Cloudflare lobbied FTC to stifle security researchers

288 points| zccrkn | 3 years ago |twitter.com

113 comments

jgrahamc|3 years ago

I saw this Tweet earlier and reached out to our public policy and legal teams. Also reached out to Matthew (eastdakota here). They all have no idea about this. We appreciated Tavis/P0 finding and making us aware of Cloudbleed. Kicked off a very stressful time for the team at Cloudflare but glad the bug got found and addressed.

Tavis: happy to chat, I've dropped you an email.

Follow up: https://twitter.com/taviso/status/1566159561148362753

tptacek|3 years ago

The followup appears to confirm that this did in fact happen. Tavis Ormandy didn't claim that Matthew Prince personally lobbied the FTC.

tooltower|3 years ago

A follow-up to this tweet indicates that you found the person responsible for this mess, and that they were not authorized by Cloudflare to do this.

Great. But it also sounds like a reasonably common occurrence, and hence a systematic problem.

gzer0|3 years ago

Thank you for addressing this. As a long-term customer, you have earned my respect and continued business.

Speaking up about events like this is hard to do as an executive and I appreciate the honesty here.

pfadmool|3 years ago

Tangentially related question: are there any plans to permit Cloudflare users to configure proxying directly to onion hidden services?

Given the current controversy, it would be much more reassuring to enter an .onion address rather than an IP address, to be entirely sure that servers can't be unmasked. At least not without compromising Tor or exploiting the proxied-to web server.

braingenious|3 years ago

This is tangential but kind of on-topic since Tavis mentions KF in the replies, but I’ve found it pretty amusing that Cloudflare’s position on enabling doxxing, harassment and DDOS-for-hire has been “Aw shucks, we’re just too darn powerful to do anything about any of this!”

It’s as if anybody could fall ass backwards into a situation where they built up an organization that dictates what’s on the internet as a whoopsie, and oh no, you too would have to enable harassment, doxxing and DDOS-for-hire because shucks, all that darn unlimited, unchecked and unregulated power, access to money and legal resources is actually the same thing as having no power at all! Poor Cloudflare, they can do literally whatever they want and that means they can’t do anything at all!

EarlKing|3 years ago

No, their argument was that they shouldn't do anything about it because the two times they did it wound up causing every tinpot dictatorship to show up on their doorstep and demand they do the same for people that hadn't done anything wrong except piss off the wrong dictator. This is why rights exist in the first place: so that when some idiot erroneously says your site is "enabling doxxing, harassment and DDOS-for-hire" when all you actually do is document the bad behavior of bad individuals on the internet, well, you don't get run out of town on a pole... because the guy with the pole knows that today it's you, but tomorrow it could be him.

penrouse|3 years ago

Seems to me they're operating on a matter of principle.

The Christians who run my local food bank do similar. Their clients include some of the worst people: rapists, paedophiles, murderers - released from prison, with nothing and no-one to help them, other than these kind churchly individuals. Their principle is that Jesus would want them to help their fellow humans in need, no matter what their sins. So they do.

Obviously it's a bit different with Cloudflare as they're a for-profit company of diversely ideological employees, not a non-profit charity of devoutly religious volunteers. But the former type of organisation can run on principles other than making money hand-over-fist too.

OrangeMonkey|3 years ago

Let's pretend that private firefighters exist and you had to pay for them to protect your house. It was a thing for most of the world.

It _sounds_ like you are suggesting that private firefighters should let houses burn down if it's something disagreeable.

I have that wrong, I'm sure, so feel free to correct me.

tomjen3|3 years ago

That's an extremely poor take on a very nuanced and complicated situation.

badrabbit|3 years ago

Your cops suck so you blame anyone but them? Should ISPs also be liable by your logic? Just like CF they can monitor and censor content. Make the Tor foundation liable as well since they run the Tor network while you are at it. Can't people criticize a company without trying to criticize everything about it? This isn't even related to the topic at hand.

xenago|3 years ago

This is a really bad look. InfoSec is a very tight-knit industry and this will really make working with/using CF an unpleasant proposition to many.

dsl|3 years ago

If it wasn't already, you aren't paying attention.

Cloudflare is quite literally the largest bulletproof hosting provider for bad actors on the internet, and unless you know someone at the company personally takedowns are like pulling teeth.

astrange|3 years ago

This is a good policy. Security people are universally annoying and full of themselves. Many other kinds of bugs (accessibility, performance, bad UI copy) harm users and none of them go around having cool Vegas conferences, giving names and logos to all their bugs, and seeming to think they’re characters in The Matrix.

I propose that anyone who gives a talk about anything first apologize for causing people to perceive them.

cassonmars|3 years ago

For starters, these events are totally unrelated, and are a very strange false equivalence. Would be very curious to see more details of Tavis’ claim though. That being said, CF is still in the right for the stand they’re taking on not being a content regulator of their base internet utilities.

6c737133|3 years ago

Nothing better than claiming the perks of "being a utility provider" while bearing none of the burdens lol

If CF didn't offer free DDoS protection - ironically, whilst providing cover & protection to the greatest # of DDoS-4-hire websites on the clear-web - they would have nothing else to offer that would be considered best-in-class

But yeah, they're the preeminent force in ensuring free speech on the internet lol

phillipcarter|3 years ago

> That being said, CF is still in the right for the stand they’re taking on not being a content regulator of their base internet utilities.

This is entirely unrelated to the issue of if they should stop offering their services to known Very Bad People. Nothing about current events with CF is related to regulating content.

badrabbit|3 years ago

Good luck fighting about CF's morality HN. But the root-cause here is lack of legislature explicitly defining rights and obligations of security researchers and the vulnerability reporting process.

As it stands, you can get raided for vuln reporting (doesn't happen a lot because of common sense, not law), harassed, face retaliation and have the vendor silently fix it without crediting you.

For some reason everyone thinks this is a matter to be legislated and resolved by popularity contests (don't use vendor X) and/or capitalism. Which is interestingly why the FTC is even involved I guess?

In an ideal society you wouldn't need such laws and the default is liberty, but in this society the only reason researchers are even being allowed to do their job is things like Twitter and fears of PR nightmares (which won't work with every vendor/company).

hericium|3 years ago

Google Zero exists to discredit competition.

jgrahamc|3 years ago

You know, I hear this from time to time. And I hear criticism of Cloudflare's reaction when Project Zero told us what they'd found. I don't think they were discrediting Cloudflare and imagine the opposite scenario. Imagine P0 hadn't found Cloudbleed and it hadn't been stopped as fast as it was. As tough as Cloudbleed was, I am grateful Tavis spoke up. And a lot of people should be also.

UncleMeat|3 years ago

Yet GPZ regularly publishes serious vulns in Google products like Chrome and Android.

omegacharlie|3 years ago

Feel like there is more to this story than just a single tweet. What exactly was lobbied and under which grounds?

balentio|3 years ago

Someone just posted up a pull quote the other day on Hacker News about how Cloudflare doesn't bend to cancel culture, and I remarked that they already had more than once. Now the big reveal is they ARE Cancel Culture, but they have no idea they are!

trasz|3 years ago

[deleted]

zccrkn|3 years ago

Cloudflare's indifference to DDOS-for-hire providers using their service is also raising some eyebrows, considering a large part of their business is mitigating DDOS attacks. Do a search for "stresser" or "booter" services (euphemisms for DDOS-for-hire) and check their DNS records; 9 times out of 10 they're hiding behind Cloudflare.

Intentional or not, helping the attackers stay online while also selling mitigations for their attacks is basically a protection racket.

badrabbit|3 years ago

I echo the top comment on that pro-nazi post, too much missing info to form an opinion.

I don't like or hate CF either way, but quit this "_______ also did some bad shit"; that's not the topic of discussion and is a clear attempt at "cancelling" instead of discussing the topic at hand. Which, as it so happens, is also missing a lot of info, and HNers are jumping the gun without knowing who did the lobbying and why and what consequences they faced.

kortilla|3 years ago

> EDIT: Also, “We find that several providers are disproportionately responsible for serving misinformation websites, most prominently Cloudflare”

Cloudflare is disproportionately responsible for serving all websites.