
Because they're an amazing piece of technology that also happens to be a state-sponsored man-in-the-middle platform.



I was assuming that it's a loss-leader sort of business strategy at play before reading your comment. Do you care to share any insights/references to support this claim?


Nah that’d be a national security crisis.

But the presence of https://en.wikipedia.org/wiki/PRISM well over 10 years ago should be sufficient.


Gotcha. Yeah, I mean all of these platforms are certainly juicy targets for room 641A [0] shenanigans. I just wondered if there had been some public leaks or something which we might not all be aware of yet.

[0] - https://en.wikipedia.org/wiki/Room_641A


I'd also point out the following from Cloudflare CEO Matthew Prince's wiki page [1]:

> "Prince co-founded Unspam Technologies, which supported the development of Project Honey Pot [2], an open source data collection software created by Prince and Lee Holloway designed to gather information on IP addresses used by email-address harvesting services."

> In 2008, the Department of Homeland Security (DHS) contacted Unspam Technologies, asking, "Do you have any idea how valuable the data you have is?" The DHS' email served as the impetus for Cloudflare, a technology company Prince co-founded with Holloway and fellow Harvard Business School graduate Michelle Zatlyn the following year.

> The DHS' email served as the impetus for Cloudflare

Emphasis mine. I love Cloudflare, their tech is amazing, but to bury our heads in the sand that it wasn't started from day one to be a government spying program would be extremely naive.

[1] https://en.wikipedia.org/wiki/Matthew_Prince

[2] https://en.wikipedia.org/wiki/Project_Honey_Pot


https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/

> At CloudFlare, we have never been approached to participate in PRISM or any other similar program.

> To date, CloudFlare has never received an order from the Foreign Intelligence Surveillance Act (FISA) court.


Overly specific weaseling. (Not by you, by Cloudflare).

The questions are not about if they were approached or participate in any programs, it's what they do and if they provide the data or not.


Again, an offhand comment about an email from the DHS is given all the weight in the world while a direct statement from Cloudflare is nitpicked to death.


The whole point is it's not a direct statement. It is a lot of words which fail to answer the core question: is Cloudflare siphoning data off to any of the Five Eyes (and I almost wrote Five Guys...) government intelligence agencies or their allies?

For example, in your link: "One of the ways we limit the scope of orders we receive is by limiting the data we store. I have written before about how CloudFlare limits what we log and purge most log data within a few hours. For example, we cannot disclose the visitors to a particular website on CloudFlare because we do not currently store that data."

So if they are MITMing everything they totally could just send everything out straight away and not contradict what they're saying at all. Them storing the data or not is completely beside the point.


US-based companies (like China- and Europe-based ones) are not allowed to talk about it when state actors implement their spying tools. It is just naive to think that Cloudflare doesn't give access to state agencies. As others have said, it is more likely that Cloudflare as a company is entirely built around the idea of providing a single point of surveillance to US agencies.


Love the double standard here. An offhand comment about an email from the DHS is considered strong evidence that Cloudflare was "started from day one to be a government spying program" while anything Cloudflare could say to deny it is brushed off as not strong enough.


I'm not judging the evidence FOR Cloudflare being a spy.

But it's a natural double standard that when your potential spy says "I'm not a spy!", well it's no evidence AGAINST.


>> At CloudFlare, we have never been approached to participate in PRISM or any other similar program […because we approached them]

>> To date, CloudFlare has never received an order from the Foreign Intelligence Surveillance Act (FISA) court […because they never had to ask in the first place]

My paranoia was cemented by the book When Google Met Wikileaks. Silicon Valley types do not have to be coerced to share data with 3 letter agencies, they have aligned incentives to ensure American dominance. Which is fine with me, as an American, but I won’t pretend there’s some rivalry where Cloudflare won’t comply without a court order.


Oh, well, that's alright then! If they say so it must be true!


Post Snowden, I think the assumption has to be any large US hosting/service provider is compromised in a similar fashion.


"Our Free plan gives Cloudflare access to unique threat intelligence"

https://blog.cloudflare.com/cloudflares-commitment-to-free/


Nobody remembers the "SSL added and removed here :)"?

https://www.agwa.name/blog/post/cloudflare_ssl_added_and_rem...


How else would a CDN work? Or L7 DDoS protection?


One half of the NSA's mission is defensive, dedicated to improving the security of US systems and infrastructure: https://www.nsa.gov/Cybersecurity/


SELinux is a great example of that end.

Of course, I know an embarrassing number of people that won't touch it because they're convinced it's an NSA backdoor into your system.


They have the nickname "Crimeflare" for a reason, and there is a reason so many threat actors, phishers, and malware people use CF on their landing pages and C2s.

When you file an abuse ticket with CF, CF takes the route of "oh, we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this, which is why so many use 'em.


> When you file an abuse ticket with CF, CF takes the route of "oh, we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this, which is why so many use 'em.

Their abuse page says they forward abuse tickets to the origin hosting provider. The origin hosting provider could ignore your tickets, but I don't see how that's any different than if they didn't use Cloudflare to begin with.


They still have the ability to terminate the accounts of the threat actors using their platform (which would fuck up their scam/spam/malicious campaigns), yet they seem to not want to under their guise of "oh, it's not us".


If they're willing to go to those lengths for scum, imagine how far they'd go for legit customers that pay.


Scum can also be paying customers


Ok but why can’t they take responsibility for the abuse and terminate the accounts themselves, forcing the malicious actors back to being in a position of not being protected by cloudflare?


Before CF, there were no DDoS-for-hire services, because they all DDoSed each other offline.

Keeping them online generates more DDoSes, driving demand for CF's DDoS protection product. Protecting such sites is a sound business strategy.


DDoS protection stops their site from going offline, it doesn't stop them from advertising their services on some obscure forum, which seems to be what they used to do and still do today.


My favourite CF conspiracy theory is that by terminating booters' SSL they know who will be DDoS'd, and when.


They didn't hesitate with 8chan, even when it was known that fedposting was a thing here and that the straw that broke the camel's back they pointed to could have well been a false flag.


So the deep state is smart enough to take over the corporation and inject all this secret squirrel tech, but didn't think to cook the books to make it look like a marginally-profitable (but boring) business?

It reminds me of the counterargument to UFOs where they say "so the UFO flew here from 100 light-years away, through extreme cold, deep space, intense radiation, dodged space rocks, but as soon as it came into a lukewarm atmosphere with a modest gravity and tame weather, it crashed into a field in New Mexico?"


To be fair, you could see how a vehicle designed rigidly for extreme cold, extreme vacuum, zero gravity, etc. might fail catastrophically when introduced to modest temperatures, a modest atmosphere, and a modest gravity.[1]

It wouldn't say much for the foresight of the alien designers, mind.

[1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"


> [1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"

The numbers were given in Universal Standard Units, but the manufacturer assumed Galactic Imperial Units


What? What does business profitability or viability have to do with anything? Cloudflare can serve both customers at the same time. They still make amazing products, have incredibly talented engineers, and provide extremely valuable commercial services.

PRISM worked with numerous participants, from well-oiled tech startups to aging why-won't-you-just-die companies.


PRISM revealed secrets. It also revealed that some companies fought back as much as possible. It's also possible to design core tech so that even when forced to participate, you reveal as little information as possible, or none at all.

CloudFlare, PRISM, and Securing SSL Ciphers, 2013-06-12 Matthew Prince https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/


Honestly this is the most likely hypothesis, but would be nice to have some more evidence.


If a CDN didn't intercept requests, how else could it work? Literally every CDN is an MITM.


I'm sure you've heard this before but Cloudflare isn't really a CDN. CDNs don't have to intercept requests to be useful.

I think what you describe is closer to "TLS terminating reverse proxy", which does need to intercept every request.
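To make the distinction in the comment above concrete (and the earlier point that log retention is separate from what the intermediary can see), here is an added example that is not from the thread or from Cloudflare: a minimal TLS-terminating reverse proxy in Go. The client speaks HTTPS to the proxy and the proxy speaks HTTPS to the origin, yet the proxy holds every request in plaintext in between. The origin handler, the `/login` path and the form body are constructed for the example; `Observer`, `NewTerminatingProxy` and `RunDemo` are names chosen here, not any library's API.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// SeenRequest is what a terminating proxy holds in plaintext for one request,
// even though both hops around it are encrypted.
type SeenRequest struct {
	Method string
	Host   string
	Path   string
	Body   string
}

// Observer records the plaintext requests that pass through the proxy.
type Observer struct {
	mu   sync.Mutex
	seen []SeenRequest
}

func (o *Observer) record(s SeenRequest) {
	o.mu.Lock()
	defer o.mu.Unlock()
	o.seen = append(o.seen, s)
}

// Seen returns a copy of the recorded requests.
func (o *Observer) Seen() []SeenRequest {
	o.mu.Lock()
	defer o.mu.Unlock()
	return append([]SeenRequest(nil), o.seen...)
}

// NewTerminatingProxy builds a reverse proxy in front of origin. Client TLS ends
// at the server hosting this handler, so by the time the Director runs the
// request is already decrypted; the proxy then re-encrypts it toward the origin
// using originTLS. This is the "SSL added and removed here" position.
func NewTerminatingProxy(origin *url.URL, obs *Observer, originTLS *tls.Config) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(origin)
	rp.Transport = &http.Transport{TLSClientConfig: originTLS}
	rewrite := rp.Director
	rp.Director = func(r *http.Request) {
		// Read the decrypted body, then hand an identical copy on to the origin.
		body, _ := io.ReadAll(r.Body)
		r.Body = io.NopCloser(bytes.NewReader(body))
		obs.record(SeenRequest{Method: r.Method, Host: r.Host, Path: r.URL.Path, Body: string(body)})
		rewrite(r) // default rewrite: point the request at the origin
	}
	return rp
}

// RunDemo stands up a TLS origin, a TLS-terminating proxy in front of it, and
// sends one HTTPS POST through the proxy. It returns what the proxy observed and
// what the origin answered. Hosts and the form body are constructed for this example.
func RunDemo() ([]SeenRequest, string, error) {
	origin := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "origin got %s %s %s", r.Method, r.URL.Path, b)
	}))
	defer origin.Close()

	originURL, err := url.Parse(origin.URL)
	if err != nil {
		return nil, "", err
	}
	// Trust the test origin's self-signed certificate on the proxy-to-origin hop.
	originTLS := origin.Client().Transport.(*http.Transport).TLSClientConfig.Clone()

	obs := &Observer{}
	proxy := httptest.NewTLSServer(NewTerminatingProxy(originURL, obs, originTLS))
	defer proxy.Close()

	// The client speaks HTTPS to the proxy and never talks to the origin directly.
	resp, err := proxy.Client().Post(proxy.URL+"/login", "application/x-www-form-urlencoded",
		strings.NewReader("user=alice&password=constructed-sample"))
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	answer, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, "", err
	}
	return obs.Seen(), string(answer), nil
}

func main() {
	seen, answer, err := RunDemo()
	if err != nil {
		panic(err)
	}
	for _, s := range seen {
		fmt.Printf("proxy saw in plaintext: %s %s%s body=%q\n", s.Method, s.Host, s.Path, s.Body)
	}
	fmt.Println("origin replied:", answer)
}
```

A plain CDN serving cached static objects can be given those objects without ever seeing a user's request bodies, which is the difference the comment draws; a terminating proxy like the one above necessarily sees them, and whether it keeps logs for hours or for seconds changes nothing about that visibility.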


What are some alternatives? Preferably the more open source the better.


What is an "open source" network infrastructure provider?


Cloudflare is mostly open-sourced; alternatives are more often than not closed-sourced.


I don't think putting up a few libraries on GitHub and writing great post-mortems makes something "Mostly open-sourced".


I believe the implication is that Cloudflare's usefulness is not in her source code but rather her physical infra; there is not some free-as-in-freedom alternative to that.


Idk if they're open source, but Netlify was the company that I thought sort of made this feature free and easy to use. GitHub Pages is also a free alternative.


Someone was (incidentally?) DDoS'ed on Netlify last year and was served a 104k bill. The fees were waived in the end, but the caveat remains on all these free services that you pay by bandwidth.

https://news.ycombinator.com/item?id=39520776


That's why I like Bunny, the only such service I could find with prepaid pricing. I would rather have service shut off than to have to pay $104k for a day or two of service.


It's not the same type of platform as Bunny, but NearlyFreeSpeech.NET has done cheap, prepaid hosting for 20+ years.


I've used them for small stuff for years. I've never had any issues with them.


Wow, thanks for sharing. Their policies look great. I am going to try them out.


This is one of those things where the act of trying to evade state-level actors by definition puts you on their radar big time.


Alternatives to what? Five Eyes? Good luck with that.


China is happy to offer an alternative. It has pretty high costs, and I don't think it's worth it, but it exists.



