I do not want to talk about piracy, trolls, viruses, worms, spam and scams on the internet. That would be boring. We are all fed up with all the discussion about it. But how do you deal with real trolls standing at the reception counter of your company? How do you handle a DDoS attack that isn't targated against your web server but against your whole personal life? What do you think about piracy when people 'download' your restaurant? What do you think about the methods of cybercrime when it happens in the real world? And no, you don't have to be a geek to understand any of this. I'm going to talk about my offline reality as it happens in a physical domain — Hungary.
Hungarians have learned to use methods of cybercrime in the real world. I'll only show you a couple of examples to illustrate my point.
Online piracy is when people download movies, software, music, books without paying for it. Yeah, it's illegal, but who cares. They say downloading isn't stealing. It's like stealing your car, but you look out of the window and your 'stolen' car is still there in front of your house. They say they didn't steal anything. Most people agree, some people don't. Nevertheless, online piracy is there and we couldn't yet do anything effective about it.
Online piracy - of course - is very advanced in Hungary. The absolute majority of people don't even consider buying stuff. But I don't want to bore you with stats, I'll just show you one recent example from my life.
You know what copyright is about. It means it's not okay to steal my writing from my blog without my permission. I wrote a post that become a huge hit. It was reblogged all over the world more than 100 times, it got translated to more than a dozen languages and reposted in many different countries.
People who asked for my permission:
In Hungary: 0 out of 10
Other countries: 9 out of 10
In fact I got so many requests from all around the world, that I decided to put out a creative commons license - that means it's free to copy with some limitations. But people from around the world still feel the need to ask for my permission. It didn't happen in 1 case in Hungary. No Hungarian has asked for a permission. They aren't even aware of the fact, that it's not okay. They think it's normal. If I would whine about it, people would say I'm an asshole. Come on, it's in your interest, it's free promotion for you, bla-bla-bla.
Let me show you just one screenshot:
This is my blogpost reblogged by a mainstream political party called Jobbik. It's a party in the Parliament. They are far-right extremists, the opposite of my political preference. They didn't ask for my permission to use my text for their purposes. I'm just showing this to illustrate the concept of how much they don't care about it. I'm sure that they didn't even want to hurt me with this in any way. On the contrary, I guess they wanted to 'help' me spreading the word. But you see, even a political party in the Hungarian Parliament doesn't care about my rights as an author. Maybe you think I should sue them. But that's because you don't know how these things work out in Hungary. And also, I do not want to sue anybody because of a silly blog.
But restaurants are also stolen the very same way:
This is a Subway restaurant operated the Hungarian way. The Hungarian franchise operators think they have learned everything they need from Subway, now they are better off without the owner of the brand. So they changed the logo to Myway and that's it. They continue without them. I have nothing to do with Subway, but it also happened with EVERY business I used to own. They were all stolen from me until the point I couldn't compete any more with the competition who used my know-how but didn't respect any of the quality guidelines, nor any laws and regulations or just generic decency is business. I went to court and lost ALL cases. I didn't win a single case, although I spent a fortune on legal proceedings that took 5 years. It's annoying, because my cases weren't as 'questionable' as the "Myway" thing you see on the photo.
2.) Troll tactics
The interesting part of the above detailed 'piracy' case is that in Hungary we have EU conform law. It isn't China where the law is different. It is a criminal case in Hungary too as much as in the USA. I had all the physical evidence of people stealing my 1) logo without any change 2) software 3) know-how 4) advertising materials. It's a clean-cut legal case, but I still didn't win any of the numerous cases at the courts. Not a single case, not even partially.
How is it possible?
It wasn't just clever legal defence from their side. In fact law doesn't have anything to do with it. They used troll tactics. In case you didn't know what it is:
In Internet slang, a troll is someone who posts inflammatory, extraneous, or off-topic messages in an online community, such as an online discussion forum, chat room, or blog, with the primary intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion.
I experience the very same tactics that internet trolls use in online discussion forums, comment threads to dismantle any kind of online community in legal proceedings, and in everyday life too. People have mastered how to do it online, but it did not stop there.
Now I see it every day in restaurants, in real-world customer relations, and yes, even at legal proceedings. They are very clever! It's not at all easy to protect yourself from troll tactics. I'm not sure if its possible at all. I couldn't so far.
Show me 1 online community that is now free of trolls. I don't know any. And it's relatively easy to handle internet trolls. You can't just ban, downvote a real life troll. When they are using the same tactics in the real world, you are just screwed and that's basically it. They will never really do anything illegal. They know the law better than anybody. But that's the whole point. No matter what the rules are, they will always find a way to abuse them.
3.) DoS attacks
A DoS (Denial of Service) attack on the internet means that a website gets a huge amount of 'fake' readers from the attacker. The attacker uses a program that will read your webpage a million times a second. You get the idea. The webserver will get so much traffic that it will slow down, or stop working. It will be out of service, people will not be able to access it. It's very difficult to protect a webserver from this kind of brute-force attack. It's difficult to filter out the attacking traffic without making the whole site available to the 'normal' public too. Especially when the attack is distributed among hundreds or thousands of computers around the world. This is called a distributed denial of service attack or DDoS. The attacking computers are often part of a 'botnet', machines infected with malicious software. Owners of these computers aren't even aware of the fact that they are part of such an attack.
In reality I experienced attacks in similar fashion. It has always been a national sport in Hungary. It's in our blood to call the police on our neighbours, and report the companies we don't like to all sorts of authorities. And of course, fighting legal battles with our competition. And there are legal battles between competitors everywhere else. There are so called 'patent trolls' in the international arena too. But those attacks are legal attacks. They want to win the legal case against you. And you get no more than 3-4 cases at a time. But I recently see a lot of attacks, that are very different in nature.
The real world DDoS attack:
- 50-500 different legal, bureaucratic cases, reports to authorities.
- These do NOT have any legal ground.
- The attacker does NOT aim to win the cases.
- The real aim is to OVERLOAD you and your company.
It goes like this:
- 5-10 different lawsuits are filed against you - without any legal base.
- You can't just 'filter' these out, you are legally obliged to handle them. If you would fail to do so, the attacker immediately has a real case too.
- Next week you find 20 different print and online news about the lawsuits.
- 100 customers and business partners are asking what's going on.
- Your tax authority starts an investigation on you based on anonymous claims.
- 3 other authorities will ask you to send them documents and reports.
- Your story is discussed on 200 different online forums. You can recognize 5-10 frequent commenters from their nickname choice and writing style.
- You are also charged with criminal defamation because you said that a false claim against you is 'lie'. Now you have another case to deal with.
- By this time you had to hire a whole team of lawyers and spend money you don't have on legal proceedings. You spend your time at the police, authoritites, and courtrooms, and when you get back to your office, 10 new laswuits wait for you.
- Your company isn't strong enough to maintain 100% quality of service during the attack. It wouldn't be a problem, your normal clients wouldn't even recognize it. But your attackers are monitoring it closely. Next day 50 different claims are reported to authorities, that your service is awful and they want their money back (of course there's no legal base for it).
- A DDoS attack is very frustrating when it's overloading your IT infrastructure. But people have nerves too. The attacker counts on this and expects you to make a mistake out of frustration, so that new attacks can be initated upon those mistakes.
- The generic public doesn't have a clue about what's happening. Nobody wants to hear your story that is too difficult and long to explain. People assume that something must be wrong with you, otherwise you wouldn't be attacked for no reason. People assume that it must be your fault.
- Dealing with so many issues is also very expensive. If you can't afford to pay anything in time, it's 100% sure you will immediately have new cases.
- You don't neccessarily go out of business. But you don't have any energy left for doing your normal work. Legal proceedings in Hungary take 3-5 years. During this time you can't concentrate on the development of your company.
- In the meantime the attackers can do whatever they want, steal whatever you have, because they know you don't have any resources left for another 20 legal cases. Unless you are very good at this, you just give up the fight.
It didn't only happen to me. I saw this happening in large scales to at least 50 other businesses in Hungary. What makes it unique is the obvious effort to overload the target. The attackers know their stuff very well. They know exactly how court proceedings, authorities work, and they are very skilled in abusing the system. If you haven't experienced this, if you aren't prepared for it, you have no chance. It's just a question of time when, and how strong the attack will be, but it will come.
You can't just put out a webserver on the internet without any security. Now if you do business in Hungary, you must protect yourself from very similar attacks, otherwise there's zero chance to survive on the long run. It's especially tough for small business owners. Large corporations with professional customer support, and a huge legal department are much better prepared to handle it.
What's the moral of the fable?
I don't know. I just wanted to describe the situation. Maybe it's just me who thinks this is insane. Maybe it's just how business is nowadays. I don't know. But I think there are two things to consider about it.
- Offline business could learn some important lessons from cyber security folks. Who have already figured out the logic of how to protect online assets in a hostile environment built on distrust.
- Online folks could think about if it's really okay to do this kind of stuff. Because I think we in Hungary have evidence, that this mentality doesn't stay online forever. Once people get used to it, they start doing it in realityspace too.
Care to comment?
On my blog there are no comments. Part of the reason is that by new Hungarian law I am legally responsible for the comments you make. It would be a huge security hole on the incognito firewall. You can comment on my Facebook page though. That's probably safe enough for now.