Tuesday, October 25, 2016

It Was The Russians! No, Wait, It Was A Shadowy Collective! DDoS, IoT, and WTF

Last week I wrote about a minor DDoS attack that harnessed an army of small household appliances and cameras to take down websites. Then this week, there was a major DDoS attack that harnessed an army of small household appliances and cameras to take down major parts of the internet. Am I surfing the zeitgeist or what?

Reaction to these events has been somewhat puzzling. The party line seems to be something like "It was the Russians." At CBS News, the "homeland security consultant" Fran Townsend immediately pointed to Russia, asking "Is this sort of a brushback pitch from the Russians sending us a message that we should be pretty careful about engaging in this sort of cyberactivity with them because they are very capable[?]" A Guardian writer who, like me, wanted a chance to fly off the handle about the Internet of Things (IoT) and how stupid and pointless it is got the headline "Do you want your shower to help Russian hackers?"

But the same CBS story quoting expert opinion alleging state-sponsored cyber-terrorism then goes on to explain that a "shadowy collective" called "New World Hacking" had claimed responsibility. People speaking anonymously and claiming to be associated with New World Hacking said they did it to "test power," that they "sought only to expose security vulnerabilities," and that when it came to demands, there was only one: "We will make one demand actually. Secure your website and get better servers, otherwise be attacked again."

I don't know about you, but I thought these seemed like intelligent and reasonable things to say. I don't know if they're true -- whatever that means in this day and age -- but, as we say nowadays, whatever.

I was standing in the espresso line when I first encountered this news on my phone, and I decided to go and look up New World Hacking. From Google I was able to easily find their website, where I saw a simple form with boxes and a simple message -- offering DDoS attacks. Not powerful enough to bring down a government, they said, but if you want to harass your friends and stir up trouble, you've come to the right place!

OK, I am paraphrasing that part -- because New World Hackers took down their site. On their Twitter account they said they've retired, hanging it all up. Now when you try to visit their page, you just get "The fact that you are seeing this page indicates that the website you just visited is either experiencing problems or is undergoing routine maintenance."

When we're entering the realm of thermostats and children's toys taking down the internet, things are sufficiently bizarre that I can't claim to have a handle on the situation. But here are some questions I have.

1. Why am I the only one freaking out about this?

This DDoS attack was treated as news but it was not treated as major, earth-shattering news. This seems bizarre to me. If, as seems utterly plausible, someone manages to stymie major parts of the internet -- meaning people can't communicate, can't move money around, and probably can't even make stop lights work -- how long do you think it's going to be before there's no more food in the supermarket, no more water coming out of the tap, and no more electricity to charge your phone?

I feel like people have this idea that somehow because we used to do all these things without the internet we can go back to doing things "the old way." But as we've said before, that's an illusion. The analogue systems of society aren't somehow buried somewhere, ready to be dusted off and used. They're over. For example: masses of people used to be employed in huge buildings all over North America to make old-fashioned banking a thing. There's no simple "going back to the way it was."

2. Why doesn't the media talk to actual hackers?

These stories are always the same: they talk to security experts, they talk to the target of the attack (who knows nothing), they talk to some political person. Everyone says the same thing: we don't know the motives, sinister forces are out there trying to get us, there is a problem with internet security because blah blah blah reasons that people have known about for a long time.

As far as I know, one AP reporter had one DM with New World Hackers on Twitter, and some people tried to talk to people who said they'd been involved with a similar hack before. Aren't there other people who know more about this who can be interviewed? Not "security experts" but people who actually do these things and know why people do them and have relevant thoughts instead of just dumb boilerplate? Why not talk to those people?

3. What is going on with "decentralized" control?

Part of the relevant "blah blah blah" in these circumstances always has to do with how there's no one really in charge of the internet, because it's not really that kind of thing, and there's no governing body that is supposed to oversee stuff and make sure things are secure, and there's no government that contains a bureaucracy devoted to such matters. Sometimes you get the feeling that there are people who think this is a really good thing, because governments are "political" and because "decentralized" control is actually safer because of the way nodes and important parts are all distributed around instead of being physically or logically organized.

But it's no secret that when you leave things alone to organize themselves, they often ... organize themselves. What results is the opposite of decentralized control and is more like massively centralized control. This DDoS attack, for example, worked so well because the target, Dyn, was providing infrastructure and domain name support to a large number of large clients like Twitter, Netflix, and PayPal. It's not really decentralized. It's more like auto-centralized: it centralized itself.

4. Do some people sort of want it to be proto-war with Russia? 

There's a lot I just don't understand.
