Headlines scream about “hackers” bringing top Web sites like Yahoo, eBay, Amazon, E-Trade and Buy.com to their knees. Otherwise respectable Web news services like Wired News rant about “blitzkriegs” with “armies of attacking computers.” U.S. Attorney General Janet Reno appears before a somber Washington press conference to assure the public that “preventing cybercrime is one of our top priorities.”
Over on MSNBC, an instant poll asks visitors, “Will you continue to shop online in the wake of the attacks on e-commerce sites?” — as though the mere fact that your favorite Web store might have been inaccessible for a couple of hours would be cause to stop shopping there. (Memo to MSNBC: Most “bricks and mortar stores” are “down” for up to 12 hours every night!)
The Web whodunit
No one knows who’s behind the wave of attacks on big sites — but everyone’s got a theory.
By Salon Technology Staff
With all this hysteria, you’d think that most of us poor Net users would be huddled in our virtual basement bunkers, waiting for the denial-of-service bombs to drop on us.
But of course one of the very first things many of us learned about the Internet is that it is a decentralized, “distributed” network. Therefore, even as vandals may be temporarily shutting the gates of a few high-profile megasites, you and I and most of the rest of the Internet universe can go about our merry business. If we weren’t actually trying to make a purchase on Amazon or visit a Yahoo page during the handful of hours that these sites were down, we’d never have known about the attacks if not for the overheated media response. And if we did encounter the “server unreachable” signals, we’d have probably just assumed that the sites had crashed on their own.
Most of the press has reported the wave of site shutdowns as a terrible sign of the deep vulnerability of the Internet. How can we build a new information economy on a structure that’s so open to attack? Somebody should do something, immediately!
A more sober response might be to see the attacks — malicious though they may be, and however responsible for real financial losses at targeted companies — as essentially large-scale nuisances. No one’s credit card numbers were stolen; no one’s data was compromised; no one’s privacy was violated.
The information currently available suggests that this week’s attacks — known as “distributed denial of service attacks” — aren’t direct break-ins to the sites targeted. Instead, the vandals plant nasty little programs (widely distributed underground) on the improperly secured computers of unsuspecting third parties. These programs, in turn, flood the targeted site — Yahoo, eBay, whoever — with bogus requests for data that overload the site’s servers and make it impossible for legitimate users to get through.
People always love to use automotive metaphors for the Net, so here’s one: From the perspective of the targeted sites, this kind of attack isn’t like a burglary; it’s more as though someone parked stolen cars so as to block every entrance and exit to a mall parking lot. The store’s untouched, but customers can’t get in.
The biggest problem here, as the FBI’s Ronald Dick reported at a Wednesday press conference, is the multitude of computers on the Net that are wide open for would-be vandals to plant their parasitic programs. It’s as if cars all over town were left unlocked, so that the local hoodlums who want to block those mall entrances had their pick of vehicles to use in the prank.
As Dick argued, “Security on the Internet is a community effort.” If your machine or your company’s network isn’t properly secured, it’s a sitting duck — and can be used to make life miserable for someone else, without your knowing it.
Before we start lobbying for new laws to “crack down on cybercrime,” let’s keep a few things in mind: Existing laws already cover the recent wave of attacks, and whoever is responsible for them already faces serious penalties. (Dick said that if the attacks are considered to be intentional, they’d be treated as a felony.) The news media, by applying the entire lexicon of military history to these exploits, only satisfies the vandals’ likely hunger for notoriety. And in the end, the Internet technical community will probably find better ways to protect against these kinds of attacks than the legal system can provide.
The Internet is, and is likely to remain for a long time, a work in progress. Incidents like this week’s attacks serve as a prod for companies and organizations to solve longstanding problems. Indeed, the distributed denial-of-service vulnerability is something security experts have known about — and sounded alarms about — for some time.
Of course, there’s no excuse for downloading a mischievous program, planting it on someone else’s computer, pointing it at a site you don’t like and shutting the site down. But the vandals responsible for this week’s headlines have performed an unwitting service in forcing the Internet’s businesses and technical leaders to deal with the problem.
I don’t want to downplay the technical challenges in planning a successful defense against these complex attacks — which can involve “spoofing” to cloak the identity of the attacking computer as well as the simpler planting of Trojan Horse attack programs. But I also don’t have any doubt that the Internet engineering community will sooner or later figure out smart ways to foil the bad guys.
Once you turn down the volume of the “Hack Attack!” headlines, you’re left with a keener awareness of the interdependent nature of the Internet, and a renewed respect for its fundamental strength as an open platform. On this network, it turns out, where we are all our brothers’ computers’ keepers, news about problems travels fast, fixes travel fast — and today’s nightmarish “cybercrime” is likely to be a long-forgotten news blip tomorrow.