Emmanuele BassiJul 7
I've said it before, but I have to say it again: my days of not taking the FSF seriously are certainly coming to a middle
Show threadCarlos Solís
If there was a way to run the required calculation straight from the HTTPS handshake protocol though, I'd say go for it
Jul 8 at 3:17amWeb
×
Emmanuele BassiJul 7
I've said it before, but I have to say it again: my days of not taking the FSF seriously are certainly coming to a middle
Show threadEmmanuele BassiJul 7
The amount of pretzeling logic in that paragraph is staggering; I'm surprised the entire page didn't collapse under its own weight straight into a singularity
Show threadEmmanuele BassiJul 7

"The calculations are the same kind of calculations done by crypto-currency mining programs"—so it's TLS, used by your web server.

"A program which does calculations that user does not want done is a form of malware"—I assume the FSF is switching to bare HTTP or Gopher, then, because I certainly didn't ask my web browser to use encryption to read that bunch of crap.

"Proprietary software is often malware"—where the hell does that sentence come from?

Show threadEmmanuele BassiJul 7

"if we used Anubis, we would be pressuring users into running malware"—once again, where is that coming from?

1. Anubis is using computations
2. Other bad software is using similar computations
3. Proprietary software is bad
4. Some proprietary software is malware
5. Anubis is malware

This whole thing is intellectually bankrupt

Show threadEmmanuele BassiJul 7
I mean, the FSF is a morally bankrupt organisation without a reason to exist outside the maintenance of the quality of life that RMS is accustomed to, but I half expected obsessive rule lawyers with nothing better to do to *at least* get syllogisms right
Show threadDavid Fleetwood - RG AdminJul 7

@ebassi So long as RMS is involved I can't take it seriously. Sex pests need to be excised.

Also I haven't a clue what Anubis is.

Show threadMarcin SJ Jul 7
@reflex It's an anti-spam filter, used for example by the GNOME GitLab instance:
https://anubis.techaro.lol/
Anubis: Web AI Firewall Utility | Anubis

Weigh the soul of incoming HTTP requests to protect your website!

Show threadDavid Fleetwood - RG AdminJul 7
@manualcookie Oh my lord the FSF is nuts.
Show threadǝʌɐpJul 7
@ebassi heaven forbid we do some computations to make things a little less bad
Show threadrose Jul 7

@ebassi not to defend the FSF, or the argument they're trying to make here (i use anubis myself), but anubis does use proof of work, which is indeed the same algorithm used by many cryptocurrencies. i don't think it's really fair to say that TLS is basically the same as anubis.

i think this speficially is a fair critique of anubis, not for the reasons that the FSF is suggesting, but because ideally we shouldn't be fighting wasteful, irresponsible usage of compute by requiring more wasteful compute from real clients. but unfortunately it's the best solution there is right now

Show threadElias MårtensonJul 7
@ebassi I'm not agreeing with them, but they have a very wide definition of malware. In fact, I'm not sure how their definition excludes any proprietary software at all.
Show threadLeafletJul 7

@loke @ebassi

They don’t consider preincluded microcode and firmware to be unacceptable. However, updating the microcode and firmware is unacceptable.

So they would rather you use old proprietary firmware rather than new proprietary firmware.

Show threadAGRO TURBO SATAN 🇺🇦🇨🇿👃💨Jul 7

@ebassi > "Proprietary software is often malware"—where the hell does that sentence come from?

possibly things like the most popular proprietary document reader stealing every document you open?

Show threadflere-imsaho 🇺🇦Jul 7
@lkundrak @ebassi which is not relevant in case of anubis, like, at all.
Show threadEmmanuele BassiJul 7
@lkundrak content aside, which still doesn’t apply but whatever, it’s the non sequitur that makes me wonder what on earth is that about
Show threadElias MårtensonJul 7
@ebassi @lkundrak if you read the statement, removing the word 'often'n it makes sense. It's not correct, but it at least becomes a statement that makes sense and can be refuted.
Show threadAGRO TURBO SATAN 🇺🇦🇨🇿👃💨Jul 7
@loke @ebassi the statement is indeed out of place, but given how prevalent stealing data from the proprietary apps got, it's sort of easy to prove right as it is, isn't it?
Show threadint*dmi;*dmi=0Jul 7

@ebassi their point (which i don’t agree with fully) was that PoW is also used for cryptocurrency. TLS computes a hash, but not necessarily a million of them from each other.

however, the rest of their argumentation is properly insane and devoid of any logic. which is not surprising coming from FSF

Show threadMaRIa_MaJJul 7
@ebassi oh boy 🙄...
Show threadPhilJul 7
@ebassi yeah nah, that statement makes just about no sense from them.
I highly appreciate the dev for what they contributed and the FSF Takes the time out of their day to accuse them of developing "near" proprietary software for bs reasons? That feels so disrespectful
Show threadbenJul 7
@ebassi “even though it’s free software, it’s far too similar to proprietary software to be acceptable” is a weird stance from an organisation which was effectively founded to do free-software reimplementations of proprietary software.
Show threadhalva Jul 7
@ebassi i think i just had an aneurysm reading that
Show threadAutumn (Fopbreaking /srs)Jul 7
@ebassi "uses the same algorithms as crypto" by that logic, the interner is bad because it uses stuff made by the US military
Show threadRoss BurtonJul 7
@ebassi HAHAHAHAHA oh god
Show threadEmmanuele BassiJul 7
@ross somebody spent actual time typing that. The mind boggles.
Show threadGary "grim" KramlichJul 7

@ebassi If I may utter a common phrase to the FSF.. Patches Welcome! 🤣

All things aside, until the FSF actually does something to fight AI bots that is aligned with their stated ethics they can just STFU.

Show threadJeder  Jul 7
@ebassi average fsf moralising paragraph
Show threadEfi (nap pet) 🦊💤Jul 7
@ebassi a human wrote that??!?
Show threadLisPiJul 7
@ebassi @Seirdy Mandating Javascript on a site is an undue trust requirement.

Even with a Free license there is no guarantee it is benign and no particular reason to risk it.
Show thread Tired Bunny  Jul 7
@lispi314 @ebassi @Seirdy

That way it makes sense.

- Anubis requires JS
- JS is a security risk for a lot of reasons

FSF post was looking more like throwing every plausible and made up reason together to justify hating on that particular piece of software...
Show threadLisPiJul 7
@untsuki @ebassi @Seirdy They would have been better off just claiming it is actively disrespectful of the user and their resources in nearly the same way that JS webworker miners are.

Because even if it were to be verifiably benign, the above remains.
Show threadSeirdyJul 7

@untsuki @ebassi @lispi314 yeah “we would be pressuring users into running malware” was like. wow.

i agree that forcing JS is a really awful solution but unless there’s a Web standard for remote-JS-free anti-LLM measures with comparable efficacy, I don’t see any good alternatives.

Show threaderi Jul 7
@Seirdy@pleroma.envs.net @ebassi @lispi314@udongein.xyz @untsuki@udongein.xyz go-away includes a bunch of js-free challenges, which only trigger if you are on a browser UA
Show threadSeirdyJul 7
@untsuki @ebassi @lispi314 perhaps a standalone tool to hash an input string provided by the site could work, with custom difficulty levels. submit the result via POST if JS is turned off.
Show threadm04Jul 7
@Seirdy @ebassi @lispi314 @untsuki i remember seeing that anubis actually has a no-js mode that uses meta refresh tags, but i'm not sure how effective it is
Show threaddelta  Jul 9
@Seirdy@pleroma.envs.net @ebassi @lispi314@udongein.xyz @untsuki@udongein.xyz i thought about it a little on and off, and i kinda wonder if instead of relying on cookies or w/e to present that it has a pass, what if the server instead kept a TTL database of currently allowed IPs, where you could then run the challenge from anything on your network (including a cli tool if you wanted) and have that access pass apply to everything else under the same IP

and then once its done it requires nothing from whatever browser or application is accessing it for however long the pass lasts, not even a cookie or auth token
Show threadSeirdyJul 9
@delta @ebassi @untsuki @lispi314 scrapers with rotating IPs shared with robots (or users!) you actually want make this difficult. you’d need more data, at which point you’ve reinvented services like Cloudflare.
Show threadWolf480plJul 7

@Seirdy @ebassi @lispi314 @untsuki

I'd go a step further:

Any software that does proof-of-work on the user's computer, that you run on that user's computer without the user's consent, is malware.

Now, if the user had to manually run proof-of-work software on their choice, then it'd probably not be malware anymore, just a nuisance.

Show threadkhmJul 7
we don't need standards for this, we need common sense.

there's no compelling reason to put compute-heavy repository views bare-assed on the internet.

require login for compute-heavy views. ban accounts that abuse access. mercilessly rate-limit unauthenticated access. problem solved forever

CC: @ebassi@mastodon.social @lispi314@udongein.xyz @untsuki@udongein.xyz
Show threadoutsidecontext 🇺🇦🕊️Jul 7
@khm @Seirdy @ebassi @lispi314 @untsuki Requiring an account to access this site is I think even more limiting to users than running something like Anubis.
Show threadOwOdayJul 7
@untsuki @ebassi @Seirdy @lispi314 they certainly make it sound like someone is using it to mine crypto or something, which doesnt seem to be the case. its ridiculously sad as a culture we need to do artificial workloads to defend against ai scapers. I wish there was some layer of the web that worked for the users and could help protect from this kind of thing without the wasted cycles from anubis--or maybe we just put folding @ home in anubis and fund protein folding at metas $
Show threadLisPiJul 8
@OwOday @Seirdy @ebassi @untsuki For a lot of use-cases a mix of distributed and p2p schemas (particularly with peer reputation mechanisms) would answer the problem appropriately.

For the rest the main options remaining are aggressive rate-limiting and authentication & authorization.

In a lot of cases, abandonning low-latency/synchronous interaction models would help both reducing the load on endpoints as well as perceived latency & functional limitation by users (message-based remote interaction with focus on local user-agent interaction instead of low-latency bytestreams with a remote endpoint, for example).
Show threadgrillchenJul 8
@lispi314 @ebassi @Seirdy i understand where they are coming from. you request a http site, you get a javascript thingie wasting your cpu time.

properietary software is pretty much always malware from the perspective of free software enjoyers.

anubis is a radical answer to a huge problem but to my understanding also heavily overrated. (see this thread for alternative approaches)
Show threadLeaf EriksenJul 7
@ebassi I wish the fsf would stay off the internet and just focus on building emacs, gcc and coreutils. they never have anything smart to say about anything.
Show threadarihi   Jul 7
@ebassi basically all users would agree that tls is a good thing and actively seek out having a tls connection to websites, it's beneficial. many users (myself included) don't like that if i want to for example view a git diff through a web interface or view an html website i must run a script whose sole purpose is to waste the user's resources.
i don't see any users who would actively want their browsers to run such scripts or benefit from it, they either allow and accept it because they're forced to if they want to continue or they leave the website.

with how focused the fsf is on user freedoms i expected them not to support this kind of thing.
Show threadCarlos SolísJul 8
If there was a way to run the required calculation straight from the HTTPS handshake protocol though, I'd say go for it