Monday, February 28, 2011

DDoS Repercussions


Over the past few months law enforcement and rogue groups have been battling over the Wikileaks controversy in an on-line battlefield. The players are the same as those of the crypto-wars, albeit a few generations younger on both sides.  Recently the entire thing ended in a raid of forty suspected DDoSers' homes.  But were those raids justified?  To what extent should you expect privacy on-line, and exactly why are both of these groups that are promoting liberty doing it in such different manners?

Wikileaks Timeline:

For those of you that have been living under a rock for the past few months, here is a quick timeline of events:

  • November 28, 2010 - Wikileaks releases a quarter of a million diplomatic cables. That day a DDoS attack is conducted upon the site, causing it to shut down.
  • November 29, 2010 - Wikileaks moves to Amazon's EC2 cloud.
  • December 1, 2010 - Amazon drops Wikileaks under supposed pressure from the U.S. Government.
  • December 2, 2010 - Wikileaks loses its DNS records.
  • December 8/9, 2010 - DDoS attacks are conducted upon Mastercard and Visa sites through "Operation Payback" by Anonymous.
  • January 27, 2011 - The Federal Bureau of Investigation, paired with international law enforcement, conducts searches of forty suspected DDoS perpetrators (surprisingly absent are warrants for the original DDoS attack on Wikileaks).

What is DDoS?

To begin with the legality of the raids, we must examine what DDoS attacks actually are.  Essentially, a Distributed Denial of Service attack is a flood of requests to a server; when a server receives such a flood it slows down considerably or can even crash.  These attacks have been around for years and can have quite simple defenses.  What makes DDoS attacks so powerful is that on one side you have a few servers, and on the other thousands of individuals (or infected hosts in a botnet) to distribute the load of connections, so no single attacker's Internet connection slows down in the process.  These attacks used a fairly simple tool called the Low Orbit Ion Cannon (LOIC), which essentially conducts these attacks automagically.  What makes it so powerful is that script kiddies/"hacktivists" can easily download it and fire it up (easier than metasploit, sqlmap or firesheep).  A major drawback when using the LOIC is that it doesn't mask the originating IP of the attackers (this plays a key role later on).

Denial of Service attacks have been likened to different things depending on which side of the law one resides on.  For attackers, denial of service attacks can be likened to ringing a doorbell and running away, except it can be done hundreds of times a second.  For law enforcement, such attacks constitute criminal offenses under Title 18 U.S.C. § 1030, specifically because the computers "attacked" were "protected computers", being that they belonged to a financial institution in the United States.


Tooting the Same Horn:

What is most confusing about the DoS attacks and the raids is that both sides argue that they are promoting freedom.  From Anonymous' viewpoint, companies that attempted to stop the flow of stolen diplomatic cables (as they were undeniably stolen) were restricting the individual's right to know about their government's proceedings.  From the alternative viewpoint, by tracking the users of the LOIC, law enforcement was able to determine sources of the attack and stop them.  There are a few problems with the way they decided to do this, however, chiefly:

  • Some of the people whose doors were broken in didn't participate in the attack (IP addresses change, and there are multiple users per IP).
  • No individual caused the sites to experience service outages; rather, a collective did.  The same thing happens to Twitter quite often: too many people start tweeting and cause outages, and the publicity of these outages oftentimes makes them worse.
  • The publicity these sites received during the attack drove people to "see what was happening", causing a snowball effect.
  • The (inept) security firm that aided in the capture of the suspected criminal IP addresses used legally questionable social-engineering-type searches to find the reported ringleaders.
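To make the two technical points above concrete (a flood is just too many requests per source in too short a window, and a source address is not a person), here is an added example in Python. It is not code from the original post: it runs a sliding-window request-rate check over constructed access-log lines, then maps each flagged address to a constructed ISP lease table to show the two attribution problems the list raises, an address that was reassigned to another subscriber after the flood and an address that is a NAT fronting hundreds of machines. All addresses, lease records and thresholds are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [08/Dec/2010:14:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)  # constructed clock


def t(hour, minute):
    """A UTC time on the constructed sample day."""
    return BASE.replace(hour=hour, minute=minute)


def parse_line(line):
    """Parse one access-log line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def flood_sources(lines, window_s=10, threshold=20):
    """Per-source sliding-window rate check.

    Returns {ip: peak requests seen inside one window} for every address
    that exceeded `threshold` requests within any `window_s` seconds.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed input is skipped, not fatal
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and len(q) > peak.get(rec["ip"], 0):
            peak[rec["ip"]] = len(q)
    return peak


# Constructed lease records: (ip, start, end, subscriber, hosts behind it).
# 203.0.113.7 changes hands at 14:30; 198.51.100.9 is a NAT for 400 machines.
LEASES = [
    ("203.0.113.7", t(13, 0), t(14, 30), "subscriber-A", 1),
    ("203.0.113.7", t(14, 30), t(16, 0), "subscriber-B", 1),
    ("198.51.100.9", t(0, 0), t(23, 59), "campus-NAT", 400),
]


def attribute(ip, at, leases):
    """Who held `ip` at time `at`? Returns (subscriber, hosts) or None."""
    for lease_ip, start, end, subscriber, hosts in leases:
        if lease_ip == ip and start <= at < end:
            return subscriber, hosts
    return None


def report(lines, leases, window_s=10, threshold=20):
    """Flagged sources, each attributed at the time of the flood (not now)."""
    peaks = flood_sources(lines, window_s, threshold)
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] not in first_seen:
            first_seen[rec["ip"]] = rec["ts"]
    rows = []
    for ip, peak in sorted(peaks.items()):
        found = attribute(ip, first_seen[ip], leases)
        if found is None:
            subscriber, note = None, "no lease record for that time"
        else:
            subscriber, hosts = found
            note = "single host" if hosts == 1 else f"shared by {hosts} hosts"
        rows.append({"ip": ip, "peak": peak, "subscriber": subscriber, "note": note})
    return rows


def build_sample_log():
    """Constructed traffic: one flooding host, one busy NAT, one normal visitor."""
    entries = []

    def emit(ip, offset_s, path="/"):
        ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
        entries.append((offset_s, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'))

    for i in range(60):   # 60 hits in six seconds: a flood
        emit("203.0.113.7", i * 0.1)
    for i in range(25):   # 25 hits in five seconds from the NAT
        emit("198.51.100.9", i * 0.2, "/index.html")
    for i in range(5):    # one visitor browsing at a normal pace
        emit("192.0.2.55", i * 3.0, "/about")
    entries.sort(key=lambda e: e[0])
    lines = [line for _, line in entries]
    lines.insert(3, "not a log line at all")  # malformed line the parser must survive
    return lines


if __name__ == "__main__":
    for row in report(build_sample_log(), LEASES):
        print(row)
```

Run as a script it prints two flagged rows: the NAT address is flagged but noted as shared by 400 hosts, and the single-host address is attributed to subscriber-A because the lookup uses the timestamp of the flood; asking `attribute()` about the same address an hour later returns subscriber-B, which is exactly the wrong door to knock on.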
Given that both security and freedom really are key, what should be done in the future to mitigate these problems?

Part of the problem of the Internet, along with the best thing about it, is that it is dynamic.  If I wanted to commit a crime, I could just patch myself in anywhere (coffee shop, McDonalds, my neighbor's wireless, etc.) and begin attacking; within an hour I could be gone, leaving someone else's fingerprints all over the mess.  Either the government needs to be able to trace packets as they are traveling, or better yet ISPs just need to drop the traffic that their clients ask them to.  If doors are going to be knocked [on | down] then the government needs to make sure that it isn't some kid running a free piece of software on their computer, or my grandma who got infected with a bot.

The FBI's statement said that the individuals could win a free ten year trip to prison along with significant civil liability.  We all know that this is like music sharing: if the government went after every DDoS participant they would be in more of a financial mess than they are now.  There needs to be some middle ground here; a fifty dollar ticket would deter more people than ten years in prison, because tickets are easier to issue than dragging everyone through a drawn-out legal procedure.

As far as the snowball goes, perhaps a media campaign could fix that: say ISP, DDoS, IP, SYN ACK, and TCP to your neighbor and their eyes will glaze over; we know not to visit a site under attack, but they don't.  To them a computer is a magic device that does stupid things for some reason (to us it is an electric-impulse physics god that we screw up by doing stupid things).  To them Google is just out there *points to the sky*, rather than on a rack server at the other end of a screaming fast trans-continental fiber optic line; the public just needs to know that they shouldn't check things out for themselves.

What Anonymous did was like civil disobedience, although someone in there had a nefarious intent.  That does not excuse the use of social engineering to deconstruct the organization.  Social engineering is a dangerous practice, as anyone can easily mimic another person to use as a decoy, and there is no way to really know on-line (proxies/onion routing/etc.).  It is moronic to believe that social engineering against social engineers is sensible, especially when you are using silly methods like the law-enforcement contractor did.  Now that these methods are out in the open, we'll probably see an influx of spoofed, half-true, seemingly linked accounts that in actuality are run by different people.

While we may be over these particular raids right now, and not much can be done about them, what happened was nonetheless wrong.  What kind of a future do you want: one in which everyone is "safe" from attacks (that come from US individuals, rather than bot-nets or foreign entities), or one where civil disobedience comes at almost no price (other than social backlash) to the corporations being "attacked"?
