Weighing in at more than 130 kilograms, or 290 pounds, Kim Dotcom makes an unlikely Christmas fairy. Nevertheless, he cast himself in that role on the weekend by buying off Lizard Squad, the guys who claimed to be running the distributed denial of service (DDoS) attack that was crippling the Sony PlayStation and Microsoft Xbox networks on Christmas Day. Thanks to Dotcom, Christmas went from gameless awful to game-filled awesome. Hurrah!
Everybody wins here, right? Gamers get to play again. Lizard Squad gets 3000 free vouchers for Dotcom's encrypted cloud storage service, Mega. With a list price of $99 each, those vouchers are now being on-sold for $50, potentially netting Lizard Squad a tidy $150,000. And Dotcom gets to do the whole sparkly tinsel thing in the media, boosting his already outsized profile.
No, everybody doesn't win.
In the long term, everybody loses.
We've rewarded a bunch of attention-seeking criminals for their bad behaviour. We've reinforced their particular worldview of how the information security industry operates. We've told them, in a nutshell, that crime does pay. Handsomely. And all that will doubtless inspire copycats -- which is the last thing we need, given that DDoS attacks have been steadily growing in number and severity over recent years.
Last month, independent news sites in Hong Kong that had been reporting the pro-democracy protests there were hit with DDoS attacks peaking at 500 gigabits per second.
"[It's] larger than any attack we've ever seen, and we've seen some of the biggest attacks the internet has seen," Cloudflare chief executing officer Matthew Prince told Forbes. That was up from a 400Gbps attack in Europe in February, and in turn, that was up from the 300Gbps attack against Spamhaus last year.
Lizard Squad claims that their attacks on Sony and Microsoft were hitting 1.2 terabits per second -- more than double the size of the Hong Kong attacks. If that's true, it means these guys are certainly smart. But their media interviews -- yes, I did say they were attention-seekers -- reveal what can most politely be called an excess of bravado.
"Microsoft and Sony are f---ing retarded, literally monkeys behind computers," a Lizard Squad member using the handle Omari told The Daily Dot. "They would have better luck if they actually hired someone who knew what they were doing. Like, if they went around prisons and hired people who were convicted for stuff like this, they would have a better chance at preventing attacks."
Another Lizard Squad member using the handle "Ryan Cleary" -- a reference to the LulzSec hacker of that name who was convicted of possessing child pornography last year -- explained their success.
"We've just got a bunch of people with really particular skill sets, and we've been working to get access to some of the core routing equipment of the Internet," Cleary told The Daily Dot.
"We've got some devices that are connected to the undersea cables that facilitate the internet connects between the United States and Europe. We have access to some of the devices that are in the middle of the ocean that have something like 100 gigabit per second internet connections. Not even the Russian government is doing attacks our size -- they were only managing 100 gigabits per second against some Estonian websites."
Infosec journalist Brian Krebs believes he's identified these Lizard Squad members as a 22-year-old from the UK, and a Finnish teenager believed to be 16 or 17 years old. Surprise surprise, they're typical of the denizens of hackforums[dot]net, which Krebs describes as "a forum that is overrun with teenage wannabe hackers who spend most of their time trying to impress, attack or steal from one another".
Now there's two things that I find most depressing about all this.
First, these attacks are really about a battle between two rival hackers groups, Lizard Squad and The Finest Squad. As Polygon reported, the battle has been running for a month. There's nothing noble here, just some youths out to prove they're as good as they claim to be.
This battle is part of what fuels many DDoS attacks. According to Akamai's State of the Internet report for Q3 2014, some 34 percent of DD0S attacks are targeted at the online entertainment industry.
"Online entertainment attacks are typically motivated by players seeking to gain a competitive advantage over other players and by malicious actors seeking to steal personal data from players. In some cases, malicious actors fuel online entertainment attacks to gain media attention or notoriety from peer groups," Akamai writes.
Second, Lizard Squad sees this world as perfectly normal. When a BBC Radio interviewer suggested that taking the Mega vouchers to stop the attack was "dirty, grubby, greed", one of the two, believed to be Omari, responded bluntly. "Well, that's what happens, I'm afraid. That's what it is like in the security business," he said.
So yes, Kim Dotcom, you stopped the Christmas Day attacks, and parents around the world are grateful. But you've also added fuel to the ego-rich flames of a hacker turf war. This won't end well.