Slashdot Mirror


ProtonMail Restores Services After Epic DDoS Attacks

An anonymous reader writes: After several days of intense work, Switzerland-based end-to-end encrypted e-mail provider ProtonMail has largely mitigated the DDoS attacks that made it unavailable for hours on end in the last week. The attacks exceeded 100Gbps, and are still going on, but they are no longer capable of knocking ProtonMail offline for extended periods of time. The ProtonMail community of users proved to be invaluable for the company. In fact, in just a few days, they donated over $50,000 to the company's "defense fund," providing the resources to resist further attacks against email privacy.

26 of 57 comments

  1. That's some serious traffic by Falconnan · · Score: 5, Interesting

    State actors or malicious mischief? That is the real question.

    1. Re:That's some serious traffic by Anonymous Coward · · Score: 1

      State actors. They were paid off, but went ahead and DDoS'd anyway. The DDoS or dissolving of protonmail entirely were the goals.

    2. Re:That's some serious traffic by Anonymous Coward · · Score: 4, Informative

      Just to clarify:
      ProtonMail were *forced* to pay the ransom, it wasn't entirely their choice.

      "At this point, we were placed under a lot of pressure by third parties to just pay the ransom"
      due to... "hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us"

      And no doubt, this is the start of a series of attacks against them, by the likes of the terrorists at the NSA/GCHQ.

    3. Re:That's some serious traffic by GuB-42 · · Score: 2

      There are two different actors. The first was in for the ransom and stopped after being paid.
      The second uses a much more advanced attack, has unknown motives, and may have chosen to strike at the same time as an attempt to put the blame on the first group.

    4. Re:That's some serious traffic by myowntrueself · · Score: 1

      State actors or malicious mischief? That is the real question.

      We shall see.

      If these guys suddenly start getting payments of just over US$10,000 into their bank accounts, which are then reversed or cancelled, so that their bank is forced to close their accounts because they can't cope with the overhead of the constant stream of reporting on possible money laundering, then we'll know it's a state actor.

      --
      In the free world the media isn't government run; the government is media run.
  2. "anonymous" and "secure" what a joke by Anonymous Coward · · Score: 3, Interesting

    They're asking for an email account so that they can send you an invite. How is this remotely anonymous?

    Being in .ch is nice and all, and gives you that "Swiss Bank Account" feel, but the XKCD coming about encryption & pipewrenches comes to mind. Since the Banks have rolled (because Nazis) what is going to keep your free email secure when the Polizei comes knocking?

    1. Re: "anonymous" and "secure" what a joke by Corwyn_123 · · Score: 2

      Simple, the admins cannot access the emails of their users; it's encrypted on the servers. The most the police could hope to get, if they can get anything at all, would be header and routing information, which is the metadata, not the content.

    2. Re:"anonymous" and "secure" what a joke by Anonymous Coward · · Score: 1

      It depends on your threat model. If you're sufficiently interesting to the thugs that pipe wrenches become involved, then no, ProtonMail won't save you. But an encrypted email service will at least protect your mail from getting caught up in the "new normal" mass data collection. (And the use of encrypted mail may in turn make you more interesting to the thugs, sigh...)

    3. Re: "anonymous" and "secure" what a joke by SethJohnson · · Score: 1

      I think the goal they are trying to provide is sincere and valid. But, looking over their company, I don't see a reason to trust their implementation. Check the 'about' page and you'll see no description of anyone being a true data scientist with a Masters or PhD. To be credible, they would need to have a third-party security audit performed on their source code. No mention of that anywhere.

      Because it's closed-source, you have no assurance the client and server are not juggling SSL keys and allowing a MITM attack to be performed at the request of a subpoena.

      An easy step to credibility would be to publish their server's API and allow third-parties to implement their own mail client apps. Then they become a cloud service provider and leave the app development to others (in addition to a feature-poor POC app developed in-house).

      Finally, not to beat a dead-horse here, but this phrase isn't confidence-building--

      "By using open source encryption libraries, we can help guard against back doors designed to compromise your privacy."

      No guarantee against back doors. They're just helping to guard against them.

    4. Re: "anonymous" and "secure" what a joke by bartbutler · · Score: 1

      It's not closed source--the encryption library used is OpenPGPjs, which has been extensively audited, and the client, which is where all the encryption and decryption happens, is also open source: https://github.com/ProtonMail/... Nobody can really guarantee against back doors, but using open source certainly helps, as the more eyes on it the better. Also, not that it's terribly relevant, but there are at least 4 PhDs working for ProtonMail.

  3. Re:Attn Slashdot: I have a Penis by Maritz · · Score: 1

    Well, just because you have one, doesn't mean you're not one.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  4. I wonder about the client base by Coisiche · · Score: 1, Interesting

    The article says:

    in just a few days, they donated over $50,000

    I would just complain to my ISP, over the phone obviously, and demand a compensatory cut in monthly bill... not give them *more* money.

  5. SubjectsInCommentsAreStupidCusTheSubjIsTheArticle by lesincompetent · · Score: 3, Informative

    Much more info on this official blog post: https://protonmail.com/blog/pr...

  6. Re:Which government is responsible? by TWTiger · · Score: 1

    Well, I don't know, but I do know which government that just approved a new surveillance law....

  7. Re:Attn Slashdot: I have a Penis by PopeRatzo · · Score: 1

    I have a Penis and I'm not afraid to use it

    You better ask the guy it's attached to first.

    --
    You are welcome on my lawn.
  8. Re:Which government is responsible? by nitehawk214 · · Score: 1

    Yes

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  9. Re:Donating money to fight a DDOS is dumb by nitehawk214 · · Score: 2, Interesting

    I would donate money to help fight it, but not if they are just going to give the money to the attackers. Which seems to be exactly what they did here.

    And it was probably the government of a country obsessed with surveillance of their own people, so no amount of ransom is going to make that go away. The internet service providers are, of course, in on it.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  10. Re:Donating money to fight a DDOS is dumb by Zorpheus · · Score: 1

    What? Are you claiming that Radware attacked them to get the contract to help them?

  11. Re:Attn Slashdot: I have a Penis by Tokolosh · · Score: 1

    And they say there are no women in tech.

    --
    Prove anything by multiplying Huge Number times Tiny Number
  12. Re:Donating money to fight a DDOS is dumb by Anonymous Coward · · Score: 1

    And it was probably the government of a country obsessed with surveillance of their own people, so no amount of ransom is going to make that go away.

    Heh. I do find it interesting that the FBI's official advice regarding CryptoWall is to just pay the ransom. Considering CryptoWall has plagued the world for several years now with no one caught, when other TOR-based crimes like online drug sales and child porn are easily busted, it sorta makes you wonder who's behind CryptoWall and why they're not busted, no? I can picture James Comey checking the FBI's clandestine Bitcoin balance when he arrives at work each morning, figuring out how many more Stingrays he can buy off the books.

  13. Re:The word Epic. by KGIII · · Score: 1

    What if the next writer is referring to a saga that is truly epic? What then, smart guy? Grind their nuts off just 'cause the word chafes your nether regions?

    Stand up, put a foot on one chair and the other foot on another chair. Use a brick to hit yourself in the head, over and over, until you've knocked some of the sand from your vagina. Life will be much easier then.

    --
    "So long and thanks for all the fish."
  14. Re: Question On How Proton Works by Anonymous Coward · · Score: 1

    Wasn't aware that they claim self-destructing mails, but when I send an encrypted mail to a non-ProtonMail account, what they receive is a LINK to the encrypted message on the ProtonMail server, where they must enter the password to read it. So I guess the link probably expires.

  15. Re:Question On How Proton Works by ale2011 · · Score: 1

    The fact that one finds more advertising than explanations already betrays the true nature of that feature. In short, you post a link to an ephemeral resource; but you may further encumber that with DRM-like stuff. More here and here.

    In fact, all email is self-destructing, eventually. Just not under the sender's control.

  16. Re:Donating money to fight a DDOS is dumb by nitehawk214 · · Score: 1

    I believe it was a government that sponsored the DDOS. Thus it did not stop when they were paid off. I don't know who Radware is.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  17. Re:Donating money to fight a DDOS is dumb by nitehawk214 · · Score: 1

    Of course, if people take the payoff, then the FBI doesn't have to bother with hunting for the criminals. Pretty convenient to skip out on doing their jobs.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  18. Re:Donating money to fight a DDOS is dumb by Zorpheus · · Score: 1

    According to the article, Radware were paid the $50,000 to handle this attack. Well, it is not that much to read ;)