Life, liberty, and Net anonymity
Janet Reno is on a tear
Internet anonymity. Somehow the recent denial-of-service attacks are
supposed to buttress the assertion that anonymity online is a
problem" that law enforcement needs new laws, new budget, and
new tools to solve.
Let's get two things straight. First, anonymity is not a thorny
problem, it's a basic
American Constitutional right. Second, the methods used by the unknown
DoS perpetrators to cover their tracks had very little to do with anonymity.
The right to speak anonymously has long and deep roots in this
country, beginning with Thomas Paine's polemic Common Sense, which
he published as "An Englishman." As recently as 1995 the US Supreme
that the Constitution grants citizens the right to
speak anonymously. Abolitionists and reformers have used anonymity
to avoid retribution, as have oppressed Kosovar Albanians in the
present day. Alcoholics, victims of abuse, and whistleblowers benefit
from anonymity both on the Net and off. News reporters' sources
enjoy extra-strength guarantees of anonymity via the First
Amendment. Weakening online anonymity could weaken these guarantees
by the argument that on the Internet everyone is a publisher.
Let's look at some of the techniques the DoS perps might have
employed to hide so completely.
A big part of their stealth was built into the tools they used to
bombard eBay.com, Yahoo, and the other victims. Distributed
denial-of-service tools such as
are carefully designed to baffle tracing and detection. The Net
traffic that clogs the victim's network comes from many compromised
"zombie" systems. In one mode of attack each Internet packet the
zombies send appears to originate from a different, random IP
address. Each zombie is triggered to attack by a single, short,
possibly encrypted command sent from yet another compromised system
(the "master") somewhere on the Net. The zombie machines are all
listening for this command on a port whose number is known only to
the perpetrators. Users of the zombies might not even notice any
slowdown while their machines are bombarding a victim.
The perps enlisted probably hundreds of innocent machines around the
Net as zombies to carry out the attacks. Some were at universities
where security may take a back seat to open access. They discovered
and compromised these victim machines in advance, up to several
months before the attacks were mounted.
Here's how a careful system cracker might have proceeded to generate
a zombie army.
- Start with one of the AOL 500-hours-free trial CDs that now
blanket North American to an approximate depth of three feet.
- Or use a previously compromised dial-up account whose details you
learned in an IRC chat room.
- Probe, visit, crack, and infect systems on the Net only through a
chain of at least 3 previously compromised systems, preferably on
- Encrypt every session by using ssh -- never telnet -- to hopscotch
across the "owned" systems.
Once a new system was penetrated, it would be infected with a "root
kit," replacing a dozen or more system programs with back-doored
versions that look and smell identical. (Root kits are easily
available for common Internet operating systems.) Finally, on the
way out the door our perp would alter system log files so that no
trace of the visit would linger.
The DDoS perps may have done by hand all the work of compromising a
few hundred systems. But some
that automated tools exist that can root-compromise large numbers of
systems and automatically install DDoS agents. (If such tools do
exist, they are closely held.)
In this scenario our perps didn't gain any particular advantage
from anonymity. Their invisibility relied on craft, guile, and
clever programming (not necessarily their own). What benefits would
law enforcement derive from limiting Net anonymity? If US laws were
passed requiring an ironclad and verifiable identity for every
Internet user, any person in one of 260-odd other countries could
still remain anonymous. If every device on the worldwide Internet
were required to generate a unique ID, how would you force every
piece of software to do the same? If every US ISP were required to
keep detailed records the way phone companies must, how would you
track someone who didn't enter the Net through a US ISP?