Bruce was on point if so, arguing a couple weeks ago that accountability needs to happen on the manufacturers:
"What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.
Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
https://www.schneier.com/blog/archives/2016/10/security_econ... ("Security Economics of the Internet of Things")
DDOS attacks via IOT don't have to send much data per request. If my devices are doing an extra 10Mb/hour, I won't notice. 1000 homes is 10Gb/hour and that's just a few blocks in a city. 100,000 homes seems easy to hit, which is a petabyte of data per hour.
It's death by a thousand paper cuts. If my internet bill goes up a dollar per month, it's highly unlikely I'm going to debug my refrigerator to figure out how to stop it.
I would however take into consideration bandwidth bill effects of what I buy. By comparison: today I buy LED lightbulbs and energy efficient appliances because they will have a long term cost impact on my electricity bill.
I could've built something but honestly I don't have time for that anymore.
The people who bought the IoT devices probably don't even know that their device has been hijacked in a lot of cases and therefore have no incentive to sue the manufacturers.
The people being hit by the DDoS have a tricky attribution problem to prove which manufacturers are to blame and then the manufacturers could, in many cases, shift the blame to users who didn't read instructions/change default passwords/apply available security patches.
Also you have the problem of complex supply chain. A lot of the people selling these devices are just white-labelling someone else's product, so who's to blame there, the vendor or the ODM?
Lastly you have shrink-wrap style licenses that disclaim liability for flaws the the software market has been relying on for many many years to avoid any liability when their products misbehave...
Personally I don't see the market sorting this, its a classic case of negative externality where government regulation is the most appropriate way to rectify the problem
Hit the distribution channel and I suspect you'll see a rapid increase in accountability and security measures.
Remember that recently Biden openly threatened cyber attack on Russia if they make any attempt to tamper with the election. Which is completely unprecedented, as is the notion that DOD is openly saying Russia was behind DNC and other attacks.
In July 2016, Allies reaffirmed NATO’s defensive
mandate and recognised cyberspace as a domain of
operations in which NATO must defend itself as
effectively as it does in the air, on land and at sea.
This article says that "massive" cyber attacks can lead to invocation of Article 5: http://www.reuters.com/article/us-cyber-nato-idUSKCN0Z12NE
Wouldn't it be better that we on Hacker News stay above trying of define "act of war". Is it an act of war for one country to pollute air that floats over another country? Is it an act of war to launch satellites that pass over another country? These questions are governed by precise treaties today, but I can imagine politicians screaming "act of war, act of war!" at some point in the past.
It's just an arbitrary phrase used by politicians to justify whatever action or inaction they take. It will lead us to needless unproductive argument.
Why ? Because business.
Surveillance has for so long gotten all the money and mindshare A stockpile of zero days is considered a good and necessary thing. Back doors in hardware and software are considered clever and useful, and maybe even a workable compromise for domestic surveillance.
Imagine if the domestic surveillance budget had been spent instead on making Linux into an EAL6+ certifiable system and creating open, verifiable designs for chips and firmware for secure hardware platforms.
Secondly, we often joked that companies have such flawed backup and response procedures that triggering these things has a funny effect. More specifically, a lot of times in our experiences, we saw things like backups, up-scaling servers, etc. go noticeably unmaintained or poorly attended. A lot of people, especially years ago never did a great job of testing their backup systems, failovers, scaling, etc. and kept them up-to-date and secured as well as the main stuff. It's more interesting in some ways in this world of containers and VMs. One would assume things are updated, patched, and deployed exactly inline with the mainline stuff, but that's not always the case. It often takes only one slip-up and this is where a ton of people make mistakes for so many reasons. And sometimes it's easier to manipulate the protection systems to be the vector itself than the systems they are protecting.
That is to say, messing around with services sometimes can be a way of creating an open front or back door. Especially if there's malware and things that can be planted that will be less likely to be caught in the panic or otherwise deployed as a result of the panic response.
Of course all of this is more unlikely, but it's fun to think about in the same way stupid schemes that are similar in heist movies are fun.
IIRC this tactic was used during the massive Target data breach in 2014.
You tell me. Under their classification system, is stealing map data espionage?
Does application of the stolen data play a factor? ie considering the OPM breach an act of war if compromised individuals are blackmailed. Would Russia stealing the location data & capabilities of our missile defense system constitute an act of war?
You can't just have one without being able to hold all of those responsible accountable.
What Russia is trying to do with us (whether it's to influence our election or just make us seem weak) is very bad and should be met with a proportional response, but calling it an act of war seems a bit too far.
This woman is dangerous.
Did you know you're at war with North Korea?
Did you know you're not at war, and have never been, with Afghanistan?
Meaning of all that: what is or isn't "war", an "act of war" or "is" is up to people to define, and international law is easily ignored whenever states think that's a good idea.
The best definition is probably the UN's "act of aggression", see http://www.un-documents.net/a29r3314.htm. That definition does not include provisions for such situations – the only (theoretically) unarmed act of aggression is a blockade.
It reminds me of the run up to the Iraq war. Seems bad.
He's also threatening not just the Russians, but the American citizens as well... that if they try to challenge the system as it is, then the politicians would rather start a major war than to address any concerns of fraud/corruption.
I disagree with him on the point of "Who would do that?" He might be right about state level actors, but I think he discounts the motivations of crazy/disillusioned people, bored and curious people, and especially teenagers.
When I was a teenager, the Internet wasn't a thing yet, but we sure dreamed of all kinds of crazy schemes for taking out the phone company, power, anything really. We talked about anarchy and many "taboo" topics I can't mention here. The thing is we were good kids at heart and we had the discretion and morals not to act on those things. All of this happened in a time where our instant communication was the phone or meeting up in person. Today, it is infinitely easier to seek out like-minded people and to replace those who drop out. The ability to seek out confirmation and push is easier than ever as well.
Unfortunately, there are plenty of people that don't have that. Just because someone is a misguided teenager or crazy person does not mean they do not have intelligence, organization, and skills. Many of us certainly did our share of things and had the power, but I wonder what might have happened if we didn't stop ourselves in some cases. While perhaps the organization and probing nature likely hints at something else, it's really not that unusual for people to just mess around. Some people as they say also just want to watch the world burn. A couple of rough years in my teens, I certainly felt that way at times. I did plenty of things I'm not proud of, many people just have no shame and will take it that much further.
In the end I probably agree in terms of who is most likely, but I am kind of surprised that there were not more possibilities mentioned. Even 20 years ago, attacking Internet infrastructure seemed an obvious thing to do to us and we used to love talking about fun ways to ruin things over a burger at lunch. I mean is it really that hard to fathom people would think about attacking targets other than some organization, government, or other kind of company's servers?
> "But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks on Friday, Mr. York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack."
Pushing your infrastructure to cloud computing is not decentralization - it's centralization, and we're all doing it. Imagine if an attack like this was against AWS... we'd all be screwed.
The downside of course, is that whilst their infrastructure can likely handle it, handling the bill associated with 'just scale up your service' could be worse than the attack itself.
Interestingly, the presenter notes that Amazon had seen a drop in DNS as an attack vector in 2015. I asked the presenter (Product Manager) why they hadn't productized the DDoS attack dashboard so you could be aware if you were being attacked (and it was being absorbed by AWS) and his response was that there was insufficient demand at that point to justify the developer staffing. He gave me his card and asked to request the feature so he could us it to make the case internally.
Does anyone here have stories of being successfully DDoS'd on AWS (other than by their own staff :) ?
If I am an AWS customer I expect AWS to handle/prevent DDoS, same way as they do with S3 to achieve 11 9's availability (the files are saved in multiple AZs in the same region - Glacier IIRC copy files on different regions to avoid data loss in case of physical disaster).
One of the reason for choosing AWS is because AMZ has deep pockets and has the means (financial and technical) to fight against large DDoS attacks, while a smaller provider might not have to do that. Putting clients in a position to have to buy that sort of protection doesn't sound very smart to me.
I see so many people confused about this. Eleven nines is their durability guarantee, their availability that they guarantee is only 99.99%
Durability is the % of your data that doesn't die. Eleven 9s means that if you store 1TB on AWS S3 you can expect to lose 10 bytes and still be within SLA.
i.e. you could expect to lose 10 bytes of your 1TB every year if your stored it as a trillion one byte objects, but if you stored it as a single object you could expect to lose the whole thing once every hundred billion years, but none of it the rest of the time.
As a very simplified example, imagine they are expecting to lose 2 servers every day, this percentage might be the probability of those two servers storing the same exact object (and thus, losing it irretrievably).
availability means you'll get your bits immediately.
If you are an AWS customer you should have done your due diligence and know that amazon won't do a very good job at that.
Someone will always have the upper hand in an arms race, and it's not service providers yet. It's just a matter of finding the choke point between their transit and your code.
Well, the whole point of AWS is not having to deal with the usual hosting stuff. They'll naturally have lots of customers with high expectations and very little understanding of how things work in the background.
Offtopic but relevant. One of my customer moved their email to O365 without understanding the differences from being ON-Prem. Now they are struggling to adopt their business processes to then limitations MS imposes.
If the attack is tiny, sure. Otherwise they'll just cut you off.
Yet they get to claim inexhaustible capacity.
Amazon might wave the fee, but you are the first party responsible.
> My website is on Blogger, Google Sites, or Google App Engine. Am I eligible?
> As Google products, these sites already have similar DDoS protection to Project Shield. Your website would not need to be set up with Project Shield.
Unless we can somehow secure every net-connected devices, ha (I don't know whether to cry or laugh right now)
I find your language to be of high interest like you had a "dUH" moment - which I am ignorant to get myself.
The Sons rays meat
Is this analogy accurate?
I have one road to get home. It got blocked so I create 2 more roads.
I now have 3 Roads to get home. All 3 become blocked. So now I have to make another road.
More roads is redundancy and requires capital.
The roads become unblocked but I now must expect future road blocks.
If you want HA at local level you'd go with AWS AZs but if you need real HA you need can do the same at region-level.
Of course not everyone has the money/need to go down that route, but it's possible and even advised for some AWS services.
It decentralises that one company's DNS -- instead of having one or two DNS servers, perhaps at two sites, they now have 20, at 20 sites. If someone wants to target them, they're probably better protected.
But it's the same 20 servers as a million other companies, so the chance of those servers being a target is much greater.
Yeah, that's what I was getting at. I feel like my chances of being collateral damage on an attack against someone else is way higher in the cloud.
Even today with GitHub and other SaaS platforms going down, we were all affected.
But that's a fraction of the cloud. It's hard to integrate every service the hopeful equivalent of every other service.
I know of a company that pays an AWS bill sufficient to buy the equivalent of their pre-cloud datacenter's hardware every 1.5 months. The extra staff required to perform hardware maintenance would also cost about 2 months' worth of AWS each year (that means they're paying ~3x more than they would with hardware). Yet they moved to the cloud because it's the hip thing to do.
Cloud has upsides and things that are useful, especially for smaller proprietors who can take advantage of cheap droplets from DigitalOcean et al, but for grown-up companies, moving off your hardware shouldn't be automatic.
In that scenario you have a bunch of entrenched groups fighting about capex, capacity planning and budget all to get barely enough hardware to account for what you're doing in the next 3-12 months. Instead of taking a step back and creating a long term simple process for regular growth and replacement they get caught in the weeds because they have very old school mindsets.
Then you have your old school finance groups who are using terrifyingly delicate and complex interconnected spreadsheets to manage hardware expenditures and depreciation while maintaining old school draconian policies concerning CapEx budgets but allowing you to basically go nuts with OpEx.
You could try to change the culture in these entrenched groups who will view your attempts to make things better as political moves against them or you could just say "we're moving everything into the cloud" and make a complete end run around all of the people and baggage. The former is probably the "right" thing to do but the latter is going to let you focus on your product letting you get you back to being competitive.
This is only ironic if you expected moving to the cloud to be what provides the redundancy.
The BBC was affected by the Dyn outage not because they themselves relied on Dyn, but because components of their site did.
I fully agree with you about the paradox of how, in the intent to de-centralize we centralize into cloud VPSes and managed services.
The real reason for the move is that same showtune that we keep hearing in our heads and wish we could tune it out: it's cheaper to move from physical infrastructure to the cloud. It's cheaper to skimp on security by not updating IoT devices. It's cheaper to skimp on security because features need to come first. It's cheaper to outsource operational management to parties with less expertise in places that pay less. To spend less time securing infrastructure perimeters because it costs money.
We feel almost as if we feel comfort hiding behind heavyweights like Google and Amazon will protect us from the bad elements of the world, where we hear about major breaches every few weeks (eg., Yahoo being the most recent). Will this strategy pan out long-term?
With this DDOS, articles about machine learning picking up better password-cracking/guessing algorithms by having previously analyzed large volumes of passwords, major breaches in the financial world, talk of state-sponsored attacks (a la DNC emails) it certainly FEELS like the Internet has gotten a little bit more wild.
Consumer devices have to be more secure because if the low user skill level - and interest.
I am always reluctant to say "there should be a law against it" but frankly if we cannot mandate minimum standards of uogradbility and security for devices we will just keep handing over our devices to the first person to scan them.
A remote site shouldn't be able to get you banned from the Internet (by it's self); but it MUST be able to say, "This host is being abusive, restrain them from sending me data". ISPs SHOULD use that information to evaluate if a host from their network might be compromised or otherwise a negative player. ISPs SHOULD also take steps to inform, and link to educational resources, customers which are being bad citizens of the Internet. ISPs SHOULD also be financially motivated (punishments to them) for allowing too many uncivil customers online; this might take the form of instead banning that ISP from the Internet as a whole.
Okay, if I'm going to be liable, financially or otherwise, well, then we're gonna have to make some changes around here.
First off, I'm going to have to heavily filter and restrict what traffic you can send out to the Internet. What isn't filtered or restricted is going to have to be inspected, logged, and retained for a period of time.
Next, because I can't be certain that you're RFC3514 compliant and that at least some of the bits you're sending aren't malicious, I'm going to have to prevent you from sending out any encrypted traffic. Instead of allowing you to use any DNS servers you want, you're going to have to use mine (DNS is heavily abused for DDoS attacks). Outgoing e-mail will be automatically redirected to my internal smart host (STARTTLS will be blocked, by the way) and I'm gonna have to log, read, and retain it all. HTTP traffic will be transparently proxied and all requests and responses will be logged and retained.
That's just the beginning. Are you sure this is what you prefer as your "solution"?
As a network operator, I believe that your ISP should be nothing more than a dumb pipe and allow the bits that you send to pass through freely. As an ISP customer, that's how I want my ISP to act. (If something gets reported or I "notice" you for some reason then, sure, I'll look into it. Otherwise, I try to fuck with my customer's traffic as little as possible.)
I'll agree that there is certainly a problem, but it is not because of ISPs.
I agree with some of your points, but fracturing the internet is not a viable option. It might make sense if it were a healthy, competitive market instead of the near monopolies that exist today. Imagine banning Comcast, or AT&T.
The Internet has grown without proper planning using a lot of "quick and dirty" hacks (for example NATs, peering agreements) and today we just see the result. It reminds me of poorly designed email protocols that resulted in spam being the biggest part of email traffic.
If internet should wait until all use cases were created, it wouldn't exist. It's power was exactly that people could think on how to create things on top of was available. Many RFCs came afterwards.
The amount of consumer IoT currently connected with default and often outdated device settings is beyond belief.
Downside is that radio leakage licensing is fairly simple scientifically. Proving something is unhackable is harder ...
What were these rumors?
Having said this I suspect that this is not what has happened and it is most likely just a case of complete incompetence.
> Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizens to do so.
I had no idea any states allowed voting online. I wonder if the general population will ever get access to that.
Is this a reference I'm not getting, a speech-to-text error, or a simple misspelling of "absentee"?
There is a lot of talk of iot botnets but little to no evidence. This seems too vague and up in the air.
If all it takes is script kiddies and random extortionists to generate such large 1 Tbps scale attacks then we appear to be reliant on an unbelievably fragile base.
There is a growing realization of the need for more decentralization of services but these kind of attacks is going to drive more centralization if only Google scale companies can manage to stay up. I think this is drop everything and fix time for the IT profession.
"Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point. "
If their claim is true, does anyone think, it will turn many sympathizers against them? I don't think attacking normal bushiness is a good thing to do.
The motives of the attackers are much less interesting than the fact that such attacks are now possible.
Currently, the internet is very very open (as long as you don't live in certain countries). A baby monitor in Kansas can send arbitrary traffic to a router connecting a major financial services company in Hong Kong to an internet backbone. The idea, in a very hippy, world peace kinda way, is nice. But... probably not something we need to happen, much less should want to happen or allow, if good sense prevailed.
We have hacks in place that can prevent that particular situation from becoming too much trouble, but if you have enough baby monitors, something somewhere is going to choke. And really this is the point to me: you [as the network service provider] should not have to have carrier-grade infrastructure to avoid this scenario. If Casey Brogrammer wants to prop up a start-up on her DSL line (do people still have DSL?) she should be able to without fear of DoS. How do we do that?
I have no idea. But i'm betting it would require some rearchitecting of the internet and heavily modified protocols. Personally, I think the global BGP tables are gross (and, let's face it people, depending on RAM to perpetually increase in size while simultaneously decreasing in cost ad infinitum is not a realistic scaling mechanism), I think the many flaws in modern tcp/ip protocols are not designed with specific enough use cases in mind, and that the generalist design of the modern Internet has become more of a hindrance to efficiency and progress than a benefit. There is absolutely no requirement that we keep engineering ourselves into a corner, and IPv6 sure as shit isn't going to solve it.
Is that really confirmed or just the reporter writing gossip.
According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet.
Seems in-between. Not confirmed, but not just conjecture either.
So my comment was a bit on the ironic / goofy side.
A conspiracy theorists dream.
I even kind of wish that somebody would do this, as it would finally provide a strong incentive for the manufacturers to think about security.
I think it's a good idea.
The energy spent for TCP/IP stack usage is negligible at best, even when pushing those embedded CPUs to 100%.
Not true, especially en masse. Even less true for wirelessly connected devices.
Also, what the power companies really care about are changes in consumption; once they've adjusted the grid parameters to compensate for an increase in power consumption, they're happy until the consumption drops off. Using wifi or any internet traffic to destabilize the grid is just not going to work because there just isn't enough raw drain available, even if the attackers could get their timing absolutely flawlessly perfect so every wifi model popped on at once.
I wouldn't call that significant (as in, impacting the global energy consumption significantly) even if thousands of devices started the attack at the same time.
Remember, people regularly operate toaster ovens, microwaves, hairdryers, etc on a fluxuating basis, and THOSE tend to consume more like 1200+ Watts for a /single/ device.
I know that DNS is organized in root zones with hierarchical subqueries. A global hosts file which contains the whole IP space is sort of unfeasible because domain names change within seconds.
However, in face of the current attacks the DNS maintainers should seriously consider to offer downloadable hosts files so that we could use them temporarily to circumvent DNS queries in cases of further attacks.
Personally, I fear we are closer to global-scale, machine-learning-based attacks that find vulnerabilities, exploit them, and change patterns on the fly. We may not have a stable internet any more.
Am I blindly fearmongering? I hope not. But these are new waters. Insecure IoT is growing every hour and there's no clear path to stop it from being exploited more and more.
If you're being attacked, I'm not sure what international law has to do with it. A country has the right to defend itself -- it doesn't require the UN to grant 'permission.' If you are in the midst of being attacked, waiting for the UN or some other disfunctional body to 'approve' would be like asking the teacher for permission to defend yourself while you're getting your face pounded in. Countries are sovereign. They shouldn't need permission to defend themselves when they are under an immediate threat.
If you're being attacked, I'm not sure what international law has to do with it.
That's incredibly naive. Trumpian almost. Even in the midst of real war (you know, when people are dying, not sitting on the couch unable to place a Prime order), we follow international law. Because we want everyone else to as well.
I mean.. only allow traffic from/to leaf nodes.
Any evidence to support that?
edit: apparently it's because I mostly read the site within the app.
"War? Whatever, so be it!". Right?
A complaint often surfaces from those that have actually lived through wars: How disconnected people are from war. Your country (I'm assuming) has been at war with various bits of the middle east for over a decade and you are not suffering the consequences. It's all remote for you. It's all drones, or "those men and women giving their life for our country gosh jolly gee we are so proud of them, so much respect".
It's not you, it's not your life, not your family's life, not your friends, your city, your streets being bombed, civilians being shot in the streets - none of that is what you've been through. The US has been exporting death, bringing none of it back home.
A warmongering country that is completely disconnected from the consequences; this is what leads to the "potentially nuclear war? pah, so be it, my internet is down anyway" attitude.
The point is not to let these guys do whatever they want. Go into Ukraine, kill UN volunteers in Syria. Let them become emboldened by different types of attacks and tomorrow we will have the type of war your talking about.
Handle these problems now that they are small.
Edit: I wanted to add that it is very often the ones who have seen what terrible tragedies happen when you let terrible people like Putin do what they want that are the biggest "warmongers". It is why you see the Israelis become so eager to defend themselves because they have seen what will happen if you don't take care of bad people like Putin when they are small.
If, on the other hand, you're saying that the Russia situation needs to be solved sooner rather than later, you'll have a hard time finding somebody who disagrees but that shouldn't come at the cost of the entire planet. That's just nihilism.
I am not advocating for war but I am saying that when dealing with things like this you have to prepare for the worst. There is one superpower here not two. You cannot let them do what they want and there has been real innocent bloodshed already because of Putins actions and positions.
I think we are closer in our line of thinking than it seems. I have a family and I would never advocate to end life on this planet. I am zealous about letting someone like Putin go with zero punishment because history has shown us time and time again where that will take us.
Like I said, you won't find anyone who disagrees (not here anyway), but you gotta know people are arguing with you because you are, in fact, in your other posts, advocating for war - even if you didn't intend to.
We do too.
Do you not think Hitler scared the whole world? If you let this guy scare you into inaction then he's already won.
But you keep telling yourself that.
The thing is that I think we don't need to repeat histories mistakes.
If the Russians are behind it, after being emboldened by Ukraine and Syria, the United States has to respond. I'm not saying all out war but I am saying we have to show the Russians that this affects everything we are about. It affects our businesses, our elections, and our way of life.
I am saying there should be military action and if that leads to war then so be it, everyone will think twice about this sort of thing again and we will all be safer because of it.
I don't think that war with any nation, much less Russia, should ever be such a casual consideration. Measured in human suffering, military conflict is inestimably more awful than brief internet downtime.
It's about messing with or elections it's about the invasions. You let it all go on long enough and you will have much bigger problems in a few years time.
But unfortunately, since Thiel has invited HN to go full /pol/ the answer you're gonna get is that it's a 400lb guy on a couch saving us from the devil.
Well gee, slow down there buddy
Sure. Respond to an cyber attack on infra by starting a physical war that will permanently remove all infrastructure. Its the equivalent of burning down your building because a neighbor cut your cable.
War should always be a last resort - only when all other options are exhausted. Especially nuclear war.