This is the question-and-answer part of the talk, which turns into a debate between CloudFlare's Matthew Prince and Brian Krebs over accusations made earlier in the presentation.
Question from Matthew Prince: So, Brian, you reached out to me and I actually wrote back to you trying to schedule some time to call, and you never called me. So, where would you draw the line? If someone, let’s say The New York Times put an article up and said: “Here’s how you launch a DDoS attack,” – I know you wouldn’t take that down; if there were merely an advertising site that said: “We offer great DDoS, call this phone number,” – would you knock that offline?
Brian Krebs: I don’t know…
Matthew Prince: So, again, what I’m going to say is these aren’t simple questions, and I’m totally happy to have this discussion. You know, we have 1.5 million customers, among them the Turkish government, the Muslim Brotherhood – organizations that do suppress freedom of speech and cause me great consternation – use us like crazy. And so, I’d love to have this discussion with you and I proposed some times that you could call me, and you never called. That was very sad. And if you’d like to talk, I’d be happy to do this. But it’s not an easy position that we sit at. So, I appreciate this, and this is great work.
Brian Krebs: So, is there any interest in taking down the booter sites?

Matthew Prince: Again, my Ops team would love me if I took all the booter sites off CloudFlare. We hate this. They don't pay us. If they do pay, they pay with stolen credit cards, so that's just a disaster. So, you know, what I would love is due process to work its way through. I think it's really tricky when private organizations act as law enforcement, and so we try to follow what is due process.
Brian Krebs: Have you gotten any requests from law enforcement to take down any booter sites?
Matthew Prince: We've gotten two different types of requests. This is something that I would have loved to talk to you about if you'd ever called me. I looked the emails up and I was like: "Did I drop the ball somewhere?" But three emails with specific times: "I'm available at any of these times" – but who needs to actually ask questions as a journalist? So, we have two issues. Sometimes we have law enforcement issues that ask us to take things down, and we have court orders, too. Strangely – and again, this is the "rock and a hard place" – we sometimes have court orders that order us to not take sites down. For example, the Carderprofit site, the FBI's site – that was a CloudFlare customer.
Brian Krebs: I understand. So, the answer to the question is No?
Matthew Prince: No, we’ve had court orders and we comply with every court order that we receive unless we feel that it’s truly abusive, and this case is related.
Brian Krebs: Booter-related?
Matthew Prince: Again, what’s a booter and what’s not a booter? There have been some hacking-related sites that we have been asked to take down.
Brian Krebs: Any other hecklers out there? There must be more hecklers, come on!
Question: How long do you estimate it’s going to take those script kiddies to smarten up? Maybe law enforcement should be asked to investigate who’s been doing those things on the Internet?
Brian Krebs: Are you asking about OpSec?
Question follow-up: No, it’s not me and not you. There’s obviously no problem with OpSec there. What I’m trying to say is that they might take it further than just swatting people. You know, we all started as script kiddies.
Brian Krebs: …Like send heroin to your house, something like that?
Question follow-up: I mean, if you’re not law enforcement, you shouldn’t maybe act like them, because they are acting within a certain legal framework, and the rules are supposed to be the same for everyone. And the kiddies abusing the rules is probably not a good idea. And I believe in leading by example.
Lance James: It’s funny because it’s sort of a dichotomy. There’s really bad OpSec where they hide behind the legal. So you are getting this trade-off, like: “Yes, you know who I am but what are you gonna do about it?” Which is kind of a teenage mentality in some sense, right? I think here’s the problem – I was discussing this with a law enforcement guy who was pretty innovative – and I was like: “Look, we could actually make a simple anti-swatting thing, a website that basically he (Brian) can sign up to and says this happens.”
And if you look at swatting, TTY terminals or what’s been used – there’s no voice in the phone; the only voice you have is an operator on the other end. And you can sit there and say: “I don’t want to be swatted, I’m going to put my name on this, I’m likely a target.” And you can start building a cognitive awareness as to the 911, saying: “Hey, send a SWAT,” or “Here’s an authentication method of calling back”. And the problem is they said: “Now you’re asking the 911 dispatching to slow down something.” Now, the only time we’re going to actually really stop this problem or start solving this problem is when someone gets shot.
So, when I looked at what happened to Brian, I’m like: “This is bordering on terrorism.” It may look like a bullying thing to those kids because all they see is their computers and this tool, and it sounds cool. So, yes, I expect that we have to find this balance, and all of us – law enforcement, the InfoSec community, journalists, etc. – are trying to come together. That’s why these conferences exist so we can sit there and have discussions with Matthew over here and maybe figure out how we can find this balance that will still protect people, especially as you’re seeing more kinetic incidents happening with cyber. I think, as we go along, that’s the idea – we’re trying to preemptively do this. And that’s why these arguments come up.
Question: Where do you guys draw the line between DDoS attacks and adequate, perhaps similar, response in return: like if they DDoS’ed me – I’m gonna DDoS them?
Lance James: I think that’s a terrible idea because you continue the retaliation. There are a lot of lines. The work I do is behind a lot of legal things; there are a lot of permissions gotten, steps to take, and things like that. A lot of it is very passive forensics. And, really, when I worked with Brian we handed all of this to the law enforcement. I don’t know whether CloudFlare is with this, but I do work a lot with their abuse team and I happily report issues there. And I expect them to do what they’re supposed to do on their end. But that also comes down to their business, and it’s like different pieces. If things start getting hard, you want to push harder and figure it out; or you get creative and figure out how we get movement on stuff. It’s not a right-away process, it is law enforcement; and it is a due process, it’s not always where we want to be. So, I don’t know where there are certain lines, but it really is down to an individual situation in most cases as long as you know where you’re supposed to stop and what your duties are.
Question: Lance, you made your investigation look really easy, which to me means that you showed real-time access to data, passwords in the clear. So either this kid was really dumb and he didn’t configure anything – you could just grab the files, or you have some kickass tools and know the right people. Which one was it?
Brian Krebs: A lot of these booter services are based on the same source code, which is now open source. So, what you tend to find is the same vulnerabilities across multiple services.
Comment: I was just going to respond to one of the questions out here. We have responded to a lot of different incidents where there was kinetic option given to our clients. There is not an answer for every single incident. But the problem we’re dealing with in different scenarios is – this is either going to be the state department issue with your government or a law enforcement issue with your government. Either way, you’re not going to be getting justice for a minimum two years most of the time. And if your intellectual property is walking out the door, what’s that doing to, you know, the 10-year turnaround time on your return on an investment for your intellectual property?
You have different options in different countries, just by the nature of how those different countries operate when you’re dealing with international incidents. So there is a place, in my opinion, for the free market to maybe show up to some sad bad guy, buy him a beer and say: “We know what you’re doing – please stop!” It doesn’t mean we totally turn around on the other side, but I think you guys can get creative on some of these problems.
Brian Krebs: Thank you guys for your attention!
Read previous: Spy-jacking the Booters 6: Types of DDoS Used