Unless you are a bad guy intent upon nefarious schemes to exploit technology in order to make money, then you probably have a great amount of respect for security reporter Brian Krebs. The crimes, breaches and attacks he has exposed have been so stunning that it boggles the mind. If cyber thugs have a “most wanted” list, then Krebs is likely at, or very near, the top. Yet what kind of messed up world do we live in if criminals can exploit horribly insecure internet-of-things devices with such success that it can silence the voice of a journalist like Krebs?
He most recently ticked off allies of vDOS; Krebs wrote about the DDoS-for-hire company and the two teenagers allegedly behind it were arrested. Although it’s nothing new for his site, KrebsOnSecurity, to come under attack, like it did after his vDOS exposé, nearly two weeks later, Krebs’ site was hit “with the largest DDoS the internet has ever seen. 665 Gbps” (gigabits per second). Some of the POST request attacks included the string “freeapplej4ck,” referring to one of the alleged teenage owners of vDOS.
His site has been protected by Prolexic, which was acquired by Akamai; yet after sustained attacks were hitting his site with about 620 Gbps of junk data, Akamai opted to stop providing Krebs with pro bono protection service; protecting his site was affecting the company’s paying customers.
Akamai, which Krebs does not fault for dropping him, claimed a sustained DDoS attack against Krebs’ site could have cost millions of dollars to mitigate. Akamai told The Boston Globe that the scale of attack on Krebs “stunned its engineers” since it was “almost twice as much traffic as Akamai had ever seen in a previous attack.”
Dropped like a hot potato, given only a two hours’ heads-up that Akamai would no longer protect his site for free, Krebs needed a new solution for the massive DDoS attacks crippling his site. Oh sure, he was offered DDoS mitigation, but the same level of protection he had under Akamai would cost him a jaw-dropping $150,000 to $200,000 annually. That’s hardly a sum any independent journalist could scrounge up by digging for pocket change in their couch. Krebs said, “Ask yourself how many independent journalists could possibly afford that kind of protection money.”
“Free speech in the age of the internet is not really free,” Krebs told Ars Technica. “We’re long overdue to treat this threat with a lot more urgency. Unfortunately, I just don’t see that happening right now.”
Yet Krebs needed to bring his site back up, so he opted for Project Shield which offers “free, unlimited protection.” The service is built on Google Cloud Platform in order “to protect news sites and free expression from DDoS attacks on the web.”
The free service claims:
No matter the size of your website or the size of the attack, Project Shield provides free protection for news, journalist, human rights, and elections monitoring sites.
In “The Democratization of Censorship,” the first post since Akamai dropped him and his site was down for days, Krebs wrote, “Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.”
Krebs was not the only one under heavy attack via botnets exploiting compromised IoT devices last week, but he doesn’t believe nation state actors are the ones learning to take down the internet.
Regarding the massive attack responsible for the latest chaos and upheaval pointed his way, Krebs said the botnet of IoT devices include “routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.” Most can be purchased for less than $100 and, for right now, “criminals at the helm of these huge DDoS crime machines are content to use them to launch petty yet costly attacks against targets that suit their interests or whims.”
DDoS attacks leveraging millions of insecure-by-design IoT devices will only get worse and something needs to be done “to address this growing threat to free speech and ecommerce.” Krebs added:
But what we’re allowing by our inaction is for individual actors to build the instrumentality of tyranny. And to be clear, these weapons can be wielded by anyone — with any motivation — who’s willing to expend a modicum of time and effort to learn the most basic principles of its operation.
The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.
