The perils of going it alone

Commenter Patrick suggests that using “commercial” social media platforms leaves the user subject to being censored by the platform owner, and that to be more free one should use blogs and RSS.

The problem with this is amply illustrated by the recent (temporary) takedown of Brian Krebs’ self-hosted blog. His analysis is here. At least with a commercial hosting solution, you’re at the mercy of one, somewhat predictable, potential censor. One that can be named and shamed, or even sued for breach of contract if necessary. If you go it alone, you’re a lot more vulnerable to attack.

It’s all very well and good to say “well, this shouldn’t be possible.” But when you get down into the nitty gritty, it gets a lot more complex. And the easiest (and therefore cheapest) way for your upstream provider to protect their own interests is to cut you off. Facebook, Twitter, and Google can afford to pay for world-class DDoS protection. And, in fact, their “normal” traffic would look like a DDoS attack to Sebastian’s self-hosted solution.

There is no perfect solution, no magic bullet. But the reason people have gravitated towards Facebook and Twitter (and the rest) is that they make a lot of the problems of running an internet presence Somebody Else’s Problem.

14 thoughts on “The perils of going it alone”

  1. That’s always my biggest fear. That the hosting provider will just cut you off because it’s easier than dealing with the issue.

    1. If you read the whole thing, either Akamai cut him off as a very last resort, or didn’t cut him off at all.
      As a security professional in my day job, sometimes you have to take drastic action. We don’t like to do that, though, because it’s hard work, and messy.

  2. It’s an “economy of scale” issue.

    Facebook and Twitter have the corporate responsibility to run extensive security, redundant systems, and distributed data centers and access nodes. More to the point, due to their large user bases and revenues, they have the scratch to do it, too.

      1. His presentation was decent. You might be able to find it online. Look for the CoreBTS security conference and see if the video feed was archived.

  3. You pick your poison. I am in systems security, and do very large systems. I have patents on some arcane but deep technical security stuff. I’m also a former cryptologist.

    So with that out there, I agree that I could not independently withstand even a moderate DDoS attack aimed at shutting down a personal/activist blog. Sure, I could design the solution – I know what to do. But paying for it is something else.

    But maybe I don’t have to: the last time I had to worry about censorship (state gun activism), we decided to use multiple parallel outlets to get information to the people: social media, forums, blogs, signs (yes, actual ink on dead trees) and word of mouth. The technical solutions push data faster but we faced some shenanigans from the other side (limited hacking, DDoS and “other”).

    Channel diversity was the thing that worked. They could DDoS a forum or two (and they did), but we were in a half dozen more. We used TwitBook, but never to exchange detailed planning because we never trusted the security. We even distributed data via SMS to “leaders” who would then copy into another medium of their choice.

    I guess what I am saying is you cannot beat a determined community. We brought thousands to the capitol time and time again, and helped us win a few things we were not supposed to win. Tech helped us, but we never focused on a single platform too long. Yes it got confusing sometimes, but routing around multiple DDoS attacks taught us to fight on ground of our choosing.

    Translated to a single blog experience, I’d say make friends and help each other out. The nice thing about technology is that copy-n-paste is cheap. I think that’s the case here: multiple gun blogs link here and back again. If pagunblog got DDoS’d I think there would be no shortage of others who would spread the literal offending words far and wide. We saw this to some extent (elsewhere) with that veggie-lube dumpster fire last year. Trying to silence a community is hard.

    I’d do what Sebastian does: set up a personal blog (but on a hosted platform like Rackspace), but then use forums and TwitFace to amplify. They could take one or two, but not all at the same time. If only I had interesting things to say…

    So there is no single silver bullet. I think it’s more a matter of using everything you can to get the word out.

    1. Don’t disagree. The Streisand Effect is real, whether the “offended attacker” uses DDoS or the DMCA.

      OTOH, you may not like it, but the existing social media are powerful force multipliers for this kind of thing.

  4. It’s only going to get worse as the utterly moronic idea of an IoT spreads. At this point the only way to begin to stop it without outlawing the idea entirely would be to pass legislation mandating that IoT device modems be physically capable of less than 5kbps transmission.

    1. There goes the possibility of any legitimate high-bandwidth usage, including video cameras, personal media storage, off-site NAS, etc.

      I haven’t heard of a worse idea since the last time someone floated a bullet tax; or, more apropos, a caliber ban. Yeesh.

    1. Or you haven’t annoyed sufficiently technically competent people. Note that Brian Krebs basically makes his living by annoying cybercriminals.
