Domain: cloudflare.com
Stories and comments across the archive that link to cloudflare.com.
Comments · 93
-
Changing principles make for bad outcomes
We will never sell-out our and compromise our principles. It would be like murder.
Failing to post to social media is not like murder. But more importantly, one could reasonably read this as being true no matter what happens. One merely has to understand that whatever the organization does, no matter how contradictory today's choices are given yesterday's statements of uncompromising principles, the organization always acts in line with their current principles.
Consider that organization representatives sometimes lie (or is that "compromise their principles"?). Cloudflare tells the public "Even if it were able to, Cloudflare does not monitor, evaluate, judge or store content appearing on a third party website." and Cloudflare CEO Matthew Prince said "We're the plumbers of the internet. We make the pipes work but it's not right for us to inspect what is or isn't going through the pipes." even as pro-ISIS websites used Cloudflare's website caching service. It was reported that changing this would be submitting to "mob rule". From the coverage on Gizmodo.com
Prince explained in an internal email to staffers that he doesn't think CEOs of internet companies should be in the position of policing content on their networks—he told Gizmodo he thinks that's a job that should ultimately be left up to law enforcement if the content violates the law—but felt pushed to act because the operators of the Daily Stormer are "assholes."
"I realized there was no way we were going to have that conversation with people calling us Nazis," Prince said. "The Daily Stormer site was bragging on their bulletin boards about how Cloudflare was one of them and that is the opposite of everything we believe. That was the tipping point for me."
Rather than post a followup, or use his apparently ready-made access to media to let everyone know that Matthew Prince and Cloudflare do not agree with the Daily Stormer's politics but stand up for free speech and not "inspect[ing] what is or isn't going through the pipes", on August 16, 2017 Prince said he "woke up [one] morning in a bad mood and decided to kick them [the Daily Stormer] off the Internet." (really, he was kicking Daily Stormer off Cloudflare). It seems wise to be prepared for a here-and-gone-again service model even from organizations whose principles once seemed so clear and uncompromised.
-
Re:shilling reporting
"has never terminated a customer or taken down content due to political pressure" They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.
The crazy part of this is cloudflare themselves raised this same point.
"We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like."
https://blog.cloudflare.com/wh...
Apparently they decided not to even though it is obvious to everyone they did exactly this.
Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?
-
Re:Niche
https://blog.cloudflare.com/ar...
And that matches up from what I've read about ARM performance. It's competitive on relatively simple loads for data compression, encryption, and shoveling data out the door. Once you start doing regex / database / complex transactional loads, performance suffers.
Seems like a perfect solution for Cloudflare, who, basically, shovels data out the door. Not so much for a hadoop / SQL based application stack.
At some point ARM will implement transaction acceleration, and database and application platforms will be tuned for the ARM architecture, but until then I think it will be more of a niche player in the server market.
-
Re:Niche
I dunno... looks pretty competitive to me, for a first try:
https://blog.cloudflare.com/ar...
You can be sure that in the year hence, and with Amazon rolling their own, that they are now at least on a par with some more traditional setups.
They literally only have to be a dollar cheaper (whether in power usage or purchase cost) to start taking over.
Most people *aren't* maxing out their servers 24/7/365.25. As such, ARM could be a serious threat. Especially if they can come in anywhere near cheap or they offer other advantages (e.g. presumably, if Amazon are making their own chips, they know EXACTLY what's running on their hardware and can optimise to their exact needs, like Google does with its own motherboards etc. in-house - both security and performance get a boost from that).
-
FUD FUD FUD
There is nothing to worry about.
SIDH in Go for quantum-resistant TLS 1.3
It's the crappy mega corporations that we cannot necessarily trust with our security but even stinking Google has stepped up!
TLS is already moving to quantum algorithms. Microsoft have developed a version of OpenVPN that is also quantum resistant.
-
Re:Overheads are a thing
I did my own research but you can just have fun looking at these two links and figuring it out for yourself; the highlights I noticed are that they respond to USA subpoenas, that they can but usually don't tolerate resource abuse, and follow US laws:
-
Re:Uh... the "researchers" are missing something b
The first hit in this google search.
-
GDPR
So how will the GDPR affect this?
Below is a link to Cloudflare's FAQ regarding this...
https://developers.cloudflare....
Cloudflare will collect only the following information from Firefox users:
Timestamp
IP Version (IPv4 vs IPv6)
Resolver IP address + Port the Query Originated From
Protocol (TCP, UDP, TLS or HTTPS)
Query Name
Query Type
Query Class
Query Rd bit set
Query Do bit set
Query Size
Query EDNS
EDNS Version
EDNS Payload
EDNS Nsid
Response Type (normal, timeout, blocked)
Response Code
Response Size
Response Count
Response Time in Milliseconds
Response Cached
DNSSEC Validation State (secure, insecure, bogus, indeterminate)
Colo ID
Server ID
Cloudflare claims they will only store that info for 24 hours... but there will be other info that will be stored long term... But in the world of collecting info I'd imagine the GDPR would have some sort of effect...right?
Or am I overthinking...?
:-/
-
Re:Uh... the "researchers" are missing something b
-
Re:Uh... the "researchers" are missing something b
https://developers.cloudflare....
Eh I'll just post this link here and you can draw your own conclusions.
-
Cloudflare TOS gives right to investigate ...
The Cloudflare Terms of Service gives them the right to investigate clients. However this is not about investigating criminal activity. This is about investigating whether an operator or owner or minor stockholder might be a conservative in case a liberal cause might be advanced by a boycott or something.
>It should not be, at all, trying to decide whether or not a customer's data or business practices are unacceptable in various regions around the world, especially at a level where Cloudflare itself is supposedly criminal liable.
And yet, its TOS says it can do exactly that https://www.cloudflare.com/terms/
SECTION 11: INVESTIGATION Cloudflare reserves the right to investigate you, your business, and/or your owners, officers, directors, managers, and other principals, your sites, and the materials comprising the sites at any time. These investigations will be conducted solely for Cloudflare’s benefit, and not for your benefit or that of any third party. If the investigation reveals any information, act, or omission, which in Cloudflare’s sole opinion, constitutes a violation of any local, state, federal, or foreign law or regulation, this Agreement, or is otherwise deemed harm the Service, Cloudflare may immediately shut down your access to the Service.
-
Re:What a load of crap.
>It should not be, at all, trying to decide whether or not a customer's data or business practices are unacceptable in various regions around the world, especially at a level where Cloudflare itself is supposedly criminal liable.
And yet, its TOS says it can do exactly that
https://www.cloudflare.com/terms/
SECTION 11: INVESTIGATION
Cloudflare reserves the right to investigate you, your business, and/or your owners, officers, directors, managers, and other principals, your sites, and the materials comprising the sites at any time. These investigations will be conducted solely for Cloudflare’s benefit, and not for your benefit or that of any third party. If the investigation reveals any information, act, or omission, which in Cloudflare’s sole opinion, constitutes a violation of any local, state, federal, or foreign law or regulation, this Agreement, or is otherwise deemed harm the Service, Cloudflare may immediately shut down your access to the Service.
-
Re:Why trust CF?
And, no IPv6 endpoint seems like a big missing component when "competitors" have it.
-
Re:This DNS stops ISPs from knowing sites you visi
On the surface, yes. But, there are a number of options available for transport privacy that do not require using a VPN (provided you actually trust Cloudflare not to use your data and are savvy enough to set up one of the options) https://developers.cloudflare....
-
Re:This article is nonsense
ARM camp does not have compelling enough solutions in that space.
Check out these benchmarks.
https://blog.cloudflare.com/arm-takes-wing/
Looks like the situation is rapidly deteriorating for Intel.
-
Re:No botnet?
TFA doesn't give any detail around this. How does one generate that much traffic without the need of a botnet?
It depends on what you mean by "botnet". The attacker sent spoofed memcached requests to UDP servers, which were then replicated and forwarded to the victim. In some sense, these UDP servers are acting as a "botnet" even though they are not running any malware controlled by the hacker. More info here.
A bigger question is: Cui bono? Why is someone attacking Github?
-
Re:No platform-specific code is required?
-
Re:Not setting a precedent?
And now Cloudflare have let the genie out of the bottle it seems like any site can be nuked, either because the CEO wakes up deciding to do it or due to a court order.
Somebody got out of the wrong side of bed this morning and is walking around in delusion land.
Of course Cloudflare, like every other substantial company, complies with court orders, always has.
Last year Cloudflare received 153 court orders worldwide and complied with the vast majority of them. We know this because they documented it in their biannual transparency report https://www.cloudflare.com/tra...
Whatever your view on the actions around The Daily Stormer it is a completely independent issue to Cloudflare complying with lawfully issued court orders.
-
Re: why is intel saying many different vendors??
Actually, not so quickly. Only because of Kernel-mode JIT.
Read it very carefully.
* AMD chips are only vulnerable to variant 1.
* Variant one works on eBPF bytecode which is either interpreted or JIT'd by the kernel. If the malcode is JIT'd by the kernel, it is executed by the kernel in kernel space.
* AMD is thus still maintaining security and not speculatively executing instructions that violate security - as far as the chip is concerned, this is the kernel accessing kernel memory!
The fixes are being more careful in the bytecode verifier prior to JIT'ing (if that's even possible!), or isolating the JIT'd code into its own space, or considering eBPF bytecode loading to be as security sensitive as insmod. And... I can't see how splitting kernel space into its own page table would avoid this particular variant.
For more info about BPF, check this. Sadly, "... Tcpdump asks the kernel to execute a BPF program within the kernel context. This might sound risky, but actually isn't." didn't take timing attacks into consideration.
They haven't demonstrated a user-mode reading kernel memory just yet. Securing a Linux box on AMD is as trivial as disabling eBPF.
However, it really uncovers a fundamental issue in all JITs allowing what should be interpreted code to read things, using timing attacks, that it should not be able to (escaping its sandbox). Hence all the references about JavaScript - similar attack allows JavaScript code to read memory outside the JavaScript world, but as far as I can tell, not read anything that the JavaScript interpreter couldn't read (although it seems to require JIT compilation). If anything, it's a general class of attacks allowing anything to read about its underlying environment.
The gotcha on Intel chips is that user-mode-x86 code can use this same timing attack on the kernel. On AMD, the timing attack is nullified because speculative reads fail before triggering cache loads.
-
Re:Idiotic
CloudFlare ( https://www.cloudflare.com/ ) has a free tier that can provide https and a CDN at no cost. Pay for a plan if you need any of the features. Otherwise, as others have said, use Let's Encrypt. I use both for different sites, they both work well.
-
Re:gave in once
He didn't cave, he just didn't want to be called a Nazi supporter on his own platform.
The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.
Cloudflare didn't care if the world called them Nazi supporters, so long as they weren't using Cloudflare to do so. The Daily Stormer used Cloudflare to call Cloudflare Nazi supporters, so Cloudflare gave them the boot.
-
Re: Kill all Fascist and Nazi Supporters
Actually, he acted when The Daily Stormer claimed that CloudFlare were Nazi supporters:
The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.
And they were well within their rights to take action to stop someone from using their own platform against them. If I may opine, I'd say it's literally the only legitimate reason to boot someone off such a service; if you're going to slander someone, it's wise to not do so on their own platform, after all.
-
Re:Report to whom?
What you are describing is a DDOS attack, and that is not being hacked. Cloudflare may be able to help you with some of this.
Here are multiple definitions of "hacking", as it refers to a computer:
Cyber Law Definition
Computer hacking refers to the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator's original objective. Those individuals who engage in computer hacking activities are typically referred to as “hackers.”
Wikipedia Definition
...someone who breaches defenses in a computer system...
You are right. The FBI is not going to take a 3GB log file and do the work for you. You need to point them to the relative data. If you don't want to do the work, you can hire someone to work through it with you. You should be redacting your data before you give it to anyone; you should never just turn over 3GB of logs to anyone.
I think you have made the case as to why this needs to be left up to an agency tasked with this type of work.
--
"I'm just a cricket singing my way from hearth to hearth, but let me tell you what made me change my mind" - Jiminy Cricket
-
Re:Clickbait
Avoid Vice and go directly to Cloudflare's own ad:
https://blog.cloudflare.com/unmetered-mitigation/
There also is a more technical post:
https://blog.cloudflare.com/no-scrubs-architecture-unmetered-mitigation/
-
VERY easy to stall it via hosts files... apk
See subject & these domains to block out in hosts files:
0.0.0.0 u.axclick.store
0.0.0.0 g.axclick.store
0.0.0.0 p.axclick.store
0.0.0.0 axclick.store
0.0.0.0 com.luckybooster.app
0.0.0.0 luckybooster.app
* Per https://blog.cloudflare.com/the-wirex-botnet/
APK
P.S.=> Of course, nothing builds a custom hosts file for more speed, security, reliability & anonymity online better than APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
... apk
-
Pretty easy to stall it... apk
See subject & these domains to block out in hosts files:
0.0.0.0 u.axclick.store
0.0.0.0 g.axclick.store
0.0.0.0 p.axclick.store
0.0.0.0 axclick.store
0.0.0.0 com.luckybooster.app
0.0.0.0 luckybooster.app
* Per https://blog.cloudflare.com/the-wirex-botnet/
APK
P.S.=> Of course, nothing builds a custom hosts file for more speed, security, reliability & anonymity online better than APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
... apk
-
Re:Huh?
They put up a blog post explaining their decision a little while ago.
You might be a bit confused. I'll help.
Basically one or more of Cloudflare's bigger customers said, "If you don't stop dealing with group X, we'll find another provider". It's business, and once again businesses are not obligated to provide a platform for anyone and everyone.
-
Re: Meanwhile the extreme left is unscathed
According to the interview with Matthew Prince (Cloudflare CEO), he felt that he had to boot the Daily Stormer from Cloudflare because the Daily Stormer started claiming that Cloudflare was run by Neo-nazis, and used Cloudflare's refusal to boot them as evidence to support their claims.
At first glance, this sounded like bullshit. So I checked, and that is exactly what happened.
From https://blog.cloudflare.com/wh...
The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.
So, the operators of The Daily Stormer decided to run their mouths about the one company that tolerated their content. Not bright, unless they secretly craved a backwater existence on Tor.
-
Re:Huh?
They put up a blog post explaining their decision a little while ago.
I take some umbrage at Cloudflare's rationale. Their position regarding this site, as well as various other sites, seems to be "we're just a proxy." The issue with that defense is that by proxying for a site, the Cloudflare service hides and obfuscates whatever provider is actually hosting the content. This is a) by design, and b) necessary in order to make the DDoS protection effective. That doesn't make it any less problematic.
Cloudflare wants to pass the buck somewhere else in the "infrastructure stack," as they call it, and I don't necessarily disagree that what amounts to a glorified transit provider is the wrong place to be implementing blocks. But given the very nature of Cloudflare's service, how does one figure out where else to complain? When a site is using Cloudflare, all roads dead end in Cloudflare's network. The site's name servers are in the cloudflare.com domain. The site's A records are inside Cloudflare IP space. Cloudflare is the primary visible service provider in these scenarios, whether they host any content or not.
Case in point, I've watched this story play out with some interest over the past couple of days. I still have no idea where Daily Stormer's content was actually being hosted. It almost certainly would have violated the AUP/TOS of that hosting provider, and they probably would have terminated the site directly. But with Cloudflare in the way, no one knows who to complain to.
When your business model is being a black-box opaque front for all comers, don't be surprised when the world directs its anger at you.
-
Re:This is not news.
...and doxing anybody who complains about a hate site.
don't forget that part.
To be fair, you'd be pretty stupid to miss where it says they may release your contact information (name and email address) to the site owner. I think CloudFlare's general stance is they aren't interested in policing content that is not demonstrably illegal.
By submitting this report, you consent to the above information potentially being released by CloudFlare to third parties such as the website owner, the responsible hosting provider, law enforcement, and/or entities like Chilling Effects.
-
Doxxing?
How is it a "doxx" to forward complaints about a site to the site owner after telling people that you will forward complaints to the site owner? Just look at the CloudFlare abuse report form -
By submitting this report, you consent to the above information potentially being released by CloudFlare to third parties such as the website owner, the responsible hosting provider, law enforcement, and/or entities like Chilling Effects.
(emphasis added)
They're not looking up your information, they're forwarding your feedback about the site to the people who actually control the site. It's your fault if you don't even read the damned page and send your contact info to some site telling the people who run it just how much you hate them.
-
Re:Nope
DDoS blackmail isn't a thing, though some do fall for the scam:
Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.
-
AMP is about lock-in for Google...
...except when it isn't.
-
Re:Unit test those edge cases
Read the article then. It shows it pretty plainly: https://blog.cloudflare.com/ho...
I was going to try to guess what they were doing, but they have some actual code snippets.
AFAICT, a unit test wouldn't have caught this either (unless they planned for this sort of error, in which case the code wouldn't have been broken either). From TFA:
RRDNS doesn’t just keep a single measurement for each resolver, it takes many measurements and smoothes them. So, the single measurement wouldn’t cause RRDNS to think the resolver was working in negative time, but after a few measurements the smoothed value would eventually become negative.
So, a unit test with one negative example (which may have been difficult to mimic anyway, due to the direct usage of Time.Now()) probably wouldn't have triggered the issue on its own.
IMHO, blaming a misconception of time always going forward is just convenient here. The fix was changing this bit:
    if rttMax == 0 {
        rttMax = DefaultTimeout
    }
They just changed "==" to "<=". There was no reason not to have it as "<=" to begin with, even if one ignores where rttMax comes from. Any time I check if something is == to something else, and I don't have else conditions covering the other cases, I ask myself what should happen in those other else cases and ensure I'm covered. That may still have caused it to break, but it could have done:
    if rttMax == 0 {
        rttMax = DefaultTimeout
    } else if rttMax < 0 {
        panic("What the fuck happened to rttMax to make it negative!?!")
    }
...though it probably would have been better to just log that somewhere and set it to the DefaultTimeout.
Anyway, I think it's a great example of a one character bug that only triggers on very obscure events under significant load.
-
Was the Go prog lang at fault? Would Rust help?
The blog post about this incident says:
RRDNS is written in Go and uses Go’s time.Now() function to get the time. Unfortunately, this function does not guarantee monotonicity. Go currently doesn’t offer a monotonic time source (see issue 12914 for discussion).
and then later it says:
When RRDNS selects an upstream to resolve a CNAME it uses a weighted selection algorithm. The code takes the upstream time values and feeds them to Go’s rand.Int63n() function. rand.Int63n promptly panics if its argument is negative. That's where the RRDNS panics were coming from.
So to me it sounds like this incident was at least partially due to limitations with the Go programming language and its libraries.
Would this incident still have happened if this software were written in the Rust programming language?
-
Re:Looking for alternatives
As a Dyn customer, who refuses to give even one lousy cent to Oracle, I'll be on the lookout for alternatives. Suggestions are welcome.
-
Re:Poor Logic
Who cares? The whole point of having TOS is so you can stop bad behavior before it requires resolution through the legal system. Any company that just ignores abuse complaints may as well burn its TOS and hire more lawyers.
From CloudFlare's own Terms of Service:
"Cause for such termination shall include, but not be limited to: ... (g) you have engaged or are reasonably suspected to be engaged in fraudulent or illegal activities;"
-
List of attacked targets
-
DNS AMPLIFICATION ATTACKS
http://www.networkworld.com/ne...
http://www.dshield.org/diary/U...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.networkworld.com/ne...
http://politics.slashdot.org/s...
http://www.theregister.co.uk/2...
http://blog.cloudflare.com/dee...
http://threatpost.com/dns-base...
http://www.webroot.com/blog/20...
APK
P.S.=> Router DNS issues are next... apk
-
Re:Just block them
If Cloudflare had got some decent security appliances, the DPI analysis mechanisms can still catch and mitigate all sorts of attack vectors even when the IP sources are widely distributed.
You mean like this?
Perhaps know what you're talking about before you write 3 paragraphs on the subject? CloudFlare has developed, and is continually improving upon, their own systems for doing this; this gives them much finer-grained control over things so, of course, they aren't buying off-the-shelf solutions.
-
DNSSEC
I strongly disagree with his recommendation for DNS. That’s because I want to spread DNSSEC.
The problem with services like Amazon Route 53 is they generate DNS records dynamically. That means they need the signing key to be online, on the DNS load balancer, and they don’t bother to do so. If you really need your DNS to be globally distributed (How many people actually look for your domain, anyway? How many times is the answer cached on Google public DNS already?), you should look into CloudFlare. CloudFlare uses a custom implementation of ECDSA to decrease the cost of DNSSEC signatures, making it practical to do online signatures and also very effective NSEC white lies.
-
CloudFlare have another pragmatic proposal
CloudFlare have another pragmatic proposal - require CAs to randomize the certificate serial numbers instead of using predictable sequential numbers. Note that this precaution would have made even MD5 certificates safe against current known attacks.
-
Re:No Way!
No way! Cloud Flare assured me that they could hand 520 Unknown error
I don't think that means they can handle 520 different unknown errors...
-
No Way!
No way! Cloud Flare assured me that they could hand 520 Unknown error
-
Checking your browser before accessing
I'm at Slashdot waiting for Voat to get some capacity in place. Right now it's behind a CloudFlare DDOS mitigation tool that blocks NoScript users.
-
You would have needed to whitelist Amazon
CloudFlare blocks any IP address that sends an insane number of page hits in a short period of time
Then it blocks search engines and reduces the SEO of its customers' sites on search engines that aren't big enough to get whitelisted the way Google and Bing are.
CloudFlare was treating Amazon's web crawler bot's IP range as a potential spammer and showing it a captcha page for every result
If any other CloudFlare customer sees behavior like this, try whitelisting each smaller search engine on which you want your site to appear.
[CloudFlare's CAPTCHA] is trivial for end users to get around and thus is not a true block
Even for blind users?