th3raid0r

@th3raid0r@tucson.social
10 Posts – 122 Comments
Joined 1 year ago

One foot planted in "Yeehaw!" the other in "yuppie".

Eh, but then he won't learn anything. I've never found that response acceptable. It just perpetuates the problem. To each their own though!

This article is ancient. We have more recent elections to go off of.

And according to basically everything I can find, "Moms For Liberty" and related groups suffered major losses basically everywhere the last cycle.

I'm not at all suggesting to not worry, after all, it's worry that got us to ensure they didn't win. But I am suggesting that your information is very out of date and that you should do a better job of finding recent points to support your claim.

Also, I think this is off topic for this community and seems far more like political bait as some have pointed out.

I'm a DevOps/SysOps/SecOps engineer - have been for over a decade now. Even if I CAN do all the things listed, it takes time to do it. It takes time to configure your networking layer, especially when documentation of the underlying app is in flux and never 100% correct. It takes time to secure your server, especially when the "prod" configuration in the repo isn't really that secure at all.

Folks saying to just "code it myself" - sure, let me stop doing my day job and start planning on this completely unpaid enhancement. Let me tell my wife - "Sorry babe, gotta prove this internet person wrong and it must be today - can't go to board game night with you". I mean, I'll actually likely end up coding it myself, but when I can. Not when the trolls who say "Oh, come on, it'll be EZ" - yeah, I know better than that.

Folks just say to "Use other solutions" - Great! I already budgeted 150/month of my own money. Oh wait, that doesn't matter much when I have to worry about instances that can't spend that type of scratch.


On a technical level, user count matters less than the user count and comment count of the instances you subscribe to. Too many subscriptions can overwhelm smaller instances and saturate a network from the perspective of Packets Per Second and your ISP's routing capacity - not to mention your router. Additionally, most ISPs block traffic going to your house on Port 80 - so you'd likely need to put it behind a Cloudflare tunnel for anything resembling reliability. Your ISP may be different and it's always worth asking what restrictions they have on self-hosted services (non-business use-cases specifically). Otherwise going with your ISP's business plan is likely a must. Outside of that, yes, you'll need a beefy router or switch (or multiple) to handle the constant packets coming into your network.

Then there's a security aspect. What happens if your site is breached in a way that an attacker gains remote execution? Did you make sure to isolate this network from the rest of your devices? If not, you're in for a world of hurt.

These are all issues that are mitigated and easier to navigate on a VPS or cloud provider.

As for the non-technical issues:

There's also the problem of moderation. What I mean by that is that, as a server owner, you WILL end up needing to quarantine, report, and submit illegal images to the authorities. Even if you use a whitelist of only the most respectable instances. It might not happen soon, but it's only a matter of time before your instance happens to be subscribed to a popular external community while it gets a nasty attack, leaving you to deal with a stressful cleanup.

When you run this on a homelab on consumer hardware, it's easier for certain government entities to claim that you were not performing your due diligence and may even be complicit in the content's proliferation. Now, of course, proving such a thing is always the crux, but in my view I'd rather have my site running on things that look as official as possible. The closer it resembles what an actual business might do, the better I think I'd fare under a more targeted attack - from a legal/compliance standpoint.


Personally, I find it reasonably amusing that defending an open source, arguably collectivist project requires appeals to individualism.

"You can build it", "Just defederate", "It's the instance owner's responsibility", "You can do X for your instance, it's in your control"

Like, which is it? Is this a collective undertaking by a community of multiple stakeholders or is this the Dev's individual project and they don't have to listen to anyone?


I mean sure maybe 10 years ago. But most static sites like blogs and such can fit entirely on a cloudflare page worker under the free tier. Or heck, even the free allotment on AWS S3 or other object storage providers.

I mean, perhaps this isn't a static site and it's built on some sort of CMS and has a postgres database in the background. In that case it probably runs around $5 to $10 a month.

Of course, this all presumes that the person setting this up is fairly savvy about the offerings available. I see a lot of people making silly decisions in this space, thinking that they need some full fat virtual private server, when all they really need is an object storage bucket behind a DNS CNAME.

Well that's pretty compelling!

Ever since the failure of Windows Mixed Reality, there haven't been many non-Meta HMDs worth buying. At least with inside-out tracking.

Maybe this will finally pressure Valve to lower the price on the venerable Index? Probably not. But one can hope!


In U.S. law there are generally speaking, two types of bonuses.

Non-Discretionary - a.k.a. any bonus that doesn't take into account discretion on the part of management and higher. This is usually for bonuses that apply as an "incentive" and have requirements to achieve. Think sales targets for sales teams, on-call incentive structures, and more. This type of bonus is actually considered part of your wage.

Discretionary - a.k.a. any bonus that is paid at the discretion of company ownership. Notably these are bonuses that are not typically communicated in advance, and thus an employee wouldn't know to expect them. They might still expect them from "tradition", but if the only time you ever know about a holiday bonus is when it arrives, it's likely Discretionary. These bonuses aren't guaranteed by anyone - and an employer can indeed choose not to pay these types of bonuses.

It seems that Twitter failed to pay a non-discretionary bonus and there's a large paper trail of incentives given to employees for this bonus. I really hope the DOL makes an example of them on this case.


Sometimes I wonder if the early version of the internet (the one that millennials grew up with) was too accepting of the "online edgelord" mentality. You know, the people who don't believe their own words, just spouting stuff because it makes them look edgy and cool. Like, I know a younger me thought being edgy was cool, and I took that version of myself to online spaces - it wasn't shut down like it should've been. However, I did end up growing out of it, only to realize my old friends never did. Even in their 30s they still act like "top kek memelords" and are some of the saddest and loneliest people I know.

It kinda made me realize that "grown up people" online need to NOT put up with that crap. Like, zero tolerance, "Oh, you're being an edgelord today? Temp ban - come back when you grow up".

These same people, that were my friends back in high-school days often feel "persecuted" when they can't be an edgelord anymore. After all, it was just SO NORMAL before. "It's just a joke bro!". And now every time they interact with society it's through a lens of persecution because they can't be as edgy as they want anymore.

THEN it gets to bad faith bullshit as external bad actors feed the narrative that they "get" to be an edgelord and that's what freedom of speech means - which then becomes a slide into alt-right and incel territory.

It's exhausting, and honestly, I have a bit of myself to blame here - when I was more accepting of that type of behavior rather than pushing back on it. I even think that extends to the larger millennial cohort as well. We just kind of "accepted" 4chan and the trash that came out of it for so long that many just feel entitled to be an edgelord these days.


Forever GM's unite! (But like, once we get the schedule finalized /s)

Yeah, this is probably the best D&D game in existence now. It definitely has some pretty fun mechanics and a lot of depth that other D&D vidya games just lack.


I'm of the opinion that bots are okay if:

  1. They provide value to the community - A news-bot seems to be well received at tucson.social and it helps people get all their Tucson updates in one place without having to share it themselves.

  2. They assist with moderation. Auto responding to new posts that reminds thread participants of the rules could be one use-case.

  3. They enhance the dialogue of the thread or provide useful and important corrections. Perhaps there's a bot that looks up species names and provides useful links in a reply of a zoological based post? I say that's great and what we want!

As for ChatGPT bots:

  1. All bots must disclose they are a bot.
  2. All bots must not fake engagement. As in, it's okay to be other bots because of their relatively strict use-cases and minimal ability to hallucinate and no ability to respond to further queries. ChatGPT makes it appear as if it's a person at times and can be subtly wrong - we have people that do that just fine.
  3. ChatGPT content should go into their own relevant subs. A MachineLearning community might be good at first, but perhaps eventually a dedicated LLM/ChatGPT Writes type community would eventually be needed for people's more creative impulses. It's not exactly relevant for someplace like tucson.social, but might be for a place like BeeHaw.

Sure, so implement them in v0.18 rather than leaving that essential feature for a future release - that's all I personally want.

I don't care about the technical implementation of the Captcha, but given the current threat landscape of low effort bot attacks, removing the feature in the meantime just makes the fediverse worse off.

Yeah, and this would work fine for new features. But for removing existing features that alter the entire ecosystem regardless of whether you upgrade or not? This isn't at all the same, and casting it as such isn't honest.

I feel like folks keep making this a technical merit discussion when that's not at all what it is. A better technical solution is required, I agree. I'm not even disagreeing that captcha can be bypassed - but so can a lock, or a door, or any security feature really given a sufficiently intelligent threat.

But so far the captcha has already made some difference in what instances have spam account problems and those that don't. To argue that it isn't perfect is a logical fallacy that's making my head hurt. Shall we get rid of door locks because they can be picked? Should we get rid of garage doors entirely with the new hacking devices available - obviously the security isn't perfect so why have it at all?

Since when did perfect become the enemy of good? We had a good solution... And now we're throwing it out for a better one, fine! But leave the good one in place until then.

No kidding, my Pixel graveyard is too damn big... I wish other phones had nearly the AI/Assistant features that Pixels had because I definitely don't want to switch to the Apple ecosystem and found the OnePlus experience flawed, while the Samsung experience feels bloated.

I'd go with a Fairphone, but for some reason it's impossible to get "officially" here in the U.S.


I disagree, once your open source project "sprouts wings" you enter an unspoken power battle. If enough of the community disagrees with something the chance of a successful fork grows. Once a project is forked away, you no longer have any control at all.

Also, even if I don't upgrade to v0.18, I have to live in a fediverse that has other instances that WILL, and they might pose a problem with increased spam.


No, I was around when SysV Init was "replaced" by Systemd and how that impacted the Debian project (and other distros).

But you know what, sure, let's stick to your bad faith, insulting interpretation, after all it is more becoming of an internet troll. I'm sure it'll get you lots of updoots from similarly trollish individuals.

Personally, I believe in something called collective responsibility, and that does include expecting community members to do their fair share. But it sounds like you envision federations as mini fiefdoms.

Right? This was always bound to happen. The only way it wouldn't be inevitable would require Reddit to be a non-profit or co-op or equivalent. Which it certainly isn't.

I also agree, the sudden breath into the fediverse (I've been poking my head in since I ran a Nextcloud instance and they had a plugin for the fediverse called Nextcloud Social). This place isn't just a handful of OSS developers and enthusiasts anymore, but something starting to resemble a community of all types.

It reminds me of when Reddit was good, way back in like 2010 (for me) - but it feels more consequential now!

Hmmm, I'd check the following:

  1. Do the emails follow a pattern? (randouser####@commondomain.com)
  2. Did the emails actually validate, or do you just not see bouncebacks? There is a DB field for this that admins can query (I'll dig it up after I make this high level post)
  3. Did the surge come from the same IP? Multiple? Did it use something that doesn't look like a browser?
  4. Did the surge traffic hit /signup or did it hit /api/v3/register exclusively?

With those answers I should be able to tell if it's the same or similar attacker getting more sophisticated.

Some patterns I noticed in the attacks I've received:

  1. it's exactly 9 attempts every 30 minutes from the user agent "python/requests"

  2. The users that did not get an email bounceback were still not authenticated hours later (maybe the attacker lucked out with a real email that didn't bounce back?). There was no effort to verify from what I could determine.

Some vulnerabilities I know that can be exploited and would expect to see next:

  1. ChatGPT is human enough sounding for the registration forms. I've got no idea why folks think this is the end-all solution when it could be faked just as easily.
  2. Duplicate Email conflicts can be bypassed by using a "+category" in your email, i.e. (someuser+lemmy@somedomain.com). This would allow someone to associate potentially hundreds of spam accounts with a single email.

I used to subscribe to YouTube premium as of just a few days ago. Even without the ads. There was something very seriously wrong with the suggestion algorithm.

I was getting cartel violence videos, and dead animal videos. Never watched one before in my life. Yet. YouTube seems to think that I should want to watch this crock of shit. This started coming up about 6 months ago. Until now I've been reporting each video as they come up. But that doesn't seem to help at all.

At this point I think YouTube is a danger to society - if it's recommending cartel violence videos to me unsolicited, what are they suggesting to my nieces?

I have completely nuked it from my life. Almost all of the YouTubers I like are on Nebula or Floatplane so it doesn't feel like I'm missing much.


It looks like they decided to bring it back in time for the next release! - https://github.com/LemmyNet/lemmy/issues/3200#issuecomment-1600505757

They specifically mentioned the feedback in the ticket and it goes to show how collective action can work.

Despite how others felt that I was trying to start a "brigade" - I was only trying to raise awareness by being collectively vocal. I never asked folks to abuse devs or "force" them to do something. I asked them to make their concerns known and let the devs choose. It's just that when I posted there were far fewer comments, and if I were the developer I wouldn't know that this issue is important to a lot of people - at least just looking at the GitHub issues anyways.

Well, seeing that Insurgency: Sandstorm was on a sale, I just picked it up for him (and myself). Seems to have a lot in the map making scene, and that's a really important factor for him.

It also helps that the prior Insurgency game has the most hours on his profile, by far. Gave me a good hint that he should enjoy this one.

Thanks so much!

EDIT: My dad just got back to me, and loves the gift. Apparently that's where most of his online buddies went and still are. Nailed it!

Everyone is impacted, but especially moderators and admins. Moderators will see more spam if Captcha is removed, even if their own instance isn't on v0.18 - they will exist in a fediverse with instances that are on v0.18.

Admins are impacted because Captcha served as a decent way, when coupled with email validation, of combating spam account sign ups.

So what you're saying is that a poorly constructed door is better than none at all? Huh. That was my exact point.


Fun fact, I purposefully goaded the bots into attacking my instance.

Turns out they aren't even using the web form, they're going straight to the register API endpoint with Python. The API endpoint lives at a different place from the signup page and putting a captcha in front of that page was useless in stopping the bots. Now, we can't just challenge requests going to the API endpoint since it's not an interactive session - it would break registration for normal users as well.

The in-built captcha was part of the API form in a way that prevented this attack where the standard Cloudflare rules are either too weak (providing no protection) or too strong (breaking functionality).

In my case I had to create some special rules to exclude python clients and other bots while making sure to keep valid browser attempts working. It was kind of a pain, actually. There's a lot of Lemmy that seems to trip the optional OWASP managed rules so there's a lot of "artisanally crafted" exclusions to keep the site functional.

Anyways, I guess my point is form interaction is just one way to spam sites, but this particular attacker is using the backend API and forgoing the sign-up page entirely. Hidden fields wouldn't be useful here, IMO.
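The triage checklist a few comments up (email patterns, validated-or-not, same IP, non-browser client, /signup versus /api/v3/register) and the observation here that the bots POST to the API endpoint with a Python client at a fixed cadence can both be answered from the reverse proxy's access log plus a dump of registered emails. The script below is an added example, not Lemmy's code and not anything the commenter posted. It assumes nginx combined log format in front of Lemmy, that the Python client identifies itself with the stock `python-requests/...` User-Agent, and that the email list comes from your own DB export; the log lines and emails are constructed samples. It reports the burst size and spacing (the "9 every 30 minutes" pattern), flags `+tag` aliases that collapse to one mailbox, and includes a `should_block` check mirroring the "exclude non-browser clients from the register endpoint" rule, with the caveat that a User-Agent is attacker-controlled and only raises the attacker's cost.

```python
"""Triage a Lemmy registration surge from access logs and registered emails.

Added example (not Lemmy code). Assumes nginx combined log format:
IP - - [ts] "METHOD PATH HTTP/x" STATUS BYTES "REFERER" "USER-AGENT"
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")
REGISTER_API = "/api/v3/register"
PATTERNED_EMAIL = re.compile(r"^[a-z]+\d{3,}@", re.IGNORECASE)  # e.g. randouser4821@

# --- constructed sample data (assumption: stock requests UA; real traffic will vary) ---
BOT_UA = "python-requests/2.31.0"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/114.0"

def _line(ip, ts, method, path, ua, status=200):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 87 "-" "{ua}"'

SAMPLE_LOG = [  # 9 API POSTs at 10:00, 9 more at 10:30, plus normal browser traffic
    _line("203.0.113.5", f"20/Jun/2023:{minute}:{sec:02d} +0000", "POST", REGISTER_API, BOT_UA)
    for minute in ("10:00", "10:30") for sec in range(9)
] + [
    _line("198.51.100.7", "20/Jun/2023:10:05:12 +0000", "GET", "/signup", BROWSER_UA),
    _line("198.51.100.7", "20/Jun/2023:10:05:40 +0000", "POST", REGISTER_API, BROWSER_UA),
    _line("198.51.100.9", "20/Jun/2023:10:07:01 +0000", "GET", "/", BROWSER_UA),
]
SAMPLE_EMAILS = [  # constructed: +tag aliases of one mailbox, a name+digits pattern, one real-looking user
    "someuser+lemmy1@somedomain.example", "someuser+lemmy2@somedomain.example",
    "someuser+lemmy3@SomeDomain.example", "randouser4821@commondomain.example",
    "randouser9930@commondomain.example", "jane.doe@realmail.example",
]

def parse_log(lines):
    """Parse combined-format lines; unparseable lines are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            entries.append(e)
    return entries

def is_browser_ua(ua):
    return ua.startswith(BROWSER_MARKERS)

def should_block(entry):
    """WAF-style rule: API registration POSTs from a non-browser client.
    The UA is attacker-controlled, so this raises cost rather than solving spam."""
    return entry["method"] == "POST" and entry["path"] == REGISTER_API and not is_browser_ua(entry["ua"])

def bursts(timestamps, max_gap_s=60):
    """Group timestamps into bursts; return (burst sizes, seconds between burst starts)."""
    ts = sorted(timestamps)
    if not ts:
        return [], []
    sizes, starts = [1], [ts[0]]
    for prev, cur in zip(ts, ts[1:]):
        if (cur - prev).total_seconds() > max_gap_s:
            sizes.append(1)
            starts.append(cur)
        else:
            sizes[-1] += 1
    return sizes, [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]

def triage(lines):
    """Answer the checklist: how many API vs form hits, which IP/UA, and the cadence."""
    entries = parse_log(lines)
    attempts = [e for e in entries if e["method"] == "POST" and e["path"] == REGISTER_API]
    non_browser = [e for e in attempts if not is_browser_ua(e["ua"])]
    by_ip = Counter(e["ip"] for e in attempts)
    report = {
        "api_register_posts": len(attempts),
        "signup_page_views": sum(1 for e in entries if e["path"] == "/signup"),
        "top_ip": by_ip.most_common(1)[0] if by_ip else None,
        "user_agents": dict(Counter(e["ua"] for e in attempts)),
        "non_browser_attempts": len(non_browser),
    }
    if non_browser:
        worst_ip = Counter(e["ip"] for e in non_browser).most_common(1)[0][0]
        report["burst_sizes"], report["burst_gaps_s"] = bursts(
            [e["ts"] for e in non_browser if e["ip"] == worst_ip])
    return report

def canonical_email(addr):
    """Drop the local-part +tag and case-fold the domain so aliases collapse to one mailbox."""
    local, _, domain = addr.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain.lower()}"

def email_findings(emails):
    canon = Counter(canonical_email(e) for e in emails)
    return {"alias_abuse": {k: v for k, v in canon.items() if v > 1},
            "patterned": [e for e in emails if PATTERNED_EMAIL.match(e)]}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(email_findings(SAMPLE_EMAILS))
```

On the sample data this reports 19 API registration POSTs (18 from one IP with the Python UA, in two bursts of 9 spaced 1800 seconds apart) against a single /signup page view, and collapses the three `someuser+lemmyN@` registrations onto one mailbox. Some providers also ignore dots or whole subdomains in the local part; extend `canonical_email` per provider before using it as a uniqueness key.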

I'll be moving mine to Cloudflare


Sure, that might work for me, but it doesn't scale well for many other larger instances.

I'm not saying to not improve, quite the contrary, improvement is important. I'm saying don't take away the ONE thing that's preventing the spam issue from getting worse.

To be clear, I am a developer in real life. I'm not just talking out of my ass. There are ways to roll out a new implementation without leaving everyone exposed.


I guess I didn't really see the pressure that they were under.

I hope they heal! But it's a bummer that such an excellent resource will be taken down.

I wish more creators were willing to hand their creations to someone who wishes to continue it. But oftentimes, I fear that it's far too entwined with a person's identity for that to be a common occurrence.

Okay, so do you mind explaining why the servers onboarding the most spam users are the ones without Captchas?

If they are so ineffective, why are they effective now?


Honestly? I used to not care. I usually have internet connectivity and have at least one backup method of getting online.

But now my father is pseudo-homeless and there's so many games he's missed out on because his Van/RV didn't get enough cell signal to work.

After that I understood the problem in a far deeper way.

Games were accessible to me as a kid, not because I could afford them, but because I could just pop in my neighbor's CD (and enter their CD key if needed) and be off to the races! If I were to grow up poor now, it would be miserable.

Always-online "single player" games, huge downloads, and if you happen to avoid all that you STILL need to check in online occasionally to use your own Steam Library.

I mean, if 15 year old me existed today, I'd still be pirating things but it would be through a network of friends with Blu-ray burners and good internet connections.

These days, I try to buy on GOG only, and only their non-DRM titles. Then I can throw them onto a Samsung T5 and sneakernet it to my dad without worrying if Steam/Origin/Blizzard/Epic will get in the way.

So the solution is to force everyone to be low hanging fruit in the meantime?

Look, I get where everyone is going in terms of improvements, but to remove an already working solution and leaving folks exposed in the meantime is not how we should be rolling improvements.


It is definitely an under provisioning problem. But that under provisioning problem is caused by the customers usually being very very stingy about what they are willing to spend. Also, to be clear, it isn't buckling. It is doing exactly the thing it was designed to do. Which is to stop writes to the DB since there is no disk space left. And before this time, it's constantly throwing warnings to the end user. Usually these customers tend to ignore those errors until they reach this stop writes state.

In fact, we just had to give an RCA to the c-suite detailing why we had not scaled a customer when we should have, but we have a paper trail of them refusing the pricing and refusing to engage.

We get the same errors, and we usually reach out via email to each of these customers to help project where their data is going and scale appropriately. More frequently though, they are adding data at such a fast clip that them not responding for 2 hours would lead them directly into the stop writes status.

This has led us to guessing what our customers are going to end up at. Oftentimes being completely wrong and eating to scale multiple times.

Workload spikes are the entire reason why our database technology exists. That's the main thing we market ourselves as being able to handle (provided you gave the DB enough disk and the workload isn't sustained long enough to fill the disks.)

There is definitely an automation problem. Unfortunately, this particular line of our managed services will not be able to be automated. We work with special customers, with special requirements, usually fortune 100 companies that have extensive change control processes. Custom security implementations. And sometimes even no access to their environment unless they flip a switch.

To me it just seems to all go back to management/c-suite trying to sell a fantasy version of our product and setting us up for failure.


Similarly FPS-Z games like Tribes (Ascend, Vengeance, 2) and Legions Overdrive.

Fortunately MidAir 2 is almost here. https://store.steampowered.com/app/1231210/Midair_2/

As somebody with autism, I find this take lacking nuance. You see, for me these tools represent a huge leap in accessibility. I can turn a wall of stream of consciousness text into something digestible that represents myself.

I find myself constantly exhausted with the societal expectation that I review, edit, and adjust my own speech constantly. And these tools go a long way to helping me actually communicate.

I mean, after all nothing changes for me. People thought of me as a robot before. And I guess they can continue to think I'm still a robot. I've stopped giving a crap about neurotypical expectations.

I very much agree. I self-identified as a socialist for a long while before actually getting on the ground and building things. And you know what? I found that online "socialism" or "communism" is absolutely nothing like the folks you meet in real life.

Turns out that the loudest on the left doesn't always correlate with who shows up to their community. It's easy to be loud these days, after all. Not so easy to build.

I find that those I help clean the streets with or building new community spaces with are far more pragmatic than any of the "chronically online" socialists/communists - and that pragmatism is derived from a deep experience of what does and doesn't work. What does and doesn't build power and community solidarity.

See, I fear that the chronically online "socialism" is largely insular, idealistic, and uncompromising - and so that's what many see it as.

Just like the "good Christians" are basically invisible right now compared to the authoritarian bible thumpers - so too are the "pragmatic socialists" because we're being hidden behind the loudest, craziest, and dumbest at the behest of corporate owned media.

So yeah, it doesn't really matter what ideology you subscribe to, the most important thing is getting out there and building with other like-minded people and figuring out the path to power in your area. It requires pragmatism, patience, and lots of really hard and unforgiving work with no assurance of making the change in your lifetime.

The best "bang for the buck" in your use-case is to use Nextcloud - Nextcloud Talk is your Jitsi replacement, and the files feature can be extended with the Nextcloud Photos plugin (https://github.com/nextcloud/photos).

As for your domain question:

  1. You should use any computer you'd like that meets the Nextcloud recommendations, the key is of course isolating this machine on your home network so any "funny business" stays on the server. You can do this with VLANs or an entirely separate LAN connected to a different WAN (ISP).

  2. Many places, I like porkbun.com for real custom domains for cheap, but for your use case, you might be able to use a Dynamic DNS provider for free. It just likely won't be an easy to remember URL (or at least, as easy as a root domain only). If you have a newer ASUS or Netgear router/modem they both have Dynamic DNS built in and you can select from a few different providers that have both free and paid tiers. ALSO it might be better to use Google Domains (now Squarespace Domains) since, IIRC, many DynDNS configs for routers support Google Domains too. Cloudflare can also be a decent registrar, and I'd recommend using them if you use any other Cloudflare services (see below).

  3. Other things to consider: Your ISP may block port 80, meaning lots of issues. If this is the case, you might want to use a tunnel of some sort. Cloudflare has a great solution here. Even if they don't block port 80, they may aggressively throttle and shape your incoming traffic - causing issues. Again, the tunnel is a good solution here. And, of course, your upload bandwidth matters a lot, you'll need something around 100Mbps upload for a decent experience when accessing your stuff over the internet. The 30Mbps that's typical of DOCSIS modems won't cut it. Outside of these concerns it's all about making sure you isolate your server from your "home stuff" to keep things secure.


Email validation works only until my domain gets blacklisted...

Manual registration only works up until a certain size...

What other effective solution shall I consider? Those aren't very effective to me.

It looks like the fix for this is to disable IPv6 - not all of us can do that (or want to do that).

Lemmy.ml will need to fix their AAAA record likely.

I agree. I think 1440p+HDR is probably the way to go for now. HDR is FAR more impactful than a 4K resolution and 1440p should provide a stable 45ish FPS on Cyberpunk 2077 completely maxed out on an RTX 3080Ti (DLSS Performance).

And in terms of CPU, the same applies. 16 cores are for the Gentoo using, source compiling folks like me. 8 cores on a well binned CPU from the last 3 generations goes plenty fast for gaming. CPU bottlenecking only really shows up at 144fps+ in most games anyways.

Look, you keep returning back to a point I'm not making, and it seems like it's in bad faith.

You keep saying how captchas aren't perfect. They never needed to be and any sufficiently advanced attacker can bypass them. We've gone over that at length, you returning to this argument just shows how little else you have than a "Mondays always suck" / "Evil shall persist" mindset.

Your entire position of chasing me on "oh, but captcha doesn't solve ALLLLLL bots". Yeah, and laws don't deter ALLL crime either.

Shall we remove these pesky laws of civil society? I mean, after all, why abide by rules that any one person can choose not to follow? What good are they anyways?

You know it's an inane point that has no logical conclusion, but I think you probably already know that and I'm done assuming good faith in your trolling.


I was literally coming to post "Carne Asada Fries" and you decided to open with it, gee, thanks! /s

But since you got that covered, I guess I'll throw in my #2 - A Carne Seca Chimichanga