DDoS Repercussions

Over the past few months law enforcement and rogue groups have been battling over the Wikileaks controversy in an on-line battlefield. The players are the same as those of the crypto-wars, albeit a few generations younger on both sides.  Recently the entire thing ended in a raid of forty suspected DDoSers' homes.  But were those raids justified?  To what extent should you expect privacy on-line, and exactly why are both of these groups that are promoting liberty doing it in such different manners?

Wikileaks Timeline:

For those of you that have been living under a rock for the past few months, here is a quick time-line of events:

• November 28, 2010 - Wikileaks releases a quarter of a million diplomatic cables. That day a DDoS attack is conducted upon the site causing it to shut down.
• November 29, 2010 - Wikileaks moves to Amazon's EC2 cloud.
• December 1, 2010 - Amazon drops Wikileaks under supposed pressure from the U.S. Government.
• December 2, 2010 - Wikileaks loses its DNS records.
• December 8/9, 2010 - DDoS attacks are conducted upon Mastercard and Visa sites through "Operation Payback" by Anonymous.
• January 27, 2011 - The Federal Bureau of Investigation paired with international law enforcement conducts searches of forty suspected DDoS perpetrators (surprisingly absent are warrants for the original DDoS attack on Wikileaks). 

What is DDoS?

To begin with the legality of raids, we must examine what DDoS attacks actually are.  Essentially a Distributed Denial of Service attack, is a flood of requests to a server, when a server receives such a flood it slows down considerably or can even crash; these attacks have been around for years and can have quite simple defenses.  What makes DDoS attacks so powerful is that on one side, you have a few servers, and on the other thousands of individuals (or infected hosts in a botnet) to distribute the load of connections, so the attacker's Internet doesn't slow down in the process.  These attacks used a fairly simple tool called the Low Orbit Ion Cannon (LOIC) which essentially conducts these attacks automagically.  What makes it so powerful is that script kiddies/"hacktivists" can easily download it and fire it up (easier than metasploit, sqlmap or firesheep).  A major drawback when using the LOIC is that it dosen't mask the originating IP of the attackers (this plays a key role later on).

Denial of Service attacks have been likened to different things depending on which side of the law one resides on.  For attackers denial of service attacks can be likened to ringing a doorbell and running away, except it can be done hundreds of times a second.  For law enforcement such attacks constitute criminal offenses under Title 18 U.S.C. § 1030, specifically because the computers "attacked" were "protected computers" being that they belonged to a financial institution in the United States.


Tooting the Same Horn:
What is most confusing about the DOS attacks and the raids is that both sides argue that they are promoting freedom.  From Anonymous' viewpoint, companies that attempted to stop the flow of stolen diplomatic cables, (as they were undeniably stolen), were restricting the freedom of the individual's right to know about their government's proceedings.  From the alternative viewpoint, by tracking the users of the LOIC, law enforcement was able to determine sources of the attack and stop them.  There are a few problems with the way they decided to do this however, cheifly:

• Some of the people whose doors were broken in didn't participate in the attack (IP addresses change, and there are multiple users per IP).
• No individual caused the sites to experience service outages, rather a collective did.  The same thing happens to twitter quite often, too many people start tweeting and cause outages, the publicity of these outages oftentimes make them worse.
• The publicity these sites received during the attack drove people to "see what was happening" causing a snowball effect.
• The (inept) security firm that aided in the capture of the suspected criminal IP addresses used legally questionable social engineering type searches to find the reported ringleaders.

Being that security and freedom really is key, what should be done in the future to mitigate these problems?
Part of the problem of the Internet, along with the best thing about it, is that it is dynamic.  If I wanted to commit a crime, I could just patch myself in anywhere (coffee shop, McDonalds, my neighbor's wireless etc.) and begin attacking; within an hour I could be gone and could have left their fingerprints all over the mess.  Either the government needs to be able to trace packets as they are traveling, or better yet ISPs just need to drop the traffic that their clients ask them to.  If doors are going to be knocked [on | down] then the government needs to make sure that it isn't some kid running a free piece of software on their computer, or my grandma that got infected with a bot.
The statement listed above by the FBI said that the individuals could win a free ten year trip to prison along with significant civil liability.  We all know that this is like music sharing, if the government went after every DDoS participant they would be in more of a financial mess than they are now.  There seems to need to be some middle ground here, a fifty dollar ticket would deter more people than ten years in prison, because they know tickets are easier to do than taking everyone to a drawn out legal procedure.
As far as snowball goes, perhaps a media campaign could fix that, say ISP, DDoS, IP, SYN ACK, and TCP to your neighbor and their eyes will glaze over; we know not to visit a site under attack, but they don't.  To them a computer is a magic device that does stupid things for some reason, (to us it is an electric-impulse physics god that we screw up by doing stupid things).  To them Google is just out there *points to the sky*, rather than on a rack server at the other end of a screaming fast trans-continental fiber optic line; the public just needs to know that they shouldn't check things out for themselves.
What Anonymous did was like civil disobedience, although someone in there had a nefarious intent.  That does not excuse the use of social engineering to deconstruct the organization.  Social engineering is a dangerous practice as anyone can easily mimic another person to use as a decoy, and there is no way to really know on-line (proxies/onion routing/etc.).  It is moronic to believe that social-engineering against social-engineers is sensible; especially when you are using silly methods like the law-enforcement contractor did.  Now that these methods are out in the open, we'll probably see an influx of spoofed half-true seemingly linked accounts that in actuality are run by different people.

While we may be over these particular raids right now, and not much can be done about them, what happened was none-the-less wrong.  What kind of a future do you want, one in which everyone is "safe" from attacks (that come from US individuals, rather than bot-nets or foreign entities), or one where civil disobedience comes at almost no price (other than social backlash) to the corporations being "attacked"?

XKCD Fetcher

Problem:  You want every XKCD in existence on your harddrive.  Solution: Pirate this script!

Instead of going through and raping the XKCD website, they have provided a nice JSON document for every comic.  The script below can produce two outputs, one is a nice list of comics that includes number, title, and alt-text, that looks like this:

• 405 - Journal 3 - Oh, and, uh, if the Russian government asks, that submarine was always there.
• 406 - Venting - P.P.S. I can kill you with my brain.
• 407 - Cheap GPS - In lieu of mapping software, I once wrote a Perl program which, given a USB GPS receiver and a destination, printed 'LEFT' 'RIGHT' OR 'STRAIGHT' based on my heading.
• 408 - Overqualified - To anyone I've taken on a terrible date, this is retroactively my cover story.
• 409 - Electric Skateboard (Double Comic) - Unsafe vehicles, hills, and philosophy go hand in hand.
• 410 - Math Paper - That's nothing. I once lost my genetics, rocketry, and stripping licenses in a single incident.

The other will just print a list of URLs to stdout, that you could write to a file or possibly pipe to a wget script.  To use this function just invoke the program with a -w option.

One caveat, this script will only fetch comics until the second number in the range statement, so change it before running. This script is licensed under an Apache/GPL/MIT/Other OSI approved license, just be sure to attribute me, thanks :) Remember that XKCD comics are CCbyNC so you are free to copy them to your heart's content.

#!/usr/bin/env python
#Copyright 2011 Joseph Lewis <joehms22 gmail com>
#MIT License/GPL 2+ License/Apache License

import urllib2
import time
import sys

WGET = False
try:
    if sys.argv[1] == "-w":
        WGET = True
except IndexError:
    pass

for i in range(1, 850):
    if i == 404:  #Skip the 404th comic which is an error 404 page.
        continue
    url = "http://xkcd.com/%i/info.0.json" % (int(i))
    comic_json = urllib2.urlopen(url)
    time.sleep(.2)
    comic = eval( comic_json.read() )

    number = comic['num']
    title  = comic['title']
    image  = comic['img']
    alt    = comic['alt']

    if WGET:  #Just list urls for wget :)
        print(image)
    else:
        print("<li><a href='%s'>%s - %s</a> - %s</li>\n" % (image, number, title, alt))

TI BASIC

I just dug out my old TI-83 Plus and was poking around the PRGM menu and found a few old programs that I had made.  Most of them were little helper programs that I created while the teacher was lecturing in my tenth grade pre-calculus class (I didn't take calculus until three years later, by then most of it was gone).

I had learned BASIC two years prior to learning TIBASIC, in an old math textbook that a teacher of mine had collected.  My original programs were written on a sheet of lined paper, and did simple things like solve triangles.  I was unable to find an suitable interpreter as BASIC had taken its leave years prior, I was simply born about ten years too late.

A freshman in that class (who was a genius and later became a dear friend of mine), was very patient in teaching me the essentials of the language, I started off with a few simple things such as making the program distributed by the teacher to solve quadratic equations run twice as fast.  I also made a minesweeper, but that seems to have disappeared off the calculator.  Later on I also made PONG, but this too has gone (PONG ran very slowly, but none-the-less worked).  There was another game I made that made you race around the screen attempting to collect items...

Anyhow that is enough reminiscing for today :)

Modeling The St. Petersburg Paradox

Background:

The St. Petersburg game is a game of chance; the person placing the wager is asked for a certain amount. After paying the casino to play a fair coin is flipped until a tails is reached. The player wins 2^{number of flips} dollars. The chances of winning the nth round are given by 1/2^n for example the chances of winning the eighth round are 1/256 and the payoff for that round is 256. The expected payoff for any particular round is the chance of winning multiplied by the payoff, for this game it is always 1. The expected payoff for a game is the sum of all possible rounds. In this case there are an infinite number of rounds so the expected payoff is infinity.  Hypothetically then, the perfectly rational person will pay any amount in order to play, but how realistic is this?

Setup:

I decided to write a simulation in Python (of course) to actually check what the average player should pay to play.

#!/usr/bin/python
'''stpetersburg.py -- A saint petersburg simulator.

Copyright 2011 Joseph Lewis <joehms22@gmail.com>

MIT License http://www.opensource.org/licenses/mit-license.php

'''
import random

def play():
    total_won = 0
    payoff_matrix = {}

    print("Iter:\tFlips:\tWinnings:\tWon?")

    for i in range(iterations):
        winnings = 0
        flips = flip(max_game)  #Flip the coin until tails.

        #Determine winnings based upon the wager multiplier and flips.
        if flips:
            winnings = multiplier**(flips)

        #Stats
        total_won += winnings
        if flips in payoff_matrix.keys():
            payoff_matrix[flips] = payoff_matrix[flips] + 1
        else:
            payoff_matrix[flips] = 1

        print("%i\t%i\t%i\t\t%s" % (i, flips, winnings, winnings >= initial_wager))

    #Do some basic stats.
    avg_won = float(total_won) / iterations
    print ("Avg. Winnings:\t%d" % (avg_won))
    print ("Flips x Frequency")
    for k in payoff_matrix.keys():
        print("%s x %s" % (k, payoff_matrix[k]))
    print ("Money Won:   %s" % (total_won))
    print ("Money Waged: %s" % (iterations * initial_wager))


def flip(max_flip):
    '''Flips a coin until max_flip is reached or the coin turns up
    tails.  Returns the number of flips that came up heads.

    If max_flip is -1 flipping will continue until a tails is reached.
    '''
    numflips = 0

    while numflips != max_flip:
        numflips += 1
        if random.randint(0,1): #0 = heads 1 = Tails:
            return numflips


    return numflips


def ask_int(question, default):
    '''Asks the user for an int printing out the default and question.
    '''
    num = raw_input(question + " (Default: %s)\n" % (str(default)))
    if num == '':
        return default
    return int(num)


if __name__ == "__main__":
    print __doc__ #Notify the user of the license (top of file)

    #Set up simulation
    iterations = ask_int("How many iterations?", 100000)
    initial_wager = ask_int("What is the initial wager?", 2)
    multiplier = ask_int("What is the multiplier per win?", 2)
    max_game = ask_int("What is the bound on the number of games -1 for infinity?", -1)

    #Start simulation
    play()

Running:
This is an output of the default settings (which can be tweaked to easily accommodate other versions of the problem).

Avg. Winnings:  18
Flips x Frequency
1 x 50078
2 x 25019
3 x 12474
4 x 6286
5 x 3085
6 x 1455
7 x 791
8 x 396
9 x 197
10 x 110
11 x 51
12 x 32
13 x 17
14 x 5
15 x 2
16 x 1
18 x 1
Money Won:   1858488
Money Waged: 200000

The output was fairly consistent the several times I have run it, the amount won is about ten times the money wagered, so therefore you should want to bet no more than about twenty dollars.  There you have it, a rational cutoff for playing the paradox :)