a 100x increase in resources for them. That in itself is already a small victory and so far it is working beautifully.
Well in most cases it would by Python requests not curl. But yes, forcing them to use a browser is the real cost. Not just in CPU time but in programmer labor. PoW is overkill for that though.
Then there was a paper arguing that PoW can still work, as long as you scale the difficulty in such a way that a legit user
Telling a legit user from a fake user is the entire game. If you can do that you just block the fake user. Professional bot blockers like Cloudflare or Akamai have machine learning systems to analyze trends in network traffic and serve JS challenges to suspicious clients. Last I checked, all Anubis uses is User-Agent filters, which is extremely behind the curve. Bots are able to get down to faking TLS fingerprints and matching them with User-Agents.
POW is a far higher cost on your actual users than the bots.
That sentence tells me that you either don't understand or consciously ignore the purpose of Anubis. It's not to punish the scrapers, or to block access to the website's content. It is to reduce the load on the web server when it is flooded by scraper requests. Bots running headless Chrome can easily solve the challenge, but every second a client is working on the challenge is a second that the web server doesn't have to waste CPU cycles on serving clankers.
POW is an inconvenience to users. The flood of scrapers is an existential threat to independent websites. And there is a simple fact that you conveniently ignored: it fucking works.
Its like you didn't understand anything I said. Anubis does work. I said it works. But it works because most AI crawlers don't have a headless browser to solve the PoW. To operate efficiently at the high volume required, they use raw http requests. The vast majority are probably using basic python requests module.
You don't need PoW to throttle general access to your site and that's not the fundamental assumption of PoW. PoW assumes (incorrectly) that bots won't pay the extra flops to scrape the website. But bots are paid to scape the website users aren't. They'll just scale horizontally and open more parallel connections. They have the money.
You are arguing a strawman. Anubis works because because most AI scrapers (currently) don't want to spend extra on running headless chromium, and because it slightly incentivises AI scrapers to correctly identify themselves as such.
Most of the AI scraping is frankly just shoddy code written by careless people that don't want to ddos the independent web, but can't be bothered to actually fix that on their side.
You are arguing a strawman. Anubis works because because most AI scrapers (currently) don’t want to spend extra on running headless chromium
WTF, That's what I already said? That was my entire point from the start!? You don't need PoW to force headless usage. Any JavaScript challenge will suffice. I even said the Meta Refresh challenge Anubis provides is sufficient and explicitly recommended it.
And how do you actually check for working JS in a way that can’t be easily spoofed? Hint: PoW is a good way to do that.
Accessing the browsers API in any way is way harder to spoof than some hashing. I already suggested checking if the browser has graphics acceleration. That would filter out the vast majority of headless browsers too. PoW is just math and is easy to spoof without running any JavaScript. You can even do it faster than real JavaScript users something like Rust or C.
Meta refresh is a downgrade in usability for everyone but a tiny minority that has disabled JS.
What are you talking about? It just refreshes the page without doing any of the extra computation that PoW does. What extra burden does it put on users?
If you check for GPU (not generally a bad idea) you will have the same people that currently complain about JS, complain about this breaking with their anti-fingerprinting browser addons.
But no, you can't spoof PoW obviously, that's the entire point of it. If you do the calculation in Javascript or not doesn't really matter for it to work.
In the current shape Anubis has zero impact on usability for 99% of the site visitors, not so with meta refresh.
You will have people complain about their anti-fingerprinting being blocked with every bot-managment solution. Your ability to navigate the internet anonymously is directly correlated with a bots ability to scrape. That has never been my complaint about Anubis.
My complaint is that the calculations Anubis forces you to do are absolutely negligible burden for a bot to solve. The hardest part is just having a JavaScript interpreter available. Making the author of the scraper write custom code to deal with your website is the most effective way to prevent bots.
Think about how much computing power AI data centers have. Do you think they give a shit about hashing some values for Anubis? No. They burn more compute power than a thousand Anubis challenges generating a single llm answer. PoW is a backwards solution.
Please Think. Captchas worked because they're supposed to be hard for a computer to solve but are easy for a human. PoW is the opposite.
In the current shape Anubis has zero impact on usability for 99% of the site visitors, not so with meta refresh.
Again, I ask you: What extra burden does meta-refresh impose on users? How does setting a cookie and immediately refreshing the page burden the user more than making them wait longer while draining their battery before doing the exact same thing? Its strictly less intrusive.
No one is disputing that in theory (!) Anubis offers very little protection against an adversary that specifically tries to circumvent it, but we are dealing with an elephant in the porcelain shop kind of situation. The AI companies simply don't care if they kill off small independently hosted web-applications with their scraping and Anubis is the mouse that is currently sufficient to make them back off.
And no, forced site reloads are extremely disruptive for web-applications and often force a lot of extra load for re-authentication etc. It is not as easy as you make it sound.
Anubis forces the site to reload when doing the normal PoW challenge! Meta Refresh is a sufficient mouse to block 99% of all bot traffic without being any more burdensome than PoW.
You've failed to demonstrate why meta-refresh is more burdensome than PoW and have pivoted to arguing the point I was making from the start as though it was your own. I'm not arguing with you any further. I'm satisfied that I've convinced any readers of our discussion.
Heads up, you’re really invested in arguing with someone who does not appear to be arguing in good faith. Just block them and move on, you will be a happier person for it.
Something that hasn't been mentioned much in discussions about Anubis is that it has a graded tier system of how sketchy a client is and changing the kind of challenge based on a a weighted priority system.
The default bot policies it comes with has it so squeaky clean regular clients are passed through, then only slightly weighted clients/IPs get the metarefresh, then its when you get to moderate-suspicion level that JavaScript Proof of Work kicks. The bot policy and weight triggers for these levels, challenge action, and duration of clients validity are all configurable.
It seems to me that the sites who heavy hand the proof of work for every client with validity that only last every 5 minutes are the ones who are giving Anubis a bad wrap. The default bot policy settings Anubis comes with dont trigger PoW on the regular Firefox android clients ive tried including hardened ironfox. meanwhile other sites show the finger wag every connection no matter what.
Its understandable why some choose strict policies but they give the impression this is the only way it should be done which Is overkill. I'm glad theres config options to mitigate impact normal user experience.
Anubis is that it has a graded tier system of how sketchy a client is and changing the kind of challenge based on a a weighted priority system.
Last I checked that was just User-Agent regexes and IP lists. But that's where Anubis should continue development, and hopefully they've improved since. Discerning real users from bots is how you do proper bot management. Not imposing a flat tax on all connections.
A HTTP get request is a few hundred bytes. The response is 28KB. Thats 280x. If a large botnet wanted to denial of service an Anubis protected site, requesting that image could be enough.
Ideally, Anubis should serve as little data as possible until the POW is completed. Caching the POW algorithm (and the image) to a CDN would also mitigate the issue.
Definitely, which is why i suggested hosting the image + js on a CDN. Keeps brand awareness, and lets the CDN take the brunt of any malicious activity. with a bit of code-golfing, the data served by Anubis directly prior to POW could be a few hundred bytes, without impacting its functionality.
I dunno that is true, nothing in the docs indicates that it is explicitly anti-CDN. And using a CDN for a static javascript resource and an image isn't the same as running the entire site through a CDN proxy.
At the time of commenting, this post is 8h old. I read all the top comments, many of them critical of Anubis.
I run a small website and don't have problems with bots. Of course I know what a DDOS is - maybe that's the only use case where something like Anubis would help, instead of the strictly server-side solution I deploy?
I use CrowdSec (it seems to work with caddy btw). It took a little setting up, but it does the job. (I think it's quite similar to fail2ban in what it does, plus community-updated blocklists)
Am I missing something here? Why wouldn't that be enough? Why do I need to heckle my visitors?
Despite all that I still had a problem with bots knocking on my ports spamming my logs.
By the time Anubis gets to work, the knocking already happened so I don't really understand this argument.
If the system is set up to reject a certain type of requests, these are microsecond transactions of no (DDOS exception) harm.
If crowdsec works for you thats great but also its a corporate product whos premium sub tier starts at 900$/month not exactly a pure self hosted solution.
I'm not a hypernerd, still figuring all this out among the myriad of possible solutions with different complexity and setup times. All the self hosters in my internet circle started adopting anubis so I wanted to try it. Anubis was relatively plug and play with prebuilt packages and great install guide documentation.
Allow me to expand on the problem I was having. It wasnt just that I was getting a knock or two, its that I was getting 40 knocks every few seconds scraping every page and searching for a bunch that didnt exist that would allow exploit points in unsecured production vps systems.
On a computational level the constant network activity of bytes from webpage, zip files and images downloaded from scrapers pollutes traffic. Anubis stops this by trapping them in a landing page that transmits very little information from the server side. By traping the bot in an Anubis page which spams that 40 times on a single open connection before it gives up, it reduces overall network activity/ data transfered which is often billed as a metered thing as well as the logs.
And this isnt all or nothing. You don't have to pester all your visitors, only those with sketchy clients. Anubis uses a weighted priority which grades how legit a browser client is. Most regular connections get through without triggering, weird connections get various grades of checks by how sketchy they are. Some checks dont require proof of work or JavaScript.
On a psychological level it gives me a bit of relief knowing that the bots are getting properly sinkholed and I'm punishing/wasting the compute of some asshole trying to find exploits my system to expand their botnet. And a bit of pride knowing I did this myself on my own hardware without having to cop out to a corporate product.
Its nice that people of different skill levels and philosophies have options to work with. One tool can often complement another too. Anubis worked for what I wanted, filtering out bots from wasting network bandwith and giving me peace of mind where before I had no protection. All while not being noticeable for most people because I have the ability to configure it to not heckle every client every 5 minutes like some sites want to do.
If crowdsec works for you thats great but also its a corporate product
It's also fully FLOSS with dozens of contributors (not to speak of the community-driven blocklists). If they make money with it, great.
not exactly a pure self hosted solution.
Why? I host it, I run it. It's even in Debian Stable repos, but I choose their own more up-to-date ones.
Allow me to expand on the problem I was having. It wasnt just that I was getting a knock or two, its that I was getting 40 knocks every few seconds scraping every page and searching for a bunch that didnt exist that would allow exploit points in unsecured production vps systems.
Again, a properly set up WAF will deal with this pronto
You should not have exploit points in unsecured production systems, full stop.
On a computational level the constant network activity of bytes from webpage, zip files and images downloaded from scrapers pollutes traffic. Anubis stops this by trapping them in a landing page that transmits very little information from the server side.
And instead you leave the computations to your clients. Which becomes a problem on slow hardware.
Again, with a properly set up WAF there's no "traffic pollution" or "downloading of zip files".
Anubis uses a weighted priority which grades how legit a browser client is.
And apart from the user agent and a few other responses, all of which are easily spoofed, this means "do some javascript stuff on the local client" (there's a link to an article here somewhere that explains this well) which will eat resources on the client's machine, which becomes a real pita on e.g. smartphones.
Also, I use one of those less-than-legit, weird and non-regular browsers, and I am being punished by tools like this.
All the self hosters in my internet circle started adopting anubis so I wanted to try it. Anubis was relatively plug and play with prebuilt packages
edit: I feel like this part of OP's argument needs to be pointed out, it explains so much:
All the self hosters in my internet circle started adopting anubis so I wanted to try it. Anubis was relatively plug and play with prebuilt packages
Mmm how to say this. i suppose what I'm getting at is like a philosophy of development and known behaviors of corporate products.
So, here's what I understand about crowdsec. Its essentially like a centralized collection of continuously updated iptable rules and botscanning detectors that clients install locally.
In a way its crowd sourcing is like a centralized mesh network each client is a scanner node which phones home threat data to the corporate home which updates that.
Notice the optimal word, centralized. The company owns that central home and its their proprietary black box to do what they want with. And so you know what for profit companies like to do to their services over time? Enshittify them by
adding subscription tier price models
putting once free features behind paywalls,
change data sharing requirements as a condition for free access
restricting free api access tighter and tighter to encourage paid tiers,
making paid tiers cost more to do less.
Intentionally ruining features in one service to drive power users to use a different.
They can and do use these tactics to drive up profit or reduce overhead once a critical mass has been reached. I do not expect alturism and respect for usersfrom corporations, I expect bean counters using alturism as a vehicle to attract users in the growing phase and then flip the switch in their tos to go full penny pinching once they're too big to fail.
::: spoiler Crowdsecs pricing updates from last year CrowdSec updated pricing policy
Hi everyone,
Our former pricing model led to some incomprehensions and was sub-optimal for some use-cases.
We remade it entirely here. As a quick note, in the former model, one never had to pay $2.5K to get premium blocklists. This was Support for Enterprise, which we poorly explained. Premium blocklists were and are still available from the premium SaaS plan, accessible directly from the SaaS console.
Here are the updates:
Security Engine: All its embedded features (IDS, IPS and WAF) were, are and will remain free.
SAAS: The free plan offers up to three silver-grade blocklists (on top of receiving IP related to signals your security engines share). Premium plans can use any free, premium and gold-grade blocklists. Previously, we had a premium and an enterprise plan with more features. All features are now merged into a unique SaaS enterprise plan. The one starting at $31/month. As before, those are available directly from the SaaS console page: app.crowdsec.net
SUPPORT: The $2.5K (which were mostly support for Enterprise) are now becoming optional. Instead, a client can contract $1K for Emergency bug & security fixes and $1K for support if they want to.
BLOCKLISTS: Very specific (country targeted, industry targeted, stack targeted, etc.) or AI-enhanced are now nested in a different offer named "Platinum blocklists subscription". You can subscribe to them, regardless of whether you use the FOSS Security Engine or not. They can be joined, tuned, and injected directly into most firewalls with regular automatic remote updates of their content. As long as you do not resell them (meaning you are the final client), you can use the subscription in any part of your company.
CTI DATA: They can be consumed through API keys with associated quotas. These are affordable and intended for use in tools like OpenCTI, MISP, The Hive, Xsoar, etc. Costs are in the range of hundreds of dollars per month. The Full CTI database can also be locally replicated at your place and constantly synced for deltas. Those are the largest plans we have, and they are usually destined to L/XL enterprises, governmental bodies, OEM & hardware vendors.
Whilst I'm pleased to see it made clearer, £290 a year for each security engine is still far too expensive for me to consider it. 2 u/GuitarEven avatar GuitarEven • 1y ago
We get that £290 is too high for individual home labs. Those offers are made for companies. Free tier features should cover homelabs correctly.
Features that are oriented for enterprise clients. If a company cannot invest $300 yearly in its security, no judgment and the free tier will still be very helpful until it recovers some budget margins to strengthen its security posture. 4
[deleted]• 1y ago
Any idea why we dont have any good free / freemium (max $5 per month) app yet. Reason am asking - adguard, urigin etc had filters which matches js/domains and filters them out. Same logic can be applied atleast for the ip lists - so that these ips cann be added to iptables to block. A lot of things are easy to make. The tough ones are things like scenarios and may be ssh bw etc. I wonder why no real competition. 1 u/GuitarEven avatar GuitarEven • 1y ago
hi u/ElizabethThomas44
Well you actually do. To date, for free, you get: * the security engine (IDS/IPS/WAF) * all scenarios * the blocklist of IPs you are participating to detect when you use scenarios and share signals * the free tier of the console
The IPs you automatically get for free are already added to your nftables or iptables using the related remediation component.
<TL/DR> You already have it.
(damn, personal reddit account, sorry, this is Philippe@CrowdSec) 4
:::
At the end of the day its not the thousands of anonymous users contributing their logs or Foss voulenteers on git getting a quarterly payout. They're the product and free compute + live action pen testing ginnea pigs, no matter what PR they spin saying how much they care about the security of the plebs using their network for free.
Its always about maximizing the money with these people your security can get fucked if they dont get some use out of you. Expect at some point the tos will change so that anonymized data sharing is no longer an option for free tier.
What happens if the company goes bankrupt? Does it just stop working when their central servers shut down? Does their open source security have the possibility of being forked and run from local servers?
It doesnt have to be like this. Peer to peer Decentralized mesh networks like YaCy already show its possible for a crowdsourced network of users can all contribute to an open database. Something that can be completely run as a local Node which federates and updates the information in global node. Something like it that updates a global iptables is already a step in the right direction. In that theoretical system there is no central monopoly its like the fediverse everyone contributes to hosting the global network as a mesh which altruistic hobbyist can contribute free compute to on their own terms.
I"I dont see anything wrong with people getting paid" is something I see often on discussions. Theres nothing wrong with people who do work and make contributions getting paid. What's wrong is it isnt the open source community on github or the users contributing their precious data getting paid, its a for profit centralized monopoly that controls access to the network which the open source community built for free out of alturism.
The pattern is nearly always the same. The thing that once worked well and which you relied on gets slowly worse each ToS update, while their pricing inches just a dollar higher each quarter, and you get less and less control over how you get to use their product. Its pattern recognition.
The only solution is to cut the head off the snake. If I can't fully host all of the components, see the source code of the mechanisms at all layers, own a local copy of the global database, then its not really mine.
Again, it's a philosophy thing. Its very easy to look at all that, shrug, and go "whatever not my problem I'll just switch If it becomes an issue". But the problem festers the longer its ignored or enabled for convinence. The community needs to truly own the services they run on every level, it has to be open, and for profit bean counters can't be part of the equation especially for hosting. There are homelab hobbyist out there who will happily eat cents on a electric bill to serve an open service to a community, get 10,000 of them on a truly open source decentralized mesh network and you can accomplish great things without fear of being the product.
CrowdSec is an open-source and collaborative security stack leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Join the community and let's make the Internet safer, together.
Anubis was originally created to protect git web interfaces since they have a lot of heavy-to-compute URLs that aren't feasible to cache (revision diffs, zip downloads etc).
After that I think it got adopted by a lot of people who didn't actually need it, they just don't like seeing AI scrapers in their logs.
AI scraping is a massive issue for specific types of websites, such as git forges, wikis and to a lesser extend Lemmy etc, that rely on complex database operations that can not be easily cached. Unless you massively overprovision your infrastructure these web-applications come to a grinding halt by constantly maxing out the available CPU power.
The vast majority of the critical commenters here seem to talk from a point of total ignorance about this, or assume operators of such web applications have time for hyperviligance to constantly monitor and manually block AI scrapers (that do their best to circumvent more basic blocks). The realistic options for such operators are right now: Anubis (or similar), Cloudflare or shutting down their servers. Of these Anubis is clearly the least bad option.
I also used CrowdSec for almost a year, but as AI scrapers became more aggressive, CrowdSec alone wasn’t enough. The scrapers used distributed IP ranges and spoofed user agents, making them hard to detect and costing my Forgejo instance a lot in expensive routes. I tried custom CrowdSec rules but hit its limits.
Then I discovered Anubis. It’s been an excellent complement to CrowdSec — I now run both. In my experience they work very well together, so the question isn’t “A or B?” but rather “How can I combine them, if needed?”
You are right. For most self-hosting usecases anubis is not only irrelevant, but it actually works against you. False sense of security and making your devices do extra work for nothing.
Anubis is though for public facing services that may get ddos or AI scrapped by some not targeted bot (for a target bot it's trivial to get over Anubis in order to scrap).
And it's never a substitute of crowdsec or fail2ban. Getting an Anubis token it's just a matter of executing the PoW challenge. You still need a way to detect and ban malicious attacks.
Try to secure a nonprofit's web infrastructure with as 1 IT guy and no budget for devs or security.
It would be nice if we could update servers constantly and patch unmaintained code, but sometimes you just need to front it with something that plugs those holes until you have the capacity to do updates.
But 100% the WAF should be run locally, not a MiTM from evil US corp in bed with DHS.
Obviously I don't think you need Anubis for a static site. And if that is what your admin experience is limited too, than you have a strong case of dunning krueger.
the project name is a bit unfortunate to show for users, maybe change that if you will use it.
some known privacy services use it too, including the invidious at nadeko.net, so you can check there how it works. It's one of the most popular inv servers so I guess it cannot be bad, and they use multiple kinds of checks for each visitor
Inspired by this post I spent a couple of hours today trying to set this up on my toy server, only to immediately run into what seems to be a bug where <video> tags loading a simple WebM video from right next to index.html broke because the media response got Anubis's HTML bot check instead of media.
Describe the bug I have a redlib instance running behind anubis and when trying to play GIFs, it fails. If I check out the response, it's just anubis trying to verify my browser instead of the medi...
Anubis is mainly aimed against bad AI scrappers and some ddos mitigation if you have a heavy service.
You are getting hit exactly the same, anubis doesn't put up a block list or anything. It just put itself in front of the service. The load on your server and the risk you take it's very similar anubis or not anubis here. Most bots are not AI scrappers they are just proving. So the hit on your server is the same.
What you want is to properly set up fail2ban or, even better, crowdsec. That would actually block and ban bots that try to prove your server.
If you are just self-hosting with Anubis the only thing you are doing is deriving the log noise towards Anubis logs and making your devices do a PoW every once in a while when you want to use your services.
Being honest I don't know what you are self hosting. But at least it's something that's going to get ddos or AI scrapped, there's not much point with Anubis.
Also Anubis is not a substitute for fail2ban or crowdsec. You need something to detect and ban brute force attacks. If not the attacker would only need to execute the anubis challenge get the token for the week and then they are free to attack your services as they like.
Maybe you know the answer to my question: If I'd want to use any app that doesnt run in a webbrowser (e.g. the native jellyfin app), how would that work? Does it still work then?
It explicitly checks for web browser properties to apply challenges and all its challenges require basic web functionality like page refresh. Unless the connection to your server involves handling a user agents string it won't work, I think this I how it is anyway. Hope this helped.
Assuming what you said is correct, it wouldnt help my use case. Not hosting any page meant for public consumption anyway so it's not really important. But thanks for answering 😀
The creator is active on a professional slack I'm on and they're lovely and receptive to user feedback. Their tool is very popular in the online archives/cultural heritage scene (we combine small budgets and juicy, juicy data).
My site has enabled js-free screening when the site load is low, under the theory that if the site load is too high then no one's getting in anyway.
I host my main server on my own hardware, and a VPN on Hetzner because my shitty ISP doesn't let me port forward. For the past year, bots were hitting my Forgejo instance hard. I forgot to disable registration and they generated hundreds of accounts with hundreds of repos with sketchy links, generating terrabytes of traffic from my VPS, costing me money in traffic. I disabled registration and deleted the spam, and bots still kept hitting my server for several months, which would cause memory leaks over time and crash it and consume CPU, and still costed me money with terrabytes of traffic per month. A few weeks ago, I put Anubis on the VPS. Now, zero bots hit my Forgejo instance and I don't pay for their traffic anymore. Problem solved.
Its always code forges and wikis that are effected by this because the scrapers spider down into every commit or edit in your entire history, then come back the next day and check every “page” again to see if any changed. Consider just blocking pages that are commit history at your reverse proxy.
I am very annoyed that I have to enable cloudflare's JavaScript on so many websites, I would much prefer if more of them used Anubis so I didn't have third-party JavaScript running as often.
( coming from an annoying user who tries to enable the fewest things possible in NoScript )
A daughter of the former South African president Jacob Zuma has resigned as an MP, after being accused of tricking 17 South African men into fighting for Russia in Ukraine by telling them they were travelling to Russia to train as bodyguards for the Zumas’ uMkhonto weSizwe (MK) party.
Duduzile Zuma-Sambudla, 43, the most visible and active in politics of her siblings, volunteered to resign and step back from public roles while cooperating with a police investigation and working to bring the men home, the MK chair, Nkosinathi Nhleko, said at a press conference in Durban.
Love me some Fedora, why should I switch to an immutable version? The thing that gives me pause is I like being able to change my system when I need to and have it persist, which is from what I understand the exact opposite idea of immutables (but I may be misunderstanding, thus this comment asking lol).
So essentially you have a base system and you add what you need through flatpak, distrobox, homebrew, and if all else fails, by layering the packages on the base image with rpm-ostree. What you can't do (that I'm aware of), is remove packages, or make bigger changes like adding another desktop environment aside what it came from. I mean, I guess you can do it by layering but it's probably messy. Configuration and customisation are not an issue: /etc and /var are not immutable of course.
Distrobox is super cool btw, I knew it existed but Bazzite pushing me to use it was what I needed to finally try and appreciate it.
Airbus is recalling more than half of the jets in its global A320 fleet, which will disrupt thousands of flights around the world.
The company said the planes need an "immediate software change" to ensure flight control is sound.
The recall comes after a JetBlue plane’s nose dropped for several seconds without the pilot’s input during a flight in October, according to a European safety agency.
American Airlines says the news will disrupt more than 300 flights for its airline alone, while Air Canada says "very few" of its planes are affected.
Boeing would do nothing except post a notice on a board in a damp cellar of one of their offices, and then blame airlines for not following their instructions.
A January study in the journal Social Science & Medicine found that volunteering slows down aging in retirees: the DNA of people who volunteered the equivalent of one to four hours a week showed distinctive biomarkers associated with decelerated epigenetic aging, with the most pronounced effects among retired people.
“People might do better, physically, psychologically, socially, if they have a role that they think is important and they identify with,” said Cal J. Halvorsen, a gerontological social work scholar at Washington University in St. Louis and one of the authors of the study. “In the American context, we take our jobs very seriously, and so we were curious if volunteering after retiring or when you’re no longer working might have a different effect on your epigenetic aging.”
That study is just part of a growing body of research on the health benefits of volunteering for retirees, a major benefit for older Americans who have mobilized for election defense and other core public services under attack. Another study published in February found that volunteering in early retirement among Americans also reduced rates of depression by around 10 percent—again, a more pronounced effect than in the general population.
The headline is wholly unsupported by the study. They asked seniors if they volunteered at "religious, educational, health-related, or other charitable organizations", not political organizations. Even as noted in the article:
The work also keeps Williams sane. Following politics leaves her “ready to tear somebody’s hair out,” she said.
If anything, the stress of living under fascism probably shortens your life expectancy. Apparently living in a democracy increases it by 11 years, which probably outweighs the volunteering effect: sciencedirect.com/science/arti…
This explains what's going on with Bernie Sanders. In recent interviews he seems somehow younger than he did 5 years ago. The country needs him and it's energized him. I hope he gets a few years to himself after all this to enjoy retirement, though.
I thought this was going to be a community for linux newbies, who come here and find little tips for how to better use linux. Like little tips and tricks to better use linux that are so addictive it's like crack.
Alas, no. This is a sub on how to download pirated linux games.
Which I'm still all here for, by the way. I just wish the community I envisioned ALSO existed. It would be like the first time I ever found out about the registry editor on windows XP.
I need THAT moment, but for linux. The moment where I figure out how to take control, and understand what I'm doing.
Because right now, I'm just distro hopping, but hating most of these options. Right now I'm looking at LMDE which is Mint without ubuntu. Also looking at Fedora. Also looking at Bazzite. And I've been using Zorin for a year now.
Outside of those, I hate every option I try. MX Linux was kind of good......but also really really annoying. HATED PopOS.
I'm just looking for tips that will help me understand "OOOOHHHH!!!! THAT'S how that works."
Like right now, I have no idea how updates work. I know there's repositories. I have no idea where these repositories are. I have no idea how my computer knows where these repositories are. I have no idea how to add or change my repositories. I have no idea what's in them.
That's just the tip of the iceberg of what I don't know. Terminal is just.......can we make a distro without the terminal please? Make it so you can download your own if you want to, but the culture around this distro would be terminal-less. That's the distro I want.
I want to have issues, that have solutions online that don't start with:
Step 1: Chill Step 2: Don't try to run before you can walk. Adding or changing repositories is a bad idea 99 times out of 100. Step 3: STOP reading up on all the Linux controversies online. It's just an operating system. Step 4: Stick with Zorin. Why? Simply because it's the distro you've been using for a year. Almost all Linux distros can do what any distro can do. Which one you use generally doesn't matter as much as you think. Stick with it until you run into something it can't do, and you know enough to know which other distro could do it better. It doesn't matter that it's based on Ubuntu, and Ubuntu is kind of meh. Don't worry about Snaps, Wayland or Systemd. Just install the programs you need and use your computer.
Yeah. Stick with Zorin or maybe try Ubuntu. If you specifically do not want to learn, which is what your post makes it sound like, Zorin or Ubuntu will be your best bet.
Being real, Linux without terminal is kinda impossible. That being said, assuming you test compatibility via a live disc/drive before installing, you shouldn't need to use CLI often at all, and may never need to if you don't want.
However, when trouble does happen, you need that kind of access. You do on Windows as well, so it isn't like you're escaping it if you jump ship.
Not having a terminal program would be mind-numbingly bad. Any situation that you would need to use it, installing it would be harder, and maybe impossible. So, just don't open the damn thing if you don't want to use it regularly. There's a ton of gui options for almost everything these days. But you can't escape command line entirely on any os.
Repos are essentially what makes the various distros what they are, to an extent. They're curated software, and the address for whatever is maintained by the distro is already in there, and that's how it knows. Someone put it in.
If you're not comfy with CLI, you probably shouldn't fuck around adding repos tbh. Again, that being said, you'd find where to do so under the software/updates menu in mint. You find the box, type the info in, give your password, and Bob's your uncle. Thing is, that's not a decrease in steps compared to using command line, it's just different steps. The exact label to get there via gui may vary between distros, but it's in the "start" menu somewhere.
Updates are just a matter of the software connecting to the repo, checking to see what's new, then giving you the option to use them.
Legit, I totally understand the issue with using command line interfaces. My dyslexic ass hates trying to sort through the text. But it is a great tool. If anything every goes really wrong, you'll be glad it's sitting there ready.
Instructions that start with "open terminal" are then followed by text commands to execute, all of which can be broken down and dissected to learn exactly what they are doing and why they are there. And generally, CLI tools, config files, etc have a very stable interface that doesn't change much over time (generalizing broadly; obviously there are some softwares with major changes which this does not apply to). Ultimately, they can be replicated very easily with copy/paste by the end user.
Instructions that are just a bunch of screenshots are subject to user error and whims of the softwares UI designers and your own personal look and feel settings.
Instructions that are "download this file and execute it" are how you fuck up your system with a difficult, possibly nonexistent, path to recovery.
So, I'd advise to get comfortable with the terminal and accept those instructions as the blessing that they are
Your aversion to the terminal will make it extremely hard for you to learn linux. The point of the terminal is to tell the computer exactly what you want it to do. If you don't know what you want it to do, you probably shouldn't do it. As such I'd suggest you either buckle down and learn the hard way with something like Arch installed manually, or just stick with what you already know and let the knowledge be drip fed as time goes, using something that mostly just works. The tool is there, its meant to be used a certain way. Sometimes you can't treat every tool like a hammer.
It sounds to me like you don't want to be on Linux. Maybe MacOS would be better suited for your taste if you really want to be on something unix-like instead of NT.
Bonus round: Eyes are slower than fingers, eventually you'll be wishing there were a more efficient way, an easier way than fumbling through menus to hope you stumble upon the setting you're looking for. That way is the terminal.
Bread on Penguins just posted a really great resource for newbies to understand what they're doing better. Some of it is arcane, some of it will be super helpful for you.
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.
Ignore this person OP, they're basically lost to the Void Linux, not understanding the whole world doesn't necessarily want to spend countless hours tweaking every little thing or even more hours troubleshooting. Sure I like it and have an Arch based laptop, but I'm still same enough to know that most people don't find that fun or nice &tc.
Just go with Bazzite if you want something easy to use that's hard to mess up with gaming, and use the Flatpaks. If you ever do one day feel like having a bit more control and tinker power though, I learned today Cachy is a good next step, since it's still very easy to use for gaming but is based on Arch.
::: spoiler Fedora just works. Just do fedora workstation. Get on the current version, then always trail the new version by a couple of months, just so they have time to fix bugs.
The range of Linux is enormous. It is everything from small microcontroller-ish devices to cars, routers, phones, appliances, and servers. These are the primary use cases. Desktop is a side thing.
Part of the learning curve is that no one knows the whole thing top to bottom end to end at all levels of source. Many entire careers and PhDs and entire companies exist here. You will never fully understand the thing, but that is okay, you do not need to understand it like this.
The main things are that every distro has a purpose. Every distro can be shaped into what you want.
Fundamentally, Linux as the kernel is a high level set of command line tools on top of the hardware drivers required to run on most hardware. The Linux kernel is structured so that the hardware drivers, called modules, are built into the kernel already. There is actually a configuration menu for building the kernel where you select only the modules you need for you're hardware and it builds only what you need automatically based upon your selection. This is well explained in Gentoo in tutorial form.
Gentoo is the true realm of the masters. It has tutorial documentation, but is written for people with an advanced understanding and infinite capacity to learn. The reason Gentoo is special is the Portage terminal package manager. Gentoo is made to compile the packages for your system from source and with any configuration or source code changes you would like to make. This is super complicated in practice, but if you have very specific needs or goals, Gentoo is the place to go. Arch is basically Gentoo, but in binary form for people too lazy or incapable of managing Gentoo, but where they either already have a CS degree level understanding of operating systems or they are the unwitting testers of why rsync works so well for backing up and reloading systems. It is the only place you will likely need and use backups regularly. The other thing about arch is that the wiki is a great encyclopedia of almost everything. It is only an encyclopedia. It is not tutorial or ever intended as such. Never use arch as a distro to learn on. It is possible, but you're climbing up hill backwards when far easier tutorial paths exist.
Godmode is LFS, aka Linux From Scratch. It is a massive tutorial about building everything yourself. No package maintainers for you.
Redhat is the main distro for server stuff. It is paid. The main thing it offers is zero down time kernel updates. You never need to reboot. It transitions packages in real time. Most of the actual kernel development outside of hardware peripheral driver support happens at Redhat. Fedora is upstream of Redhat. They are not directly related, but many Fedora devs are Redhat employees. Fedora informally functions kinda like a beta test bed for Redhat. Most of the Redhat tools are present or available in Fedora. This is why the goto IT career path is through Fedora using The Linux Bible. So if you want to run server type stuff or use advanced IT tools, maybe try Fedora.
Here is the thing, you do not need to use these distros. They likely are of no interest to you. All of this bla bla bla is for this simple point, distros are not branding or team sports. They are simply pathways and configurations that best handle certain use cases. The reason you need to understand the specific use case is because these are like chapters of Linux documentation. How do I configure, schedule and automatic some package? Gentoo probably has a tutorial I will find useful. How do I figure out the stuff going on prior to init? LFS will walk me through it. What is init? Arch wiki will tell me.
On the other hand, there is certain stuff to know like how Debian is for hardware modules development, and mostly unrelated to the latter, building one off custom server tools. When you see Debian like on some single board computer where no other distro is listed, that means it probably isn't worth buying or messing with. It means the hardware is likely on an orphaned kernel that will never have mainline kernel support so it won't be safe on the internet for long.
That's another thing. Most of what is relevant is keeping a system safe to be online, meaning server stuff.
OpenWRT is the goto Linux for routers and embedded hardware. You can easily fit the whole thing in well under 32 megabytes of flash. It is a pain in the ass for even a typically advanced Linux terminal user, but that is Linux with a GUI too. The toolset is hard, and has little built in documentation by default.
With very early early 1970's+ personal computers, crashing and resetting computers was a thing. Code just ran directly on the memory. The kernel is about solving the issue of code crashing everything. The kernel creates the abstractions that separate the actual hardware registers and memory from the the user space tools and software so that your code bug does not crash everything. It is a basic set of high level user space commands and structures to manage a file tree, open, edit, and run stuff. In kernel space, it is the scheduler and process management that swaps out what is running when and where for both the kernel processes and separate user processes. The kernel is not the window manager, desktop, or most of the actual software you want to run.
The other non intuitive issue many people have is sandboxing and dependencies. Not all software is maintained equally. When some software has conflicting dependencies with other software, major problems arise. How you interact with this issue is what really matters and one size does not fit all or even most. This issue is the reason the many distros actually exist. Sandboxing, in almost every context you will encounter, is about creating an independent layer location for a special package's dependencies to exist without conflicts on your base host system. It is not about clutter management or security, just package dependencies. That is the main thing that each distro's maintainers are handling. The packages native in the distro already have their dependencies managed for you; they should just work. Maybe you want to use more specific or unrelated things. Well then you need to manage them. Nix is designed especially for this in applications where you need to send your configuration sandbox to other user. Alternatively, people use an immutable base like silverblue and run all non native software from sandboxed dependency containers. :::
Crack tip number 1: The desktop environment you use is independent of the distribution. You don't have to switch to an entirely different distro if you don't like Gnome or KDE or LXDE or whatever. On 90% of distros installing another desktop environment is one command away.
Crack tip number 2: If you want to know what a command does run man command or google that. Use the arrow keys to scroll up and down /searchterm to search for a word and q to exit.
With one hand you describe your desire to explore and tinker with the inner mechanics of operating systems (or at least your desktop environment). With the other your need for an OS to work just so without your configuration.
You can't have it both ways.
Three facts which may help you if you're able to accept yourself as the limiting factor: 1. GNU/Linux freedom means, among other things, the freedom to modify. This is why distributions exist. Someone had a strong enough preference to take on the burden of constructing an alternative which met those preferences "out of the box". 2. Everything you do in any GUI is executing commands for you. 3. Everything in Linux is a file descriptor. Differing design philosophies are one of the reasons (among many) that Microsoft created the Registry for Windows. Warren Young's response to a question about this topic on Stack Exchange is nigh exhaustive and well written. This might be the lightbulb you're looking for?
My point isn't to discourage you. I think almost everyone interested in exercising their agency in computing ought to be empowered to do so. That isn't without friction and hurdles though and, at least as far as I can see, never will be.
Graphical Applications have to be built by people. Those people have to understand programming and the CLI/terminal because, again, every GUI interaction is issuing a command to the system it runs on. Not everyone knows how to do that well and those that do cannot program those applications for every concievable use-case. This is why you're often instructed to fiddle with things via commands in a terminal. No one has built a GUI tool to help you with xyz yet so users have to issue the commands directly if they want xyz.
If you want that tool to exist then you'll either have to build it yourself and share it with the world or pay someone to do that for you. This would likely be a pull request to add a feature to a program.
There is no world in which an operating system exists without a terminal, however; you might be able to help build one within which the average user never has to open one. That'd take a lot of education, hard work, and use of the terminal to accomplish and maintain.
To know what you're doing: read the manual. To take control: exercise what you learn from reading the manual.
If RTFM is too daunting a recommendation to start off with (no judgement! I get it) then start here instead: tldp.org/FAQ/Linux-FAQ/index.h…
The Linux Documentation Project predates the Arch wiki (and it shows) but that has zero bearing on its utility for beginners.
I know that "Everything is a file" means that even devices have their filename and path in Unix and Unix-like systems, and that this allows for common tools to be used on a variety of resources
Everything you do in any GUI is executing commands for you.
Those people have to understand programming and the CLI/terminal because, again, every GUI interaction is issuing a command to the system it runs on.
No one has built a GUI tool to help you with xyz yet so users have to issue the commands directly if they want xyz.
There is no world in which an operating system exists without a terminal.
There seems to be an incorrect understanding of what a terminal is doing. A terminal typically runs a "shell" program, which accepts input from the user. Some of the inputs are "commands", which are either internal (run an internal shell function) or running a binary.
An operating system can exist that has a GUI and doesn't have a terminal. A terminal is an interface just as a GUI is. (GUI vs CLI). They are not interdependant. They are simply different ways of allowing a user to interface with a computer.
Using a terminal and running "ls" not necessarily "issuing a command directly" anymore than a clicking an "ls" button in a GUI and it running some variation of system.exec("ls") is. Both simply run a binary and output the results.
Any document signed by Sleepy Joe Biden with the Autopen, which was approximately 92% of them, is hereby terminated, and of no further force or effect. The Autopen is not allowed to be used if approval is not specifically given by the President of the United States. The Radical Left Lunatics circling Biden around the beautiful Resolute Desk in the Oval Office took the Presidency away from him. I am hereby cancelling all Executive Orders, and anything else that was not directly signed by Crooked Joe Biden, because the people who operated the Autopen did so illegally. Joe Biden was not involved in the Autopen process and, if he says he was, he will be brought up on charges of perjury. Thank you for your attention to this matter!
Truth Social is America's "Big Tent" social media platform that encourages an open, free, and honest global conversation without discriminating on the basis of political ideology.
President Donald Trump suggested Thursday that the United States is preparing to take new action against alleged drug trafficking networks in Venezuela, telling service members during a Thanksgiving call that efforts for strikes on land will be starting “very soon.”
“In recent weeks, you’ve been working to deter Venezuelan drug traffickers, of which there are many. Of course, there aren’t too many coming in by sea anymore,” Trump told service members in the call.
“You probably noticed that people aren’t wanting to be delivering by sea, and we’ll be starting to stop them by land also,” the president continued. “The land is easier, but that’s going to start very soon.
Trump comments suggest he has made up his mind on a course of action in Venezuela following multiple high-level briefings and a mounting US show of force in the region earlier this month.
Trump designated Venezuelan President Nicolás Maduro and his government allies as members of a foreign terrorist organization earlier this week.
The designation of “Cartel de los Soles,” a phrase that experts say is more a description of allegedly corrupt government officials than an organized crime group, as a foreign terrorist organization will authorize Trump to impose fresh sanctions targeting Maduro’s assets and infrastructure. It doesn’t, however, explicitly authorize the use of lethal force, according to legal experts.
He really thinks the Nobel Committee is as stupid as he is. He thinks they'll believe that he has brokered all these peace deals where there hasn't been any peace at all, and won't notice that he's starting all kinds of shit with all kinds of countries, including illegal attacks on Venezuelan fishing boats.
Oh yeah, and he changed the name of the Department of DEFENSE, to the the Department of WAR. That certainly sends the wrong message.
But none of that matters to him, because he still thinks he can demand, bully, strongarm, pressure, cheat, and bribe his way to a Nobel Prize, like he's done for everything else in his life.
Son, have you ever tried to storm an enemy bunker up a hot fudge sundae hill? The sound of young boys screams as they slowly sink into burning hot fudge? Horrible..
Hoping the U.S has learned nothing from the Russian invasion of Ukraine and just start sending unprepared American soldiers into the jungle 60's-style. It would be hilarious to see.
Japanese company Science is commercially producing its Mirai Ningen Sentakuki – Human Washing Machine of the Future – after an overwhelming response at the Osaka-Kansai Expo this year. Only 50 models will be made, with a price tag of US$385,000.
US president sends envoys to Moscow with peace plan that recognises Russia’s war gains
Vladimir Putin said legal recognition of occupied regions as Russian territory is one of the key issues in negotiations over Donald Trump's peace plan Vladimir Putin and Donald Trump meet in Alaska in August 2025. Moscow says legal recognition of land it has conquered is a key issue in peace talks Credit: Andrew Caballero-Reynolds
The United States is poised to recognise Russia’s control over Crimea and other occupied Ukrainian territories to secure a deal to end the war.
The Telegraph understands that Donald Trump has sent his peace envoy Steve Witkoff and son-in-law Jared Kushner to make the direct offer to Vladimir Putin in Moscow.
The plan to recognise territory, which breaks US diplomatic convention, is likely to go ahead despite concerns among Ukraine’s European allies.
One well-placed source said: “It’s increasingly clear the Americans don’t care about the European position. They say the Europeans can do whatever they want.”
Russia’s president on Thursday said Washington’s legal recognition of Crimea and the Donetsk and Luhansk regions as Russian territory would be one of the key issues in negotiations over the US president’s peace plan.
I used to always defend the US (even before 2014) on pragmatic grounds and due to the history of the 20th century. Americans tend to be slow, but they eventually do the right thing. They've done a lot of bad, but unlike russia and China they've also had genuine successes in their foreign policy such as promoting long-term democracy and freedom in Germany, Japan, Poland, the Baltic nations.
After they recognize russia's annextion of Crimea, Lugansk and Donetsk oblasts, they are de facto on par with Nicaragua, Cuba or North Korea as far as I am concerned.
And this is not merely a matter of far right Americans, the American centre-right (both party elites and the vast majority of their supporters, albeit not all) is very much responsible too. Vast majority of centre-right Americans (I've lived there for several, and I have close centre-right friends) are too well off to support true anti-corruption measures, the type that would take down many of the oligarchs that are the nexus of chauvinistic propaganda and corruption that enabled Trump. One example from my time in the US was Obama deciding to completely avoid any anti-crime measures in the financial industry in 2008 (a unique, historical opportunity).
China recently announced plans to take Taiwan by force after a call with Trump. I keep thinking what that conversation sounded like. Not too long after, Taiwan also announced a preparation for war by 2027.
also,British : a number equal to 1 followed by 54 zeros
Ursini’s proposal asks for a mere 2^112^ addresses
Unless I'm mistaken, that would be 5192296858534827628530496329220096, or a bit more than 5 followed by 33 zeros, which is orders of magnitude different from both definitions. I wonder what this article's author is on about.
China complained to Malaysia and Cambodia about the trade deals they signed with the US last month, underscoring the delicate balance countries must strike in the rivalry between Beijing and Washington.
Both deals, signed last month during Donald Trump’s visit to Malaysia, include language that encourages the countries to align with Washington on national security issues, including export controls, investment screening and sanctions. Beijing has repeatedly warned countries against signing deals with the US that undermine its interests, but this appears to be the first instance of direct complaint.
The public criticisms demonstrate the tight space Southeast Asian nations navigate between the world’s two largest economies. China is a key economic and trade partner, but Trump’s tariff threats have forced countries to make more trade concessions and investment deals with the US.
Disclaimer: The article linked is from a single source with a single perspective. Make sure to cross-check information against multiple sources to get a comprehensive view on the situation.
Apple will reportedly refuse to comply with an order from the Indian government directing them to preinstall a state-backed security app and block users from disabling it.
The home of Andriy Yermak was searched Friday by investigators probing an alleged $100 million kickback scheme.
A top Ukrainian official at the heart of peace talks resigned on Friday after being thrust into the center of a massive corruption scandal, threatening to further weaken President Volodymyr Zelenskyy at a crucial moment in negotiations to end Russia's war.
Andriy Yermak's, Zelenskyy’s powerful chief of staff, decision to quit came hours after his home was searched early Friday by investigators with Ukraine’s National Anticorruption Bureau, the NABU, which is leading the $100 million kickback probe involving the country’s energy sector.
Zelenskyy said in a later video statement that Yermak had handed in his resignation and he was looking for his replacement. "Russia really wants Ukraine to make mistakes," he said. "There will be no mistakes on our part."
Ukrainian President Volodymyr Zelenskyy told European leaders that talks in Geneva had produced a framework for peace to discuss with President Trump, but insisted there would need to be clear evidence that “Russia is serious about ending this war of…
Obviously corruption is bad and needs to be stopped, but I am pretty sure the CIA is involed in the recent discoveries. It just seems to fit perfectly into Trumps agenda to destabilize the Ukrainian Government right now.
The US is not "discovering" the corruption, the US is creating the corruption.
Ukraine meanwhile is caught between two (self-styled and failing) superpowers through little to no fault of their own, and that is obviously not a great place to be.
lol do you seriously think corrupt ukrainian officials wouldn't be corrupt if it wasn't for the US? And place some respect on anti-corruption institutions and the people who came out in support of them when they were at risk of being gutted.
Yeah, Ukraine was part of Russia for like 200 years, and had the same culture of embezzlement and graft. It takes a long time to unlearn that, but they've been working hard at it (as evidenced by this anti-corruption agency)
Indeed. Although it's painful to see these things happening at such crucial junctures to such crucial individuals, overall it's a good thing that corruption is being rooted out. The process of rooting out corruption will of course expose a bunch of corruption in the process, but better that it be exposed than to let it continue to fester.
It would have been lovely to flip a magical switch the moment Ukraine left Russia's orbit that made corruption go away, but that switch doesn't exist. Corruption probes and prosecutions are what will cause the change to happen.
Won't be long before we find out Zelensky was enriching himself off money intended for the war effort, just like the Karzais and Husseins of the world before him.
The latest Windows 11 update has some good news and bad news. On one hand, Microsoft greatly improved dark mode in File Explorer, and on the other hand, it made it significantly worse.
For those of you that use docker, how do you make sure your docker-compose.yml (and possibly .env) files stay current with the project’s ongoing updates? I’m sure there’s an easier way than what I’m doing which is manually getting the latest ones and chec
For those of you that use docker, how do you make sure your docker-compose.yml (and possibly .env) files stay current with the project's ongoing updates? I'm sure there's an easier way than what I'm doing which is manually getting the latest ones and checking the diffs in vscodium. And I'm sure some git magic already takes care of this but I've been slow in learning git beyond the VERY basics. Thanks!
I have automatic updates through a watchtower fork, so I just leave it alone until it breaks, then I go to the project site to see what changed. This has happened maybe twice in the last couple years.
I use a watchtower fork as well to keep some containers updated but I'm curious how others keep on top of docker-compose.yml files that the project updates over time. As an example, I've been using a container for years and noticed today that on the github page they've added a section in the compose file for a health check. I never would've known that was added if I didn't stumble upon it due to another issue.
Easy, reliable backups are key. I've used komodo with automatic updates for over a year and watchtower before that for a couple more. I've only had one issue when Nginx Proxy Manager had a release that deleted all of its own data. Didn't take long to realize that the services were still up and what the problem was. Restored the missing data from Proxmox backups, pinned the Nginx version for a while, then turned auto update on again. I'll stick to this until checking updates is less work than fixing the occasional problem
Just a few days ago, my docker host upgraded the docker engine from 28 to 29. Woke up to 10 notifications from my uptime monitoring that they are offline.
Funny thing is: The external monitor showed they are down. The internal monitor showed no issues.
But after I went through with the long procrastinated upgrade from debian 11 to debian 13, migrating the data and doing nothing to the compose files, all services worked without any issue. I don't know what my old host did or did not but now it works, I guess? Not complaining but the whole routing thing is a bit beyond me
I don't want to use automatic updates on self hosted projects but I subscribe on github / gitlab releases in my rss reader (FreshRSS) and update when I want to!
If you also use FreshRSS, you can configure filters to automatically mark new articles as read (e.g. intitle:'beta'). Since I only view unread articles, that effectively deletes them and I never have to see them!
I cannot recall a single self-hosted software documentation that mentions how to keep the docker config file up to date. Why bother wasting 5 seconds writing such an unhelpful comment
PLENTY of projects make tiny non-breaking changes to the compose files without any mention that users should update the file. For example, adding a section for a container health check. While these can be no big deal for a while over time they can add up to major changes in the config that users may not catch if they are not comparing yml files.
This is the kind of attitude that drives people away from open source.
Yes, people should read the manual, but at some point they will have questions, and there are a lot of projects that aren't clear on certain things. Such as YAML changes.
Other than keeping an eye on their changelog or waiting until it breaks, I don't think you can do anything about that. I do have automatic update, but the config rarely changes from my experience.
Good projects will have docs associated with the docker/docker compose files.
The way we do it is, any update to the .yaml files will have a corresponding .yaml.Dev associated with it. That way it won't be overwritten when an update occurs as well as give a recommended setup.
Basically I run Komodo, which pulls a git repo. Renovate opens a PR (and most of the time the changelog is included, so I can quickly check what happened) for new versions. Once merged a webhook fires to tell Komodo to pull the new version.
I really recommend this approach now. Once setup it is very automatic, but not to the point of YOLO-automation like Watchtower and :latest 😅
In this guide I will go over how to automatically search for and be notified of updates for container images every night using Renovate, apply those updates by merging pull requests for them in Gitea, and automatically redeploy the updated containers…
when you choose to update, PatchPanda edits compose/.env files and runs docker compose pull and docker compose up -d for the target stack. You can also view live log.
I too saw PatchPanda on selfh.st and it is on my watch list. The only thing holding me back is that it isn't out of beta yet. So, I'm waiting on other selfhosters to plow that field before I deploy. It does look like it would solve a lot of problems tho.
I don't pay any mind to example compose files. My are all quite custom anyway. Only thing that matters is paying attention to changelogs and watching for breaking changes.
Same here. Read deployment documentation, configure compose to my standards, deploy, update where necessary to align with the update (e.g. remove an environment variable.
The editing is done on my PC, then I open WinSCP or ssh into it (depending on my mood and amount of changes) and then apply the changes
Probably a tad overkill honestly but it works amazingly well, and turns every potential upgrade into an approval process so nothing will update when you don't want it to.
In this guide I will go over how to automatically search for and be notified of updates for container images every night using Renovate, apply those updates by merging pull requests for them in Gitea, and automatically redeploy the updated containers…
Discover the new human washing machine, a unique wellness technology from Japan that cleans your body and soul while monitoring vital signs. Read more at straitstimes.com.
A hotel in Osaka bought the first machine and is preparing to offer the service to hotel guests, the spokeswoman said.
Other customers include Yamada Denki, a major consumer electronics retail chain in Japan, which hopes the machine will draw people to visit its outlets, she said.
“Because part of the appeal of this machine is rarity, we plan to produce only about 50 units,” Ms Maekura said.
yes but in a shower your only contact with a surface is the sole of your feet, easily covered with flip flops (this is why I said gravity was my friend)
In this you are literally seating naked where someone else sat naked. I am sure they'll sanitize it but I just would hate it.
I am certain the end game for this one is to assist people with disabilities or the elderly though which is certainly more dignified than being washed like a dog at the groomers
Was anyone else tripped up by the picture shown in that article? To me it looks as though it's a miniature version of the device, but I can't quite put my finger on why that is.
I'm not so sure... I could see a huge legitimate price range depending on its features, speed, and effectiveness. Consider the engineering difference between Billy-Bob's "it squirts you with a hose" versus something that would clean even the body-surfacr you are reating on, and wash your face & eyelids without getting water in your nose & eyes.
Whole it could provide some premium features (I'm imagining more like massage type features), the equivalent of 400 thousand USD seems near impossible to see that much value. Maybe 40 thousand for a luxury item for rich people could work more.
It's just a limited run publicity stunt that will be forgotten within a few weeks.
Ah, so this is the human washing machine that went on sale in Japan! It's quite interesting to see how technology has advanced to the point where it can wash our bodies as well as our clothes. However, I do wonder about the safety and hygiene aspects of this device. Wouldn't it be risky for the users' health if the machine isn't properly sanitized between uses? Also, what happens if someone gets claustrophobic while being inside the pod? That could lead to some unpleasant situations.
Ehm.... So they reinvented the bathtub, with a lid and music? So they made single piece design which couldn't break down into a tech heavy smart device prone to errors and breaking down? OK 🤷
Thing looks like a suicide pod, and drowning is one of my biggest fears. This thing also costs about as much as my house I'm still paying off. I am not the target demographic for this.
The Bristol Cable has launched a mobile app that bundles their journalism with the fediverse in a single app. It’s built in partnership with the Newsmast Foundation and available to members from £1/month. While their journalistic articles remain free, The Bristol Cable sees the social fediverse integration as the premium additonal option. The app consists of three layers: a home screen with news articles by the Bristol Cable, a dedicated member space for connecting with journalists and other supporters, and curated channels that pull in content on themes like climate change, linking Bristol’s local work to wider discussions. The app functions as a fediverse server, with the dedicated member space functioning as a local-only posting place, and the curated channels as a way to connect with the rest of the fediverse network, via Newsmasts’ channel.org network.
WebSocialBR is the first fediverse event that will be held in Brazil, on December 3rd in Brasília. The event wants to “bring together community administrators, managers, parliamentarians, researchers, and communicators to exchange experiences and strengthen decentralized networks in the country”. The event draws backing from Brazil’s Internet Steering Committee (CGI.br), the Ministry of Science, Technology and Innovation, and FediForum. ActivityPub co-creator Evan Prodromou and FediForum co-founder Johannes Ernst will participate virtually. WebSocialBR is organisated by Alquimídia, who has been coordinating Brazilian instances on age-restriction legislation and pushing for a “.social.br” domain category for federated networks.
Bonfire talks more about their platform and crowdfunding, by writing about their Mutal Aid stretch goal for the project. Bonfire also talks more about what the project is, and how it is “plural by design”. The opening sentence points is a clear statement by the project: “Bonfire is difficult to pin down with a single definition, and that’s a feature, not a bug.” The article then lists various features of the project, such as how it’s extensible, and that it’s a framework for building community platforms. Bonfire even quotes some people saying that they’re interested in the project, but find it confusing as to what it actually is. Bonfire has chosen for the approach that they do not want to run a flagship server for Bonfire Social. That however is now leading to the situation where there are no people running a Bonfire server in production for a community yet, making it hard to demonstrate in practice what Bonfire Social actually looks like. This poses a challenge for their crowdfunding effort. When potential backers try to understand what they’re funding, they encounter a platform that exists primarily as possibility rather than demonstration. The project’s own article quotes would-be supporters expressing this confusion directly: “I do wish they could get a little better at communicating what exactly their project is though, it took a hot minute, reading, and also asking folks on lemmy to try and figure out kinda-sorta-vaguely what they’re building…” Another notes, “I wish them the best, but I think they really need to work on their sales pitch. It’s hard to tell what it is.”Without a clear accessible demonstration of how Bonfire can operate in practice, it is a hard pitch to ask backers to fund an abstract framework based on its potential applications.
I usually don’t write about Threads, but this caught my eye: The latest PewResearch study on social media usage by Americans find that 8% of adult Americans have ever used Threads. This is in contrast with 21% of adults for X, and 4% for Bluesky, with Mastodon not measured. Meanwhile, Threads claimed a few months ago to have over 400M monthly active users, and another study from this summer found that Threads and X have almost the same number of daily app users (115M vs 130M). I’m really not sure what’s going on with these numbers: 8% of American adults is around 21M people who say they have ever used Threads. This leaves at least 380M monthly active users that are not in the US, but it is unclear where they are located. It seems that Europe also does not have a large number of Threads users, as the app launched much later on the continent. The most likely explanation seems to me that Threads aggressively counts people who use Instagram and get shown a Threads post on Instagram as a user of Threads, which would go a long way towards explaining both why the user numbers for Threads are so large while also explaining why so few people actually know about Threads.
FOSDEM has the Social Web Devroom about ActivityPub, hosted by the Social Web Foundation, and the deadline to submit talks is December 1st. There is still space for more talks to be hosted, so consider submitting a talk if you’re going to FOSDEM!
In This Issue
* A Note From The Editor
* Technical Updates
* Owncasts For Roku Updated
* Features
* Kit On Fireside Fedi
* Featured Streamer: Fireside Fedi
* Closing Remarks
A Note From The Editor
Did you miss me? This July-November …
YouTube Recap features a set of up to 12 different cards that highlight a user's top channels, interests, the evolution of their viewing habits, and which personality type they fall into based on the videos they loved to watch.
VodkaSolution
in reply to TrippyFocus • • •Possibly in a Cavs jersey, as the first Italian to play for Cleveland. As an Italian Cavs fan, maybe the first one, it would have been great. Good luck for your next chapter Danilo!
VodkaSolution
in reply to TrippyFocus • • •Danilo Gallinari on Instagram: "Today, with a heart full of gratitude, I am announcing my retirement from a career I’ve always dreamed of. A career built through hard work, sacrifice, victories, defeats, teammates who became brothers, guidance from my co
Instagram