1. La Liga (Spanish Football) finds pirates streaming their games objectionable
2. They notice that many of these streamers use Cloudflare for something, presumably CDN and load balancing.
3. They appear in court in Spain and get an ex-parte TRO blocking all Cloudflare IPs. (Ex parte TRO: restraining order granted without Cloudflare being summoned to court)
4. Based on this, they tell ISPs to block pretty much all of Cloudflare in Spain.
5. Cloudflare goes public in frustration, noting that they could just send take down requests for infringing content like every other rights holder in the world, and that many Spanish utilities and civil resources use Cloudflare.
Interesting. My gut is that it’s hard to beat La Liga on their home turf, as evidenced by not even being invited to the court hearings which shut you down across all of Spain.
Long term, I’d guess CF wins this one? Probably they will have to escalate in some way to Eurozone courts, although I have no idea how this might work. No cloud business could meet the standard put forward by La Liga; but also there are only so many CDN companies. Meantime I guess illegal streamers can move to Google and see which legal group wins that battle.
m3drano · 1d ago
one extra thing to mention is he role of Telefonica here. they are both an ISP that needs to apply the blocks, but also its subsidiary "Telefonica Audiovisual", who holds rights for the football, is a plaintiff.
one of the claims were that this is somewhat a procedural fraud since the plaintiff (Telefonica Audiovisual) and the defendant (Telefonica Spain) is technically the same thing. the order was granted after the defendants admitted, and therefore there wasn't any hearing with CF.
MichaelZuo · 1d ago
What’s even more confusing is how can a Spanish court just order a legitimately registered taxpaying Spanish business (assuming cloudflare has done so) to shut down their services without even a chance to provide an argument?
arielcostas · 1d ago
They didn't order Cloudflare to shut down, they ordered ISPs to block any IP LaLiga claims is hosting pirated football. The president of LaLiga "Javier Tebas" also called Cloudflare a criminal organisation for enabling and making a profit off anything including child pornography (without any evidence of this, of course, just his word).
Now, there is also a conflict of interest, because Telefonica (the main telecom provider here, think Deutsche Telekom in germany or any formerly-public ISP) is also a rights holder to some football, meaning their interest is to block everything instead of their internet users, who suddently can't work on Github, visit Twitter or many other large sites; or even can't buy in many places online because Redsys (the largest payment processor here) also uses Cloudflare to protect their infra, and Cloudflare IPs were being blocked indiscriminately. All of this while being able to force other ISPs to block those IP ranges too, and without any possible recourse by either Cloudflare or the sites themselves, which according to Tebas "are only used by 4 nerds who like to complain".
cr125rider · 1d ago
Welcome to China!
Or America
Or Europe… wait where is this again?
fidotron · 1d ago
> 2. They notice that many of these streamers use Cloudflare for something, presumably CDN and load balancing.
And DDoS protection.
Sports broadcast piracy has a history of serious organized crime involvement, and then some, such as https://www.theregister.com/2002/03/13/murdoch_company_crack... where the allegation was NDS did the hacking and leaked the keys of the rival tech to various mob groups for exploitation.
skarz · 21h ago
And not just DDoS protection, but privacy. Cloudflare offers a huge amount of privacy protection which causes huge headaches for IP holders. You can read online about the feedback loop of Cloudflare/OVH for example sending automated notices back and forth. Usually the process is:
1. IP holder representative sends notice to Cloudflare
2. Cloudflare sends automated notice to account manager
3. Cloudflare informs person from step 1 of who actually hosts the site
4. Person from #1 emails web host who is probably a shady company who in turn ignores email
5. Nothing happens
lesuorac · 20h ago
> 5. Nothing happens
Then lobby the government to change the laws or other requirements so that any IP holder can have a more effective process.
The solution is not to hack some workaround.
razakel · 1d ago
I'd prefer to deal with the mafia than Rupert fucking Murdoch.
xhkkffbf · 21h ago
This is kind of a cute thing that wanna-be-rebels may enjoy trying on, much like some hipster who buys a leather jacket. But you don't. Believe me. You don't.
But for fun, go pay for a legit ticket to watch a movie like "The Godfather" or "The Irishman." Count the dead bodies.
butlike · 15h ago
tbf, you only get hit (punched) if you don't pay back, and you only end up dead if you don't take the hint from the punch.
Yeul · 1d ago
Back in the 90s when most people didn't have broadband internet or CDROM burners piracy was very big business.
cassianoleal · 1d ago
If you mean bootlegs, then it's been big business for way longer than the 90s.
ranger_danger · 1d ago
Electronic bootlegs, most likely they meant.
cassianoleal · 1d ago
In my hometown there used to be at least 2 shops (yes, shops) that sold bootlegged/pirate software. Mostly games but they had all sorts of business software as well. This was earlier than the 90s.
The shops themselves were not in the software business. One of them was specialised in turntable needles, and it was pretty popular. You had to go to the counter and specifically ask for "the menu" in order to access the "other side" of the business. It was an open secret though, as there was a lot of traffic in the shop for "the menu". You'd choose what you wanted, paid for your copy and leave with a bunch of floppy disks with it. They charged extra for the actual disks but you could also bring your own and only pay for the service.
If you mean electronic music bootlegs, then I don't see why the media or the format is that relevant. It's still just regular bootleg, and it's been popular since whenever copying and selling music was made possible.
michaelt · 1d ago
> Cloudflare goes public in frustration, noting that they could just send take down requests for infringing content like every other rights holder in the world,
Live sports piracy has the unusual property that you have to be able to get the block in place within the ~90 minutes of a football match, even at weekends and across time zones. Otherwise there’s no point.
If the courts let Cloudflare slow roll this, at the legal system’s normal snail-like pace, the law would be effectively useless.
AlotOfReading · 1d ago
How are streaming sites registering new domains and getting the site info out to the audience in that time frame? I suspect they're not and there's actually a period there's a window of weeks or longer for enforcement actions to be taken.
michaelt · 1d ago
Users visit aggregator sites which don’t host the streams, they just link to them.
Then the streams are on sites with names like fins38gy2m.ws a new URL for every game.
The hosts of the streams can set up an URL days in advance, and post it to the aggregators at the start of the game.
haiku2077 · 1d ago
Preregister domain names, distribute then via chat apps like signal or whatsapp or telegram.
AlotOfReading · 1d ago
Whatsapp has mechanisms to prevent this kind of thing by blocking the messages from being sent, but I guess I'm confused about how this works financially. Sports streaming (especially something like La Liga) is the textbook example of a mass market product. The vast majority of the audience isn't technically sophisticated, and live streaming infrastructure is expensive. Pirate sites need a reasonably large audience to make money. I find it hard to believe that there's enough reach for people waiting to click on random links in private signal chats to make pirate streaming a viable business when people can just go to a bar or a friend's house. Is that really happening at any meaningful scale?
alwa · 1d ago
> Is that really happening at any meaningful scale?
Anecdotally: oh yes. I don’t know anybody who pays, although that may say more about the populations I work with and hang out with.
I hear there’s plenty of headroom for the direct economics to work, if you’re reselling for less than the ~EUR100/month range the commercial providers charge [1]. Gross median income in Spain is on the order of EUR27000 annually, for reference [2]—so I’m not sure how many of the pirate viewers would be able to afford the legit product if the pirate channels dried up.
I also hear [0] there’s a robust side trade in exploiting pirate viewers’ machines though malware-style techniques while they’re there and feeling enticed to click yes to things…
That price point is insane. How could it ever rise to such a level that it prices out almost the entire audience of potentially casual subscribers?
drw85 · 1d ago
Streaming services bid on the licenses and spent so much investor money that they have to charge this much and still not make a profit.
aerostable_slug · 1d ago
I've seen these sites run ads, so I assume that means that they do have significant reach and further the ad providers get some return on their investment.
Note that the ads were for things like VPN providers and pirate IPTV feed services, which people are willing to pay for.
haiku2077 · 1d ago
I personally don't know _anyone_ my age who pays to stream sports.
yunohn · 1d ago
> Whatsapp has mechanisms to prevent this kind of thing by blocking the messages from being sent
Sorry, you mean WhatsApp detects and prevents the sharing of piracy links? I wasn’t aware of this, good to know. Is there a source of the various checks they have like this?
giantrobot · 1d ago
You don't even need to distribute the URLs. An aggregator can use a DGA[0] in and automagically find the correct stream URLs. Unless the seed and specific DGA leak it would be difficult to get ahead of the pirate streams.
A lot of them will share a link to a page of all the domains they operate. So you just bookmark the page and if the site goes down just busy that page for the new links.
ithkuil · 1d ago
Cloudflare presumably has an infrastructure to prevent abuse. Is it too slow to react?
AtNightWeCode · 1d ago
I might be out of date but. I think the article is incorrect. It is the same corp that owns both the streaming rights and the ISPs. The court order allows those ISPs to block IP-addresses of sites that hosts illegal streaming. I find it hard to see how CF could have a case here.
im3w1l · 1d ago
There is a new factor in the equation: Rising anti-american sentiments. This ties in with point 5 especially. Forcing Spanish websites off Cloudflare could seem like an additional benefit.
spookie · 1d ago
I've heard enough of this anti-american talk, and it sure smells like propaganda.
The huge majority of europeans have nothing against the american people. Please, do not propagate these claims.
No comments yet
briandear · 1d ago
The “anti American sentiment” is overblown. Average person doesn’t care. I live in Spain and I’m not seeing much anti-American anything. Anti-Israel has reached hysterical levels on the other hand — at least in the media, though the average person really doesn’t care about that much either.
In my circles of high level Spanish/European motorcycle racing, we continue to have a very positive reception as Americans in the paddock. The (Spanish) TV announcers have been positive towards our riders, the teams and crew are positive and helpful. We have more people wanting to talk about Route 66 than trade policy. Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S. The only exceptions are hysterical US expats on Facebook groups acting like the sky is falling. But they do that reliably every time a Republican gets elected.
Anecdotes aren’t data of course, but vocal people online don’t represent broader thought.
sillyfluke · 1d ago
>Spanish/European motorcycle racing
Yeah, you're in a bubble and you're likely misreading their politeness. I don't know any Spainards who would want to get into pointless political arguments with Americans who they guessed to be right of center in the off chance they were supporters of the current US government. Unless of course they were Vox affiliated, but even then I'm not sure they would bother engaging. They'd probably prefer to stick to talking about common interest stuff (like motoracing). "Anti-American sentiment" in the European context usually means being Anti-American government, not being dicks to individual Americans. The few cases where it actually crosses into Anti-Americanism the way you describe it seems to happen when the US militarily attacks a country they consider to be "brothers" or very close to. One example would be Greeks during the NATO bombing of now Serbia. Definitely one of the worst times to visit the Acropolis for an American.
I think your error is that you are gauging "Anti-American sentiment" by measuring how much you witness them bitching about Americans or Israelis. Whereas you should measure it by their actions. Tesla sales dropped signifcantly in Spain as it did in the rest of Europe. BYD sales are up 644%. See what they think about taking family vacations to the US.
Spanish people often end up buying local alternatives when available anyway but don't mind buying whatever when there are no alternatives (iphones, sneakers etc)
You ask the Spaniards if you want to send ammunitions to a country convicted of war crimes, the majority will most likely say no. And if your government is actually acting in accordance with that position and pushing the rest of Europe on that front, there's even less reason to bitch about Israelis to random foreigners.
> Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S.
This we can agree on. As it should be. Why bother with things out of your control?
No comments yet
jaoane · 1d ago
I live in Spain and there is no rising anti-American anything. The average person doesn't care beyond the Trump hate that is spewed by the mass media, but the mass media spews hate about many things, so much that the average person can't really invest much energy into hating every little thing.
I know that people here would love to live in an alternate reality where everybody in the EU is fuming at the US having a right-wing government but that's not here at least yet. The US has done so many terrible things throughout history; they will survive this too.
twixfel · 1d ago
> The US has done so many terrible things throughout history; they will survive this too.
Right, because extrapolation is famously applicable to human history.
LoganDark · 1d ago
> The US has done so many terrible things throughout history; they will survive this too.
They may never recover from decades of top secret intelligence being compromised.
moffkalast · 1d ago
The EU should be sanctioning Spain the same way we're sanctioning Hungary for this sort of authoritarian behaviour. What's next, they're banning Google cause pirates use it to search for streams?
I don't know how this doesn't count as a net neutrality violation.
arp242 · 1d ago
Look, I don't like these blocks, but comparing it to the situation in Hungary is hysterical and ignorant. And the EU going around sanctioning every member state at the drop of a hat if it does something the other member states don't like would mean the end of the EU, as support for this kind of EU is extremely thin.
candiddevmike · 1d ago
Cloudflare becoming Too Big To Block. Sounds like it should become a utility.
haiku2077 · 1d ago
This situation also applies to any hosting provider which doesn't give every website a separate IP address. (The newest versions of TLS encrypt domain names, so the ISP only sees the IP.)
jfengel · 1d ago
Usually, they call that "nationalizing". For a worldwide company, would it be "globalizing"?
No comments yet
moralestapia · 1d ago
Why?
There's no rationale behind that.
mystified5016 · 1d ago
When a thing or technology becomes so large and so relied upon that removal of that thing causes real physical harm to unrelated citizens or indeed the government itself, you should think about the risk and benefits of allowing that thing to be controlled entirely by a private entity with no oversight or responsibilities.
hombre_fatal · 1d ago
This is just barking up the wrong tree and it applies to everything that people use.
The root issue here is that La Liga is able to get a court to shut down a web host. It's shouldn't be anyone's problem but La Liga's that people pirate their stream, but a court let them make it everyone's problem. And there are any number of dumb things the court could have let them do, and turning CF into a utility company that can get shut down by the court doesn't solve the issue.
Finally, the main/original reason CF is useful is because the internet was created naively with no protections against bad actors. Weakening CF just empowers bad actors like LaLiga that much more at the expense of the rest of us. Being able to cloak my origin behind CF so that LaLiga or any other overpowered government or private entity doesn't know who I am is a feature. LaLiga having no option but to throw a tantrum that takes down half the internet is also a feature, and not one we should quickly hand away just because, idk, we can imagine some utopian vision where CF is unnecessary.
danaris · 1d ago
> This is just barking up the wrong tree and it applies to everything that people use.
You're missing the part where it's a single company, not just "the entire anti-DDoS infrastructure", that's being talked about here.
It would be perfectly possible (no idea how practical offhand) to have an entire ecosystem of competing CDNs all doing the same thing that Cloudflare does, rather than just Cloudflare making those decisions all by itself.
Spivak · 1d ago
There is an ecosystem of competing CDNs. Blocking any one CDN necessarily impacts all the sites hosted on that CDN. This is a function of being a webhost with multiple customers not being Cloudflare specifically.
danaris · 1d ago
Except that the problem here is that Cloudflare, specifically, is so widespread that blocking it is highly likely to block many very important things.
If the ecosystem were truly more competitive, it would be much more likely that, for instance, if you went to block the CDN serving one particular football piracy group, it would not block half your government websites at the same time.
Zealotux · 1d ago
I live in Spain, while I find the whole "life-threatening" narrative a tad overblown: I agree these obnoxious blocks are unacceptable. Incredible how much power LaLiga is capable of wielding.
dakiol · 1d ago
Didn't one of the major ISPs in Spain go down like a weeek ago (movistar) and that caused some emergency numbers to not function properly for some time? I wouldn't be surprised if critical (digital) infrastructure would rely on Cloudflare. If Liga is banning blocks of IP addresses without distinction, then anyone is at the mercy of being shutted down in Spain.
gmuslera · 1d ago
In a globalized internet, your health institutions websites may run through, or depend on (i.e. 3rd party sites, js dependencies, etc) going through Cloudflare. Or emergency services, or whatever. With enough players you go from a side possibility to a certainty.
hirako2000 · 1d ago
Cloud flare even offers a CDN for npm libraries.
it feels like incapable "experts" are placed in position or authority for something like this to happen.
ipaddr · 1d ago
Why would anyone use a cloudflare js cdn for anything but a toy site? Those are bad decisions by developers.
arielcostas · 1d ago
They are, but that doesn't mean it's their fault when websites fail because LaLiga decided to block an entire ISP. That's pure victim blaming. "Oh, what did you expect when you rely on a third party and another company wields the power of blocking anything without a specific court order?"
gardenhedge · 14h ago
Huh? It is their fault though. They chose to rely on a third party service that they don't own and had no mitigation for when it failed.
lnxg33k1 · 1d ago
Also Serie A, in Italy we had people losing everything this winter due to floods, and clubs were still trying to not postpone matches, it's so crap that there are so many people following football
afarah1 · 1d ago
In Brazil it is not uncommon for fans to organize protests, sometimes violent, when a club starts performing poorly due to perceived slack on the players. At the same time, seemingly more pressing political issues often go unnoticed. It's beyond me how some people get more riled up by the sport, not being a sports person myself.
hirako2000 · 1d ago
It's designed for this purpose. Rome was organizing those games to thrill the romans, it worked splendid. When political concerns gets on the rise, you pump the show.
It works better than your typical propaganda as players become heroes, managers and clubs make great money. Distributors get their cut. The machine is well oiled with solid monetary incentives.
Football (and other sports watching): cheap but deep rooted emotions, press here to get your dose.
ethbr1 · 1d ago
Look at it the other way -- absent sports fanaticism, people with these personality traits would be involved in politics.
I'd categorically say that focusing that sort of person on sports is by far the lesser of the two evils.
Democracy only chooses as wisely as the average intelligence of its voters.
ithkuil · 1d ago
Perish the thought that our politics will turn into a low level entertainment spectacle based on primeval emotions.
eej71 · 1d ago
_Rollerball_ a movie from 1975 (not the 2002 remake) is an interesting take on this. A futuristic society that promotes an increasingly violent game to entertain and misdirect the masses.
lifestyleguru · 21h ago
If only Italians treated this seriously their economy, job market, and demography. Ooops, it's too late. Enjoy your bloody football.
lnxg33k1 · 4h ago
These are just so much useless phrases, don't italian treat their job market seriously? We have a referendum as soon as next month to remove laws introduced by neoliberals few years ago that removed job safety and made everyone expendables, among other things.
Fokamul · 1d ago
Who let laws, which allows IP blocking, to pass?
No comments yet
Yeul · 1d ago
Football clubs have a billion euro budget nowadays. Sport is business. Where does FC Barcelona get their money from? The tooth fairy?
TacticalCoder · 1d ago
> I agree these obnoxious blocks are unacceptable. Incredible how much power LaLiga is capable of wielding.
It's not even about the power. It's about how freaking dumb of a "solution" that is.
It's not "you're too powerful" (la liga and the judges enforcing this) but really "you're too fucking dumb".
quesera · 1d ago
BTW, your account seems to have been shadowbanned for the last 4 months.
You might want to reach out to the moderation team.
SXX · 1d ago
Many will disagree here, but I really respect Cloudflare fight against government-enabled censorship and abuse of power by anti-piracy whatever.
Yes, sometimes CloudFlare used for some actually bad stuff, but same can be said for any cloud service. Having major internet infrastructure provider react to every whim of every single government in the world is not a good idea.
phoronixrly · 1d ago
They aren't really fighting against censorship and especially anti-piracy censorship. If they were, they'd refuse to take down sites. Instead they've a streamlined process for just that purpose, and are only fighting because they have been censored, affecting their bottom line.
hashstring · 1d ago
Thank you, this is the truth.
Cloudflare does not fight censorship. It actively helps create it. They have a strong team that delivers great products, but at the end of the day, it’s a for-profit company with as much for-profit morals that exist.
Lookup Tor project problems and CrimeFlare. Cheers.
Might be something have changed recently, but CloudFlare is kind a infamous for not taking down some questionable services. At the same time companies like Apple and Microsoft still continue to censor stuff on requests from Russia where they supposedly not operate.
SoftTalker · 1d ago
Piracy only flourishes when the content is priced too high. Most people don't want to bother, pirate streams tend to be glitchy, low quality, and unreliable. But they will if they feel they are being bent over a barrel. Drop the price and most people will pay it. I.e. make it easy for people to do it the right way.
xk_id · 1d ago
I think it’s extremely naive to think Cloudflare is anti-government. It’s more likely that they’re a US Intelligence company, whose purpose is to decrypt and monitor global internet traffic.
blibble · 1d ago
sounds like centralising most of the the internet behind a single easy target (Cloudflare) is a bad idea
thayne · 1d ago
I don't entirely disagree, but at the same time, La Liga shouldn't have this much power to shut down large swaths of the internet because of a handful of piracy sites, that probably only have a minimal impact on their income anyway.
Also, CDNs have inherent economies of scale and network effects, so it is natural that there would be just a few at the top.
phoronixrly · 1d ago
Only it's not La Liga censoring, it's a court order as far as I can understand from the TF article. Should the judicial system of a country have the power to shut down large swaths of the Internet after presumably due process and in accordance with the law? IMO yes.
Now, the question really turns out to be "Is a law stating that large swaths of the Internet must be censored to stop a handful of piracy sites just?"
No. It isn't.
dakiol · 1d ago
Yeah. I think this is the elephant in the room. I keep stumbling upon "We need to verify you are a human" by Cloudflare in many sites around the web. Crazy.
kevincox · 1d ago
I agree that having so many sites behind one CDN (and related services) is a problem, but I don't think it is the elephant in this room. Even if there were 100 very popular CDNs having 1% of sites blocked because one user was streaming sports doesn't feel acceptable. Shared hosting has always been very popular and you have sites like Shopify, Squarespace, WordPress.com that are hosting thousands of sites.
Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.
jtbayly · 1d ago
Sadly including on my site that kept getting overwhelmed by bots this year. I didn’t know what else to do.
Anubis is affective against certain kinds of bots and abuse, but wouldn't be that affective against large scale DDoS attacks. And it does have a negative impact on usability, as users have to wait for the browser to do the proof of work, which may or may not be worse than cloudflare's captchas.
DoctorOW · 1d ago
Anubis is a partial mitigant of DDOS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].
Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.
Yes, it's a partial mitigator, but it isn't as complete of a solution as a CDN, for a number of reasons. For one thing, with Anubis your server is still responding to requests, so a full scale DDoS could potentially take you down without having to actually complete the PoW, they just have to make enough requests.
Using a CDN for DDoS typically has multiple levels of protection:
- caching reduces load on your server
- In the event of a (D)DoS attack, the cdn can absorb the attack traffic with their much higher capacity than your server(s)
- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers
- Since the CDN fronts many sites, it can have more information about which IP addresss, and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.
- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.
In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.
jtbayly · 1d ago
I tried to figure it out for about 5 minutes, and decided that it probably wasn’t possible on my shared hosting.
throaway920181 · 1d ago
Also, if (when) their Captcha decides that you're a bad actor, there's literally no way around it. You can spend tons of time checking the box/trying again, but there's no way to "solve" it.
aspenmayer · 1d ago
I’m not sure if it fits your use case, but I think that CF has a browser extension that is supposed to help with that?
xk_id · 1d ago
The elephant in the room is actually one American company having unencrypted access to global internet traffic.
bearjaws · 1d ago
I have yet to find a platform that is as comprehensive as Cloudflare.
Odds are if you are running a popular platform, you need all of these things.
stego-tech · 1d ago
My sarcasm well is tapped, but this is why I was sus of CDNs like Cloudflare and Akamai at the outset. Yes, they’re highly convenient and enable more sites and services to weather large attacks or traffic spikes, but we willingly sunk a huge swath of the net behind a handful of for-profit entities and yet somehow expected nothing but sunshine and roses forever.
Stop. Trusting. Companies. To. Do. The. Right. Thing.
Cloudflare could’ve prevented this if they’d taken a stand on anything but profit motives, but they’ve repeatedly chosen not to. Piracy sites pay the bills just like Porn or Government sites, after all, and companies won’t turn down money unless forced to through regulation.
DoctorOW · 1d ago
You seen to be implying that Cloudflare has been abusing this position of power, but then listing things it allows? Porn, of consenting adults, is actually a great example of business Cloudflare's right to take on. You may not care for it, but legal/ethical pornography is a matter only of taste. We'd be far worse off if Cloudflare was blocking content based off of personal preference.
ipaddr · 1d ago
Didn't they kick off far right websites like stormfront? They still block from personal preference it's just preferences you agree with.
DoctorOW · 1d ago
(in)famously they refused to do that until ordered to by law enforcement.
TL;DR: "The tipping point for us making this decision [to discontinue service] was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology."
DoctorOW · 1d ago
That was sort of the PR spin they put on it. If Cloudflare was drawing an ideological line in the sand, they might have discussed where that line is lest others cross it. Instead, the post talks about when they do and don't comply with law enforcement and pleads with government not to try and force them to take other websites down. Posts on Stormfront were under immense legal scrutiny and the praising of Cloudflare brings that eye on them. Reading between the lines it's very obvious that legal made the decision.
GP was discussing the larger pattern, and the larger pattern is one of inaction until there's little choice left legally speaking.
pier25 · 1d ago
Unfortunately there aren't that many competing services.
AFAIK BunnyCDN is the only service that comes close but their cloud offerings are kinda new and they charge egress.
77pt77 · 1d ago
All systems seem to converge to these monopolies.
Google, X, Facebook, Cloudflare.
All minor player are absorbed or eliminated.
yoyohello13 · 1d ago
I think we are partially to blame for this too though. For the last 10-20 years the whole goal of a founder was to grow a business, get acquired then exit. If founders instead focused on building a sustainable business maybe we would have a more diverse tech landscape.
j_maffe · 1d ago
To be fair, even the ones that don't want to get acquired know the bitter road ahead from the opposition aggression.
SoftTalker · 1d ago
Nobody would fund a founder who wanted to build a sustainable business. It would have to be bootstrapped, and there are a lot of such businesses, but you never hear about them because they stay small.
okanat · 1d ago
It is the result of lack of regulation. They are all allowed to buy their competition.
brookst · 1d ago
Classic economies of scale. It’s a lot more efficient for one company to make one million services of lemonade than it is for one million people to make one serving each. Even if the homemade version is “better”.
shermantanktop · 1d ago
This is what happens when everyone is incented to trade low-probability risk for short-term profits. Because who would bet that a giant CDN would be blocked like this?
afiori · 1d ago
I agree that oligopolies are more stable than polyopolies, but a huge part of why the internet collapsed in a handful of companies is how stock markets and venture capital love monopolies.
__loam · 1d ago
X is a minor player. Replace it with AWS
77pt77 · 1d ago
I meant for what it does.
Is there anything even remotely comparable to twitter (outside of the PRC)?
__loam · 1d ago
Bluesky, Threads, mastodon, even reddit I guess even though it's more atomized into subreddits.
77pt77 · 1d ago
Twitter has like 3 times the users of threads and bluesky has a tenth of threads.
It's a geometric progression (power law) and it almost always devolves into that.
__loam · 1d ago
You asked if there was something remotely comparable and there is.
77pt77 · 12h ago
Three times less does not fit that.
30 times less neither.
globie · 1d ago
Of course it could claim lives. Hopefully Prince has considered people have also likely died as a result of Cloudflare's repeating captcha which holds the next page in front of you like a carrot on a stick, never letting you know that you will be clicking that box forever.
I'm sure while someone's in the process of keeling over is the perfect time to arbitrarily scrutinize their connecting details. You need to contact your doctor ASAP. Okay, but did you neighbor have a virus last week? Is your neighborhood in your city more "problematic" than average? You may have forgot to check these details before you fell ill.
Cloudflare sites should come with a big banner warning all users their connection will be arbitrarily approved by an algorithm with chilling effects built in as dark patterns.
Last I checked, Cloudflare does basically no educating of customers how badly their website will be broken for users arbitrarily when they don't use the ISP or browser Cloudflare likes. No explanation for how many customers you will lose when your website can't be visited by someone who doesn't know how to change their IP, no explanation that if you're offering a critical service then Cloudflare will give that service thousands of tiny downtimes left unknown, the screams too quiet to carry the weight of a tech CEO worried about something similar.
neilv · 1d ago
When I've tried to get a customer of CloudFlare to fix a consistent block of their site -- not safety-critical, but mission-critical, and costing them a SaaS sale -- nobody seemed to care.
My impression is that everyone knows that Cloudflare is blocking some legitimate people, but nobody -- neither the customer, nor Cloudflare -- cares enough to solve that problem.
It's similar to why Google doesn't have much tech support. Or why people can be locked out of their Google or Apple accounts without recourse. Caring about the people who fall through the cracks that you created isn't profitable.
When the Internet is part of the basic material of society, we need to rediscover ideals like "it is better that ten guilty persons escape than that one innocent suffer".
And we need to start removing from power the entities who are too lazy or greedy to uphold our ideals.
(Before someone jumps on literal numbers: That doesn't mean let through 10 botnet floods, rather than prevent grandma from finding a doctor. That could just mean, for example, don't block grandma because one of her browser headers looks suspiciously like an incompetent script kiddie, even though you can see that her traffic isn't yet part of a DDoS flood. Once you change the parameters to be more consistent with a fair and just society, maybe that means that, say, a Web site's servers do see a brief blip, as a new DDoS attack spins up, so it's not a perfectly smooth ride, but every legitimate person remains served. First, don't run over grandma; apply your engineering creativity with that hard requirement in mind.)
globie · 1d ago
Do you ever find that advocating for these tenets feels "weird" nowadays? As in, don't you know these publicly traded companies are legally bound to extract profit without these silly notions of empathy or trust? What do you expect them to do? To start acting silly?
maeil · 1d ago
> As in, don't you know these publicly traded companies are legally bound to extract profit without these silly notions of empathy or trust?
Based on your first question, I think you might already know this, but just in case you don't: This is a myth.
> The idea that choosing a 1% strategic internal investment over a 4.5% T-bill constitutes actionable "financial malpractice" or a breach of fiduciary duty leading to successful lawsuits is incorrect. Courts recognize that running a business requires strategic choices and risk-taking, not just maximizing immediate, risk-free yield. A lawsuit would fail unless plaintiffs could show the decision was tainted by disloyalty, bad faith, or gross negligence in the decision-making process, none of which are implied by simply choosing a lower-yield strategic project.
> Hence why no one ever gets sued for this. It doesn't happen. It lives in the minds of HNers and Redditors to provide a very convenient excuse for their employers, or in general companies, making abhorrent decisions purely based on feels and short-term next-quarter profits/stock price, regardless of the negative externalities they inflict on society.
neilv · 1d ago
I know that some corporations behave like they are jerks who are full of poo.
And some percentage of the rest will act like jerks once it's to their advantage.
But society still holds corporations to account on some societal values.
Mostly through legislation. But sometimes through consumers (and B2B) voting with their pocketbooks.
brookst · 1d ago
As someone who implemented cloudflare because of a massive DDOS and bot problem, sorry, but I will cheerfully allow 1% of my visitors to find the site unusable rather than 100%.
It sucks, but no sane business would be so invested in equality of experience that they’d allow it to be completely broken for everyone.
globie · 1d ago
What website? I'm guessing it is not health related or a "critical resource" if you are cheery about 1% of users being blocked?
For people who put stuff online to help people as well as to extract pure profit, knowing the anguish of your users really helps look out for them.
neilv · 1d ago
Thank you for honesty on this.
The choice isn't necessarily between 99% and 0% of legitimate users/visitors getting through.
What if you, and every other customer of Cloudflare or its competitors, applied pressure to make that 100% of legitimate users/visitors getting through?
What if legislators also mandated that 100% for many sites?
brookst · 1d ago
Mandating 100% availability sounds like regulating pi to 3.0.
It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised. Lots of scenarios where an innocent user must be blocked, unless the entire internet is reinvented. Which is beyond the scope of my project.
neilv · 1d ago
> It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised.
To me, this sounds like giving up way too easily on engineering problems.
One distinction to start with: Let's say grandma's router isn't part of a DDoS attack. Even if she might be trying to talk with a site that someone is trying to attack.
After solving that one, maybe the solution also somehow solves the problem of when grandma's router is involved in DDoS (or that site? of a different one?), or maybe we have to think harder.
jedberg · 1d ago
We have thought harder. We know the solution. But you have to trade off privacy for security. It's having every person get a cryptographic key from the government to identify themselves.
Some states are trying this now with porn sites and users are rightfully not having it.
neilv · 1d ago
You know a solution, not necessarily the?
What do you have to do to characterize packets sufficiently to shield against DDoS with negligible false-positive significant blocking? (Without needing to associate packets with an identifiable person, nor zero-knowledge proofs of a person, etc.)
It's OK to discard some prior requirements. (For example, it's OK to insert occasional brief latency (not barge-in Web browser JS) to some traffic, if that permits an approach that greatly reduces false-positive blocking. And it's OK to pass some traffic with a suspected single client, but then change your mind later. It's OK to forget about connection abstractions and clients, and look only at stateless packets and the entirety of traffic.)
brookst · 1d ago
Great, please start a service to do this. From my perspective, it can’t be done. I would be thrilled to be wrong!
neilv · 1d ago
I would be thrilled if this one pest control company stopped kicking puppies.
I bet they could figure out a way to check for fleas that doesn't involve kicking puppies.
But I don't want to get into the flea-checking business myself.
brookst · 23h ago
“I’m pretty sure they’re doing it wrong but can’t be bothered to figure out a better way” is not super persuasive.
neilv · 21h ago
How about this: "You just can't kick puppies. Find another way for whatever it is you're trying to do."
mvdtnz · 1d ago
The people behind Cloudflare spend all day, every day trying to solve these kinds of problems. They're just not as simple as you make it sound.
neilv · 1d ago
> They're just not as simple as you make it sound.
I didn't say it was simple. I said I thought it was more achievable than "it can't be done."
I suspect one of the barriers to it being done is that it's not a top requirement like I assert it should be, for basic resources of society.
When led with that requirement, I have faith that some smart engineers and product management can figure it out.
With apologies to JFK, "We do these things, not because they are easy, but because--" they need doing. Even if they are hard.
mvdtnz · 1d ago
I doubt a single person in Cloudflare would claim it can't be done.
globie · 1d ago
The people behind Cloudflare engineer this issue for profit, which is a very different motive than to "solve" the problem.
The people most interested in doing away with the problem altogether are not Cloudflare, but its customers.
spacebanana7 · 1d ago
What’s the alternative solution? We also don’t want to have critical services DDoS’d or spammed.
stego-tech · 1d ago
Then maybe don’t put critical services on the open internet. I know most tech people would balk at such a possibility, but the status quo isn’t really compatible with either long-term goal:
* If we want the internet to be a place of anonymity and free speech, then we shouldn’t be putting critical services on the public internet - or we need to stop using intermediaries like Cloudflare where a single court order could disrupt legal services
OR
* If we want critical services online and widely available, then verifiable identity is a must from the outset, such that these sorts of blocks can be highly targeted when enforced.
Piracy exists between those two forces: an anonymous internet would be rife with piracy, while an authenticated internet would see minimal amounts of it because it’s so easily eradicated. Coexistence of both worked because the internet was optional, which is no longer the case.
But nobody wants to talk about that, I find. Everyone wants the status quo to continue unabated forever, because it’s familiar. Familiarity does not mean permanent, though.
jfengel · 1d ago
I think the status quo exists as a more-or-less stable equilibrium between those forces. (Plus another equilibrium of people wanting to get paid for content and the people who don't want to give cash but will sell their attention and privacy.)
It's more than just familiarity. It's what works.
If someone had a significantly better alternative I think the world would jump on it. But many have tried to disrupt this equilibrium and failed.
brookst · 1d ago
What if there’s no singular “we” and different people / companies have different needs?
stego-tech · 1d ago
That’s basically what I was getting at, albeit in (deliberately) far more inflammatory terms. There’s this misconception at a very fundamental level that the internet is a “place” that can be regulated, or obstructed, as human needs change and evolve.
It is little more than a multitude of computers talking to each other in a similar “language”. It is not a singular place or entity, and attempting to regulate the entirety of it as such is fundamentally impossible.
And the sooner people and governments understand that, the sooner we can resume difficult discussions on its use.
globie · 1d ago
Simple: Connect larger NICs and do "dumb" DDoS filtering at your fattest point.
Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.
"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.
Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!
[0]: I made it up
fwipsy · 1d ago
> I made it up
I appreciate the honesty, at least
globie · 1d ago
This conclusion stems from that it is much easier to launch a DDoS from a single server w/ spoofed traffic than to use a botnet. If you have a single 10Gig server, you will likely not be able to take down another 10Gig server unless the target is already doing near 1gbps[0]. I believe most "noise" DDoS which effects random website operators is considerably less than 10Gbps, and pretty much every giant attack uses spoofed traffic which can be blocked upstream without a WAF. So long as your upstream is big enough.
[0]: I made it up, again.
wmf · 1d ago
DDoS is distributed denial of service. It isn't coming from one server. It's now trivial to buy 100 Gbps or more of DDoS so sites would need 400G or more to simply eat it.
globie · 1d ago
If you have a single server flooding spoofed traffic, it appears as a DDoS to the victim. It's at this point that the distinction between DoS/DDoS breaks down slightly.
It is very much not "trivial" to buy 100Gbps+ of DDoS. I'm highly confident the majority of D/DoS attacks are from single servers, because it works. If you have a 10Gbit server and your target has 1Gbit (or you 1Gbit and them 100Mbit, it still happens), it's not a question of if you can take the target down, but how long you can sustain that traffic level before your upstream notices.
Painting every D/DoS as the most bandwidth ever is a play out of Cloudflare's marketing. If every website operator knew that 1, you don't need that much bigger of a pipe, and 2, you shouldn't buy pipes that charge you $20+/TB like AWS anyway, then Cloudflare would have a much harder time selling you a downgrade in quality, and we would have faster and cheaper networks to boot.
I was always unsure about cloudflare as an end user - I don’t want all my traffic going through one provider, but their business use case seemed reasonable.
Then my in-laws got tricked into sending login credentials to a phishing page fronted by cloudflare. It was obviously spoofing IDP logins of Yahoo, Microsoft, etc. I sent a request assuming they would disable the domain and it was immediately closed (in minutes) as not an issue. It made no sense that they would want to front phishing sites. I eventually got them to look more closely and it was removed, but it soured my perception of them.
I think large scale internet businesses may need to start having more liability in matters like this. Being blocked from an entire country seems extreme, but if there are financial incentives to solve the problem, the problem will get solved.
SoftTalker · 1d ago
Auto-closing an issue and waiting to see if there is followup is probably a decent filter for real complaints. Like you, a person with a legitimate concern will persist, at least for a while.
jorvi · 1d ago
I see so many people in these threads always complain about Cloudflare or Google CAPTCHA loops.. but even when using Private Internet Access (one of the most abused VPNs), I rarely if ever got on a full-on loop. Maybe Google CAPTCHA made me solve 3 things instead of one. Cloudflare is always just a checkbox. And I have my Brave and Firefox profiles hardened.
I'm not saying you aren't experiencing this, but I am curious: what is your setup that Cloudflare and Google treat you with such suspicion / hostility?
mac-mc · 1d ago
It's because you have previous cookies/state in your browser that you got from non-VPN addresses, which adds to your trust score. Do it with a clean browser with AdBlock and many, many things block you.
If you don't clear your state or keep its original origin VPN only, you're breaking a big point of using VPNs.
jorvi · 1d ago
Brave uses Forgetful Browsing, nuking all stateful site data after a tab close. I have Firefox configured to do the same via the Cookie Autodelete extension.
tekla · 1d ago
I use Firefox Focus on mobile, use-once containers on Firefox Nightly w/ Mozilla VPN or Mullvad and have never entered the doom loops that are described.
MallocVoidstar · 1d ago
I use Firefox Focus on Android (wipes its cookies on close) + Mullvad and Cloudflare captchas don't even make me solve anything, just tap on them and they let me through.
Filligree · 1d ago
Nothing unusual here; just Safari on OSX, with an ad blocker. CAPTCHA loops happen all the time, to the point that I try to avoid Cloudflare-served websites.
candiddevmike · 1d ago
Incognito mode with ad blockers triggers it for me
sionisrecur · 1d ago
And then the Spanish high sea robbers will just find other routes while the regular people will keep wondering why their bank doesn't work.
vvillena · 1d ago
This is literally the case. Pirated streams keep working, while a good chunk of the internet is rendered inoperative during weekends.
KaiserPro · 1d ago
So on the one hand I am sympathetic. On the otherhand, I'm also pretty sure cloudflare won't take down pirated stuff, so what do they expect?
I don't like the way that large football conglomerates abuse copyright, but then those same rules _should_ be open to me for anything I produce. The main difference is I don't have a team of lawyers.
renatovico · 1d ago
I live in Spain and love LaLiga games, but I dislike the executives. There's no straightforward way to stream all matches. The Cloudflare/piracy issue is the lack of clear streaming options. Even with DAZN, Movistar Plus, and TVBar, none offer complete coverage.
jedberg · 1d ago
How come no one is mentioning the obvious solution -- LaLiga needs to make their product as easy to access as piracy. If they offered worldwide streaming of the matches available on an easy interface at a reasonable price, then none of this would be a problem.
Piracy is almost never about the price -- it's almost always about the availability. Especially when it comes to live sports.
pixelesque · 1d ago
I suspect it's not quite that easy: it's likely similar to the situation with the Premier League in the UK (and other things like Formula 1 previously) where a particular broadcaster has been given exclusive distribution rights, and has paid a lot of money for those rights (which in theory go back into the game and pay for the huge salaries of players).
JambalayaJimbo · 1d ago
This solution clearly does not actually work. Musicians make pittances off of streaming in comparison to the money they made with physical media. Hollywood has seen strikes and streaming services continually raise prices.
razakel · 1d ago
Musicians make very little off physical media - it's merchandise that brings the money in.
jedberg · 1d ago
With piracy they make nothing, so they'd still make more than they make today. Almost all of the pirates are people trying to watch from outside the coverage area. It's not like stopping piracy gets those people to pay.
They just stop watching.
latchkey · 1d ago
He's been complaining a lot about Portugal on Twitter too.
Your/Our masters need newer, bigger and better handouts!
renewiltord · 1d ago
These countries all have the same problem: older generation has sufficient power to say "we don't need immigration or jobs or anything; we're fine" while Americans who visit say "wow this place is great; such good food for so cheap!" and young people are desperate to emigrate for jobs.
If I was the Portuguese government, I'd use the media to explain it like that too.
dpkirchner · 1d ago
I don't see anything about Portugal there, just hundreds of tweets sorted randomly.
jsheard · 1d ago
X now shows logged out visitors a "greatest hits" timeline instead of a users actual timeline. You can use a proxy like xcancel to get around that without an account.
Football company has authority to block IP addresses?
bilekas · 1d ago
In Spain LaLiga IS the government.
ErneX · 1d ago
They got a judge order that tells ISPs to block any IP they want during games.
gosub100 · 1d ago
NFL would absolutely do the same in the US if it were against a foreign ISP or network operator.
TheCondor · 1d ago
What’s the domestic piracy rate for NFL games?
They split the rights up in much more imaginative ways, like local channels can broadcast sold out local games and then the nfl itself or an rsn or major network can broadcast the remote half. I would guess that a lot of local games are over the air but if you follow a team somewhere else you might need a fairly inexpensive subscription
tedunangst · 1d ago
The NFL streaming services are truly bizarre. You can't stream local games, based on billing address, because you're supposed to watch TV. Which means if you go on vacation, you still can't watch, because they're not on TV and not streamable with your account.
otterley · 1d ago
Why does CloudFlare have these problems and other CDNs like CloudFront and Akamai don’t?
jsheard · 1d ago
CloudFlare is free/cheap, has (AFAIK) no KYC policy, and is generally unresponsive to abuse reports unless the courts get involved, so it's the default choice for nearly all piracy sites, phishing sites, DDoS providers, etc. The few which do get kicked out of CF generally have to resort to dubious Russian CDNs because none of the other mainstream CDNs will have them.
dankebitte · 1d ago
> dubious Russian CDNs
Are there multiple? I thought DDoS-Guard [1] had a near-monopoly on CDN services for international piracy.
No, CloudFlare is implicated as well. If you watch videos from any of the major pirate TVoD sites and inspect the traffic, you can see they're frequently using CloudFlare as their global CDN with a Chinese origin site.
AtNightWeCode · 1d ago
Entire Amazon AS-numbers are sometimes blocked so CloudFront consumers have the same issue. The thing with CF is the scale. They are really big and that is why it gets noticed. When it comes to Akamai they don't have shady customers in general and the risk of a problem is less. They also have a better infrastructure.
carlosbaraza · 1d ago
I live in Spain and my ISP is Digi, which uses the network from Telefonica. These blocks are incredibly frustrating, and a ton of people have noticed websites and services not working. However, because the block lasts some hours, people don't know what is happening: "is my mobile network bad?", "Is the website down?". They try a few hours later and it's back up, so they move on.
My company's website is behind Cloudflare and I discovered this whole situation because someone couldn't access it. Also my home assistant is not accessible from the internet the days with a match. And we use it to open the garage and the house. We learned the lesson the hard way being locked outside until I managed to connect with a VPN. This is just nuts and incredibly frustrating. And for La Liga we are just a bunch of "frikis" (nerds) complaining about it... because we are the only ones that understand what the problem is.
Unfortunately, someone would have to die and a lawsuit to follow, and maybe that could stop this crazy nonsense. E.g. A few days ago I read about someone with diabetes whose device was malfunctioning because of these blocks.
reynaldi · 1d ago
Ignoring the Spain block for a while, I wonder how/why these piracy sites use Cloudflare. Are they using something like R2 or Stream? This means someone still has to pay for it, right?
sinuhe69 · 22h ago
I wonder why the site owners and the users who are affected by such broad and indiscriminate blocking will not sue LaLiga AND the judges for damages and violation of freedom of speech?
vvpan · 1d ago
I am somehow out of the loop about why Cloudflare is as big as it is? There are many other CDNs, why them?
SXX · 1d ago
Free tier that let you hide your server IPs, cheap domain registry (with no margin) and even some also tunnels for zero trust. Like I used them for a lot of personal and tbh even commercial projects for years paying them $0. Also they have bandidth alliance with Backblaze so you can serve 100s of TBs for free.
So there a lot of convinience and free stuff. It's quite obviously that when I had commercial customers where for whatever reason free tier wasn't anough I juse used them as well. Why not? There are horror stories about their corporate pricing, but for smaller company paying $20-200 for CDN is no brainer.
Also huge massive advantage of CloudFlare is that majority of their services are not metered so it's hard to wake up to $100,000 bill like it can happen with AWS and almost any other CDN provider.
I still believe this kind of centralized MiTM is bad for us all, but honestly I'd rather it be CloudFlare than Amazon, Microsoft or some other "evil corp".
vvpan · 21h ago
Thanks for the thorough write-up. I am also conflicted that somebody has so much power in the market but at least they are not AWS/GCP.
wbl · 1d ago
Cloudflare is very easy for small sites to use. The enterprise market is where the competition is.
speedgoose · 1d ago
Descent free tier, not restricted to enterprise customers, many features, good overall quality.
Ekaros · 1d ago
Maybe they should separate vetted services behind different IP ranges. Or even company. And put in place massive financial penalties for those services if for any reason because of them they have to block traffic.
neom · 1d ago
Sometimes I wonder if people know who Matthew Prince is... Matthew is not someone you want to fight with.
tbrownaw · 1d ago
I seem to recall news a while back about how cloudflare was very deliberately making it impossible to block only some things they provide, specifically for the purpose of causing any blocks to have enough blast radius to cause popular outrage. At the time it was presented in terms of fighting back against political censorship.
lifestyleguru · 21h ago
Football is the cancer on European societies and economies. From low level hooligans literally bullying and beating children, to high level infuence on the broadcasting infrastructure. Sell it all to Saudis for billions of trillions and ship the football stadiums overseas as a bonus.
tough · 1d ago
They also did it to Vercel.
Paella and sol heh, not CDN's
pyb · 1d ago
The crux of the matter is that Cloudflare keep providing their protection service to huge piracy sites, for instance archive.is
Fokamul · 1d ago
This goes to Spain government (Nazi-like behavior has long tradition there) and Spain citizens letting laws, which allows this, to pass.
Because same law was or will be used to block opposition, etc.
Of course, that similar organizations (paid by huge copyright companies) tried the same in my country.
And luckily our government listens to local experts (NIC.cz and others) and not to mention, pirating has big tradition here.
So they failed to pass this ridiculous law. (blocking IP addresses)
6stringmerc · 1d ago
Actually, this is a Cloudflare problem - simply take extra steps to ensure your clients paying for your services aren’t harmed by natural market forces.
If you read between the lines, he’s claiming people will die because Cloudflare doesn’t want to take the time, effort, or money to fix the problem that they easily could by creating a separate system for critical services.
This type of “tech hypochondria” should be absolutely dragged at every opportunity. This guy runs a business and whines that his clients don’t deserve what his business agrees to provide? FOH with that ish mang I ain’t buying it.
No comments yet
stackedinserter · 1d ago
I never watched sports but my kids want to, so tried to buy them subscription to some sport broadcaster.
Bundesliga, F1, NHL and FIFA world cup, that's all I (they) needed.
It turned to total mess. Service A shows F1 but not NHL. Service B shows NHL but not all NHL, only games where my city team plays. Some show LaLiga but not Bundesliga. All cost $30/mo but still show ads. Periodically they show ads instead of the event. If they can't, they split screen show the event in a little rectangle that's 25% of screen space. Dazn, TSN, ESPN are all total scam. You can see a lot of bull riding though.
We cancelled all this nonsense and just moved to pirate sites. Screw this bs.
omnee · 1d ago
I have done something similar too, as I wanted to watch a specific football game - Barcelona v Real Madrid - and it was available on a different streamer to the THREE that I already have. So I simply took the easier route.
LocalH · 1d ago
A clear example of how piracy is really a service problem.
andrepd · 1d ago
Very telling how the article ends with a snippet about how the previous season had record-breaking revenues and how La Liga is one of the most profitable sports competitions in the world. It is never enough.
ryandrake · 1d ago
The people running these companies don’t know what “enough” even means. They have no concept of it.
padraigfl · 1d ago
Football leagues are in a bit of a weird position here where one league (English) being drastically stronger in pure monetary terms than the rest means the others can't really let up.
Similarly there's quite a lot of push from the most powerful teams in some of these leagues to break off and form a European Super League; with Spain's two biggest teams being the biggest backers of the project.
ETA: not agreeing with how aggressive they are exactly, but do think long term they're probably in a lot of trouble if/when money starts to properly force a European Super League into existence.
refulgentis · 1d ago
It's bad to steal things and we should try to prevent it.
(I'm generally pro-piracy and don't know the details here, but am also old enough for "the people like MONEY" to not be a particularly noteworthy quality. The things that jump out to me here are A) is Cloudflare's attempted implication that they just need a better injunction true? B) The sophomoric argument that "people will die due to this" is my "people like MONEY" smell)
budududuroiu · 1d ago
I’m gonna argue that piracy is the only thing keeping platforms somewhat in check to not get completely enshittified.
I stopped pirating stuff when content platforms gave a compelling easy to use product, I’m back to pirating because it’s genuinely a better product compared to the endless hoops you have to jump through to use streaming services
Enshittification is when there's multiple choices?
Isn't it, quite literally, the opposite?
hakfoo · 1d ago
You don't have multiple choices.
The appeal of Peak Netflix was that it had everything in one place with reasonably working discovery mechanisms. You could pay $10 or so per month and be satisfied. The current streaming era is "if you want to see all your favourite shows, it will cost $60 per month and you'll have to bounce around among 12 apps to find what you want."
If we had a mandatory-licensing regime, I'd expect multiple choices would work great. Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
refulgentis · 1d ago
> You don't have multiple choices.
The comic depicts "Netflix" -> "Netflix Amazon Apple Disney+ Hulu YouTube", and you later implicitly say there are multiple choices, but, you don't think it works well. "If we had a mandatory-licensing regime, I'd expect multiple choices would work great."
> Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
I'm not sure how either of those are differentiators for people selling content, rather than people coding apps.
Let's avoid that simple argument.
Let us instead assume mandatory licensing exists, which I presume means that as soon as content is released, it is a right to be able to license it, i.e. pay the content creator to have it on your service.
I have a hard time understanding how that would lead to all content being on all services - surely, this adds up to some finite sum, but is that finite sum enough to mean its trivial to license everything, so there's no differentiator anymore?
And that's before we bring in that, presumably, we have some shared understanding that it's more expensive to license, say, Bluey Game of Thrones Edition, than, idk, hmmm...Karate Kid.
Let's set all those little things aside.
A screen is a piece of glass with pixels behind. A video takes up the pixels.
Is there room to "build to better suit your specific devices"?
Can we avoid an example that ends up creating exclusive content in the process?
Let's set that aside: what are discovery tools?
Are they differentiable? Or does it boil down to "a way of presenting N choices I might like"?
abdullahkhalids · 1d ago
Streaming apps are like grocery stores. In both, there is very little value add besides that they aggregate products. And in both the customer wants to get to their product with the least amount of friction possible.
You will notice that in most places, grocery store market has stabilized to an oligopoly, where almost every where multiple grocery stores exist, all of whom offer more or less the same range of products with some variations.
I would imagine if any streaming-app could license any content, the market would evolve to a similar equilibrium. Largely similar products, with some minor variations (some stores offering discount/luxury items at cheap/higher prices). Margins would be fairly low. But most customers will be fine with going to exactly one store/app over and over again.
hakfoo · 1d ago
> Is there room to "build to better suit your specific devices"?
The obvious example would be ecosystem support. For example, (last I checked) Crunchyroll didn't have an app for my WebOS TV.
I could also see more technical choices, like encoding options that make sense based on the type of device and network you're targeting. One of the reasons YouTube is better than a lot of the alternative video hosts was that they could support a huge array of different connection speeds and device types.
Improved UX might also come into play. There's the "Jitterbug Phone" business model of making a product simple to use for less-technical and low-mobility users, or the ten-thousand-knobs options on every encoding detail and playlist management for enthusiast videophiles.
> what are discovery tools? Are they differentiable? Or does it boil down to "a way of presenting N choices I might like"?
I believe they're very differentiable. Some possible examples:
- Tradeoffs between length and complexity of the onboarding/profile management process versus precision of recommendations
- Sophistication of the metadata and algorithms used to make the connections between "I liked A" and "I might like B"
- Super-fine-grained ratings and filtering technology for sensitive audiences (this might not even be censorship but things like "flashing light warnings" or "PTSD trigger warnings")
- Account siloing/combination (You might watch Final Destination alone, your kids might watch Caillou alone, but can it provide suggestions you'd like together?)
- Smarter series management (I occasionally pull up a sitcom episode, but I don't want to systematically work through those from S01E01 onwards, I want a semi-randomized assortment like broadcasters running reruns do)
With regards to licensing costs and available content, it could pan out one of two ways:
- If the licensing meter only dings on consumption, there's negligible cost to listing ALL THE THINGS, especially if there are archives that can be pulled from on demand (i. e. "You want episode 11 of Samurai Catboy Locomotive Engineer (1977)? Please wait 30 seconds while we torrent it and package it for use in our service")
- If there has to be some advance "catalog building" phase, you'd still end up with "most mainstream services have most mainstream selections".
It's like books. If you're opening a mainstream bookstore, you're probably going to sell the latest Stephen King novel. Nobody says "I HAVE to go to Barnes and Noble to get that specific book." Conversely, you might not carry the full range of Knuth volumes unless you're an academic/technical speciality store.
kylecazar · 1d ago
What hoops? Payment?
I pay to stream La Liga and it's about as easy as hitting 'Watch Live'
Vicarium · 1d ago
Yeah, split payments across multiple streaming services can get tedious. Though I agree with you for the most part, piracy comes with more hurdles even with a fancy automatic setup.
But really the most important benefit of piracy is the one you're already taking advantage of. The cost would be significantly higher if they had a true content monopoly, instead they have to price with the idea that should the cost be too high, the inconvenience of piracy becomes increasingly worthwhile.
jen20 · 1d ago
Shitty non-platform-integrated UI 8: my particular bug bear. I want a native Apple TV app using native controls if I’m to pay money for a streaming service. That said, I just don’t bother watching if that isn’t available.
6510 · 1d ago
Say I want to watch some specific movie right now.
How would you go about accomplishing this?
6510 · 1d ago
it's a serious question. I've tried hoarding subscriptions. It doesn't work.
kylecazar · 1d ago
I have the subscriptions and it works for me. I do resent on principle needing so many different services, but once set up, I haven't hit a film that wasn't covered.
My subscriptions: Hulu (with a bunch of premium channels), Prime Video (with MGM, Acorn and BritBox), Netflix, Max, Peacock, Apple TV, Criterion Collection, Fubo, ESPN+
In the off chance something is not available on one of the above (again, really hasn't happened), it is usually on PPV via either Prime Video or Play for 4.99.
To the point of piracy -- I don't like the poor UX argument, personally. But, if you're struggling to make ends meet and the above subscriptions are just unaffordable (which they are for many), I'm not going to think any less of anyone for perusing some torrents. The world is hard and entertainment can really help people through the bullshit. The very last thing people need when struggling is to be deprived of their escape.
It's a little harder to justify not paying for any reason other than inability to pay.
refulgentis · 1d ago
Canistream.it, if not, rent and or buy from Google Play
beeflet · 1d ago
yeah, payment is too inconvenient for me. I am not going to give my CC info to every website that asks.
Maybe if we lived in a "HTTP 402" secure micro-transaction world, it would be a different story.
refulgentis · 1d ago
"Endless hoops"?
zoeysmithe · 1d ago
My words and art are constantly being stolen and mined for AI.
People being stolen from most likely aren't going to advocate for the class stealing from them. Capitalism has one rule to wit: an in-group that is not bound but protected by the law and an out-group that is bound by but not protected by the law.
As a working class person if you 'pirate' materials you could be facing fines or even jail time.
If the capital owning class wants your IP, they'll just take it.
mvdtnz · 1d ago
This is the second time I have seen an article on this topic that talks about "LaLiga" without ever defining it. As if ordinary people outside of Europe are expected to know what LaLiga is.
No comments yet
charcircuit · 1d ago
It's a taste of his own medicine. Having your entire service blocked due to a portion of it being illegal is not much different to how he personally terminated service for 8chan due to a portion of it he claimed was illegal.
1. La Liga (Spanish Football) finds pirates streaming their games objectionable
2. They notice that many of these streamers use Cloudflare for something, presumably CDN and load balancing.
3. They appear in court in Spain and get an ex-parte TRO blocking all Cloudflare IPs. (Ex parte TRO: restraining order granted without Cloudflare being summoned to court)
4. Based on this, they tell ISPs to block pretty much all of Cloudflare in Spain.
5. Cloudflare goes public in frustration, noting that they could just send take down requests for infringing content like every other rights holder in the world, and that many Spanish utilities and civil resources use Cloudflare.
Interesting. My gut is that it’s hard to beat La Liga on their home turf, as evidenced by not even being invited to the court hearings which shut you down across all of Spain.
Long term, I’d guess CF wins this one? Probably they will have to escalate in some way to Eurozone courts, although I have no idea how this might work. No cloud business could meet the standard put forward by La Liga; but also there are only so many CDN companies. Meantime I guess illegal streamers can move to Google and see which legal group wins that battle.
one of the claims were that this is somewhat a procedural fraud since the plaintiff (Telefonica Audiovisual) and the defendant (Telefonica Spain) is technically the same thing. the order was granted after the defendants admitted, and therefore there wasn't any hearing with CF.
Now, there is also a conflict of interest, because Telefonica (the main telecom provider here, think Deutsche Telekom in germany or any formerly-public ISP) is also a rights holder to some football, meaning their interest is to block everything instead of their internet users, who suddently can't work on Github, visit Twitter or many other large sites; or even can't buy in many places online because Redsys (the largest payment processor here) also uses Cloudflare to protect their infra, and Cloudflare IPs were being blocked indiscriminately. All of this while being able to force other ISPs to block those IP ranges too, and without any possible recourse by either Cloudflare or the sites themselves, which according to Tebas "are only used by 4 nerds who like to complain".
And DDoS protection.
Sports broadcast piracy has a history of serious organized crime involvement, and then some, such as https://www.theregister.com/2002/03/13/murdoch_company_crack... where the allegation was NDS did the hacking and leaked the keys of the rival tech to various mob groups for exploitation.
1. IP holder representative sends notice to Cloudflare 2. Cloudflare sends automated notice to account manager 3. Cloudflare informs person from step 1 of who actually hosts the site 4. Person from #1 emails web host who is probably a shady company who in turn ignores email 5. Nothing happens
Then lobby the government to change the laws or other requirements so that any IP holder can have a more effective process.
The solution is not to hack some workaround.
But for fun, go pay for a legit ticket to watch a movie like "The Godfather" or "The Irishman." Count the dead bodies.
The shops themselves were not in the software business. One of them was specialised in turntable needles, and it was pretty popular. You had to go to the counter and specifically ask for "the menu" in order to access the "other side" of the business. It was an open secret though, as there was a lot of traffic in the shop for "the menu". You'd choose what you wanted, paid for your copy and leave with a bunch of floppy disks with it. They charged extra for the actual disks but you could also bring your own and only pay for the service.
If you mean electronic music bootlegs, then I don't see why the media or the format is that relevant. It's still just regular bootleg, and it's been popular since whenever copying and selling music was made possible.
Live sports piracy has the unusual property that you have to be able to get the block in place within the ~90 minutes of a football match, even at weekends and across time zones. Otherwise there’s no point.
If the courts let Cloudflare slow roll this, at the legal system’s normal snail-like pace, the law would be effectively useless.
Then the streams are on sites with names like fins38gy2m.ws a new URL for every game.
The hosts of the streams can set up an URL days in advance, and post it to the aggregators at the start of the game.
Anecdotally: oh yes. I don’t know anybody who pays, although that may say more about the populations I work with and hang out with.
I hear there’s plenty of headroom for the direct economics to work, if you’re reselling for less than the ~EUR100/month range the commercial providers charge [1]. Gross median income in Spain is on the order of EUR27000 annually, for reference [2]—so I’m not sure how many of the pirate viewers would be able to afford the legit product if the pirate channels dried up.
I also hear [0] there’s a robust side trade in exploiting pirate viewers’ machines though malware-style techniques while they’re there and feeling enticed to click yes to things…
[0] https://www.webroot.com/blog/2021/05/12/we-explored-the-dang...
[1] https://www.reddit.com/r/LaLiga/comments/1fksf3i/how_much_do...
[2] https://www.ine.es/dyngs/INEbase/en/operacion.htm?c=Estadist...
Note that the ads were for things like VPN providers and pirate IPTV feed services, which people are willing to pay for.
Sorry, you mean WhatsApp detects and prevents the sharing of piracy links? I wasn’t aware of this, good to know. Is there a source of the various checks they have like this?
[0] https://en.m.wikipedia.org/wiki/Domain_generation_algorithm
The huge majority of europeans have nothing against the american people. Please, do not propagate these claims.
No comments yet
In my circles of high level Spanish/European motorcycle racing, we continue to have a very positive reception as Americans in the paddock. The (Spanish) TV announcers have been positive towards our riders, the teams and crew are positive and helpful. We have more people wanting to talk about Route 66 than trade policy. Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S. The only exceptions are hysterical US expats on Facebook groups acting like the sky is falling. But they do that reliably every time a Republican gets elected.
Anecdotes aren’t data of course, but vocal people online don’t represent broader thought.
Yeah, you're in a bubble and you're likely misreading their politeness. I don't know any Spainards who would want to get into pointless political arguments with Americans who they guessed to be right of center in the off chance they were supporters of the current US government. Unless of course they were Vox affiliated, but even then I'm not sure they would bother engaging. They'd probably prefer to stick to talking about common interest stuff (like motoracing). "Anti-American sentiment" in the European context usually means being Anti-American government, not being dicks to individual Americans. The few cases where it actually crosses into Anti-Americanism the way you describe it seems to happen when the US militarily attacks a country they consider to be "brothers" or very close to. One example would be Greeks during the NATO bombing of now Serbia. Definitely one of the worst times to visit the Acropolis for an American.
I think your error is that you are gauging "Anti-American sentiment" by measuring how much you witness them bitching about Americans or Israelis. Whereas you should measure it by their actions. Tesla sales dropped signifcantly in Spain as it did in the rest of Europe. BYD sales are up 644%. See what they think about taking family vacations to the US.
Spanish people often end up buying local alternatives when available anyway but don't mind buying whatever when there are no alternatives (iphones, sneakers etc)
You ask the Spaniards if you want to send ammunitions to a country convicted of war crimes, the majority will most likely say no. And if your government is actually acting in accordance with that position and pushing the rest of Europe on that front, there's even less reason to bitch about Israelis to random foreigners.
> Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S.
This we can agree on. As it should be. Why bother with things out of your control?
No comments yet
I know that people here would love to live in an alternate reality where everybody in the EU is fuming at the US having a right-wing government but that's not here at least yet. The US has done so many terrible things throughout history; they will survive this too.
Right, because extrapolation is famously applicable to human history.
They may never recover from decades of top secret intelligence being compromised.
I don't know how this doesn't count as a net neutrality violation.
No comments yet
There's no rationale behind that.
The root issue here is that La Liga is able to get a court to shut down a web host. It's shouldn't be anyone's problem but La Liga's that people pirate their stream, but a court let them make it everyone's problem. And there are any number of dumb things the court could have let them do, and turning CF into a utility company that can get shut down by the court doesn't solve the issue.
Finally, the main/original reason CF is useful is because the internet was created naively with no protections against bad actors. Weakening CF just empowers bad actors like LaLiga that much more at the expense of the rest of us. Being able to cloak my origin behind CF so that LaLiga or any other overpowered government or private entity doesn't know who I am is a feature. LaLiga having no option but to throw a tantrum that takes down half the internet is also a feature, and not one we should quickly hand away just because, idk, we can imagine some utopian vision where CF is unnecessary.
You're missing the part where it's a single company, not just "the entire anti-DDoS infrastructure", that's being talked about here.
It would be perfectly possible (no idea how practical offhand) to have an entire ecosystem of competing CDNs all doing the same thing that Cloudflare does, rather than just Cloudflare making those decisions all by itself.
If the ecosystem were truly more competitive, it would be much more likely that, for instance, if you went to block the CDN serving one particular football piracy group, it would not block half your government websites at the same time.
it feels like incapable "experts" are placed in position or authority for something like this to happen.
It works better than your typical propaganda as players become heroes, managers and clubs make great money. Distributors get their cut. The machine is well oiled with solid monetary incentives.
Football (and other sports watching): cheap but deep rooted emotions, press here to get your dose.
I'd categorically say that focusing that sort of person on sports is by far the lesser of the two evils.
Democracy only chooses as wisely as the average intelligence of its voters.
No comments yet
It's not even about the power. It's about how freaking dumb of a "solution" that is.
It's not "you're too powerful" (la liga and the judges enforcing this) but really "you're too fucking dumb".
You might want to reach out to the moderation team.
Yes, sometimes CloudFlare used for some actually bad stuff, but same can be said for any cloud service. Having major internet infrastructure provider react to every whim of every single government in the world is not a good idea.
Cloudflare does not fight censorship. It actively helps create it. They have a strong team that delivers great products, but at the end of the day, it’s a for-profit company with as much for-profit morals that exist.
Lookup Tor project problems and CrimeFlare. Cheers.
https://gitlab.torproject.org/tpo/applications/tor-browser/-...
Also, CDNs have inherent economies of scale and network effects, so it is natural that there would be just a few at the top.
Now, the question really turns out to be "Is a law stating that large swaths of the Internet must be censored to stop a handful of piracy sites just?"
No. It isn't.
Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.
https://github.com/TecharoHQ/anubis
Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.
[1] : https://news.ycombinator.com/item?id=43864108
Using a CDN for DDoS typically has multiple levels of protection:
- caching reduces load on your server
- In the event of a (D)DoS attack, the cdn can absorb the attack traffic with their much higher capacity than your server(s)
- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers
- Since the CDN fronts many sites, it can have more information about which IP addresss, and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.
- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.
In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.
Bot protection, waiting rooms, cheap static assets, WAF.
Odds are if you are running a popular platform, you need all of these things.
Stop. Trusting. Companies. To. Do. The. Right. Thing.
Cloudflare could’ve prevented this if they’d taken a stand on anything but profit motives, but they’ve repeatedly chosen not to. Piracy sites pay the bills just like Porn or Government sites, after all, and companies won’t turn down money unless forced to through regulation.
https://blog.cloudflare.com/why-we-terminated-daily-stormer/
TL;DR: "The tipping point for us making this decision [to discontinue service] was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology."
AFAIK BunnyCDN is the only service that comes close but their cloud offerings are kinda new and they charge egress.
Google, X, Facebook, Cloudflare.
All minor player are absorbed or eliminated.
Is there anything even remotely comparable to twitter (outside of the PRC)?
It's a geometric progression (power law) and it almost always devolves into that.
30 times less neither.
I'm sure while someone's in the process of keeling over is the perfect time to arbitrarily scrutinize their connecting details. You need to contact your doctor ASAP. Okay, but did you neighbor have a virus last week? Is your neighborhood in your city more "problematic" than average? You may have forgot to check these details before you fell ill.
Cloudflare sites should come with a big banner warning all users their connection will be arbitrarily approved by an algorithm with chilling effects built in as dark patterns.
Last I checked, Cloudflare does basically no educating of customers how badly their website will be broken for users arbitrarily when they don't use the ISP or browser Cloudflare likes. No explanation for how many customers you will lose when your website can't be visited by someone who doesn't know how to change their IP, no explanation that if you're offering a critical service then Cloudflare will give that service thousands of tiny downtimes left unknown, the screams too quiet to carry the weight of a tech CEO worried about something similar.
My impression is that everyone knows that Cloudflare is blocking some legitimate people, but nobody -- neither the customer, nor Cloudflare -- cares enough to solve that problem.
It's similar to why Google doesn't have much tech support. Or why people can be locked out of their Google or Apple accounts without recourse. Caring about the people who fall through the cracks that you created isn't profitable.
When the Internet is part of the basic material of society, we need to rediscover ideals like "it is better that ten guilty persons escape than that one innocent suffer".
And we need to start removing from power the entities who are too lazy or greedy to uphold our ideals.
(Before someone jumps on literal numbers: That doesn't mean let through 10 botnet floods, rather than prevent grandma from finding a doctor. That could just mean, for example, don't block grandma because one of her browser headers looks suspiciously like an incompetent script kiddie, even though you can see that her traffic isn't yet part of a DDoS flood. Once you change the parameters to be more consistent with a fair and just society, maybe that means that, say, a Web site's servers do see a brief blip, as a new DDoS attack spins up, so it's not a perfectly smooth ride, but every legitimate person remains served. First, don't run over grandma; apply your engineering creativity with that hard requirement in mind.)
Based on your first question, I think you might already know this, but just in case you don't: This is a myth.
> The idea that choosing a 1% strategic internal investment over a 4.5% T-bill constitutes actionable "financial malpractice" or a breach of fiduciary duty leading to successful lawsuits is incorrect. Courts recognize that running a business requires strategic choices and risk-taking, not just maximizing immediate, risk-free yield. A lawsuit would fail unless plaintiffs could show the decision was tainted by disloyalty, bad faith, or gross negligence in the decision-making process, none of which are implied by simply choosing a lower-yield strategic project.
> Hence why no one ever gets sued for this. It doesn't happen. It lives in the minds of HNers and Redditors to provide a very convenient excuse for their employers, or in general companies, making abhorrent decisions purely based on feels and short-term next-quarter profits/stock price, regardless of the negative externalities they inflict on society.
And some percentage of the rest will act like jerks once it's to their advantage.
But society still holds corporations to account on some societal values.
Mostly through legislation. But sometimes through consumers (and B2B) voting with their pocketbooks.
It sucks, but no sane business would be so invested in equality of experience that they’d allow it to be completely broken for everyone.
For people who put stuff online to help people as well as to extract pure profit, knowing the anguish of your users really helps look out for them.
The choice isn't necessarily between 99% and 0% of legitimate users/visitors getting through.
What if you, and every other customer of Cloudflare or its competitors, applied pressure to make that 100% of legitimate users/visitors getting through?
What if legislators also mandated that 100% for many sites?
It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised. Lots of scenarios where an innocent user must be blocked, unless the entire internet is reinvented. Which is beyond the scope of my project.
To me, this sounds like giving up way too easily on engineering problems.
One distinction to start with: Let's say grandma's router isn't part of a DDoS attack. Even if she might be trying to talk with a site that someone is trying to attack.
After solving that one, maybe the solution also somehow solves the problem of when grandma's router is involved in DDoS (or that site? of a different one?), or maybe we have to think harder.
Some states are trying this now with porn sites and users are rightfully not having it.
What do you have to do to characterize packets sufficiently to shield against DDoS with negligible false-positive significant blocking? (Without needing to associate packets with an identifiable person, nor zero-knowledge proofs of a person, etc.)
It's OK to discard some prior requirements. (For example, it's OK to insert occasional brief latency (not barge-in Web browser JS) to some traffic, if that permits an approach that greatly reduces false-positive blocking. And it's OK to pass some traffic with a suspected single client, but then change your mind later. It's OK to forget about connection abstractions and clients, and look only at stateless packets and the entirety of traffic.)
I bet they could figure out a way to check for fleas that doesn't involve kicking puppies.
But I don't want to get into the flea-checking business myself.
I didn't say it was simple. I said I thought it was more achievable than "it can't be done."
I suspect one of the barriers to it being done is that it's not a top requirement like I assert it should be, for basic resources of society.
When led with that requirement, I have faith that some smart engineers and product management can figure it out.
With apologies to JFK, "We do these things, not because they are easy, but because--" they need doing. Even if they are hard.
The people most interested in doing away with the problem altogether are not Cloudflare, but its customers.
* If we want the internet to be a place of anonymity and free speech, then we shouldn’t be putting critical services on the public internet - or we need to stop using intermediaries like Cloudflare where a single court order could disrupt legal services
OR
* If we want critical services online and widely available, then verifiable identity is a must from the outset, such that these sorts of blocks can be highly targeted when enforced.
Piracy exists between those two forces: an anonymous internet would be rife with piracy, while an authenticated internet would see minimal amounts of it because it’s so easily eradicated. Coexistence of both worked because the internet was optional, which is no longer the case.
But nobody wants to talk about that, I find. Everyone wants the status quo to continue unabated forever, because it’s familiar. Familiarity does not mean permanent, though.
It's more than just familiarity. It's what works.
If someone had a significantly better alternative I think the world would jump on it. But many have tried to disrupt this equilibrium and failed.
It is little more than a multitude of computers talking to each other in a similar “language”. It is not a singular place or entity, and attempting to regulate the entirety of it as such is fundamentally impossible.
And the sooner people and governments understand that, the sooner we can resume difficult discussions on its use.
Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.
"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.
Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!
[0]: I made it up
I appreciate the honesty, at least
[0]: I made it up, again.
It is very much not "trivial" to buy 100Gbps+ of DDoS. I'm highly confident the majority of D/DoS attacks are from single servers, because it works. If you have a 10Gbit server and your target has 1Gbit (or you 1Gbit and them 100Mbit, it still happens), it's not a question of if you can take the target down, but how long you can sustain that traffic level before your upstream notices.
Painting every D/DoS as the most bandwidth ever is a play out of Cloudflare's marketing. If every website operator knew that 1, you don't need that much bigger of a pipe, and 2, you shouldn't buy pipes that charge you $20+/TB like AWS anyway, then Cloudflare would have a much harder time selling you a downgrade in quality, and we would have faster and cheaper networks to boot.
Then my in-laws got tricked into sending login credentials to a phishing page fronted by cloudflare. It was obviously spoofing IDP logins of Yahoo, Microsoft, etc. I sent a request assuming they would disable the domain and it was immediately closed (in minutes) as not an issue. It made no sense that they would want to front phishing sites. I eventually got them to look more closely and it was removed, but it soured my perception of them.
I think large scale internet businesses may need to start having more liability in matters like this. Being blocked from an entire country seems extreme, but if there are financial incentives to solve the problem, the problem will get solved.
I'm not saying you aren't experiencing this, but I am curious: what is your setup that Cloudflare and Google treat you with such suspicion / hostility?
If you don't clear your state or keep its original origin VPN only, you're breaking a big point of using VPNs.
I don't like the way that large football conglomerates abuse copyright, but then those same rules _should_ be open to me for anything I produce. The main difference is I don't have a team of lawyers.
Piracy is almost never about the price -- it's almost always about the availability. Especially when it comes to live sports.
They just stop watching.
https://x.com/eastdakota
https://xcancel.com/eastdakota
They split the rights up in much more imaginative ways, like local channels can broadcast sold out local games and then the nfl itself or an rsn or major network can broadcast the remote half. I would guess that a lot of local games are over the air but if you follow a team somewhere else you might need a fairly inexpensive subscription
Are there multiple? I thought DDoS-Guard [1] had a near-monopoly on CDN services for international piracy.
[1] https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8...
My company's website is behind Cloudflare and I discovered this whole situation because someone couldn't access it. Also my home assistant is not accessible from the internet the days with a match. And we use it to open the garage and the house. We learned the lesson the hard way being locked outside until I managed to connect with a VPN. This is just nuts and incredibly frustrating. And for La Liga we are just a bunch of "frikis" (nerds) complaining about it... because we are the only ones that understand what the problem is.
Unfortunately, someone would have to die and a lawsuit to follow, and maybe that could stop this crazy nonsense. E.g. A few days ago I read about someone with diabetes whose device was malfunctioning because of these blocks.
So there a lot of convinience and free stuff. It's quite obviously that when I had commercial customers where for whatever reason free tier wasn't anough I juse used them as well. Why not? There are horror stories about their corporate pricing, but for smaller company paying $20-200 for CDN is no brainer.
Also huge massive advantage of CloudFlare is that majority of their services are not metered so it's hard to wake up to $100,000 bill like it can happen with AWS and almost any other CDN provider.
I still believe this kind of centralized MiTM is bad for us all, but honestly I'd rather it be CloudFlare than Amazon, Microsoft or some other "evil corp".
Paella and sol heh, not CDN's
Of course, that similar organizations (paid by huge copyright companies) tried the same in my country. And luckily our government listens to local experts (NIC.cz and others) and not to mention, pirating has big tradition here. So they failed to pass this ridiculous law. (blocking IP addresses)
If you read between the lines, he’s claiming people will die because Cloudflare doesn’t want to take the time, effort, or money to fix the problem that they easily could by creating a separate system for critical services.
This type of “tech hypochondria” should be absolutely dragged at every opportunity. This guy runs a business and whines that his clients don’t deserve what his business agrees to provide? FOH with that ish mang I ain’t buying it.
No comments yet
Bundesliga, F1, NHL and FIFA world cup, that's all I (they) needed.
It turned to total mess. Service A shows F1 but not NHL. Service B shows NHL but not all NHL, only games where my city team plays. Some show LaLiga but not Bundesliga. All cost $30/mo but still show ads. Periodically they show ads instead of the event. If they can't, they split screen show the event in a little rectangle that's 25% of screen space. Dazn, TSN, ESPN are all total scam. You can see a lot of bull riding though.
We cancelled all this nonsense and just moved to pirate sites. Screw this bs.
Similarly there's quite a lot of push from the most powerful teams in some of these leagues to break off and form a European Super League; with Spain's two biggest teams being the biggest backers of the project.
ETA: not agreeing with how aggressive they are exactly, but do think long term they're probably in a lot of trouble if/when money starts to properly force a European Super League into existence.
(I'm generally pro-piracy and don't know the details here, but am also old enough for "the people like MONEY" to not be a particularly noteworthy quality. The things that jump out to me here are A) is Cloudflare's attempted implication that they just need a better injunction true? B) The sophomoric argument that "people will die due to this" is my "people like MONEY" smell)
I stopped pirating stuff when content platforms gave a compelling easy to use product, I’m back to pirating because it’s genuinely a better product compared to the endless hoops you have to jump through to use streaming services
Isn't it, quite literally, the opposite?
The appeal of Peak Netflix was that it had everything in one place with reasonably working discovery mechanisms. You could pay $10 or so per month and be satisfied. The current streaming era is "if you want to see all your favourite shows, it will cost $60 per month and you'll have to bounce around among 12 apps to find what you want."
If we had a mandatory-licensing regime, I'd expect multiple choices would work great. Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
The comic depicts "Netflix" -> "Netflix Amazon Apple Disney+ Hulu YouTube", and you later implicitly say there are multiple choices, but, you don't think it works well. "If we had a mandatory-licensing regime, I'd expect multiple choices would work great."
> Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
I'm not sure how either of those are differentiators for people selling content, rather than people coding apps.
Let's avoid that simple argument.
Let us instead assume mandatory licensing exists, which I presume means that as soon as content is released, it is a right to be able to license it, i.e. pay the content creator to have it on your service.
I have a hard time understanding how that would lead to all content being on all services - surely, this adds up to some finite sum, but is that finite sum enough to mean its trivial to license everything, so there's no differentiator anymore?
And that's before we bring in that, presumably, we have some shared understanding that it's more expensive to license, say, Bluey Game of Thrones Edition, than, idk, hmmm...Karate Kid.
Let's set all those little things aside.
A screen is a piece of glass with pixels behind. A video takes up the pixels.
Is there room to "build to better suit your specific devices"?
Can we avoid an example that ends up creating exclusive content in the process?
Let's set that aside: what are discovery tools?
Are they differentiable? Or does it boil down to "a way of presenting N choices I might like"?
You will notice that in most places, grocery store market has stabilized to an oligopoly, where almost every where multiple grocery stores exist, all of whom offer more or less the same range of products with some variations.
I would imagine if any streaming-app could license any content, the market would evolve to a similar equilibrium. Largely similar products, with some minor variations (some stores offering discount/luxury items at cheap/higher prices). Margins would be fairly low. But most customers will be fine with going to exactly one store/app over and over again.
The obvious example would be ecosystem support. For example, (last I checked) Crunchyroll didn't have an app for my WebOS TV.
I could also see more technical choices, like encoding options that make sense based on the type of device and network you're targeting. One of the reasons YouTube is better than a lot of the alternative video hosts was that they could support a huge array of different connection speeds and device types.
Improved UX might also come into play. There's the "Jitterbug Phone" business model of making a product simple to use for less-technical and low-mobility users, or the ten-thousand-knobs options on every encoding detail and playlist management for enthusiast videophiles.
> what are discovery tools? Are they differentiable? Or does it boil down to "a way of presenting N choices I might like"?
I believe they're very differentiable. Some possible examples:
- Tradeoffs between length and complexity of the onboarding/profile management process versus precision of recommendations - Sophistication of the metadata and algorithms used to make the connections between "I liked A" and "I might like B" - Super-fine-grained ratings and filtering technology for sensitive audiences (this might not even be censorship but things like "flashing light warnings" or "PTSD trigger warnings") - Account siloing/combination (You might watch Final Destination alone, your kids might watch Caillou alone, but can it provide suggestions you'd like together?) - Smarter series management (I occasionally pull up a sitcom episode, but I don't want to systematically work through those from S01E01 onwards, I want a semi-randomized assortment like broadcasters running reruns do)
With regards to licensing costs and available content, it could pan out one of two ways:
- If the licensing meter only dings on consumption, there's negligible cost to listing ALL THE THINGS, especially if there are archives that can be pulled from on demand (i. e. "You want episode 11 of Samurai Catboy Locomotive Engineer (1977)? Please wait 30 seconds while we torrent it and package it for use in our service") - If there has to be some advance "catalog building" phase, you'd still end up with "most mainstream services have most mainstream selections".
It's like books. If you're opening a mainstream bookstore, you're probably going to sell the latest Stephen King novel. Nobody says "I HAVE to go to Barnes and Noble to get that specific book." Conversely, you might not carry the full range of Knuth volumes unless you're an academic/technical speciality store.
I pay to stream La Liga and it's about as easy as hitting 'Watch Live'
But really the most important benefit of piracy is the one you're already taking advantage of. The cost would be significantly higher if they had a true content monopoly, instead they have to price with the idea that should the cost be too high, the inconvenience of piracy becomes increasingly worthwhile.
How would you go about accomplishing this?
My subscriptions: Hulu (with a bunch of premium channels), Prime Video (with MGM, Acorn and BritBox), Netflix, Max, Peacock, Apple TV, Criterion Collection, Fubo, ESPN+
In the off chance something is not available on one of the above (again, really hasn't happened), it is usually on PPV via either Prime Video or Play for 4.99.
To the point of piracy -- I don't like the poor UX argument, personally. But, if you're struggling to make ends meet and the above subscriptions are just unaffordable (which they are for many), I'm not going to think any less of anyone for perusing some torrents. The world is hard and entertainment can really help people through the bullshit. The very last thing people need when struggling is to be deprived of their escape.
It's a little harder to justify not paying for any reason other than inability to pay.
Maybe if we lived in a "HTTP 402" secure micro-transaction world, it would be a different story.
People being stolen from most likely aren't going to advocate for the class stealing from them. Capitalism has one rule to wit: an in-group that is not bound but protected by the law and an out-group that is bound by but not protected by the law.
As a working class person if you 'pirate' materials you could be facing fines or even jail time.
If the capital owning class wants your IP, they'll just take it.
No comments yet
https://xcancel.com/eastdakota/status/1924969551478804543