-
my personal belief, which is certainly open to being challenged, is that the compliance route is hard today... it's not clear if we're Low or Medium risk, and we're almost certainly a Multi-risk service... it's not just completing a risk assessment, it's then about taking steps to mitigate the risk.
the steps we'd have to take are not just completing paperwork, but a mix of people, tech, process. that's a larger burden, and still some risk and the liability remains.
the tech option is attractive to me as a possible solution others take... because I know tech. and I know that no part of this service really requires any knowledge of location or nationality of the person accessing it... the only thing that grants it that are the person running it (me, I'm in London), where it's hosted (in London), the name of the site (London again), and the self-declared most visible users (London)... but LFGSS is huge, and it's not been about just London for a long while... and 3 of those things are trivial to change, I can stop being involved, the service can be hosted elsewhere, the name can change... and the last, where users declare that they are, maybe don't do that. as a technical exercise to put websites beyond the reach of a jurisdiction, there are lots of examples of this working... it does seem crazy to run a platform of forums as if it's the pirate bay... but this is what happens, when laws have side effects, things go underground, I have a better idea of how to do that and hand it over to someone, than I do of how to make the service fully compliant according to my current understanding of what would be needed.
of course a technical solution appeals to a techie.
-
I still don't understand why there's a need for hosting the site outside the UK and all the rigmarole that entails since most users will be in the UK
The point would be to shutter all UK focused sites (hyper specific and 100% UK such as Islington, Brixton, etc).
And to instead acknowledge that LFGSS has a global audience (yesterday 50% of all traffic was from the USA alone, about 20% of traffic is currently from Tor where I've no idea where it's from)... rename LFGSS to something that isn't London specific, and let it just be a site on the internet, not a site aimed at UK users. It's almost hilarious how many people posting about how sad it is are not even in the UK.
Then, alongside the large international fora in other languages, such as Pignole Fixe, etc... to basically go "no staff in UK, no servers in UK, not aimed at UK people"... and if the Europeans who pick this up do it in Germany and to comply with strict data laws there just disable all logging of country of access, etc...
... well, that would not be a UK service to UK users run by UK staff... in fact, it's way outside of the OSA and UK reach... but only by shuttering the explicitly UK oriented sites.
And honestly, if any user ever says they're in the UK... they should just be banned. Feel free to talk about the place, but internet users should be users of the internet.
-
Another thing that occurs to me—how can you moderate risk in PMs?
I can't... and DMs have been used to share shock images like Goatse, and some of those get reported.
The Act also covers harassment and stalking, and many would say that some people who bear grudges have done that on here, that it happens daily.
The Act also covers hate, and I myself have encountered transphobia, and every woman on here will show you the sexism everywhere, or the racism that is pretty much everywhere. It's subtle, but it's there.
There's no way we're a good place... we may be better than most, and more tolerant and accepting... but there's always some few who are present and also exhibiting the worst traits that drive the risk up... I cannot stop them, and tools proposed by the Act won't stop them either.
-
Welcome to the World for a forum moderator / admin.
The shit I've seen.
And some of the people on this site have done all manner of stuff for which I could've been held liable... they corrected their behaviour, but damn, that liability would've been real whilst they were in the throes of their anger and stupidity.
There was that guy only a week or two ago who wanted to be banned for essentially far-right statements, transphobic statements, and misogynistic statements... I banned him for spam instead as he'd trolled several fora... but still... this is not a zero risk, this is in fact the primary risk.
-
is there the chance that when it does come out it'll provide some paths for lower compliance burdens on SMEs/single-person outfits? As I understand the CSAM scanning thing is still slightly in the air as the tech doesn't exist yet/is not widely available..?
From what was published two days ago that seems unlikely, the guidance was relatively clear (linked in the main shutdown thread first post)... a forum would come under "All Services" and "Multi-Risk Services"... and the Multi-Risk services include scanning of content (links, images), as well as additional moderation tools, and training for moderators, etc.
The burden I see isn't just the compliance risk assessment, but the actions needed to mitigate the risk identified.
I am old, so recall the https://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America trolls spamming Slashdot continuously for years... and I recall 4chan and 8chan forum invasions and the uploading of an overwhelming amount of porn onto other forums.
We cannot say that the risk is not there, and the Streisand Effect shows that once it's known how to weaponise the risk then it will be weaponised.
To really mitigate the risk we'd need a much larger team of volunteers, all very active... today if I went on holiday, hiking and stargazing, or did a work trip that took me offline as I'm too busy... it could be 1-2 weeks before I could respond to moderation requests. This is realistic today.
Under the Online Safety Act, whilst the material posted remains unmoderated, harm is caused and the risk is realised.
This is fundamentally my concern... I think there is a path for compliance, but it requires not just legal work, but technical work... on a platform that is a decade old and that only I know intimately today.
There is also a path for not making compliance necessary, which is just to leave it as-is in terms of technical capability (no scanning of content, etc), and to take it fully out of the UK (my involvement ends anyway, hosting moves to France or Germany, someone manages the money side from Europe, all UK specific sites shut down).
We do need to evaluate what would be required to consider the compliance path... but if we cannot meet that standard and no-one wants to take the full liability, then what's the path to just keeping the international side of things and breaking all links with the UK?
Another offer turned up yesterday by a company in the US to give us a shelter... it all works, but only if links to the UK are broken (though I'm inclined towards an EU shelter instead).
-
I'll emphasise again... the money is the PITA.
I can move the servers to Germany, hand over the keys to some Europeans, shutter the obviously geographic and UK focused forums (Islington CC, Brixton CC, etc)... and move LFGSS to being post-geographic (plausible as a lot of traffic is international, US being very prominent, and Tor seems to be hitting us hard at the moment).
The load balancers could be deployed anywhere and considered disposable, with Tailscale or another Wireguard VPN connecting to wherever the website actually ends up being hosted.
This could easily be an international anarchist collective with no clear owner, and nothing in the UK except for a minority of users.
But the hard thing will always be: Who pays the bills, how do they receive the money.
You can try the "be compliant" route... but read the details, you'd need to add CSAM scanning of attachments, far more moderation tooling, training for moderators... and prove you have all this stuff.
There's a lot of technical work, social work, needed to be compliant. It's not just the risk assessment, as a forum that takes user generated content and provides user-to-user services... we're in the "All Services" and "Multi-Risk Services" buckets of the Ofcom compliance... so if people are serious about keeping something alive, you really have to answer "Are we going to comply and accept that risk?" or "Are we not going to comply and just shutter the UK sites?"... the latter has a path to the platform living on as an international thing that serves international audiences. I'm sure there might be some UK users, but it wouldn't be the focus or intent, and the platform should just outright deny service for UK specific forums (hence you'd still have to shutter Islington CC, Brixton, etc... but could keep a post-geographic LFGSS, PignoleFixe, Espruino and other things)... it would trim the platform to a core few sites, but would be able to live on until such a time that the Europeans also implement a dumb law.
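The "disposable frontends over a WireGuard VPN" layout described above, as an added example that is not part of the original post or the Microcosm code base. It renders the two files one frontend needs: a WireGuard tunnel whose AllowedIPs is restricted to the origin's tunnel address, and an nginx cache whose only upstream is that tunnel address. Every address, key, hostname and path here is a constructed placeholder, and the cache sizes and stale-serving settings are assumptions, not the project's real nginx config.

```shell
#!/bin/sh
# Added example (not the project's own configuration): render the two files a
# disposable frontend needs, a WireGuard tunnel to the origin and an nginx
# cache that only proxies to the origin over that tunnel. Every address, key
# and hostname below is a constructed placeholder.
set -eu

# render_wg_conf FE_WG_ADDR FE_PRIVATE_KEY ORIGIN_PUBLIC_KEY ORIGIN_ENDPOINT ORIGIN_WG_ADDR
render_wg_conf() {
  cat <<EOF
[Interface]
Address = $1/32
PrivateKey = $2
# No ListenPort: the frontend dials out to the origin, nothing needs to dial in.

[Peer]
PublicKey = $3
Endpoint = $4
# Only the origin's tunnel address is routed via wg0; a seized or compromised
# frontend cannot use the tunnel to reach anything else on the origin side.
AllowedIPs = $5/32
PersistentKeepalive = 25
EOF
}

# render_nginx_conf SITE_NAME ORIGIN_WG_ADDR CACHE_DIR
render_nginx_conf() {
  cat <<EOF
proxy_cache_path $3 levels=1:2 keys_zone=site:50m max_size=20g inactive=7d use_temp_path=off;

server {
    listen 80;
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/ssl/$1/fullchain.pem;
    ssl_certificate_key /etc/ssl/$1/privkey.pem;

    location / {
        # Upstream is the origin's WireGuard address only, never a public IP.
        proxy_pass http://$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # The client address is deliberately not passed upstream, so the
        # origin only ever sees the tunnel address of the frontend.
        proxy_cache site;
        proxy_cache_lock on;
        # Keep serving cached objects while the tunnel or origin is unreachable.
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        add_header X-Cache-Status \$upstream_cache_status;
    }
}
EOF
}

# usage: ./frontend.sh wg 10.7.0.2 <fe-privkey> <origin-pubkey> 192.0.2.1:51820 10.7.0.1 > /etc/wireguard/wg0.conf
#        ./frontend.sh nginx forum.example.net 10.7.0.1 /var/cache/nginx > /etc/nginx/conf.d/site.conf
case "${1:-}" in
  wg)    shift; render_wg_conf "$@" ;;
  nginx) shift; render_nginx_conf "$@" ;;
esac
```

The frontend holds no state beyond its cache, so losing one to a takedown or a provider outage costs nothing; the remaining frontends keep answering because DNS round-robins across all of them. Traffic between frontend and origin is plain HTTP inside the tunnel, which WireGuard encrypts and authenticates, and the origin's own firewall should accept that traffic only from the tunnel interface.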
-
What's the cost breakdown of the 800 per month and can it be reduced without meaningful impact to the service?
£800 per month is what I recommended try to be raised on an ongoing basis by getting just shy of 250 people to donate £10 every 3 months.
£10 every 3 months minimises the impact of payment provider fees on smaller donations. (There is a single person who donates £1 per month, less than half reaches the account... it's such a waste, it's actually more donation to PayPal than it is to LFGSS).
250 people gives a far better spread of donors, and given that almost 10% expire out every 3 months will provide a bit of a buffer.
That amount should mean that over time you accrue a larger buffer, but never need to hit anyone's personal credit card to pay a hosting bill.
We presently have around that number of donors... but, most are doing £3 or £6, and based on the frequency and higher % of payment fees on the smaller donations, it means we're only getting about £300-350 per month... which is why I top it up every month.
The real breakdown of costs today:
- Linode $375 per month for the virtual machines, backups of the virtual machines, and the object storage (currently shy of 1TB for attachments), we received free bandwidth as part of the VPS costs which allows 22TB of traffic, we typically use about 6TB per month as we are very cache efficient. AWS would wipe us out on bandwidth from the account, and from the object storage.
- Tarsnap $25 per month for a remote backup of the database
- Twilio / Sendgrid $126 per month for 100k emails and a static IP to send them
- Some domain names... approx $100 per year
- An SSL cert that is wildcard at $250 per year (as I could never work out how to get certbot and LetsEncrypt to do wildcard + SNI for other FQDN at the same time)
Some of those costs vary due to exchange rates, but basically $501 per month in fixed monthly costs, another $30 per month in annualised costs... $530 per month being the estimate roughly being £420 per month in intrabank exchange rates... add roughly 10% lost to payment fees and forex rounding up that happens because I never figured out early enough to just pay all the bills from a Wise account... roughly £460 per month at the moment.
Donations bringing in roughly £350 per month, and you see the £100 shortfall... hence I just pay all the bills from my personal account, and draw the PayPal money into that account and absorb the loss. Some months someone will donate £50 or £100, and those months I don't subsidise it.
My rough summary here and recommendations here:
- The hosting is very cheap, there's a lot of headroom, but it's not obvious that reducing the VPS devices would be a smart thing to do (they have too much CPU, but the LB needs the disk space for cache, the DB needs the memory, etc)... given that I don't even know how to deploy the old Django... leave it where it is with Linode, but we can move it to Germany and out of the UK.
- The money side could easily be dramatically improved... just have an Open Collective EU account, receive donations there, provide the transparency I never managed to with PayPal... and then pay the bills from a Wise account and reimburse that person... this is very very easy to run, especially if an EU citizen runs it.
- Add a new service, a shared Protonmail email or Migadu for probably $100 per year per user/role, and give the volunteers access to that... i.e. have a "admin@microcosm.app" email, and make it accessible by a cohort of volunteers... and avoid having a single named individual as the owner anywhere. You probably only need 1-2 email addresses to cover everything, a Fastmail account might even be sufficient.
- Encourage each volunteer to have a password manager like Bitwarden, share credentials via Signal and store in local Bitwarden accounts.
- Pay for multiple cheap frontends around the World in various hosting providers, all using a Wireguard VPN or the like to connect to wherever the servers are ultimately hosted... this is probably another $100 per month... and we'd just make the DNS round robin to them because they're stateless caches, if any were taken out, the others would be fine.
Edit: Updated 2024-12-20 as I added a server to help support the archiving efforts.
-
LFGSS and Microcosm shutting down 16th March 2025 (the day before the Online Safety Act is enforced)
I'm trying to write an article but @Velocio hasn't responded to my DM asking for an interview. I'm trying not to take it personally.
I replied eventually
-
I skimmed past the bits about sites that monetise users (and this would be that), but yes it introduces a difference.
If you changed nothing at all cost-wise today... £1 per person per month would be enough.
But... not everyone donates, at peak only 300 people did, and PayPal and other payment providers will take their cut (20p or 5-10%, whichever is greater or something like that)...
So the ideal is something more like £10 every 3 months, for ~250 people to yield around £800 per month, and therefore always have a little more being accumulated such that you have a buffer and if you ever need to add a server, there's the money to do so.
You could keep it donations based, no paywall, if ~250 people signed up to a payment structure like that.
This was what I always aimed at, but as people's payment methods expired, etc... well, I just made up the difference and didn't bother to do a focused fundraise in recent years.
If I were doing this now, I would 100% set up an Open Collective https://opencollective.com/europe most bills are in € or $, and I would have someone pay the bill on a Wise card, and then be reimbursed from Open Collective... with Open Collective taking the donations, and showing how much is in the bank, etc... the transparency I wanted to give, but couldn't do via PayPal.
-
It does look possible to have "officers" in other countries, the servers and systems all over the place, the money running through OpenCollective EU, an entity in US/France/Switzerland... and only volunteers and users in the UK.
Note: even in this scenario... I would step back and fully yield all control. For a collective to be successful, I should reduce myself to an advisor at most, just to point out how things work technically, how situations were approached, etc.
-
Other threads of conversation:
- Seth from Bike Index (US based) is offering to take the legal entity under their control.
- Pignole Fixe are considering a France based entity.
- The servers can be moved to Germany quite easily (closer to where the attachments are stored too).
- A privacy advocate has proposed a Swiss entity.
- Some lawyers/legal types on LFGSS have a DM thread and are considering the compliance side.
Missing from all conversations is the financial side.
The financial side is critical, it's very boring but it's critical... if you don't pay the bills then the servers get turned off, simple as that.
Something I had considered is OpenCollective, but the risk was that migrating PayPal subscriptions to a new system would too significantly reduce the income, and as it was not quite enough anyway I just didn't ever do this. I think if a collective is formed, if people fill all other roles, then the collective should assign a secretary and start afresh on OpenCollective. We limp month to month at the moment, so I'm confident we'll hit the end date with an empty bank account, a fresh fundraise based on the desire of people to keep the forum alive would likely enable this to be successful and finally get the forum to having several months money in the bank (because now other forums like Pignole will contribute a bit too).
-
"the code":
- https://git.dee.kitchen/buro9/microco.sm landing site
- https://git.dee.kitchen/buro9/microco.sm-bootstrap styles
- https://git.dee.kitchen/buro9/microcosm main API and database
- https://git.dee.kitchen/buro9/microweb Django web ui
- https://git.dee.kitchen/buro9/microweb-bootstrap styles
Yes, the Python is that old... no it's not Python 3, no I don't know how to upgrade Django, if and when it needs surgery I would now do so on the production server... I don't know how to deploy any longer.
The Go code is where all the changes really happen, deploying that is a bash script that does an scp of the single binary.
Oh, and technical things.
- The software is fully open source under AGPL.
- The database is PostgreSQL
- The website is a very old version of Django (no longer supported, difficult to install)
- The API and the bulk of the site is Go
- A load balancer and cache is implemented in nginx <-- the Nginx config is not in source control but does a lot of lifting so probably needs to be in source control.
- Attachments are stored in S3 compatible object storage
- Email is sent via Twilio/Sendgrid
There are 3 servers that do the majority of things:
- LB = Load balancer and cache
- WPY = Web Python runs Django
- API = Go backend and the database
To reduce costs it is actually just 3 main servers, but each slightly beefier than they need to be... I found this more cost efficient a few years back so turned off the others... but it's easy to clone to scale horizontally if ever needed
The servers make use of iptables to ensure that only they can talk to each other and that nothing else can talk to them.
Then we use external services to run other things:
- Object storage is Linode
- Email is Sendgrid with dedicated IP address
the servers all run Linux, some of it is old (the Django server runs an old Ubuntu from a decade ago), and some of it is new (the LB runs a modern Debian, the API a modern Ubuntu).
all work is done via the command line when needed... probably less than an hour per week.
if a team of technical people formed, I would teach them how it's organised and grant access, etc.
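The iptables arrangement mentioned in the post above (only the three servers may talk to each other, nothing else may talk to them), as an added example that is not the project's own firewall script. It emits an iptables-restore ruleset for one of the three roles: default-drop INPUT, loopback and established connections allowed, new connections accepted only from the other two hosts, SSH only from an admin address, and public 80/443 only on the LB. The host and admin addresses are constructed placeholders and the admin-SSH rule is an assumption; the page does not say how the author reaches the boxes.

```shell
#!/bin/sh
# Added example (not the project's firewall script): generate an
# iptables-restore ruleset for one of the three hosts (lb, wpy, api).
# Addresses are constructed placeholders; ADMIN_IP is an assumed bastion.
set -eu

ADMIN_IP="198.51.100.5"

# host_ip ROLE -> the public address of that host (constructed values)
host_ip() {
  case "$1" in
    lb)  echo "203.0.113.10" ;;
    wpy) echo "203.0.113.20" ;;
    api) echo "203.0.113.30" ;;
    *)   echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# gen_rules ROLE -> iptables-restore text on stdout
gen_rules() {
  role="$1"
  host_ip "$role" >/dev/null || return 1
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # Admin SSH only from the bastion; the peers do not need SSH to each other.
  printf -- '-A INPUT -p tcp -s %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$ADMIN_IP"
  # The other two hosts may open any new connection to this one; nothing
  # else on the internet may, regardless of port.
  for peer in lb wpy api; do
    [ "$peer" = "$role" ] && continue
    printf -- '-A INPUT -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$(host_ip "$peer")"
  done
  # Only the load balancer is reachable from the public internet, on 80/443.
  if [ "$role" = "lb" ]; then
    echo '-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
  fi
  echo 'COMMIT'
}

# apply_rules ROLE -> load the table atomically. iptables-restore replaces
# the whole filter table, so re-running is idempotent. ip6tables needs the
# same treatment if the hosts have public IPv6 addresses (omitted here).
apply_rules() {
  gen_rules "$1" | iptables-restore
}

# usage: ./fw.sh api            (print the ruleset for review)
#        ./fw.sh --apply api    (load it, as root)
if [ "${1:-}" = "--apply" ]; then
  apply_rules "$2"
elif [ $# -eq 1 ]; then
  gen_rules "$1"
fi
```

Review the generated text with `./fw.sh lb` before applying; a wrong peer address locks the admin out of everything except the console. Because the allow rules are keyed on source address only, a compromised peer has unrestricted access to the other two hosts; narrowing each peer rule to the one port it actually needs (the Django port on WPY, the API port and PostgreSQL on API) is the obvious next tightening, but those port numbers are not given on the page so they are not assumed here.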
-
PayPal makes it better to have a higher donation less frequently... as they kick in a fixed fee + a %. the fixed fee is 30p, and then it's a % of transaction... hence when people do a 50p donation the % is deducted from 20p... it's pointless... when people do a £1 donation it's almost pointless but still appreciated... but it's best when it's £10 as then the total fees are a low % of the overall.
if you were donating £3 per month, it's better to just do £9 every 3 months, etc... as then the fees consume far less of it.
I think the % is 3%... I'd need to check that.
and once in a while someone will forget they have a donation and dispute it, and then the dispute fee typically wipes out someone else's donation too.
the huge benefit of lots of small transactions is resilience... in the early days we only had a few people donating a high amount, and 1 person stopping the donations would suddenly create a peril that month.
so lots of small is preferred... but not too small as too much goes to fees.
then occasionally people come along and do a one-off £50, £100, £200... and that offsets minor losses for a few months, and sometimes I'm lucky and I'm not out of pocket at all for a long stretch.