54 comments

[ 1.6 ms ] story [ 71.8 ms ] thread
Over five years of paid SoundCloud here, I thought something was wrong with my setup. If this continues I'll have to cancel, basically. What a pain.
same here. been a paying customer for 2 years, a soundcloud listener for 5+. this is where i switch back to downloading music off russian pirate websites.
SoundCloud once messed up a huge song import - hundreds (as in more than 9 hundreds). There was no way to batch clean/edit, or even clear/nuke (i.e delete everything). Support refused to help. They clearly said they "won't" do it and they helpfully asked me to do it one by one because that was the way users were supposed to do it. I kept requesting that they could just delete everything and I would set up everything again because at that point my profile looked all garbage and noise. They refused and stopped responding. I found a CxO email and mailed seeking help. I never received a reply. A few days later, I just deleted that really old account. I used to use the site very regularly since the beginning. But after that, they never even came to my mind until I saw this here on HN.
You can't just blanket block all VPN access, that's not how the internet works... they could pick some common/well-known providers of VPN services and block their IPs/ASN/etc., but you can't just flip a switch and make all forms of VPN/proxy stop working, as there's no way to tell with certainty that someone is using one.
As long there isn't a critical risk, these kind of business decisions won't aim for certainity.

They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.

There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.

There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)

It will never cover every VPN or proxy in existence, but it gets pretty close.

Big part of the Internet blanket ban countries, why do you think VPNs are any different?
It is easier to block all non-residential addresses, than block VPNs. As an added "bonus" it also kills personal VPNs running on VPS. VPNs in residential space exist but are sold as "premium" product.
Yes, and email is decentralized in theory...

If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.

The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.

IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....

Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!

Hell, I remember malware (Trojans / RATs) from the 2000s that allowed you to use your victims IP as your personal proxy.
Maybe its a trick and they are logging all the people on VPN's trying to see if they are blocked over the next 24 hr. Then they can take the data and start blocking it lol. Maybe not lol?
They blocked *some* vpns. I was able to get it working just by switching location with my vpn provider.
Doesn't reddit block VPNs as well?
IME, only if you're not logged in.
The irony is that I tried to access the link here but reddit blocks VPN access aggressively.
What's the motivation for blocking VPN read access for this and other services? Are AI scrapers using commercial VPNs to get around rate limiting?
It doesn’t really matter if they’re using commercial VPNs or the same upstream providers as commercial VPNs. Blocking an ASN is a million times more effective than blocking single IPs (at the risk of blocking genuine customers). I’ve had customers reach out to me asking to be unbanned after I blocked a few ASNs that had hostile scrapers coming out of them. It’s a tough balance.

VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.

Strange, it works here (Taipei based vpn and logged in)
I think it's the thought that counts. Presumably they will get better at blocking all VPNs.
And VPNs will get better at avoiding them. In the military world, this is called "C-squared" (counter-countermeasures).
Even Russia and Iran has issues blocking VPN country wide…curious what SoundCloud is going to be able to do. I’m guessing it’s to block AI scrapers but ironically, they have way more resources than your customers. SoundCloud will end up pissing off their paying customers and AI bots will still be able to scrape.
Financial times does as well for me on certain browsers but not others. Pretty annoying.
Last night I was blocked from HBOMAX (or whatever brand they go by these days) for being on a VPN. That was the first time I've ever encountered something like that on HBOMAX. I wonder if there is some coordinating event here.
Did the error condition actually call out "VPN use" ? Did the HBO UI actually call out, by that term, a VPN ?

... or were you simply using a VPN and that's the most likely culprit for a general failure of the service ?

Genuinely curious ...

They specifically used "VPN" in the error message but I can't remember the exact text of the whole message.
Yarr… when this happens to ye, it’s time to sail the high seas!
I don't even need to be blocked. I can't jump ahead so I just download and keep or discard.
Not the first,

Patreon also banned VPN

YouTube, Reddit - locked out, requiring to log into account, on pretense of security and care concerns, yeah to identify and track VPN users.

Should be interesting to see how the internet blocks those of us who don't want to be fingerprinted, ID'd, or reveal our home IP addresses. YouTube already blocks embeds to login and prove I'm not a bot, funnily it doesn't work and embeds never play. Reddit will block me unless I'm signed in which I don't mind too much, but the daily beast and many others block me which is a shame because I'm a real human being using the internet as intended.

Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.

I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.

My router is setup for WireGaurd and it'll never be disabled.

Shame on SoundCloud

I tried creating a SoundCloud account recently for uploading DJ sets to and it just outright wouldn't let me. Didn't matter whether I was or wasn't on a VPN, or whether I had clean cookies. Crappy bot detection. You can be sure I'm never paying for such a hostile service.
Well, goodbye SoundCloud (and all services doing the same thing).
irony is this is posted on reddit, who also blocks VPN’s
Ironic posting that on reddit who also blocks vpn access.
I keep wishing “privacy” company, Apple, would release a VPN such that no business would be able to block it as they’d lose too many customers
They kinda do on Apple Private relay and most services don't block it. Funny thing if you put it in your router and point the tunnel to a certain country is a good way to source address launder since the endpoint will just think its an apple private relay user from local country.

Tradeoff is that it seems to be a browser only thing. Some tools like the default macOS curl seem to be integrated with it.

Apple, parading as paragons of privacy, also allow companies like Facebook etc. to track you across reinstalls and EVEN DEVICE RESETS and NEW DEVICES through the iCloud Keychain API.

This shit has been going on for maybe 5 years but no one seems to know or care.

I am so sick of these IP blocks. Same thing in Discord where a lot of servers deploy third-rate services like Double Counter that’s effectively a malware host. There’s nothing wrong with using VPN. I don’t want my IP exposed when my ISP doesn’t allow me to freely change it like they used to even a couple of years ago.
Ironically, I can't read the Reddit post with my VPN.
i’ve watched this VPN arms race get weird over the years... as a user i feel like the license wars always spill over onto my connection.

rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.

BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.

i think the conversation around Apple or any single company saving us is missing the point.

ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.

the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.

HOWEVER... if enough of us treat VPN use as normal... the calculus changes.

blocking a few percent of weirdos is easy... blocking half your paying users is not.

i don't know the answer... but i suspect it's going to get more fragmented before it gets better.