Yeah, probably not - because they don't explicitly have to, as outlined in the post. The very architecture of CF's services essentially enables "blackmail as a service" in the sense that CF protects the attacker and essentially creates a coercive environment in which the victim "has" to pay CF to protect them from... the very attacker that CF protects.
This is the part that's wrong. CF is not creating the fact that sites are vulnerable to DDoS, and these attacks would happen even if the sites were kicked off.
If some guys are going around slashing tires, would we demand that tire repair shops not sell to them? Would we say it's blackmail because the tire shop sells to anyone, and selling tires to them "creates a coercive environment"?
That gets confusing because it sounds like a special thing they're doing in addition to their main function.
If the back of the store was a convention center that allowed basically any small club to use it for free, and of their many thousands of hosted clubs one or two were focused around tire slashing, that wouldn't cause the same reactions.
Right. It's more abstract than that. They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable. Then they sell the same "protection" to the victims. It's the classic mafia protection scam.
I've never tried a subpoena. I've tried reporting them to ICANN for whois abuse contact violations and never received a response (after I received a response from cloudflare saying, "Go away, we don't care, sign up for our services and pay us to care."). Perhaps I should set up a gofundme or something for the thousands of dollars needed to get justice via subpoena.
If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
> If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences.
As far as cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information.
They have a legal obligation to provide a working abuse contact address. I guess you're saying that it is working when they say, "go away." and yeah, I can see that point of view.
But it also means that any domain fronted by cloudflare won't actually have contact information for the owner of the domain required by their legal contact with ICANN as a registrar.
No you wouldn't. Unless you failed to comply with subpoenas/warrants/etc for it.
That assumes of course that like Cloudflare you were hosting a web page and not the actual illegal activity, and were following the laws around hosting things.
> I've tried reporting them to ICANN and never received a response.
So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning a blind eye, both to what cloudflare is supposedly doing and also to what the domain registrars are doing.
In a way, yes, that makes it more okay. You can't have a conflict of interest if you have no interest. Cloudflare has clear interest in hosting the malicious actors and it's in clear conflict with providing services to their other users.