[liberationtech] Message from Ricken on Avaaz cyberattack

Yvette Alberdingkthijm yvette at witness.org
Tue May 8 12:28:30 PDT 2012


Hi List,

As someone who learns from and very much enjoys the community of this list, but also someone who runs an NGO - always hungry for more funding…to support the many out there who use video to document and protect human rights, I am a little concerned about the nature of this debate. Of course transparency and facts are paramount in positioning any issue, fundraising effort, or tech solution publicly. But the goal of this list's involvement is hopefully - as some folks have done, to provide a critical eye, call out the obvious untruths but then offer a helping technology hand. Not (in extremis) to catch every non-profit on the literal accuracy of every word it publishes. There is a debate to be had in this instance on the merits of these kinds of calls for help (any fundraising calls and positions we take, frankly) - from various angles (effectiveness, community building, or reputation and credibility), but not sure if beyond that critical eye that is the calling of this list…

YAT 


Yvette J. Alberdingk Thijm
Executive Director
WITNESS
80 Hanson Place
Brooklyn, NY 11217
phone: + 1(718) 783 2271
europe: +31 619031122
mobile: + 1 (347) 210 0152

skype: yvette-a or witnessyvette
email: yvette at witness.org
twitter: @yvettethijm, @witnessorg, #video4change
blog: blog.witness.org
 

When elephants fight, the grass suffers

On May 8, 2012, at 11:51 AM, jim youll wrote:

> Having dealt with these problems at various scales (but perhaps not at this scale - the facts are fuzzy) I am made very uneasy by the amount of money that is claimed both spent and additionally necessary for "DDOS protection." Those would be appropriate sums to pay an extortionist as "protection money" but they seem to be talking about technology spending here, and the whole story is just too much hyperbole and not much that seems reasonable at any scale, particularly the overt declaration that "DDOS protection" (whatever that means) is a linear function of money applied (above a threshold that imo should have been passed several tens of thousands of dollars ago)
> 
> Yosem Companys <companys at stanford.edu> wrote:
> Message from Ricken on Avaaz cyberattack: 
> 
> Hi all - I've heard there's some concern on your list about Avaaz's DDoS trouble. Thanks so much for the offers of help, much appreciated and I know some of you have been great allies in the past, but I think we've got great people working on it and the attack ended last week. Also surprised to hear some of you thought we made this up! If you want to ask a third party, Datagram, Arbor Networks and to a lesser degree Croscon were the three groups involved that we asked for advice and help from.
> 
> The other concern I heard is, was this an exaggerated fundraising ploy? Datagram told our tech team it was one of the largest attacks they'd seen, and if we hadn't just 8 weeks ago spent $35k on much fancier DDoS protection it would have completely disabled our site for days. They also said the attacker was constantly adapting to our defenses, the attack was surprisingly sustained, and a key origin appeared to be Amsterdam where we were told some groups for hire operated from - suggesting someone was paying for this. All that triggered our level of concern in writing the fundraiser. Over the last 6 months, we've grown by an average of almost 300,000 people per week, so being disabled for a few days can be super costly. When we brought the guys from Arbor Networks in, they dialed down the concern a little bit, questioning the Amsterdam part, and saying it was bigger than the large majority of DDoS attacks, but much larger ones were possible. But that last bit also dialed up our concern, because we knew we were at the limits of what we could handle and we didn't have budget for more. That had been the main reason for the fundraiser.
> 
> And yes, of course we need the money - both for more DDoS protection and also for ramping up our tech security across the board - there was a short list of things in the email. That list also dealt with a wider range of needs, including the physical security of our staff in places like Russia and Lebanon, which also has a tech security component to it. Our community was extremely supportive so we ended up raising more than we need immediately, but this is the first appeal like this we've done in 5 years and we probably won't do another for a long while, so the money has to last. That's part of how online organizing works - you leverage bursts of engagement with particular campaigns and issues to support longer term objectives sustainably. If we find that our plans mean we don't anticipate using a lot of the money for the purpose raised, we email the donors and ask them to either request a refund or tell us what we can use the remainder of the funds for.
> 
> Hope that helps, and I hope you'll forgive us for a few days delay in replying and not being able to engage and collaborate with you all like we would if we were more a part of your community. We have a small team working in a dozen languages with staff spread across the world, and cover an enormous number of issues in an enormous number of countries. We run about 10-14 campaigns per week, and every campaign we run has a relevant civil society community and often several in different countries (e.g. a French tech community is also demanding our engagement on this one, and even threatening us with a DDoS attack if we don't!). So while I am told that you have norms about collaboration and engagement among you, I regret that we can't follow them. Hope you'll forgive us and judge us by the quality of our work over time. Good luck to you with yours. 
> 
> Ricken