www.nettime.org
Nettime mailing list archives

<nettime> Brian Krebs > The Democratization of Censorship
nettime_distributed-denialist on Sun, 25 Sep 2016 15:33:33 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Brian Krebs > The Democratization of Censorship


< https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ >

25 SEP 16 The Democratization of Censorship

Brian Krebs

John Gilmore, an American entrepreneur and civil libertarian,
once famously quipped that "the Internet interprets
censorship as damage and routes around it." This notion
undoubtedly rings true for those who see national governments
as the principal threats to free speech.

However, events of the past week have convinced me that one
of the fastest-growing censorship threats on the Internet
today comes not from nation-states, but from super-empowered
individuals who have been quietly building extremely potent
cyber weapons with transnational reach.

More than 20 years after Gilmore first coined that turn of
phrase, his most notable quotable has effectively been
inverted -- "Censorship can in fact route around the
Internet." The Internet can't route around censorship when
the censorship is all-pervasive and armed with, for all
practical purposes, near-infinite reach and capacity. I call
this rather unwelcome and hostile development the "The
Democratization of Censorship."

Allow me to explain how I arrived at this unsettling
conclusion. As many of you know, my site was taken offline
for the better part of this week. The outage came in the wake
of a historically large distributed denial-of-service (DDoS)
attack which hurled so much junk traffic at
Krebsonsecurity.com that my DDoS protection provider Akamai
chose to unmoor my site from its protective harbor.

Let me be clear: I do not fault Akamai for their decision. I
was a pro bono customer from the start, and Akamai and its
sister company Prolexic have stood by me through countless
attacks over the past four years. It just so happened that
this last siege was nearly twice the size of the next-largest
attack they had ever seen before. Once it became evident that
the assault was beginning to cause problems for the company's
paying customers, they explained that the choice to let my
site go was a business decision, pure and simple.

Nevertheless, Akamai rather abruptly informed me I had until
6 p.m. that very same day -- roughly two hours later -- to make
arrangements for migrating off their network. My main concern
at the time was making sure my hosting provider wasn't going
to bear the brunt of the attack when the shields fell. To
ensure that absolutely would not happen, I asked Akamai to
redirect my site to 127.0.0.1 -- effectively relegating all
traffic destined for KrebsOnSecurity.com into a giant black
hole.

Today, I am happy to report that the site is back up -- this
time under Project Shield, a free program run by Google to
help protect journalists from online censorship. And make no
mistake, DDoS attacks -- particularly those the size of the
assault that hit my site this week -- are uniquely effective
weapons for stomping on free speech, for reasons I'll explore
in this post.

Why do I speak of DDoS attacks as a form of censorship? Quite
simply because the economics of mitigating large-scale DDoS
attacks do not bode well for protecting the individual user,
to say nothing of independent journalists.

In an interview with The Boston Globe, Akamai executives said
the attack -- if sustained -- likely would have cost the
company millions of dollars. In the hours and days following
my site going offline, I spoke with multiple DDoS mitigation
firms. One offered to host KrebsOnSecurity for two weeks at
no charge, but after that they said the same kind of
protection I had under Akamai would cost between $150,000 and
$200,000 per year.

Ask yourself how many independent journalists could possibly
afford that kind of protection money? A number of other
providers offered to help, but it was clear that they did not
have the muscle to be able to withstand such massive attacks.

I've been toying with the idea of forming a 501(c)3
non-profit organization -- 'The Center for the Defense of
Internet Journalism', if you will -- to assist Internet
journalists with obtaining the kind of protection they may
need when they become the targets of attacks like the one
that hit my site.  Maybe a Kickstarter campaign, along with
donations from well-known charitable organizations, could get
the ball rolling.  It's food for thought.

CALIBRATING THE CANNONS

Earlier this month, noted cryptologist and security blogger
Bruce Schneier penned an unusually alarmist column titled,
"Someone Is Learning How to Take Down the Internet." Citing
unnamed sources, Schneier warned that there was strong
evidence indicating that nation-state actors were actively
and aggressively probing the Internet for weak spots that
could allow them to bring the entire Web to a virtual
standstill.

"Someone is extensively testing the core defensive
capabilities of the companies that provide critical Internet
services," Schneier wrote. "Who would do this? It doesn't
seem like something an activist, criminal, or researcher
would do. Profiling core infrastructure is common practice in
espionage and intelligence gathering. It's not normal for
companies to do that."

Schneier continued:

"Furthermore, the size and scale of these probes -- and
especially their persistence -- points to state actors. It
feels like a nation's military cyber command trying to
calibrate its weaponry in the case of cyberwar. It reminds me
of the US's Cold War program of flying high-altitude planes
over the Soviet Union to force their air-defense systems to
turn on, to map their capabilities."

Whether Schneier's sources were accurate in their assessment
of the actors referenced in his blog post is unknown. But as
my friend and mentor Roland Dobbins at Arbor Networks
eloquently put it, "When it comes to DDoS attacks,
nation-states are just another player."

"Today's reality is that DDoS attacks have become the Great
Equalizer between private actors & nation-states," Dobbins
quipped.

UM…YOUR RERUNS OF 'SEINFELD' JUST ATTACKED ME

What exactly was it that generated the record-smashing DDoS
of 620 Gbps against my site this week? Was it a space-based
weapon of mass disruption built and tested by a rogue
nation-state, or an arch villain like SPECTRE from the James
Bond series of novels and films? If only the enemy here was
that black-and-white.

No, as I reported in the last blog post before my site was
unplugged, the enemy in this case was far less sexy. There is
every indication that this attack was launched with the help
of a botnet that has enslaved a large number of hacked
so-called "Internet of Things," (IoT) devices -- mainly
routers, IP cameras and digital video recorders (DVRs) that
are exposed to the Internet and protected with weak or
hard-coded passwords. Most of these devices are available for
sale on retail store shelves for less than $100, or -- in the
case of routers -- are shipped by ISPs to their customers.

Some readers on Twitter have asked why the attackers would
have "burned" so many compromised systems with such an
overwhelming force against my little site. After all, they
reasoned, the attackers showed their hand in this assault,
exposing the Internet addresses of a huge number of
compromised devices that might otherwise be used for actual
money-making cybercriminal activities, such as hosting
malware or relaying spam. Surely, network providers would
take that list of hacked devices and begin blocking them from
launching attacks going forward, the thinking goes.

As KrebsOnSecurity reader Rob Wright commented on Twitter,
"the DDoS attack on  {AT} briankrebs feels like testing the Death
Star on the Millennium Falcon instead of Alderaan." I replied
that this maybe wasn't the most apt analogy. The reality is
that there are currently millions -- if not tens of millions --
of insecure or poorly secured IoT devices that are ripe for
being enlisted in these attacks at any given time. And we're
adding millions more each year.

I suggested to Mr. Wright perhaps a better comparison was
that ne'er-do-wells now have a virtually limitless supply of
Stormtrooper clones that can be conscripted into an attack at
a moment's notice.

SHAMING THE SPOOFERS

The problem of DDoS conscripts goes well beyond the millions
of IoT devices that are shipped insecure by default:
Countless hosting providers and ISPs do nothing to prevent
devices on their networks from being used by miscreants to
"spoof" the source of DDoS attacks.

As I noted in a November 2015 story, The Lingering Mess from
Default Insecurity, one basic step that many ISPs can but are
not taking to blunt these attacks involves a network security
standard that was developed and released more than a dozen
years ago. Known as BCP38, its use prevents insecure
resources on an ISPs network (hacked servers, computers,
routers, DVRs, etc.) from being leveraged in such powerful
denial-of-service attacks.

Using a technique called traffic amplification and
reflection, the attacker can reflect his traffic from one or
more third-party machines toward the intended target. In this
type of assault, the attacker sends a message to a third
party, while spoofing the Internet address of the victim.
When the third party replies to the message, the reply is
sent to the victim -- and the reply is much larger than the
original message, thereby amplifying the size of the attack.

BCP38 is designed to filter such spoofed traffic, so that it
never even traverses the network of an ISP that's adopted the
anti-spoofing measures. However, there are non-trivial
economic reasons that many ISPs fail to adopt this best
practice. This blog post from the Internet Society does a
good job of explaining why many ISPs ultimately decide not to
implement BCP38.

Fortunately, there are efforts afoot to gather information
about which networks and ISPs have neglected to filter out
spoofed traffic leaving their networks. The idea is that by
"naming and shaming" the providers who aren't doing said
filtering, the Internet community might pressure some of
these actors into doing the right thing (or perhaps even
offer preferential treatment to those providers who do
conduct this basic network hygiene).

A research experiment by the Center for Applied Internet Data
Analysis (CAIDA) called the "Spoofer Project" is slowly
collecting this data, but it relies on users voluntarily
running CAIDA's software client to gather that intel.
Unfortunately, a huge percentage of the networks that allow
spoofing are hosting providers that offer extremely low-cost,
virtual private servers (VPS). And these companies will never
voluntarily run CAIDA's spoof-testing tools.

As a result, the biggest offenders will continue to fly under
the radar of public attention unless and until more pressure
is applied by hardware and software makers, as well as ISPs
that are doing the right thing.

How might we gain a more complete picture of which network
providers aren't blocking spoofed traffic -- without relying
solely on voluntary reporting? That would likely require a
concerted effort by a coalition of major hardware makers,
operating system manufacturers and cloud providers, including
Amazon, Apple, Google, Microsoft and entities which maintain
the major Web server products (Apache, Nginx, e.g.), as well
as the major Linux and Unix operating systems.

The coalition could decide that they will unilaterally build
such instrumentation into their products. At that point, it
would become difficult for hosting providers or their myriad
resellers to hide the fact that they're allowing systems on
their networks to be leveraged in large-scale DDoS attacks.

To address the threat from the mass-proliferation of hardware
devices such as Internet routers, DVRs and IP cameras that
ship with default-insecure settings, we probably need an
industry security association, with published standards that
all members adhere to and are audited against periodically.

The wholesalers and retailers of these devices might then be
encouraged to shift their focus toward buying and promoting
connected devices which have this industry security
association seal of approval. Consumers also would need to be
educated to look for that seal of approval. Something like
Underwriters Laboratories (UL), but for the Internet,
perhaps.

THE BLEAK VS. THE BRIGHT FUTURE

As much as I believe such efforts could help dramatically
limit the firepower available to today's attackers, I'm not
holding my breath that such a coalition will materialize
anytime soon. But it's probably worth mentioning that there
are several precedents for this type of cross-industry
collaboration to fight global cyber threats.

In 2008, the United States Computer Emergency Readiness Team
(CERT) announced that researcher Dan Kaminsky had discovered
a fundamental flaw in DNS that could allow anyone to
intercept and manipulate most Internet-based communications,
including email and e-commerce applications. A diverse
community of software and hardware makers came together to
fix the vulnerability and to coordinate the disclosure and
patching of the design flaw.

deathtoddosIn 2009, Microsoft heralded the formation of an
industry group to collaboratively counter Conficker, a
malware threat that infected tens of millions of Windows PCs
and held the threat of allowing cybercriminals to amass a
stupendous army of botted systems virtually overnight. A
group of software and security firms, dubbed the Conficker
Cabal, hashed out and executed a plan for corralling infected
systems and halting the spread of Conficker.

In 2011, a diverse group of industry players and law
enforcement organizations came together to eradicate the
threat from the DNS Changer Trojan, a malware strain that
infected millions of Microsoft Windows systems and enslaved
them in a botnet that was used for large-scale cyber fraud
schemes.

These examples provide useful templates for a solution to the
DDoS problem going forward. What appears to be missing is any
sense of urgency to address the DDoS threat on a coordinated,
global scale.

That's probably because at least for now, the criminals at
the helm of these huge DDoS crime machines are content to use
them to launch petty yet costly attacks against targets that
suit their interests or whims.

For example, the massive 620 Gbps attack that hit my site
this week was an apparent retaliation for a story I wrote
exposing two Israeli men who were arrested shortly after that
story ran for allegedly operating vDOS -- until recently the
most popular DDoS-for-hire network. The traffic hurled at my
site in that massive attack included the text string
"freeapplej4ck," a reference to the hacker nickname used by
one of vDOS's alleged co-founders.

Most of the time, ne'er-do-wells like Applej4ck and others
are content to use their huge DDoS armies to attack gaming
sites and services. But the crooks maintaining these large
crime machines haven't just been targeting gaming sites. OVH,
a major Web hosting provider based in France, said in a post
on Twitter this week that it was recently the victim of an
even more massive attack than hit my site. According to a
Tweet from OVH founder Octave Klaba, that attack was launched
by a botnet consisting of more than 145,000 compromised IP
cameras and DVRs.

I don't know what it will take to wake the larger Internet
community out of its slumber to address this growing threat
to free speech and ecommerce. My guess is it will take an
attack that endangers human lives, shuts down critical
national infrastructure systems, or disrupts national
elections.

But what we're allowing by our inaction is for individual
actors to build the instrumentality of tyranny. And to be
clear, these weapons can be wielded by anyone -- with any
motivation -- who's willing to expend a modicum of time and
effort to learn the most basic principles of its operation.

The sad truth these days is that it's a lot easier to censor
the digital media on the Internet than it is to censor
printed books and newspapers in the physical world. On the
Internet, anyone with an axe to grind and the willingness to
learn a bit about the technology can become an instant,
self-appointed global censor.

I sincerely hope we can address this problem before it's too
late. And I'm deeply grateful for the overwhelming outpouring
of support and solidarity that I've seen and heard from so
many readers over the past few days. Thank you.

     © 2016 Krebs on Security.  

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org
#   {AT} nettime_bot tweets mail w/ sender unless #ANON is in Subject: