By the way, I am now officially tied to a device which is too old to support Anubis. Not just in the “it takes too long” sense, but also being unable to install any version of Chromium that supports the required APIs.

This is probably what a lot of people which are less fortunate than you feel like.

This is all I get.

@alexia wtf, is it actually using new enough APIs??? i expected the implementation to actually take old devices into consideration

In other words, I encourage you to look to other solutions.

Some that I know of in no particular order:

• go-away – fork (I think?) of Anubis with No-JS challenges and more customizability
• Iocaine – actively poison AI scrapers, best paired with nam shub of enki configuration

I heard mumbles that Anubis is also getting No-Javascript methods eventually, but I don’t know more than that.

(feel free to add to that list, I had something bookmarked but I've lost it on my old phone)

@alexia go-away isn’t a fork of Anubis

@nay

it uses WebAssembly or WebCryptography APIs, both of which I don’t have.

mind you, technically I CAN install firefox, however on hardware that has:

• 900 megabytes of RAM
• 4 CPU cores clocked at ~1.3 gigahertz
• Android 7
• 32Bit SoC

it’s……..less than serviceable in comparison to Chromium 66. Yes, chromium 66. That’s what comes shipped and I’ve yet to find ARM 32bit builds newer than this which install on this architecture and device.

To put this into perspective, I cannot visit some static websites that have Anubis deployed, but I can:

• Chat over XMPP using Conversations or use delta.chat for Chatmail
• Hang out on Fedi using Tusky
• Listen to music using any player, or by visiting my local Copyparty instance <small>(which works all the way back to Netscape 4.0)</small>
• Navigate places using Comaps

But visiting websites with Anubis? Nope. Not happening.

Even if it could run, it would probably take me a minute to visit your website.

I think the biggest statement that I want to make here is this:

Software should be efficient, and fast. We’ve all forgotten what it means to be on a platform that is restricted ever since our computing resources started going up, and this is where it left us.

Those less fortunate are unable to view even the simplest pages because there is software in front that simply won’t run on my device.

Our software isn’t quick or snappy anymore, to the point where any software which IS quick or snappy markets itself as being so. It has become a marketing feature.

Sure, all our new fancy tech is quite nice, but let’s not forget that not everyone is as fortunate.

I am very glad that there’s tools which work even on the cheapest or oldest devices.

@nay fixed :)

@alexia this is why I don’t run anubis, and why I dislike most webapps

@alexia My site, as well as @enjarai’s, are both under Iocaine. It’s worth noting that if it’s configured very aggressively, it will block Brave and Opera for pretending to be a different browser. x3

But it seems to be pretty effective (more so than Anubis, at least) and doesn’t require deploying JS in the frontend. :3

@aurakle @enjarai

the entirety of starlight network projects and my personal site is under iocaine :333

@enjarai @aurakle I’ve also added a caddy rule to redirect brave users to the “Please stop using Brave” post

@alexia @aurakle o! how do you recognise them? that seems like something i should do as well

@enjarai @aurakle they advertise themselves in the Sec-Ch-Ua header

@alexia wait what device do u have

@sneexy Until the Pixel 7 arrives somewhere between 18th and 23rd of this month, I am stuck with:

• Moto C Plus <small>(32bit, armv6, Android 7, modded)</small>
• ZTE Blade A34 <small>(64bit, armv7?, Android 13, stock, cannot unlock)</small>

@alexia And thus, not only does it not actually accomplish anything, it also entirely blocks legitimate users.

Impressive⸮

@alexia I finally cracked and installed Anubis on a niche service which was getting pounded, since the options were to either use Anubis or turn off the service.

My use of Anubis isn't a great solution, but it was the least-worst choice. Either way, you were not going to be able to visit the site.

@pndc @alexia use iocaine

@soop @alexia Iocaine is a lot more involved to set up, and solves a different (albeit related) problem, which I don't have.

@pndc @soop

eh, it depends.

iocaine can be configured to do a lot of the same things as Anubis whilst also serving LLM scrapers markov-chain garbage

That is, it can be configured to serve a javascript challenge like Anubis uses, and I think that the developer uses such a challenge on their own stuff too and has it in their nam-shub-of-enki configuration

but, yeah fair enough, moving is a bit of effort; Not because it’s difficult but just because it’ll obviously take some time to read the docs and move things around

@alexia I stopped using Anubis because I found better alternatives, and currently there’s nothing in between.

I dropped it because it drove people off and broke many things such as git

@alexia may I suggest Pale Moon as a workaround?

@echedellelr No.

For one, that isn’t even on Android, and also they consider accessibility features “bloat” which makes the entire project a no-go for me.

@alexia I don't have a problem with them doing paid features, time costs money. I also doubt that many people will move to a different option just for older devices to get through.

I'm also curious as to why you're tied to such an old device. That's an unfortunate situation.

EDIT: Just saw that you're getting a Pixel 7 soon, enjoy!

@carbonatedcaffeine

I mean yeah sure I’m getting a pixel soon but only thanks to fundraising

god knows how many people are out there which aren’t as fortunate as me and cannot just get a newer device

what do like the majority of people in idk Cuba or something do, they don’t even got most newer devices over there

@alexia that's a good question actually. I'm sure it would affect a lot of people from those areas then.

How long do you think mobile devices should realistically be usable for? (At least 10 years for web browser use, surely?)

@alexia where potatoeirc

@gen oh my god right, let me see if I can get Goguma on this thing

otherwise…I guess termux + some terminal IRC client would do???

@alexia @enjarai I have never heard of that header. 😭

@aurakle @enjarai

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA

@alexia @enjarai This is… silly.

@alexia you have disabled GMS on it right? it makes a world of difference

@carbonatedcaffeine

honestly in my optimal dream world you’d be able to buy a device and use it for 15 years straight, only having to repair it when damaged but not outright replace it

@alexia @carbonatedcaffeine I’m going to be trying my best to keep my current PC for that long, previous PC held strong for almost 7 years before I managed to earn some funds for a new one in 2021. Old hardware is still sitting here ofc, ready to serve as a retro machine or backup PC if needed (although I also have a steamdeck now)

@alexia i remeber you saying irc would work

@alexia you could change your user agent

@alexia delta chat has xmpp?

@piku No, delta.chat is a separate thing, it was meant to be read as “Chat over XMPP with Conversations, or chat using delta.chat”

@alexia anubis is getting non-JS methods in their commercial offering

@niko @alexia “in their commercial offering” ok so that’s where the “we’re keeping the opensource version intentionally shit” bit kicks in. cool. Anubis is never getting non-JS methods because they insist on purposefully being a garbage solution just so they can scam people who don’t know better out of their money

@crmsnbleyd not always, that is very much dependant on the configuration.

I would know, because I used to have Anubis set up.

@alexia i don’t believe gyatt-away is a fork

@sneexy I fixed that

@alexia my phone has 8 cores, 2 Cortex-A73 and 6 Cortex-A53, a whole 2 GIGABYTES of ram, and still, that isn't enough to run certain apps properly

the discord emoji picker ? it OOMs the entire phone if i open it. Websites ? be it chromium or firefox, a website will take 10 seconds to actually show up, even without anubis.

with anubis, that shoots up to a minute. But! i can have modern browsers so anubis does work, it's just, really slow

which, i get it, it's the whole point, but come on.

this isn't that old of a phone, it's barely 6 years old.

mobile first webdev my ass

@SRAZKVT @alexia mobile first (has to be this year's phone)

@alexia

This I can get behind. Sure, energy conservation and all that is goddamn important, but people actually being able to use their devices comes first for me.

@alexia @sneexy oh you poor poor soul who has to use a non-pixel phone for two weeks and develop empathy for others who are stuck on obsolete versions of Android with no custom ROMs… that ZTE blade has a newer version of Android than my phone yet you’re whining about it?

@cuddlebug @sneexy

My brother in Christ shut the fuck up nobody asked for your shitty opinion

@alexia okay so like this is not a solution to anubis but
if you change your UA to something unlike a browser it should just ignore you if it's using defaults

@alexia @carbonatedcaffeine
i mean i imagine the infrastructure isn’t built around having a modernish phone
like
until 2019 2020ish my grandma lived pretty fine on her own with just a feature phone

@piku @alexia fair point!

@piku @carbonatedcaffeine

in Germany it increasingly is, and that’s despite more people becoming poorer :/

@alexia ah you were asking for Android aaaaaaah. Okay.

@izzy yeah I know I can just set my user-agent to like, curl, but that’s a hack and doesn’t solve it for all those other people which is the main thin I’m trying to critique

@soop that device doesn’t have it installed to begin with

@alexia Oh i’m so sorry . i feel like you can probably fuck around with the zte blade though in some capacity , seems . new enough for fuckery

@sneexy it’s a speadtrum unisoc device but all threads I’ve found of trying to use various tools (ALL of which are windows-only anyways) ended up permabricking the device

so, unless there is a temp-root, dm-verity and AVB bypass, I won’t be unlocking this thing anytime soon

I debloated it to hell and back, yet despite having significantly better specs it lags more than the Moto C plus lol

@alexia

Software should be efficient, and fast. We’ve all forgotten what it means to be on a platform that is restricted ever since our computing resources started going up, and this is where it left us.

It isn’t even good on high end hardware Tbh it gives me a vibe of a commercially-funneled open source project (or just the team who really wants to commercialize their idea without a well-defined principle), but it is unclear to me the team even have the experience of designing performance related software.

To me this is an “apathy” based defense: the assumption always is an attacker won’t bother to optimize or pay for rigs. But if that is the case (1) the “defense” shouldn’t get “harder”: that just frustrate the hell out of lgtm visitors without imposing real cost barrier on attacks (2) you shouldn’t encourage a monoculture of identical rules and challenge scheme on all your users, that concentrates risk of complete breakage.

Thanks for letting me know of Locaine, it looks like a pragmatic solution: ticks all my checkmarks: security by diversity; no magical thinking; not being the weakest link yourself.

https://yumechi.jp/en/blog/2025/proof-of-mutex-outspeeding-anubis-with-valid-pow/

@niko fixed

@alexia @sneexy there's a sketchy ass piece of software called DC Unlocker, that while it doesn't have the Blade listed, I do wonder if it would somehow support it? Maybe worth contacting their support. It primarily supports unlocking Huawei phones, and hasn't had updates since 2023...

Alternatively there are numerous weird sketchy sites online that seem to offer "unlocks", which I assume means SIM unlocking and not bootloader unlocking...

@alexia @niko And in the open source version: https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

The paid one is something I'm actively finishing and involves every single way I can trick a browser into loading things from pages with and without JavaScript.

@alexia @sneexy you can probably get firefox on at least the latter one

fuck anubis though.

@soop @sneexy

I can get Firefox on both but it’s genuinely unbearably slow on both

@alexia @sneexy i figure the latter is slow because it’s running a newer and thus more bloated android version

i have an android 7 phone with 2gb of ram and it runs fennec quite well, though admittedly i’m used to stuff stuttering a bit, my bar for those things is low

@pndc @alexia not really no iocaine is a complete alternative to anubis

@alexia aren't you risking like a million CVEs sticking with old chromium? i have similarly old hardware and i usually just grumble, install firefox ESR, and pay the price

@alexia https://firmwarespro.com/bootloader/zte-blade-a34-detail also guessing you may have tried this, the official process?

Maybe it's just not worth playing with...

@jessienab That’s not the official process at all, ZTE doesn’t have one! :D

They literally use screenshots for unlocking a Xiaomi device — A completely different manufacturer

@jessienab @sneexy

I already know that there is tools that can unlock this device, I’ve seen people use those, however they all permabricked their devices in doing so and 99,99% of these tools cost money and have DRM that only works on Windows.

@alexia @enjarai Probably better than handing them the Markov pages.

@soop @niko

please read the replies, and my original post, it is not just in the commercial offering.

@alexia @niko what replies…? i’m not seeing any elaboration on that point

@alexia thanks for the list, will check it out!
(I use Anubis for my Forgejo instance but am desperate for alternatives)

@alexia I have a fairly new phone with 8 damn gigabytes of RAM and I'm still astounded at how bad Android runs. I seem to remember the home PC back in the day having 500MB of RAM, and it ran Windows XP with probably the same performance, maybe slightly better??

@alexia @enjarai @aurakle Okay, that's amazing. Can you link to that post? I want to do my part too.

@KFears @enjarai @aurakle

sure :)

https://www.spacebar.news/stop-using-brave-browser/

@alexia @aurakle amazing. im always happy to hear about folk helping poison the shit of of these models

i hope it will have a real effect eventually. the bubble needs to pop already

@enjarai @alexia :3 :3 :3

@imyxh this device is vulnerable to a flaw in the SoC allowing for privilege escalation and has no concept of Verified Boot or dm-verity

i have other problems ;w;

@alexia that's one of the reason i like how my website is light and efficient regardless of your hardware of internet speed
even with the slowest network simulation on firefox it loads so fast :3

@alexia @gen gamja web client?

@domi @alexia hear hear

@alexia meanwhile iocaine gives me the gibberish no matter what 😭

inb4 yes i know it's just the docs site's strict config

@alexia this is literally one of the planned slides of my DDoS Mitigation talk (i need to continue writing slides)

@alexia you can bypass Anubis by changing your useragent in most websites.

This is how many extensions work https://addons.mozilla.org/en-US/firefox/addon/anubis-bypass/

@ulveon I know, but it’s not a foolproof solution. I know how Anubis works and there’s many that challenge all user-agents.

@xyhhx can you visit cyrneko.eu

@alexia i can but i get le gibberish

@xyhhx mhm okay what browser do you use

I have the same configuration and I actually sort of understand it now

the most common blunder is faked User-Agent and Sec-Ch-Ua headers

@alexia vanadium 🤷

lmk if I can help debug

@alexia can i ask a quick favour of you? (no worries if not, just ignore me or tell me to buzz off lol). if you visit my profile https://k.iim.gay/@kim in your browser, how long does the scraper deterrence there take to complete on your device? it's something we're testing embedding a very simplified form of in gotosocial as an optional defense for users (defaults to off). but depending on accessibility issues it's not something we're set in stone on keeping. we're ultimately just experimenting with making it easy for users to protect themselves, but only if it doesn't compromise on our core principles of accessibility, ease of deployment and low resource usage (at least on the server side, though you'll see from our extremely minimal web client we do care about that client side too)

@kim 13450ms on my ZTE Blade A34 (so, quad-core 1.6GHz)

on the Moto C Plus, it doesn’t work at all. Just never loads, as I can’t get a browser with the required APIs on this thing

(well except Firefox but it gets OOM’d too frequently)

@alexia I'm interested that it never loads. we don't actually use any browser crypto APIs, we use our own lil sha256 function in pure js. maybe it doesn't support service workers? 🤔

even the no-JS proof of work methods I've seen are super hacky. finding solutions to protect against LLM scrapers is such a pain in the ass.

thank you for doing this btw, very useful, and clearly i need to go do some more thinking on it

@xyhhx hm. Can you drop your User-Agent string and Sec-Ch-Ua headers?

You can use this to check Sec-Ch-Ua, found it on a whim: https://51degrees.com/client-hints

@kim well supposedly Chromium 66 (which is roughly what I’m stuck on) should have service workers, I’ve ran it for a minute and it just sorta went nowhere so I assumed it’d never finish

@alexia @sneexy if it's 64-bit it'll be armv8, armv7 and earlier were 32-bit-only

@mitsunee @alexia @carbonatedcaffeine It's much easier to do that with PCs than with phones, since they're more repairable, don't require a battery, will run upstream kernels and so can be kept up to date without support from the vendor, and are generally more powerful than phones. I still regularly use a laptop from 2008 and it's perfectly usable, but a phone from that period would be almost unusable (especially without a new battery) and might not even be able to connect to the mobile network in some countries.

@alexia I think it will be feasible. Hopefully applications won't require 8GB of memory just to function in the future. That would be absurd.

My main concern is the availability of battery replacements. It would make it much easier if there was a battery size and connection standard in the future. But since all phones are different shapes and sizes that wouldn't work.

The Fairphone is probably the best in terms of what we want. But it's a lot of money and isn't available to purchase from my country. The PinePhone also uses a J7 sized battery which can still be found on ebay. But the device isn't made to last.

@noisytoot @alexia @carbonatedcaffeine yeah I honestly have no clue what I’ll do if my current phone dies or stops getting updates entirely. There isn’t a single manufacturer I trust with keeping up-to-date with security patches for longer than the first one to three years of a device’s lifespan and I honestly don’t even have the money to replace it currently

@noisytoot @mitsunee @carbonatedcaffeine

fun fact: one of the two devices (the ZTE) that I’m currently on until the used order arrives has a Unisoc SoC that is apparently supported by mainline linux :3

@noisytoot @sneexy oh neat good to know, this must be armv8 then

@mitsunee @alexia @carbonatedcaffeine Maybe a postmarketOS device that can run mainline Linux? Something with SDM845 is probably the best choice currently (or a PinePhone, but the hardware sucks).

@noisytoot SDM845 and SDM670 phones.

The PinePhone has always been a device aimed at developers and that sentiment still stands true.

@noisytoot as long as I also have my tablet that might be fine, I need at least one device that can reliably play android games (at least the one I sank way too much money into… I refuse to quit that game before it shuts down officially)