You can't just blanket block all VPN access, that's not how the internet works... they could pick some common/well-known providers of VPN services and block their IPs/ASN/etc., but you can't just flip a switch and make all forms of VPN/proxy stop working, as there's no way to tell with certainty that someone is using one.
There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.
There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)
It will never cover every VPN or proxy in existence, but it gets pretty close.
> Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.
Assuming your VPN identification service operates commercially, I trust that you are in full compliance with all contractual agreements and Terms of Service for the services you utilize. Many of these agreements specifically prohibit commercial use, which could encompass the harvesting of exit node IP addresses and the subsequent sale of such information.
Those are pretty old cases that I think the courts have moved away from and even in those cases it was a TOS violation and explicit c&d that the company ignored.
Maybe the tables could be turned and we can build a service with dozens of subscriptions to every VPN detection service and report them for ToS violations ;)
... "the owner authorizes patrons, customers, or guests to access the computer network and the person accessing the computer network is an authorized patron, customer, or guest and complies with all terms or conditions for use of the computer network that are imposed by the owner;"
There's a little secret that most of the business world knows but individuals do not know: You don't have to follow Terms of Service. In most cases, the maximum penalty the company can impose for a ToS violation is a termination of your account. And it's not illegal to make a new account. They can legally ban you from making a new account, and you can legally evade the ban.
Unless you're the one-in-a-million unlucky user who gets prosecuted under the CFAA's very generic "unauthorized access to a protected computer" clause, like Aaron Swartz. It seems the general consensus is this doesn't apply to breaking a website ToS, and Aaron was only in so much trouble because he broke into a network closet, as well as for copyright violation. But consult a lawyer if unsure. (That's another difference: A business will ask a lawyer if it wants to do something shady, while an individual will simply avoid doing it)
Tangent: if you hold access to all VPN providers, have you thought about also releasing benchmarks for them? I would be interested in knowing which ones offer the best bandwidth / peering (ping).
just out of curiosity: if i'm located in spain and i setup an ec2 or digital ocean instance in germany and use it as a socks proxy over ssh, do you will detect me?
Much of the internet still does not support IPv6, so most providers will give you an IPv4 address. In fact only a few providers even support IPv6 at all.
Even with IPv6 it's not a huge problem. With a few samples we can know that a provider is operating in a given /64 or /48 or even /32 space, and can assign a confidence level that the range is used for VPNs.
Many websites including Soundcloud are still only accessible through IPv4, so this is moot, even if VPNs support IPv6 it's enough to block their V4 exit nodes for Soundcloud.
This will also cause problems with anyone that happens to (even accidentally/unknowingly) use apps that integrate services from companies such as BrightData/Luminati/HolaVPN/etc. where they sell idle time on your device/connection to their VPN/proxy customers.
The legitimate end-user will then no longer be able to use e.g. SoundCloud.
I’m with you on this one. Some of my projects are flooded with sus traffic from Brazil. I don’t believe there are a million eager Brazilian hackers targeting me in particular. It’s pretty clear from analysis that they’re all residential hosts running proxies, knowingly or otherwise.
The more concise word for this is “botnet”. Computers participating in one should be quarantined until they stop.
Often times random shovelware apps will have these proxy SDKs embedded in them, and the only mention of it being part of the software is buried in some long ToS that nobody reads.
GEOIP providers often sell a database of known VPN/Proxy endpoints. They take the approach of shoot first, ask questions later. Using one of these databases bans a lot of legitimate ip addresses that have seen been the source of known VPN or proxy traffic.
Its not perfect ofc, but its not meant to be. Its usually just used as a safety blanket for geoblocked intellectual property, like netflix.
For low-volume stuff you can always get a non-expiring 4G/5G bundle eSIM and tunnel through that. Because 4G/5G roaming always tunnels traffic through the home country, and then emerges from CGNAT so it can't be identified as foreign traffic.
But those data packages are expensive and not available with each wanted origin country. Also you need hardware on your side. But it is an option, just saying.
You know perfectly well what blocking VPN access means in common verbiage. I don't understand the motivation of these "hey look my WireGuard connection to home isn't blocked, you guys don't know the true meaning of VPN" comments that inevitably pop up in these discussions. Like come on, this is a tech forum, you're not impressing anyone for knowing the technical definition of VPN and how to set up WireGuard.
To flip that though, what about just using those sketchy-ass malware-laden "residential IP" VPN providers and route your traffic through someone else's hacked up VPN running on a Fire TV stick they bought off JimBob for $200?
Besides the political implications, I think we should try to find an objective taxonomy, it's clear that privacy VPNs and network security VPNs are different products semantically, commercially and legally, even if the same core tech is used.
Possibly the configuration and network topology is different even, making it a technically different product, similar to how a DNS might be either an authorative server for a TLD, an ISP proxy for an end user, a consumer blacklist like pihole, or an industrial blacklist like spamhaus. It would be a non trivial mistake to conflate any pair of those and bring one up in an argument that refers to the other.
Yeah, it's an ignorant and arrogant take on the legal system.
In most places the law is exercised pragmatically, interpreted by presumed intention. That's why legal precedent is important. You likely won't convince any judge being anal about the wording (maybe if the law gets applied for the first time). You can derail anything semantically. Furthermore, despite apparent belief, laws are frequently formulated in such a way that a particular wider term is extended to help interpretation. Eg. "It is prohibited to use a VPN in a way capable and intended to obscure one's physical internet access point identification". (Not a lawyer, not a native speaker, don't get anal with this wording, either.) I very much doubt any legally binding document would even use the term 'VPN' primarily to describe the technical means for anonymization, but rather describe it functionally.
And this is rather an anemic take. The (proposed) UK VPN ban that was recently discussed here have a definition on what exactly is a "VPN" for the purposes of the ban (basically "VPNs generally advertised to normal consumers") but a lot simply shouted "ssh go brr" (and definitely did not read the proposed law). These "let's go techical" thinking never flies with the poeple who makes such legislation, and in (probably unpopular!) opinion we should talk to them in terms that they can understand. Yes, we don't want that law, but having a purist take would probably alienate regular people.
It doesn't really matter that a single person has found a loophole because many, many other people don't have such a luxury, and that's what the lawmakers are aiming for.
I have worked for fintech companies that mandate VPN use as a security measure.
It's going to be interesting when the majority of the UK accesses the internet via VPN because of the increasingly ridiculous hoops that the UK makes them go through, and the government tries to stop them while also allowing VPNs to be used by the tech sector.
I agree, these are two separate legal processes powered by the same technology. But the internet doesn't have any awareness of legality (thankfully) so we're stuck with only the technical meaning.
> The (proposed) UK VPN ban that was recently discussed here have a definition on what exactly is a "VPN" for the purposes of the ban (basically "VPNs generally advertised to normal consumers")
It’s not taking about IPsec tunnels between networkers, or a connection back to your home. It’s talking about surfshark
Tailscale is really not that hard to set up. There's an Apple TV app for it, even. And who doesn't have some friend in another state or country that would like an Apple TV?
Your friends don't find it uneasy that you can be tunneling illegal activities through their internet connection and have the FBI knocking at their door in a few months?
Exactly, I have friends from other countries. Friends I really like, I would not give a VPN access to my internet connection to most of them. They have to be the perfect intersection of technically competent (so that their computer doesn't get turned into a botnet) and fully trustworthy.
I do actually give VPN access to my mother that is not technically competent but I have full access to her computer and locked her down as much as possible
I live a thousand miles from another country. No I don't have friends in another country and I don't even know anyone with friends in another country except immigrants or spouses of immigrants.
How is it out of touch? GP comment makes it sound like the technical know to setup a VPN exit node is this crazily esoteric super weird nerdy thing that no one would expect anyone normal to even know about. Installing an Apple TV app onto an Apple TV and mailing it to a friend requires zero command line usage.
But no, Tailscale did not pay me for this comment. I do happen to know someone that works there though.
Don't bother with these comments. I made a similar reply to yours a few days ago and while most found it useful, a surprising amount of whataboutism occurred - no, Apple TV hardware isn't common, or no, only old people have them, or no, why would you use an Apple TV when [X] can do it cheaper, or no, why not self-host and not be dependent on Apple and Tailscale?
Entirely missing the point that setting up a VPN exit node on your own or someone else's connection is a crazily esoteric super weird nerdy thing outside of communities like HN, and Tailscale on an Apple TV box will not only work but automatically update itself with no intervention on your part, and that the person whose house it is in needs extremely minimal technical skill to do what you tell them to over the phone.
Thanks. With people in their own independent bubbles it's hard to tell, but with a guess at 25 million Apple TVs out there in the wild, I didn't think it was that esoteric, but what do I know.
I'd say that even the idea that you could VPN into your own network and forward all traffic through it is pretty far from the mainstream. Let alone how to actually do it. Most people think of VPN as a way to avoid porn blocks or getting tagged for piracy. But, as you and I both noted, the technical know-how for setting up Tailscale is not that high, and for using it is almost nil. Turn it on, pick an exit node, go. Combine that with a device that's intended as a consumer appliance that makes maintenance a non-issue, and you have a very good solution for the family geek.
>I connect to my residential ISP in the USA via VPN all the time and have never had issues with being blocked for VPN use.
Bit of a non sequitur, you would have to outline your entire usage pattern to even submit that as N=1.
GEOIP providers dont sit on your home network. They do accept data from third parties, and are themselves (likely) subscribed to other IP addressing lists. Mostly they are a data aggregator, and its garbage in > garbage out.
If someone, say netflix, but other services participate, flag you as having an inconsistent location, they may forward those details on and you can get added to one of these lists. You might see ip bans at various content providers.
But the implementation is so slapshod that you can just as likely, poison a single ip in a CGNAT pool, and have it take over a month for anyone to act on it, where some other users on your same ISP might experience the issue.
These things can also be weighted by usage, larger amounts of traffic are more interesting because it can represent a pool of more users, or more IP infringement per user.
You can also get hit from poor IP reputation, hosting a webserver with a proxy or php reverse shell, or a hundred other things.
(Also, larger ISPs might deal with a GEOIP provider selling lists of VPN users that include their IP address space, legally, rather than just going through the process of getting the list updated normally. This means the GEOIP providers can get skittish around some ISPs and might just not include them in lists)
There is even a single company in the unique position to actually tell where exactly(-ish, considering CGNAT exists) where an IP address is located: Google. They do use the "enhanced location" data on Android devices to pinpoint where an IP is, so a single Android device can actually change fings for Google (and YouTube).
If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.
The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.
IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....
Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!
> you only need to detect a VPN connection once to prove violation
But an IP address is not a person (legally in the US at least), and many IPv4 addresses get re-used fairly often. My home 5G internet changes IP every single day, and it's a constant struggle because other users often get my IP blocked for things I didn't do. I cannot even visit etsy.com for example. Just for fun I even checked 4chan and the IP was banned for CP, months before I ever had this particular IP (because I'm paranoid and track all that stuff).
> But an IP address is not a person (legally in the US at least)
That's a completely different matter (and still probably reasonable suspicion for a search, anyway). If an account/service ID evidently uses a service through a VPN there is no uncertainty of ToS violation. Of course someone could have hacked your account and used a VPN, it doesn't ultimately prove you did it, but nevertheless the account can be flagged/blocked correctly for VPN usage.
> many IPv4 addresses get re-used fairly often
The VPN's servers won't be using changing, "random" IPs. That's something ISPs do when assigning residential IPs. VPNs with residential IPs are not common. (I am not sure those VPNs are even really legal offerings.)
If your ISP uses NAT for its subnet space, you could argue it's technically similar to a VPN. However, same as with VPN exit scraping/discovery, those IP spaces can be determined and processed accordingly. I am also sure those ISP subnets for residential IPs are actually publicly defined and known. Eg. the Vodafon IP may get temporarily flagged for acute suspicious behavior, but won't get your account flagged for VPN violation, or even blocked permanently, since it's known to be the subnet of a mobile ISP, which uses NAT.
Additionally, I presume e.g. SoundCloud prohibits anonymizing VPNs, not everything that's technically a VPN or similar.
And also it doesn't matter what the legally provable significance of an IP address is for the purposes of violating a ToS. A ban from SoundCloud is not a court proceeding. ToS agreements are allowed to have arbitrary rules, and they routinely do.
As long there isn't a critical risk, these kind of business decisions won't aim for certainity.
They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.
It is easier to block all non-residential addresses, than block VPNs. As an added "bonus" it also kills personal VPNs running on VPS. VPNs in residential space exist but are sold as "premium" product.
yes and those users that happen to have their bw sold as residential VPN will be caught in the crossfire... many times they are not even aware of it because it's something buried in a ToS they didn't read for some random app.
Someone googles "free VPN" so they can watch region locked videos and now their connection is a part of that network too. They may or may not realize that this is the arrangement.
Maybe its a trick and they are logging all the people on VPN's trying to see if they are blocked over the next 24 hr. Then they can take the data and start blocking it lol. Maybe not lol?
They kinda do on Apple Private relay and most services don't block it. Funny thing if you put it in your router and point the tunnel to a certain country is a good way to source address launder since the endpoint will just think its an apple private relay user from local country.
Tradeoff is that it seems to be a browser only thing. Some tools like the default macOS curl seem to be integrated with it.
Unless Apple would make an anonymizing VPN connection mandatory, I don't see any difference to the situation as is. As long as people can be pressured to turn off the VPN, nobody loses any customers. Additionally, I don't think paying customers are the target, since they usually provide identifying information anyway.
If Apple started routing all iPhone/Mac traffic through some anonymizing VPN by default, services that block it would absolutely lose lots of customers.
Yes, but Apple wouldn't do this, because Apple is also at risk of losing customers when people get blocked by network security at work. We could also fantasize about Apple fighting all the tracking everywhere, including their own services...
Quite frankly, it's a bit silly to paint Apple as some privacy fortress, who wouldn't have to comply with law enforcement/intelligence to unmask/tap traffic. I mean, for a lot of people VPN choice is done considering legal jurisdictions somewhere far away. Apple could/would never possibly offer this level of protection.
It sucks that we need rely on a big company to make a big, scaled-up change like that in order to move the needle. This looks like a pretty fatal flaw in the design of TCP/IP. IPs should be randomized periodically and they should all be equal. You shouldn't be able to tell someone's country from them, let alone their city, ISP, whether it's coming from a business or somewhere residential, whether they are a bot or a human. The Internet shouldn't have boundaries like this, and the fact that it still does shows there's still work to do.
This comment would be more useful if you have the name of the product or linked to it. I’m also not aware of this offering and wasn’t able to find information on it.
Private relay is an Apple VPN-like service that only covers iOS safari. That means the SoundCloud app or desktop usage will not receive any privacy benefits.
They’re not big enough and some sites will hard block it with other VPNs, like the government of Delaware. Bigger sites still soft block it like Instagram which will randomly ban accounts using it, or Google with captchas every couple of searches.
Apple, parading as paragons of privacy, also allow companies like Facebook etc. to track you across reinstalls and EVEN DEVICE RESETS and NEW DEVICES through the iCloud Keychain API.
This shit has been going on for maybe 5 years but no one seems to know or care.
Should be interesting to see how the internet blocks those of us who don't want to be fingerprinted, ID'd, or reveal our home IP addresses. YouTube already blocks embeds to login and prove I'm not a bot, funnily it doesn't work and embeds never play. Reddit will block me unless I'm signed in which I don't mind too much, but the daily beast and many others block me which is a shame because I'm a real human being using the internet as intended.
Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.
My router is setup for WireGaurd and it'll never be disabled.
>block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
As someone who has both spent quite a bit of time writing scrapers and later lots of headache on blocking malicious bots from accessing websites, I can tell you this has become futile. Bot makers aren't stupid. If you put in a check for how fast actions are performed, they will put in a sleep timer in their script. If you start blocking residential IPs because many people use it, you are probably just blocking a school or dormitory, while the real bots will quickly move to another IP once they smell something is off. Today with modern multimodal LLMs, you can bypass almost every "human-check" imaginable. And if they can't pass something, most of your users sure as hell won't either. Not because it is too hard, but because it will take too long to solve. The sweet 3-15s actionable human intelligence threshold has been passed by now. The cats and dogs type captchas were already solved more than 12 years ago by simple CV machine learning. The tech has progressed an insane amount since then. In the end I always ended up basically doing what SoundCloud did here if my service was sensitive: Block entire countries, all tor exit nodes and all known VPN ASNs. That will get it down by like 90%. Bear in mind that anyone who wants to put in some effort will still easily bypass this, but at least the low-effort guys from third world countries will take a while before they catch on. So you can go back to doing some actual work in the meantime.
What do you think "evil" means? In the real world, there's no one holding up a platonic ideal of moral action and swearing to do the opposite, like some comic book antagonist. Real world evil is acting with complete amorality, because if you don't care about right or wrong in your pursuit of some goal, you inevitably will do some heinous shit.
That's not to say corporations don't come awfully close to the comic book concept of evil. By definition, a corporation's prime purpose is an uncaring commitment to making money, and if you've gone public, making all the money. That's awfully close to being the opposite of the "good" ideals of generosity and kindness.
while i am sure that google was completely indifferent when they made their search engine return worse results in the name of increasing profits , this action did serve to directly increase human suffering
In the nicest way possible: who cares? So "they" know my vile pornographic proclivities, my daily commute, and probably what color my poop was this morning. Then what? I get embarassed?
Snowden showed the NSA has taps upstream, so in my book: that's over. I'm fairly convinced if your company reaches a size where it could potentially be a national security threat, the government comes knocking (Facebook, Apple, Twitter, etc.), so that seems like it's over. You have the AI companies scraping god knows what. And, I imagine most countries have corollaries.
Really, all the bad actors I'd encounter in my daily travels would be ones who want to steal money from me. That's a simple ideology. I can handle that. My identity gets stolen, my bank account...there's multiple levels of billion dollar companies with vested interest in me not losing faith in "the system," so I'm not worried about it really.
If a company wants to associate my phone number to glean all my purchases forever in order to target tailored ads to me, fine. Again, it's in the spirit of taking my money, which is a simple ideology.
If the neighbors want to snoop on my traffic, hats off to them for having the capacity to live two lives: both theirs, and mine after they figure out my day-to-day dealings. Doubt they have time to do much about it. Hard enough to live one life in 24 hours.
If the government wants to try and keep tabs on everything to see who's making ICBMs and who isn't, or whatever else they want to do, that's their prerogative but it seems like a complex goal that doesn't affect me.
This only works so long as you're not interesting to anyone. You never know what past information associated with your identity will be weaponized against you. By the government, corporations, or individuals to justify harming you. Even if you're safe and secure in the belief that your neighbors will never turn on you, others are not so lucky.
Did you travel to get an abortion? Someone might be interested in charging you with a felony. Did you associate too closely with non-citizens? Maybe you're one too. Did you reserve a hotel room? Probably willing to pay more for flights there. Do you frequent hacker news? Might not be so in favor of the current political establishment.
You make a couple of good points. The necessity to commit a felony in the name of healthcare as traveling to get an abortion is shameful. I can't believe it's come to that. Have people been rounded up into camps and exterminated for innate human qualities and beliefs? Yes. And it's disgusting I have to type that as well.
But beyond that I disagree with your sentiment.
These things need to be stopped as they come. Withholding data and living a life of fearful "what ifs" cannot preemptively stop atrocity. Of course I'll never know what past information can be used against me in the future; weaponized in ways I cannot fathom. It's a possibility. Hindsight is 20/20, but "you can't predict the future," so how would I know? I have to live my life. I gotta do SOMETHING.
The crux of all of those "what ifs" is beholden to if the person correlating that data has social agency to act upon it. If that's the case, anyone could be my next predator. Anyone could be the next Hitler waiting to exterminate me based on my non-citizen camaraderie or political leanings.
Data is just a predictor, it is not the truth. If my life provided a data point for a yet-to-be-born hostile dictator to perjure me, I will deal with that when it comes, but I can't live my life out of fear.
I compare it to ecology. You're saying you will deal with the sea when it has risen to your doorstep rather than reduce emissions, or even build a levy. You've chosen to not worry about the sea, either because you don't think you can stop it, or it is not convenient for the moment to try. People who believe the sea is rising can't help but fear it because they are rational. People building privacy levies are not living in fear, they are reacting rationally to a hazard.
That's one way to look at it, mine is no data goes out or in unencrypted, and for me it's simple. Adtech? "No." - let packet kiddies get my home IP address? "No."
It's as simple as that: No thanks, then I slide the slider on WireGuard and then I have an encrypted tunnel that all of my devices can communicate with each other, use a DNS through the tunnel with domains blocked and I can control what phones home and what doesn't. I'm not concerned with foreign governments, snoopy neighbors, war driving, or anything.
I can't solve all the problems but there are no what ifs on my end, *What if" -> No.
I'm not a number in some algorithm or malicious because I route my data securely, I'm a human being.
You may believe yourself and your actions to be ignored by the watchers, but you might still want everyone in general to be free of watchers. Both since being constantly watched is detrimental to the human condition, but also since some people may actually dare to improve society if they are not watched.
These vpn believers don't understand how concentrating all of the traffic thru a single chokepoint (the vpn provider network), they're infinitely easier to network monitor.
SoundCloud once messed up a huge song import - hundreds (as in more than 9 hundreds). There was no way to batch clean/edit, or even clear/nuke (i.e delete everything). Support refused to help. They clearly said they "won't" do it and they helpfully asked me to do it one by one because that was the way users were supposed to do it. I kept requesting that they could just delete everything and I would set up everything again because at that point my profile looked all garbage and noise. They refused and stopped responding. I found a CxO email and mailed seeking help. I never received a reply. A few days later, I just deleted that really old account. I used to use the site very regularly since the beginning. But after that, they never even came to my mind until I saw this here on HN.
same here. been a paying customer for 2 years, a soundcloud listener for 5+. this is where i switch back to downloading music off russian pirate websites.
well, life isn't all sunshines and rainbows after all :)
i'm glad there are lots of people who think just like i do and are ready to sacrifice convenience for the sake of privacy
VPNs is such a shady industry, I really don't blame companies for blocking them. 99% of people using a VPN do not understand they are giving all their traffic to a random company in a jurisdiction they can't verify, with privacy policies they didn't read, operated by people they've never heard of, based entirely on marketing claims and affiliate-driven "reviews".
There is pretty much zero regulatory oversight. The ownership structure of VPN companies is opaque, often owned by holding companies. For example Kape Technologies owns ExpressVPN, PIA, CyberGhost, etc.
Last night I was blocked from HBOMAX (or whatever brand they go by these days) for being on a VPN. That was the first time I've ever encountered something like that on HBOMAX. I wonder if there is some coordinating event here.
Having it spelled out as "Are you on a VPN?" on streaming services is pretty common these days. I guess with the popularity of consumer VPNs that term isn't just a technical one any more.
Soundcloud these days is nothing but a spambot filled website that have ripped countless users’ tracks and scam to earn fake followers, which the platform doesn’t block these bot but instead shallow banning proper users. The support is also nonexistent and my support ticket hasn’t being been responded for more than an year.
I ended up trashed my account because I got shadow banned for no reason while they keep on stripping off basic features. Some of the users in my community also faced the similar stories.
Unless there is an irreplaceable feature in SoundCloud you rely on, I see no reason to use it.
If you're using tailscale it's a true VPN, not a proxy, and it won't have any impact on you. If you're using the Mullvad add-on that's a different situation.
Still seems to work via the desktop interface while accessing the old.reddit version, at least it worked a couple of days ago for me, I can't speak for the new web version nor for their phone app, cause I'm not using those.
Across 3 VPN providers I use, none of them have issues accessing reddit anonymously. There are nodes/regions that are blocked, but finding a working server isn't hard.
Legislation. If a country requires age verification, identity verification, moderation, etc, it's easy enough to either block that traffic or enforce the local laws. However users can easily circumvent this with a VPN. For some countries, this traffic is still in scope, and so the only real way to prevent it is to block or impose the restrictions on all VPN users.
Could also be spam/abuse prevention. Credential stuffing often goes through VPNs, signup over VPN is a strong signal for future abuse or issues in various ways.
There is also age-requirement legislation for platforms that contain social media components or collect private information, which SoundCloud also does.
well, what if an artist put something controversial in the lyrics, like, something that radicalizes a minor into developing something maligned like, agency, or self awareness
I'm guessing you're on the younger side and don't remember: there was an enormous moral panic about music in the 90s. There were ostensibly serious, sober Congressional hearings about it. Multiple people (e.g. Tipper Gore) made it their specific political hobbyhorse. It was the thing corrupting the youth, before the pivot to video games after Columbine. It's why we still have those black-and-white stickers on CDs (to the extent anyone buys CDs anymore).
I'd like to like that won't come back, but voting rights for women are back on the table, apparently, and SoundCloud is apparently worth age-gating, so I guess not.
Yes mostly about this. I can't use SoundCloud (or Spotify) in Serato DJ Pro to connect and play songs, not available in my country. But Apple Music connected, so moving my archive there.
It doesn’t really matter if they’re using commercial VPNs or the same upstream providers as commercial VPNs. Blocking an ASN is a million times more effective than blocking single IPs (at the risk of blocking genuine customers). I’ve had customers reach out to me asking to be unbanned after I blocked a few ASNs that had hostile scrapers coming out of them. It’s a tough balance.
VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
AI scrappers made it so much worse. Now most things completely block VPN users who aren't logged in. Reddit and Youtube will refuse to load anything until you log in if you are on a VPN.
Even Russia and Iran has issues blocking VPN country wide…curious what SoundCloud is going to be able to do. I’m guessing it’s to block AI scrapers but ironically, they have way more resources than your customers. SoundCloud will end up pissing off their paying customers and AI bots will still be able to scrape.
>However, the company's response included a configuration change that disrupted VPN connectivity to the site. SoundCloud has not provided a timeline for when VPN access will be fully restored.
I tried creating a SoundCloud account recently for uploading DJ sets to and it just outright wouldn't let me. Didn't matter whether I was or wasn't on a VPN, or whether I had clean cookies. Crappy bot detection. You can be sure I'm never paying for such a hostile service.
Uhhh. Unless people are now using SC completely differently from how I was using it, the media people publish on SC is far too niche to be available via piracy.
I am so sick of these IP blocks. Same thing in Discord where a lot of servers deploy third-rate services like Double Counter that’s effectively a malware host. There’s nothing wrong with using VPN. I don’t want my IP exposed when my ISP doesn’t allow me to freely change it like they used to even a couple of years ago.
i’ve watched this VPN arms race get weird over the years... as a user i feel like the license wars always spill over onto my connection.
rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.
BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.
i think the conversation around Apple or any single company saving us is missing the point.
ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.
the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.
HOWEVER... if enough of us treat VPN use as normal... the calculus changes.
blocking a few percent of weirdos is easy... blocking half your paying users is not.
i don't know the answer... but i suspect it's going to get more fragmented before it gets better.
How does this help Soundcloud's bottom line? They aren't a streaming service that curates and licenses's content intended for specific regions are they?
They have a lot of user-created music that doesnt exist anywhere else. Maybe they're trying to sell that dataset to AI companies for training their models. If they allow non-residential IPs, those potential customers could just scrape their site instead.
I thought for a moment while reading these comments that somehow SC had completely changed in terms of content and type of user. People seem to think it's a Spotify-like or something. I consumed essentially audio shitposts and DJ mix sets on SC, stuff that you're not going to find published in a pirateable form...
There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)
It will never cover every VPN or proxy in existence, but it gets pretty close.
Assuming your VPN identification service operates commercially, I trust that you are in full compliance with all contractual agreements and Terms of Service for the services you utilize. Many of these agreements specifically prohibit commercial use, which could encompass the harvesting of exit node IP addresses and the subsequent sale of such information.
Illinois law makes it a misdemeanor to violate web site ToS, though. And felony for the second time IIRC. Other states probably also.
Why? It's not like there's any real moral (or, likely, legal) reason to care beyond avoiding the service's ban hammer.
https://www.ilga.gov/Documents/legislation/ilcs/documents/07...
... "the owner authorizes patrons, customers, or guests to access the computer network and the person accessing the computer network is an authorized patron, customer, or guest and complies with all terms or conditions for use of the computer network that are imposed by the owner;"
Unless you're the one-in-a-million unlucky user who gets prosecuted under the CFAA's very generic "unauthorized access to a protected computer" clause, like Aaron Swartz. It seems the general consensus is this doesn't apply to breaking a website ToS, and Aaron was only in so much trouble because he broke into a network closet, as well as for copyright violation. But consult a lawyer if unsure. (That's another difference: A business will ask a lawyer if it wants to do something shady, while an individual will simply avoid doing it)
https://ip-ranges.amazonaws.com/ip-ranges.json
https://digitalocean.com/geo/google.csv
(And even if they don't publish them, you can just look up the ranges owned by any autonomous network with the appropriate registry.)
How does the buyer even know what the precision and recall rates might be?
Even with IPv6 it's not a huge problem. With a few samples we can know that a provider is operating in a given /64 or /48 or even /32 space, and can assign a confidence level that the range is used for VPNs.
You just track and block /24 or /16 as necessary.
The legitimate end-user will then no longer be able to use e.g. SoundCloud.
The more concise word for this is “botnet”. Computers participating in one should be quarantined until they stop.
Often times random shovelware apps will have these proxy SDKs embedded in them, and the only mention of it being part of the software is buried in some long ToS that nobody reads.
But the more sites that require a residential VPN for normal use, the less legitimate that argument becomes.
Its not perfect ofc, but its not meant to be. Its usually just used as a safety blanket for geoblocked intellectual property, like netflix.
But those data packages are expensive and not available with each wanted origin country. Also you need hardware on your side. But it is an option, just saying.
Maybe they mean commercial VPN providers that run on the cloud?
https://news.ycombinator.com/item?id=45926849
Besides the political implications, I think we should try to find an objective taxonomy, it's clear that privacy VPNs and network security VPNs are different products semantically, commercially and legally, even if the same core tech is used.
Possibly the configuration and network topology is different even, making it a technically different product, similar to how a DNS might be either an authorative server for a TLD, an ISP proxy for an end user, a consumer blacklist like pihole, or an industrial blacklist like spamhaus. It would be a non trivial mistake to conflate any pair of those and bring one up in an argument that refers to the other.
It's not that he doesn't know the difference. He's making the argument that since there's no _technical_ difference there can be no legal difference.
In most places the law is exercised pragmatically, interpreted by presumed intention. That's why legal precedent is important. You likely won't convince any judge being anal about the wording (maybe if the law gets applied for the first time). You can derail anything semantically. Furthermore, despite apparent belief, laws are frequently formulated in such a way that a particular wider term is extended to help interpretation. Eg. "It is prohibited to use a VPN in a way capable and intended to obscure one's physical internet access point identification". (Not a lawyer, not a native speaker, don't get anal with this wording, either.) I very much doubt any legally binding document would even use the term 'VPN' primarily to describe the technical means for anonymization, but rather describe it functionally.
It doesn't really matter that a single person has found a loophole because many, many other people don't have such a luxury, and that's what the lawmakers are aiming for.
It's going to be interesting when the majority of the UK accesses the internet via VPN because of the increasingly ridiculous hoops that the UK makes them go through, and the government tries to stop them while also allowing VPNs to be used by the tech sector.
I agree, these are two separate legal processes powered by the same technology. But the internet doesn't have any awareness of legality (thankfully) so we're stuck with only the technical meaning.
I doubt that.
The tech is the same, though. That's the point.
It’s not taking about IPsec tunnels between networkers, or a connection back to your home. It’s talking about surfshark
I do actually give VPN access to my mother that is not technically competent but I have full access to her computer and locked her down as much as possible
But no, Tailscale did not pay me for this comment. I do happen to know someone that works there though.
Entirely missing the point that setting up a VPN exit node on your own or someone else's connection is a crazily esoteric super weird nerdy thing outside of communities like HN, and Tailscale on an Apple TV box will not only work but automatically update itself with no intervention on your part, and that the person whose house it is in needs extremely minimal technical skill to do what you tell them to over the phone.
Thanks again, devilbunny
You're very welcome.
Bit of a non sequitur, you would have to outline your entire usage pattern to even submit that as N=1.
GEOIP providers dont sit on your home network. They do accept data from third parties, and are themselves (likely) subscribed to other IP addressing lists. Mostly they are a data aggregator, and its garbage in > garbage out.
If someone, say netflix, but other services participate, flag you as having an inconsistent location, they may forward those details on and you can get added to one of these lists. You might see ip bans at various content providers.
But the implementation is so slapshod that you can just as likely, poison a single ip in a CGNAT pool, and have it take over a month for anyone to act on it, where some other users on your same ISP might experience the issue.
These things can also be weighted by usage, larger amounts of traffic are more interesting because it can represent a pool of more users, or more IP infringement per user.
You can also get hit from poor IP reputation, hosting a webserver with a proxy or php reverse shell, or a hundred other things.
(Also, larger ISPs might deal with a GEOIP provider selling lists of VPN users that include their IP address space, legally, rather than just going through the process of getting the list updated normally. This means the GEOIP providers can get skittish around some ISPs and might just not include them in lists)
or in my case, have a VM on same subnet as other poor actors and thus get bad rep from others.
I just tried it with a well known commercial VPN and I had no problems accessing the site and its music content.
Here’s one database to check.
If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.
The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.
IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....
Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!
But an IP address is not a person (legally in the US at least), and many IPv4 addresses get re-used fairly often. My home 5G internet changes IP every single day, and it's a constant struggle because other users often get my IP blocked for things I didn't do. I cannot even visit etsy.com for example. Just for fun I even checked 4chan and the IP was banned for CP, months before I ever had this particular IP (because I'm paranoid and track all that stuff).
That's a completely different matter (and still probably reasonable suspicion for a search, anyway). If an account/service ID evidently uses a service through a VPN there is no uncertainty of ToS violation. Of course someone could have hacked your account and used a VPN, it doesn't ultimately prove you did it, but nevertheless the account can be flagged/blocked correctly for VPN usage.
> many IPv4 addresses get re-used fairly often
The VPN's servers won't be using changing, "random" IPs. That's something ISPs do when assigning residential IPs. VPNs with residential IPs are not common. (I am not sure those VPNs are even really legal offerings.)
If your ISP uses NAT for its subnet space, you could argue it's technically similar to a VPN. However, same as with VPN exit scraping/discovery, those IP spaces can be determined and processed accordingly. I am also sure those ISP subnets for residential IPs are actually publicly defined and known. Eg. the Vodafon IP may get temporarily flagged for acute suspicious behavior, but won't get your account flagged for VPN violation, or even blocked permanently, since it's known to be the subnet of a mobile ISP, which uses NAT.
Additionally, I presume e.g. SoundCloud prohibits anonymizing VPNs, not everything that's technically a VPN or similar.
They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.
Banning by a hosted IP amongst billions of other IPs is different.
A lot of shady shit under that term. Used by all the harmful services - scammers, AI crawlers... :)
yeah sure, if you ignore the existence of literally every mobile isp.
Tradeoff is that it seems to be a browser only thing. Some tools like the default macOS curl seem to be integrated with it.
Quite frankly, it's a bit silly to paint Apple as some privacy fortress, who wouldn't have to comply with law enforcement/intelligence to unmask/tap traffic. I mean, for a lot of people VPN choice is done considering legal jurisdictions somewhere far away. Apple could/would never possibly offer this level of protection.
There were also plenty of corp-ware in existence that had Flash as *absolutely mandatory*.
If 20% of people are using VPNs, blocking them is going to be a double-digit hit.
It's a very limited VPN as it only works for Safari/Mail and only anonymizes you to your region/country.
This shit has been going on for maybe 5 years but no one seems to know or care.
Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.
My router is setup for WireGaurd and it'll never be disabled.
Shame on SoundCloud
As someone who has both spent quite a bit of time writing scrapers and later lots of headache on blocking malicious bots from accessing websites, I can tell you this has become futile. Bot makers aren't stupid. If you put in a check for how fast actions are performed, they will put in a sleep timer in their script. If you start blocking residential IPs because many people use it, you are probably just blocking a school or dormitory, while the real bots will quickly move to another IP once they smell something is off. Today with modern multimodal LLMs, you can bypass almost every "human-check" imaginable. And if they can't pass something, most of your users sure as hell won't either. Not because it is too hard, but because it will take too long to solve. The sweet 3-15s actionable human intelligence threshold has been passed by now. The cats and dogs type captchas were already solved more than 12 years ago by simple CV machine learning. The tech has progressed an insane amount since then. In the end I always ended up basically doing what SoundCloud did here if my service was sensitive: Block entire countries, all tor exit nodes and all known VPN ASNs. That will get it down by like 90%. Bear in mind that anyone who wants to put in some effort will still easily bypass this, but at least the low-effort guys from third world countries will take a while before they catch on. So you can go back to doing some actual work in the meantime.
This is the main issue here, the web has become actively hostile to normal people in the quest to monetize every second of online activity.
"Completely indifferent" and "Corporations are completely amoral" are more accurate.
It's the difference between someone trying to drown you, versus someone trying to fish while you drown just off the bank. Same end, of course.
That's not to say corporations don't come awfully close to the comic book concept of evil. By definition, a corporation's prime purpose is an uncaring commitment to making money, and if you've gone public, making all the money. That's awfully close to being the opposite of the "good" ideals of generosity and kindness.
Snowden showed the NSA has taps upstream, so in my book: that's over. I'm fairly convinced if your company reaches a size where it could potentially be a national security threat, the government comes knocking (Facebook, Apple, Twitter, etc.), so that seems like it's over. You have the AI companies scraping god knows what. And, I imagine most countries have corollaries.
Really, all the bad actors I'd encounter in my daily travels would be ones who want to steal money from me. That's a simple ideology. I can handle that. My identity gets stolen, my bank account...there's multiple levels of billion dollar companies with vested interest in me not losing faith in "the system," so I'm not worried about it really.
If a company wants to associate my phone number to glean all my purchases forever in order to target tailored ads to me, fine. Again, it's in the spirit of taking my money, which is a simple ideology.
If the neighbors want to snoop on my traffic, hats off to them for having the capacity to live two lives: both theirs, and mine after they figure out my day-to-day dealings. Doubt they have time to do much about it. Hard enough to live one life in 24 hours.
If the government wants to try and keep tabs on everything to see who's making ICBMs and who isn't, or whatever else they want to do, that's their prerogative but it seems like a complex goal that doesn't affect me.
Did you travel to get an abortion? Someone might be interested in charging you with a felony. Did you associate too closely with non-citizens? Maybe you're one too. Did you reserve a hotel room? Probably willing to pay more for flights there. Do you frequent hacker news? Might not be so in favor of the current political establishment.
But beyond that I disagree with your sentiment.
These things need to be stopped as they come. Withholding data and living a life of fearful "what ifs" cannot preemptively stop atrocity. Of course I'll never know what past information can be used against me in the future; weaponized in ways I cannot fathom. It's a possibility. Hindsight is 20/20, but "you can't predict the future," so how would I know? I have to live my life. I gotta do SOMETHING.
The crux of all of those "what ifs" is beholden to if the person correlating that data has social agency to act upon it. If that's the case, anyone could be my next predator. Anyone could be the next Hitler waiting to exterminate me based on my non-citizen camaraderie or political leanings.
Data is just a predictor, it is not the truth. If my life provided a data point for a yet-to-be-born hostile dictator to perjure me, I will deal with that when it comes, but I can't live my life out of fear.
I compare it to ecology. You're saying you will deal with the sea when it has risen to your doorstep rather than reduce emissions, or even build a levy. You've chosen to not worry about the sea, either because you don't think you can stop it, or it is not convenient for the moment to try. People who believe the sea is rising can't help but fear it because they are rational. People building privacy levies are not living in fear, they are reacting rationally to a hazard.
It's as simple as that: No thanks, then I slide the slider on WireGuard and then I have an encrypted tunnel that all of my devices can communicate with each other, use a DNS through the tunnel with domains blocked and I can control what phones home and what doesn't. I'm not concerned with foreign governments, snoopy neighbors, war driving, or anything.
I can't solve all the problems but there are no what ifs on my end, *What if" -> No.
I'm not a number in some algorithm or malicious because I route my data securely, I'm a human being.
For a longer argument, see The Eternal Value of Privacy, by Bruce Schneier in 2006: <https://web.archive.org/web/20241203195026/https://www.wired...>.
As a bonus you may even get discount codes for your VPN!
For real tho, fuck all those rent-seeking control freaks. Piracy was almost dead, we had a good deal. But no, it's never enough, so here we are.
Also, some piracy boards are actually pretty steady, nice and cool communities, and listing to local files feels way more intentional.
There is pretty much zero regulatory oversight. The ownership structure of VPN companies is opaque, often owned by holding companies. For example Kape Technologies owns ExpressVPN, PIA, CyberGhost, etc.
They also block data center IP's
Signing up for Reddit through a VPN has been difficult to impossible for a long time.
The amount of abuse that comes through VPN-sourced IP addresses is much higher than normal. It's common to block it on any social media site.
... or were you simply using a VPN and that's the most likely culprit for a general failure of the service ?
Genuinely curious ...
Soundcloud these days is nothing but a spambot filled website that have ripped countless users’ tracks and scam to earn fake followers, which the platform doesn’t block these bot but instead shallow banning proper users. The support is also nonexistent and my support ticket hasn’t being been responded for more than an year.
I ended up trashed my account because I got shadow banned for no reason while they keep on stripping off basic features. Some of the users in my community also faced the similar stories.
Unless there is an irreplaceable feature in SoundCloud you rely on, I see no reason to use it.
edit: Ah, it's based on login status
[1] https://ipinfo.io/tools/vpn-providers-detected
Could also be spam/abuse prevention. Credential stuffing often goes through VPNs, signup over VPN is a strong signal for future abuse or issues in various ways.
I'd like to like that won't come back, but voting rights for women are back on the table, apparently, and SoundCloud is apparently worth age-gating, so I guess not.
VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
>However, the company's response included a configuration change that disrupted VPN connectivity to the site. SoundCloud has not provided a timeline for when VPN access will be fully restored.
https://www.bleepingcomputer.com/news/security/soundcloud-co...
I worked around it but it was a pain
there are more elegant solutions similar to yt-dlp. scdl is very user friendly and automatically embeds metadata.
https://github.com/scdl-org/scdl
https://github.com/miraclx/freyr-js
Patreon also banned VPN
YouTube, Reddit - locked out, requiring to log into account, on pretense of security and care concerns, yeah to identify and track VPN users.
with soundcloud, i just got a generic 403 from cloudfront
combine that with country-level internet filter, the internet is getting harder and harder to use :(
I used that once and got in trouble with the client since the ruleset was over blocking.
rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.
BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.
i think the conversation around Apple or any single company saving us is missing the point.
ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.
the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.
HOWEVER... if enough of us treat VPN use as normal... the calculus changes.
blocking a few percent of weirdos is easy... blocking half your paying users is not.
i don't know the answer... but i suspect it's going to get more fragmented before it gets better.
Thanks for the heads up.
aren't Cloudflare exit nodes also content edge servers so impossible to block?
Lidarr relies on people ripping this music, and also adding the metadata to Musicbrainz, which just simply isn't going to happen for most SC uploads.