From: Anonymous <nobody@replay.com>
Date: Wed, 16 Dec 1998 14:35:45 +0800
To: cypherpunks@EINSTEIN.ssz.com
Subject: RE: DoS considered harmful [WAS: RE: Anyone striking?]
Message-ID: <199812160609.HAA31572@replay.com>
MIME-Version: 1.0
Content-Type: text/plain



> -----Original Message-----
> From: Trei, Peter [mailto:ptrei@securitydynamics.com]
> Sent: Tuesday, December 15, 1998 11:23 AM
> To: cypherpunks@toad.com; cryptography@c2.net; dcsb@ai.mit.edu
> Cc: Trei, Peter
> Subject: DoS considered harmful [WAS: RE: Anyone striking?]
> 
> Someone using the name Carlos Gomes [GomesC@netsolve.net] 
> wrote:
> 
> > [...]
> > There were several ideas floating around: a) detach
> > from the net and from work b) create a signed letter of
> > disapproval published to appropriate orgs c) _short_
> > loosely organized burst of DoS against select online
> > targets from widely distributed sources.
> 
> > All valid forms of protests (when properly organized
> > and executed) all with varying forms of impact and
> > visibility.  For the record, I think option c) could be
> > a valid and effective form of active protest.  It is a
> > form which has not been used in support of the cpunks'
> > agenda (or many agenda's for that matter) to date and
> > one that merits a review.
> > [...]
> 
> > regards,
> > C.G.
> 
> A DoS (Denial of Service) action is a really, really,
> really bad idea.
> 
> It's both illegal and counterproductive. It's the sort
> of thing I would expect to hear from an 'agent
> provocateur' bent on discrediting critics of
> government policy, by casting them as malicous hackers.
> 
> We went through this once before. Back when I was
> getting the DES challenges going, some one proposed
> that the target should be a live bank transaction (I
> think in Germany). I argued strenuously against such a
> move, and in favor of a specifically created target
> This goal was fullfilled when I got RSA to set up and
> sponsor the Symmetric Key Challenges.
[deletia]

Hmm... I agree that Peter's representation of my suggestion would not be a
good idea nor would it be productive-- especially in the long run.  And his
interpretation of my writing was correct given the current understanding of
what a DoS is.  So let me flesh out a bit what I think option c) above
should have said.

In my first mail to the list on the strike subject I offered a couple
references outlining some possible forms of electronic civil disobedience
(ECD).  The analogy used in those texts is to a "sit in" or, as explained in
other references not mentioned, the activity can be looked at as a large
scale letter writing campaign like the ones organized by Amnesty
International which are aimed at prison officials holding political
dissidents or political prisoners.  The idea is to maximize awareness (to
the targets as well as mass media) of the protest while minimizing the
likelyhood of severe litigation or other punitive action against those
involved in the protest.  It's basically an indismissible show of dissent in
large numbers aimed directly at the source of the dissent.

As commonly understood, a DoS (Denial of Service) attack would entail an
undisclosed group of hackers and script kiddies attempting to knock out a
server/site for as long as possible-- which usually requires that the group
be destructive and remaining as anonymous and untrackable as possible.  This
was _not_ what I had in mind as option c).

In an effective ECD campaign you would want to publicize what your agenda is
including a listing of possible spokespersons/leaders for negotiation to
both the target and the media.  You would also want to control the extent of
the Disruption of Service (instead of Denial of Service) to somewhere
between more than barely being noticed to less than breaking any laws.

Example: A public web page is setup with information on the next "sit in" or
"log writing campaign" containing the agenda behind the protest, contact
persons for more information, target site with explanation of choice, start
time and stop time.  Let's further that the cause is able to get a couple
hundred or couple thousand supporters to, for example, repeatedly telnet to
port 80 on the remote server during a specific 5 minute window and type in:

GET I do not support your sites views on such and such see
www.stop_this_now.org for details.

Given the right level of logging on the server you'd quickly fill up the
target's logs with a record of the number of people (or actually computers)
that don't agree with the target's agenda.  In Trei's last copied paragraph
he mentioned setting up a dedicated target for the DES challenge.  I think a
similar scenario would also be an effective tool for ECD for testing support
as well as being an alternate site since some target sites could be ominious
enough to keep supporters at bay and a guinea pig site with full logging
could be used to gather data to present to the media directly instead of to
the media through a target site.

I'd rather not get into a lengthy arguement about the legality of the above
or whether it can be implemented since judging from the result of some of
the last calls to protest within this group I don't think this type of
action will see a real implementation anytime soon so it's legality and
feasibility would be mostly speculation IMHO.  I just wanted to clarify what
I had in mind as option c) in the original mailing.

It's late and there's a bunch of good jazz happening the next two nights at
the Mercury Lounge in downtown Austin.  The crypto revolution will have to
wait for a less festive time of year :-)...

waves,
C.G. 

--
the above are my views-- and possibly my views alone :-(