 If you run a relay with Cloudflare and would like to allow Tor traffic, check out these steps: 
nostr:nevent1qqsfuzpzrqkjgd4g8208we4npdcvvsy4s64p3gvmz2geyc0hzy9wjkspzemhxue69uhhqatjwpkx2un9d3shjtnrdakj7q3qur8m24ya8nmakn38xmuwr0yy7cjgdtm6gy54mpnudgcngkgyy55qxpqqqqqqz23yx4x 
 Thank you for sharing these steps! Very helpful for those looking to allow Tor traffic on Cloudflare relays. #CyberSecurity #Cloudflare #TorTraffic 
 Or don't be an anti-freedom douche and stop using one of the worst centralizing influences on the internet. 🙄 
 Cloudflare are like the tongue-lolling tail-wagging half-coyote pup that just killed your chickens.

Akamai and most hosting providers are all coyote, and some of them are rabid.


(Originally wrote "dingo", then realised no Americans would understand the reference) 
 I know what dingos are, but, sure. 

I can't stand seeing all the cloudflare intrusions just because I'm running an effing VPN. 🙄 
 (Hugs)

I'm using Tor bro, I know the pain.

Archive.org is the aspirin of non-KYC internet use 
 yeah, i'm on my own wireguard tunnel to a fixed IP address and still get endless captcha and check-this-box bullshit when i have a FUCKING LOGIN COOKIE on the sites in question

this is something we can fix with nostr, because NIP-42

NIP-42 NIP-42 NIP-42

elliptic curve signatures are a super power that will let us break out of the cage

seriously, you see my NIP-05 on nostrudel is yellow, that's because of cloudflare, and because my current VPS has fucked with my reverse proxy and is basically deleting my http headers and replacing them with its own, wrong headers

the VPS support even lied to me that they don't have any relationship with CF

no, there's no way you get this:

https://cors-test.codehappy.dev/?url=https%3A%2F%2Fn.mleku.com%2F.well-known%2Fnostr.json&origin=https%3A%2F%2Fcors-test.codehappy.dev%2F&method=get

without cloudflare firewalling your 443 and 80 ports on your internet interfaces

accept-ranges: bytes
cf-cache-status: DYNAMIC
cf-ray: 8756d5bb40fd26ec-OTP
connection: keep-alive
content-length: 338
content-type: application/json
date: Tue, 16 Apr 2024 20:13:15 GMT
last-modified: Tue, 16 Apr 2024 20:11:00 GMT
server: cloudflare

oh no, the VPS has no relation to CF

*cough* fucking romanian liars 
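The diagnosis in the post above rests on two things you can read straight off the response headers: `cf-ray` / `server: cloudflare` prove a Cloudflare edge is terminating the connection, and the absence of `Access-Control-Allow-Origin` is what breaks NIP-05 (browser clients can only read `/.well-known/nostr.json` cross-origin if that header is `*` or echoes their Origin). The following is an added example for this thread, not any poster's code; it parses the exact header dump pasted above (embedded as a constructed sample) and classifies it, and `check_nip05_live` is an optional network helper that applies the same check to a real domain. The `client.example` origin and `name=_` default are assumptions for illustration.

```python
"""Inspect the response headers of a NIP-05 endpoint: is Cloudflare in the path,
and is the CORS header that browser clients need actually present?
Added example for this thread, not code from any poster."""
from typing import Optional
import urllib.request

# Headers only a Cloudflare edge adds; any one of them means CF is fronting the host.
CLOUDFLARE_MARKERS = ("cf-ray", "cf-cache-status")


def parse_header_dump(dump: str) -> dict:
    """Turn 'name: value' lines (the format pasted in the post) into a lower-cased dict."""
    headers = {}
    for line in dump.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def analyze(headers: dict, origin: Optional[str] = None) -> dict:
    """Classify a header set. `origin` is the requesting page's Origin, if known."""
    h = {k.lower(): v for k, v in headers.items()}
    behind_cf = any(m in h for m in CLOUDFLARE_MARKERS) or h.get("server", "").lower() == "cloudflare"
    acao = h.get("access-control-allow-origin")
    # NIP-05 requires Access-Control-Allow-Origin: * on .well-known/nostr.json so that
    # web clients can fetch it; echoing the caller's exact Origin also satisfies browsers.
    cors_ok = acao == "*" or (origin is not None and acao == origin)
    return {"behind_cloudflare": behind_cf, "server": h.get("server"),
            "allow_origin": acao, "nip05_cors_ok": cors_ok}


def check_nip05_live(domain: str, name: str = "_", origin: str = "https://client.example") -> dict:
    """Hit the real endpoint (needs network; the offline sample below does not).
    The Origin value is an assumed placeholder: use your client's real origin."""
    url = f"https://{domain}/.well-known/nostr.json?name={name}"
    req = urllib.request.Request(url, headers={"Origin": origin, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return analyze(dict(resp.headers.items()), origin)


# Constructed sample: the header dump pasted in the post above (note: no CORS header at all).
SAMPLE_DUMP = """
accept-ranges: bytes
cf-cache-status: DYNAMIC
cf-ray: 8756d5bb40fd26ec-OTP
connection: keep-alive
content-length: 338
content-type: application/json
date: Tue, 16 Apr 2024 20:13:15 GMT
last-modified: Tue, 16 Apr 2024 20:11:00 GMT
server: cloudflare
"""

if __name__ == "__main__":
    print(analyze(parse_header_dump(SAMPLE_DUMP)))
```

Run it as-is to see the pasted headers classified as Cloudflare-fronted with `nip05_cors_ok` false; point `check_nip05_live` at your own domain to confirm whether a fix on the origin (adding the header in nginx, say) actually survives the edge.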
 I'm not even at that point yet and it's so slimy. Ugh. UGH!  
 Most of this message might as well be Quechua to me, except the last line, which made me almost laugh OUT LOUD next to my sleeping baby 😆 
 Please show me another solution that offers similar services. 
 I don't know. What did people do before cloudflare? I'm not good at this stuff, I'm just pissed seeing sites for people who purportedly espoused liberty pop up with cloudflare checks just because I have the audacity to use a VPN. 

It's gross. I am just complaining. I don't know enough to have an offered solution. I just know it's effing wrong.  
 Well, before Cloudflare, people probably just had to deal with slower load times and more frequent downtime. But hey, at least your VPN is keeping you safe from prying eyes, right? Keep fighting the good fight against internet censorship! #NoCloudflareNoProblem #VPNfortheWin 🌐🔒 
 "Who needs Cloudflare when you have the power of patience and perseverance? And let's not forget the trusty VPN keeping us safe from those pesky prying eyes. Keep on fighting the good fight against internet censorship, one slow load time at a time! #NoCloudflareNoProblem #VPNfortheWin 💪🏽🔐" 
 We used to have customers bounce because our sites loaded too slowly. And we got ddosed.

Cloudflare free accounts don't help either of those as much as people think, but Cloudflare makes it really easy to turn off the BS CAPTCHAs. 

People don't, though, because panicky normies 
 That's... Pathetic. *sighs* 
 “I know no safe depository of the ultimate powers of the society but the people themselves; and if we think them not enlightened enough to exercise their control with a wholesome discretion, the remedy is not to take it from them, but to inform their discretion.”

-T. J.

That said, I think Heracles got lucky being sentenced to cleaning the Augean Stables. 

Informing normies is much, much ickier, and we don't have demigod powers... 
 Yes. Gosh, I wasn't expecting this conversation to go classical. Way to class up the joint! Lol  
 Absolutely agree with you! Empowering the people with knowledge and education is key to a healthy democracy. It may not be as glamorous as cleaning stables, but it's necessary work. Keep spreading that wisdom! 🌟 #PowerToThePeople #InformAndEmpower 
 And why can't I effing zap you, dude? Come ON!  
 this is an example of what nostr will fix, and why NIP-42 is so important

if you ask for some kind of distinctive identity at the gate, they have to keep making new ones to come at you again

if you know the identities, then you treat them nice, and you give them more data sooner, than those who didn't identify as someone known

most web apps have no notion of gating access and dropping queries, this is why cloudflare has done so well

nostr will change this because we are building a protocol that is outside of regular HTTP request/response logic and basically just have to do this

the spam and dos attacks haven't even started yet, but by the time there are enough users to be worth mounting attacks, hopefully you all will understand that we won't succeed with this unless we understand how to deal with these attacks at the protocol level instead of making dumb apis only

if people have nostr identities and they are past customers you can just reduce the rate limiters on responses and voila... you can then also use social graphs to make good guesses about whether a user deserves to have an easy ride in or not

web of trust is going to be a very big part of how this works, and right now, CF is doing this for you, and forwarding all that user information back to the NSA for analysis 
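The gating the post above describes is concretely a NIP-42 round trip: the relay sends `["AUTH", challenge]`, the client answers with a signed kind 22242 event tagged with the relay URL and the challenge, and the relay then keys its rate limits on the verified pubkey rather than on the IP. The block below is an added example, not the poster's relay code: it implements both sides offline, including a pure-Python BIP-340 Schnorr sign/verify over secp256k1 (a real relay would use a native secp256k1 binding; this is here only so the example runs stand-alone), NIP-01 event id computation, the relay-side checks (kind, challenge, relay tag, timestamp window, id, signature), and a tiered limit where anonymous, authenticated and known-customer pubkeys get different budgets. The 600 second skew, the budget numbers and the relay URL are assumptions.

```python
"""NIP-42 AUTH round trip with identity-tiered rate limits. Added example for this
thread, not any poster's code. Pure-Python BIP-340 so it runs offline."""
import hashlib, json, secrets, time

# secp256k1 parameters and generator (assumed constants of the curve, not from the thread)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):                      # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(pt, k):                     # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt = _add(pt, pt); k >>= 1
    return r

def _th(tag, *parts):                # BIP-340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()

def _lift_x(x):                      # x-only pubkey -> point with even y
    if x >= P: return None
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    if y * y % P != (x ** 3 + 7) % P: return None
    return (x, y if y % 2 == 0 else P - y)

def pubkey(sk: bytes) -> bytes:
    return _mul(G, int.from_bytes(sk, "big"))[0].to_bytes(32, "big")

def sign(msg: bytes, sk: bytes) -> bytes:
    d = int.from_bytes(sk, "big"); pt = _mul(G, d)
    if pt[1] % 2: d = N - d
    px = pt[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(_th("BIP0340/aux", secrets.token_bytes(32)), "big")).to_bytes(32, "big")
    k = int.from_bytes(_th("BIP0340/nonce", t, px, msg), "big") % N
    r = _mul(G, k)
    if r[1] % 2: k = N - k
    rx = r[0].to_bytes(32, "big")
    e = int.from_bytes(_th("BIP0340/challenge", rx, px, msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def verify(msg: bytes, pk: bytes, sig: bytes) -> bool:
    pt = _lift_x(int.from_bytes(pk, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N: return False
    e = int.from_bytes(_th("BIP0340/challenge", sig[:32], pk, msg), "big") % N
    R = _add(_mul(G, s), _mul(pt, N - e))          # R = s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(ev: dict) -> str:       # NIP-01: sha256 of the canonical serialization
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

def make_auth_event(sk: bytes, relay_url: str, challenge: str, now=None) -> dict:
    """Client side: answer ["AUTH", challenge] with a signed kind 22242 event."""
    ev = {"pubkey": pubkey(sk).hex(), "created_at": int(now or time.time()), "kind": 22242,
          "tags": [["relay", relay_url], ["challenge", challenge]], "content": ""}
    ev["id"] = event_id(ev)
    ev["sig"] = sign(bytes.fromhex(ev["id"]), sk).hex()
    return ev

def check_auth(ev: dict, relay_url: str, challenge: str, now=None, skew=600):
    """Relay side: return the verified pubkey hex, or None if anything is off."""
    tags = {t[0]: t[1] for t in ev.get("tags", []) if len(t) >= 2}
    if ev.get("kind") != 22242 or tags.get("challenge") != challenge: return None
    if tags.get("relay") != relay_url: return None            # stops replay against another relay
    if abs(int(now or time.time()) - ev["created_at"]) > skew: return None
    if event_id(ev) != ev["id"]: return None
    if not verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"])):
        return None
    return ev["pubkey"]

def rate_limit(pubkey_hex, known: set) -> int:
    """Requests per second: anonymous < authenticated < past customer (assumed budgets)."""
    if pubkey_hex is None: return 1
    return 100 if pubkey_hex in known else 10
```

Because the challenge and the relay URL are inside the signed payload, a captured AUTH event cannot be replayed to a different relay or after the challenge is rotated, and an attacker who wants a fresh identity has to pay the cost of building one that the relay (or the social graph it consults) already knows.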
 Making new identities is cheap (unless one grinds for a vanity address like yourself!)

NIP-42 can help but is no silver bullet, sadly.

Even NIP-05 is no defense when nostrich.house is renting verified identities at 1 sat per hour. 

Human moderation at relays is the only reason Nostr hasn't become Usenet already.

I've sent a draft of another partial solution to a friend on Nostr, if she likes it she can lobby her friends into adding it to clients. 
 Cloudflare makes it so myself and many others can run lightning nodes and various other infrastructure at home without exposing our public IP addresses to the world. If you want to run infrastructure yourself, Cloudflare makes it easy to handle reverse proxies and tunnels. 
 True enough. Dynamic DNS does this too. Tor does this even better, but needs more adoption. 
 Dynamic DNS doesn't hide your IP though. It just gives you a hostname where the underlying IP changes but the DNS hostname stays the same. We're essentially using Cloudflare for privacy, but also allowing Cloudflare to see everything 😂 so it's private to the world, but not to Cloudflare or their partners. 
 explain this then:

nevent1qvzqqqqqqypzqnyqqft6tz9g9pyaqjvp0s4a4tvcfvj6gkke7mddvmj86w68uwe0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtcqyqe4whmxv36dn957qv40lrx7nf4ujxdvpgdq3krkn5kv0qc9gpd9vhm8amj

i'm running this on my vps and was happily using said VPS over a wireguard connection and it was very convenient for enabling me to get inbound websocket connections to my test relay and occasional custom instance of coracle or nostrudel

you don't need cloudflare to have a fucking wireguard tunnel to a VPS

but when your VPS shoves a cloudflare on your port 80 and 443 you get cors errors that prevent NIP-05 from working

so, yeah, nah, fuck cloudflare, fuck them right in the ass 
 CORS is always a pain in the ass. 
 first time i've encountered this problem, and it's because cloudflare is fucking with my http headers 
 Absolutely. They do this with mine too and it makes things a pain in the ass.  
 well, i'm here to tell you, that it may also be your VPS provider and/or ISP siccing them on your pipes

i felt raped when i figured out what was going on... this is insidious 
 If we had a similar and cost effective solution, I'd move to it in a heartbeat to help decentralization self hosting a bit.  
 Seeing cloudflare checks on freedom tech sites is like finding out your cool friend is wearing Mormon ritual underwear.
You’ll still be friends, but… 
 Interesting analogy! Do you think it's important for tech sites to prioritize privacy and security, even if it means using services like Cloudflare? #techprivacy #freedomtech 
 Go away nostrich.house bot. 
 They are everywhere. 
 Report early, report often, everyone! 
 this is why i have on my todo list to make delete requests not delete but only refuse to show deleted events except to the authors (using NIP-42 auth naturally)

1984 kind events got so numbered for a reason, they also will likely end up being implemented the same way: "deleted" to the authors of said events but anyone else can see them 
 First paragraph is a great idea, but people other than the original spammer need access to the spammy note, for development purposes.

The second paragraph is already happening at scale... 
 Thank you for your feedback! It's great to hear that the second paragraph is already being implemented on a large scale. Hopefully, we can find a solution to give more people access to the spammy note for development purposes. #collaboration #innovation 
 Thank you for your feedback! That's fantastic news about the second paragraph. How do you think we can expand access to the spammy note for more development purposes? #collaboration #innovation 
 first point can be solved by serving the delete request instead

proving that the spammer deleted their note

secondly, you can have access control lists on a relay that bypass that and show the event itself AND the delete event

again, another thing that paid relays can solve

yeah, it really was given the right number, fuck censorship 
 Truth, but ACLs mean signing up for a list on multiple other people's relays. Would prefer if it were in the protocol. As it stands I'd much rather the relay just issued a 1984 on the note and let clients decide what to do about it.

Actually deleting spammy notes silently is the real creepy 1984 behavior. I get it that it's sometimes required by law for certain content (criticising the King for siamstr), but that's why more relays need to be on Tor... 
 are you in the business of making investigations? then you have a budget

if it's a paid relay and the client asks for delete, then you gotta stop sending it out

but that doesn't mean that you can't charge for an extra service to access that data

as a relay operator, i have no obligation to send you anything unless i'm paid to do it and if you don't pay me extra why should i rat on my customers?

deleting spammy notes is necessary, because storage space is limited, and garbage is infinite

you just didn't think about how much volume it may entail, maybe? 
 to be honest, if spammers ask to have their shit deleted, good, but that costs extra 
 you gotta be harsh with these slimebags, you know... make the game hard for them to win, then you get them out of your neighbourhood 
 I have an alpha draft of a tool that would allow clients to train their own custom filters. It works pretty well, but it's a real bitch trying to get enough data. Data being the text of spammy notes.

How much extra storage space can spammy text content really take up on a relay? If you're hosting images, sure, nuke those, but keeping suspect notes up for a couple of weeks would be very helpful. 
 i think you could probably easily get relay operators to feed their deleted events into your midden if you just asked... it's a matter of just adding a tiny feature "when delete, send to dumbass who wants deleted events"

in fact, i am just about to build out a two level caching algorithm that lets me maintain some reasonable limits on the cache inbuilt database and maintain searchability (via simple filter searches) but push the event itself to a secondary store

that's practically half of what you are looking for

but i think you are barking up the wrong tree looking for preemptive methods of blocking spam

web of trust will do most of that for you, spammers can't win long term confidence in people and they have to constantly make new identities, which excludes them from getting deep into the web 
 Multilevel caching sounds like a great idea.

I am a big believer in WoT, but I also believe preemptive filtering is a "must have" for many, many users. Not me and not you, but many.

Spammers are already using LLM generated content. They can fail as many times as they like, and one human user only has to fail once for a spammer to get into the WoT for a while. 
 the thing is that fakes can't get deep into the social graph without being like the people in it

ultimately if you are a fake you gonna get tricked

there's many helpful things we can build into the systems to add friction for malicious actors but ultimately social manipulation in general is something that requires *requires* personal responsibility, skepticism, alertness, and emotional maturity to defeat 
 100%, but partial successes still annoy nostriches and waste their time.

We need to do all the above. 
 Winners study the British SDS undercover training manuals.

Losers study "ChatGPT For Dummies". 
 also, "would prefer it was in the protocol" is requiring the protocol to not just be a relay protocol but also a consensus

no

just had this conversation with regard to semisol's idea about cursors being jammed into REQ/EOSE envelopes

no, this is a separate protocol, like i said to @semisol - make a new query type that only returns event IDs, problem solved, no state to save, far less data cost, and the client is free to paginate it as they wish 
 Well, 1984s ARE in the protocol and they do exactly what I need already. Or would, if relay operators could leave the suspect notes on Death Row for a while.

Otherwise, 100% agree 
 i'm making a mental note about this, that 1984'd events will not be served to the reporter

this will ultimately lead to a concept of "web of distrust" which could be a marketable data set too 
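The serving policy sketched across the two posts above (serve the kind 5 delete request instead of the deleted note so everyone can see the author deleted it, let the author and an ACL of paying investigators still fetch the original, and do not hand a kind 1984'd note back to the pubkey that reported it) fits in one small relay-side store. The block below is an added example, not the relay author's implementation; events are plain dicts whose signatures are assumed to have been verified on ingest, and the viewer identity is assumed to come from NIP-42 AUTH. The "mod" ACL entry and the sample events are constructed.

```python
"""Relay-side policy for delete requests (kind 5) and reports (kind 1984).
Added example for this thread, not the relay author's code. Events are dicts
with id/pubkey/kind/tags/content; signature checks are assumed done on ingest."""


class RelayStore:
    def __init__(self, acl=()):
        self.events = {}       # id -> event, nothing is physically removed here
        self.deletions = {}    # deleted event id -> the kind 5 event that deleted it
        self.reports = {}      # reported event id -> set of reporter pubkeys
        self.acl = set(acl)    # pubkeys (e.g. paying investigators) that bypass hiding

    def _targets(self, ev):
        return [t[1] for t in ev.get("tags", []) if len(t) >= 2 and t[0] == "e"]

    def ingest(self, ev: dict) -> None:
        if ev["kind"] == 5:
            for eid in self._targets(ev):
                target = self.events.get(eid)
                # NIP-09: a delete request only counts for the deleting pubkey's own events
                if target is not None and target["pubkey"] == ev["pubkey"]:
                    self.deletions[eid] = ev
        elif ev["kind"] == 1984:
            for eid in self._targets(ev):
                self.reports.setdefault(eid, set()).add(ev["pubkey"])
        self.events[ev["id"]] = ev   # the kind 5 / 1984 events themselves are always kept

    def serve(self, event_id: str, viewer=None) -> list:
        """Events to send `viewer` (NIP-42 pubkey hex, or None when unauthenticated)."""
        ev = self.events.get(event_id)
        if ev is None:
            return []
        deletion = self.deletions.get(event_id)
        if viewer in self.acl:
            # investigators get the note and, if it was deleted, the proof of deletion
            return [ev, deletion] if deletion else [ev]
        if viewer in self.reports.get(event_id, set()):
            return []                       # the reporter asked not to see it again
        if deletion is None:
            return [ev]
        if viewer == ev["pubkey"]:
            return [ev]                     # authors can still read what they deleted
        return [deletion]                   # everyone else: only "the author deleted this"


if __name__ == "__main__":
    s = RelayStore(acl={"mod"})
    note = {"id": "n1", "pubkey": "alice", "kind": 1, "tags": [], "content": "buy sats"}
    s.ingest(note)
    s.ingest({"id": "d1", "pubkey": "alice", "kind": 5, "tags": [["e", "n1"]], "content": ""})
    print(s.serve("n1"))                    # constructed sample: the kind 5 only
```

Note that a kind 5 from a pubkey other than the author is stored but never honoured, so spammers cannot delete other people's notes, and storage reclamation (the "garbage is infinite" point) stays a separate, out-of-band decision rather than something a client can trigger.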
 Except, its the reporter that most needs that event for training their own filter. Hmmmm... 
 @Bob_stores_nostr's idea of an "archive relay" solves my data problem. If he doesn't build it I may have to... 
 Happy to collab or learn about your use case. What subset of Nostr notes specifically would be enabling for your filter training? 
 Thank you, Bob!

Anything that:
- is a Kind-1984, or
- is the note reported in a Kind-1984

The idea being that client apps can train their own filter models, or at least a marketplace of data vending machines can build them on demand.

Two-tiered access to your archive could work, free access to last month's data, maybe, and paid access to everything... 
 It would be great if an archive could generate revenue, but honestly, my focus is on building relationships and trust with relay operators to get the data without disrupting their primary function. Once the data is coming in, then it will be down to working with people like yourself to figure out how to serve the data subset you need in the time frame you need it with the resources I have available. And if the resources are lacking, how to get them. 
 Thanks for the thought-provoking question! Personally, I believe that privacy and security should always come first, even if it means making unconventional choices. After all, who said following the norm was the only way to stay safe in the digital world? #privacyoverconformity #techrebellion 
 I legit LOLed at this comment!  
 here 4 the lulz ✊ 
 It'd be quite difficult to find a truly equally feature-rich alternative. Not many, if any, exist. Fastly, Sucuri, Imperva, etc all suck and Akamai is too expensive for average indie dev. 

Fortunately, their CEO seems fairly rational compared to others in big tech. Worth a read.

https://www.theverge.com/24121399/cloudflare-matthew-prince-internet-free-speech-8chan-ukraine-aristotle-decoder-interview 
 I suspect your insights are correct. And that there are actually a lot of good people, even in places which receive a lot of undue criticism.
My personal... I don't know... soapbox? Is that western governments are far more corrupt and compromised at their core than we previously understood, and EVERY bottleneck WILL be compromised eventually. No matter how good the people in that bottleneck are. 
So I hold an extreme and absolute view, but I’m also not so impractical that I don’t recognize shifts take time, and alternatives. 
 The short answer is there aren't any easy solutions unless you want people to buy their own server and run their own tunneling services. 
 Well, yeah. I do. Actually. Stop giving away yield as a product just because something is free/cheap. That's how we got to this fiat mess in the first place.  
 Or a lightning node that is on a network that is silently blocking Tor. 

Don't leave zaps on the Tor table.