Hacker News | jwitthuhn's comments

"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.

This whole article seems to conflate hosting an informational site run by the attackers and hosting the attack itself.


In The Before Times, there were very few problematic DDOS operations because... they would all DDOS one another offline. Websites, control infrastructure, anything.

DDOS protection services were provided by companies like Akamai; call for pricing, big companies only, absolutely no anonymous sign-ups.

Cloudflare revolutionised the industry by providing free DDOS protection to anyone, including DDOS-for-hire services. Preventing them from DDOSing one another offline really let the DDOS industry take flight.


It's been a well known story around Cloudflare from the beginning that they protect booters and other cybercrime actors just like any other (paying or non-paying) customer.

If you report the DDoS-for-hire actors that offer their services on forums where such things are offered openly, they reply with a template that freely interpreted says something along the lines that they can do nothing and who is a criminal is .. like, just your opinion, man (checks notes) they say here they are a legit load tester operation, so nothing really we can do.

You can say they entered the scene because DDoS exploded in popularity, but you could just as easily make the argument it was the other way around. Make of that what you will but they sure made a lot of money from the same booters they protect their customers from.


So "big companies only, absolutely no anonymous sign-ups" should be the only ones able to put stuff on the internet without fearing that a random teenager can take your site offline for days just because they're bored?

No. Nobody said that.

Cloudflare should simply enforce basic rules, like "don't run a cybercrime storefront", rather than letting criminal operations like this proliferate.


How? Their sign-up flow would have to change dramatically. It might even become a process that is internally "expensive". There is likely one or more managers in charge of this decision and they don't want it. Additionally the current universe rewards the current situation (for them)

This is called KYC and is a standard part of operating a financial service. Seems to me like it should be part of internet infrastructure services as well. And, I thought, in some cases already is?

... and financial services companies huge and small still go out of their way to help their clients move money around in a myriad of ways, because it's very lucrative and there are so many loopholes and ways to obscure things. Offloading the responsibilities of law enforcement and regulatory bodies to private companies makes things worse for everybody. Providing non-crime services to criminals should not be a crime any more than selling a candy bar to a criminal is. As long as you aren't actively aiding or covering up for a crime, not reporting criminal activity is not even a crime in many areas, and if KYC can effectively identify criminals, law enforcement should be able to do it themselves.

No fintech within reach of the US government is going to give money to terrorists under sanctions on the SDN without facing severe fines/consequences. That various groups have faced consequences for giving money to terrorists is a sign of the system working, not that it doesn't work. No system is going to be 100% perfect, but the US is pretty serious about having no one they have control over sending money to eg North Korea.

Ok, terrorists and countries we've been at war with for 70 years. What about drug dealers, mafias, hitmen, corrupt politicians, white collar criminals, scammers, etc? Criminals that actually threaten Americans? Nobody cares about whether terrorists or whatever tinpot dictator can get funding through US banks, because the CIA is bringing pallets of cash to them anyway.

KYC is useless as a regular user. I hope it never infects industries outside the financial system.

Why care about them hosting an info page for anyone? Cyber criminals supposedly can host it a billion other ways so why care?


Plausible deniability is all they really need. Asking companies not to make money in very likely to be legal ways will never work. If these people are really doing illegal business in plain sight it should be easy for law enforcement to catch them.

The danger with this is that you're asking cloudflare to know more about you and your website and to be more ready to take websites offline. That's a monkey paw if I've ever seen one.

Seems like they could use Tor onion sites just as easily tbh.

Why don't they?

Good question—they should?

Or maybe not, I’d rather have more Tor sites that aren’t questionable content. It’s a great tool for hosting even personal sites if you appreciate privacy and resilient infrastructure.

(The great thing, though, is nobody can prevent you, or anyone, from hosting your site there.)


Why didn't those companies use Telegram?

You mean if CloudFlare didn’t protect DDOSers, CloudFlare wouldn’t be able to provide as much service to the victims ?

I have no insight into this particular case/incident, but I do have to deal with a lot of http traffic management, and I've lately been seeing Cloudflare IPs show up a lot more often in my logs for probes and nuisances, and not because the traffic is being proxied (or at least, it doesn't have the CF-Connecting-Ip header).

Used for these attacks, dunno, used for some attacks, yes. (But CF still remains a much less frequent nuisance than pretty much any other infrastructure provider.)


One of the types of services Cloudflare provides goes by the name "Warp". Calling it a VPN is only wrong in ways that don't really matter — it has the effect of causing client traffic to appear to originate from a different IP address to the one they're notionally connected to the Internet via.

I also found this confusing. And given how thorough and precise the author was with other elements, it seems like a deliberate gloss.

Yes, agreed these are very different things. Also I'm not really sure the argument holds, there are plenty of AWS Command and Control hosted servers and AWS victims, is AWS to blame or blackmailing? The answer is a large no.

AWS does have an abuse department though, and if you're in that space, you can send them abuse reports and they'll do something about that.

Linux users and FUD. Name a more iconic duo

I need scissors, 61!

Must have been having a stroke...

Could you cite the specific law that makes it illegal for someone to export their thoughts?


Each sector has its own laws for that (nuclear, defense, dual-use techs, etc).

Take any knowledge you’d like with you in your head.

Now think what is going to happen if you export these thoughts from your mouth to your North Korean best friend.

Now the same with Israeli best friend.

Same laws, just one extra entry on the list arbitrarily made by politicians, not independent courts.


It's not their thought, it's core technology created under PRC registered entities before Singapore switcheroo, which makes their IP PRC origin and under purview of PRC according to PRC law. For actual law, article 13 of PRC 2020 export control. Basically catchall provision / blanket ban hammer (for cases of new tech like AI agent), i.e. presumption of denial / ban.


USA has banned the export of some EDA software from Cadence/Synopsys to China.

Therefore the export-control laws of USA obviously make illegal the export of "thoughts".

An even more clear example is that any US citizen who knows classified information or even just a trade secret of some private company and who would tell that information to China would do something illegal.

In this case China argues that the IP has been created in China and its transfer to Singapore does not make it eligible for transfer to USA.

This is the same argument that USA has used multiple times in the past, e.g. for forbidding ASML to sell equipment to China and for forbidding TSMC to have Chinese customers for its advanced fabrication nodes, despite the fact that in both cases the IP that originated in USA some time ago was only a very small part of the products sold by those companies.

If USA may do this, then China is certainly also entitled to do the same. This is not whataboutism, but both countries must be treated equally, either such actions should be forbidden for both under the international laws, or they should be permitted both to do whatever they please.

There is absolutely no doubt that USA is the country who has invented this concept that its laws can be applied outside its territory and they can be applied to things that are the property of non-US entities, as long as they have any component, no matter how small, which has originally been sold to them, directly or indirectly, by a US entity.

I consider any legal interpretation of this kind as abusive and ridiculous, but no American may criticize a foreign country that does nothing else except imitate what USA does.


The checkboxes inform the model as well as the user, and you can observe this yourself. For example in a C++ project with MyClass defined in MyClass.cpp/h:

I ask the model to rename MyClass to MyNewClass. It will generate a checklist like:

- Rename references in all source files

- Rename source/header files

- Update build files to point at new source files

Then it will do those things in that order.

Now you can re-run it but inject the start of the model's response with the order changed in that list. It will follow the new order. The list plainly provides real information that influences future predictions and isn't just a facade for the user.


And when it doesn't, it politely apologizes, at least :)


If the LLMs run by these people are turning up real bugs then their confidence in touching kernel code seems pretty earned, imo.


I've been using qwen-code (the software, not to be confused with Qwen Code the service or Qwen Coder the model) which is a fork of gemini-cli and the tool use with Qwen models at least has been great.


My favorite as a kid was also in a Zelda game.

In the original (and maybe also DX) release of Link's Awakening, the game uses a top-down view with the world split up into tiles. Walking off the left side of a screen makes you end up on the right side of the next screen over.

What you could do is pause at the right frame on the screen transition, and you would end up on the new screen but Link's position would not change. So you walk off the left side of a screen and end up on the left side of the new screen. Lots of fun to be had with skipping important stuff with that.


I've been largely using Qwen3.5-122b at 6 bit quant locally for some c++/go/python dev lately because it is quite capable as long as I can give it pretty specific asks within the codebase and it will produce code that needs minimal massaging to fit into the project.

I do have a $20 claude sub I can fall back to for anything qwen struggles with, but with 3.5 I have been very pleased with the results.


How much VRAM do you need for that?


Not OP, but I ran 122b successfully with normal RAM offloading. You don't need all that much VRAM, which is super expensive. I used 96gb ram + 16gb vram gpu. But it's not very fast in that setup, maybe 15 tokens per second. Still, you can give it a task and come back later and it's done. (Disclaimer: I built that PC before stuff got expensive)


128GB on a mac with unified memory. The model itself takes something like 110 of that and then I have ~16 left over to hold a reasonably sized context and 2 for the OS.

I do have a dedicated machine for it though because I can't run an IDE at the same time as that model.


I squeeze Qwen3.5-122B-A10B at Q6 into 128GB. It's a great model.


Wow what kind of hardware do you have? Mac Studio, dgx spark, strix halo? How fast is it?


Strix Halo, I'm seeing performance in line with these results[0].

I'm interested to investigate the claimed gains from the lemonade-sdk port of Apple MLX inference[1].

[0]https://kyuz0.github.io/amd-strix-halo-toolboxes/

[1]https://github.com/lemonade-sdk/lemonade/issues/1642


It only potentially saves money for people on API pricing, it exhausts tokens faster with no benefit for users on the Claude Code subscription. Those users had their cache TTL reduced from 1 hour to 5 minutes and are saving no money because they were not paying based on the cache time in the first place.


So they were not "pressured" but Atari contacted them and they proceeded to make this decision because they "needed to balance Atari’s commercial interests".

That sounds indistinguishable from being pressured.


I think they're saying Atari didn't threaten them but they both understood that they could have. Honestly it sounds like Atari were trying to be nice. Like "you technically aren't allowed to do that, and we could just set our lawyers on you, but we'd like to not do that while also making money on our re-release".

This seems like a perfectly reasonable compromise to me.


How is "I haven't talked to my lawyer yet but you know I could" not a threat/pressure?


In the same way that "you kids aren't allowed to skate here, but maybe if you do it over there I could just turn around and not notice you" isn't a threat.


"you kids can't skate here" is the threat part.


That's just stretching the definition of "threat" beyond its normal meaning.

If I tell my kids "it's bedtime" is that a threat?


If they say "no" are you gonna let them stay up?

If not then it may not be a literal threat but it contains the implied threat


There is no reason to assume they said that and all the reason to assume they didn't say that.


Reaching compromises with others is part of life. If the question is whether a copyright from 1995 should hold in this case, I would say no. But the world is sometimes not as we may want it to be. So taking that for granted, this seems like a very reasonable and mature resolution.


Indeed. It sounds like they were further pressured to say they were not being pressured.


The types of folks who make reimplemented game engines often do it as a labor of love towards the original. And the best companies often have great appreciation for their modding communities and preservationists. (Witness the good collaborations between some companies and SCUMMVM, for instance.) This may well have been a conversation that was entirely reasonable and respectful.


I just can't believe that given the outcome and the wording of the posts from the project. If there was respect here there would have been no threats. If there were no threats there would be no talk of "balancing commercial interests"

