1. freeserver.com/~userna

2. username.freeserver.com

3. username.fs.com

4. username.tk

Then we grew up a bit and started paying domains :')

On the other hand, .tk was in my mind mostly associated with German hobbyists and piracy. I think my old StarCraft/CounterStrike clan had a .tk domain at one point.

On the other hand .tk is more something I remember in connection with spam and scam :D

I also miss tripod, not sure if its still around how it used to be. Angelfire comes to mind too.

Good times.

$7/yr for a domain was one of the very first internet purchases I made. Then that set me down a path of finding free dynamic DNS services. For a short time my website and Invision forum were only online when I was, but I felt like I'd beaten the advertisers.

One frame at the top with a banner ad and then your site below it.

fucking hell

there are people on this site that were born in the previous millennium! :O

you can't grep paper books, at best you can look things up in the index. even without ChatGPT I can ask Google and get stack overflow and just copy and paste without having to think deeply within minutes. if I'm just trying to get something out there, why do it the hard way? there's still need for the hard way (eg, I'm currently fighting Ida pro for a thing), but there's just less of a call for that.

(reference: https://cdn.vox-cdn.com/thumbor/mO8UICqmeSd97l09w_FgSP1TDPQ=...)

.tk was the only top level domain you could get without having to give them payment details or personal information.

It was a huge deal at the time for kids, students, and spammers.

They made their money by injecting scripts onto your pages to display banner ads.

https://web.archive.org/web/20010331143129/http://www.kliman...

SPOILER: I didn’t become a webdesigner

Heh. I remember thinking '©' and '®' being cool letters. I put it on every page since it looked pro. I guess you didn't actually register the "brand"?

On a good day sure, most days I would settle on me being a house elf, or dozer...

Probably not the smartest thing to do at the time since I may have opened up all ports on the router to get it to work, lol. No https. No security. No moderation. Copy and pasted some html from a site that I thought was cool, search and replaced text to make it my own.

It was kind of like a microblog before twitter, fb, ig, blogspot, tumblr.

Later on in the UK I put a site on a madasafish domain.

Looking back this could have been to slow robots down, but I distinctly remember one if the terms being you speak and host English content.

Another service I used a lot was " dominosfree" which had a bunch of .gs domains that looked like CC-tlds. I used .ca.gs a lot.

.tk was a blessing for us.

Name server changes are still done through email.

I think both of those pages were hosted in geocities and had pretty long urls...

Serious question, Heroku and .tk were such amazing services if you weren't old enough to get a credit card.

You can’t win with these people, I personally think this is the best outcome and shows our systems work (albeit slowly). Sure it took a while, but now there doesn’t have to be a precedent of Cloudflare acting as the internet police more than it has to.

This is the classic fallacy of assuming that because you see comments of type A and comments of type B on the same forum that means they're the same people. They're usually not.

A more accurate way to phrase this is "you can't win with ... people". Whatever you do will end up ticking off some subset of the population.

There are multitudes in every group.

(If people ask me about my political affiliations, I usually answer something like "Hamilton for president! Of maybe Jefferson."; this kind of statesmanship is hard to find now though.)

[1]: https://www.paulgraham.com/identity.html (It's short, read it now.)

Likewise, if you disagree with them, they instantly assume that you are with the other group. It is strange.

Pretty sad :(

That doesn’t change that people seem to think the top upvoted comments being contradictory from day to day represents some kind of inconsistency in the views of the commenters on this site.

It'd be interesting if you could point to a single example of someone taking both sides. I strongly doubt these are the same people.

This comparison actually highlights that there is no “system”, because some (imaginary) impersonal entity decides that those bad actors are allowed, and those bad actors are not allowed. Some public sensibilities are given as a reason, but no one is actually asking anyone's opinion on anything. Still, there are people who believe that Santa Claus brings presents for free, and that the whole thing is not governed by typical hypocrisy and typical politics behind closed doors. The thing is, you've built a turnpike, you can now bargain with people interested in sharing control over that turnpike.

People who want to live in a just world often get in the way of things. I'm just not sure why you're mad at those who want justice and not those who put profits above all else?

> that Cloudflare hosts these criminals

Oh.. it's not that they host them, it's that they go out of their way to protect them, and the profit streams associated with them.

"We do not host the website" was always there response, while that is perhaps technically true, arguing if they shut down the reverse proxying for that website it would be at least offline, never worked.

And if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.

Agreed. There's one other subset you didn't mention: "Clearly illegal but not yet handled in the court of law". Cloudflare again has a pretty hardline stance that "the courts need to come to us and force us to take it down"

"Hardline"? To me it seems like quite reasonable approach as opposed to "we will just take down anything someone on Twitter didn't like".

If you require a court ruling before blocking a fraud, it means you will keep hosting 99% of frauds.

I also doubt that Cloudflare lets every single analogous issue bubble up to a full court case every single time, but for new/unclear/borderline scenarios, I'm glad that courts don't get to outsource their duty, i.e. determining the legality of actions, to a for-profit organization without public oversight.

Isn't that somewhat of an oxymoron? What are some examples of something that is against the law but not handled by the courts of law?

So it sounds like the system works as intended, as far as I understand.

If the legislature doesn't like the court's interpretation, they can then amend the law and the process restarts.

So basically, at least in the US, nothing is clearly illegal until it is handled by a court -- so yes I think you're right

How do you end up in this limbo where you need critical infrastructure to play judge?

So they're criminals as far as the US and allies are concerned, but de facto not criminals where they live. If they're going to be locked out of the system, it has to be by the infrastructure, because their government has no interest in stopping them.

Do you ever think it's weird that we have gone through web 1.0, web 2.0, semantic web, intertubes clogged with spam bots, web 3.0: crypto edition, and the dawn of AI scraping, and we still haven't figured out these issues?

Would you want authoritarian governments to be able to demand Cloudflare stop serving those they consider criminals that are outside their borders?

International law is messy.

There is a procedure to get a foreign case recognized in the US, too, but it has to be serious, and it's not an easy process.

I again ask: is it desirable for any of those countries to be able to unilaterally force a company to enforce its laws regardless of where the individual in question is?

If CloudFlare chooses to do business in China, that's a choice they're making and it comes with consequences.

Maybe they can offer service where customers will only be served from equipment outside of China, maybe that's not something they choose.

They can easily order it to reveal the origin server of a website, or the sign-up IP address of the account, or to stop providing services to one.

I know, because I bought RX stuff from India and it did not get labelled as medication

To answer your question: most malware actors can be traced back to Russia, what exactly do you think "sending the cops" after them will accomplish and if the answer is "nothing", then does that mean you don't think they can be called criminals?

Our legal system is unfortunately not perfect, which is why it matters what infrastructure providers do.

Do they enable criminals by shielding them from the police? Or do they have policies in place that prevent abuse of their service?

With Cloudflare, I'm pretty sure they lean towards the former.

(This is also why, whenever you hear about e.g. police stings on Tor forums, they never mention requesting courts to issue warrants to ISPs for collection of e.g. traffic-analysis-correlation info about locations of servers hosting illegal content. Instead, this de-anonymization step is something they always have to achieve extra-judicially, usually by contracting a private network threat intelligence firm.)

Is the website illegal? Or maybe the police need to deal with spam calls more sensibly. Presumably they can trace where the calls are coming from in real life

I hope the CEO doesn't drink too much tequila tonight during the celebrations

I'm not sure in what way this is a "loss". I doubt cloudflare is losing money (or revenue) here. Especially if many of these domains are spammy, it seems like this is probably not much of anything for them.

I'm sure Cloudflare will be able to wipe away their tears of this loss using the extra dollar bills they have from reducing their bandwidth costs.

What time? What mitigations?

Cloudflare will proxy anything and then tell you "we're just a proxy, so we wont do anything lol" when you report anything other than cf pages. Doesn't matter if it's terror groups, animal torture, piracy, doxing, far right groups, etc.

I have personally submitted abuse reports and seen that absolutely nothing happens.

Oh and also the amount of abuse I see from people using Cloudflare Warp is also very high.

Cloudflare's policy is that if there's ToU-violating content being served through a Cloudflare-proxied domain, you can report it to request de-anonymization of the domain, so that you can then reach out to the actual host.

I've reported Cloudflare-proxied phishing-site clones of my company's website to Cloudflare, and they've usually come back to me with a pointer to the upstream-origin's ASN/ISP to reach out to within a few hours.

More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

That's quite surprising, since Cloudflare makes no such promises and markets Warp as a security/performance improvement tool, not an anonymity-providing one. I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.

Yes, because it is a free service, an easy and free way to just hide your ip address. You don't even need an account.

> I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.

Correct, this used to be the case, but no longer is as far as I can tell. But even with that, it was an issue for non-Cloudflare websites and services that are being attacked that aren't HTTP(S) (e.g. SSH)

Are they responsive at all to abuse notifications about their VPN users? Presumably the only thing they could even do is to block an upstream IP address, given that it doesn't require an account.

Kiwi Farms used their services for at least 6 years before anything happened.

Cloudflare had the insight that the more DDoS-for-hire services there were out there, the greater the demand for their services. Offering free DDoS protection to DDoS-for-hire services helps keep customers coming back for more.

I mean, you don't need websites to advertise. Most DDoS-for-hire services back before 2009 advertised on IRC, NNTP, via ads in .NFO files found in warez releases found on Kazaa and BitTorrent, and so forth. (Some of the very tech-headed ones ones had Freenet sites.)

As they say, extraordinary claims require extraordinary evidence…

If there's no abuse, nobody will pay their protection money.

Let's do Akamai, but cheaper. Trying to stop everything bad is impossible anyway.

Cloudflare will happily take money from and host (yes, host - they host, in spite of their rather stupid and completely disingenuous assertions that they don't) spammers and scammers. They do all the time, and they have no intention of changing that any time soon.

If you forward phishing spam to [email protected], guess what? Nothing happens. You get an automated response, but they do nothing about it. They expect you to visit a web page that has all sorts of intentional problems (intentional because they've been pointed out to Cloudflare and Cloudflare hasn't addressed them for years) that make the process arduous and time consuming. For one, they don't have "spam" as an abuse type. For another, even though they now literally host web content, and even though they're a domain registrar, if you don't paste in a URL pointing to a site hosted by their proxying product, then you can't submit your form. This means there's literally no way to complain to Cloudflare about domains for which Cloudflare is in WHOIS and SOA records, and for whom Cloudflare hosts DNS. The fields are limited to some particular size (2,000 characters? I forget exactly), and have issues where if you paste more than a certain amount of content but less than the hard limit, you can't submit the form. If you try to use the form more than once a minute or two, IT'S RATE LIMITED and you can't submit the form. Imagine that - they need to protect themselves from human-speed abuse reporting.

In other words, it's REALLY hard to use their site to report abuse to them, and they know this, and it's intentional, unless we want to believe that they just suck at understanding how to make a web page that works.

If they get enough complaints about a given phishing domain, they eventually take action, but it'd be after several days, which is more than the lifetime of a typical phishing campaign. In essence Cloudflare is one of the most popular phishing and spam-promoted hosting platforms because of Cloudflare's intentional foot dragging and claims to want to "protect free speech".

They got on my shit list years ago when they told me - not kidding - that they couldn't just take down a Bank of America phishing site when it was pointed out to them because of "free speech". In other words, they don't want to set a precedent where they can apply the tiniest modicum of common sense and take down phishing sites which any reasonable human on the planet can unambiguously recognize as fraud.

Bottom line: Cloudflare tells the world that there's SO much bad stuff out there, and you'll get in trouble if you don't use their products, and that's mostly true if you want to run phishing and spam-promoted web sites, so scammers and spammers use Cloudflare and are protected from those of us who would report those spammers and scammers.

For all the companies and individuals who use Cloudflare, many are fooled in to thinking they need Cloudflare when they don't and are just making their sites problematic for much of the non-western world while helping a wanna-be monopoly re-centralize the Internet around a for-profit company that has a history of profiting from scammers and spammers.

If anyone thinks Cloudflare legitimately protects the Internet by mitigating fraud and abuse, I'd be very interested to see evidence that doesn't come from Cloudflare that shows this.

2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on ever visit because of where they live or what browser they choose to use.

I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.

(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)

However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.

But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.

Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.

> Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.

Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.

I'd rather ICANN finally introduce .free, give a few years to alert everyone, and those developing spam filters can treat it how they want.

No, this is (obviously) contrarianism for contrarianisms sake.

It's good when entities facilitating crime stop facilitating it. No debate necessary.

Additionally, it's completely unclear what you mean by your proposal.

Airquotes aren't sarcastic, just, idk exactly what that combination of words means so I want to leave myself an out.

You are free to hand out domains for free to strangers, if you so desire.

Nobody stopped anyone from anything.

> Nobody stopped anyone from anything.

This is impossible, as we have just seen with the ICANN termination of Freenom. Turns out, the legal threats will kill it, even if other TLDs also have plenty of cybersquatting going on. There's realistically no way to repeat Freenom's success in giving out free domains without greatly heightened legal expenses now. It's gone, the fun is over.

Likewise, because of this legal pressure they will likely never allow a .free proposal -- which is to assign .free to an organization wishing to provide free domain names and foot the bill themselves, essentially becoming the LetsEncrypt of domain name registrars.

Essentially, yes. Freenom lost its registrar accreditation a few months ago, so all domain names will be forced by ICANN to go to another registrar. I'm assuming they saw no path towards getting it back, due to the difficult nature of complying with reporting correct registrant information for free users.

https://domainnamewire.com/2023/11/10/icann-terminates-opent...

They also just finished a $500 million settlement with Meta.

Someone said "Wow. It's bad they banned cars"

I said "No they didn't. It's good that seedy car dealership, the one that couldn't stop selling armored cars to Al Capone's crew for years, gave up and shut down."

You added "Cars don't kill people. People kill people."

But sure, yeah, there'd be some admin time spent managing it. As with anything, there are plenty of reasons not to do it. It struck me as a low cost-to-impact ratio thing that could get kids into tech, but reasonable minds could disagree.

It would result in rampant wildness and people complaining, but if you didn't do it that way the burden would be too high.

I was very happy about free TLDs back in the day as a teenager, since I could just try things out before having to convince my parents to let me use their credit card to register a proper domain name.

At a quick glance, many registrars and hosters seem to accept crypto, and anyone can buy prepaid Visa and Mastercard cards anonymously for cash for the ones that don't.

I'd be happy with that one shut down too.

I’m still of the fence with rust using .rs in important places which is fundamentally in control of the Serbian government. You’re going to have to trust the Serbian government with signing .rs DNSSSEC at minimum and I don’t.

But to your point, using a ‘off-brand’ can really hurt sometimes. `.af` might be a cute marketing tactic, but it’s actually Afghanistan, and the Taliban play by a different rulebook. I believe it was `gay.af` that found that out the hard way. Tons of other stories.

I started on the Internet in the (mid) 90s. Back then, it was already common among security conscious folks. A bit later, end 90s, you could buy a shell account for a couple of USD per month. You could run a BNC on it, or IRC client. It had various IPv4 with reverse DNS, this was called vhost. For example, you could end up with I.pwned.the.whole.eu.org and plays where TLD was part of word. Goatse.cx for example reads 'goatsex', Slashdot.org reads 'slashdotdotorg' or 'httpcolonslashslashslashdotdotorg', the founder of first Dutch consumer ISP Xs4all Rop Gonggrijp had gonggri.jp for ages (guess his email address). There are countless of examples.

You already have to implicitly trust the US government when it comes to anything internet-related as all of the critical infrastructure is, whether you like it or not, American, so you might as well set up shop within US control.

I really hope Tokelau chooses a reputable registrar going forward, and .tk becomes usable for serious people.

Not sure how common that is. But I don't think it's a given that all sites hosted on .tk domains are unwilling to pay, especially not if you consider that they must be somewhat popular if they need a CDN.

(The sort of personal homepage that most of us had back in the 90s would never need a CDN because it would get 5 hits per week.)

I don't think it will help reducing malware/scams/phishing. But it will hurt students and young people that want to start in en development and aren't able to pay for a domain.

https://www.name.com/partner/github-students

https://get.tech/github-student-developer-pack

https://nc.me/

But like we learned from .af, any of these TLDs technically meant for a country need to be considered ephemeral. You are sort of borrowing it without explicit (or lasting) permission.

To be fair, this is true of all domains. The broader concern with ccTLDs is this borrowing dynamic layered with whatever geopolitical situation the country is in, how stable the administering authority is with respect to the current regime, or just the political forces at work within the country that may lead to changes or requirements for the ccTLD within the country are registered. There is often a concern of DNS infrastructure and local bandwidth considerations for the data center in which the root nameservers are housed, assuming they are not outsourcing that.

Is this like "one can own land" but really that's asterisked with Eminent Domain (no pun intended)?

Understandable, but a loss all the same. I'll never forget how proud I felt as a kid when I first had a URL I could give to people.

When it because moderately successful, they didn't renew, and then wanted 50€/year.