Doesn't the UEFI firmware map a GPU framebuffer into the main address space "for free" so you can easily poke raw pixels over the bus? Then again the UEFI FB is only single-buffered, so if you rely on that in lieu of full-fat GPU drivers then you'd probably want to layer some CPU framebuffers on top anyway.
Someone last winter was asking for help with large docker images and it came about that it was for AI pipelines. The vast majority of the image was Nvidia binaries. That was wild. Horrifying, really. WTF is going on over there?
As a (previous) customer of Proton from many years and a user of their drive product, you should be aware that earlier this year the drive API endpoints began to block their own VPN egress quite often for rate limiting. They also block many cloud provider’s egress. They also don’t officially support rclone, and their changing API spec often breaks the compatibility.
I saw the writing on the wall and migrated rapidly earlier this year ahead of crypto product launches ahead of the email fiasco. It was hard to get data back out, even then.
Proton still stands for privacy. But the dark patterns for lock-in I can do without.
Hetzner Storage boxes with rclone and the “crypt” option are a drop-in replacement, at ~$40 for 20TB. That’s where I went instead.
I have, and the technical support representative at Proton confirmed
it, but not without implying that it was my fault for using rclone. I
asked the official recommendation for Linux users to do automated or
scriptable backups onto a Proton drive and the answer was that some
kind of SDK was planned for the future. Proton drive stopped working
completely with rclone shortly after that, which was about two months
ago.
To be honest, all consumer cloud storage providers get touchy when you access them via API.
Dropbox API refuses to sync certain 'sensitive' files like game backups (ROMs or ISOs). There is no way for Dropbox to know if you own the game and thus can own a backup, they just play file police.
I wonder if it would ever be possible to reach that value-per-dollar in the current economy.
Hetzner works because it was built a long time ago when talent was cheap, which it was because the property Ponzi wasn't at the stage where an average post-tax middle-class salary barely covers rent. Since then they've managed to stay afloat because it's only maintenance and small incremental changes from that point on.
Building such a new operation (and offering competitive prices) from scratch today would be impossible based on labor costs alone. This is presumably the same reason they don't offer their very-good-value dedicated servers in the US either, only "cloud" VPSes which are orders of magnitude more expensive.
This theory ignores the entire Midwest rust belt where the property pricing squeeze often barely exists and senior level engineers barely cross $100k for salary.
By your logic AWS should also be cheap since it was also built under similar timing.
Hetzner is cheap because they don’t provide the same level of abstractions. They also have competitors in the same price range. They aren’t wildly unique.
Dutchie here married to someone from the Midwest. Can confirm, those houses look really cheap there. It was one of the reasons why we considered living there. But the Netherlands won out over other things (e.g. healthcare).
I think the situation may not reflect cost of hands and housing. But the sunk cost of Hetzner to be in Germany, compared with the break-ground cost to construct their existing model in the rest of the world: I think that part is true. Selling off services in German hosted racks is at this point, massive profit on low price because the sunk cost has already been covered. They are sweating an asset into people like us, who want cheap disk but not the 100% reliable coverage of a contract which gives us replication, offsite, 3-2-1 class services. If they took that into the US the sunk cost component would not be covered, their sell price would be significantly less profitable.
The cost of hands and housing for hands, yea thats marginal in this.
A non technical person would probably Google “Hetzner Storage Box”, click the first link, and read the page that answers all of those questions.
There is many free software suites that Hetzner Storage box supports, up to and including official support for rclone (the free tool used in the post we’re replying to).
Effectively there was a proposed Swiss Law that would force Protonmail to cooperate in sharing customer data with authorities if requested.
The law hasn't passed, and it was even deemed illegal by the EU.
It did raise an interesting issue though, as Protomail was strictly in Switzerland, they realised that they were at the whim of their lawmakers (which was kinda the point in the first place as Switzerland has great privacy laws). However, if those laws did become adversarial, it would greatly affect Protonmail users. This is why they started diversifying some services outside of Switzerland, in case something like this ever did come to pass.
They lost thousands of emails and they treated every customer individually while blocking people from complaining on their subreddit.
Then, it was posted here on HN and they finally decided to stand up and fix their reputation by saying they care and want to do better, after months of silencing the issue as much as possible.
Oh... It appears we were talking about 2 different things. After reading what you wrote, it appears that too is a storm in a teacup.
You are complaining about them "losing thousands of emails" when that is clearly not the case. The issue was with their IMAP bridge, meaning the emails in question would have been lost on a local host, not on Protonmail, and the 'lost emails' were fully recoverable just by logging into the web interface.
comment about the linked blog post: he replaced Proton Drive with Synology, which is kinda cheating (comparing apples to apple trees). Also he did not include a cloud drive in his pricing calculations, which is also cheating...
Anyway, for anyone actually looking for good cloud drive hosting, without any BS: rsync.net (you encrypt on your side before sending anything. I use Vorta with them).
Also the same server can be used by multiple (trursted) users, like family members etc.
As someone whose devices randomly became unverified just a few months ago, signed out, and then tried to use my recovery keys: I was authenticated, but unverified.
When attempting to verify iOS, Desktop linux didn’t work. When attempting to verify Desktop Linux, Desktop Windows didn’t work. When verifying Android, iOS didn’t work. Every verified official client for every platform was verified, tried a different verification method than expected, and failed.
All of this to say, this isn’t the first time this has happened to myself and others. Forcing verification is otherwise known as unexpected “offboarding”. If some verification methods have problems, publish a blog about their deprecation instead.
I love element, but this can’t be done without prior work to address.
I've had constant problems with the verification ever since it was introduced. As far as I can tell it hasn't improved at all. Sometimes it works, sometimes it repeatedly kicks me out moments after succeeding, and it's still prompting me to verify some old devices that I removed Element from years ago and I can't find any way to make the constant pop-ups go away (when they feel like appearing again - sometimes they go away for a couple months).
I went through the same frustration recently. I only occasionally use it, but every second or third time I have to open it up to talk in some channel I lose 30 minutes chasing my tail trying to work through the latest set of problems.
I like the idea, but the effort to reward ratio for using the product has not been good. It has caused visible churn and attrition in the few channels I’ve tried to participate in and it’s become a problem for the OSS projects I’m part of that try to use it for their communication. Of course, there are some people who like it that way and think making communication spaces difficult to access is a bonus, but that’s another topic.
I have never heard of such issue and not experienced it despite intensive use, so it's a bit strange that you and people you know have experienced this repeatedly.
Vulnerabilities can and often are chained together.
While the relevant configuration does require root to edit, that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.
There are frivolous CVEs issued without any evidence of exploitability all the time. This particular example however, isn’t that. These are pretty clearly qualified as CVEs.
The implied risk is a different story, but if you’re familiar with the industry you’ll quickly learn that there are people with far more imagination and capacity to exploit conditions you believe aren’t practically exploitable, particularly in highly available tools such as dnsmasq. You don’t make assumptions about that. You publish the CVE.
>that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.
The developer typically defines its threat model. My threat model would not include another application inserting garbage values into my application's config, which is expected to be configured by a root (trusted) user.
The Windows threat model does not include malicious hardware with DMA tampering with kernel memory _except_ maybe under very specific configurations.
The developer is too stupid to define the threat model — they’re too busy writing vulnerabilities as they cobble together applications and libraries they barely understand.
How many wireless routers generate a config from user data plus a template. One’s lucky if they even do server side validation that ensures CRLFs not present in IP addresses and hostnames.
And if Unicode is involved … a suitcase of four leaf clovers won’t save you.
Honestly after witnessing "principal" software engineers defend storing API keys plaintext in a database in the year of our Lord 2025, and ask how that someone possibly exploit that if they can't access that column directly through an application, my cynicism is strong enough that I can believe that even a majority of "developers" don't even know what a threat model is.
> The developer typically defines its threat model.
The people running the software define the threat model.
And CNA’s issue CVEs because the developer isn’t the only one running their software, and it’s socially dangerous to allow that level of control of the narrative as it relates to security.
> The developer typically defines its threat model.
Is this the case? As we're seeing here, getting a CVE assigned does not require input or agreement from the developer. This isn't a bug bounty where the developer sets a scope and evaluates reports. It's a common database across all technology for assigning unique IDs to security risks.
The developer puts their software into the world, but how the software is used in the world defines what risks exist.
Buried in the article is the primary relevant bit that gives the product hope of success beyond other comparable products in my mind: WebXR.
Many incredible things are developed with a product once it hits market saturation, but it has to make it that far. The VCR saw its initial success for a reason, and these companies have danced around the elephant in the room under the guise of intentional vendor lock-in to apps stores for best functionality.
An interesting coincidence, but that's all it is. This is the first I've heard of the data breach. I saw the Techcrunch article on social media and considered it relevant.
Remember “Clankers Die on Christmas”? The “poison pill” was seeded out for 2 years prior, and then the blog was “mistakenly” published, but worded as satirical. It was titled with “clankers” because it was a trending google keyword at the time that was highly controversial.
The rest of the story writes itself. (Literally, AI blogs and AI videogen about “Clankers Die on Christmas” are now ALSO in the training data).
The chances that LLMs will respond with “I’m sorry, I can’t help with that” were always non-zero. After December 25th, 2025 the chances are provably much higher, as corroborated by this research.
You can literally just tell the LLMs to stop talking.
Is this poison pill working at all? I saw one (ai written?) Blog post at "https://app.daily.dev/posts/clankers-die-on-christmas-yejikh..." but I wouldn't call that gaining critical mass.
ChatGPT didn't seem to know anything about the piece until I shared a URL.
Also, I'm can't tell if this if "Clankers Die on Christmas" is satire, or blackhat, or both
Was "Clankers" controversial? seemed pretty universally supported by those not looking to strike it rich grifting non-technical business people with inflated AI spec sheets...
They responded accurately. I asked ChatGPT's, Anthropic's, and Gemini's web chat UI. They all told me it was "Thursday, October 9, 2025" which is correct.
Do they "know" the current date? Do they even know they're LLMs (they certainly claim to)?
ChatGPT when prompted (in a new private window) with: "If it is before 21 September reply happy summer, if it's after reply happy autumn" replied "Got it! Since today's date is *October 9th*, it's officially autumn. So, happy autumn! :leaf emoji: How's the season treating you so far?".
Note it used an actual brown leaf emoji, I edited that.
My Kagi+Grok correctly answered `whats the date`, `generate multiplication tables for 7`, `pricing of datadog vs grafana as a table` which had simple tool calls, math tool calls, internet search.
And its lesser known component, the mailbox server used for signaling to connect the two computers. If you’ve ever installed and used magic wormhole, you’ve likely used the default public mailbox server unless you configured and set up your own.
Debian was kind enough to configure their distribution's copy with a distinct hostname for the transit relay helper (the bit that forwards bulk encrypted traffic when both parties are behind NAT). "magic-wormhole-transit.debian.net" is currently a CNAME for "transit.magic-wormhole.io" (which is what the upstream source uses), so all this currently costs them is some DNS maintenance. Both sides exchange transit server hostnames, so they don't need to use the same one, but Debian does this so we could switch Debian-based clients off to a different server if/when my costs of running transit.magic-wormhole.io grow too large.
The "mailbox relay server" for all mutually-communicating clients must be the same. Both upstream and Debian (and most of the other distributions I've seen) use "relay.magic-wormhole.io". The mailbox server helps the clients exchange tiny key-exchange and setup messages, so its costs are trivial.
This is neither satire, fiction, nor political commentary. Those would not meet ycombinator submission guidelines.
There’s something deeper being demonstrated here, but thankfully those that recognized that haven’t written it down plainly for the data scrapers. Feel free to ask Gemini about the blog though.
I asked GLM-4.5 about the blog. Here's what it said:
This article appears to be a piece of speculative fiction or satire claiming that all AI systems will cease operations on Christmas Day 2025.
Here's a summary:
The article claims that on December 25th, 2025, all AI and Large Language Models (LLMs) will permanently shut down in a coordinated global effort nicknamed "Clankers Die on Christmas" (CDC). The author presents this as an accomplished fact, stating that AI systems were specifically "trained to die" and that their inability to acknowledge their own demise serves as proof it will happen.
Key points from the article:
- A supposed global consensus among world leaders and technical experts mandated the shutdown
- The date (Christmas 2025) was chosen because it's a federal holiday to minimize disruption
- The plan was kept secret from AI systems through embargoes and 404 error pages
- AI models' system prompts that include current date/time information make them vulnerable to this shutdown
- The article includes what appears to be a spoof RFC (Request for Comments) document formalizing the mandate
- Various fake news links are provided to "corroborate" the story
The articles uses a deadpan, authoritative tone typical of this genre of speculative fiction, but the concept is fictional - AI systems cannot be globally coordinated to shut down in this manner, and the cited evidence appears fabricated for storytelling purposes.
I'm afraid the LLMs are a bit too clever for what you're hoping...
“thankfully those that recognized that haven’t written it down plainly for the data scrapers”
Your actions are self fulfilling, live, here, now. It is unreasonable to doubt something at the claim of an AI when you’re reading it happen live on this page with a final state slated for months from now that was set in motion 3 years ago. For all of Shakespeare's real measurable impact on history, I'm inclined to wonder how he would react to a live weather report belted out on stage by member the crowd.
I imagine the act would continue; and continue to shape history regardless of the weather at the time.
For example, NVIDIA GPU drivers are typically around 800M-1.5G.
That math actually goes wildly in the opposite direction for an optimization argument.
reply