IIRC he's said its from when he was a teenager on mushrooms.

That seems like a flight of stairs up.

Its long been known.

With all his experience I'm genuinely surprised he only managed to kill one guard.

Like the NYT suddenly cares about Palestinian women.

For more than a century, Russia and the Soviet Union sought to weaken their adversaries in the West by inflaming racial and ethnic tensions.

FUCK ALL THE WAY OFF, NYT. DID YOU FORGET FRED HAMPTON? DID YOU FORGET THE FBI BLACKMAILING MLK?

🤙

Anubis forces the site to reload when doing the normal PoW challenge! Meta Refresh is a sufficient mouse to block 99% of all bot traffic without being any more burdensome than PoW.

You've failed to demonstrate why meta-refresh is more burdensome than PoW and have pivoted to arguing the point I was making from the start as though it was your own. I'm not arguing with you any further. I'm satisfied that I've convinced any readers of our discussion.

Well in most cases it would by Python requests not curl. But yes, forcing them to use a browser is the real cost. Not just in CPU time but in programmer labor. PoW is overkill for that though.

Anubis is that it has a graded tier system of how sketchy a client is and changing the kind of challenge based on a a weighted priority system.

Last I checked that was just User-Agent regexes and IP lists. But that's where Anubis should continue development, and hopefully they've improved since. Discerning real users from bots is how you do proper bot management. Not imposing a flat tax on all connections.

Then there was a paper arguing that PoW can still work, as long as you scale the difficulty in such a way that a legit user

Telling a legit user from a fake user is the entire game. If you can do that you just block the fake user. Professional bot blockers like Cloudflare or Akamai have machine learning systems to analyze trends in network traffic and serve JS challenges to suspicious clients. Last I checked, all Anubis uses is User-Agent filters, which is extremely behind the curve. Bots are able to get down to faking TLS fingerprints and matching them with User-Agents.

Its like you didn't understand anything I said. Anubis does work. I said it works. But it works because most AI crawlers don't have a headless browser to solve the PoW. To operate efficiently at the high volume required, they use raw http requests. The vast majority are probably using basic python requests module.

You don't need PoW to throttle general access to your site and that's not the fundamental assumption of PoW. PoW assumes (incorrectly) that bots won't pay the extra flops to scrape the website. But bots are paid to scape the website users aren't. They'll just scale horizontally and open more parallel connections. They have the money.

I've repeatedly stated this before: Proof of Work bot-management is only Proof of Javascript bot-management. It is nothing to a headless browser to by-pass. Proof of JavaScript does work and will stop the vast majority of bot traffic. That's how Anubis actually works. You don't need to punish actual users by abusing their CPU. POW is a far higher cost on your actual users than the bots.

Last I checked Anubis has an JavaScript-less strategy called "Meta Refresh". It first serves you a blank HTML page with a <meta> tag instructing the browser to refresh and load the real page. I highly advise using the Meta Refresh strategy. It should be the default.

I'm glad someone is finally making an open source and self hostable bot management solution. And I don't give a shit about the cat-girls, nor should you. But Techaro admitted they had little idea what they were doing when they started and went for the "nuclear option". Fuck Proof of Work. It was a Dead On Arrival idea decades ago. Techaro should strip it from Anubis.

I haven't caught up with what's new with Anubis, but if they want to get stricter bot-management, they should check for actual graphics acceleration.