> No one was insane enough to blame the CD-RW and flash drive manufacturers.
cloudflare isn't acting like a CD-RW or a flash drive. They're acting like a storefront that sells fraudulent flash drives that say they're 1TB when they're actually 200MB, or don't work at all when you plug it in, or worse catch fire. A storefront that refuses to take the faulty products off the shelves when customers complain, refuses to stop selling merchandise they sourced from criminals, and refuses to do even basic due diligence to make sure the products they sell are legitimate.
People who operate stores have a responsibility to make sure that merchandise they sell to consumers isn't fraudulent and harmful. Companies offering their services online also have a responsibility to make sure that those services aren't being used to push fraudulent and harmful content onto consumers and that they aren't acting as safe-havens for criminals.
I can, as a google admin, block links from outside the org; or, as a non-google admin, block google docs. The business may decide not to block, but if I have good SIEM then I can still do something, possibly inspect the file before it hits the user's desktop.
I can't block cloudflare, unless I'm willing to block half the internet. If I try to do additional inspection, I've got huge amounts of noise and I'm going to make the internet unusably slow.
Whatever differences exist between a publicly accessible google drive and an innocuous seeming link to a cloudflare owned domain that takes users to a random malicious server without warning, we can be reasonably sure that those differences are meaningful because these scammers are flocking to the cloudflare service instead of using google drive.
Something about this cloudflare service is really attractive to these scammers in way that google drive isn't. Maybe it's because these scammers just haven't discovered how great google drive is as a malware delivery platform, but I suspect that they have.
Now maybe all the attention on how google drive became the hottest place in town to spread malware caused google to get off their ass and do something about the abuse of their online service, and it's become a less hospitable place for criminals than it used to be. Or, maybe google has continued to neglect their responsibility to keep criminals off their service and it's the public who have just gotten more suspicious of the links to google drive in their inboxes making google drive campaigns less effective and its the novelty of cloudflare tunnels that makes them so effective. Maybe it's just easier to create cloudflare links that don't require accounts than it is to keep creating google drive accounts.
Where it matters most though, there really isn't much difference between the two services. Both have a responsibility to keep their services from being used to facilitate crime. Both should respect RFC 2142, but don't. Both can eventually get around to removing links to malware after you report it to them enough while doing basically nothing to stop that same malware from going right back up again at another URL/account. Both have more than enough resources and talent to be doing a much better job at internet abuse handling than they have been. They both just don't care enough to bother.
I quite like the status quo. I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.
I want both to behave like dumb pipes. They don't have enough context to make any decisions like the ones you described. Ideally everything would be end to end encrypted so it'd be impossible for them to make the decision for me.
> I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.
Lots of scammers don't want Cloudflare or Google to block the files they're trying to trick people into downloading either. There are people who feel the same way about spam, that no service provider should have right to block or even flag messages as spam for anyone else. Thankfully, most people disagree and want service providers to act on abuse complaints instead of acting as safe-havens for criminals.
Even dumb pipes need to be maintained when they start carrying something toxic/harmful that isn't supposed to be there. These are nothing like dumb pipes though. They're watching everything you and everyone else does with the service and logging it all. They're collecting every scrap of data they can while we interact with these services and they're happy to use that data when they think it'll put money in their pocket, but much less interested in using it to prevent the harm being done.
It isn't hard to find this stuff. These types of scammers are not usually very subtle. In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware infected file, or not even bothering to modify their phishing sites each time they reupload them, or using the same keywords/broken english in their spam, etc.
These companies could automate checking to see what's at the other end of a generated link, or run a quick AV scan on an uploaded file, or to look for domains that are registered with misspellings of banks and online shopping companies, or to see if the hash of recently uploaded content matches something they recently had to take down because it violated the law and/or their own ToS/AUP.
I'm not even suggesting that they take something offline immediately if they find something, just flag it for review by an actual human with eyes and a brain and have enough humans available that it doesn't take long before that review happens. Make it easy for people to send reports of internet abuse. It's not hard to act like responsible members of the internet community, it's just takes work.
> In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware infected file
It sounds like you advocate for proxy servers to inspect traffic at the application layer. Is that right?
In the OSI reference model, the communications between systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.
> It sounds like you advocate for proxy servers to inspect traffic at the application layer. Is that right?
In most cases you wouldn't need one. a URL shortener service can see what people are linking to. A webhosting company can see everything on their own servers. In the specific case of cloudflare and this particular product they may or may not need to. I notice that they do reserve the right to monitor and inspect any traffic on the Cloudflare network.
This text is non-responsive to the question. Maybe your purpose is to practice typing? Just because a company "can" do something doesn't mean that they will devote the resources to perform it.
Framing cloudflare as the enabler is missing the bigger picture.
I remember back in the day I needed to turn off autoplay on Windows to not get accidentally infected by malicious drives.
No one was insane enough to blame the CD-RW and flash drive manufacturers.