Hacktivism efforts get a bad rap when it comes to web security, but it’s possible they are actually doing more good than harm. In a security world empowered by big data tools, information gleaned from the countless attacks on LulzSec and Anonymous provide invaluable information to help stop similar attacks in the future. They are like baits that attract hackers en masse.
Curiously, however, the proposed SOPA antipiracy legislation that has drawn such strong negative reactions from web-based service providers could end up playing right into hackers’ hands. Or so says Matthew Prince, the co-founder and CEO of popular security service CloudFlare and professor at the John Marshall School of Law.
Although it is a security company that tries to prevent websites from DDoS and other types of attacks, Prince told me CloudFlare actually counts a number of antiestablishment and arguably nefarious groups as users. LulzSec, along with various other hacktivist sites, is a CloudFlare user, as are most of the various “Occupy” sites. Their methods and objectives might be different, but all of those organizations share a common characteristic in that they attract a lot of attention from other hackers trying to bring them down to boost their own notoriety.
If you’re trying make the Internet safer, that’s a good thing. “Security is really a data problem at the end of the day,” says Prince, so companies such as CloudFlare will take all the data they can get. As with most analytics use cases, the more information that security systems have to analyze, the smarter they get and the faster they can identify those attacks in the future. That’s why so many security services, whether for personal use or enterprise firewalls, now utilize a cloud-based model — so they can route all of their customers’ traffic through a central network and let everyone benefit from the collective intelligence.
It’s in the spirit of the greater good that made CloudFlare, at least, decide to keep serving its hacktivist users, despite what Prince calls “a lot of internal debate about . . . the right approach.” Because most services don’t actually host content — as was the case with Amazon Web Services and Wikileaks, as well as Rackspace and Reverend Terry Jones — deciding whether to keep a user is really an ethical decision more than a legal one.
“There are lots of things on the Internet that I find very personally troubling,” Prince said, but he doesn’t think he’s in the position to decide what’s on the Internet (or, in his company’s case, what’s protected from attacks). Generally speaking, he added, invoking the theory that reason will prevail in the marketplace of ideas, “sunlight is rarely a bad disinfectant” for information that some find dangerous.
Most of the time. While LulzSec and other less-known hacktivist groups remain as customers, Prince said CloudFlare has worked closely with law enforcement to deny protection to child pornography sites that are uncovered as users.
Copyright laws do not discriminate
While hacktivism actually enhances the greater mission of Internet security, though, Prince thinks the Digital Millenium Copyright Act actually does a lot to hinder it. The proposed SOPA legislation, he wrote in a blog post on Wednesday, would “effectively streamline DDoS attacks.” That’s because, unlike the ethical decision that serving hacktivists poses, these laws don’t give service providers like CloudFlare a meaningful choice on how they should act.
As I’ve written before, the DMCA is somewhat unfair to service providers, because it places on them the onus of being judge, jury and, in some cases, executioner with regard to copyright-infringement claims. Prince writes that although CloudFlare does the best job it can, it’s becoming difficult to detect legitimate claims as criminals’ requests get more sophisticated:
Imagine the challenge for someone on CloudFlare’s support team. If someone writes to us alleging that they are a photographer who took a picture that appears on a website, or a designer who drew a logo, or an author who wrote some text, how can that claim be verified? I’m an attorney and member of the bar. I teach a course on intellectual property and technology law at the John Marshall Law School. I serve on the Board of the Center for Information Technology and Privacy Law. I’ve reviewed many of these requests and, even with my training in the subject, I have no idea how to effectively and efficiently tell the difference between valid and invalid complaints. (emphasis added)
Essentially, Prince explains, when network services such as CloudFlare receive valid complaints under the DMCA, they must expose the host domain so takedown actions can commence. The problem is that cybercriminals are aware of this law, and they are increasingly making bogus requests against legitimate sites. Once they have the host information they need, they can attack.
SOPA takes things a step further, Prince says, because it keeps the same adjudication onus on the service provider while ramping up the response. Whereas exposing a host domain pursuant to DMCA still requires technical acumen to exploit, SOPA actually requires network providers to stop resolving DNS for infringing sites. “The allegation merely needs to include some evidence and does not need to be validated by a court,” Prince writes. “In other words, a carefully crafted letter could be all it takes for a future attacker to knock a site offline. No botnet needed, just a passable mastery of legalese.”