
Indeed. As an end user who browses behind Tor frequently Just Because, this is actually welcome news. Solving captchas to access sci-hub was a frequent pain point.

As a developer, I'm willing to try and help sci-hub secure their network against DDoS or other malicious traffic, assuming this was their reason for using Cloudflare services, and assuming sci-hub were to open source some of this effort publicly.




Your heart is in the right place. Freedom of information, and access to it, is a critical human right.

There is, however, a possible catch. As a developer, there's a sharp limit to what can be done purely in server-side software to mitigate a DDoS attack. Some classes of attack rely on particular kinds of server-side vulnerabilities, and against these your skills are very valuable! I'm sure your contributions of skill would be most welcome.

But against pure bandwidth-flooding attacks, it's more likely that writing more code is of at best marginal benefit. The state of the art for responding to these requires a big network, a lot of bandwidth, and active management. Things difficult to deliver as a lone developer who cares deeply.


Just want to say that your style of argument has me in awe. It feels close to the patronizing line, but it's obviously not.

I think you just assume the best from people and I really like that.


Thank you. I appreciate that.

Mostly I assume people mean well but suggest silly things because they're ignorant. Reading Dale Carnegie taught me that you have to tell people they're right and stroke their egos a bit before you can imply that they might have the wonderful opportunity to become more right.

It's honestly exhausting to implement. It's a lot of hoops to jump through to tell someone that they don't actually understand what they're talking about. However... most people do not typically respond well to being flatly told they're wrong. Explaining how and why they are wrong does not generally improve matters, as people usually stop honestly listening as soon as they hear "You're wrong".

As you say, it does run the risk of coming off as patronizing. It's hard to avoid that entirely, as different people sometimes have drastically different standards.


>As you say, it does run the risk of coming off as patronizing. It's hard to avoid that entirely, as different people sometimes have drastically different standards.

Definitely. I read your post as very patronizing (even though I agree with it) because you started with "Your heart is in the right place." That's just a sugar-coated way to tell a child "nice try but you're extremely naive". IMO it's better to skip telling someone they are wrong like a child and skip right to the rebuttal without including any references to the parent author (an ad-hominem).


In the abstract, I agree with you. In practice, I've found that a lot of people react to being treated that way in the same way they might react to being slapped. This is not always the best way to further a productive conversation.


They actually taught us this in Business English class. They said we should do this when talking to people from the States which was really weird for us since most Europeans said they find it patronizing.


I wonder if it could be done in a less grating way? I agree with the general idea of affirming the good in others' viewpoints, but I do find GP's phrasing patronizing. Why not something like:

I agree, and I think there'd be a lot of developers who feel the same way (re: wanting to help, valuing freedom of access to scientific information). I wonder, though, if there's really that much we can do as developers. There are of course some vulnerabilities that can be mitigated with good code on the server, but most attacks are impossible to prevent without the resources that a company like CloudFlare can marshal. Unfortunately, the state of the art for responding to DDoS attacks requires a big network, a lot of bandwidth, and active management.


Ideally, I'd like to be able to say "Your offer is well-intended, but of little value against the kind of bandwidth-flood-type attacks CloudFlare is very valuable against. This is because the solution to that problem is servers and bandwidth, not more devs hacking things out server-side."

But, obviously, I did not. What I've found is that, if you run light on the praise and ego-stroking, people often either view it as token and ignore it or skip past it entirely. It's a fishhook that lets you smuggle your actual points past defensive mechanisms. You have to set it deep before it's actually useful.

And then you have to wrap your point in completely unjustified uncertainty anyway, to be sure that whoever you're interacting with doesn't feel attacked. People who feel attacked generally aren't listening to, engaging with, or learning from your points.


Makes sense! I tend to take the "wrapping your point in uncertainty" approach, without all the ego-stroking. Nothing against ego-stroking; it just seems hard to make it feel genuine enough for it to work. Most comments (mine included!) contain little enough insight that any praise more intense than "good point!" or "agreed!" or "that's totally right!" feels somewhat disingenuous.


Oh I absolutely agree. Which is why I specified that it should be an open source project. And I wasn’t thinking so much server side code to protect against DDoS but orchestration scripts and test suites to help create some form of redundancy offering some level of resilience.


The source code is relatively uninteresting. The power of cloudflare is in having the servers.....


richardwhiuk completely nailed it.

Orchestration scripts and test suites are of minimal value here. They already exist for pretty much every configuration you might need, and already in open source ways. Open sourcing the tools is of very little value in meeting the needs of a site like SciHub in protecting itself from DDoS attacks. What's actually needed is servers and bandwidth.

Which is to say your heart is in the right place. You have the right ideas, and it's wonderful how much you care! It's just possible that the need at hand might be other than a maximal fit for your skills.

I hope this conversation has been as educational for you as it has for me, and thank you for the opportunity to engage!


> As an end user who browses behind Tor frequently Just Because, this is actually welcome news. Solving captchas to access sci-hub was a frequent pain point.

When using Tor you had the possibility of using captcha-free SciHub with their own onion service: http://scihub22266oqcxt.onion/ (it's down for now)


Yes it appears, AFAICT, that has been down for quite a while. In fact I’ve never gotten the onion service to load. I’m assuming malicious traffic at some point.


You can access Sci-Hub at https://5ly.me/scihub .



