I didn't change anything, so it must be a problem on imgur's end specifically.

Here's an HTTP image:


Here's an HTTP image which redirects to HTTPS:

Democracy sucks. Very few people are knowledgeable about important issues because:
1. A ton of people are just overall stupid to begin with.
2. Even smart people don't have much incentive to become knowledgeable about issues because they know that their vote is almost meaningless.

This is clearly demonstrated by the fact that referenda on raising the minimum wage almost always pass overwhelmingly, despite the fact that virtually every economist says that minimum wage laws are counter-productive.

Usually what you get in the end is a big mess of special-interest-backed laws which don't make any sense, hurt liberty, and drag down the economy. Example: A sugar company will gain $1 million per year from a sugar tariff. Every citizen will lose $0.01 per year due to slightly increased prices from that same tariff, for a total country-wide loss of $3 million per year. Most people won't know that this issue even exists because they are not sufficiently knowledgeable and don't have any incentive to become knowledgeable. For people who do know, it's still usually not rational to spend time and money trying to defeat this measure when you're only going to lose $0.01 per year. Whereas it is rational for the sugar company to spend money trying to get the tariff enacted. (The same sort of thing applies to niche ideological positions, too, not just money.) So these special-interest-backed initiatives often pass (there is in fact a sugar tariff in the US), and they accumulate over time.

The US founding fathers tried to set up the government such that it was more-or-less ruled by an elite set of intellectuals with democracy as only a distant check on possible tyranny, but it clearly didn't work, and nowadays democracy mostly prevails. I suspect that any mixed system of this sort will eventually fail. (Also see my post here.)

I've gone back and forth, but at the moment I tend toward thinking that monarchy would be better than democracy, even though monarchy is clearly also very flawed. At least the monarch can have some sort of guiding vision rather than the total schizophrenia we often see in democracies, and they have more personal skin in the game, since the state's success is their success, for their entire lifetime and extending through the lifetimes of their heirs. But I've never lived in an absolute monarchy, and maybe I'd think differently if I did.

In any case, it'd be better to:
 - Limit government involvement in everything. A government with little power can't do as much harm, even if it constantly makes poor decisions.
 - Have many smaller states rather than a few big ones. If there were 10,000 states and a worldwide culture of allowing freedom of movement, then you wouldn't have to worry so much about your state falling to tyranny or mob rule, since at least one of the other ones should still be OK.
 - Not brainwash people into thinking that democracy or absolutism is by definition good. I've met a lot of people who think that if a majority agrees to something, then that's the end of discussion: the thing agreed to is absolutely moral and correct. This is very stupid.
 - Not treat the law as your god, using it a comfortable shortcut for moral and/or utilitarian thinking.

.onion is even worse for DDoS attacks because the clients are all anonymous, so you can't ban abusive IPs. That's why I haven't created a .onion, even though it would be very easy to do.

Tor needs to address this somehow. I've mentioned some ideas in the past.

They were trying various different things for several hours, but they stopped for now. I wouldn't be surprised if they try it again tomorrow, but I re-activated one of the systems which was part of my custom anti-DDoS setup before moving to Cloudflare, and that's been able to identify and block them so far.

DDoS attacks are back-and-forth affairs:
1. The attacker tries something.
2. Your automated systems handle it, or the site goes down until you manually figure out how to mitigate it.
3. The attacker tries something else.
4. Repeat until one side gets sick of it.


It's not my main area of interest, so I might never get around to it.

If I was interested in that, what I'd do is create an open source project which would basically replicate Cloudflare (plus improvements) by using your own AWS, Azure, Google Cloud, etc. account. So you'd download the open source script, give it your cloud-provider credentials, and it'd set it all up for you, maybe even including a nice Web interface. It would create a small CDN of a few very-lightweight instances spread across the world, and automatically spin up more instances in the correct regions when the existing ones are overloaded. The instances would reverse-proxy your site, cache appropriately, keep track of IP reputation, sometimes insert challenges, etc. Costs would probably be higher than the cheaper Cloudflare plans, but much cheaper than Cloudflare Enterprise.

Also, that this sort of need exists shows that the Internet is fundamentally broken. PoW should be part of TCP, not a janky hack which requires hiding behind huge networks and probably accepting a MITM.

Done, thanks.

No, but for now I'm successfully filtering it.


CF stops all sub-layer-7 attacks, which is somewhat useful. But I was doing pretty well at stopping those on my own. What caused me to switch to Cloudflare in the first place was tens of thousands of IPs doing things which seemed indistinguishable from real-world traffic. For those layer-7 attacks, Cloudflare has been a mixed bag.

First of all, I can enable the "checking your browser" thing, and that stops almost all attacker traffic. But that also breaks noscript browsers and bots, so I don't like to do it too much. Skilled attackers can also sometimes get through that, though I think that it does require a proof-of-work.

Cloudflare is honestly not very good at detecting attack traffic. You'd think that they'd be able to detect things like a huge influx of IPs that are not the regular visitors, or IPs that are not used for regular traffic on any of CF's sites, or a bunch of weird request patterns that have never been done before in the history of the site. I feel like I'd be able to write this kind of general detection code if I had a year to dedicate to it, and I'm not a giant corporation. So that's a disappointment. But nobody else is better AFAIK. I talked to Incapsula at length, and their tech is AFAICT basically the same as Cloudflare, but a lot more expensive.

It's a DDoS.

I restored the four deleted topics, but since they were all very similar, I locked all but one of them.

Except for a few special cases, it should not be policy for subjects to be confined to megathreads. It's OK for there to be overlap between multiple active threads. If a board seems to become monopolized by similar-looking topics, then some lockings or perhaps deletions might be warranted, but Hardware is low-volume.

I added meta tags to most sections which specify the language. Like:
In Firefox, you can see it by looking at "page info".

If you frequent a local section, please check it to make sure that I got it right. For example, the little bit of research I did made me think that "hi,en-IN" (Hindi & Indian-flavored English) is correct for the India section, but I'm not 100% sure about that.

Done. I only did the ones that look really similar to Latin characters, and it only applies to English sections. It's done at display time, so it's retroactive.

It would take at least a couple hours every day to deal with them. Each case typically requires a lot of follow-up. And it's really annoying work. I used to do them sort-of regularly, but at some point I just couldn't stand it anymore, in addition to not really having time. Cyrus is still doing some, though not enough to keep up.

There's no need for any fee, and a fee probably wouldn't be appropriate unless absolutely necessary. Money is not a problem. If I could throw $100k at the problem and make it go away, I would do so. But in the real world, there is no magic wishing well where you can throw money and make things happen. You give people money and they don't do what you want, or the people you hire turn out not to be trustworthy, or you fill out the tax forms wrong and then later have to spend more time&money dealing with that than you would've by just doing the thing with current sub-optimal resources, etc.

I acknowledge that the current situation is very bad, and we have some plans for fixing it. I hope to have manual account reviews going smoothly again before the end of the year at the latest.


Yes, this would be very useful. I hate that I'm basically acting as a CEO here. I hate dealing with lawyers and accountants, or figuring out who to hire. This stuff is not my wheelhouse, and is in fact not even on my ship. I wish that someone would take all of that business-related stuff off my hands. But it looks like that's the one aspect which is most difficult to (safely) get rid of, so I've been trying (with only a bit of success) to delegate in other areas.

A former chair of the Federal Election Commission agrees that the campaign finance stuff has no merit: https://www.c-span.org/video/?450698-4/washington-journal-bradley-smith-discusses-michael-cohens-plea-deal-campaign-finance-laws

I meant that he won't throw people in his in-group under the bus.


Pence is a Cheney-style neocon. Very pro-war and authoritarian. So he'd probably get along well with the neoliberal Democratic establishment, even if they'd pretend to hate him due to his social views (which he's not in a position to do much about as president anyway).

Trump is friends with Manafort, he believes (maybe rightly) that Manafort would not be in any trouble if not for his association with Trump, and Manafort is remaining loyal. Trump has proven throughout his presidency that the #1 thing he cares about is personal loyalty, so he will feel obligated to protect Manafort here. Trump isn't the kind of person who can easily throw someone under the bus, and he will perceive not pardoning Manafort as doing so.

From what I've heard, Cohen's guilty plea was unusual in that he seemed to plea guilty without actually cooperating with law enforcement or even seeking a typical plea deal. I wonder what that's about.

Although Cohen and Manafort both seem like highly unethical characters AFAICT (Cohen was secretly recording his clients in order to collect dirt on them, and Manafort apparently worked for an evil Ukrainian regime), the specifics of these cases make them look more like a move against Trump. For example, it's extremely unusual for anyone to be pursued for bank fraud in which the bank didn't actually lose any money, or criminally for this sort of campaign finance stuff. And the campaign finance thing seems like a real stretch, since Trump has buried personally-damaging stories like this on several occasions before he was running for president. It'd be like saying that spending personal money to renovate your house was a campaign contribution because it'd look bad campaign-wise if you had a run-down-looking house; it's very tangential.

I think that Trump will pardon Manafort, which is a horrible move politically. Impeachment is unlikely, but if it does happen, we might end up looking back on that pardon as being the thing which ultimately resulted in Trump getting impeached. But a strong desire to pardon is understandable from Trump's perspective.

From a libertarian perspective, this whole mess is probably pretty good because it keeps the government chaotic, divided, and busy, and maybe it'll even expose the stupidity of some of these "paperwork crimes".

[btc] is the only custom tag. Some other behavior of the bbcode parser was changed, but it's more stylistic than semantic, like disabling certain tags in some contexts.

If someone wrote a bbcode parser that was 99.9% compatible with the SMF bbcode parser but was based on traditional parsing (ie. lex+yacc-style), that'd be useful. The current regex monstrosity really sucks.

None of these ideas are new to me. Even if I don't respond to suggestions, I do read them, and they float around in my mind going forward. If it's not already done, then there's some reason why. A big possible reason is that I'm the only person who does development on the current code, and my time is limited. Another big reason is that this is a huge forum with complex dynamics, and even small policy changes can have big effects which need to be thought through very carefully.

An example: a bump button sounds good as a fix for certain very visible problems, but it also codifies a broken system. People would use bots to bump all of their threads constantly, giving "industrial" posters a huge advantage over casual posters. A captcha could maybe help a little, but there are services where you can pay a tiny fee to have captchas solved for you. (Which opens another question: maybe a comparatively tiny fee should be allowed as an alternative to having you solve a captcha.) A better solution would be to replace the concept of traditional bumping with something quite different, with different bumping models for different types of sections. But that requires further thought. If implementing a bump button was free, perhaps it'd be worthwhile to at least do it for now and fix a few minor problems with bumping today. But since it's a clearly-imperfect solution, this isn't even on my miles-long to-do list.

I'm not going to respond here in detail to all of these ideas. It'd be extremely long. I will classify them as OK/maybe/no:


OK in principle, would require thought/adjustment/implementation. Many of these things are more complex than they look at first glance.


Maybe.


No. Or not yet. Or the idea would need to be significantly modified.

Partially it's because we're talking about two different situations. I'm thinking mainly of someone actively trying to attack ECDSA, and the lockers symbolize private keys, not addresses or public keys. You seem to be thinking mainly about two people accidentally generating the same address.

In symmetric crypto, if there are no other weaknesses, then a key length of N bits means that you have to search through O(2^N) keys in order to break the cipher. There is no faster way on classical computers. This sort of perfect cipher is used as the security standard for all crypto; when someone says that something has 128 bits of security, they mean that it has the same security as a perfect symmetric cipher with 128-bit keys. My analogy is meant to illustrate that breaking Bitcoin's ECDSA is roughly O(2¹²⁸).

All asymmetric crypto has worse security efficiency than the perfect symmetric cipher. In the case of elliptic-curve crypto, a key length of N bits implies an equivalent security (vis-à-vis the perfect symmetric cipher) of no more than N/2 bits because there are known algorithms for solving the underlying elliptic-curve discrete logarithm problem in O(sqrt(n)) on classical computers. (Also, it's completely broken on quantum computers.)

If you're interested in an attacker who only has an address to work with, without any ECC stuff (ie. unused addresses), then 2¹⁶⁰ is a reasonable number. If you're considering collisions, which cannot usually be useful to an attacker, then 2¹⁶⁰ is OK, but then you need to consider the birthday problem. If someone really wanted to find a collision, then it probably can be done in a human lifetime, but almost certainly they would collide two of their own addresses, not one of theirs with someone else's.

The forum sells ad space in the area beneath the first post of every topic page. This income is used primarily to cover hosting costs and to pay moderators for their work (there are many moderators, so each moderator gets only a small amount -- moderators should be seen as volunteers, not employees). Any leftover amount is typically either saved for future expenses or otherwise reinvested into the forum or the ecosystem.

Ads are allowed to contain any non-annoying HTML/CSS style. No images, JavaScript, or animation. Ads must appear 3 or fewer lines tall in my browser (Firefox, 900px wide). Ad text may not contain lies, misrepresentation, or inappropriate language. Ads may not link directly to any NSFW page. No ICOs^[1], banks, funds, or anything else that a person can be said to "invest" in; I may very rarely make exceptions if you convince me that you are ultra legit, but don't count on it. Ads may be rejected for other reasons, and I may remove ads even after they are accepted.

There are 10 total ad slots which are randomly rotated. So one ad slot has a one in ten chance of appearing. Nine of the slots are for sale here. Ads appear only on topic pages with more than one post, and only for people using the default theme.

Duration

- Your ads are guaranteed to be up for at least 7 days.
- I usually try to keep ads up for no more than 8 or 9 days.
- Sometimes ads might be up for longer, but hopefully no longer than 12 days. Even if past rounds sometimes lasted for long periods of time, you should not rely on this for your ads.

Stats

Exact historical impression counts per slot:
https://bitcointalk.org/adrotate.php?adstats

Info about the current ad slots:
https://bitcointalk.org/adrotate.php?adinfo

Ad blocking

Hero/Legendary members, Donators, VIPs, and moderators have the ability to disable ads. I don't expect many people to use this option. These people don't increase the impression stats for your ads.

I try to bypass Adblock Plus filters as much as possible, though this is not guaranteed. It is difficult or impossible for ABP filters to block the ad space itself without blocking posts. However, filters can match against the URLs in your links, your CSS classes and style attributes, and the HTML structure of your ads.

To prevent matches against URLs: I have some JavaScript which fixes links blocked by ABP. You must tell me if you want this for your ads. When someone with ABP and JavaScript enabled views your ads, your links are changed to a special randomized bitcointalk.org URL which redirects to your site when visited. People without ABP are unaffected, even if they don't have JavaScript enabled. The downsides are:
- ABP users will see the redirection link when they hover over the link, even if they disable ABP for the forum.
- Getting referral stats might become even more difficult.
- Some users might get a warning when redirecting from https to http.

To prevent matching on CSS classes/styles: Don't use inline CSS. I can give your ad a CSS class that is randomized on each pageload, but you must request this.

To prevent matching against your HTML structure: Use only one <a> and no other tags if possible. If your ads get blocked because of matching done on something inside of your ad, you are responsible for noticing this and giving me new ad HTML.

Designing ads

Make sure that your ads look good when you download and edit this test page:
https://bitcointalk.org/ad_test.html
Also read the comments in that file.

Images are not allowed no matter how they are created (CSS, SVG, or data URI). Occasionally I will make an exception for small logos and such, but you must get pre-approval from me first.

The maximum size of any one ad is 51200 bytes.

I will send you more detailed styling rules if you win slots in this auction (or upon request).

Auction rules

You must be at least a Jr Member to bid. If you are not a Jr Member and you really want to bid, you should PM me first. Tell me in the PM what you're going to advertise. You might be required to pay some amount in advance. Everyone else: Please quickly PM newbies who try to bid here to warn them against impersonation scammers.

If you have never purchased forum ad space before, and it is not blatantly obvious what you're going to advertise, say what you're going to advertise in your first bid, or tell me in a PM.

Post your bids in this thread. Prices must be stated in BTC per slot. You must state the maximum number of slots you want. When the auction ends, the highest bidders will have their slots filled until all nine slots are filled.

So if someone bids for 9 slots @ 5 BTC and this is the highest bid, then he'll get all 9 slots. If the two highest bids are 9 slots @ 4 BTC and 1 slot @ 5 BTC, then the first person will get 8 slots and the second person will get 1 slot.

The notation "2 @ 5" means 2 slots for 5 BTC each. Not 2 slots for 5 BTC total.

- When you post a bid, the bids in your previous posts are considered to be automatically canceled. You can put multiple bids in one post, however.
- All bid prices must be evenly divisible by 0.02.
- The bidding starts at 0.02.
- I will end the auction at an arbitrary time. Unless I say otherwise, I typically try to end auctions within a few days of 10 days from the time of this post, but unexpected circumstances may sometimes force me to end the auction anytime between 4 and 22 days from the start. I have a small bias toward ending auctions on Fridays, Sundays, and Mondays.
- If two people bid at the same price, the person who bid first will have his slots filled first.
- Bids are considered invalid and will be ignored if they do not specify both a price and a max quantity, or if they could not possibly win any slots

If these rules are confusing, look at some of the past forum ad auctions to see how it's done.

I reserve the right to reject bids, even days after the bid is made.

You must pay for your slots within 24 hours of receiving the payment address. Otherwise your slots may be sold to someone else, and I might even give you a negative trust rating. I will send you the payment information via forum PM from this account ("theymos", user ID 35) after announcing the auction results in this thread. You might receive false payment information from scammers pretending to be me. They might even have somewhat similar usernames. Be careful.

---

[1]: For the purposes of forum ads, an ICO is any token, altcoin, or other altcoin-like thing which meets any of the following criteria: it is primarily run/backed by a company; it is substantially, fundamentally centralized in either operation or coin distribution; or it is not yet possible for two unprivileged users of the system to send coins directly to each other in a P2P way. The intention here is to allow community efforts to advertise things like Litecoin, but not to allow ICO funding, even when the ICO is disguised in various ways.

Still too investment/ICO-looking.

Auction ended, final result:
Slots BTC/Slot Person
4 0.10 ChipMixer
2 0.10 faucet.ly
1 0.10 TrueFlip.io
2 0.02 Foofighter