1. La Liga (Spanish Football) finds pirates streaming their games objectionable.
2. They notice that many of these streamers use Cloudflare for something, presumably CDN and load balancing.
3. They appear in court in Spain and get an ex-parte TRO blocking all Cloudflare IPs. (Ex parte TRO: restraining order granted without Cloudflare being summoned to court)
4. Based on this, they tell ISPs to block pretty much all of Cloudflare in Spain.
5. Cloudflare goes public in frustration, noting that they could just send take down requests for infringing content like every other rights holder in the world, and that many Spanish utilities and civil resources use Cloudflare.
Interesting. My gut is that it’s hard to beat La Liga on their home turf, as evidenced by not even being invited to the court hearings which shut you down across all of Spain.
Long term, I’d guess CF wins this one? Probably they will have to escalate in some way to Eurozone courts, although I have no idea how this might work. No cloud business could meet the standard put forward by La Liga; but also there are only so many CDN companies. Meantime I guess illegal streamers can move to Google and see which legal group wins that battle.
One extra thing to mention is the role of Telefonica here. They are both an ISP that needs to apply the blocks, but also its subsidiary "Telefonica Audiovisual", who holds rights for the football, is a plaintiff.
One of the claims was that this is somewhat a procedural fraud since the plaintiff (Telefonica Audiovisual) and the defendant (Telefonica Spain) are technically the same thing. The order was granted after the defendants admitted, and therefore there wasn't any hearing with CF.
What’s even more confusing is how can a Spanish court just order a legitimately registered taxpaying Spanish business (assuming Cloudflare has done so) to shut down their services without even a chance to provide an argument?
They didn't order Cloudflare to shut down, they ordered ISPs to block any IP LaLiga claims is hosting pirated football. The president of LaLiga "Javier Tebas" also called Cloudflare a criminal organisation for enabling and making a profit off anything including child pornography (without any evidence of this, of course, just his word).
Now, there is also a conflict of interest, because Telefonica (the main telecom provider here, think Deutsche Telekom in Germany or any formerly-public ISP) is also a rights holder to some football, meaning their interest is to block everything instead of their internet users, who suddenly can't work on GitHub, visit Twitter or many other large sites; or even can't buy in many places online because Redsys (the largest payment processor here) also uses Cloudflare to protect their infra, and Cloudflare IPs were being blocked indiscriminately. All of this while being able to force other ISPs to block those IP ranges too, and without any possible recourse by either Cloudflare or the sites themselves, which according to Tebas "are only used by 4 nerds who like to complain".
> 2. They notice that many of these streamers use Cloudflare for something, presumably CDN and load balancing.
And DDoS protection.
Sports broadcast piracy has a history of serious organized crime involvement, and then some, such as https://www.theregister.com/2002/03/13/murdoch_company_crack... where the allegation was NDS did the hacking and leaked the keys of the rival tech to various mob groups for exploitation.
And not just DDoS protection, but privacy. Cloudflare offers a huge amount of privacy protection which causes huge headaches for IP holders. You can read online about the feedback loop of Cloudflare/OVH for example sending automated notices back and forth. Usually the process is:
1. IP holder representative sends notice to Cloudflare
2. Cloudflare sends automated notice to account manager
3. Cloudflare informs person from step 1 of who actually hosts the site
4. Person from #1 emails web host who is probably a shady company who in turn ignores email
5. Nothing happens
This is kind of a cute thing that wanna-be-rebels may enjoy trying on, much like some hipster who buys a leather jacket. But you don't. Believe me. You don't.
But for fun, go pay for a legit ticket to watch a movie like "The Godfather" or "The Irishman." Count the dead bodies.
In my hometown there used to be at least 2 shops (yes, shops) that sold bootlegged/pirate software. Mostly games but they had all sorts of business software as well. This was earlier than the 90s.
The shops themselves were not in the software business. One of them was specialised in turntable needles, and it was pretty popular. You had to go to the counter and specifically ask for "the menu" in order to access the "other side" of the business. It was an open secret though, as there was a lot of traffic in the shop for "the menu". You'd choose what you wanted, paid for your copy and leave with a bunch of floppy disks with it. They charged extra for the actual disks but you could also bring your own and only pay for the service.
If you mean electronic music bootlegs, then I don't see why the media or the format is that relevant. It's still just regular bootleg, and it's been popular since whenever copying and selling music was made possible.
> Cloudflare goes public in frustration, noting that they could just send take down requests for infringing content like every other rights holder in the world,
Live sports piracy has the unusual property that you have to be able to get the block in place within the ~90 minutes of a football match, even at weekends and across time zones. Otherwise there’s no point.
If the courts let Cloudflare slow roll this, at the legal system’s normal snail-like pace, the law would be effectively useless.
How are streaming sites registering new domains and getting the site info out to the audience in that time frame? I suspect they're not and there's actually a window of weeks or longer for enforcement actions to be taken.
WhatsApp has mechanisms to prevent this kind of thing by blocking the messages from being sent, but I guess I'm confused about how this works financially. Sports streaming (especially something like La Liga) is the textbook example of a mass market product. The vast majority of the audience isn't technically sophisticated, and live streaming infrastructure is expensive. Pirate sites need a reasonably large audience to make money. I find it hard to believe that there's enough reach for people waiting to click on random links in private signal chats to make pirate streaming a viable business when people can just go to a bar or a friend's house. Is that really happening at any meaningful scale?
> Is that really happening at any meaningful scale?
Anecdotally: oh yes. I don’t know anybody who pays, although that may say more about the populations I work with and hang out with.
I hear there’s plenty of headroom for the direct economics to work, if you’re reselling for less than the ~EUR100/month range the commercial providers charge [1]. Gross median income in Spain is on the order of EUR27000 annually, for reference [2]—so I’m not sure how many of the pirate viewers would be able to afford the legit product if the pirate channels dried up.
I also hear [0] there’s a robust side trade in exploiting pirate viewers’ machines through malware-style techniques while they’re there and feeling enticed to click yes to things…
I've seen these sites run ads, so I assume that means that they do have significant reach and further the ad providers get some return on their investment.
Note that the ads were for things like VPN providers and pirate IPTV feed services, which people are willing to pay for.
> WhatsApp has mechanisms to prevent this kind of thing by blocking the messages from being sent
Sorry, you mean WhatsApp detects and prevents the sharing of piracy links? I wasn’t aware of this, good to know. Is there a source of the various checks they have like this?
You don't even need to distribute the URLs. An aggregator can use a DGA[0] and automagically find the correct stream URLs. Unless the seed and specific DGA leak it would be difficult to get ahead of the pirate streams.
A lot of them will share a link to a page of all the domains they operate. So you just bookmark the page and if the site goes down just visit that page for the new links.
I might be out of date, but I think the article is incorrect. It is the same corp that owns both the streaming rights and the ISPs. The court order allows those ISPs to block IP-addresses of sites that host illegal streaming. I find it hard to see how CF could have a case here.
There is a new factor in the equation: Rising anti-American sentiments. This ties in with point 5 especially. Forcing Spanish websites off Cloudflare could seem like an additional benefit.
The “anti American sentiment” is overblown. Average person doesn’t care. I live in Spain and I’m not seeing much anti-American anything. Anti-Israel has reached hysterical levels on the other hand — at least in the media, though the average person really doesn’t care about that much either.
In my circles of high level Spanish/European motorcycle racing, we continue to have a very positive reception as Americans in the paddock. The (Spanish) TV announcers have been positive towards our riders, the teams and crew are positive and helpful. We have more people wanting to talk about Route 66 than trade policy. Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S. The only exceptions are hysterical US expats on Facebook groups acting like the sky is falling. But they do that reliably every time a Republican gets elected.
Anecdotes aren’t data of course, but vocal people online don’t represent broader thought.
Yeah, you're in a bubble and you're likely misreading their politeness. I don't know any Spaniards who would want to get into pointless political arguments with Americans who they guessed to be right of center in the off chance they were supporters of the current US government. Unless of course they were Vox affiliated, but even then I'm not sure they would bother engaging. They'd probably prefer to stick to talking about common interest stuff (like motor racing). "Anti-American sentiment" in the European context usually means being Anti-American government, not being dicks to individual Americans. The few cases where it actually crosses into Anti-Americanism the way you describe it seems to happen when the US militarily attacks a country they consider to be "brothers" or very close to. One example would be Greeks during the NATO bombing of now Serbia. Definitely one of the worst times to visit the Acropolis for an American.
I think your error is that you are gauging "Anti-American sentiment" by measuring how much you witness them bitching about Americans or Israelis. Whereas you should measure it by their actions. Tesla sales dropped significantly in Spain as it did in the rest of Europe. BYD sales are up 644%. See what they think about taking family vacations to the US.
Spanish people often end up buying local alternatives when available anyway but don't mind buying whatever when there are no alternatives (iPhones, sneakers etc).
You ask the Spaniards if you want to send ammunitions to a country convicted of war crimes, the majority will most likely say no. And if your government is actually acting in accordance with that position and pushing the rest of Europe on that front, there's even less reason to bitch about Israelis to random foreigners.
> Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S.
This we can agree on. As it should be. Why bother with things out of your control?
I live in Spain and there is no rising anti-American anything. The average person doesn't care beyond the Trump hate that is spewed by the mass media, but the mass media spews hate about many things, so much that the average person can't really invest much energy into hating every little thing.
I know that people here would love to live in an alternate reality where everybody in the EU is fuming at the US having a right-wing government but that's not here at least yet. The US has done so many terrible things throughout history; they will survive this too.
This situation also applies to any hosting provider which doesn't give every website a separate IP address. (The newest versions of TLS encrypt domain names, so the ISP only sees the IP.)
When a thing or technology becomes so large and so relied upon that removal of that thing causes real physical harm to unrelated citizens or indeed the government itself, you should think about the risk and benefits of allowing that thing to be controlled entirely by a private entity with no oversight or responsibilities.
This is just barking up the wrong tree and it applies to everything that people use.
The root issue here is that La Liga is able to get a court to shut down a web host. It shouldn't be anyone's problem but La Liga's that people pirate their stream, but a court let them make it everyone's problem. And there are any number of dumb things the court could have let them do, and turning CF into a utility company that can get shut down by the court doesn't solve the issue.
Finally, the main/original reason CF is useful is because the internet was created naively with no protections against bad actors. Weakening CF just empowers bad actors like LaLiga that much more at the expense of the rest of us. Being able to cloak my origin behind CF so that LaLiga or any other overpowered government or private entity doesn't know who I am is a feature. LaLiga having no option but to throw a tantrum that takes down half the internet is also a feature, and not one we should quickly hand away just because, idk, we can imagine some utopian vision where CF is unnecessary.
> This is just barking up the wrong tree and it applies to everything that people use.
You're missing the part where it's a single company, not just "the entire anti-DDoS infrastructure", that's being talked about here.
It would be perfectly possible (no idea how practical offhand) to have an entire ecosystem of competing CDNs all doing the same thing that Cloudflare does, rather than just Cloudflare making those decisions all by itself.
The EU should be sanctioning Spain the same way we're sanctioning Hungary for this sort of authoritarian behaviour. What's next, they're banning Google cause pirates use it to search for streams?
I don't know how this doesn't count as a net neutrality violation.
Look, I don't like these blocks, but comparing it to the situation in Hungary is hysterical and ignorant. And the EU going around sanctioning every member state at the drop of a hat if it does something the other member states don't like would mean the end of the EU, as support for this kind of EU is extremely thin.
I live in Spain, while I find the whole "life-threatening" narrative a tad overblown: I agree these obnoxious blocks are unacceptable. Incredible how much power LaLiga is capable of wielding.
Didn't one of the major ISPs in Spain go down like a week ago (Movistar) and that caused some emergency numbers to not function properly for some time? I wouldn't be surprised if critical (digital) infrastructure would rely on Cloudflare. If Liga is banning blocks of IP addresses without distinction, then anyone is at the mercy of being shut down in Spain.
In a globalized internet, your health institutions websites may run through, or depend on (i.e. 3rd party sites, js dependencies, etc) going through Cloudflare. Or emergency services, or whatever. With enough players you go from a side possibility to a certainty.
They are, but that doesn't mean it's their fault when websites fail because LaLiga decided to block an entire ISP. That's pure victim blaming. "Oh, what did you expect when you rely on a third party and another company wields the power of blocking anything without a specific court order?"
Also Serie A, in Italy we had people losing everything this winter due to floods, and clubs were still trying to not postpone matches, it's so crap that there are so many people following football
In Brazil it is not uncommon for fans to organize protests, sometimes violent, when a club starts performing poorly due to perceived slack on the players. At the same time, seemingly more pressing political issues often go unnoticed. It's beyond me how some people get more riled up by the sport, not being a sports person myself.
It's designed for this purpose. Rome was organizing those games to thrill the Romans, it worked splendidly. When political concerns get on the rise, you pump the show.
It works better than your typical propaganda as players become heroes, managers and clubs make great money. Distributors get their cut. The machine is well oiled with solid monetary incentives.
Football (and other sports watching): cheap but deep rooted emotions, press here to get your dose.
_Rollerball_ a movie from 1975 (not the 2002 remake) is an interesting take on this. A futuristic society that promotes an increasingly violent game to entertain and misdirect the masses.
These are just so much useless phrases, don't Italians treat their job market seriously? We have a referendum as soon as next month to remove laws introduced by neoliberals a few years ago that removed job safety and made everyone expendable, among other things.
Many will disagree here, but I really respect Cloudflare's fight against government-enabled censorship and abuse of power by anti-piracy whatever.
Yes, sometimes Cloudflare is used for some actually bad stuff, but same can be said for any cloud service. Having a major internet infrastructure provider react to every whim of every single government in the world is not a good idea.
They aren't really fighting against censorship and especially anti-piracy censorship. If they were, they'd refuse to take down sites. Instead they've a streamlined process for just that purpose, and are only fighting because they have been censored, affecting their bottom line.
Something might have changed recently, but Cloudflare is kind of infamous for not taking down some questionable services. At the same time companies like Apple and Microsoft still continue to censor stuff on requests from Russia where they supposedly do not operate.
Cloudflare does not fight censorship. It actively helps create it. They have a strong team that delivers great products, but at the end of the day, it’s a for-profit company with as much for-profit morals that exist.
Look up Tor project problems and CrimeFlare. Cheers.
Piracy only flourishes when the content is priced too high. Most people don't want to bother, pirate streams tend to be glitchy, low quality, and unreliable. But they will if they feel they are being bent over a barrel. Drop the price and most people will pay it. I.e. make it easy for people to do it the right way.
I think it’s extremely naive to think Cloudflare is anti-government. It’s more likely that they’re a US Intelligence company, whose purpose is to decrypt and monitor global internet traffic.
This kind of sucks if you're inside the US, but as someone outside I'd rather use a service reporting to a single country's intelligence rather than 100 of them.
I don't entirely disagree, but at the same time, La Liga shouldn't have this much power to shut down large swaths of the internet because of a handful of piracy sites, that probably only have a minimal impact on their income anyway.
Also, CDNs have inherent economies of scale and network effects, so it is natural that there would be just a few at the top.
Only it's not La Liga censoring, it's a court order as far as I can understand from the TF article. Should the judicial system of a country have the power to shut down large swaths of the Internet after presumably due process and in accordance with the law? IMO yes.
Now, the question really turns out to be "Is a law stating that large swaths of the Internet must be censored to stop a handful of piracy sites just?"
Yeah. I think this is the elephant in the room. I keep stumbling upon "We need to verify you are a human" by Cloudflare in many sites around the web. Crazy.
I agree that having so many sites behind one CDN (and related services) is a problem, but I don't think it is the elephant in this room. Even if there were 100 very popular CDNs having 1% of sites blocked because one user was streaming sports doesn't feel acceptable. Shared hosting has always been very popular and you have sites like Shopify, Squarespace, WordPress.com that are hosting thousands of sites.
Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.
Anubis is effective against certain kinds of bots and abuse, but wouldn't be that effective against large scale DDoS attacks. And it does have a negative impact on usability, as users have to wait for the browser to do the proof of work, which may or may not be worse than Cloudflare's captchas.
Anubis is a partial mitigant of DDOS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].
Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.
Also, if (when) their Captcha decides that you're a bad actor, there's literally no way around it. You can spend tons of time checking the box/trying again, but there's no way to "solve" it.
My sarcasm well is tapped, but this is why I was sus of CDNs like Cloudflare and Akamai at the outset. Yes, they’re highly convenient and enable more sites and services to weather large attacks or traffic spikes, but we willingly sunk a huge swath of the net behind a handful of for-profit entities and yet somehow expected nothing but sunshine and roses forever.
Stop. Trusting. Companies. To. Do. The. Right. Thing.
Cloudflare could’ve prevented this if they’d taken a stand on anything but profit motives, but they’ve repeatedly chosen not to. Piracy sites pay the bills just like Porn or Government sites, after all, and companies won’t turn down money unless forced to through regulation.
You seem to be implying that Cloudflare has been abusing this position of power, but then listing things it allows? Porn, of consenting adults, is actually a great example of business Cloudflare's right to take on. You may not care for it, but legal/ethical pornography is a matter only of taste. We'd be far worse off if Cloudflare was blocking content based off of personal preference.
TL;DR: "The tipping point for us making this decision [to discontinue service] was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology."
…that’s not what I was saying at all? Like, remotely close?
I was saying that:
* For-profit companies like Cloudflare have a vested interest in preserving as many paying customers as possible
* Their own process for getting content taken down makes it deliberately difficult to remove content, as that would harm their business model
* We have willfully chosen to sink large swaths of the internet behind companies like Cloudflare
* As a result, the only tools left to governments and the judiciary are often draconian in nature, harming innocent parties in pursuit of criminals
* We are naive to believe that any for-profit entity will act in the best interests of society, especially when those interests conflict with their profit-motives.
I think we are partially to blame for this too though. For the last 10-20 years the whole goal of a founder was to grow a business, get acquired then exit. If founders instead focused on building a sustainable business maybe we would have a more diverse tech landscape.
Nobody would fund a founder who wanted to build a sustainable business. It would have to be bootstrapped, and there are a lot of such businesses, but you never hear about them because they stay small.
Classic economies of scale. It’s a lot more efficient for one company to make one million services of lemonade than it is for one million people to make one serving each. Even if the homemade version is “better”.
This is what happens when everyone is incented to trade low-probability risk for short-term profits. Because who would bet that a giant CDN would be blocked like this?
I agree that oligopolies are more stable than polyopolies, but a huge part of why the internet collapsed in a handful of companies is how stock markets and venture capital love monopolies.
I was always unsure about Cloudflare as an end user - I don’t want all my traffic going through one provider, but their business use case seemed reasonable.
Then my in-laws got tricked into sending login credentials to a phishing page fronted by Cloudflare. It was obviously spoofing IDP logins of Yahoo, Microsoft, etc. I sent a request assuming they would disable the domain and it was immediately closed (in minutes) as not an issue. It made no sense that they would want to front phishing sites. I eventually got them to look more closely and it was removed, but it soured my perception of them.
I think large scale internet businesses may need to start having more liability in matters like this. Being blocked from an entire country seems extreme, but if there are financial incentives to solve the problem, the problem will get solved.
Auto-closing an issue and waiting to see if there is followup is probably a decent filter for real complaints. Like you, a person with a legitimate concern will persist, at least for a while.
Of course it could claim lives. Hopefully Prince has considered people have also likely died as a result of Cloudflare's repeating captcha which holds the next page in front of you like a carrot on a stick, never letting you know that you will be clicking that box forever.
I'm sure while someone's in the process of keeling over is the perfect time to arbitrarily scrutinize their connecting details. You need to contact your doctor ASAP. Okay, but did your neighbor have a virus last week? Is your neighborhood in your city more "problematic" than average? You may have forgotten to check these details before you fell ill.
Cloudflare sites should come with a big banner warning all users their connection will be arbitrarily approved by an algorithm with chilling effects built in as dark patterns.
Last I checked, Cloudflare does basically no educating of customers how badly their website will be broken for users arbitrarily when they don't use the ISP or browser Cloudflare likes. No explanation for how many customers you will lose when your website can't be visited by someone who doesn't know how to change their IP, no explanation that if you're offering a critical service then Cloudflare will give that service thousands of tiny downtimes left unknown, the screams too quiet to carry the weight of a tech CEO worried about something similar.
When I've tried to get a customer of Cloudflare to fix a consistent block of their site -- not safety-critical, but mission-critical, and costing them a SaaS sale -- nobody seemed to care.
My impression is that everyone knows that Cloudflare is blocking some legitimate people, but nobody -- neither the customer, nor Cloudflare -- cares enough to solve that problem.
It's similar to why Google doesn't have much tech support. Or why people can be locked out of their Google or Apple accounts without recourse. Caring about the people who fall through the cracks that you created isn't profitable.
When the Internet is part of the basic material of society, we need to rediscover ideals like "it is better that ten guilty persons escape than that one innocent suffer".
And we need to start removing from power the entities who are too lazy or greedy to uphold our ideals.
(Before someone jumps on literal numbers: That doesn't mean let through 10 botnet floods, rather than prevent grandma from finding a doctor. That could just mean, for example, don't block grandma because one of her browser headers looks suspiciously like an incompetent script kiddie, even though you can see that her traffic isn't yet part of a DDoS flood. Once you change the parameters to be more consistent with a fair and just society, maybe that means that, say, a Web site's servers do see a brief blip, as a new DDoS attack spins up, so it's not a perfectly smooth ride, but every legitimate person remains served. First, don't run over grandma; apply your engineering creativity with that hard requirement in mind.)
Do you ever find that advocating for these tenets feels "weird" nowadays? As in, don't you know these publicly traded companies are legally bound to extract profit without these silly notions of empathy or trust? What do you expect them to do? To start acting silly?
> As in, don't you know these publicly traded companies are legally bound to extract profit without these silly notions of empathy or trust?
Based on your first question, I think you might already know this, but just in case you don't: This is a myth.
> The idea that choosing a 1% strategic internal investment over a 4.5% T-bill constitutes actionable "financial malpractice" or a breach of fiduciary duty leading to successful lawsuits is incorrect. Courts recognize that running a business requires strategic choices and risk-taking, not just maximizing immediate, risk-free yield. A lawsuit would fail unless plaintiffs could show the decision was tainted by disloyalty, bad faith, or gross negligence in the decision-making process, none of which are implied by simply choosing a lower-yield strategic project.
> Hence why no one ever gets sued for this. It doesn't happen. It lives in the minds of HNers and Redditors to provide a very convenient excuse for their employers, or in general companies, making abhorrent decisions purely based on feels and short-term next-quarter profits/stock price, regardless of the negative externalities they inflict on society.
A "Fiduciary responsibility to shareholders" means exactly what I said: "legally bound to extract profit without these silly notions of empathy or trust".
The only notions of empathy or trust you see from publicly traded companies nowadays is the over-engineered calamity of ESG. If you have a single example of a moderately-adopted trend which demonstrates a genuine desire to do right by their society, or to build long-term trust at the expense of short-term profits, I'll readily adopt it into my world model.
> A "Fiduciary responsibility to shareholders" means exactly what I said: "legally bound to extract profit without these silly notions of empathy or trust".
You can define the term that way, but then it doesn't apply to anything that actually exists. Firms do have enforceable legal obligations to their shareholders, but that isn't one of them.
(OTOH, for a widely-held publicly-traded firm, the set of incentives facing management will encourage much the same behavior that that mythical obligation would require, but the mechanism is entirely different.)
That entirely ignores the reality I displayed showing that such a thing does not exist by law in any meaningful way. Yes, the overwhelming majority of publicly held companies behave this way. No, this is not because they're bound by any kind of law to do so, nor would they be at any legal risk if they were to behave differently.
As someone who implemented Cloudflare because of a massive DDOS and bot problem, sorry, but I will cheerfully allow 1% of my visitors to find the site unusable rather than 100%.
It sucks, but no sane business would be so invested in equality of experience that they’d allow it to be completely broken for everyone.
The choice isn't necessarily between 99% and 0% of legitimate users/visitors getting through.
What if you, and every other customer of Cloudflare or its competitors, applied pressure to make that 100% of legitimate users/visitors getting through?
What if legislators also mandated that 100% for many sites?
Mandating 100% availability sounds like regulating pi to 3.0.
It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised. Lots of scenarios where an innocent user must be blocked, unless the entire internet is reinvented. Which is beyond the scope of my project.
> It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised.
To me, this sounds like giving up way too easily on engineering problems.
One distinction to start with: Let's say grandma's router isn't part of a DDoS attack. Even if she might be trying to talk with a site that someone is trying to attack.
After solving that one, maybe the solution also somehow solves the problem of when grandma's router is involved in DDoS (or that site? or a different one?), or maybe we have to think harder.
We have thought harder. We know the solution. But you have to trade off privacy for security. It's having every person get a cryptographic key from the government to identify themselves.
Some states are trying this now with porn sites and users are rightfully not having it.
Then maybe don’t put critical services on the open internet. I know most tech people would balk at such a possibility, but the status quo isn’t really compatible with either long-term goal:
* If we want the internet to be a place of anonymity and free speech, then we shouldn’t be putting critical services on the public internet - or we need to stop using intermediaries like Cloudflare where a single court order could disrupt legal services
OR
* If we want critical services online and widely available, then verifiable identity is a must from the outset, such that these sorts of blocks can be highly targeted when enforced.
Piracy exists between those two forces: an anonymous internet would be rife with piracy, while an authenticated internet would see minimal amounts of it because it’s so easily eradicated. Coexistence of both worked because the internet was optional, which is no longer the case.
But nobody wants to talk about that, I find. Everyone wants the status quo to continue unabated forever, because it’s familiar. Familiarity does not mean permanent, though.
I think the status quo exists as a more-or-less stable equilibrium between those forces. (Plus another equilibrium of people wanting to get paid for content and the people who don't want to give cash but will sell their attention and privacy.)
It's more than just familiarity. It's what works.
If someone had a significantly better alternative I think the world would jump on it. But many have tried to disrupt this equilibrium and failed.
That’s basically what I was getting at, albeit in (deliberately) far more inflammatory terms. There’s this misconception at a very fundamental level that the internet is a “place” that can be regulated, or obstructed, as human needs change and evolve.
It is little more than a multitude of computers talking to each other in a similar “language”. It is not a singular place or entity, and attempting to regulate the entirety of it as such is fundamentally impossible.
And the sooner people and governments understand that, the sooner we can resume difficult discussions on its use.
Simple: Connect larger NICs and do "dumb" DDoS filtering at your fattest point.
Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.
"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and it is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.
Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!
This conclusion stems from that it is much easier to launch a DDoS from a single server w/ spoofed traffic than to use a botnet. If you have a single 10Gig server, you will likely not be able to take down another 10Gig server unless the target is already doing near 1gbps[0]. I believe most "noise" DDoS which affects random website operators is considerably less than 10Gbps, and pretty much every giant attack uses spoofed traffic which can be blocked upstream without a WAF. So long as your upstream is big enough.
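The "basic rate controls" per session mentioned in the comment above could look like the following. This is an added example, not part of the thread or any commenter's code; the names `TokenBuckets`, `bucket_key` and `replay`, the rate and burst values, and the sample requests are all assumptions constructed for illustration.

```python
import time
from collections import OrderedDict


class TokenBuckets:
    """One token bucket per key, with an LRU cap so memory stays bounded."""

    def __init__(self, rate, burst, max_keys=10000, clock=time.monotonic):
        self.rate = float(rate)      # tokens refilled per second
        self.burst = float(burst)    # bucket capacity
        self.max_keys = max_keys
        self.clock = clock
        self._buckets = OrderedDict()  # key -> (tokens, last_seen)

    def allow(self, key, cost=1.0):
        now = self.clock()
        tokens, last = self._buckets.pop(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self._buckets[key] = (tokens, now)  # re-insert as most recently used
        # An evicted key returns later with a full bucket, so size max_keys
        # for the peak number of concurrent clients.
        while len(self._buckets) > self.max_keys:
            self._buckets.popitem(last=False)
        return allowed

    def tracked(self):
        return len(self._buckets)


def bucket_key(session_id, remote_addr, valid_sessions):
    """Key on the session only if the server issued it. Unknown cookie values
    fall back to the client address, so a client that mints a fresh session
    ID per request still lands in a single bucket."""
    if session_id in valid_sessions:
        return "sess:" + session_id
    return "addr:" + remote_addr


class FakeClock:
    """Deterministic clock so the replay below does not depend on wall time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def replay(requests, valid_sessions, rate=1.0, burst=3):
    """Run (time, session_id, remote_addr) tuples through the limiter."""
    clock = FakeClock()
    limiter = TokenBuckets(rate, burst, clock=clock)
    decisions = []
    for t, session_id, addr in requests:
        clock.now = t
        key = bucket_key(session_id, addr, valid_sessions)
        decisions.append(limiter.allow(key))
    return decisions


# Constructed sample: one real session, then one address cycling forged IDs.
VALID = {"alice"}
SAMPLE = [
    (0.0, "alice", "192.0.2.10"),
    (0.1, "alice", "192.0.2.10"),
    (0.2, "alice", "192.0.2.10"),
    (0.3, "alice", "192.0.2.10"),       # burst of 3 spent: denied
    (0.4, "forged-1", "198.51.100.7"),
    (0.5, "forged-2", "198.51.100.7"),
    (0.6, "forged-3", "198.51.100.7"),
    (0.7, "forged-4", "198.51.100.7"),  # shares the address bucket: denied
    (2.5, "alice", "192.0.2.10"),       # refilled after idle time: allowed
]

if __name__ == "__main__":
    print(replay(SAMPLE, VALID))
```
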
DDoS is distributed denial of service. It isn't coming from one server. It's now trivial to buy 100 Gbps or more of DDoS so sites would need 400G or more to simply eat it.
I see so many people in these threads always complain about Cloudflare or Google CAPTCHA loops.. but even when using Private Internet Access (one of the most abused VPNs), I rarely if ever got on a full-on loop. Maybe Google CAPTCHA made me solve 3 things instead of one. Cloudflare is always just a checkbox. And I have my Brave and Firefox profiles hardened.
I'm not saying you aren't experiencing this, but I am curious: what is your setup that Cloudflare and Google treat you with such suspicion / hostility?
It's because you have previous cookies/state in your browser that you got from non-VPN addresses, which adds to your trust score. Do it with a clean browser with AdBlock and many, many things block you.
If you don't clear your state or keep its original origin VPN only, you're breaking a big point of using VPNs.
I use Firefox Focus on mobile, use-once containers on Firefox Nightly w/ Mozilla VPN or Mullvad and have never entered the doom loops that are described.
I use Firefox Focus on Android (wipes its cookies on close) + Mullvad and Cloudflare captchas don't even make me solve anything, just tap on them and they let me through.
Brave uses Forgetful Browsing, nuking all stateful site data after a tab close. I have Firefox configured to do the same via the Cookie Autodelete extension.
Nothing unusual here; just Safari on OSX, with an ad blocker. CAPTCHA loops happen all the time, to the point that I try to avoid Cloudflare-served websites.
Football is the cancer on European societies and economies. From low level hooligans literally bullying and beating children, to high level influence on the broadcasting infrastructure. Sell it all to Saudis for billions of trillions and ship the football stadiums overseas as a bonus.
I live in Spain and love LaLiga games, but I dislike the executives. There's no straightforward way to stream all matches. The Cloudflare/piracy issue is the lack of clear streaming options. Even with DAZN, Movistar Plus, and TVBar, none offer complete coverage.
So on the one hand I am sympathetic. On the other hand, I'm also pretty sure Cloudflare won't take down pirated stuff, so what do they expect?
I don't like the way that large football conglomerates abuse copyright, but then those same rules _should_ be open to me for anything I produce. The main difference is I don't have a team of lawyers.
Actually, this is a Cloudflare problem - simply take extra steps to ensure your clients paying for your services aren’t harmed by natural market forces.
If you read between the lines, he’s claiming people will die because Cloudflare doesn’t want to take the time, effort, or money to fix the problem that they easily could by creating a separate system for critical services.
This type of “tech hypochondria” should be absolutely dragged at every opportunity. This guy runs a business and whines that his clients don’t deserve what his business agrees to provide? FOH with that ish mang I ain’t buying it.
The "tech hypochondria" is downstream of tech's particularly warped understanding of free speech: i.e. "censorship is when packet loss".
If you define censorship as packet loss, then anything that drops packets is inherently evil, and your business (which ultimately boils down to sending packets along) is inherently good. Ergo anything you do is good and anything that questions or checks your power is evil.
This understanding of free speech didn't evolve in a vacuum, though. It was a response to the "copyright hypochondria" of the publishing industry outfits that have been insisting that "censorship is when free movies". One of the most irritating tenets of copyright maximalism is the idea that copyright somehow backstops free speech, because having an economic incentive to publish is supposed to make politicians think twice[0] about stupid censorship bullshit?
So we have two industries here that have both psyopped themselves into thinking their profit margins are a moral good, unwilling to compromise in any way that would allow legal websites to remain online. Or at least I'm assuming both sides are unwilling to compromise, because La Liga isn't saying anything, and Cloudflare is going to the public rather than the actual courts imposing this blocking order.
[0] The logic doesn't logic here, this is the same kind of thinking that gave us "capitalism has won" in the 1990s and "military alliances will make war impossible" a century prior. Politicians are ultimately polite brokers of violence, and economics is a tool they impose upon us to make us do things in lieu of guns to head. Not the other way around. Politicians will happily censor economically valuable art all day long.
I'm tempted to say "the master's tools can't destroy the master's house", but that saying is complete bullshit for different reasons.
I never watched sports but my kids want to, so tried to buy them subscription to some sport broadcaster.
Bundesliga, F1, NHL and FIFA world cup, that's all I (they) needed.
It turned to total mess. Service A shows F1 but not NHL. Service B shows NHL but not all NHL, only games where my city team plays. Some show LaLiga but not Bundesliga. All cost $30/mo but still show ads. Periodically they show ads instead of the event. If they can't, they split screen show the event in a little rectangle that's 25% of screen space. Dazn, TSN, ESPN are all total scam. You can see a lot of bull riding though.
We cancelled all this nonsense and just moved to pirate sites. Screw this bs.
I have done something similar too, as I wanted to watch a specific football game - Barcelona v Real Madrid - and it was available on a different streamer to the THREE that I already have. So I simply took the easier route.
These countries all have the same problem: older generation has sufficient power to say "we don't need immigration or jobs or anything; we're fine" while Americans who visit say "wow this place is great; such good food for so cheap!" and young people are desperate to emigrate for jobs.
X now shows logged out visitors a "greatest hits" timeline instead of a user's actual timeline. You can use a proxy like xcancel to get around that without an account.
How come no one is mentioning the obvious solution -- LaLiga needs to make their product as easy to access as piracy. If they offered worldwide streaming of the matches available on an easy interface at a reasonable price, then none of this would be a problem.
Piracy is almost never about the price -- it's almost always about the availability. Especially when it comes to live sports.
I suspect it's not quite that easy: it's likely similar to the situation with the Premier League in the UK (and other things like Formula 1 previously) where a particular broadcaster has been given exclusive distribution rights, and has paid a lot of money for those rights (which in theory go back into the game and pay for the huge salaries of players).
This solution clearly does not actually work. Musicians make pittances off of streaming in comparison to the money they made with physical media. Hollywood has seen strikes and streaming services continually raise prices.
With piracy they make nothing, so they'd still make more than they make today. Almost all of the pirates are people trying to watch from outside the coverage area. It's not like stopping piracy gets those people to pay.
I live in Spain and my ISP is Digi, which uses the network from Telefonica. These blocks are incredibly frustrating, and a ton of people have noticed websites and services not working. However, because the block lasts some hours, people don't know what is happening: "is my mobile network bad?", "Is the website down?". They try a few hours later and it's back up, so they move on.
My company's website is behind Cloudflare and I discovered this whole situation because someone couldn't access it. Also my home assistant is not accessible from the internet the days with a match. And we use it to open the garage and the house. We learned the lesson the hard way being locked outside until I managed to connect with a VPN. This is just nuts and incredibly frustrating. And for La Liga we are just a bunch of "frikis" (nerds) complaining about it... because we are the only ones that understand what the problem is.
Unfortunately, someone would have to die and a lawsuit to follow, and maybe that could stop this crazy nonsense. E.g. A few days ago I read about someone with diabetes whose device was malfunctioning because of these blocks.
They split the rights up in much more imaginative ways, like local channels can broadcast sold out local games and then the nfl itself or an rsn or major network can broadcast the remote half. I would guess that a lot of local games are over the air but if you follow a team somewhere else you might need a fairly inexpensive subscription
The NFL streaming services are truly bizarre. You can't stream local games, based on billing address, because you're supposed to watch TV. Which means if you go on vacation, you still can't watch, because they're not on TV and not streamable with your account.
CloudFlare is free/cheap, has (AFAIK) no KYC policy, and is generally unresponsive to abuse reports unless the courts get involved, so it's the default choice for nearly all piracy sites, phishing sites, DDoS providers, etc. The few which do get kicked out of CF generally have to resort to dubious Russian CDNs because none of the other mainstream CDNs will have them.
No, CloudFlare is implicated as well. If you watch videos from any of the major pirate TVoD sites and inspect the traffic, you can see they're frequently using CloudFlare as their global CDN with a Chinese origin site.
Entire Amazon AS-numbers are sometimes blocked so CloudFront consumers have the same issue. The thing with CF is the scale. They are really big and that is why it gets noticed. When it comes to Akamai they don't have shady customers in general and the risk of a problem is less. They also have a better infrastructure.
Ignoring the Spain block for a while, I wonder how/why these piracy sites use Cloudflare. Are they using something like R2 or Stream? This means someone still has to pay for it, right?
Free tier that lets you hide your server IPs, cheap domain registry (with no margin) and even some also tunnels for zero trust. Like I used them for a lot of personal and tbh even commercial projects for years paying them $0. Also they have bandwidth alliance with Backblaze so you can serve 100s of TBs for free.
So there is a lot of convenience and free stuff. It's quite obvious that when I had commercial customers where for whatever reason free tier wasn't enough I just used them as well. Why not? There are horror stories about their corporate pricing, but for smaller company paying $20-200 for CDN is no brainer.
Also huge massive advantage of CloudFlare is that majority of their services are not metered so it's hard to wake up to $100,000 bill like it can happen with AWS and almost any other CDN provider.
I still believe this kind of centralized MiTM is bad for us all, but honestly I'd rather it be CloudFlare than Amazon, Microsoft or some other "evil corp".
Maybe they should separate vetted services behind different IP ranges. Or even company. And put in place massive financial penalties for those services if for any reason because of them they have to block traffic.
Very telling how the article ends with a snippet about how the previous season had record-breaking revenues and how La Liga is one of the most profitable sports competitions in the world. It is never enough.
Football leagues are in a bit of a weird position here where one league (English) being drastically stronger in pure monetary terms than the rest means the others can't really let up.
Similarly there's quite a lot of push from the most powerful teams in some of these leagues to break off and form a European Super League; with Spain's two biggest teams being the biggest backers of the project.
ETA: not agreeing with how aggressive they are exactly, but do think long term they're probably in a lot of trouble if/when money starts to properly force a European Super League into existence.
It's bad to steal things and we should try to prevent it.
(I'm generally pro-piracy and don't know the details here, but am also old enough for "the people like MONEY" to not be a particularly noteworthy quality. The things that jump out to me here are A) is Cloudflare's attempted implication that they just need a better injunction true? B) The sophomoric argument that "people will die due to this" is my "people like MONEY" smell)
I’m gonna argue that piracy is the only thing keeping platforms somewhat in check to not get completely enshittified.
I stopped pirating stuff when content platforms gave a compelling easy to use product, I’m back to pirating because it’s genuinely a better product compared to the endless hoops you have to jump through to use streaming services
The appeal of Peak Netflix was that it had everything in one place with reasonably working discovery mechanisms. You could pay $10 or so per month and be satisfied. The current streaming era is "if you want to see all your favourite shows, it will cost $60 per month and you'll have to bounce around among 12 apps to find what you want."
If we had a mandatory-licensing regime, I'd expect multiple choices would work great. Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
Yeah, split payments across multiple streaming services can get tedious. Though I agree with you for the most part, piracy comes with more hurdles even with a fancy automatic setup.
But really the most important benefit of piracy is the one you're already taking advantage of. The cost would be significantly higher if they had a true content monopoly, instead they have to price with the idea that should the cost be too high, the inconvenience of piracy becomes increasingly worthwhile.
Shitty non-platform-integrated UI 8: my particular bug bear. I want a native Apple TV app using native controls if I’m to pay money for a streaming service. That said, I just don’t bother watching if that isn’t available.
My words and art are constantly being stolen and mined for AI.
People being stolen from most likely aren't going to advocate for the class stealing from them. Capitalism has one rule to wit: an in-group that is not bound but protected by the law and an out-group that is bound by but not protected by the law.
As a working class person if you 'pirate' materials you could be facing fines or even jail time.
If the capital owning class wants your IP, they'll just take it.
I wonder why the site owners and the users who are affected by such broad and indiscriminate blocking will not sue LaLiga AND the judges for damages and violation of freedom of speech?
I seem to recall news a while back about how cloudflare was very deliberately making it impossible to block only some things they provide, specifically for the purpose of causing any blocks to have enough blast radius to cause popular outrage. At the time it was presented in terms of fighting back against political censorship.
This is the second time I have seen an article on this topic that talks about "LaLiga" without ever defining it. As if ordinary people outside of Europe are expected to know what LaLiga is.
This goes to Spain government (Nazi-like behavior has long tradition there) and Spain citizens letting laws, which allows this, to pass.
Because same law was or will be used to block opposition, etc.
Of course, that similar organizations (paid by huge copyright companies) tried the same in my country.
And luckily our government listens to local experts (NIC.cz and others) and not to mention, pirating has big tradition here.
So they failed to pass this ridiculous law. (blocking IP addresses)
It's a taste of his own medicine. Having your entire service blocked due to a portion of it being illegal is not much different to how he personally terminated service for 8chan due to a portion of it he claimed was illegal.