Feedly gets hit by DDoS attack, refuses to give in to blackmail - chmars
http://grahamcluley.com/2014/06/feedly-blackmail-ddos/

======
ksec
Do people really get punished for it? I mean the actual ones behind those bots,
not the innocent ones that had their computer hacked without knowing.

If yes, how long does it normally take to get them? If at all? Weeks? Months?
Years?

These days DDoS seems far too easy, far too common.

~~~
claudius
Why do you think someone is innocent if they let some third party use their
computer without permission? For essentially all malware that makes your
computer part of a larger botnet, you have to be extremely careless to let it
get on your device, not dissimilar to leaving your car unlocked when it is
subsequently stolen and used in a crime (or just misused by playing kids). The
latter is illegal[0], why should the former be ok?

[0] [http://www.gesetze-im-internet.de/stvo_2013/__14.html](http://www.gesetze-im-internet.de/stvo_2013/__14.html)

~~~
paulhauggis
"not dissimilar to leaving your car unlocked when it is subsequently stolen
and used in a crime"

In the US at least, this is not a crime. If someone leaves their car unlocked
by accident, why should they get punished if someone steals it and uses it for
a crime?

Victim blaming is not the answer, it's just silly.

~~~
claudius
> In the US at least, this is not a crime. If someone leaves their car
> unlocked by accident, why should they get punished if someone steals it and
> uses it for a crime?

Negligence. If you own a powerful tool, you are at least in part responsible
for it not to be misused. Similarly to how you are usually required to keep
your guns locked away and are held responsible (at least ideally…) if someone
steals them from your kitchen table and misuses them, you are held responsible
if someone just sits in your car and drives off to kill someone.

> Victim blaming is not the answer, it's just silly.

Except that the victim in a DDoS is the person being DDoS’d, not the random
user who installed malware. If someone gave you a key and said “Enter this
flat over there, take the computer, bring it to me and I’ll give you 10€”, you
couldn’t later claim to be a “victim” because they stole your time. If someone
sends you a file and goes “double-click this and you’ll get _fantastic_ porn”,
I don’t see how you could later claim to be a victim if they stole part of
your data cap.

~~~
antsar
If someone tells you "Enter this flat over there, take the computer, bring it
to me and I’ll give you 10€", it's on you to realize that that is illegal (and
morally wrong) and refuse to comply.

"Double-click this for fantastic porn", on the other hand, will sound
perfectly legitimate to many unsuspecting computer users. And there is nothing
inherently illegal about the act.

------
mwill
I was just wondering why I couldn't hop on Feedly.

I feel sort of bad that this is what makes me finally self host my RSS reader,
since it's totally out of their control, but I've been planning on jumping
ship for a while, it's just been low priority for me. Goread has been tempting
me though, so I guess I'll check it out.

~~~
madeofpalk
If you were a former Google Reader user, you might like Feedbin. I've been
with them for the last year or however long and have been fairly happy.

~~~
publicfig
I've been using Digg Reader for a while and I'm actually kind of shocked that
most people haven't moved to that. It has its bugs (sometimes showing
incorrect numbers, the mobile app locks up sometimes), but it's honestly the
best alternative that I've found so far.

Maybe it has to do with its free-ness, as people worry about them shutting
doors like Google Reader, but if you're looking for a free solution then I'd
definitely recommend it.

~~~
dilap
I was a very happy Digg Reader user for a while, but the bugs just kept
getting worse and worse, and I jumped ship.

Now I'm on BazQux, which works very, very well and very, very quickly, but has
no mobile version and a design straight out of 1996.

~~~
__mp
And it's written in Haskell. Which makes me want to take a look at Haskell
again :)

~~~
codygman
I thought they used Ur/Web.

~~~
vshabanov
Ur/Web is used mostly for generating JavaScript and part of the web server. Most
of the backend is written in Haskell.

You can look at it in more detail here: [https://github.com/bazqux/bazqux-urweb](https://github.com/bazqux/bazqux-urweb)

------
aliasnexus0
I've been using Fever since the Google Reader shutdown:
[http://feedafever.com/](http://feedafever.com/)

I have put together install instructions here:
[http://thornelabs.net/2014/05/10/install-fever-rss-reader-on...](http://thornelabs.net/2014/05/10/install-fever-rss-reader-on-fedora-rhel-or-centos-with-ssl-and-selinux.html)

------
gkya
I wonder why nearly every self-hosted alternative RSS-reader here is a
web-app; isn't using a desktop-application desirable? Like Firefox, Thunderbird,
Liferea[1], Akregator[2], and probably lots of OS X applications?

[1] [http://lzone.de/liferea/](http://lzone.de/liferea/)

[2] [http://www.kde.org/applications/internet/akregator/](http://www.kde.org/applications/internet/akregator/)

~~~
kingnight
So much of what you're reading in an RSS-reader is web content, so naturally you'd
want to click through things in your existing browsing experience. At least
that's how I view it. I'd like to use a desktop-app but find myself never
opening or running it and instead jumping to feedly/google-reader etc.

I'd really like to have a desktop-app w/o a web service that synced to my phone,
which I also like to read RSS on.

~~~
alxndr
Multiple devices is the main reason I rely on a web service.

~~~
mike-cardwell
That's why I read RSS via IMAP. All of my devices have an IMAP client on them.
I have a script which downloads RSS feeds and sends an email to me for each
item, which is then filtered into a News folder via a Sieve filter. I spend
half my time in my email clients anyway so I may as well get my RSS fix in the
same place.

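The RSS-to-IMAP flow described above (a script downloads feeds, sends one e-mail per item, and a Sieve rule files them into a News folder) as an added, self-contained illustration. This is example code, not mike-cardwell's script: the feed XML is constructed inline, the `X-RSS-Bridge` header and the `rss.example` Message-ID domain are assumptions of this example, and SMTP delivery only happens under the `__main__` guard against a hypothetical local mail server.

```python
"""RSS-to-IMAP bridge (added example, not the commenter's own script).

One e-mail per feed item, tagged with a header that a Sieve rule files
into the News folder. The feed below is constructed sample data."""
import hashlib
import smtplib
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed RSS 2.0 feed standing in for a real download.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example Security Feed</title>
  <link>http://feed.example/</link>
  <item>
    <title>Feedly hit by DDoS</title>
    <link>http://feed.example/ddos</link>
    <guid>http://feed.example/ddos</guid>
    <description>Extortion attempt refused.</description>
  </item>
  <item>
    <title>Second wave</title>
    <link>http://feed.example/second</link>
    <description>No guid here; the link is used instead.</description>
  </item>
</channel></rss>"""

# Sieve rule filing everything this script tags into "News". Matching on a
# header the script sets keeps the rule independent of feed titles.
SIEVE_RULE = ('require ["fileinto"];\n'
              'if header :is "X-RSS-Bridge" "1" { fileinto "News"; }')


def parse_feed(xml_text):
    """Return one dict per <item>: feed, title, link, guid, description."""
    root = ET.fromstring(xml_text)
    feed_title = root.findtext("./channel/title", default="(untitled feed)")
    items = []
    for item in root.iter("item"):
        link = item.findtext("link", default="")
        items.append({
            "feed": feed_title,
            "title": item.findtext("title", default="(no title)"),
            "link": link,
            # Items without a <guid> fall back to their link as identity.
            "guid": item.findtext("guid", default=link),
            "description": item.findtext("description", default=""),
        })
    return items


def stable_message_id(guid, domain="rss.example"):
    """Deterministic Message-ID from the item's guid, so re-running the
    script on the same feed yields duplicates the client can recognise.
    The domain is an assumed placeholder."""
    digest = hashlib.sha256(guid.encode("utf-8")).hexdigest()[:32]
    return f"<{digest}@{domain}>"


def item_to_email(item, sender, recipient):
    """Build a plain-text message for one item; feed markup is not rendered."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[{item['feed']}] {item['title']}"
    msg["Message-ID"] = stable_message_id(item["guid"])
    msg["X-RSS-Bridge"] = "1"          # assumed header; matched by SIEVE_RULE
    msg["X-RSS-Link"] = item["link"]
    msg.set_content(f"{item['title']}\n{item['link']}\n\n{item['description']}\n")
    return msg


def feed_to_emails(xml_text, sender, recipient, seen_ids=None):
    """One e-mail per item, skipping items whose Message-ID is in seen_ids.
    Pass the same set across runs to avoid re-mailing old items."""
    seen_ids = set() if seen_ids is None else seen_ids
    emails = []
    for item in parse_feed(xml_text):
        mid = stable_message_id(item["guid"])
        if mid in seen_ids:
            continue
        seen_ids.add(mid)
        emails.append(item_to_email(item, sender, recipient))
    return emails


if __name__ == "__main__":
    # Hypothetical local delivery; point this at your own submission host.
    with smtplib.SMTP("localhost", 25) as smtp:
        for m in feed_to_emails(SAMPLE_FEED, "rss@localhost", "me@localhost"):
            smtp.send_message(m)
```

Persisting `seen_ids` between runs (a small file of Message-IDs is enough) is what keeps a cron-driven version from re-mailing the whole feed every time; the deterministic Message-ID means that even if that state is lost, an IMAP client that threads by Message-ID will still collapse the repeats.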
~~~
alxndr
Interesting flow!

Personally I'm beginning to hate email... sorta wish the actually-important
stuff in my email were sent to my RSS reader...

------
jackgavigan
I wonder why they're not using Cloudflare.

~~~
hueving
Cloudflare is a protection racket. Some people don't use them on principle.
They are the vendor selling chastity belts to stop rape. It is in their best
economic interest that these attacks continue.

It's sad that to run a service now the expectation is to shovel money to
another service to absorb UDP packets.

~~~
vdaniuk
It is a protection racket ONLY if they are aiding or doing the attacks. I
don't see how protecting a company from DDoS attacks is a protection racket by
itself, care to elaborate?

~~~
nothxbro
From what I have read, Cloudflare takes considerable flak because they
willingly provide services to the websites that let you buy and sell
DDoS-for-hire services.

Also, I believe their defense is "we are a proxy, not the host, go elsewhere
to complain". So, yes: they appear to allow these booters to exist and thrive
in a world where they were unable to (at this level) before.

* [http://www.webhostingtalk.com/showthread.php?t=1235995](http://www.webhostingtalk.com/showthread.php?t=1235995)
* [http://www.organicweb.com.au/17240/internet/cloudflare-secur...](http://www.organicweb.com.au/17240/internet/cloudflare-security-review/)
* [http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...](http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/)

~~~
danielweber
If Cloudflare is knowingly providing cover to the DDOS-for-hire companies
after being informed of what they are doing, that's a big bunch of bullshit
right there.

Just because a company temporarily relocates behind Cloudflare doesn't mean CF
is guilty, though. They can't vet every website before it goes up and each
time it updates.

If they aren't kicking these guys off their network for performing the same
activities they defend against, though . . . well, "racket" is kind of the
term for it.

~~~
jessaustin
If Cloudflare kicked accused DDOS-for-hires, the first step in any DDOS
campaign would become "accuse target of being DDOS-for-hire". That wouldn't
actually be a step forward for DDOS victims who use Cloudflare, because then
they would have to provide human input to some sort of appeal process ASAP,
rather than Cloudflare just working automatically to thwart an attack.

~~~
pktgen
An accusation should not be sufficient, obviously. Why can't CloudFlare take
abuse complaints, verify and take action based on that?

In fact, this is precisely what they've done in the past, though they'd only
provide the host details rather than stopping service to a site. (I don't
think they'll even go this far anymore, rather they'll give you the abuse
email for the host and tell you to have the host contact them, which is
ridiculous.) I've filed a few such complaints myself. In one instance, the
booter site didn't provide any info about its services without registration,
so I linked to the hackforums thread where it was being offered. CloudFlare
declined this as sufficient proof. Luckily, I could register an account
without payment, and that gave me the options to pay to launch attacks, so I
sent the login details to CloudFlare and they accepted that.

~~~
jessaustin
Your experience seems to contradict the insinuation that "Cloudflare is
knowingly providing cover to the DDOS-for-hire companies after being informed
of what they are doing", to which I responded. So I guess there's no problem
after all?

~~~
pktgen
I don't think it contradicts that. CloudFlare is indeed knowingly providing
cover to them. The fact that they'll give you an abuse email to the actual
host doesn't change them continuing to provide service to such sites, even
when they acknowledge a site is a booter.

~~~
jessaustin
I think we agree that any defensible policy would lie somewhere between
"ignore all accusations of booting" and "credulously believe all accusations
of booting". Re-reading your comment, I'm not sure, but are you saying that CF
are at the former end of the policy spectrum? That's regrettable.

I wonder, however, if even the latter policy would solve the booter problem.
Accessible websites are convenient for commerce, but they aren't required.

Also, any argument you make about CloudFlare could also be made about Google:
I see [http://quantumbooter.net](http://quantumbooter.net) as the second link
and [http://top10booters.com/](http://top10booters.com/) as the fifth link at
[https://www.google.com/search?q=booter+services](https://www.google.com/search?q=booter+services)

~~~
pktgen
> I think we agree, that any defensible policy would lie somewhere between
> "ignore all accusations of booting" and "credulously believe all accusations
> of booting".

I agree with this.

> Re-reading your comment, I'm not sure, but are you saying that CF are at the
> former end of the policy spectrum? That's regrettable.

Somewhat. As of my last experience with them (which was like a year ago), they
will accept abuse complaints for booters. If you can prove to them the site is
a booter, by providing documentation on the site itself (not hackforums or
anywhere else where it's being advertised, which is understandable as it's
basically hearsay, though a bit difficult) indicating the site offers a DDoS
service, they will provide the abuse@ email of the hosting company. They will
tell you to have the abuse@ people contact them directly for further details.
This is the only action they will take.

But my opinion is they should, upon confirming the site is a booter, terminate
their service to the site. It would also be nice if they would continue to
provide the host details, in addition, so the reporter can contact the actual
host and have the site taken down from there as well.

> Also, any argument you make about CloudFlare could also be made about
> Google: I see [http://quantumbooter.net](http://quantumbooter.net) as the
> second link and [http://top10booters.com/](http://top10booters.com/) as the
> fifth link at
> [https://www.google.com/search?q=booter+services](https://www.google.com/search?q=booter+services)

Very good point, thank you for mentioning.

The difference I see is that CloudFlare actively provides a service to them,
while Google is merely maintaining a keyword-based search listing for them.
That being said, I can see both sides of this one.

My views on the legitimacy (rather, lack thereof) of booters: they are a
service that serves absolutely no legitimate purpose. The sole purpose is to
perform an illegal act against another person. I know a bunch of them are sold
on hackforums as "stressers," i.e. "stress test your own server," but that
also isn't a legitimate purpose - I can see no case where one would want to
stress test their own services with some UDP or SYN flood over the Internet.
Such a thing would only be done over a private network using your own packet
generator.

------
Sharphunter
One of the problems is that the Android app is draining the battery whilst it
can't connect to the Feedly servers.

------
dewey
The original posting on their blog: [http://blog.feedly.com/2014/06/11/denial-of-service-attack/](http://blog.feedly.com/2014/06/11/denial-of-service-attack/)

> We are working in parallel with other victims of the same group and with law
> enforcement.

Last.fm has also been experiencing "network difficulties" for a few days now[0];
I'm curious if they are also being hit by the same group.

[0] [http://status.last.fm/](http://status.last.fm/)

------
septerr
When they said in their post that they were working to neutralize the attack,
I started wondering how they are doing that. If anyone else is curious, this
article - [http://www.infosecisland.com/blogview/22518-How-to-Protect-a...](http://www.infosecisland.com/blogview/22518-How-to-Protect-against-Denial-of-Service-Attacks-Refresher.html) - briefly describes how
DDoS attacks are neutralized.

------
NicoJuicy
I posted it on HN a month ago, but it wasn't popular then:
[http://selfoss.aditu.de/](http://selfoss.aditu.de/) (yes, it's opensource)

------
n1ghtmare_
What kind of lowlife do you have to be to do this kind of crap? Is this what
"hackers" do these days?

------
dailen
Best thing they can do is offer a bounty :-D That seems to be extraordinarily
effective.

------
kwestro
It looks like they got hit by a second one today.

------
frou_dh
How's this blackmail? What secret are they threatening to reveal?

~~~
rickyc091
Yep, from their blog.

"2:04am PST – Criminals are attacking feedly with a distributed denial of
service attack (DDoS). The attacker is trying to extort us money to make it
stop. We refused to give in and are working with our network providers to
mitigate the attack as best as we can."

[http://blog.feedly.com/2014/06/11/denial-of-service-attack/?...](http://blog.feedly.com/2014/06/11/denial-of-service-attack/?utm_content=bufferf6540&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)

------
stevejyim
yes.

------
coldcode
I guess the demise of XP is still a long ways off. If there were no XP users
remaining, could there still be enough hackable computers to create a large
enough botnet?

~~~
xeroxmalf
Considering a lot of intrusions happen via the web browser / plugins installed
in the web browser (flash/java come to mind right off the bat), I don't think
XP being retired has anything to do with future botnet sizes.

~~~
aikah
It's a cocktail; you can't only blame Flash or Java. The browser and the OS
running this stuff share some responsibility.

~~~
Dylan16807
Exactly how is the OS supposed to stop an exploited browser from doing
anything malicious? Even if you have strict access controls like SELinux, that
won't stop a browser from participating in a DDOS attack and changing settings
like cache or homepage to get reinfected next session. And if you _don't_
have strict access controls, like 99% of desktops, the exploited browser can
freely install all the user-mode malware it wants. So XP vs. not-XP is
completely meaningless at this stage.