Cloudflare's CEO recently floated the idea of a service to block AI companies that scrape media content without compensation. It's an intriguing and possibly useful idea, and one that they could probably pull off to some degree. I didn't see this brief interview anywhere else so...
https://www.linkedin.com/feed/update/urn:li:activity:7287149126188691458/
Anyway, this idea is interesting coming from CF because their CEO has long argued that it doesn't want to be in the anti-abuse business absent a court order, as anything less amounts to a slippery slope of censorship. But as long as the CEO is talking about being the arbiter of good and bad, how about we start with something more prosaic, like making it easier for people to decide what parts of CF's network they don't want to see at all.
BTW, Cloudflare's mantra is that they don't "host" content in the conventional sense, but rather they are a pass-through that caches content in multiple places to make it more quickly and globally available. At the same time, their mantra on abuse has always been that selectively booting bad customers without a court order is akin to censorship, i.e. their being able to decide whether some content deserves to be online or not.
But here's the truth: Even if CF were to boot a site off its network, that doesn't "censor" the booted property, which will still have its content served from the original location. And this is why I find their argument for not doing more so disingenuous.
=> More informations about this toot | More toots from briankrebs@infosec.exchange
One refrain I tend to hear from a lot of infosec practitioners is that if CF were to somehow make it more inhospitable for abusive sites, that they will all just move to other CDNs in nations where we don't have as much access or influence, such as DDoS-Guard in Russia. Here's the thing, though: A) that would be a nice problem to have, because then the bad sites would be 1000 times easier to block. But also B) those abusive sites already have that option, and they choose CF by an overwhelming number. E.g., in one recent investigation into nearly 5 dozen RU-based cryptocurrency platforms that exchange crypto for cash in Russian banks, all were hosted in Russia or in Russian-friendly ISPs, and all but one of them were using Cloudflare. This is just one example, yes, but it's a reality we see everywhere.
=> More informations about this toot | More toots from briankrebs@infosec.exchange
@briankrebs Just to note, though, CloudFlare's "customer" is the content host. So it's not really surprising that, from their perspective, allowing content hosts to block scrapers (i.e., allowing "writers" to block "readers") is more attractive than allowing "readers" to block "writers."
And it's not inconsistent with their CEO's (in my view, honest and principled) stance on free speech: if you believe, generally, in enabling more speech, enabling speakers to block some listeners (on grounds of IP violation or whatever) makes a lot of sense.
(I'm not saying I agree, but I think it's relevant that this is both aligned with their business interests and consistent with the philosophy Prince has espoused. It's not just some political pivot a la Zuck.)
=> More informations about this toot | More toots from _dm@infosec.exchange
@_dm @briankrebs Yes, good point. It looks like most independent sites are run by people with a lot of concerns about competing with AI that uses their work. When Cloudflare makes announcements like "Declare your AIndependence: block AI bots, scrapers and crawlers with a single click" it gets more people to set their sites up with Cloudflare. Pretty solid product marketing—find something people are complaining about, add a feature to fix it https://blog.cloudflare.com/declaring-your-aindependence-block-ai-bots-scrapers-and-crawlers-with-a-single-click/
=> More informations about this toot | More toots from dmarti@federate.social
@_dm @briankrebs I firmly know that CF is wholeheartedly in support of fascism as an avenue to improve shareholder value and that the CEO is just as principled as Musk.
They platformed ALL of the most vile of vile sites for years. It was good for business as they put those sites onto a small cluster of CDN nodes, so their support of the sites wasn’t by accident, it’s by design.
=> More informations about this toot | More toots from plambrechtsen@mastodon.nz
@_dm @briankrebs A sane and reasonable organisation has an acceptable use policy and terms of use.
CF has an acceptable use paragraph where as long as you’re not violating DMCA then it’s fine.
To believe that Prince is some free speech absolutist and the champion of the internet protecting us from DDoS means we disbelieve reality and the years of reporting showing all of the most evil sites have been CF clients to get their site established.
=> More informations about this toot | More toots from plambrechtsen@mastodon.nz
@plambrechtsen @briankrebs I mean, I don't know what's in his heart of hearts. I'll just say two things:
=> More informations about this toot | More toots from _dm@infosec.exchange
@_dm @briankrebs I judge people by their actions.
The fact Prince is such a free speech absolutist knowing full well sites like the daily stormer, 4/8chan and kiwifarms happily operated for years, on dedicated CDN infrastructure.
All while the “abuse” procedure was to forward any complaints to the site owner for you to then be DOXed and directly targeted in real life leading to someone taking their life.
Their entire platform is corrupt to the core.
=> More informations about this toot | More toots from plambrechtsen@mastodon.nz
@briankrebs have you ever tried reporting phishing sites to them?
Their reporting tool informs the person doing the reporting that CF will pass along the report, along with identifying information about the person doing the reporting, to "the website owner"
i.e., the phishing site operator
No thanks.
Is it any wonder this stuff flourishes behind their captcha gates? I won't help them by reporting if the result is greater risk for me.
They can figure this out by themselves.
=> More informations about this toot | More toots from threatresearch@infosec.exchange
@briankrebs With the recent takedown of DDoS services by Europol, I eventually got a list of the domains - all of them were pointed at Cloudflare before takedown.
=> More informations about this toot | More toots from GossiTheDog@cyberplace.social
@GossiTheDog @briankrebs I analyzed the same list. If memory serves, two booter sites hid behind Cloudfront, the rest of the lot behind Cloudflare.
=> More informations about this toot | More toots from christopherkunz@chaos.social
@briankrebs “If I don’t sell alcohol to those teenagers, they’ll just get it from someone else,” says every sleazy dive on the edge of town. Many institutions would have no problems blocking all DDOS-GUARD IPs and probably should. I find it hard to have a lot of sympathy for Cloudflare’s laissez-faire attitude given all the malicious activity it enables.
=> More informations about this toot | More toots from sig_ug@infosec.exchange
@briankrebs@infosec.exchange But if they move to RU wouldn't that make surveillance on them and their users more difficult?
=> More informations about this toot | More toots from gme@bofh.social
@gme Maybe. But that's infinitely a less important concern compared to the staggering level of abuse being propped up by CF.
=> More informations about this toot | More toots from briankrebs@infosec.exchange