by jjoonathan 1791 days ago
It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.

Does anyone here know what an individual reporter should do? Is there an escalation ramp that exists but was so poorly marked that neither sloshnmosh nor Amazon support was able to find it? Does the ramp go through other organizations (e.g. report to CERT or some other org first and come back with a case ID)? Does the ramp not exist and need to be built?


Doesn't CloudFront generally act like Cloudflare? I.e. we don't inspect your content. Law enforcement are the only people who can stop us hosting a site.
Cloudflare has taken voluntary action on sites 2 (or 3?) times now. They can no longer claim complete neutrality. I don't know about Cloudfront.
If you violate policy (of which there are likely many varied yet incontestable interpretations), AWS pulls the rug out from under you faster than one can say "neutral". That's excluding they do not make newer policies on-the-fly.

Ex A: https://signal.org/blog/looking-back-on-the-front/

It has nothing to do with "neutrality", they have Terms of Service like every single service provider in the world. If you violate them, there goes your infra. Spreading malware is almost certainly a violation of AWS' ToS (Amazon engs, correct me if needed)
It's a little more complicated than that in Cloudflare's case. The debate isn't really relevant to AWS/CloudFront or anyone else, but Cloudflare has famously had a policy of not kicking off any customers as long as they abide by US law. The CEO publicly identifies as a free speech absolutist. (Malware/phishing/etc. is still removed, since it's illegal.)

The CEO publicly broke their policy on this on two occasions: the neo-Nazi website The Daily Stormer, and 8chan. In each case, only after a long saga played out.

For The Daily Stormer: after they mocked the deceased victim of the Charlottesville rally, Cloudflare received public pressure to boot them but refused, and then the owner subsequently tried to troll them/the public by claiming Cloudflare executives secretly supported their ideology, causing them to finally be removed. (https://blog.cloudflare.com/why-we-terminated-daily-stormer/ )

For 8chan: Cloudflare received a lot of heat for not removing them after the first and second incidents of posters becoming mass shooters, eventually removing them after the third mass shooting. (https://blog.cloudflare.com/terminating-service-for-8chan/)

I forget the term/aphorism for this (like "double-bind", sort of), but they put themselves in an awkward position because they're probably one of the most neutral service providers out there - still far more than probably anyone else to this day - but by marketing themselves as 100% neutral, being only 99.99999% neutral created lots of lasting negative PR that people still regularly bring up.

Any other company would've kicked those people off way sooner and there would've been little to no publicity, because they routinely do such things, but now Cloudflare is hated by both the pro-censorship and the anti-censorship crowd. (See: https://en.wikipedia.org/wiki/Cloudflare#Mass_Shootings and everything below. It's quite a rollercoaster.)

> Malware/phishing/etc. is still removed, since it's illegal.

They are known for protecting DDoS-for-hire and Cryptolocker services.

It's a gray area. They sometimes reverse proxy frontend portals for those services, but not the services themselves. Sometimes the frontend won't have anything obviously illegal.

Anything that's actively serving malware or phishing pages is removed.

Cloudflare stopped being like that long ago. They publicly posted that they will take down stuff that makes the CEO worry, and they will inspect what your users are reading/sharing - and notify agencies with powers and guns when they find stuff from now/then on.

- no longer a dumb pipe, no longer neutral, actually active in directing law enforcement to take you down and possibly take people out.

I just have to wonder if people downvote this thinking it's not possibly true, or they just don't like what is said.

Link to relative info is posted on another comment (https://news.ycombinator.com/item?id=27884821) - but for those who have not read it, here is an excerpt from a 2019 cloudflare post/statement:

"...what we have done to try and solve the Internet’s deeper problem is engage with law enforcement and civil society organizations to try and find solutions. Among other things, that resulted in us cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained..."

So I stand by the statement, I can't see any other way to read it.

Why is this being downvoted? It's demonstrably true.

https://blog.cloudflare.com/why-we-terminated-daily-stormer/

Is Cloudflare a "pipe"? I don't think so.
The reason for "no longer a dumb pipe" is that I believe that was the 'defense' aka reason being used for a while to push back against different groups that were accusing and then trying to publicly shame Cloudflare for protecting alt-right(?) I know there were a few PR pieces pushed in the UK or Euro press about some things - maybe hookers or something.. anyway for a while Cloudflare was all like, we are just a really big pipe that pushes data and can absorb DDoS.. we don't get into content moderation or opposite-net-neutrality.. there were complaints that some groups 'on the right side of history (or whatever)' were trying to take down the Stormer site I think it was and that their co-ordinated takedown attempts were failing as Cloudflare was protecting the send/receive, being a pipe, not a judge.. This is what I believe AT&T was using as a defense some time ago; they don't stop drug dealers from making calls, they just provide the 'pipe'. There were also some groups complaining about Cloudflare making it hard to find servers - to find jurisdiction, again UK/Euro I think - I have those articles saved on one of my systems.. and may be linked to a HN comment long ago - where I said chipping away at this pipe thing will lead to a bifurcated internet - where we will have internet place X, internet place Y - and companies like Cloudflare may have to turn into a dozen different companies to keep up with the changing 'this speech is not okay' rules for various places..

funny how fast things can change.

I believe many of cloudflare's early customers especially felt protected and safe because of the stances - and I bet most don't know about the 180..

I also think most average web people would think if you set 'whatever' for your DNS - that the dns routing is basically a dumb pipe - it's not spying on you and sending copies of your data to gun agencies.

Just as I think most people would not expect their cell phone company or internet provider to spy on data and send snippets of your communications to agents. I would not expect my web server co to deep packet inspect all comms looking for bad things. (not without a warrant and being directed to look at a specific line, now a whole data center / cell co, etc.)

I think it was a terrible choice to make for cloudflare, but I know not an easy one either way.

So 'pipe' is a term that has been used in this way for a while now in similar fashion I thought - and it's not meant literally like a copper water line.

Also in some ways Cloudflare has been a pipe - a pipe for flowing data that would be choked by DDoS attack if it were to try to send/receive across the net in most other ways, kind of.

The AWS forums are going to be the best way to start a discussion with people who can escalate.
always a narrative/explanation...right on
If there is no escalation path, that's a big problem, and nobody here is pretending otherwise.
It's always the other way around. A company can never do anything right. HN will always find an ulterior motive.
> It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.

Those two things are actually the same thing, both are wilfully ignoring situations like this.

Never assume malice where ignorance and incompetence would suffice instead. Those two things are actually not the same thing at all, depending on how you define “willful.”
Yes, that is a good summary of Hanlon's Razor, a sort of corollary to Occam's Razor about not creating unnecessary entities in your conceptual models.

Hanlon's Razor is a good first approximation or initial approach to a situation, not the end of the discussion. There are many situations where incompetence may appear to be an explanation, but is in fact not the root cause, and may even be being actively used as a cover for malicious actions.

The point of the razor is that it is up to us to sort out the difference, not to just jump to a conclusion that it is malice, or that it is incompetence.

In this case, Amazon has had plenty of time, resources, and skilled people to see the need and implement an escalation & resolution pathway. That they have so persistently failed to do so for so long indicates a cause beyond mere incompetence. Even if they are not being as actively malicious as the malware distributors, they clearly and actively DGAF.

> That they have so persistently failed to do so for so long indicates a cause beyond mere incompetence.

So you are claiming that they have had so many opportunities to do the right thing, that they aren't merely incompetent, but are in bed with the evil doers? That would be a huge claim, to say the least.

There are many options between incompetence and being actually 'in bed with', which I read to mean 'knowingly cooperating with', the criminals.

The first example is that it's simply more profitable for them to turn a blind eye unless one of the relationships becomes a public problem. They wouldn't be actively aiding and abetting the crime, but neither are they stepping up to ensure that it isn't happening on their systems. It's being complicit several steps beyond incompetence, but not the same level as active cooperation.

And, considering that Amazon has no shortage whatsoever of funds and skilled people to prioritize anything they want to prioritize, I'd say more than sufficient time has passed that they're at least at something resembling this sort of willfully ignorant stage.

It's malice but from a different aspect; willful malice in the name of 'cost cutting'.
How many FTEs should they have dedicated to triaging security complaints from (relatively speaking) randos on the Internet about their customers?

Also, would you take that job?

Some poor support person probably got this and punted because they couldn't pattern match to something in their handbook.

For every thoughtful, detailed security report there are about 500 others that involve voices from appliances, self-xss, csrf on logout and 5G coronavirus. It is extremely difficult for L1 support to make sense of these. Having a support contract or attracting attention on the forums are decent ways to pop out from the background noise.

Not to worry, they'll replace their overworked human staff with sentiment analysis bots which will do an equally uneven job of sorting the wheat from the chaff, with even less hope of appeal.
Malice is the wrong term for it even if we accept the premise. (I do not but that is another can of worms.) Malice implies a desire to hurt people. It would be utilitarian callousness if anything, negligence if there were legal obligations shirked. There is no law against just poor customer service like being a jerk isn't illegal.
Never assume ignorance where greed would suffice.
Amazon could do it if they wished; they don't want to.
Never assume ignorance where a scumbag can take new default level of societal ignorance and hide behind it....
They can be very different things.

Poor communication channels happen even when folks don't want it to. Humans are bad at doing such things.