The chilling effect of a DoS attack: why the KrebsOnSecurity incident should alarm all of us

Ars Technica recently reported on a troubling situation involving well-known security blogger Brian Krebs and his blog KrebsOnSecurity. Brian’s blog is now back online, thankfully, and he wasted no time firing off this post entitled The Democratization of Censorship which I will quote in part:

More than 20 years after [John] Gilmore first coined [the] turn of phrase [“The Net interprets censorship as damage and routes around it”], his most notable quotable has effectively been inverted — “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the “The Democratization of Censorship.”

Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

The blog post goes on to describe the details, namely that a denial of service (DoS) attack aimed at Brian’s blog was so massive that Akamai could no longer afford to protect him from it. Rather than allow his own hosting provider to get swamped with the traffic, Brian chose to take his blog offline by pointing its DNS name at the loopback address; given that the vast majority of users are not running a web server on their own PCs, and certainly not on their phones or tablets if they are using such a device, this had the effect of taking the blog down. Brian finally put it back up under the protection of Google’s Project Shield.

As to what figurative fire ant mound Brian managed to step in, I’m not even sure it really matters that much. The problem is that this happened. If it happens to someone like Brian Krebs, it can just as easily happen to any of us. The tragedy here is not that Akamai and Google are willing to protect sites like Brian’s from crippling denial of service attacks. No, the tragedy is that such protection needs to exist at all.

In this case, Google happens to be the good guys. However, it is worth mentioning that I have been highly critical of Google in the past; always for a good reason of course, but it’s inevitable that a corporation like Google (or Akamai, for that matter) will get one wrong once in a while.

That’s not to say that Akamai are the bad guys here; they protected Brian’s site for as long as they could, until it became completely infeasible to do so. To give you an idea of the scale of the chessboard Brian is playing on, here is another chilling quote from his blog post:

In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

[…]

That annual figure breaks down to $400 or so per day. For most of us that’s a crippling sum; I would think even Bill Gates, Warren Buffett, Jeff Bezos, or most other multi-billionaires would probably throw in the towel if keeping a blog or website up cost that much (and the site was operated purely for free speech and not for profit; obviously that’s a drop in the bucket for Microsoft, Amazon, or most of the companies owned by Berkshire Hathaway, for their public-facing and profit-generating websites).

It almost goes without saying, but if it cost that $400 per day to keep this site online, it would be gone. I’m not even sure I could take the two free weeks in good conscience, because I’d be quitting immediately thereafter. I would likely even be afraid to try to distribute the archives via BitTorrent, for fear that anywhere I tried to seed them from would be hit with the same type of attack. I certainly couldn’t use BitTorrent for posting new updates; maybe I could use something like Freenet or ZeroNet. That would likely mean giving up WordPress, which I really do not want to do.

There has to be something that can be done about this cybervandalism at the Internet service provider (ISP) level. I don’t get why the heck any decent ISP still lets the kind of garbage traffic that makes up a DoS attack leave its own network. It’s one thing for someone to take control of a botnet on, say, Comcast’s or AT&T’s network, and take someone offline who is on that same network. It’s another thing entirely to take control of botnets across the planet and blast someone right off of Akamai’s network. I don’t even know if cybervandalism is still the right word at that scale; it’s more like cyberwarfare at that point.

Google and payday loan sharks: the past versus the future

For once, Google does something truly worthy of commendation.

This recent story in The Atlantic states that effective in about two months, Google will no longer allow advertisements for companies which make loans due in less than 60 days, or in the US, with interest rates above 36% APR. (I have reviewed the terms for many such loans, and I have yet to see a payday loan or title loan company offer a loan anywhere near as low as 36% APR; usually it’s at least 200% APR, sometimes over 400% APR.)

I am not sure of the reason for the two-month delay in prohibiting the ads, but this is a rare occasion where I believe Google is doing the right thing. Even better, it appears the motivation behind this is completely moral and ethical, as opposed to just avoiding bad PR or lawsuits from end users. From a statement written by David Graff, director of global product policy at Google:

In that vein, today we’re sharing an update that will go into effect on July 13, 2016: we’re banning ads for payday loans and some related products from our ads systems. We will no longer allow ads for loans where repayment is due within 60 days of the date of issue. In the U.S., we are also banning ads for loans with an APR of 36% or higher. When reviewing our policies, research has shown that these loans can result in unaffordable payment and high default rates for users so we will be updating our policies globally to reflect that.

This change is designed to protect our users from deceptive or harmful financial products and will not affect companies offering loans such as Mortgages, Car Loans, Student Loans, Commercial loans, Revolving Lines of Credit (e.g. Credit Cards).

[…]

[O]ur hope is that fewer people will be exposed to misleading or harmful products.

Now, I will concede that it was perhaps not the brightest move for what was at the time called Google Ventures, now called GV (the venture-capital arm of what used to be Google, Inc., now Alphabet, Inc.), to provide some of the seed funding for LendUp back in 2013. (One of LendUp’s products is short-term, high-APR loans of the sort which won’t be able to be advertised on Google when the new rules take effect. LendUp’s other products are not nearly as predatory, and I even applied for their credit card not too long ago. Still, a lot of people criticize LendUp for their high-APR short-term loans, and I don’t blame them.)

GV would probably like to have that one back now, and I don’t blame them. There is a Chinese proverb which states “The best time to plant a tree was 20 years ago; the second best time is now.” I think a form of that certainly applies here. GV can’t fix the past, but Google can certainly make a move towards a better future. Even the best companies make mistakes: Ford’s Edsel marque, New Coke, the 1960-1963 Chevrolet Corvair just to name a few. While GV and Google are completely independent of each other now, it is my hope this move signals a true change in direction going forward for all companies under the Alphabet umbrella.

Censorship and the Hollywood Sign

I read with interest some months ago a Gizmodo article entitled “Why People Keep Trying to Erase the Hollywood Sign From Google Maps”. My interest came first as a freedom and digital rights advocate, and second as a frequent contributor to OpenStreetMap. The latter of these is particularly important as you will see shortly. (Yes, the article is a bit old, but the larger issues are just as important today, and will become no less important as time goes on.)

The Gizmodo article was written by Alissa Walker, who is perhaps best known for her blog awalkerinla.com and specifically this post from June 2011 entitled “The best way to see the Hollywood sign”. In the Gizmodo article, something very disturbing is noted: with the advent of GPS technology, area residents are resorting to putting pressure on the likes of Google, Apple, and Microsoft (Bing Maps) to divert those asking for directions to the Hollywood Sign to either Griffith Observatory or Hollywood & Highland Center.

Such is the problem with relying on corporations for one’s mapping data: corporations are controlled, in the end, by stockholders, who decide it’s in the corporation’s best interest to do such things to avoid a lawsuit. The article goes on to share Alissa’s own experience getting legal threats from a homeowner in the area of Lake Hollywood Park. The threat as quoted from the article:

Please immediately cease and desist from using 3204 Canyon Lake Drive and 6161 Mulholland [Hwy] or any other residence as the address for the Hollywood Sign and change the address to one of the two official viewing spots sanctioned by the Hollywood Sign Trust as shown in their map. The locations are: Griffith Park Observatory and the Hollywood and Highland Center…

Please be advised that up to this point your actions may have simply been due to an oversight of the local situation. However, should the address not be changed going forward, you may [be] named in a lawsuit and be held liable for damages in an accident or due to your knowing and/or negligent continuing direction of visitors to the viewing spot at 3204 Canyon Lake Drive and 6161 Mulholland Hwy.

As mentioned later in the article, Alissa also got some photos emailed to her from the same homeowner showing illegal parking attributed to her directions. The way I see it, the tourists driving in the area are the ones responsible for parking lawfully according to the laws of the state of California and the laws of the appropriate city (whether Hollywood or otherwise). To pin vicarious liability on Alissa for the actions of others is absurd. Information, such as that which Alissa gives out, carries with it the responsibility to use it wisely and obey the applicable laws. It is the same as if someone posted the location of a good fishing spot; using the information about where the spot is would not be an excuse to violate daily catch limits or other boating regulations (unless the person posting the location were to do something stupid like include “warden never patrols this area” or “don’t worry about the limit”).

Alissa wrote another article for Gizmodo entitled “There Is No Such Thing As An Unbiased Map” a short time later. This one focuses more directly on OpenStreetMap, but also contains a couple of other gems. Such as this one:

“If I recall correctly, back in the days of MSN maps, searching for Infinite Loop in Cupertino [where Apple is headquartered] showed a blank spot on the MSN map, as if there wasn’t anything there,” said [former Code for America fellow Lyzi] Diamond. “There is no such thing as an accurate map. It’s all up to cartographers.”

Indeed, it’s a pretty low blow to blank out the campus of a competitor company on one’s own mapping service (though I would think trusting Microsoft to get you to an interview at Apple or Google is not exactly the brightest move either). But this is where OpenStreetMap (hereinafter OSM) really comes into play, since, like Wikipedia, it maintains an audit trail of what was added, modified, or deleted, and by whom (at least a screen name, though I would assume the IP addresses are recorded somewhere as well). And yes, you can get accurate directions to the Hollywood sign using OSM data. The community behind OSM considers shenanigans like redirecting visitors to Griffith Park Observatory or Hollywood & Highland Center to be vandalism, and rightfully so.

Would our angry homeowner really sue the OpenStreetMap Foundation, or any other non-profits that financially sustain OSM? It’s certainly possible, but I would like to think most people consider suing a non-profit to be off-limits. The mere existence of OSM, however, serves as a rather powerful check on the near-monopolies enjoyed by the likes of Google, Microsoft (Bing Maps), AOL (Mapquest), Apple, and others who, until OSM became a viable alternative, enjoyed an effective oligopoly on map data. Not only do I personally edit OSM, but I wish I could use OSM every time I needed to map something. As it is, I still wind up using some other service (usually Google Maps) maybe 20% of the time as of this post.

Houston’s nominal equivalent of the Hollywood sign, the We Love Houston sign on the south side of I-10 near downtown, was among my additions to OpenStreetMap. And so far, there have not been similar issues regarding the We Love Houston sign; then again, it’s still relatively new, and while I admire and respect the work of David Adickes, I wouldn’t realistically expect it to be the same type of tourist draw in its infancy.

The Flappy Bird saga, or: why some people shouldn’t make games

I was originally going to let all the flap about Flappy Bird sail right over my head and into wherever this stuff goes in cyberspace when it’s done being popular. I am, after all, someone who is very un-picky about exactly which games I play, leaning towards GPL software instead of the latest shrink-wrapped Xbox One, PS4, or Wii titles. I thought this didn’t really concern me, but then I read Dwight Silverman’s post to TechBlog about Flappy Bird.

For some reason when I was about to read this, I had thoughts of recent articles about “rape culture” in my head. I had just finished watching a video about a human trafficking problem in Europe.

And then it all made sense.

I’m saying this as someone who never played Flappy Bird (and probably will never get a chance to thanks to Mr. Nguyen’s selfish actions).

This is why I’m leery about depending on mobile phone apps:

[Flappy Bird creator Dong] Nguyen said the main reasons for pulling the game were guilt due to its addictive quality, and the fact that the attention has made his life more complicated[…]

Games are supposed to make people happy. To Mr. Nguyen, making Flappy Bird wasn’t about making people happy. No, Flappy Bird, in the end, wasn’t really the game itself, but a piece on Mr. Nguyen’s game board. A piece which, thanks to the design of today’s mobile devices, he could choose to take off the board at his own whim. It’s about control, about the opportunity to impose his own morals on those who partook of the game for whatever reason.

Indeed, I think Mr. Nguyen is exactly the kind of person Richard Stallman is warning us about when he refers to the emotional argument in his essay “Why Software Should Be Free”:

The emotional argument goes like this: “I put my sweat, my heart, my soul into this program. It comes from me, it’s mine!”

This argument does not require serious refutation. The feeling of attachment is one that programmers can cultivate when it suits them; it is not inevitable. Consider, for example, how willingly the same programmers usually sign over all rights to a large corporation for a salary; the emotional attachment mysteriously vanishes. By contrast, consider the great artists and artisans of medieval times, who didn’t even sign their names to their work. To them, the name of the artist was not important. What mattered was that the work was done—and the purpose it would serve. This view prevailed for hundreds of years.

(Richard goes on in his essay to mention the economic argument, which I don’t think applies here, as Mr. Nguyen deleted Flappy Bird in spite of it making him a relatively obscene amount of money.)

What if Mr. Nguyen were an arcade game programmer in the late 1970s or early 1980s? It would be as if, say, Taito could have decided that those who hadn’t yet played one game of Space Invaders at a given point in time could never do so for the rest of their lives, in light of a shortage of 100 yen coins in Japan. (Set aside for the moment that the shortage didn’t actually happen, because it easily could have if Space Invaders was as popular in 1978 and 1979 as Flappy Bird, or even something like Angry Birds, is today.) Or if Atari decided something similar for Pong or Asteroids during those crazes. You get the idea.

And the probable result? There would have been an outrage. The video game scene succeeded and became what it was, and rebounded as quickly as it did from the 1983 crash, because the companies knew their role. Once an arcade game was sold, it was sold, and there was little the companies could really do regarding how many people got to play it.

So, based on what I have read, and as an electronic game player and historian with over 30 years of experience, it is my expert opinion that Mr. Nguyen has no business making games and for him to do so is a detriment to the entire gaming community. It isn’t proper in the least for any game designer to impose their own morals or value judgments over the players of their games. Nobody else has tried to get away with this, and for good reason. Mr. Nguyen clearly doesn’t give a shit about the gaming community. It is most unfortunate indeed that Apple and Google (and, I would assume should he make Windows Phone games, Microsoft as well) will keep letting him sell games in their respective online stores in spite of this, but again, they don’t have to give a shit either, they get their cut of the revenue.

The personality of Mr. Nguyen and the personality of the average rapist are one and the same. Rape isn’t about sex, it’s about control. Control over a rape victim, control over a Flappy Birds player… one and the same. If you really love a game you’ve made, set it free (GPL).

How is a protest on Wall Street not news?

I had slacked off reading some of the latest news, so I missed some of the events going on. I particularly missed that a major protest had been going on near Wall Street, and, more particularly, that it has received almost no coverage from the news media. If anyone needs evidence of the perils of corporate-owned mass media that have the power to band together and censor the free flow of information when it is bad for corporate interests as a whole, this is it.

For those new to this whole thing, the following makes for good background reading (note that most of these will display in reverse chronological order, so you might want to page to the end and read up):

  1. The AdBusters site for Occupy Wall Street.
  2. occupywallst.org.
  3. Reader Supported News coverage.

The most important events so far are that Yahoo censored emails about the demonstrations, and that dozens of protesters have been arrested (at least 80 at last count).

This is the problem with trusting large for-profit corporations to give us our news: Disney, Comcast, GE, News Corporation, CBS Corporation, Time Warner, Clear Channel, Google, Yahoo, AOL, Hearst Corporation, Gannett Company, just to name a few. None of these corporations wants its own media outlets reporting on what could be considered an embarrassment to its own interests. Am I against the idea of for-profit media in principle? No. But something is really broken when a protest like this can go on for a week with barely any coverage in the major media outlets.

Worst of all is the flagrant censorship by Yahoo, a company I had honestly held in high regard and considered above such actions. Shame on you, Yahoo. You have no business scanning your users’ private emails for mentions of Occupy Wall Street. In addition to being censorship, this is an invasion of user privacy and a betrayal of trust.

And shame on every so-called “news media outlet” that has chosen to ignore this, putting its own corporate self-interest above doing what it has been entrusted to do: report the news. Occupy Wall Street is news. To ignore these protests is to ignore news.

I should have jumped on this sooner, and I apologize for not being more timely with this post. But the protests are still ongoing and the cause that the protests are being held for is still relevant, so I figure it is still not too late to spread the word.