April 16, 2014


Security Lessons from the Big DDoS Attacks

Last week saw news of new Distributed Denial of Service (DDoS) attacks. These may be the largest DDoS attacks ever, peaking at about 300 Gbps (that is, 300 billion bits per second) of traffic aimed at the target but, notwithstanding some of the breathless news coverage, these attacks are not vastly larger than anything before. The attacks are news, but not big news.

The attacks were aimed at Spamhaus, which publishes lists of purported spammers. Unsurprisingly, the attackers appear to be associated with spamming—specifically, with Cyberbunker, which is accused of hosting spammers.

One interesting aspect of the attacks is the way they exploited externalities. “Externality” is an economics term. For our purposes, it describes a situation where a party could efficiently prevent harm to others—that is, a dollar’s worth of harm could be prevented by spending less than a dollar on prevention—but the harm is not prevented because the party has little or no incentive to prevent harm to strangers. Externalities are a common problem in security—they’re one of the reasons the market has trouble providing adequate security. The recent DDoS attacks exploited three separate externalities.


How the DMCA Chills Research

I have a new piece in Slate, on how the DMCA chills security research. In the piece, I tell three stories of DMCA threats against Alex Halderman and me, and talk about how Congress can fix the problem.

The Chilling Effects of the DMCA: The outdated copyright law doesn’t just hurt consumers—it cripples researchers.

“These days almost everything we do in life is mediated by technology. Too often the systems we rely on are black boxes that we aren’t allowed to adjust, repair, or—too often—even to understand. A new generation of students wants to open them up, see how they work, and improve them. These students are the key to our future productivity—not to mention the security of our devices today. What we need is for the law to get out of their way.”


The New Freedom to Tinker Movement

When I started this blog back in 2002, I named it “Freedom to Tinker.” On the masthead, below the words Freedom to Tinker, was the subhead “… is your freedom to understand, discuss, repair, and modify the technological devices you own.” I believed at the time, as I still do, that this freedom is more than just an exercise of property rights but also helps to define our relationship with the world as more and more of our experience is mediated through these devices. I also believed that the legal tide was running against the freedom to tinker, as creative uses of technology were increasingly portrayed as illegal or deviant behavior. Now, at last, things may be starting to change.


How the DMCA Serves as a Barrier to Accessibility

My op-ed on the DMCA’s barriers to accessibility just went live at Slate’s Future Tense. Here’s an excerpt:

[A]mong the DMCA’s many flaws is a significant one of which most people aren’t aware: For more than a decade, the act has imposed a barrier to access for people with disabilities. It hinders access to books, movies, and television shows by making the development, distribution, and use of cutting-edge accessibility technology illegal.

The full piece is here.


First Principles for Fostering Civic Engagement via Digital Technologies #2 and #3: Keep it Simple and Leverage Entrepreneurial Intermediaries

In my previous blog post, I set out the first of ten principles that local governments and communities should look to as they evaluate whether their community is using digital technology effectively to promote civic engagement and solve local problems. Today, I’m setting forth my second and third principles, “Simplicity – Bang for the Buck” and “Digital Intermediaries.” I have chosen to present these two principles together because they are linked thematically.

In almost every community, people are seeking information on public safety, jobs, education, transportation and healthcare. My second principle, “Simplicity – Bang for the Buck” suggests that governments, when determining which problems they can solve through an investment in digital technology, should look to improving government processes related to these core issues. My third principle acknowledges the reality that government itself cannot alone provide all of the information residents are seeking. Therefore, in a community which is engaged digitally, “Digital Intermediaries” – entrepreneurs, including journalists, who are a trusted source for providing local or hyper-local information to residents – will develop Internet and mobile broadband-based businesses providing people with information on these important topics.

Principle #2: “Simplicity – Bang for the Buck”


Singapore Punishes Net Freedom Advocate

Over the last few days my activist self has come out. I was a tenure reviewer for Dr. Cherian George at Nanyang Technical University, one of Singapore’s most high-profile universities. His tenure case was overturned at the top, where university administration meets the country’s political elites.

It is difficult to dismiss George on the basis of academic merit. With degrees from Cambridge, Columbia, and Stanford, his pedigree is admirable. He has three books under his belt: the eviscerating “Air Conditioned Nation”, the evocative “Freedom From the Press” and a scholarly tome comparing independent online journalism in Singapore and Malaysia that was actually published at home by Singapore University Press. Through a string of academic articles, George has been equally critical of the government and the press, so it is not surprising that the country’s journalists have not rushed to his defense. He has revealed to colleagues that the decision to deny his tenure was solely because of “non-academic factors”—the university administrators told him as much. He’s had positive teaching evaluations. This wasn’t a merit based decision.


White House Statement on Cell Phone Unlocking: A First Step Toward DMCA Reform?

Yesterday, the White House officially responded to the online petition to “Make Unlocking Cell Phones Legal,” which garnered more than 100,000 signatures in under 30 days. The Administration’s headline was emphatic: “It’s Time to Legalize Cell Phone Unlocking.” The tech press heralded this significant but symbolic first step in addressing some of the most egregious shortcomings of the Digital Millennium Copyright Act (DMCA). I hope the White House’s response signals a new chapter in the struggle to regain the freedom to innovate, research, create, and tinker. Last week, I discussed the petition and its context with Derek Khanna, who has been a champion of the cause. You can watch the video here:

As Derek pointed out, this battle is connected to a much larger policy problem: the DMCA bans many practices that are good for society–and without clear counterbalancing benefits. Reading the White House statement, it is hard to tell whether the Administration appreciates this fact.


How much does a botnet cost, and the impact on internet voting

A brief article on how much botnets cost to rent (more detail here) shows differing prices depending on whether you want US machines, European machines, etc. Interestingly, the highest prices go to botnets composed of US machines, presumably because the owners of those machines have more purchasing power and hence stealing credentials from those machines is more valuable. Even so, the value of each machine is quite low – $1000 for 10,000 infected US machines vs. $200 for 10,000 random machines around the world. [Reminds me of my youth where stamp collectors could get packets of random canceled stamps at different prices for "world" vs. specific countries - and most of the stuff in the world packets was trash.]

So what does this have to do with voting? Well, at $1000 for 10,000 infected American machines, the cost is $0.10/machine, and less as the quantity goes up. If I can “buy” (i.e., steal) votes in an internet voting scheme for $0.10 each, that’s far cheaper than any form of advertising. In a hard-fought election I’ll get a dozen fliers for each candidate on the ballot, each of which probably costs close to $1 when considering printing, postage, etc. So stealing votes is arguably 100 times cheaper (assuming that a large fraction of the populace were to vote by internet), even when considering the cost of developing the software that runs in the botnet.

Granted, not every machine in a botnet would be used for voting, even under the assumption that everyone voted by internet. But even if only 10% of them are, the cost per vote is still very “reasonable” under this scenario.

And as John Sebes responded in an earlier draft of this posting:

“You compared digital vote stealing costs to the costs of mere persuasion. What about the costs of analog vote stealing? It’s all anecdotal of course but I do hear that the going rate is about $35 from an absentee vote fraudster to a voter willing to sell a pre-signed absentee ballot kit. Even if the bad guys have to spend 100 of those dimes to get a 1-in-a-hundred machine that’s used for i-voting, that $10 is pretty good because $10 is cheaper than $35 and it saves the trouble of paying the gatherers who are at risk for a felony.”


Now Available in Print and eBook: “Democracy’s Fourth Wave? Digital Media and the Arab Spring”

I am happy to announce that my new book, co-authored with Muzammil M. Hussain, is now available in print (Oxford University Press, Amazon, Google Books) and eBook (Kindle).

In April of last year, I presented some of our initial findings and described the methodology in a presentation at the Center for Information Technology at Princeton. You can listen to that presentation here:
Democracy’s Fourth Wave? Information Technologies and the Fuzzy Causes of the Arab Spring

Democracy’s Fourth Wave? Digital Media and the Arab Spring
Philip N. Howard and Muzammil M. Hussain

Did digital media really “cause” the Arab Spring, or is it an important factor of the story behind what might become democracy’s fourth wave? An unlikely network of citizens used digital media to start a cascade of social protest that ultimately toppled four of the world’s most entrenched dictators. Howard and Hussain find that the complex causal recipe includes several economic, political and cultural factors, but that digital media is consistently one of the most important sufficient and necessary conditions for explaining both the fragility of regimes and the success of social movements. This book looks at not only the unexpected evolution of events during the Arab Spring, but the deeper history of creative digital activism throughout the region.

Philip N. Howard is Associate Professor in the Department of Communication at the University of Washington, with adjunct appointments at the Jackson School of International Studies and the Information School.

Muzammil M. Hussain is a Ph.D. candidate in Communication at the University of Washington and Visiting Scientist at the Center for Comparative and International Studies, ETH Zurich.