Should DDoS be Protected as Free Speech?

I read an article today that quoted the lawyer representing some Anonymous folks saying that he thinks DDoS is a form of free speech, and should be protected as such. He equated it to the civil rights demonstrations where people would crowd a venue to the point that “Legitimate” customers were unable to use their services. While I can understand the logic, I find fundamental flaws with this argument.

In the cases of sit-in protests, each participant is willingly making the free speech statement involved in shutting down the offending business for that day or period of time. In most, if not all cases of DDoS, it is done with the aid of botnets, or zombie computers. This means that the people infected with the botnet virus, or other form of compromise, are most times unaware their computer is being used in such a form of protest. That means it is inherently NOT free speech, because the person who is making the statement (each zombie, or bot) is not intentionally making said speech, and would likely not even agree with the protest.

However, if the attack was legitimately conducted by thousands of people jointly flooding the site willingly, I can agree with the argument. That would be pure protest. My issue is that too often it is using unwilling, and unknowing participants to perpetrate the attack.

However, if it is protected free speech, does that mean we as white-hats, or even grey-hats, would be able to use the same form of attack against our targets or causes that we disagree with? In short, I think that legalizing DDoS attacks because they are “Free Speech” opens a Pandora’s box. If it was legalized, I think we would honestly see the scale of attacks against companies, causes, and individuals increase dramatically. That would be the same as giving loaded guns to convicts upon their release from prison. Yes, guns are not illegal, and shouldn’t be, but there are restrictions applied to those who have demonstrated they lack the responsibility to handle guns in a safe way.

I love #infosec, but hate Skiddies

I love the Information Security world. I love the free flow of information, and the hard work of great people smarter and more amazing than I who fight every day for your privacy. I’m a hacker, I love to trick you into giving up your privacy, or working on breaking things.

One of the main problems I’ve seen in the current fighting in the interwebs is that many new hackers try to fight for fame, or their 15 minutes, by releasing some DB. These “hackers” generally use cookie-cutter attacks that they copied off some forum or blog. We “affectionately” call them Script Kiddies (Skiddies) because they have no idea how the attacks they are using work, or WHY, but simply just try everything they can find and hope that SOMETHING sticks. This presents a few problems that I would like to outline.

Collateral Damage:
When a company is compromised, and the entire database is leaked publicly for the “lulz”, you’re not really hurting the company. You hurt all the users, most of whom have no way to know that an attack happened, or that their account information just got leaked. Compounding that, many of those users reuse the same email/password or username/password combinations on multiple sites to make things easy. This now has impacted potential customers and companies other than the one you were targeting. Many who hack under the banner of Anonymous claim they are targeting companies and governments for corruption and they are trying to help the users, but by releasing the data in the manner that happens most often lately, they do the opposite.

Trust, or the Lack of:
Our industry is an industry of secrets. A secret is the most important and powerful weapon you can wield, and when you scream to the rooftops that you have no ability to keep a secret, you will not gain the trust of ANYONE, and you stand a great chance of losing any trust you have managed to acquire in a field where trust is everything.

Placing Bullseye on your back:
The last drawback I’ll cover regarding public release of data is that you instantly place a target on your back. The government really seems to be working hard lately on busting hackers, so when you announce “HEY LOOK OVER HERE, I’M DOING ILLEGAL THINGS” all it does is get you in trouble.

I enjoy hacking as much as anyone else; I just worry that all the negative attention that’s coming from skiddies is going to undo much of the hard work to bring hacking to the front lines as a legitimate industry.