Brian Krebs's "Spam Nation"

In Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door, Brian Krebs offers a fascinating look at the mass-scale cybercrime that underpins the spam in your inbox and provides an inside peek at a violent fight among its principal players. Cory Doctorow reviews.


Online activism and why the Computer Fraud and Abuse Act must die

Courts have appreciated that even distributed denial of service attacks can be a legitimate form of public protest. Molly Sauter on the insane U.S. law used to criminalize them and other forms of online activism.


Microsoft non-pologizes for misleading judge, seizing No-IP's DNS


Yesterday, Microsoft convinced a judge to let it take over No-IP's DNS service, shutting down name service for many websites, in order to stop a malware attack. Today, the company fake-pologized.


Cyber-crooks turn to Bitcoin extortion


Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.


Basecamp, Meetup hit by extortionist's 20Gb/s DDoS

If you're a Basecamp user who couldn't get into your account yesterday, here's why: the company refused to pay ransom to a criminal who hit them with a 20Gb/s denial-of-service flood, apparently the same person who attacked Meetup and who uses gmail addresses in this pattern: "dari***@gmail.com."

How UK spies committed illegal DoS attacks against Anonymous

A new Snowden leak, reported by NBC, documents the UK spy agency GCHQ's attacks on Anonymous, which included Denial-of-Service attacks, which are strictly forbidden under UK law. As the Slashdot story notes, "Regular citizens would face 10 years in prison and enormous fines for committing a DoS / DDoS attack. The same applies if they encouraged or assisted in one. But if you work in the government, it seems like you're an exception to the rule."

NBC has published a minimally redacted version [PDF] of the GCHQ slide-deck detailing the agency's illegal hacking attacks on alleged Anonymous participants.


MIT Master's Thesis on Denial of Service attacks as a form of political activism

Molly sez, "For the past two years I've been researching activist uses of distributed denial of service actions. I just finished my master's thesis on the subject (for the Comparative Media Studies program at MIT). Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space. The internet acts as a vital arena of communication, self-expression, and interpersonal organizing. When there is a message to convey, words to get out, people to organize, many will turn to the internet as the zone of that activity.

"Online, people sign petitions, investigate stories and rumors, amplify links and videos, donate money, and show their support for causes in a variety of ways. But as familiar and widely accepted activist tools--petitions, fundraisers, mass letter-writing, call-in campaigns and others--find equivalent practices in the online space, is there also room for the tactics of disruption and civil disobedience that are equally familiar from the realm of street marches, occupations, and sit-ins? This thesis grounds activist DDOS historically, focusing on early deployments of the tactic as well as modern instances to trace its development over time, both in theory and in practice.

"Through that examination, as well as tool design and development, participant identity, and state and corporate responses, this thesis presents an account of the development and current state of activist DDOS actions. It ends by presenting an analytical framework for the analysis of activist DDOS actions."

This is a subject I've given some thought to -- after reading the introduction to Molly's thesis, I'm convinced that this is something I need to read in full.

DISTRIBUTED DENIAL OF SERVICE ACTIONS AND THE CHALLENGE OF CIVIL DISOBEDIENCE ON THE INTERNET (Thanks, Molly!)

DDoS storm breaks records at 300 Gbps

The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name Service, apparently aimed at anti-spam vigilantes Spamhaus, in retaliation for their blacklisting of Dutch free speech hosting provider Cyberbunker. At 300 Gbps, the DDoS is the worst in public Internet history.

“These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of Cloudflare. “It’s so easy to cause so much damage.”

The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

“It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.”

Spamhaus, one of the most prominent groups tracking spammers on the Internet, uses volunteers to identify spammers and has been described as an online vigilante group.

In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until its servers become unreachable. But in recent weeks, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or DNS.

As bad as this is, it could be a lot worse. An anonymous paper called Internet Census 2012: Port scanning /0 using insecure embedded devices reports on a researcher's project to scan every IPv4 address for publicly available machines that will accept a telnet connection and yield up a root login to a default password. The researcher reports that 1.2 million such devices are available online (s/he compromised many of these machines in order to run the census). These machines are things like printers and routers with badly secured firmware, visible on the public net. They are often running an old version of GNU/Linux and can be hijacked to form part of a staggeringly large botnet that would be virtually unkillable, since the owners of these devices are vanishingly unlikely to notice that they are silently running attackware, and the devices themselves are completely unregarded.

Firm Is Accused of Sending Spam, and Fight Jams Internet [NYT/John Markoff & Nicole Perlroth]

(via Hacker News)

Skype's IP-leaking security bug creates denial-of-service cottage industry


It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

HOWTO survive a DDoS attack

The Electronic Frontier Foundation has published a comprehensive, multi-lingual guide to keeping sites that are undergoing distributed denial-of-service (DDoS) attacks alive.

Denial of service (DoS) and distributed denial of service (DDoS) attacks are increasingly common phenomena, used by a variety of actors—from activists to governments—to temporarily or indefinitely prevent a site from functioning efficiently. Often, the attack saturates the target with server requests designed to flood its bandwidth, leaving the server unable to respond to legitimate traffic.

Though the owners of major sites often have the resources to fend off or even prevent such attacks, smaller sites—such as those belonging to small independent media or human rights organizations—are sometimes permanently disabled due to a lack of resources or knowledge.

This guide aims to assist the owners of such websites by providing advice on choosing an appropriate webhost, as well as a guide to mirroring and backing-up their websites so that the content can be made available elsewhere even if their site is taken down by a DoS or DDoS attack.

Keeping Your Site Alive

Denial of service, sit-ins and the politics of the cloud

Make Magazine's just reprinted my column, "Moral Suasion," in its online edition. It's a discussion of the politics of cloud computing, including denial-of-service attacks against cloud providers who cave to government pressure:
I grew up in the antiwar movement and participated in my first sit-in when I was 12. Sit-ins are a sort of denial of service, but that's not why they work. What they do is convey the message: "I am willing to put myself in harm's way for my beliefs. I am willing to risk arrest and jail. This matters." This may not be convincing for people who strongly disagree with you, but it makes an impression on people who haven't been paying attention. Discovering that your neighbors are willing to be harmed, arrested, imprisoned, or even killed for their beliefs is a striking thing.

And that's a crucial difference between a DDoS and a sit-in: participants in a sit-in expect to get arrested. Participants in a DDoS do everything they can to avoid getting caught. If you want to draw a metaphor, DDoSers are like the animal rights activists who fill a lab's locks with super glue. This is effective at shutting down your opponent for a good while, but it's a lot less likely to draw sympathy from the public, who can dismiss it as vandalism.

Moral Suasion

(Image: Sit-in "Giornata degli studenti", a Creative Commons Attribution Share-Alike (2.0) image from retestudentimassa's photostream)

Anonymous infighting: IRC servers compromised, IP addresses dumped, claims of coup and counter-coup

The IRC servers used by AnonOps have been compromised and taken over by "Ryan," who is reportedly a young man in Essex, England. These servers were used to plan and coordinate many of the denial-of-service attacks that flew the Anonymous flag, including the recent attack on Sony. Ryan says he seized control of the servers and lots of other infrastructure in protest of a secretive cabal of Anonymous "leaders" whom, he claims, secretly steer Anonymous's debate over which targets to hit and for how long using private IRC channels.

Anonymous claims to have no leaders, but it also lacks any sort of structure through which such a claim could be made -- that is, lacking any constitution or formal decision-making structure, there is no clear way in which an official "no leaders" policy could be ratified and articulated. If no one can speak for Anonymous, can anyone say (on behalf of Anonymous), "We have no leaders?" It's the key question in this bit of drama, because the ousted "leaders" have made counterclaims that Ryan acted as he did in order to establish himself as leader of Anonymous.

Others argued against this equivalence. "Ryan was the dictator, not the one who decided to solve the dictator problem," said one. Another responded, "Lol, how do you know? For all you know, Owen and Ryan are just the classic generals duking out to take over."

For his part, Ryan told the UK's Thinq today that he shared the concerns over private decision making. Owen and the other leaders "crossed the barrier, involving themselves in a leadership role," Ryan said. "There is a hierarchy. All the power, all the DDoS--it's in that [private] channel."

But among those who backed AnonOps, one thing was clear: Ryan needs to get got. Anons quickly embarked on a mission to find Ryan "dox," and quickly unearthed what they said was his full name, his home address (in Wickford, Essex, UK), his phone number, his Skype handle, and his age (17).

The hackers hacked: main Anonymous IRC servers invaded

(Image: Anonymous Declaration of IndepenDance. Wallpaper (3923x4656), a Creative Commons Attribution (2.0) image from thinkanonymous's photostream)

Westboro Baptist Church attempts to lure Anonymous into attacking it?

Last week, many news sources reported that the Anonymous movement had issued a threat against the notorious real-world trolls at the Westboro Baptist Church, made up mainly of the extended family of Fred Phelps, who picket AIDS funerals with "God Hates Fags" signs, as well as trolling Jewish groups, military funerals, and other sensitive sites.

Now, some members of Anonymous have issued a press release disclaiming any threats against the Church. They claim that the Church had trumped up the threat in order to lure Anonymous supporters into launching a denial-of-service attack on the Church's site, which the Church could backtrack and use as the basis of a series of lawsuits against Anonymous participants.

I believe it. Close observers of the "Church" have opined that Phelps and his family have no particular strong beliefs, but rather that they are aggressive litigants who use shock tactics to lure private individuals and local police and governments into attacking them or abridging their rights. The family then brings lucrative civil action against all parties. It sounds like a sweet little racket if you're an utter sociopath.

If the threat from Anonymous was really trumped up, it's a pretty fine forgery, one that shows a high degree of attention and subtlety from the Phelps side -- someone there is a damned fine mimic of hacker bombast. It's also clever in that it attacks Anonymous in its weakest spot: the absence of any visible, formal governance structure makes it hard to sue or shutter Anonymous, but it also makes Anonymous vulnerable to these false-flag attacks and hoaxes (and it means that Anonymous has no institutional basis with which it might, for example, hire attorneys to sue Phelps or defend its members should Phelps sue them).

"You thought you could play with Anonymous. You observed our rising notoriety and thought you would exploit our paradigm for your own gain," said the group in a press release.

"When Anonymous says we support free speech, we mean it. We count Beatrice Hall among our Anonymous forebears: 'I disapprove of what you say, but I will defend to the death your right to say it.' "

The hacktivist group said that, along with looking for more attention, the Westboro Baptist Church wanted to lure DDoS attackers into a "honeypot."

"They've got their ports wide open to harvest IPs to sue. Don't DDoS, and boycott Operation Westboro," warned Anonymous.

'We're not attacking Westboro Baptist Church' - Anonymous (via /.)