HOPE9 Talk: Activist DDOS: When Similes and Metaphors Fail

EDIT: The video of this talk is now up! Check it out.

I presented this talk last night at HOPE Number Nine, which has been a super fun conference.  Don’t forget to check out the slide deck, which is full of lolcats.

In the interest of getting this up fast, I’m posting the raw version of my notes.  I’ll be adding citations over the next couple of days.

ACTIVIST DDOS: WHEN SIMILES AND METAPHORS FAIL

I. INTRODUCTION

Previous characterizations of activist DDOS campaigns have traditionally fallen into one of two camps: those that unilaterally condemn activist DDOS campaigns as bullying and censorship, and those that align such actions with IRL sit-ins.  Neither of these characterizations, however, can be applied to the entire landscape of activist DDOS campaigns as a whole. Rather, each campaign must be examined individually before a judgement can be made regarding its validity as a protest action.  DDOS as a tool cannot be wholly condemned or lauded without its surrounding context.

In this talk, I’ll be examining those previous characterizations, and looking at different DDOS campaigns that do and do not fit those models.  Next I’ll be outlining the current state of play of activist DDOS.  Finally I’ll be presenting a new analytical model for looking at activist DDOS campaigns, and presenting an analysis of the December 2010 Operation PayBack DDOS campaign against PayPal.  Also, to reward all you fine people for coming out so late for this talk, there will be lots of pictures of cats.


Back from Kenya! And The Atlantic!

Yesterday I got back from the Global Voices Citizen Media Summit in Nairobi.  It was a pretty epic trip all around and I’ll be writing more about it soon.

A few hours after I touched down, The Atlantic posted my latest article on internet regulations and the hacker folk devil.  My sixteen-year-old self just gave my 26-year-old self the biggest high five.

Books that get you banned from the internet in Texas

A version of this article originally appeared on the EFF’s Deep Links blog

Earlier this month, an inmate in Texas was denied access to computers and an electronic messaging system because he ordered a copy of the information security handbook Hacking Exposed.  Does simply ordering a copy of an information security handbook render an individual a threat to the safe, secure, and orderly operation of a federal prison? Almost certainly not.

Hacking Exposed was written by three well-respected information security professionals, two of whom work at McAfee, and is intended to educate infosec professionals about the threat landscape. But the warden of the prison, and subsequently a federal district court, found that just by ordering the book, Reginald Green constituted a substantial enough threat to the orderly running of the prison to ban him from accessing the TRULINCS electronic messaging system or using computers for the rest of his incarceration.  Could the exploit information contained within Hacking Exposed be misused in the right environment? Sure, but so could lots of other things, like the hammers in the prison workshop or the weights in the prison gym.

This is an unfortunate, aggressive reaction to the social concept of “the hacker,” without pausing to consider the facts of the case.  If the book had been called “Offensive Information Security” instead of “Hacking Exposed,” would it have been confiscated, or Mr. Green deemed a threat?  We’ve seen many examples of security researchers and others calling themselves hackers and falling under undue and aggressive legal scrutiny because their motives and actions were misconstrued.  This is in part because the term “hacker” can, in general parlance, mean anything from a DIY enthusiast building portable chargers in Altoids tins to a hardcore cybercriminal selling stolen credit card numbers on a deep web message board. Individuals either calling themselves hackers or dubbed so by the media have been repeatedly targeted for publishing information on how to jailbreak your own devices. For example, Sony sued members of the hacker group fail0verflow after they revealed at CCC that they’d mathematically calculated the keys Sony uses to ensure only approved code runs on the PS3. In the same suit, Sony also sued George Hotz, better known as GeoHot, jailbreaker of the iPhone, for publishing the PS3 root key, even though he made clear he didn’t do so to enable people to run pirated games. People have also been targeted for offering jailbreaking services commercially. For instance, prosecutors brought criminal charges against Matthew Crippen for modding XBOX 360s to run DRM-free games; the charges were ultimately dismissed.

Whether you call them hackers, makers, tinkerers, or information security researchers, people on the hacking spectrum have been a boon to society for decades.  They power innovation in all sectors and operate as a valuable check on the security and stability of the technology that forms the basis for our modern society.  Their curiosity drives our economy and challenges entrenched corporate and governmental interests.  However, the word “hacker” has changed since its origins in creative prank culture and innovative computing at MIT, and is now popularly used, more often than not, as a pejorative that encourages fear-based knee-jerk reactions. Hackers are used as go-to villains by policy makers, who wave the nightmare scenario of rampant cybercrime and imminent cyberwar to justify legislative proposals that threaten to encroach on your digital civil liberties.

Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “Hacking” and overreacted.  The security paranoia displayed in banning Mr. Green from the TRULINCS electronic messaging system and from access to computers entirely also doesn’t bode well for the Bureau’s information security practices.  If the Bureau of Prisons is truly concerned about users within the prison system compromising TRULINCS, it ought to have technical measures in place to prevent users from, say, uploading or downloading attachments, installing and running programs, accessing the Internet, or gaining admin access to the workstation or local network.  If the system does allow these actions, and is relying on the lack of knowledge in its user group to protect itself (aka security by obscurity), then that is a much bigger problem than one guy ordering one book.  A Bureau of Prisons memo (http://www.bop.gov/policy/progstat/5265_013.pdf) states that an inmate can be banned from the system if they have “special skills or knowledge” of computers or the internet.  Unless those skills or knowledge were used in the commission of a crime, the BOP wouldn’t necessarily be aware that an individual possessed them.  So rather than strengthening the TRULINCS system against unknown, potentially strong actors (people who enter the system with “special skills and knowledge,” or outside attackers), the BOP here appears to be opting to take punitive action against a known weak actor (if he had the requisite skills and knowledge to compromise the network, one would assume he wouldn’t have needed the book).

What is being attacked here is the ability of individuals to pursue technical knowledge.  Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “hacking” and overreacted.

What I Did at SXSWInteractive: Hackers in the Media!

First, I’d like to point out that I’m posting this blog entry FROM A PLANE IN THE SKY.  How awesome is this particular slice of the future?

SXSW was, as usual, awesome and exhausting and loud.  I had a great time delivering my talk on depictions of hackers in the media and how that affects computer crime legislation and jurisprudence.  The audience was engaged and sharp, with excellent questions.  There’s a recording of the talk floating around somewhere, but until I find it, please check out my slides from the presentation.  There will also be a paper coming out of this research, so stay tuned for that as well.

EDIT: Audio from my talk is now up! (And when I say that the CFAA was passed in the mid nineties, what I meant to say was that it was passed in the mid eighties.  Oops. ::facepalm:: )