Made DDoS, Not Spam
I’ve previously written at length about the evolution of counterstrike security systems on the Internet. Now, through the Internet Censorship Explorer project of the University of Toronto’s CitizenLab, there’s word of a different form of counterstrike system. (William Gibson fans will appreciate the acronym of the Internet Censorship Explorer project, which I assume was deliberately chosen.)
While my article on counterstrike systems suggested that major corporations might use their bandwidth to attack malicious internet users, Lycos has taken a different approach and constructed a “reverse botnet.” Lycos has begun distributing a screensaver across Europe which uses a home computer’s idle CPU cycles and bandwidth to send traffic to webservers associated with spammers. Although the Lycos website for this campaign uses the tagline “Make Love, not Spam,” what Lycos is actually making is a distributed denial-of-service attack with a white hat on; the traffic is indistinguishable from any other DDoS at the receiving end.
The legal implications of this system could prove to be interesting: In my previous post, I assumed that major corporations would have the legal clout to survive court challenges to corporate-owned counterstrike systems relatively unscathed. Likewise, Lycos may be too big a target for spammers to sue. However, the individual users who download the Lycos screensaver and participate in this campaign may not be. Furthermore, the disclaimer on the download page makes it very clear that in the event of a lawsuit, users are on their own: “The use of the screensaver and its function is the responsibility of the user. Lycos or the developer shall not be responsible for any loss or damage, of any kind, direct or indirect.”
It is important to note that while most users who participate in DDoS attacks are victims of worms and viruses, those who downloaded this screensaver knowingly chose to participate in a DDoS. This distinction will prove critical if any users are taken to court by hosting providers, as court rulings on this system may set a new precedent for establishing the limits and extent of the legal liability of those who participate in a DDoS attack. Are individual members of a DDoS network liable for all of the expenses incurred by the target, or just their portion of it? Do members of a DDoS network have to actively choose to participate in the DDoS in order to be held liable, or is failure to exercise due diligence enough to establish culpability for the consequences of the attack? Since the targets for the DDoS are provided by Lycos, can the users be held responsible for the DDoS of a specific target at all? That centrally distributed target list is also worth noting from a purely technical standpoint: whoever controls it, or the channel by which it reaches the screensavers, controls where the aggregate bandwidth is aimed, and the participants have no way to verify that a listed host actually belongs to a spammer rather than to a misidentified or shared server. The possibility of getting legal answers to these questions is reason enough to watch the progress of this experiment closely.
Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions. — Sun Tzu, The Art of War