[HN Gopher] Tavis Ormandy: Cloudflare lobbied FTC to stifle secu...
___________________________________________________________________
Tavis Ormandy: Cloudflare lobbied FTC to stifle security
researchers
Author : zccrkn
Score : 188 points
Date : 2022-09-03 18:21 UTC (4 hours ago)
(HTM) web link (twitter.com)
| cassonmars wrote:
| For starters, these events are totally unrelated, and are a very
| strange false equivalence. Would be very curious to see more
| details of Tavis' claim though. That being said, CF is still in
| the right for the stand they're taking on not being a content
| regulator of their base internet utilities.
| phillipcarter wrote:
| > That being said, CF is still in the right for the stand
| they're taking on not being a content regulator of their base
| internet utilities.
|
| This is entirely unrelated to the issue of if they should stop
| offering their services to known Very Bad People. Nothing about
| current events with CF is related to regulating content.
| cassonmars wrote:
| It absolutely is about regulating content. Just because the
| content and the people that generate it are vile does not
| mean an internet backbone utility should play great internet
| censor about it. I say this as exactly the kind of person
| (trans) that the community in question loves to attack.
| phillipcarter wrote:
| CF isn't a utility. KF is perfectly capable of operating on
| their own, without CF's products. This is strictly a matter
| of CF's desire to continue to do business with them. Their
| whole spiel on the blog post about how they're a utility is
| just dancing around the issue - they have no legal
| obligations that an actual utility does. It's an
| interesting discussion if they, and others like them,
| _should_ be considered a utility. But that's neither here
| nor there because they aren't one.
| 6c737133 wrote:
| Nothing better than claiming the perks of "being a utility
| provider" while bearing none of the burdens lol
|
| If CF didn't offer free DDoS protection - ironically, whilst
| providing cover & protection to the greatest # of DDoS-4-hire
| websites on the clear-web - they would have nothing else to
| offer that would be considered best-in-class
|
| But yeah, they're the preeminent force in ensuring free speech
| on the internet lol
| llama052 wrote:
| I think they offer a lot of best in class services, have you
| used the enterprise tier or just the free tier?
| fjfbsufhdvfy wrote:
| A lot of their services, such as R2 storage, have literally
| no competition.
| fjfbsufhdvfy wrote:
| Hope the guy who down voted me enjoys paying 100-1000 times
| more to Amazon's egress racket!
| markovbot wrote:
| not the one who downvoted you, but backblaze has similar
| pricing: https://www.backblaze.com/b2/cloud-storage-pricing.html
| trollied wrote:
| Backblaze also has free egress to Cloudflare. Which is
| _very_ cost efficient.
| fjfbsufhdvfy wrote:
| Using this for significant amounts of non-html content
| will get your account disabled. They only allow it for
| R2.
| badrabbit wrote:
| I am all for a law compelling companies like CF to cooperate
| with LE and censor on behalf of the state if that is the will
| of the people. They are a utility provider that has not been
| expected by society to fund and administer a censorship
| operation. Go and vote if you think they should be compelled
| to censor.
| Hamuko wrote:
| Unless I'm misunderstanding your idea, that sounds like it
| goes against the First Amendment.
| badrabbit wrote:
| That's why I said vote.
|
| But not necessarily, companies are not people they are
| not protected by the bill of rights and this is already
| happening when LE forcibly takeover domains to censor
| them with cause of course. Also, freedom of speech does
| not include speech made with the intent and effect of
| causing demonstrable harm.
| Hamuko wrote:
| > _That's why I said vote._
|
| Constitutional amendments are so tricky that I'm not sure
| if just going out to vote is gonna change anything.
|
| > _Also, freedom of speech does not include speech made
| with the intent and effect of causing demonstrable harm._
|
| I don't think that is a legal standard for the First
| Amendment. Advocacy of violence is protected speech under
| the First Amendment.
| braingenious wrote:
| This is tangential but kind of on-topic since Tavis mentions KF
| in the replies, but I've found it pretty amusing that
| Cloudflare's position on enabling doxxing, harassment and
| DDOS-for-hire has been "Aw shucks, we're just too darn powerful to do
| anything about any of this!"
|
| It's as if _anybody_ could fall ass backwards into a situation
| where they built up an organization that dictates what's on the
| internet as a whoopsie, and oh no, _you too_ would have to enable
| harassment, doxxing and DDOS-for-hire because shucks, all that
| darn unlimited, unchecked and unregulated power, access to money
| and legal resources is _actually_ the same thing as having no
| power at all! Poor Cloudflare, they can do literally whatever
| they want and that means they can't do anything at all!
| EarlKing wrote:
| No, their argument was that they shouldn't do anything about it
| because the two times they did it wound up causing every tinpot
| dictatorship to show up on their doorstep and demand they do
| the same for people that hadn't done anything wrong except piss
| off the wrong dictator. This is why rights exist in the first
| place: so that when some idiot erroneously says your site is
| "enabling doxxing, harassment and DDOS-for-hire" when all you
| actually do is document the bad behavior of bad individuals on
| the internet, well, you don't get run out of town on a pole...
| because the guy with the pole knows that today it's you, but
| tomorrow it could be him.
| braingenious wrote:
| > times they did it wound up causing every tinpot
| dictatorship to show up on their doorstep and demand they do
| the same for people that hadn't done anything wrong except
| piss off the wrong dictator
|
| Which they wielded their unlimited power to ignore.
| OrangeMonkey wrote:
| Let's pretend that private firefighters exist and you had to
| pay for them to protect your house. It was a thing for most of
| the world.
|
| It _sounds_ like you are suggesting that private firefighters
| should let houses burn down if it's something disagreeable.
|
| I have that wrong, I'm sure, so feel free to correct me.
| badrabbit wrote:
| Your cops suck so you blame anyone but them? Should ISPs also
| be liable by your logic? Just like CF they can monitor and
| censor content. Make the Tor foundation liable as well since
| they run the Tor network while you are at it. Can't people
| criticize a company without trying to criticize everything
| about it? This isn't even related to the topic at hand.
| [deleted]
| penrouse wrote:
| Seems to me they're operating on a matter of principle.
|
| The Christians who run my local food bank do similar. Their
| clients include some of the worst people: rapists, paedophiles,
| murderers - released from prison, with nothing and no-one to help
| them, other than these kind churchly individuals. Their
| principle is that Jesus would want them to help their fellow
| humans in need, no matter what their sins. So they do.
|
| Obviously it's a bit different with Cloudflare as they're a
| for-profit company of diversely ideological employees, not a
| non-profit charity of devoutly religious volunteers. But the
| former type of organisation can run on principles other than
| making money hand-over-fist too.
| sofixa wrote:
| I think you can appreciate the difference between not letting
| former criminals (released from jail) starve and helping them
| integrate back in society, and actively providing them tools
| that they use to do terrible things, including crimes.
| ThrowawayTestr wrote:
| KF is just a forum, nothing posted there is illegal.
| zorpner wrote:
| The devil has enough advocates. Don't feel the need to
| throw your hat into the ring.
| ThrowawayTestr wrote:
| I've seen nothing but lies being posted about KF. Yes
| it's an abrasive community but nothing illegal is posted
| there.
| kevingadd wrote:
| Sadly, laws do in fact prohibit the posting of certain
| kinds of information and messages - for example, death
| threats, dox or hate speech, depending on your locale.
| Being "just a forum" does not change this. We can debate
| whether the laws should restrict speech that way, but
| don't pretend the laws in western countries don't exist.
| ThrowawayTestr wrote:
| I have never seen illegal content on KF and it's usually
| quickly removed.
| OrangeMonkey wrote:
| Sounds great - if a website is hosting content that is
| illegal, then there are laws that can be enforced by the
| government.
|
| The government, in the united states at least, cannot
| restrict freedom of speech. It's kind of a big deal.
| Hoping that corporations revoke their ddos protection so
| that terrorists can ddos them down is laughable. "I know
| the government can't do it, but ... just walk away wink
| wink and I am sure the problem will be fixed wink wink".
|
| Come on.
| braingenious wrote:
| >Seems to me they're operating on a matter of principle.
|
| That's what I'm talking about. The "principle" argument is
| genuinely funny! They have unlimited power but because
| they've _chosen_ to follow an arbitrary rule based on their
| arbitrary definition of neutrality, they have no power. It's
| a coincidence that they enable doxxing, harassment and
| DDOS-for-hire because they're religiously bound by a sacred
| covenant! They dare not cross the ancient gods lest blood and
| pestilence rain down upon all our heads!
|
| They're not making a _choice_ to continue enabling
| harassment, doxxing and DDOS-for-hire, they are simply doing
| as the sacred runes prescribe, as all orthodox stewards of
| the realm should and would do. It's actually noble, we should
| actually be thanking them for acting this way.
|
| It's just plain funny.
|
| As for your food bank analogy, do they provide food for
| _active_ murderers and pedophiles? Like, if they were visited
| by current victims and the families of victims asking them
| for help, would they respond with a box of food for the
| perpetrators and tell the victims to kick rocks?
| ThrowawayTestr wrote:
| >DDOS-for-hire
|
| KF uses Cloudflare specifically because its haters try to
| DDOS the site.
| OrangeMonkey wrote:
| The only reason someone would advocate to turn off ddos
| protection for a site, is so someone can perform
| terroristic acts against the site and ddos it until it goes
| down.
|
| How about it - you tell me. What reason would so many
| people, maybe in this thread chain, argue so strongly for a
| company to revoke its ddos protection of a website they
| don't like. It's weird, right?
| braingenious wrote:
| I would suggest that you take that question up with
| Cloudflare, as they just disabled DDOS protection for KF.
| OrangeMonkey wrote:
| Got it - but I'm asking you.
|
| It appears you were hoping that they would remove it.
| What possible reason did you have to hope that a site
| took away their ddos protection?
|
| It's weird, right?
| badrabbit wrote:
| Good luck fighting about CF's morality HN. But the root-cause
| here is lack of legislature explicitly defining rights and
| obligations of security researchers and the vulnerability
| reporting process.
|
| As it stands, you can get raided for vuln reporting (doesn't
| happen a lot because of common sense not law), harassed, face
| retaliation and have the vendor silently fix it without crediting
| you.
|
| For some reason everyone thinks this is a matter to be legislated
| and resolved by popularity contests (don't use vendor X) and/or
| capitalism. Which is interestingly why the FTC is even involved I
| guess?
|
| In an ideal society you wouldn't need such laws and the default
| is liberty but in this society the only reason researchers are
| even being allowed to do their job is things like twitter and
| fears of PR nightmares (which won't work with every
| vendor/company).
| trasz wrote:
| Between shielding openly pro-nazi employees
| (https://news.ycombinator.com/item?id=32699639), promoting
| far-right terrorism (https://news.ycombinator.com/item?id=32699595,
| https://twitter.com/oneunderscore__/status/15657972205318144...),
| using dirty tricks to ban critics
| (https://twitter.com/vcsjones/status/1566066031587721216), and
| now this, Matthew Prince and the rest of the Cloudflare clique
| have some explaining to do.
|
| EDIT: Also, "We find that several providers are
| disproportionately responsible for serving misinformation
| websites, most prominently Cloudflare",
| https://ojs.aaai.org/index.php/ICWSM/article/view/19292/1906....
| zccrkn wrote:
| Cloudflare's indifference to DDOS-for-hire providers using their
| service is also raising some eyebrows, considering a large part
| of their business is mitigating DDOS attacks. Do a search for
| "stresser" or "booter" services (euphemisms for DDOS-for-hire)
| and check their DNS records, 9 times out of 10 they're hiding
| behind Cloudflare.
|
| Intentional or not, helping the attackers stay online while
| also selling mitigations for their attacks is basically a
| protection racket.
| badrabbit wrote:
| I echo the top comment on that pro-nazi post, too much missing
| info to form an opinion.
|
| I don't like or hate CF either way but quit this "_______ also
| did some bad shit" that's not the topic of discussion and is a
| clear attempt at "cancelling" instead of discussing the topic
| at hand. Which so happens is also missing a lot of info and
| HNers are jumping the gun without knowing who did lobbying and
| why and what consequences they faced.
| [deleted]
| jgrahamc wrote:
| I saw this Tweet earlier and reached out to our public policy and
| legal teams. Also reached out to Matthew (eastdakota here). They
| all have no idea about this. We appreciated Tavis/P0 finding and
| making us aware of Cloudbleed. Kicked off a very stressful time
| for the team at Cloudflare but glad the bug got found and
| addressed.
|
| Tavis: happy to chat, I've dropped you an email.
|
| Follow up: https://twitter.com/taviso/status/1566159561148362753
| ferdowsi wrote:
| Reminds me about how y'all had "no idea" that you had banned
| benchmarking. Remarkable how much leaders can not know about
| their company's operations!
|
| https://news.ycombinator.com/item?id=29468771
| bawolff wrote:
| Big companies having the left hand not know what the right is
| doing is hardly a new phenomenon.
| hn_throwaway_99 wrote:
| > Remarkable how much leaders can not know about their
| company's operations!
|
| Oh please. These are large corporations, I would honestly be
| flabbergasted if leadership knew every mundane detail.
| Particularly in the benchmarking issue you noted, it's pretty
| easy to understand how that could have been added as legal
| boilerplate, but just went too far.
| stefan_ wrote:
| Leadership doesn't know where their lobbying dollars go?
| What on earth are they paying lobbyists for? What, other
| than representing company leadership, do lobbyists do? This
| is not credible.
| mook wrote:
| Leadership might not know every detail, but that doesn't
| absolve them of the responsibility to know (and find out,
| and correct it once they do so similar things don't happen
| again). This one only came to their attention because Tavis
| Ormandy is famous and it got on HN front page; how many
| other instances didn't?
| jonnybgood wrote:
| You're talking about unknown unknowns. You can't deal
| with the problem unless you know the problem actually
| exists.
| altdataseller wrote:
| .. which doesn't really absolve them of responsibility.
| ch33zer wrote:
| So an ostrich with its head in the sand is the ideal CEO
| for any large corporation? Come on.
| kelnos wrote:
| That's quite the straw man.
|
| It's possible to be thoughtful and introspective, and try
| to learn about the things you don't know, but still fail
| to learn literally everything. We're only human.
| adw wrote:
| It also speaks to culture.
|
| Decisions individuals make in large organisations are, on
| average, downstream of institutional culture, so if a
| large organisation is responsible for a lot of bad
| decisions then the leaders are responsible for the
| culture which made those decisions seem reasonable.
| still_grokking wrote:
| Everything in the TOS isn't some "mundane detail" but core
| to how a company is positioned in the legal field, as those
| things are _legally binding_ and will determine for what
| you can or can't be sued.
|
| Therefore it's completely implausible that even one word
| written there hasn't been discussed with C-level staff.
|
| Saying the opposite is just throwing PR smoke grenades in
| the hope some naive people will believe that kind of show.
|
| The fish always stinks from the head. (That's why
| "plausible deniability" is of so great importance to those
| people, btw).
| judge2020 wrote:
| There's definitely more to this, given jgc made such a public
| statement here, especially with how their legal team is
| supposedly unaware of any lobbying (who else "at cloudflare"
| would have the ability to speak with the FTC?). I'm sure
| we'll have a public blog post within a few days to address
| this.
| tptacek wrote:
| The followup appears to confirm that this did in fact happen.
| Tavis Ormandy didn't claim that Matthew Prince personally
| lobbied the FTC.
| zorpner wrote:
| jgc knew about it in mid-2018, at least, since I was still
| involved with P0 at that point and spoke with him about it. I
| guess he forgot.
| stavros wrote:
| To be fair, it was arguably not even _the company_ that did.
| An employee talking to an acquaintance who happens to work at
| the FTC about it doesn't mean the company ordered (or even
| wanted) them to.
| tptacek wrote:
| It got back to Tavis, which suggests it was not just a
| single private conversation between acquaintances.
| stavros wrote:
| Could it get back to him via the FTC (in a "this is your
| accuser" way)?
| FreakLegion wrote:
| From the available information it sounds like
| _backchanneling_ or another less charged term, not
| _lobbying_. _Lobbying_ isn't some low-caliber word to
| point at any old conversation. It has a specific meaning
| and implications that so far aren't in evidence here.
| tooltower wrote:
| A follow-up of this tweet indicates that you found the person
| responsible for this mess, and that they were not authorized by
| Cloudflare to do this.
|
| Great. But it also sounds like a reasonably common occurrence,
| and hence a systematic problem.
| trasz wrote:
| >They all have no idea about this.
|
| Source: trust me bro.
|
| For a Stanford paper documenting Cloudflare's widespread
| involvement in spreading lies see
| https://ojs.aaai.org/index.php/ICWSM/article/view/19292/1906....
| Bilal_io wrote:
| Is this LTT?
| gzer0 wrote:
| Thank you for addressing this. As a long term customer, you
| have earned my respect and continued business.
|
| Speaking up about events like this is hard to do as an
| executive and I appreciate the honesty here.
| pfadmool wrote:
| Tangentially related question: are there any plans to permit
| Cloudflare users to configure proxying directly to onion hidden
| services?
|
| Given the current controversy, it would be much more reassuring
| to enter an .onion address rather than an IP address, to be
| entirely sure that servers can't be unmasked. At least not
| without compromising Tor or exploiting the proxied-to web
| server.
| balentio wrote:
| Someone just posted up a pull quote the other day on Hacker News
| about how Cloudflare doesn't bend to cancel culture, and I
| remarked that they already had more than once. Now the big
| reveal is they ARE Cancel Culture, but they have no idea they
| are!
| 1vuio0pswjnm7 wrote:
| Unlike Google, Cloudflare has not been at constant odds with the
| FTC. Its "business plan" is not to intake as much data as
| possible about computer users and then profit from online
| advertising services. As such, it would be reasonable to question
| the potential bias of anyone from Google commenting about the
| FTC.
|
| Voters have no control over Google but they do have some control
| over the FTC. If a citizen computer user disagrees with the
| actions of Google, what is their recourse? "Stop using websites
| and software under the control of Google." Good luck with that.
|
| Google's lobbying budget is enormous. It is laughable to see a
| Google employee complaining about "lobbying". We will never see
| Google security researchers commenting about what _Google_ is
| lobbying the government to do or not do. We will never see a
| Google security researcher question whether ever-increasing
| personal data collection by their employer puts computer users at
| greater risk.
| xenago wrote:
| This is a really bad look. InfoSec is a very tight-knit industry
| and this will really make working with/using CF an unpleasant
| proposition to many.
| dsl wrote:
| If it wasn't already, you aren't paying attention.
|
| Cloudflare is quite literally the largest bulletproof hosting
| provider for bad actors on the internet, and unless you know
| someone at the company personally takedowns are like pulling
| teeth.
| zccrkn wrote:
| Not to mention that CF's policy is to forward takedown
| requests, unredacted, to the site you're trying to takedown.
| CF users like KiwiFarms have been weaponizing this policy for
| years by publishing their takedown requests, knowing their
| userbase will seek retribution against whoever sent them.
| charcircuit wrote:
| >CF users like KiwiFarms have been weaponizing this policy
| for years
|
| If your complaint is that the host should be the only one
| to see the full report then your point doesn't stand since
| Josh pays to have his own ASN so he can personally handle
| reports for it.
|
| If your point is that only Cloudflare should have the name
| I don't think it counts as a valid DMCA takedown since it's
| not like you have a signed document from the copyright
| holder or someone on their behalf.
___________________________________________________________________
(page generated 2022-09-03 23:00 UTC)