globie 4 days ago

Of course it could claim lives. Hopefully Prince has considered people have also likely died as a result of Cloudflare's repeating captcha which holds the next page in front of you like a carrot on a stick, never letting you know that you will be clicking that box forever.

I'm sure while someone's in the process of keeling over is the perfect time to arbitrarily scrutinize their connecting details. You need to contact your doctor ASAP. Okay, but did your neighbor have a virus last week? Is your neighborhood in your city more "problematic" than average? You may have forgotten to check these details before you fell ill.

Cloudflare sites should come with a big banner warning all users their connection will be arbitrarily approved by an algorithm with chilling effects built in as dark patterns.

Last I checked, Cloudflare does basically no educating of customers about how badly their website will be broken for users arbitrarily when they don't use the ISP or browser Cloudflare likes. No explanation for how many customers you will lose when your website can't be visited by someone who doesn't know how to change their IP, no explanation that if you're offering a critical service then Cloudflare will give that service thousands of tiny downtimes left unknown, the screams too quiet to carry the weight of a tech CEO worried about something similar.

neilv 4 days ago

When I've tried to get a customer of CloudFlare to fix a consistent block of their site -- not safety-critical, but mission-critical, and costing them a SaaS sale -- nobody seemed to care.

My impression is that everyone knows that Cloudflare is blocking some legitimate people, but nobody -- neither the customer, nor Cloudflare -- cares enough to solve that problem.

It's similar to why Google doesn't have much tech support. Or why people can be locked out of their Google or Apple accounts without recourse. Caring about the people who fall through the cracks that you created isn't profitable.

When the Internet is part of the basic material of society, we need to rediscover ideals like "it is better that ten guilty persons escape than that one innocent suffer".

And we need to start removing from power the entities who are too lazy or greedy to uphold our ideals.

(Before someone jumps on literal numbers: That doesn't mean let through 10 botnet floods, rather than prevent grandma from finding a doctor. That could just mean, for example, don't block grandma because one of her browser headers looks suspiciously like an incompetent script kiddie, even though you can see that her traffic isn't yet part of a DDoS flood. Once you change the parameters to be more consistent with a fair and just society, maybe that means that, say, a Web site's servers do see a brief blip, as a new DDoS attack spins up, so it's not a perfectly smooth ride, but every legitimate person remains served. First, don't run over grandma; apply your engineering creativity with that hard requirement in mind.)

globie 4 days ago

Do you ever find that advocating for these tenets feels "weird" nowadays? As in, don't you know these publicly traded companies are legally bound to extract profit without these silly notions of empathy or trust? What do you expect them to do? To start acting silly?

maeil 3 days ago

> As in, don't you know these publicly traded companies are legally bound to extract profit without these silly notions of empathy or trust?

Based on your first question, I think you might already know this, but just in case you don't: This is a myth.

> The idea that choosing a 1% strategic internal investment over a 4.5% T-bill constitutes actionable "financial malpractice" or a breach of fiduciary duty leading to successful lawsuits is incorrect. Courts recognize that running a business requires strategic choices and risk-taking, not just maximizing immediate, risk-free yield. A lawsuit would fail unless plaintiffs could show the decision was tainted by disloyalty, bad faith, or gross negligence in the decision-making process, none of which are implied by simply choosing a lower-yield strategic project.

> Hence why no one ever gets sued for this. It doesn't happen. It lives in the minds of HNers and Redditors to provide a very convenient excuse for their employers, or in general companies, making abhorrent decisions purely based on feels and short-term next-quarter profits/stock price, regardless of the negative externalities they inflict on society.

neilv 4 days ago

I know that some corporations behave like they are jerks who are full of poo.

And some percentage of the rest will act like jerks once it's to their advantage.

But society still holds corporations to account on some societal values.

Mostly through legislation. But sometimes through consumers (and B2B) voting with their pocketbooks.

brookst 4 days ago

As someone who implemented cloudflare because of a massive DDOS and bot problem, sorry, but I will cheerfully allow 1% of my visitors to find the site unusable rather than 100%.

It sucks, but no sane business would be so invested in equality of experience that they’d allow it to be completely broken for everyone.

globie 4 days ago

What website? I'm guessing it is not health related or a "critical resource" if you are cheery about 1% of users being blocked?

For people who put stuff online to help people as well as to extract pure profit, knowing the anguish of your users really helps look out for them.

neilv 4 days ago

Thank you for honesty on this.

The choice isn't necessarily between 99% and 0% of legitimate users/visitors getting through.

What if you, and every other customer of Cloudflare or its competitors, applied pressure to make that 100% of legitimate users/visitors getting through?

What if legislators also mandated that 100% for many sites?

brookst 4 days ago

Mandating 100% availability sounds like regulating pi to 3.0.

It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised. Lots of scenarios where an innocent user must be blocked, unless the entire internet is reinvented. Which is beyond the scope of my project.

neilv 4 days ago

> It can’t be done. If someone is on a home network whose router has been compromised and is part of a ddos attack, there’s no way their innocent HTTP traffic is getting through. Ditto if their machine has been compromised.

To me, this sounds like giving up way too easily on engineering problems.

One distinction to start with: Let's say grandma's router isn't part of a DDoS attack. Even if she might be trying to talk with a site that someone is trying to attack.

After solving that one, maybe the solution also somehow solves the problem of when grandma's router is involved in DDoS (or that site? of a different one?), or maybe we have to think harder.

jedberg 4 days ago

We have thought harder. We know the solution. But you have to trade off privacy for security. It's having every person get a cryptographic key from the government to identify themselves.

Some states are trying this now with porn sites and users are rightfully not having it.

neilv 4 days ago

You know a solution, not necessarily the?

What do you have to do to characterize packets sufficiently to shield against DDoS with negligible false-positive significant blocking? (Without needing to associate packets with an identifiable person, nor zero-knowledge proofs of a person, etc.)

It's OK to discard some prior requirements. (For example, it's OK to insert occasional brief latency (not barge-in Web browser JS) to some traffic, if that permits an approach that greatly reduces false-positive blocking. And it's OK to pass some traffic with a suspected single client, but then change your mind later. It's OK to forget about connection abstractions and clients, and look only at stateless packets and the entirety of traffic.)

brookst 4 days ago

Great, please start a service to do this. From my perspective, it can’t be done. I would be thrilled to be wrong!

neilv 3 days ago

I would be thrilled if this one pest control company stopped kicking puppies.

I bet they could figure out a way to check for fleas that doesn't involve kicking puppies.

But I don't want to get into the flea-checking business myself.

brookst 3 days ago

“I’m pretty sure they’re doing it wrong but can’t be bothered to figure out a better way” is not super persuasive.

neilv 3 days ago

How about this: "You just can't kick puppies. Find another way for whatever it is you're trying to do."

mvdtnz 4 days ago

The people behind Cloudflare spend all day, every day trying to solve these kinds of problems. They're just not as simple as you make it sound.

neilv 4 days ago

> They're just not as simple as you make it sound.

I didn't say it was simple. I said I thought it was more achievable than "it can't be done."

I suspect one of the barriers to it being done is that it's not a top requirement like I assert it should be, for basic resources of society.

When led with that requirement, I have faith that some smart engineers and product management can figure it out.

With apologies to JFK, "We do these things, not because they are easy, but because--" they need doing. Even if they are hard.

mvdtnz 4 days ago

I doubt a single person in Cloudflare would claim it can't be done.

globie 4 days ago

The people behind Cloudflare engineer this issue for profit, which is a very different motive than to "solve" the problem.

The people most interested in doing away with the problem altogether are not Cloudflare, but its customers.

spacebanana7 4 days ago

What’s the alternative solution? We also don’t want to have critical services DDoS’d or spammed.

stego-tech 4 days ago

Then maybe don’t put critical services on the open internet. I know most tech people would balk at such a possibility, but the status quo isn’t really compatible with either long-term goal:

* If we want the internet to be a place of anonymity and free speech, then we shouldn’t be putting critical services on the public internet - or we need to stop using intermediaries like Cloudflare where a single court order could disrupt legal services

OR

* If we want critical services online and widely available, then verifiable identity is a must from the outset, such that these sorts of blocks can be highly targeted when enforced.

Piracy exists between those two forces: an anonymous internet would be rife with piracy, while an authenticated internet would see minimal amounts of it because it’s so easily eradicated. Coexistence of both worked because the internet was optional, which is no longer the case.

But nobody wants to talk about that, I find. Everyone wants the status quo to continue unabated forever, because it’s familiar. Familiarity does not mean permanent, though.

jfengel 4 days ago

I think the status quo exists as a more-or-less stable equilibrium between those forces. (Plus another equilibrium of people wanting to get paid for content and the people who don't want to give cash but will sell their attention and privacy.)

It's more than just familiarity. It's what works.

If someone had a significantly better alternative I think the world would jump on it. But many have tried to disrupt this equilibrium and failed.

brookst 4 days ago

What if there’s no singular “we” and different people / companies have different needs?

stego-tech 4 days ago

That’s basically what I was getting at, albeit in (deliberately) far more inflammatory terms. There’s this misconception at a very fundamental level that the internet is a “place” that can be regulated, or obstructed, as human needs change and evolve.

It is little more than a multitude of computers talking to each other in a similar “language”. It is not a singular place or entity, and attempting to regulate the entirety of it as such is fundamentally impossible.

And the sooner people and governments understand that, the sooner we can resume difficult discussions on its use.

globie 4 days ago

Simple: Connect larger NICs and do "dumb" DDoS filtering at your fattest point.

Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.

"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.

Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!

[0]: I made it up
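The "basic rate controls" a session-based site can apply without a WAF, as an added example that is not code from the post or from any project: a token bucket per principal, where a session the server actually issued gets its own budget and everything else (anonymous traffic, or a cookie the server never issued) is throttled per client IP. The class, the budgets and the traffic in run_demo are constructed assumptions.

```python
import time


class SessionRateLimiter:
    """Token bucket per principal: a server-issued session id is keyed on its own
    (attributable to one user); anything else is keyed on client IP, tighter budget."""

    def __init__(self, valid_sessions, session_rate=(10.0, 20), anon_rate=(1.0, 5),
                 clock=time.monotonic):
        self.valid_sessions = set(valid_sessions)
        self.limits = {"session": session_rate, "ip": anon_rate}  # (tokens/sec, burst)
        self.buckets = {}  # key -> (tokens, last_refill_time)
        self.clock = clock  # injectable so the demo and tests are deterministic

    def _key(self, request):
        sid = request.get("session_id")
        if sid is not None and sid in self.valid_sessions:
            return ("session", sid)
        return ("ip", request["client_ip"])  # unknown or forged cookie: treat as anonymous

    def allow(self, request):
        key = self._key(request)
        rate, burst = self.limits[key[0]]
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(burst), now))
        tokens = min(float(burst), tokens + (now - last) * rate)  # refill since last visit
        if tokens < 1.0:
            self.buckets[key] = (tokens, now)
            return False  # over budget: answer 429 or drop, no WAF involved
        self.buckets[key] = (tokens - 1.0, now)
        return True


def run_demo():
    """Constructed traffic (time, client_ip, session_id): an anonymous client and a forged
    cookie each send 2 req/s, a real session sends 4 req/s. Returns {name: (allowed, denied)}."""
    fake_now = [0.0]  # fake clock instead of wall time
    limiter = SessionRateLimiter(valid_sessions={"s1"}, clock=lambda: fake_now[0])
    streams = {
        "anon": [(i * 0.5, "198.51.100.7", None) for i in range(20)],
        "forged": [(i * 0.5, "198.51.100.8", "not-issued-by-us") for i in range(20)],
        "user": [(i * 0.25, "203.0.113.5", "s1") for i in range(40)],
    }
    results = {}
    for name, stream in streams.items():
        allowed = 0
        for t, ip, sid in stream:
            fake_now[0] = t
            allowed += limiter.allow({"client_ip": ip, "session_id": sid})
        results[name] = (allowed, len(stream) - allowed)
    return results
```

The anonymous and forged-cookie streams are cut back to roughly the 1 req/s budget after their burst, while the real session is never touched.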

fwipsy 4 days ago

> I made it up

I appreciate the honesty, at least

globie 4 days ago

This conclusion stems from the fact that it is much easier to launch a DDoS from a single server w/ spoofed traffic than to use a botnet. If you have a single 10Gig server, you will likely not be able to take down another 10Gig server unless the target is already doing near 1gbps[0]. I believe most "noise" DDoS which affects random website operators is considerably less than 10Gbps, and pretty much every giant attack uses spoofed traffic which can be blocked upstream without a WAF. So long as your upstream is big enough.

[0]: I made it up, again.

wmf 4 days ago

DDoS is distributed denial of service. It isn't coming from one server. It's now trivial to buy 100 Gbps or more of DDoS so sites would need 400G or more to simply eat it.

globie 4 days ago

If you have a single server flooding spoofed traffic, it appears as a DDoS to the victim. It's at this point that the distinction between DoS/DDoS breaks down slightly.

It is very much not "trivial" to buy 100Gbps+ of DDoS. I'm highly confident the majority of D/DoS attacks are from single servers, because it works. If you have a 10Gbit server and your target has 1Gbit (or you 1Gbit and them 100Mbit, it still happens), it's not a question of if you can take the target down, but how long you can sustain that traffic level before your upstream notices.

Painting every D/DoS as the most bandwidth ever is a play out of Cloudflare's marketing. If every website operator knew that 1, you don't need that much bigger of a pipe, and 2, you shouldn't buy pipes that charge you $20+/TB like AWS anyway, then Cloudflare would have a much harder time selling you a downgrade in quality, and we would have faster and cheaper networks to boot.

majke 3 days ago