At the GNU Public Dictatorship we are nothing if not grateful for your support, as the open source model demands the participation of all. After our post yesterday about the Paper-Based Junkmail Distributed Denial of Service attack (PBJ DDoS) we received a great deal of information from you, helping us to fill in the missing details.
Many of you indicated that you had been recruited via paper mail to send letters on behalf of a mailing company, and that you had been promised that you would receive compensation for the materials. All but a very few of our supporters ignored the letter and soon forgot about it. A few of you, however, did as the letter suggested. (Note: Our lawyers would like to point out that those who did as the letter suggested are more aptly labeled "former supporters" of "provisional supporters" as their lack of judgment in this case calls into question their fitness for the New Future)
Based on our research, it appears that the entity behind this campaign was none other than the New Company, and that they thought they would avoid our scrutiny by using nearly-obsolete paper mail. They did use one of their sister companies to avoid the liability from the sure-to-come lawsuits, but it was clearly carried out on the orders of the New Company. They appear to have purloined postage from several legitimate enterprises to send their solicitations, and they appear to have, not surprisingly, not paid any of their recruits.
The total cost to the New Company for this attack, then, was minimal. They effectively distributed the postage cost to their recruits, and they even made the recruits use their own toner and paper to print the letters, essentially creating a botnet out of unsuspecting individuals around the world. We had hoped that some of the letters had come from actual robots, but I guess we can't always get our way. Here's hoping that next time someone launches a PBJ DDoS that it will use real robots!
Wednesday, October 29, 2014
Tuesday, October 28, 2014
A Paper-based Distributed Denial of Service Attack
In yesterday's post we alluded to "technical difficulties" that have kept us from posting regularly to this forum. In fact, we hadn't been able to post here since August 22, 2014, and before that May 16, 2014. This was not, unfortunately, by design.
In early May of this year our local GNU Public Dictatorship offices around the world began to report an elevated level of submissions via paper mail, and asked for some extra assistance getting through the correspondence. Consistent with the GPD's operating guidelines, we began to distribute our staff around the world and asked them to help with the massive influx of paper mail. This approach appeared to work quite well initially, and our posts continued as normal, but as the volume increased at local offices our staff became more and more spread out, and, unfortunately, the communication lines we normally use to keep this sort of attack from being effective were strained so much by the influx of paper mail that it began to break down. During the weekend of May 16, 2014, these communications were completely cut off, but we didn't learn of the lapse in communications for another four days. At that point, we switched gears into incident cleanup mode, but due to the volume of mail and the unfortunate distribution of our staff it took several months to get the lines of communication back up.
We believed we had stabilized the situation and we were able to post on August 22, 2014, but it soon became clear that another wave of attacks was just beginning. This time we were much more prepared, but due to the nature of the communication we receive it became apparent that we couldn't just recycle all of the correspondence we had received. It has taken the last two months to clean up the piles of paper mail we received and to simultaneously implement some controls to prevent this situation from occurring again. At this point we believe we have the protocols in place to not be taken by surprise again.
We have learned several lessons from this attack, but the outstanding questions we are trying to adequately answer are:
In early May of this year our local GNU Public Dictatorship offices around the world began to report an elevated level of submissions via paper mail, and asked for some extra assistance getting through the correspondence. Consistent with the GPD's operating guidelines, we began to distribute our staff around the world and asked them to help with the massive influx of paper mail. This approach appeared to work quite well initially, and our posts continued as normal, but as the volume increased at local offices our staff became more and more spread out, and, unfortunately, the communication lines we normally use to keep this sort of attack from being effective were strained so much by the influx of paper mail that it began to break down. During the weekend of May 16, 2014, these communications were completely cut off, but we didn't learn of the lapse in communications for another four days. At that point, we switched gears into incident cleanup mode, but due to the volume of mail and the unfortunate distribution of our staff it took several months to get the lines of communication back up.
We believed we had stabilized the situation and we were able to post on August 22, 2014, but it soon became clear that another wave of attacks was just beginning. This time we were much more prepared, but due to the nature of the communication we receive it became apparent that we couldn't just recycle all of the correspondence we had received. It has taken the last two months to clean up the piles of paper mail we received and to simultaneously implement some controls to prevent this situation from occurring again. At this point we believe we have the protocols in place to not be taken by surprise again.
We have learned several lessons from this attack, but the outstanding questions we are trying to adequately answer are:
- Why would someone launch this attack, at such great expense to themselves as postage for billions of letters starts to get expensive?
- How many people were involved?
- Were the people involved part of a botnet?
- Were the people involved actually robots?
We do know that the attack was a well-coordinated distributed denial-of-service attack, the likes of which are unprecedented in the world of paper mail, We will provide more detail as we get it!
Monday, October 27, 2014
"Elections" are coming up very soon!
As most of you are already aware, the "elections" to the GNU Public Dictatorship's Board of Dictators are coming up next month. The deadline for applications to be considered is Saturday, November 8, 2014 at midnight UTC. Due to some technical difficulties that will be expounded upon in future posts we have not been able to post about this in this forum, but, lest you complain about the short notice let us remind you that this information has been available at your local GPD County Offices for several months, and had you been a more active participant in world affairs you would have known about this earlier.
As a quick reminder, the "elections" to the Board of Dictators are not your typical democratic elections. Instead they combine the best of democracy, the open-source movement, and the management practices that high-performing corporations and dictatorships employ and that universities use for admissions. The first step is the application, which is about as democratic as it can get. Anyone is welcome to submit an application, and there are no fees to process the application. The next step is a thorough review of the applications. The purpose of this review is to separate the "serious" applicants from those who are applying for the wrong reasons. This is not, however, a thorough background check; it is more like a checksum or a consistency check on the application. We don't verify that everything you say in your application is true and that you, the applicant, is who you say you are. We simply verify that the application taken as a whole makes sense and appears to be complete. Once the serious applicants are identified, the claims made in those applications are evaluated in depth. During this evaluation the applicants are notified that they are being seriously considered for membership in the Board of Dictators, and various "tasks" are assigned to them and their performance evaluated. These two steps are probably the third and fourth steps of the process, but they are so intertwined that it's hard to say which is the third and which is the fourth. The fifth step, should it be necessary, is to take any applicants who have performed adequately on their "tasks" and whose claims are awesome enough to warrant it and to discuss them in a special formal meeting of the Board of Dictators. If a qualified applicant is found and all members of the Board of Dictators agree that the applicant is a good match for the GPD, the applicant is made a provisional member of the Board of Dictators. If they continue to perform adequately, they will be made full members of the Board of Dictators at some future time.
As you can all see, this process is clearly better than a simple "first past the post" election system, where voters are often asked to choose between terrible candidates but are not given the choice to say "none of the above." At the GPD we are nothing if not dedicated to excellence!
Application materials are available here (note that they are the 2012 forms, which is okay as no applicants were "elected" during that cycle):
As a quick reminder, the "elections" to the Board of Dictators are not your typical democratic elections. Instead they combine the best of democracy, the open-source movement, and the management practices that high-performing corporations and dictatorships employ and that universities use for admissions. The first step is the application, which is about as democratic as it can get. Anyone is welcome to submit an application, and there are no fees to process the application. The next step is a thorough review of the applications. The purpose of this review is to separate the "serious" applicants from those who are applying for the wrong reasons. This is not, however, a thorough background check; it is more like a checksum or a consistency check on the application. We don't verify that everything you say in your application is true and that you, the applicant, is who you say you are. We simply verify that the application taken as a whole makes sense and appears to be complete. Once the serious applicants are identified, the claims made in those applications are evaluated in depth. During this evaluation the applicants are notified that they are being seriously considered for membership in the Board of Dictators, and various "tasks" are assigned to them and their performance evaluated. These two steps are probably the third and fourth steps of the process, but they are so intertwined that it's hard to say which is the third and which is the fourth. The fifth step, should it be necessary, is to take any applicants who have performed adequately on their "tasks" and whose claims are awesome enough to warrant it and to discuss them in a special formal meeting of the Board of Dictators. If a qualified applicant is found and all members of the Board of Dictators agree that the applicant is a good match for the GPD, the applicant is made a provisional member of the Board of Dictators. If they continue to perform adequately, they will be made full members of the Board of Dictators at some future time.
As you can all see, this process is clearly better than a simple "first past the post" election system, where voters are often asked to choose between terrible candidates but are not given the choice to say "none of the above." At the GPD we are nothing if not dedicated to excellence!
Application materials are available here (note that they are the 2012 forms, which is okay as no applicants were "elected" during that cycle):
Version | Word | |
US | US2983-2012M | US2983-2012M |
International | W2983-2012J | W2983-2012J |
Subscribe to:
Posts (Atom)