Wednesday, January 18, 2012

The OTHER Internet Piracy

If you're like me, you use the Internet as a research tool. Constantly. And not just for professional endeavors. You're driving to Costco, and The Low Spark of High Heeled Boys comes over the satellite radio. Quick! Who was the bassist for the band, Traffic? You whip out your Android smartphone, and punch in "Traffic band." Google returns the Wikipedia entry "Traffic (band)" at the top of its search results. You tap, and you're instantly deluged with more information about the band than you'd ever wanted.

But not today.

Today, Wikipedia has voluntarily suspended operations to protest the proposed Stop Online Piracy Act (SOPA), otherwise known as House Bill 3261. Without going into my feelings on SOPA's utility or legitimacy, let's just say that I found myself with a bit more time on my hands than usual (in addition to an unsatisfied urge to know whether it was a Fender Telecaster or Stratocaster that Joe Strummer used). And, because of SOPA, my thoughts turned to internet piracy.

Most of the time, the phrase "internet piracy" is used to refer to electronic copyright infringement. However, I think it's important to take a closer look at the word "piracy." Piracy, according to the folks at the US Department of Defense, means:

An illegal act of violence, depredation (e.g., plundering, robbing, or pillaging), or detention in or over international waters committed for private ends by the crew or passengers of a private ship or aircraft against another ship or aircraft or against persons or property on board such ship or aircraft.
- Dictionary of Military and Associated Terms. US Department of Defense 2005.

Internet piracy would, similarly, be an act of violence, depredation or detention in or over the Internet. And it happens. Every day. Take this little gem, for example, about the ongoing cyber war in the Middle East. The Israeli stock market website was slowed to the point of uselessness, and that of the Israeli national airline, El Al, was knocked offline for more than an hour.

The electronic assaults, known as distributed denial of service (DDoS) attacks, use technology that, in internet terms, is ancient. Couple this with the facts that they weren't carried out by government or state cyber warriors, but rather by regular people, and that all you need to initiate and/or coordinate such attacks is a computer, a browser and access to the internet, and things get really scary. In fact, it's not especially uncommon for companies to simply surrender to DDoS extortion attempts, paying would-be attackers tens or hundreds of thousands of dollars in protection money to make the problem go away.

It gets better. There's almost no way to defend against these attacks. A leading online security journal, Security Week, recommended the following defense mechanisms:

  1. Over-Provision; that is, preparing your network for up to an order of magnitude more capacity than you'll need in daily operations. That works beautifully if you're Lockheed-Martin; not so much if you're a small business dependent on someone else's servers.
  2. Redundant Monitoring; the use of third party services that monitor your site from many places around the clock, so that you'll know you're under attack as soon as the attack begins. Again, wonderful if you're 3M, not so much in the affordable zone if you're a mom and pop shop.
  3. Dumping the Server Logs; log data takes up space, and servers need space to respond to legitimate users. During an attack, logs can become large enough to literally shut down the server. Problem with this is, what if you neither own nor manage the server? (Bloggers, when was the last time Google offered you system administration rights to blogspot.com servers?)
  4. Know the People at Your Providers; have someone to call outside the normal customer service number who can provide fast, efficient help. Right. Because those of us who aren't Northrop-Grumman, General Motors or Lloyd's of London have a go-to guy at our internet provider who will a) answer the phone at three in the morning and b) not hang up after the use of some choice language.

In other words, if you're just a regular person, you're out of luck when confronted by a DDoS attack.

I'm as big a fan of intellectual property rights as the next person...but given the potentially devastating consequences of DDoS attacks, and the ease with which they can be implemented, why aren't they given as much airtime as the other internet piracy?

PS - Strummer used a Telecaster.

2 comments:

  1. Love the Telecaster reference, Adam. The rest scares the crap out of me.
  2. I love being vindicated as a card carrying Conspiracy Theorist. The only thing that keeps my suspense novels from being nonfiction is the govt's overt decision to keep us mushrooms in the dark. Or are they the vampires, keeping themselves in the dark? Both work, I guess. Another great article explained for the layman.