Hacker News | mrweasel's comments

Hopefully there will be some post-mortem. It seems like we don't really see that many deliberate DDoS attacks anymore. Not that it doesn't happen, but they really don't provide that much value against a target like Bluesky (unless you really hate them).

I'd be interested in how the attack manifests. Is it an actual DDoS? Is it highly aggressive scraping? We should be able to see this in how the attack manifests itself. What are the sources? That's a little harder, but it would be interesting to know if it's compromised devices, residential proxies, rented cloud capacity or something else.


> It seems like we don't really see that many deliberate DDoS attacks anymore.

There are more now than there ever have been in number of infected hosts and total data volume.

The internet is a big place.

“On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”

Source: https://www.europol.europa.eu/media-press/newsroom/news/euro...


Assuming that this is in any shape or form correct, why hasn't rationing started? Six weeks at normal flight capacity is an insane amount of fuel, rationing it out for transport of critical goods and travel, will stretch it for years. If the plan is to just burn through the existing stock I'd argue that someone is acting incredibly irresponsibly.

From what perspective? The individual flight operators maximize their earnings by running as many flights as they can, and charging as much as they can. Individuals who need transportation also maximize their utility from the same thing.

Some flight operators are planning for shortages by canceling flights: https://www.theguardian.com/business/live/2026/apr/16/uk-feb...

Every business is prioritizing stocking up on goods they need already. They need transport to do that.


The cancellations are because of rising prices, that doesn't mean they can get fuel, just that the current price makes the destination unprofitable. (Technically this should free up some fuel).

But I was thinking from a political perspective, allowing airlines to just fly destinations that frankly aren't needed, like vacation hotspots, seems ill advised, if you truly expect to run out of fuel. The reality is that Europe won't run out of jet fuel, its airlines can pay for the fuel it needs, for the destinations it requires, but prices will go up. Poorer countries will run out, because the fuel is worth more in Europe and will be redirected.


Yep I myself changed my holiday plans from Tokyo to a nice Greek villa. Because I know that ticket prices for Asian flights will skyrocket. That's how scarcity is dealt with: raising prices.

Long term the government will have to look into reshoring some refineries I suppose.


> allowing airlines to just fly destinations that frankly aren't needed

What exactly is a "needed" destination and who decides that? Who is going to shoulder the financial loss for banning airlines from flying to popular spots?

If you ban airlines, why not other industries too? Why not private individuals too?

See? It's not that easy


[flagged]


And Taylor swift

Perhaps rationing has already started? My coworker and his family received notice today that their flight to France was cancelled. Part of the message said:

"The disruption is caused by extraordinary surge in oil prices followed by unpredictable fuel supply shortage constraints across the aviation industry outside our control. As a result, we are unable to operate this route in a responsible and sustainable manner."


It's not like Europe is actually running out of fuel. 20% of the world's oil passes through the Strait of Hormuz, but closer to 10% of Europe's oil imports. They get a lot of their oil from Norway, the US, Libya, Kazakhstan, etc.

Losing that much oil hurts. But it's entirely in the realm of what market forces can deal with. As storages empty prices rise, which lowers demand. There are already reports of multiple airlines suspending some of their flights because they aren't economically viable right now.


I think you are mistaking "oil" (crude oil) as a straight stand-in for jet fuel. The former is a raw material (one that has a lot of "flavors"), whereas the latter is one possible product from refinement of that raw material. It should be noted that not all refineries are set up to produce jet fuel, and not all crude oil is viable for making jet fuel. I don't know the details about Europe's mix on refineries and viable crude oil supplies.

As it happens, about 75% of Europe's jet fuel comes from the Middle East (I don't immediately have numbers for what of that goes through the Persian Gulf). That percentage puts it outside of the range you can correct with market changes (other than most flights don't fly... that is pretty drastic).


Sorry... should have included the reference:

European aviation is particularly exposed to the shortage of jet fuel, relying heavily on imports from the Middle East. Around 75 per cent of Europe’s jet fuel imports come from the region, making any prolonged disruption especially problematic for its aviation industry.

https://www.aljazeera.com/news/2026/4/16/jet-fuel-shortage-w...


As pointed out in the oil crisis article[0], the reduction that led to the 1970's oil shock was about 5%. Effectively eliminating 15% to 20% of global production capacity is going to be a pretty damn big deal.

0: https://en.wikipedia.org/wiki/1973_oil_crisis


Rationing in Europe is hard because thanks to free travel it has to be done in all of Europe all at once otherwise people are just gonna go and shop where it's more available, causing problems for neighboring countries, and doing anything at a EU level is incredibly slow and full of bureaucratic rigmarole.

The EU is by its construction a trade harmonization organization, it's not built for acting quickly and dealing with crises.


Because rationing isn't step one. Putting out a warning that rationing will be necessary if things don't change is step one.

Rationing causes serious problems. A warning in advance gives people and powers time to turn things around before rationing becomes necessary.


The distribution of jet fuel is not uniform. Some regions are unlikely to experience shortages while others are already rationing. Global supply chains aren't perfectly elastic, shortages are a local phenomenon. Rationing in the US, for example, wouldn't make sense because physical shortages are unlikely to exist there; the US exports jet fuel and has a completely domestic supply chain. Market prices will increase but the product will physically be there.

An airline can only schedule flights if fuel is guaranteed to be available at both ends. If they fly their plane to a part of the world experiencing severe shortages, the plane may become stranded there because there isn't fuel to fly it back.


KLM cancelled 80 flights today

160 flights (31 points, 12 comments) https://news.ycombinator.com/item?id=47795872

Due to cost, not shortage.

Is rationing really necessary when the price rises enough that people aren't flying anywhere anyway?

Only when the prices rise to the point that low demand leads to actual flight cancellations. The demand for fuel is much less flexible than the demand for tickets.

More than 6 weeks of refined product also tends to be hard to maintain - moisture, bacterial/fungal growths (really - especially in kerosene derived products), oxidation/gumming (usually more of a problem in lighter fractions like gasoline).

Even 6 month type stockpiles usually take special regular maintenance procedures.


True, but you can't afford the non-crappy one eventually. Basically everything in modern society trends towards either cheap, but shitty, or excellent, but insanely expensive.

Our problem is that there used to be a huge middle segment, where you'd pay extra, but you got better quality. That middle segment has more or less disappeared, because it requires a fair bit of volume to be sustainable. Initially we, as in society, got lured in by cheaper prices, and reasonable quality, supported by savings in running supermarkets vs. a butcher, efficiency gains or subsidies, maybe in the form of an ad here or there. Once we started expecting lower prices, quality started to go down, but restarting the "pay a little more, for better quality" segment isn't easy.


Also don't do it in San Francisco, I think it's an artificially easier market. The type of store wouldn't work in Bumsville Idaho.

Maybe that's for later, if this works out, but I'd love to see the AI attempt to run a moderately successful business in a borderline dysfunctional town in the Midwest. If you don't technically need to pay "the CEO" a salary, could you run e.g. a grocery store in a dying town? One, this would really test the AI on creativity, and it would perhaps tell us if these towns are just doomed.


San Francisco is one of the most brutally hard places to run a business, as evidenced by how competitive the landscape is.

What would have been actually interesting about this publicity stunt is if it demonstrated if/how AI could have dealt with some of the SF specific, non-sexy parts of running a business. Filing the relevant permits, co-ordinating inspections, negotiating with landlords, interfacing with locals at planning meetings.

Those are things SF business owners report as empirically unpleasant parts of running a business and a sufficient financial drag that they meaningfully affect business success. But my feeling is they had humans clear the way of all these thorny issues ahead of time so the AI could focus on the "sexy stuff".


>> If you don't technically need to pay "the CEO" a salary, could you run e.g. a grocery store in a dying town

You probably couldn't. I have seen a lot of small town stores that are run and operated by a single person. If somebody could run a business like that for a decent wage, they would be.

Adding AI to the mix on a high level position (for a single employee, who is the actual owner!) wouldn't help, it's just token burning. AI can find a sale on bananas, but a person at the counter can take feedback from the actual customers, and stock based on that.


You can leave the "almost" out. That was an absolutely deranged comment that completely ignores reality.

Expecting people to react to AI generated porn of them like it was real forever is what is actually absolutely deranged.

> It’s themable, hackable, lightweight

Certainly wasn't considered lightweight back then :-)

I never saw the appeal of Enlightenment, but a very nice write-up regardless.


No kidding. Last time I used Enlightenment back in the late 90s, both KDE 1.x and GNOME 1.x were orders of magnitude more usable on my lowly Pentium MMX 166 with 16 MB of RAM.

For a lot of projects that would be sufficient. I've worked on projects that "required" an S3 storage solution. Not because it actually did, but because it needed some sort of object/file storage which could be accessed from somewhere, might be a Java application running in JBoss, might be a SpringBoot application in a container, on Kubernetes, Nomad or just on a VM.

Like it or not, S3 has become the de facto API for object storage for many developers. From the operations side of things, managing files is easier and already taken care of by your storage solution, be it a SAN, NAS or something entirely different. Being able to backup and manage whatever is stored in S3 with your existing setup is a direct saving.

If you actually use a large subset of S3's features this might not be a good solution, but in my experience you have a few buckets and a few limited ACLs and that's it.


The language plays a role, but I think the best example of software with very few bugs is something like qmail and that's written in C. qmail did have bugs, but impressively few.

Writing code that carefully, however, is really not something you just do, it would require a massive improvement of skills overall. The majority of developers simply aren't skilled enough to write something anywhere near the quality of qmail.

Most software also doesn't need to be that good, but then we need to be more careful with deployments. The fact that someone just installs Wordpress (which itself is pretty good in terms of quality) and starts installing plugins from untrusted developers indicates that many still don't have a security mindset. You really should review the code you deploy, but I understand why many don't.


I was a qmail fanboi back in the day and loved how djb wrote his own string handling library. I built things with qmail that were much more than an email server (think cgi-bin for web servers) and knew the people who ran the largest email installation in the world (not sure how good they were about opt-in…)

Djb didn’t allow forking and repackaging so qmail did not keep up with an increasingly hostile environment where it got so bad that when the love letter virus came out it was insufficient to add content filtering to qmail and I had to write scripts that blocked senders at the firewall. Security was no longer a 0 and 1 problem, it was certainly possible to patch up and extend qmail to survive in that environment but there was something to say for having it all in one nice package…. And once the deliverability crisis started, I gave up on running email servers entirely.


qmail was a lot of fun, so was djbdns and daemontools, but you're right it failed to keep up and DJB's attitude didn't help.

We built a weird solution where two systems would sync data via email. Upstream would do a dump from an Oracle database, pipe it to us via SMTP and a hook in qmail would pick up the email, get the attachment and update our systems. I remember getting a call one or two years after leaving the organisation, the new systems administrator wanted to know how their database was always kept up to date. It worked brilliantly, but they felt unsafe not knowing how. I really should have documented that part better.


you have no idea how much your story made me smile today. thanks.

To me the question is more about why you'd do something. I'm sure that there's a lot of AI generated music I might enjoy, but I'm turned off by why it exists.

AI generated music isn't out there as some experiment by some artists, trying to make sense of something, make a statement, or just for the sheer enjoyment of creating something. It's there because of money. I know, there are exceptions, and I'm fine with those.

The AI music I'm against is the type that's made by the likes of Spotify, because they don't want to pay artists. It's music that only exists because Spotify would like to make more money. That motivation, to me, corrupts the product. AI music isn't created for the sake of creating music, it's created as a means towards a goal, money. I don't think that the management at Spotify particularly cares about music, it's just a means on the path to money. If they could be more profitable selling something else they would.

You can argue that a lot of bands solely exist because a record label wanted to create a profit generating device, or that some artists are artificially created and wouldn't survive without auto-tune and a media machine pushing their music. I think that's bad as well, but often many of these artists do have some level of talent and actually do care about music.


At least with your suggestions there's some chance that their newsletter won't instantly get flagged as spam.

I'd do what you suggest, but send the newsletter from a separate domain once subscriptions have been confirmed.


That one-time announcement is called an email. And therefore that first announcement itself can be flagged as spam.

And naturally, unless they click a link in the first email, gmail should consider anything subsequent to be spam anyway. They have no idea whether consent happened somewhere else or not.

The unsubscribe links must work without even opening the email, according to gmail rules.


What I'd be concerned with is that if you have never sent anything to these users, they might have forgotten where and when they gave you their email address and simply mark your message as spam.

We've trained users to not use "unsubscribe" because some spammers once used that to verify addresses, or they may simply click "Spam" because they forgot who you are and think you got their address illegitimately. Gmail also doesn't make unsubscribe as visible as "Spam", making flagging the easier option. So now Gmail will see some percentage of users manually flagging you as a spammer, tainting your sender. This is why I'd switch the newsletter to a new domain or at least a new sender address. That does mean preparing that new sender, giving it a bit of time to mature and sending a few emails to Gmail accounts you control and ensuring that they are not flagged as spam.

Probably also test with a list of Gmail accounts you control and check if you're tagged as spam and fix that, before doing the big push.


> I'd switch the newsletter to a new domain or at least a new sender address

Big Red Flag for the spam button: newsletter comes from a different domain than it links to.

Don't switch your newsletter to a new domain. Use your domain, or don't send it.

newsletter@yourdomain.com is totally fine.


As a gmail user who may or may not have had to enter an email address to do something on the web, and who gets annoyed by spam, let me describe my decision points (anecdote is not the plural of data, of course, but here I am) when it comes to "unsubscribe" vs marking something "spam."

If your email reminds me (upfront!) how and when and why I specifically gave you (and not some other third party) my email address, and promises that you are advertising this newsletter one time, and it is opt-in, and you keep your promise, I am highly unlikely to mark it spam.

Now, this presupposes that it was really me who gave you my email address. I have a fairly generic email address because I got on gmail early. There are many variants of it, but sometimes people forget to add the trailing numbers or letters, so I get misdirected email all the time.

If the misdirected email is personal, I usually respond letting them know of the issue.

If the misdirected email shows a clear understanding that I might not have been the one who really signed up then I give them a pass.

If the misdirected email blithely assumes that I am the one who signed up, then I blithely assume that its senders are too fucking stupid to use the internet and it goes straight into the spam bucket. (And this is usually an easy call because they use the name of the person with the similar email address, which is not my name. My email address is firstinitiallastname@gmail.com and there are many different first names that start with the same initial.)

Any failure on any of those other points starts to increase the likelihood of it being marked spam, and...

> The unsubscribe links must work without even opening the email, according to gmail rules.

So here's where I'm a hard-ass and maybe even worse than google's rules.

If I see the RFC8058 unsubscribe link, it is too late. I only notice that link after I've decided to mark your email as "spam" and google asks if I'm sure, or if I merely want to unsubscribe.

Why did I decide to mark your email as spam? One possible reason is that I read through it, decided that the sender legitimately had my email address and was acting honorably, and then clicked the unsubscribe link embedded in the email.

When I do that, one of two things happens. Either I get some form of "thank you, you've been unsubscribed" or nothing happens because the sender assumes that I am OK with them executing javascript on my computer.

This is a privilege I jealously guard and only reluctantly offer to as few websites as possible.

Even if I previously gave you my email address, that did not come with an open invitation to use my computing resources for your own purposes.


So by your own description, ANYONE sending you a newsletter, by complying with Google’s rules, they piss you off and make you mark their email as SPAM because, according to you, they made “javascript execute on your computer”. Actually, gmail is the one executing tons of javascript. The mandatory unsubscribe LINK uses HTTP, not even HTML. Google just requires that the unsubscribe be instant.

It is an unwinnable situation.

With all respect, why would I care what an impossibly hardass tech person would do if I sent them an email in an unwinnable situation? The vast majority of our users are not this technical, let alone a hardass HN denizen who advertises the fact that the mere compliance with Google’s rules will piss them off due to a misunderstanding of how unsubscribe works.

Here is what we might both agree on: email sucks. You shouldn’t be reachable by anyone who just has your address, and it is not your job to be vigilant. Then all these problems go away.


> So by your own description, ANYONE sending you a newsletter, by complying with Google’s rules, they piss you off and make you mark their email as SPAM because, according to you, they made “javascript execute on your computer”.

Are you deliberately being obtuse, or is it natural? I don't need to use gmail's web interface if I don't want to, but as it happens, I do let google's javascript execute on my computer.

> The mandatory unsubscribe LINK uses HTTP, not even HTML.

Two links are required. One in the header, and one in the email. As I wrote, if I read to the end of the email to make a decision, then I will click on the link in the email. Which often goes to a webpage with javascript on it.

> It is an unwinnable situation.

Did I write that I mark everything as spam? No? Why not, I wonder? Did it ever occur to you that if I am describing when I mark things as spam, that there are things that I don't mark as spam? No? Do you even read what you yourself write? No? You should try it sometime.

> With all respect, why would I care what an impossibly hardass tech person would do if I sent them an email in an unwinnable situation?

With all respect, if you wrongly believe the rules I gave are unwinnable, you shouldn't care. I won't be receiving further missives from you, and nature will take its course in determining whether I was an outlier or the canary in the coalmine.


To quote your own words:

>So here's where I'm a hard-ass and maybe even worse than google's rules. If I see the RFC8058 unsubscribe link, it is too late. I only notice that link after I've decided to mark your email as "spam" and google asks if I'm sure, or if I merely want to unsubscribe.

The way I read it, this is an unwinnable situation. We must supply this link, in order to comply with Google's rules. If you see this link, it's too late. You're marking it as spam. Because I may run javascript on your computer.

Having re-read it, it sounds instead like: you're likely to mark it as spam before you get to this link (even though the web interface surfaces the unsubscribe button right in the list of emails -- but you don't use that interface).

Well, I guess there is a narrow path to "victory": mention that it may have been someone else who signed up, then if you see the unsubscribe link, you click it, then I'm supposed to say "thank you" and not serve any javascript. Anything else, and you click SPAM. Or maybe you already did.


> The way I read it, this is an unwinnable situation. We must supply this link, in order to comply with Google's rules. If you see this link, it's too late.

That's an obtuse reading.

I am looking at the email. The email has a different link, mandated by the CAN-SPAM Act, in it.

Gmail has a bunch of icons at the top. There is not one for "unsubscribe".

So, I read your email, decide it is legitimate but I am not interested. I click on the link (not RFC8058) in the body of the email message itself to unsubscribe.

If that link takes me to a page that does nothing because it wants to execute javascript on my computer, then we are done.

Look, I'm not a terrible writer and this isn't that difficult.

> Well, I guess there is a narrow path to "victory": mention that it may have been someone else who signed up, then if you see the unsubscribe link, you click it, then I'm supposed to say "thank you" and not serve any javascript.

Oh, well, you did understand. Sort of. Except I view this as a common-sensical extremely wide path. If it's the first time that you're emailing me, you damn well better realize that it might have been a fake signup, and how the fuck am I supposed to know your intentions if you attempt to serve javascript? What part of removing me from your database requires you to execute shit on my computer?

And by the way, about this part of that statement:

> if you see the unsubscribe link

If you're playing "hide the link" then you've already shown that your intentions aren't honorable.

> Anything else, and you click SPAM.

I don't actually click spam all that often. Only on, you know, spam.

Look, you're the one who mentioned that you might have collected some of these email addresses 10 years ago. I'm just giving you a heads-up. Not only may they have forgotten about signing up, but the addresses themselves might have been recycled by now.

> Or maybe you already did.

Nope. I've been upfront and transparent. I thought you were being that way, too, given your first comment. I even upvoted it because I thought all the downvoting was a bit excessive.

But the intransigence and mischaracterization here is stunning.

Look, there are two possibilities here. (1) is that I'm not that extreme, in which case you're probably fucked. (2) is that, yes, I'm an outlier, and if you satisfy my needs, then you probably won't have enough emails marked spam to trigger google's filters.

Now, if you truly feel that my conditions offer only a narrow path to victory, then you're probably not really someone I should be offering this advice to in any case, because our interests are not congruent. My only solace is that maybe you won't take the advice and you'll receive a banning for your efforts.
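The two unsubscribe paths argued over in this thread, as an added example (not code from any commenter): the RFC 8058 header pair that a mailbox provider POSTs to, and the in-body link answered with a plain HTML form that needs no JavaScript. The endpoint URL, the secret and all function names are assumptions made for the sketch.

```python
import hashlib
import hmac
import html
import re
from email.message import EmailMessage
from urllib.parse import parse_qs, quote, urlsplit

SECRET = b"constructed-demo-secret"        # assumption: per-deployment key
ENDPOINT = "https://example.com/unsub"     # assumption: placeholder URL
ONE_CLICK = "List-Unsubscribe=One-Click"   # fixed value defined by RFC 8058


def token_for(addr: str) -> str:
    """HMAC over the address, so a URL cannot be forged for someone else."""
    return hmac.new(SECRET, addr.lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_url(addr: str) -> str:
    return f"{ENDPOINT}?a={quote(addr)}&t={token_for(addr)}"


def build_newsletter(addr: str) -> EmailMessage:
    """Constructed sample message carrying both unsubscribe links."""
    url = unsubscribe_url(addr)
    msg = EmailMessage()
    msg["From"] = "newsletter@example.com"
    msg["To"] = addr
    msg["Subject"] = "Constructed sample newsletter"
    msg["List-Unsubscribe"] = f"<{url}>"        # link 1: header, HTTPS URI
    msg["List-Unsubscribe-Post"] = ONE_CLICK    # marks it one-click capable
    msg.set_content(f"Hello.\n\nUnsubscribe: {url}\n")  # link 2: in the body
    # RFC 8058 also requires a DKIM signature covering both headers (not shown).
    return msg


def one_click_problems(msg: EmailMessage) -> list:
    """Return the reasons a message fails the RFC 8058 header requirements."""
    problems = []
    uris = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    if str(msg.get("List-Unsubscribe-Post", "")).strip() != ONE_CLICK:
        problems.append("List-Unsubscribe-Post missing or wrong")
    return problems


def handle_unsubscribe(method: str, url: str, body: str, removed: set):
    """Return (status, response body) for a request to the unsubscribe URL."""
    query = parse_qs(urlsplit(url).query)
    addr = query.get("a", [""])[0]
    token = query.get("t", [""])[0]
    if not hmac.compare_digest(token.encode(), token_for(addr).encode()):
        return 403, "invalid link"
    if method == "POST":
        # Sent by the mailbox provider, or by the plain form served below.
        if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
            return 400, "unexpected body"
        removed.add(addr.lower())
        return 200, "You have been unsubscribed."
    if method == "GET":
        # In-body link: GET changes nothing (link scanners fetch URLs too);
        # it returns a static form, so no script runs on the reader's machine.
        form = (f'<form method="post" action="{html.escape(url)}">'
                '<input type="hidden" name="List-Unsubscribe" value="One-Click">'
                '<button>Unsubscribe</button></form>')
        return 200, form
    return 405, "method not allowed"
```
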

