Can Someone Please Explain Whether Cloudflare Blackmailed Canonical?

https://www.flyingpenguin.com/can-someone-please-explain-whether-cloudflare-blackmailed-canonical/

82•speckx•1h ago

Comments

AntonyGarand•34m ago

Relevant post from last week:

> Why is Cloudflare protecting the DDoS'er (beamed.st) attacking Ubuntu servers?

https://news.ycombinator.com/item?id=48025001

deadbabe•32m ago

They didn’t.

superkuh•29m ago

Right. It's more abstract than that. They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable. Then they sell the same "protection" to the victims. It's the classic mafia protection scam.

gruez•27m ago

>They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable

Victims can't file a subpoena to get account details?

superkuh•26m ago

I've never tried a subpoena. I've tried reporting them to ICANN for whois abuse contact violations and never received a response (after I recieved a response from cloudflare saying, "Go away, we don't care, sign up for our services and pay us to care."). Perhaps I should set up a gofundme or something for the thousands of dollars needed to get justice via subpoena.

If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.

gruez•23m ago

>I've tried reporting them to ICANN and never received a response.

So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning an blind eye, both to what cloudflare is supposedly doing and also to what the domain registrars are doing.

Xirdus•14m ago

ICANN doesn't get any kickbacks from Canonical needing to protect itself as far as I can tell. Cloudflare literally sells the protection.

CrazyStat•8m ago

> If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.

If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences.

As far as cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information.

amatecha•29m ago

Yeah, probably not - because they don't explicitly have to, as outlined in the post. The very architecture of CF's services essentially enables "blackmail as a service" in the sense that, CF protects the attacker and essentially creates a coercive environment in which the victim "has" to pay CF to protect them from... the very attacker that CF protects.

jpereira•28m ago

This is insanely dumb. Cloudflare is providing free hosting services, not materially supporting the attacker. You can argue that cloudflare needs to be better, or adopt different values towards, taking down sites they host, but this organization could absolutely just serve elsewhere (or just advertise their services over telegram or the like).

Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point.

mjd•25m ago

It's not dumb. There's a conflict of interest.

sophacles•12m ago

Yeah, I demand all my hosting providers be 100% vulnerable to DDoS for this reason.

luma•24m ago

That'd be extortion, not blackmail. CF did neither thing.

jmuguy•23m ago

It seems disingenuous to assume that CF offering some (unknown) amount of service to a malicious actor amounts to "blackmailing" someone that actor is attacking. CF could, and probably should, be better about not offering services to criminals but making a leap of logic certainly doesn't help anything.

jwitthuhn•20m ago

"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.

This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself.

wood_spirit•19m ago

The article puts it very succinctly: Cloudflare fronts attackers for free and bills the victims for relief.

Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on?

okanat•14m ago

The thing is, you can control a neighborhood, a country etc. from attackers and establish control over violence.

How can we do that, if we would like to preserve relative anonymity and global nature of the internet?

People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high.

idle_zealot•10m ago

This seems like one of those cases where you need to assign responsibilities and obligations to those enabling the damage, even if their offerings also enable a lot of good. If you have the capacity to offer cheap/free VPS, then you also need to cover the cost of protecting against the DDoS attacks that service enables. You don't get to offload that burden on to the victims. If that makes your VPS offerings more expensive then so be it; that's the result of pricing in the externalities.

johnmaguire•5m ago

> People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity.

This is a fascinating idea. Is this something anyone is working on?

api•3m ago

It's a protection racket born of fundamental weaknesses in the Internet's bedrock protocols.

PcChip•19m ago

I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail, so that hacking group could exploit as many targets during that time as possible

bayindirh•11m ago

copy.fail patches can be applied with minimum downtime, and a VM reboots in 30 seconds, tops, regardless of size. I believe all the apex servers are configured as HA to keep the load distributed, so normal users won't feel anything when copy.fail is patched.

Our users didn't feel a thing when we rolled out the patches.

Lukas_Skywalker•2m ago

But the Ubuntu update servers are required to serve the update. Taking them down prevents the users from downloading the update.

AntiUSAbah•18m ago

Completly agree, cloudflare protects scammers on a huge scale and no one cares...

All the faceshops I have reporeted to cloudflare, all these phising pages behind cloudflare I reported, never came down.

None of them.

For a company making billions, protecting people, they should take this stuff serious.

altairprime•10m ago

If you’re not using the legal system to seek action from Cloudflare, you’re unlikely to be heard by them. “I was injured for $20 and I seek as redress the customer payment details (issuing bank, account number) provided to Cloudflare so that I can identify and file a claim for financial redress against them” would be a lovely small claims lawsuit, for example. I haven’t heard of anyone trying that yet but I’d love to admire the results if someone does!

aggakake•16m ago

With this kind of logic we can blame keyboard manufacturers for the illegal things their products wrote.

nicce•10m ago

Or water companies for selling water for them. Where is the line?

mcmcmc•1m ago

[delayed]

TZubiri•12m ago

Yes.

I find a similar pattern to Meta's scammer ads.

Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns.

Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack

mcmcmc•7m ago

[delayed]

anonym29•10m ago

Crimeflare - proudly extorting DDoS victims and protecting criminals while building a global surveillance dragnet since 2009!

Mac App Store Review Times Increasing

FormulaBase: A Markdown editor with LaTeX support

A modern desktop music player for people tired of streaming apps

Myst's Game Design Proposal document (1991)

Expat 2.8.1 released, CVE-2026-45186 and CVSS unreliability

Golden Testing a CAD Library

I built a simpler, more powerful "Dropbox" for devs and creators

MobyDB – The Geospatial-Native Database

DepthWork – iOS app that scores focus quality with a neuroscience-based index

Sunburn inspired a new way to store energy

Cloudflare "issue" blocking legitimate access from humans for days

Privacy, ownership, and freedom are being taken away from you

History of CRMs APL

Using LLM in the shebang line of a script

Landslide created a 500-meter-high tsunami in a major tourist area

The Last Company

The Biggest Conspiracy Theories in Open Source

London's Smallest Public Sculptures

I rebuilt Voicy with agents instead of rewriting it myself

Hermes Agent surpassed OpenClaw as top app on OpenRouter leaderboard

A new JavaScript test runner called Decaf

Palantir to be granted "unlimited access" to UK NHS patient data

Accelerating Android Builds on AWS: From 3 Hours to Under 5 Mins with SourceFS

AI versus Microservices

Banks try to offload AI data-centre debt as exposure mounts

Natural-language messages between LLM agents are an architectural anti-pattern

Mammals May Have a Hidden Limb Regeneration Ability We Never Knew About

Do we absorb information better on paper, rather than screens?

Building a Redis Clone in Zig–Part 5

Minimizing and Finding Satisifaction with Less