[HN Gopher] Tavis Ormandy: Cloudflare lobbied FTC to stifle secu...
___________________________________________________________________
Tavis Ormandy: Cloudflare lobbied FTC to stifle security researchers
Author : zccrkn
Score  : 188 points
Date   : 2022-09-03 18:21 UTC (4 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)

| cassonmars wrote:
| For starters, these events are totally unrelated, and are a very strange false equivalence. Would be very curious to see more details of Tavis' claim though. That being said, CF is still in the right for the stand they're taking on not being a content regulator of their base internet utilities.
|
| phillipcarter wrote:
| > That being said, CF is still in the right for the stand they're taking on not being a content regulator of their base internet utilities.
|
| This is entirely unrelated to the issue of whether they should stop offering their services to known Very Bad People. Nothing about current events with CF is related to regulating content.
|
| cassonmars wrote:
| It absolutely is about regulating content. Just because the content and the people that generate it are vile does not mean an internet backbone utility should play great internet censor about it. I say this as exactly the kind of person (trans) that the community in question loves to attack.
|
| phillipcarter wrote:
| CF isn't a utility. KF is perfectly capable of operating on their own, without CF's products. This is strictly a matter of CF's desire to continue to do business with them. Their whole spiel on the blog post about how they're a utility is just dancing around the issue - they have no legal obligations that an actual utility does. It's an interesting discussion if they, and others like them, _should_ be considered a utility. But that's neither here nor there because they aren't one.
|
| 6c737133 wrote:
| Nothing better than claiming the perks of "being a utility provider" while bearing none of the burdens lol
|
| If CF didn't offer free DDoS protection - ironically, whilst providing cover & protection to the greatest # of DDoS-4-hire websites on the clear-web - they would have nothing else to offer that would be considered best-in-class
|
| But yeah, they're the preeminent force in ensuring free speech on the internet lol
|
| llama052 wrote:
| I think they offer a lot of best in class services, have you used the enterprise tier or just the free tier?
|
| fjfbsufhdvfy wrote:
| A lot of their services, such as R2 storage, have literally no competition.
|
| fjfbsufhdvfy wrote:
| Hope the guy who downvoted me enjoys paying 100-1000 times more to Amazon's egress racket!
|
| markovbot wrote:
| not the one who downvoted you, but backblaze has similar pricing: https://www.backblaze.com/b2/cloud-storage-pricing.html
|
| trollied wrote:
| Backblaze also has free egress to Cloudflare. Which is _very_ cost efficient.
|
| fjfbsufhdvfy wrote:
| Using this for significant amounts of non-html content will get your account disabled. They only allow it for R2.
|
| badrabbit wrote:
| I am all for a law compelling companies like CF to cooperate with LE and censor on behalf of the state if that is the will of the people. They are a utility provider that has not been expected by society to fund and administer a censorship operation. Go and vote if you think they should be compelled to censor.
|
| Hamuko wrote:
| Unless I'm misunderstanding your idea, that sounds like it goes against the First Amendment.
|
| badrabbit wrote:
| That's why I said vote.
|
| But not necessarily, companies are not people, they are not protected by the Bill of Rights, and this is already happening when LE forcibly take over domains to censor them, with cause of course. Also, freedom of speech does not include speech made with the intent and effect of causing demonstrable harm.
|
| Hamuko wrote:
| > _That's why I said vote._
|
| Constitutional amendments are so tricky that I'm not sure if just going out to vote is gonna change anything.
|
| > _Also, freedom of speech does not include speech made with the intent and effect of causing demonstrable harm._
|
| I don't think that is a legal standard for the First Amendment. Advocacy of violence is protected speech under the First Amendment.
|
| braingenious wrote:
| This is tangential but kind of on-topic since Tavis mentions KF in the replies, but I've found it pretty amusing that Cloudflare's position on enabling doxxing, harassment and DDOS-for-hire has been "Aw shucks, we're just too darn powerful to do anything about any of this!"
|
| It's as if _anybody_ could fall ass backwards into a situation where they built up an organization that dictates what's on the internet as a whoopsie, and oh no, _you too_ would have to enable harassment, doxxing and DDOS-for-hire because shucks, all that darn unlimited, unchecked and unregulated power, access to money and legal resources is _actually_ the same thing as having no power at all! Poor Cloudflare, they can do literally whatever they want and that means they can't do anything at all!
|
| EarlKing wrote:
| No, their argument was that they shouldn't do anything about it because the two times they did it wound up causing every tinpot dictatorship to show up on their doorstep and demand they do the same for people that hadn't done anything wrong except piss off the wrong dictator. This is why rights exist in the first place: so that when some idiot erroneously says your site is "enabling doxxing, harassment and DDOS-for-hire" when all you actually do is document the bad behavior of bad individuals on the internet, well, you don't get run out of town on a pole... because the guy with the pole knows that today it's you, but tomorrow it could be him.
|
| braingenious wrote:
| > times they did it wound up causing every tinpot dictatorship to show up on their doorstep and demand they do the same for people that hadn't done anything wrong except piss off the wrong dictator
|
| Which they wielded their unlimited power to ignore.
|
| OrangeMonkey wrote:
| Let's pretend that private firefighters exist and you had to pay for them to protect your house. It was a thing for most of the world.
|
| It _sounds_ like you are suggesting that private firefighters should let houses burn down if it's something disagreeable.
|
| I have that wrong, I'm sure, so feel free to correct me.
|
| badrabbit wrote:
| Your cops suck so you blame anyone but them? Should ISPs also be liable by your logic? Just like CF they can monitor and censor content. Make the Tor foundation liable as well since they run the Tor network while you are at it. Can't people criticize a company without trying to criticize everything about it? This isn't even related to the topic at hand.
|
| [deleted]
|
| penrouse wrote:
| Seems to me they're operating on a matter of principle.
|
| The Christians who run my local food bank do similar. Their clients include some of the worst people: rapists, paedophiles, murderers - released from prison, with nothing and no-one to help them, other than these kind churchly individuals. Their principle is that Jesus would want them to help their fellow humans in need, no matter what their sins. So they do.
|
| Obviously it's a bit different with Cloudflare as they're a for-profit company of diversely ideological employees, not a non-profit charity of devoutly religious volunteers. But the former type of organisation can run on principles other than making money hand-over-fist too.
|
| sofixa wrote:
| I think you can appreciate the difference between not letting former criminals (released from jail) starve and helping them integrate back in society, and actively providing them tools that they use to do terrible things, including crimes.
|
| ThrowawayTestr wrote:
| KF is just a forum, nothing posted there is illegal.
|
| zorpner wrote:
| The devil has enough advocates. Don't feel the need to throw your hat into the ring.
|
| ThrowawayTestr wrote:
| I've seen nothing but lies being posted about KF. Yes it's an abrasive community but nothing illegal is posted there.
|
| kevingadd wrote:
| Sadly, laws do in fact prohibit the posting of certain kinds of information and messages - for example, death threats, dox or hate speech, depending on your locale. Being "just a forum" does not change this. We can debate whether the laws should restrict speech that way, but don't pretend the laws in western countries don't exist.
|
| ThrowawayTestr wrote:
| I have never seen illegal content on KF and it's usually quickly removed.
|
| OrangeMonkey wrote:
| Sounds great - if a website is hosting content that is illegal, then there are laws that can be enforced by the government.
|
| The government, in the United States at least, cannot restrict freedom of speech. It's kind of a big deal. Hoping that corporations revoke their ddos protection so that terrorists can ddos them down is laughable. "I know the government can't do it, but ... just walk away wink wink and I am sure the problem will be fixed wink wink".
|
| Come on.
|
| braingenious wrote:
| >Seems to me they're operating on a matter of principle.
|
| That's what I'm talking about. The "principle" argument is genuinely funny! They have unlimited power but because they've _chosen_ to follow an arbitrary rule based on their arbitrary definition of neutrality, they have no power. It's a coincidence that they enable doxxing, harassment and DDOS-for-hire because they're religiously bound by a sacred covenant! They dare not cross the ancient gods lest blood and pestilence rain down upon all our heads!
|
| They're not making a _choice_ to continue enabling harassment, doxxing and DDOS-for-hire, they are simply doing as the sacred runes prescribe, as all orthodox stewards of the realm should and would do. It's actually noble, we should actually be thanking them for acting this way.
|
| It's just plain funny.
|
| As for your food bank analogy, do they provide food for _active_ murderers and pedophiles? Like, if they were visited by current victims and the families of victims asking them for help, would they respond with a box of food for the perpetrators and tell the victims to kick rocks?
|
| ThrowawayTestr wrote:
| >DDOS-for-hire
|
| KF uses Cloudflare specifically because its haters try to DDOS the site.
|
| OrangeMonkey wrote:
| The only reason someone would advocate to turn off ddos protection for a site, is so someone can perform terroristic acts against the site and ddos it until it goes down.
|
| How about it - you tell me. What reason would so many people, maybe in this thread chain, argue so strongly for a company to revoke its ddos protection of a website they don't like. It's weird right?
|
| braingenious wrote:
| I would suggest that you take that question up with Cloudflare, as they just disabled DDOS protection for KF.
|
| OrangeMonkey wrote:
| Got it - but I'm asking you.
|
| It appears you were hoping that they would remove it. What possible reason did you have to hope that a site took away their ddos protection?
|
| It's weird right?
|
| badrabbit wrote:
| Good luck fighting about CF's morality HN. But the root cause here is lack of legislature explicitly defining rights and obligations of security researchers and the vulnerability reporting process.
|
| As it stands, you can get raided for vuln reporting (doesn't happen a lot because of common sense, not law), harassed, face retaliation and have the vendor silently fix it without crediting you.
|
| For some reason everyone thinks this is a matter to be legislated and resolved by popularity contests (don't use vendor X) and/or capitalism. Which is interestingly why the FTC is even involved I guess?
|
| In an ideal society you wouldn't need such laws and the default is liberty but in this society the only reason researchers are even being allowed to do their job is things like twitter and fears of PR nightmares (which won't work with every vendor/company).
|
| trasz wrote:
| Between shielding openly pro-nazi employees (https://news.ycombinator.com/item?id=32699639), promoting far-right terrorism (https://news.ycombinator.com/item?id=32699595, https://twitter.com/oneunderscore__/status/15657972205318144...), using dirty tricks to ban critics (https://twitter.com/vcsjones/status/1566066031587721216), and now this, Matthew Prince and the rest of the Cloudflare clique have some explaining to do.
|
| EDIT: Also, "We find that several providers are disproportionately responsible for serving misinformation websites, most prominently Cloudflare", https://ojs.aaai.org/index.php/ICWSM/article/view/19292/1906....
|
| zccrkn wrote:
| Cloudflare's indifference to DDOS-for-hire providers using their service is also raising some eyebrows, considering a large part of their business is mitigating DDOS attacks. Do a search for "stresser" or "booter" services (euphemisms for DDOS-for-hire) and check their DNS records, 9 times out of 10 they're hiding behind Cloudflare.
|
| Intentional or not, helping the attackers stay online while also selling mitigations for their attacks is basically a protection racket.
|
| badrabbit wrote:
| I echo the top comment on that pro-nazi post, too much missing info to form an opinion.
|
| I don't like or hate CF either way but quit this "_______ also did some bad shit", that's not the topic of discussion and is a clear attempt at "cancelling" instead of discussing the topic at hand. Which so happens is also missing a lot of info and HNers are jumping the gun without knowing who did lobbying and why and what consequences they faced.
|
| [deleted]
|
| jgrahamc wrote:
| I saw this Tweet earlier and reached out to our public policy and legal teams. Also reached out to Matthew (eastdakota here). They all have no idea about this. We appreciated Tavis/P0 finding and making us aware of Cloudbleed. Kicked off a very stressful time for the team at Cloudflare but glad the bug got found and addressed.
|
| Tavis: happy to chat, I've dropped you an email.
|
| Follow up: https://twitter.com/taviso/status/1566159561148362753
|
| ferdowsi wrote:
| Reminds me about how y'all had "no idea" that you had banned benchmarking. Remarkable how much leaders can not know about their company's operations!
|
| https://news.ycombinator.com/item?id=29468771
|
| bawolff wrote:
| Big companies having the left hand not know what the right is doing is hardly a new phenomenon.
|
| hn_throwaway_99 wrote:
| > Remarkable how much leaders can not know about their company's operations!
|
| Oh please. These are large corporations, I would honestly be flabbergasted if leadership knew every mundane detail. Particularly in the benchmarking issue you noted, it's pretty easy to understand how that could have been added as legal boilerplate, but just went too far.
|
| stefan_ wrote:
| Leadership doesn't know where their lobbying dollars go? What on earth are they paying lobbyists for? What, other than representing company leadership, do lobbyists do? This is not credible.
|
| mook wrote:
| Leadership might not know every detail, but that doesn't absolve them of the responsibility to know (and find out, and correct it once they do so similar things don't happen again). This one only came to their attention because Tavis Ormandy is famous and it got on HN front page; how many other instances didn't?
|
| jonnybgood wrote:
| You're talking about unknown unknowns. You can't deal with the problem unless you know the problem actually exists.
|
| altdataseller wrote:
| .. which doesn't really absolve them of responsibility.
|
| ch33zer wrote:
| So an ostrich with its head in the sand is the ideal CEO for any large corporation? Come on.
|
| kelnos wrote:
| That's quite the straw man.
|
| It's possible to be thoughtful and introspective, and try to learn about the things you don't know, but still fail to learn literally everything. We're only human.
|
| adw wrote:
| It also speaks to culture.
|
| Decisions individuals make in large organisations are, on average, downstream of institutional culture, so if a large organisation is responsible for a lot of bad decisions then the leaders are responsible for the culture which made those decisions seem reasonable.
|
| still_grokking wrote:
| Everything in the TOS isn't some "mundane detail" but core to how a company is positioned in the legal field, as those things are _legally binding_ and will determine for what you can or can't be sued.
|
| Therefore it's completely implausible that even one word written there hasn't been discussed with C-level staff.
|
| Saying the opposite is just throwing PR smoke grenades in the hope some naive people will believe that kind of show.
|
| The fish always stinks from the head. (That's why "plausible deniability" is of so great importance to those people, btw).
|
| judge2020 wrote:
| There's definitely more to this, given jgc made such a public statement here, especially with how their legal team is supposedly unaware of any lobbying (who else "at cloudflare" would have the ability to speak with the FTC?). I'm sure we'll have a public blog post within a few days to address this.
|
| tptacek wrote:
| The followup appears to confirm that this did in fact happen. Tavis Ormandy didn't claim that Matthew Prince personally lobbied the FTC.
|
| zorpner wrote:
| jgc knew about it in mid-2018, at least, since I was still involved with P0 at that point and spoke with him about it. I guess he forgot.
|
| stavros wrote:
| To be fair, it was arguably not even _the company_ that did. An employee talking to an acquaintance who happens to work at the FTC about it doesn't mean the company ordered (or even wanted) them to.
|
| tptacek wrote:
| It got back to Tavis, which suggests it was not just a single private conversation between acquaintances.
|
| stavros wrote:
| Could it get back to him via the FTC (in a "this is your accuser" way)?
|
| FreakLegion wrote:
| From the available information it sounds like _backchanneling_ or another less charged term, not _lobbying_. _Lobbying_ isn't some low-caliber word to point at any old conversation. It has a specific meaning and implications that so far aren't in evidence here.
|
| tooltower wrote:
| A follow-up of this tweet indicates that you found the person responsible for this mess, who was not authorized by Cloudflare to do this.
|
| Great. But it also sounds like a reasonably common occurrence, and hence a systematic problem.
|
| trasz wrote:
| >They all have no idea about this.
|
| Source: trust me bro.
|
| For a Stanford paper documenting Cloudflare's widespread involvement in spreading lies see https://ojs.aaai.org/index.php/ICWSM/article/view/19292/1906....
|
| Bilal_io wrote:
| Is this LTT?
|
| gzer0 wrote:
| Thank you for addressing this. As a long term customer, you have earned my respect and continued business.
|
| Speaking up about events like this is hard to do as an executive and I appreciate the honesty here.
|
| pfadmool wrote:
| Tangentially related question: are there any plans to permit Cloudflare users to configure proxying directly to onion hidden services?
|
| Given the current controversy, it would be much more reassuring to enter an .onion address rather than an IP address, to be entirely sure that servers can't be unmasked. At least not without compromising Tor or exploiting the proxied-to web server.
|
| balentio wrote:
| Someone just posted up a pull quote the other day on Hacker News about how Cloudflare doesn't bend to cancel culture, and I remarked that they already had more than once. Now the big reveal is they ARE Cancel Culture, but they have no idea they are!
|
| 1vuio0pswjnm7 wrote:
| Unlike Google, Cloudflare has not been at constant odds with the FTC. Its "business plan" is not to intake as much data as possible about computer users and then profit from online advertising services. As such, it would be reasonable to question the potential bias of anyone from Google commenting about the FTC.
|
| Voters have no control over Google but they do have some control over the FTC. If a citizen computer user disagrees with the actions of Google, what is their recourse? "Stop using websites and software under the control of Google." Good luck with that.
|
| Google's lobbying budget is enormous. It is laughable to see a Google employee complaining about "lobbying". We will never see Google security researchers commenting about what _Google_ is lobbying the government to do or not do. We will never see a Google security researcher question whether ever-increasing personal data collection by their employer puts computer users at greater risk.
|
| xenago wrote:
| This is a really bad look. InfoSec is a very tight-knit industry and this will really make working with/using CF an unpleasant proposition to many.
|
| dsl wrote:
| If it wasn't already, you aren't paying attention.
|
| Cloudflare is quite literally the largest bulletproof hosting provider for bad actors on the internet, and unless you know someone at the company personally takedowns are like pulling teeth.
|
| zccrkn wrote:
| Not to mention that CF's policy is to forward takedown requests, unredacted, to the site you're trying to take down. CF users like KiwiFarms have been weaponizing this policy for years by publishing their takedown requests, knowing their userbase will seek retribution against whoever sent them.
|
| charcircuit wrote:
| >CF users like KiwiFarms have been weaponizing this policy for years
|
| If your complaint is that the host should be the only one to see the full report then your point doesn't stand since Josh pays to have his own ASN so he can personally handle reports for it.
|
| If your point is that only Cloudflare should have the name I don't think it counts as a valid DMCA takedown since it's not like you have a signed document from the copyright holder or someone on their behalf.
___________________________________________________________________
(page generated 2022-09-03 23:00 UTC)
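The DNS check zccrkn describes earlier in the thread (look up a suspected "stresser" or "booter" site and see whether its A records land in Cloudflare's published edge ranges) can be automated. The following is an added example and not code from the thread or from Cloudflare. The CIDR list is a snapshot of https://www.cloudflare.com/ips-v4 reproduced from memory and should be refreshed from that URL before real use (assumption); the hostnames and A records in `SAMPLE` are constructed sample data, not real DNS answers, so the script runs offline. `resolve_a()` is there for running it against real names.

```python
"""Classify hostnames by whether their A records sit in Cloudflare's edge ranges.

Added example, not part of the HN thread. A site proxied through Cloudflare
("orange cloud") resolves to Cloudflare edge addresses; a site that only uses
Cloudflare as authoritative DNS resolves to its own origin and is NOT caught
by this check, which is the main caveat of the technique.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Snapshot of https://www.cloudflare.com/ips-v4 (assumed current at time of
# writing; refresh from that URL before relying on it).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETWORKS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside any published Cloudflare IPv4 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETWORKS)


def classify(a_records: Iterable[str]) -> str:
    """'cloudflare' if every A record is a Cloudflare edge, 'direct' if none is,
    'mixed' if some are (e.g. a stale record), 'unresolved' if there are none."""
    records = list(a_records)
    if not records:
        return "unresolved"
    hits = sum(1 for ip in records if is_cloudflare_ip(ip))
    if hits == len(records):
        return "cloudflare"
    return "mixed" if hits else "direct"


def resolve_a(hostname: str) -> List[str]:
    """Live IPv4 lookup via the system resolver; [] on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def survey(resolved: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each hostname to its classification, given already-resolved A records."""
    return {host: classify(ips) for host, ips in resolved.items()}


# Constructed sample data (hypothetical names, documentation-range origin IPs).
SAMPLE: Dict[str, List[str]] = {
    "stresser.example": ["104.21.33.44", "172.67.150.1"],  # both Cloudflare edges
    "booter.example": ["203.0.113.10"],                    # origin exposed
    "mixed.example": ["104.16.1.1", "198.51.100.7"],       # one edge, one origin
    "nxdomain.example": [],                                # no answer
}

if __name__ == "__main__":
    for host, verdict in survey(SAMPLE).items():
        print(f"{host:20} {verdict}")
    # For real names: survey({h: resolve_a(h) for h in hostnames})
```

Only the "cloudflare" verdict supports zccrkn's "hiding behind Cloudflare" claim for a given name; "direct" means the origin is visible even if the zone's NS records happen to point at Cloudflare, which this script does not inspect.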