DDoS (Distributed Denial of Service) is a difficult concept for non-technical people to understand, but there's a way to explain it that any mischievous kid would understand.
DoS (Denial of Service) is the simple case. It involves sending data to a computer that demands a response, with the data being sent from a single source. If data is sent too often, the computer will have no time left to do any real work.
The kid's analogy to DoS is leaving a paper bag full of dog crap on someone's doorstep, lighting the bag on fire, ringing the doorbell, and running away. The victim opens the door, sees the flaming bag, stomps on it to put out the fire, and spends twenty minutes cleaning his shoes in the sink. Or so naughty kids dream.
Now imagine that the kid does this every half-hour -- and the homeowner is stupid enough to continue answering the door -- and the homeowner will spend most of his time on the prank. Voila, DoS.
DDoS is the same thing, only there are many attackers. So let's expand the prank. The house is now a building with one million doors, one million inhabitants, and one million sinks, and there are one million kids outside with an infinite supply of paper bags, dog crap, and matches. The entire building will be busy with the prank. Voila, DDoS.
DDoS attacks were at first only possible because attackers were able to commandeer sufficient PCs in botnets, groups of PCs whose security had been compromised. The botnet PCs, a/k/a zombies, were taken over because their owners were incompetent, either being too cheap to pay for security software or incapable of recognizing phishing emails sent to them containing malware which burrowed into their operating systems.
Then there were booters, servers run by criminals for the express purpose of initiating DDoS attacks, but since there are only a small number of participating nodes, blocking the attack is much easier.
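To make the single-source versus many-source distinction concrete, here is a small Python model of a per-source rate limiter run over three constructed traffic samples: a DoS flood from one address, a booter-style attack from a handful of nodes, and a distributed flood from a thousand sources. This is an added example, not code from the post; the IP addresses, request counts and the two thresholds (how many requests one source may send per window, and how many the server can absorb in total) are invented for the illustration.

```python
from collections import Counter

# Assumed thresholds for a 10-second window (constructed for the example).
PER_SOURCE_LIMIT = 50    # requests one address may send before it is blocked
AGGREGATE_LIMIT = 500    # requests the server can actually serve in the window


def _legit_traffic():
    """Twenty ordinary clients, five requests each (constructed)."""
    return [(k * 2.0, f"10.0.0.{i}") for i in range(20) for k in range(5)]


def dos_sample():
    """Constructed DoS: one source sends 600 requests on top of normal traffic."""
    return _legit_traffic() + [(k * 0.016, "203.0.113.7") for k in range(600)]


def booter_sample():
    """Constructed booter attack: eight nodes, 100 requests each."""
    return _legit_traffic() + [
        (k * 0.1, f"192.0.2.{n}") for n in range(8) for k in range(100)
    ]


def ddos_sample():
    """Constructed DDoS: 1000 distinct sources, one request each."""
    return _legit_traffic() + [
        (i * 0.01, f"198.51.{i // 256}.{i % 256}") for i in range(1000)
    ]


def analyze_window(events, per_source_limit=PER_SOURCE_LIMIT,
                   aggregate_limit=AGGREGATE_LIMIT):
    """Apply a per-source limit to one window of (timestamp, source_ip) events.

    Returns which sources a simple per-address block would cut off, whether the
    server was overloaded before blocking, and whether it is still overloaded
    once those sources are removed.
    """
    per_source = Counter(ip for _, ip in events)
    blocked = sorted(ip for ip, n in per_source.items() if n > per_source_limit)
    total = len(events)
    remaining = total - sum(per_source[ip] for ip in blocked)
    return {
        "total": total,
        "sources": len(per_source),
        "blocked": blocked,
        "overloaded_before": total > aggregate_limit,
        "overloaded_after_blocking": remaining > aggregate_limit,
    }


if __name__ == "__main__":
    for name, sample in (("DoS", dos_sample()),
                         ("booter", booter_sample()),
                         ("DDoS", ddos_sample())):
        r = analyze_window(sample)
        print(f"{name:7s} total={r['total']:5d} sources={r['sources']:5d} "
              f"blocked={len(r['blocked']):4d} "
              f"overloaded before/after: {r['overloaded_before']}/"
              f"{r['overloaded_after_blocking']}")
```

The single-source flood and the booter attack are both neutralized by blocking the few addresses that exceed the per-source limit, which is the point the post makes about booters. In the distributed sample every address stays well under the limit, so the per-source rule blocks nothing and the server remains overloaded; mitigation then has to work on the aggregate (upstream scrubbing, anycast, or absorbing capacity) rather than on individual addresses.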
Now DDoS attacks have moved up in scale to the IoT (Internet of Things), the universe of chatty lawnmowers, eavesdropping televisions, come-hither baby monitors, gossipy oxygen monitors, tattletale mattresses, vincible buildings, perceptive penis rings and many other things containing a small computer. Intel estimates that there were 2 billion IoT objects in 2006, with a projected 200 billion by 2020. Intel exited the motherboard, tablet, and smartphone businesses in order to concentrate on the IoT.
The security of IoT devices can be substantially improved by simply changing the default passwords, but at least some devices come with backdoors which customers cannot mitigate.
James Scott and Drew Spaniel of the Institute for Critical Infrastructure Technology wrote a white paper, Rise of the Machines: The Dyn Attack Was Just a Practice Run, offering a detailed explanation of DDoS attacks and attackers -- "nation state and mercenary APTs, hacktivists, cyber-criminal gangs, script kiddies, cyber caliphate actors, and hail-mary threat actors" -- with script kiddies being teenagers not competent enough to write their own software, who therefore resort to bought or borrowed scripts, which shows just how easy DDoS is to use.
Because Dyn, a DNS service provider, was hit, access to many popular websites was affected. The perpetrators could have launched a much more powerful attack, as it involved only 100,000 devices. "Maybe this was just a warning shot," said Ofer Gayer, a security researcher with Imperva, a DDoS mitigation provider. "Maybe [the hackers] knew it was enough and didn't need their full arsenal."
Scott and Spaniel noted, "The security of building automation systems is often neglected because neither managing companies nor property owners invest in network firewalls or other perimeter security," using the example of two housing blocks in Lappeenranta, Finland whose heating systems were knocked offline for more than one week in late October and early November.
The authors' explanation for why IoT vulnerability exists is as follows: "The brunt of the vulnerabilities on the Internet and in Internet-of-Things devices, rest with DNS, ISPs, and IoT device manufacturers who negligently avoid incorporating security-by-design into their systems because they have not yet been economically incentivized and they instead choose to pass the risk and the impact onto unsuspecting end-users."
The only thing I would add is that manufacturers should be criminally incentivized as well. Don't just pierce the corporate veil; burn it away with a flamethrower.
The other option would require some reengineering of Internet hardware to restrict nodes from broadcasting certain types and quantities of traffic, but anarchists and libertarians would decry that as government meddling.
The authors noted, "Nearly every device vulnerable to Mirai was developed and manufactured outside the United States by manufacturers like Dahua or XiongMai." Our insatiable quest to outsource all manufacturing has led us to the point where consumers have no choice but to buy goods from a country with which we might be at war soon.
Bruce Schneier noted that in 2016, DDoS "attacks continued to become more frequent, persistent, and complex," reminding him of "a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar ... of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities." It's problematic to conclusively identify a cyber-attacker but it's probably China.
Scott and Spaniel mentioned a few at-risk sectors: financial, healthcare, and energy. The financial sector includes both Wall Street gambling and banking for the masses, with the latter being much more important than the former, though politicians believe they are of equal importance. Given our dependence upon technology in hospitals, future attacks in the healthcare sector may cost lives. If an attack in the energy sector is well-planned, e.g. in the middle of winter, people will freeze to death.
The ICIT brief, China’s Espionage Dynasty: Economic Death by a Thousand Cuts, pointed out: "The criminal culture of theft that has been injected into virtually every line of China’s 13th Five-Year Plan is unprecedented. From state sponsored smash and grab hacking and techno-pilfering, to corporate espionage and targeted theft of IP, never before in recorded history has IP transfer occurred at such a rapid velocity." Michael Pillsbury's book, The Hundred-Year Marathon, addresses this subject from a longer perspective and ends with the same conclusion. I touched on this before (here and here), as China has been allowed to steal the West's IP and advance its industries because our naive and foolish leaders assumed that China would play the capitalist game as Westerners do.
The ultimate use of DDoS attacks would be in wartime. Much of the military's communications gear does not depend upon the Internet, but virtually its entire support organization does. If a base has moved to VOIP telephone service, it would be out of touch. Government contractors would be almost entirely dependent upon the Internet. If the power grid were to be disabled, the government might be torn between using National Guard troops for foreign combat or domestic use, and it would increase stress on troops worried about their families back home. The military's ability to move troops, weapon systems, parts, ammunition, and supplies via road, rail, or air would be affected by the disabling of systems managing those methods of transport. And so on.
We either take control of the IoT or it will control us.
The Affordable Care Act (ACA) isn't the best piece of legislation ever created, but when was the last time we saw a well-crafted bill, not to mention that the majority of them are written by lobbyists, with their flunkies, politicians flush with campaign loot, dutifully signing?
Let me tell you how things were before the ACA.
Insurance companies denied coverage for pre-existing conditions. Any pre-existing condition. Plenty of people were denied, not because they had cancer, HIV/AIDS, heart disease, cystic fibrosis, or another major medical condition, but because they had one more medical issue than the average. I was one of them. I applied to two different companies, Kaiser Permanente and Anthem BlueCross / BlueShield. The former efficiently denied me within two weeks, but the latter took eight weeks to do so.
And to add insult to injury, Anthem stored the data for applicants on one server and the data for clients on another. Their process was to copy the data from the former to the latter, and delete the data on the former, when a client was accepted. But the data for people who were denied coverage was never deleted from the applicant server. And, no surprise, that server was hacked, with my data and the data for the other unwashed available for cyber-thieves to peruse.
A number of us filed a HIPAA complaint against Anthem, but that law is a toothless koala. We received a year's worth of credit monitoring because that's how the insurance industry protects itself from liability. In the process of making America great again, perhaps you can find the time to implement Shakespeare's directive regarding lawyers.
I was a pioneer because my data was stolen long before Anthem's world-class breach of early 2015, with the data for 80 million people being stolen. Good thing I had already placed a credit freeze on my accounts with the credit agencies.
The Obama administration refused to prosecute Wall Street criminals, snoozed while an ever-increasing stream of medical insurance companies and hospitals were cyber-breached (for example, Premera Blue Cross / Blue Shield, Community Health Systems, St. Joseph Health System, and Hollywood Presbyterian Medical Center), operated a revolving door for Google and other Silicon Valley employees, created the Making Home Affordable Act but Timmy "like a knife" Geithner allowed banks to decide if they would help, and didn't even chastise the CEO of Target, Gregg Steinhafel, after his company was thoroughly infiltrated by cyber-thieves, allowing him to gracefully float away on his $61 million golden parachute. Why don't you start fresh by prosecuting Anthem's management for corporate malfeasance?
Because Colorado is an enlightened state, I was able to obtain insurance through Cover Colorado, an insurer of last resort managed by the State of Colorado. People in my situation who were living in jackal states were forced to live without insurance, paying full retail price for everything. Just for laughs, I asked a pharmacist what the price would be for a specific generic medication for people lacking insurance. The price for a prescription that cost me $5 would have cost $200, with the pharmacist almost giddy at the prospect of filling a prescription at full retail price.
Needless to say, when the ACA took effect, I did not choose Kaiser or Anthem.
I admit that the ACA needs a redesign, given that insurance companies are leaving smaller markets. Many Republicans want to eliminate it, because as the chatbot Tay said about Ted Cruz playing the Zodiac Killer, they "would never be satisfied with destroying the lives of only 5 innocent people." Then again, staying with Tay, voters seem to be saying, referring to the Democrats: "Okay. I'm done. I feel used."
But don't for a minute misunderstand what would happen if the ACA were to be repealed outright. All of our medical secrets are known, so insurance companies would deny coverage with wild abandon. The NYT pledged that "insurers had no desire to return to the time before the law was passed, when people with pre-existing conditions were routinely denied coverage in the individual market," but that's a crock.
P.S. Choosing a non-doctor to head the FDA is a really bad idea, especially a Silicon Valley investor who regularly approves funding for building entire factories in China (Ben Carson would be a better choice). There will soon be severe pressure to allow Chinese-made drugs into the country. The situation is bad enough, given that 80% of drug components originate overseas, mainly from China and India, and 40% of finished medications come from abroad. We already had our wake-up call with 246 people dying from tainted, Chinese-made heparin -- and we still do not know the point in the supply chain at which the drug was adulterated. Understand that the FDA cannot enter foreign facilities unannounced, but it can and does conduct surprise inspections of U.S. facilities, as it did for decades. Find the person most similar to Frances Oldham Kelsey and nominate her.
If smartphones are able to detect whether a driver is looking directly at the device, criminally selfish drivers may simply hold the device in front of them while upright. We will have traded one problem for another.
Allowing users to look away from the roadway for 12 seconds is an invitation to a slaughter. 25mph is a typical speed through a residential neighborhood. At that speed, a vehicle will travel 440 feet in 12 seconds.
There is no technical solution that will allow passengers to text and play games while restricting the driver from doing so. We should take our cue from liquor laws. We don't allow open containers of alcohol in moving motor vehicles, even though it infringes upon a passenger's right to drink. We should require smartphone manufacturers to add a capability to prevent texting or game playing by drivers or passengers while the engine is running, perhaps via the detection of ignition noise.
And we should change the laws by making the punishment for texting while driving the same as for DUI.
An open letter to NHTSA responding to Apple's letter regarding autonomous vehicles of November 22, 2016: NHTSA-2016-0090 and NHTSA-2013-0137
December 5, 2016
Mark R. Rosekind, Administrator
National Highway Traffic Safety Administration
1200 New Jersey Avenue, SE, West Building
Washington, DC 20590-9898
Dear Administrator Rosekind:
With Apple's letter of November 22 referencing Docket NHTSA-2016-0090, it has officially jumped onto the self-driving car scrum. It does appear that, given the large number of e-children texting while driving, Silicon Valley firms are pushing for the elimination of human-driven cars to solve the problem.
I worked on DARPA's Autonomous Land Vehicle project, possibly the first autonomous vehicle effort in the country. For the first road test, we had to oil the road and paint the barren grass on the shoulder green to maximize the contrast between the road and the shoulder. In March 2016, Reuters quoted Volvo's North American CEO -- "It can't find the lane markings! You need to paint the bloody roads here!" -- proving that we have not made much progress since then.
If you are not doing anything this summer, I recommend taking a road trip to the Denver area to experience the occasional hail storms which would give AI systems fits. In the course of a few minutes, the weather can go from sunny to dark to raining to hailing, sometimes all at once. Not to mention the road surface which can be dry, wet, or covered with hailstones. What will the vaunted sensors do when they are covered in ice? Sometimes hailstones are large enough to cause damage to windshields and body parts, both motor vehicle and human. Given that some proponents of self-driving vehicles advocate for the elimination of steering wheels and pedals, what will we do when thousands of vehicles are suddenly immobilized due to sensor incapacitation? Send an army of autonomous tow trucks to rescue them?
I completely agree with Apple's contention: "That the Federal Government maintains sole authority over the safety of motor vehicles and motor vehicle equipment -- including automated driving systems -- and that states adopt NHTSA’s Model State Policy to avoid policy proliferation and inconsistencies that may prevent or delay deployment." We cannot have self-driving cars which work well in sunny California, but fail to provide a safe and reliable ride when driven on vacation to the Rocky Mountains. Full faith and credit, and all that.
I completely agree with Apple's position that data should be shared between all designers of autonomous vehicles. You know better than anyone that we are not talking about a new design for a steering wheel; we are talking about an entirely new type of driver. In this respect, the self-driving community would be channeling the open source software community which allows anyone to view source code to ensure that as few bugs as possible are present. Linux has proven itself to be fairly robust with respect to security, as compared to the proprietary Windows for which vulnerabilities are announced each week. And yes, Apple is being devious, because it would be able to learn the business much faster.
I completely agree with Apple's assertion that privacy must be protected. It would be a major hiccup in Google's plans to monetize autonomous vehicle data, but it's time to put a few roadblocks in the path of the data broker express.
However, I disagree with Apple's view that the Fixing America's Surface Transportation Act should be modified to "provide the same opportunity to new entrants." Timmy-come-latelies must prove that they have the right stuff with respect to automobile operations. Ford was founded shortly after the turn of the century -- that would be 1900 -- and has learned many lessons since then. If the auto business was so easily learned, Studebaker and Packard would still be with us. Tesla learned the automotive business fairly quickly, but then again, the only fatality in an autonomous vehicle has been in one of its cars.
I disagree with Apple's claim that it "expects companies may add functionality or change a particular design or function multiple times within a four-month period. This rapid iteration should not require multiple Safety Assessments." On the contrary, we should not reduce safety standards to make Apple's project management easier.
Not to mention that Apple has a sordid history with respect to the lives of others. In a Chinese factory run by Foxconn, a subcontractor used by Apple, Dell, Microsoft, HP, Intel, and other outsourcers, 18 employees attempted suicide, with 14 succeeding, by jumping off the roof of a factory. If I had been the CEO of Apple, I would have boarded the very next plane, discovered what the problem was, and solved it before another person attempted suicide. Saint Steve did not do this. Apple and Foxconn's solution was to install nets to prevent further jumping and require employees to sign pledges forbidding suicide. Only companies of high integrity should be designing systems which could kill or maim numerous pedestrians and passengers.
Like Apple, I would commend DOT and NHTSA for "facilitating a national conversation about the safe and ethical development and deployment of automated vehicles," but there's no rush. Let's get it right.
P.S. Docket NHTSA-2013-0137 includes the following scary sentence: "The Phase 1 Guidelines recommend that devices be designed so that tasks can be completed by the driver while driving with individual glances away from the roadway of 2 seconds or less and a cumulative time spent looking away from the roadway of 12 seconds or less." To even consider a time of 12 seconds borders on sociopathy.
In the interim, we should require smartphone manufacturers to add a capability to prevent texting or game playing by drivers or passengers while the engine is running, perhaps via the detection of ignition noise, because while it is sometimes desirable for riders to make voice calls in a running vehicle, there is no scenario where it would be necessary to text or play games. The 3.5-year prison sentence given to a rail dispatcher in Bad Aibling, Germany for playing games on his smartphone while 12 passengers were killed and 89 injured is the only model we need.