When the Internet Engineering Task Force (IETF) published the TLS 1.3 standard as RFC 8446 in August 2018, plenty of tools and utilities already supported it. As early as the year before, some web browsers had shipped it enabled by default, only to roll it back because of compatibility issues with middleboxes and older servers; needless to say, the rollout was not perfect.
Toward the end of 2018, EMA surveyed customers about their TLS 1.3 implementation and migration plans. In its January 2019 report, EMA concluded:
Some participants' organizations may find they have to go back to the drawing board and come up with a Plan B to enable TLS 1.3 without losing visibility, introducing unacceptable performance bottlenecks and greatly increasing operational overhead. Whether they feel they have no choice but to enable TLS 1.3 because major web server and browser vendors have already pushed ahead with it or because they need to keep pace with the industry as it embraces the new standard is unclear. What is clear is that security practitioners see the new standard as offering greater privacy and end-to-end data security for their organizations, and that the long wait for its advancement is over.
When EMA asked many of the same questions in an updated survey of 204 technology and business leaders toward the end of 2022, they found that nearly all the conclusions in the 2018/2019 report still hold true today. Here are the three biggest takeaways from this most recent survey:
While regulatory frameworks and vendor controls continue to push adoption of the TLS 1.3 standard, adoption still comes with a significant price tag, one that many organizations are not yet ready or able to absorb. Technology improvements will raise adoption rates over time, such as Cisco Secure Firewall's ability to decrypt and inspect encrypted traffic. More recent technologies, like Cisco's encrypted visibility engine, let the firewall recognize attack patterns in encrypted traffic without decrypting it. This latter functionality preserves the performance and privacy of the encrypted flows without sacrificing the visibility and monitoring that 94% of respondents were concerned about.
Readers wishing to read the full EMA report can do so here, and readers wishing to learn more about Cisco Secure Firewall's encrypted visibility engine can do so here.
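The visibility question above turns on what a passive observer can still read once a session is TLS 1.3: the server certificate and most of the handshake are encrypted, but the ClientHello is not. The example below is added here and is not code from the Cisco post, the EMA report, or Cisco's encrypted visibility engine (whose internals the post does not describe). It builds a constructed TLS 1.3 ClientHello, parses the plaintext fields an inline device can see without decryption (SNI, offered cipher suites, supported groups, ALPN, supported versions), and derives a JA3-style fingerprint, the generic handshake-fingerprinting technique that this class of "detect without decrypting" tooling is built on. The sample host name, cipher list and GREASE placeholders are constructed test input; the GREASE values themselves are the reserved ones from RFC 8701.

```python
"""Parse a plaintext TLS ClientHello and derive a JA3-style fingerprint.

Added example, not Cisco or EMA code. TLS 1.3 encrypts the certificate and
later handshake flights, but the ClientHello still travels in the clear, so
SNI, cipher suites, ALPN and the extension layout remain observable.
"""
import hashlib
import struct

# GREASE placeholder values (RFC 8701); JA3 drops them so the hash is stable.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]


def build_client_hello(sni, ciphers, groups, alpn):
    """Build a minimal TLS 1.3 ClientHello record (constructed test input)."""
    name = sni.encode()
    sn_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
    sn = struct.pack("!H", len(sn_list)) + sn_list
    exts = struct.pack("!HH", 0, len(sn)) + sn                 # server_name
    g = b"".join(struct.pack("!H", x) for x in groups)
    body = struct.pack("!H", len(g)) + g
    exts += struct.pack("!HH", 10, len(body)) + body           # supported_groups
    exts += struct.pack("!HH", 11, 2) + b"\x01\x00"            # ec_point_formats
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    body = struct.pack("!H", len(protos)) + protos
    exts += struct.pack("!HH", 16, len(body)) + body           # alpn
    exts += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"        # supported_versions: 1.3
    c = b"".join(struct.pack("!H", x) for x in ciphers)
    hello = (b"\x03\x03" + bytes(32)                 # legacy_version + random
             + b"\x00"                               # empty legacy_session_id
             + struct.pack("!H", len(c)) + c
             + b"\x01\x00"                           # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(hello))[1:]  # handshake type + 24-bit len
    hs += hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # TLS record header


def parse_client_hello(record):
    """Return the fields a passive observer can read from a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    b = record[9:9 + hs_len]
    if len(b) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    version = _u16(b, off); off += 2
    off += 32                                   # client random
    off += 1 + b[off]                           # legacy_session_id
    c_len = _u16(b, off); off += 2
    ciphers = [_u16(b, off + i) for i in range(0, c_len, 2)]; off += c_len
    off += 1 + b[off]                           # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [], "sni": None,
            "groups": [], "point_formats": [], "alpn": [], "supported_versions": []}
    if off >= len(b):
        return info
    end = off + 2 + _u16(b, off); off += 2
    while off + 4 <= end:
        etype, elen = _u16(b, off), _u16(b, off + 2); off += 4
        data = b[off:off + elen]; off += elen
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:       # server_name: list len, type, name len
            n = _u16(data, 3)
            info["sni"] = data[5:5 + n].decode("ascii", "replace")
        elif etype == 10:                       # supported_groups
            n = _u16(data, 0)
            info["groups"] = [_u16(data, 2 + i) for i in range(0, n, 2)]
        elif etype == 11:                       # ec_point_formats
            info["point_formats"] = list(data[1:1 + data[0]])
        elif etype == 16:                       # alpn
            p = 2
            while p < len(data):
                n = data[p]
                info["alpn"].append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
        elif etype == 43:                       # supported_versions
            n = data[0]
            info["supported_versions"] = [_u16(data, 1 + i) for i in range(0, n, 2)]
    return info


def ja3(info):
    """JA3 string and MD5 digest: version,ciphers,extensions,groups,point_formats."""
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(info["version"]), keep(info["ciphers"]), keep(info["extensions"]),
                  keep(info["groups"]), "-".join(str(x) for x in info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed sample: GREASE values in the cipher and group lists, TLS 1.3 suites, h2 ALPN.
SAMPLE = build_client_hello("example.com", [0x1a1a, 0x1301, 0x1302, 0x1303],
                            [0x2a2a, 0x001d, 0x0017], ["h2", "http/1.1"])

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE)
    print(fields)
    print(ja3(fields))
```

Two caveats for anyone relying on this in detection: the fingerprint says something about the client software, not about the payload, so it is a triage signal rather than proof of intent; and Encrypted Client Hello (ECH), where deployed, moves the SNI into an encrypted inner ClientHello, so the `sni` field above is only readable while the outer hello carries it.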
Most people who operate DDoS-for-hire businesses attempt to hide their true identities and location. Proprietors of these so-called "booter" or "stresser" services, designed to knock websites and users offline, have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn't avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.
And then there are booter store operators like John Dobbs, a 32-year-old computer science graduate student living in Honolulu, Hawaii. For at least a decade until late last year, Dobbs openly operated IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs's name and hometown in Pennsylvania.
Dobbs, in an undated photo from his Github profile. Image: john-dobbs.github.io
The only work experience Dobbs listed on his resume was as a freelance developer from 2013 to the present day. Dobbs's resume doesn't name his booter service, but in it he brags about maintaining websites with half a million page views daily, and "designing server deployments for performance, high-availability and security."
In December 2022, the U.S. Department of Justice seized Dobbs's IPStresser website and charged him with one count of aiding and abetting computer intrusions. Prosecutors say his service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.
The government seized four-dozen booter domains, and criminally charged Dobbs and five other U.S. men for allegedly operating stresser services. This was the Justice Department's second such mass takedown targeting DDoS-for-hire services and their accused operators. In 2018, the feds seized 15 stresser sites, and levied cybercrime charges against three men for their operation of booter services.
Dobbs's booter service, IPStresser, in June 2020. Image: archive.org.
Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government's core claim, that operating a booter site is a violation of U.S. computer crime laws, wasn't properly tested in the courts until September 2021.
That was when a jury handed down a guilty verdict against Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged in the government's first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.
Prosecutors said Gatrel's booter services, downthem[.]org and ampnode[.]com, helped some 2,000 paying customers launch debilitating digital assaults on more than 20,000 targets, including many government, banking, university and gaming websites.
Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.
Now, it appears Dobbs is also planning to take his chances with a jury. On Jan. 4, Dobbs entered a plea of not guilty. Neither Dobbs nor his court-appointed attorney responded to requests for comment.
But as it happens, Dobbs himself provided some perspective on his thinking in an email exchange with KrebsOnSecurity back in 2020. I'd reached out to Dobbs because it was obvious he didn't mind if people knew he operated one of the world's most popular DDoS-for-hire sites, and I was genuinely curious why he was so unafraid of getting raided by the feds.
"Yes, I am the owner of the domain you listed, however you are not authorized to post an article containing said domain name, my name or this email address without my prior written permission," Dobbs replied to my initial outreach on March 10, 2020 using his email address from the University of Hawaii at Manoa.
A few hours later, I received more strident instructions from Dobbs, this time via his official email address at ipstresser[.]com.
"I will state again for absolute clarity, you are not authorized to post an article containing ipstresser.com, my name, my GitHub profile and/or my hawaii.edu email address," Dobbs wrote, as if taking dictation from a lawyer who doesn't understand how the media works.
When pressed for particulars on his business, Dobbs replied that the number of IPStresser customers was "privileged information," and said he didn't even advertise the service. When asked whether he was concerned that many of his competitors were by then serving jail time for operating similar booter services, Dobbs maintained that the way he'd set up the business insulated him from any liability.
"I have been aware of the recent law enforcement actions against other operators of stress testing services," Dobbs explained. "I cannot speak to the actions of these other services, but we take proactive measures to prevent misuse of our service and we work with law enforcement agencies regarding any reported abuse of our service."
What were those proactive measures? In a 2015 interview with ZDNet France, Dobbs asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldnβt use the site for illegal purposes.
"Our terms of use are a legal document that protects us, among other things, from certain legal consequences," Dobbs told ZDNet. "Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers."
Dobbs told KrebsOnSecurity his service didn't generate much of a profit, but rather that he was motivated by "filling a legitimate need."
"My reason for offering the service is to provide the ability to test network security measures before someone with malicious intent attacks said network and causes downtime," he said. "Sure, some people see only the negatives, but there is a long list of companies I have worked with over the years who would say my service is a godsend and has helped them prevent tens of thousands of dollars in downtime resulting from a malicious attack."
"I do not believe that providing such a service is illegal, assuming proper due diligence to prevent malicious use of the service, as is the case for IPstresser[.]com," Dobbs continued. "Someone using such a service to conduct unauthorized testing is illegal in many countries, however, the legal liability is that of the user, not of the service provider."
Dobbs's profile on GitHub includes more of his ideas about his work, including a curious piece on "software engineering ethics." In his January 2020 treatise "My Software Engineering Journey," Dobbs laments that nothing in his formal education prepared him for the reality that a great deal of his work would be so tedious and repetitive (this tracks closely with a 2020 piece here called Career Choice Tip: Cybercrime is Mostly Boring).
"One area of software engineering that I think should be covered more in university classes is maintenance," Dobbs wrote. "Projects are often worked on for at most a few months, and students do not experience the maintenance aspect of software engineering until they reach the workplace. Let's face it, ongoing maintenance of a project is boring; there is nothing like the euphoria of completing a project you have been working on for months and releasing it to the world, but I would say that half of my professional career has been related to maintenance."
Allison Nixon is chief research officer at the New York-based cybersecurity firm Unit 221B. Nixon is part of a small group of researchers who have been closely tracking the DDoS-for-hire industry for years, and she said Dobbs's claim that what he's doing is legal makes sense given that it took years for the government to recognize the size of the problem.
"These guys are arguing that their services are legal because for a long time nothing happened to them," Nixon said. "It's difficult to argue something is illegal if no one has ever been arrested for it before."
Nixon says the government's fight against the booter services, and by extension other types of cybercrimes, is hampered by a legal system that often takes years to cycle through cybercrime cases.
"With cybercrime, the cycle between the crime and investigation and arrest can often take a year or more, and that's for a really fast case," Nixon said. "If someone robbed a store, we'd expect a police response within a few minutes. If someone robs a bank's website, there might be some indication of police activity within a year."
Nixon praised the 2022 and 2018 booter takedown operations as "huge steps forward," but added that "there need to be more of them, and faster."
"This time lag is part of the reason it's so difficult to shut down the pipeline of new talent going into cybercrime," she said. "They think what they're doing is legal because nothing has happened, and because of the amount of time it takes to shut these things down. And it's really a big problem, where we see a lot of people becoming criminals on the basis that what they're doing isn't really illegal because the cops won't do anything."
In December 2020, Dobbs filed an application with the state of Hawaii to withdraw IP Stresser Inc. from its roster of active companies. But according to prosecutors, Dobbs would continue to operate his DDoS-for-hire site until at least November 2022.
Two months after our 2020 email interview, Dobbs would earn his second bachelor's degree (in computer science; his resume says he earned a bachelor's in civil engineering from Drexel University in 2013). The federal charges against Dobbs came just as he was preparing to enter his final semester toward a master's degree in computer science at the University of Hawaii.
Nixon says she has a message for anyone involved in operating a DDoS-for-hire service.
"Unless you are verifying that the target owns the infrastructure you're targeting, there is no legal way to operate a DDoS-for-hire service," she said. "There is no Terms of Service you could put on the site that would somehow make it legal."
And her message to the customers of those booter services? It's a compelling one to ponder, particularly now that investigators in the United States, U.K. and elsewhere have started going after booter service customers.
"When a booter service claims they don't share logs, they're lying because logs are legal leverage for when the booter service operator gets arrested," Nixon said. "And when they do, you're going to be the first people they throw under the bus."