Cloudflare lobbied FTC to stifle security researchers (twitter.com/taviso)
288 points by zccrkn on Sept 3, 2022 | hide | past | favorite | 113 comments



I saw this Tweet earlier and reached out to our public policy and legal teams. Also reached out to Matthew (eastdakota here). They all have no idea about this. We appreciated Tavis/P0 finding and making us aware of Cloudbleed. Kicked off a very stressful time for the team at Cloudflare but glad the bug got found and addressed.

Tavis: happy to chat, I've dropped you an email.

Follow up: https://twitter.com/taviso/status/1566159561148362753


The followup appears to confirm that this did in fact happen. Tavis Ormandy didn't claim that Matthew Prince personally lobbied the FTC.


To be fair, it was arguably not even the company that did. An employee talking to an acquaintance who happens to work at the FTC about it doesn't mean the company ordered (or even wanted) them to.


It got back to Tavis, which suggests it was not just a single private conversation between acquaintances.


From the available information it sounds like backchanneling or another less charged term, not lobbying. Lobbying isn't some low-caliber word to point at any old conversation. It has a specific meaning and implications that so far aren't in evidence here.


Technically, this incident seems to be corruption.

When a person employed in the government interacts informally with their friends, relations, acquaintances, the unofficial involvement should stop with "here's the name of the office where you file that complaint" or possibly "my office handles that; send it in through the usual method and I will make sure that I don't work on it". But human nature is to make things a little easier for the people we like or are predisposed to like. That's often harmless. It is sometimes quite the opposite.

The "old boys' network" feels good to the participants but is corrosive to fair treatment.


Apologies - I'm not a lawyer or policy expert. Cloudflare personnel asked a friend at the FTC to initiate an investigation into someone they perceived as a critic. If lobbying is not the correct term for that, then I misused it.


That is the correct term.


So you dislike the word lobbying being used here, based on a seemingly pretty specific understanding of what that means.

Lobbying can happen in many ways, and have many different implications. It certainly sounds like it didn’t happen as a result of company/executive action (and at least Tavis believes that), and neither parent, gp or ggp claim so (in fact they agree the opposite is the case).

I rarely have casual discussions with friends working at regulatory agencies that come back to haunt other people. I also don’t think the word “lobbied” was used in a harmful or particularly egregious way, especially considering the context in which it was used (and explained).


Could it get back to him via the FTC (in a "this is your accuser" way)?


It could. Maybe that's what happened?


jgc knew about it in mid-2018, at least, since I was still involved with P0 at that point and spoke with him about it. I guess he forgot.


Hey. I'm not sure who you are based on your handle but could you email me (jgc@) and tell me more.


Did this come to anything? Did you in fact talk to someone from P0 about Cloudflare lobbying the FTC over Tavis Ormandy's vulnerability research? Tavis just posted on the thread; did you get a chance to check that out?


I did not receive any email after I wrote that comment.


Fair enough, I'll conclude there was nothing to it. Thanks!


A follow-up of this tweet indicates that you found the person responsible for this mess, and that they were not authorized by Cloudflare to do this.

Great. But it also sounds like a reasonably common occurrence, and hence a systematic problem.


Thank you for addressing this. As a long term customer, you have earned my respect and continued business.

Speaking up about events like this is hard to do as an executive and I appreciate the honesty here.


>They all have no idea about this.

Source: trust me bro.

For a Stanford paper documenting Cloudflare widespread involvement in spreading lies see https://ojs.aaai.org/index.php/ICWSM/article/view/19292/1906....


Reminds me about how yall had "no idea" that you had banned benchmarking. Remarkable how much leaders can not know about their company's operations!

https://news.ycombinator.com/item?id=29468771


Big companies having the left hand not know what the right is doing is hardly a new phenomenon.


> Remarkable how much leaders can not know about their company's operations!

Oh please. These are large corporations, I would honestly be flabbergasted if leadership knew every mundane detail. Particularly in the benchmarking issue you noted, it's pretty easy to understand how that could have been added as legal boilerplate, but just went too far.


Leadership might not know every detail, but that doesn't absolve them of the responsibility to know (and find out, and correct it once they do so similar things don't happen again). This one only came to their attention because Tavis Ormandy is famous and it got on the HN front page; how many other instances didn't?


It also speaks to culture.

Decisions individuals make in large organisations are, on average, downstream of institutional culture, so if a large organisation is responsible for a lot of bad decisions then the leaders are responsible for the culture which made those decisions seem reasonable.


You’re talking about unknown unknowns. You can’t deal with the problem unless you know the problem actually exists.


... which doesn't really absolve them of responsibility.


So an ostrich with its head in the sand is the ideal CEO for any large corporation? Come on.


You do realize that you’re posting in a thread downstream of the CTO of the company?

…On a public message board and seems interested in figuring out what is or isn’t happening.


That's quite the straw man.

It's possible to be thoughtful and introspective, and try to learn about the things you don't know, but still fail to learn literally everything. We're only human.


> but that doesn't absolve them of the responsibility to know

This is really naive. Every layer of indirection misses out on details, esp in an organization (public, private, gov, even at team levels).

Surely you understand this basic concept?


I didn't mention anything about not understanding why things happen; just that they're still responsible for it. Part of the reason they have higher compensation is because they have the responsibility and the risk that they'll need to deal with things not entirely their fault?


Everything in the TOS isn't some "mundane detail" but core to how a company is positioned in the legal field, as those things are legally binding and will determine for what you can or can't be sued.

Therefore it's completely implausible that even one word written there hasn't been discussed with C-level staff.

Saying the opposite is just throwing PR smoke grenades in the hope some naive people will believe that kind of show.

The fish always stinks from the head. (That's why "plausible deniability" is of so great importance to those people, btw).


> Therefore it's completely implausible that even one word written there hasn't been discussed with C-level staff.

I think this is just proof that you are not familiar with how C-level responsibilities work at large corporations.


Leadership doesn't know where their lobbying dollars go? What on earth are they paying lobbyists for? What, other than representing company leadership, do lobbyists do? This is not credible.


> Remarkable how much leaders can not know about their company's operations!

There's an entire wikipedia article dedicated to that: https://en.m.wikipedia.org/wiki/Plausible_deniability


There's definitely more to this, given jgc made such a public statement here, especially with how their legal team is supposedly unaware of any lobbying (who else "at cloudflare" would have the ability to speak with the FTC?). I'm sure we'll have a public blog post within a few days to address this.


Tangentially related question: are there any plans to permit Cloudflare users to configure proxying directly to onion hidden services?

Given the current controversy, it would be much more reassuring to enter an .onion address rather than an IP address, to be entirely sure that servers can't be unmasked. At least not without compromising Tor or exploiting the proxied-to web server.


Not an expert here, but would Cloudflare Tunnels be a solution here? https://www.cloudflare.com/products/tunnel/


This is tangential but kind of on-topic since Tavis mentions KF in the replies, but I’ve found it pretty amusing that Cloudflare’s position on enabling doxxing, harassment and DDOS-for-hire has been “Aw shucks, we’re just too darn powerful to do anything about any of this!”

It’s as if anybody could fall ass backwards into a situation where they built up an organization that dictates what’s on the internet as a whoopsie, and oh no, you too would have to enable harassment, doxxing and DDOS-for-hire because shucks, all that darn unlimited, unchecked and unregulated power, access to money and legal resources is actually the same thing as having no power at all! Poor Cloudflare, they can do literally whatever they want and that means they can’t do anything at all!


No, their argument was that they shouldn't do anything about it because the two times they did it wound up causing every tinpot dictatorship to show up on their doorstep and demand they do the same for people that hadn't done anything wrong except piss off the wrong dictator. This is why rights exist in the first place: so that when some idiot erroneously says your site is "enabling doxxing, harassment and DDOS-for-hire" when all you actually do is document the bad behavior of bad individuals on the internet, well, you don't get run out of town on a pole... because the guy with the pole knows that today it's you, but tomorrow it could be him.


> times they did it wound up causing every tinpot dictatorship to show up on their doorstep and demand they do the same for people that hadn't done anything wrong except piss off the wrong dictator

Which they wielded their unlimited power to ignore.


And felt like they shouldn't be the ones judging whom to ignore and whom to not, yes.


What? Cloudflare picks who to ignore every day. Nearly everybody that has a public email address has to decide who to ignore every day. What is so important about Cloudflare’s “feelings”?


Ah, sorry, I replied before I realized you were trolling. Carry on.


Ah sorry, I replied before I realized that you weren’t interested in actually discussing the topic.


Seems to me they're operating on a matter of principle.

The Christians who run my local food bank do similar. Their clients include some of the worst people: rapists, paedophiles, murderers - released from prison, with nothing and no-one to help them, other than these kind churchly individuals. Their principle is that Jesus would want them to help their fellow humans in need, no matter what their sins. So they do.

Obviously it's a bit different with Cloudflare as they're a for-profit company of diversely ideological employees, not a non-profit charity of devoutly religious volunteers. But the former type of organisation can run on principles other than making money hand-over-fist too.


>Seems to me they're operating on a matter of principle.

That’s what I’m talking about. The “principle” argument is genuinely funny! They have unlimited power but because they’ve chosen to follow an arbitrary rule based on their arbitrary definition of neutrality, they have no power. It’s a coincidence that they enable doxxing, harassment and DDOS-for-hire because they’re religiously bound by a sacred covenant! They dare not cross the ancient gods lest blood and pestilence rain down upon all our heads!

They’re not making a choice to continue enabling harassment, doxxing and DDOS-for-hire, they are simply doing as the sacred runes prescribe, as all orthodox stewards of the realm should and would do. It’s actually noble, we should actually be thanking them for acting this way.

It’s just plain funny.

As for your food bank analogy, do they provide food for active murderers and pedophiles? Like, if they were visited by current victims and the families of victims asking them for help, would they respond with a box of food for the perpetrators and tell the victims to kick rocks?


>DDOS-for-hire

KF uses Cloudflare specifically because its haters try to DDOS the site.


The only reason someone would advocate to turn off ddos protection for a site, is so someone can perform terroristic acts against the site and ddos it until it goes down.

How about it - you tell me. What reason would so many people, maybe in this thread chain, argue so strongly for a company to revoke its ddos protection of a website they don't like? It's weird, right?


I would suggest that you take that question up with Cloudflare, as they just disabled DDOS protection for KF.


Got it - but I'm asking you.

It appears you were hoping that they would remove it. What possible reason did you have to hope that a site took away their ddos protection?

It's weird, right?


You tried to get an answer out, but unfortunately some users here have no scruples.


I would suggest you take up that question with Cloudflare. Based off your previous statements, they’re now supporting “terroristic” acts. I’m not sure why you would want the opinion of some internet stranger over a corporation that is now directly supporting terrorism by your estimation.

It is weird!


This, my fellow citizens, is what we call a "bad faith actor". They volunteer a position on questionable premises, get asked about their internal philosophical consistency, then dodge the question.


I agree, the poster that was very obviously and hamhandedly trying to get me to say something that they could then twist into “I support terrorism” or whatever was indeed acting in bad faith. Thank you for highlighting this.


CF: >Over the last two weeks, we have proactively reached out to law enforcement in multiple jurisdictions highlighting what we believe are potential criminal acts and imminent threats to human life that were posted to the site.

It sounds like CF didn't ban them because of revolting or otherwise commonly illegal content, but actual death threats against individuals that have been reported to law enforcement.


I think you can appreciate the difference between not letting former criminals (released from jail) starve and helping them integrate back in society, and actively providing them tools that they use to do terrible things, including crimes.


KF is just a forum, nothing posted there is illegal.


Sadly, laws do in fact prohibit the posting of certain kinds of information and messages - for example, death threats, dox or hate speech, depending on your locale. Being "just a forum" does not change this. We can debate whether the laws should restrict speech that way, but don't pretend the laws in western countries don't exist.


Sounds great - if a website is hosting content that is illegal, then there are laws that can be enforced by the government.

The government, in the United States at least, cannot restrict freedom of speech. It's kind of a big deal. Hoping that corporations revoke their ddos protection so that terrorists can ddos them down is laughable. "I know the government can't do it, but ... just walk away wink wink and I am sure the problem will be fixed wink wink".

Come on.


> The government, in the united states at least, cannot restrict freedom of speech.

But USGOV doesn't run Cloudflare. They are perfectly able to pick and choose their own customers without any reference to 1A.

> if a website is hosting content that is illegal

No-one is obliged to service them.


You seem to misunderstand - or at least I hope you are misunderstanding.

If a group is doing something illegal, the government should act. You seem to imply "Well if they are doing something illegal, people shouldn't have to work with them."

I think you know what I know - they aren't going to be targeted by the government because they are not, in fact, doing something illegal.


> If a group is doing something illegal, the government should act.

Yes but as you surely know, the government has limited resources which precludes them from acting on every illegal act in a timely manner. Which means that groups can, and do, get away with illegal acts for a long time before they get to the front of the queue for being dealt with.

> they aren't going to be targeted by the government because they are not, in fact, doing something illegal.

It is a fact that the government may not target you because you are not doing something illegal - 100%, yes. But it is also a fact that you can be doing something illegal for a long time before the government targets you. You cannot use government inaction as proof one way or the other.


The devil has enough advocates. Don't feel the need to throw your hat into the ring.


Helping other sinners eat is a bit different than one company helping another company sell hate on the internet.


Let's pretend that private firefighters exist and you had to pay for them to protect your house. It was a thing for most of the world.

It _sounds_ like you are suggesting that private firefighters should let houses burn down if it's something disagreeable.

I have that wrong, I'm sure, so feel free to correct me.


Private firefighters still exist, and they do let houses burn down.

https://www.npr.org/templates/story/story.php?storyId=130435...


Sure, if they don't pay the fee.

In this case, we all appear to have been cheering and begging the private firefighter to just walk away so we can burn their house down in peace.


That's an extremely poor take on a very nuanced and complicated situation.


Your cops suck so you blame anyone but them? Should ISPs also be liable by your logic? Just like CF they can monitor and censor content. Make the Tor foundation liable as well since they run the Tor network while you are at it. Can't people criticize a company without trying to criticize everything about it? This isn't even related to the topic at hand.


This is a really bad look. InfoSec is a very tight-knit industry and this will really make working with/using CF an unpleasant proposition to many.


If it wasn't already, you aren't paying attention.

Cloudflare is quite literally the largest bulletproof hosting provider for bad actors on the internet, and unless you know someone at the company personally takedowns are like pulling teeth.


Not to mention that CF's policy is to forward takedown requests, unredacted, to the site you're trying to take down. CF users like KiwiFarms have been weaponizing this policy for years by publishing their takedown requests, knowing their userbase will seek retribution against whoever sent them.


Huh? Are you suggesting sites shouldn't have access to takedown requests? That is unreasonable.


I'm suggesting there should be a path to complain to Cloudflare without the site being put into the loop, for cases like this where the site is not acting in good faith.


There is. Twitter mobs seem very effective these days.

The problem is what they do is legal, beneficial (because we have a lot of bad people) but not without downsides (again, because it helps some (or the same) bad people).

Since there's no easy way to sort out people and content it's hard to fault them for not doing so.

If what they were doing were 100% bad then it would be politically straightforward to ban it. But we already ban those things.

So what's needed is better systems, models, rules, processes that help with one of the underlying problems (eg. we need to either reduce the number of bad people or we need to get better at sorting content), then it again becomes politically simple to pressure providers to actually do better.

(One of the possible things that could be improved is a better way to do incremental changes. Currently CF can drop clients once, so they are not going to take this lightly. If there were other ways to signal to clients that they are doing something problematic, that would incentivize CF to utilize that incremental tool more.)


>CF users like KiwiFarms have been weaponizing this policy for years

If your complaint is that the host should be the only one to see the full report then your point doesn't stand since Josh pays to have his own ASN so he can personally handle reports for it.

If your point is that only Cloudflare should have the name I don't think it counts as a valid DMCA takedown since it's not like you have a signed document from the copyright holder or someone on their behalf.


The comment is pretty obviously talking about working with them when it comes to vulnerabilities.

How they handle takedowns is important in its own way but completely unrelated.


EDIT: CloudFlare CEO has acknowledged this and responded.

https://twitter.com/eastdakota/status/1566160152684011520


This is a good policy. Security people are universally annoying and full of themselves. Many other kinds of bugs (accessibility, performance, bad UI copy) harm users and none of them go around having cool Vegas conferences, giving names and logos to all their bugs, and seeming to think they’re characters in The Matrix.

I propose that anyone who gives a talk about anything first apologize for causing people to perceive them.


For starters, these events are totally unrelated, and are a very strange false equivalence. Would be very curious to see more details of Tavis’ claim though. That being said, CF is still in the right for the stand they’re taking on not being a content regulator of their base internet utilities.


Nothing better than claiming the perks of "being a utility provider" while bearing none of the burdens lol

If CF didn't offer free DDoS protection - ironically, whilst providing cover & protection to the greatest # of DDoS-4-hire websites on the clear-web - they would have nothing else to offer that would be considered best-in-class

But yeah, they're the preeminent force in ensuring free speech on the internet lol


I am all for a law compelling companies like CF to cooperate with LE and censor on behalf of the state if that is the will of the people. They are a utility provider that has not been expected by society to fund and administer a censorship operation. Go and vote if you think they should be compelled to censor.


lol inevitably, the "muh censorship" and the "muh 1FA rights!!!" comments are always the most entertaining, and least informed comments on these subjects

CF has *no power to censor anyone*

Refusing to provide FREE DDoS Protection, and refusing to FREELY CACHE vitriol, are not "censorship"!

Nor are either of those actions an infringement on any American's rights as defined by the 1st Amendment [friendly reminder that there are nations, other than America, in the world]

Sure - CF are not content moderators ... but, neither are they "a public utility provider" ... they are, however, a *for-profit commercial enterprise*, and as such, they get to choose who they DO, or DO NOT, do business with

If you think any of the sites offloaded by CF deserve the free DDoS protection and caching services CF was providing - by all means, spin up some servers and provide it to them yourself - you have that right.


I agree with some of what you said but even banning someone from say HN is censorship. It just means you prevent them from saying something, they can bypass your censorship or find a different platform but banning for the cause of restricting content is censorship even if the censored can still get services elsewhere. Also, for the utility part, neither are ISPs technically so by that it just means they want the same telco rules to apply to them.


Exactly. Providers have Freedom of Association, and I argue that everyone should have freedom _from_ being doxxed and harassed.


Unless I'm misunderstanding your idea, that sounds like it goes against the First Amendment.


lol plz see my reply to OP


That's why I said vote.

But not necessarily, companies are not people, they are not protected by the bill of rights, and this is already happening when LE forcibly take over domains to censor them, with cause of course. Also, freedom of speech does not include speech made with the intent and effect of causing demonstrable harm.


>That's why I said vote.

Constitutional amendments are so tricky that I'm not sure if just going out to vote is gonna change anything.

>Also, freedom of speech does not include speech made with the intent and effect of causing demonstrable harm.

I don't think that is a legal standard for the First Amendment. Advocacy of violence is protected speech under the First Amendment.


States need to ratify amendments, so having enough state legislatures and laws to support the amendment is the best way. Having someone propose it at the fed level is the easy part.


I think they offer a lot of best in class services, have you used the enterprise tier or just the free tier?


A lot of their services, such as R2 storage, have literally no competition.


Hope the guy who down voted me enjoys paying 100-1000 times more to Amazon's egress racket!


not the one who downvoted you, but backblaze has similar pricing: https://www.backblaze.com/b2/cloud-storage-pricing.html


Backblaze also has free egress to Cloudflare. Which is very cost efficient.


Using this for significant amounts of non-html content will get your account disabled. They only allow it for R2.


> That being said, CF is still in the right for the stand they’re taking on not being a content regulator of their base internet utilities.

This is entirely unrelated to the issue of if they should stop offering their services to known Very Bad People. Nothing about current events with CF is related to regulating content.


It absolutely is about regulating content. Just because the content and the people that generate it are vile does not mean an internet backbone utility should play great internet censor about it. I say this as exactly the kind of person (trans) that the community in question loves to attack.


CF isn't a utility. KF is perfectly capable of operating on their own, without CF's products. This is strictly a matter of CF's desire to continue to do business with them. Their whole spiel on the blog post about how they're a utility is just dancing around the issue - they have no legal obligations that an actual utility does. It's an interesting discussion if they, and others like them, should be considered a utility. But that's neither here nor there because they aren't one.


I don’t think CF ever said they had a legal obligation and I don’t think they ever wanted to be perceived as if they do so I don’t think the reminder in your comment changes any stances. The fact of the matter is that people are mad because CF is protecting a site against digital vigilante justice instead of finding a better means to approach taking down KF.

As a company CF could deny service to KF but then it would be giving power to the vocal dissidents who could seemingly quiet any site they find disagreeable.


For anyone not aware, the CEO has responded.

https://twitter.com/eastdakota/status/1566160152684011520


Good luck fighting about CF's morality, HN. But the root cause here is lack of legislation explicitly defining rights and obligations of security researchers and the vulnerability reporting process.

As it stands, you can get raided for vuln reporting (doesn't happen a lot because of common sense, not law), harassed, face retaliation and have the vendor silently fix it without crediting you.

For some reason everyone thinks this is a matter to be legislated and resolved by popularity contests (don't use vendor X) and/or capitalism. Which is interestingly why the FTC is even involved, I guess?

In an ideal society you wouldn't need such laws and the default is liberty, but in this society the only reason researchers are even being allowed to do their job is things like twitter and fears of PR nightmares (which won't work with every vendor/company).


Google Zero exists to discredit competition.


You know, I hear this from time to time. And I hear criticism of Cloudflare's reaction when Project Zero told us what they'd found. I don't think they were discrediting Cloudflare and imagine the opposite scenario. Imagine P0 hadn't found Cloudbleed and it hadn't been stopped as fast as it was. As tough as Cloudbleed was, I am grateful Tavis spoke up. And a lot of people should be also.


Cloudflare is a neighbor player to poke. In general, I'm more worried about smaller players.

Tavis seems to have a very dopaminergic personality and I appreciate your position but I feel that (fully and professionally done) responsible disclosure means more than impulsive twitter posting.


Yet GPZ regularly publishes serious vulns in Google products like Chrome and Android.


Feel like there is more to this story than just a single tweet. What exactly was lobbied and under which grounds?


Someone just posted up a pull quote the other day on Hacker News about how Cloudflare doesn't bend to cancel culture, and I remarked that they already had more than once. Now the big reveal is they ARE Cancel Culture, but they have no idea they are!




Cloudflare's indifference to DDOS-for-hire providers using their service is also raising some eyebrows, considering a large part of their business is mitigating DDOS attacks. Do a search for "stresser" or "booter" services (euphemisms for DDOS-for-hire) and check their DNS records; 9 times out of 10 they're hiding behind Cloudflare.

Intentional or not, helping the attackers stay online while also selling mitigations for their attacks is basically a protection racket.


I echo the top comment on that pro-nazi post, too much missing info to form an opinion.

I don't like or hate CF either way, but quit this "_______ also did some bad shit"; that's not the topic of discussion and is a clear attempt at "cancelling" instead of discussing the topic at hand. Which so happens to also be missing a lot of info, and HNers are jumping the gun without knowing who did the lobbying and why and what consequences they faced.


> EDIT: Also, “We find that several providers are disproportionately responsible for serving misinformation websites, most prominently Cloudflare”

Cloudflare is disproportionately responsible for serving all websites.

