Using a misconfigured, unmanaged DNS server is like stealing a car


One of my pet peeves is the use of "real world analogies" in technological articles, especially those dealing with piracy and computer security. More often than not, it is a technique used to associate something benign with a much harder crime, probably to try to justify the time and money wasted on the topic.

[Image: piracy warning, "you would not steal a car". Caption: Downloading for free is stealing]

On May 13th, Brian Krebs published a detailed article on his website about the world of “bulletproof hosting” providers, companies that host content on the web without asking too many questions. Krebs also writes a bit about the attack aimed at Spamhaus, a non-profit fighting against spam, which suffered a massive DDoS attack earlier this year.

While the article is fascinating, and I invite you to read it to learn more about "DNS reflection and amplification attacks", I found this quote by Rodney Joffe, vice president and senior technologist at Neustar:

“If you want real world analogues you can say, hey, that car was left open so I broke into it,” Joffe said. “That’s like saying, hey, all I did was open the car door, put a brick on the gas pedal and let the car run down the road and smash into someone’s house, but the guy who owned the car shouldn’t have left it unlocked. Put another way, just because I have a non-functioning lock on my door doesn’t give you permission to use my property.”

Rodney Joffe, Neustar

Here, we show the attackers as people who would send a car into someone's house, which doesn't make much sense. But what I find really infuriating is the fact that, once more, we put the blame solely on the attackers, and not on the guys who kept their servers misconfigured and open to whoever.

It's the same thing with hacking websites: I used to read titles like "a teenager hacks into company X's website". When I read that, I don't think "Oh, criminality is really getting worse", I think "who are the idiots managing this website, that a teen can hack into? Do they keep information on their customers? What was stolen?".

With more computers connected to the internet each day, botnets and distributed attacks are getting more powerful. I don't think it's too much to ask that everyone do their part to keep the internet secure. If you like real world analogies, I prefer this one: "using someone else's DNS server is like using someone's gun to rob a store. The gun that the guy kept on his lawn, loaded, with no one watching and no security measures".