Victims can't file a subpoena to get account details?
If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning a blind eye, both to what Cloudflare is supposedly doing and also to what the domain registrars are doing.
If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences.
As far as Cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information.
That assumes of course that like Cloudflare you were hosting a web page and not the actual illegal activity, and were following the laws around hosting things.
Maybe there is a point to be made about monopoly power in hosting and DDoS protection. I don't really see how this blog post, or labelling it blackmail, help make that point.
This whole article seems to conflate hosting an informational site run by the attackers and hosting the attack itself.
DDoS protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDoS protector service is on?
How can we do that, if we would like to preserve relative anonymity and global nature of the internet?
People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high.
This is a fascinating idea. Is this something anyone is working on?
Similarly, BitTorrent does roughly the same once the peer relationships are established.
Our users didn't feel a thing when we rolled out the patches.
On Ubuntu copy.fail could be mitigated against with some modprobe(8) config tweaks:
# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead
There may be some processes that use this functionality ("lsof | grep AF_ALG"), but it is not that widespread AIUI, and so disabling it should not be an issue for the vast majority of systems.
All the faceshops I have reported to Cloudflare, all these phishing pages behind Cloudflare I reported, never came down.
None of them.
For a company making billions, protecting people, they should take this stuff seriously.
This is more like a firearms dealer selling a gun to someone after they put their intended usage as “robbing banks” in the ATF form
An example that makes it more clear: "by that logic it's my fault that I was robbed for leaving the door to my house unlocked."
No, it's the robber's fault you were robbed. The robbery is the illegal part. It is not illegal to leave a door unlocked. Back to your train wreck of an example: it is not illegal to sell keyboards, and it is not illegal to provide water to people. Extortion is illegal. Denial of Service attacks are illegal.
That's where the line is. It is the border between legal and illegal.
I find a similar pattern to Meta's scammer ads.
Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns.
Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack
With the horror stories heard over the years I think a real issue is no hard pricing cap with forced shutdown.
Unless that's changed? I booted them a year ago..
The best IP Stresser service since 2022.
That is one way of putting "DOS" for hire
WTF does it really mean?
Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't.
In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying.
Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target!
But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare.
Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup.
I don't think that argument holds water. There's a world of difference between knocking a site offline with a DDoS and making a legal request which results in a hosting provider shutting it down.
AntonyGarand•56m ago
> Why is Cloudflare protecting the DDoS'er (beamed.st) attacking Ubuntu servers?
https://news.ycombinator.com/item?id=48025001