
CloudFlare: Stop supporting the Target heist  - conductor
http://www.cloudflare-watch.org/target.html
======
chimeracoder
Let me play devil's advocate for a moment.

Cloudflare does not host the website itself. If Cloudflare were to stop
providing their services, the website might be inundated with traffic, or more
susceptible to DDoS attacks, etc., but even if they terminated their
relationship, this would not prevent rescator.la from doing their damage. The
Pirate Bay is an excellent example of how little power one actually wields
simply by controlling the DNS level.

Second, I'm a little concerned by the idea of a third party independently
deciding that their client is guilty of a crime and unilaterally terminating
that relationship. What if Krebs's analysis happened to be incorrect? What if
someone had compromised rescator.la's servers and happened to be carrying out
a false flag operation[0]?

I use Cloudflare for a site I operate, and I would feel more than a bit uneasy
if they terminated their relationship with a client in this manner. Maybe OP
and Krebs are correct and rescator.la are completely guilty. But what's to
stop them from making that decision (incorrectly) in the future?

It's one thing to cooperate with law enforcement in an investigation[1], but
it's quite another to appoint yourself the judge and make that ruling
yourself.

[0] Unlikely, but the point is that it's hard to be certain of what you think
you know.

[1] Which, as evidenced by the NSA debate, is not always so cut-and-dry
either.

------
jwcrux
Brian Krebs actually brought this up in his talk at DefCon (on my phone so I
don't have a link). Then, the CloudFlare CEO got up to argue his case.

While I can't summarize everything he said, he basically brought up that
CloudFlare chooses to take a hands-off approach to managing their customers.
This makes sense, IMO - if they choose to censor one customer without
appropriate legal backing, where does it stop? Saying CloudFlare supports this
is different than saying CloudFlare simply protects the rights of its
customers to publish content freely.

In fact, Cloudflare also pays the price for this stance. Many of the
fraudsters who either target Cloudflare in some way, or aim to undermine its
infrastructure (e.g. DDoS services) actually use Cloudflare, and CloudFlare
doesn't shut them down.

------
gojomo
Target or banks or law enforcement can ask CloudFlare to take action (or
perhaps explicitly _not_ take action), depending on what's appropriate. Third
party vigilantes and 'social pressure' that can't be calibrated to the wishes
of real victims and responsible authorities should not.

The cards are out there; having a sketchy resale site routing its traffic, and
paying, CloudFlare may be better for maximum long-term justice than forcing
such a site to their next-best options. And given how often law enforcement
itself has run 'carding' forums, for the purpose of eventually rolling them
up, who knows what's really going on?

The same Krebs post also mentions a major bank bought card info from the site,
to learn what was out there. Shame that bank into stopping that practice, too?
Or trust that the bank knows what's in its long-term interest, since it faces
more risk and has more professional staff aimed at this problem?

------
JoahanaT
You know how they say "If you don't stand for something you'll fall for
everything"? Well, that's just how I see it myself. Inaction is an action
within itself. IMO, providing indiscriminate protection is not a vote for
"freedom of speech", it's a vote against basic sense of morality. Case in
point:
[http://www.bullyville.com/?page=articles&id=651](http://www.bullyville.com/?page=articles&id=651)
Protecting an underage revenge porn site that hurts young adults, scarring
them for life, is not a freedom of speech issue. There should be some
balance between morality and bullheaded ideology and it's called "basic sense
of decency". Social awareness begins with recognizing the suffering of the
victim - not with defending the rights of the villains.

------
rascalflatus
Echo jwcrux. Krebs has a hard on for discrediting CloudFlare for not playing
morality police amongst their customer base. I'd hate for Krebs' mentality to
make it to the ISP or government level!

Also at Blackhat, the CloudFlare CEO destroyed Krebs on stage. It sounds like he
did a follow-up pwn at Defcon. Not that I put much faith in anything involving
Krebs being more than theater.

------
glimmung
Due Process Fail.

