| ▲ | Can Someone Please Explain Whether Cloudflare Blackmailed Canonical?(flyingpenguin.com) |
| 90 points by speckx an hour ago | 41 comments |
| |
|
| ▲ | wood_spirit 29 minutes ago | parent | next [-] |
| The article puts it very succinctly: Cloudflare fronts attackers for free and bills the victims for relief. Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on? |
| |
| ▲ | okanat 24 minutes ago | parent | next [-] | | The thing is, you can control a neighborhood, a country etc. from attackers and establish control over violence. How can we do that, if we would like to preserve relative anonymity and global nature of the internet? People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high. | | |
| ▲ | idle_zealot 19 minutes ago | parent | next [-] | | This seems like one of those cases where you need to assign responsibilities and obligations to those enabling the damage, even if their offerings also enable a lot of good. If you have the capacity to offer cheap/free VPS, then you also need to cover the cost of protecting against the DDoS attacks that service enables. You don't get to offload that burden on to the victims. If that makes your VPS offerings more expensive then so be it; that's the result of pricing in the externalities. | |
| ▲ | altairprime 8 minutes ago | parent | prev | next [-] | | [delayed] | |
| ▲ | johnmaguire 15 minutes ago | parent | prev [-] | | > People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. This is a fascinating idea. Is this something anyone is working on? |
| |
| ▲ | api 13 minutes ago | parent | prev [-] | | It's a protection racket born of fundamental weaknesses in the Internet's bedrock protocols. |
|
|
| ▲ | jwitthuhn 30 minutes ago | parent | prev | next [-] |
| "Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks. This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself. |
|
| ▲ | AntonyGarand 44 minutes ago | parent | prev | next [-] |
| Relevant post from last week: > Why is Cloudflare protecting the DDoS'er (beamed.st) attacking Ubuntu servers? https://news.ycombinator.com/item?id=48025001 |
|
| ▲ | AntiUSAbah 28 minutes ago | parent | prev | next [-] |
| Completly agree, cloudflare protects scammers on a huge scale and no one cares... All the faceshops I have reporeted to cloudflare, all these phising pages behind cloudflare I reported, never came down. None of them. For a company making billions, protecting people, they should take this stuff serious. |
| |
| ▲ | altairprime 20 minutes ago | parent [-] | | If you’re not using the legal system to seek action from Cloudflare, you’re unlikely to be heard by them. “I was injured for $20 and I seek as redress the customer payment details (issuing bank, account number) provided to Cloudflare so that I can identify and file a claim for financial redress against them” would be a lovely small claims lawsuit, for example. I haven’t heard of anyone trying that yet but I’d love to admire the results if someone does! |
|
|
| ▲ | JeremyJaydan 10 minutes ago | parent | prev | next [-] |
| I'm not sure how correct this is but when you upgrade your tier on Cloudflare aren't the costs basically up to Cloudflare? With the horror stories heard over the years I think a real issue is no hard pricing cap with forced shutdown. Unless that's changed? I booted them a year ago.. |
|
| ▲ | btilly 7 minutes ago | parent | prev | next [-] |
| Hanlon's Razor applies here. "Never attribute to malice that which is adequately explained by stupidity." Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't. In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying. Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target! But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare. Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup. |
| |
| ▲ | duskwuff 3 minutes ago | parent [-] | | > Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. I don't think that argument holds water. There's a world of difference between knocking a site offline with a DDoS and making a legal request which results in a hosting provider shutting it down. |
|
|
| ▲ | PcChip 29 minutes ago | parent | prev | next [-] |
| I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail, so that hacking group could exploit as many targets during that time as possible |
| |
| ▲ | bayindirh 21 minutes ago | parent [-] | | copy.fail patches can be applied with minimum downtime, and a VM reboots in 30 seconds, tops, regardless of size. I believe all the apex servers are configured as HA to keep the load distributed, so normal users won't feel anything when copy.fail is patched. Our users didn't feel a thing when we rolled out the patches. | | |
| ▲ | Lukas_Skywalker 12 minutes ago | parent [-] | | But the Ubuntu update servers are necessary to serve the update. Taking them down prevents the users from downloading the update. I don't know whether the update servers were affected though. |
|
|
|
| ▲ | aggakake 26 minutes ago | parent | prev | next [-] |
| With this kind of logic we can blame keyboard manufacturers for the illegal things their products wrote. |
| |
| ▲ | nicce 20 minutes ago | parent [-] | | Or water companies for selling water for them. Where is the line? | | |
| ▲ | mcmcmc 11 minutes ago | parent | next [-] | | If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison This is more like a firearms dealer selling a gun to someone after they put their intended usage as “robbing banks” in the ATF form | |
| ▲ | sophacles 5 minutes ago | parent | prev | next [-] | | Obviously we need to go after supermarkets and corner stores since criminals eat, so somewhere past that. | |
| ▲ | naikrovek 6 minutes ago | parent | prev [-] | | how does anyone not know where the line is? An example that makes it more clear: "by that logic it's my fault that i was robbed for leaving the door to my house unlocked." No, it's the robber's fault you were robbed. The robbery is the illegal part. It is not illegal to leave a door unlocked. Back to your train wreck of an example: it is not illegal to sell keyboards, and it is not illegal to provide water to people. Extortion is illegal. Denial of Service attacks are illegal. That's where the line is. It is the border between legal and illegal. |
|
|
|
| ▲ | luma 34 minutes ago | parent | prev | next [-] |
| That'd be extortion, not blackmail. CF did neither thing. |
|
| ▲ | jpereira 38 minutes ago | parent | prev | next [-] |
| This is insanely dumb. Cloudflare is providing free hosting services, not materially supporting the attacker. You can argue that cloudflare needs to be better, or adopt different values towards, taking down sites they host, but this organization could absolutely just serve elsewhere (or just advertise their services over telegram or the like). Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point. |
| |
|
| ▲ | jmuguy 33 minutes ago | parent | prev | next [-] |
| It seems disingenuous to assume that CF offering some (unknown) amount of service to a malicious actor amounts to "blackmailing" someone that actor is attacking. CF could, and probably should, be better about not offering services to criminals but making a leap of logic certainly doesn't help anything. |
|
| ▲ | deadbabe 42 minutes ago | parent | prev | next [-] |
| They didn’t. |
| |
| ▲ | amatecha 39 minutes ago | parent | next [-] | | Yeah, probably not - because they don't explicitly have to, as outlined in the post. The very architecture of CF's services essentially enables "blackmail as a service" in the sense that, CF protects the attacker and essentially creates a coercive environment in which the victim "has" to pay CF to protect them from... the very attacker that CF protects. | |
| ▲ | superkuh 39 minutes ago | parent | prev [-] | | Right. It's more abstract than that. They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable. Then they sell the same "protection" to the victims. It's the classic mafia protection scam. | | |
| ▲ | gruez 37 minutes ago | parent [-] | | >They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable Victims can't file a subpoena to get account details? | | |
| ▲ | superkuh 35 minutes ago | parent [-] | | I've never tried a subpoena. I've tried reporting them to ICANN for whois abuse contact violations and never received a response (after I recieved a response from cloudflare saying, "Go away, we don't care, sign up for our services and pay us to care."). Perhaps I should set up a gofundme or something for the thousands of dollars needed to get justice via subpoena. If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others. | | |
| ▲ | CrazyStat 18 minutes ago | parent | next [-] | | > If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others. If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences. As far as cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information. | |
| ▲ | sophacles 7 minutes ago | parent | prev | next [-] | | No you wouldn't. Unless you failed to comply with subpoenas/warrants/etc for it. That assumes of course that like Cloudflare you were hosting a web page and not the actual illegal activity, and were following the laws around hosting things. | |
| ▲ | gruez 32 minutes ago | parent | prev [-] | | >I've tried reporting them to ICANN and never received a response. So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning an blind eye, both to what cloudflare is supposedly doing and also to what the domain registrars are doing. | | |
| ▲ | Xirdus 24 minutes ago | parent [-] | | ICANN doesn't get any kickbacks from Canonical needing to protect itself as far as I can tell. Cloudflare literally sells the protection. | | |
| ▲ | joemi 5 minutes ago | parent [-] | | So ICANN is alright because they're protecting them for free, but Cloudflare is bad because they're protecting them for money? |
|
|
|
|
|
|
|
| ▲ | TZubiri 22 minutes ago | parent | prev | next [-] |
| Yes. I find a similar pattern to Meta's scammer ads. Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns. Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack |
| |
| ▲ | mcmcmc 17 minutes ago | parent [-] | | If they accept money to display malicious ads they should be prosecuted as accessories to the crime tbh |
|
|
| ▲ | worik 9 minutes ago | parent | prev | next [-] |
| I am curious about the existence of https://beamed.su/ The best IP Stresser service since 2022.
That is one way of putting "DOS" for hireWTF does it really mean? |
| |
|
| ▲ | anonym29 20 minutes ago | parent | prev [-] |
| Crimeflare - proudly extorting DDoS victims and protecting criminals while building a global surveillance dragnet since 2009! |
