Kudos to both Krebs and Google for their courage. I have profound admiration for Brian's work and Google's technology.
I didn't know about Project Shield and I think it's an interesting initiative. However, for some reason it leaves me a bit unease (not as much as the idea of being taken down by a 650Gbps DDoS at will!) - not sure what it is, but we might be moving towards an Internet where only the "approved" would have "free" speech.
I really hope ISP naming and shaming takes over, so we can make DDoS a little bit more difficult.
> I really hope ISP naming and shaming takes over, so we can make DDoS a little bit more difficult.
I think naming and shaming would have little impact and whatever impact it did have would be short lived. Consumers tend to have short attention spans and zero long term memory. Take the banking/finance industry for example, were egregious, predatory and at times criminal tactics are par for the course. Banking institutions are named and shamed all the time, yet the Bank of Americas, Wells Fargos and Goldman Sachs of the world still exist.
From what I hear about the US, many people there don't even have any alternative ISP to change to...
Also changing a service provider often can be a huge inconvenience for one. For instance, if I were to learn today that my ISP makes DDoS very easy and doesn't care about the issue, I'd have a choice between one or two random small providers I don't know, and two big telecom operators that are already on my "do no ISP-related business with" list due to their annoying telemarketing.
It's also fairly standard to suffer 1-2 weeks of outages when changing ISP's, which is somewhere between unwelcome and prohibitive for a lot of people. Worse, even places with "competitive" markets often have only one provider giving decent speeds - 1-5 Mbps maximum is not a realistic option for a lot of uses.
The banking industry is heavily regulated, and getting more so. Described criminal tactics as being "par for the course" is not true.
Also, regular consumers have little recourse against large banks for many reasons (e.g many consumers have little direct contact or influence with investment banks), which is who it is up to governments and regulators. ISPs are similar in some ways, but are way more consumer controlled.
There were prior systems designed to be effectively immune to many forms of code injection or DOS from external input. They used tagged CPU's, verified protocols, separation kernels, app-level firewalls on PCI cards, etc. Many were connected to the Internet without any reported breaches.
They're mainly mutually exclusive in the common case due to lack of adoption of high-assurance techniques for security. Hell, even medium that knocks out low-hanging fruit doesn't usually get adopted. So, the problems we see were an inevitable result for all the mainstream stacks and security tech.
I may need to retract my comments about Akamai. Apparently 680gbps (or whatever it's at now) is the total amount of traffic the busiest site on the internet can be hosed with before the internet itself poops the bed.
So, you know, we did learn something from this whole saga.
I saw them report a cannon with 1.5tbps capacity (based on multiple sources), wasn't clear they were getting hit by that load though (it looked like 991gbps from what I could gather, which still I didn't know of and is mind-blowing!)
> We’ve met news organizations around the world who suffer crippling digital attacks when they publish something controversial.
Good...except Google doesn't protect you from such attacks once the US gov deems it illegal. We need a safe, anonymous protocol not the network of X corporation.
Technology alone is never going to solve this problem.
IMHO, focusing on Google's actions is not productive. All large corporations need to be watched carefully, and Google is no exception, but their motives are fairly transparent.
The real culprit here is government overreach. This is the core problem that we should be focusing on.
The law will always be abused by those in power be it corporations, individuals or governments so I think technology is actually the main part of the solution.
Google along with other parties can contribute to technologies(i.e. end to end encryption) that protect our liberties but this friendship/network sharing proposal seems just wrong to me. They can't stand to MPAA requests, let alone NSA or its friends(i.e. UK's GCHQ).
In live threatening situations you can't trust a corporation not to give your data to the local governmental authorities. I'm not even considering that their network could be hacked or they are simply a rough actor. `Fairly transparent` is not enough. The latest revelations just proved it.
If you can't publish sensitive information there can't be a debate/case for government overreach/abuse in the first place thus the reason why technology became so important.
A network like Freenet would be more appropriate for a situation like this. Its peer to peer nature is like bittorrent, so the more popular content is, the more it is replicated, and thus becomes easier to access.
It shouldn't be impossible to design a distributed network that has a positive feedback loop that makes a DDOS counterproductive, by actually boosting the targeted materials.
It was one of early threats I described on the Tor network. NSA et all could easily pay for it to be done. Consistently. Year after year. I think the only reason they haven't is that U.S. and foreign intelligence services themselves find Tor so useful. Can't take down one's own tool for disrupting the competition. ;)
Tor has too many friends. I dislike the trend of Tor being used to control botnets, but the upside is that an entire underworld now sees tor as an asset. Any non-state attacking Tor would make some very interesting enemies.
Tor can obfuscate the origin of https requests (assumedly, if we continue to believe Tor isn't infiltrated and surveiled, which it probably is). It cannot protect against DDoS attacks.
Rather than seeking a technical solution, I wonder if there is a social one.
If Google promised to upweight DDOSed articles in their (news) rankings in perpetuity, that's a strong incentive not to DDOS. It also makes sense that material one person is spending resource trying to suppress is extremely likely to be interesting to others, so it's not necessarily a bad experience for someone using the Google news.
Obviously, in the short term it's also useful if they can link to a cached copy that is still working. A systemic Streisand effect.
That's true. Although institutions deal with that kind of moral hazard in insurance all the time, so perhaps similar mechanisms could be applied here.
Perhaps sites uprated for having been DDOSed could be marked as such. We already have to make many decisions about the trustworthiness of news sources, so maybe it's just another factor.
I can also see why Google would just like to make DDOSing very hard and make the whole problem go away, rather than the mechanism I'm proposing.
That said, I think there's something gratifying about using an attacker's willingness and ability to commit resource to removing information as a signal about the value of that information. Judo chop!
> Perhaps sites uprated for having been DDOSed could be marked as such. We already have to make many decisions about the trustworthiness of news sources, so maybe it's just another factor.
Then I'll DDoS your already highly-ranked site just to trigger the "untrustworthy" mark for it in the results.
The problem with going social is the infinite capability of humans to game things like that. I strongly sympathize with the desire to "make the whole problem go away" instead.
> Rather than seeking a technical solution, I wonder if there is a social one.
there's always a social solution if you're enough of a utopian idealist. why do we go to war? isn't there a social solution? can't we all just get along?
technology steps in and makes the ground truth of the situation something incontrovertible and not subject to social disagreement. we need it specifically because we cannot rely on social solutions.
By nature, a personal (clearnet) domain is a single point of failure, because forever and always attackers know where the site is hosted. This is how DNS works unfortunately and it's very broken. No such problem exists with TOR hidden services, so krebs could have his own .ONION and it would prove very tricky to uncover the servers and boot them offline.
Another mitigation (and there are many DDOS mitigations I'm leaving out here) is duplicating the content at several different locations, which already have their DDOS mitigations in place. So if you really want to be heard, hit Google Plus, Blogger, Twitter, Pastebin, etc. Just copy and paste your message all over the Internet, and it can prove nearly impossible to censor. Bonus points for multiple 'backup TLDs' so you could have:
So, does that mean Google (and thus the American State) MitM your website traffic to protect free speech? I am thrilled! I am so happy that at least large corporations that cooperate with the ever-more pervasive surveillance state care about our privacy. /s
It does mean Google is MitMing you, but this is a service they're providing to organizations that are already at serious risk of DDoS or have been DDoS'd. Like Krebs' site, which was just hit with a 600+ Gbps DDoS.
Plus, I mean, Google Analytics and various Google-owned ads are already present on tons of HTTPS sites. That's enough to nullify HTTPS due to the XSS potential.
How are you getting Google = American State, though?
There is barely a company that visits the white house more than Google. I wouldn't be surprised if the American state has direct access right into Google's data center - it wouldn't be the first company whose server building included a government surveillance room.
This isn't going to defend content that threatens the "national security", age of consent, and copyright laws of the States. So isn't it just a declaration that Google wants to be the imperialist content police of the internet, spun under a more benevolent-seeming light?
These are at odds. One person's (politician's? corporation's?) "propaganda" is another's "Declaration of Independence." How will can you possibly tell the difference?
What would be interesting if they handover this project to an organization like the ICIJ to oversee and run while they merely take care of the infrastructure.This sort of setup can work.Provided Google provides a transparent organisation which handles the daily workings.
I do not have any issues if a any X corporation provides such opportunities.The kind of attack that Krebs faced, there is absolutely no possible scenario where a non-profit could cater to.
Every organization has a bunch of people who support the open web.This could be their voice from within Google.
PS: I am not from google or a fan boy.Just that never judge a book by its cover.Let this unfurl before we pass the judgement.
>"I’ve been toying with the idea of forming a 501(c)3 non-profit organization — ‘The Center for the Defense of Internet Journalism’, if you will — to assist Internet journalists with obtaining the kind of protection they may need when they become the targets of attacks like the one that hit my site."
Now this is an interesting proposal. A 501(c)3 would need to be unbiased, and also require a large amount of starting capital. On the other hand, a non-profit that strives to protect internet free speech is pretty alluring. I wonder if something like this could be in the next YC fund.
Of course I'm not blaming Google or Cloudflare, but it is kind of sad that larger and larger part of the Internet is moving behind their networks. I don't think this kind of centralization is good for the Internet.
The problem is that governments services and organized police and military are effectives solution to many of the problems faced in medieval times.
It's fairly easy to evade attribution, let alone apprehension, if you're a ne'er-do-weller with a broadband connection. You have no option left but to hide inside rich people's castles.
That's interesting, in the context of a quote from the KerbsOnSecurity piece which prompted this post:
John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.” This notion undoubtedly rings true for those who see national governments as the principal threats to free speech.
However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach.[1]
and also:
But as my friend and mentor Roland Dobbins at Arbor Networks eloquently put it, “When it comes to DDoS attacks, nation-states are just another player.”
At the end, if nation states are helpless on preventing this, and only being part of the problem, I say this - our benevolent feodal overlords - is the preferable solution.
That's what the "benevolent feudal overlords" want everyone to think. From all the defeatist DDoS comments I'd say they're doing a good job at it.
As Brian Krebs, myself and numerous other people have pointed out, Cloudflare could end almost all of the DDoS-for-hire attacks in an hour if they actually wanted to https://news.ycombinator.com/item?id=12577289
* Cloudflare has a growing number of competitors, like Incapsula.
* These services only protect the front-end of the booter websites. These are barebones CRUD apps for managing accounts and typing the IPs you want DDoS'd. It'd be pretty easy to throw that template up on any other server or domain. Most of that whole workflow could be replaced by IRC, Slack, Discord, Skype along with Bitcoin or similar payment methods. As proof, booter sites do still regularly get DDoS'd (usually by exposing their origin server IP or otherwise fucking up configuration) and breached (often exposing the entire user DB and source code) yet pop back up within a few days and still retain most of their customer base.
* They could just move everything to a Tor hidden service, or the equivalent to I2P.
It's the botnet and/or list of IPs and URLs (scripts and shells on compromised servers they planted or paid for access to) that serves the foundation of booter services. If that remains untouched, then the booter can stick around indefinitely.
As for whether they have a moral obligation to stop reverse proxying these sites... I think he makes a pretty good argument for why they should be considered a common carrier. They do forward all abuse reports to the respective hosting providers.
Yeah, that's pretty simplistic. There's no evidence at all that somehow removing DDOS protection for the payment part of blackmailers web presence will somehow make them go away.
Sure, chase down how they do payment. But ultimately a web front end isn't the thing that makes the payment happen.
> But ultimately a web front end isn't the thing that makes the payment happen.
The "brochure" argument makes 100% sense to me for something like the distributed web, but not for a dynamic web application. Brochures just sit there and look at you. Brochures don't take payments and process callbacks, and send commands to attack.
I don't think this is some sort of centralization.
In the end you always end up with some sort of a cable or router between you and the website that you want to visit. And these companies provide you with protection of that cable / router.
This opens more doors than the ones that it closes.
And sure, you can just detach from CloudFlare and own your traffic, but overall the benefits of using their service are more than the downsides.
another option is to host your blog on a decentralised network like IPFS. Though a massive DDoS would annoy people who use it, it's unlikely it would bring it down.
Better security models for internet connected devices is ultimately needed so people can't build these kind of botnets in the first place.
Is this something Wikileaks requested but Google turned them down? I'm wondering if there's some context to your comment or if you're just being dismissive.
I am just being dismissive. I just tend to be triggered by comments like "Most of the world lives in countries that censor the internet" that assume that USA does not do that. Wikileaks is the most blatant example, but sci-hub and Pirate Bay are other examples of US influences censoring the net.
>We’ve met news organizations around the world who suffer crippling digital attacks when they publish something controversial or that questions powerful institutions.
> Project Shield is a free service that uses Google technology to protect news sites and free expression from DDoS attacks on the web.
So CloudFlare is a service you pay for, and they seem to be hosting every despicable backwater of the internet so presumably they take no stance of the 'goodness' of the site they protect.
Whereas Shield is a free service, but only extended to those who Google deem righteous enough to protect?
I think there's room for both. There could also be room for Google extending it to a paying service, although I'd be surprised if Google would take the brand risk of extending their protection to porn sites etc irregardless of fees.
And of course every time Google stand up and protect sites like KrebsOnSecurity for free, the tech world loves them that little bit more and its a massive PR opportunity miss for CloudFlare.
Of course, every time Google stand up and protect sites like KrebsOnSecurity for free, its a massive PR loss for Akamai who wouldn't/couldn't.
Heck even at 100% on my 1080p monitor it reads 'make people in the afer?' After zooming out to 67% I have a chance. It actual content it is kind of irksome that they have 'End repressive censorship' followed by 3 items that generally are considered censorship at some level.
This is just paranoid ranting. Google is offering one way to protect yourself from DDoS. Without Google you could still do it.
Pointlessly contrarian criticism with a solid dose of conspiracy theory. Just vague complaints with no threat model. If you think there's a credible threat, provide a sequence of steps that could occur for that dangerous action to take place. Describe a potential PoC.
>while google is the master of spreading consumer propaganda and spying on people.
Equating automated behavioral analysis or ad targeting with willful communications-spying, like NSA does, is retarded. Yes, Google has been guilty of many invasive tactics and holds too much power right now, but claims that they're doing that to "suppress dissent and unpopular opinion" or "spread propaganda" will need a lot of evidence.
>The commercialization of news is the best form of censorship. You don't need to censor much when the vast majority of news is meaningless bullshit stuffed with ads and promotions, and is already controlled by organizations like Google.
How is this Google's fault in any way? Google owns a lot of those ad networks, but beyond that they're not responsible for news quality.
>Google is one of these organizations that operate without scrutiny and transparency alongside organizations such as the NSA.
Aka every other private corporation in the US? You really seem to be grasping at straws trying to make them out to be as bad as intelligence agencies.
>If you think Google will help you with anonymity, free speech, or 'unfiltered' news, you are retarded.
They're dedicating their network resources to preventing independent news websites from being censored by oppressive governments or DDoS'd by hostile entities, pro bono, and it appears to be working quite well. You've cited no specific examples of them doing the opposite, while there are many examples of them doing as they say.
I am no Google fanboy. I hate advertising and ad networks and think (or at least hope) they'll mostly die within a decade or two. I use ad blockers on all my devices and have never put a single ad on any website I've operated due to the ethical concerns.
I mean, if you want to go all out on the "propaganda" and "alongside the NSA" claims, don't just look at advertising. Google Ideas is pretty explicitly about political and government-linked activity. Any tech company can operate alongside the NSA (they don't have much choice), but most of them don't employ Jared Cohen and send their executives to tour Iraq's green zone.
I don't want to veer into conspiracy territory here - I absolutely think DDoS protection is a great project, and we need it no matter who it's being provided for.
But reading The New Digital Age was a creepy experience that made me stop equating Google's political standing with that of Apple or other US tech companies. It was very openly a love letter to state power in a way I haven't seen even from topical companies like Palantir.
I haven't read the book and was not aware of some of Google Ideas' more shady activities. Thank you, because otherwise I wouldn't have heard of any of this.
>In an email addressed to the deputy Secretary of State under Hillary Clinton dated on July 25, 2012, Cohen revealed that Google Ideas was working on a project, together with Al Jazeera, to track defectors of the Syrian Army with the explicit goal of "encouraging more to defect and giving confidence to the opposition."
I started from Assange's scathing review and decided I had to read the thing for myself. From an inside view, it's just terrible futurism (who wants to read the news on a transparent screen facing a window?), but from an outside view it's a fascinating position paper from Schmidt/Cohen.
I'm usually unimpressed with the "tech companies are all government conspirators!" paranoia, but I do have the sense that Google has chosen a way more active role in international politics than others.
>We know google spies on its users for the NSA and other agencies
No we don't. For one, every publicly-known piece of evidence suggests that after the Snowden leaks revealed the NSA illegally tapped Google's network connections, they immediately began implementing full transport encryption both between and within their own data centers. You could say they just did that to save face, but no evidence has ever suggested Google has ever wittingly provided the NSA or other agencies with intelligence (excluding responding to NSLs and similar orders).
>Google makes its money from consumer propaganda
Could you elaborate? That's very vague.
>Of course google is responsible for what content it shows in its search engine and other products, and which content providers they reward.
Google claims their news-ranking algorithm is 100% algorithmic and that humans are never involved. Is this true? Who knows. But, again, no one has provided evidence to the contrary yet.
>You seem to have one goal here - defend Google. Somehow other corporations doing wrong is what absolved google (and probably all other corporations) in your eyes. Nice try.
Most private corporations in the US lack transparency. They create tax havens, keep proprietary algorithms secret, and don't tell the public that much about their internal structure and processes. Sometimes lack of transparency is the right of the company, sometimes it's an ethical violation, sometimes both sometimes neither. Again, you'll need to cite specific examples of Google skullduggery for this accusation to hold any weight.
>Nope, they participate in censorship and will remove and website or content from their results if some government (like the US government) asks them to.
How is it so ruinous? It's a fairly bog standard way to say "naïve", "ill-advised", and so on. Hopefully you wouldn't let the rest of the content be overshadowed or dismissed by a particular pejorative. OP still makes points worthy of discussion.
Many words were once bog-standard that are now frowned upon. I agree though, it's pretty gay that you're gypped out of calling a spade a spade by these uppity, autistic commenters..
But "retarded" is in fact a different word than the alternatives you posted. Different words have different implicit and explicit connotations. So word choice and style of communication are entirely valid factors when evaluating whether an opinion is worth one's time given that we now live in a vast sea of opinions.
I suspect that people who think that how they communicate is distinct from what they communicate have not thought very carefully about the problem of communication.
What the word "retarded" communicates about the person who uses it is something I think you can work out on your own. It's one of many similar words that I often use accidentally when I mean something more precise.
It was definitely bog-standard at my middle school in the 90s, but it is definitely not in my adult world of people who have learned to empathize with people and avoid pointlessly insulting them. There are plenty of better words to use for this.
Looking at projects like this, it almost looks like Google is actively seeking to become some kind of additional branch or agency of the government -- one with powers to do what the Fed can't, so they sell their services to those same Feds. Furthermore, the revolving door around tech giants and the government atop the Snowden leaks and Google's complete dismissal of them make me think the only "transparency" Google works toward is transparency of the citizen, never the state. That kind of transparency, which we call the surveillance state, or the Panopticon to illustrate the psychological effect, produces an enormous power imbalance against whomever has less information (the citizenry). These aren't benevolent acts. They are state power plays, and Google plays along with them.
Schmidt's behavior as described by Assange is extremely concerning and bordering on frightening, but, so far, no evidence has been produced that he's dedicated any of Google's resources to his personal goals. Just because the CEO of a company has an agenda (bordering on conflict of interest) doesn't necessarily mean Google itself shares that agenda.
Indeed, China is probably the place that needs this kind of "shield" the most. But Google is already blocked there.
Ideally, we should use some kind of P2P network against censorship, but such networks aren't mature enough.
BUT, if you consider the other way: China's attack on western sites, then this "shield" is valuable.
I remember no long ago China uses GFW to inject malicious code in some analytics javascript. Then all of a sudden millions of internet users started ddosing Github. It was probably because someone put something Chinese gov didn't like on Github. Github for some reason is not banned in China , but China was using this kind of ddos to force Github to take down the pages it didn't like.
Couldn't agree more; no idea who is downvoting you, this is the most insightful comment here. Also, it's fucking hypocritical claiming to support 'net neutrality' while hand-picking sites to receive support of a massive private-fiber global conglomerate with very strong senior management political affiliations. Engineers with ethics at google should start a rebellion.
A reverse proxy that connects from the internet to the internet does not need to be neutral. Free hosting does not need to be neutral. Net neutrality is about packets getting between an end user and the core of the internet fairly. This service is in a different area entirely.
Great, now the political status quo are even more under Google protection. What is the selection criteria? To receive money from some of americans NGOs? Hold yourselves, more Arab Springs are coming.
I didn't know about Project Shield and I think it's an interesting initiative. However, for some reason it leaves me a bit unease (not as much as the idea of being taken down by a 650Gbps DDoS at will!) - not sure what it is, but we might be moving towards an Internet where only the "approved" would have "free" speech.
I really hope ISP naming and shaming takes over, so we can make DDoS a little bit more difficult.