I ran the worlds largest DDoS-for-Hire empire and Cloudflare helped

359 points by Rasbora over 2 years ago

38 comments

zaptheimpaler over 2 years ago
The deplatforming logic is practical but pretty shaky as a long term strategy. Kiwifarms absolutely may have been a despicable place causing real harm to people. In that case, the police should initiate a request to take them down that Cloudflare or ISPs etc. are obligated to follow. The problem is the government is completely ineffective and regularly offloads their responsibility to platforms like Facebook, Cloudflare etc. A private company should not be making decisions on essentially freedom of speech. It's just one more responsibility that law enforcement has completely shirked leaving others to clean up the mess.
EdwardDiego over 2 years ago
So he ran a DDoS network that wasn't behind Cloudflare, but used Cloudflare to stop his website being DDoSed by competitors, and this means Cloudflare was helping him DDoS others?

No, it means Cloudflare was helping keep his website up, in a neutral manner.

In other words, exactly what Cloudflare have stated their policy is.

Now if Cloudflare allowed him to run DDoS code on its Workers, then yes, that's Cloudflare helping him.

Very false equivalence.
oivey over 2 years ago
This article seems to have been posted to make a false equivalence with the current Kiwifarms situation. There’s a pretty clear difference in urgency between taking down DDOSers and deplatforming a forum that is a gathering point for a mob engaging in mass harassment, stalking, and SWATing. One is a nonviolent crime. The other is a crime targeting an individual that had already escalated to the point of a high risk of violence, with no sign of slowing down.
longrod over 2 years ago
I think this is becoming increasingly common for Cloudflare which sets a bad precedent. They can scream however much they want that they don't want to make these decisions nor do they like to be put on the spot but it doesn't save them from the backlash of being a "curator of the internet".

Moderators get the worst backlash everywhere in the world. The only difference is that Cloudflare continues to refuse the fact that they have quite a lot of power over whose traffic they let through. When you, basically, govern 20% of internet traffic you must take the responsibility for it as well.

This article is a nonsensical shout in the air. Cloudflare, like Google, is not looking over every single request that goes through them. They take these actions after enough noise is raised to highlight the issue. The problem is that Cloudflare will become prone to bullying.

What I mean is that if I have a good number of fanatic followers, I can raise noise against a rival platform and get Cloudflare to, at least, scrutinize it and, at worst, deplatform it. Cloudflare will need to set in place some policies to protect themselves from this.

If Cloudflare does this kind of thing enough times, they will unintentionally become a policing force. That's really not a good place to be in for a business.
Justsignedup over 2 years ago
JUST ONE SINGLE NOTE:

Cloudflare is a private company responsible for a product that they sell which they can choose not to sell to someone as is any company's rights.

The Fire department is a public sector entity, funded by our taxes, and we don't have any choice in which fire department we choose.

Anyone can come up with a cloudflare competitor for nazi materials, they have all the ability, money, and ability to build out data centers. All they need to do is to find people willing to build/fund it all. And it turns out those leading the charge don't know how to run a good business, and don't want to put money in, and can't find talent willing to work for them.
mildmotive over 2 years ago
> As the infrastructure provider for over 20% of all www traffic traversing the internet today, CloudFlare is in a position to enforce its beliefs on a global scale.

> Who interprets what qualifies as hate speech?

Exactly the issue. We should not give “activists” a free pass on this one. I wonder now which one(s) of them will commit the crime of actually DDoSing KiwiFarms. We probably will never know.

Vigilante “justice” is problematic because it leaves room for people to harm others without proper evidence of wrongdoing. Mind you, I’m no way denying that Kiwifarms are reprehensible, but there are people out there claiming that KF is literally causing people to die, which I’m wondering where is the evidence of that? If someone is suicidal, one of the better ways to help them is to (among other things of course) make them understand that they have power over their circumstances by telling them that they are responsible for their actions. Claiming that some internet bullies can cause you to kill yourself is not helpful, nor is it true.
roenxi over 2 years ago
This article is not very articulate on the point, but goes to the real touchy point with the Kiwifarms decision. Based on what I know it seems Cloudflare made a good decision, but:

1. The internet is vast.

2. Figuring out what someone is doing on the internet even if you did somehow have full transparency over the data they send/receive is hard.

3. Any policy of intervention is going to leave behind a stream of poorly prioritised actions that are highly questionable.

4. Just because we see something doesn't mean it is there. It is usual for the first impressions to be wrong. Often even after researching an issue thoroughly.

I don't think there is a free speech issue here, but I do question whether Cloudflare has the motivation or capability to actually execute a policy of policing the internet fairly. All the pressure is going to be to police the internet for specific political goals.
judge2020 over 2 years ago
> they are actively lighting these fires and making money by putting them out!

A bit of an odd take - it's like the fire department putting out the fire at the known arsonist-for-hire's house, and the police chief happens to run the fire department while doing nothing about the suspiciously wealthy arsonist.

The difference is that Cloudflare isn't an actual public service and has no obligation to DDOS protect anyone.
fareesh over 2 years ago
Political neutrality is important for the tech industry. I appreciate Cloudflare trying its best to be neutral. When harm is done, the fault lies at the feet of the perpetrator. Blaming their utility company, hosting provider, DNS registrar, grocer, butcher, barber, etc. is lunacy.
BrainVirus over 2 years ago
Exactly as expected. The more websites CloudFlare bans, the more its reputation will sink, the more enraged and demanding the pro-censorship mob will become.

I note this one more time: almost no posts talking in favor of banning stuff here specify any objective limiting principle of where it should stop. It's like an exercise of deliberately creating a slippery slope.
judge2020 over 2 years ago
How do we prevent DDOS without centralized services like these? There has to be something.

It would be nice if these attacks were blocked before they even get to a transit provider, but cheap server / VPN providers seem unmotivated to try to solve the problem (since they barely lose any money when they facilitate the DDOS, and/or the attacking devices are rogue IoT devices and booting them would mean booting legitimate customers who don't know the first thing about auditing their network for compromised devices).
Aeolun over 2 years ago
What a weird argument.

Cloudflare is like a fire department that still fights fires in the homes of known pyromaniacs. Whether or not they set the fires themselves is irrelevant to the job of the fire department, if someone needs to stop them it’s the police.
Barrin92 over 2 years ago
What's at the heart of the entire Cloudflare situation is this discussion around the platform's alleged neutrality.

I do not understand this at all. If I run a business, and I see that unambiguously bad actors namely abusers, criminals, stalkers, harassers or whatever use my services to facilitate their actions I have a very clear ethical obligation to step in. I don't go "well the law isn't here, it's not my problem". Making money off unsavory individuals, metaphorically selling both shields and guns at the same time is unethical. Dodging that responsibility is moral cowardice.

The law isn't in every place, it's slow as hell and dysfunctional anyhow in some jurisdictions in particular but that's no excuse for inaction when it is within one's power to prevent harm. It should be that simple.
nostromo over 2 years ago
If SWATing is the weapon of choice for harassment mobs, then fix that first.

Note that this particular SWATing wasn't in the US, it was in Canada -- so it's not necessarily even a uniquely American problem.
tcmb over 2 years ago
Maybe a better analogy is an energy provider: You don't expect them to turn off somebody's power because they are listening to the wrong kind of music.

Energy companies are publicly traded companies as well, I don't see what difference this fact makes in the analogy and the argument.

Policing is the police's job, not that of infrastructure and utility companies, precisely because that would bring a lot of hairy questions that the author raises as well.
NotPetya over 2 years ago
One of the laziest articles I've read recently. I was looking for a gotcha, some concrete evidence Cloudflare actually helps booters to boost their own sales, and the closest he comes is saying DDoS sellers host their websites behind Cloudflare. It feels like this was written to take advantage of the moment and tie the Kiwifarms to actual online criminal activity.
barbarbar over 2 years ago
You should not drag others into your criminal actions. You decided to do it on your own and for your own benefit. You did it and must now live with it. But don't blame others and drag them in and say they "helped". This is on you alone.
dcow over 2 years ago
The linked post by Prince is pretty frustrating.

“This is not our stance, but we do it anyway for all the reasons we just said are bullshit.”

I have a ton of respect for Prince but this spineless double standards stuff is BS.

PS: I have no idea what the deal is with Kiwifarms and frankly I don’t care. If it’s really that bad then we need to have a judge order an injunction.
e63f67dd-065b over 2 years ago
Isn’t DDOS pretty illegal? In my opinion, selling illegal services is a strong case for CF to kick them out because they quite clearly break the law.
nindalf over 2 years ago
One thing I don't see covered here - cost. Specifically, the cost of providing DDoS protection vs the cost of processing every complaint and evaluating if the complaint is legitimate.

At Cloudflare's scale, providing service to one additional site costs exactly $0. It's actually beneficial because it spreads their fixed costs (hardware, staff) over more customers. Great (for Cloudflare and the site).

But that only works if they don't have to do any marginal work for each site. Actually investigating each new website, going through potentially each page on the website, making a judgement call on if there is sufficient moderation to allow it or they shouldn't - it could take several hours or days of a skilled worker for each website. Just putting an example out there - how long would it take you to evaluate if reddit.com adheres to all the terms in Cloudflare's TOS? There's a different standard for user generated content, but it gets a pass if there's a good faith attempt to moderate the site. This stuff is actually hard.

If they actually had to process every complaint, regardless of where it came from, the economics of their business might not make sense. And of course, they open themselves up to false positives. They might ban a forum that looks dodgy but ends up being a leukaemia support group, which spawns yet another #dropCloudflare. And lastly, if they're going to listen to outrage from Twitter, they don't have a leg to stand on if they receive lawful requests from sovereign governments in Turkey, Saudi Arabia etc.

They hoped to sidestep all of these issues - money, false positives and state sponsored takedown requests by saying "we don't take down anyone for any reason". Well, it didn't work out.
bobsmooth over 2 years ago
Can we just skip to the end where the internet breaks into fiefdoms? AOL almost did it in the 90s.
deltasepsilon over 2 years ago
Technically, by way of the analogy provided in the article, Cloudflare is simply putting out fires at all houses, even those that are known to start fires. Their moral game is that it's not their responsibility to act on this knowledge, unless, it seems, there is some clear and present imminent danger, which is something for them to determine.

This community, by which I mean HN, likes to have its cake and eat it too. Perhaps they're not all the same people, but HN also gets upset that VISA polices what businesses are deserving of accepting credit card payments.

Regardless of which side you fall on, consistent and clear messaging is important. In that way, Cloudflare deserves some respect for attempting this, when every other corporation, be it VISA, or the FAANGs, simply do whatever is expedient to avoid negative attention, be it PR-wise, stock market wise, or regulatory wise.
joecool1029 over 2 years ago
HN and Matthew Prince really struggling with these two things:

1. A company can arbitrarily do whatever it wants within the confines of the law. Additionally a company's chief executive and/or leadership team can do whatever it wants so long as it is not in breach of their bylaws and/or they have the support of the board.

2. A company which is publicly traded is beholden to public perception if it affects current and future shareholders' views on share price and health of the company. If shareholders believe being associated with potentially illegal activity means Cloudflare could be open to lawsuits, then leadership kicks off that activity. Leadership can't give an honest answer on this because it would admit they were worried about being complicit in illegal activity. This is why you see the response of 'we don't believe this is our responsibility, we're just a neutral entity' PR spin.

To return to OP's post, Cloudflare directly benefits by letting DDoS-for-hire operators use their service. They've been informed of this, this post is one of many on the topic. If you go a few comments back in my comment history you'll note I mentioned Cloudflare also pulled down sex worker sites in the fallout from SESTA being enacted. Why didn't they make the same argument then? Unlike SESTA at the time the caselaw on CFAA supports that DDoS-for-hire is illegal activity, going back a little over 10 years with plenty of prosecutions. The US prosecutor handbook on it was updated around 2010 to add it https://www.justice.gov/criminal/file/442156/download, the last time I remember anyone trying to claim it was legitimate protest was back in 2013 when some Anonymous indictments were handed out. Cloudflare also responds to DMCA takedowns even though they don't host the content, why would they do that if there's no liability?

Let's break it down a little more then: If my business is damaged because my website gets DDoS'd by a protected service Cloudflare knows will make me require the purchase of a service like theirs, why wouldn't I name them as a conspirator in a legal complaint?
28304283409234 over 2 years ago
> However CloudFlare is not a neutral utility, they are a publicly traded company and have shareholders to report to, can any fire department in the world say the same?

Publicly traded? No, but fire depts in the US were commercial entities paid for by insurance companies. Arguably just as bad.

You had to be a paying member if you wanted them to put out the fire burning your house down.

Well documented that fire depts would stand idly by and do nothing for the neighbours.

But yeah, that's what you get with Cloudflare's shitty analogy.
ftyhbhyjnjk over 2 years ago
Aah.... an attempt to give more de-platforming powers to more private companies...
everyone over 2 years ago
I don't think the author's argument makes sense.

Cloudflare's position is that they are neutral and will provide their services to anyone and everyone. They do not make those value judgements deciding who deserves their services or not.

The fact that they thus provide their service to booters isn't a flaw in Cloudflare's argument, in fact it's consistent with their position.

The author is implying that Cloudflare should independently make that value judgement against a booter, rescind their services from the booter, thus allowing other booters to take that booter down? That's ridiculous. *All* the booters should be dealt with by some legal authority.

EDIT: So according to some comments cloudflare sometimes *does* decide independently to rescind their services from some users? That would make them inconsistent in that case. The author's argument, that the solution to booting is more booting, still doesn't make sense tho imo. It's like the solution to too many guns is more guns.
lionkor over 2 years ago
I feel that, if cloudflare wants to be neutral, they should simply do that.

In my eyes, as long as they don't break any laws themselves, they are okay.
nikanj over 2 years ago
We simultaneously act annoyed that Visa/Mastercard act as gatekeepers, and demand Cloudflare should become the new moral police
politician over 2 years ago
Cloudflare is oddly political for an infrastructure provider. Every few months or so they seem to be forced to explain why they have decided to deplatform this or that website contrary to their no interference policy.

You don’t see AWS or Microsoft having the same frequency of these sorts of reports. What am I missing?
amq over 2 years ago
I strongly believe abuse claims should be handled by the actual hosting providers behind CloudFlare.
SergeAx over 2 years ago
> That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character

So, to continue the analogy, we are reading the post by (ex-)arsonist?
reisse over 2 years ago
As far as I understand, protecting from DDoS attacks is a big enough part of Cloudflare business. Doesn't it create the conflict of interest here? I can imagine how it makes sense for Cloudflare to facilitate DDoS attacks by sheer ignorance with plausible deniability, to sell more DDoS protection to the targets.

Using their own analogy, the real fire departments actively prevent fires by enforcing safety policies, not merely fighting existing ones. If fire department is paid only for the fires extinguished, they are strongly disincentivised to enforce safety policies.
ethotool over 2 years ago
Everyone wants to bully and pick on Cloudflare now because it’s the cool thing to do I guess.

The issue is not Cloudflare — it’s just the sad reality of the Internet in 2022.

Imagine a criminal pumps a full tank of gas into his vehicle and then uses that vehicle to commit crimes. Nobody goes out and blames the gas station or holds them accountable.

The owner of the vehicle should and would be held accountable in real life. And in any case related to the Internet or Cloudflare, the owner of the website should be held accountable.
renewiltord over 2 years ago
What a nonsense storm in a teacup.
timwaagh over 2 years ago
The author mentions he doesn't want us to judge him on his past. But I don't think teenagers are that different from adults so I doubt there is any real basis for that. He'd probably still do it if that was the best way to make money. If he had not written that, I probably wouldn't have given it any second thought though. It's a good article just don't tell people what not to think they might just start to think what you didn't want them to.

I strongly agree with the points made. What Cloudflare is doing is terrible. They should remove this protection and publish an apology to the victims before a court decides to think the same.
prvit over 2 years ago
If the numbers from DoJ are to be believed, this was *far* from the largest DDoS-for-Hire operation by revenue.
lovasoa over 2 years ago
It's incredible that cloudflare compares itself to a firefighter answering all calls wherever they come from. They are more like a private security company working for a mafia boss that pays them well.
unixbane over 2 years ago
What a stupid fucking article, including "I grew up with cloudflare, therefore know nothing about how the internet works", and "cloudflare is a racket because I said so and give the benefit of doubt to myself". Web hosters never cared about what content they host. It was previously the norm to not even check for child porn and wait for law enforcement to make any decisions, and rightly so, as it's, literally, not their concern. Some web hosters did care about their content, but there were few and you could quickly move to another. Cloudflare are one of the new generation of webshit services, run by little babies, enamored by their big userbase (yeah, I had a big userbase when I was 12 and quickly got over that phase), and feel some sort of moral but mainly pretentious need to save the world, often by limiting who uses their service, or implementing some sort of snake oil.

New conspiracy theory: all these drama about absolutely irrelevant websites like 8chan[1] and kiwifarms are to distract from the fact that cloudflare has killed anonymity on the internet. Since 2011 or so, browsing any website behind cloudflare over Tor or pretty much shared IP address got you essentially blocked. You would have to fill out a captcha to even see the front page, and not just any captcha, but the worst one which almost never works when on a shared connection: recaptcha. THEN you had to open up the cdn.myshitwebsite.com and repeat the same bullshit, and then you can see images, css, scripts, whatever on the site. ONLY in 2018 they fixed this (it was always possible to bypass it by changing your user agent to a specific string and such things, but almost nobody knew about this), and then broke it again, I'm not sure what the current state is. Then around 2020, a bunch of cloudflare imitators popped up, which includes having the pointless captcha at the front of pages. Cloudflare literally killed Tor, it was solely their fault.

1. "But oh no, a jihad thing was posted on it", same with facebook but 1000x worse