Wednesday, December 8, 2010

An Ion Blast from Low Orbit

Sometimes I start to write about a topic, and every few sentences find myself resisting getting pulled down some new tangent. These topics can be approached in so many different ways, it's hard not to keep writing until a book comes out. Attempting to expose the backstory for the original point I wanted to make, I'll find myself repeatedly backing up, deciding there's something else I should tell the reader first.

Wikileaks is that topic d'jour. Why has its release of diplomatic cables caused so much more furious a response than anything else its leaked. What's the legal and moral implications of the event? How is everyone reacting, and where's it all leading?

But what I originally wanted to talk about is the fact that Anonymous is attacking the credit card companies.

Anonymous is hard to characterize, exactly. It's a loose affiliation of computer savvy individuals, who've taken on such organizations as Scientology and the RIAA. They fight against censorship, against perceived injustices perpetrated by major corporations against defenseless individual citizens. And lately they have dropped their attention from antipiracy organizations to focus on the financial behemoths behind the economy.

While previous leaks by WikiLeaks have created some controversy, the fallout over the release of classified diplomatic cables is somewhat unprecedented. Many members of many governments throughout the world have been falling over each other to condemn the organization in the strongest words possible. It's a terrorist organization whose members should be assassinated, according to some. Arguably in response to this rhetoric, companies with links to WikiLeaks have been quick to sever them.

Amazon dropped its hosting of the site. Paypal froze its account, refusing any new contributions. Mastercard and Visa have also banned any payments to wikileaks through there systems. The effect of all this is to deny the organization access to capital at the same time its facing major technical attacks and legal battles. It's an odd situation, legally. WikiLeaks has not been formally accused of any crimes, but the attempts to remove it from existence are not really government actions. Is Mastercard in the right deciding that certain organizations don't deserve access to donations? This is one of those tangents I'm going to avoid going down.

Anonymous has sided with Wikileaks, arguing that the companies are in the wrong for trying to cut off a whistle blowing organization, that regardless of the moral questions around the appropriateness of this set of leaks, it's not the government or private industries role to silence undesired speech, even the revelation of secrets. So it's attacking, in its own peculiar form. As a primary internet based group, it fights through the dissemination and stopping of information. Some see it as a illegal mob, others as modern activists: another tangent.

The primary weapon anonymous uses is the DDOS, a technique to bring websites down. A computer server can only handle so many requests for a webpage at a time. By running code to, in essence, refresh a webpage all day, you can slow the page down. By running that code on thousands of computers, you can block entry by anyone. So for much of today mastercard and visa websites (but not the transaction processing servers) were down.

The code in question is called the "Low Orbit Ion Cannon", and can be downloaded by anyone. I find people's participation very interesting. A DDOS attack is a crime. Participating could involve a multiyear jail sentence. Do they not know? Not care? Figure in such a large crowd they won't be singled out? The victim can easily log the requests coming in, and through subpoena's find out who the attackers were. But despite the risks, real or perceived or ignored, people download the code and let their computers bring down credit card websites.

Thinking about it, I've realized they may be protected by an odd ally: the virus. It's easy to view the computer as just an extension of the self, but it is not necessarily only in our control. A traditional DDOS is not a group affair, but the tool of virus writers. a DDOS requires many computers spread out between many networks. Virus ridden machines will often spring silently to life to attack a distant server, without the owner noticing anything except perhaps a slower than usual internet. These botnets are almost certainly also involved in the attack against the credit card companies.

So how do you know who was attacking, and who just had a secretive virus buried in their machine? I suspect computer forensics could tell, but after the first round of trials for this, that would change. Activists would just visit unsafe sites, download trojan-laced programs, knowing that they were helping the attack while retaining plausible deniability.

This technique doesn't stop there, either. There have been horror stories over the years of viruses that pull kiddy porn onto your machine. I suspect these are written by the purveyors of such filth to avoid having to host the content themselves: much safer to let anonymous infected computers handle that risk. But if it's not already used as a screen, I suspect it will be eventually: a virus that downloads inappropriate material to your machine for you. Thousands will be infected unknowingly, a few will seek out the computer infection for the files, and how do you ever tell the two groups apart?

Identity theft was just the start. With computers in between us, it becomes impossible to test for intention. As more of our lives go online, as more crimes are committed in the digital ether, detection of crime may become the easy part of law. The hard part would be figuring out who the computer committed the crime for.

No comments:

Post a Comment