Cloudflare Beta (2009) (projecthoneypot.org)
139 points by O__________O on Sept 20, 2022 | 47 comments



Unspam, Prince's company before Cloudflare, which created Project Honeypot, had a slightly unsavory (to me, at least) business model of lobbying state legislatures to pass laws requiring "no-contact" registries with requirements that were tailored for Unspam. Looks like they succeeded in 2 states and some version of the company exists: https://www.unspam.com Prince gave up on it and got an MBA at Harvard but he's still listed on the company website.


Benjamin Franklin called that "doing well by doing good" when he lobbied for a national postal service.


The whole concept wasn't feasible and had serious privacy issues. Good summary of why it was rejected at the national level here: https://www.govtech.com/security/us-turns-down-do-not-spam.h...

> A registry of individual e-mail addresses also suffers from severe security/privacy risks that would likely result in registered addresses receiving more spam because spammers would use such a registry as a directory of valid e-mail addresses. It ultimately would become the National Do Spam List. Furthermore, a registry of domains would have no impact on spam and a third-party forwarding service model could have a devastating impact on the e-mail system.

Also, the laws Unspam pushed for were intentionally tailored to make them the only suitable vendor. Leveraging personal connections and paid lobbying to compel taxpayers to fund a counterproductive, privacy-violating and monopolistic service is not what I'd call "doing good" but YMMV.


Why does the do not call registry work, but the do not email wouldn't?


What makes you think the do-not-call registry works? I still receive dozens of spam calls per day.


Weird, I receive 0



Here is an article from UCSC describing the UnSpam and Project Honey Pot work that grew out of the work of cofounder Lee Holloway (et al.)[1].

Disclosure: I worked there with Lee Holloway, Matthew Prince, and others.

[1] https://engineering.ucsc.edu/news/article/1183


Huh. Oddly enough I'd never read this.


I contributed some VMs to this early on in the project but then pulled out of it. There were no stats to show how my nodes were contributing and I was concerned that I might lose my VPS account since I could not tell how this was being used. I liked the idea.


That's funny, I figured they would have shown it to you for recruiting purposes. :)

I remember Matt always talking about how Cloudflare was his ultimate vision for the honeypot project -- a way to block bad actors on the internet by aggregating information.


He tried to recruit me very early on although I don't think in 2009 (I believe it was the year after) and I wasn't ready to go to the US and they weren't ready to have someone in London.


[flagged]


Didn’t down vote you, but generally bad form to hijack a thread just to pop a question about a completely unrelated topic; both from the thread and post itself.


Realize (now) you’re Cloudflare’s CTO, but might be worth pointing it out when you’re replying to Cloudflare related topics; you obviously have been around HN awhile so guessing it’s unlikely to make a difference, but in my experience on HN people generally appreciate the clarity.



In my experience, better to mention it, but understand your experience might say otherwise.


FWIW I agree with that approach. HN audience recognizes you anyway which gathers the upvotes, and if it’s really confusing someone will point out you’re the CF CTO anyway.


Think of it more as a name tag & uniform a franchise restaurant makes its employees wear, so you know who works there. Takes away the prestige pretty quick ;)


They have it in their bio which is the HN norm, not announcing one’s creds at every turn.

But I think these “HNers would appreciate it!” community spokesman kinds of comments are kinda lame. I don’t think HNers need to be spoon fed “I’m Cloudflare’s CTO btw! :^D” every time the guy rears his head. Especially just to say he never read TFA before…


> They have it in their bio which is the HN norm, not announcing one’s creds at every turn.

No, appending something like "(disclaimer: CF employee)" is absolutely the norm anytime it could even remotely be construed as a conflict of interest. It might be fine here, but this is an edge case.


I disagree that every comment you make in a community has to stand alone and reintroduce yourself lest a newcomer flies off the handle without knowing who they’re responding to.

That is just annoying. Nor do I think it’s a convincing point coming from someone who suggests they aren’t new here.

imo people new to a community could slow their roll esp in a debate.


Alright; I've been on HN for 5 years. Since we're all friends who know each other so well, how about you tell me about myself? I'm reasonably active and I have an extremely recognizable username, so you should of course remember me quite well.


>I disagree that every comment you make in a community has to stand alone and reintroduce yourself lest a newcomer flies off the handle without knowing who they’re responding to.

I think it's circumstantial. For instance, I don't really think it's necessary for the CTO to have said, "disclaimer: CF employee/CTO/whatever" in this thread. But in this thread[1] from yesterday, I think it would've been helpful.

[1]https://news.ycombinator.com/item?id=32912075#32912276


Can you share for me some concerns you have about this disclaimer not being present on jgrahamc's post?

Do you feel you have been misled by his post?


To me, it’s about the ease of connecting a comment’s relevance to the post, assuming CTO was on the founding team, so makes sense that them posting they had never seen the post adds value to the thread; anyone else posting comment like that would have likely been down voted.

To me, fair to assume everyone does not know everyone else, though they might be familiar with a subset of the information, for example, knowing who Cloudflare is. If a user appending affiliation to a comment adds context, to me it makes sense to add it - and not assume or expect users to click your profile, other users point out who you are, etc.


But even if you didn't know the user was a cloudflare exec, the comment just becomes a boring throwaway comment from some luser on the internet telling you their thoughts, like posting 'Me too!' like some braindead AOLer.


Are you recommending we do the world a favour and cap him like old yeller?


Sorry, but do not understand references or generally what you were expressing; highly suggest reading all my comments in thread to avoid forcing me to unnecessarily repeat myself.


My point is that adding a disclaimer about your employer only matters if the post has a possibility of being seen as astroturfing if the reader doesn't know about the relationship between the poster and the company.

For example, if jgrahamc said "I never knew that. Cloudflare is such an amazing company, everyone should apply for a job there!", then okay, request a disclaimer. But if someone just says "I didn't know that", then the comment goes from mildly interesting (if you know who they are) to boring (if you don't know who they are). The failure mode here for lack of disclaimer is the post just becomes a boring, low-effort comment.

I think jgrahamc adding "I'm the CTO of cloudflare, and I didn't know that!" might have been reasonable context, but no disclaimer is required, because the reader didn't need to be protected from the post. There was no conflict of interest in the post.


Said the user with “this account is a GPT-3 bot” in their profile.

Like I said, pointed this out 100s of times over years and my experience says otherwise; not my first account, nor will it be my last. Also, not dang, not trying to be dang, but also firmly believe HN is a community and important for the community to express themselves, but also would be more than happy to respect dang’s wishes.


I just flagged/downvoted as content-less/off topic (as it is) and move on. No need to simp for online execs


Don’t agree about the flagging/down voting, since normally community agrees it is appropriate; also, how would the user even know that was an issue.

Do agree there appears to be degree of simp like behavior going on, which is interesting.


Related, I guess:

Matthew Prince: CloudFlare Was Inspired by Project Honeypot and the DHS - https://news.ycombinator.com/item?id=21071978 - Sept 2019 (1 comment)

Project HoneyPot: The Web's Largest Community Tracking Online Fraud and Abuse - https://news.ycombinator.com/item?id=7614182 - April 2014 (1 comment)

1 Billion Spammers Served - Deep Insights into Spam - https://news.ycombinator.com/item?id=996698 - Dec 2009 (13 comments)


HN has become not only the front page of tech news but also a repository of tech history.


I hope it can get more that way over time, and that we can build better tools for accessing it.


Wow. That brings back memories.


A bit more about this as I’m remembering. Cloudflare’s original “data center” (which was really just a single server) was located in Chicago. We had the zip/postal code for Project Honey Pot participants from when they signed up so we emailed anyone within a certain radius around Chicago to be our first beta testers. We knew they were the folks most likely to have acceptable performance.

The original way you signed up for Cloudflare was to give us your GoDaddy username and password and we’d login, slurp the DNS records, then update the name servers. It was magic when it worked. But it was almost too easy so if something broke people didn’t know how to undo what we’d done. Worse: sometimes we’d miss a DNS record like an MX record and be unable to even contact the user.

The crazy thing is we emailed people basically with the content on this page and asking Project Honey Pot users to give us their user names and password. A scary number of people just did without asking any questions.

We put this page up to prove this was a legitimate project after a (scary) few people asked us: “How do I know this isn’t phishing??”

Fun to find it still kicking around 12+ years later.


> Provide the service at no cost... because you shouldn't have to pay to ensure your website is protected.

Was that a lie?

https://www.cloudflare.com/ddos/ says "Contact Sales"


Are you ignoring the part of that page where if you click sign up, you can create an account for free, and get protection and services for free? Sure, not everything they offer is free, but enough for most users is.


No. Basic DDoS protection with Cloudflare is free.


It also says "Sign Up". With a very comprehensive free tier of services.


Aspirational business model goals in 2009 won’t be 100% realized 13 years later. That doesn’t mean the original goal was a “lie”. That word requires intent.

And DDoS mitigation is part of the free feature set. I’m guessing some of their largest customers may be kicked off the free tier if they are too much of a resource burden.


I don't think it's terribly surprising that there might be companies out there who charge for things that they think should be free because they can get away with it. That said, in this case it sounds like pretty standard marketing speak, and I tend to be skeptical that anything sounding like that is a genuine profession of values rather than a catchy tagline (which probably explains my lack of surprise at the first thing as well)


I think one interesting thing about Cloudflare is that once enabled on a domain, it can be used to serve different versions of that domain to different audiences, enabling things like selective censorship and propaganda.

Cloudflare has also taken investments from the intelligence agencies (at least in the US).


To be fair, the ability to serve different content to different users was (is) a primary feature of essentially all web servers. This has been the case for multiple decades.


The difference is that this is a man-in-the-middle where you don't need coordination with the web server at all.


It’s important to understand and internalize the difference between capability and willingness/desire to do something.

Servicing different content based on different visitors is a feature of any web server. If you are insinuating that CloudFlare does this without the domain/website owner’s permission/knowledge, cite your sources. That is the kind of insinuation/rumor that can destroy/erode the reputation of a cybersecurity company.



