Google launches Project Shield, to protect news sites from DDoS attacks

Insecure desktop operating systems (and even server/CMS vulnerabilities) has led to the creation of enormous, powerful botnets comprised of thousands, hundreds of thousands, or even millions of machines — and thanks to the law of supply and demand, it's remarkably cheap and easy to rent time on a botnet and blast any site of your choosing off the Internet.

This problem will only get worse, as badly secured smart lightbulbs and networked rectal thermometers are compromised en masse and put into botnet service.

DDoS attacks are sometimes used for petty revenge (say, against an opponent who trash-talks you on a game's chat channel); sometimes for extortion (shutting down betting websites just before the Superbowl); sometimes for political action (see, e.g., the Anonymous raids on Paypal in retaliation for blocking payments to Wikileaks), but increasingly, DDoSes are deployed by governments and political movements to shut down news sites that are critical of them.

This is especially hard on independent news sites in autocratic and developing nations, where the governments they criticize are able to buy state-level cyberweapons (often from western companies like Hacking Team and Blue Coat) and use them to attack shoestring operations. It's not just the developing world, either — the Catalan independence movement in Spain was targeted by "advanced persistent threat" attacks more commonly used by governments to attack other governments.

This is where Google's Project Shield comes through: sites pre-register with Google to "reverse proxy" their traffic through Google's cloud platform. By making a change in DNS, publishers can route all their traffic through Google. This means that a DDoS attack has to be sufficiently robust as to take down Google's cloud (much harder than taking down a WordPress install on a rack in a commodity hosting provider). It also means that Google gets to man-in-the-middle the traffic to the publisher, decrypting and re-encrypting it in transit. Google says it only uses data from its proxy service to improve the service and provide usage stats to publishers.

Routing your traffic through Google also means that your site will be unavailable in countries whose censorship regime blocks all Google IP addresses.

Importantly, Google Shield is free. Publishers can already sign up for other cloud platforms, from Cloudflare to Amazon, to protect themselves from DDoS. But those services charge by the byte, meaning that an "unsuccessful" DDoS can succeed anyway, by bankrupting small publishers with bandwidth bills.

Google says you can sign up for Shield in 10 minutes.

This is an example of what Bruce Schneier calls feudal computing, where individuals and groups swear allegiance to a large and powerful "lord" who protects them from bandits and opposing lords.

I'm not saying that feudal security is all bad. For the average user, giving up control is largely a good thing. These software vendors and cloud providers do a lot better job of security than the average computer user would. Automatic cloud backup saves a lot of data; automatic updates prevent a lot of malware. The network security at any of these providers is better than that of most home users.

Feudalism is good for the individual, for small startups, and for medium-sized businesses that can't afford to hire their own in-house or specialized expertise. Being a vassal has its advantages, after all.

For large organizations, however, it's more of a mixed bag. These organizations are used to trusting other companies with critical corporate functions: They've been outsourcing their payroll, tax preparation, and legal services for decades. But IT regulations often require audits. Our lords don't allow vassals to audit them, even if those vassals are themselves large and powerful.

Yet feudal security isn't without its risks.

Our lords can make mistakes with security, as recently happened with Apple, Facebook, and Photobucket. They can act arbitrarily and capriciously, as Amazon did when it cut off a Kindle user for living in the wrong country. They tether us like serfs; just try to take data from one digital lord to another.

Protecting news from
digital attacks

(via /.)