I'd be very wary about investing my time and resources on a platform with such a corrupt CEO. Just a few months ago he was blatantly lying* about the massive security issues they were having.
Most likely relying on second-hand info that was just wrong. I doubt he based that post entirely on searching the caches himself. That whole incident was a mess though, tying up a lot of peoples' time who didn't work for CloudFlare. Centralization of services is always painful when things go wrong, and that may be a reason to avoid CloudFlare.
The only other beef I can think of against CloudFlare is how they play both sides of the DDoS game, hosting the sites selling them (free speech!) and charging the victims for protection.
PS. CloudFlare does deserve some flak / second thoughts for the whole Cloudbleed thing, but I don't think your response is quite on target.
He might not have known it was second-hand info, or could have been led to believe it was good info from a good source (we'd need the message that led him to believe that thing -- and publicly throwing a subordinate under the bus for giving you bad info will obviously not go well).
I would differentiate that from lying, and fairly, he gets to deal with the consequences either way because he is the CEO.
The moment CF stops hosting DDoS websites is the moment the censorship will burst wide open. Besides CP (which is too hot to try to defend), as soon as they start judging which businesses are allowed to host then they'll be forced to restrict their offerings all around.
What if a booter site advertises itself and says "you must confirm you have legal authority to run an attack test against this site"? What if it's legal in <some jurisdiction>?
CF should only take down sites after getting a direct court order to stop services (even then jurisdiction is an issue).
> Most likely relying on second-hand info that was just wrong.
I would have been happy to give him the benefit of the doubt and still would. To me it seems to me he continually repeated these claims over the whole incident and ignored people who pointed out that what he was saying was obviously false. I only pointed to the most egregious example.
To be clear, I'm not super worried about companies just screwing up, shit happens. However, I have a personal bias against dealing with people who are dishonest when that happens.
To me, only passingly familiar with what happened, your initial comment left out too much of the detail you added later (specifically, the repeated part).
If I ever become CEO, remind me never to post online ever. People hang on every dinky statement, take it for gospel, and then try to burn your house down with it.
When Anonymous ran some anti-ISIS operation, they accused CloudFlare of "hosting" dozens of pro-ISIS sites[1]. It turns out Anonymous was entirely wrong about the CloudFlare customer sites (confirmed by DHS) and hypocritical (because CloudFlare tried to remain content-indifferent and, as such, protects lots of Anonymous sites). But their image took a spanking for it in the news, despite (1) investigating the claims, (2) contacting DHS to confirm they were in the right, (3) having a rational counterargument (even if it wasn't as simply as "TERRORISTS!!!!1!!1one").
Remaining quiet isn't the solution either. @eastdakota was actively corresponding with the HN community while his security+product teams were actively mitigating the "CloudBleed" damage.
Sometimes you will lose the news cycle, even if you are in the right and did everything right as a company should.
Most likely relying on second-hand info that was just wrong. I doubt he based that post entirely on searching the caches himself. That whole incident was a mess though, tying up a lot of peoples' time who didn't work for CloudFlare. Centralization of services is always painful when things go wrong, and that may be a reason to avoid CloudFlare.
The only other beef I can think of against CloudFlare is how they play both sides of the DDoS game, hosting the sites selling them (free speech!) and charging the victims for protection.
PS. CloudFlare does deserve some flak / second thoughts for the whole Cloudbleed thing, but I don't think your response is quite on target.
Making claims based on unreliable second-hand info, as a CEO, is almost as bad as lying IMO.
Cloudbleed (most specifically what I will call the marketing side of the response) reflects poorly on the tech people at CloudFlare, for sure.
It's unusual to see someone accused of blatantly lying on HN and I put my alternative interpretation out there to hopefuly temper that opinion a bit.
As you mentioned, the end result is pretty much equivalent since all we have is the completely wrong output.
He might not have known it was second-hand info, or could have been led to believe it was good info from a good source (we'd need the message that led him to believe that thing -- and publicly throwing a subordinate under the bus for giving you bad info will obviously not go well).
I would differentiate that from lying, and fairly, he gets to deal with the consequences either way because he is the CEO.
The moment CF stops hosting DDoS websites is the moment the censorship will burst wide open. Besides CP (which is too hot to try to defend), as soon as they start judging which businesses are allowed to host then they'll be forced to restrict their offerings all around.
What if a booter site advertises itself and says "you must confirm you have legal authority to run an attack test against this site"? What if it's legal in <some jurisdiction>?
CF should only take down sites after getting a direct court order to stop services (even then jurisdiction is an issue).
I mentioned it as a conflict of interest to be aware of. I personally use CloudFlare for DNS for most of my personal sites.
Your comment seems to fairly accurately reflect CloudFlare's position: Thoughts on Abuse | https://blog.cloudflare.com/thoughts-on-abuse/ (2012)
Here is a semi-recent take from one of their more vocal opponents: Spreading the DDoS Disease and Selling the Cure | https://krebsonsecurity.com/2016/10/spreading-the-ddos-disea... (2016)
Here is how it works out in practice for a few fellow HN-er's: The New Normal: 200-400 Gbps DDoS Attacks | https://news.ycombinator.com/item?id=7242377 (2014)
The problem with this flawed line of argument is that CloudFlare applies their own Pro-Platforming views that might fly in the US globally.
So this jurisdiction issue actually goes both ways.
> Most likely relying on second-hand info that was just wrong.
I would have been happy to give him the benefit of the doubt and still would. To me it seems to me he continually repeated these claims over the whole incident and ignored people who pointed out that what he was saying was obviously false. I only pointed to the most egregious example.
To be clear, I'm not super worried about companies just screwing up, shit happens. However, I have a personal bias against dealing with people who are dishonest when that happens.
To me, only passingly familiar with what happened, your initial comment left out too much of the detail you added later (specifically, the repeated part).
Thanks for following up!
Trump exclusively relies on second hand info. Lets not hold him accountable either.
If I ever become CEO, remind me never to post online ever. People hang on every dinky statement, take it for gospel, and then try to burn your house down with it.
That's not a winning solution either.
When Anonymous ran some anti-ISIS operation, they accused CloudFlare of "hosting" dozens of pro-ISIS sites[1]. It turns out Anonymous was entirely wrong about the CloudFlare customer sites (confirmed by DHS) and hypocritical (because CloudFlare tried to remain content-indifferent and, as such, protects lots of Anonymous sites). But their image took a spanking for it in the news, despite (1) investigating the claims, (2) contacting DHS to confirm they were in the right, (3) having a rational counterargument (even if it wasn't as simply as "TERRORISTS!!!!1!!1one").
Remaining quiet isn't the solution either. @eastdakota was actively corresponding with the HN community while his security+product teams were actively mitigating the "CloudBleed" damage.
Sometimes you will lose the news cycle, even if you are in the right and did everything right as a company should.
[1] https://www.theregister.co.uk/2015/11/18/cloudflare_ceo_rubb...
Yup. Karma wheel. Best you can do is be transparent and consistent with what you know when you know it.