
The Democratization of Censorship - rfreytag
https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
======
runeks
Are DDoS attacks really a problem for journalists getting out information to
the public, or are they more so just a problem for journalists who want to
distribute content via their own website? Wanting to run a website is
reasonable, as it enables journalists to make money on ads as well, but does
the inability to run your own website truly hamper free speech?

This seems more like an architecture problem to me, not with regards to the
Internet, but with regards to how articles are distributed: by contacting a
server that responds with the article. If I really wanted to get some
information out, I would upload it to: Google Drive, Dropbox, Amazon S3 and
any other free/cheap hosting service I know, and spread the links out on
Twitter, Facebook, HN, Reddit, etc. Would it really be possible for any
attacker to take down all these services, thus preventing the information from
getting out? Or is this more about distributing articles via a web app?

~~~
wmf
To be protected against DDoS it sounds like you need to be hosted by Google,
CloudFlare, or Akamai. Yet these companies are so influential and critical to
the Internet that journalists need to feel that they are free to criticize
them.

AFAIK Google Drive, Dropbox, Amazon S3 etc. will drop you in a second with a
"we're not getting paid enough to deal with this" error message if you bring a
DDoS down on them.

~~~
eastdakota
This is such an important point. And it is exactly why, when we launched
Project Galileo, CloudFlare's initiative to protect politically or
artistically important work online, we decided it was critical that CloudFlare
wasn't the one deciding what was "politically or artistically important."
Instead we rely on the input of civil society organizations like the EFF, CDT,
ACLU, Access, etc. If one of the partner organizations says something meets
the criteria then we have committed to protecting it, for free and no
questions asked.

[https://www.cloudflare.com/galileo/](https://www.cloudflare.com/galileo/)

We offered to protect Brian's site under Galileo for free. Had he taken us up
on our offer, which remains open, I would hope he would continue to be as
critical of CloudFlare as he always has been.

And I hope we've established some credibility in not abusing the position of
trust we occupy. For instance, when we protected Spamhaus from a large DDoS
attack years ago we specifically made it clear we'd never ask them to treat us
any differently than any other organization they monitor. And we haven't. And,
to this day, Spamhaus remains one of our biggest critics. And they remain a
CloudFlare customer.

Here's a talk I gave last year at Blackhat about the risks of ideas being
suppressed on an Internet that is increasingly controlled by a small handful
of providers:

[https://youtu.be/V-Pj0lrr168](https://youtu.be/V-Pj0lrr168)

It's something we worry about all the time and I'm glad more people are
beginning to discuss the risks it poses.

~~~
fdsaaf
Does Project Galileo cover political expression you consider problematic
though? It's easy to support free speech with which you agree. The real test
is whether you support it when it's reprehensible.

~~~
eastdakota
Yes. There are lots of things that I personally believe are incredibly
abhorrent that use our network. I'm not proud of them, but I am proud that we
don't censor them.

~~~
kyledrake
It seems to me that a vast majority of the for-profit DDoS attack sites
([https://www.google.com/#q=ddos+booter](https://www.google.com/#q=ddos+booter))
use Cloudflare to protect the component of their operations that takes the
payments to attack people like Brian Krebs, including the one he wrote about
that triggered this entire thing
([http://krebsonsecurity.com/tag/cloudflare/](http://krebsonsecurity.com/tag/cloudflare/)).

Forget "state sponsored actors", people executing these attacks are just as
likely teenagers with a spare $20 that can use these DDoS attack services to
execute a serious DDoS attack in minutes, just for the hell of it.

The point Brian is trying to make in this article is that DDoS attackers have
become the true censors of the web. By protecting their ability to profit from
DDoS attacks, are you protecting their "free speech rights", or are you
instead protecting the real censors of consequence here?

I know you take action on malware and phishing attacks being propagated from
your service. A lot of us out here in the NOC world struggling to keep the
internet running (and now starting to fail at it) would really appreciate it
if you added "DDoS attack sites" to that list.

~~~
eastdakota
Yes, you can see Brian's critique of us here:

[https://www.youtube.com/watch?v=wW5vJyI_HcU](https://www.youtube.com/watch?v=wW5vJyI_HcU)

Skip to minute 19:35. Then skip to the Q&A at minute 45:00 to hear my
response.

~~~
kyledrake
I'm glad to hear about your concern about "the risks of ideas being suppressed
on an Internet that is increasingly controlled by a small handful of
providers". I share the same concerns. But I think we differ on the best way
to improve this problem.

Your approach is to try to avoid taking down any content proxied behind a
single consolidated service, which is controlled by a single organization and
is managed under ASNs and IP addresses assigned to you and under your control.

The approach I prefer is to try to improve the problem by _decentralizing_
control of autonomous systems - putting more ASNs, IP blocks and SSL
terminators into the hands of independent operators, which makes it harder for
governments to single out organizations for things like, for example, mass
scale wiretapping via FISA court orders. ASNs are also previously where legal
precedent generally accepted that autonomous service providers exist for
purposes of handling legal issues, and are the spot where one's strong control
over their "Terms of Service" generally begins (though the IP transit provider
will usually set a few anti-network-abuse policies
([https://he.net/tos.html](https://he.net/tos.html)), including DDoS related
ones, realizing that protecting speech has to be balanced with maintaining the
health of the internet).

The point I want to make is that the problem with adding "DDoS-for-hire" sites
to your list of protected speech is that it directly harms the latter approach
of improving decentralization and diversity of ownership in a way that no
other service that has existed has ever done before. By making it so that
those independent groups require an enormous amount of routing equipment and
bandwidth in order to run their own services without risk of DDoS attacks, or
being forced to hide their autonomous systems behind another autonomous system
(like yours), I strongly believe that not only is your organization directly
contributing to the consolidation problem on the net, but that your
organization, by enabling these attackers, may even be the leading cause of
it.

I have no problem with your anti-censorship policy. I don't think anyone in
here does. I would even defend your right to proxy a terrorist web site. But
even IP transit providers make exceptions related to DDoS for the health of
the internet itself. If it comes down to a choice between protecting DDoS-for-hire
sites and protecting the internet itself, which one is the right choice?

~~~
striking
It's hard to say exactly what "protecting the internet itself" really means.
And besides, if Cloudflare can offer this protection to both bad apples and to
legitimate journalists, then they never even have to make that choice. It'd
just be a false dichotomy.

I appreciate your concerns in the sense that the web is no longer
decentralized. You might be interested in
[http://zeronet.io/](http://zeronet.io/), which is at least an interesting
attempt in encouraging decentralization. But let's face it. Cloudflare is
hardly forcing the rest of the web into centralization. They're just helping
to protect people that sign up for it, regardless of who they are. They're not
here to judge who stays up or not. I feel like that is more in the spirit of
the internet than anything.

If Krebs worked with Cloudflare when they had made their offer, I don't think
his website would have been down. He's using Project Shield now. And that's
fine too.

~~~
kefka
If I were subject to multiple insults, on stage, by the Cloudflare CEO, I'd
sure as hell stay away. There is no good that can come from a dialogue from
such a bad actor as he is.

And I can only combine his direct insults on stage (Whereas Krebs was directed
at the service, not the man) with CF's insistent take on Tor. They are a bad
actor, bar-none.

~~~
striking
> multiple insults, on stage, by the Cloudflare CEO

Interesting. Do you have a source for that? I'd like to check it out.

~~~
kefka
eastdakota (CEO of cloudflare) posted this:

____________________________________________

Yes, you can see Brian's critique of us here:

[https://www.youtube.com/watch?v=wW5vJyI_HcU](https://www.youtube.com/watch?v=wW5vJyI_HcU)

Skip to minute 19:35. Then skip to the Q&A at minute 45:00 to hear my
response.

____________________________________________

He repeatedly badgers Krebs on "why didn't you respond to my emails to meet",
to the point they nervously laugh/cough on stage.

"Who needs to actually ask questions, as a journalist?", said eastdakota
([https://youtu.be/wW5vJyI_HcU?t=2887](https://youtu.be/wW5vJyI_HcU?t=2887)).
This was what got me. I expect better composure from a CEO than childish and
churlish jabs.

(edits were purely for formatting and separating eastdakota's writing from
mine.)

------
jsn
Yes, and this is old news, actually. We observed the rise of DDoS as a form of
censorship in Russia roughly 10 years ago. People usually think that DDoS
attacks are mostly used for extortion purposes, but in Russia it was routinely
used to suppress some independent news outlets since 2006. Of course, now
(since 2014) they have full-blown Internet censorship in Russia, so they don't
need it anymore.

------
oliwarner
Democracy isn't separate groups of individuals having —here— total power to
take a website, datacentre, even CDN offline. What's actually happened is the
consumerisation of weapons of mass destruction.

Glamourising stuff like this isn't useful. Everybody involved is doing
_something_ wrong. We should be doing more at network level to remove botnets
by removing (reporting then blocking) infected computers and servers.
Continuing to ignore them isn't working.

~~~
vintermann
Seconded. "Super-powered individuals" are the opposite of democracy, whether
they are in that position because of jockeying and electioneering, or by
buying malware services.

------
bogomipz
He mentions:

"There is every indication that this attack was launched with the help of a
botnet that has enslaved a large number of hacked so-called “Internet of
Things,” (IoT) devices — mainly routers, IP cameras and digital video
recorders (DVRs) that are exposed to the Internet and protected with weak or
hard-coded passwords."

How was the source being compromised IoT ascertained? The only way I could
imagine being able to determine that is by looking at the vendor bits on the
MAC addresses of the source. But being that IoT devices are generally on a LAN
with some RFC 1918 address you wouldn't have that information. You wouldn't
even have the MAC address of the default gateway that routed it.

Can anyone comment on this?

~~~
mhays
You can ascertain information pointing towards specific IoT devices from
things like HTTP header information. I saw a blog post a couple months ago
detailing how the author ID'd an IoT DDoS botnet, which I can't find now, but
here is a similar one: [https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-...](https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html)
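The User-Agent angle mhays mentions can be turned into a first triage pass over a web server's own access log. The following is an added example, not code from the linked Sucuri post or from any commenter: it parses combined-format log lines, clusters requests by exact User-Agent, and flags clusters in which many distinct client addresses share a non-browser User-Agent and a single target path, which is the footprint a flood from embedded devices tends to leave. The sample log lines, the regular expression and the thresholds are constructed assumptions for this example; in practice you would compare the flagged User-Agent strings against what the devices' own firmware sends, as the Sucuri write-up does.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. This regex was written for the example and
# captures only the fields the triage below needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two ordinary browser visits, then the same page fetched by
# six distinct addresses that all present an identical non-browser User-Agent.
# One line is deliberately garbled to show unparseable input is skipped, not fatal.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2016:20:03:11 +0000] "GET /2016/09/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/53.0"
198.51.100.7 - - [21/Sep/2016:20:03:12 +0000] "GET /about/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) Firefox/48.0"
192.0.2.10 - - [21/Sep/2016:20:03:12 +0000] "GET / HTTP/1.1" 200 8811 "-" "Wget/1.12 (linux-gnu)"
192.0.2.11 - - [21/Sep/2016:20:03:12 +0000] "GET / HTTP/1.1" 200 8811 "-" "Wget/1.12 (linux-gnu)"
192.0.2.12 - - [21/Sep/2016:20:03:13 +0000] "GET / HTTP/1.1" 200 8811 "-" "Wget/1.12 (linux-gnu)"
this line is not a valid log record
192.0.2.13 - - [21/Sep/2016:20:03:13 +0000] "GET / HTTP/1.1" 200 8811 "-" "Wget/1.12 (linux-gnu)"
192.0.2.14 - - [21/Sep/2016:20:03:13 +0000] "GET / HTTP/1.1" 200 8811 "-" "Wget/1.12 (linux-gnu)"
192.0.2.15 - - [21/Sep/2016:20:03:14 +0000] "GET / HTTP/1.1" 200 8811 "-" "Wget/1.12 (linux-gnu)"
"""


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def cluster_by_user_agent(records):
    """Group requests by exact User-Agent string.

    For each UA keep the set of client addresses and the set of paths requested:
    a crowd of unrelated addresses sharing one exact UA and one exact path is
    the signature worth a second look.
    """
    clusters = defaultdict(lambda: {"ips": set(), "paths": set(), "requests": 0})
    for r in records:
        c = clusters[r["ua"]]
        c["ips"].add(r["ip"])
        c["paths"].add(r["path"])
        c["requests"] += 1
    return dict(clusters)


def flag_suspicious(clusters, min_ips=5):
    """Heuristic triage (an assumption of this example, not a rule from the page).

    Report a UA when at least `min_ips` distinct addresses use it, all of them
    request the same single path, and the UA does not look like a browser.
    Returns (ua, distinct_ips, requests) tuples, most addresses first.
    """
    flagged = []
    for ua, c in clusters.items():
        looks_like_browser = ua.startswith("Mozilla/")
        if len(c["ips"]) >= min_ips and len(c["paths"]) == 1 and not looks_like_browser:
            flagged.append((ua, len(c["ips"]), c["requests"]))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    clusters = cluster_by_user_agent(parse_log(SAMPLE_LOG))
    for ua, n_ips, n_req in flag_suspicious(clusters):
        print(f"{n_ips} addresses / {n_req} requests share UA {ua!r}")
```

The "starts with Mozilla/" test is deliberately crude: some bots spoof browser strings and some legitimate tools do not start that way, so the output is a list of clusters to investigate, not a verdict. The point of the exercise is that the User-Agent arrives in the HTTP request itself, so unlike the MAC address it survives NAT and RFC 1918 addressing at the source.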

------
a3n
> BCP38 is designed to filter such spoofed traffic, so that it never even
> traverses the network of an ISP that’s adopted the anti-spoofing measures.
> However, there are non-trivial economic reasons that many ISPs fail to adopt
> this best practice.

So, it costs too much to run clean internet pipes.

As the internet is a major part of the economy, as well as access to
government (as well as government access to surveillance), it's probably time
to regulate ISPs and related players for healthy operation, like water
utilities.

~~~
meanduck
No No No. There are probably ~100K ISPs, many of them in judicially weak
countries. This will never work. ISPs are not the problem. It's a fundamental
oversight in the routing architecture of the internet.

BCP38 is Best Current Practice. Not a protocol requirement. Once it becomes a
requirement this will be solved in a _week_.

The 5 RIRs[1] are the non-profit organizations that allocate IPs and
regulate ASNs. I don't know how, but we (or the big internet boys) should
petition them to force ASNs to fix their routers.

[1]:
[https://en.wikipedia.org/wiki/Regional_Internet_registry](https://en.wikipedia.org/wiki/Regional_Internet_registry)
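To make concrete what BCP38 (RFC 2827, network ingress filtering) actually asks of an edge router, here is an added example that is not from the page, from any commenter, or from an RIR: it simulates the per-interface decision, accepting a packet arriving on a customer-facing interface only when its source address lies inside a prefix delegated to that customer, which is exactly the check that stops spoofed-source floods at the first hop. The interface names, the delegated prefixes and the packet samples are constructed (documentation address ranges only); the fail-closed handling of unknown interfaces is this example's choice, not a BCP38 requirement.

```python
import ipaddress

# Constructed topology: a provider edge router with three customer-facing
# interfaces and the prefixes delegated to the customer behind each one.
ASSIGNED_PREFIXES = {
    "eth1": ["198.51.100.0/24"],
    "eth2": ["203.0.113.0/25", "2001:db8:1::/48"],
    "eth3": ["192.0.2.0/24"],
}

# Constructed packet samples: (arrival interface, source address).
SAMPLE_PACKETS = [
    ("eth1", "198.51.100.10"),   # legitimate: inside eth1's delegated prefix
    ("eth1", "203.0.113.7"),     # spoofed: that prefix lives behind eth2
    ("eth2", "2001:db8:1::5"),   # legitimate IPv6 source
    ("eth2", "2001:db8:2::5"),   # spoofed: sibling /48 not delegated here
    ("eth3", "192.0.2.77"),      # legitimate
    ("eth3", "127.0.0.1"),       # spoofed: loopback is never a valid source
    ("eth9", "192.0.2.1"),       # unknown interface: no policy, fail closed
]


def build_ingress_filter(assigned):
    """Parse the prefix table into network objects once, for fast membership tests."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assigned.items()}


def ingress_allowed(filter_table, iface, src):
    """BCP38 decision: accept only if src lies inside a prefix assigned to iface.

    Interfaces with no entry are treated as having no legitimate sources (fail
    closed). Malformed addresses are rejected too. ip_network membership
    already returns False across address families, so a v4 source is never
    matched against a v6 prefix by accident.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filter_table.get(iface, ()))


def filter_packets(filter_table, packets):
    """Split packets into (accepted, dropped) lists of (iface, src) tuples."""
    accepted, dropped = [], []
    for iface, src in packets:
        bucket = accepted if ingress_allowed(filter_table, iface, src) else dropped
        bucket.append((iface, src))
    return accepted, dropped


if __name__ == "__main__":
    table = build_ingress_filter(ASSIGNED_PREFIXES)
    ok, bad = filter_packets(table, SAMPLE_PACKETS)
    for iface, src in ok:
        print(f"accept {src:>16} on {iface}")
    for iface, src in bad:
        print(f"drop   {src:>16} on {iface}  (source not delegated to this interface)")
```

On real equipment this decision is an ingress ACL or strict unicast RPF on the customer port rather than a Python table, and the reason it has to sit at the edge is visible in the sample: once the spoofed packet from eth1 is past the first router, no downstream network can tell it apart from genuine traffic for 203.0.113.0/25. That is also why meanduck's point matters: the filter only helps if the networks closest to the sources deploy it.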

~~~
a3n
> No No No. There are probably ~100K of ISPs,

Good point. I was thinking in a US-centric way.

Still, I'd like my ISPs in the US to be the internet equivalent of lead-free
water.

~~~
pjc50
In the current lobbying environment you're more likely to end up with a
statutory minimum of lead in your ISP (surveillance, filtering, anti-competitive
measures, anti-net-neutrality, etc.).

------
andrewstuart2
He's also put up a blog post about the incident. Apparently it's back up under
Google's "Project Shield":

[https://news.ycombinator.com/item?id=12575047](https://news.ycombinator.com/item?id=12575047)

[https://krebsonsecurity.com/2016/09/the-democratization-of-c...](https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/)

~~~
yohui
You may be thinking of this discussion, "KrebsOnSecurity is now up and hosted
on Google Cloud":

[https://news.ycombinator.com/item?id=12574428](https://news.ycombinator.com/item?id=12574428)

~~~
andrewstuart2
That's exactly what I'm thinking of. And actually, that's where I meant to
leave this comment. I must have had both open in two tabs for copy/pasting the
URL and picked the wrong one.

Much less consequential tab-tastrophe than the time I dropped a table in
production because I thought I was in my Dev tab. Backups saved my job that
day. And I never kept two SQL servers up at once after that day. :-D

------
78ytuhuyh
Your migration is interesting, since it now censors me out because I live in
Iran. So I cannot read your article. Here is my browser capture, for your
article, tab 2 for twitter, tab 3 for blogspot, tab 4 is sourceforge, and tab
5 is Nvidia!
[https://my.cloudme.com/d358b17/Capture](https://my.cloudme.com/d358b17/Capture)

------
rasz_pl
In other news, we now know it takes at least ~700Gbps to shut down companies
hiding behind Akamai.

------
kyledrake
Mirror:
[https://web.archive.org/web/20160925143639/https://krebsonse...](https://web.archive.org/web/20160925143639/https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/)

------
tomlock
Kudos to Google for stepping up here! Krebs is a valuable voice of the free
internet.

------
tjpnz
When I first saw the headline I thought this was going to be about YouTube
Heroes.

------
cantagi
Something very weird is going on - krebsonsecurity.com is resolving to
127.0.0.1. Could this be an attempt by someone's DNS servers to make the
machines in the original attacking botnet DoS themselves?

~~~
0xcde4c3db
I'm seeing the same thing. IIRC it was a mitigation measure by Akamai, perhaps
to prevent new bots from joining the attack.

~~~
nathanielc
From the post:

> I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all
> traffic destined for KrebsOnSecurity.com into a giant black hole.

Since Akamai was going to drop the "shields" on the site, instead of smashing
the hosting provider with the attack, DNS was pointed at localhost.

~~~
Senji
This seems like an ineffectual measure. Instead of giving the domain to the
individual nodes in the DDoS, I'd resolve it once and pound the IP until it
changes.

With a simple script curling the page and looking at the content to check if
it's pointed to the right server. Ignoring unroutable or inane IPs returned by
the DNS.

