anti-censorship in network infrastructure

With AntiSec—and attendant censorship countermeasures—in full swing, Telex seemed like an appropriate subject.  In a nutshell, Telex offers a response to online censorship by placing anti-censorship technology into the Internet’s core network infrastructure, rendering it easy to distribute and difficult to detect and prevent. Governments tend to use firewalls in their network to block traffic or access to forbidden sites. Telex is different from previous anti-censorship systems in that it operates within the infrastructure at ISP points and non-blocked portions of the Internet, as opposed to network end points.

This “end-to-middle” proxying makes the system robust against censorship countermeasures. Furthermore, it emphasizes evading detection so that a censor may be circumvented without being alerted, complementing proxy and relay services like Tor. Telex employs and repurposes deep-packet inspection in its anti-censorship measures. Telex also does away with individual encryption keys or IP addresses that need to be communicated to users in advance, since the censor can block the system if it discovers this information. Telex is described, in short, as a “state-level response to state-level censorship” (Telex.cc).

Continue reading

LulzSec, Anonymous, and AntiSec: Thoughts on Lulz and Ethical Hacking

By now I think most people are familiar with LulzSec, Anonymous, and other anonymous hacking groups, as they are receiving more and more media coverage in mainstream outlets as well as tech-only reporting sources.  I’ve hesitated to blog about this, namely because I have yet to comprehend everything that is happening, but the longer I wait, the more I realize I’m never going to fully understand it.  Like much of the stuff I’m interested in, it’s too big to judge or sum up in a single blog post.

So instead, I’m going to try to break down my observations and thoughts about this phenomenon in a very basic sense.  I may have attempted in previous posts to make a distinction between malicious hacking and DDoS (distributed-denial-of-service) attacks, but I would like to refine that further using more appropriate terminology.  For some time now, the term hacker has been reclaimed in a positive or at least neutral usage, while “cracking” has been used to describe malicious hacking attempts.  A better classification system, and the one more popular with the hacking groups themselves, runs from “black hats,” or straight-up computer criminals, to “white hats,” or computer security experts.  Most pertinent to this discussion are “gray hats,” those hacking not for personal gain or out of malicious intentions but who technically commit crimes during their hacking endeavors.  Gray hats may seek improved security by breaching the cybersecurity of various organizations, or may leak internal governmental data in order to promote awareness of and accountability concerning human rights abuses by those nations.

DDoS attacks, which flood a server with so much data that the website is forced to go down, are considered gray-hat tactics.  I think I’ve stated previously my belief that DDoS attacks serve as modern-day peaceful protest.  However, I do think the gray area becomes even grayer for some when you take into consideration the motives behind these attacks.  Taking down and even defacing the Zimbabwe government’s website to protest its oppressive regime, for instance, seems more morally upright than taking down cia.gov for anti-establishment lulz.  But ultimately, neither attack is harmful, especially when compared to black-hat(?) tactics such as leaking 62,000 random logins into the hands of Twitter users, who promptly used the information to gain access to innocent individuals’ email, gaming networks, PayPal, Amazon, Twitter, Facebook, MySpace, and so on.

Despite this, I’m having a hard time condemning LulzSec.  I tend to be more supportive of them when they are targeting governments and corporations—i.e., institutions, whatever those may be—rather than when they are targeting individuals.  At the same time, if you use the same email/password for everything, can you really complain when everything is hijacked?

It’s not so simple, I realize, and the ends don’t justify the means, IRL or online.  In fact, I probably stated earlier that I support Anonymous for their ethical selection of targets, so it should be easy for me to write off LulzSec for their apparent lack of morality.  In conversations with friends and colleagues, however, I find myself against the wall trying to defend (or at least objectively view) hacker activity that can be plausibly likened to hurling bricks through a shop window IRL—damage for the sake of damage, breaking things because they can.  They have hacked, obtained, and disseminated databases from Sony, PBS, Fox, X Factor, Bethesda and other gaming servers (at the request of callers, according to them), pron.com, Infragard Atlanta (an FBI affiliate) and Senate.gov; they’ve dropped dox on Karim Hijazi, CEO/President of Unveillance and member of Infragard; they have played with the websites of individuals who exhibit unwarranted self-importance (e.g., claiming to be #1 hackers or hacker-proof).

At the same time, LulzSec has gained more media notoriety in a month or so than Anonymous has since it first entered the fray (Anon has been hacking for years, but as an ethical hacking group it really came together in 2010 during the height of WikiLeaks controversy).  And you can bet your ass Sony employees were chained to the desk toughening their defenses after being hacked multiple times in fairly rapid succession.  LulzSec has utilized “simple SQL injection and Local File Inclusion vulnerabilities, and botnet-powered Distributed Denial of Service attacks” (Ars Technica) that, to some, are too low-level to qualify as hacking.

But the Internet truly exploded on June 17, around 5:48, when LulzSec DDoS’d cia.gov.  By around 6:10, the main page had reappeared but as a facade, but none of the links were working. Immediate Twitter posts tagged #LulzSec include statements ranging from “oh shit they ddos’d the CIA” to “we’ll see who’s laughing when the FBI comes for them.”  Minutes later, th3j35t3r tweeted to LulzSec, “Gloves off […] expect me.”  And at that moment and only that moment, apparently, shit got real.

Continue reading