Previous month:
November 2011
Next month:
January 2012

December 2011

One congressman's opposition to SOPA worth noting

On November 16, 2011, during a House Judiciary Committee hearing, Senator Ron Wyden asked that he be permitted to include a statement opposing the Stop Online Piracy Act. The full statement is published as a press release at Senator Wyden's web site. It is a thoughtful and carefully constructed expression of concern regarding SOPA and PIPA. 

In his closing statements, Senator Wyden asks that members of Congress respect the following principles:


Photo by DonkeyHotey

"1.  Be deliberate.   While rights holders and law enforcement are understandably eager to go after bad actors, we must be mindful of the precedents we set here at home, and around the world. 

"2.  Get the scope right.  Narrowly focus law enforcement’s authority on those who are willfully and deliberately breaking the law or infringing on others’ property rights for commercial gain. 

"3.  Avoid collateral damage.  Rather than frustrating the architecture of the Internet or establishing a censoring regime, consider instead promoting approaches that empower users and do no harm to the ‘Net.  More simply, fish for tuna without catching dolphins. 

"4.   Promote innovation over litigation.  Our efforts should be to protect copyrights and trademarks, not outdated business models."

These principles align very closely with an Advisory my SSAC colleagues and I prepared entitled DNS Blocking: Benefits Versus Harms. In our Advisory, we explain circumstances and care exercised where DNS blocking is used today and recommend these as principles to guide any blocking actions. Reworded slightly from the Advisory, the principles Congress should consider follow:

  1. Only imposelegislation on a network and users over which you exercise control.

  2. Determine that the legislation serves the objectives and/or the interests of your citizens.

  3. Implement the legislation using a technique that is least disruptive to network operations and users.

  4. Make a concerted effort to do no harm to networks or users outside your legislative domain. 

The similarites are striking. It's both comforting and disturbing that there is one Congressman who appreciates the gravity of the issues and the consequences of hasty, poorly constructed legislation. If you are a US citizen, contact your congressmen and encourage them to read Senator Wyden's thoughtful statement opposing SOPA.

SOPA: a great example of failing to know your enemy...or your friends

Proponents of SOPA want Congress to believe that DNS filtering will strike a death blow to online piracy. They argue that preventing the domain names that criminals use for infringing sites from resolving to Internet addresses will prevent criminals from distributing copyrighted material or selling knockoff versions of "brand" goods.

The premise is false.


Photo by LesHoward

Know Your Enemy

If we have learned nothing else about electronic crime in the past decade, we do know one thing for certain. Online criminals adapt.

When an attack, stealth, or evasion technique ceases to be effective, online criminals try something different. A recent article at Dark Reading reports that security consultants and government agencies are tracking a dozen groups responsible for advanced persistent threats. What these parties have learned about one group in particular provides a wonderful teaching moment for SOPA proponents. 

APT actors identified as the Comment Crew uses HTML comments (information for web developers that is not use by a browser to render a page) to remotely control infected computers that form its botnet. An obvious countermeasure here is to strip comments from web traffic. This will disrupt communications, the botnet will be contained, and additional measures will be taken to dismantle it. 

Blocking HTML comments will be effective against Comment Crew, but for how long? History suggests that the answer is "not long at all". Does anyone seriously believe that the Comment Crew will throw their hands up in dismay and abandon their criminal or state sponsored activities?  The Comment Crew will employ a different means to communicate with its bots; specifically, they'll find a way to bypass or evade the countermeasures deployed against them.  

An important aside here is that stripping HTML comments is a good example of a proportional measure. Organizations or ISPs will voluntarily implement the HTML comment filtering countermeasure at their own site. They will enforce it within the boundaries of their own administrative domain, and will try not to harm or interfere with the daily operations of other networks in the process. Blocking the domain names of every web site that hosts HTML containing comments is not proportional. It overreaches, the results are unpredictable, and there is a high probability of disruption of desired and intended operations or collateral damage.

An unintended consequence of implementing Draconian filters when a more granular solution would suffice is that not only will criminal actors seek a way to evade such measures but legitimate users will do so as well. In Mandates Can't Alter the Facts, Paul Vixie explains that users will evade mandated filtering by using any of "dozens if not thousands of off-shore Domain Name servers they can switch to with the click of a mouse." Paul's claim is corroborated by a recent Cisco 2011 Security Report that 7 of 10 employees admit to violating IT policies in order to access the Internet. We live in a world where the prevailing attitude is that Internet access is a basic human right, US citizens will no doubt scoff the law. 

[ED: With nearly perfect timing for my article, an Addon for Mozilla Firefox - DNS Evasion to Stop Oppressive Policy in America (DeSOPA) - is now available. "When turned on, DeSopa intercepts URLs, sends the base URL to three offshore DNS services via HTTP, makes a best effort to check that two of them are equivalent, caches the IP for the browser session, redirects to the equivalent URL using the IP, and substitutes out the domain name in the source code with the IP address for future requests."]

Comment Crew is one of dozens I could cite to illustrate that SOPA proponents neither understand nor respect their adversaries. SOPA presupposes that criminals, faced with a DNS filtering shock and awe campaign, will fold tents and leave the Internet. Good luck with this.

Friend or Foe?

Sadly, SOPA proponents neither know nor respect their friends nor do they distinguish friend from foe. Individuals who oppose SOPA are portrayed as "pro-piracy", insensitive to the harm and loss musicians suffer, and other equally ludicrous characterizations. 

Does anyone seriously think that the best Internet and security minds in the world have never considered broad brush filtering of domain names as a measure to stop online piracy? We have, and we concluded long ago that this measure will not work, is not scalable or enforceable, and not without consequences. Despite this, SOPA proponents argue something along the lines of "despite the warnings and criticisms you've offered regarding DNS filtering we still want to add the considerable weight of federal legislation and force everyone to use it because doing this is better than doing nothing." In doing so, these proponents dismiss and disrespect the members of the technical community that work daily to defeat all forms of online criminal activity. Ironically, some of these members are employed by the very organizations most vocal in supporting SOPA, and they are probably collaborating with security and law enforcement to takedown a piracy site as you read this article.