I ran the worlds largest DDoS-for-Hire empire and Cloudflare helped (rasbora.dev)
359 points by Rasbora on Sept 4, 2022 | 228 comments



The deplatforming logic is practical but pretty shaky as a long term strategy. Kiwifarms absolutely may have been a despicable place causing real harm to people. In that case, the police should initiate a request to take them down that Cloudflare or ISPs etc. are obligated to follow. The problem is the government is completely ineffective and regularly offloads their responsibility to platforms like Facebook, Cloudflare etc. A private company should not be making decisions on essentially freedom of speech. It's just one more responsibility that law enforcement has completely shirked leaving others to clean up the mess.


You're focusing so hard on the rights of kiwifarms that you completely forget that cloudflare also has rights. Cloudflare has the liberty of association, and that includes the right to terminate contracts with others who actively harm Cloudflare and its customers.

And if Kiwifarms sending out bytes to the internet is free speech, then compelling cloudflare to send those same bytes is impermissible forced speech.


I just don't think it's ever going to be realistic for a company to be held responsible for everything every customer puts up on the web, because there are millions/billions of them.

The problem is any organized body of people can start a similar pressure campaign against Cloudflare or Facebook or Reddit. It is now their job to be a complete legal system - listen to each complaint, adjudicate who is right and who is wrong, what is ethical or not, and respond. Which websites are allowed to exist, which subreddits, which ads and messages are okay and which aren't..

This is an incredibly dangerous & undemocratic precedent because those companies answer to stockholders not citizens. There is a reason the judicial system is set up the way it is, with elected lawmakers and juries of ordinary people.


> ever going to be realistic for a company to be held responsible for everything every customer puts up on the web

It's good that this is not what people expect from them then. We're still talking about the most egregious examples discussed for years with documented lethal real world impact. Just like they already say in their TOS they would act on.


> It's good that this is not what people expect from them then. We're still talking about the most egregious examples discussed for years with documented lethal real world impact.

So it's a justice system that only gets pulled out in the event of mass social pressure? Is that supposed to be something to be proud of?


The problem with your argument is that CloudFlare didn’t act to benefit ordinary citizens, it acted to protect its shareholders from a material risk to the company. It’s always been the case that businesses have to choose who they do business with and that clients can take their business elsewhere if they don’t like how a company behaves, very much including demanding that other clients are dropped.

Companies started acting like they shouldn’t need to know what their clients are doing only 20 years ago and it’s given us widespread counterfeiting, scam robocalls and DDoS attacks. Of course they want to continue doing it, because they’re making money hand over fist. Doesn’t mean we should let them.


> Companies started acting like they shouldn’t need to know what their clients are doing only 20 years ago

Only _some_ companies, and for obvious reasons: there is good money to be made in shady business. Playing the naïveté card is apparently enough to convince some. But it's just a card, they know precisely why they are doing it, and supporting free speech ain't it.


Then let's go one level closer to the user.

Should ISPs proactively block certain websites to all clients under threat of a group of clients leaving?

I think we want some companies to behave like utilities and be agnostic.


Honestly, there’s quite a few firms that want to have their cake and eat it on this one. Not just internet firms, but credit card companies. And I’m 100% not onboard with that.


"organized body of people can start a similar pressure campaign against Cloudflare or Facebook or Reddit"

Cancel culture is when people assemble and then say things in support of a cause I disagree with- in particular, it's really bad when they petition a company or government to do something I think is wrong. It's more and more common, and it's a real threat to free speech. I think the government should ban it.


To steal a line of discussion I heard on a podcast some time ago—at what point along the chain does this stop being acceptable? In other words, which of the following scenarios are you okay with?

• A data center refusing to host Kiwifarms.

• An ISP refusing to provide internet to the data center that hosts Kiwifarms.

• A power company refusing to provide electricity to the data center that hosts Kiwifarms.

• An ISP refusing to provide internet to the homes of Kiwifarms members.

• A power company refusing to provide electricity to the homes of Kiwifarms members.

• A water utility company refusing to provide running water to the homes of Kiwifarms members.

• A doctor refusing to treat Kiwifarms members.

I don't think I know the answer myself right now.


I am okay with 100% of these scenarios.

If I am a Jewish Doctor and a card-carrying Nazi came in, I should have the right to say "he can sit over there and I will not treat you". And if that causes him to die, that is his fault not mine.

If I am a Jewish contractor for a power company and I enter the home of a card-carrying Nazi, I should have the right to say "I will leave now, and you can sit in the dark until you find someone willing to do the work."

If all the ISP administrators threaten to leave the ISP, leaving them without workers because they are also serving Nazi websites, they should have the right to cut off that internet and tell them to find an ISP with Nazi workers to keep things running. And the same can be true for their homes.

Point here is: If you are a danger to society, society is not obligated to work with you as-is. You can certainly make your argument, but society isn't obligated to accept it.

People think just because they exist, they are owed. They are not owed. They are part of a collective, and if the collective deems they are a harm to itself, the collective will absolutely have the right to refuse to work with them. Think about the converse, would any of these Nazis help out Jews out of obligation to some sort of freedom doctrine? Hell no. They operate in the mentality "right for me, wrong for thee!"

So point is, there is no slippery slope. If you ask should the police arrest Nazis? Probably not, not unless they are breaking freedom of speech limitations. But since the _state_ is not blocking their speech, doesn't mean private citizens have to listen to it.


> If I am a Jewish Doctor and a card-carrying Nazi came in, I should have the right to say "he can sit over there and I will not treat you". And if that causes him to die, that is his fault not mine.

Not exactly. I don't think medical ethics work that way in matters of life and death. For example:

https://www.timesofisrael.com/medics-told-to-treat-attackers...

Israeli medics told to treat terrorists the same as victims

"New rules from Israeli Medical Association require that the wounded be aided in order of severity of injury, even if that means helping assailants before victims"


"If I am a Jewish Doctor and a card-carrying Nazi came in, I should have the right to say "he can sit over there and I will not treat you". And if that causes him to die, that is his fault not mine."

Would you be okay with dying if a doctor refused to treat you based on this post on HN?

Suppose a doctor has strong convictions about free speech, detests cancel culture and is willing to let you die to make a point?


Cloudflare also allows others to remove any website's free speech by allowing illegal booters to use their protection.

Supporting the economy of illegal DDOS-for-Hire by protecting them from attacks from rivals lowers the cost to launch the attacks. That forces many webmasters to use large DDOS mitigation providers for which Cloudflare is the only one affordable to them.

Cloudflare is stopping many from avoiding using them by allowing booter websites and if it wants to play gatekeeper, the website should face legal action as it non-neutral platforms (rather than carriers) are subject to S.230 and allowing illegal website under that would mean losing safe harbor and Cloudflare being seized and its top people thrown in prison.


Oh no, that poor billion dollar corporation that controls over half the internet. What about THEIR rights?


If it is indeed a quasi-utility, then a utility cannot just shut off someone's water or electricity, just because they don't agree with a person's politics or anything else. A utility has to keep serving, unless the person doesn't pay.

I'm personally more on the side that these are utilities, because really, one cannot get by without an internet connection. I mean, why don't we get the electricity company to turn off electricity if a customer is a pornographer or something that they don't like.

As long as a person is paying their bills, a utility has to serve them.

That's how I see it.


The problem here is that DDoS mitigation requires centralization. There aren't cheap alternatives. Same goes for any utility. Would it be okay for Visa to permanently turn off all your current and future credit and ATM cards if you used Visa in an objectionable way, say you paid a meth dealer and then resold at scale? Because it's "much faster" to turn off Visa than to do a police investigation and issue an arrest warrant. Would it be okay for Google to delete your Google account to suddenly cut you off from your Android phone? Would it be ok for an electric company to suddenly turn off your electric service because they suspect you cook meth? Would it be ok for a water company to stop providing water to a building, because a criminal lives in one of the apartments?


Visa et al. already do this for legal business/speech: see Patreon[0], OnlyFans[1], Gab[2]. Payment processing is not regulated as a utility and probably never will be in the States.

0: https://www.vice.com/en/article/vbqwwj/patreon-suspension-of...

1: https://www.protocol.com/policy/onlyfans-visa-mastercard

2: https://bitcoinist.com/coinbase-paypal-ban-gab/


While I strongly agree with your broader point- payment processing is absolutely regulated at close to a utility-level. Congress sets the rates that Visa & Mastercard can charge for credit & debit cards via statute. That's getting pretty close to say electric utility levels of regulation


Even though they aren’t regulated as a utility, they are very highly regulated. The examples you gave are just highly-politicized examples of a now-common standard and practice that all processors operating in the US have been required to uphold (not that it was involuntary) for decades. That’s part of why Stripe and other Payment Facilitator services have exploded: it’s not easy to open a traditional payment processing account, and very easy to get it shut down for seemingly random reasons.

Despite the online fervor over this, payment processors are clearly within their legal rights to shut down payment processing for abuse - even if it is only suspected.


Yes to the private companies and no to the public utilities.

The problem is that you say "used Visa" like it's an inanimate object without its own agency and responsibilities. It's not and as a company it's both capable and has the responsibility of choosing whether or not to be in business with meth dealers.


I like this argument and situation if only because it makes people admit that forced speech is tyranny… but I like it besides that too.


Nope. You just conflated the parent comment with an argument of rights.


> A private company should not be making decisions on essentially freedom of speech.

This comes up a lot and makes me think I’ve misunderstood US free speech dynamics. I thought the USA traditionally limited the government’s ability to regulate free speech, leaving it to private / social regulation. In other words, it was up to individuals, communities, companies and so on to decide what was acceptable.

But perhaps that’s a misunderstanding. Can anyone recommend books or papers to better understand the history of free speech in the USA? I guess The Federalist Papers are often a good place to start?


You’re confusing the First Amendment — a particular law about the government’s requirement to uphold the principle of freedom of speech — with the principle of freedom of speech more generally.

In this context, the First Amendment is irrelevant - it doesn’t apply here; it says nothing about the actions of private companies. Instead, people are discussing the principle of freedom of speech, and in particular the extent to which private companies should be able to limit speech.


A problem arises when those private companies--especially in the aggregate--elect not to do business with you. At some level I suppose you don't need to do business with Google, Apple, Microsoft, Amazon... But most would find it difficult. Maybe add the one ISP you have available.


> and in particular the extent to which private companies should be able to limit speech.

This is incoherent with the idea it's not a government matter. If it's not a government matter, then there's nothing to talk about - Cloudflare can do whatever they like because the law does not bind them otherwise.


We’re not talking about law, we’re talking about morality.


You might be right. I interpreted the parent comment as saying the government should do more and started thinking about the government’s role in free speech.


I don't think it's confusion; the two are inherently connected. How can a law (and its consequent enforcement) dictating some types of speech not play into freedom of speech more generally?

Freedom of speech is rightly often characterized as a core American principle; it's emphasized in civic education, and most of the country will, if anything, overstate what is actually allowed by it. Generally though, I think it does follow the common interpretation; people can say what they want is the default, and courts have carved out specific exceptions over the centuries (libel, public endangerment, etc). Looking at the history of these laws, all the examples I know of started off to be assumed legal, and in specific cases those scenarios were deemed sufficiently bad to now be illegal.

In recent years, we've seen increasing amounts of misinformation that are hard to track down thanks to social media, and so there is now increasing debate about how to combat this. I think there are two parts to this question:

- Does (or how much of) this misinformation constitute a necessary legal response? Put another way, in the context of social media, which depending on platform and settings might not even be fully public, what defines whether something is serious enough of libel or a danger to the public to require legal action against its perpetrators? Explicitly calling for a lynch mob against someone probably breaches current laws, but claiming that Trump should have won the 2020 election probably doesn't (even if the person saying it knows it's false; lying isn't normally a crime!).

- In an online world, how do we enforce these laws? Social media is often anonymous. Should public profiles be required to have verified contact information? How can we track and police international actors? Does liking a criminal post count as a crime? What about a retweet to millions of followers? Given these challenges, there is a push to have platforms take a role in this enforcement, whether through account verification, removal of potentially criminal speech, or other methods.

Both these questions are unsettled. The common person probably isn't thinking too much about the first question, and the courts will mostly hash it out over time. The second one is what gets more public debate.

Personally, I'd say the American enthusiasm for free speech, and wariness of business regulation more generally, make it unlikely to take significant action there, particularly since the big platforms themselves are clearly putting a lot of time into trying to address these things. If Europe creates a legal framework around platform responsibility, the US might follow, but otherwise will probably let the platforms keep working at it. That's just my guess though!


Another parallel to these tensions between free speech, commercial responsibilities and rights is a kind of tension between the ability to be anonymous on the internet (on social networks especially) and the inability to track down dangerous things on social networks and/or prevent them. But - it's not just about anonymity in lies or persuasiveness on the internet.

I love being able to be anonymous or pseudo-anonymous on the internet. At the same time, the ability of people to persuade others of dangerous, destructive lies on social networks is terrible for society. It's not just the US of course, there have been multiple other countries where people were persuaded to attack the 'other' minority group or religion or whatever because they were secretly attacking them.

I'm in the US and social media has destroyed the ability to have some basic agreement on what has happened in the world (such as the issues of the election in 2020). But it's not just social media. It's certain conservative news outlets that push these lies, persuasively!

And I don't know what to do about these problems. I honestly don't see how we as humans will develop a better ability to study what happens and get to a basic understanding of reality - even in the face of conflicting information. My own dad was an EE and a CFO of a billion dollar a year company and now he's fallen into the sway of a certain American network's lies and racial animus. Maybe he was always sympathetic to these views.


This is a modern reappropriation of the phrase, really. There are two issues: what should the government be allowed to do to limit speech (historically, this was called "free speech") versus how companies should be compelled to police or host objectionable content (this is the "new" connotation).

It's unfortunate that these two concepts are often lumped together in online discussions, because they are obviously very different, and many people who would agree with the First Amendment and the classical notion of "free speech" as a restriction on the government could have diverse opinions on the regulation of platforms and how they display content.


I'm also not very familiar, but I understood it differently:

The government did not leave it for the private sector to regulate when it explicitly guaranteed the right in the constitution...


The text better supports GP's understanding:

> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

This is explicitly about what sorts of laws Congress may not pass, and not about the conduct of private citizens or institutions.


Further, the Tenth Amendment:

> The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

Because the Constitution doesn't delegate the power to regulate speech to the US, but rather prohibits it, by definition the power to regulate speech is reserved by the States and the people.


That’s interesting. Would the Tenth Amendment prevent the federal government regulating free speech in the opposite direction, e.g. a law saying “companies can’t do anything to limit free speech”?


> Kiwifarms absolutely may have been a despicable place causing real harm to people. In that case, the police should initiate a request to take them down that Cloudflare or ISPs etc. are obligated to follow.

That approach is fairly easy to work around. Just make sure your site is in a country whose police cannot issue requests that Cloudflare is obligated to follow. For added protection pick a country that your victims are not in, ideally one that does not have good relations with the US or the countries of your victims so there is little law enforcement cooperation between them.

> A private company should not be making decisions on essentially freedom of speech

I'd much rather see private companies doing it than see just government doing it.

Consider a site that is not bad enough to be illegal under current law but bad enough that a solid majority of people think it should be stopped.

If it is only government that deals with these things eventually the law will be expanded to cover that site. We'll end up with an ever expanding boundary on what is illegal. A boundary that will probably be very hard to ever shrink. The law is unlikely to handle subtleties well and will catch sites that aren't actually bad but might appear to be so.

If private companies are also looking at what sites they facilitate are doing and dropping those that they think have gone too far it adds fuzziness that allows the system as a whole (private companies plus government) to deal with the bad sites in a way that isn't as blunt and permanent as making the sites illegal.

Government works best as the last level in a multilayered approach to problems.


I currently work for a Fintech and our investors don’t want to do anything with asbestos companies. That includes asbestos removal companies. Which is pretty idiotic considering these companies are actually doing a good thing. This is the kind of solution that the industry will tend to if it is expected to self-police.


> A private company should not be making decisions on essentially freedom of speech

On the other hand, a private company has limited obligation to uphold what is essentially a government concern ... Unless we start redefining a lot of things related to private obligation.


This particular private company wants to get out of being forced into a role of content moderator for a fifth of the Internet. This is an infinite time sink with no good outcomes for them.

More importantly, this seems to have no good outcomes for us, the viewers. I also don't want Twitter mobs and DDoS-ers to have a say in what I can and can't read.


> I also don't want Twitter mobs and DDoS-ers to have a say in what I can and can't read.

This is honestly what I find the most disturbing about the entire story.

This "keffals" person -- an individual! -- managed to organise enough attention to make all of this happen. From what I understand the argument is based on a threat towards this person, but considering the (public) information they were gathering on them (From what I recall it was stuff like flirting with underaged people, selling HRT drugs via Discord, old sexist tweets, etc.) I don't see why it was not in their interest to pseudo-anonymously have these threats posted themselves. Of course it could just be that some user was stupid enough to post these threats themselves, but I believe the fact remains that "keffals" had more to gain from threats against themselves, since most of what was being posted was perhaps vulgar and certainly impolite, but practically harmless -- more embarrassing for those being "investigated". Just some people with too much time on their hands.

The site is probably going to be resurrected some way, soon enough. I believe hearing that they were considering an onion site. When this happens, I'd be interested to see the post histories of those issuing threats. But of course, since this is a private entity, they have no obligation to look at any evidence that would run contrary to the accusations. Of course this is their right, when considered in isolation, but CloudFlare has become a disproportionately significant player that thinking of them as just another company is rather difficult. In the end this all speaks for the fact that the internet was never intended to work on the scale it does. It is almost a miracle that it appears to do so most of the time ^^.


It’s already back at the .ru TLD with ddos-guard


> most of what was being posted was perhaps vulgar and certainly impolite, but practically harmless

It was this mild but cloudflare took it down?


As I said, "most" of it. Apparently there were bomb threats and people posting pictures from outside "keffals" residence, which naturally is concerning, but at the same time was against KiwiFarms rules.


Here is an overview of some of the terror that was organized from kiwifarms:

https://twitter.com/oneunderscore__/status/15657972205318144...


Yes, the U.S. Constitution protects free expression, so the U.S. government's hands are completely tied on this issue. Even if government officials personally think a site probably facilitates behavior that violates the law, actually taking a website offline, rather than targeting individuals for criminal charges only after they've violated the law, unless that website is owned and operated, perhaps, by an individual who has been found guilty of violating the law, is most likely unconstitutional. This is one of those, "private companies are forced to step up because the state's powers are limited," situations.


If it's not illegal then it probably isn't causing any serious harm, so Cloudflare doesn't need to block it. If it is, say a direct death threat or telling others to harm someone, then it's already illegal and your explanation isn't needed.


Yep. The government is limited in its powers here exactly so that people are treated fairly and loud factions don’t unduly oppress others.


> police should initiate a request to take them down that Cloudflare

Police is executive, not legislative, they can't willy-nilly decide such things.


The trouble of course is that you have a technology enhanced libertarian movement convincing everyone that government shouldn’t be regulating anything except property rights

EDIT: shout out to all the techno libertarian hacker news bros downvoting my critique of techno libertarianism


So he ran a DDoS network that wasn't behind Cloudflare, but used Cloudflare to stop his website being DDoSed by competitors, and this means Cloudflare was helping him DDoS others?

No, it means Cloudflare was helping keep his website up, in a neutral manner.

In other words, exactly what Cloudflare have stated their policy is.

Now if Cloudflare allowed him to run DDoS code on its Workers, then yes, that's Cloudflare helping him.

Very false equivalence.


> No, it means Cloudflare was helping keep his website up, in a neutral manner.

I think it's more subtle than that. It was keeping his website up to make a profit. It benefits Cloudflare to have powerful, well run bot networks out there ready to take out any site which does not have Cloudflare's protection.

Yeah, it's a neutral manner on one level, but at a higher level it's a bit more nuanced.


I feel like that's assuming a lot about Cloudflare - what evidence is there of such Machiavellian manoeuvres on their behalf?

Would it be impossible to run DDoS as a service for profit without Cloudflare? People were doing fine at just that before Cloudflare ever existed.


> Would it be impossible to run DDoS as a service for profit without Cloudflare?

Quite frankly, yes. Before CloudFlare won the race to the bottom, you'd have to front thousands of dollars per month for bulletproof DDoS shielded hosting to get started.

There is a finite amount of DDoS-for-hire business that used to keep itself in check because they were constantly throwing attacks at each other raising everyone's "cost of goods sold" so to speak. By protecting these providers' shops and ignoring abuse complaints CloudFlare helps more of them stay in business increasing the frequency and size of attacks needing to be mitigated.

I do not believe CloudFlare really thought this out. I believe it was a happy accident.


> Before CloudFlare won the race to the bottom, you'd have to front thousands of dollars per month for bulletproof DDoS shielded hosting to get started.

Before Cloudflare there was decent DDoS protected hosting available for low hundreds of dollars per month, you didn’t have to pay prolexic.


Cheers :) Happy accident makes a lot more sense than "deliberate policy".


These defenses of Cloudflare's behavior are getting very silly. Is there anything that Cloudflare could protect that you wouldn't be OK with? Because a DDoS-for-hire service is illegal, unethical, and contradictory of Cloudflare's stance that "cyberattacks, in any form, should be relegated to the dustbin of history."[1] Most importantly, it should be obvious to anyone that a company that has a purported goal of protecting its customers from some harm should not also be attempting to facilitate that same harm.

[1] https://blog.cloudflare.com/cloudflares-abuse-policies-and-a...


I don't really give two hoots about Cloudflare, I just don't like false statements, like when "Cloudflare helped me run a DDoS network" actually means "Cloudflare kept my website from being DDoSed", with the addendum "and I'm bad, therefore, not protecting KiwiFarms is hypocritical."

It's just dumb.


It is like renting a storefront in a mall and selling goods stolen from other shops in the mall. What the storefront is doing is illegal, and offering them free rent hurts the other legitimate shop owners in the mall.

To extend the analogy, the mall also refuses to tell the other store owners who owns the shop so they can take legal action. (Cloudflare quite famously will just forward your complaints about hosting illegal services to the service themselves)


You have admitted in your earlier comment that "Cloudflare was helping keep his website up." You are saying that "Cloudflare helped keep his website up" does not logically imply "Cloudflare helped me run a DDoS network".

Even if you genuinely believe that, how are you confident enough that people generally share your interpretation of what constitutes help to call the statement in question "false"?


Following this, their ISP, their electric company, their server hosting location, and presumably their government (with their monopoly on violence) also helped them run a DDoS network.

What's next, is the landscaper helping run the DDoS network because they cut the grass outside so people can access the building better?


The most important factor to consider here is knowledge.

If it is the case that Cloudflare provided services to this website with full knowledge that it was a DDoS-for-hire service, which seems likely, this would significantly increase their culpability. This may also apply to the server host, if the server host directly worked with them.

I find it difficult to believe that the ISP, electric company, or government knew of the actions that this DDoS service was taking, and how their own actions benefitted them, since these entities are so far removed from the DDoS service. But if they did have knowledge of what was happening, of course they would be culpable to some extent.

I also disagree with the implication that we have to make a black-and-white judgment of "they helped" or "they didn't help". Depending on the extent of involvement, a third-party can have varying levels of culpability in the DDoS service's actions.


> with the addendum "and I'm bad, therefore, not protecting KiwiFarms is hypocritical."

That is not how I read it at all; I didn't read a strong conclusion in the article one way or the other, but if anything I would say it's "if you kicked off KiwiFarms, then why not all the DDoS services?"

But most of all, I think it's a nice example on how "being neutral" is actually quite tricky around the edges.


> with the addendum "and I'm bad, therefore, not protecting KiwiFarms is hypocritical."

Is that the takeaway people have from this article? My reading wasn't that the author is advocating that Kiwi Farms should have been left up. They're asking for DDoS sites to be added to the ban list.

The "hypocrisy" that they keep bringing up is Cloudflare's claim that inaction in these instances is a neutral stance, and that in actuality Cloudflare is an active participant in helping these sites stay online.


It could be argued that the website was an integral part of the operation, presumably for getting clients, or advertising the services. Even if the website itself or Cloudflare don't do the DDoS themselves, it's still something that's presumably important.

This kind of pedantic reasoning could be applied to any forum: the forum software doesn't do any active harm to anyone. It "only" serves to coordinate the bad actors.

Just like the DDoS site does. So, how is it different?


This article seems to have been posted to make a false equivalence with the current Kiwifarms situation. There’s a pretty clear difference in urgency between taking down DDOSers and deplatforming a forum that is a gathering point for a mob engaging in mass harassment, stalking, and SWATing. One is a nonviolent crime. The other is a crime targeting an individual that had already escalated to the point of a high risk of violence, with no sign of slowing down.


Cloudflare still protects all those forums which harm people. Kiwifarms is the only one which was sensationalized by the twitter crowd.

Look at crime.to. They still send bomb threats [1], exchange stolen credit card data [2], harass people to the point where they lose their houses [3] (SWATing, breaking into their house and much more included), and probably more on a daily basis.

Still protected by cloudflare. Pretty hypocritical if you ask me.

[1] https://archive.ph/mOBGB

[2] just browse the forum

[3] https://www.merkur.de/bayern/nuernberg/drachenlord-youtube-w...


While working in security, about 80% of attacks were hidden behind Cloudflare. And guess what... they were never bothered by my complaints.


This is a good thing. We have to worry once this is no longer the case. Meanwhile tell your clients to stop calling eval on user input.


What is hypocritical? I'm sure there are many sites that I'd like to see Cloudflare take down. If I don't list every single one of them is that hypocritical?

Kiwifarms just comes to mind for me because someone I know killed themselves and the site took a serious role in that. I'm sure I'd be disgusted, and advocate for the takedown of, many sites.


There's something very wrong with the game community.

I've learned enough during stupid internet fights I have had on reddit to never continue a conversation with an avid gamer, no matter the subject. Stories like this one you linked to on merkur.de (read via Google Translate, but I think they got it right) confirm to me that that was the correct call.


I've been playing more games online lately and I've found two things:

1. Lots of really nice people. I just spent an hour playing a game with a man in Brazil and we used Google translate to chat and teach each other our respective languages while we played.

2. It's actually really easy to get angry. Like, I'm an adult and even I have to be like "hey it's a game chill" to myself - I've never blown up at anyone but... holy shit, it's kind of insane how bad some people are lol. And it's frustrating. Like go to the objective, the game is literally blaring that you should go there, why are you going elsewhere????? over and over again.

With regards to gaming it's just a sort of "worst case" for human collaboration. It's fast paced, high pressure, and communication is both the most important part and also by far the hardest. It is absolutely no surprise to me, whatsoever, that anyone who plays a lot of video games might get angry easily.

Also, as someone who grew up very "on the internet", there's a lot of bitter and angry people out there. They're kind of relatable in a way. Like the whole "I want to fucking die" meme is sort of a meme but also sort of real and relatable, but when you smash that into your brain every day it stops being a meme, and I think that's the case with most irony poisoned internet discussions.


Why game community?

It's more like all of the world enjoys games, including these sociopaths.

You are chasing a red herring.


> Why game community?

At some point you have to blame the community itself, that example OP linked to is not an isolated incident, unfortunately.

Later edit: This [1] is a very sick and not ok community, a very sick one. Harassing a person in his own village, in his own house, on the streets of his own physical community, it's not ok. I didn't know who that Drachenlord person was until seeing OP's link, I'm left wondering how come all of that is legally possible, how come those persons that physically harass him are not in prison by now.

[1] https://youtu.be/-__r5B84Ymg?t=488


I think you have to be really in denial if you think that, on average, gamers are not a more toxic community than others. I think it's not that video games make people bad or something like that. But you probably have some demographics - like young men, for example - who have a lot going on in their lives and aren't always well equipped to handle it. The internet desensitizes everyone and I think that that can be a really bad mix with some people who spend time online and might have a hard time in their actual lives.

Online harassment would presumably be cathartic for some of those people. People lash out for a reason and this is just lashing out at scale.


This can be generalized to any passionate interest community. Like body builders. Young men will be toxic. You just see gamers more because they spend more time on the internet by default.


Being on the internet more is a key factor when talking about toxicity on the internet.


crime.to is a bit different in that the owners and moderators themselves are involved and eventually get caught, whereas kiwifarms love to pretend it's merely a gossip site (even if people on it are not notable and the conversation exceeds gossip quite often). It's more the spiritual successor to 1337crew or carders (the latter of which had a policy of all staff using names of Greek OR Roman gods - sometimes duplicates, which tells you all you need about it)

Also, Drachenlord is being harassed from essentially every German speaking website that doesn't have good moderation policies (hi pr0gramm) or doesn't enforce them (hi twitter); crime.to is not really the flashpoint. He also has a thread on Kiwifarms that's quite active.


I was active quite a lot in that scene a few years ago. The dude who threw eggs at drachenlord was someone from cnw. The dude who broke into his house was from cnw. BasedGod was from cnw too (he’s fortunately in jail today).

But yes, the userbase of cnw and pr0gramm is overlapping. But pr0gramm is at least „only“ allowing bullying. Not the hard stuff such as actual murder, trading narcotics and your grandma’s credit card number + ID. And yes, cnw is way more ruthless than 1337crew ever was.

Anyway, I wanted to point at this because cloudflare said they took KF down because they felt like legal enforcement wasn’t moving fast enough. CNW destroyed lots of lives too and it isn’t a secret that a few of cnw’s users are well connected to rocker gangs which pull off murder for hire.


Twitter hosts Antifa types who use it to recruit and coordinate political violence. Takes about 2 minutes to find an example, so they clearly don't moderate this stuff:

https://nitter.net/zelda_in_black

Let's disconnect Twitter from the Internet!

The same people gravely concerned about an infrastructure website being neutral are perfectly fine being on a social media platform that's used for coordinating all kinds of sketchy shit.

"Whataboutism!!!" is the only reply one usually gets when pointing it out.


None of that is recruiting and coordinating political violence. It's hyperbolic and absurd but the only thing any of the posts in there proposed is for people to get armed, trained, and organized. I see posts like this from their political opposition all the time. Neither is organizing or coordinating violence and neither is remotely illegal or threatening.


There are posts about specific events and dates on that Twitter feed. And it's just a quick example I found in 2 minutes, one of countless such accounts.


He’s right you know. Let’s not forget all the evidence of CP reported [0] [1] [2] that Twitter has failed to remove and they seem to have a problem taking it down and hosting it and allowing this CP content to spread is illegal.

No outrage here of course, even when the fact is that it is all true.

[0] https://www.aljazeera.com/news/2021/6/30/india-twitter-kashm...

[1] https://www.courthousenews.com/judge-rules-twitter-can-be-su...

[2] https://www.bloomberg.com/news/articles/2021-08-20/twitter-f...


> a forum that is a gathering point for a mob engaging in mass harassment, stalking, and SWATing

I keep hearing this allegation but it seems to be supported only by a poorly sourced twitter thread[1] and some articles that dance around the issue. How do we know this, especially the swatting?

And why isn't law enforcement stepping in? The operator is an American afaict. It's not like he's some bond villain living in a cave on the other side of the world.

[1] https://twitter.com/oneunderscore__/status/15657972205318144...


You can go look at the forum yourself at https://kiwifarms.ru/ (WARNING: DO NOT DO THIS IF YOU MIGHT BE ONE OF THEIR TARGETS! This would be EXTREMELY bad for your mental health!)

You'll struggle to find swatting, organized harassment and non-internet stalking, but you'll see plenty of extremely unpleasant comments. If you were a kiwifarm target... well... see my comment above.


> How do we know this, especially the swatting?

Out of all things, I think the swatting is the most easily believable. Swatting is commonly done to streamers, such that I am not surprised at all that it would be used for targeted harassment.


> And why isn't law enforcement stepping in?

Because 1) they have limited resources and must prioritise and 2) American law enforcement seems to have a distinct lean towards the transphobic / homophobic / white supremacist / right-wing, etc.

Just because something is not being actively policed does not mean it's not an actual crime (cf motorists running red lights for an easy example.)


Traffic violations are actually policed pretty closely because it's a source of revenue. High tech is employed to identify drivers, and even some shady tricks like shortening the yellow light. So it's not a good example.

Regardless, it's a public forum(?), there should be tons of evidence if they routinely instigate swattings.


> Traffic violations are actually policed pretty closely

I can stand on the main road where I live in London and see 100+ violations an hour with no enforcement.

> So it's not a good example.

Perfect example if you're in London, though.


Can you also skim Kiwi Farms and find at least a few of these supposed swattings?


Traffic enforcement varies widely. Larger jurisdictions here in the Pacific Northwest seem to not enforce anything outside of parking rules in paid areas.

Meanwhile some neighboring suburban jurisdictions come down harshly on passersby, even when the stop was unjustified and no crime occurred.


How does one reconcile the idea that KiwiFarms is guilty of unspecified crimes that threaten lives and require emergency intervention, but also those alleged crimes aren't urgent enough that authorities would prosecute them? Is that entirely handwaved by calling the whole of U.S. law enforcement "transphobic / homophobic / white supremacist / right-wing"?

As this submission shows, cybercrime is prosecuted in the U.S.


> As this submission shows, cybercrime is prosecuted in the U.S.

You're missing the qualifier "some" before "cybercrime".


DDOSs can have more impact than you think. Such as taking down hospitals and the war in Ukraine. Not really sure which one can be worse though...

https://www.radware.com/security/ddos-experts-insider/ert-ca...


Precisely, once human lives are in extreme danger, it's a different situation


DDOSing is illegal, any illegal content on KF is quickly removed.


I think this is becoming increasingly common for Cloudflare which sets a bad precedent. They can scream however much they want that they don't want to make these decisions nor do they like to be put on the spot but it doesn't save them from the backlash of being a "curator of the internet".

Moderators get the worst backlash everywhere in the world. The only difference is that Cloudflare continues to refuse the fact that they have quite a lot of power over whose traffic they let through. When you, basically, govern 20% of internet traffic you must take the responsibility for it as well.

This article is a nonsensical shout in the air. Cloudflare, like Google, is not looking over every single request that goes through them. They take these actions after enough noise is raised to highlight the issue. The problem is that Cloudflare will become prone to bullying.

What I mean is that if I have a good number of fanatic followers, I can raise noise against a rival platform and get Cloudflare to, at least, scrutinize it and, at worst, deplatform it. Cloudflare will need to set in place some policies to protect themselves from this.

If Cloudflare does this kind of thing enough times, they will unintentionally become a policing force. That's really not a good place to be in for a business.


JUST ONE SINGLE NOTE:

Cloudflare is a private company responsible for a product that they sell which they can choose not to sell to someone, as is any company's right.

The Fire department is a public sector entity, funded by our taxes, and we don't have any choice in which fire department we choose.

Anyone can come up with a cloudflare competitor for nazi materials, they have all the ability, money, and ability to build out data centers. All they need to do is to find people willing to build/fund it all. And it turns out those leading the charge don't know how to run a good business, and don't want to put money in, and can't find talent willing to work for them.


There already is one in Russia called DDoS Guard. They're collecting all the nazi sites under their umbrella lately


And there you go, and if DDoS Guard is not sufficient for your traffic in say... the United States... Well you can certainly pay DDoS Guard a couple of hundred million to expand into the United States. I'm sure your lord and savior will happily foot that bill (/s).


How is that not an indictment of basic internet infrastructure such that basic freedom of association has tradeoffs with needing to pay protection money to anti-DDoS companies in order to stay online?


Am I missing something or does everyone here unironically believe that Cloudflare should be punished for kicking a customer off? Because your comment has absolutely zero relevance to the point made by the article.


I feel that a lot of people do. :shrug: maybe I am wrong. If so I hang my hat in shame.


> As the infrastructure provider for over 20% of all www traffic traversing the internet today, CloudFlare is in a position to enforce its beliefs on a global scale.

> Who interprets what qualifies as hate speech?

Exactly the issue. We should not give “activists” a free pass on this one. I wonder now which one(s) of them will commit the crime of actually DDoSing KiwiFarms. We probably will never know.

Vigilante “justice” is problematic because it leaves room for people to harm others without proper evidence of wrongdoing. Mind you, I’m in no way denying that Kiwifarms are reprehensible, but there are people out there claiming that KF is literally causing people to die, which I’m wondering where is the evidence of that? If someone is suicidal, one of the better ways to help them is to (among other things of course) make them understand that they have power over their circumstances by telling them that they are responsible for their actions. Claiming that some internet bullies can cause you to kill yourself is not helpful, nor is it true.


> Vigilante “justice” is problematic because it leaves room for people to harm others without proper evidence of wrongdoing.

Isn’t this exactly what the people at KF were doing? Only instead of trying to get a website kicked off the internet, they were trying to get people fired from their jobs, weaponizing the police, trying to drive people to suicide. And not in the service of any sort of justice, but for entertainment. That is sick and it is evil.

They should absolutely be shunned and ostracized for their antisocial behavior. Free speech means that other people have the right to show you the door if you are acting like a jerk.


This article is not very articulate on the point, but goes to the real touchy point with the Kiwifarms decision. Based on what I know it seems Cloudflare made a good decision, but:

1. The internet is vast.

2. Figuring out what someone is doing on the internet even if you did somehow have full transparency over the data they send/receive is hard.

3. Any policy of intervention is going to leave behind a stream of poorly prioritised actions that are highly questionable.

4. Just because we see something doesn't mean it is there. It is usual for the first impressions to be wrong. Often even after researching an issue thoroughly.

I don't think there is a free speech issue here, but I do question whether Cloudflare has the motivation or capability to actually execute a policy of policing the internet fairly. All the pressure is going to be to police the internet for specific political goals.


It's a great argument against the scale that cloudformation has, and regulation would help.

If you can't figure out that one of your clients is doing these bad things, you shouldn't have so many clients


> It's a great argument against the scale that cloudformation has, and regulation would help.

Agreed. It's very annoying that such services like ddos protection have an ever-growing scaling advantage (because the sizes of ddos attacks grow).

> If you can't figure out that one of your clients is doing these bad things, you shouldn't have so many clients

What kinds of entities would you extend this to? I would guess you wouldn't say the same thing about hardware stores (which sell dangerous tools).


(2) doesn't seem important. This problem is easy - take down kiwifarms. No one is asking for Cloudflare to take down 100% of every single site that may or may not be classified as "bad" - they're asking for this one site to be taken down. Maybe even some others, too. There's a huge grey area of "bad", but there are also plenty of sites that very clearly fall to one side or the other. Solving "grey" is hard, solving kiwifarms is not.


> No one is asking for Cloudflare to take down 100% of every single site that may or may not be classified as "bad" - they're asking for this one site to be taken down

Who are they?

Why are Cloudflare listening to this "they" instead of all the alternate "they" who object to alternate sites? There is some group organised to go after every "bad" site and a lot more besides. How do you even know that they've correctly identified Kiwifarms as a problematic site? Are you a Kiwifarms regular to be so sure about how it works?

Cloudflare have already banned the Daily Stormer and I can find people who are willing to call ~30% of any country neo-nazis with a straight face, so it isn't clear what the boundary is here. They certainly don't agree with your boundaries for what is "very clear", unless you happen to be posting on behalf of the Cloudflare CEO.


> Who are they?

People. Me. Others. I don't have a list.

> Why are Cloudflare listening to this "they" instead of all the alternate "they" who object to alternate sites?

They're presumably listening to both? I don't understand the question.

> There is some group organised to go after every "bad" site and a lot more besides. How do you even know that they've correctly identified Kiwifarms as a problematic site?

Because there's a long history of documented problems.

> Are you a Kiwifarms regular to be so sure about how it works?

I don't understand why that would be relevant. Again, long documented history.

> Cloudflare have already banned the Daily Stormer

Right, the Daily Stormer was a self-described site for neo-nazis.

> I can find people who are willing to call ~30% of any country neo-nazis

Irrelevant.

> They certainly don't agree with your boundaries for what is "very clear", unless you happen to be posting on behalf of the Cloudflare CEO.

The first half of this sentence doesn't go with the second half.


>> Who are they?

> People. Me. Others. I don't have a list.

>> I can find people who are willing to call ~30% of any country neo-nazis

> Irrelevant.

I mean, the vibe I'm picking up here is they are the ones who decide, but not them?

Who are these they?

> I don't understand why that would be relevant. Again, long documented history.

There is a long documented history of the US being the Great Satan, or technically Shaytân-e Bozorg, based on a long history of documented problems. I'm not sure how to communicate with "them", but how do we make the call on whether "they" agree or disagree with that epithet? Pretty open and shut case I suppose, the US has done some pretty evil things as a group. Do "they" have a preference for booting the US or Iran off the internet, or are they sanguine about this and only worried about micro-scale harassment rather than macro-scale problems?

Things are done that are substantially worse than what Cloudflare has just acted on. And I suspect "they" will agree on a lot of it. And be wrong on a lot of it, because "they" are famously unreliable sources of information. Why aren't they going to act on all that stuff? It would be irresponsible to ignore it.

I don't think your stance is fundamentally workable, and suspect it hasn't made a serious attempt at engaging with the sheer diversity of human experience and perspective out there. Particularly when it comes to in-groups redefining words to shut people in other in-groups.


You're focusing a lot on "they", and I don't really get why. You can instead focus on the argument being made and at that point it'll be a lot easier to engage. If you're trying to say that we shouldn't make decisions based on the feelings of vague interest groups, ok, but I wasn't making the argument that we should.


Your argument seems to be that it is possible to characterise an extreme site in some sort of systemic manner.

But your argument has a gaping hole in it - you haven't identified what that systemic manner is. You initially started with a "well it's obvious to all of us" point. That is a poor foundation, because you literally can't identify who "us" is. And you don't have a counter to numerous groups - also part of this "us" of humans who make decisions - who simply don't agree with you on basic things. Which is likely to include whether Kiwifarms is an acceptable site.

The little handwave where you appeal to what we all know may seem minor to you, but that is literally the failing point for the entire strategy of benign censorship. You've missed something important here to the point where your argument is basically collapsing - the world is a lot more diverse than your frame and argument are able to deal with.

You also haven't articulated how you know so much about Kiwifarms and what actually happens on the site. I suspect you've read a few articles by people you feel are credible, or noted a mob forming and decided that mobs don't form without a good reason. If either of those is the case, let me assure you that we disagree about how easy it is to get to the truth - because that is not enough evidence for me to feel confident Cloudflare will get an 80% hit rate with their strategy. Mobs and journalists are both really bad at getting things right.

Now I do think it is acceptable for Cloudflare to occasionally boot good actors off the internet for no reason, but the point stands - they are wading in to water where they will make regular mistakes, and those mistakes will start to take on a political tinge as the radicals amongst us notice that they can get away with a few "mistakes" and silence people they find intolerable. Plus if they're going to start booting people they're going to have to justify themselves a lot more - there are worse than Kiwifarms out there.


> Your argument seems to be that it is possible to characterise an extreme site in some sort of systemic manner.

My argument is exactly the opposite. That there are lots of grey areas that can not be categorized, but Kiwifarms is not one of those grey areas, as Cloudflare discovered when they started getting dox'd by KF. There's no need for a system here, KF is very squarely a horrible site.

The rest of your post with regards to my argument is obviously moot since it is the opposite.

I am very familiar with KF and have been for quite a few years. I actually haven't kept up (much) on KF in recent years, but I saw that people were pushing for its removal and I was very glad to see it.

As for other sites being "way worse", there are a few... but not that many, actually. Most of the really bad sites are relegated to onion and are much harder to access. Those are really more of a problem for the FBI at that level of shit. I'd advocate for them to be taken down too, of course, if they were worse and also using CF or other services.


> they are actively lighting these fires and making money by putting them out!

A bit of an odd take - it's like the fire department putting out the fire at the known arsonist-for-hire's house, and the police chief happens to run the fire department while doing nothing about the suspiciously wealthy arsonist.

The difference is that Cloudflare isn't an actual public service and has no obligation to DDOS protect anyone.


A simpler example: AWS hosts fakeLVbags.com. This site sells counterfeit luxury handbags, and says so clearly on the site.

Now AWS does not realize this as they are large and have lots of operations.

However, one day a journalist asks Amazon directly about this website, and there is an official press release by Amazon made about it.

AWS has had this illegal activity brought to their attention, as well as the fact that they are facilitating this activity. They openly acknowledge the site existing.

Legally this is very different from not knowing about what is going on! Not only does Amazon in this hypothetical know, they have admitted publicly that they know!

So… now to Cloudflare. Did Cloudflare, experts in this domain, not know about these DDOS vendors? And did not realize they were offering protection to those? Maybe not! But maybe. And knowing makes things a lot worse for them. Especially if Cloudflare connected the dots internally about the usage for illegal activity. But! CF simply might not have known, or had a complete picture. Or anything in between.


A DDoS Protection company doesn't know what the state of the market is? Really? Feigning ignorance on this matter is not very honest.

Your aws story is completely irrelevant since AWS doesn't sell counterfeit luxury handbag insurance. Would you argue amazon webstore doesn't know about fake products in their marketplace?


To be clear I'm not trying to defend Cloudflare. The sort of generous interpretation is that even if CF understands this at a high level that doesn't necessarily lead to them knowing where these services are and which companies they are hosting that have this (though ... honestly, for B2B services like CF it feels pretty reasonable to at least do the vaguest sanity check)


The issue (I believe according to the author) is that Cloudflare is now choosing to withhold protection for Kiwi Farms, taking a moral stance and should be more responsible for other moral obligations or none at all. IE. Should they stop providing protection for more sites? When is the next Kiwi Farms?

I don't agree with the author because it is still early (and the author might be putting Cloudflare under pressure for some personal gain in some rhetoric), but these questions are interesting and are part of the cancel culture we are seeing more of.


As they mentioned in their article on Wednesday, cutting service to site A means that they're going to get a lot of angry people and/or governments wondering why they could dare to provide service for the equally vile (in their eyes) sites B, C, and D. They've just exacerbated this situation.


The problem is that demand for Cloudflare services is furthered by allowing illegal booters. If those sites were not protected by Cloudflare, they would attack each other offline. That would be the death knell for most DDOS-for-Hire operations and the few remaining would raise prices, making it nearly impossible for a single person to boot others offline.

By allowing the attackers to use their services, while deciding other websites are not allowed to, Cloudflare is removing others' freedom of speech.


Political neutrality is important for the tech industry. I appreciate Cloudflare trying its best to be neutral. When harm is done, the fault lies at the feet of the perpetrator. Blaming their utility company, hosting provider, DNS registrar, grocer, butcher, barber, etc. is lunacy.


In the US at least, the getaway driver is to blame even if all they did was drive a car and receive payment for their driving


Sure, but what about the company that they rented the car from? Or the company they bought car insurance from?

In the eyes of the law, the intent of the person is often (not always) extremely relevant.


> Sure, but what about the company that they rented the car from? Or the company they bought car insurance from?

I expect if they said "I want to rent a car to use as a getaway vehicle for a bank robbery" whilst standing next to a TV showing a picture of them committing a bank robbery, yes, the rental company would have some culpability.


Did Cloudflare's customer tell them they wanted their services for DDOS?


By the nature of how Cloudflare works, you have to provide them with your domain name and the content of your website.

See if you could come up with a simple regular expression to deny services to these well known DDoS providers that are actively using Cloudflare:

CryptoStresser.com Instant-Stresser.com FreeStresser.so StresserAI.com Booter.sx Flystress.net Bootyou.net


Say you go to a bank to get a loan, and you give the bank your details, including your address. The address you give is in a notorious crime-infested neighborhood. Does the bank have the moral obligation to deny you a loan, in order not to support criminal activity? I mean, they most likely will. However, most people instead like to attribute this behavior to banks being racist. Are you saying that this should instead be mandatory for the banks to do?


If you were getting that loan to buy a house to use as a base of operations for harassing people in the neighborhood, the bank would rightfully deny your application.

You're strangely trying to tie this to someone simply living in a high-crime neighborhood. It's racist to deny a qualified person because the neighborhood is "high-crime" because often neighborhoods are high-crime because they're also over policed (which increases crime stats). In your analogy, the person isn't a known criminal, and isn't more likely to commit crime simply by living in an area that has a higher crime rate.


I’m using banks denying a loan to a high-crime neighborhood address as an analogy to explain why it’s also bad to deny hosting or service based on the domain name alone. It’s basically the Scunthorpe problem.


It's not being based on the domain name. KF was created with the intent of harassing someone, and has continued that to harass people both online and offline. The content on the site is hate, and the content occasionally includes illegal activities.


Even if they take an unsuspecting taxi?


Exactly as expected. The more websites CloudFlare bans, the more its reputation will sink, the more enraged and demanding the pro-censorship mob will become.

I note this one more time: almost no posts talking in favor of banning stuff here specify any objective limiting principle of where it should stop. It's like an exercise of deliberately creating a slippery slope.


The slippery slope is banning DDoS-for-hire sites?

This is like complaining, "if Apple removes hate speech from its app store, then next people will ask it to remove malware."


But Brain virus, the slippery slope isn't real. It's a fallacy /s


Twitter seems to be the social lubricant that makes all slopes it touches slippery. It massively accelerates social change and was basically the only place the KF story ever gained any traction at all. It's hard to overstate just how powerful that site is in the USA.


How do we prevent DDOS without centralized services like these? There has to be something.

It would be nice if these attacks were blocked before they even get to a transit provider, but cheap server / VPN providers seem unmotivated to try to solve the problem (since they barely lose any money when they facilitate the DDOS, and/or the attacking devices are rogue IoT devices and booting them would mean booting legitimate customers who don't know the first thing about auditing their network for compromised devices).


Transfer away from HTTP and DNS. Use something like global NATS clusters for content delivery. Make sure there are many providers.

Problem is, this is not what Big Tech actually wants.


Thinking out loud: Maybe by decentralizing the things being attacked? AFAIK it's much harder to DDoS a torrent than a website. Of course, moving to p2p/decentralized websites would require solving a number of other problems.


Trust, we prevent DDOS with a trust system between nodes.

But this would put Cloudflare out of business so...


There's a Dutch co-operative between many big and small ISPs and hosting providers called "Nationale Beheersorganisatie Internet Providers" who provide a service for their members called "NaWas" (Afterwash?). Any service provider can choose to route their traffic through there in a matter of minutes.

It's not as broad and sophisticated as Cloudflare may be, but at least it's not one big centralized entity all the time, it's only activated as needed and run by a co-op, basically.


Pay per packet.

I remember maidsafe was working on this for many years without much success. Then they got into crypto for micropayments a decade later and it all got a bit messy. Not sure how the project is doing these days but it was a solid concept at heart.

https://maidsafe.net/

> legitimate customers who don't know the first thing about auditing their network for compromised devices

An IoT device not suddenly working is a good signal to endusers that it is compromised and being used illegally.


So you want to put everyone on a metered internet connection?

And then hit them with massive bills if they have a device that gets hacked?

Seems unreasonable given the current state of security.


If you don't hold people accountable for their devices, what reason do they have to care about that security?


I think that it's morally wrong to push the burden to end-users. If anyone should be accountable it must be the companies producing the devices and software.


End-users would likely end up in large class actions against the manufacturers in such a hypothetical situation.

While turbulent for a brief moment it would be a strong market incentive for those who pump out insecure devices to change their ways.


That was not how the airlines were (very successfully) secured. It was by government regulations.


Was referring to a separate network if you briefly care to check the link I posted. DDOS'ing becomes a very costly endeavour, site owners don't need third parties to step in.

> And then hit them with massive bills if they have a device that gets hacked?

A ddos botnet uses very little bandwidth in total for the individual, but yes someone should pay and there's certainly far worse things that can happen if they weren't made aware of a compromised device.

At some point global society has to decide whether we just employ more body scrapers to clean up the mess or stop letting people drive as drunk as they want on the roads. Cloudflare is the former.


> An IoT device not suddenly working is a good signal to endusers that it is compromised and being used illegally.

Given the overall quality of cheap electronics, if I had a camera on the fritz, even knowing what I do, the last thing I’d suspect is that it’s been compromised.


We dismantle the service providers that provide cover for the forums in which DDoS attacks are advertised and purchased, like Cloudflare themselves.


What a weird argument.

Cloudflare is like a fire department that still fights fires in the homes of known pyromaniacs. Whether or not they set the fires themselves is irrelevant to the job of the fire department, if someone needs to stop them it’s the police.


Not pyromaniacs necessarily but definitely “firestarter for hire”. Also a fire department that can scale and is paid privately. More fires mean more business.


More fires mean more business, but that’s kinda irrelevant to the goal of the fire department, which is to prevent burned out houses.

If the police never does anything about the firestarters for hire, it’s a bit hard to see how that would be the fire department's fault (and certainly not something they should solve by not fighting fires any more).


Or they are like an insurance provider that doesn't consider the risk of a particular client. That is good for growth but not ideal in the long term.


What's at the heart of the entire Cloudflare situation is this discussion around the platform's alleged neutrality.

I do not understand this at all. If I run a business, and I see that unambiguously bad actors namely abusers, criminals, stalkers, harassers or whatever use my services to facilitate their actions I have a very clear ethical obligation to step in. I don't go "well the law isn't here, it's not my problem". Making money off unsavory individuals, metaphorically selling both shields and guns at the same time is unethical. Dodging that responsibility is moral cowardice.

The law isn't in every place, it's slow as hell and dysfunctional anyhow in some jurisdictions in particular but that's no excuse for inaction when it is within one's power to prevent harm. It should be that simple.


It really depends on the business you run. If you run the local electric company, and you read in the paper that some guy in your service area has been doing terrible things, do you turn off his power? Cloudflare sees their anti-DDoS services as a similar infrastructure-level service, and while you might not agree with that (I'm not sure I do either), it's not immediately unreasonable.


Is CF a utility in that way? I think you can argue that their DDOS-mitigation might be.

But that comes with the additional benefit of hiding the origin. This resembles a post-forwarder service or a bank that knows the customer's real identity, but provides a way for them to conduct business without exposing it. Is there a good-faith argument that this service is a public utility and should be provided even if the customer is using it for criminal activity?

If someone used FedEx to run a fake pharmacy and deliver fake medication to people while staying out of reach for law enforcement and regulators by using a FedEx-provided return address, would you say that FedEx should enforce their T&C and shut that customer down?


In that hypothetical I'd grant that the answer is clearly yes, but it's not obvious to me how DDOS mitigation would help a company stay out of reach of law enforcement or regulators, unless Cloudflare is refusing to comply with subpoenas for customer information.


For most of the world, that's what it does: it only answers to US courts [1]. I'm sure you can imagine that this will only be a way for major crimes (murder, maybe, state level espionage and large scale ransom ware attacks, probably), essentially shielding all the common criminals like DDOS-for-hire from prosecution outside the US.

From their policy:

Cloudflare has long held the view that non-US governments should have to follow the same due process requirements to obtain any records about our customers. A number of US laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without US legal process. While there may be situations in which it might be appropriate to provide basic subscriber information in response to non-US legal process that complies with principles of due process, we generally believe that the best way forward at this time is for governments outside the United States to issue requests to us through a US court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request.

[1]: https://www.cloudflare.com/trust-hub/law-enforcement/


If SWATing is the weapon of choice for harassment mobs, then fix that first.

Note that this particular SWATing wasn't in the US, it was in Canada -- so it's not necessarily even a uniquely American problem.


> If SWATing is the weapon of choice for harassment mobs, then fix that first.

How do you counter this weapon? Obviously you have to break the kill chain, but which part?

1. A target is geolocated; this is impossible to prevent if the target shares this information about themself freely.

2. The attacker makes a phone-call to emergency services, likely but not necessarily using a method they believe will anonymize them. Is it technologically feasible to close anonymity holes in the phone system? Should 911 calls from anonymous numbers be null-routed?

3. The attacker needs to persuade the emergency operator that an armed police response is necessary. This is theoretically possible in any country that believes armed police responses are sometimes needed, even those in which police normally patrol without weapons.

4. The armed police response will probably fail to kill the target. This seems to be the weakest part of the kill chain, where most murder-by-swatting attempts fail. Training police for this scenario could reduce the risk even more, but the possibility of an accident will always be non-zero if you have armed police responding to what might be some sort of murder in progress.

I think SWATings would probably continue to happen even if you completely resolved that third or fourth stages, eliminating the possibility of an accident completely. The anonymous troll probably still gets his rocks off at waking up the victim in the middle of the night by unarmed conflict resolution social workers banging on his door looking to resolve the [probable] misunderstanding. Breaking the kill chain at the second stage seems more promising for this reason, but I am not sure eliminating anonymous 911 calls is practical or ethical.


Maybe a better analogy is an energy provider: You don't expect them to turn off somebody's power because they are listening to the wrong kind of music.

Energy companies are publicly traded companies as well, I don't see what difference this fact makes in the analogy and the argument.

Policing is the police's job, not that of infrastructure and utility companies, precisely because that would bring a lot of hairy questions that the author raises as well.


> You don't expect them to turn off somebody's power because they are listening to the wrong kind of music.

But you would expect them to turn off somebody's power if they were, e.g., using that power for a marijuana farm or torturing kittens with electrical shocks and standing outside their house shouting "I'M USING THIS ELECTRICITY FOR CRIMINAL MEANS, YOU KNOW".


I would expect the police to step in if the power was used for a marijuana farm (assuming it's illegal in your jurisdiction of course, skipping the discussion whether it should be illegal).

A corporation deciding to cut off my power without due process because they think there may be a marijuana farm – which may or may not be true – does not sound like something that's desirable.

Either way, I don't think analogies like this are very helpful, because the situations are too different, and the analogy doesn't really help clarify anything IMO.


One of the laziest articles I've read recently. I was looking for a gotcha, some concrete evidence Cloudflare actually helps booters to boost their own sales, and the closest he comes is saying DDoS sellers host their websites behind Cloudflare. It feels like this was written to take advantage of the moment and tie the Kiwifarms to actual online criminal activity.


You should not drag others into your criminal actions. You decided to do it on your own and for your own benefit. You did it and must now live with it. But don't blame others and drag them in and say they "helped". This is on you alone.


The linked post by Prince is pretty frustrating.

“This is not our stance, but we do it anyway for all the reasons we just said are bullshit.”

I have a ton of respect for Prince but this spineless double standards stuff is BS.

PS: I have no idea what the deal is with Kiwifarms and frankly I don’t care. If it’s really that bad then we need to have a judge order an injunction.


I thought it was pretty clear that they basically said "Things went from 'freedom of expression we don't like that we find questionable' to things that are almost certainly illegal, so we are forced to move, even though we would prefer law enforcement did it."


I would expect a lot more detail from Cloudflare like a list of alleged crimes and some supporting facts. Maybe even an injunction from a judge, perhaps? You know, the stuff you would normally expect in a case like this before law enforcement decided to intervene.

Honestly anything supporting the “there was an emergency and deplatforming kiwifarms just avoided it” claim would help.

They weren’t forced to do anything.


Isn’t DDOS pretty illegal? In my opinion, selling illegal services is a strong case for CF to kick them out because they quite clearly break the law.


The issue that arises with "that's illegal, CF should ban them", is that they need to pick some jurisdiction, and become an executing power in that. A lot of wacky things are illegal in some less free countries - if a website clearly breaks a Saudi Arabian law they care about a lot, does that count? What about a German law that is very important to Germans?

Does CF have to be an executive force in keeping the law of the US regarding non-US customers, or should the laws of the country the customer is in count instead, ...

You see the issue. The solution is that CF should remain as neutral as they can without breaking the law in their country themselves.


One thing I don't see covered here - cost. Specifically, the cost of providing DDoS protection vs the cost of processing every complaint and evaluating if the complaint is legitimate.

At Cloudflare's scale, providing service to one additional site costs exactly $0. It's actually beneficial because it spreads their fixed costs (hardware, staff) over more customers. Great (for Cloudflare and the site).

But that only works if they don't have to do any marginal work for each site. Actually investigating each new website, going through potentially each page on the website, making a judgement call on if there is sufficient moderation to allow it or they shouldn't - it could take several hours or days of a skilled worker for each website. Just putting an example out there - how long would it take you to evaluate if reddit.com adheres to all the terms in Cloudflare's TOS? There's a different standard for user generated content, but it gets a pass if there's a good faith attempt to moderate the site. This stuff is actually hard.

If they actually had to process every complaint, regardless of where it came from, the economics of their business might not make sense. And of course, they open themselves up to false positives. They might ban a forum that looks dodgy but ends up being a leukaemia support group, which spawns yet another #dropCloudflare. And lastly, if they're going to listen to outrage from Twitter, they don't have a leg to stand on if they receive lawful requests from sovereign governments in Turkey, Saudi Arabia etc.

They hoped to sidestep all of these issues - money, false positives and state sponsored takedown requests by saying "we don't take down anyone for any reason". Well, it didn't work out.


Can we just skip to the end where the internet breaks into fiefdoms? AOL almost did it in the 90s.


It already is imo, there's very different internets for different languages.


Technically, by way of the analogy provided in the article, Cloudflare is simply putting out fires at all houses, even those that are known to start fires. Their moral game is that it's not their responsibility to act on this knowledge, unless, it seems, there is some clear and present imminent danger, which is something for them to determine.

This community, by which I mean HN, likes to have its cake and eat it too. Perhaps they're not all the same people, but HN also gets upset that VISA polices what businesses are deserving of accepting credit card payments.

Regardless of which side you fall on, consistent and clear messaging is important. In that way, Cloudflare deserves some respect for attempting this, when every other corporation, be it VISA, or the FAANGs, simply do whatever is expedient to avoid negative attention, be it PR-wise, stock market wise, or regulatory wise.


HN and Matthew Prince really struggling with these two things:

1. A company can arbitrarily do whatever it wants within the confines of the law. Additionally a company's chief executive and/or leadership team can do whatever it wants so long as it is not in breach of their bylaws and/or they have the support of the board.

2. A company which is publicly traded is beholden to public perception if it affects current and future shareholders' views on share price and health of the company. If shareholders believe being associated with potentially illegal activity means Cloudflare could be open to lawsuits, then leadership kicks off that activity. Leadership can't give an honest answer on this because it would admit they were worried about being complicit in illegal activity. This is why you see the response of 'we don't believe this is our responsibility, we're just a neutral entity' PR spin.

To return to OP's post, Cloudflare directly benefits by letting DDoS-for-hire operators use their service. They've been informed of this, this post is one of many on the topic. If you go a few comments back in my comment history you'll note I mentioned Cloudflare also pulled down sex worker sites in the fallout from SESTA being enacted. Why didn't they make the same argument then? Unlike SESTA at the time the caselaw on CFAA supports that DDoS-for-hire is illegal activity, going back a little over 10 years with plenty of prosecutions. The US prosecutor handbook on it was updated around 2010 to add it https://www.justice.gov/criminal/file/442156/download, the last time I remember anyone trying to claim it was legitimate protest was back in 2013 when some Anonymous indictments were handed out. Cloudflare also responds to DMCA takedowns even though they don't host the content, why would they do that if there's no liability?

Let's break it down a little more then: If my business is damaged because my website gets DDoS'd by a protected service Cloudflare knows will make me require the purchase of a service like theirs, why wouldn't I name them as a conspirator in a legal complaint?


> However CloudFlare is not a neutral utility, they are a publicly traded company and have shareholders to report to, can any fire department in the world say the same?

Publicly traded? No, but fire depts in the US were commercial entities paid for by insurance companies. Arguably just as bad.

You had to be a paying member if you wanted them to put out the fire burning your house down.

Well documented that fire depts would stand idly by and do nothing for the neighbours.

But yeah, that's what you get with Cloudflare's shitty analogy.


Aah.... an attempt to give more de-platforming powers to more private companies...


I don't think the author's argument makes sense.

Cloudflare's position is that they are neutral and will provide their services to anyone and everyone. They do not make those value judgements deciding who deserves their services or not.

The fact that they thus provide their service to booters isn't a flaw in Cloudflare's argument, in fact it's consistent with their position.

The author is implying that Cloudflare should independently make that value judgement against a booter, rescind their services from the booter, thus allowing other booters to take that booter down? That's ridiculous. All the booters should be dealt with by some legal authority.

EDIT: So according to some comments cloudflare sometimes does decide independently to rescind their services from some users? That would make them inconsistent in that case. The author's argument, that the solution to booting is more booting, still doesn't make sense tho imo. It's like the solution to too many guns is more guns.


I would agree with you, however please take a look at a statement from CloudFlare earlier today: https://news.ycombinator.com/item?id=32707821

"Our decision today was that the risk created by the content could not be dealt with in a timely enough matter by the traditional rule of law systems."

Booter services have been using CloudFlare for the better part of a decade, sure individual services come and go but the trend is persistent. So for booter services a decade is enough time for the rule of law to make the decision but another type of controversial platform follows its own arbitrary timeline, and I would argue that is setting the most dangerous precedent of all, especially when the 'risk' created by a particular type of content doesn't outweigh any potential financial incentives.


Ok, I honestly know nothing about this topic, I just read the article and my comment is merely a critique of the original article's internal logic and nothing more.


Cloudflare is neutral... Unless you are 8chan, Stormfront, or KiwiFarms.

It's an odd definition of neutrality that allows one to take decisive values positions.


I think it would be intellectually dishonest to imply that there is no objective “bad”. At some point it goes beyond yelling fire in a theater, into the realm of certain and immediate harm to the whole.

We seem capable of recognizing certain actions and behaviors as universally abhorrent. Nobody can say “Cloudflare is neutral… Unless you are CSAM”, or “Cloudflare is neutral… Unless you are a live video feed of a mass murder event”, and call it an odd definition of neutrality.

There are a lot of sick individuals out there, an unfortunate number of people unable to discern trolling from legitimate discourse, people who may be convinced to commit abhorrent acts or think that they found like minded supporters of their abhorrent behavior. It is not neutral to actively defend and support the ability of a platform to take advantage of those people and or to allow the promotion of such abhorrent behaviors.

It seems like Cloudflare finds themselves walking a tightrope across a bottomless chasm. Any misstep will have dire consequences for the future of Cloudflare and the precedence it sets for the internet as a whole. It seems at this point they have taken a path of extreme caution and attempted to weigh that against collective voice of reason.


Those are odd definitions of neutral.

More properly, they want to be political in some way without people being able to criticise them for it. "Neutrality"


Cloudflare’s line seems to be where bodily harm comes into play (e.g. Kiwifarms people enabling SWATing via doxxing, stalking by mobs, etc) which is above and beyond just normal criminal activity. The situations really are not very similar.


And yet they continue to work with innumerable other services causing bodily harm. This was all about countering the negative publicity.


>enabling SWATing via doxxing

Cloudflare is still hosting other sites that let you search for people's public information. The line to me seems to be whenever a mob of people starts complaining loudly that a site should be removed. Misinformation is used by the mob to make sites look as bad as possible to try and get them removed. Since these are small sites there are not many people who know it's false. The public check Wikipedia and see a biased article that reaffirms the narrative.


Maybe we should redefine "neutrality" in this post-truth era


I feel that, if Cloudflare wants to be neutral, they should simply do that.

In my eyes, as long as they don't break any laws themselves, they are okay.


We simultaneously act annoyed that Visa/Mastercard act as gatekeepers, and demand Cloudflare should become the new moral police


My side getting our way is good. Their side getting their way is bad.

It seems rational for any partisan to think this way, no? People standing on opposite sides of the battlefield, shooting at each other with the same sort of weapons, both believing in the goodness of their cause.


Cloudflare is oddly political for an infrastructure provider. Every few months or so they seem to be forced to explain why they have decided to deplatform this or that website contrary to their no interference policy.

You don’t see AWS or Microsoft having the same frequency of these sorts of reports. What am I missing?


It's the exact opposite. They try to be, and I believe are, the least political out of all networking infrastructure companies, so in the very rare cases where they do decide to deplatform (Daily Stormer, 8chan, and Kiwi Farms are the only three) it always makes huge press.

AWS or Azure doing the same wouldn't make news because they would immediately drop a site like Kiwi Farms, and anything like it, after the first report or two. If you're routinely kicking people out, people don't scrutinize you when you do it. To bastardize Stalin's quote: three deplatformings is a tragedy, thousands is a statistic.


Thanks, that makes sense.

Still, I don’t understand why Cloudflare goes out of its way to be a white knight when its peers have far less mercy. What’s in it for them? Companies at this scale remove the “don’t be evil” slogans they adopted when they were smaller.


If we take them at their word, it's ideological. They seem to be somewhat libertarian and believe they shouldn't interfere except for the most serious cases. If I recall, they've even stated that the 8chan/Daily Stormer decisions might not have been made today.


I recall some anger when Microsoft closed some GitHub repos. I think the diversification of these companies helps silo the scale of scandals.


Normal service providers normally remove violent/hate sites as a matter of course, which makes it not news. Cloudflare has set themselves up as a sort of refuge of last resort, for [redacted] reasons. Fill in the blank yourself.


The kinds of sites that need a refuge of last resort often have dedicated haters. Cloudflare can then monitor the patterns in DDoS attempts to better improve their enterprise services. It's a better picture of realistic attacks from motivated attackers than if they only hosted morally-acceptable sites.


You're missing that nobody makes a fuss about AWS removing things. Unsavory and/or illegal sites are removed from AWS every day for TOS violations - a somewhat recent and notable example was Parler, the extreme-right-wing Twitter clone that was used to plan the January 6th insurrection.


Sorry to hijack this discussion thread. I've come across your comments on https://news.ycombinator.com/item?id=28425379 and I think you have brought up some really good points what modern DBs should support. Especially, the queue support for atomic state changes and message sending can be a powerful primitive. I am currently looking into this area and would love to have a chat with you if you like. You can reach me via my twitter @stsffap.


I strongly believe abuse claims should be handled by the actual hosting providers behind CloudFlare.


Can I ask you. For all intents and purposes, what is the difference between Cloudflare and a regular host except an expiry time on the content they host?

Cloudflare:

- Makes a website available through their IP addresses

- Resolves a site's DNS

- Stores the content of the website on their servers, to serve to clients. The fact that there's an expiration on that content is of no consequence.

The fact that the final source-of-truth lies offsite makes no difference. If I rent a regular, run of the mill server and have it proxy all requests to a different server, does that suddenly make the first host bulletproof to any and all scrutiny?

Cloudflare likes to pretend they are a neutral entity, impartial, just like regular Internet Providers but they are decidedly not. They are being paid by their customers to store and serve their content from their servers and to perform traffic filtering.


... which are unknown because CloudFlare's service includes "hide your backend".

If CloudFlare provided a way to find out the host of a website they run, and gave said host a way to find out what servers specifically are hosting it, they'd have a much better argument, because they'd make it easy for anyone to use the legal system to go after offenders.

I don't know how easy it is for US citizens or law enforcement to get that information from CF, but from what I've heard, it's very, very hard to do so from Europe, and will basically only be used for major crimes, but not for a common "scam a granny" operation. CF is essentially providing cover for these.


CloudFlare forwards all abuse claims to the providers, so filing an abuse with CloudFlare is practically equal to filing it with the providers. The only difference is that you don't know who the providers are.


It's not. They do forward it, but the provider can simply choose to ignore it, since it's not addressed to them and there's no legal implication - it's purely informational for them, letting them know that CF has received a complaint.


> If CloudFlare provided a way to find out the host of a website they run

Surely they respond to subpoenas and warrants.


If you're in the US, probably. If you're outside the US, from what I understand, they require you to file in the US (or have US law enforcement work on your behalf).

For all intents and purposes, that means they don't for anyone outside the US, except for very high profile cases. For everything else, they're providing a legal shield.


> That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character

So, to continue the analogy, we are reading the post by (ex-)arsonist?


As far as I understand, protecting from DDoS attacks is a big enough part of Cloudflare's business. Doesn't it create a conflict of interest here? I can imagine how it makes sense for Cloudflare to facilitate DDoS attacks by sheer ignorance with plausible deniability, to sell more DDoS protection to the targets.

Using their own analogy, the real fire departments actively prevent fires by enforcing safety policies, not merely fighting existing ones. If a fire department is paid only for the fires extinguished, they are strongly disincentivised to enforce safety policies.


Everyone wants to bully and pick on Cloudflare now because it’s the cool thing to do I guess.

The issue is not Cloudflare — it’s just the sad reality of the Internet in 2022.

Imagine a criminal pumps a full tank of gas into his vehicle and then uses that vehicle to commit crimes. Nobody goes out and blames the gas station or holds them accountable.

The owner of the vehicle should and would be held accountable in real life. And in any case related to the Internet or Cloudflare, the owner of the website should be held accountable.


> Nobody goes out and blames the gas station or holds them accountable.

If the gas station operator knows the criminal's identity and hides it, I'm pretty sure everyone would go after the gas station.

DDOS-protection is one of Cloudflare's services. The other one is hiding where you host your stuff, so people cannot contact your host to have them shut down the illegal operation.


What a nonsense storm in a teacup.


It's not complete crap: Cloudflare facilitates the operation of "load testing" (DDoS) services by overwhelmingly providing the front end. Cloudflare claims to not care about content and provides security services to all, but perhaps Cloudflare is incentivized to do this by the fact that they make money on the DDoS they facilitate.

Cloudflare isn't a protection racket, but doesn't have completely clean hands, either.


The author mentions he doesn't want us to judge him on his past. But I don't think teenagers are that different from adults, so I doubt there is any real basis for that. He'd probably still do it if that was the best way to make money. If he had not written that, I probably wouldn't have given it any second thought though. It's a good article, just don't tell people what not to think; they might just start to think what you didn't want them to.

I strongly agree with the points made. What Cloudflare is doing is terrible. They should remove this protection and publish an apology to the victims before a court decides to think the same.


If the numbers from DoJ are to be believed, this was far from the largest DDoS-for-Hire operation by revenue.


It's incredible that cloudflare compares itself to a firefighter answering all calls wherever they come from. They are more like a private security company working for a mafia boss that pays them well.


The fact that DDoS protection is a viable market and losing it is tantamount to kicking a website offline belies fundamental flaws with the infrastructure of the internet.


What a stupid fucking article, including "I grew up with cloudflare, therefore know nothing about how the internet works", and "cloudflare is a racket because I said so and give the benefit of doubt to myself". Web hosters never cared about what content they host. It was previously the norm to not even check for child porn and wait for law enforcement to make any decisions, and rightly so, as it's, literally, not their concern. Some web hosters did care about their content, but there were few and you could quickly move to another. Cloudflare are one of the new generation of webshit services, run by little babies, enamored by their big userbase (yeah, I had a big userbase when I was 12 and quickly got over that phase), and feel some sort of moral but mainly pretentious need to save the world, often by limiting who uses their service, or implementing some sort of snake oil.

New conspiracy theory: all this drama about absolutely irrelevant websites like 8chan[1] and kiwifarms is to distract from the fact that cloudflare has killed anonymity on the internet. Since 2011 or so, browsing any website behind cloudflare over Tor or pretty much any shared IP address got you essentially blocked. You would have to fill out a captcha to even see the front page, and not just any captcha, but the worst one which almost never works when on a shared connection: recaptcha. THEN you had to open up the cdn.myshitwebsite.com and repeat the same bullshit, and then you can see images, css, scripts, whatever on the site. ONLY in 2018 they fixed this (it was always possible to bypass it by changing your user agent to a specific string and such things, but almost nobody knew about this), and then broke it again, I'm not sure what the current state is. Then around 2020, a bunch of cloudflare imitators popped up, which includes having the pointless captcha at the front of pages. Cloudflare literally killed Tor, it was solely their fault.

1. "But oh no, a jihad thing was posted on it", same with facebook but 1000x worse


[dead]


He was sentenced to 13 months in prison, followed by 3 years of probation, plus forfeiting $500k of proceeds

https://www.justice.gov/opa/pr/former-operator-illegal-boote...


Ok then. Better to have led with that if it's going to be a central topic in the article.


Write your own article then.


It's the second link in the article and part of the header abstract.


The second link in the article is the Cloudflare blog post and I'm not seeing a header abstract on my device, just a title and text.


Third link, (my bad) with the abstract | header | opening being that part above the first sub heading.

Point being, it's there in the lead.


It's a rare "inside" viewpoint, so it's really not a bad option for initiating the conversation.

Let's also leave 'the law' to determining whether Rasbora should be paying fines. As well functioning, or otherwise, 'the law' is...


Apparently the law did determine in this case, and sought prison as well which is definitely more than I would have called for.



