On The Digital Life podcast this week, we discuss the distributed denial of service attack (DDoS) that took down the Internet on the East Coast for a sustained period of time last Friday. Dyn, a Domain Name System (DNS) services company from New Hampshire was hit with multiple waves of attacks on its Internet directory servers.
This DDoS attack was propagated by an IoT botnet — essentially webcams, DVRs, and routers from all over the world — that were infected with malware. This is a very public example of an IoT outcome that was malicious rather than beneficial, an interesting case study for this emerging technology that raises serious questions about its future implementation.
Jon: Welcome to Episode 179 of the Digital Life, a show about our insights into the future of design and technology. I’m your host, Jon Follett, and with me is founder and co-host, Dirk Kmemuyer.
Dirk: Greetings, listeners.
Jon: For the podcast this week, we’ll discuss the distributive denial of service attack that took out the Internet on the East Coast of the United States on this past Friday. The attack was aimed at DYN, which is an Internet infrastructure company, which is actually in New England. It’s in New Hampshire. They offer DNS services or domain name services. There are these multiple waves of attacks on their Internet directory servers, just this deluge of malicious requests. It totally disrupted their DNS servers and equivalently took out the Internet for a little while. What I think is interesting about this particular attack, aside from the fact that it shut down the Internet for a large number of people on the East Coast, is that it was propagated by this Internet of Things, this IOT, Bot Net. Essentially things like: your webcam, your DVR, your router. Those can be altered with malicious code, malware. Right? We all hear about malware. It was this Bot Net that was actually attacking DYN, sending all these malicious requests. I thought this was a very public example of an IOT outcome, that is just patently malicious, rather than beneficial. We hear a little bit about the security issues with the Internet of Things. It’s becoming a growing concern. We also hear about how miraculous the IOT is going to be, once everything is wired up. Right?
This is an interesting case study because this is an emerging technology and right now, one of the most public events associated with the IOT is now this Internet outage. It makes you ask a few more questions about the future of this kind of implementation, when you’re talking about smart cities, you’re talking about smart buildings, and what kinds of security concerns there are going to be. Dirk, were you inconvenienced on Friday? Were you trying to get on Netflix or Twitter or something and unable to do so?
Dirk: I got to be honest. I wasn’t even aware of it. I’m perpetually online, so, I’m not sure why that is. It either didn’t hit me or it was so short, that it had no impact on me. The first question, in my mind is, was Vladimir Putin behind it, Jon?
Jon: Oh no. We’re going to go down that rabbit hole. Since everything-
Dirk: I’m trying to make our listeners laugh a little bit.
Jon: Since everything will be blamed on Putin, you know, any sort of internet problem, then we can safely say that that’s probably what the case was. Aside from that, this is a show about emergent technology, and we often, at least I tend to take a sunny-side up sort of view about the great things that we’ll be able to do. It seems to me like, as with a lot of technologies, the hacking community is miles ahead, at least right now. They’re the earliest.
Dirk:Criminals always are. Criminals drive security. Not security drives criminals.
Jon: Yeah, and it’s interesting to me, because you don’t hear … I assume that there are lots of smart traffic flow implementations that are benefiting me in the Boston area. Things like that. I guess, the public nature, this is something that’s almost like, it’s not quite the equivalent of water or electricity, but you sort of take for granted that when you type in your website address, unless you’re on a bad connection, that you’ll be able to get where you need to get. You’re going to do business, your entertainment is online, et cetera. In some ways, it’s like a public utility being taken out for a few hours by a malicious Internet of Things implementation.
Dirk: No I think it is. I don’t think it’s “like”. I think it is. I mean, water, we would literally die without water, so let’s put water aside. Electricity, to me, would I rather have general electricity for other things, or just be able to use the internet? I’d probably pick the internet. I think it gets lumped in. To me it gets lumped in at that level. I think certainly for, or I’m assuming, for our listeners out there. For a lot of knowledge workers like myself. When I do have internet outages, I will tell you, it makes me feel like a comedy character in a dystopian sci-fi show. Which is to say, I’m there just like, “Start working, start working, start working.” It’s not like, you know I go home, “Okay, let me go and read some poetry now,” right? I don’t have this normal flexible response. I’m just like this automaton like, “I need you to start working again. I need you to start working again. I need you to start working again.” Which always makes me feel a little bit self aware, but it doesn’t change my behavior. This may be apropos of nothing, but I think the loss of the internet, I’ll just speak for myself personally, is pretty crucial at this point.
Jon: I guess for me, looking at it in that way, and we’ve talked about hacking public utilities before. We talked about the Ukrainian power-plant that, actually I think it might have been a nuclear power-plant, that was hacked. We’ve talked about-
Dirk: That’s Putin again, Jon. That Putin guy, he gets around baby.
Jon: We’ve talked about these utilities being taken offline by hackers before, but this is now part of the conversation in a way that it was not, say like, 24 months ago. From a design perspective, we’re talking about also our interactions with these utilities, right? As a designer one of the things that you’re considering is how reliable your materials are and if you’ve got applications online. Part of that experience is the always-on connection. That’s what they sell you on when you’re buying SAS software. You can access it anytime. Any place. You can get in. You can see your information. It’s all safe. It’s in the cloud. Now we’re introducing a level of instability that I don’t think has really been thought of for the past decade or so. It’s been a foregone conclusion that you’re going to have an always-on connection, and it’s going to work. This is reminding me in some ways of the late ’90s when engineering around online software anyways, or websites. You built in this idea that the service was not going to be reliable all the time. That was just part of what you lived with, and in part was why the internet was just not nearly as valuable. At the very early stages. Or at least the value was different, right? It didn’t have that same public overlay where everybody could access it. In some ways, I think we’re being introduced to a whole another wave of factors that includes instability with your online presence now. I don’t think this can be ignored. I think this is the first in what is going to be replicated. These kinds of attacks.
Dirk: I think that’s right. I think immunizing ourselves from them will require a change. You mentioned always-on, which is true, but it’s more than just always-on. It’s always-on, and it’s immediate. Which is to say more than just being on. Whenever we want something it just immediately appears. It’s not like we make a request, the request goes away for a while, and then something comes back to us when it’s ready, right? It’s just always ready.
Dirk: You know, we’ve talked about this before, but it’s been a while, so I don’t mind talking about it again a little bit. If you think about in the physical world, how do you protect against viruses? How do you protect against diseases? You need a safe room. You need to go in a place that’s totally cut off from the bad environment and the good environment, and you need to detox. Then you need to take that detox into the good environment, right? Internet is always on. It’s always in and out, and in and out, and in and out. There isn’t that notion, really, of the safe room. The safe room is required, I believe, to make things truly safe. To make things really … To have a chance even to make things bullet proof from hackers. That would by definition require not immediacy in response. It would require things being held up. Being taken into an environment where they could be scrubbed and cleaned and washed. In a world of AI, that starts to become more possible from a speed perspective. Maybe to solve it, there’s a lag in our relationship between sending requests out and getting the information. Getting the transaction back. That would be weird to deal with, right?
Jon: Yeah, and when you think about the value of the services that you consume online, one of those services, certainly, is entertainment. Netflix is the giant in that space. It’s up-ending cable models, and people talk about cutting the cord all the time, right? All of a sudden, if, you’re not able to … Netflix was clearly not accessible to a lot of the east coast for a chunk of Friday. It loses some of it’s shine if you can’t go and watch your show, or whatever it is you want to do on Netflix, when you want to do it. It’s attractive because it’s on demand. It’s inexpensive and you can have it when you want it.
Dirk: Now, acknowledging that this conversation is quickly going way above my pay grade. I’m becoming an ignoramus who’s going to start saying stupid shit. My perception is that a service like Netflix could be relatively immune from that. The virtue of that is it is streaming a chunk of information at you, right? If you assume that all Netflix engineers are not corrupt. If you assume there isn’t hacking going on inside the Netflix organization, they should be able to create a climate that is protected, basically. To take simple data requests from us that aren’t more sophisticated packets, then stream back this giant pipe of, “Here’s The Hunt for Red October.” To name a movie that people [crosstalk 00:12:20]
Jon: Sure. I mean, in this particular example, because it was a DNS attack, anybody who’s going to Netflix.com is not getting there.
Dirk: Amen, amen, amen. From a DNS perspective. I apologize, I’ve sort of gone to more hacking.
Jon:No, you’re right.
Jon: That would be a long term solution. I think part of it is that, at least from what I understand, most of the services are not architected that way to deal with this. This is, maybe not a unique event, but I’ve certainly never heard of an IOT bot net bringing down a large chunk of the internet for people as yet. This was an interesting and new event, at least to me.
Dirk: I’m not sure if it’s unique, but it’s certainly unusual. It’s certainly unusual, and it may be unique in the scale and in the fact that it’s in the United States, as opposed to hitting a smaller, less developed nation. From the standpoint of internet infrastructure and such.
Jon: Right. Ultimately we’ve got to build in this changing landscape. Especially when we’re considering merging technologies like the Internet of Things, which is really just starting to get traction, right? Part of this is all about the trust level. Now, all of a sudden, starting to think about all of the devices in your house that could be infected with Malware. It’s no longer just like, “Okay, we’ve got to make sure your laptop or desktop computer, that those things are scrubbed and cleaned and virus free.” You could have any number of connected devices, whether it’s related to entertainment or home automation or what have you.
I think it, at least for me, starts to introduce questions about what are we wiring up that’s really close to us physically, in our environments, and how sure are we that those things that are getting wired up or safe? Or at least clean? For me, this is almost like the proof of concept, right? The security hack that introduces additional variability, at least from my perspective.
Dirk: We’ve talked a lot about embeddables in the past, and that’s the end game. That’s where these things can take the more dire of turns.
Jon: I’m sure that’s fodder for another show, but yes. You don’t want an IOT bot net that’s made up of a bunch of people’s pace makers. That would seem the worst possible scenario.
Dirk: That might not be good Jon.
Jon: Listeners, remember that while you’re listening to the show, you can follow along with the things that we’re mentioning here in real time. Just head over to thedigitalife.com. That’s just one L in the digitalife, and go to the page for this episode. We’ve included links to pretty much everything mentioned by everybody. It’s a rich information resource to take advantage of while listening, or afterward if you’re trying to remember something that you liked. You can find The Digital Life on Itunes, SoundCloud, Stitcher, PlayerFM and Google Play. If you want to follow us outside of the show, you can follow me on Twitter @Jonfollett that’s J-O-N F-O-L-L-E-T-T. Of course the whole show is brought to you by Involution Studios, which you can check out at goinvo.com. That’s G-O-I-N-V-O.com. Dirk.
Dirk: You can follow me on Twitter @Dknemeyer that’s @D-K-N-E-M-E-Y-E-R. Thank you so much for listening.
Jon: That’s it for episode 179 of The Digital Life. For Dirk Knemeyer, I’m John Follett, and we’ll see you next time.