If the FSF calls your program malware, is that a sign that you've made it?
@cadey wait.... seriously?
@cadey oh shit.. I found it.. wild 🙃
@karolherbst @cadey link me, I need a good laugh
Our small team vs millions of bots — Free Software Foundation — Working together for free software

@natanbc
That took a turn lol
@thephd

@ozzelot @natanbc @thephd
"We're under attack by botnets and LLMs"
"We're under attack by botnets and LLMs"
"We're under attack by botnets and LLMs"
"We're under attack by botnets and LLMs and CI tests"
"This popular botnet and LLM blocker is malware"
"Donate now!"

Perfect, no notes.

@groxx
Seriously how does the fsf have any donors left at all
@natanbc @thephd
@ozzelot @groxx @natanbc @thephd Considering how 80% of the screen real estate is donation requests, they are definitely running out
@groxx @ozzelot @natanbc @thephd

You forgot: the blocker is _literally and completely and no tricks or complication_ Free Software
@groxx @ozzelot @natanbc @thephd “please give us money to fund the lifestyle to which Richard has become accustomed”
@rodgerd @groxx @natanbc @thephd At this point we'd do well to just call him Dick.
@natanbc @thephd calling the computation Anubis asks you to do “useless” when it’s what’s protecting your site is a big leap in logic lol

@reykjalin @natanbc @thephd

I mean…they’re technically correct, but morally off the mark on this one.

@natanbc @thephd I’m sorry, what? Is every proof-of-work system malware in their eyes? Do they not have something similar on their mail servers or do they just drown in spam requests?

@c0dec0dec0de @natanbc @thephd I honestly think "yes", it seems to be pretty strongly implying that [any undesired computation on your hardware is malware].

Obviously we should do nothing about the other vastly more problematic malware (botnets, LLMs, and yolo CI-like automations), but a privacy-preserving and vastly less annoying¹ user-side malware is unacceptable. Allowing blatantly malicious botnets to run rampant is simply the cost of also serving humans without user-side calculations.

¹: compared to requiring logins, or handing all your *and their* data over to cloudflare and google or whoever for ddos protection or captchas.

@groxx @c0dec0dec0de @natanbc @thephd ??? Other people having guns doesn't make *your* gun less gun. Also, the pope can't have sex but also needs you to have sex. That's where Christians come from.

@bakuninboys @c0dec0dec0de @natanbc @thephd it's a defensible, consistent stance, yeah.

though I do think it's odd that they don't label the botnet traffic as similarly "undesirable computation" imposed on their hardware. they should probably not be running that computation.

@groxx @c0dec0dec0de @natanbc @thephd isn't the whole post about what to do about the undesirable computation? I was miffed when the FSF were taking a stance to protect GCC against clang (IIRC), because it wasn't a principled position, so I can't be upset here. It's always frustrating because a principled position is nearly always a coin toss falling on an edge. But when it's not, it really matters.

@bakuninboys @c0dec0dec0de @natanbc @thephd largely true, yeah. but they're edging into "the only ethical option is to shut down our servers, so we stop violating the rules we expect others to follow (run no undesired computation)" territory with such a hard-line approach.

but they probably won't do that, because it's not a hard line that you never cross. it's a tradeoff. the DDoS is not "undesired computation" because running it is necessary to serve their real audience (humans).
and the same claim can be made for anubis. users can reject the cost trivially: disable javascript, and leave sites where it's required. otherwise it's not undesired, it's necessary to serve the audience (them).

extreme stances often devolve into ridiculous conclusions like that. it doesn't mean they're *directionally* wrong, but it does tend to mean that they can't be perfect, and once you accept that you can discuss where you draw the line to actually do something useful.

@groxx @c0dec0dec0de @natanbc @thephd "principled stances yield frustrating positions" and "extreme stances devolve into ridiculous conclusions" are really two ways of saying the same thing. What I'm saying is you need the extreme stance as the other end of the wedge to allow you to make practical changes. Otherwise the other side just keeps on getting away with their own extreme stances.
@groxx @bakuninboys @natanbc @thephd it’s consistent, but — I don’t know — so what? And, technically when unmoored from the reality of what Anubis is used for, Anubis payload is a denial-of-service — but there is a reality here that they’re very aware of that is the whole ‘net being DDoSed by LLM scrapers and that Anubis balances the inconvenience to not be overly burdensome to the typical client!
So, sure, in the abstract, replying to a request with proof-of-work isn’t ideal and in a perfect world no one would do it — but we live in hell and we make fucking do the best we can. How blinkered do you have to be to not recognize that?!
@c0dec0dec0de @groxx @natanbc @thephd consider that Bhagat Singh and Gandhi were on the same team, though they cannot acknowledge each other. Maybe both were needed to succeed.
@c0dec0dec0de @natanbc @thephd to make a separate thread: is hashcash actually a viable option for email now? it seems like a very reasonable option and I have been sad for a long time that it didn't take over.
@c0dec0dec0de @natanbc @thephd Yeah I'm with them on this one. I don't want a client wasting my server's resources (impolite crawlers) and I don't want a server wasting my client's resources either.
@natanbc @thephd What a joke it is to deride free software that solves a practical problem, and then not suggest an alternative.
@cwg1231 @natanbc @thephd they do offer an implied solution. Just have sysadmins on hand to manage the DDoS.
@nob0dy @cwg1231 @natanbc @thephd the solution is - don't serve any information that anybody would give enough of a shit about to scrape.
@natanbc @thephd I mean the statement “[…] savannah.gnu.org are up with normal response times at the moment […]” is kinda true, by the standard that savannah is always slow af
@thephd @karolherbst @cadey I also wish to see

@dotstdy @zkat @thephd @karolherbst @cadey imagine using the term "malware" on a blog post about LLMs and it's not referring to the LLM scrapers DDOSing them.

@aud @cadey @karolherbst @thephd @dotstdy oh my god they are aligning their argument with “cryptography is also malware”

Literally their argument is “making my cpu do expensive things in exchange for what I want evil” aka “PBKDF2 and Argon are malware”

I’m screaming

@zkat @aud @cadey @thephd @dotstdy a TLS handshake is also malware, because instead of just giving me the page, the page provider literally forces me to do some pointless math problem.

What double standards of the FSF, they should just ship http and disable https entirely!

@karolherbst @zkat @aud @thephd @dotstdy don't tell them I'm looking at JA4 fingerprinting then lol
@cadey @karolherbst @zkat @aud @thephd @dotstdy They would shit on it lmao, tho seriously given that you should be more careful on this one because I noticed that some Bluesky and Fedi folks would go batshit for things like AI or fingerprinting and telemetry and such, even when the nature of such thing isn't abusive unlike the other implementations and they aren't gonna check or learn about it. Hell, that's how even the whole VLC local "AI" subtitle debacle thing exists in the first place.
@karolherbst @zkat @aud @cadey @thephd @dotstdy
Dependencies are also malware because I only asked to install the top level package!

@zkat @aud @cadey @karolherbst @thephd @dotstdy Anubis tends to be fine and fairly considerate not to bother humans in my experience but I've seen other PoW CAPTCHAs (Friendly Captcha) just make websites completely unusable on my phone.

Multiple minutes to complete the challenge. Challenge is reset when you switch tab or background the browser. Challenge is repeated when you load the page again.

@aud @zkat well that was a wild read.
@dotstdy @zkat @karolherbst @cadey kudos to their small team but I was just talking about this the other day. crazy they pop out an article a few days later that shows how viciously they double-down on poor choices out of fear and purity that has no material or tangible aid to the real world, or even for their own damn workers who should be playing defense against the real threat actors and not the LLM bots.
@thephd @dotstdy @zkat @cadey it's basically virtue signalling and somehow it feels like that's all the FSF is doing these days.
@thephd @zkat @karolherbst @cadey in this case the core notable divergence from the usual bullshit is that the thing they're criticising is free software! I feel it's usually pretty hard to get the fsf to say anything bad about genuine home grown all American organic free software.
@thephd @zkat @karolherbst @cadey but yeah 100% agree on the general point there, the fsf is a puritanism movement and isn't really concerned with anything else. Kinda sad I suppose, but it's such a lost cause at this stage I mostly just find it funny.
@thephd @dotstdy @zkat @karolherbst @cadey ffs, I've gotten into this debate with FSF-zealots before, about browser-based PoW specifically. The argument ended up devolving into "javascript is fundamentally malware because you don't get to choose what code is being executed" countered with "how is HTML and CSS any different? you can do arbitrary calculations with CSS as well"
I feel bad for anybody that deeply embedded into "software purity" ideology that they think it's more freeing to browse the net without stylesheets

@astraleureka @thephd @dotstdy @karolherbst @cadey the FSF is a pathetic parody of itself

It’s as if the NYT got bought out by the Onion

@zkat @astraleureka @thephd @dotstdy @karolherbst @cadey But that would actually be fun, vs this circus.
@astraleureka @thephd @zkat @cadey @dotstdy @karolherbst it's nice to not depend on JavaScript but like. LLM abuse is so hard to deal with that I really can't blame people for using a solution like that. The FSF as usual missing the point and blaming the small resourced side (users/admins) for the problems created by the big resourced side (LLMs)
@karolherbst @zkat @thephd @cadey @dotstdy @astraleureka that's good and all but it's still somewhat sad to lose being able to do low rate curls. That being said it's better than nothing

@karolherbst @Lunaphied @astraleureka @thephd @zkat @dotstdy With the following caveats:

  • Enforce the challenge being served over HTTPS
  • Only show a challenge if the client supports gzip encoding (reject the client and tell them to ensure their browser is up to date otherwise)
  • Set a cookie with a UUID to act as the challenge ID
  • Serve the challenge over gzip level 1 (negligible impact on CPU)
  • Ensure the cookie is and points to the same challenge string when the challenge is validated

I'm working on an implementation for the paid version that has a bank of every single method you can use to cause a browser to request files from a server and presents the client 8 of them and if n pass the client gets through.

@cadey @Lunaphied @astraleureka @thephd @zkat @dotstdy yeah sure, I'm just surprised that this is enough to get crawlers fail this, because that feels a bit too basic... unless those crawlers disable compression support which would be.... wild?
@karolherbst @Lunaphied @astraleureka @thephd @zkat @dotstdy You would not believe how bad standard library HTTP clients are for most programming languages
@cadey @karolherbst @Lunaphied @astraleureka @thephd @zkat @dotstdy I wish I knew which HTTP client is folding mixed case URLs on our website to lower case, but at least they're easy to block.
@cadey @karolherbst @Lunaphied @astraleureka @thephd @zkat @dotstdy That may be more concerning for me, because yeah, HTTP and other web standards are now too complex for many people to grasp, and I'm learning to be a web dev and in some cases many apps I and many others may need to use these libraries or other libraries based on them.
@astraleureka @thephd @dotstdy @zkat @karolherbst @cadey it's the exact same batshit mindset that brings you incredibly well thought-out threat models like "I think the NSA backdoored Intel ME so I run a 20 year old thinkpad with libreboot".
@gsuberland @astraleureka @thephd @dotstdy @zkat @karolherbst @cadey
The FSF people hate libreboot though. They got so mad about the blobs needed for network cards to work that they tried to do a hostile takeover of the project.
Now Leah maintains a functionally useless soft-fork called canoeboot basically just to keep the fsf people from harassing them.
@thephd @dotstdy @zkat @karolherbst @cadey the FSF: where you give up any and all tangible freedoms in exchange for whichever abstract freedoms some bloke with a beard decided was important this week.