But apparently there was actual CSAM there, since the article mentioned that archive.is removed it within a few hours. So the claim was real. Why did they make up such a story around it?
>They replied within a few hours. The response was straightforward: the illegal content would be removed (and we verified that it was), and they had never received any previous notifications about those URLs.
They never notified archive.today of the illegal material, instead they chose to demand blocking actions of archive.today from a DNS provider. I would be interested to know whether any other DNS service providers have received similar such demands.
I would assume (like any normal individual), that you would notify the service first (archive.today) and if they've proven to be a non-responder to CSAM material then escalate to legal action.
If archive.today is honest about never receiving a prior notification, then the way in which they've decided to go about removing the illegal material is very suspicious.
Generally if you encounter CSAM you should report to your country's appropriate organisation. Skip the police and go straight there to save everyone some time and avoid confusion. This agency will handle notifications etc to the site.
UK - https://report.iwf.org.uk/org/ (technically the NCA, but they are a catch all reporting target. As a private individual IWF will handle the onward report for you).
If you are in a country without such an agency, the above agencies are good to inform, as they will both handle international reports.
These organisations will ensure the material is taken down, and will capture and analyse it. CSAM can be compared against hash databases (https://www.thorn.org/) to determine whether it is as yet unknown material or reshared known material. This can help lead to the identification, arrest, and conviction of material creators as well as the identification and support of victims.
If you tell the site administrator directly there is a good chance they will remove the material and not report it; this is a huge problem in this space at the moment.
In the UK and the USA (and many other places) operators are obligated to report the material; in fact the controversial Online Safety Act puts actual teeth around this very obligation in the UK.
Thorn is the same organisation which drives Chat Control in the EU and to have their secret component installed in every app to scan your messages. Working with these organisations harms consumers, is detrimental for privacy and human rights even if they somehow have good intentions.
The point is that these organisations are in contact with each other and have established channels of funneling reports to each other and relevant legal systems for action.
Making the report is a long way off court action, and it would be unusual for a court to be involved. In most cases the data is connected, documented, and site owners contacted and educated.
Very few countries see accidental/unintentional hosting as a crime (it will fail most reasonableness tests) and fewer are interested in prosecuting one off offenders who can just be asked to stop.
Most countries are very interested in prosecuting the underlying creators and finding and supporting the victims.
I would generally use the standard precautions (VPN/Tor/etc.) but I think these organizations would much rather have you report the content than go after you, unless you've been reporting a suspicious amount of content that indicates you frequent such circles (i.e. you're one of those internet vigilantes).
Both of the reporting tools I linked allow fully anonymous reports.
If you are consuming or encountering CSAM in a fashion where it is not clear that you are not seeking it out and participating in its acquisition and distribution I suggest that you seek both medical and legal help.
One might even go so far as to insinuate that they were the party responsible for the CSAM being there to begin with. Wouldn't be the first time someone weaponized such content. I remember at least one case where a streamer was "digitally" swatted using a Dropbox upload link.
It's not inconceivable to suggest that the people claiming that the CSAM hadn't been removed knew it was still there not only because they'd never actually sent the request for removal, but because they themselves put up the original site and requested the CSAM be indexed in the first place.
If the world ran by conspiracy theories, the goal would be to normalize censorship at DNS level. Sony has tried (>2 years ago) by taking Quad9 to court over a copyright matter. There are too many parties involved for whom this practice would be a useful tool to have.
Since archive.is doesn’t scan the internet and only archives content on demand, those might as well have been planted exactly for this purpose - which would put another crime onto the accuser.
It’s a reasonable possibility to consider given the evidence of bad faith, the factually incorrect claims, the apparent impersonation of a lawyer, and the apparent history of targeting using similar claims but “different” claimants.
False flag attacks are a thing that wannabe censors do.
They post CSAM to some service/site, then immediately report it to every possible contact of the site's hosting provider, DNS provider, DDoS protection provider, etc. But not the site itself.
Before they do that, they spend weeks probing the site's moderation response, to work out the best time to evade detection on the site itself.
Then they do it again, and again, and again. They fight against the site's attempt to block them.
Their intent is to _deliberately_ get the site into trouble, and ultimately get the site's hosting, DNS, peering, etc. to abandon it.
The same sort of shitstains also persistently DDoS the site.
Why do they do it? Usually minor and petty internet squabbles, the instigator hates the site and wants to destroy the site, and uses these underhand tactics to do it.
They have no legal way to get what they want -- destroy someone else's site for their own pleasure -- so they use illegal ways. https://protectthestack.org/
I don’t understand this attack, are these reports anonymous or something?
In order to pull off this attack the attacker would have to have a collection of CSAM to upload. What if the site being attacked logged the uploader’s IP and went above-and-beyond complying with authorities and provided the source of the upload.
Well, I guess some people doing this sort of thing would try to hide their identity while doing the upload. Honestly, in that case… it might be reasonable for sites to not accept uploads via things like TOR, right? (Or however else these people hide their tracks).
People who have money to rent DDoS services from criminals also have money to rent VPNs that use US residential IP addresses (usually from home computers infected with malware under the control of criminals)
Many commenters are implying that there is a security issue here, and that I'm putting everyone in danger. That is quite frankly a pretty absurd claim to just casually make. I'm of course very curious to hear more details on what the security risk here actually would be?
Do you think I'm reading/writing sensitive data to/from subdomain-wide cookies?
Also, yes, the PSL is a great tool to mitigate (in practice eliminate) the problem of cross-domain cookies between mutually untrusting parties. But getting on that list is non-trivial and they (voluntary maintainers) even explicitly state that you can forget getting on there before your service is big enough.
I am not implying you’re putting “everyone” in danger. I’m merely implying that you’re putting your own service in danger by allowing clients to act like a trusted subdomain like controlpanel.statichost.eu, .secure, or Unicode similarities of www.
Ok, I see. You mean the possibility of users impersonating statichost.eu itself. That is actually a good point, and the exact reason why user subdomains are required to have a dash in them. Edit: Also, only ASCII is allowed. :)
I guess control-panel.statichost.eu is still possible, of course, but that already seems like a pretty long shot.
Let's say I have an open source project under the GPLv3 which only contains a foo.txt.
"If you are creating an open source application under a license compatible with the GNU GPL license v3, you may use BrowserBox Pro under the terms of the GPLv3."
So I can merge the BrowserBox Pro under GPLv3 to become part of my project.
Now I remove the foo.txt and my project will be a BrowserBox Pro clone under GPLv3 without the commercial restriction.
IANAL, but I'm wondering if this license really is GPL3? Because it's like a modified version of it - "GPL3 with a condition". From there, that possibly non-GPL3 license says that you can "use" the software, but not redistribute it.
But anyway it sounds like he needs to decide what he wants, and that's probably a non-open source license, if he doesn't want commercial use.
The license for the project is not GPLv3 but if my project is GPLv3 then the non-GPLv3 license for the project grants me a GPLv3 license if I include it.
Which shows the problem with this specific license in a single sentence.
I think that's a little too reductive—foo.txt wasn't a real app.
Nonetheless, I agree with your broad point: that if somebody can use it under the GPL, they can redistribute it and then all those downstream users can use it under the GPL.
But I disagree there is anything to fix. It's copyleft FOSS but businesses are encouraged to buy a license. Everybody wins.
My suggestion would be to license it under the AGPLv3+ for everyone, and then continue to sell commercial licenses to anyone who wants an alternative to the AGPL. Most corporations will refuse to use that license even though they're allowed to (e.g., https://opensource.google/documentation/reference/using/agpl...) and it's 100% FOSS.
I think the confusion over the licensing definitely indicates there is an opportunity for us to communicate better about this.
In terms of there being an actual better solution, though? I don't know. We're doing what other products are doing.
We remain open to the possibility that there could be a better solution tho. But we haven't yet seen anything to convince us we're not on the money as we are.
> if he wants his license to enforce being paid for commercial use.
Then it wouldn't be open source, so I am not rooting for that.
However, for better or worse, large successful businesses can be built on scaring companies to pay for a commercial proprietary license and/or support, for copyleft open source.
The Chinese put that in the ISO-3166 standard. Many statistics tools aggregate data by the ISO two-letter short country code, and automatically show the full name in output.
That’s porous asphalt, developed in the Netherlands and used on 90% of the roads here. It is fantastic when it’s raining and it gets damaged really quickly when it’s freezing. In our climate the benefits heavily outweigh the downsides and we just apply a new top layer very often (once every 1 - 5 years).
Exactly. Optimising care and attention to detail out of product design because it's too expensive is one of the reasons technology today is absolute crap anywhere you look.
A decade ago I used to view Steve Jobs as a designer that was a little too full of himself, today I see him as an extinct breed of people that had a vision and didn't compromise in the name of revenue and cutting corners.
Many engineers and managers nowadays think good, opinionated and well-crafted products are a waste of time and money. Shipping early is the only metric that matters, and the various Tim Cooks in charge are a sign of the times.
What's wrong with that sentence? Phones are generally pretty horrific in my experience.
Dog-shit usability compared to a desktop computer, massive brain-draining time-sinking cheap dopamine-spiking apps which add virtually zero value to the world, 99% of which have no real reason of being an "app" in the first place.