Search results for:

is there the chance that when it does come out it'll provide some paths for lower compliance burdens on SMEs/single-person outfits? As I understand the CSAM scanning thing is still slightly in the air as the tech doesn't exist yet/is not widely available..?

From what was published two days ago that seems unlikely, the guidance was relatively clear (linked in the main shutdown thread first post)... a forum would come under "All Services" and "Multi-Risk Services"... and the Multi-Risk services include scanning of content (links, images), as well as additional moderation tools, and training for moderators, etc.

The burden I see isn't just the compliance risk assessment, but the actions needed to mitigate the risk identified.

I am old, so recall the https://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America trolls spamming Slashdot continuously for years... and I recall 4chan and 8chan forum invasions and the uploading of an overwhelming amount of porn onto other forums.

We cannot say that the risk is not there, and the Streisand Effect shows that once it's known how to weaponise the risk then it will be weaponised.

To really mitigate the risk we'd need a much larger team of volunteers, all very active... today if I went on holiday, hiking and stargazing, or did a work trip that took me offline as I'm too busy... it could be 1-2 weeks before I could respond to moderation requests. This is realistic today.

Under the Online Safety Act, whilst the material posted remains unmoderated, harm is caused and the risk is realised.

This is fundamentally my concern... I think there is a path for compliance, but it requires not just legal work, but technical work... on a platform that is a decade old and that only I know intimately today.

There is also a path for not making compliance necessary, which is just to leave it as-is in terms of technical capability (no scanning of content, etc), and to take it fully out of the UK (my involvement ends anyway, hosting moves to France or Germany, someone manages the money side from Europe, all UK specific sites shut down).

We do need to evaluate what would be required to consider the compliance path... but if we cannot meet that standard and no-one wants to take the full liability, then what's the path to just keeping the international side of things and breaking all links with the UK?

Another offer turned up yesterday by a company in the US to give us a shelter... it all works, but only if links to the UK are broken (though I'm inclined towards an EU shelter instead).

Fwiw, I have a docker file that can be used to deploy the Django front end

The old crappy code? you know how to deploy it?

Wow... you achieved what I did not :D I like your style.

If you make it an anarchist collective in Europe for an international audience... then the only bit to solve is the money... for which I very highly recommend OpenCollective EU.

I'll emphasise again... the money is the PITA.

I can move the servers to Germany, hand over the keys to some Europeans, shutter the obviously geographic and UK focused forums (Islington CC, Brixton CC, etc)... and move LFGSS to being post-geographic (plausible as a lot of traffic is international, US being very prominent, and Tor seems to be hitting us hard at the moment).

The load balancers could be deployed anywhere and considered disposable, with Tailscale or another Wireguard VPN connecting to wherever the website actually ends up being hosted.

This could easily be an international anarchist collective with no clear owner, and nothing in the UK except for a minority of users.

But the hard thing will always be: Who pays the bills, how do they receive the money.

You can try the "be compliant" route... but read the details, you'd need to add CSAM scanning of attachments, far more moderation tooling, training for moderators... and prove you have all this stuff.

There's a lot of technical work, social work, needed to be compliant. It's not just the risk assessment, as a forum that takes user generated content and provides user-to-user services... we're in the "All Services" and "Multi-Risk Services" buckets of the Ofcom compliance... so if people are serious about keeping something alive, you really have to answer "Are we going to comply and accept that risk?" or "Are we not going to comply and just shutter the UK sites?"... the latter has a path to the platform living on as an international thing that serves international audiences. I'm sure there might be some UK users, but it wouldn't be the focus or intent, and the platform should just outright deny service for UK specific forums (hence you'd still have to shutter Islington CC, Brixton, etc... but could keep a post-geographic LFGSS, PignoleFixe, Espruino and other things)... it would trim the platform to a core few sites, but would be able to live on until such a time that the Europeans also implement a dumb law.

What's the cost breakdown of the 800 per month and can it be reduced without meaningful impact to the service?

£800 per month is what I recommended try to be raised on an ongoing basis by getting just shy of 250 people to donate £10 every 3 months.

£10 every 3 months minimises the impact of payment provider fees on smaller donations. (There is a single person who donates £1 per month, less than half reaches the account... it's such a waste, it's actually more donation to PayPal than it is to LFGSS).

250 people gives a far better spread of donors, and given that almost 10% expire out every 3 months will provide a bit of a buffer.

That amount should mean that over time you accrue a larger buffer, but never need to hit anyone's personal credit card to pay a hosting bill.

We presently have around that number of donors... but, most are doing £3 or £6, and based on the frequency and higher % of payment fees on the smaller donations, it means we're only getting about £300-350 per month... which is why I top it up every month.

The real breakdown of costs today:

• Linode $375 per month for the virtual machines, backups of the virtual machines, and the object storage (currently shy of 1TB for attachments), we received free bandwidth as part of the VPS costs which allows 22TB of traffic, we typically use about 6TB per month as we are very cache efficient. AWS would wipe us out on bandwidth from the account, and from the object storage.
  
• Tarsnap $25 per month for a remote backup of the database
  
• Twilio / Sendgrid $126 per month for 100k emails and a static IP to send them
  
• Some domain names... approx $100 per year
  
• An SSL cert that is wildcard at $250 per year (as I could never work out how to get certbot and LetsEncrypt to do wildcard + SNI for other FQDN at the same time)
  
  

Some of those costs vary due to exchange rates, but basically $501 per month in fixed monthly costs, another $30 per month in annualised costs... $530 per month being the estimate roughly being £420 per month in intrabank exchange rates... add roughly 10% lost to payment fees and forex rounding up that happens because I never figured out early enough to just pay all the bills from a Wise account... roughly £460 per month at the moment.

Donations bringing in roughly £350 per month, and you see the £100 shortfall... hence I just pay all the bills from my personal account, and draw the PayPal money into that account and absorb the loss. Some months someone will donate £50 or £100, and those months I don't subsidise it.

My rough summary here and recommendations here:

• The hosting is very cheap, there's a lot of headroom, but it's not obvious that reducing the VPS devices would be a smart thing to do (they have too much CPU, but the LB needs the disk space for cache, the DB needs the memory, etc)... given that I don't even know how to deploy the old Django... leave it where it is with Linode, but we can move it to Germany and out of the UK.
  
• The money side could easily be dramatically improved... just have an Open Collective EU account, receive donations there, provide the transparency I never managed to with PayPal... and then pay the bills from a Wise account and reimburse that person... this is very very easy to run, especially if an EU citizen runs it.
  
• Add a new service, a shared Protonmail email or Migadu for probably $100 per year per user/role, and give the volunteers access to that... i.e. have a "admin@microcosm.app" email, and make it accessible by a cohort of volunteers... and avoid having a single named individual as the owner anywhere. You probably only need 1-2 email addresses to cover everything, a Fastmail account might even be sufficient.
  
• Encourage each volunteer to have a password manager like Bitwarden, share credentials via Signal and store in local Bitwarden accounts.
  
• Pay for multiple cheap frontends around the World in various hosting providers, all using a Wireguard VPN or the like to connect to wherever the servers are ultimately hosted... this is probably another $100 per month... and we'd just make the DNS round robin to them because they're stateless caches, if any were taken out, the others would be fine.
  
  

Edit: Updated 2024-12-20 as I added a server to help support the archiving efforts.

Also Winchester bike hub CIC has offered to be an umbrella for us.

@eespark

I'm trying to write an article but @Velocio hasn't responded to my DM asking for an interview. I'm trying not to take it personally.

I replied eventually

Only thing I can think of is a carve out for sites under a certain size. Anyone have any better ideas?

That's so I've asked for, run by individuals or below a certain size

wondering why we'd -chosen- to do this?

oh we made good choices, it was everyone else that stayed in who should question theirs

Ah, I remember you and that massive yellow bike on a Bridges ride.

the Bridges ride that was just you and I, and the rain.

You're probably right, a single hetzner server plus object storage can do this... But then you have to manage hardware in addition to software. I wouldn't choose that

I skimmed past the bits about sites that monetise users (and this would be that), but yes it introduces a difference.

If you changed nothing at all cost-wise today... £1 per person per month would be enough.

But... not everyone donates, at peak only 300 people did, and PayPal and other payment providers will take their cut (20p or 5-10%, whichever is greater or something like that)...

So the ideal is something more like £10 every 3 months, for ~250 people to yield around £800 per month, and therefore always have a little more being accumulated such that you have a buffer and if you ever need to add a server, there's the money to do so.

You could keep it donations based, no paywall, if ~250 people signed up to a payment structure like that.

This was what I always aimed at, but as people's payment methods expired, etc... well, I just made up the difference and didn't both to do a focused fundraise in recent years.

If I were doing this now, I would 100% set up an Open Collective https://opencollective.com/europe most bills are in € or $, and I would have someone pay the bill on a Wise card, and then be reimbursed from Open Collective... with Open Collective taking the donations, and showing how much is in the bank, etc... the transparency I wanted to give, but couldn't do via PayPal.

It does look possible to have "officers" in other countries, the servers and systems all over the place, the money running through OpenCollective EU, an entity in US/France/Switzerland... and only volunteers and users in the UK.

Note: even in this scenario... I would step back and fully yield all control. For a collective to be successful, I should reduce myself to an advisor at most, just to point out how things work technically, how situations were approached, etc.

Other threads of conversation:

• Seth from Bike Index (US based) is offering to take the legal entity under their control.
  
• Pignole Fixe are considering a France based entity.
  
• The servers can be moved to Germany quite easily (closer to where the attachments are stored too).
  
• A privacy advocate has proposed a Swiss entity.
  
• Some lawyers/legal types on LFGSS have a DM thread and are considering the compliance side.
  
  

Missing from all conversations is the financial side.

The financial side is critical, it's very boring but it's critical... if you don't pay the bills then the servers get turned off, simple as that.

Something I had considered is OpenCollective, but the risk was that migrating PayPal subscriptions to a new system would too significantly reduce the income, and as it was not quite enough anyway I just didn't ever do this. I think if a collective is formed, if people fill all other roles, then the collective should assign a secretary and start afresh on OpenCollective. We limp month to month at the moment, so I'm confident we'll hit the end date with an empty bank account, a fresh fundraise based on the desire of people to keep the forum alive would likely enable this to be successful and finally get the forum to having several months money in the bank (because now other forums like Pignole will contribute a bit too).

Blue Plaque ride, going around London putting up guerilla plaques of important forum locations. Sponsored and funded by Ofcom.

I wouldn't want to discourage such behaviour.

Sorry, encourage.

"the code":

• https://git.dee.kitchen/buro9/microco.sm landing site
  
• https://git.dee.kitchen/buro9/microco.sm-bootstrap styles
  
• https://git.dee.kitchen/buro9/microcosm main API and database
  
• https://git.dee.kitchen/buro9/microweb Django web ui
  
• https://git.dee.kitchen/buro9/microweb-bootstrap styles
  
  

Yes, the Python is that old... no it's not Python 3, no I don't know how to upgrade Django, if and when it needs surgery I would now do so on the production server... I don't know how to deploy any longer.

The Go code is where all the changes really happen, deploying that is a bash script that does an scp of the single binary.

Oh, and technical things.

• The software is fully open source under AGPL.
  
• The database is PostgreSQL
  
• The website is a very old version of Django (no longer supported, difficult to install)
  
• The API and the bulk of the site is Go
  
• A load balancer and cache is implemented in nginx <-- the Nginx config is not in source control but does a lot of lifting so probably needs to be in source control.
  
• Attachments are stored in S3 compatible object storage
  
• Email is sent via Twilio/Sendgrid
  
  

There are 3 servers that do the majority of things:

• LB = Load balancer and cache
  
• WPY = Web Python runs Django
  
• API = Go backend and the database
  
  

To reduce costs it is actually just 3 main servers, but each slightly beefier than they need to be... I found this more cost efficient a few years back so turned off the others... but it's easy to clone to scale horizontally if ever needed

The servers make use of iptables to ensure that only they can talk to each other and that nothing else can talk to them.

Then we use external services to run other things:

• Object storage is Linode
  
• Email is Sendgrid with dedicated IP address
  
  

the servers all run Linux, some of it is old (the Django server runs an old Ubuntu from a decade ago), and some of it is new (the LB runs a modern Debian, the API a modern Ubuntu).

all work is done via the command line when needed... probably less than an hour per week.

if a team of technical people formed, I would teach them how it's organised and grant access, etc.

and you were witness to its first utterance.

I'm not sure relying on my memory is a wise thing.

But I can't disagree with the need for a blue plaque.

Is it possible to do both, concurrently, and overlap at some point?

do as kid you say?

fixieskidders.com appears to be available should anyone want to add it to their collection of unused domain names.

high potential for unintentional misreadings though... what is this "fix i es kidders"?

Avoiding the "giving false information" point would require everyone to have to submit significant documentation to prove their identity, and this would need to be held somewhere, which is unworkable for many other reasons

It also doesn't work for me who operates the site, I no longer use my birth name, and more of my identity is now as Dee. I wouldn't provide my deadname to be in a public register, and yet to not do so is also a crime under the Online Safety Act.

Being a trans person running a moderately sized platform for forums has unexpected consequences it seems.

It's my own fault, I put "London" in the name and made it appeal to people within an area, rather than calling it fixieskidders.com and just not having a clue where anyone lived or accessed from.

Also, I'm old

Ah, welcome to the club... that'll be most of us nowadays

I am already talking to https://wiki.archiveteam.org/ about a full site (public facing content) preservation.

are you on a VPN? can't join on one... the links do work

well there's a Bridges thrown in too!