same here. been a paying customer for 2 years, a soundcloud listener for 5+. this is where i switch back to downloading music off russian pirate websites.
SoundCloud once messed up a huge song import - hundreds (as in more than 9 hundreds). There was no way to batch clean/edit, or even clear/nuke (i.e delete everything). Support refused to help. They clearly said they "won't" do it and they helpfully asked me to do it one by one because that was the way users were supposed to do it. I kept requesting that they could just delete everything and I would set up everything again because at that point my profile looked all garbage and noise. They refused and stopped responding. I found a CxO email and mailed seeking help. I never received a reply. A few days later, I just deleted that really old account. I used to use the site very regularly since the beginning. But after that, they never even came to my mind until I saw this here on HN.
You can't just blanket block all VPN access, that's not how the internet works... they could pick some common/well-known providers of VPN services and block their IPs/ASN/etc., but you can't just flip a switch and make all forms of VPN/proxy stop working, as there's no way to tell with certainty that someone is using one.
As long there isn't a critical risk, these kind of business decisions won't aim for certainity.
They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.
There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.
There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)
It will never cover every VPN or proxy in existence, but it gets pretty close.
It is easier to block all non-residential addresses, than block VPNs. As an added "bonus" it also kills personal VPNs running on VPS. VPNs in residential space exist but are sold as "premium" product.
If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.
The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.
IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....
Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!
Maybe its a trick and they are logging all the people on VPN's trying to see if they are blocked over the next 24 hr. Then they can take the data and start blocking it lol. Maybe not lol?
It doesn’t really matter if they’re using commercial VPNs or the same upstream providers as commercial VPNs. Blocking an ASN is a million times more effective than blocking single IPs (at the risk of blocking genuine customers). I’ve had customers reach out to me asking to be unbanned after I blocked a few ASNs that had hostile scrapers coming out of them. It’s a tough balance.
VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
Even Russia and Iran has issues blocking VPN country wide…curious what SoundCloud is going to be able to do. I’m guessing it’s to block AI scrapers but ironically, they have way more resources than your customers. SoundCloud will end up pissing off their paying customers and AI bots will still be able to scrape.
Last night I was blocked from HBOMAX (or whatever brand they go by these days) for being on a VPN. That was the first time I've ever encountered something like that on HBOMAX. I wonder if there is some coordinating event here.
Should be interesting to see how the internet blocks those of us who don't want to be fingerprinted, ID'd, or reveal our home IP addresses. YouTube already blocks embeds to login and prove I'm not a bot, funnily it doesn't work and embeds never play. Reddit will block me unless I'm signed in which I don't mind too much, but the daily beast and many others block me which is a shame because I'm a real human being using the internet as intended.
Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.
My router is setup for WireGaurd and it'll never be disabled.
I tried creating a SoundCloud account recently for uploading DJ sets to and it just outright wouldn't let me. Didn't matter whether I was or wasn't on a VPN, or whether I had clean cookies. Crappy bot detection. You can be sure I'm never paying for such a hostile service.
They kinda do on Apple Private relay and most services don't block it. Funny thing if you put it in your router and point the tunnel to a certain country is a good way to source address launder since the endpoint will just think its an apple private relay user from local country.
Tradeoff is that it seems to be a browser only thing. Some tools like the default macOS curl seem to be integrated with it.
Apple, parading as paragons of privacy, also allow companies like Facebook etc. to track you across reinstalls and EVEN DEVICE RESETS and NEW DEVICES through the iCloud Keychain API.
This shit has been going on for maybe 5 years but no one seems to know or care.
I am so sick of these IP blocks. Same thing in Discord where a lot of servers deploy third-rate services like Double Counter that’s effectively a malware host. There’s nothing wrong with using VPN. I don’t want my IP exposed when my ISP doesn’t allow me to freely change it like they used to even a couple of years ago.
i’ve watched this VPN arms race get weird over the years... as a user i feel like the license wars always spill over onto my connection.
rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.
BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.
i think the conversation around Apple or any single company saving us is missing the point.
ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.
the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.
HOWEVER... if enough of us treat VPN use as normal... the calculus changes.
blocking a few percent of weirdos is easy... blocking half your paying users is not.
i don't know the answer... but i suspect it's going to get more fragmented before it gets better.
54 comments
[ 1.6 ms ] story [ 71.8 ms ] threadThey probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.
There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)
It will never cover every VPN or proxy in existence, but it gets pretty close.
If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.
The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.
IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....
Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!
VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
... or were you simply using a VPN and that's the most likely culprit for a general failure of the service ?
Genuinely curious ...
Patreon also banned VPN
YouTube, Reddit - locked out, requiring to log into account, on pretense of security and care concerns, yeah to identify and track VPN users.
Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.
My router is setup for WireGaurd and it'll never be disabled.
Shame on SoundCloud
Tradeoff is that it seems to be a browser only thing. Some tools like the default macOS curl seem to be integrated with it.
This shit has been going on for maybe 5 years but no one seems to know or care.
rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.
BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.
i think the conversation around Apple or any single company saving us is missing the point.
ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.
the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.
HOWEVER... if enough of us treat VPN use as normal... the calculus changes.
blocking a few percent of weirdos is easy... blocking half your paying users is not.
i don't know the answer... but i suspect it's going to get more fragmented before it gets better.