Hi Dave and Jonathan I highly recommend you contact them and see what their approach is in regards to the protection of vile sites. I suspect you may be somewhat disappointed by their response, or perhaps you won't be. They protect *ALL* of the most utterly vile content on the internet including the chans and a number of other vile sites I won't mention. Other WAFs/CDNs such as AWS Cloudfront, Akamai, Fastly, MaxCDN, Project Shield don't seem to have this problem as they have an AUP and appear to enforce it. I made the mistake of attempting to use their abuse form to be then doxed as the company who runs the site is the same as the person who runs the hosting infrastructure on one of the sites actively hosting and promoting the video and manifesto. I haven't received any response from Cloudflare after I attempted to contact them saying I was doxed because I was following their process. It's my view Cloudflares role in providing DDoS mitigation on sites is to also have an acceptable use policy. Their lack of AUP speaks volumes about where they place that importance on if anything is unacceptable. Appreciate your opinion Jonathan, I have asked InternetNZ the same question but wondered if there was a view from NZNOG too. Cheers Peter On Fri, May 3, 2019 at 9:00 AM Dave Mill wrote:

I have a good contact at Cloudflare if we did want to discuss this with them at all. I find Cloudflare very good to deal with and deal with someone there regularly.

I personally think that service providers just peer with other providers to get content to our customers. We don't make ethical decisions when doing this - its about getting content to our eyeballs in the best possible manner.

Is it really Cloudflare's job to censor the internet? If anyone is performing censorship shouldn't that be our respective governments?

Just my 2c.

Dave

On Thu, May 2, 2019 at 1:54 PM Peter Lambrechtsen wrote:

...

I don't think this question has been asked but I think it's worth asking.

After the Christchurch attacks and the fact that Cloudflare clearly support terrorist and white supremacist sites has there been any consideration on if peering or engaging with Cloudflare is something that providers no longer wish to participate in.

Or there isn't a sense of morality when it comes to the internet.

Cloudflare have a LONG history of not caring about any and all vile material and have absolutely no intention to do anything about it from the engagements I have had with them post Christchurch.

https://arstechnica.com/tech-policy/2017/05/cloudflare-changes-abuse-policy-... https://www.theregister.co.uk/2018/12/19/cloudflare_terror_groups/ https://suespammers.net/tag/cloudflare-com-doing-nothing-about-spam-abuse/ https://krebsonsecurity.com/tag/cloudflare/

https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the...

To me they are clearly supportive of all sorts of vile content and have zero interest in doing anything about it while they still earn money.

Has the horrific events of Christchurch given anyone pause to think if they want to engage with Cloudflare?

Are morals important when running a service?.

Peter _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

On Fri, 3 May 2019 09:10:50 +1200 Jonathan Brewer wrote:

InternetNZ is the forum to discuss this, not NZNOG.

Engineers have a personal responsibility to ensure that the actions they take, even on behalf of an employer, are ethically right. I do think therefore this is a discussion for NZNOG, being as it is a community of engineers who do the implementing. -- Michael

I have tried tweeting eastdakota when I was doxed and haven't had a response. If you get a response I would be interested. But I highly recommend you ask him the pointed question about the AUP of Cloudflare as brevity of it speaks volumes: https://www.cloudflare.com/terms/ And ask him why *all* the most vile sites on the internet seem to only use his services for WAF/DDoS protection and none of the other providers and why he doesn't do anything about it. It's no mistake that there isn't any validation of the email address you use when signing up to the Cloudflare service. Cheers, Peter On Fri, May 3, 2019 at 10:44 AM Mehmet Akcin wrote:

If you have concerns, email the ceo or tweet him @eastdakota. Good guy, reasonable, and he will take time respond. I know people who work there. They are not going to let anyone malicious use their platform knowingly.

‘Mehmet

On Thu, May 2, 2019 at 15:14 Michael Fincham wrote:

...

On Fri, 3 May 2019 09:10:50 +1200 Jonathan Brewer wrote:

...

InternetNZ is the forum to discuss this, not NZNOG.

Engineers have a personal responsibility to ensure that the actions they take, even on behalf of an employer, are ethically right.

I do think therefore this is a discussion for NZNOG, being as it is a community of engineers who do the implementing.

-- Michael _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

-- Mehmet +1-424-298-1903 _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

On Thu, 2 May 2019 16:11:01 -0700 Mehmet Akcin wrote:

They host too many sites and quantity brings more risk. Simple as that.

They were very happy to drop all hosting for Assembly Four last year, who provide positive and important services to sex workers and are not even horrible people: https://www.theverge.com/2018/4/19/17256370/switter-cloudflare-sex-workers-b... And they clearly know they protect sites like 8chan, yet mysteriously have done nothing about that. In my view these kind of problems are symptoms of a too-commercial and too-centralised Internet and are largely unsolvable given these preconditions. The real solution isn't for CloudFlare to be arbiters of what is good and bad on the Internet so much as for there to be no such company in CloudFlare's position in the first place. -- Michael

Hi all, InternetNZ are working on a well-considered response and I do support them, but I don't think they are the only organisation or group where this should be discussed. Especially where operational decisions are involved which may have downstream effects. I agree with Peter and Michael; the argument that "it's just content" and that ISPs have no role in layer 8+ policy decisions is a bit disingenuous, because we regularly filter our customers from bad things. We run spam filters, we block malware sites, we choose to stop working with abusive customers; we (try to) make the internet a hostile place for bad people to operate. This isn't censorship--they can still get content online--we just don't make it easy for them. Cloudflare have taken a commercial position based on a very US-centric "free speech" world view that they, effectively, shouldn't try to do any of this. Personally, I can understand their position, but I don't agree with it. Lacking any US amendment, the seemingly only way to change this commercial position is to apply commercial pressure, which is the point that Peter is making; is anyone considering operational changes to apply commercial pressure? I know on the consumer side, at $DAYJOB we're looking at edge services. Cloudflare are of course one of the options. Based on my personal experience with my free account I was going to strongly back them, but their continued non-response to these events has made me reconsider that and my personal IT involvement with them. Thanks, Jed. On Fri, 3 May 2019 at 11:06, Peter Lambrechtsen wrote:

I have tried tweeting eastdakota when I was doxed and haven't had a response. If you get a response I would be interested.

But I highly recommend you ask him the pointed question about the AUP of Cloudflare as brevity of it speaks volumes:

https://www.cloudflare.com/terms/

And ask him why *all* the most vile sites on the internet seem to only use his services for WAF/DDoS protection and none of the other providers and why he doesn't do anything about it. It's no mistake that there isn't any validation of the email address you use when signing up to the Cloudflare service.

Cheers, Peter

On Fri, May 3, 2019 at 10:44 AM Mehmet Akcin wrote:

...

If you have concerns, email the ceo or tweet him @eastdakota. Good guy, reasonable, and he will take time respond. I know people who work there. They are not going to let anyone malicious use their platform knowingly.

‘Mehmet

On Thu, May 2, 2019 at 15:14 Michael Fincham wrote:

...

On Fri, 3 May 2019 09:10:50 +1200 Jonathan Brewer wrote:

...

InternetNZ is the forum to discuss this, not NZNOG.

Engineers have a personal responsibility to ensure that the actions they take, even on behalf of an employer, are ethically right.

I do think therefore this is a discussion for NZNOG, being as it is a community of engineers who do the implementing.

-- Michael _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

-- Mehmet +1-424-298-1903 _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

Hi All, A long time lurker, but this one seems to be well worth the wait. Can someone online or offline please provide a list of those houses that use/support cloudflare as their infrastructure partner of choice. I don’t really want to wade through the DNC records looking for cloudflare DNS entries. Commercial pressure comes from business that buy services as well. Cheers Stu From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Jed Laundry Sent: Friday, 3 May 2019 11:21 a.m. To: Peter Lambrechtsen; nznog Subject: Re: [nznog] Using Cloudflare after Christchurch Hi all, InternetNZ are working on a well-considered response and I do support them, but I don't think they are the only organisation or group where this should be discussed. Especially where operational decisions are involved which may have downstream effects. I agree with Peter and Michael; the argument that "it's just content" and that ISPs have no role in layer 8+ policy decisions is a bit disingenuous, because we regularly filter our customers from bad things. We run spam filters, we block malware sites, we choose to stop working with abusive customers; we (try to) make the internet a hostile place for bad people to operate. This isn't censorship--they can still get content online--we just don't make it easy for them. Cloudflare have taken a commercial position based on a very US-centric "free speech" world view that they, effectively, shouldn't try to do any of this. Personally, I can understand their position, but I don't agree with it. Lacking any US amendment, the seemingly only way to change this commercial position is to apply commercial pressure, which is the point that Peter is making; is anyone considering operational changes to apply commercial pressure? I know on the consumer side, at $DAYJOB we're looking at edge services. Cloudflare are of course one of the options. Based on my personal experience with my free account I was going to strongly back them, but their continued non-response to these events has made me reconsider that and my personal IT involvement with them. Thanks, Jed. On Fri, 3 May 2019 at 11:06, Peter Lambrechtsen wrote: I have tried tweeting eastdakota when I was doxed and haven't had a response. If you get a response I would be interested. But I highly recommend you ask him the pointed question about the AUP of Cloudflare as brevity of it speaks volumes: https://www.cloudflare.com/terms/ And ask him why *all* the most vile sites on the internet seem to only use his services for WAF/DDoS protection and none of the other providers and why he doesn't do anything about it. It's no mistake that there isn't any validation of the email address you use when signing up to the Cloudflare service. Cheers, Peter On Fri, May 3, 2019 at 10:44 AM Mehmet Akcin wrote: If you have concerns, email the ceo or tweet him @eastdakota. Good guy, reasonable, and he will take time respond. I know people who work there. They are not going to let anyone malicious use their platform knowingly. ‘Mehmet On Thu, May 2, 2019 at 15:14 Michael Fincham wrote: On Fri, 3 May 2019 09:10:50 +1200 Jonathan Brewer wrote:

InternetNZ is the forum to discuss this, not NZNOG.

Engineers have a personal responsibility to ensure that the actions they take, even on behalf of an employer, are ethically right. I do think therefore this is a discussion for NZNOG, being as it is a community of engineers who do the implementing. -- Michael _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog -- Mehmet +1-424-298-1903 _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

Hi Stuart, I use CloudFlare as an infrastructure provider of choice & don't believe I fall into any of Peter's reductionist categories. I understand there are levers for suppressing illegal content at every layer of the network stack & there are a lot of hairy jurisdiction problems with doing so. Free Speech and harmful speech mean different things in different places. At the moment I'm staying somewhere a lot of CDN content that's available in NZ isn't served at all - and I'm ok with that. There's a New Zealand forum for discussing these issues called NetHui. It's coming up in October. https://2019.nethui.nz/ Why not discuss there what kind of content should be suppressed, and how NZ can require the CDNs like CloudFlare to stop serving it in NZ? There are also regional forums for discussion. I'll be at the Asia Pacific regional Internet Governance Forum https://aprigf.ru/ next week & happy to have a productive discussion with anyone who comes along about rational solutions for content suppression that don't involve pitchforks & bonfires. Cheers, Jon On Tue, 9 Jul 2019, 15:49 stuart pilling, wrote:

Hi All,

A long time lurker, but this one seems to be well worth the wait. Can someone online or offline please provide a list of those houses that use/support cloudflare as their infrastructure partner of choice. I don’t really want to wade through the DNC records looking for cloudflare DNS entries. Commercial pressure comes from business that buy services as well.

Cheers

Stu

*From:* nznog-bounces(a)list.waikato.ac.nz [mailto: nznog-bounces(a)list.waikato.ac.nz] *On Behalf Of *Jed Laundry *Sent:* Friday, 3 May 2019 11:21 a.m. *To:* Peter Lambrechtsen; nznog *Subject:* Re: [nznog] Using Cloudflare after Christchurch

Hi all,

InternetNZ are working on a well-considered response and I do support them, but I don't think they are the only organisation or group where this should be discussed. Especially where operational decisions are involved which may have downstream effects.

I agree with Peter and Michael; the argument that "it's just content" and that ISPs have no role in layer 8+ policy decisions is a bit disingenuous, because we regularly filter our customers from bad things. We run spam filters, we block malware sites, we choose to stop working with abusive customers; we (try to) make the internet a hostile place for bad people to operate. This isn't censorship--they can still get content online--we just don't make it easy for them.

Cloudflare have taken a commercial position based on a very US-centric "free speech" world view that they, effectively, shouldn't try to do any of this. Personally, I can understand their position, but I don't agree with it. Lacking any US amendment, the seemingly only way to change this commercial position is to apply commercial pressure, which is the point that Peter is making; is anyone considering operational changes to apply commercial pressure?

I know on the consumer side, at $DAYJOB we're looking at edge services. Cloudflare are of course one of the options. Based on my personal experience with my free account I was going to strongly back them, but their continued non-response to these events has made me reconsider that and my personal IT involvement with them.

Thanks, Jed.

On Fri, 3 May 2019 at 11:06, Peter Lambrechtsen wrote:

I have tried tweeting eastdakota when I was doxed and haven't had a response. If you get a response I would be interested.

But I highly recommend you ask him the pointed question about the AUP of Cloudflare as brevity of it speaks volumes:

https://www.cloudflare.com/terms/

And ask him why *all* the most vile sites on the internet seem to only use his services for WAF/DDoS protection and none of the other providers and why he doesn't do anything about it. It's no mistake that there isn't any validation of the email address you use when signing up to the Cloudflare service.

Cheers, Peter

On Fri, May 3, 2019 at 10:44 AM Mehmet Akcin wrote:

If you have concerns, email the ceo or tweet him @eastdakota. Good guy, reasonable, and he will take time respond. I know people who work there. They are not going to let anyone malicious use their platform knowingly.

‘Mehmet

On Thu, May 2, 2019 at 15:14 Michael Fincham wrote:

On Fri, 3 May 2019 09:10:50 +1200 Jonathan Brewer wrote:

...

InternetNZ is the forum to discuss this, not NZNOG.

Engineers have a personal responsibility to ensure that the actions they take, even on behalf of an employer, are ethically right.

I do think therefore this is a discussion for NZNOG, being as it is a community of engineers who do the implementing.

-- Michael _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

--

Mehmet +1-424-298-1903

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

On Fri, 3 May 2019 11:16:12 +1200 Jonathan Brewer wrote:

I disagree strongly. NZNOG is supposed to be an operational list. The more non-operational content we have, the more operators will gravitate towards other closed forums like Slack and Facebook.

Since when was the NZNOG list an "operational" list? As far as I can tell it's a discussion forum for the operator community - and we shouldn't pretend like the technical aspects of the Internet exist in a vacuum outside of their societal context. -- Michael

On Fri, 3 May 2019 11:31:57 +1200 Dave Mill wrote:

-Postings of a political, philosophical or legal nature are discouraged.

Fair cop. In any case, I think I've said everything useful I have to contribute. -- Michael

Within the context of this discussion, InternetNZ is holding discussions about issues that the Christchurch attack raises for the Internet. These are happening in Auckland, Wellington and Christchurch over the next few weeks. While we intended them for our members, we also invite you fine folks from NZNOG to come and join these discussions. The perspectives and issues you’re raising here are valuable. Where and when: Auckland on 7 May – 5:30 pm – Level 7, 62 Victoria Street West Wellington on 8 May – 5:30 pm – Level 11, 80 Boulcott Street Please RSVP here for Auckland and Wellington: https://docs.google.com/forms/d/e/1FAIpQLSc-Nl383AG0SkLzJdKI0PNU0sIyvTZeZhsz... Christchurch on 16 May - 5:30pm - venue TBC Please RSVP here for Christchurch: https://docs.google.com/forms/d/e/1FAIpQLSf1ylXVkm0jmA-G1vfpW3yCYHZOAUZb599f... We love to hear your thoughts during these discussions. Cheers, On Fri, May 3, 2019 at 11:50 AM Peter Lambrechtsen wrote:

On Fri, May 3, 2019 at 11:34 AM Michael Fincham wrote:

...

On Fri, 3 May 2019 11:31:57 +1200 Dave Mill wrote:

...

-Postings of a political, philosophical or legal nature are discouraged.

Fair cop. In any case, I think I've said everything useful I have to contribute.

I also agree with the statements above.

My main intention with the post to NZNOG is to shine light on Cloudflare and their practices while may appear noble or benign when considering the events in Christchurch and their response speak volumes of them as an organisation.

...

-- Michael _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

-- Sebastian Castro Chief Scientist @ InternetNZ desk: +64 4 495 2337 mobile: +64 21 400535