-----Original Message-----
From: Trei, Peter [mailto:ptrei@securitydynamics.com]
Sent: Tuesday, December 15, 1998 11:23 AM
To: cypherpunks@toad.com; cryptography@c2.net; dcsb@ai.mit.edu
Cc: Trei, Peter
Subject: DoS considered harmful [WAS: RE: Anyone striking?]
Someone using the name Carlos Gomes [GomesC@netsolve.net] wrote:
[...] There were several ideas floating around:
a) detach from the net and from work
b) create a signed letter of disapproval published to appropriate orgs
c) _short_ loosely organized burst of DoS against select online targets from widely distributed sources.
All valid forms of protests (when properly organized and executed) all with varying forms of impact and visibility. For the record, I think option c) could be a valid and effective form of active protest. It is a form which has not been used in support of the cpunks' agenda (or many agendas for that matter) to date and one that merits a review. [...]
regards, C.G.
A DoS (Denial of Service) action is a really, really, really bad idea.
It's both illegal and counterproductive. It's the sort of thing I would expect to hear from an 'agent provocateur' bent on discrediting critics of government policy, by casting them as malicious hackers.
We went through this once before. Back when I was getting the DES challenges going, someone proposed that the target should be a live bank transaction (I think in Germany). I argued strenuously against such a move, and in favor of a specifically created target. This goal was fulfilled when I got RSA to set up and sponsor the Symmetric Key Challenges. [deletia]
Hmm... I agree that Peter's representation of my suggestion would not be a good idea nor would it be productive-- especially in the long run. And his interpretation of my writing was correct given the current understanding of what a DoS is. So let me flesh out a bit what I think option c) above should have said.

In my first mail to the list on the strike subject I offered a couple references outlining some possible forms of electronic civil disobedience (ECD). The analogy used in those texts is to a "sit in" or, as explained in other references not mentioned, the activity can be looked at as a large scale letter writing campaign like the ones organized by Amnesty International which are aimed at prison officials holding political dissidents or political prisoners. The idea is to maximize awareness (to the targets as well as mass media) of the protest while minimizing the likelihood of severe litigation or other punitive action against those involved in the protest. It's basically an indismissible show of dissent in large numbers aimed directly at the source of the dissent.

As commonly understood, a DoS (Denial of Service) attack would entail an undisclosed group of hackers and script kiddies attempting to knock out a server/site for as long as possible-- which usually requires that the group be destructive and remaining as anonymous and untrackable as possible. This was _not_ what I had in mind as option c).

In an effective ECD campaign you would want to publicize what your agenda is including a listing of possible spokespersons/leaders for negotiation to both the target and the media. You would also want to control the extent of the Disruption of Service (instead of Denial of Service) to somewhere between more than barely being noticed to less than breaking any laws.
Example: A public web page is set up with information on the next "sit in" or "log writing campaign" containing the agenda behind the protest, contact persons for more information, target site with explanation of choice, start time and stop time. Let's further assume that the cause is able to get a couple hundred or couple thousand supporters to, for example, repeatedly telnet to port 80 on the remote server during a specific 5 minute window and type in: GET I do not support your sites views on such and such see www.stop_this_now.org for details. Given the right level of logging on the server you'd quickly fill up the target's logs with a record of the number of people (or actually computers) that don't agree with the target's agenda.

In Trei's last copied paragraph he mentioned setting up a dedicated target for the DES challenge. I think a similar scenario would also be an effective tool for ECD for testing support as well as being an alternate site since some target sites could be ominous enough to keep supporters at bay and a guinea pig site with full logging could be used to gather data to present to the media directly instead of to the media through a target site.

I'd rather not get into a lengthy argument about the legality of the above or whether it can be implemented since judging from the result of some of the last calls to protest within this group I don't think this type of action will see a real implementation anytime soon so its legality and feasibility would be mostly speculation IMHO. I just wanted to clarify what I had in mind as option c) in the original mailing.

It's late and there's a bunch of good jazz happening the next two nights at the Mercury Lounge in downtown Austin. The crypto revolution will have to wait for a less festive time of year :-)...

waves, C.G.
-- the above are my views-- and possibly my views alone :-(