Cloudflare CEO: Football piracy blocks will claim lives (torrentfreak.com)
Paella and sol heh, not CDN's
Of course, that similar organizations (paid by huge copyright companies) tried the same in my country. And luckily our government listens to local experts (NIC.cz and others) and not to mention, pirating has big tradition here. So they failed to pass this ridiculous law. (blocking IP addresses)
1. La Liga (Spanish Football) finds pirates streaming their games objectionable
2. They notice that many of these streamers use Cloudflare for something, presumably CDN and load balancing.
3. They appear in court in Spain and get an ex-parte TRO blocking all Cloudflare IPs. (Ex parte TRO: restraining order granted without Cloudflare being summoned to court)
4. Based on this, they tell ISPs to block pretty much all of Cloudflare in Spain.
5. Cloudflare goes public in frustration, noting that they could just send take down requests for infringing content like every other rights holder in the world, and that many Spanish utilities and civil resources use Cloudflare.
Interesting. My gut is that it’s hard to beat La Liga on their home turf, as evidenced by not even being invited to the court hearings which shut you down across all of Spain.
Long term, I’d guess CF wins this one? Probably they will have to escalate in some way to Eurozone courts, although I have no idea how this might work. No cloud business could meet the standard put forward by La Liga; but also there are only so many CDN companies. Meantime I guess illegal streamers can move to Google and see which legal group wins that battle.
One of the claims was that this is somewhat a procedural fraud since the plaintiff (Telefonica Audiovisual) and the defendant (Telefonica Spain) are technically the same thing. The order was granted after the defendants admitted, and therefore there wasn't any hearing with CF.
And DDoS protection.
Sports broadcast piracy has a history of serious organized crime involvement, and then some, such as https://www.theregister.com/2002/03/13/murdoch_company_crack... where the allegation was NDS did the hacking and leaked the keys of the rival tech to various mob groups for exploitation.
1. IP holder representative sends notice to Cloudflare
2. Cloudflare sends automated notice to account manager
3. Cloudflare informs person from step 1 of who actually hosts the site
4. Person from #1 emails web host who is probably a shady company who in turn ignores email
5. Nothing happens
Live sports piracy has the unusual property that you have to be able to get the block in place within the ~90 minutes of a football match, even at weekends and across time zones. Otherwise there’s no point.
If the courts let Cloudflare slow roll this, at the legal system’s normal snail-like pace, the law would be effectively useless.
The huge majority of Europeans have nothing against the American people. Please, do not propagate these claims.
In my circles of high level Spanish/European motorcycle racing, we continue to have a very positive reception as Americans in the paddock. The (Spanish) TV announcers have been positive towards our riders, the teams and crew are positive and helpful. We have more people wanting to talk about Route 66 than trade policy. Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S. The only exceptions are hysterical US expats on Facebook groups acting like the sky is falling. But they do that reliably every time a Republican gets elected.
Anecdotes aren’t data of course, but vocal people online don’t represent broader thought.
I know that people here would love to live in an alternate reality where everybody in the EU is fuming at the US having a right-wing government but that's not here at least yet. The US has done so many terrible things throughout history; they will survive this too.
There's no rationale behind that.
I don't know how this doesn't count as a net neutrality violation.
It feels like incapable "experts" are placed in a position of authority for something like this to happen.
It's not even about the power. It's about how freaking dumb of a "solution" that is.
It's not "you're too powerful" (la liga and the judges enforcing this) but really "you're too fucking dumb".
Yes, sometimes CloudFlare is used for some actually bad stuff, but the same can be said for any cloud service. Having a major internet infrastructure provider react to every whim of every single government in the world is not a good idea.
Cloudflare does not fight censorship. It actively helps create it. They have a strong team that delivers great products, but at the end of the day, it’s a for-profit company with as much for-profit morals that exist.
Look up Tor project problems and CrimeFlare. Cheers.
https://gitlab.torproject.org/tpo/applications/tor-browser/-...
Then my in-laws got tricked into sending login credentials to a phishing page fronted by cloudflare. It was obviously spoofing IDP logins of Yahoo, Microsoft, etc. I sent a request assuming they would disable the domain and it was immediately closed (in minutes) as not an issue. It made no sense that they would want to front phishing sites. I eventually got them to look more closely and it was removed, but it soured my perception of them.
I think large scale internet businesses may need to start having more liability in matters like this. Being blocked from an entire country seems extreme, but if there are financial incentives to solve the problem, the problem will get solved.
I'm sure while someone's in the process of keeling over is the perfect time to arbitrarily scrutinize their connecting details. You need to contact your doctor ASAP. Okay, but did your neighbor have a virus last week? Is your neighborhood in your city more "problematic" than average? You may have forgotten to check these details before you fell ill.
Cloudflare sites should come with a big banner warning all users their connection will be arbitrarily approved by an algorithm with chilling effects built in as dark patterns.
Last I checked, Cloudflare does basically no educating of customers how badly their website will be broken for users arbitrarily when they don't use the ISP or browser Cloudflare likes. No explanation for how many customers you will lose when your website can't be visited by someone who doesn't know how to change their IP, no explanation that if you're offering a critical service then Cloudflare will give that service thousands of tiny downtimes left unknown, the screams too quiet to carry the weight of a tech CEO worried about something similar.
I'm not saying you aren't experiencing this, but I am curious: what is your setup that Cloudflare and Google treat you with such suspicion / hostility?
If you don't clear your state or keep its original origin VPN only, you're breaking a big point of using VPNs.
I don't like the way that large football conglomerates abuse copyright, but then those same rules _should_ be open to me for anything I produce. The main difference is I don't have a team of lawyers.
If you read between the lines, he’s claiming people will die because Cloudflare doesn’t want to take the time, effort, or money to fix the problem that they easily could by creating a separate system for critical services.
This type of “tech hypochondria” should be absolutely dragged at every opportunity. This guy runs a business and whines that his clients don’t deserve what his business agrees to provide? FOH with that ish mang I ain’t buying it.
If you define censorship as packet loss, then anything that drops packets is inherently evil, and your business (which ultimately boils down to sending packets along) is inherently good. Ergo anything you do is good and anything that questions or checks your power is evil.
This understanding of free speech didn't evolve in a vacuum, though. It was a response to the "copyright hypochondria" of the publishing industry outfits that have been insisting that "censorship is when free movies". One of the most irritating tenets of copyright maximalism is the idea that copyright somehow backstops free speech, because having an economic incentive to publish is supposed to make politicians think twice[0] about stupid censorship bullshit?
So we have two industries here that have both psyopped themselves into thinking their profit margins are a moral good, unwilling to compromise in any way that would allow legal websites to remain online. Or at least I'm assuming both sides are unwilling to compromise, because La Liga isn't saying anything, and Cloudflare is going to the public rather than the actual courts imposing this blocking order.
[0] The logic doesn't logic here, this is the same kind of thinking that gave us "capitalism has won" in the 1990s and "military alliances will make war impossible" a century prior. Politicians are ultimately polite brokers of violence, and economics is a tool they impose upon us to make us do things in lieu of guns to head. Not the other way around. Politicians will happily censor economically valuable art all day long.
I'm tempted to say "the master's tools can't destroy the master's house", but that saying is complete bullshit for different reasons.
Bundesliga, F1, NHL and FIFA world cup, that's all I (they) needed.
It turned into a total mess. Service A shows F1 but not NHL. Service B shows NHL but not all NHL, only games where my city team plays. Some show LaLiga but not Bundesliga. All cost $30/mo but still show ads. Periodically they show ads instead of the event. If they can't, they split screen and show the event in a little rectangle that's 25% of screen space. Dazn, TSN, ESPN are all a total scam. You can see a lot of bull riding though.
We cancelled all this nonsense and just moved to pirate sites. Screw this bs.
Piracy is almost never about the price -- it's almost always about the availability. Especially when it comes to live sports.
They just stop watching.
My company's website is behind Cloudflare and I discovered this whole situation because someone couldn't access it. Also my home assistant is not accessible from the internet the days with a match. And we use it to open the garage and the house. We learned the lesson the hard way being locked outside until I managed to connect with a VPN. This is just nuts and incredibly frustrating. And for La Liga we are just a bunch of "frikis" (nerds) complaining about it... because we are the only ones that understand what the problem is.
Unfortunately, someone would have to die and a lawsuit to follow, and maybe that could stop this crazy nonsense. E.g. A few days ago I read about someone with diabetes whose device was malfunctioning because of these blocks.
They split the rights up in much more imaginative ways, like local channels can broadcast sold out local games and then the nfl itself or an rsn or major network can broadcast the remote half. I would guess that a lot of local games are over the air but if you follow a team somewhere else you might need a fairly inexpensive subscription
Are there multiple? I thought DDoS-Guard [1] had a near-monopoly on CDN services for international piracy.
[1] https://krebsonsecurity.com/2021/01/hamas-may-be-threat-to-8...
So there is a lot of convenience and free stuff. It's quite obvious that when I had commercial customers where for whatever reason the free tier wasn't enough I just used them as well. Why not? There are horror stories about their corporate pricing, but for a smaller company paying $20-200 for a CDN is a no-brainer.
Also, a huge advantage of CloudFlare is that the majority of their services are not metered, so it's hard to wake up to a $100,000 bill like can happen with AWS and almost any other CDN provider.
I still believe this kind of centralized MiTM is bad for us all, but honestly I'd rather it be CloudFlare than Amazon, Microsoft or some other "evil corp".
Similarly there's quite a lot of push from the most powerful teams in some of these leagues to break off and form a European Super League; with Spain's two biggest teams being the biggest backers of the project.
ETA: not agreeing with how aggressive they are exactly, but do think long term they're probably in a lot of trouble if/when money starts to properly force a European Super League into existence.
(I'm generally pro-piracy and don't know the details here, but am also old enough for "the people like MONEY" to not be a particularly noteworthy quality. The things that jump out to me here are A) is Cloudflare's attempted implication that they just need a better injunction true? B) The sophomoric argument that "people will die due to this" is my "people like MONEY" smell)
I stopped pirating stuff when content platforms gave a compelling easy to use product, I’m back to pirating because it’s genuinely a better product compared to the endless hoops you have to jump through to use streaming services
People being stolen from most likely aren't going to advocate for the class stealing from them. Capitalism has one rule to wit: an in-group that is not bound but protected by the law and an out-group that is bound by but not protected by the law.
As a working class person if you 'pirate' materials you could be facing fines or even jail time.
If the capital owning class wants your IP, they'll just take it.
You might want to reach out to the moderation team.
Also, CDNs have inherent economies of scale and network effects, so it is natural that there would be just a few at the top.
Now, the question really turns out to be "Is a law stating that large swaths of the Internet must be censored to stop a handful of piracy sites just?"
No. It isn't.
Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.
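The trade-off raised in the comment above, worked through as an added example (not part of the thread): it measures how many unrelated sites an address-level block takes down when customers share CDN addresses, compared with a hypothetical one-address-per-customer IPv6 layout. All hostnames and addresses are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress

# Constructed sample data: RFC 5737 / RFC 3849 documentation addresses and
# made-up hostnames. Only "stream-pirate.example" is the intended target.
TARGETS = {"stream-pirate.example"}

SHARED_V4 = {  # many customers behind the same few CDN addresses
    "stream-pirate.example": ["192.0.2.10"],
    "payments.example":      ["192.0.2.10"],
    "clinic.example":        ["192.0.2.10", "192.0.2.11"],
    "code-forge.example":    ["192.0.2.11"],
    "blog.example":          ["198.51.100.7"],
}

PER_CUSTOMER_V6 = {  # assumption: the CDN gives every customer its own address
    "stream-pirate.example": ["2001:db8:0:1::1"],
    "payments.example":      ["2001:db8:0:2::1"],
    "clinic.example":        ["2001:db8:0:3::1"],
    "code-forge.example":    ["2001:db8:0:4::1"],
    "blog.example":          ["2001:db8:0:5::1"],
}


def _is_blocked(addr, nets):
    """True if a single address falls inside any blocked prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def narrowest_block(resolutions, targets):
    """Smallest address-level block that still covers every target address."""
    return sorted(
        str(ipaddress.ip_network(addr))          # bare address -> /32 or /128
        for host in targets
        for addr in resolutions.get(host, [])
    )


def collateral_report(resolutions, targets, blocked_prefixes):
    """Classify every hostname by what the block does to it."""
    nets = [ipaddress.ip_network(p) for p in blocked_prefixes]
    report = {"targets_blocked": [], "collateral": [], "degraded": []}
    for host, addrs in sorted(resolutions.items()):
        hits = [_is_blocked(a, nets) for a in addrs]
        if hits and all(hits):
            # Every address is unreachable: the site is down for blocked users.
            key = "targets_blocked" if host in targets else "collateral"
            report[key].append(host)
        elif any(hits) and host not in targets:
            # Some addresses still answer: intermittent failures, not an outage.
            report["degraded"].append(host)
    return report


if __name__ == "__main__":
    scenarios = {
        "shared IPv4, single address": (SHARED_V4, narrowest_block(SHARED_V4, TARGETS)),
        "shared IPv4, whole range":    (SHARED_V4, ["192.0.2.0/24"]),
        "per-customer IPv6":           (PER_CUSTOMER_V6, narrowest_block(PER_CUSTOMER_V6, TARGETS)),
    }
    for name, (table, prefixes) in scenarios.items():
        print(name, prefixes, collateral_report(table, TARGETS, prefixes))
```

Even the narrowest possible block on a shared address has collateral, while the per-customer layout makes the address itself identify the site, which is the privacy cost the comment points out.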
Bot protection, waiting rooms, cheap static assets, WAF.
Odds are if you are running a popular platform, you need all of these things.
Stop. Trusting. Companies. To. Do. The. Right. Thing.
Cloudflare could’ve prevented this if they’d taken a stand on anything but profit motives, but they’ve repeatedly chosen not to. Piracy sites pay the bills just like Porn or Government sites, after all, and companies won’t turn down money unless forced to through regulation.
AFAIK BunnyCDN is the only service that comes close but their cloud offerings are kinda new and they charge egress.
Google, X, Facebook, Cloudflare.
All minor players are absorbed or eliminated.
My impression is that everyone knows that Cloudflare is blocking some legitimate people, but nobody -- neither the customer, nor Cloudflare -- cares enough to solve that problem.
It's similar to why Google doesn't have much tech support. Or why people can be locked out of their Google or Apple accounts without recourse. Caring about the people who fall through the cracks that you created isn't profitable.
When the Internet is part of the basic material of society, we need to rediscover ideals like "it is better that ten guilty persons escape than that one innocent suffer".
And we need to start removing from power the entities who are too lazy or greedy to uphold our ideals.
(Before someone jumps on literal numbers: That doesn't mean let through 10 botnet floods, rather than prevent grandma from finding a doctor. That could just mean, for example, don't block grandma because one of her browser headers looks suspiciously like an incompetent script kiddie, even though you can see that her traffic isn't yet part of a DDoS flood. Once you change the parameters to be more consistent with a fair and just society, maybe that means that, say, a Web site's servers do see a brief blip, as a new DDoS attack spins up, so it's not a perfectly smooth ride, but every legitimate person remains served. First, don't run over grandma; apply your engineering creativity with that hard requirement in mind.)
It sucks, but no sane business would be so invested in equality of experience that they’d allow it to be completely broken for everyone.
The choice isn't necessarily between 99% and 0% of legitimate users/visitors getting through.
What if you, and every other customer of Cloudflare or its competitors, applied pressure to make that 100% of legitimate users/visitors getting through?
What if legislators also mandated that 100% for many sites?
For people who put stuff online to help people as well as to extract pure profit, knowing the anguish of your users really helps look out for them.
* If we want the internet to be a place of anonymity and free speech, then we shouldn’t be putting critical services on the public internet - or we need to stop using intermediaries like Cloudflare where a single court order could disrupt legal services
OR
* If we want critical services online and widely available, then verifiable identity is a must from the outset, such that these sorts of blocks can be highly targeted when enforced.
Piracy exists between those two forces: an anonymous internet would be rife with piracy, while an authenticated internet would see minimal amounts of it because it’s so easily eradicated. Coexistence of both worked because the internet was optional, which is no longer the case.
But nobody wants to talk about that, I find. Everyone wants the status quo to continue unabated forever, because it’s familiar. Familiarity does not mean permanent, though.
Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.
"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and it is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.
Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!
[0]: I made it up
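One way to build the session-based rate control mentioned in the comment above, as an added example that is not the commenter's code: a token bucket per session, with a stricter bucket per client address for requests that carry no session yet, so that discarding the cookie does not reset the limit. Class names, rates and the sample request log are assumptions made for illustration.

```python
import time


class TokenBuckets:
    """Token buckets keyed by an arbitrary string, refilled lazily on access."""

    def __init__(self, rate, burst, max_keys=100_000):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity (largest allowed burst)
        self.max_keys = max_keys     # memory bound on tracked keys
        self._state = {}             # key -> (tokens, time of last request)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self._state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._state[key] = (tokens, now)
        if len(self._state) > self.max_keys:
            self._evict_idle(now)
        return allowed

    def _evict_idle(self, now):
        # A bucket that has refilled completely carries no information: drop it.
        idle = [k for k, (t, last) in self._state.items()
                if t + (now - last) * self.rate >= self.burst]
        for k in idle:
            del self._state[k]


class RequestLimiter:
    """Per-session limits, falling back to per-address limits without a session."""

    def __init__(self, session_rate=2, session_burst=3, anon_rate=1, anon_burst=2):
        self.sessions = TokenBuckets(session_rate, session_burst)
        self.anonymous = TokenBuckets(anon_rate, anon_burst)

    def allow(self, session_id, client_ip, now=None):
        if session_id is not None:
            return self.sessions.allow(session_id, now)
        # No session cookie: limit by address so new "visitors" are not free.
        return self.anonymous.allow(client_ip, now)


# Constructed request log: (seconds, session id or None, client address).
SAMPLE_EVENTS = sorted(
    [(float(t), "sess-normal", "198.51.100.20") for t in range(4)]          # 1 req/s
    + [(i * 0.25, "sess-heavy", "198.51.100.21") for i in range(12)]        # 4 req/s
    + [(i * 0.25, None, "203.0.113.5") for i in range(5)],                  # no cookie
    key=lambda e: e[0],
)


def replay(events, limiter=None):
    """Run a request log through the limiter and count decisions per client."""
    limiter = limiter or RequestLimiter()
    counts = {}
    for t, session_id, ip in events:
        key = session_id if session_id is not None else ip
        verdict = "allowed" if limiter.allow(session_id, ip, now=t) else "denied"
        counts.setdefault(key, {"allowed": 0, "denied": 0})[verdict] += 1
    return counts


if __name__ == "__main__":
    for client, result in replay(SAMPLE_EVENTS).items():
        print(client, result)
```

In a real deployment the session identifier must be the server-issued, verified one; a client-supplied value would let a flood mint a fresh bucket per request.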
Then lobby the government to change the laws or other requirements so that any IP holder can have a more effective process.
The solution is not to hack some workaround.
Now, there is also a conflict of interest, because Telefonica (the main telecom provider here, think Deutsche Telekom in Germany or any formerly-public ISP) is also a rights holder to some football, meaning their interest is to block everything instead of their internet users, who suddenly can't work on Github, visit Twitter or many other large sites; or even can't buy in many places online because Redsys (the largest payment processor here) also uses Cloudflare to protect their infra, and Cloudflare IPs were being blocked indiscriminately. All of this while being able to force other ISPs to block those IP ranges too, and without any possible recourse by either Cloudflare or the sites themselves, which according to Tebas "are only used by 4 nerds who like to complain".
They may never recover from decades of top secret intelligence being compromised.
Right, because extrapolation is famously applicable to human history.
But for fun, go pay for a legit ticket to watch a movie like "The Godfather" or "The Irishman." Count the dead bodies.
Yeah, you're in a bubble and you're likely misreading their politeness. I don't know any Spaniards who would want to get into pointless political arguments with Americans who they guessed to be right of center in the off chance they were supporters of the current US government. Unless of course they were Vox affiliated, but even then I'm not sure they would bother engaging. They'd probably prefer to stick to talking about common interest stuff (like motor racing). "Anti-American sentiment" in the European context usually means being Anti-American government, not being dicks to individual Americans. The few cases where it actually crosses into Anti-Americanism the way you describe it seems to happen when the US militarily attacks a country they consider to be "brothers" or very close to. One example would be Greeks during the NATO bombing of now Serbia. Definitely one of the worst times to visit the Acropolis for an American.
I think your error is that you are gauging "Anti-American sentiment" by measuring how much you witness them bitching about Americans or Israelis. Whereas you should measure it by their actions. Tesla sales dropped significantly in Spain as they did in the rest of Europe. BYD sales are up 644%. See what they think about taking family vacations to the US.
Spanish people often end up buying local alternatives when available anyway but don't mind buying whatever when there are no alternatives (iphones, sneakers etc)
You ask the Spaniards if you want to send ammunitions to a country convicted of war crimes, the majority will most likely say no. And if your government is actually acting in accordance with that position and pushing the rest of Europe on that front, there's even less reason to bitch about Israelis to random foreigners.
> Most Spaniards I know tend to roll their eyes at their own government more than anything happening in the U.S.
This we can agree on. As it should be. Why bother with things out of your control?
It's more than just familiarity. It's what works.
If someone had a significantly better alternative I think the world would jump on it. But many have tried to disrupt this equilibrium and failed.
It is little more than a multitude of computers talking to each other in a similar “language”. It is not a singular place or entity, and attempting to regulate the entirety of it as such is fundamentally impossible.
And the sooner people and governments understand that, the sooner we can resume difficult discussions on its use.
The shops themselves were not in the software business. One of them was specialised in turntable needles, and it was pretty popular. You had to go to the counter and specifically ask for "the menu" in order to access the "other side" of the business. It was an open secret though, as there was a lot of traffic in the shop for "the menu". You'd choose what you wanted, paid for your copy and leave with a bunch of floppy disks with it. They charged extra for the actual disks but you could also bring your own and only pay for the service.
If you mean electronic music bootlegs, then I don't see why the media or the format is that relevant. It's still just regular bootleg, and it's been popular since whenever copying and selling music was made possible.
Based on your first question, I think you might already know this, but just in case you don't: This is a myth.
> The idea that choosing a 1% strategic internal investment over a 4.5% T-bill constitutes actionable "financial malpractice" or a breach of fiduciary duty leading to successful lawsuits is incorrect. Courts recognize that running a business requires strategic choices and risk-taking, not just maximizing immediate, risk-free yield. A lawsuit would fail unless plaintiffs could show the decision was tainted by disloyalty, bad faith, or gross negligence in the decision-making process, none of which are implied by simply choosing a lower-yield strategic project.
> Hence why no one ever gets sued for this. It doesn't happen. It lives in the minds of HNers and Redditors to provide a very convenient excuse for their employers, or in general companies, making abhorrent decisions purely based on feels and short-term next-quarter profits/stock price, regardless of the negative externalities they inflict on society.
The only notions of empathy or trust you see from publicly traded companies nowadays is the over-engineered calamity of ESG. If you have a single example of a moderately-adopted trend which demonstrates a genuine desire to do right by their society, or to build long-term trust at the expense of short-term profits, I'll readily adopt it into my world model.
You can define the term that way, but then it doesn't apply to anything that actually exists. Firms do have enforceable legal obligations to their shareholders, but that isn't one of them.
(OTOH, for a widely-held publicly-traded firm, the set of incentives facing management will encourage much the same behavior that that mythical obligation would require, but the mechanism is entirely different.)
And some percentage of the rest will act like jerks once it's to their advantage.
But society still holds corporations to account on some societal values.
Mostly through legislation. But sometimes through consumers (and B2B) voting with their pocketbooks.
https://blog.cloudflare.com/why-we-terminated-daily-stormer/
TL;DR: "The tipping point for us making this decision [to discontinue service] was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology."
I was saying that:
* For-profit companies like Cloudflare have a vested interest in preserving as many paying customers as possible
* Their own process for getting content taken down makes it deliberately difficult to remove content, as that would harm their business model
* We have willfully chosen to sink large swaths of the internet behind companies like Cloudflare
* As a result, the only tools left to governments and the judiciary are often draconian in nature, harming innocent parties in pursuit of criminals
* We are naive to believe that any for-profit entity will act in the best interests of society, especially when those interests conflict with their profit-motives.
I appreciate the honesty, at least
[0]: I made it up, again.
Is there anything even remotely comparable to twitter (outside of the PRC)?
It's a geometric progression (power law) and it almost always devolves into that.
Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.
It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised. Lots of scenarios where an innocent user must be blocked, unless the entire internet is reinvented. Which is beyond the scope of my project.
To me, this sounds like giving up way too easily on engineering problems.
One distinction to start with: Let's say grandma's router isn't part of a DDoS attack. Even if she might be trying to talk with a site that someone is trying to attack.
After solving that one, maybe the solution also somehow solves the problem of when grandma's router is involved in DDoS (of that site? or a different one?), or maybe we have to think harder.
Some states are trying this now with porn sites and users are rightfully not having it.
It works better than your typical propaganda as players become heroes, managers and clubs make great money. Distributors get their cut. The machine is well oiled with solid monetary incentives.
Football (and other sports watching): cheap but deep rooted emotions, press here to get your dose.
I'd categorically say that focusing that sort of person on sports is by far the lesser of the two evils.
Democracy only chooses as wisely as the average intelligence of its voters.
Cloudflare’s consistent response to accusations it defends illicit or harmful content has been some variation of “they’re paying customers and it’s not our place to judge their content”. Which, sure, noble hill to die on and all that jazz, but also something of a cowardly defense for speech whose sole purpose is creating harm.
Using a CDN for DDoS typically has multiple levels of protection:
- caching reduces load on your server
- In the event of a (D)DoS attack, the cdn can absorb the attack traffic with their much higher capacity than your server(s)
- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers
- Since the CDN fronts many sites, it can have more information about which IP addresses and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.
- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.
In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.
The root issue here is that La Liga is able to get a court to shut down a web host. It shouldn't be anyone's problem but La Liga's that people pirate their stream, but a court let them make it everyone's problem. And there are any number of dumb things the court could have let them do, and turning CF into a utility company that can get shut down by the court doesn't solve the issue.
Finally, the main/original reason CF is useful is because the internet was created naively with no protections against bad actors. Weakening CF just empowers bad actors like LaLiga that much more at the expense of the rest of us. Being able to cloak my origin behind CF so that LaLiga or any other overpowered government or private entity doesn't know who I am is a feature. LaLiga having no option but to throw a tantrum that takes down half the internet is also a feature, and not one we should quickly hand away just because, idk, we can imagine some utopian vision where CF is unnecessary.
You're missing the part where it's a single company, not just "the entire anti-DDoS infrastructure", that's being talked about here.
It would be perfectly possible (no idea how practical offhand) to have an entire ecosystem of competing CDNs all doing the same thing that Cloudflare does, rather than just Cloudflare making those decisions all by itself.
What do you have to do to characterize packets sufficiently to shield against DDoS with negligible false-positive significant blocking? (Without needing to associate packets with an identifiable person, nor zero-knowledge proofs of a person, etc.)
It's OK to discard some prior requirements. (For example, it's OK to insert occasional brief latency (not barge-in Web browser JS) to some traffic, if that permits an approach that greatly reduces false-positive blocking. And it's OK to pass some traffic with a suspected single client, but then change your mind later. It's OK to forget about connection abstractions and clients, and look only at stateless packets and the entirety of traffic.)
Isn't it, quite literally, the opposite?
The appeal of Peak Netflix was that it had everything in one place with reasonably working discovery mechanisms. You could pay $10 or so per month and be satisfied. The current streaming era is "if you want to see all your favourite shows, it will cost $60 per month and you'll have to bounce around among 12 apps to find what you want."
If we had a mandatory-licensing regime, I'd expect multiple choices would work great. Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
I pay to stream La Liga and it's about as easy as hitting 'Watch Live'
But really the most important benefit of piracy is the one you're already taking advantage of. The cost would be significantly higher if they had a true content monopoly, instead they have to price with the idea that should the cost be too high, the inconvenience of piracy becomes increasingly worthwhile.
How would you go about accomplishing this?
Maybe if we lived in a "HTTP 402" secure micro-transaction world, it would be a different story.
It is very much not "trivial" to buy 100Gbps+ of DDoS. I'm highly confident the majority of D/DoS attacks are from single servers, because it works. If you have a 10Gbit server and your target has 1Gbit (or you 1Gbit and them 100Mbit, it still happens), it's not a question of if you can take the target down, but how long you can sustain that traffic level before your upstream notices.
Painting every D/DoS as the most bandwidth ever is a play out of Cloudflare's marketing. If every website operator knew that 1, you don't need that much bigger of a pipe, and 2, you shouldn't buy pipes that charge you $20+/TB like AWS anyway, then Cloudflare would have a much harder time selling you a downgrade in quality, and we would have faster and cheaper networks to boot.
Taking down a single endpoint that can issue commands no longer stops the attack and the attack is now going through multiple layers of DNS obscuration.
Architecture of a modern DDoS service looks much like any modern geographically distributed production application and network.
Attacks are getting quite sophisticated, and are extremely, extremely cheap.
Then the streams are on sites with names like fins38gy2m.ws a new URL for every game.
The hosts of the streams can set up a URL days in advance, and post it to the aggregators at the start of the game.
Anecdotally: oh yes. I don’t know anybody who pays, although that may say more about the populations I work with and hang out with.
I hear there’s plenty of headroom for the direct economics to work, if you’re reselling for less than the ~EUR100/month range the commercial providers charge [1]. Gross median income in Spain is on the order of EUR27000 annually, for reference [2]—so I’m not sure how many of the pirate viewers would be able to afford the legit product if the pirate channels dried up.
I also hear [0] there’s a robust side trade in exploiting pirate viewers’ machines through malware-style techniques while they’re there and feeling enticed to click yes to things…
[0] https://www.webroot.com/blog/2021/05/12/we-explored-the-dang...
[1] https://www.reddit.com/r/LaLiga/comments/1fksf3i/how_much_do...
[2] https://www.ine.es/dyngs/INEbase/en/operacion.htm?c=Estadist...
Note that the ads were for things like VPN providers and pirate IPTV feed services, which people are willing to pay for.
Sorry, you mean WhatsApp detects and prevents the sharing of piracy links? I wasn’t aware of this, good to know. Is there a source of the various checks they have like this?
[0] https://en.m.wikipedia.org/wiki/Domain_generation_algorithm
I didn't say it was simple. I said I thought it was more achievable than "it can't be done."
I suspect one of the barriers to it being done is that it's not a top requirement like I assert it should be, for basic resources of society.
When led with that requirement, I have faith that some smart engineers and product management can figure it out.
With apologies to JFK, "We do these things, not because they are easy, but because--" they need doing. Even if they are hard.
The people most interested in doing away with the problem altogether are not Cloudflare, but its customers.
My subscriptions: Hulu (with a bunch of premium channels), Prime Video (with MGM, Acorn and BritBox), Netflix, Max, Peacock, Apple TV, Criterion Collection, Fubo, ESPN+
On the off chance something is not available on one of the above (again, really hasn't happened), it is usually on PPV via either Prime Video or Play for 4.99.
To the point of piracy -- I don't like the poor UX argument, personally. But, if you're struggling to make ends meet and the above subscriptions are just unaffordable (which they are for many), I'm not going to think any less of anyone for perusing some torrents. The world is hard and entertainment can really help people through the bullshit. The very last thing people need when struggling is to be deprived of their escape.
It's a little harder to justify not paying for any reason other than inability to pay.
If the ecosystem were truly more competitive, it would be much more likely that, for instance, if you went to block the CDN serving one particular football piracy group, it would not block half your government websites at the same time.
I bet they could figure out a way to check for fleas that doesn't involve kicking puppies.
But I don't want to get into the flea-checking business myself.
The comic depicts "Netflix" -> "Netflix Amazon Apple Disney+ Hulu YouTube", and you later implicitly say there are multiple choices, but, you don't think it works well. "If we had a mandatory-licensing regime, I'd expect multiple choices would work great."
> Services couldn't survive on "Only we have The Office/Game of Thrones/Bluey" alone and would have to differentiate based on other factors like "best discovery tools" or "built to better suit your specific devices"
I'm not sure how either of those are differentiators for people selling content, rather than people coding apps.
Let's avoid that simple argument.
Let us instead assume mandatory licensing exists, which I presume means that as soon as content is released, it is a right to be able to license it, i.e. pay the content creator to have it on your service.
I have a hard time understanding how that would lead to all content being on all services - surely, this adds up to some finite sum, but is that finite sum enough to mean it's trivial to license everything, so there's no differentiator anymore?
And that's before we bring in that, presumably, we have some shared understanding that it's more expensive to license, say, Bluey Game of Thrones Edition, than, idk, hmmm...Karate Kid.
Let's set all those little things aside.
A screen is a piece of glass with pixels behind. A video takes up the pixels.
Is there room to "build to better suit your specific devices"?
Can we avoid an example that ends up creating exclusive content in the process?
Let's set that aside: what are discovery tools?
Are they differentiable? Or does it boil down to "a way of presenting N choices I might like"?
You will notice that in most places, the grocery store market has stabilized to an oligopoly, where almost everywhere multiple grocery stores exist, all of whom offer more or less the same range of products with some variations.
I would imagine if any streaming-app could license any content, the market would evolve to a similar equilibrium. Largely similar products, with some minor variations (some stores offering discount/luxury items at cheap/higher prices). Margins would be fairly low. But most customers will be fine with going to exactly one store/app over and over again.
The obvious example would be ecosystem support. For example, (last I checked) Crunchyroll didn't have an app for my WebOS TV.
I could also see more technical choices, like encoding options that make sense based on the type of device and network you're targeting. One of the reasons YouTube is better than a lot of the alternative video hosts was that they could support a huge array of different connection speeds and device types.
Improved UX might also come into play. There's the "Jitterbug Phone" business model of making a product simple to use for less-technical and low-mobility users, or the ten-thousand-knobs options on every encoding detail and playlist management for enthusiast videophiles.
> what are discovery tools? Are they differentiable? Or does it boil down to "a way of presenting N choices I might like"?
I believe they're very differentiable. Some possible examples:
- Tradeoffs between length and complexity of the onboarding/profile management process versus precision of recommendations
- Sophistication of the metadata and algorithms used to make the connections between "I liked A" and "I might like B"
- Super-fine-grained ratings and filtering technology for sensitive audiences (this might not even be censorship but things like "flashing light warnings" or "PTSD trigger warnings")
- Account siloing/combination (You might watch Final Destination alone, your kids might watch Caillou alone, but can it provide suggestions you'd like together?)
- Smarter series management (I occasionally pull up a sitcom episode, but I don't want to systematically work through those from S01E01 onwards, I want a semi-randomized assortment like broadcasters running reruns do)
With regards to licensing costs and available content, it could pan out one of two ways:
- If the licensing meter only dings on consumption, there's negligible cost to listing ALL THE THINGS, especially if there are archives that can be pulled from on demand (i.e. "You want episode 11 of Samurai Catboy Locomotive Engineer (1977)? Please wait 30 seconds while we torrent it and package it for use in our service")
- If there has to be some advance "catalog building" phase, you'd still end up with "most mainstream services have most mainstream selections".
It's like books. If you're opening a mainstream bookstore, you're probably going to sell the latest Stephen King novel. Nobody says "I HAVE to go to Barnes and Noble to get that specific book." Conversely, you might not carry the full range of Knuth volumes unless you're an academic/technical speciality store.