The mere fact that CloudFlare and similar services are a "requirement" for not being beaten into submission for pennies of traffic flooding in to a website is a clear design flaw of the global communications system.
No site or service should be forced to receive //every// bit of information sent at it. Nor should they be forced to blackhole (route) /themselves/ (giving in to the terrorists) out of existence.
Clearly, we are lacking a means for pushing 'cancer' filtering over to the source side of data transit. To the point where it becomes the problem of the source ISP. "Block this customer" (for a while) and "don't send us any traffic at all" (for a while; in response to /far too many/ abusive customers) are the necessary solutions.
That problem is hard. It's not just that we need a way to tell the source ISP to drop the traffic on their end, it's that we need a way for them to trust that you are the actual destination and not someone trying to cause a denial of service by having them drop legitimate traffic.
Which is basically the key distribution problem, i.e. one of the hardest problems in security.
And it's not clear it would even fix it because of the way DDoS works. The attacker has some huge botnet with hosts all over the place. Each of the hosts doesn't have to send an unusually large amount of traffic, there are just many more of them than there are normal users, which is enough to overload the servers. But unless you have a way to distinguish the attackers from the normal users -- and it has to be something they can't compensate for once you start doing it -- you don't know who to block.
What Cloudflare does is to just absorb the traffic by brute force, and then the problem is that they themselves become a centralized target for imposing censorship.
So it feels like the solution is some kind of decentralized Cloudflare, in the nature of IPFS or BitTorrent, which causes content to be hosted on more sources the more popular it is. So that if you get a huge traffic surge targeting some specific data, every node hosting it sends it to another node which doubles the number of hosts, and then doubles it again until there are enough sources to handle the traffic.
I think a large part of it could be solved by a combination of (1) egress filtering and (2) the ISP enforcing TCP congestion control -- so that if a DDoS'd server stops sending ACKs to an attacker, the attacker gets limited (at its own ISP) to 1 packet every few seconds. For UDP, something similar could probably be done -- e.g., if no packets are received from the other host, then drastically rate-limit the bandwidth to that host. (I'm not sure if this would break any widely used UDP protocols, though.)
The current dark age where nearly everything uses TLS/443 has been the net result, because for a significant minority of networks nothing else can get through. People are now even running DNS over TLS, even though DNS itself is allowed and DNS over TLS is complicated and inefficient, because the middleboxes prevent the DNS protocol from evolving to have better security.
Inviting more interference would only create more problems. For example, suppose I want to create a multipath UDP-based protocol where the acknowledgments can be consolidated (and so only sent along one path). That proposal would break it and force me to use something less efficient. In general it creates asymmetric routing problems at the ISP level.
Middlebox "solutions" cause problems that are hard to predict and even harder to fix after the fact, because once 20% of networks are doing something it's hard to get half of them to stop even after the problems are discovered.
And it may not even solve the original problem. What happens when the DDoS is just a botnet acting like a huge number of normal users?
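The source-side policy proposed above (egress filtering plus throttling a sender whose destination has stopped answering) and the asymmetric-routing objection raised against it can be seen in a small model. This is an added illustration, not part of the thread and not any ISP's implementation; the class name, the thresholds and the RFC 5737 documentation addresses are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Flow:
    unanswered: int = 0                 # packets sent since the last reply seen
    last_reply: Optional[float] = None  # time of the last reply seen on this path
    last_sent: Optional[float] = None   # time of the last packet forwarded


@dataclass
class EgressPolicer:
    """Hypothetical per-customer policer at the source ISP's edge."""
    customer_prefixes: list             # prefixes assigned to this access port
    grace_packets: int = 10             # unanswered packets allowed (assumed value)
    reply_window: float = 5.0           # seconds a reply keeps a flow "answered" (assumed)
    throttled_interval: float = 3.0     # one packet per 3 s when throttled (assumed)
    flows: dict = field(default_factory=dict)

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(p) for p in self.customer_prefixes]

    def outbound(self, now, src, dst):
        # (1) Egress filtering: a source address outside the customer's own
        # prefixes is spoofed and never leaves the network.
        if not any(ipaddress.ip_address(src) in n for n in self.nets):
            return "drop-spoofed"
        f = self.flows.setdefault((src, dst), Flow())
        answered = (f.last_reply is not None
                    and now - f.last_reply <= self.reply_window)
        # (2) Reciprocity check: once the grace budget is spent and nothing has
        # come back, let through only one packet per throttled_interval.
        if (not answered and f.unanswered >= self.grace_packets
                and f.last_sent is not None
                and now - f.last_sent < self.throttled_interval):
            return "drop-throttled"
        f.unanswered += 1
        f.last_sent = now
        return "forward"

    def inbound(self, now, src, dst):
        # A packet from the remote host back to the customer marks the flow
        # as answered. Only replies that cross THIS device are counted.
        f = self.flows.get((dst, src))
        if f is not None:
            f.last_reply = now
            f.unanswered = 0


def simulate(policer, src, dst, packets, interval, replies_visible):
    """Send `packets` at a fixed interval; return (forwarded, dropped).

    replies_visible=False models both a server that has stopped answering
    and a healthy flow whose acknowledgments return over another path.
    The policer cannot tell these two cases apart.
    """
    forwarded = dropped = 0
    for i in range(packets):
        now = i * interval
        if policer.outbound(now, src, dst) == "forward":
            forwarded += 1
            if replies_visible:
                policer.inbound(now, dst, src)
        else:
            dropped += 1
    return forwarded, dropped


# Constructed sample values (RFC 5737 documentation ranges).
CUSTOMER_PREFIX = "203.0.113.0/24"
CUSTOMER_HOST = "203.0.113.5"
SERVER = "192.0.2.10"
SPOOFED_SRC = "198.51.100.7"

if __name__ == "__main__":
    print("spoofed source:",
          EgressPolicer([CUSTOMER_PREFIX]).outbound(0.0, SPOOFED_SRC, SERVER))
    print("replies seen on this path:",
          simulate(EgressPolicer([CUSTOMER_PREFIX]),
                   CUSTOMER_HOST, SERVER, 200, 0.125, True))
    print("no replies seen (dead server OR asymmetric return path):",
          simulate(EgressPolicer([CUSTOMER_PREFIX]),
                   CUSTOMER_HOST, SERVER, 200, 0.125, False))
```

The last two runs differ only in whether the return traffic crosses the policer, which is why a multipath or asymmetrically routed flow is throttled exactly like a flood at an unresponsive server. A botnet whose hosts each receive normal replies passes untouched.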
I thought that's exactly what the first `D` stood for...
That amplifies the attacker's bandwidth but is a lot easier to distinguish from normal traffic, and would be prevented if everyone did egress filtering because then the attacker couldn't spoof the requests.
But that only prevents the amplification, not the general problem. A botnet with millions of computers in it has enough bandwidth even without amplification to cause plenty of trouble.
Why not do this? Is it impossible to design it in a non-abusable way, or is there too much overhead to store and apply a possibly long list of arbitrary blocking rules?
The command and control network would authenticate the source request via some means and if it's authentic act accordingly.
The benefit of this is that it also allows for identifying infected or otherwise abusive customers and actually being proactive about getting them cleaned up.
Of course all of that degrades the 'customer' experience, and costs money. Both of which are probably why no one does this right now.
This situation involves a private company that is no longer serving data from a domain found to be in violation of the law. It does not meet the same definition.
So large collective action is required. Or we continue to pay cloudflare.
> No site or service should be forced to receive //every// bit of information sent at it.
They aren't, but usually public websites/services want to receive everything. Determining what's legitimate or not isn't easy because of the distributed part of DDoS.
- a design perspective (they are a somewhat single point of failure for much of the web, and add complexity/potential vulnerability), and from
- a control perspective, you are giving them control over your site and they have shown themselves capricious in the past as well as vulnerable to legal coercion. (For instance, could a malicious actor take down a website by sending CloudFlare fake DMCA notices?)
If I may offer a few points, in the interests of helping you understand why people might make a decision that seems so obviously silly?
First, bandwidth is still fairly expensive. It adds up much faster than many people expect. A CDN, especially one that doesn't meter or charge for bandwidth, is a lifesaver. Yes, it's adding a complex potential point of failure to your system. As you completely correctly point out, that is not a desirable thing. However, what you get in exchange for that complexity and potential failure is more controllable costs and a greater ability to fend off some major attacks.
On the control point, you're once again absolutely right! With the potential caveat that this puts CloudFlare on a level with every single other service on the internet. Unless you're one of the few people who owns all the infrastructure starting with your server and ending with a full backbone network, you're already relying on capricious companies vulnerable to legal coercion. So this isn't really a new risk for most people. It is, again, a risk people take because they judge the costs and added risks to be worth taking on.
And one would have to work pretty hard at it to get a fake DMCA notice through. CF's legal department doesn't screw around.
So you're absolutely, completely, 100% right on all counts. It's a lot of risk to take on, and your concern is wise and justified! For a lot of people, the gains to be realized justify the risks taken.
The important distinction is that you're relying on a local ISP, not some company based in the jurisdiction of some foreign government (for everyone outside of the US like sci-hub).
You're relying on every single local, national, and international ISP between client and server. In many places, at least one of those is going to be owned outright by a government that might take a keen interest in what bits it transports. You're also relying on a variety of DNS providers and other services.
The number of services that have to cooperate for you to use any given website is staggering. And they're all capricious and vulnerable to legal coercion.
I'm not aware of cases where a government has coerced someone like level3 to drop a peering relationship to an ISP in a foreign government or conduct BGP hijacking to take down a website under that government's jurisdiction.
Cloudflare is a significant risk for anyone pushing the boundaries of US laws in a different company.
For example, at one point a Pakistani ISP accidentally black-holed YouTube worldwide (briefly) through BGP while attempting to comply with a court ruling to block it.
Awkwardly, the internet already has a lot of those. Remember when DynDNS went down under attack? A lot of websites stopped working that day. They're not the only major DNS provider, either. There are only a few certificate authorities that most commercial certs trace back to. There's a very small number of tier one ISPs.
Ultimately, it's about risk and cost tradeoffs to service providers. How much risk are you comfortable with, and how much are you willing and able to spend resources to reduce? There are no easy answers here, and services that trade on economies of scale (like CDNs) will tend towards concentration.
As a developer, I'm willing to try and help sci-hub secure their network against DDoS or other malicious traffic, assuming this was their reason for using Cloudflare services, and assuming sci-hub were to open source some of this effort publicly.
There is, however, a possible catch. As a developer, there's a sharp limit to what can be done purely in server-side software to mitigate a DDoS attack. Some classes of attack rely on particular kinds of server-side vulnerabilities, and against these your skills are very valuable! I'm sure your contributions of skill would be most welcome.
But against pure bandwidth-flooding attacks, it's more likely that writing more code is of at best marginal benefit. The state of the art for responding to these requires a big network, a lot of bandwidth, and active management. Things difficult to deliver as a lone developer who cares deeply.
I think you just assume the best from people and I really like that.
Mostly I assume people mean well but suggest silly things because they're ignorant. Reading Dale Carnegie taught me that you have to tell people they're right and stroke their egos a bit before you can imply that they might have the wonderful opportunity to become more right.
It's honestly exhausting to implement. It's a lot of hoops to jump through to tell someone that they don't actually understand what they're talking about. However... most people do not typically respond well to being flatly told they're wrong. Explaining how and why they are wrong does not generally improve matters, as people usually stop honestly listening as soon as they hear "You're wrong".
As you say, it does run the risk of coming off as patronizing. It's hard to avoid that entirely, as different people sometimes have drastically different standards.
Definitely. I read your post as very patronizing (even though I agree with it) because you started with "Your heart is in the right place." That's just a sugar-coated way to tell a child "nice try but you're extremely naive". IMO it's better to skip telling someone they are wrong like a child and skip right to the rebuttal without including any references to the parent author (an ad-hominem).
I agree, and I think there'd be a lot of developers who feel the same way (re: wanting to help, valuing freedom of access to scientific information). I wonder, though, if there's really that much we can do as developers. There are of course some vulnerabilities that can be mitigated with good code on the server, but most attacks are impossible to prevent without the resources that a company like CloudFlare can marshal. Unfortunately, the state of the art for responding to DDoS attacks requires a big network, a lot of bandwidth, and active management.
But, obviously, I did not. What I've found is that, if you run light on the praise and ego-stroking, people often either view it as token and ignore it or skip past it entirely. It's a fishhook that lets you smuggle your actual points past defensive mechanisms. You have to set it deep before it's actually useful.
And then you have to wrap your point in completely unjustified uncertainty anyway, to be sure that whoever you're interacting with doesn't feel attacked. People who feel attacked generally aren't listening to, engaging with, or learning from your points.
Orchestration scripts and test suites are of minimal value here. They already exist for pretty much every configuration you might need, and already in open source ways. Open sourcing the tools is of very little value in meeting the needs of a site like SciHub in protecting itself from DDoS attacks. What's actually needed is servers and bandwidth.
Which is to say your heart is in the right place. You have the right ideas, and it's wonderful how much you care! It's just possible that the need at hand might be other than a maximal fit for your skills.
I hope this conversation has been as educational for you as it has for me, and thank you for the opportunity to engage!
When using Tor you had the possibility of using captcha-free SciHub with their own onion service: http://scihub22266oqcxt.onion/ (it's down for now)
Or how there's no downside for an ISP to not filter outbound connections (ip spoofing). Or how there's no downside for people to send unlimited traffic because their devices were compromised (imagine if their bill suddenly went up).
The internet is broken. Complaining that people use CloudFlare doesn't solve it.
Also, CloudFlare is far less capricious than any other company, even free speech crusaders like Twitter and Reddit. AFAIK, CloudFlare has capriciously banned just one site in its history.
I really hope we see a competitor for cloudflare and I'd immediately switch. But as far as I know, all others bill you for traffic and are focused on CDN more than protection.
Cloudflare showing they could take down some websites because of their content conveniently set them up to be a pressure point in other cases as well such as this one. The argument that they are 'just a common carrier' and have no influence over the content they serve went out the window that day.
Is this the incident you are referring to? https://www.theregister.co.uk/2017/08/16/cloudflare_ceo_dail...
> "We could not remain neutral after these claims of secret support by Cloudflare."
So common carrier status is forfeited if a company reasonably terminates a contract due to the actions of the other party?
That being said, this argument is a recurring theme. It came up when spez edited comments on "/r/the_donald" and comes up any time a company enforces its own TOS in a way the alt-right and libertarian crowds don't like.
I can come up with dozens of examples of companies exercising control over the content of their networks without issue. Reddit removed "fatpeoplehate" and related subs, youtube removes terrorism recruitment videos, and even Cloudflare removes malware (if pushed hard enough). None of those cases resulted in this mythical "common carrier" status being removed, or caused them legal issues in other ways. If I'm wrong it should be easy enough to come up with examples proving it, but that won't happen.
sci-hub is appreciated by far more people than the alt-right and libertarian crowds. Is there any particular reason you felt the need to try to politicize it?
For some reason the alt-right has been all over this claim, and they use it whenever they get censored (either on reddit or twitter), and the libertarian crowd does the same here on this website.
Also, I do want to point out something- saying that someone's argument isn't valid because they have a misunderstanding of the law is not the same thing as taking a side. I think sci-hub is awesome, but I'm not going to defend it by making stuff up.
I have never seen "the libertarian crowd" (of which I count myself a member) use "common carrier" language on anything outside Internet Service Providers, NN, and Title II regulations.
We defend free speech, and want to hold organizations that claim to support free speech to actually supporting free speech. We believe if a website says "They support free speech and want to allow free exchange of ideas" that they actually uphold those claims... to make a public claim of supporting free exchange of ideas or free speech on your platform then use heavily handed censorship is in our opinion very similar to bait and switch fraud and should be considered as such under the law even if you sneak in some provisions on page 100 of your 8point font legalese terms of service...
I know we libertarians are soo crazy with our ethics and principles...
"We don't take sites down if the content is not illegal" is a pretty clear consistent position to fall back on.
"We don't take sites down if the content is not illegal except that one time the CEO decided we would" is not, so you need a different reason, and they don't have one anymore.
Yes. That's why I can trash Verizon or smear Verizon's CEO name from a Verizon phone and Verizon cannot use it to terminate my service. Neither can AT&T.
[Edit: Responding here because HN is saying I'm posting too fast]
Non physical plant phone companies have never had any decisions on them that would affirm if they are or they are not common carriers. Verizon Wireless' data services subs behave as if they were.
Brand X decision is largely misunderstood because it deals with LECs, CLECs and companies that would like to get access to CLEC like benefits without being CLECs. Its scope was incredibly narrow which is why it took that many years for FCC's net neutrality rules to be overturned ( and why it was done by the FCC ) and why it allowed FCC rules to stand.
Being disconnected due to utilizing it for harassment is also rather complicated ( and has lots of possible legal theories that have not been tested ):
- it is known that a phone company cannot disconnect the last "live line" service, even for non-payment.
- phone company may restrict one's ability to use the service as long as it continues to provide live line service ( for wireless service it is what allows one to use a locked or administratively disabled phone to make emergency calls ). There are however tons of hoops to jump through.
Things become a lot more interesting with MVNO because they are really nothing other than buying clubs even if what they buy is a network access. I believe MVNOs can actually terminate services for any reason as they should not fall under the common carrier label.
This in turn makes me wonder if Verizon/Sprint/ATT/TMO are actually MVNO themselves as I know for certain that entity from which customers buy services are not the entities that operate it.
I'll point out too that Verizon or AT&T can terminate services for other things. If your line is used to harass people or make prank phone calls then it can be shut down. Common carrier doesn't mean that they have to allow everyone to use their service.
Note that this is subject to change in the present.
Why not because of their countless previous similar moves?
I am proud that as an ISP in the 90s, and then as a VDN (CDN for video) in 2000s, we successfully kept all our clients online despite countless acts of bullying including CDA and DMCA.
We even had a major satellite carrier go after our various DC real estate providers and backbone connections.
You’d be amazed how long you can keep a client online just by requiring DMCA notices to adhere to the letter of the law before complying — usually weeks!
More than enough time to give clients notice and for clients to make arrangements.
My comment you replied to is still sitting at -4 :(
I merely pointed out the consequences of exercising editorial control: that once you show you can do it you lose any kind of argument based on your ability to do it or that you are only taking down content when the law requires it, such as when ordered to do so on account of a ruling by a judge.
My position is pretty consistent:
- Cloudflare for the longest used a broken argument to leave all kinds of crap websites up longer than they should have (for instance: booter sites)
- Their argumentation was that they would not censor sites based on content unless a court order was presented to them
- And so they were aiding and abetting many illegal schemes, which were too costly for the people suffering from those schemes to prosecute (for instance: because they were abroad)
- But when the Daily Stormer thing happened Cloudflare crossed their self imposed line
- At the time I pointed out that they would regret this, just like Slashdot folding for Scientology would regret it.
- And now we've come to the end of that line and Cloudflare now takes down sites because some vested commercial interest is harmed, as predicted.
So, I argue that they should exercise editorial control, and that they never had any shot at achieving common carrier protection (because (a) they are not a phone company and (b) because they are not essential, and (c) they never litigated that).
In this case it would have been nice for them to make a stand. Unfortunately for Cloudflare the publishing houses can now point at Cloudflare taking down the Daily Stormer without a court order, and there is no helping them for that. But just like before, Cloudflare simply is a commercial service, they have the ability (and sometimes the responsibility) to take down content. They are simply bad at picking their battles.
Then finally, I see the likes of Cloudflare as a cancer on the web. Way too much power in the hands of one entity in a jurisdiction that is too expensive to litigate in for the vast majority of the world. I hope the net/webservers will get fast enough and that bandwidth on the server side will get cheap enough that we do not need CDNs anymore.
I thought you were taking the position that CF should be a common carrier. Which to me seems like the logical stance.
Upthread you mentioned CF as not being essential, but based on the current limitations of the web - DoS protection is essential for small publishers. It would be too easy to silence marginalized communities with a small botnet.
Leaving it up to CF to be the judge jury and executioner is too much power for one company. We have democratic courts for this sort of thing. The web is broken and until then I think DoS protection is essential in exercising our first amendment.
CF took that position, in the past to defend their leaving all kinds of outright illegal stuff such as booter websites (sites that offer easy to use interfaces to DDOS tools) up and running.
> Which to me seems like the logical stance.
But that makes your argument more a strawman than anything else.
No, I don't think CF is special in any way, not until they litigate that and get an official stamp of approval that they are not going to have to comply with 'regular' takedown requests, since normally aiding and abetting criminals is bad.
CF does not have to provide service to every comer and they have gone out of their way to prove this.
> Leaving it up to CF to be the judge jury and executioner is too much power for one company.
That I agree with, but this is no different from Facebook, Google or any other tech giant. Cloudflare claimed to be somehow special in this respect, I've yet to see FB or Google make such an argument.
Though, Google to some extent tried to do this by claiming for a while that only their algorithms determined what is visible without human input. Nowadays human input is as important a signal as the algorithms and it has final say too.
> We have democratic courts for this sort of thing. The web is broken and until then I think DoS protection is essential in exercising our first amendment.
Unfortunately, your point of view is still US centric, which means you are missing an important piece of the puzzle here. The web is much larger than the United States, 'first amendment' protections do not apply outside of the US, and Cloudflare is routinely hiding behind that first amendment in a way that makes it very hard to prosecute - or even do anything about - the criminals they enable.
Cloudflare wishes to have it both ways: to claim first amendment rights when it suits them and to play judge, jury and executioner when it does not. And in the meantime the rest of the world has to dance to their tune because they are not in the jurisdiction of the victims. That's not a tenable stance in the long term and the Elsevier case shows you quite nicely just how hypocritical this is.
CF is closer to an ISP than something like FB because CF only provides the pipes. It's literally providing an internet service. I'm aware they haven't legally earned that distinction, but from a logical perspective - mirroring a server is nothing like providing a social networking platform.
Common Carrier is a legal term that refers to regulation under Title II of the Telecommunications Act. It grants the FCC the ability to classify certain communication companies as common carriers. That status can only be acquired by FCC action, not implicitly by following any standard set of rules.
The argument that taking action once creates a liability to police all content you're serving stems from an outdated court case.
The Communications Decency Act of 1996(!) specifically addressed the issue:
[..] Through the so-called Good Samaritan provision, [Section 230] also protects ISPs from liability for restricting access to certain material or giving others the technical means to restrict access to that material.
Agreed, they're not a phone company to begin with. But they did try to use that argument and they definitely did not help themselves.
A better argument would have been to claim they don't have the technical capability, that might have bought them some time but then too they should not have shown first that they do have that capability. All in all a less than stellar performance.
But you can see how their reasoning went from "If ISPs can be common carriers why couldn't a CDN be a common carrier?". That said I can see the case for domain registrars and the Tor network long before I can see one for a CDN.
Try hosting a site on cloudflare that significantly upsets a major SV company and see what happens.
Hardly a problem with most people, but they certainly exercise content-level discrimination (in the most neutral sense of the word).
That case is also complicated by the claim that they dropped that site in response to Daily Stormer people claiming CloudFlare supported their ideology. Given the number of objectionable sites which they continue to provide service to, that seems plausible.
I have no idea where the remark about the other tech giants comes from, though.
The idea that exercising some control over the content on someone's network or application removed their various liability shields is also completely false. Youtube removes pornography and terror related videos, and sites like reddit remove "abusive" (defined by their TOS, not any law) content, all the time. Never once has this broken their liability shield.
It doesn't break the liability shield because it's not being selectively enforced.
If YouTube deleted some porn but not others, this protection would no longer apply. Reddit is allowed to delete content that violates their ToS without needing to answer to anybody.
This is literally the opposite of what you are claiming. To quote wikipedia,
"The act was passed in part in reaction to the 1995 decision in Stratton Oakmont, Inc. v. Prodigy Services Co., which suggested that service providers who assumed an editorial role with regard to customer content, thus became publishers, and legally responsible for libel and other torts committed by customers. This act was passed to specifically enhance service providers' ability to delete or otherwise monitor content without themselves becoming publishers."
> 18 U.S. Code § 2257 ( https://www.law.cornell.edu/uscode/text/18/2257 )
This is the law requiring record keeping for producers of pornographic content. This has nothing to do with what we're discussing here.
> 47 U.S. Code § 231 ( https://www.law.cornell.edu/uscode/text/47/231 )
This law requires people who make porn available to not allow minors to access it. The closest thing I can see that relates to our point is that it grants immunity to ISPs for porn sent over their network.
You said it's completely false that exercising control over content on one's network diminishes a provider's ability to claim safe harbor. I've given you two laws on the books in the US that say otherwise. What are you basing your claims on?
Government/whatever party has to compensate a common carrier a reasonable amount of money for determining and filtering content. Not having tools to do it means a company gets to say "this would cost X, write us a check". If X is too big, government/other party tends to walk away. In my previous life, we have used this argument successfully to quash several court orders. The reason why we were successful is because a very smart attorney that happened to be a relative of a founder convinced him one day that under no circumstances should we develop such tools ahead of time.
One of our competitors had these tools developed. They had a similar court order served on them. They attempted to use the same argument we used. They failed because the government offered court the evidence that those tools already existed and were used by our competitor and hence there was no undue burden.
[Edit: Responding here due to rate limiting]
> It's FUD because it does not apply, at all, to the existing scenario. Common Carriers have specific legal meanings, and internet companies don't fall under that.
This is also unclear. Common carrier is reasonably well defined based on what was known about certain technologies at the time.
NSPs/webhosting providers/CDNs/etc have never litigated their common carrier status to my knowledge as in most of the cases it does not appear that being a common carrier is beneficial to them. This does not, however, mean that there cannot be a situation where being a common carrier would not be advantageous to a NSP/CDN/webhoster. This is why most of them would prefer to behave like common carriers even if they are not - it is optionality and having more options is typically better.
This comes up all the time. During the Obama administration there was talk about reclassifying network services so that this would apply (it would make things like home internet far more competitive if it was). That never happened.
ISPs actually do. And they are very much internet companies.
CF's whole mistake was to pretend that they were nothing more than dumb pipes and that what was legal or at least not explicitly ruled forbidden on a case-by-case basis was good enough for them. They never were dumb pipes, they always had editorial control and they provided the proof of this themselves.
EDIT: I'm unsure you can argue, with a straight face in front of a judge, that you're a common carrier when you've publicly blogged about determining to terminate a user because you felt like it. I'm not judging Cloudflare (anymore), just observing the pickle they've put themselves in because of their own decisions.
Sure you can, since “common carrier” is a centuries old common law classification that the FCC has nothing to do with, as well as also a statutory classification under the Telecommunication Act inspired by the common law classification, as well as a statutory classification under other laws.
And even for the classification under the Telecommunication Act, one could argue the definition in the Act whether or not the FCC has applied it in a particular way (this requires overcoming the deference that courts give to executive agencies delegated decision-making powers by Congress, but it is not an impossible argument to make in principle.)
Explanation for why I downvoted your comment:
Your comment is completely unconnected to the statement above it. It's only connected to the story in that Cloudflare was involved with both, but if you're going to try to connect it to this story your comment should go at the top level. But connecting a highly controversial subject to this one by posting inflammatory comments does not seem to be a good way to connect these two different stories.
Cloudflare wants to project the idea of being critical Internet infrastructure without the governance and responsibilities that go along with that.
No one wakes up at a root DNS server one day and deregisters a domain because they feel slighted by the content of that domain.
If Cloudflare hadn't effectively given up its status as a common carrier, by blocking stormfront, maybe it would have been able to defend itself from the sci-hub court order.
Cloudflare being forced to take down content in the future is exactly what people predicted when they decided to give up their status as a common carrier.
In related news, I did not give up my status as a fish by breathing air.
They are trying very hard to be a common carrier, because they want the legal protections that it provides them.
But, because of their actions, they've lost the court cases, and are unlikely to receive that status.
In fact, up until near the end of that century if anyone was using trade pressure to try to get copyright changes, it would have been other countries trying to get the US to change. The US copyright law at the time provided very little protection for foreign authors. Their works were essentially public domain in the US.
But that being said, no rational person could possibly believe that copyright exists only due to external state actor pressure from "the richest countries"... and not due to the fact that entrenched financial interests influence every nation on earth. Over-the-top zealotry only serves to discredit more sober critiques.
History suggests otherwise. Something that many of "the richest countries" have in common, including the US, is near-complete disregard of other countries' IP laws during their formative stages. Once these nations climb to the top on a heap of broken IP laws, they invariably set about building it even higher.
To begin with, a figurative threat to do so is being issued by USA with nowadays unsurprising regularity.
And the more of a paper-tigerness USA's trade policy demonstrates, the more countries ignore it wholehandedly.
Has the US invaded China over copyright? Has India been invaded or embargoed over lax IP laws? How about Russia, Argentina, Chile, Indonesia, Pakistan, Thailand?
Here's the Priority Watch List from the US Trade Representative naming the biggest IP offenders in the world:
We can note that the US hasn't sent a "Marine Expeditionary Force" to any country over the issue. The US hasn't even sent a cruise missile to send a message to prolific IP violators. A strongly worded letter has been the extent of the "invasion."
It's getting to be almost comical that the US is being presented as the cause of all that is wrong in the world. The anti-Americanism that's rife here is a bit ridiculous -- we're on Hacker News -- a site that is sponsored by an organization (YC) that's the epitome of American capitalism, located in the epicenter of one of the most successful and valuable regions on the planet: ground zero for the invention of the devices and software with which you're able to read this and type your responses.
It's ironic to be complaining about the country that invented much of the tech you're using right this minute enabled by the very laws about which you complain.
The United States isn't perfect, nobody is disputing that. However, the suggestion that the United States is going to send in the Marines over differences in IP law.. That's just absurd, based on zero logic, and needs to be called out for the nonsense it is.
Have you forgotten how India was made to agree with TRIPS in the 90's?
Unfortunately, this could be said on basically any forum on the internet. Do you happen to know of an alternative to Hacker News that doesn't have this problem?
Well—here's the other side of that—I frequently get thoroughly sick of the US parochialism, ignorance of history, denial of basic realities etc "that's rife here". Well, people swallowing whole the shiny story the US mass media seems to paint about the US' role in the world in the last 130 years is a large part of it I guess.
Not the first time I've read on here about someone sick of "the US being presented as the cause of all that is wrong in the world." But I don't think anyone says that.
You could have chopped out a page of your comment, the many lines of ridicule, as advised in the guidelines. Well, I can hardly advise you to stick to your point in a comment as off-topic as this. :-) But I thought your complaint needed counterbalancing.
- Sci-Hub is doing good, but breaking the US law.
- The US law in this case is immoral, people don't like the law, and the law is bad for the country.
- The US government is unable to notice that these laws are bad, and so will continue doing bad things (like shutting down Sci-Hub).
Can anyone test their i2p eepsite as well?
Another similar solution would be to set up ResilioSync or LibreVault repositories, again makes it decentralized by P2P, there are public repositories so anyone can join and leech/seed files, owner can update files.
I'm surprised they're not doing it already.
I'm not familiar enough with IPFS, but I think once onions play nicely with IPFS (i.e. when this is solved), then it could be very promising. I'm not sure how censorship resistant it could be.
https://github.com/ipfs/notes/issues/37
yes, that's the problem. Once you have a torrent they can't add new files to the torrent, they have to make a new one, and you have to download the new one.
Also this website is blocked in the UK.
Use the Tor Browser to access it: https://torproject.org/download
Is anyone else doing something similar?
Sci-Hub is important - it's one of the most important resources we have today. How can we support Sci-Hub?
This will remain the case, because the impact of tech-interested voters to whom elected officials' support of this status quo matters is trivialized by the apathetic majority. Therefore, the tech community's only recourse is to pressure the middlemen, such as CloudFlare, who can interfere with this type of corporate action.
Lately, I'm not impressed with our government or the people who elected it. I think both groups -- meaning corrupt people in the first instance and stupid people in the second -- have far too much power over the rest of us.
Subversion and disobedience on the part of everyone from multinational corporations to individual Internet users may, unfortunately, be the only remaining way forward. I don't pretend that this state of affairs is good for society, but it is what it is.
They are saying CloudFlare should behave like a common carrier and NOT have any policy to begin with.
But Cloudflare already lost that privilege. And now the Common Carrier Chickens are coming home to roost.
Public transport is a common carrier in the US; oil and gas pipelines are also common carriers. They don’t ask the FCC to classify them as such.
As a business user, I would absolutely want $CDN_PROVIDER to only allow / serve traffic in compliance with the laws of my country. I wouldn't want any chance of my non-controversial content being blocked because some third-party caused my host to be removed from the internet, either by direct action (BGP blackholing / similar) or by side-effect (IP or block being added to $FIREWALL blacklist).
So now I have to transfer all my domains away from them and go through all the trouble of setting up DNS elsewhere.
Also, use an app such as Authy to store your 2-way tokens.
why would they want to mess with cloudflare anyway.
There is some kind of weird disconnect between the reality of distributed communications, and people/companies who seem to think that they have a prayer of stopping them. You’d think that the near implosion of the music industry would have been a clue though. Where there is demand and anti-consumer practices, there will be piracy.
Is it just that people making these decisions are ignorant, or emotional? Does anyone know?
I am 100% for Sci-Hub; I think it and sites like Arxiv are the natural evolution of professional journals and the future of academic publications. But I do understand why Elsevier is fighting this. It's not a disconnect, it's not like they don't see the writing on the wall, they just want to secure their benefits as long as they can and enjoy the good life while it lasts. If their lawyers succeed, then there's no worry, the party continues.
If they fail, at least they have plenty to rest on. If they're going to lose it all by not fighting, then it makes perfect sense to bet it all by fighting, because with Sci-hub and distributed systems (Tor, bit torrent), there is no winning in the long run. At least, not living with the revenue they are now.
So you don't have to be ignorant or emotional to make such a decision, you just have to make a calculated gamble and figure out which is going to hurt the least in the long run all things considered.
The music industry saw a revival of sorts, with Spotify and other streaming services offering a reasonably priced and extremely convenient alternative to piracy. That sort of an arrangement, while still not ideal, is probably the best Elsevier can hope for in the long term - provided they can offer a sufficiently interesting alternative to scihub.
That position is not what is "unreasonable", their existence is what is unreasonable. The fact that a company like Elsevier needs to be toppled by piracy at all is unreasonable.
The legal framework that has allowed Elsevier to profit from public research is unreasonable.
>>But I do understand why Elsevier is fighting this.
I also understand why a serial killer would fight going to prison, that does not make the serial killer reasonable, ethical or just
>>If their lawyers succeed, then there's no worry, the party continues.
I disagree here, if their lawyers succeed then they do a great disservice to humanity, and further entrench copyright law, possibly even expanding it with legal precedent
The core problem seems to me that ethics has way too low impact on university courses, no matter if in STEM, finance, law or everything else.
For example, it is certainly justified for a lawyer to defend a serial killer (after all the right to representation in court is a basic human right, or at least should be) but a company has no moral right to legal assistance. No lawyer is bound by code or law to assist a company - but many do because of individual profit and ignore the loss that society has to shoulder.
Wow. That is harsh.
The current state of music is that artists need about 4 million Spotify plays per month to make minimum wage ($1160). That's assuming the artist does not have to share the revenue with anyone and not counting the time needed to break even on the initial investment (if you even manage to break even before the recording is 'old' and you're up for a new one).
Realistically there is no money in recorded music anymore except for the John Mayers and Taylor Swifts, so nothing has been solved in that industry and there is no 'clue' to get.
There was a legitimate source of income, then technology devaluated the product to oblivion. It's not worthy of damnation that those in an industry that is being levelled with the ground are caught off guard and attempt to fix their problems.
It would do us good to empathise with the people in these industries, because there are going to be a heck of a lot of them in the coming years. If we value the product of their labor we should want to offer them an alternative source of income instead of berating them.
If you wanted to figure out the wage, you would have to take the number of hours spent creating the music (writing, practicing, recording), then divide by (revenue from streaming - costs to record). Since that streaming revenue can keep going long after they are done recording, you are going to hit minimum wage if you wait long enough and people keep streaming your music.
Artists deserve to be compensated for their work, but we should be thinking about it in terms of income per hour worked. No other job expects to be paid forever for work done years ago; if someone hires me to build a fence, I don't expect to keep being paid for every year that fence is up.
I completely agree. The minimum wage figure was just a reference point that aligns with the way we pay for it: monthly. It's ridiculous music has (been) moved into this area.
The same problem is in the software industry now. More and more companies move to subscription business models simply because a pay-upfront model isn't viable anymore. Sure, it's great to support developers in their endeavours, but what if I just want to buy this exact version of the app and decide for myself if I want to pay for bug fixes and extra features later? Maybe this version is fine for me. But the new business reality doesn't allow for this.
> No other job expects to be paid forever for work done years ago; if someone hires me to build a fence, I don't expect to keep being paid for every year that fence is up.
The entire intellectual property licensing space works in this way, and that space is badly broken. I agree that there's no moral requirement to pay someone for work done years ago, and the reality is that most musicians really aren't. A quality recording takes a long time to make and its average lifespan is about a year (if that) before attention (if any) dies out.
On top of that it requires a big investment to record, produce and promote an album (consider also a new website, logo and album art) and then after all you have to share the $0.00029 per song play with about five people and the label. You're lucky to break even at all.
1. Everyone could afford access to all the music in the world.
2. Tons of new music is being created. Creativity seems fine. Creators are still highly motivated to release their music and even without making a living through music there are still many benefits to being a musician.
And yes, it's hard to make a living through music. So what? Why is this a necessity?
Just because people keep doing something doesn’t mean it’s all “fine”. People make music in spite of the hardship. All of society benefits from their irrational, self destructive drive for creation. We could show some empathy and at least acknowledge that. Maybe even help find a way to make this beautiful gift they bestow on us less painful?
Currently it feels like we’re making them shit roses for us. Maybe let’s help trim the thorns :)
Source: I know several musicians first hand, and it’s not “fine”. :/
It would still be correct. Low average incomes for musicians and most apps not breaking even is a signal in both cases that the current supply is more than enough, and you should consider other opportunities.
> People make music in spite of the hardship. All of society benefits from their irrational, self destructive drive for creation.
There's a difference between the total and marginal benefit to society. If all musicians spontaneously quit and nobody replaced them, we'd be worse off. But in the actual world, if somebody is deciding whether to pursue a career in music or engineering, the latter probably has a higher expected benefit.
That has ended.
As a programmer I sometimes reflect just how lucky I am to be born right at the historical moment when my abilities align with the economic demand. A few decades earlier or later and I'd be lucky to be an accountant or something.
Yet, what form should empathy and compassion take? Empathy isn't a policy prescription. It doesn't come with technical requirements. Artists have alternate sources of income available, but this often runs into the basic problem that they aren't structured like the album sales of yesteryear. Different skills and approaches are required.
So what's an empathetic lover of music and culture to do? I only know that the previous system didn't work any better - Courtney Love doing the math made that clear.
If you're pulling those numbers, and know what you're doing, you will almost always have opportunities to make (much) more money doing shows and placements.
Additionally: while the distribution of musical success was and still is bimodal, thanks to the fragmentation of culture caused by the Internet there is a growing middle creative class.
Have you seen Patreon?
Patreon, Bandcamp and Tunecore collectively pay out about $25 million per month. That's minimum wage for 21 000 people, assuming each artist gets an equal share (which they obviously don't). This doesn't seem like a lot to me.
Yes, it isn't a lot, but it's a good start that has already had some success. Hopefully it will continue to grow.
 e.g. the recent drama with Patreon changing their payment model
I would (and do) advise an artist (and a friend, or a random person off the street) to have income from more than one revenue stream.
> It would do us good to empathise with the people in these industries
there's no reason to be empathetic towards the industry, even if we are entirely and wholly in support of artists, their work, and expression.
to put a finer point on it: the fact that there is an "entertainment industry" frightens me. this is not to say we shouldn't find entertainment, and share artworks/creativity/etc... but that our need (or training) to be distracted from the horrors of modernity presents sufficient demand for An Industry of this scale is troubling. The existence of this Industry may be seen as an indicator that our civilizations are performing acts of violence upon ourselves and our homes that we would be better served by ending.
Imagine the area under the curve, and how much money that adds up to, if we went from a market with CDs and DVDs and happy cable subscribers to Spotify and Netflix and internet-only broadband as they are today overnight instead of over the course of the years.
Depends on just exactly how rational you want to be. If your planning horizon is quarterly and annual numbers it makes perfect sense. If you want your company to still do business in the coming decades then holding on and denying change can make you blind to the necessary adaptions.
I think their planning horizon is Retirement
If large parts of the population disagree with a business model, they have the collective power to change it.
As a former scientist, I can't wait to desecrate Elsevier's grave. But I'm still uneasy about the prospect of people taking matters into their own hands simply because their technical capabilities are more advanced than those of their opponents. There are also journals, such as Science, that finance the valuable non-profit foundations publishing them.
Of course, this is to a large extent the fault of scientists and university administrators themselves, because they have all the power to refuse to publish in for-profit closed-access publications (as they are apparently doing in Germany.) And the political process in the US is basically broken.
But look at other examples of the same principle, and you might find one where you land on the other side: The Federal Reserve seems the safer bet vis-a-vis the libertarians that jumped on Bitcoin to topple it. Uber has a litany of problems from their "rule-breaking DNA". Or, for the political right: should "illegal" immigrants receive citizenship simply for evading border checks?
* stifled laugh *
our actions are governed by the reality of enforcement. our planning is governed by the expectation of enforcement of the rule of law.
this should be apparent by now.
But science publishers? These guys haven't made an honest buck in decades now. Their business is entirely due to inertia and regulatory capture. The short to medium term goal of all stakeholders is their entire elimination.
> Cloudflare has received the attached court order, Case 1:17-cv-OO726-LMB-JFA
I must clarify I'm not saying this is fair or unfair, I just doubt CloudFlare has much room for maneuvering.
Their "we're only a neutral pipeline" spiel is complete bullshit and I'm glad they are being held accountable for it.
(Short version: They are not neutral because they provide a paid service for the websites they host. Yes, in some cases it's a free service but in that case you are still "paying" in good publicity. The fact that no money changes hands doesn't suddenly make them a neutral party.
They are also absolutely a hosting provider. Even though they don't host the central, permanent, authoritative data of the sites themselves, they still host plenty. They store images, code, stylesheets even complete pages in their cache. The data is on their servers, being pushed onto the internet from their ip's. They host the DNS. They can even host some business logic with their page rules.)
Without going into whether the rules that apply to webhosts are fair, it is a very good thing that Cloudflare is being held just as accountable as any other service provider.
Their IP's, their responsibility just like any other party.
Edit: Those downvotes came quick. Care to comment on why you think Cloudflare should be held to a different standard than a traditional hosting provider?
Cloudflare serves up illegal content, let's say a phishing site.
Cloudflare refuses to stop serving the phishing site.
Cloudflare refuses to disclose who they are serving the site for.
By using your metaphor, the county would not even send out the sheriff to prevent a shipment from illegal material being driven over their highway once they were aware of it and would just flat out refuse to cooperate with state police.
It's not up to Cloudflare to decide what content is or isn't illegal. But Cloudflare actively prevents investigations to even start determining whether or not something is illegal.
You name Cloudflare and a provider of the phishing site in a lawsuit. It makes it through courts. Cloudflare is unlikely to attempt to defend it. Your attorneys figure out how, as a part of the redress, to get an order for Cloudflare to disconnect the phishing site. You hire appropriate parties to service Cloudflare. Cloudflare disconnects the phishing site.
That's exactly how it is supposed to work.
Except CloudFlare refuses to name such an entity. All they're willing to do is forward my complaint to the "provider of the phishing site".
So they're willing to violate my privacy and put me in danger by possibly forwarding my details to possible criminals, but they refuse to do anything about the actual problem.
They say they will
> put a warning page up for when visitors try to access the specific link. We will also notify the site owner to have them clean the malicious files on their site. 
but that's a flat out lie. I've tried this avenue numerous times.
I shouldn't have to go to court for what is basic network hygiene.
What you're advocating is like having Google disable their spam filter and me then having to sue every single spammer that sends me spam mail.
I'm not saying the same thing about routers.
Cloudflare is not operating routers that make the internet work. They act in the interest of their clients, not the internet in general.
Checking your browser before accessing stormfront.org.
This process is automatic. Your browser will redirect to your requested content shortly.
Please allow up to 5 seconds…
DDoS protection by Cloudflare
Ray ID: 3e87d9d41f9b5504
I would posit that, although speech is protected in many ways in the USA, there are cases where there are definite actions behind the speakers. And I would therefore argue, that when X person gives hatred against a group, and later takes violent actions against said group, their speech isn't just speech. It's a definite call to action of assault and murder.
I also recognize there are false flag operations that could demonize more legitimate groups. But then again, I don't believe that anti-war protestors, or the women protestors are going to advocate for killing Jews, blacks, and LGBT anytime soon.
Poe's law can become a cudgel when paired with takedown rules that companies don't want to (or can't) enforce with the level of thought as a real court decision. I don't like cloudflare saying that they're totally absolved of responsibility, but I do have a lot of sympathy towards their CEO's complaint about being the gatekeeper. If I was in their shoes, I wouldn't want to have to try and formulate a policy rule that keeps Solanas but bans whatever satire or allegory the alt-right publishes.
However, Charlottesville, and their speakers should absolve any idea that this is a joke. These white supremacists actively call for violence against others, and then proceed to enact it.
The distinction here, is the "call to arms"->"illegal action directly related to call to arms". And I do believe that Cloudflare and others have a distinct responsibility in this.
Tl;Dr: say the shit you want, but once you bring violence into it, all bets are off.
In my opinion Cloudflare should not be in the business of making judgement calls one way or the other. The law exists for a reason and, as in this case, when a group is seen as acting outside the law, Cloudflare can be directed to terminate access. They need not preemptively act as judge, jury, and executioner themselves. Another issue is that when you start refusing to accept some group or another, it leads to an implicit endorsement of all the other groups. You can certainly find all sorts of completely abhorrent sites that utilize Cloudflare. A social campaign showing these sites while emphasizing that Cloudflare can, and does, refuse service to sites for what might be perceived as 'lesser crimes' would leave them in a difficult to handle situation. And this will happen. By contrast, not all that long ago they could have simply and eloquently responded, "We do not judge content."
 - https://en.wikipedia.org/wiki/2017_Congressional_baseball_sh...
 - https://en.wikipedia.org/wiki/2016_shooting_of_Dallas_police...