“Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet.”
— Bruce Schneier
For example: Opponents of the Linux-based DVD playing program called “DeCSS” won a court case and then tried to eliminate the program from the net. So clever hackers wrote another “DeCSS,” a mostly worthless program that had nothing to do with DVD technology, and spread it online far-and-wide to make it difficult to find the contraband version.
Another group encrypted the original DeCSS source code by splitting it up and cryptographically embedding it in the image encoding of a picture of a cow — and then set up a service that attached alternate halves of this image to comments emailed to the U.S. Copyright Office. These comments became part of the public record, thereby enabling anyone with the encryption key to view the DeCSS source code. The DeCSS opponents would have to break the encryption to see that the “illegal” code had been distributed, though, and their own legal argument was that this sort of encryption reverse-engineering is illegal copyright infringement, so although they’d rather squelch the distribution, they’re in a bit of a bind.
Creative thoughtcriminals have also represented the DeCSS algorithm printed on the front of a T-shirt, discovered in the digits of a prime number, as a 43,016 base pair DNA sequence, recorded as a spoken prose-poem, and sung lyrically, among many other possible renditions. The idea being that at least one of these is likely to fall under the alleged free-speech protection of the U.S. Constitution (or alternately, that we can all be amused as Congress makes the publication of a prime number illegal). David S. Touretzky’s Gallery of CSS Descramblers keeps a running tab on these methods.
The artists’ group etoy had been on-line with their web site for two years before the eToys company was formed with an on-line toy store. Still, eToys felt it was within their rights to shut down the etoy site for infringing on their brand new brand name — they sued and won a temporary injunction.
Network Solutions, the company that supervises the assignment and maintenance of domain names (like “etoy.com”) was just getting started in the rolling-over to corporate interests business, but they got the hang of it quick. They shut down the etoy.com domain.
This infuriated on-line activists, like John Perry Barlow of the Electronic Freedom Foundation, who were horrified by the idea that a corporation could form in the U.S., adopt a trademark, and then use that to steal the site of a previously established Swiss group with a similar name.
Rather than attack in the courts or the arbitration system of Network Solutions, both of which are hopelessly biased in favor of business interests — friends of etoy went on the offensive in their own way — launching what they called TOYWAR:
“TOYWAR worked like a swarm of bees. hundreds of well-informed people and media experts contested the aggressor on every level… result: within 2 months the eToys Inc. stock (NASDAQ: ETYS) dropped from $67 (the day the battle started) to $15 (the day eToys Inc. finally dropped the case). TOYWAR was the most expensive performance in art history: $4.5 billion in damage!”
Most cyberterrorist stories are ignorant scaremongering, but Jim Bell invented an interesting theoretical protocol by which a widely distributed group of people could conspire, more-or-less out in the open, to put out a contract on the life of the President of the United States or some other such figure, and get away with it.
Q: What’s worse for the reputation of your company than having to put up with a parody web site that mocks its unethical behavior? A: Trying to shut the site down.
One of ®TMark’s parody sites, World Trade Organization / GATT, so smoothly parodied the real WTO site that the organizers of the Conference on International Services in Salzburg, Austria mistakenly invited a hacktivist from the site to speak at the session on international trade. Hilarious hijinks ensued, naturally, as the speaker — “Dr. Bichlbauer” — modestly proposed what the rest of the WTO more immodestly insists (“The essential thrust of his speech appeared to be that Italians have a lesser work ethic than the Dutch, that Americans would be better off auctioning their votes in the Presidential election to the highest bidder, and that the primary role of the WTO was to create a one-world culture,” one worried conferencee wrote).
The same group, or a similar one anyway, was mistakenly invited to send a speaker to an international textiles conference. They sent Hank Hardy Unruh. “Hank argued that the U.S. Civil War (in which slavery became illegal) was a useless waste of time and resources, because slavery (imported labor) would have eventually been replaced by the much cheaper system of remote labor — like we have in sweatshops today.”
That lecture ended with a confederate ripping off Hank’s business suit to reveal the “Management Leisure Suit” of the future - a comically phallic virtual panopticon in vivid gold.
In 1986, a fellow going under the name Captain Midnight took over the HBO network’s satellite signal and used it to broadcast his own message.
A couple of years earlier, the outlawed independent Polish labor union Solidarity figured out how to break into the official government nightly television news broadcasts. According to one account:
Soon after the seven o’clock television news began, a printed legend, “Solidarity lives,” flashed quickly but legibly over the head of the announcer. After a short interval another message appeared saying, “Listen to Radio Solidarity in half an hour” and giving the frequency that would be used for the broadcast.
The way some search engines work is this: if they find that a word or phrase, such as “hacktivism” is linked to a page like this one, they assume that someone has categorized this page as a “hacktivism” page, so if you enter that word in the search engine, it’ll list this page as being one that may very well be the one you’re looking for.
Makes sense, but when HugeDisk linked the phrase “dumb motherfucker” to the George W. Bush Online Store, that’s what unlikely seekers of “dumb motherfucker” were shown as Google’s best guess of what they were after.
The on-line bookstore Amazon was hacked in a similar way when their recommendation system suggested that purchasers of evangelist Pat Robertson’s Six Steps to Spiritual Revival might very well also be interested in The Ultimate Guide to Anal Sex.
There’s some incipient guerrilla webfare that involves flooding websites with spurious requests for data — the tactics and countermeasures are a virtual arms race that’s interesting to watch. See, for example, the electrohippies.
And a 14-year-old guerrilla geek from Israel penetrated and wiped out an Iraqi government web site by impersonating a Palestinian bent on doing the same damage to Israeli sites.
More recently, hackers on both sides of the Israel / Palestinian conflict have been hacking one anothers’ web sites and engaging in other such hacktivist attacks. 2003 saw the Yaha worm enlisted to serve India in its battle against Pakistan.
Not to be outdone by freelancers, the government of Indonesia organized “lightning simultaneous attacks from countries as far apart as Australia, Japan, Holland and the United States” on computers in Ireland that were supporting the then-virtual country of East Timor.
Read more about “netwar” in the RAND publication The Zapatista “Social Netwar” in Mexico.
To trip up the spambots scanning the web for email addresses, some bright CGI artist came up with a page that contains randomly-generated email addresses and a number of links that point back to the same page. Address-harvesting robots get caught in an endless labyrinth of pages. Here’s a good example. (More anti-spam resources can be found at this page)
Two popular Chinese blogs pretended to have been shut down by the authorities as a way of calling attention to political blogs that had been censored.
Extra credit assignment: The Mesh and the Net: Speculations on Armed Conflict in an Age of Free Silicon.
The use of memetic warfare — crafting self-perpetuating propaganda viruses — is emerging as an artform with thusfar mostly unharnessed potential.
Bruce Schneier, chief technologist for Counterpane Internet Security, calls these sorts of things the third wave of network attacks. The first wave was attacks against the computers and wiring themselves, the second wave was attacks against vulnerabilities in the software and network protocols, the third wave (“much more serious and harder to defend against”) “comprises semantic attacks: attacks that target the way we, as humans, assign meaning to content.”
One possible example of this sort of thing was The Deadly AOL.EXE Virus of 2001 — a joke perpetrated by Ray Owens on his Joke A Day site that took on a life of its own. The joke, in the form of those mosquito-like “email virus” urban legends, urged readers to delete a file called “AOL.EXE” from their machine or risk triggering a virus that would mess up their machine and sap their intellect. Predictably, the joke morphed into the form it was parodying, and was forwarded to the inboxes of AOL subscribers, some of whom did delete the file and found themselves no longer able to get on-line.
|On This Day in Snigglery||July 15, 1998: The Nevada Democratic Party tries to place an embarrassing personal ad in the Reno News & Review in the name of a Republican Congressman — but they’re caught when a reporter traces the fax number. (See Guerrilla Hacks for more on this sort of thing)|