Firefox uses the same list.

COPY is often a usable alternative.

Right, for postgres I would use unnest for inserting a non-static amount of rows.

SQL's "feature" of having table and field names in the same syntactic namespace as an ever expanding set of english language keywords is the original eldritch curse behind it all.

With the Nextcloud app I remember having to enable full file permissions to preserve the GPS data of auto-uploaded photos a couple of years ago. Which I only discovered some months after these security changes went into effect on my phone. That was fun. I think Android 10 or 11 introduced it.

Looking now I can't even find that setting anymore on my current phone. But the photos still does have the GPS data intact.

There is never a good reason to permanently modify my files, if that is what is going on here. Seems like I wouldn't be able to search my photos by location reliably if that data was stripped from them.

And permissions should also not be so wide. You should be able to give permission to the GPS data in pictures you consciously took without giving permission to track your position whenever.

That would have a better solution in a date.getCurrentMonth(), in my opinion.

A [StackOverflow thread](https://stackoverflow.com/a/41992352) about this interface says it was introduced by Java way back in 1995, and copied by the first JavaScript implementation.

This is imo ultimately a problem with git.

If git didn't have this setting, then after checking out a bash file with LFs in it, there are many Windows editors that would not be able to edit that file properly. That's a limitation of those editors & nobody should be using those pieces of software to edit bash files. This is a problem that is entirely out of scope for a VCS & not something Git should ever have tried to solve.

In fact, having git solve this disincentives Windows editors from solving it correctly.

> I don't see how this is whole situation is the problem of any Linux tooling

Well, bash could also handle crlf nicely. There's no gain from interpreting cr as a non-space character.

(The same is valid for every language out there and all the spacey things, like zero-width space, non-breaking space, and vertical tabs.)

You will have the same problem if you build a Linux container image using scripts that were checked out on the windows host machine. What's even more devious is that some editors (at least VS Code) will automatically save .sh files with LF line endings on Windows, so the problem doesn't appear for the original author, only someone who clones the repo later. I spent probably half a day troubleshooting this a while back. IMO it's not the fault of any one tool, it's just a thing that most people will never think about until it bites them.

TL;DR - if your repo will contain bash scripts, use .gitattributes to make sure they have LF line endings.

The biggest mistake was running Linux programs over files created by Windows programs. Anything you move between those worlds is suspect.

I guess you're right - I find the tone off but it's not egregious & it is mostly a very useful list.

It doesn’t seem like email scanning is necessary to explain this. It appears that simply having a “bad” subdomain can trigger this. Obviously this heuristic isn’t working well, but you can see the naive logic of it: anything with the subdomain “apple” might be trying to impersonate Apple, so let’s flag it. This has happened to me on internal domains on my home network that I've exposed to no one. This also has been reported at the jellyfin project: https://github.com/jellyfin/jellyfin-web/issues/4076

Chrome sends visited urls to Google (ymmv depending on settings and consents you have given)

if it was just the domain, remember that there is a Cert Transparency log for all TLS certs issued nowadays by valid CAs, which is probably what Google is also using to discover new active domains

Well, that's potentially horrifying. I would love for someone to attempt this in as controlled of a manner as possible. I would assume it's possible for anyone using Google DNS servers to also trigger some type of metadata inspection resulting in this type of situation as well.

Also - when you say banned, you're speaking of the "red screen of death" right? Not a broader ban from the domain using Google Workplace services, yeah?

This reminds me of another post where a scammer sent a gmail message containing https://site.google.com/xxx link to trick users into click, but gmail didn't detect the risk.

G would flag _some_ instances.

Possible scenario:

- A self-hosted project has a demo instance with a default login page (demo.immich.app, demo.jellyfin.org, demo1.nextcloud.com) that is classified as "primary" by google's algorithms

- Any self-hosted instance with the same login page (branding, title, logo, meta html) becomes a candidate for deceptive/phishing by their algorithm. And immich.cloud has a lot of preview envs falling in that category.

BUT in Immich case its _demo_ login page has its own big banner, so it is already quite different from others. Maybe there's no "original" at all. The algorithm/AI just got lost among thousands of identically looking login pages and now considers every other instance as deceptive...

I have my own domain, and Immich is hosted on an "immich" subdomain.

Well, using the public suffix list _also_ isolates cookies and treats the subdomains as different sites, which may or may not be desirable.

For example, if users are supposed to log in on the base account in order to access content on the subdomains, then using the public suffix list would be problematic.

You're in good company! From 12 days ago: https://news.ycombinator.com/item?id=45538760

First rule of the public suffix list...

I will go with Google being bad / evil for 500.

Google 90s to 2010 is nothings like Google 2025. There is a reason they removed "Don't be evil" ... being evil and authoritarian makes more money.

Looking at you Manifest V2 ... pour one out for your homies.

They clearly are? It seems like GitHub users submitting a PR could/can add a `preview` label, and that would lead to the application + their changes to be deployed to a public URL under "*.immich.cloud". So they're hosted content generated by users (built application based on user patches) on domains under their control.

A part of the issue is IMO that browsers have become ridiculously bloated everything-programs. You could take about 90% of that out and into dedicated tools and end up with something vastly saner and safer and not a lot less capable for all practical purposes. Instead, we collectively are OK with frosting this atrocious layer cake that is today's web with multiple flavors of security measures of sometimes questionable utility.

End of random rant.

I'd probably say we ought to use DNS.

I'm under the impression that CORS largely solves it?

which is still much too new to be able to shut down the PSL of course. but maybe in 2050.

Cookies shouldn't be tied to domains at all, it's a kludge. They should be tied to cryptographic keypairs (client + server). If the web server needs a cookie, it should request one (in its reply to the client's first request for a given url; the client can submit again to "reply" to this "request"). The client can decide whether it wants to hand over cookie data, and can withhold it from servers that use different or invalid keys. The client can also sign the response. This solves many different security concerns, privacy concerns, and also eliminates the dependency on specific domain names.

I just came up with that in 2 minutes, so it might not be perfect, but you can see how with a little bit of work there's much better solutions than "I check for not-evil domain in list!"

regular cars?

Admitting I'm old, but my HP-11C still gets pretty-regular use.

And judging by eBay prices, or the SwissMicros product line, I suspect I have plenty of company.

I presume it has to be a curated list otherwise spammers would use it to evade blocks. Otherwise why not just use DNS?

> any platform that needs this functionality but would prefer not to leak any details publicly.

I’m not sure how you’d have this - it’s for the public facing side of user hosted content, surely that must be public?

> We already have the concept of a .well-known directory that you can use, when talking to a specific site.

But the point is to help identify dangerous sites, by definition you can’t just let the sites mark themselves as trustworthy and rotate around subdomains. If you have an approach that doesn’t have to trust the site, you also don’t need any definition at the top level you could just infer it.

It does smell very much like a feature that is currently implemented as a text file but will eventually need to grow to its own protocol, like, indeed, the hostfile becoming DNS.

One key difference between this list and standard DNS (at least as I understand it; maybe they added an extension to DNS I haven't seen) is the list requires independent attestation. You can't trust `foo.com` to just list its subdomains; that would be a trivial attack vector for a malware distributor to say "Oh hey, yeah, trustme.com is a public suffix; you shouldn't treat its subdomains as the same thing" and then spin up malware1.trustme.com, malware2.trustme.com, etc. Domain owners can't be the sole arbiter of whether their domain counts as a "public suffix" from the point of view of user safety.

It looks like Mozilla does use DNS to verify requests to join the list, at least.

  $ dig +short txt _psl.website.one @1.1.1.1
  "https://github.com/publicsuffix/list/pull/2625"

Doing this DNS in the browser in real-time would be a performance challenge, though. PSL affects the scope of cookies (github.io is on the PSL, so a.github.io can't set a cookie that b.github.io can read). So the relevant PSL needs to be known before the first HTTP response comes back.

Why would you compare Web to that? A first fax message would be more appropriate comparison.

Web is not a new thing and hardly a technical experiment of a few people any more.

If you add the time since announcing the concept of Web to that trip date, you have a very decent established industry already. With many sport and mass production designs:

https://en.wikipedia.org/wiki/Category:Cars_introduced_in_19...

We already have a solution to solve it: DNS-based Authentication of Named Entities (DANE)

This solution is even more obvious today where most certificates are just DNS lookups with extra steps.

Yes, my own domain.

The subdomain is "immich", which has crossed my mind as a potential flagging characteristic.

There are other browsers if you want to browse the web with the blinders off.

It's browser beware when you do, but you can do it.

If you have such strong feelings, you could always use vanilla chromium.

You can turn it off in Chrome settings if you want.

Firefox and Safari also use the list. At least by default, I think you can turn it off in firefox. And on the whole, I think it is valuable to have _a_ list of known-unsafe sites. And note that Safe Browsing is a blocklist, not an allowlist.

The problem is that at least some of the people maintaining this list seem to be a little trigger happy. And I definitely thing Google probably isn't the best custodian of such a list, as they have obvious conflicts of interest.

Oh god, you reminded me the horrors of hosting my own mailserver and all of the white/blacklist BS you have to worry about being a small operator (it's SUPER easy to end up on the blacklists, and is SUPER hard to get onto whitelists)

> I don't think the Internet should be run by being on special lists

People are reacting as if this list is some kind of overbearing way of tracking what people do on the web - it's almost the opposite of that. It's worth clarifying this is just a suffix list for user-hosted content. It's neither a list of user-hosted domains nor a list of safe websites generally - it's just suffixes for a very small specific use-case: a company providing subdomains. You can think of this as a registry of domain sub-letters.

For instance:

- GitHub.io is on the list but GitHub.com is not - GitHub.com is still considered safe

- I self-host an immich instance on my own domain name - my immich instance isn't flagged & I don't need to add anything to the list because I fully own the domain.

The specific instance is just for Immich themselves who fully own "immich.cloud" but sublet subdomains under it to users.

> *if you are going to have a "safe sites" list"

This is not a safe sites list! This is not even a sites list at all - suffixes are not sites. This also isn't even a "safe" list - in fact it's really a "dangerous" list for browsers & various tooling to effectively segregate security & privacy contexts.

Google is flagging the Immich domain not because it's missing from the safe list but because it has legitimate dangers & it's missing from the dangerous list that informs web clients of said dangers so they can handle them appropriately.

It always has been run on special lists.

I've coined the phrase "Postel decentralization" to refer to things where people expect there to be some distributed consensus mechanism but it turned out that the design of the internet was to email Jon Postel (https://en.wikipedia.org/wiki/Jon_Postel) to get your name on a list. e.g. how IANA was originally created.

New directive from the Whitehouse. Block all non approved sites. If you don't do it we will block your merger etc...

Yes but that's not a legal argument.

You're honor, we hurt the plaintiff because it's better than nothing!

The alternative is to not do this.

Marking for cookie isolation makes sense, but could be done more effectively via standardized metadata sent by the first party themselves rather than a centralized list maintained by a third party.

Informing decisions about blocking doesn't make much sense (IMO) because it's little more than a speed bump for an attacker. Certainly every little bit can potentially help but it also introduces a new central authority, presents an additional hurdle for legitimate operators, introduces a number of new failure modes, and in this case seems relatively trivial for a determined attacker to overcome.

They didn't say that these are actually for internal use only. They said that they are generated either from maintainers applying labels (as a manual human decision) or from internal PR branches, but they could easily be publicly facing code reviews of internally developed versions, or manually internally approved deployments of externally developed but internally reviewed code.

None of these are the kind of automatic user-generated content that the warning is attempting to detect, I think. And requiring basic auth for everything is quite awkward, especially if the deployment includes API server functionality with bearer token auth combined with unauthenticated endpoints for things like built-in documentation.

I think we might have hit the inflection point where being rude is more polite. It's not that I want people to be rude to me, it's that I don't want to talk to AI when I intend to be talking to a person, and anyone engaging with me via AI is infinitely more disrespectful than any curse word or rudeness.

These days, when I get a capitalized, grammatically correct sentence — and proper punctuation to boot, there is an unfortunate chance it was written using an AI and I am not engaging fully with a human.

its when my covnersation partner makes human mistakes, like not capitalizing things, or when they tell me i'm a bonehead, that i know i'm talking to a real human not a bot. it makes me feel happier and more respected. i want to interact with humans dammit, and at this point rude people are more likely to be human than polite ones on the internet.

i know you can prompt AIs to make releaistic mistakes too, the arms race truly never ends

Sometimes it is also rude to ask without looking the obvious place themselves. It is about signaling that ”my” time is more precious than ”your” time so I let them do that check for me, if I can use someone elses time.

I’m curious about basically all of it. It seems like such a powerful tool.

I seem to have irritated the parallel commenters tremendously by asking, but it seemed implausible I’d understand the design considerations by just skimming the CI config.

Top of mind would be:

1. How do y'all think about mitigating the risk of somebody launching malicious or spammy PR sites? Is there a limiting factor on whose PRs trigger a launch?

2. Have you seen resource constraint issues or impact to how PRs are used by devs? It seems like Immich is popular enough that it could easily have a ton of inflight PR dev (and thus a ton of parallel PR instances eating resources)

3. Did you borrow this pattern from elsewhere / do you think the current implementation of CI hooks into k8s would be generalizable? I’ve seen this kind of PR preview functionality in other repos that build assets (like CLI tools) or static content (like docs sites), but I think this is the first time I’ve seen it for something that’s a networked service.

At least the government is normally elected.

The government tends to get out of their way to have accountability and customer service.

Oh my bad, I severely misinterpreted your comment.

> there's either capitalism, or communism

Can you point them out on the map?

I worked for a company who had this happen to an internal development domain, not exposed to the public internet. (We were doing security research on our own software, so we had a pentest payload hosted on one of those domains as part of a reproduction case for a vulnerability we were developing a fix for.)

Our lawyers spoke to Google's lawyers privately, and our domains got added to a whitelist at Google.

It depends, if it's a clear-cut case, then in jurisdictions with a functioning legal system it can be feasible to sue.

Likewise, if it's a fuckup that just needs to be put in front of someone who cares, a lawsuit is actually a surprisingly effective way of doing that. This moves your problem from "annoying customer support interaction that's best dealt with by stonewalling" into "legal says we HAVE to fix this".

i think it's more akin to "people may have broken in and taken over this house, and within the house there may be sexual predators"

> If you are referring to abidance to the law, you are technically right.

Yes, the question was literally about the law.

I wasn't trying to say anything else. I was answering the commenter's legal question.

I don't know what you are trying to imply.

I'm not sure what exactly you mean by "good faith". The legal standard is "actual malice" which means you had to have either known you were wrong or recklessly disregarded being wrong. Just saying something false about a public figure in a way that causes damages is not enough.

Indeed. Thankfully, this isn't the first time Google has caused an issue like this, so I'm familiar with the appeal process.

Thank you for the "welcome message" suggestion! I'll implement that in the hope it may help in the future.

I'm actually already avoiding this issue but for another reason: hackers will scan subdomains matching known products with known vulnerabilities, so hosting a Wordpress behind "wordpress.domain.tld" will get you way more ill-intentioned requests than "tbyehl.domain.tld".

Thus if I started hosting my Immich instance, I would probably put it behind "pxl.domain.tld" or something like that.

Not a garantee to pass the Google purity test, but, according to some reports, it would avoid raising some redflags.

It is but this established pattern is well standardised & documented by the public suffix list project. There's generally two conventions followed for this pattern:

1. Use a separate dedicated domain (Immich didn't do this - they're now switching to one in response to this)

2. List the separate dedicated domain in the public suffix list. As far as I can tell Immich haven't mentioned this.

It's builds from PRs that can be submitted by anyone with a GitHub account

If you knew how the Mozilla corporation was governed, then you would not think that Firefox should be on the list.

And also, it's very feasible to contribute to Firefox. And through it, to Zen Browser, Librewolf, etc. as well.

Majority of users are on mobile now, and Firefox mobile sucks ass. I cannot bring myself to use it. Simple things like clicking the home button should take you to homepage, but Firefox opens a new tab. It's so stupid.

Firefox enables Google's "safe browsing" aka global internet censorship list by default.

He wasn't just involved with GrayJay, he's actually a member of FUTO - the company behind Immich and GrayJay. Now read grandparent comment one more time:

> Wouldn't be surprised if this leads to a lawsuit over monopolistic behavior

His reaction also matters because he's basically the public face for the company on YouTube and has a huge following. You've probably seen a bunch of social media accounts with the "clippy" character as their avatar. That's a movement started by Louis Rossman.

My work's email filter regularly flags links to JIRA and github as dangerous. It stopped being even ironically amusing after a while.

To be fair, that's a legally invalid copyright notice.

I see the same scam/deepfake ad(s) pretty much persistently. Maybe they actually differ slightly (they are AI gen mostly), but it's pretty obvious what they are, and I'm sure they get flagged a lot.

They just need to introduce a basic deposit to post ads, and you lose it if you put up a scam ad. Would soon pay for the staff needed to police it, and prevent scammers from bypassing admin by trivially creating new accounts.

Nah, they just don't give a fuck. Never have

> They are no longer able to process the requested commercials with due diligence

no longer able? or no longer willing to, because it impacts their bottom line?

Did they ever? They used to only allow text ads, which reduced malware compared to serving random JavaScript. But did they ever vet the ad's content?

They can afford to hire thousands of people to swiftly identify scams and take punitive action. And pay them well.

Use one of the forks. librewolf, waterfox, zen. Firefox itself lost trust when Mozilla tried to push the new Terms of Use earlier this year. That was so aggressively user-hostile that nobody should trust Mozilla ever again. Using a fork puts an insulation layer between you and Mozilla.

Librewolf is just a directly de-mozillaed and privacy-enhanced Firefox, similar to Ungoogled Chromium. I've been trying to get in the habit of using Zen Browser, which has a bunch of UI changes.

Why would a monopoly care about users interests?

>Companies get a pass.

I'm pretty sure that if Springer were to make a fraudulent ad, they would instantly be slapped with a lawsuit and face public outcry.

Do you report those only to Google, or also to your local watchdog/police/commerce regulator?

Same thing with Instagram, they accept all scam ads.

Google and Meta are trillion dollar criminal enterprises. The lion's share of their income comes from fraud and scams, with real victims having their lives destroyed. That is the sad truth, no matter how good and important some of their services are. They will never stop their principal source of income.

I think my comment came across a bit harsh - the Immich team are brilliant. I've hosted it for a long time & couldn't be happier & I think my criticisms of the tone of the article are likely a case of ignorance rather than any kind of laziness or dismissiveness.

It's also in general a thankless job maintaining any open-source project, especially one of this scale, so a certain level of kneejerk cynical dismissiveness around stuff like this is expected & very forgivable.

Just really hope the ignorance / knowledge-gap can be closed off though, & perhaps some corrections to certain statements published eventually.

A safe browsing service is not a terrible idea (which is why both Safari & Firefox use Google for this) & while I hate that Google has a monopoly here, I do think a safe browsing service should absolutely block your preview environments if those environments have potential dangers for visitors to them & are accessible to the public.

> mitigating false positives

First & foremost I really need to emphasise that, despite the misleading article title, this was not a false positive. Google flagged this domain for legitimate reasons.

I think there's likely a conversation to be had about messaging - Chrome's warning page seems a little scarier than it should be, Firefox's is more measured in its messaging. But in terms of the API service Google are providing here this is absolutely not a false positive.

The rest of your comment seems to be an analoy about people not being responsible for protecting their home or something, I'm not quite sure. If you leave your apartment unlocked when you go out & a thief steals your housemate's laptop, is your housemate required to exclusively focus on the thief or should they be permitted to request you to be more diligent about locking doors?

> This allows any member of the public with a GitHub account to deploy any arbitrary code to that subdomain without any review or approval from the Immich team.

This part is not correct: the "preview" label can be set only by collaborators.

> a subdomain of a domain that they also use for production traffic

To clarify this part: the only production traffic that immich.cloud serves are static map tiles (tiles.immich.cloud)

Overall, I share your concerns, and as you already mentioned, a dedicated "immich.build" domain is the way to go.

Having a decade of fresh air is also a good incentive regardless of how it ends

True, but google already censors their search results to push certain imperial agendas so i'm not trusting them in the long run.

How does the Internet addresses that?

This is the key idea.

Companies have economy of scale (Google, for instance, is running dozens to hundreds of web apps off of one well-maintained fabric) and the ability to force consolidation of labor behind a few ideas by controlling salaries so that the technically hard, detailed, or boring problems actually get solved. Open source volunteer projects rarely have either of those benefits.

In theory, you could compete with Google via

- Well-defined protocols

- That a handful of projects implement (because if it's too many, you split the available talent pool and end up with e.g. seven mediocre photo storage apps that are thin wrappers around a folder instead of one Google Photos with AI image search capability).

- Which solve very technically hard, detailed, or boring technical problems (AI image search is an actual game-changer feature; the difference between "Where is that one photo I took of my dog? I think it was Christmas. Which Christmas, hell I don't know" and "Show me every photo of my dog, no not that dog, the other dog").

I'd even risk putting up bullet point four: "And be willing to provide solutions for problems other people don't want solved without those other people working to torpedo your volunteer project" (there are lots of folks who think AI image detection is de-facto evil and nobody should be working on it, and any open source photo app they can control the fate of will fall short of Google's offering for end-users).

States are made of people both at decision and at street level. Many anti-trust laws were made when the decision people that were not very tied with the actual interests - nowadays this seem to change. At no point I think people at street level ever understood the actual implications.

A structural solution is to educate and lift the whole population to better understand the implications of their choices.

A tactic solution is to try to limit the collusion of decision people and private entities, but this does not seem to go extremely well.

An "evolutionary" solution (that just happens) used to be to have a war - that would push a lot of people to look for efficiency rather than for some interests. But this is made more complex by nukes.

I don't really see how anti-trust would address something like Google Chrome's safe browsing infrastructure.

The problem is that the divide of alignment of interests there is between new, small companies and users. New companies want to put up a website without tripping over one of the thousand unwritten rules of "How to not look like a phishing site or malware depot" (many of which are unwritten because protecting users and exploiting users is a cat-and-mouse game)... And users don't want to get owned.

Shard Chrome off from Google and it still has incentives to protect users at the cost of new companies' ease of joining the global network as a peer citizen. It may have less signal as a result of a curtailed visibility on the state of millions of pages, but the consequence of that is that it would offer worse safe browsing protection and more users would get owned as a result.

Perhaps the real issue is that (not unlike email) joining the web as a peer citizen has just plain gotten harder in the era of bad actors exploiting the infrastructure to cause harm to people.

Like... You know what never has these problems? My blog. It's a static-site-generated collection of plain HTML that updates once in a blue moon via scp. I'm not worried about Google's safe browsing infrastructure, because I never look like a malware site. And if I did trip over one of the unwritten rules (or if attackers figured out how to weaponize something personal-blog-shaped)? The needs of the many justify Chrome warning people before going to my now-shady site.

Problem is that as soon as some technology takes traction, it catches the attention of businesses, and there is where the slow but steady enshittification process begins. Not that business necessarily equals enshittification, but in a world dominated by capitalism without borders soon or later someone will break some unwritten rules and others will have to follow to remain competitive, until that new technology will become a new web, and we'll be back to square one. To me the problem isn't technical, as isn't its solution.

"Google will put more effort into fixing them"

Why would they do that? Do they lose money from these people? Why would they care? they're a monopoly they don't need to care

Intriguing comment, but your username does not inspire confidence.

In no way does IPFS "actually scale" while it takes two minutes (120 seconds) to find an object.

Not to mention that they have general council, who are lawyers but also just employees.

This is not accurate. I filed a claim against Bungalow in Oregon. They petitioned the judge to allow their in house attorney I was dealing with to represent them. The judge denied the request citing the Oregon statute that attorneys may not participate in small claims proceedings. Bungalow flew out their director of some division who was ill prepared.

Slam dunk. took all of 6-8 hours of my time end to end. The claim was a single page document. Got the max award allowable. Would have got more had it been California.

55.090 Appearance by parties and attorneys; witnesses. (1) Except as may otherwise be provided by ORS 55.040, no attorney at law nor any person other than the plaintiff and defendant shall become involved in or in any manner interfere with the prosecution or defense of the litigation in the department without the consent of the justice of the justice court, nor shall it be necessary to summon witnesses.

This is just so inaccurate, at least for California.

That's okay, you have backup of your data, and you don't really depend on your Gmail account for anything important.

So what? Why would you want to continue to use the services of a company you had to sue? That’s kind of a “burning the bridges” moment.

I wonder how that will work with mandatory arbitration clauses. Guess you don't know until you try.

it wouldn't work. they'd hire some minimum wage person to go to all of them and just read the terms and conditions you agreed to that include language about arbitration or whatever

I believe so. For me it was helpful to visualize getting up and convincing the judge of the damages.

I’d run a PnL, get average daily income from visitors, then claim that loss as damages. In court I’d bring a simple spreadsheet showing the hole in income as evidence of damages.

If there were contractors to help get the site back up I’d claim their payments as damages and include their invoices as evidence.

The reason Google doesn’t block Microsoft isn’t that they’re “looking out for Microsoft.” They’re looking out for themselves by being aware that blocking something that millions of people use would be bad for business.

Allowing user publishing is an inherent risk - these are good mitigations but nothing will ever be bulletproof.

The main issue is protecting innocent users from themselves - that's a hard one to generalise solutions to & really depends on your publishing workflows.

Beyond that, the last item (Public Suffix list) comes with some decent additional mitigations as an upside - the main one being that Firefox & Chrome both enable more restrictive cookie settings while browsing any domains listed in the public suffix list.

---

All that said - the question asked in the comment at the top of the thread wasn't about protecting users from security risk, but protecting the domain from being flagged by Google. The above steps should at least do that pretty reliably, barring an actual legitimate hack occurring.

We need to fix the jurisprudence around anti-trust.

> No person engaged in commerce or in any activity affecting commerce shall acquire, directly or indirectly, the whole or any part of the stock or other share capital and no person subject to the jurisdiction of the Federal Trade Commission shall acquire the whole or any part of the assets of another person engaged also in commerce or in any activity affecting commerce, where in any line of commerce or in any activity affecting commerce in any section of the country, the effect of such acquisition may be substantially to lessen competition, or to tend to create a monopoly.

Taken at face value, that would forbid companies from buying any large competitors unless the competitor is already failing. Somehow that got watered down into almost nothing.

You'd have to break most of those platforms' TOS to do so.

isn't beeper non-free? there aren't that many decent matrix bridges.

I run an email server with no specific spam filter. Sometimes I get spam. Then I add a filter on my end to delete it and move on. It's nowhere near as bad as people proclaim. Neither is deliverability, for that matter, even after I forgot to set an SPF record and some random internet server sent a bunch of spam on my behalf (which I know because I got the bounces).

> To try to do something about it requires curation, somebody needs to decide what is junk, which is completely antithetical to open protocols.

The contra-example, of course, is email. SpamAssassin figured this out 24 years (!) ago. There is zero reason you couldn't apply similar heuristics to detect AI-slop or whatever particular kind of content you don't want to accept.

> Radical recentralization to companies that had effective spam management

Only for the lazy.

So the solution to AI slop and spam is end of anonymity and total state control of the internet? Talk about the cure being worse than the disease.

The issues with todays internet stem specifically from the centralisation of power in the hands of Google, Apple and the social networks.

Bad search results? Blame Google's monopoly incentivising them intentionally making their results worse.

Difficulty promoting or finding events? Blame Facebooks real revenue model - preventing one to many communications by default and charging for exceptions.

AI overrun with slop? Blame OpenAI and Facebook, both of whom are actively promoting and profiting from the creation of slop.

Automated traffic slowing down sites? It's often the AI companies indexing and reindexing hundreds of times.

Spam? Not a huge issue for anyone that I'm aware of.

The closed internet platforms are the problem. Forcing them to relinquish control over handsets, data and our interpersonal connections is the solution. It will be legislative, or it will be torches to the data centres, likely both. But it is coming.

Why should curation be centralized? We do not need a "decentralized dictatorship" (what would that even be? that's antithetical) and we certainly do not need a centralized one. It seems crazy that your solutions to AI, spam, and "automated traffic" (I don't know what that is, I assume web crawlers and such) is that the police control every single transaction.

First off, we can simply let the user, or client software, choose. Why should we let centralized servers do that by default?

At scale, DNS is somewhat centralized but authorities are disconnected from internet providers and web browsers. They're the best actors to regulate this.

For mail, couldn't we come up with a mail-DNS, that authenticates senders? There could be different limits based on whether you are an individual or a company, and whether you're sending 10'000 emails or just 100.

Regardless of whether these are good solutions -- why jump to extreme ones? "TINA" is not a helpful argument, it's a slogan.

Remind me (in a millenium or two) when you can finally do XMPP MAM + message carbons. Until then: lol

As long as wealth can be transduced into political power, that boat is beached as

That’s not unique to PayPal. Pretty much any payment processor that detects a proprietor paying themselves is going to throw up a red flag for circular cash flow fraud and close the account. Bank-operated payment processors are often slower to catch it, but they will also boot you for this.

Fuck PayPal.

Fwiw Venmo is run by the same thugs who run PayPal. So go figure.

I sold some camera equipment on eBay once. PayPal flagged my account as fraudulent, asked for a receipt for the equipment which I did not have (I bought it years before), so they banned my account indefinitely.

Randomly, years later, they turned it back on. Thanks, I guess?