A word of caution if you are starting a small LCD project: the framebuffer approach is dead on Linux. The new approach is DRM (Direct Rendering Manager), that allows partial LCD updates from userspace. See
With this little SPI screen, there is no GPU behind, so no way to use DRM. If you want to run X, you also need to use framebuffer turbo driver. So everything goes through the framebuffer anyway.
The fun here was to use only Warp 10 database on the system, the only time series database that has built-in image creation function in the language. Normal use is to build heavy dataviz on the server, then return a base64 encoded png.
Even if this is true, isn’t that about drivers and not interfaces? Perhaps I am wrong but I was under the impression that the framebuffer userspace device worked on DRM-based drivers still, just it didn’t use fbdev internally.
DRM has a thing called “dumb framebuffer” which exposes a memory mapped file with the CPU-accessible frame buffer data. See DRM_IOCTL_MODE_CREATE_DUMB and DRM_IOCTL_MODE_MAP_DUMB IOCTLs. The only inconvenience, some boilerplate is required to find the correct GPU connector, and setup a supported video mode.
Even though it does not look this way now, I think this is a seminal legislation that in time will move small startup scene out of California for good, due to what you have described. I have the same experience, bootstrapping a software company that initially could not afford an employee payroll and administrative/legal burden. Where do we go next to start non-VC companies? Oregon? Texas?
What if you just incorporate in Delaware and contract remotely out of less restrictive states in the US? I think this will only apply to employees working within CA
This really isn't the point. I'm not talking about comments but how you manipulate the perception of the public discussion.
By the way your assumption about free comments is really arrogant I guess power corrupts but it could be that you've always believed that.
Anyway 1984 will enter the public domain in 2020, we could actually try and see this then; and I bet the average comment will be more thoughtful than your
average comment that seriously doesn't bring to the discussion anything but hate and frustration.
edit - I think I'm done here, bye Dang. You do a hard job, but this is utterly ridiculous. In the ongoing attempt to edit out anything contentious, this place has completely jumped the shark.
Contractors send 1099 they receive from a company to FTB. They don't need to complain.
This means that a bootstrapped start-up cannot temporarily hire a graphics designer or a coder in California anymore, without the budget to make him an employee. But non-VC entrepreneurship has been hardly possible here for other reasons: building and rent control regulations driving the housing and office space costs. Since the 2006's "web2.0", progressive California regulators are at it for real, pitching entrepreneurship as an enemy of labor: it's no longer a place for small business and non-VC startups. Those have been fleeing.
This means that a bootstrapped start-up cannot temporarily hire a graphics designer or a coder in California anymore, without the budget to make him an employee.
This is so completely wrong.
You know what the difference between a temporary, part-time employee and an independent contractor is, from the business' financial point of view? They have to pay payroll taxes (and in some states unemployment insurance levies) for the part-time worker instead of forcing the worker to handle those costs themselves. And that's it. They aren't required to provide benefits or anything else until they exceed a threshold size in terms of employees (generally 50) or annual income (usually >$10 million/year).
In your specific example, the startup could hire both the designer and the coder as employees or as contractors, so long as both were allowed to work on other gigs while they were temporarily contracting with you and your startup wasn't in the business of graphics design or software. (If your business is a software business, the analysis is more granular: is the coder working on the revenue-generating part of your software, or on a supporting part of the software like the networking code?)
Since the 2006's "web2.0", progressive California regulators are at it for real, pitching entrepreneurship as an enemy of labor: it's no longer a place for small business and non-VC startups. Those have been fleeing.
California went from being the world's 8th largest economy to the world's 5th largest economy over this time. Has lead the nation in small business growth for the past decade. California's regulations basically just filter out all of the fake businesses that don't have enough backing to at least attempt existence.
They have to pay payroll tax and administer payroll. I ran a bootstrapped business, that initially had several contractors, till a day I could afford to replace (in several cases, promote) them to employees, so I know this intimately. Additionally, there are payroll costs and the accounting costs, and the payroll administration burden. For a tiny growing business with no outside capital it matters more than you know.
The 5th largest economy figures come from semi monopolies like Google and Facebook. In the beginning, they get a VC investment, a comfortable office, a payroll admin and Wilson and Sonsini from day one. In the meantime, San Francisco restaurants cannot afford cooks.
I think the delta between "contractor" and "part-time or temporary employee" is a bit steeper than you are claiming.
The tax issues are not minor, to begin with. If I have no property and no employees in a given State, I likely do not pay all sorts of taxes to that state which I otherwise might have to. I likely do not even file an income tax return with that State. As soon as I have an employee living in a State, then I definitely have to file taxes there. I also have to register with their labor department, there are probably state-specific labor laws which I could run afoul of, maybe state-specific postings and notices, etc. It's not simply a matter of the payroll company making the correct deductions.
I have to follow a different hiring practice to hire an employee than a contractor. There are likely to be more requirements on how I must make the job posting, and how I can conduct the interview process. There are additional government forms that must be filled out during the hiring process, and after the candidate is hired. The legal rights of a temporary employee are different from the legal rights of a contractor in important ways that I might not fully understand.
Once an employee is hired, I either have to pay them hourly, or a guaranteed monthly salary. I cannot offer to pay the employee a fixed amount for a certain deliverable. I have to pay the employee on a set time schedule, and not based on deliverables. I cannot withhold payment based on deliverables not being met.
I will have to update my worker's compensation policy. Depending on the size of my company and the state, I may have to enroll this person (and their family) to provide health benefits, life insurance, disability, etc. Also, certain states impose family and medical leave requirements on employees which would not apply to contractors. Federal discrimination regulations only apply to employees. I'm sure the list goes on and on...
And here I was, just wanting to get some help mocking up this new UI screen, or porting some code from one language to another, or making a new logo for my site, or updating the CSS to work with latest device X, or...
Over the last decade I've spent mid-6-figures on sites from Rent-a-Coder to Upwork and it's been a game changer for being able to quickly tackle big problems which arise due to a new R&D effort, or closing a new customer contract which our current feature set doesn't quite support, or just getting logos and wireframes because I'm not a designer and don't have nearly enough work to justify hiring one.
In short, contractors are super fucking important, and the "ABC" test seems to fundamentally mischaracterize a lot of tried and true contract work. Someone that I am hiring to perform a specific task, who is working remotely, who I will not be on-boarding, who will not be working closely with many employees, and who is paid upon completion of that task and then goes away, should be a contractor, even if they are doing work that is central to my business, and even if I closely monitor or specify how the work is to be completed.
Someone that I am hiring to perform a specific task, who is working remotely, who I will not be on-boarding, who will not be working closely with many employees, and who is paid upon completion of that task and then goes away, should be a contractor, even if they are doing work that is central to my business, and even if I closely monitor or specify how the work is to be completed.
Right, they would probably be treated as a contractor under the ABC test and the new law.
You're hung up on the "central to business" part of the test without paying attention to the nuance. Laws aren't black and white, they're many shades of grey.
If you're in the business of doing X, say programming widgets, then if you hire someone to do X (i.e, program widgets) for you, then that person will be an employee for all purposes of this law. Because they should be. They're literally doing your business activity for you, and there are plenty of legal reasons that you should be liable for their work--you're passing off their work as your own to the end customer.
OTOH, if you hire a contractor to program your back end, that guy wouldn't become an employee under the test, because you're not in the business of programming back ends. That back end may still be central to your business, but it's not your primary business activity (i.e., it's not your revenue-generating activity).
even if I closely monitor or specify how the work is to be completed.
This is the most misunderstood part of the ABC test. The ABC test doesn't require that the contractors have free reign to do whatever. It simply provides that a contractor should have free reign to accomplish the work unless the manner in which the project is completed is a relevant part of the contractual requirements. For example, specifying that a contractor program your backend in Node, with spaces instead of tabs, use git, and make use of specific AWS APIs, to match your standard coding practices in the rest of the project would be fine. Another example: telling a designer they must use Illustrator and specific design tools within Illustrator to match the processes or products of other designer work is also fine.
Monitoring work for purposes of quality assurance or quality control is also acceptable under the ABC test and is indeed even expected by the courts--not conducting QA/QC has been used as a factor indicating that the worker is an employee.
> OTOH, if you hire a contractor to program your back end, that guy wouldn't become an employee under the test, because you're not in the business of programming back ends.
I have zero faith in the courts’ ability to distinguish this. In the case of Uber, their business is providing the back-end, and their revenue is a commission for doing all the back-end work. They are not in the business of driving cars — no Uber employee drives a car — and yet this bill would make the car drivers employees.
Similarly, I would have to expect someone working on any instrumental part of the product which generates revenue will fail the ABC Test.
If my product is a web API and I hire contractors to port my library to 17 different languages, pretty sure that is failing the ABC test.
If my product is food ordering, and I hire contractors to key in local restaurants’ menus into my database...
"I have zero faith in the courts’ ability to distinguish this. In the case of Uber, their business is providing the back-end, and their revenue is a commission for doing all the back-end work. They are not in the business of driving cars — no Uber employee drives a car — and yet this bill would make the car drivers employees."
I find this an interesting interpretation of how Uber defines their business. If Uber only provided the back-end for their work, the common consumer wouldn't know about Uber, you would know the driver directly and reach a deal with the driver directly. I would relate this most closely to things like in China where you can pay via WeChat or elsewhere with Square where they just facilitate the transfer of funds. They would be a distant party to the work actually being done.
Instead the average consumer knows Uber, goes to Uber with the goal of fulfilling their need of getting personal transport door-to-door, and the act is delivered by their contracted driver. They expect Uber to handle the complaint escalations, money handling, route planning, and basically everything related to that goal. If Uber provided only backend you could create your own frontend/theme to Uber for your local town (like you would a wordpress for a SMB) and create a business around just that. While there may be some back and forth on interpretation I think the real test is that based on all those steps that have to happen if the ride itself was omitted from all the services they created would Uber still be able to function and the answer is no which would make it part of the "usual course of the hiring entity's business." If Uber (not counting their other lines of business) didn't actually arrange rides for people, they aren't a company providing a marketable service anymore.
If the CSS was omitted from my website it wouldn’t function very well either.... But I still think I should be able to hire a web designer on a contract basis to setup my CSS.
This is exactly why I think the ABC test is so disingenuous. It papers over the whole reason contracts are great — providing a single well defined service for a fixed price, and then moving on with life without worrying about a million regulations and forms and paperwork and insurance and hiring practices and workplace blahbity blah.
I think the sunsetting is very premature. Python 3 became a stable and viable alternative only since 3.6.1 (look at the evolution of async/await before that for example). Giving it 2 years is definitely not enough for enterprise (unless their focus is startup, tinkerers and data scientists)
Loads of open source and commercial projects have already made the switch to python 3 years ago. If all of them could do it, so could your org. No excuses, you've made your bed, etc.
It looks like a volumetric attack from this tweet. Wikipedia needs to use Verisign BGP mitigation. They create GRE tunnels to your routers and are capable of handling 2Tbps. During an attack, you make a BGP announcement and the traffic goes via Verisign scrubbing/tunnels. No application changes are required, no Matthew Prince selectively and benevolently enforcing CF neutrality. It's used by large banks.
After working with a few large corporations and their DDoS protection solutions, I did not have a good experience with Verisign, and they were not able to handle attacks or get things working.
However, I have great experiences with Akamai and Cloudflare. I trust the people at Wikimedia will choose wisely.
I would I have learned that Verisign has one of the worst BGP mitigation/scraping solutions out there.
There are a few alternatives that have more experience and provide much better uptime, include solutions from Cloudflare and Akamai.
Any serious mitigation solution must be BGP based, not proxy. Besides its technical merits and convenience, it also minimizes the risk of a benevolent controller (e.g. Matthew Prince of Cloudflare) ruining your company, because it becomes your upstream provider only during the attacks. Otherwise the GRE tunnels are not in use. The IP addresses are still yours always.
We used Verisign for mitigation of a 44Gbps volumetric attack and it worked very well. We also evaluated Neustar, but Verisign's infrastructure seemed to be more robust.
That's your requirement, but it might not be Wikipedia's requirement. Ownership of IPs is really a technical detail invisible to most people; ownership of eyeballs by way of the domain name and top Google result is probably more important. Cloudflare doesn't impact that ownership other than being able to temporarily take you offline if they choose to terminate your site.
Still, large proxy-based CDNs do have the ability to completely bypass all the same-origin protections in the browser. Even if they are angels and don't abuse this trust for identity theft and surveillance, it makes them a juicy target for bad actors, state sponsored and otherwise.
A proxy is a perfectly acceptable “serious” solution for this type of problem, as well as nearly all of the rest. Wikipedia is not the kind of website that would warrant being removed from Cloudflare. What’s wrong with having an upstream provider for caching close to the user and other features when you’re not under attack?
That’s not what MITM means. I get that you don’t like Cloudflare but voluntary use of a CDN isn’t a MITM any more than, say, Amazon is a MITM because you host on EC2.
Cloudflare is in between the client and the server, decrypting, rewriting and (if set up right) re-encrypting the request/response. It masquerades as the server by presenting a proper certificate for the domain even though it is not the entity that is actually controlling the domain.
That to me sounds very much like MITM, although it is not a MITM attack since the entity controlling the domain opted into it, so basically it is voluntary MITM.
Using a VPS like EC2 is a different story since the decryption happens within the layer that you control. Of course you need to make sure that you choose a vendor for that layer that you trust, but on EC2 the traffic that amazon sees is encrypted with keys they don't have and decrypted with keys stored on a layer that I control. Amazon could read out the memory of my EC2 to get the keys but their business depends on not doing so, so in this case either I have a vendor that always will decrypt and read traffic (Cloudflare), or a vendor whose business depends on hypothetically being able to but not doing it. There is a clear difference to me.
That is the same for most CDN's (including CloudFront and all the other major offerings), so I'm not trying to single out Cloudflare.
If you don’t trust Cloudflare, don’t use them but there’s no meaningful security distinction between what they do and what AWS does: in both cases you have a vendor with the capability of violating your security and a promise that they won’t abuse that access.
This is why having a threat model is so important: it keeps you from wasting effort on things which sound like security but aren’t actually changing anything meaningful.
There is a security distinction, and this has been shown by for example cloudbleed. Every step that has access to plaintext data is a potential attack vector and might be logging/leaking information.
Cloudflare’s business also depends on not messing with your traffic, right? It would certainly be easier for them to get your users’ content than for Amazon to do the same, but I think you still have to accept that risk with either. “Hypothetically being able to but not doing it” isn’t a whole lot of confidence if I were hosting some kind of shady website.
Sure, but since Cloudflare’s business is actively "messing" with all your traffic, all the time it's a smaller technical step to do it some more, and can also lead to accidents like cloudbleed. Every step that has access to unencrypted data is a potential attack vector or might be logging/leaking data.
You upload your private SSL key to Cloudflare for example. And I was talking about hosting on your own hardware/colos like most large sites do (7x cheaper than AWS list prices on avg)
Please specify in detail how you believe that’s an MITM using the standard industry definition. In particular, consider whether “attack” and “voluntary business agreement” are synonyms.
Breaking open encryption to monitor activity between users and other sites is a completely different thing than having a provider handle hosting for your site.
A better comparison would be Cloudfront and Application Load Balancers since you can expose your own ec2 server or load balancer and be e2e encrypted (unless AWS wanted to run commands on your instance, which they could do, but that's a different threat vector entirely).
That was the model I had in mind but it’s not really a meaningful distinction since the host could almost certainly compromise those servers as well. In any case, you’re trusting a third party rather than having their involvement maliciously imposed.
The originalcontent was posted on IG. 8ch took the reposts down when it became known that it was connected to the real shooting. Watch the video with the 8ch founder explaining (unless YouTube took it down too). Matt was preparing for the IPO.
You appear to be extremely mad that anyone questions the power of political pressure and an angry mob.
Look, you can feel however you like about whether the high-profile takedowns are right or wrong, whether the CEO's promises after the Daily Stormer are hypocritical — but let's be clear-eyed about placing a site in a position where one outside person can do it real harm. The question you should look at is whether the risk is actually acceptable for your organization.
By your statement then reddit was complicit with the Russian trolls during election season because the bitcoin trolls who evolved into trump trolls were not punished in the slightest (I have a list of 300+ usernames that are still active today)
The point is that Reddit tries to moderate, which is good enough for their providers (AWS/Fastly).
The 8ch takedown wasn't actually due to issues with moderation, since (at least based on the owner's video) 8ch removed the post, actively responds to real law enforcement requests, and the original post was actually posted to IG. The issue was that CF was getting enough bad press, and more importantly enough calls/concerns from real Enterprise clients (this is speculation on my part), to take down the website.
That's a valid stance but they didn't host the website; they only provided DDOS protection for the actual host (which proceeded to drop 8ch once CF stopped providing the protection).
> It looks like a volumetric attack from this tweet. Wikipedia needs to use Verisign BGP mitigation. They create GRE tunnels to your routers and are capable of handling 2Tbps.
Great way for a state actor to intercept your traffic. little bit of volumetric dos and the target themselves responds by tunning through your partner(s).
>no Matthew Prince selectively and benevolently enforcing CF neutrality.
What's the logic behind this? It's still a single point of failure and relying on a corporation. If the daily stormer or 8chan tried to use them, they would probably kicked off as well.
CloudFlare has strategic business partnership with Baidu [1]. They are very likely to cooperate with the chinese government to implement the great chinese firewall.
Additionally, helping to block Wikipedia because China says so is much easier to excuse than blocking 4chan - they would just be complying with local regulations after all.
The cloudfare 8chan action was based on a direct link with multiple actual mass-shootings. Moreover, as they took the decision they went to great pains to explain this was an exceptional case.
Going from that to 'undesired political speech will be censored' requires more of a slippery cliff than a slippery slope.
> What is this "direct link" you speak of? Did the shooters plan/recruit/organize their attacks on 8chan?
Legally, a "direct link" is irrelevant, you can rarely find a "direct link" between two of anything. What matters legally is whether 8chan was a "proximate cause" in creating the mass shootings. Whether one thing is the "proximate cause" of another is often pretty difficult to discern.
However, as a helpful guide towards determining proximate cause, lawyers ask whether one thing was the "but for" cause of another, i.e., would the mass shootings occur "but for" 8Chan? Put another way, if 8Chan did not exist, would these shootings occur?
Unfortunately, we do not have an alternative reality to play out events without 8Chan, so we cannot know for certain, but we can use evidence (e.g., 8Chan chats, how the shooter interacted with 8Chan and others on the service, etc) to try to simulate that alternative reality. All of this analysis also needs to consider related issues like freedom of speech on public forums and any commercial interests.
I'm not saying 8Chan is guilty or innocent, just that the existence (or lack thereof) of a "direct link" is pretty meaningless.
So FB's internet peers should depeer Facebook then in their routers, since the original material (the stream) was on FB? Or you prefer your justice selective?
you're not really engaging with his point. Effectively banning 8chan by removing network protection does not just restrict extremists; it restricts anyone who used that forum.
Ultimately, such matters should be prosecuted by courts. It is inappropriate for organisations like cloudflare to leverage their position within essential network infrastructure to start editorialising what passes through their network.
It is inappropriate for organisations like cloudflare to leverage their position within essential network infrastructure to start editorialising what passes through their network.
No, I think it's entirely appropriate.
"Don't troll" and methods for dealing with trolls has been a thing all sites have done since the internet was invented. I don't see any difference here at all.
Cloudflare blocking people that abuse the network is legitimate (e.g. spam, denial-of-service), just like it is legitimate for forum admins to block people that abuse the forum (trolling, explicit posts).
But cloudflare, or any other network infrastructure provider, shouldn't be determining permissible content for websites because they are not hosts/administrators for that content.
It is like a postal service reading your letters and then saying "we don't like what is being said, so you can't send letters anymore." They can and should stop people sending dangerous materials by post, but they should not be determining permissible content of letters.
See, I think 8-chan itself is a troll, and it is entirely reasonable to deal with it by refusing to provide service.
It is like a postal service reading your letters and then saying "we don't like what is being said, so you can't send letters anymore." They can and should stop people sending dangerous materials by post, but they should not be determining permissible content of letters.
No it's not. It's like FedEx declining to deliver for a company which continues to cause it problems, or refusing to service Amazon[1]. Or like Visa refusing to service businesses which have lots of charge-backs.
if 8chan was cut off because they were subject to extensive network attacks and cloudflare did not see any profit or value in serving them then I am ok with that. I just don't think that's the reason.
I expect that a different site with the same contract and payment terms, subject to the same attacks would have continued to be protected. maybe I'm wrong but it looked like a political decision, not a business decision.
It's not just supporting. Taking a neutral stance on censoring these things, or not being adequately proactive on hate speech, is now seen as condoning. You either censor your user base, or upstream will censor you. Gone are the days of "The net interprets censorship as damage and routes around it." The new policy is "The net interprets wrongthink as noise and filters it out."
It’s not censorship: they are not suppressing information, they just aren’t allowing their resources to be used to spread it.
It would be “censorship” if they actively antagonized any attempt to spread the information, such as by lawsuit or DMCA notice. They are just refusing to participate.
And given that the “information” is definitively known to be child pornography and violent white supremacy propaganda presented as news, I would personally say refusing to participate is the only responsible action.
> Gone are the days of "The net interprets censorship as damage and routes around it."
But it's clear that it matters just what's being censored. Surely you wouldn't say the same trite clever-sounding hackerspeak if we're talking about censorship of threats, assault and child pornography, would you?
They are beyond a certain line; some very-very far past it, some just crossed it. It makes them unsupportable by any corporation that aims to look decent.
Genocide has been and still is a political tool. It is extreme, but ultimately something that people consider and carry out as part of political processes, not a special category of its own. And realpolitik is to continue dealing with countries that practice genocide. Consider Burma or China.
Cloudflare simply has the luxury of choosing which politically disagreeable parties they do not want to associate with because they are insignificant customers.
Pretending that this is not due to differences in politics and moral judgment is semantic smoke and mirrors.
Anyway, the point is that they are not a neutral carrier/providers. Unlike banks or telecoms which are required by regulation to accept any legal business. CF styles itself as neutral infrastructure, until they decide they are not.
The risk of getting deplatformed due to someone's moral judgment is quite real, even for an entity such as Wikipedia. For example they were blocked in the UK because the Virgin Killer album cover landed it on a block list used by major ISP.
I didn’t say it wasn’t political, but it’s not just undesirable for immediate political reasons — it’s undesirable for nearly universally-agreed moral and ethical reasons. So implying it’s only inconvenient for politics is, in my opinion, misleading.
The political tends to encompass or at least subsume the moral and ethical aspects, as I tried to allude to with the realpolitik aspect.
But again, this is just a tangent. The core argument is that it is best not to rely on providers that have the freedom to make political/moral decisions who they deal with because that freedom makes them susceptible to moral denial of service attacks. You are one moral outrage away from being deplatformed.
The argument made here is there is a chance (however minute) that the same can happen to something like Wikipedia because of some misplaced sense of morality, like say - we don't agree with wikipedia edits and editing process which we see if offending certain sections of X population. It does not matter how right their reason is. The fact that providers like cloud flare are in such position to take a moral high stance is not right ...
There's plenty of specialized providers which provide this service, Verisign is one of many.
The issue with on-demand BGP mitigation is that an attacker can do short attacks on and off over a long period of time. Each time the mitigation kicks in, BGP propagation takes at least ~1 minute and will cause some downtime. Proper protection is always-on without requiring redirection.
Looks like they are starting to get seriously concerned about projecting non-monoplistic "fair competition" image. Unfortunately most devs know it's not the case in reality.
The trick with shorting is timing. Sometimes financial indicators continue growing for 2-3 years after the company peaks. Apple cider vinegar anymore perhaps decay but it's unclear where the markets would price this in.
https://www.raspberrypi.org/forums/viewtopic.php?t=128736
https://github.com/notro/fbtft/issues/432