Since I wrote the post about the DMCA takedown notices the other day, someone kindly offered to provide alternative hosting for hardbin.com that should be more resilient to bogus DMCA takedowns, so happily hardbin.com is back online (but not operated by me any more).
Also I emailed Sean Lang (the guy with the github repo with dozens of example DMCA emails from these guys) and it turns out that in the last few months he also took his IPFS gateway offline because dealing with the takedowns was too much trouble.
Yeah, I took ipfs.slang.cx down after Hetzner threatened to kick me off their service.
I was able to stay on top of the takedowns by writing a script to create & deploy nginx block rules for each URL in the DMCA emails. Obviously I had no time for manual review of the URLs. But I guess that didn't matter and Hetzner got annoyed with all the emails and decided my business wasn't worth the trouble.
How did Hetzner become aware of the notices? Were they CC'd to them?
I ask because I'm building a web site currently hosted on Hetzner that will provide access to files that have fallen into the public domain, but also files that for all intents and purposes appear to copyright orphans. I will take down anything where an entity asserts a valid copyright against anything where a mistake has been made, but I don't want Hetzner just arbitrarily shooting down my site.
First the ciu-online.net people sent DMCA notices to myself and Cloudflare, since I used Cloudflare as a caching proxy. Eventually Cloudflare gave them the IP address of my server and the ciu-online.net people were able to determine that IP address was owned by Hetzner.
Now they send DMCA notices to myself, Cloudflare, and Hetzner. I think the goal is to annoy as many people as possible. Even after I shut off my IPFS gateway they continued sending notices.
Anyway, if you're hosting anything that might generate a DMCA notice, don't use Hetzner. They will kick you off even if you're complying with the DMCA process. Also, they make you submit a statement on abuse.hetzner.com for every single DMCA notice that gets sent to them. If you don't submit the statement in 24 hours they threaten to block your IP address. It is extremely tedious and annoying.
>Eventually Cloudflare gave them the IP address of my server and the ciu-online.net people were able to determine that IP address was owned by Hetzner.
Wait... isn't the point of paying cloudflare to prevent DoS attacks?
I guess if you want to do a DoS attack, send a few bogus DMCA notices to Cloudflare first to get the real IP of the server they're supposed to be protecting. Then you can hammer the server directly without Cloudflare getting in the way.
No trail leading to the DDoS attack, which would be executed by a botnet from compromised home computers, and paid for in bitcoin passed via a mixer, or something.
>Wait... isn't the point of paying cloudflare to prevent DoS attacks?
Hahahahahaha..
Cloudflare exists to get in the way of your users from accessing your site and you who are trying to run a site. They claim to be an anti-DoS service but I've never seen any evidence they actually do that. I still get Cloudflare messages a plenty that the website is down. And of course that moronic time waster where it wants me to perform a captcha constantly without actually serving the captcha.
They do provide a pretty decent anti-ddos service. They regularly sink gigabytes of traffic before it hits our origin servers. There's lots to complain about them, but this is something they actually do well.
Don't know why it didn't work for you, but there are a few things that can trip up ops.
That has not at all been my experience with Cloudflare. At a previous job, it took us just a few hours to set up and configure all the options and WAF details, etc., then they took our drive-by probes and bot spam from thousands per day to near zero. Over the course of the next year, we had less than 3 reports of blocked access from real humans; one was traveling and another was behind a shared IP organization. Is it possible some customers were blocked and left frustrated without ever telling us? Yes, but that business kept growing, and it was in an industry where most of our customers were repeat dealers that would let us know very quickly if they couldn't access the website. So if there were false positives, there weren't many.
Cloudflare saved us immeasurable time vs manually configuring firewalls and blackholes and honeypots and open-source lists -- all for $20/mo. It was an amazing service. And they blew their competitors at the time out of the water (Imperva, etc.)... much higher quality blocking at like 1/10 the cost.
If you see a Cloudflare message that the website is down, well, chances are the website is down. If they set it up a certain way, Cloudflare may have been able to cache some pages beforehand, or not... but either way, it's probably not Cloudflare's fault. The site probably would've been down even more often without Cloudflare, just without the CF error page. (That said, DNSSec is a pain and can often cause issues with Cloudflare and other proxies)
As for hCaptcha, I don't think I've ever had an issue with it (besides being unable to tell what something was, I mean)... did you have JS turned off or strict third-party blocking, perhaps?
Weirdly most of my pirated IPFS content is hosted by and served directly by Cloudflare’s own IPFS cache. I can choose which IPFS gateway to download the content from and I always click “Cloudflare” because it’s ridiculously faster than the rest (thanks to Cloudflare caching/serving it).
Didn't they voluntarily ban The Daily Stormer? And while horrible, I don't recall there being anything illegal about that, whereas IPFS likely requires them to take manual action repeatedly to avoid legal penalty.
It wasn't exactly "voluntarily" -- more like "banned it after sustained public pressure", I think. They were reluctant at first but eventually caved after pressure continued to mount. The CEO wasn't happy about it.
They defended them for a long time, and then banned them shortly after one of the Stormer admins started bragging that they had Cloudflare in their pocket.
CloudFlare will sometimes go to the court to actively protect their abusive customer from being exposed to legal liability. But apparently they don't do that unless you're really nasty and exposing you would mean they are actually able to provide information about their customers - that's a line they won't cross even for attempted murders.
Would it be unethical to send additional nonsensical take down requests to Hetzner? I mean, if you are going to be like a child and pretend every email is both true and in good faith the thing you really need is more outlandish nonsense so that one might mature? (make it less fun to host and more like hard work) Then again, Germany is just about the worse place to host "infringing" content.
Perhaps one should send regular take down requests to ones own host complaining about ones own website and point at example.com/<php echo $website[0]; ?> as the proof. Then change hosts if they chose to act weird on it.
I read "good" things about Hosted Network Pty. Ltd who in 2018 had a complaint response time near 20 days. "Worse" in the industry.
Thank you for the advice. I will shop around. The trouble is that Hetzner are almost an order of magnitude cheaper than the next best. You get what you pay for.
I would take a look around for eastern european hosters that dont really care for western bs and pick up a vps from there to use as a reverse proxy. You can continue enjoying hetzner and still be insulated by putting it behind a different server that will get (and toss) any abusive takedown requests.
The lowendtalk forums are a good place to find any number of hosters that will fill your need.
Don't directly expose your servers to the web, proxy them through some other provider so that whenever that provider falls under pressure you already have the infrastructure to move to different ip addresses and you don't have to deal with the hassle of migrating your data to other servers.
These are different state by state, but Anti-SLAPP is meant to protect from vexatious litigants, that is someone rich threatening to sue you to shut you up. I'm not a lawyer, I just listen to Serious Trouble podcast.
The DMCA is protection for an operator because instead of the first step being “get sued,” you get a letter and if you comply, you are protected.
If you ignore them, it’s basically as if the DMCA never existed and they can just sue you. And without the DMCA, you are liable if it’s some random user uploading copyrighted content to your website.
> If you ignore them, it’s basically as if the DMCA never existed and they can just sue you.
Pretty sure jes is in the UK though, and it's not the sort of thing you'd ever be extradited over... so not really sure why the notices matter. I guess some hosting providers are more sympathetic here than others.
Don't be so sure. The English courts agreed to extradite Richard O'Dwyer to America for link sharing. In the end he avoided it by signing a deferred prosecution agreement and paying a fine.
What exactly do you mean by counterexample? Assange has had access to UK courts to attempt to challenge his extradition, but he hasn't been successful. He's nearly exhausted all the possible things to appeal.
US-UK extradition agreements are so lopsided and wide-ranging, you can basically assume that one will be extradited for breaching US law while on Airstrip One.
That infamous treaty has turned the Special Relationship into full-on vassalage.
for all practical reasons, the DMCA is global law.
I mean it obvious that it's not, but are you willing to test how far they can reach when you have stories like of Peter Sunde and Kim Dotcom to see what happens?
Since I wrote the post about the DMCA takedown notices the other day, someone kindly offered to provide alternative hosting for hardbin.com that should be more resilient to bogus DMCA takedowns, so happily hardbin.com is back online (but not operated by me any more).
Also I emailed Sean Lang (the guy with the github repo with dozens of example DMCA emails from these guys) and it turns out that in the last few months he also took his IPFS gateway offline because dealing with the takedowns was too much trouble.