New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
You've heard about "Offshore Hosting", but what about "Offshore CDN"?
valentinex
Member
in General
So guys what do you think? We all know about Offshore hosts, dmca ignored, etc. But what about CDN's? Does such service even exists?
Would love to hear your opinions... 
Comments
possibly related:
https://lowendtalk.com/discussion/211529/how-does-cloudflare-treat-dmca
I think Cloudflare is already pretty lenient judging by the amount of questionable sites I saw using their CDN.
Not really a "thing" yet but... https://fatcdn.com Still in very early stages and currently relies on Bunny's geodns but that is only for now.
Not "offshore" in the sense that most people looking for "offshore" hosting wants... But unless you want a CDN that consists of like... Russian, Moldovan and Romanian POPs only then you won't really get DMCA / free for all / allow whatever CDN.
EDIT: Cloudflare doesn't really care about your content. They just forward complaints to the hosting provider. It's rare that they take any sort of action themselves.
Yes, altrosky.net
@justaguy
Yes that's what i was thinking. Only in specific countries one can setup a CDN pop and be "fine" with everything.
Interesting, 0.5$ per TB seems kinda cheap, no?
IDK what those are or what that means.
I assume the first one is Kiwifarms.
If you've come up with 3 examples, out of the hundreds of thousands of likely sites behind Cloudflare I'll say that my statement that Cloudflare "rarely takes any action themselves" is still incredibly accurate.
Basically requires a huge mob and media campaign, at least in the case of Kiwifarms, to get Cloudflare to deplatform someone. At least that was how it was a couple of years ago, unsure if things have changed that much.
Cloudflare's abuse process:
Now, if this was someone famous and with enough pull to get their social media followers and other random people in a frenzy over this, they may have a campaign that puts enough pressure on Cloudflare to say, "Oh okay. We disabled access to this site." Otherwise, Cloudflare doesn't really care.
I'm not shilling for Cloudflare, I believe they're a data collection company first and a service provider second. But as far as abuse goes, they're incredibly lenient because they just forward things to the hosting provider. Some of the worst offending sites I've seen in regards to reported abuse has been behind Cloudflare, and they take no action on these things themselves.
ddos guard from Russia.
and few small Chinese CDNs. they are not big as Cloudflare Bunny or Fastly but good for DMCA.
yea DDoSGuard is probably a good one. Cloudflare is still really popular since they are lenient. Even if CF shuts down your account just use their free version and sign up with a new account.
π―ποΈ, πποΈ, π¬π (preemptive)
Someone had to have industry connection + some media to be able to trigger the soft rule.
https://madattheinternet.substack.com/p/online-censorships-institutional
Isn't that a good thing? I've used it in the past, good stuff.
America YEEHAAWW #1 company isn't really offshore, if you ask me.
Depends on the "need". Many people who want "offshore" just think they need "offshore" because they want to be an asshole on the internet.
That's fine in America. You'll be hard pressed to find a better jurisdiction for free speech than the US that also has good network connectivity to most of the rest of the world.
Of course, if you're wanting to distribute illegal materials or whatever, go for hosting in the old WW2 munitions warehouse turned crypto-farm / bulletproof hosting datacenter in some random com-block country. But you don't need to do that in most cases unless your use case very specifically requires it.
Matter of opinion, of course. Just my $0.02. OP never really said what they needed, just seemed like they were looking for more freedom loving alternatives than Cloudflare (Who already really doesn't give a shit what you do for 99.999% of use cases)
Why would you need it? cloudflare doesn't care anyways they just forward the abuse report
Just find sites hosting legal or gray-area but extremely taboo content and see the CDN they use.
A CDN has to be close to customers to be effective.
You might be better off making your own to be honest. Any CDNs that advertises as being offshore will charge a massive premium. Even vastly more than offshore web hosts.
I'm working on starting a local CDN service...
I've checked bunkr and gofile. Not my niche but the first one uses some sort of "maxko-hosting", they dont mention any CDN on their site, the second one uses "Global Secure Layer", again nothing about CDN.
VOD using HLS to serve sports clips. They care if bandwidth is high, for example i did over 10TB in one day through their network and my account was suspended because i used it for Video content
although it was not anything dmca related.
Any more information about this? How for example can i deploy a node in the US? As soon as they found the IP, they would just send the report to the host? Or is it possible to "fake" the IP?
Goodluck!
They aren't a CDN, no, but Maxko Hosting is quite good. I use them. They're here on LET, too.
Sounds like https://altrosky.net/ would be perfect for you. Whole of https://bgp.tools/prefix/194.48.200.0/24#dns is dedicated to HLS for sports livestreams.
https://urlscan.io/search/#asn:"AS207616"
For dmca related stuff the best place is usa. Think about it.
Guys would something like this work https://swarmcloud.net/ instead of CDN?
For whatever reason, my login credentials always seem to expire and I can never log into my client portal more than once with @maxko .
Look, right now there's a bit of a hole that some US courts have managed to dig themselves into, which is that they keep ruling on these cases that end up in default judgments on IP related cases that, while not entirely having precedential value, are persuasive to various courts as to how they should determine whether the conduct of a party who cannot be present to argue their case crosses the line into infringement under the DMCA. The problem is that because we're basically talking about lawyers in district court who are talking to judges who are opining a bit much on facts that nobody is there to say 'hey, wait, this is complete bullshit' until after it's published, and therefore too late, and whether out of genuine ignorance (when you know that the other side won't be present, why hire the best when you can hire any warm body who have heard of bit torrent?) or out of the misguided desire to flex in a metaphorical judicial circlejerk with the judge, what ends up happening is that judges are writing opinions presumably to refine the doctrine but in fact in practice would be eroding it if only the correct facts are applied. That's what happens when you have judges who are generally not very tech competent - they got to their position in many cases to dodge having to learn about tech, and the only circuit court judge I trust to not make a meal out of a case involving any novel-ish tech is Don Willet (5th Cir.) and I'm far from the only person who would say that, there's a running joke that he got his job because Trump needed him to stop tweeting and upstaging him. The problem is that there's only one of him and we got incredibly lucky, since it is 100% luck, that he was drawn onto the panel that decided Van Loon v. TREA, 122 F.4th 549 because you need someone who is able to, without really much of a formal background, understand the tech, the law, and explain it in laymen's (or lawyer's) terms why the supposed expertise asserted by the enforcement agency is a massive self-own. Anyone who know the tech would know that it's fundamentally lunacy to assign ownership and therefore rendering it subject on its own to sanctions to a piece of self-executing code replicated across thousands or tens of thousands of computers around the world and accessed by entities that may or may not be human or sometimes, another piece of self-executing code that is also likely to not be human. It's like putting a sanction on a particular spark plug thinking that the spark is some life spirit or something, but the courts is full of judges who do not, and also more importantly, cannot understand that.
What happens in reality when law is refined in dialogue with itself? Well, it's like training an LLM on its own slop. HB v. Faizan in the District of Hawaii is a good example. It's concerns the most basic, day one law school question of jurisdiction, and one side is not present - which should be obvious, since there's no visa category to "respond in person to federal civil complaint" and it is not clear that the complaint was properly served in the first place, and there are problems like "how does someone pay to get from Pakistan to Hawaii for a potentially long trial and not go broke or overstay their visa in the process". In a sense this whole opinion, and many like it, are just naval-gazing, but without anyone to stop them, the judge went and accidentally made a case that is thorough and specific and also, by accident, actually screws up fundamentally what makes one even subject to the jurisdiction of American courts when it comes to CDN use and the concept of 'purposeful availment'. Let's look at the mistakes the court makes and for a 45 page decision on the ground level question of jurisdiction, there's somehow a god damn ton of them.
a) The plaintiffs obviously don't know where the movie in question comes from, since one cannot both rip a BluRay AND a web stream and somehow mux one final work from it without, well, basically doing a lot of useless and idiotic waste of time. The pleading therefore implies fundamental uncertainty, but the judge, without someone to tell him that, assumes that somehow both methods can somehow co-exist. Not really important to the analysis is the baffling footnote about ripping that only refers to DVDs when DVDs are not even relevant to anything here, but that really is neither here nor there. What is important is that BluRays are physical objects that can be purchased overseas, but to legally stream the film at the time requires access to a streaming source unavailable in Pakistan. This alone could have determined the whole question, but without a lawyer on the other side pointing it out, the train now leaves the rails and goes into La-La Land.
b) The moment IP addresses comes up one should realize that some profound idiocy is about to happen, and it does here in a footnote. "Despite that possible imprecision, the practice of 'geolocating' IP addresses to physical locations, such as cities, has become fairly reliable." Sure, if you assume that all the IPv4 exhaustion didn't throw all that into question. I rent a server that geolocates to an address in Panama, but it's nowhere near it - it's in Abkhazia, which is de facto independent but as it's not recognized internationally, cannot join RIPE or be assigned a TLD or get is own allocation without purchasing or leasing from elsewhere, in this case the company in question leased a /24 originally belonging to an entity in Panama. There's a whole thread on this board about buy/sell/lease subnets, This is nothing new. It deserves more than just a footnote that misstates the crux of the uncertainty, but that's what we got. Of course, more than one person can use one IP. There are two people in my house and we have one IP on our fiber connection, and just from that alone whether it's me downstairs or her upstairs accessing a website isn't something that can be discerned without further evidence, but none of that exists either. If the plaintiff's lawyer wants the judge to believe that 1 IP = 1 machine = 1 person, then it's success! Except you know, manifesting or wishcasting does not make things true.
c) Then somehow, the allegation that a US-based IP must be tied to a US-based virtual machine becomes part of the fact. I mean, I can go out and pay something like 15 cents to rent an IP geolocated to a zipcode somewhere else in the US, connect to it as a SOCKS5 connection, and having no knowledge of the machine, or even who operates the service, appear to be in Maine, or Florida, or Kansas, or whereever. There are SIM farms that do this for mobile IPs, there are people leasing out their bandwidth on their home connections, there are botnets, there are datacenters. None involves necessarily a machine, virtual or not, that the end-user can actually access beyond passing through it. But when it come to geolocation, even that is unnecessary. When this case was argued in 2022, I managed to watch my legally purchased mlb.tv subscription in a part of the country where 6 teams are blacked out. That's 1/5th of the league, or on some nights 40% of games. But I rented the cheapest KVM VPS in Amsterdam, ran a dnsmasq container on it, added the akamai geolocation server's host and pointed my DNS settings at it and voila, no streaming data ever went to Amsterdam. I paid for baseball, I got baseball, it's crazy that it's necessary in the first place, but that shows that technology enables one to be served content without going through a machine in the jurisdiction. The court misses that completely and barges on.
d) The court then, citing a 10 year old case, describes bit torrent in a world without magnet links or DHT. Or apparently seedboxes, for that matter. In 2013 I think those existed as well, but has anyone rented a seedbox in Pakistan? Would anyone? The court doesn't go into it, or considers the possibility. We're not firmly off the tracks. There has been a bunch of assumptions that can easily be countered, but again, this is the court talking to itself, since the defendant cannot be and therefore is not present.
e) Then we make a Evel Knievel sized jump into the allegation that the person who allegedly ripped/muxed/magically obtained this movie and then initially seeded it ran a piracy site, and that site is basically located in the US. The evidence? It's behind Cloudflare, it bought the domain on Namecheap, and it uses GMail. They're not even alleging CF Workers or CF Pages, but that they're using CF so that they place themselves in the US and their specific selection of CF means they chose the US-based IPs for the page. Except as a CDN, what is one thing that you cannot choose especially on the free package? The edge server from where you serve the cached content. Now we've gone completely upside down. In fact the defendant cannot have chosen the US-based CF IPs, period, in question. They geolocate to Arizona because the plaintiff hired lawyers in Arizona. Somehow this made it into the record not as a farce but as an judicial opinion is worthy of a Youtube skit, as it might be too long for Tiktok. Now we're entirely in the K-Hole.
f) Is it even possible to open a US bank account from Pakistan without any pre-existing ties to the US? One can open a Paypal account, but they are, specifically, not a bank. The Bank Secrecy Act of 1970s, originally meant to flag transactions that today would be equivalent of around $80k, have imposed instead a regulatory burden that overwhelms entities and have left tons of Americans unbanked. KYC is not a federally prescribed checklist, but without an SSN, an individual usually would need an ITN, or a business an EIN. Try applying for one from Pakistan without a US address. The court somehow not understanding this part of the law is baffling. The facts that follow that to the end are all either erroneous or worse, utterly impossible. It cites two more CF IPs geolocated to the US by the US-based attorney, that one can seed a torrent from a CF CDN's IP and know the location of said CDN IP, and that the defendant, or really an IP address that may or may not be a VM, uploaded a torrent file onto a site using CF being the 'nail in the coffin' that establishes jurisdiction. This filing is so outlandish that it warrents not only dismissal but sanctioning, imo, but I'm not a judge, and the bar sanctions lawyers not for incompetence usually but for stealing money or screwing a client. Both kind of happened here, but not literally enough. Bad facts make for bad law, and the court will now run with the bad facts.
g) The judge, to his credit, actually describes the law in fairly plain and understandable terms. The purposeful availment test is not new, and here he refines some of the rough edges so that it fits better in the context. The problem is that the context is fictional and imagined and closer to a law school hypothetical than any actual facts that is possible to exist. Court decides that purposefully using a US server is what establishes jurisdiction, and so the purposeful availment test gets applied. The 9th Circuit requires not just US-based companies but the specific choosing for US-based servers, which is reasonable. The court is meticulous in examining precedent and really gets the law spot on. Unfortunately, getting it spot on but applying it to facts that are almost certainly entirely based on guesswork, conjecture, ignorance, or lies will get you a result that might be a symbolic victory now, but in a hypothetical case where somehow the defendant shows up in court, plaintiff will realize that they've polished the law so specifically so that fundamentally how internet actually works makes the law work in the exact opposite way as it had intended. It even shoots down the plaintiff's most outlandish legal theories but taking the nonsensical facts at face value, it makes the determination of jurisdiction on one fact that cannot be true - that the defendant deliberately chose to host a piracy site on US-specific IPs by Cloudflare. I hope the plaintiff's attorney facepalmed at this conclusion, but they probably just wrote up a fat bill for work that a computer-illiterate first year law student could have done.
It puzzles me that the court somehow seems incapable of understanding how CDNs work. The concept itself is really not that complicated and it seems to understand the individual parts just fine, but just can't put it together. It's understandable that most non-lawyers don't know how to properly respond to the DMCA, which is a travesty of a piece of legislation that makes no sense and enables bot-enabled heckler's vetos. The problem is that while it's possible to take the party to federal court and prevail and even make some money doing so, few are both either knowledgeable enough or friends with someone knowledgeable enough to litigate out what is effectively a sworn statement that is frequently not only perjurious but opens the sender to liability. I've gotten 13 DMCA notices in the last 15 or so years, mostly to my Github account. I countered 12 of them asking them to show up to federal court and none did. The one I didn't counter was too ludicrous to counter since literally no part of it was true. It also took down nothing since even the target of it did not exist. It also managed to allege, accidentally, of the lawyers' actual unlawful behavior, but that all showed up on my logs before anything was sent and really are just part of the noise. The funniest part is that it came from the NY Times and alleged that I hosted a piracy tool aimed at it specifically and I was hosting their files on Github, specifically audio files. How does one respond to that? And why did they try to use dirbuster on a domain that I don't actually have a server behind it but was on Cloudflare and used as a domain for webhooks and frontage for my B2 buckets and Protonmail account and decided to dirbuster it, well, attempting to violate the CFAA is also a crime but ineptitude is punishment enough.
There are of course lawyers who know exactly what all of this actually means and how all of these things work. Many of them are based out of Seattle, or Northern California, or New York City. I know some of them. I may have been recruited to join some firms that specialize in this kind of work by someone I consider a mentor who definitely knows all of this, someone who have sued Microsoft, Wizards of the Coast, Valve, and others on matters far more intricate than mere piracy. Thanks to him I have never needed to write a resume in my life since - a good cover letter can easily get you hired as a lawyer, if you wanted the job. The problem is that he hired everyone I knew who did anything like programming for fun or running a homelab at law school and understandably so. They got jobs that started in 6 digits and worked 40 hour weeks. My first job paid half that, I worked 80 hour weeks, and refurbished servers while waiting for my bar results. I'm happy for my friends, some of whom I'm still in touch with and gossip about people we knew and the state of tech and idiotic court opinions and Orin Kerr deserving to be a Supreme Court justice. However, their services cost so much that regular people, or even regular corporations, don't approach their boutique and highly rated firms. Their expertise means that settlements are the norm, trials are almost nonexistent, and many are also engaged in a sort of navel-gazing exercise. They deal with in-house or lawyers at a few other boutiques, send out impeccable form letters, and have boxes of rPi5s that they haven't set up. One took a weekend to set up Home Assistant, others settled for HomePod. That's the divide, and also, why the law is frequently actually favorable to many, but so few knows that, or how to even properly bring such a challenge, or what are the cruxes of the issue. I wish people are more willing to dare DMCA senders to show up to court under the right circumstances since sometimes it may even be a good idea, but i understand why one would avoid the issue instead. The answer to whether one should avoid being subject to the DMCA or not is always "it depends". Annas-archive certainly does but they have a setup that seems to be resilient. As for the rest of y'all, talk to a real lawyer, IRL, if you can. The law may actually be on your side, but don't take advice from randos online.
tl;dr: It depends.
This comes to mind
... Why would you need an offshore CDN if you can just make a selfhosted object storage and reverse proxy it from offshore servers?
Are you using Tor? That happens to me while using Tor for several providers, although I don't think Maxko Hosting is one of them.
Surprisingly not. But I am on a VPN.
Does the VPN IP rotate over time or something? Usually the only reason that happens is if the IP changes, which invalidates the session and forces a new login even if you still have valid authentication cookies.