Re: "Cisco has decided to leave france": (https://web.archive.org/web/20250614052849/https://support.o...)
It's laudable that Quad9 want to fight censorship, but they too could block French requests in this way. Maybe redirect to an HTTP/HTTPS IP that tells users about the issue and gives them contacts to their government representatives?Effective June 28, 2024: Due to a court order in France issued under Article L.333-10 of the French Sport code and a court order in Portugal issued under Article 210-G(3) of the Portuguese Copyright Code, the OpenDNS service is not currently available to users in France and certain French territories and in Portugal. We apologize for the inconvenience. July 23, 2024: Cisco's OpenDNS service has been reactivated in Portugal and is currently available following a decision by the Lisbon Court of Appeal.> Other companies, such as Google and Cloudflare, have the technical means to restrict the blockades to France, but not all providers can do so easily. That includes Quad9, which had no other choice than to apply the French blocking request worldwide.
Just quoting the article, can anyone weigh in on the costs/complexity of a public DNS resolver implementing geo-fencing?
> can anyone weigh in on the costs/complexity of a public DNS resolver implementing geo-fencing
I was a small part of the original team that built OpenDNS. I also operate a less well known public resolver now.
DNS is extremely latency sensitive. You have basically a 20ms budget to work with, which includes the time the request and response traverse the internet. It is also extremely high volume, a large public service like Quad9 could easily see single digit millions of requests per second.
There is nothing that technically prevents you from doing geofencing. Cisco has the money to absorb the costs of the additional overhead - but I could not. My first stab at the problem would be to simply shut down my servers in France to try to get out of the legal jurisdiction. I don't know if that would be sufficient without paying for a lawyer.
Quad9 absolutely has a valid argument here and it pushes more of our public infrastructure into the centralized hands of a small number of players because people like me can't afford to just run free shit on the internet anymore.
There are multiple free and paid geoip databases, from $0 to $1000 a year, depending. Then an hour to write a script to add iptables rules from the database for the country of choice. (Example: https://gist.github.com/asheroto/934e056a302adda334077f0c85c...)
I don't know what is unique about Quad9 that they couldn't do this, but it's possible they have some technical limitation
There's likely a performance impact that is significant at that scale. If they're blocking 670M DNS requests a day, they're likely doing 10-100x that overall.
Have you implemented something at that scale to say this is no big deal for them to do? And what about when 180 countries want their own list and maybe even states, providences, etc do as well?
Who's blocking 670M requests a day? Which requests? From all of France to Quad9? Or all of the whole world's requests to Quad9? It doesn't say anything about that in the article... In any case, 670M DNS requests a day * ~512 bytes (a DNS request is much smaller than this) = 31.76Mbps. Not a tiny amount of traffic, but doable for 1 server.
Assuming this is total blocks for all of Quad9 globally? Spread this over 4 nameservers in a region (assuming anycast), with let's say 4 global regions (to be conservative)? That would be 1.985Mbps per server. That's (max!) 484 DNS requests per second, with 1/500th the bandwidth.
DNS is probably the fastest protocol on the internet other than ICMP. You can handle a ton of traffic with minimal hardware. Bump up the CPU to handle more interrupts/iptables rules. Buy a NIC with packet offload for even less CPU use (thus handling more requests). And eBPF & XDP would be much faster than netfilter.
If you were already gonna accept the request, process it, and send back a reply, dropping the packet doesn't cost you anything. It actually saves bandwidth, tx interrupts, and possibly CPU cycles.
> eBPF & XDP would be much faster than netfilter.
Netfilter is plenty fast, when configured sensibly. You'd probably want script to populate a "hash:net" ipset instead, and have just one iptables rule:
(where "geoblock" is aforementioned set)-A INPUT \ -m set --match-set geoblock \ -j DROP> Who's blocking 670M requests a day
Do you even know what Quad9 does or why it's a thing?
Are you honestly suggesting they just need to add a couple CPUs and some different NICs?
You seriously underestimate how fast modern CPUs are, especially considering how many distributed servers OpenDNS runs on. There’s no meaningful performance impact to be found here.
Also keep in mind we’re talking about Cisco here and not some Ruby on Rails shop.
Anyway, I’m a big fan of the “fuck country $x” approach
- [deleted]
Blocking a growing list of entire countries also sounds like an existential threat.
Hoping the HN DNS savvy reading this can help me understand a Quad9 thing I ran into. I was debugging (as in scratching my head) a bank website login problem and ended up doing some DNS checks against their domain, usual stuff, while using Quad9 as my DNS provider.
While testing, I was using Google and Cloudflare as well, and started noticing something - Quad9 does not return all A records listed for a domain, the same way Google/Cloudflare do.
This gave me a weird feeling; I get there's a lot of DNS geo magic and 8.8/1.1 serve 2 different subnets, and 9.9 a third. But... where did the other 5 expected IPs from Quad9 get off to?dig -t A google.com @8.8.8.8 +short (6x IPs) dig -t A google.com @1.1.1.1 +short (6x IPs) dig -t A google.com @9.9.9.9 +short (1x IP)I used quad9 as the primary upstream DNS for my home. about 11 days ago I wasn't able to send any query to quad9, kinda blocking. Their status page was green I suspected my ip was blocked. Now I'm on quad1 :(
Have you tried Mullvad?
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
TL;DR
dns.mullvad.net - 194.242.2.2 (no blocking)
adblock.dns.mullvad.net - 194.242.2.3 (ad and tracker blocking)
base.dns.mullvad.net - 194.242.2.4 (ad, tracker, malware blocking)
And others but I primarily use the last two. They offer it as a public service, similar to quad9.
Thanks to multiple mentions of Mullvad in this overall post comments, I decided to replace dnsmasq with unbound and convert the laptop to DoT. Here's the specific Mullvad snippet if anyone needs:
As mentioned in the default unbound config, the "#" is not a comment when used in the value, it's used for TLS checks. I followed this simple blog post from years ago: https://www.jwillikers.com/dns-over-tls-with-unbound# Mullvad Unfiltered forward-addr: 2a07:e340::2@853#dns.mullvad.net forward-addr: 194.242.2.2@853#dns.mullvad.net # Mullvad Adblock # forward-addr: 2a07:e340::3@853#adblock.dns.mullvad.net # forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net
I see a single IP for all 3
While I'm here: Google uses edns0 client subnet to geo target your client IP.
Try a dig -t txt o-o.myaddr.l.google.com @8.8.8.8 vs the others to see the src IP of the packet sent to Google's DNS server, and any edns0 info that came along with it.
Interestingly, I get 3 different source IPs, BUT! The one from Quad9 is IPv6 and the ones from 8.8/1.1 are IPv4. Google returns an extra TXT record as well with "edns0-client-subnet 172.56.95.0/24". I'm not a DNS pro, so not sure what to make of it.
As 9.9 returned an IPv6, I tested with AAAA records just now - 1.1/8.8 respond with 4x IPs, 9.9 only 1x so it mirrors the A records in spirit.
I really wanted to like Quad9, and used it for a while, but there have been constant issues in the northeast with random SERVFAILs for months now. I had to switch back to Cloudflare.
Have you tested it with a static domain with multiple IPs?
Using google is bad way to test this scenario, since they use EDNS and many other DNS load balancing methods to distribute the load.
interestingly, i only get one IP from each command:
$ dig -t A google.com @8.8.8.8 +short
142.250.184.206
$ dig -t A google.com @1.1.1.1 +short
216.58.206.46
$ dig -t A google.com @9.9.9.9 +short
142.250.185.238
I'm sure geo has something to do with it - my connections generally terminate in Austin, TX but it varies around Central US. I have T-Mobile Home Internet and our IPs show up to remotes under the same general ASNs as the traditional mobile network (big huge CGNAT, my IP can change 5 times a day or whatnot and it doesn't reflect where I actually am located).
Edit: in case useful to someone reading, right now I have an IP assigned out of this block:
Edit edit: in the network record is a link to the self-reported geo data, I missed that.NetRange: 172.32.0.0 - 172.63.255.255 CIDR: 172.32.0.0/11 NetName: TMO9 NetHandle: NET-172-32-0-0-1Comment: Geofeed https://raw.githubusercontent.com/tmobile/tmus-geofeed/main/tmus-geo-ip.txtIf you're behind a big CGNAT and Google knows it, they might intentionally return multiple addresses to have more capacity.
Each service port (IP:Port) can only receive 64k connections from each NAT IP, returning more IPs from DNS makes more connections available. Google is a very popular service, so it makes sense to do. (Less so for v6, though)
Alternately, if they can't get a good feel for where you are, returning A records for multiple locations makes sense, too.
No idea why 4 AAAA vs 6 A; Google runs dual stacked and I'd expect the same number of records for both; IIRC, 8 AAAA will usually fit in a 512 byte udp reply, and anyway DNS64 might expand As into AAAAs, so you have to gauge sizes with those anyway.
> Each service port (IP:Port) can only receive 64k connections from each NAT IP
Interestingly, for Tor, the lowest common denominator local port exhaustion threshold at exit is 16384.
https://spec.torproject.org/proposals/348-udp-app-support.ht...
Isn't that because Quad9 does (more) filtering than the other two?
I actually do (did, I demoted it for now) use the unfiltered service (9.9.9.10) but find the same result on both, so I used .9 here to keep the chat more streamlined. But, could still be relevant somehow?
This is also why it is important for Switzerland to not sign the deal with the EU next year. The 8k+ page deal would also require Switzerland to pull the line with EU regulation regarding copyright. The freedom we have right now to download would fall away. Doesn't matter if you are left or right, the deal is bad for all of us.
Many ISPs in Germany have stopped fighting this fight as well and sadly have now even started to self-censor their DNS servers.[1]
In Japan the PM's office once considered to block online piracy websites[1] with DNS in 2018. Japanese tech community fought against it[2][3][4] and it wasn't implemented.
The telco authority currently considers to block online casino websites[5] (gambling is illegal in Japan).
[1] https://www.kantei.go.jp/jp/singi/titeki2/tyousakai/kensho_h... [2] https://www.nic.ad.jp/ja/topics/2018/20180625-01.html [3] https://www.wide.ad.jp/News/2018/20180912.html [4] https://www.nic.ad.jp/ja/materials/iw/2018/proceedings/d3/d3... [5] https://www.soumu.go.jp/main_sosiki/kenkyu/online_casino/ind...
More people should run their own recursive resolvers with unbound. There’s no need to rely on centralized DNS anymore.
Seems like a great use case for Pi-hole to add include lists - have files with lists of DNS entries that are delisted in some areas. Of course a VPN is probably more beneficial in general though.
Isn't this putting unsustainable load on the root servers?(on the scenario that many people do that)
If we are talking about the actually root servers, there are 13 redundant names spread out (thanks to anycast) on around 1700 servers located around the world, and the lookup a user would do is cached for 2 days. That mean the highest amount of traffic a system will generate is one request per unique TLD (like .com) per 2 days, and it will fit a single UDP package.
We can then do some guesses about size for questions like "what is the nameservers for .com". Those are a bit larger than most dns queries since the answer is a bit bigger than most, since .com has a lot of nameservers, so lets put it down to 800 bytes. Every 2 day a average use might then, using some guessing, generate maybe 10 kb of traffic, or about 0.015 seconds of watching a 1080p video on youtube.
Everyone used to query the root servers directly from their ISP or corporate edge servers until the big platforms wanted to gather more of everyone's data in the name of "keeping people safe" from "bad ISP's". As with any manipulation campaign there are a few incidents corporate propagandists can site to say, "See! We are protecting you!!" forcing people to debate the issue and knowing the majority will accept the default settings. Blocking all the DoH/DoT resolvers would be trivial for any ISP to do just as I have been doing at home since the inception of DoH.
The root Anycast clusters are absolutely designed to handle the entire internet querying them which I do from Unbound. If one wishes to help reduce load they can enable large memory caches and rewrite min-ttl to something sane to protect the root servers from Amazon EC2's default 5 second ttl and others like them. Blocking known spam and tracking domains also helps reduce the total number of queries. Groups of friends can even further reduce the load by setting up their own DoH/DoT servers using Unbound DNS and sharing the cache and using cron to keep their favorite domains hot in the cache and increasing private by making the crond queries from a VPS node.
Here's my cache stats for a 3 day uptime:
Memory usage permitting up to 1.5 GB:total.num.cachehits=18149 total.num.cachemiss=2300 total.num.prefetch=4561Private + Shared = RAM used Program 343.1 MiB + 523.5 KiB = 343.6 MiB unboundhttps://datatracker.ietf.org/doc/html/rfc8806
Abstract
Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server; those resolvers may have difficulty getting responses from the root servers, such as during a network attack. Some DNS recursive resolver operators want to prevent snooping by third parties of requests sent to DNS root servers. In both cases, resolvers can greatly decrease the round-trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software. This document shows how to start and maintain such a copy of the root zone that does not cause problems for other users of the DNS, at the cost of adding some operational fragility for the operator.
This document obsoletes RFC 7706.
RFC 7706. Even has config file examples.
Regarding censorship, that works only if there's no network side blocking, otherwise the unencrypted requests to root servers also get intercepted. That's why some people use DoH as the upstream for their resolver.
Not all countries or ISPs do this, but some do.
True, DNSSEC should tell you if requests are being rewritten or blocked, but it will not help you circumvent this.
> have now even started
This has been the case for a very long time. Back when TBP was popular this was already the case.
Does anyone use Mullvad DNS servers? https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#... I found them more acceptable.
Didn't know they have publicly available DNS servers. Thanks.
I've also started using/testing the DNS4EU servers: https://www.joindns4.eu/
I do (as a fallback), but they're extremely slow.
Did you know Wikimedia also runs a public DNS service?
They're pretty slow for me, 350ms on average:
https://dns10.quad9.net/dns-query Unsecured: No Malware blocking, no DNSSEC validation (for experts only!)
Maybe it is fast because it is not secured at all? :D
https://dnsspeedtest.online/ a link with benchmarks for newer readers
I have had nothing but problems with their DNS service. Outages what feels like a daily basis.
But the VPN itself is great!
Going after DNS resolvers seems like the easy win. If a website was breaking the law so egregiously then take it to ICANN to get the domain name seized. I'd wager that's a much harder thing to prove, hence the strong arming of DNS resolvers.
Seizing a domain name via ICANN has to be global, as I understand it, while a website might have only broken some nations laws.
If the UK government wants to ban porn but loves gambling, while the US wants to ban gambling but loves porn, a blocking mechanism that lets them have different blocklists allows both nations to get the censorship their voters have chosen.
Pretty sure the US does it all the time or just contacts the registrar.
Only for TLDs within legal reach. TLDs like .ru and .su require diplomatic outreach and backroom deals.
ICANN has no mandate, mechanism, or ability to seize domains. The only tool they have is de-accreditation of registrars (which obviously affects ALL domains registered by that registrar) and that tool is only used when there is clear and non-cured breach of the ICANN Registrar Accreditation Agreement.
Kind of wild that we're approaching a decentralized internet not for the virtue of decentralization, but because of insane authoritarian censorship.
> insane authoritarian censorship
Sanity, liberty, and censorship-resistance are virtues.
(before mental wellness people get up in my grill, by "sanity", I mean the preconditions likely to make sanity widespread)
ironically/appropriately[?] a virtue of decentralization would be combatting insane authoritarian censorship
I consider conser resistance the defining virtue of decentralization.
Does Quad9 run a resolver with DNSSEC but without "malware" blocking? So far I've had multiple instances (twice for a torrent tracker, once for gist.github.com) where they blocked a non-malware domain for a short while, which is really annoying to deal with.
Unfortunately no, they run 9.9.9.10, which is without "malware" blocking and without DNSSEC.
Would the root DNS servers ever get modified or censored as a result of court action?
My thoughts were that DNS-level censorship is essentially a dead end because the root servers are sacrosanct, and there will always be secondary DNS servers to query, who then use the root servers.
Sucks for DNS providers in authoritarian countries though.
I suspect the US would push back on this unless they were the ones doing the censoring. So far the US has not opened that door with DNS; it’s important to make sure that the door stays closed, as this would create chaos and major fragmentation.
In the meantime it might be worthwhile to develop alternatives, like some kind of DNS-over-Tor or DNS-over-DHT scheme, along with normalizing Tor onion services as an alternative access method for clearnet sites.
Yes, some kind of alternative DNS system where domain assignment is authenticated using some kind of distributed system of ownership consensus! If only such a thing has existed for years already and was well tested and performant...
https://www.kraken.com/learn/what-is-ethereum-name-service-e...
All the things that crypto true believers believed would happen are slowly coming to pass. It wasn't all bored apes and gambling. There was some legitimate developing going on, and still is.
After the Samourai case, you shouldn’t be so confident in cryptocurrency-based solutions for things like this. If devs can somehow stay anonymous and out of reach, maybe.
I’m not ideologically against cryptocurrency-based solutions, but it isn’t a magic bullet by any means. I still think that the EU in particular isn’t done making life difficult for crypto users.
Not to discourage projects like ENS, I think it’s good to have alternatives, but I do think we need noncommercial fallbacks to the current system as well. Anything involving money will always have choke points.
In what way do you think ENS can be compromised if devs are not 'out of reach'? You're comparing a permissioned mixing service whose authors made it centralized on purpose to extract fees with a decentralized DNS system. There is nobody in charge. There are no master keys. There is no means by which a government can shut it down, short of shutting down the ethereum network itself, which I think they would find to be easier said than done.
This is the problem with crypto discourse - people view the guy selling snake oil on the sidewalk outside the gas station on the same level as legitimate infrastructure project that is the combined work product of hundreds of people who aren't trying to scam anyone, just make useful stuff.
The only solution to this is being willing to learn about the technology, which is a very unpopular view on HN.
Fair enough, but I’m not convinced that a significant number of DAO members, contributors, and token holders couldn’t be identified and pressured into making changes. Such a push may not be successful, as ENS is widely distributed, but that doesn’t mean that the EU wouldn’t try if ENS usage became more common. Even if unsuccessful, this attack could have a chilling effect on uptake in the place where it is most likely to be needed.
Additionally, the EU could block purchase of ENS from exchanges. This added friction, though minor, is enough to slow uptake. I look at Monero as an example. It is functional and stable and it does what it claims. Yet hardly anyone uses it, because it has been effectively fenced off through a series of very low hurdles. It is not hard to swap to Monero for privacy, so why don’t more people do it?
IMHO ordinary users are much more likely to install a resolver that doesn’t have any connection to cryptocurrency. (The media campaign against crypto has been very effective.)
I do think crypto people ought to keep trying to develop their tools: there is some utility in it, and it may be more useful as things evolve. But it’s not a panacea, and the fact that it is “digital money” makes operators legally more vulnerable to attacks and regulation under current laws and legal precedents. Distributed, digital-only, non-monetary, volunteer-run networks like Tor are legally very resilient for now, at least in the West. (That could change, but it hasn’t yet.)
How does the access method matter?
No. While root servers are NOT sacrosanct, if such a court action were to occur and a root server operator were to carry it out, the change would fail DNSSEC validation in resolvers that have DNSSEC enabled (which varies depending on where you are, see https://stats.labs.apnic.net/dnssec), resulting in a SERVFAIL. In such cases, resolvers generally try another root server, until it gets a non-SERVFAIL answer, so for this to have the desired effect, you'd have to get all the root servers to implement the same change. This would be unlikely.
However, the root server operators merely publish what ICANN (via the IANA functions) produces.
If the US (either federal or perhaps even the states of California or Virginia) were to decide to "censor" a TLD in the root zone, they would simply go to ICANN, PTI (the folks who provide the IANA functions under contract to ICANN) or, more likely, Verisign (who generate and publish the root zone under contract to ICANN) and demand the root zone be modified.
As a sibling comment mentioned, the root servers are unlikely to get such order since they deal with registries and not what I would call end user domain names.
Registries do get block orders. When the Swedish registry got that for piratebay they choose to treat it like a domain dispute and gave ownership of the domain to the police, which the police in turn could treat like any other taken property and auction it out. The trouble is when the police wanted to destroy it, as there isn't a good definition on how to destroy a name so it can never be used again, and the registry was not keen on allowing the concept of a block.
The root servers do not deal with registries. They deal with the Root Zone Manager (Verisign, under contract to ICANN) only.
The way you "destroy" a name is either to not delegate it or give it to the Registrar of Last Resort (https://www.rolr.eu).
You can choose not to delegate it, but then how long and who should maintain the list of names that should not be delegated? Who should pay for the work to implement it, and who should pay for the maintenance for said system, and for how long? Should there be an appeal process or some kind of oversight, and who should body those roles?
In theory the law makers could specify this in law as form of registry regulation, but no one want to do that just to address one or two court cases where this question comes up. The registrar of last resort doesn't give any direct answer to those questions either.
These cases come up far more frequently than "one or two court cases" -- many takedowns of botnet/malware (e.g., Avalanche) end up in ROLR. See "domain generation algorithms".
In general, the vast majority of registries are fine with marking particular domains as "allocated but not delegated" as long as they get paid. ISTR ICANN waiving their fees, so the costs of marking a domain as undelegatable essentially turn in lost opportunity cost, which most registries are willing to eat.
The number of times a domain ownership get turned over to the police are not that common. For malware it is much more common to just remove the registration than to keep it registered for all eternity. There are a few different procedures used for malicious registrations (got to be careful with cnc), but the absolute most common seems to be to just put the domain on hold and then remove the registration after a short period. 99.9% (likely a few more 9s) are handled like that voluntarily by the registry and also by some registrars, which mean it does not involve the courts. The number of cases where it does goes the full length to court, a guilty verdict is reached, and the ownership of a malicious domain is decided to be given over to the police are very few.
The root DNS servers basically only tell you where the registry servers are, they don't contain records themselves. If someone censored a domain at the registry level then the root servers would be no help
This is true but I can imagine where they might go after the lowest reachable branch of the tree, up to threatening to remove country-level TLDs from the root servers for noncompliance. Only the US really has the leverage to do this, and it would just fragment the internet, as additional root servers would pop up to serve the missing TLDs. So it’s unlikely but possible.
"Additional root servers" popping up that would server missing TLDs would fail DNSSEC validation unless you modified the root hints and turned off DNSSEC or resigned the root zone and updated the trust anchors in validating resolvers.
Oh it would be chaos, but I’m sure there would be a workaround available within a week. Alternative roots already exist: https://en.wikipedia.org/wiki/Alternative_DNS_root
But the query is of the whole name. In theory they could nxdomain blocked names.
But long ttls and caches would mostly break this as an approach
Ever since the Verisign coup in 2003, the world has had the idea of "delegation-only" and suchlike filtering on responses from superdomain servers. More recently, query minimization was invented. Both of these can militate against the root content DNS servers doing that.
Better still, one can run one's own private root content DNS server. I've been doing that (in several ways) for a couple of decades. If ICANN decided to blackhole (say) www.microsoft.com. tomorrow, my DNS lookups wouldn't be affected.
To affect them, the aforementioned "court action" would have to target Verisign.
I'm curious: how did you implement your "private root content" DNS server such that it keeps up with (valid -- and how would you know?) updates made by the TLD registries via IANA?
Yes and no. See QNAME Minimization (https://datatracker.ietf.org/doc/html/rfc7816.html).
I just run my own name server. DNS blocking is no longer an issue unless they get to the root name servers. With a little domain warming from the top 5000 domains it’s pretty snappy most of the time.
More realistically, DNS blocking is no longer an issue unless "they" get to the registries for the top-level/second-level domains. It's easy to make yourself immune to things injected by the root content DNS servers, with at least two mechanisms for combatting this (the better one being just running your own private root content DNS server) having existed for most of this century.
Or block outbound 53 on residential networks
Comcast wonderfully intercepts port 53 traffic and shunts it to their own servers.
I was getting an A record for sending I knew didn't exist. Spent quite a bit of time investigating until I just tried opening the site up in a browser. Then I saw their lovely as page. Thanks guys...
DNS literally would not work if they did that.
Are we heading to a place where there will be many DNS resolvers just to get a "full" picture of the internet? Or perhaps topical upstream resolvers?
Easier to run your own uncensored resolver, no?
See RFC 8806
> “At what point does legal compliance become de facto censorship?”
I genuinely agree with this statement a lot. Also another aspect of this is that the bigger companies can somehow "legally" do things which I don't think would work but they have so many resources to strech the court case for a long time.
And the fact is that even after that, even if they are fined for some dollars. They are more than likely to just pay than try to actually fix the core issues which effects everyone harmfully except the company.
All for profit smh. I sometimes wonder if there is a word for this phenomenon for how our system has gotten into such a rotten state from lobbying to this yet at the same time genuine non profits get existential threats for the same behaviour but they simply don't have the funds...
> Also another aspect of this is that the bigger companies can somehow "legally" do things which I don't think would work but they have so many resources to strech the court case for a long time.
A big part of this impression is that people very often very much underestimate what they can get away with, whereas big companies have lawyers to tell them ”oh yeah you can totally do this”.
Of course there are some exceptions. Uber and AirBnB are probably decent ones, in some jurisdictions anyway.
This seems true.
Look at Donald Trump - he failed, over and over again, but he always kept trying. Seven bankruptcies, but he never said "I'm bankrupt so I'm not allowed to do any business again" - he just kept on doing business. And look at the government shutdown - he kept saying the Democrats will eventually fold and do what he wanted, and they have now folded and done what he wanted. This is a man who doesn't understand the word "no" and look where it got him.
Not just him - you have basically every successful tech entrepreneur too. They don't ask permission. However, some people don't ask permission and as a result of not asking permission they end up in jail, like Sam Bankman-Fried, instead of as billionaires out of jail, like Larry Ellison. So it seems you need a good intuition on which things you shouldn't ask permission for, and this has very little to do with facts and very much to do with personal connections.
> and this has very little to do with facts and very much to do with personal connections.
Disagree, anybody would have gone to prison for doing what SBF did
CZ got a presidential pardon alongside giving the president a bunch of money. So did Ross Ulbricht. SBF did not give him money, and is in jail. It's true none of them did the exact same crimes as each other, but there's a clear pattern here. Let's see if in the future SBF gives the president a bunch of money and gets a pardon.
CZ received and served a four month sentence for vague AML issues, the pardon didn’t really change anything for him.
Ross Ulbricht had no connections prior to his imprisonment. His case demonstrates how even a man in supermax prison with essentially no money to his name was able to build good enough connections to get a presidential pardon for dealing massive amounts of drugs.
Personal connections might matter if you do decide to commit serious crimes, but as Ulbricht demonstrates, anyone can develop those connections.
I find it amusing that it's always the governments fault. Or the users fault.
It's never the fault of the trillion dollar industries that are millions of times more powerful than any individual.
Our system get gotten into a rotten state because a tiny number of modern barons have all the power, and none of the civic responsibility. Concentration of money - when money is power, is the same as concentration of power.
What is always the governments fault?
> if there is a word for this phenomenon for how our system has gotten into such a rotten stat
There is, it's the system's name: Capitalism
Noone ever in the universe claimed that this system serves primarily the needs of humans. It serves profit. Now there is a ven diagram that has a union area between profits and needs, but the system does not care about making this union bigger, it cares about making the profits bigger. When that overlaps with needs... it is just a happy side effect.
and yet the largest group of professional utilitarians in the world (economists) largely do claim what you are saying ‘nobody even in the universe’ would.
transitive preference satisfaction is generally a pretty good framework. if you give more people what they want, you get more of what you want in turn.
Free markets are not unbridled capitalism; capitalism needs strong trust-busting and anti-monopoly enforcement.
[dead]
I tend to agree with this sentiment, but my takeaway is slightly different.
People who would describe themselves as supporters of "capitalism", as well as supporters of "communism" or "socialism", are not able to admit that their belief systems are actually religious in structure. Not spiritual perhaps, but effectively "secular religions".
Both capitalism and its nemesis arose in the mid 1900s, when humanity was obsessed with modernist thinking about "solving problems once and for all". And in that context, the people fell in love with these two "clean systems". A more perfect set of rules.
Sure, capitalism doesn't claim to be the most powerful god. But in surrogacy, it claims to be "the least imperfect system". Which is structurally the same claim: declaring the scripture to be some apex that is not surpassable.
The main difference between communism and capitalism was how it was implemented. The USSR went full-tilt ideologically rigid, and collapsed very quickly. The US didn't go full-tilt capitalism. It implemented a hybrid system with a high marginal tax, welfare programs, subsidies, labour unions, public works projects, along with a market system, and that hybrid non-ideologically rigid model served it well.
Around the time it was clear the USSR was collapsing, the USA went hard tilt in favour of ideological purity in capitalism. Systematic series of clawbacks in the tax regime, privatization, elimination of labour unions.
As they leaned into the religion, it was used against them, much like the communist religion was used against the people of the USSR. And now they have been robbed of their prosperity, of the value of their efforts, much like the people in the USSR were robbed.
Nice read but we also have democracy to prevent things but it still feels effectively hi-jacked by such fictional constructs like capitalism and the lobbying power
Theoretically we should be able to think of the majorities or ourselves and we can have a good system
but we also feel like a lack of choice I suppose, the elections feel between just two parties with choosing the lesser evil (I think zohran is cool tho in the democratic party and maybe he could signify some good things I guess)
Personally I feel like we need to focus more on the incentives and competency of people more than anything and try to vote it on that and not what they speak I suppose.
- [deleted]
We don't have democracy because the people with the most money can use a century of learning how to manipulate people through mass propaganda, advertising, pr, spin to get the results they want. People don't form political opinions in a vacuum, they are formed by the messages they receive.
[dead]
'Both capitalism and its nemesis arose in the mid 1900s, when humanity was obsessed with modernist thinking about "solving problems once and for all". And in that context, the people fell in love with these two "clean systems". A more perfect set of rules.'
All of this is junk. Karl Polanyi famously puts the birth of capitalism very late compared to other important thinkers, in 1834, by defining it as characterised by markets of fictitious commodities, i.e. stuff like labour, land, money. More mainstream would be to point to the Renaissance or british 16th century.
The idea that capitalism and communism would be dependent on an art movement of the early 20th century is quite bizarre, the Communist Manifesto was published in 1848 and by the late 19th century when modernism started to form unions and communist parties were already common.
Actually, modernism is a reaction to the apparent stalling of 'progress', WWI and nostalgia for the optimism of the early modern period. I.e. from 1500 to late 1800s. In part it was also a reaction to what is usually called modern physics, i.e. things like newtonianism and ether hypotheses breaking down in due to Michelson-Morley and early study of quantum phenomena, relativity and so on.
> All of this is junk. Karl Polanyi famously puts the birth of capitalism very late compared to other important thinkers, in 1834, by defining it as characterised by markets of fictitious commodities, i.e. stuff like labour, land, money. More mainstream would be to point to the Renaissance or british 16th century.
Once again, I'm not referring to theorycraft here. I'm talking about the pragmatics of it.
"Capitalism" as an ideological polemic that stood opposed to "Communism" was a concept that society adopted in the mid 1900s.
What you're talking about is some labeling of some social and economic mechanisms.
Marx might have described communism. But when the USSR came to power, the specific brand of communist _ideology_ that was adopted by the government was its own thing, its own creature and entity.
Likewise, many theorists might have described a loose economic structure as "capitalism", but the "Capitalism, Freedom, and American Pie", as an ideological fixpoint that was sold to society as something to aspire to was something entirely different from the academic theorycraft you're referring to.
Hard to tell if you're kidding, misinformed or something else.
At "mid 1900s" Stalin had ruled the USSR for two decades.
another absurd ahistorical comment on HN, where capitalism apparently arose in the mid 20th century despite the long-standing pre-existence of stock issuing multinationals, wage laborers, currency-mediated trade, reserve banking, etc.
The American ideological fixture of Capitalism certainly did arise then. I'm not talking about the general descriptive academic theory that labels certain loose economic and social models as capitalism. I'm talking about the capital C capitalism, standing opposite to capital C communism. The USA vs USSR, the grand battle of ideologies.
We remember that right?
The ideology was born in the mid 1900s, in the middle of modernist fervour where humanity believed itself to be on the cusp of some sort of transformation into a kind of godhood. We had invented flight, we had harness light itself, we had controlled temperature, we had learned how to build buildings of any shape and size. And likewise we turned our attention to a machine for people.
Set up the right rules, and everything else will follow, the ideologies posit.
[dead]
I've increasingly taken the attitude that digital media is simply lost to corporate interests and there's nothing we can do about it aside from not spending money or time on the internet.
No, "not spending money or time" is utterly worthless.
It has zero leverage. Even if you could convince 1 person in 1000 to do that, you'd represent 0.1%. And that "1 in 1000" is hopelessly optimistic as it is.
If you want to change the world, "individual action" should be at the very last place in your list of actions to take.
>If you want to change the world, "individual action" should be at the very last place in your list of actions to take.
The heliocentric model began with one person out of the entire population of earth having the courage to publicly, loudly, and assertively disagree with TPTB.
Presuming you're talking Europe only, are you talking Copernicus? Brahe? Kepler? Galileo? You know that the heliocentric model had been discussed 2000 years earlier in Europe.
Let's assume that correct. Now, what did that "one person" do? Just reject the idea of Earth being the center of the universe? Or actually seek ways to make an alternate model more accepted?
"Individual action" is fucking worthless. But not all types of activism are.
Guessing this might be interpreted by some as a reference to Galileo so I'll take the opportunity to mention Against Method.
My point was not about changing the world but having a pleasant consumer experience. My local library works just fine for just the cost of my tax dollars.
I don't think the cost of writing the above code is an existential threat.if (geoip[sourceIp] === "France") { if (geoblocks["France"][sourceIp]) { return NOT_FOUND; } }[dead]
Another side effect of law makers yoloing legislation on things they don’t seem to understand
This all started, in earnest, with Response Policy Zones being added to BIND. RPZ allow DNS resolvers to lie to clients by returning (nxdomain or redirects to other domains) and the client does not know it is being lied to.
At first, RPZ was used to block known malicious domains (drive by malware downloads, etc.). Then, the security weenies started using RPZ to block other things like TikTok (for administrative/legal reasons). That's when the DNS became a big lie.https://www.isc.org/docs/BIND_RPZ.pdfI guess some day, one political party will use it to block the websites of other political parties, etc. That's stupid to say (I know) but that seems to be the slippery slope we are sliding down.
[flagged]
[flagged]
You mean like ChatGPT? Why is it ok for them to "pirate" the entire internet and not for a small individual. Maybe the whole copyright system is broken.
If you would like to talk about piracy, please define it first.
In my opinion it is unclear what you are referring to because many people have different views on what the term piracy actually means.
>>Pirates need to wake up to the fact that they are harming creators and people who provide the services that make modern life possible.
Could you clarify a single service that is being pirated that could be classified as "make modern life possible"? I'm just curious.
