It’s funny how much effort we put into building redundant and reliable systems (e.g.: “cloud computing”) that scale and replicate well – yet they are subject to the simplest of attacks that can disable them.
An old joke from the 90s was to extend the OSI layering model:
(random image from google image search)
I’ve also seen layer 9 described as the “political” layer. It’s silly, but there’s something to it. We can provide segregation at layer 7 or 5 or 4 using a variety of load balancers or firewalls, and self-secured applications, but so what if the system can be attacked at layer 9 by Elon Musk buying your hosting company and fucking it into the ground? One of my old security buddies used to refer to capitalism as a backdoor in all security. Together, over a memorable dinner at The Tabard Inn in Washington, we invented the following koan:
Q: How do you steal the source code for any important application?
A: Ask nicely in the boardroom.
This actually turned out to be prescient, because a few years later Microsoft gave the Chinese government a copy of the Windows source code so they could analyze it for backdoors, and Blackberry (remember them!?) gave the government of India the encryption keys for their communications layer, against the threat of the devices being banned because the government’s security service could not monitor citizen communications.
You probably noticed freethroughtblogs was down recently. In security terms what happened was a lawyer-amplified denial of service attack (specifically a resource consumption attack [RCA] against ftb’s DNS provider) – the response was designed to deflect blame from the provider in case there was some kind of lawsuit regarding who owned and controlled what domain, but because the provider is not adequately staffed and their workflow automatically kicks in, in order to be legally responsive it amounts to a denial of service. Almost certainly there are equal and opposite cutouts that prevent the same workflow from kicking in if someone, for example, attempted to launch a similar attack against truth social. But how deep are those cutouts? Perhaps someone in some operations center would respond more quickly if the attack was launched against truth social, but Sam Harris’ site would be down for days like freethoughtblogs was. Of course the people who design these systems are not designing them for redundancy and accuracy, they are designing them for liability coverage, so the rest of the system is probably also vulnerable to a variety of channel-stuffing attacks. [channel stuffing] Imagine if you simultaneously filed 1,000 such takedown requests, overstressing the inboxes of the overworked underpaid analysts who are expected to process the takedown requests. Or if you amplified all of that by doing a conventional denial of service attack against the provider’s email server. The analytical process for identifying weaknesses in such complex systems is actually pretty simple. Here’s a term that used to be classified (no shit!): target analysis. The idea is that you list the salient properties of the target, along with the weaknesses of those processes, then put your evil hat on and do some combinatorics. By the way: expect AIs to turn out to be pretty good at that sort of thing, since they are fast, creative, and have lots of time on their hands.
stable diffusion rendering of the 9 layer network stack model
One of the interesting facets of the recent attack [documented by PZ:] is that the hosting company’s workflows kicked in, right on schedule, without any analysis of whether or not the attacker was obviously bogus, or the accusation was obviously bogus. “Deathlord Al-Zawahiri” would have rung some bells, if a human had been in the loop. But humans were taken out of the loop for reasons of cost-cutting and, probably, to prevent accusations that the hosting service was specially caring for one account or another. I wonder if my previous posting outlining how DMCA is a framework for denial of service [stderr] had anything to do with it.
How to fix this sort of mess? The obvious answer is: shatter the system. If there were so many takedown requests that the providers were overwhelmed, they would probably do something like require a phone call, responsive email address, verifiable address of an attorney, etc. Those are easily faked, but it’d skim 95% of the problem off the top. The other, better, answer would be to get lawyers to attack lawyers (fun fun fun, except the lawyers coincidentally have the situation arranged so that they make money no matter what and would be perfectly happy to fight World War III as long as the hours are fully billable) I will say that there are conferences attended by sober security professionals and operations specialists, who keep track of the latest emerging problems with services, and who would be preparing to do the legally required minimum to protect their organizations, if there was a significant judgement.
Rob Pike once said: “distributed computing is when a system you don’t know anything about and have never heard of brings your system down.”
Or, as my friend Ron says, “another cloud computing success story!”
You also missed that being able to automatically generate large amounts of trash is a positive for this sort of attack. Even if they can catch the stuff automatically that still requires processing and network capacity, as well as increasing their risks from false positives. Especially if there’s a way to close the loop and have it generate slightly new trash automatically based on feedback from the target
I’m glad I don’t do IT security, it seems like a complete mess
I feel that big gains could be made in the Tressjerf layer, but standards compliance might suffer.
Looks like they do some pretty kinky stuff at that motel – got an address?
Rob Pike was likely riffing on Lesley Lamport. From the 2nd edition of “Distributed Systems” (Mullender, ed., 1993): ‘Leslie Lamport’s definition of a distributed system: “You know you have one when the crash of a computer you’ve never heard of stops you from getting any work done.“’ https://archive.org/details/distributedsyste0000unse_i0x7/page/4/mode/2up?q=%22crash+of+a+computer%22 . A citation in “Distributed Fault Tolerance – Lessons
Learnt from Delta-4” (1993) says it was also in the 1989 first edition.
dangerousbeans@#1:
You also missed that being able to automatically generate large amounts of trash is a positive for this sort of attack.
I missed that completely. Yes, an AI could write convincing complaint letters by the zillion. Hm.
I’m glad I don’t do IT security, it seems like a complete mess
It really is. I started to realize how dysfunctional it was back around 1999, which was when I started getting sarcastic and dark. There were a lot of runnels of sewage feeding into the main-stream, and it became obvious that the approach security was following was going to be an expensive failure. Part of the problem is that that failure is hidden behind a bow-wave of “progress” that makes it so that security is always trying to catch up to a moving target. That kind of obscures the situation. But there are good arguments (I’ve made them many times) that the approach being followed by software development and corporate IT are never going to result in systems that are any good, let alone secure enough for their stated purpose. Basically, we have a system that works, such as it does, because it is obscure and generally indemnifies the people that matter (the companies) from all wrong while leaving the burden on the customers.
Reginald Selkirk@#2:
I feel that big gains could be made in the Tressjerf layer, but standards compliance might suffer.
Layering violations are not allowed! The standards committees will call SEAL Team 6.
Pierce R. Butler@#3:
Looks like they do some pretty kinky stuff at that motel – got an address?
I think the address is 127.0.0.1
Now I’m picturing someone using this to generate false applications for my work as a denial of service attack. Fuck that would mess things up. We’re not in a position of being able to automatically ignore stuff for legal reasons
I’ll raise it with my managers, it’s been a while since I’ve made them regret asking me about security