Denial of service, sit-ins and the politics of the cloud

Make Magazine's just reprinted my column, "Moral Suasion," in its online edition. It's a discussion of the politics of cloud computing, including denial-of-service attacks against cloud providers who cave to government pressure:

I grew up in the antiwar movement and participated in my first sit-in when I was 12. Sit-ins are a sort of denial of service, but that's not why they work. What they do is convey the message: "I am willing to put myself in harm's way for my beliefs. I am willing to risk arrest and jail. This matters." This may not be convincing for people who strongly disagree with you, but it makes an impression on people who haven't been paying attention. Discovering that your neighbors are willing to be harmed, arrested, imprisoned, or even killed for their beliefs is a striking thing.
And that's a crucial difference between a DDoS and a sit-in: participants in a sit-in expect to get arrested. Participants in a DDoS do everything they can to avoid getting caught. If you want to draw a metaphor, DDoSers are like the animal rights activists who fill a lab's locks with super glue. This is effective at shutting down your opponent for a good while, but it's a lot less likely to draw sympathy from the public, who can dismiss it as vandalism.

Moral Suasion

(Image: Sit-in "Giornata degli studenti", a Creative Commons Attribution Share-Alike (2.0) image from retestudentimassa's photostream)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: activism • ddos • hacktivism

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

Anonymous

Sitting in carries much more personal risk if conducted under a brutal dictatorship as opposed to a modern democracy.
Anonymous

I am surprised that no one took one certain facets of this thought any further. If DDOS attacks are cowardly and/or ineffective in changing behaviour because of their anonymity, how then can, in the digital age, people protest digitally in a way that is both VISIBLE and TRANSGRESSIVE (in the sense that what you are doing carries that “risk” of being arrested, sued etc… in public, i.e. the will to be, at least to a degree, a “public martyr” for your cause).

For example, to protest against constantly expanding and retroactive copright clauses, every facebook user could upload their own renderings and other blatantly derivate artworks of Micky Mouse. That would carry the risk of having your profile taken down, and of being sued by Disney. Yet if it was a widespread movement, it would carry a strong message.
AnthonyC

If your goal is to enact public opinion changes, then I think you’re right about visibility. At the very least, a DDoS would need to be accompanied by a visible public statement as to why the DDoS is happening. Anonymity may or may not hamper this, I don’t know.

But often the goal is to get the attention of a small group of individuals already strongly opposed to you- a corporation, a government body. Then what matters is impact- the actual disruption of their ability to do the thing that is bothering you. “We won’t let you get away with this, and our anonymity makes it nearly impossible for you to stop us without addressing our concerns.”
- Goblin
  
  Think about it, Anonymous has nothing on the Sea Shepards. You are making the assumption, a false one in my mind, that a website is the crux of operations for said actors. This may be true of modern services (Google etc.) but not for established actors.
  
  So I reject the “impact” characterization as well (unless the service exists exclusively online); for example, Taking down BPs website(s) has absolutely no effect on its operations in the Gulf of Mexico.
SKR

I’m going to have to go with Antinous here. History is replete with political activists that tried to persuade the public while remaining anonymous. Think of all the printed pamphlets authored under pseudonyms in which the vast majority of the audience had absolutely no idea what the author looked like or even if it was a man or woman or even if the author was a single person or a group.
- Goblin
  
  I don’t think you fully read my last post as I thought I made clear the idea that anonymity from a government isn’t equal to absolute anonymity from everyone else.
  
  To take an example, Thomas Paine, though publishing anonymously had the help of Benjamin Rush and R. Bell(the publisher). And beyond that we know that Paine was expressing the feelings of many within American soceity at that time. So he might have published under a pseudonym but I think it is quite the stretch to say that he was totally and completely anonymous.
  
  And there-in lies my point on what is different between this older notion of anonymity and the newer more modern one. American society is no longer homogenous like it was two hundred years ago. Frankly in the last two hundred years we’ve seen nothing even remotely equivilant to Common Sense.
  
  Did Common Sense cause the revolution, or did the collective feelings behind the revolution lead to Thomas Paine’s writing of Common Sense? I don’t think we can say with any certianty. And if you look towards history you won’t find many other examples like it.
  
  No, most change comes from those who are willing to risk themselves and their reputations in public: Martin Luther, Mother Teresa, Ghandi, Martin Luther King Jr., Malcom X, Hell even Julien Assange… The list goes on and on and there is even a historical theory named for this pattern, “the great man theory.”
  
  Recluses, and those seperated and disengaged from society don’t change soceity. And modern techno groups by being anti-social, in ways Thomas Paine was not, cannot hope to equal such success that Paine had with Common Sense
Gulliver

I agree with your assessment of why sit-ins can have an effect on society. But there is another way in which I think DDoS attacks differ starkly from other forms of protest. A brick-and-mortar place of business, such as a restaurant, isnâ€™t also the operatorâ€™s global voice. Whether a botnetâ€™s volley is leveraged against WikiLeaks or Glen Beckâ€™s rants, the effect is the same. It silences the opposition, for a brief time. Whether I agree with the politics of any particular group or not, I must ask if the denial of service strategy is a hammer that suddenly makes everything waver into nailhood the way Bugs Bunny becomes a scrumptious roast under the gaze of ever-armed Elmer Fudd. A more apt metaphor, IMHO, would be temporarily binding and gagging the targetâ€™s digital self. Is this vandalism? Of a sort, probably yes. But I think we should be cautious about simply porting meatspace actions onto cyberspace activities; much may be lost in translation. That said, a vandal may have a very noble cause. Yet is vandalism, or DDoSing, a sage tactic in its pursuit?

Addressing the other point of your article, there is another reason to be chary of the cloud. Ultimately the network on which your uploaded data resides relies on physical servers, and that means the security of those servers is a potential Achillesâ€™ heel, both to software exploits and social hacks.

But there is a larger context to the concern you raised. Our entire access to the internet, not merely cloud services, is ultimately vulnerable to the choke points of ISPs and IXPs. As long as the infrastructure of modern mass communications depends on expensive corporate-owned, government-subsidized backbones, the user must tread lightly. The more governments notice this, and the more courts notice they can enforce bureaucracy by taking ISPs to task for not using it to keep userâ€™s in line, the lighter we will have to tread if we want to stay online. Worst of all, this will primarily serve to censor those who do not know how to disguise their traffic, which leaves only a small percentage of relatively elite users and anyone with the forethought to hire such know-how. Hardly the hopeful dream of an open netizenry.

I am slightly concerned and surprised that more of the geekosphere has not, as yet, turned their attention to this difficult but not intractable problem.
phisrow

DDoSes certainly aren’t analogous to sit-ins; but I suspect that that is largely by design.

As you note, moral suasion doesn’t work against people strongly committed against you. Nor can it reasonably be expected to work against shareholder-value-focused amoral corporations(particularly ones with minimal consumer/retail presence: Mr. Retailer at least cares about his public reputation; but Mr. B2B or Mr. Defense contractor only cares about his customer reputation, and his customers are Not the public).

Whether one approves of them or not, DDoSes seem much more akin to the ‘plant a timebomb and then phone in enough warning for people to evacuate; but not enough to find it and save the infrastructure’ style attacks that are sometimes used.

The point is not to morally sway, since the target is the enemy who is strongly committed against your cause; but to (at the least possible cost to yourself, to have some hope of not being crushed out of hand) demonstrate to a superior force that you have ways of making them suffer if they mess with you.
- Cory Doctorow
  
  I think that, tactically, you’re probably right about when and how a DDoS is effective at attaining one’s goals. The problem is that DDoS’s practicioners often analogize their actions to sit-ins, which I think is just wrong.
Cowicide

Cory…

The corrupt kleptocracy is run by people who have the huge advantage of being able to widely disperse fear, confusion, distrust, war, sickness, death, hatred, loathing and lies through television and radio at an enormous rate. It’s toxic pollution through media dissemination and saturation.

As long as the majority get their information through these extremely wide channels, there’s really not much that can be done to spread (f)actual information except by slowly grinding away at it from within its core.

The only way to fight corporatists is where they are most weak… and their only weakness is their own greed and haste. To make a quick buck the national news media will sensationalize the attacks and through this haste some (f)actual information slips through the corporatist editors (censors).

Through the attacks, millions of people have learned (through national media) that other people actually DO support Wikileaks and that’s led to questions and dispersal of information. It’s given people hope that there are “the others” out there.

Will there always be idiot Americans who completely ignore all the atrocities/war crimes that are exposed by Wikileaks and merely focus all their hatred on the whistleblowers and hacktivists? Yes, absolutely. But the attacks aren’t for them. They are already long lost. They are the folks that will tow the corporatist line no matter what facts are put before them.

As I already said here in a thread of familiar vein (December 10th of last year) – In regards to how the attacks are “hurting the cause” for Wikileaks after elements of 2600 magazine raised concerns:

- – - – - – - begin snippet – - – - – - -

The people that had the critical thinking skills to support wikileaks in the first place; still support them now. Or is it only you, dear 2600 writer, that has those elite skills as well?

Do they need hacker skills to participate in protest? NO. They need critical thinking skills, thank you very much. These attacks are a call to action to the people who still have healthy skepticism and aren’t fully indoctrinated by television and radio.

Itâ€™s not a whimper. Itâ€™s a stern voice by the public, thatâ€™s says, â€œNO MORE. You corporatists have stepped over the line.â€ And, the more people support this stern voice, the better.

If you think a boycott is going to penetrate the indoctrinated through the corporatist media firewalls, GOOD LUCK with that, because it hasnâ€™t happened in decades.

The media will hardly cover the boycott and itâ€™ll die with a whimper if it’s not propagated by the mainstream media. The attack is covered by the mainstream media because it makes them money. It draws interest and advertising. A boycott will help, but will not work alone at this point… itâ€™s too quiet, my friend. You absolutely have to use the corporatist media in ways where it’s weak and it’s only weakness is greed. They will cover the actions only if it’s interesting to the general public and it makes them…. MONEY.

Are you trying to tell me there would be this much interest if there had only been a small boycott right now? C’mon… I thought you had elite critical thinking skills.

The boycott needs to get HUGE. These attacks will have made that possible, nothing else could get through the mainstream media corporatist firewall.

Meanwhile: WikiLeaks grows stronger as supporters fight back

I respect 2600 magazine… but, that 2600 Hz whistle doesnâ€™t work anymore, youâ€™ll just be blowing hot air and nothing else. Itâ€™s time to realize the dynamics of the day.

- – - – - – - end snippet – - – - – - -

The truth of the matter is, this IS working whether you’re comfortable with it or not.
- Cowicide
  
  haha… whoops… I’ve should’ve actually read through this before I hit submit… The second “begin snippet” should read “end snippet”… shiot.
  - Antinous / Moderator
    
    I’ll just tidy that up.
- Cowicide
  
  Also interesting how NPR seemingly wiped that article off their server… (my link at the bottom) – I can’t find it anywhere on npr.org now, not even a summary… and I guess it’s wiped from google too? Hmmm…
randomguy

“Discovering that your neighbors are willing to be harmed, arrested, imprisoned, or even killed for their beliefs is a striking thing.”

I’m sorry but I feel compelled to call bullshit on this statement. A sit-in held in North America (or even most places in Europe) will, at worst, result in a trip to the cop shop where you’ll be processed and released. The ringleaders might be arrested and charged. But even then, it’s unlikely. To pretend that you’re legitimately risking life and limb during a sit-in here is a completely self-serving fallacy designed to make you feel more heroic about your actions.
That’s not to say that sit-ins aren’t worth the time or effort. I think sit-ins can be effective. I just don’t think they’re the big deal the author would like to believe that they are.
- davidasposted
  
  Can sit-ins be effective in the 21st century? Can you think of a few examples from the last few decades where a sit-in was by most estimations successful? I can’t.
  
  “As long as you got a sit-down philosophy, you’ll have a sit-down thought pattern, and as long as you think that old sit-down thought you’ll be in some kind of sit-down action. They’ll have you sitting in everywhere. It’s not so good to refer to what you’re going to do as a “sit-in.” That right there castrates you. Right there it brings you down. What — What goes with it? What — Think of the image of someone sitting. An old woman can sit. An old man can sit. A chump can sit. A coward can sit. Anything can sit. Well you and I been sitting long enough, and it’s time today for us to start doing some standing, and some fighting to back that up.” Malcolm X, 1963
Anonymous

“grew up in the antiwar movement and participated in my first sit-in when I was 12″

Wat?

What war were you protesting in 1983?
- travtastic
  
  http://en.wikipedia.org/wiki/Timeline_of_United_States_military_operations
- Anonymous
  
  The massive Canadian Anti Falkland Island War Movement, obviously
- Antinous / Moderator
  
  The US invasion of Grenada?
RyanH

Yeah, I’d have to disagree with the idea that the effectiveness of a sit-in has very much to do with personal risk. A sit-in is a denial of service attack. In fact, almost all effective protest methods are, to one extent or another, from picketing to boycotts to more destructive methods.

Now, traditional protests definitely take significantly more physical and moral courage than the modern digital equivalents. But that doesn’t have much to do with the effectiveness of either.
- Goblin
  
  A DDoS Attack is not equivical or analogous to a “sit in.”
  
  The primary reason is that an old school sit in requires a group of people to be effective. With the force multiplication and anonymity of modern technology it is possible for a DDoS to be executed by a sole individual. A DDoS, thus, unlike a “sit in” lacks any true social peer pressure. The very fact that the DDoSer choses NOT to show his face for his cause undercuts his own commitment to that cause.
  
  There is a huge different between voting in secret and physically taking a political stand on an issue. You can’t both be a both an activist and anonymous, the two are mutually exclusive.
  
  So no DDoS aren’t even remotely comparable to a sit in as they lack both societal peer pressure and any visible sign that the DDoSer is even commited to his supposed cause.
  
  And there is another problem as well. A website is for all intents and purposes a public facade, however this public facade has no road in front of it. You can’t picket a website or organize in front of it.
  
  The only actions that can be done to websites fall into what would be termed vandalism. You can paint it, steal data from behind its walls (this might be a bit beyond vandalism), or you can force an access error. Now this last one,a forced access error, is probably the most ironic of these actions.
  
  Since website are public the DDoS Attacker might be inclined to think that his/her attack will inhibit public utility, and the attack does do this, however the attacker loses the explanatory “why”. Why is someone blocking this public utility? Well obviously nobody is standing there with a megaphone to explain themselves.
  
  There can’t be a group standing outside the website. So rather then promoting his/her cause the DDoSer simply hinders everyone, including himself.
  
  It should be no surprise then that the Lulz had to rely on their press releases/tweets and the attention of the Main Stream Media to do their actual promotion. The DDoS attack itself, unlike a sit in, accomplishes none of this.
  
  So there is no true analogy between a DDoS and a “sit in”, and to hyperbolically claim that there is only obfuscates the reality of the situation.
  
  Tron was a movie, not a model for poltical protest.
  - Antinous / Moderator
    
    You can’t both be a both an activist and anonymous, the two are mutually exclusive.
    
    Um. Most activists throughout history have operated in secret, what with the whole being executed when you get caught thing.
    - Goblin
      
      Your counter has merit; however, I wasn’t defining “activist” as “partisan” or “guerilla fighter”, I was defining it as “poltical activist” and truely how can any poltical campaign be waged in absolute secrecy?
      
      Sure you can hide from the government or any other group but it is important to keep in mind that activists, whether waging war or politics, are trying to build a broad base of support with that public. So in the end they are not “anonymous” to those they are trying to bring over to their cause.
      
      Who cares what someone’s name or nickname is when they’re right there in front of you? For example, is the person in front of you on the subway really “anonymous”? I think it is absurd to suggest that they are. Since I can ask you later, what was this person wearing? How was that person acting? And you could provide me with a description.
      
      Really we have a question here of trust. Since if you get right down to it nobody is ever completely anonymous. And this is where these online notions of activism break down. These people truely are completely anonymous and that is there unmaking. If I can’t interview someone about their views then they must not care enough about their own views to bother sharing them.
      
      Many of us here live in the western world and live in a democracy, and generally is is a bit odd to find people who are rather unwilling to share their opinions publicly. I mean what is there to hide?
      
      These activist make me think, how do we define “anonymous”? It certinly isn’t a black and white concept and in the modern context we might as well just substitue it with “forced ignorance.”
      
      As it is now the internet forces us to be ignorant of each other unless we deem it a necessity to overcome that ignorance (and even then we still have the issue of trust). Unlike the subway example, you aren’t in front of me, I can’t give your description since we don’t occupy the same space and I have no idea what you might look like.
      
      So I stand by what I said; you’re not completely “anonymous” (even if I don’t know your name) if we occupied the same space. Since I’ve been able to gather information about you and your actions, motivations, dress, manners etc.
      
      You may not trust one or more subset(s) of the population and you may wish to hide all your information (and yourself) from that/those subset(s), but that doesn’t mean that you are completely “anonymous.” Obviously there are people who you work with who know you, even if they don’t know everything about you. There are people who see you on your drive to school or work.
      
      Really its all about trust, as you highlight in your example. So if you don’t trust or act upon the greater portion of the population (or brave your face, body, and soul in front of a select group to contest their actions, like the Sea Shepards do) then how do you expect anything to change, poltical or otherwise?
      
      You can’t both be a both an activist and completely anonymous, the two are mutually exclusive within a poltical context.