The article puts it very succinctly: Cloudflare fronts attackers for free and bills the victims for relief.
Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on?
The thing is, you can control a neighborhood, a country etc. from attackers and establish control over violence.
How can we do that, if we would like to preserve relative anonymity and global nature of the internet?
People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high.
This seems like one of those cases where you need to assign responsibilities and obligations to those enabling the damage, even if their offerings also enable a lot of good. If you have the capacity to offer cheap/free VPS, then you also need to cover the cost of protecting against the DDoS attacks that service enables. You don't get to offload that burden on to the victims. If that makes your VPS offerings more expensive then so be it; that's the result of pricing in the externalities.
So if your kid downloaded a shady app, and it turned out that app had some residential VPN SDK, are you on the hook too? Does it stop at DDoS attacks? If it turned out they were scraping linkedin, can they sue you for a thousands of dollars of "harm" that you enabled?
Seems petty clear the intent of the post you are replying to isn't to hold random parents accountable for thousands and instead to hold app developers (add maybe too open app marketplaces) accountable for malicious app behavior
You can’t have both ‘sockpuppet-grade anonymity’ and ‘held liable for their actions’ in the same society, whether Internet or otherwise. Both in reality and online, those that create sockpuppet corporations-slash-identities are unmasked only when their web of sockpuppetry is pierced by e.g. ‘reused a mailbox’, ‘used a neighbor’s identity’, ‘used a family member’s identity’, and so on. Until such investigations, sockpuppets get away with billions of dollars-slash-gigabits of crimes every year, and barring the ever-incompetence of most criminals, the Internet is a vast improvement over shell corporations in that regard. Still. It is technically possible to be able to ban the controlling human of an online sockpuppet without violating their anonymity, but we lack the societal infrastructure to do so — and since our own techno-utopian societies have invested no effort in doing so, it seems like the core utopian ideal could be ‘freedom from consequences’, rather than ‘freedom of anonymity’. If that’s a valid interpretation, then the core issue is not ‘preserve relative anonymity’, it is ‘preserve relative non-liability’, which may offer new avenues for much cheaper investment than pseudoanonymity would cost.
Then there is going to have to be geographic separation. Someone completely out of your jurisdiction or control can bring essential services down, leadership only has one option, to put up a Great Firewall. Or the wider public internet will be abandoned naturally as AI slop infests it.
"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.
This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself.
In The Before Times, there were very few problematic DDOS operations because... they would all DDOS one another offline. Websites, control infrastructure, anything.
DDOS protection services were provided by companies like Akamai; call for pricing, big companies only, absolutely no anonymous sign-ups.
Cloudflare revolutionised the industry by providing free DDOS protection to anyone, including DDOS-for-hire services. Preventing them from DDOSing one another offline really let the DDOS industry take flight.
So "big companies only, absolutely no anonymous sign-ups" should be the only ones able to put stuff on the internet without fearing that a random teenager can take your site offline for days just because they're bored?
Articles like these seem to hold a weird belief that Cloudflare does not react to security reports or legal orders? From my experience, they react appropriately and relatively quickly compared to rest of the industry.
Could Cloudflare be more proactive or add more friction to their signups? Yes, probably, but the reasons they have outlined for not playing internet police make sense to me.
I don't think it should be a requirement to provide your credit card, phone number and a copy of your ID in order to host content on the internet...
people will always be able to pick a handful of sites they think shouldnt be allowed to use cloudflare hosting services. the problem is that every person will have a different handful of sites. cloudflare should host everything and anything unless and until a lawful order is received.
if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever, based on some sort of nebulous set of criteria, people will get (justifiably) big mad about it, guaranteed.
the "renting attack capacity [from cloudflare]" should have some evidence behind it, because as far as i am aware, the attackers are not using cloudflare infrastructure for the actual attack.
(its really jarring to see the general sentiment on this submission vs. the general sentiment on google submissions)
Most companies have TOS that include not damaging or attacking the company itself. The advertised service attacks Cloudflare explicitly. It seems very straightforward that this would violate any reasonable TOS.
As a condition of your use of the Websites and Online Services, you will not use the Websites or Online Services for any purpose that is unlawful or prohibited by these Terms. You may not use the Websites or Online Services in any manner that could damage, disable, overburden, disrupt or impair any Cloudflare servers or APIs, or any networks connected to any Cloudflare server or APIs, or that could interfere with any other party's use and enjoyment of any Websites or Online Services. You may not transmit any viruses, worms, defects, Trojan horses, or any items of a destructive nature through your use of Websites or Online Services. You may not exceed or circumvent, or try to exceed or circumvent, limitations on the Websites or Online Services, including on any API calls, or otherwise use the Websites or Online Services in a manner that violates any Cloudflare documentation or user manuals. You may not attempt to gain unauthorized access to any Websites or Online Services, other accounts, computer systems, or networks connected to any Cloudflare server or to any of the Websites or Online Services through hacking, password mining, or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Websites or Online Services. You may not to use the Websites or Online Services in any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).
Cloudflare retains the right (but not the obligation) to block content from its Distributed Web Gateway that Cloudflare determines (in its sole discretion) to be illegal, harmful, or in violation of these Terms. For these purposes, illegal or harmful content includes but is not limited to: (a) content containing, promoting, or facilitating child sexual exploitation and abuse or human trafficking; (b) content that infringes on another person’s intellectual property rights or is otherwise unlawful; (c) content that discloses sensitive personal information, incites or exploits violence, or is intended to defraud the public; and (d) content that seeks to distribute malware, facilitate phishing, or otherwise constitutes technical abuse."
cloudflare is not hosting the infrastructure doing the actual attacks. the attack is coming from residential proxy servers, not from the webpage being hosted by cloudflare, which is just a marketing page and a login portal. that clause is not really applicable.
in any case, its not a question of whether cloudflare can remove a website. of course they can, for whatever reason they want.
its a question of whether we want to be in a world where cloudflare starts making content-based decisions on website hosting. most people probably dont want that.
We already live a world where your service is terminated for illegal activity. Of course we want it, how is this even a question? And yes, that clause absolutely applies. They are using Cloudflare services to facilitate a blatantly illegal service that attacks Cloudflare infrastructure.
The mental loops people in these comments are using to support criminals is truly mind blowing. It makes me wonder how many of the comments here are in fact astroturfing for the DDoS organizations.
I think you may have missed the forest for the trees; the concern is about the slippery slope that may lead to a for-profit company (also the risk in case it's non-profit; see OpenAI shenanigans) controlling what content you can read, what operating systems you can download, etc... and the fear is about protection rackets leading us to being stuck with a monopoly or an oligopoly at best that enforce that censorship.
>We already live a world where your service is terminated for illegal activity. Of course we want it, how is this even a question?
you are misunderstanding me, but im not sure if you are doing it on purpose.
if they receive a lawful order of course they should oblige. and without a lawful order they should not make content-based decisions on what to host.
>The mental loops people in these comments are using to support criminals is truly mind blowing.
this is a complete mischaracterization of what i am saying. and implying that i am... astroturfing for ddos? plain offensive.
i just dont want cloudflare ai-scanning my blog, seeing the word "DDoS" because i am in networking, and proactively removing my site from the internet.
Your account can get terminated for any other random nonsense though. Happens all the time, with cloudflare, google, github, everywhere. Everyone just pretends that "this can't happen to me". You want cyberspace free from any "evil" state jurisdiction, nor "coddling" so this is what you get.
>if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever
They already pick and choose. They have not decided to sit outside of it. Any claim about them not getting involved should be read as tacit approval. Because we know they will drop users they sufficiently disapprove of.
I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail, so that hacking group could exploit as many targets during that time as possible
copy.fail patches can be applied with minimum downtime, and a VM reboots in 30 seconds, tops, regardless of size. I believe all the apex servers are configured as HA to keep the load distributed, so normal users won't feel anything when copy.fail is patched.
Our users didn't feel a thing when we rolled out the patches.
But the Ubuntu update servers are necessary to serve the update. Taking them down prevents the users from downloading the update. I don't know whether the update servers were affected though.
There may be some processes that use this functionality ("lsof | grep AF_ALG"), but it is not that widespread AIUI, and so disabling it should not be an issue for the vast majority of systems.
If you’re not using the legal system to seek action from Cloudflare, you’re unlikely to be heard by them. “I was injured for $20 and I seek as redress the customer payment details (issuing bank, account number) provided to Cloudflare so that I can identify and file a claim for financial redress against them” would be a lovely small claims lawsuit, for example. I haven’t heard of anyone trying that yet but I’d love to admire the results if someone does!
This is a service, not a device sale. Continuing to provide a service to an organization that is using it to support criminal activity is very different and terminating clients for illegal activity is not controversial.
Not the same case. If you get a bomb on a ups package, that's not UPS' fault.
But if you tell UPS someone is using them to send bombs to people, and they don't act on it in the least and even look like they are shielding bomb senders, then it starts being their fault a little bit, doesn't it?
If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison
This is more like a firearms dealer selling a gun to someone after they put their intended usage as “robbing banks” in the ATF form
> If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison
Yet Meta and Twitter are doing fine, while this has happened.
Water was kinda intentional extreme end. Is there a line? Where is the line? Giving food for someone before they make a murder can give you much bigger jailtime than not giving it, and then just ignoring the knowledge that they are going to make a murder. It is not what you do but the act itself.
An example that makes it more clear: "by that logic it's my fault that i was robbed for leaving the door to my house unlocked."
No, it's the robber's fault you were robbed. The robbery is the illegal part. It is not illegal to leave a door unlocked. Back to your train wreck of an example: it is not illegal to sell keyboards, and it is not illegal to provide water to people. Extortion is illegal. Denial of Service attacks are illegal.
That's where the line is. It is the border between legal and illegal.
Hanlon's Razor applies here. "Never attribute to malice that which is adequately explained by stupidity."
Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't.
In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying.
Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target!
But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare.
Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup.
> Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against.
I don't think that argument holds water. There's a world of difference between knocking a site offline with a DDoS and making a legal request which results in a hosting provider shutting it down.
They are both denial of services. While there indeed differences between them, they don't seem relevant here.
If a third party takedown system is poorly implemented (and it's pretty hard to create a balanced takedown system at scale), it may become more effective to abuse it instead of using DDoS.
What you are saying is that Canonical should have first updated the DNS to point at the attacker's web site IP (hosted by Cloudflare) for a few hours to let Cloudflare eat 3.5Tbps for a bit? :)
This is insanely dumb. Cloudflare is providing free hosting services, not materially supporting the attacker. You can argue that cloudflare needs to be better, or adopt different values towards, taking down sites they host, but this organization could absolutely just serve elsewhere (or just advertise their services over telegram or the like).
Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point.
It seems disingenuous to assume that CF offering some (unknown) amount of service to a malicious actor amounts to "blackmailing" someone that actor is attacking. CF could, and probably should, be better about not offering services to criminals but making a leap of logic certainly doesn't help anything.
Yeah, probably not - because they don't explicitly have to, as outlined in the post. The very architecture of CF's services essentially enables "blackmail as a service" in the sense that, CF protects the attacker and essentially creates a coercive environment in which the victim "has" to pay CF to protect them from... the very attacker that CF protects.
Right. It's more abstract than that. They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable. Then they sell the same "protection" to the victims. It's the classic mafia protection scam.
I've never tried a subpoena. I've tried reporting them to ICANN for whois abuse contact violations and never received a response (after I recieved a response from cloudflare saying, "Go away, we don't care, sign up for our services and pay us to care."). Perhaps I should set up a gofundme or something for the thousands of dollars needed to get justice via subpoena.
If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
> If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences.
As far as cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information.
No you wouldn't. Unless you failed to comply with subpoenas/warrants/etc for it.
That assumes of course that like Cloudflare you were hosting a web page and not the actual illegal activity, and were following the laws around hosting things.
>I've tried reporting them to ICANN and never received a response.
So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning an blind eye, both to what cloudflare is supposedly doing and also to what the domain registrars are doing.
In a way, yes, that makes it more okay. You can't have a conflict of interest if you have no interest. Cloudflare has clear interest in hosting the malicious actors and it's in clear conflict with providing services to their other users.
The article puts it very succinctly: Cloudflare fronts attackers for free and bills the victims for relief.
Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on?
The thing is, you can control a neighborhood, a country etc. from attackers and establish control over violence.
How can we do that, if we would like to preserve relative anonymity and global nature of the internet?
People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high.
This seems like one of those cases where you need to assign responsibilities and obligations to those enabling the damage, even if their offerings also enable a lot of good. If you have the capacity to offer cheap/free VPS, then you also need to cover the cost of protecting against the DDoS attacks that service enables. You don't get to offload that burden on to the victims. If that makes your VPS offerings more expensive then so be it; that's the result of pricing in the externalities.
Same with ISPs.
So if your kid downloaded a shady app, and it turned out that app had some residential VPN SDK, are you on the hook too? Does it stop at DDoS attacks? If it turned out they were scraping linkedin, can they sue you for a thousands of dollars of "harm" that you enabled?
Seems petty clear the intent of the post you are replying to isn't to hold random parents accountable for thousands and instead to hold app developers (add maybe too open app marketplaces) accountable for malicious app behavior
You can’t have both ‘sockpuppet-grade anonymity’ and ‘held liable for their actions’ in the same society, whether Internet or otherwise. Both in reality and online, those that create sockpuppet corporations-slash-identities are unmasked only when their web of sockpuppetry is pierced by e.g. ‘reused a mailbox’, ‘used a neighbor’s identity’, ‘used a family member’s identity’, and so on. Until such investigations, sockpuppets get away with billions of dollars-slash-gigabits of crimes every year, and barring the ever-incompetence of most criminals, the Internet is a vast improvement over shell corporations in that regard. Still. It is technically possible to be able to ban the controlling human of an online sockpuppet without violating their anonymity, but we lack the societal infrastructure to do so — and since our own techno-utopian societies have invested no effort in doing so, it seems like the core utopian ideal could be ‘freedom from consequences’, rather than ‘freedom of anonymity’. If that’s a valid interpretation, then the core issue is not ‘preserve relative anonymity’, it is ‘preserve relative non-liability’, which may offer new avenues for much cheaper investment than pseudoanonymity would cost.
> People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity.
This is a fascinating idea. Is this something anyone is working on?
In a sense, one can argue IPFS can do it, provided the content is syndicated widely enough. It is not, though.
Similarly, BitTorrent does roughly the same once the peer relationships are established.
Then there is going to have to be geographic separation. Someone completely out of your jurisdiction or control can bring essential services down, leadership only has one option, to put up a Great Firewall. Or the wider public internet will be abandoned naturally as AI slop infests it.
It's a protection racket born of fundamental weaknesses in the Internet's bedrock protocols.
"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.
This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself.
In The Before Times, there were very few problematic DDOS operations because... they would all DDOS one another offline. Websites, control infrastructure, anything.
DDOS protection services were provided by companies like Akamai; call for pricing, big companies only, absolutely no anonymous sign-ups.
Cloudflare revolutionised the industry by providing free DDOS protection to anyone, including DDOS-for-hire services. Preventing them from DDOSing one another offline really let the DDOS industry take flight.
So "big companies only, absolutely no anonymous sign-ups" should be the only ones able to put stuff on the internet without fearing that a random teenager can take your site offline for days just because they're bored?
Articles like these seem to hold a weird belief that Cloudflare does not react to security reports or legal orders? From my experience, they react appropriately and relatively quickly compared to rest of the industry.
Could Cloudflare be more proactive or add more friction to their signups? Yes, probably, but the reasons they have outlined for not playing internet police make sense to me.
I don't think it should be a requirement to provide your credit card, phone number and a copy of your ID in order to host content on the internet...
I don’t think it should be a requirement to talk to cloudflare at all to host content on the internet. I certainly don’t.
people will always be able to pick a handful of sites they think shouldnt be allowed to use cloudflare hosting services. the problem is that every person will have a different handful of sites. cloudflare should host everything and anything unless and until a lawful order is received.
if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever, based on some sort of nebulous set of criteria, people will get (justifiably) big mad about it, guaranteed.
the "renting attack capacity [from cloudflare]" should have some evidence behind it, because as far as i am aware, the attackers are not using cloudflare infrastructure for the actual attack.
(its really jarring to see the general sentiment on this submission vs. the general sentiment on google submissions)
Most companies have TOS that include not damaging or attacking the company itself. The advertised service attacks Cloudflare explicitly. It seems very straightforward that this would violate any reasonable TOS.
edit: and here it is straight from their TOS
https://www.cloudflare.com/en-ca/website-terms/
"7. PROHIBITED USES
As a condition of your use of the Websites and Online Services, you will not use the Websites or Online Services for any purpose that is unlawful or prohibited by these Terms. You may not use the Websites or Online Services in any manner that could damage, disable, overburden, disrupt or impair any Cloudflare servers or APIs, or any networks connected to any Cloudflare server or APIs, or that could interfere with any other party's use and enjoyment of any Websites or Online Services. You may not transmit any viruses, worms, defects, Trojan horses, or any items of a destructive nature through your use of Websites or Online Services. You may not exceed or circumvent, or try to exceed or circumvent, limitations on the Websites or Online Services, including on any API calls, or otherwise use the Websites or Online Services in a manner that violates any Cloudflare documentation or user manuals. You may not attempt to gain unauthorized access to any Websites or Online Services, other accounts, computer systems, or networks connected to any Cloudflare server or to any of the Websites or Online Services through hacking, password mining, or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Websites or Online Services. You may not to use the Websites or Online Services in any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).
Cloudflare retains the right (but not the obligation) to block content from its Distributed Web Gateway that Cloudflare determines (in its sole discretion) to be illegal, harmful, or in violation of these Terms. For these purposes, illegal or harmful content includes but is not limited to: (a) content containing, promoting, or facilitating child sexual exploitation and abuse or human trafficking; (b) content that infringes on another person’s intellectual property rights or is otherwise unlawful; (c) content that discloses sensitive personal information, incites or exploits violence, or is intended to defraud the public; and (d) content that seeks to distribute malware, facilitate phishing, or otherwise constitutes technical abuse."
cloudflare is not hosting the infrastructure doing the actual attacks. the attack is coming from residential proxy servers, not from the webpage being hosted by cloudflare, which is just a marketing page and a login portal. that clause is not really applicable.
in any case, its not a question of whether cloudflare can remove a website. of course they can, for whatever reason they want.
its a question of whether we want to be in a world where cloudflare starts making content-based decisions on website hosting. most people probably dont want that.
We already live a world where your service is terminated for illegal activity. Of course we want it, how is this even a question? And yes, that clause absolutely applies. They are using Cloudflare services to facilitate a blatantly illegal service that attacks Cloudflare infrastructure.
The mental loops people in these comments are using to support criminals is truly mind blowing. It makes me wonder how many of the comments here are in fact astroturfing for the DDoS organizations.
No. You want it because you are shortsighted. Others don't want that. If it is illegal, go and sue.
I think you may have missed the forest for the trees; the concern is about the slippery slope that may lead to a for-profit company (also the risk in case it's non-profit; see OpenAI shenanigans) controlling what content you can read, what operating systems you can download, etc... and the fear is about protection rackets leading us to being stuck with a monopoly or an oligopoly at best that enforce that censorship.
>We already live a world where your service is terminated for illegal activity. Of course we want it, how is this even a question?
you are misunderstanding me, but im not sure if you are doing it on purpose.
if they receive a lawful order of course they should oblige. and without a lawful order they should not make content-based decisions on what to host.
>The mental loops people in these comments are using to support criminals is truly mind blowing.
this is a complete mischaracterization of what i am saying. and implying that i am... astroturfing for ddos? plain offensive.
i just dont want cloudflare ai-scanning my blog, seeing the word "DDoS" because i am in networking, and proactively removing my site from the internet.
Your account can get terminated for any other random nonsense though. Happens all the time, with cloudflare, google, github, everywhere. Everyone just pretends that "this can't happen to me". You want cyberspace free from any "evil" state jurisdiction, nor "coddling" so this is what you get.
The split is on who decides when the account should be terminated as criminal for legal reasons, not whether we should support criminals regardless.
>if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever
They already pick and choose. They have not decided to sit outside of it. Any claim about them not getting involved should be read as tacit approval. Because we know they will drop users they sufficiently disapprove of.
Relevant post from last week:
> Why is Cloudflare protecting the DDoS'er (beamed.st) attacking Ubuntu servers?
https://news.ycombinator.com/item?id=48025001
I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail, so that hacking group could exploit as many targets during that time as possible
copy.fail patches can be applied with minimum downtime, and a VM reboots in 30 seconds, tops, regardless of size. I believe all the apex servers are configured as HA to keep the load distributed, so normal users won't feel anything when copy.fail is patched.
Our users didn't feel a thing when we rolled out the patches.
But the Ubuntu update servers are necessary to serve the update. Taking them down prevents the users from downloading the update. I don't know whether the update servers were affected though.
> I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail
On Ubuntu copy.fail could be mitigated against with some modprobe(8) config tweaks:
There may be some processes that use this functionality ("lsof | grep AF_ALG"), but it is not that widespread AIUI, and so disabling it should not be an issue for the vast majority of systems.Completly agree, cloudflare protects scammers on a huge scale and no one cares...
All the faceshops I have reporeted to cloudflare, all these phising pages behind cloudflare I reported, never came down.
None of them.
For a company making billions, protecting people, they should take this stuff serious.
If you’re not using the legal system to seek action from Cloudflare, you’re unlikely to be heard by them. “I was injured for $20 and I seek as redress the customer payment details (issuing bank, account number) provided to Cloudflare so that I can identify and file a claim for financial redress against them” would be a lovely small claims lawsuit, for example. I haven’t heard of anyone trying that yet but I’d love to admire the results if someone does!
With this kind of logic we can blame keyboard manufacturers for the illegal things their products wrote.
This is a service, not a device sale. Continuing to provide a service to an organization that is using it to support criminal activity is very different and terminating clients for illegal activity is not controversial.
Not the same case. If you get a bomb on a ups package, that's not UPS' fault.
But if you tell UPS someone is using them to send bombs to people, and they don't act on it in the least and even look like they are shielding bomb senders, then it starts being their fault a little bit, doesn't it?
Or water companies for selling water for them. Where is the line?
If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison
This is more like a firearms dealer selling a gun to someone after they put their intended usage as “robbing banks” in the ATF form
> If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison
Yet Meta and Twitter are doing fine, while this has happened.
Water was kinda intentional extreme end. Is there a line? Where is the line? Giving food for someone before they make a murder can give you much bigger jailtime than not giving it, and then just ignoring the knowledge that they are going to make a murder. It is not what you do but the act itself.
Firearms companies for wrongful death, keyboards for hacking, 3d printers for suicide drones. Shovels for holes.
Obviously we need to go after supermarkets and corner stores since criminals eat, so somewhere past that.
how does anyone not know where the line is?
An example that makes it more clear: "by that logic it's my fault that i was robbed for leaving the door to my house unlocked."
No, it's the robber's fault you were robbed. The robbery is the illegal part. It is not illegal to leave a door unlocked. Back to your train wreck of an example: it is not illegal to sell keyboards, and it is not illegal to provide water to people. Extortion is illegal. Denial of Service attacks are illegal.
That's where the line is. It is the border between legal and illegal.
That'd be extortion, not blackmail. CF did neither thing.
I'm not sure how correct this is but when you upgrade your tier on Cloudflare aren't the costs basically up to Cloudflare?
With the horror stories heard over the years I think a real issue is no hard pricing cap with forced shutdown.
Unless that's changed? I booted them a year ago..
Hanlon's Razor applies here. "Never attribute to malice that which is adequately explained by stupidity."
Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't.
In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying.
Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target!
But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare.
Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup.
> Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against.
I don't think that argument holds water. There's a world of difference between knocking a site offline with a DDoS and making a legal request which results in a hosting provider shutting it down.
Sure. Any evidence such a legal request has been made in this case? If not, why the whining?
They are both denial of services. While there indeed differences between them, they don't seem relevant here.
If a third party takedown system is poorly implemented (and it's pretty hard to create a balanced takedown system at scale), it may become more effective to abuse it instead of using DDoS.
What you are saying is that Canonical should have first updated the DNS to point at the attacker's web site IP (hosted by Cloudflare) for a few hours to let Cloudflare eat 3.5Tbps for a bit? :)
This is insanely dumb. Cloudflare is providing free hosting services, not materially supporting the attacker. You can argue that cloudflare needs to be better, or adopt different values towards, taking down sites they host, but this organization could absolutely just serve elsewhere (or just advertise their services over telegram or the like).
Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point.
It's not dumb. There's a conflict of interest.
Yeah, I demand all my hosting providers be 100% vulnerable to DDoS for this reason.
Yes.
I find a similar pattern to Meta's scammer ads.
Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns.
Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack
If they accept money to display malicious ads they should be prosecuted as accessories to the crime tbh
It seems disingenuous to assume that CF offering some (unknown) amount of service to a malicious actor amounts to "blackmailing" someone that actor is attacking. CF could, and probably should, be better about not offering services to criminals but making a leap of logic certainly doesn't help anything.
They didn’t.
Yeah, probably not - because they don't explicitly have to, as outlined in the post. The very architecture of CF's services essentially enables "blackmail as a service" in the sense that, CF protects the attacker and essentially creates a coercive environment in which the victim "has" to pay CF to protect them from... the very attacker that CF protects.
Right. It's more abstract than that. They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable. Then they sell the same "protection" to the victims. It's the classic mafia protection scam.
>They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable
Victims can't file a subpoena to get account details?
I've never tried a subpoena. I've tried reporting them to ICANN for whois abuse contact violations and never received a response (after I recieved a response from cloudflare saying, "Go away, we don't care, sign up for our services and pay us to care."). Perhaps I should set up a gofundme or something for the thousands of dollars needed to get justice via subpoena.
If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
> If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences.
As far as cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information.
No you wouldn't. Unless you failed to comply with subpoenas/warrants/etc for it.
That assumes of course that like Cloudflare you were hosting a web page and not the actual illegal activity, and were following the laws around hosting things.
>I've tried reporting them to ICANN and never received a response.
So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning an blind eye, both to what cloudflare is supposedly doing and also to what the domain registrars are doing.
ICANN doesn't get any kickbacks from Canonical needing to protect itself as far as I can tell. Cloudflare literally sells the protection.
So ICANN is alright because they're protecting them for free, but Cloudflare is bad because they're protecting them for money?
In a way, yes, that makes it more okay. You can't have a conflict of interest if you have no interest. Cloudflare has clear interest in hosting the malicious actors and it's in clear conflict with providing services to their other users.
I am curious about the existence of https://beamed.su/
That is one way of putting "DOS" for hireWTF does it really mean?
It is DDoS for hire. What are you asking exactly?
Crimeflare - proudly extorting DDoS victims and protecting criminals while building a global surveillance dragnet since 2009!