The link in the HN submission contains the same text and excerpt from your link.
Additionally they note:
"While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk."
IMO, probably in and of itself, this alone is not able to do much besides maybe a crash / Denial of Service on modern systems. But it might be able to be used as part of a more advanced exploit chain, alongside other vulnerabilities, to potentially reach remote code execution, though this would be a much more sophisticated exploit and is maybe a bit of a reach. Still, I hesitate to call it impossible on modern systems due to the creativity of exploit developers.
> though this would be a much more sophisticated exploit and is maybe a bit of a reach.
Not necessarily. I have successfully exploited stack buffer overflows in major products despite stack canaries, ASLR, and DEP. It largely depends on context; if the vector is something that can be hit repeatedly, such as a webform that takes a cert or whatever, that simplifies things a lot versus something like a file format exploit, where you probably only get one chance. While I haven't analyzed this vulnerability, I would absolutely assume exploitability even if I couldn't see a way myself.
"Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.
OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A lot of IoT devices for example still don't have stack cookies for any of their software.
It depends on what mitigations are in place and the arrangement of the stack. Even with stack canaries, having an unfortunate value on the stack e.g. a function pointer can still be quite dangerous if it can be overwritten without hitting any of the stack canaries.
…and they did really guess an ipv6 address? Full scans of the ipv6 address space look infeasible. Or did the sbc reach out to the internet thus having its address exposed?
Otherwise just the huge amount of addresses should make ipv6 “more secure” imho.
I don’t have any idea how they got the ip, it could certainly have been making outbound connections, though. I think it had NTP, although I might have pointed it at a local server we had for that.
In IA_NA mode, you're at the mercy of the DHCPv6 server for any kind of address privacy. And good luck getting a second address if you want to run a CLAT for 464. You don't want this in a home network.
As for servers, you mostly won't want it either, considering (a) you might rather configure things statically, and (b) it's easier to just deal out whole /64s per server, especially since that gives space for VMs.
So where's the niche for DHCPv6? Maybe assigning addresses for telco or OOB equipment… idk.
And just to be clear: DHCPv6 information-only ("stateless") and DHCPv6 prefix delegation modes are perfectly fine. It's the individual address assignment (IA_NA) mode that should just never have been invented.
I don't know how much impact this has in practice, but you do not need to scan the entirety of the ipv6 address space because you can just look at the IPs that are registered to known ISPs/ASs.
You're gonna need to scan 2^64 addresses once you've located the IPv6 network assigned to my connection before you find my phone. 2^56 if you don't get lucky guessing the network prefix it happens to be on at that moment.
Assuming a scan with a minimum 4 byte ICMP packet, that's about 73786 petabytes of network traffic for that /64. You'll need to shove it down the pipe within a day because IPv6 privacy extensions mean the IPv6 address used changes after 24 hours. With only 1gbps fiber, I don't think the deanonymisation is the problem at that kind of traffic level.
I'm also not sure how much it helps, but a friend and I were just talking about how big the numbers get today.
My ISP provides my house a /56 allocation. There are 4,722,366,482,869,645,213,696 addresses. I should have enough for a couple of years, at least.
I guess you could scan it. The IPs for most devices are chosen randomly within a /64 subnet, or they're based on MAC address, but they're not sequential by any means. A /64 is still 18,446,744,073,709,551,616 possible IPs.
Unfortunately I think one of the problems with v6 is people are just unable to apply intuition to numbers this big. The minimum number of /64s an ISP will have is around 4 billion. They generally give subscribers a /56 which is 256 /64s. It's all simple power-of-2 arithmetic. Computer people used to get how big 2^64 is.
Most of the time it's going to be a /64, so even if you know the prefix you're still never going to guess a random address. But a lot of older clients will use a deterministic address based on their MAC, searching the space of MACs for known sbcs would be a lot more tractable.
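The gap between a random interface identifier and a MAC-derived one, as an added example that is not part of any comment in this thread: it builds a modified EUI-64 SLAAC address, audits a list of addresses for embedded MACs, and reproduces the search-space and traffic figures quoted above. The prefix (`2001:db8::/32` documentation space), the MAC (RFC 7042 documentation range) and all function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an address: the interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID for a 48-bit MAC (RFC 4291, appendix A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI (first 3 octets) and the device-specific 3 octets.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address an older SLAAC client would configure on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers assume a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def embedded_mac(address: str):
    """Return the MAC an address appears to embed, or None.

    A random interface ID contains ff:fe in the marker position with
    probability 1/65536, so a hit is a strong hint, not a proof.
    """
    raw = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """List (address, mac) pairs for addresses that leak a hardware MAC."""
    return [(a, m) for a in addresses if (m := embedded_mac(a))]


def candidates_random_iid() -> int:
    """Addresses to try in one /64 when the interface ID is random."""
    return 1 << 64


def candidates_known_ouis(oui_count: int) -> int:
    """Addresses to try in one /64 when the vendor OUI set is known.

    Only the 24 device-specific MAC bits are unknown per OUI.
    """
    return oui_count * (1 << 24)


def exhaustive_scan_petabytes(prefix_len: int = 64, probe_bytes: int = 4) -> int:
    """Traffic (decimal petabytes, rounded down) to probe every address once."""
    return (1 << (128 - prefix_len)) * probe_bytes // 10**15


# Constructed sample inventory: one MAC-derived address, one random-looking
# address of the kind privacy extensions (RFC 4941) produce.
SAMPLE_ADDRESSES = [
    str(slaac_eui64_address("2001:db8:0:1::/64", "00:00:5e:00:53:2a")),
    "2001:db8:0:1:9c3a:71d2:4be8:5f1",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES):
        print(f"{addr} embeds MAC {mac}: switch this host to random interface IDs")
    print("random IID candidates per /64:", candidates_random_iid())
    print("candidates for 10 known OUIs: ", candidates_known_ouis(10))
    print("full /64 sweep, 4-byte probes:", exhaustive_scan_petabytes(), "PB")
```

Run against your own address inventory, any hit from `audit` marks a host whose address is predictable from its hardware vendor and should not rely on address obscurity.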
That will only give the NTP server the IP you use for outbound connections. If you use privacy extensions, they'll get a temporary address.
If you don't configure your firewall to allow inbound connections to the temporary address, knowing your temporary address doesn't help them connect back to you. (Also, it's temporary, so their logs of IPs will be useless after a small window.)
Compare this to v4, where connecting out to someone gives them enough information to exhaustively port scan your whole network and trivially find every server you're running.
In theory, IPv6 Privacy Extensions (https://datatracker.ietf.org/doc/html/rfc4941) could mitigate this. In practice, I imagine when you bind to `[::]:port`, that also means that the randomized addresses would work for new inbound connections, too. Not sure how long they typically last, but you'd be fighting against the clock at least before a new randomized address.
That being said, on a slightly less common note: it is quite possible to have each individual service running on a /128. E.g. on IPv6 k8s clusters, each pod can have a publicly addressable /128, so activities like NTP would require the container to have an NTP client in it to expose in that way. That'd mitigate a good chunk of information exposure -- that being said, I agree with the larger point about security via obscurity being insufficient.
If you have a shitty ISP that rotates prefixes like it's 2005, hosting anything public is a massive pain already. DDNS works just as well on IPv6, though.
Internally, a ULA will keep things reachable even if you move ISPs. You could even set up a NAT66 setup to translate your changing prefix to your stable ULA so you don't need to update any firewall rules, but that's a pretty terrible workaround for a problem that shouldn't be on you to fix in the first place.
```
The rights holders also declared, under their own responsibility, providing
certified documentary evidence of the current nature of the unlawful conduct, that the reported
domain names and IP addresses were unequivocally intended to infringe the
copyright and related rights of the audiovisual works relating to live broadcast sporting events
and similar events covered by the reports.
```
So, I'm not sure anybody verified that what the right holders claimed was actually true. While I understand what AGCOM (the Italian FCC, more-or-less) is trying to do, it seems that, as usual, a law was created without verifying how the implementation of such law would work in practice (something very common in Italy), and this is the result.
Cloudflare CEO seems irate, and some of his references are not great, but I'd be inclined to think he's got at least _some_ reason on his side.
Also another Italian here. For context, the "Piracy Shield" mentioned in the order is basically a legislative hacksaw authorized by the regulator (AGCOM) primarily to protect Serie A football rights. Soccer rules Italy more than the Vatican.
It’s a mess technically: it mandates ISPs and DNS providers to block IPs/domains within 30 minutes of a report, with zero judicial oversight. It’s infamous locally for false positives—it has previously taken down Google Drive nodes and random legitimate CDNs just because they shared an IP with a pirate stream.
The NUCLEAR threat regarding the 2026 Winter Olympics (Milano-Cortina) is the real leverage here. He’s bypassing the regulator and putting a gun to the government’s head regarding national prestige and infrastructure security.
My personal take on the likely outcome: Cloudflare wins.
EU Law: The order almost certainly violates the Digital Services Act (DSA) regarding general monitoring obligations and country-of-origin principles.
Realpolitik: The Italian government can't risk the Olympics infrastructure getting DDoS'd into oblivion because AGCOM picked a fight they can't win. They will likely settle for a standard, court-ordered geo-block down the road, but the idea of Cloudflare integrating with a broken 30-minute takedown API is dead on arrival.
> The NUCLEAR threat regarding the 2026 Winter Olympics (Milano-Cortina) is the real leverage here. He’s bypassing the regulator and putting a gun to the government’s head regarding national prestige and infrastructure security.
Kind of wild that a private company has that kind of power, both in terms of being one of the few that can offer this service and they can make threats at this level.
I have to say I'm curious over whether that's actually leverage or a massively miscalculated threat that is just going to push the Italian population and politicians firmly against Cloudflare.
I'm pretty sure if you tried that here (Canada) it would do the latter.
Would a regulating body in Canada do this, though? And if so, hopefully Cloudflare would say fuck you just the same as they did Italy. It's nice to see someone actually taking a principled stand for once.
If our politicians were stupid enough to pass a law telling them to - I sure hope so - we live in a place with the rule of law not the rule of whatever Joe at the CRTC thinks should happen. Regulators exist to enforce the will of parliament...
Would our politicians pass a law this unfortunate... I hope not... but I don't really have that much faith in them. The current government probably wouldn't, but governments change.
Referencing the Trump administration - the people going around threatening, deporting, arresting, taking money from, etc people as a consequence for speech they don't like - as the standard for free speech makes this far from a principled stand by Cloudflare. They took their moral high ground and sunk it. This isn't about speech for them, just money.
You're free to believe all that. "Rule of Law" loses all meaning when corruption takes root. We don't like that "for my friends, everything, for everyone else, the law" shit.
Things can be morally wrong and still legal, and the law itself can intentionally enforce immorality. It's your civic duty to determine when upholding the law degrades you and everyone else more than following it does.
Also I feel like threatening to take your toys and go home when they don't play fair is a totally valid response.
"for my friends, everything, for everyone else, the law" is a weird description, when that's not the problem with this law at all. There's no question of selective enforcement going on here. The problem is lack of due process, not that.
It's a great description of one of the main tactics the administration he is asking for help uses though. Which again goes to Cloudflare entirely abandoning the moral high ground here.
Threatening to leave is "totally valid" in that it's their right to leave, but it's also not something that a sovereign country that cares about staying sovereign should give any respect to. The only response to a foreign corporation saying that that maintains your independence is "you can't quit, you're fired." Otherwise you just become beholden to the corporation providing you "charity".
> It's your civic duty to determine when upholding the law degrades you and everyone else more than following it does.
That’s a lot more complicated. What happens if a foreign power takes over Canada and changes the law? What if the state law goes against the laws stated by your religion?
If a foreign power takes over your country and changes the laws in ways that conflict with the previous constitution, there’s a break in sovereignty continuity so your options are:
1. Pledge to the new authority and move on
2. Keep your word on your previous pledge and resist
The services aren't pro bono if they're only offered in exchange for getting a law modified.
And if you offer people free stuff and then turn around and demand something in return, they're going to get upset and like you less than if you had never offered the free stuff in the first place.
There was no exchange implied... before this sentence. Cloudflare might well be justified in feeling that the other side altered the deal, so to speak.
I have to doubt that it would push the populace against the company when the company is actually both providing good (free protection, DDOS mitigation, CyberSec) and supporting appropriate judicial process to make decisions.
Political threats of withdrawing from an event in an explicit attempt to pressure the country is the opposite of supporting appropriate judicial process.
No one is entitled to free shit, but anyone who says "I'll stop giving you free shit unless you do X" is not giving you free shit, they're engaging in barter. And bartering to try to change a law, just like paying to change a law, is obvious and illegal corruption.
Pretty sure, speaking as a Canadian, that the Canadian government would not be able to implement that kind of legislation. And that if they did, I would 100% back Cloudflare.
This is one of the consequences of outsourcing this (and other capabilities) to the private sector.
Many governments simply don’t have the skill and political will to invest in these kinds of capabilities, which puts them at the mercy of private actors that do. Not saying this is good or bad, just trying to describe it as I see it.
Governments just can't come to grips with how much money software engineers make.
Paying a contractor $x million? Yeah no problem, projects are projects, they cost what they cost. Does that $x million pay for 5x fewer people than it would in construction or road repair? We don't know, we don't care, this is the best bid we got for the requirements, and in line with what similar IT projects cost us before.
Paying a junior employee $100k? "We can't do that, the agency director has worked here for 40 years, and he doesn't make that much."
Variants of this story exist in practically every single country. You can make it work with lower salaries through patriotism, but software engineers in general are one of the less patriotic professions out there, so this isn't too easy to do.
> Paying a junior employee $100k? "We can't do that, the agency director has worked here for 40 years, and he doesn't make that much."
I can assure you that junior software engineers in Italy or anywhere else in the EU make nowhere near that amount of money. In fact, few of even the most senior software engineers make that amount of money anywhere in the EU (in Switzerland or the UK they might see such salaries, at the higher tiers).
Maybe not junior engineers, but it's quite common to make more than $100k in Denmark nowadays. According to the Danish Society of Engineers[0], the median salary for a CS Bachelor graduating in 2025 was 51 000 DKK / month, which is $95 000 USD / year. The average raise received by a privately employed Danish engineer was 5% last year[1], so you'd expect to reach $100k with two years experience.
And, to support miki123211's point, the Danish government has had continuing problems hiring software engineers for the past decade, leading to a number of IT scandals.
> in Switzerland they might see such salaries, at the higher tiers
Putting UK and Switzerland in the same pot is wrong, the pay scales are totally different. 100k$ is 80k CHF which is entry level salary for a SWE. The difference between Switzerland and US is at senior level (reaching 160k CHF is much more difficult than reaching 200k$).
The figures I gave were in-line with the US (as that's what most of this audience understands), but if you scale everything by a certain factor, the entire principle holds basically anywhere.
Not really. US programming salaries are much higher than most other engineering and specialist positions, which makes it harder for the government to hire good programmers.
However, programming salaries here in the EU are much more in line with other specialist salaries, which the government already hires many of. So there is no significant problem in hiring programmers at competitive rates for government work. The bigger problem, and the reason this doesn't usually happen, is just ideological opposition to state services, preferring to contract out this type of work instead of building IT infrastructure in-house.
And they get exactly what they pay for. There's zero reason for a competent professional to stick around with that kind of pay any longer than strictly necessary (aka until their own gig or freelancing takes off).
Not just governments, that same kind of greed exists in private companies too.
The only way to make good money while being an employee is to have your buddy spin up a "vendor" offering overpriced bullshit and shill it within your company. In exchange, you also spin up a "vendor" and your buddy shills it at his company.
This might explain why there are sooooooooo many vps providers/cloud providers, this might be one valid reason as to why.
I am sure that this might not be the only reason but still, it's a valid reason for many. Do you know of companies/people which do this and how widespread this practice is?
To me it still feels like malicious compliance tho for what it's worth.
I said this in jest as a reaction to what post-tax SWE salaries in Europe top out at, all while the same companies have no problem burning insane money on vendors. There is zero incentive to do good work as an employee as it won't be compensated anywhere near what even a shoddy vendor gets paid.
But given the rise of many SaaSes selling exactly the same thing every full-stack web framework used to provide for free - think Auth0, Okta, etc, it may very well be happening.
There is a difference of stopping a free service (for whatever reason) and threatening to stop a free service if the other party doesn't do what they want.
> Kind of wild that a private company has that kind of power
Also kind of wild that it’s a private US company pushing their current political views on another sovereign state. Cloudflare as a political tool of leverage is a level of dystopia we really should try not to unlock.
They're threatening to take their ball and go home. If they move all of their operations out of Italy, under what principle does Italy demand they block content globally? Should Wikipedia remove their page on Tiananmen Square because the Chinese government demands it (which they would, if they thought it would work)?
I think the parent is trying to say that whatever issues Italy may have internally, it's not up to Cloudflare to comment or enact solutions on their own.
> a private US company pushing their current political views on another sovereign state
This has always been the case in the western world, even before America itself existed. Some use the US govt (CIA) as leverage but often will just do it themselves.
A system like this could actually work as long as every takedown request involves posting a significant bond into a holding account and where the publisher can challenge the block and claim the bond if the block is ruled illegal.
This achieves the advantages of quick blocking while deterring bad behavior, and provides cost-effective recourse for publishers that get blocked, since the bond would cover the legal fees of challenging the block (lawyers can take those cases on contingency and get paid on recovery of the bond).
This is one of the very few non-money-laundering use cases for crypto.
I would support a “5 cents per unsolicited email” email system, in a similar way. If you make it a mildly enjoyable $5/hour task to read the first sentence or two of your spam folder, the overall internet would be better.
BunnyCDN don't run their own network, most of their servers are hosted at DataPacket(.com), but they use some other hosting companies too.
DataPacket has a very large network though and is kind of, sort of EU-based. AFAIK most operations are in Czechia, but the company is registered in UK. And there's also the Luxembourg-based Gcore.
I just want to point out that AGCOM once decided to put out an "Economically Relevant Instagram Influencers Register".
They're not really... let's say, 'on the ball' for understanding how the internet works. It's a bit of a running joke in Italy that their decisions are often anachronistic or completely misunderstanding of the actual technology behind the scenes.
And for the most part they just deliberate, they have no direct judicial authority. They ask an administrative judge to operate on their decisions, which brings us to some of the favourite sentences for any Italian lawyer: the... "Ricorso al TAR". ("appeal to the Regional Administrative Court", which is a polite way to say "You messed up, badly and repeatedly, and now we have to spend an eternity trying to sort this out in a court room").
If we truly want to point out the ridiculousness of Italian tech regulations, the influencers' registry, the temporary ChatGPT ban from a few years back or even the new AI regulations cannot hold a candle to the 22-year-old war on... arcade games.
A poorly written regulation from 2003 basically lumped together all gaming machines in a public setting with gambling, resulting in extremely onerous source code and server auditing requirements for any arcade cabinet connected to the internet (the law even goes as far as to specify that the code shall be delivered on CD-ROMs and compile on specific outdated Windows versions) as well as other certification burdens for new offline games and conversions of existing machines. Every Italian arcade has remained more or less frozen in time ever since, with the occasional addition of games modded to state on the title screen that they are a completely different cabinet (such as the infamous "Dance Dance Revolution NAOMI Universal") in an attempt to get around the certification requirements.
I guess they were inspired by a very similar law in Greece from 2002[0] where in an attempt to outlaw illegal gambling done in arcades a poorly written law outlawed all games (the article mentions it was in public places but IIRC the law was for both public and private and the government pinky promised that they'll only act on public places). I remember reading that some internet cafes were raided by the police too :-P.
Not the OP, but I tried it when it came out. VR headset technology wasn't good enough for screens within screens and it was nauseating more than anything.
There's also impedance mismatch between using the headset controllers and the physical ones in the game. Ideally, I should be able to use my own fightstick in an augmented reality configuration.
The quest 3 is good enough and the Galaxy XR is incredibly high resolution. But it isn't a really ideal way to play arcade ROMs for long term but just to enjoy the nostalgia.
I got it for $75 a month for two years. Visual clarity is incredible and monitor replacement level but comfort is meh so I bought studioform creative head strap which helped a lot. You can use Virtual Desktop to connect to any computer easily.
I'm a sysadmin so I bought it to see if it would work when I want to ssh into systems I'm physically near in racks. It has worked really well for this.
We live and have lived in a technological civilization for more than a hundred years. Legislators have NO EXCUSE to hide behind 'we don't understand the technology'. Sure computers are complex. But so are nuclear reactors, combustion engines and food safety.
If nuclear reactors cost 3x what they should, yet safety incidents occur 2x as often as they could because of stupid legislation, they shouldn't be able to hide behind 'we only have a legal diploma so we can't figure out what actually works'.
For some reason, a lot of older folks consider computing as a 'low stakes game', as computers being either an annoyance or convenience but nothing more.
I don't know if the system is fundamentally flawed, and the people in charge are becoming less and less able to actually handle the reins of society and some major upheaval is necessary, or the system can be fixed as is, but this seems endemic and something should be done.
Wait, so is this about censorship, or about copyright?
If the latter, I don't see why CloudFlare is complaining about "global" censorship. The US would simply seize the domains (which they have done so many times before), but I guess Italy doesn't have that power...
There's no accountability or due process. According to this brilliant law, if some crony with write-privilege adds your website to a list, the whole world has to ban your website within 30 minutes no questions asked.
Judicial oversight took a while in Germany, but it is there now (but I guess you will always find an incompetent judge if you really want). I wonder if Cloudflare would implement the German blocklist now that we have judicial oversight. Currently it is a nice registry for pirating sites for anyone using 1.1.1.1 [1]
> To some extent, judges are subordinated to a cabinet minister, and in most instances this is a minister of justice of either the federation or of one of the states. In Germany, the administration of justice, including the personnel matters of judges, is viewed as a function of the executive branch of government, even though it is carried out at the court level by the president of a court, and for the lower courts, there is an intermediate level of supervision through the president of a higher court. Ultimately, a cabinet minister is the top of this administrative structure. The supervision of judges includes appointment, promotion and discipline. Despite this involvement of the executive branch in the administration of justice, it appears that the independence of the German judiciary in making decisions from the bench is guaranteed through constitutional principles, statutory remedies, and institutional traditions that have been observed in the past fifty years. At times, however, the tensions inherent in this organizational framework become noticeable and allegations of undue executive influence are made.
You're completely on the wrong track here. The discussion is not about who does or doesn't control the courts, it's about the question if someone whose rights have been violated can go to court or not with regard to that specific matter. If a court rules that blocking an IP address is illegal, the access provider has to stop blocking it. Period.
A fine doesn't cause immediate harm as you don't have to immediately pay it while you challenge it in court, having your IP or website blocked happens immediately and will continue harming you until it's decreed that it wasn't lawful.
That depends on the country you are in. In some countries you have to pay anyway and then you get it back if you win the court case. And they're banking on you not challenging the fine because the fees for the court case will exceed the fine so you lose either way.
Challenging the IP bans in Italy is stupidly hard. Your VM gets an IP address that was used a few months ago for soccer piracy? Too bad, you won't be able to access it from Italy.
2. parent comment is wrong, CCUI is requiring court action by their members before they act.
3. I'd rather have companies competing under market pressure to find solutions to topics like copyright infringement than the German state (once again) creating massive surveillance laws and technical infrastructure for their enforcement in-house.
Read the post, they never blocked the activist. They just changed what they replied to a DNS query of an already blocked site to make it harder to detect.
1. Article you've shared is from 2025-02-26
2. New rules have been in place from 2025-07
3. The author hasn't been blocked at all. You're either a liar or you cannot read.
Sometimes it's hard to differentiate between the 2. In this case it sounds like copyright in name but the implementation is such that it's a big hammer that can also be used for censorship if followed.
What is it with Southern Europe and the football overlords? Spain is blocking half the internet, Italy is fighting Cloudflare. What's up? Are football leagues big political donors?
Football is extremely popular, and football clubs (and their owners) are quite influential (socially and politically). But it's a little bigger than that.
EU is pushing for measures against live-event piracy[1], because they frame this as a systemic threat to cultural/economic systems, giving national regulators broad cover to act aggressively.
While football is quite huge in Europe at large, the impact to GDP of these broadcasting rights is sub-1%; however, lobbyists have a disproportionate impact: you have the leagues themselves (LaLiga and Serie A for Spain and Italy respectively), you have the football clubs, and you've got broadcasters. Combined, they swing quite high, even if the actual capital in play is much lower than the total they represent.
Add to this politicians who can frame these measures as "protecting our culture", get kickbacks in the form of free tickets to high profile games, see rapid action because blocks are immediately felt and very visible, and incentives for increased funding from regulatory agencies because "we need the budget to create the systems to coordinate this", and you can see how the whole system can push this way, even if it is a largely blunt instrument with massive collateral damage.
Yeah, in Europe, there tends to be an association between football fans and organized crime, just as there's one between unions and organized crime in the US.
The kind of hooligans who love beating up the hooligans from the other team are also perfect for beating up the hooligans from the opposing drug cartel.
In Spain's case Telefonica (largest telecom, used to be state owned) is private but has a large State participation and the government literally appointed the latest CEO.
Guess who sells the largest football games as part of their expensive TV package?
Guess who asked a judge to order the other telecoms to also block Cloudflare IPs?
If this is true, and seems likely. There is some satisfaction seeing corrupt cronyism agencies getting slapped with a hard "NO" when they are used to getting what they want.
Spain especially but southern Europe in general has a really crappy economy. Soccer teams are some of the wealthiest organizations in these countries, which means they're the ones who are able to fund politicians which means they can get laws passed.
No usually the political figures are football league owners.
Jokes aside, I don't know, the obsession with soccer is extreme in Italy. For people who don't care about soccer like I did, there is so much you have to endure just "because of soccer"
It's not just Italy. The UK is also insane along with some cities in Spain. In the UK one of the rivalries supposedly goes back to the War of the Roses [1].
The way I describe EU football games to Americans is take the craziest student section at a US college football game and extrapolate that energy to the entire stadium.
>as usual, a law was created without verifying how the implementation of such law would work in practice (something very common in Italy), and this is the result.
This is everywhere.
The reason is you DON'T want a law to be too detailed with tech mumbo jumbo. If too detailed, it will get outdated. See that USA crypto wars ban in the 90s.
I recently learned that Poland literally has a law on the books[1] (from the executive, not the legislative), mandating our use of SOAP and WSDL. You're definitely right on that score. As far as I know, it's supported by some EU directive or other, no less.
At least with DMCA you do get a notice and you can somewhat challenge it. With Italy's Piracy Shield you have no notice and there's no public record of which IPs/websites have been blocked, so it's hard to even challenge it in court.
yes, it's quite similar.
They blocked some lawful services too such as google drive (yes, really) and a TON of sites behind cloudflare by blocking some of its IPs (it happened a while ago, it's not directly related to this).
Most Italian authorities like this one are chock full of incompetents, and I'm almost sure they're just caving in to some soccer broadcaster or some crap like that. He might very well be fully correct on the fact of the matter.
Still, the rhetoric of the post is frankly disgusting. No, I'm not taking lessons in democracy from JD Vance, thank you very much. No, I don't think that might makes right and it's unsurprising that those who believe otherwise are so eager to transparently suck up to this administration.
Making public threats in this way is just vice signaling, nice bait.
This is the Stephen Miller caveman view of the world, but it obviously doesn't make sense if you think about it for more than five seconds. It's a very straightforward consequence of refusing to ever admit you are wrong. "If I did it, then I must have had the right to do it."
It's just a refusal to accept the philosophical concept of rights. The right to vote doesn't exist because you didn't have to defeat the entire army to vote against their leader, it's just that the leader benevolently decided to let you vote against them. You don't have the right to life, it's just that everyone on the planet with a weapon has coincidentally decided not to murder you, for now. Laws don't actually exist. Any right that appeared to be established against the wishes of the men with guns (i.e. all of them) was actually fake or an inexplicable accident. You can imagine a world that works like this, but it certainly isn't our world. No historical period or even any fictional story I can think of operates like this.
> The right to vote doesn't exist because you didn't have to defeat the entire army to vote against their leader,
I would say you're wrong. The right to vote does exist because men rose up together and fought leaders that wouldn't let them vote. And, when leaders rise up that take our right to vote and we don't stop them they will prevail.
> it's just that everyone on the planet with a weapon has coincidentally decided not to murder you, for now.
Correct. Start up a big disaster where food goes away for some reason and it comes back.
We have a stable world where we don't kill each other at the moment because in general we all have food, water, shelter, and I would say enough entertainment that fighting each other isn't worth the risk. There is no rule that says this will last forever. Quite often in history there have been stable times, that then fell apart because of greed and malice of leaders.
I am not saying it's impossible for rights to be taken away, I am arguing against this statement:
> If you can't defend yourself against that then you have no rights.
I do not own a gun and I have no fighting skills, so I cannot defend myself against men with guns. Would you agree that I therefore have no rights?
I think that you and the original poster are seeing the situation "you are vulnerable to potentially losing rights in the future", which is true, but conflating that with "you have no rights". It's like telling a rich person "you actually don't have any money" because it's possible they might be robbed someday.
You have the right to vote, if you lose that right, and you don't have a gun after that you have whatever 'rights' that are provided to you by a dictator.
One of the things you're missing here is the idea of herd immunity. While you won't fight for your rights, theoretically someone else will, making taking your rights dangerous. Once enough people won't fight for their rights, or enough of the population gathers together to take your rights, you lose your rights.
I believe that in this conversation one party is saying that people have intrinsic rights (see the Universal Declaration of Human Rights) and the other party might agree on that but they say that those rights can be enforced only if they can be defended. Example: both parties probably agree that people have a right to free speech but nevertheless people end up in jail if they attempt free speech on the wrong subject in the wrong country.
> it obviously doesn't make sense if you think about it for more than five seconds. [...] It's just a refusal to accept the philosophical concept of rights.
Or it's an attempt to reconcile the philosophical concept of rights with global politics and observed reality.
Does an Afghan girl have a right to education? A Uyghur Muslim a right to freedom of religion? A Palestinian a right to food? A Hong Kong resident a right to freedom of expression?
It would appear that in these cases, the politicians commanding the loyalty of the men with guns do what they can, while the weak suffer what they must.
Of course, that's not the only reasonable line of thinking. Just because people in distant lands don't have certain rights in practice, I have those rights because I live in a great country with strong institutions and the rule of law.
Refusing to accept the philosophical concept of rights is just correct. You are born with fuck all unless people have decided you are entitled to something by existing. Plenty of people were born without anything remotely resembling rights. If rights were inherent and not simply enforced by people, that wouldn't be the case, would it? Life isn't a fairy tale.
Civilization is literally built on what you're saying being wrong.
It's not wrong because of physics or biology, but because civilization made it so.
Like so many cultural achievements, it's true when you can count on the person next to you expecting it to be true. (1)
Which in turn means you can make that culture collapse if you impress enough people with your edgelord attitude.
Cooperative culture is fragile and must be preserved by preserving shared values such as these. On the other hand, in the long run, the cultures that do this successfully prevail because cooperation is stronger than the law of the jungle.
Unfortunately that 'long run' may take a while.
(1) That's basically the definition of a cultural value. They're emergent phenomena based on Keynesian beauty contests.
Yes, and people have decided I'm entitled to something by existing. That's what human society and civilization is built on. It's been true for the entire history of our species.
> Because all it takes is men with guns to change what rights you think you have.
Plenty of folks didn't / don't change their minds about what rights they thought they had/have, even in the face of guns. Just look at what's currently going on in Iran.
If you're in the US, and believe in your own Constitution, then people have "unalienable Rights" that are "endowed by their Creator", regardless of whether they are recognized by the government or not:
You're conflating rights with freedoms, which is the same category error as confusing legality with morality.
Your rights are, by their nature, inalienable. They are recognized (or not) by individual power structures, granting you freedoms.
Under an authoritarian regime, your freedoms may be limited, for example, your right to free speech may be curtailed by men with guns. Killing those men is illegal, but not unethical, exactly because they are infringing your rights.
This all may seem academic to the person with a boot on their throat, but it dictates how outsiders view one's actions.
> If you can't defend yourself against that then you have no rights.
My sister is wheelchair bound with MS. Half the time she can barely see. You can give her all the guns you want and she isn't going to be able to defend herself. I reject your nonsense assertion that because of this she has no rights.
this kind of logic will always lead to everyone losing in the long run. always. there will always be a more powerful bully that steps up to take over. history is very clear on this one.
You might be conflating description with prescription.
Descriptively, powerful people have all the rights and weak people have none. This is what we observe in the world. No amount of philosophical thought outweighs actual observations. For example, Donald Trump has (retroactively!) the right to r**e ch*ldren. We know this because he is not suffering consequences for doing that. But Renee Good did not have a right to free speech. We know this because she was executed because of her speech.
You can prescribe whatever fancy academia language you want, but the facts in the real world don't seem to currently support any of it beyond "might makes rights".
Ok. So a man with a gun has the right to shoot you and kill you.
Then a policeman comes with a bigger gun and he has the right to kidnap the murderer.
Then comes a judge with an even bigger gun (the law) and has the right to lock him up in a prison.
But then the murderer gets hold of a weapon and he has the right to escape from prison.
Etc.
What does make them? Children apparently don't have them, and many races in many countries didn't have them for a long time either. How do you account for that? Are we now distinguishing between "having" rights and uh... being allowed to use them?
I'll cut the cheekiness, I disagree with an "authoritarian regime". I don't support everything, but to sum up an entire government as "authoritarian regime" is wrong IMO.
> to sum up an entire government as "authoritarian regime" is wrong IMO
It doesn’t work like that though. The most authoritarian regime in the world has bits that seem benign, we don’t judge them on that.
We judge them based on the extremes. Things like masked men grabbing civilians off the street and shooting them in the face, with the full support of the regime.
> No, I'm not taking lessons in democracy from JD Vance, thank you very much
You are falling into a trap where you cannot recognize a true point because it is made by someone you disagree with. I don't condone Vance or the Trump admin. He is right about European governments' attacks on free speech.
And you are falling into the trap of thinking that if a person is busy deconstructing what used to be one of the larger democracies in the world that their other words are going to be taken at face value, which obviously is not going to happen.
We're not discussing Pol Pot's views on cooking either, even though he might have had some valuable insight. Bringing up Vance and Musk in polite conversation to bolster your argument is - especially in the context of Europe, which both men seem to have declared to be enemy #1 before Russia and China - a little tone deaf.
To be fair, he's not bringing them up as intellectual support for his argumentative base – he's bringing them up as support for acts of retaliation. This is mostly about power and we've lost 30% in power vs. the US in just ~12 years because we've fucked up our economy.
I absolutely and 100% agree! But it's the stick that others will use to force their world view down your throat. So if you want to be not only righteous, but also hold others accountable according to your standards, you need the economic power to do so.
People will say anything online, but when it comes to action very little. I'd rather live in the US now or 12 years ago vs Italy unless someone gave me a Tuscan villa with a pool.
Oh I've been multiple times, it's beautiful! But vacationing is not living + working, paying bills, dealing with bureaucracy or culture clashes, etc...
Most of our power loss is from electing a belligerent dumb fuck twice and allowing him to sabotage our international relationships and destroying our remaining credibility.
I was speaking about Europe as a whole. Economically, we suck. Losing UK didn't help, either, but except for Poland, we've become relatively poorer by an insane amount, compared to the US. Another 10 years on that path and we're half the US.
> And you are falling into the trap of thinking that if a person is busy deconstructing what used to be one of the larger democracies in the world that their other words are going to be taken at face value, which obviously is not going to happen.
No. I'm identifying this one statement as factual, regardless of the person saying it. Surely then, you would not deny the color of the sun to be yellow just because Pot might have observed it to be that way?
That's beside the point: JD Vance and Musk are precisely the wrong entities to have opinions on stuff like this because they are on the wrong side of that line most of the time. Especially Musk, but Vance has his own ulterior motives to berate the EU on anything so regardless of the outcome it will be tainted.
> JD Vance and Musk are precisely the wrong entities to have opinions on stuff like this because they are on the wrong side of that line most of the time. Especially Musk, but Vance has his own ulterior motives to berate the EU on anything so regardless of the outcome it will be tainted.
People focus on Vance in this issue because they hate him and hate is easy to come by. They ignore that popular Democrats and progressives said the same thing. Hell, even the Atlantic posted a piece about the issue.
It has been very clear that the Trump administration's definition of freedom of speech, including JD Vance's, is that you should be free to say whatever the Trump administration wants and nothing else.
They have consistently prosecuted, threatened, deported, withheld money from, and so on people who say things they do not like.
And the answer to that is to point out the hypocrisy (what you're doing), not to take the opposite view, that censorship is important (what so many others are doing when Trump takes a position on anything).
you are falling into the trap of ignoring the pandering. cloudflare bro is clearly pandering here and showing that, in the moment, he will say/do whatever to whomever to get what he wants. cloudflare kind of has a history of doing this.
there was zero reason to name drop vance and elon besides appealing to their rabid fans to bolster support.
What other option do they have? It’s either comply with unjust rulings that undermine the free internet (and their business) or make a deal with the devil. Either one is bad but only complying has an immediate negative impact.
If there was any sense that this ruling was just a temporary mistake that will be corrected by pending regulation/legislation, then a third option would be on the table: temporarily comply and wait it out. But all indications are that the EU is hell-bent on making things worse, not better, for the open internet.
Cloudflare, the company that regularly blocks me from legitimately visiting websites because their bot detection software absolutely sucks probably is the biggest effective censor on the planet.
Who is locked up for criticizing the government in Germany? You can be fined for insulting a government official, and I think it's a bad law and should be retracted, but a) insulting is not the same as criticizing and b) I've never heard of a single person locked up because of it - you'd basically need to deliberately refuse paying the fine for that
188 Criminal Code Insult, defamation and slander directed against persons in political life[1]:
(1) If an insult (§ 185) is committed against a person involved in the political life of the people, either publicly, at a meeting or by disseminating content (§ 11 (3)), for reasons related to the position of the offended person in public life, and if the act is likely to significantly impede their public activities, the penalty shall be imprisonment for up to three years or a fine. The political life of the people extends to the local level.
(2) Under the same conditions, defamation (§ 186) shall be punished with imprisonment from three months to five years, and slander (§ 187) with imprisonment from six months to five years.
This law is commonly criticized by free speech activists in Germany, as well as liberal parties like Die Linke and FDP. It was updated to be even harsher by our last government. David Bendels received a sentence of 7 months for posting an edited insulting picture of Nancy Faeser, Germany's last minister for interior affairs. The case sparked an international outcry and got a lot of press coverage [2]. Note that ironically the doctored image showed Faeser holding a sign with the message "I hate freedom of speech".
Yanis Varoufakis, I think? Except he was banned from Germany, not locked up. If he tries to enter, then he might be locked up. They used the intermediate step of calling him a terrorist.
"UK police made over 12,000 arrests under laws criminalizing communications causing 'annoyance or anxiety,' with arrests rising 58% since 2019" [1]. Only 10% lead to a conviction. What then, is it, other than a government issuing arrests for speech?
The vast bulk of those cases are about online harassment, usually against former spouses, public servants, etc. If you are aware of a case where an individual was arrested for just expressing their opinion you are welcome to provide the evidence. Until then this is just FUD. Censorship is bad, protecting the rest of the citizens from harassment is the kind of thing that is actually useful.
Are you expecting me to comb through thousands of cases? Obviously they were arrested for saying legal things, if their arrest doesn't follow a conviction in 90% of cases.
I expect that when you say someone was arrested for speech and it's government overreach (as opposed to a legitimate arrest), you should show us the speech they were arrested for, to back up your claim that it's overreach.
> Economic growth or lack of thereof is absolutely irrelevant here
It absolutely is. Being right (and more so, being righteous) is expensive. When you cannot afford to put your money where your mouth is, everyone knows that sooner or later you cannot or will not follow through on your words. Europe has lost ~30% of power vs. the US in just ~12 years.
> Europe has lost ~30% of power vs. the US in just ~12 years.
[citation needed] mostly because I'm curious what kind of metric one uses to measure this.
From an economic standpoint, Europe stagnated behind the US coming out of the pandemic, but now it seems to be the US markets that are lagging Europe in the past year.
Militarily, my perception is that Europe is ramping up, not falling off.
I will give you exact sources for the claim later once I'm back at my laptop, but rest assured: these numbers don't lie. And militarily... really? We're a joke. We cannot even defend our neighbor from being invaded without extensive US help.
I won't argue that those two things don't exist, but can you show some proof that GDP is measuring nothing else than ("just") those two things, and that there are meaningful differences between the EU and the US with regard to these two things? Is there no unreported inflation and no money printing in the EU? If that were true, we'd see massive devaluation of USD vs. EUR.
Also, if you don't like GDP, you can just look at real wages – same picture.
No? We've never had such an absolutist view on the freedom of speech as American Constitution holds. We still have enough of it to keep the political debate open to all points of view though (with a reservation for the paradox of tolerance)
> We still have enough of it to keep the political debate open to all points of view though (with a reservation for the paradox of tolerance)
If you're going to reference Popper, go read his work; he'd spit in your face for suggesting your current censorship and jailing of citizens is in any way to fix his "paradox of tolerance".
No one is being jailed for speech in EU, you are misinformed by your antidemocratic elites. Incarceration rate in Germany is almost 10 times lower than in the US, and prison time is used for really severe cases, not for being mean on Twitter.
OK, sure, antisemitism is a different topic, and Germany might have a bit of an overreaching definition of it. Which IMO is understandable given German history, but I agree that this is one topic where Germany's freedom of speech is endangered. It's not something Vance would complain about I guess though.
The AI generated art is also disgusting. Makes the CEO look like an angry kid because his multi-billion dollar industry got a 1% income fine, which is nothing for them, for a service they provide that keeps having outages because they have bad coders who thought moving their shit code to Rust was a good idea.
I would like to see a similar rant about the DMCA from US CEOs, which amounts to similar global effect. Not a great law but all this censorship stuff is bullshit.
To replicate the rant: Cloudflare on the other hand blocks me regularly from using the Internet using a privacy aware browser because I fail to pass their bot checks so that I can enter their CDN based replica of a real internet.
To be fair big tech did do a full court press to stop site blocking when such a law (SOPA/PIPA) was proposed in the US, and they continue to oppose the MPA's attempts to get site blocking via the courts. DMCA on the other hand seems very broken, don't give the MPA the "3 strikes" regime they want and you get sued into the ground like Cox. I suspect tech CEOs don't complain about this because they don't want the same treatment.
AFAIK, the DMCA doesn't require infrastructure providers (ISPs, DNS resolvers, "relay" services like Cloudflare) to block entire websites. It's just for surgical removals of content (and blocking of ISP / hosting provider customers who are notorious infringers).
The US doesn't have the kind of website blocking laws that many European countries have.
If you look at those 'whole websites' it is nearly exclusively sites that do not comply with takedown requests regarding copyright (actually those blocking laws/procedures do mostly foresee any other reason). The question I was addressing is the judicial control and the abuse for censorship. DMCA takedown requests are massively abused without any real judicial control. Sure you can fight those in court, but so you could fight ISP blocks. I think the different methods simply stem from a different legal system with different types of fines (particularly in civil law).
I agree with this sentiment.
His tweet was quite disingenuous and it doesn’t help that he’s tagging Musk and Vance. The noise they make about free speech is a charade.
I still can’t understand why these tech CEOs are doing so many cynical things even in places where they have the chance to start healthy debate.
And I think that when you are so far biased in one direction there is nothing these two could do to alter your opinion in any way. Thus making it irrelevant to the discussion.
Why? Because tech companies have shown to be honest and transparent? Because their flouting of the law has ever been anything but extreme self interest?
FFS Grok is openly a revenge porn and CSAM generator. These aren’t good people and they aren’t the sort we want as champions of speech because they are not interested in anything but their own profits.
I also wonder why he felt emboldened to escalate like this. Maybe he thinks Italy is so small it can be slapped around by a rage post on Twitter?
There's a DNS blocklist from media industry applied by German ISPs and I assume Cloudflare was also asked to block these websites, so why didn't I read a story about Cloudflare making a big stir about the German DNS blocking?
Posting it a hundred times doesn't make your claim more correct. If your rights are infringed, you can always go to court. If you think you being blocked from accessing certain information is an infringement of Art. 2 Abs. 1 GG ("Every person shall have the right to free development of his personality [...]"), you can drag this to The Federal Constitutional Court.
No I can't, since I lack the monetary funds. My claim stands correct, going to the federal constitutional court is expensive enough that many people are barred from that option. My claim stands correct - no judicial verdict is needed for the CUII to censor websites. Don't believe me. Believe the activists [1].
new comment: you're so wrong that not even the opposite of your statement would be true. CUII is a private body, but it forces its members to go to court before they ask CUII to initiate a block:
Every DNS block of a structurally copyright-infringing website (SUW) is judicially reviewed within the framework of the CUII.
This is a voluntary self-commitment by the CUII members, because there is actually no requirement of judicial authorization for the blocking claims under § 8 Digitale-Dienste-Gesetz (DDG). For this reason, the DNS blocks under the old code of conduct, with involvement of the authorities, were also permissible (see questions: "What changes with the CUII's new code of conduct?" and "Why was there a system change in the CUII in July 2025 - after years of work?").
old comment: CUII is not a governmental body so what the hell should they need a court order for when doing the thing that their members pay them to do? If you're not happy with your internet access provider being a member of CUII, switch your internet access provider. I agree that CUII should publish a list of blocked domains as part of transparent communication and proving that they are doing a good job.
the filters the Italian authorities complain about also only apply in Italy.
It's likely a process thing, Italy has had website bans since forever, but the new regulation applies _without going through a judge_. Some copyright holders can say "this website is infringing" and ISPs, CDNs etc. are required to shut them down immediately.
A similar system was introduced in Spain, with the same problems, for the same reason (football $$$).
EDIT: to be clear, CF argues that they need to block the DNS globally, and that's unreasonable. The Italian authority argues that they have the skills to do a local block and are just being uncooperative.
> EDIT: to be clear, CF argues that they need to block the DNS globally, and that's unreasonable. The Italian authority argues that they have the skills to do a local block and are just being uncooperative.
Similar to the UK's attempt to try and get noncompliant sites like Imgur and 4chan to block themselves from serving content to UK locations, I think the responsibility for country-wide blocks lies with the country attempting to regulate the space, not CDNs or websites.
I don't doubt that Italy is correct that CF has the technical ability to do a local block like they're asking for, but I also don't see how CF is in any way (legally) compelled to do so. Whether or not Italy (or any country) is capable of doing so, or paying contractors for an appropriate solution, isn't CF's problem either.
The difference is that Imgur/4chan have no presence in the UK but Cloudflare has servers and probably a sales office in Italy. Cloudflare does have to follow Italian law within Italy.
Either Cloudflare can block pirate sites or ISPs will completely block Cloudflare (as seen in Spain). Which way do you prefer?
As I understand it Cloudflare is being asked to block these sites globally, and what I said was that Italy doesn't have the legal authority to request that CF do so globally.
Locally, within Italy I can see the argument that CF can be compelled to adhere to blocking sites for any requests originating from, or being routed to Italy - so long as Cloudflare maintains any kind of presence there. That goes for any other country, too.
Realistically maintaining this kind of work puts a financial and engineering overhead on Cloudflare (or any CDN) for running operations in that country, and that incentivizes Cloudflare to push back on this request from any country. The logical response from CF is to refuse and threaten to remove all operations from the country if the country tries to force the issue, to prevent CF from getting pulled into the same requirements for multiple other countries, which is exactly what CF did a couple days ago.
I'll reiterate my previous stance - if a country wants to block part of the internet, that country needs to do it themselves and for the space within which they have authority to do so (their borders). At that point it's up to the citizens of the country to push back if they disagree, and if they don't want to be compared to China and their Great Firewall they shouldn't try and regulate the internet.
Do you think the Italian bureaucrats really want to ban something in France or Germany?
The Cloudflare CEO is clearly misinterpreting something that was lost in translation, which is the bureaucrats stating "Cloudflare must prevent access to XY from everywhere". For bureaucrats "everywhere" means "in my jurisdiction". I cannot believe that the Cloudflare CEO is trying to nitpick around a single word that he so clearly misinterprets.
No, in fact I think most in US tech are awfully ignorant about Europe. That's why I explicitly brought it up. Just because we Europeans can speak your language doesn't mean that people from the US understand how our countries work. And most US tech companies are located in Ireland in a small US expat bubble.
You are presumably also not an Italian, so I don't know why you would know more about Italy than he just because you are European. I'm also European, and I certainly don't thereby know more about Italy than about, say, the US.
Or he perfectly understands what they meant but chose to create artificial outrage. "don't attribute to malice what can be explained by stupidity" has not aged well in 2026
I'm pretty sure Cloudflare is an ISP according to German law ("Diensteanbieter" according to DDG). You might confuse "ISP" with the terminology of "Access Provider" according to the (now defunct) §8 TMG.
If that were true, sci-hub.se would be blocked in Germany on 1.1.1.1 (1dot1dot1dot1.cloudflare-dns.com), it isn't blocked, therefore it's not true. (Modus tollens)
I am a Service Provider ("Diensteanbieter") according to DDG and I don't block a single page, which makes your statement not only wrong, but rather so wrong that not even the complete opposite would make any sense.
No, it's not. It's a very precise way to state that the law has to be applied to a very wide range of service providers. This is a fundamental change compared to the previous regulation TKG. Now take the loss and next time, read the damn manual first.
What is the escalation? Cloudflare or any company is free to stop doing business in any country which mistreats them or doesn't align with their interest. How can you interpret this in some way as Cloudflare being the aggressor? They don't owe the nation of Italy anything.
I'd probably want some way to understand whether secret.Do is launched within a secret-supporting environment so that I'm able to show some user warning / force a user confirmation or generate_secrets_on_unsupported_platforms flag.
But, this is probably a net improvement over the current situation, and this is still experimental, so, changes can happen before it gets to GA.
I have noticed the same for a lot of long-running software projects. The estimate is created at the start and never revised.
Projects can and will fail or run late; but heck, a 6-month project cannot be found late after 5 months and 29 days; things must be discovered early, so that the most important issues can be addressed.
I think this should become harder to do in general, not just for copyright infringement. A third party alleges an infringement, they do little work since it's AI generated, and then you need to do TONS of work to fix their s*t. THAT needs to be fixed by AI legislation - use AI at your own peril and under your own responsibility.
One thing the article doesn’t mention is that a lot of certs are revoked for purely admin reasons. CeasedOperations seems to be the case for Flair - nothing bad happened to the key, but the cert was revoked nevertheless.
This seems to be a common practice for some CAs or companies, but it’s not required AFAICT; and it contributes to the gigantic CRLsets that we have - most of those revocations wouldn’t actually be needed from a security pov.
Afaik there are some ways to get approval for individual vehicles to be imported in the EU, even if non compliant with EU rules, for specific purposes and on a case-by-case basis, which grants such vehicles an exemption.
This requires a per-vehicle (not per model) specific flow which may take long and cost a lot, and you may be fined if you use the vehicle outside its stated purpose.
I can remember some collectors importing Cybertruck indeed, I don’t know the limitations for its use.