
17-year-old student exposes Germany's 'secret' pirate site blocklist

wkat4242
59 replies
1d2h

I'm really surprised this list doesn't contain any of the big names I'm using. In fact I've never heard of any of these sites.

I'm using many of the book sites and general torrent ones (I won't name them here), but none of these are on the list.

I also think the point is kinda moot because everyone doing torrents in Germany will already use VPN because it's only a matter of time before you get serious letters from lawyers there, demanding about 400 euro per movie they've seen you download. ISPs always cooperate in giving subscriber info for each IP. Some lawyer firms actually specialise in this and go after downloaders on their own.

I wonder if they leave the big torrent sites out to provide income for these lawyers?

sudobash1
25 replies
1d2h

Out of curiosity, how does this work? If a site is over https, then the only information I would think the ISP would have is the subscriber downloaded from randompiratesite.xyz what seems to be a single X GiB file. They could see that the size roughly corresponds to FooBar.mp4 on that site (plus some HTTP headers). But this seems pretty unreliable. (Like what if someone was using a download manager to get multiple large files at once, using multiple download streams per file?)

I'm sure that you can get in plenty of trouble for downloading a ton of data from randompiratesite.xyz or whatever, but how does the ISP determine the number of movies they've seen you download?

loeg
13 replies
1d1h

If a site is over https, then the only information I would think the ISP would have is the subscriber downloaded from randompiratesite.xyz what seems to be a single X GiB file

That isn't how torrent sites work. You visit site.xyz and download a .torrent file in the realm of 10s-100s (typically) of kB and that contains some metadata that a dedicated torrent client consumes. The torrent client connects to (1) some tracker via http (or https, but usually http) which may or may not be associated with the site the .torrent came from, to register as part of the swarm, and (2) any number of peer torrent clients. The actual data (X GiB) transfer comes from those peers; not the original site.xyz nor the tracker.

ISPs can observe DNS lookups / connections to site.xyz; tracker "announces" (that's (1) above), especially if they are http. And even the peer-to-peer traffic has a distinct protocol which is recognizable with packet inspection. But the main avenue for finding offenders, I believe, is just downloading the same .torrents for some specific copyrighted content and using the torrents' associated tracker(s) to enumerate swarm peer IP addresses.
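The flow described in the comment above, as an added example that is not part of the thread: a small Python bencode reader that pulls the tracker URL and info-hash out of a .torrent, then shows which fields a plaintext HTTP announce exposes to anyone on the path. The torrent, tracker.example, the peer id and the request line are all constructed sample data.

```python
import hashlib
from urllib.parse import quote, unquote_to_bytes


def bencode(value):
    """Encode ints, bytes, lists and dicts (dict keys sorted, as the format requires)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted(value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(value))


def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    kind = data[i:i + 1]
    if kind == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if kind in (b"l", b"d"):
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if kind == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)
    start = colon + 1
    length = int(data[i:colon])
    return data[start:start + length], start + length


def info_hash(torrent):
    """SHA-1 over the raw bytes of the 'info' dictionary; this identifies the swarm."""
    if torrent[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = bdecode(torrent, i)
        start = i
        _, i = bdecode(torrent, i)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).digest()
    raise ValueError("no info dictionary")


def announce_is_plaintext(torrent):
    """True when the tracker URL in the metadata is http:// rather than https://."""
    meta, _ = bdecode(torrent)
    return meta[b"announce"].startswith(b"http://")


def visible_in_announce(request_line):
    """Fields an on-path observer can read from a plaintext announce request."""
    _method, target, _version = request_line.split(" ", 2)
    fields = {}
    for pair in target.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote_to_bytes(value)
    return {
        "info_hash": fields["info_hash"].hex(),
        "peer_id": fields["peer_id"].decode("latin-1"),
        "port": int(fields["port"]),
        "event": fields.get("event", b"").decode("ascii"),
    }


# Constructed sample metadata: a few hundred bytes, no payload data at all.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example:6969/announce",
    b"info": {b"length": 1024, b"name": b"sample.bin",
              b"piece length": 16384, b"pieces": bytes(20)},
})


def sample_announce(torrent, peer_id=b"-XX0001-000000000000", port=6881):
    """Constructed request line of the kind a client sends to register with a tracker."""
    query = "info_hash=%s&peer_id=%s&port=%d&uploaded=0&downloaded=0&left=1024&event=started" % (
        quote(info_hash(torrent), safe=""), quote(peer_id, safe=""), port)
    return "GET /announce?%s HTTP/1.1" % query


if __name__ == "__main__":
    print("plaintext tracker:", announce_is_plaintext(SAMPLE_TORRENT))
    print(visible_in_announce(sample_announce(SAMPLE_TORRENT)))
```
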

Hypnosis6173
12 replies
1d1h

That's not how piracy in Germany works. Torrenting for German content is quite uncommon. Normally the pages either point to sites hosting a streamable version of the video content or point to an external file hoster (e.g. Rapidgator).

bonoboTP
8 replies
22h47m

Torrenting for German content is quite uncommon.

Obviously, because, as the chain of comments above yours shows, torrent users are easily caught and get fined to hundreds of euros per downloaded movie. Then they stop using torrent and tell all their friends about the experience. This has been going on for more than a decade, maybe two. So by now, German culture has adapted and people don't use torrents.

yokaze
7 replies
19h13m

You don't get fined for downloading, you get cease-and-desist with a fine (?) from a lawyer representing the copyright owner for uploading.

Downloading copyrighted is not illegal, offering is.

You could try to argue technicalities in court, but that'll probably exceed the hundreds of Euro the copyright owner demands.

Ray20
5 replies
19h1m

Downloading via torrents by default implies distribution (from technical point of view).

threecheese
4 replies
18h49m

My understanding is that one can download without seeding/uploading; is this inaccurate?

bonoboTP
1 replies
18h44m

Since the whole system relies on people seeding, even if this may be possible technically, clients don't tend to support it as a feature.

yardstick
0 replies
18h28m

There are some services where you send a torrent file/magnet link and it’ll download the file for you, so you can download over HTTPS. I believe those particular services intentionally don’t reseed.

yardstick
0 replies
18h30m

You are correct.

Years ago I did exactly this by modifying my client to never seed/share, and also to fake my reported sharing stats so the private trackers wouldn’t boot me for failing to share.

Those were the days.

Now, I no longer fear the ISP or copyright holder chasing me (seems ISPs and laws moved on where I am) and don’t bother with modifications any more.

mediumsmart
0 replies
13h38m

The cease and desist fine (about 900 euros these days) is what the lawyer wants. Max return on investment for a single letter. You don’t have to react to this letter which will bring about the second letter with the generous offer to pay less, this repeats until around 340 Euro are reached.

Then you may get a court order that states what the lawyer accuses you of and this you have to react to. The court just states this and gives you 2 checkboxes. If you check the one saying “I reject the accusation completely” the lawyer needs to decide. He invested some 40 euros into the court order but going to court is a different ballgame and not his main business model so they have to weigh the chances.

The owner of the router that the file went through is responsible for access to the router. Since the owner has so far not said anything to his Defence there is a possibility that multiple people including family members had access to the router and the lawyer might, in court, be presented with a list of people and their addresses which satisfies the defendant's task to erschütter the accusation for the court and leave the lawyer with the option to figure out whodunnit or rather who in the list is going to fold and pay.

This is really not his business model. That said they do go to court and people get sentenced to pay the fine.

looperhacks
1 replies
22h38m

You are downvoted, but from my experience, you are pretty correct. Most people I know will use a streaming site, then sharehosters (good old boerse comes to mind - Megaupload, Rapidshare and Uploaded were the big hosters I remember)

I even know of more people using Usenet than torrents! The amount of work to use torrents safely just isn't worth it for most people.

tourmalinetaco
0 replies
22h19m

They are downvoted because it was an obvious and low-quality statement, as another comment outlined. Torrents publicly expose IPs and thus can be seen by copyright Nazis, but streaming/direct downloading has so far been safe.

Semaphor
8 replies
1d2h

It's not the sites, it's torrenting. Without a VPN, they get your IP, and you are on the hook for "commercial distribution" (as clients also upload) unless you pay X00 euros.

rurban
7 replies
1d1h

Private torrenting is certainly not commercial distribution.

gruez
5 replies
1d1h

Commercial distribution isn't the only way you can violate copyrights

Semaphor
4 replies
1d1h

Just violating copyright wouldn't really matter. Damages would be tiny, and so would be what the lawyers can blackmail you for. It's being on the hook for the damages of distribution that gets the high fees.

Semaphor
3 replies
21h35m

Please tell me what's wrong about my comment instead of blindly downvoting, thank you.

throwaway48540
2 replies
11h56m

It's simply not true, from my personal experience. Who cares it's tiny when it's still more than I want or can pay.

Semaphor
1 replies
11h5m

You have personal experience with being sued for downloading without distribution in Germany?

throwaway48540
0 replies
2h45m

I wasn't sued at the end of it, but nearly. Had to pay few hundred euro. Still sucked.

Semaphor
0 replies
1d1h

Tell that to our courts ;)

leafmeal
1 replies
1d2h

If they're also downloading or seeding the torrent, they learn the IPs of their peers, so they know you were downloading that particular file.

wkat4242
0 replies
1d1h

Yeah you can use peerblock/peerguardian, but in general there's no point. It's much less risky to simply use a VPN because there's always a risk that new IPs are not on the blocklist.

imhoguy
23 replies
21h45m

Sci-Hub domains are listed, that is big.

wkat4242
20 replies
21h20m

What is that? I've never heard of it.

__MatrixMan__
18 replies
21h19m

It's where we go to get peer reviewed scientific journal articles.

mazdayasna
13 replies
19h39m

It's also run by a Putin and Stalin worshipping crazy lady

orlp
3 replies
18h56m

What are you basing that on?

cristoperb
1 replies
16h3m

I don't see anything about Putin on that page

skissane
1 replies
12h48m

Her argument that Stalin is the Christian God is rather, intriguing – https://www.sci-hub.ru/why-stalin-is-god

Not convinced myself, but to each their own.

defrost
0 replies
12h29m

It's an argument ... it may also be an inside joke and more than a bit of a leg pull <shrug>.

Soviet and post Soviet literature tends to be layered and full of oblique messages, many of these suffer in translation.

matrix87
1 replies
17h15m

Idrc who she worships, she thinks information should be free. The parasitic corporations in the west don't. Rich people are more of a threat to the well-being of society than foreigners who see the world differently

HeatrayEnjoyer
0 replies
14h32m

It's not an either or choice.

EnigmaFlare
1 replies
17h30m

It's not a surprise at all that people doing extraordinary things aren't quite the same as regular people. The average same-belief-having person isn't going to do anything like make sci-hub because fitting in is their priority.

beaglesss
0 replies
16h45m

More like it requires protection from one of the few blocks of nations resistant to extradition to the US.

lenkite
0 replies
14h4m

She technically identifies as a communist. Besides, she needs some protector to prevent being extradited to the Land of The Free & Home of The Brave. You saw what happened to Kim Dotcom.

desumeku
0 replies
19h16m

At least she respects scientific freedom.

082349872349872
0 replies
6h14m

Starting a panegyric to JV Stalin with words from IE Aleshkovsky is an editorial choice which shows AA Elbakyan takes CE Shannon seriously; I for one am looking forward to a future essay equating pirate site shutdowns with the 7 June (415 BC) early morning mutilation of the herms.

Lagniappe: https://www.youtube.com/watch?v=Nu6oziDE5wc

wkat4242
2 replies
14h52m

Ah for that I tend to go to Z-Library. But to be honest I don't have much need for that kinda stuff

defrost
1 replies
14h24m

Sci-hub is an OG source of journal papers and the source that Z-lib | anna's archive copy from.

Love it | Hate it, either way the Alexandra Elbakyan story is worth a read: https://sci-hub.se/alexandra

As a general rule pirate sites tend to not go in for founder bio's.

082349872349872
0 replies
7h32m

As a general rule pirate sites tend to not go in for founder bio's.

I'm no Data Scientist, but would be willing to bet a small round that were we to look, presence of founder bio's and their domicile's extradition policies are not uncorrelated.

[AFAICT there was a lot of paranoia on the Soviet side, and as a basis for that paranoia they pointed to all the Capitalist forces active in russia during the revolution, but in retrospect some part of all that foreign intervention had been due to a problem of their own making: they believed world revolution was only a few years off (and just maybe they didn't want to look inconsistent with their own ideology?), so instead of doing what any reasonable mafia would've done and kept on paying dividends on imperial paper (perhaps even after negotiating an acceptable haircut?) and maybe even paying lip service to IP rights, on both fronts they rather rudely essentially told all the now-former investors to "go to wood"]

Lagniappe: somewhere in Abai's қара сөздері, he says something similar to "you know, it wouldn't do us Kazakhs much harm if once in a while we were to think of something other than how to grift more cows"; with that in mind: https://www.smbc-comics.com/comic/life-3

manmal
0 replies
21h7m

An alternative that often works being annas-archive.org.

Sakos
0 replies
20h7m

You haven't heard of the biggest source of paywalled research papers on the planet? It's a fantastic resource for when you don't want to pay 40 Euros for a single paper and you don't happen to be part of a university that happens to be subscribed to the right journal.

rightbyte
0 replies
19h38m

It wouldn't surprise me if not having access to Sci-hub is about as bad for research and academiaishnesshood as ... dunno... like really bad.

amelius
0 replies
21h14m

And libgen?

Krasnol
1 replies
23h55m

They've been blocked because they became too popular.

I've heard from kinox from people I would have never suspected to be even capable of finding such a site.

Guess those people have been the marker.

Sakos
0 replies
20h5m

Probably been told about it by friends. Whenever I find a decent site, I pass it on to anybody I know who needs it. kinox used to be one of those sites.

Green-Man
1 replies
23h23m

700€ per movie is a current rate, plus a couple of hundreds as legal fees.

wkat4242
0 replies
14h51m

Yeah ridiculous. Only in Germany...

slightwinder
0 replies
8h12m

I'm really surprised this list doesn't contain any of the big names I'm using.

This might be more a proof for this whole blocking-business actually working. kinox, serienjunkies and similar named domains were very famous and huge 5-10 years ago. Since then, they have been raided, sued, blocked, etc. So it seems they've been fallen in grace and awareness with their target-group.

gardenmud
0 replies
3h46m

I actually kind of appreciate the laws there. It's sort of weird because it's one of those things where -- if you just use a VPN it totally negates the problem. Like somehow it's just "common knowledge" that you can do any of that with a VPN and you're risk free. It's this loophole that... you can't really close as a government without being completely authoritarian.

So it's not shocking that some might want to shut down VPNs or make using a VPN illegal (like, uh, North Korea, Belarus, Iraq, Oman, Turkmenistan... oof).

bowsamic
0 replies
12h48m

Yeah I didn’t know about this when coming to Germany and downloaded something without a VPN. Thankfully I was spared. But now I always use one with a reasonably good kill switch setup and forcing the torrent client to use the VPN's network device

ThatMedicIsASpy
0 replies
21h47m

nsw2u is something I've used when I wanted to look at the current state of switch emulation

Sakos
0 replies
20h8m

I use and have used a large number of these. Many of them are primarily German streaming sites. Ziperto is a file hosting site, which you'd only come into contact with through certain kinds of direct download piracy sites. I'm not surprised you haven't heard of any of them, even though they are actually quite popular in some circles.

treprinum
36 replies
1d3h

I can confirm, they are banned but VPN or Tor can access them without any issues. So it's only to prevent normies from accessing them.

johannes1234321
33 replies
1d2h

It's even simpler: Those blocks are implemented in DNS. Pick 8.8.8.8 or some other public DNS server and blocks are bypassed.

(And pick another ISP - it's their job to provide neutral net access, not mess with it, especially not mess with it without court order or something just by request of some private companies)

SoftTalker
32 replies
1d2h

Some ISPs prevent you from using other DNS. Comcast/Xfinity modem/routers for example.

saghm
7 replies
1d2h

Is it possible to use your own router/modem for Comcast? Between my last two apartments and my current one I've had Spectrum, Optimum, and RCN as ISPs in the past decade or so, and with all three of them I was able to use my own router and modem (doing a quick google ahead of setup to make sure that I found instances of people online saying the hardware I had worked for them). It definitely _shouldn't_ be something people have to do in order to be able to have unrestricted internet, but sadly it's far from the only thing that sucks about ISPs. In my current apartment, I have no other option for ISP other than Spectrum, and they seem to get outages far more often than they should (and don't "notify" me until around 20 minutes after I check their website for outages in my area and it says there aren't any).

pxc
3 replies
1d2h

You can always plug your own router into the LAN port of a shitty ISP's combo modem/router device, too, even if they won't give a connection to any other device than their own and they defeat all your spoofing attempts.

I haven't used a proprietary router in my entire adult life, except as a WAN connection for my 'real' router with some shitty ISPs.

0xffff2
1 replies
1d1h

even if they won't give a connection to any other device than their own

AFAIK they are legally required to maintain a list of compatible devices and accept any modem that is on that list.

pxc
0 replies
23h39m

My cellular ISP doesn't seem to be bound by that, even though every cable ISP I've been with has. :(

If there's some US law I can cite at them like a magic invocation to make their dumb combo device go away in favor of my own cellular modem, though, I'd like to.

SoftTalker
0 replies
1d2h

Yes, you can use your own modem, but they give you incentives to use theirs. You can also put their combo modem/router into bridge mode and use your own router. But that's a bit more of a reach for the average person, vs. just changing the DNS addresses in a config page (which is already more than 95% of people will do).

staplers
2 replies
1d1h

They make it difficult but I've done it for over a decade. They incentivize by offering no data cap if you use their bs router.

However, once you learn how much data is collected/sold about you from the router level you won't want to go back.

salad-tycoon
0 replies
21h43m

1.2 tb is a lot according to them.

However, once you learn how much data is collected/sold about you from the router level you won't want to go back.

I need to be scared straight. Go on.

SoftTalker
0 replies
1d1h

They incentivize by offering no data cap if you use their bs router.

Yes, this is why I switched over to their modem-router, I was starting to hit their caps every month and it was costing me a lot of money.

I really don't care if they monetize that my live-in mother-in-law streams game shows all day.

chii
6 replies
1d2h

how does that work? You can just set your operating system to not use the ISP provided DNS server, even if the ISP provided router/modem is locked and cannot be changed.

cortesoft
5 replies
1d2h

They could block all outgoing traffic to port 53, although you could work around that by setting up a DNS server on a different port outside the network

SoftTalker
3 replies
1d1h

Yes I'm pretty sure this is what they do. The DHCP from the router gives 75.75.75.75 and 75.75.76.76. I've tried overriding that with different resolvers in my /etc/resolv.conf and it doesn't work. And logging in to the modem/router config does not offer any option to change DNS settings.

SoftTalker
0 replies
1d

I just tried it. I enabled it at the "Max Protection" level, used the default provider setting (Cloudflare) and it works. So it seems the answer is yes. So that's a pretty simple workaround that covers most cases. I'm guessing that most of the DNS lookups that people would want to be private are happening via a web browser.

INGSOCIALITE
0 replies
4h28m

edit the /etc/resolv.conf with your chosen nameservers then chattr +i /etc/resolv.conf

pimeys
0 replies
21h25m

I'm in Germany, and running my custom opnsense router with adblocker DNS connected to one of the big DoH providers. Never had any issues, not even with using plain old DNS in port 53.

Vodafone Kable, so YMMV.

Always a bit scared to switch providers of course, you never know if you get CGNAT and blocked DNS servers. They are building a Deutsche Telekom fiber to our street this summer. It's tempting for the 200 Mbps uplink, but I have no idea if it is then CGNAT and if they even provide real IPv6. It's never mentioned in the advertisement.

lasr_velocirptr
4 replies
1d2h

I am sure if you use DoT or DoH it's going to be very hard for ISP to block using your own DNS even if you rented a modem/router from them. It does need client-side support though.

codedokode
1 replies
1d

ISP can simply compile a blacklist of publicly available encrypted DNS resolvers and block them.

lasr_velocirptr
0 replies
19h39m

not really feasible for non technical folks but at that point you start to run a dns proxy in cloud with static ip and proxy all your dns requests using DoH to that IP. That would be really hard to block without blocking all outbound https connections

pxc
0 replies
1d2h

It does need client-side support though.

Not really! You can buy a router that ships with OpenWrt out-of-the-box and just toggle a little checkbox. Plug that into your ISP's router (or use a wireless bridge in client mode, that's supported, too) and connect all of your devices through that. Now all your devices use DoH and don't even know it.

Asmod4n
0 replies
1d1h

No need for client support, you could just deploy it on a Linux vm running somewhere on your network and let that be the dns server served via dhcp.

For extra points you could deploy a firewall which intercepts all DNS requests and forwards them to that machine. Some apps have hardcoded DNS servers and ignore what you have configured.

loeg
2 replies
1d1h

I was a Comcast customer for 10+ years prior to 2017 and at the time they did not block foreign DNS servers.

SoftTalker
1 replies
23h27m

They don't block them generally, but their newer consumer modem/router/WAP "appliances" do. If you use your own, you can set whatever DNS you want, but you will have lower data caps and lose some incentive pricing that you can get if you use theirs.

I'd guess if you get business tier service you have more options also, but I've never had that.

loeg
0 replies
22h22m

I was on ordinary residential service. At the time, using their device cost more money than BYO, and the data caps were identical (or rather, there mostly weren't data caps).

hobofan
1 replies
1d2h

Most stock ISP routers in Germany I've seen allow you to set custom DNS in a straightforward manner.

And even if they don't, for a few years now there is a law that guarantees you the right to choose your own router (because previously we had quite bad bundling that forced you to rent the ISPs router), so ISPs can't lock you in like that.

Asmod4n
0 replies
1d1h

There are two types of routers consumers get here. Those where you can nearly change everything regarding DHCP and such and those given you by cable companies where you can’t even change the IP address of said router.

The latter usually allows you to disable its IPv4 DHCP server though but enforces itself as the IPv6 DNS server across your network, which can’t be disabled on your own.

Systemmanic
1 replies
1d2h

Looks as though this Comcast “security feature” can be disabled via your account settings.

Also, DNSSec?

vladvasiliu
0 replies
1d1h

I'm not an expert on DNS, but I don't think DNSSec can actually help here, and by help I mean "unblock".

Sure, their NXDOMAIN (or whatever) response will appear bogus, but your client won't be able to rebuild the missing response.
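How a DNS-level block of the kind discussed in this sub-thread shows up on the wire, as an added example that is not part of any comment: a Python parser for raw DNS responses plus a comparison of what the ISP resolver and a reference resolver returned for the same name. The response bytes are constructed samples; blocked.example, notice.example and the documentation-range addresses are placeholders, and the verdict labels are this example's own.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """A-record query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(("A", ".".join(str(b) for b in msg[off:off + 4])))
        elif rtype == 5:
            answers.append(("CNAME", read_name(msg, off)[0]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def compare(local, reference):
    """Classify the ISP resolver's answer against a reference resolver's."""
    if reference["rcode"] != "NOERROR" or not reference["answers"]:
        return "inconclusive"              # name may simply not exist
    if local["rcode"] != "NOERROR" or not local["answers"]:
        return "denied-locally"
    cnames = lambda r: {v for t, v in r["answers"] if t == "CNAME"}
    addrs = lambda r: {v for t, v in r["answers"] if t == "A"}
    if cnames(local) - cnames(reference):
        return "redirected-locally"
    if addrs(local) and addrs(reference) and addrs(local).isdisjoint(addrs(reference)):
        return "different-addresses"       # can also be ordinary CDN steering
    return "consistent"


def ask(resolver_ip, name, timeout=3.0):
    """Live lookup over UDP port 53 (not used by the offline demo below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_response(s.recvfrom(4096)[0])


def make_response(name, rcode=0, answers=()):
    """Build a constructed response; owner names are pointers to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = build_query(name)[12:]
    for rtype, value in answers:
        rdata = bytes(int(x) for x in value.split(".")) if rtype == "A" else encode_name(value)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1 if rtype == "A" else 5, 1, 60, len(rdata)) + rdata
    return header + body


def demo():
    ref = parse_response(make_response("blocked.example", answers=[("A", "192.0.2.10")]))
    nx = parse_response(make_response("blocked.example", rcode=3))
    redir = parse_response(make_response(
        "blocked.example", answers=[("CNAME", "notice.example"), ("A", "203.0.113.5")]))
    return {"nxdomain": compare(nx, ref), "redirect": compare(redir, ref),
            "same": compare(ref, ref), "unknown": compare(nx, nx)}


if __name__ == "__main__":
    print(demo())
```

With live data, `ask()` against the ISP resolver and against a resolver chosen by hand gives the two inputs for `compare()`; if the hand-picked resolver returns the same denial as the ISP's, that suggests port 53 traffic is being redirected rather than the block living only in the default resolver.
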

redprince
0 replies
1d1h

As this particular issue of DNS blocking pertains to Germany: By law (EU Commission Directive 2008/63/EC and national law TKG § 73 Abs 1) the ISP must allow the free choice of routers and has to provide all access codes. So even if an ISP provided router would be uncooperative, there is always the choice of just not using it.

pxc
0 replies
1d2h

Do they block DNS-over-HTTPS? I bet not.

matheusmoreira
0 replies
1d1h

ISP equipment should be considered compromised. They even have remote access. We should buy our own routers and bridge them to the networks of ISPs.

haswell
0 replies
1d2h

This can still be overridden on each client system behind those routers, but this is also another good reason to avoid renting your modem/router.

Products like NextDNS also provide a client app to simplify the process of overriding DNS.

baby_souffle
0 replies
16h27m

Comcast/Xfinity modem/routers for example.

In that they DNAT traffic to _their_ DNS or they just don't expose a configuration flow to the user?

sulandor
0 replies
23h12m

true

it's an annoying precedent besides the tech-support labor of folks like us trying to fix it.

marci
0 replies
1d2h

I imagine a lot of the normies that got blocked trying to get to sci-hub didn't remain normies for long.

krtkush
28 replies
1d2h

I have a RPi 5 running as a Tailscale exit node in my parent's house in a developing country. The said country does not care much about what people download. qbittorrent-nox makes it very easy to download stuff by just using my browser. Plus, I have access to local, region locked streaming content and very cheap Netflix subscription.

bloqs
13 replies
1d2h

Is there a service to rent these?

everforward
5 replies
1d

This sounds similar to a seedbox, a server rented to do piracy so DMCA complaints and such are sent to your seedbox provider instead of you.

The seedbox providers are typically headquartered somewhere where they can just burn DMCA notices. The servers themselves are also often located in piracy friendly jurisdictions (the Netherlands used to be common, not sure what’s current).

They usually come pre-installed with a remotely accessible torrent client like Deluge, Transmission, etc. Also often includes other software like VPNs, Plex, etc.

You should be relatively safe using one. The server does all the torrenting, you just download the files over FTP so you never appear in the swarm directly. It’s also a huge pain in the ass for law enforcement because it becomes international quickly. You’re in country X, the server with its IP in the swarm is in country Y, and the company that has the rental agreement with the data center for the server is in country Z.

Anecdotally, I used to spend some time in the space and I can’t recall a seed box provider ever getting raided. I think they just generally don’t bother with folks technical enough to go that far; there are easier fish to fry.

princevegeta89
3 replies
23h56m

Are these guaranteed to be permanently online?

Do they come with root access if we end up renting one?

lyu07282
1 replies
23h42m

Depends on the seedbox most will give you root/ssh, others just give you an API/web interface to a managed torrent client which can be convenient. Check r/seedboxes

princevegeta89
0 replies
23h36m

thanks! this sounds interesting

everforward
0 replies
23h4m

They’re guaranteed to be permanently online as much as such a thing can be for $20/month or whatever. They don’t shut it down if you’re not using it, if that’s what you’re asking but they do occasionally come down for upgrades/migrations/incidents/etc. I’d ballpark most providers in the 99% uptime range.

Some provide root, some don’t. Last I checked, you’ll pay more for root because most of the servers are physical so you have to rent a whole server basically.

The servers are typically IO bound on the NIC so they aren’t super picky about what you do with CPU and memory. They won’t let you run a crypto miner or do heavily parallel transcoding, but if you want to chuck a Python+SQLite web app on there I doubt they’d care.

Xen9
0 replies
23h32m

It's by the way interesting idea that developing countries entertainment industries may develop very differently due to internet piracy being already prevalent, though foreign investment may lead to this not happening, IE an "agreement" like TiSA or TTP will mean laws that lead to loss of investments like "no copyright" would become "illegal."

I'd hope someone prepares for that, and when it happens proposes a vote or public address, for laws that make the attempts backfire.

veqq
3 replies
1d2h

How much would you pay for that - compared to existing VPN solutions? You can find cloud hosts or server rentals in Bosnia, Colombia or wherever fairly easily.

amatecha
2 replies
1d

You can technically just get any ol' VPS and install the respective/relevant software on it. Just check that the VPS provider doesn't forbid torrenting/etc. in their ToS, I guess :)

giobox
0 replies
18h22m

I used to do this, but virtually all streaming sites etc block VPS IP ranges now. The beauty of OPs idea is that you get a nice domestic IP instead of one belonging to AWS/GCP/etc.

I've also resorted to putting tailscale exit nodes in foreign relatives homes with Pis in the past.

There are enough weird issues with pretending to be a domestic internet connection from a VPS IP that I've given up trying.

Ray20
0 replies
18h48m

Just check that the VPS provider doesn't forbid torrenting/etc. in their ToS

They almost always do. But many of them forbid only in ToS, and not exactly do something about it

fragmede
1 replies
1d1h

A service like that would be worth a premiumize amount

kridsdale3
0 replies
1d1h

ISWYDT

sulandor
0 replies
23h21m

"residential proxy"

providing such a service (-network) is a popular monetization option for all kinds of useless crapware. this is very useful, but even more shady than regular vpn providers.

killingtime74
10 replies
1d2h

New Zealand?

d3m0t3p
7 replies
1d2h

New Zealand, developing country ?

kridsdale3
6 replies
1d1h

Until all the sheep have iPhone 15 Pro Max in their hooves, it is.

passwordoops
4 replies
1d1h

I get the sense New Zealand is to Australia what Canada is to the US

tamimio
0 replies
21h39m

Replace sheep with moose and kiwis with geese first.

rukuu001
0 replies
1d1h

So you’re just insulting everyone now?

red-iron-pine
0 replies
23h48m

a vast source of natural resources and hockey stars?

grecy
0 replies
19h54m

More importantly, Australia is to New Zealand what the US is to Canada.

(Note: I'm Australian, been living in Canada for almost 20 years and only recently had someone explain that to me and suddenly it all made sense!)

lostlogin
0 replies
1d

There aren’t many sheep. We have moved on to cows.

slyall
0 replies
17h46m

Actually in New Zealand getting into trouble for downloading is fairly rare.

The Studios and Music Companies lobbied and got a law passed but the ISPs managed to have the law include a small charge ($20 from memory) for each notice. So the Movie/TV people never bother sending any notices and the music people only rarely do it.

Brajeshwar
0 replies
1d2h

I think Maharashtra, India.

princevegeta89
2 replies
1d

Netflix subscription - Netflix stopped access to streaming for accounts unless you're in the original country of billing. Are you streaming Netflix through your tunnel as well?

manmal
0 replies
21h5m

Why not, that’s one of the main use cases for Tailscale.

krtkush
0 replies
20h32m

Are you streaming Netflix through your tunnel as well?

Yep!

mrinfinitiesx
16 replies
1d

Openvpn / Wireguard service is preferable, but for free: https://github.com/DNSCrypt/dnscrypt-proxy

sudo apt install dnscrypt-proxy

sudo systemctl enable dnscrypt-proxy (or system service dnscrypt-proxy start|enable)

sudo mv /etc/resolv.conf ~/resolv.conf.bak

sudo rm /etc/resolv.conf

sudo nano /etc/resolv.conf

nameserver 127.0.0.1

#back up to dns over plaintext not recommended if your dnscrypt-proxy service stops for whatever reason (enable in systemd, too lazy to write here)

#nameserver 1.1.1.1

sudo chattr +i /etc/resolv.conf

Always use DoH / DoT (DNS over HTTPS / TLS)

in firefox, settings -> DNS in search select Max protection choose NextDNS, make a NextDNS account for further privacy/setting up your local DNS restrictions like ad/tracker blocks

or use cloudflare.

Cheap VPS proxy:

on a VPS, do said dnscrypt-proxy

ssh -D 8080 -i ~/.ssh/sshkey username@vps.server (always use SSH key auth, no passwords)

in firefox, set up proxy 127.0.0.1 8080 select 'Use DNS through proxy' - can set proxy settings at OS level to use DNS.

There's some options for you. Tailscale works, haven't tried it though.

codedokode
13 replies
1d

Both openvpn and wireguard protocols are trivially blocked by DPI. Why do people make custom protocols today? Everybody should use something standard and indistinguishable, like QUIC, DTLS or TLS1.3, for their transport layer.

nine_k
2 replies
21h49m

something standard and indistinguishable, like QUIC, DTLS or TLS1.3, for their transport layer.

Exactly this does exist, search for xray / xtls-reality.

A node pretends to be a valid web site, with a valid third-party TLS certificate (like a CDN node serving that website), until a correct secret key is presented, then it looks like regular TLS-encrypted web traffic.

E.g. https://github.com/XTLS/Xray-core — most documentation, sadly but expectedly, is in Chinese and Russian, because these folks seem to need this most.

codedokode
1 replies
18h10m

I actually did some fiddling with Wireshark, and it looks to me that it should be easy to make a tunnel masquerading as TLS 1.3 in Python. Firefox's TLS requests mostly look the same except for several fields (like RandomId, SessionId, SNI) and it is easy to write a tunnel in Python that would send similar initial packets (so that they look exactly like the ones sent by the browser), and after pretending to set up a TLS session, encapsulate real traffic as TLS Application Data records. You don't need to implement real TLS protocol, you just need to make several initial packets by template.

The project you mentioned seems to be pretty complicated; I think it is possible to implement the tunnel in a single Python file without any external libraries. But I was not intending to implement any serious crypto, just masquerade traffic.

Yes, I saw that project and even the English documentation is not easy to read.

nine_k
0 replies
10h19m

Yes, Xray does more than just making the traffic look like typical web traffic. It also makes the open VPN server port look exactly like a port serving a legitimate third-party site, with the proper TLS certificate and all. Put it on port 443, make it proxy something like samsung.com or whatever else your censors find inoffensive.

This protects the VPN node from being blocked after a port scan, and gives you plausible deniability: "Yes, I have visited this IP. Let's open it. Ah, I just wanted to look at the newest Samsung phone model."

ignoramous
2 replies
22h54m

wireguard protocols are trivially blocked by DPI

There's at least 2 or more different efforts to make WireGuard DPI resistant. Ex: https://github.com/database64128/swgp-go

Interestingly, Cloudflare (and Apple?) have begun switching to MASQUE: https://blog.cloudflare.com/zero-trust-warp-with-a-masque

Everybody should use something standard ... like QUIC, DTLS or TLS1.3, for their transport layer.

Very common for anti-censorship tools (V2Ray, XRay, Clash, Hysteria, Trojan, uTLS, Snowflake, SingBox, Outline etc) to use these.

codedokode
1 replies
18h21m

The first project (swgp-go) which makes traffic resemble random noise, can be trivially blocked. The DPI calculates the ratio between number of 0 and 1 bits, and if their amount is approximately equal, and traffic doesn't match allowed protocol (like HTTPS), then the connection is blocked.

If you don't want to stand out you should use steganography and masquerade as a legitimate and popular protocol. It seems that MASQUE does exactly this.
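The bit-ratio heuristic described in the comment above, sketched as an added illustration (not code from the thread or from any DPI product). The payloads are constructed, and the function names, the 0.03 tolerance and the 64-byte minimum are assumptions chosen for the demonstration.

```python
import random

# Constructed sample payloads (not captured traffic).
_rng = random.Random(1234)  # fixed seed so the "noise" is reproducible
NOISE = b"\xa7" + bytes(_rng.getrandbits(8) for _ in range(511))
TLS_APPDATA = b"\x17\x03\x03" + len(NOISE).to_bytes(2, "big") + NOISE
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
PADDED = b"\x7fDEMO" + bytes(200)  # binary protocol that is mostly zero padding

HTTP_VERBS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"}


def ones_ratio(payload: bytes) -> float:
    """Fraction of bits set to 1 in the payload (0.0 for empty input)."""
    if not payload:
        return 0.0
    return sum(bin(b).count("1") for b in payload) / (len(payload) * 8)


def looks_like_tls_record(payload: bytes) -> bool:
    """Framing check only: content type 20-23, version 3.x, sane record length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return 20 <= ctype <= 23 and major == 3 and minor <= 4 and length <= 16384 + 256


def looks_like_http(payload: bytes) -> bool:
    return payload.split(b" ", 1)[0] in HTTP_VERBS


def classify(payload: bytes, tolerance: float = 0.03, min_len: int = 64) -> str:
    """Allow-list known framing first, then flag balanced bit counts."""
    if looks_like_tls_record(payload) or looks_like_http(payload):
        return "known-protocol"
    if len(payload) < min_len:
        return "too-short"  # too few bits for the ratio to mean anything
    if abs(ones_ratio(payload) - 0.5) <= tolerance:
        return "suspect-random"
    return "unknown"


if __name__ == "__main__":
    for name in ("NOISE", "TLS_APPDATA", "HTTP_GET", "PADDED"):
        data = globals()[name]
        print(f"{name:12} ratio={ones_ratio(data):.3f} -> {classify(data)}")
```

TLS application data is ciphertext and scores the same balanced ratio as the noise sample, so the ratio is only meaningful for traffic that has already failed the framing checks.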

kevincox
0 replies
7h34m

HTTP/3 is QUIC. So you can tunnel whatever you want over a connection that is not reliably distinguishable from HTTPS. (You can do heuristics based on packet sizes and timings)

red-iron-pine
1 replies
23h49m

makes me think of the Harvard kid that called in a bomb threat via Tor -- and was the only one on campus using Tor.

so even though that stream was itself encrypted, it was trivially easy to track down that one guy and tie it to him.

whatindaheck
0 replies
5m

I’ve never heard this story but it made me think of this old XKCD[0].

[0]: https://xkcd.com/1105/

lyu07282
1 replies
23h48m

Correct me if I'm wrong but I don't think any ISP does DPI for mass censorship, that would be way too expensive

codedokode
0 replies
23h43m

Russia and China use DPI, although they often use relatively simple heuristics (like matching a SNI in the beginning of a TLS session).

jiiam
1 replies
11h42m

Both openvpn and wireguard protocols are trivially blocked by DPI.

I don't understand why this matters, it's not like your ISP will ever block this kind of traffic since every company that has any form of IT department uses some form of VPN making it not only a legitimate kind of traffic but also quite common.

npteljes
0 replies
1h47m

I'd think that companies use commercial grade internet, and normal people use residential internet. If so, then it would be easy to imagine that the ISP blocks some features for the residential subscriptions.

ordu
0 replies
12h20m

> Both openvpn and wireguard protocols are trivially blocked by DPI.

Not so trivially as it seems. I use wireguard from Russia despite their efforts to block it. It needs some tricks to connect, but it works. I believe that openvpn will work too with those tricks.

> Everybody should use something standard and indistinguishable, like QUIC, DTLS or TLS1.3, for their transport layer.

Let them first learn how to block wireguard properly. No point to show them the full scale of the problem they face, so they could get more funding. :)

On a more serious note, it is whack-the-mole game, the idea that sounds like "everybody should use X" for some value of X is not a good idea. Everybody should look for their own way to bypass censorship, and they should do it with as much creativity and tech skills as they have.

manuel_w
1 replies
10h26m

sudo chattr +i /etc/resolv.conf

Why that?

BenjiWiebe
0 replies
3h6m

That makes the file immutable - when your network manager tries to rewrite the file because you reconnected to your wifi, it can't.

grishka
15 replies
1d1h

DNS-based blocking? As someone living in a country with ever-increasing internet censorship, that's not blocking, that's a trivially ignorable gentle suggestion to not visit these sites.

pwg
12 replies
1d1h

For 99.8% of internet users, DNS based blocking is a hard stop (for them).

For the remaining 0.2% who know how things work, they are a brief bump in the road to getting to the site they want to pull up.

sho
2 replies
15h1m

Do you have any citation for those numbers?

You need to spend more time with the normies. 99.8% is probably an exaggeration, but if so, not by much. It's easy to forget just how little the average person knows, or wants to know, about how technology works, or their ability to change it to their advantage.

The vast majority of people not only do not understand DNS, they couldn't tell you with any specificity what a domain or IP address even are, and they're afraid of doing anything which might break their computer in a way they don't understand enough to fix.

defrost
0 replies
14h33m

Doesn't require much understanding to bypass a DNS block or use a VPN.

Easily two thirds of FiFo (Fly In | Fly Out) mine workers in this state, the full on beer swigging head butting rail labourers et al have a rough understanding of the problem and have traded a carton or three with a mate of mate to fix it on their phone | home network so they can get all the p0rn and free movies they can watch on time off.

Real understanding of layered networking protocols from fibre and wire upwards is rare; bypassing DNS blocks is common as muck even sans that fancy CISCO certification.

amy-petrik-214
0 replies
2h3m

in fact I would say >90% of -internet users- who are motivated to do so would figure a way to bypass the block. And they don't need to know DNS for that. They find some board that gives them the steps necessary without needing to understand how it all works. Or they know a guy. Why are they motivated? Probably for games, videos, netflix, social media, etc. The walled gardens would motivate them.

Thing is here, only a minority are going to be "into" the pirate site scene, so way less are motivated in the first place. And a lot of them probably have a perfectly fine way to get their stuff from non-blocked pirate sites.

When I look at my grandma use the internet, she knows very little about it, but if she's motivated to do something with tech she always seems to figure out a way.

Krasnol
0 replies
23h52m

Blocking content, even or especially not pirate content, is common in Turkey.

It is not in Germany.

Therefore, more people in Turkey would know about measures to circumvent it than in Germany.

redprince
3 replies
1d1h

The solutions are just a Google search away and easy to implement. If that stops anyone even slightly motivated I must wonder what they are generally able to achieve with a computer.

dunefox
1 replies
23h23m

So, 99.8% of people on the internet. I know of maybe four people who could circumvent this DNS block, three of whom I work with at the IT department.

scbrg
0 replies
21h39m

For your anecdata to be somewhat relevant you need to know around 2,000 people well enough to accurately judge whether they're capable of circumventing a DNS block :-)

bonoboTP
0 replies
22h40m

wonder what they are generally able to achieve with a computer

Stuff they actually do day to day. Scroll social media, use messaging apps, watch Netflix, Youtube, Twitch etc, in the older generations (millennial and up) also email and MS Office.

bonoboTP
2 replies
22h37m

It's a hard stop because Germans don't really care so much. They are rich enough that they can just pay for a legal streaming platform or to just buy the movies and games. In actually poor countries where the price is a real stumbling block, people do figure out how to use the required tools. In Eastern Europe, usage of torrent is common knowledge among average people. Everyone has some friend or family member who will explain and install it for them and they are motivated to learn. It's remarkable how much better people become at computer skills once it's about getting access to your favorite TV shows, movies or games.

throwaway290
0 replies
22h10m

In Eastern Europe, usage of torrent is common knowledge among average people. Everyone has some friend or family member who will explain and install it for them and they are motivated to learn

Germans are not using torrent not because they don't have the knowledge but because they will get sued unless they take other anonymization measures that cost money and slow down speed, so why not just pay for Netflix. In developing countries enforcement is not so great, that's all.

afh1
0 replies
18h14m

I have all the streaming platforms you can think of and still have to resort to torrent for any movie older than the 80s it seems...

sulandor
0 replies
23h10m

germany had really nice internet until a few years ago

but yea, it's very annoying

azernik
0 replies
1d1h

The point is:

1. Cynically, for bureaucrats to be able to claim they're doing something about an issue the politicians care about, but which the bureaucrats think is a non-issue.

2. Less cynically, to take away plausible deniability for the torrenter about whether the thing is allowed or not.

submeta
4 replies
1d

Will using NordVPN help? Does anyone know?

stuffoverflow
1 replies
3h38m

Since you didn't get a serious answer yet... Yes, VPNs typically use their own DNS and NordVPN is no different. As far as I've seen, the copyright trolls in Europe always go for the lowest hanging fruit which are the IP addresses of residential users. I imagine IP addresses belonging to servers or VPNs are basically disregarded.

submeta
0 replies
2h47m

Thank you very much for the detailed response

BLKNSLVR
0 replies
19h15m

No, NordVPN sucks.

I can tell by the fact that so many sites with trash content sing its praises.

The lady doth protest too much, methinks.

konstantinua00
2 replies
1d2h

why was it kept secret?

marcosdumay
0 replies
1d

To be fair, a public list of DNS blocking is guaranteed to work even worse than a secret one.

gsich
0 replies
17h57m

it wasn't

6510
2 replies
1d1h

Besides my opinion about file sharing this scheme seems to bypass the legal system but pretends to be based on legal grounds. What we have here is [more] privatization of the legal system and bypassing democracy.

To state the obvious: If you have someone doing things you don't like in office you can vote them out and replace them with someone who doesn't do those things. This is already a slow and cumbersome process that may take decades to materialize.

Or does this provide a framework for implementing direct democracy? Have a website with law proposals that can be implemented in a privatized way, have the citizens vote for and against them then pressure corporations to implement them.

matheusmoreira
1 replies
1d1h

Copyright monopolists employ lobbyists. They basically buy laws which favor and protect their own monopolies and rent seeking. Voting does absolutely nothing to stop this trillion dollar industry.

6510
0 replies
9h23m

Democracy is like Voodoo, it only works if you believe in it.

ulbu
1 replies
1d3h

(unimportant comment, but) clean up the internet by blocking sci-hub? excuse me, are you f*ing daft?

netsharc
0 replies
23h29m

The use of clearing here means something like https://en.wikipedia.org/wiki/Clearing_house_(finance) , i.e. an independent body so that copyright holders don't have to contact every single ISP, and ISPs just have to argue against the DNS blocks with a single party instead of many copyright holders.

wkat4242
0 replies
1d2h

Yeah I bet this is exactly why they didn't publish the list :)

janandonly
1 replies
14h7m

I am shocked that sci-hub is on that list. Could this explain the economic and academic decline of Germany these last few years?

bowsamic
0 replies
12h47m

No? What a bizarre suggestion

gustavus
1 replies
22h39m

Just imagine how easy this pirate list could be turned into a "misinformation" list. Makes you think.

tamimio
0 replies
21h38m

Wait till you know that airplanes and landlords also maintain secret, unregulated lists.

darreninthenet
1 replies
1d3h

What's the betting that cuiiliste.de is added to the list next at the "request" of some anonymous rights holder...?

Retr0id
0 replies
1d1h

UK ISPs block similar list-of-other-sites sites

2-3-7-43-1807
1 replies
1d1h

so many interesting new websites to check out ... LOL ...

pazimzadeh
0 replies
20h44m

yeah I appreciate them putting this together

silexia
0 replies
22h32m

Sunlight and transparency are good. All attempts at secrecy should be eliminated.

nilsherzig
0 replies
10h2m

How nice of them to collect this list of working piracy solutions haha

mtron_
0 replies
23h58m

Austrian provider liwest has been very transparent about their DNS blocks for many years. All of them are based on court orders / EU sanctions.

https://netzsperre.liwest.at/

mattdee
0 replies
20h21m

save

fsckboy
0 replies
1d3h

the site also links to various options available to the public to circumvent the blocking efforts. This includes switching to third party DNS resolvers

says what is blocked is at the DNS level; I guess that means not blackholing routing to the IP addresses

interestingly, the benchmark sites I use to conduct my censorship research are not even in their list?

cynicalpeace
0 replies
1d2h

"Secret" and "German" in the same sentence makes your ears perk up

_blk
0 replies
1d3h

Given the secrecy of the list, the lack of court orders and little to no accountability, I'm very impressed to find "only" 104 main domains.

WhatsName
0 replies
1d1h

My theory is that DNS blocking is chosen deliberately. There are more effective means of blocking, but if the bypass is just 5min work, those who care will bypass it and those who don't care enough will get blocked.

It's just after people get accustomed to having a censorship infrastructure in place, it slowly starts spreading like cancer and gaining momentum...

Jun8
0 replies
1d2h

Other than sci-hub they seem to be almost wholly sports and movie sharing sites (one site I saw had Nintendo switch games). Surprised that libgen is not on the list.