Friday, August 07, 2009

Dood...We Were Jobbed.

Say it Ain’t So, Joe(job)
If you’re a fan of the micro-blogging medium Twitter, I think you’d agree that yesterday morning was just a bit of a bummer. Our Daily Affirmation-in-a-(Dialog) Box was wrested from us for better than six hours (depending on your locality) by what was originally assumed to be a coordinated DDoS (Distributed Denial of Service) attack on several social media vehicles, including Twitter, Facebook, LiveJournal and YouTube, but which is now believed to actually have been directed at silencing the political views of one individual: a well-known anti-Russian blogger, who has been particularly vocal in his criticism of the Kremlin’s policies toward the Republic of Georgia. I actually found that somewhat easier to stomach than the usual ‘because I can’ reasons many hackers choose as motivation for their mischief.

But politics aside, what I found most appalling of all wasn’t the kill-the-fly-with-a-hand-grenade approach that was taken in carrying out their mission, but rather the mindless assist these hackers got from the general public in accomplishing it.

This was no sophisticated surgical strike of technical programming prowess, folks. It was a freaking ‘Joe job.’

What’s a ‘Joe job?’ you ask? Well the term was a new one on me too until I read this newsflash from the British IT website, The Register. To quote the author, “Joe jobs are spam messages that are designed not to push Viagra but to induce someone to click on a link in the hopes of harming the site being linked to.”

Sounds harmless enough. I mean, we’ve all received and deleted hundreds of these spam emails over the years; even more that we don’t see are corralled by our email client’s spam filters. But should one or two a day slip through, we know not to even open them, much less click on the links they offer, right? I mean what are we, stupid?

Um...weeeel...

Dis and DDoS
DDoS attacks are usually carried out by malicious software (‘bots’) hammering a particular web site or service with a flood of requests over a short period of time; the result is overloaded servers and a target site that can’t be reached. Since DDoS bots can’t be everywhere, and are therefore traceable by IP address, their attacks are usually short-lived. In this case, however, the attackers were people all over the world who didn’t even realize they were attacking. And when thousands of people worldwide click the same links at essentially the same time, the impact is virtually impossible to combat; you just have to wait it out and hope that the damage of being out o’ commission was minimal.
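As an added illustration of the distinction drawn above (not code from the original post), here is a small Python script that runs over constructed web-server log lines and reports whether a spike is concentrated on a few source addresses, as a bot flood would be, or spread across many one-hit visitors, as a joe job would be. The log format, the TEST-NET address ranges, the webmail referrer and the 0.5 concentration threshold are all assumptions.

```python
from collections import Counter
import re

# Common Log Format with a trailing referrer field (constructed samples below).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \d+ "([^"]*)"')

def make_sample(ips, referrer, path="/status/123"):
    """Build constructed log lines: one GET per entry in ips (timestamps are dummies)."""
    return [f'{ip} - - [06/Aug/2009:09:{i % 60:02d}:00 +0000] "GET {path} HTTP/1.1" 200 512 "{referrer}"'
            for i, ip in enumerate(ips)]

# Botnet-style flood: 40 hits from only three source addresses (constructed, TEST-NET range).
BOTNET_LOG = make_sample([f"203.0.113.{i % 3 + 1}" for i in range(40)], "-")
# Joe-job-style crowd: 40 hits, each from a different address, arriving via a webmail referrer.
JOEJOB_LOG = make_sample([f"198.51.100.{i + 1}" for i in range(40)], "http://mail.example.net/inbox")

def parse(lines):
    """Return (ip, path, referrer) tuples for lines that match the log format."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits.append(m.groups())
    return hits

def profile(lines):
    """Summarise how concentrated the traffic is: few IPs with many hits, or many IPs with one hit each."""
    hits = parse(lines)
    by_ip = Counter(ip for ip, _, _ in hits)
    total = len(hits)
    top3 = sum(n for _, n in by_ip.most_common(3))
    return {
        "requests": total,
        "distinct_ips": len(by_ip),
        "top3_share": top3 / total if total else 0.0,  # fraction of hits from the three busiest IPs
        "hits_per_ip": total / len(by_ip) if by_ip else 0.0,
    }

def classify(lines, concentration=0.5):
    """Label a spike. The 0.5 threshold is an assumed cut-off, not a published figure."""
    p = profile(lines)
    if p["requests"] == 0:
        return "idle"
    # Bot traffic shows up as a handful of addresses hammering the site; those addresses can be blocked.
    if p["top3_share"] >= concentration:
        return "botnet-style"
    # A joe job looks like a flash crowd of ordinary users, one request each, with nothing to block by IP.
    return "joe-job-style"
```

The joe-job sample is the awkward case the post describes: every source looks like a legitimate visitor, so IP-based blocking has nothing to grab onto and the useful signal is the referrer and the sudden arrival time, not the address.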

So there you have it. What we thought were the coordinated efforts of cunning hackers in the shadows, perhaps making a power statement on the highly visible stage of the social media Web, now appears to have actually been an old-school, comparatively unsophisticated attack that became insurmountable only through the unwitting collaboration of thousands of know-nothing link-clickers in broad daylight.

The Register article explains:
"This was not like a botnet-style DDoS; this was a joejob where people were just clicking on links in email and the people clicking on the links were not malefactors. They were just the sort of idiots that click on links in email without knowing what they are."
Bill Woodcock, Research Director, Packet Clearing House
Now I don’t know about you, but THAT pisses me off a helluva lot worse than the thought of some pimple-faced hacker dude, holed up in his Mom’s basement, hatching a plan to receive his fifteen minutes of fame.

But whatvs. People either get it or they don’t. But if they don’t understand the implications of their carelessness now, will they ever learn?

When will folks understand that clicking on links in emails you receive from unknown sources just to see where it goes is about as smart as sticking your finger in a light socket just to see if it’s on?

♫ And I get on my knees and pray...We won’t get fooled again ♪
Y’know, I can’t help but think the person or persons who actually launched this joe job are feeling like they just won the lottery. They must be bustin’ their buttons over their unexpected brilliance right about now. I mean this has gotta be better than Christmas for these guys.

Not so much for the rest of us, however.

Traditional DDoS attacks can be mitigated. User carelessness/stupidity cannot.

You don’t think other would-be copycat hackers are taking notes here? I mean, c’mon people.

Look before you leap.

Think before you click.

Google before you ogle.

This scenario could (and likely will) be repeated. It’s up to us to defuse the idiot-bomb before it explodes in our faces once again.

WE caused Twitter, Facebook and the others to go down.

WE were the ones who made Joe Hacker’s job easier than it should have been.

And WE can be the ones to keep it from happening again.


finis