Virtual private networks (VPNs) continue to increase in popularity, and one of the most famous services is offering a great deal to entice new customers. NordVPN is selling two-year subscription plans for up to 68 percent off, depending on which tier you go with. You also get three free months of service when you sign up, which is never a bad thing.
Here’s how the deal breaks down. The company’s Standard plan is 62 percent off, costing $108 for two years, while the Advanced plan is 68 percent off, coming in at $140 for two years. The Standard plan is likely the best option for average consumers, unless you run a crypto mining farm in your basement or something. This plan gives you access to the VPN itself for secure browsing in addition to ad-trackers, ad-blockers, malware protection software, a file-sharing service and a dark web monitor.
The Advanced plan is for power users and includes all of the above plus access to a dedicated and permanent IP address you can use when browsing. The fluctuating IP address available with the Standard plan is fine for most people, but using a static IP address is good when pursuing online activities that demand higher security, like online banking or remotely accessing sensitive data.
NordVPN just missed our list of best virtual private networks, due to a higher-than-average price point, so this deal certainly solves that problem. The company's generally considered to be solid, with well-performing networks and an active customer service arm. There’s a reason NordVPN's been around since 2012, which is an eternity in the volatile VPN industry.
If you aren’t even sure what you would need a VPN for, they are actually quite useful for those who spend a lot of time online. These services are nearly-mandatory if you often access public Wi-Fi, to protect from nefarious cybercriminals. VPNs also work to block malicious sites and help keep your personal data private. Finally, they let you pretend you are in other locations, allowing you to access your favorite streaming platforms when, say, traveling abroad.
This article originally appeared on Engadget at https://www.engadget.com/good-deal-nordvpn-two-year-plans-are-up-to-68-percent-off-right-now-154504370.html?src=rss
General Motors is taking Google’s AI chatbot on the road. The automaker announced today that it’s using Google Cloud’s Dialogflow to automate some non-emergency OnStar features like navigation and call routing. Crucially, the automaker claims the bot can pinpoint keywords indicating an emergency situation and “quickly route the call” to trained humans when needed. GM says the system frees up OnStar Advisors to spend more time with customers requiring a live human.
According to GM, the OnStar Interactive Virtual Assistant (IVA) has used Google Cloud’s Dialogflow under the hood since IVA’s 2022 launch. The virtual voice assistant can handle common customer questions and help with routing and navigation, including turn-by-turn directions. The companies see the collaboration as expanding down the road. “The successful deployment of Google Cloud’s AI in GM’s OnStar service has now opened the door to future generative AI deployments being jointly piloted by General Motors and Google Cloud,” the companies wrote in a joint press release.
The automaker says Google Cloud’s AI has allowed OnStar to better understand customer requests on the first try. In addition, it says customers have reacted positively to avoiding hold times as they can quickly begin chatting with an AI-powered bot with a “modern, natural sounding voice.” GM says the virtual assistant now handles over one million customer inquiries per month in the US and Canada. OnStar IVA is available in most GM vehicles, 2015 and newer, with OnStar connections.
“Generative AI has the potential to revolutionize the buying, ownership, and interaction experience inside the vehicle and beyond, enabling more opportunities to deliver new features and services,” Mike Abbott, GM’s executive vice president of software and services, wrote in the press release. “Our software-led approach has accelerated the creation of compelling services for our customers while driving increased efficiency across the GM enterprise. The work with Google Cloud is another example of our efforts to transform how customers engage with our products and services.”
The companies also announced today that Google’s Dialogflow tech is behind chatbots on the GM website, similar to the slew of OpenAI-powered assistants that began popping up since the launch of the ChatGPT API earlier this year. GM’s web bots can “conversationally help answer customer questions about GM vehicles and product features based on the technical information from GM’s extensive vehicle data repositories,” according to the automaker.
“General Motors is at the forefront of deploying AI in practical and effective ways that ultimately create better customer experiences,” Thomas Kurian, Google Cloud CEO, wrote today. “We’re looking forward to a deepened relationship and more collaboration with GM as we explore how the company uses generative AI in transformational ways.”
This article originally appeared on Engadget at https://www.engadget.com/a-google-powered-chatbot-is-handling-gms-non-emergency-onstar-calls-183040938.html?src=rss
Cult of the Dead Cow (cDc), a hacking group known for its activist endeavors, built an open source tool for developers to build secure apps. Veilid, launched at DEF CON on Friday, has options like letting users opt out of data collection and online tracking as a part of the group’s mission to fight against the commercialization of the internet.
“We feel that at some point, the internet became less of a landscape of knowledge and idea sharing, and more of a monetized corporate machine,” cDc leader Katelyn “medus4” Bowden said. “Our idea of what the internet should be looks more like the open landscape it once was, before our data became a commodity.”
Similar to other privacy products like Tor, cDc said there’s no profit motive behind the product, which was created “to promote ideals without the compromise of capitalism.” The group emphasized the focus on building for good, not profit, by throwing slight shade at a competing conference for industry professionals, Black Hat, held in Las Vegas at the same time as DEF CON. “If you wanted to go make a bunch of money, you’d be over at Black Hat right now,” Bowden said to the audience of hackers.
The design standards behind Veilid are “like Tor and IPFS had sex and produced this thing,” cDc hacker Christien “DilDog” Rioux said at DEF CON. Tor is the privacy-focused web browser best known for its connections to the “dark web,” or unlisted websites. Run as a non-profit, the developers behind Tor run a system that routes web traffic through various “tunnels” to obscure who you are and what you’re browsing on the web. IPFS, or the InterPlanetary File System, is an open-source set of protocols behind the internet, mainly used for file sharing or publishing data on a decentralized network.
The bigger Veilid gets, the more secure it will be as well, according to Rioux. The strength doesn’t come from the number of apps made on the framework, but by how many people use the apps to further the routing of nodes that make up the network. “The network gains strength by a single popular app,” Rioux said. “The big Veilid network is supported by the entire ecosystem not just your app.” In the presentation, cDc likened the nodes to mutual aid in the sense that they work to strengthen and support each other to make the entire network more secure.
Rioux explained that VLD0 will be the cryptography — the protocols that keep information secure — behind Veilid. It’s a mix of existing cryptography frameworks, like Ed25519 to support authentication efforts and XChaCha20-Poly1305 as its 192-bit encryption support. But, recognizing that advancing technology will change cryptography needs over time, cDc already has a plan to handle updates. “Every new version of our crypto system is supported alongside the old ones” so that there are no gaps in security, Rioux said. cDc also put other measures in place like anti-spoofing, end-to-end encryption even at rest and data protection even if you lose your device.
Veilid and cDc aim to build an approachable internet with fewer ads and more privacy, according to Bowden. Veilid Chat, a messaging app similar to Signal, will be the first app built on the framework. You’ll be able to sign up without using a phone number, to decrease personal identifiers, Bowden told Engadget in an email.
cDc is currently in the process of putting together a community and foundation to support the project. “There are a lot of folks who can’t see past web3 as far as privacy (we are more like the web2 we should have had), and really can’t process the idea that we’re doing this without a profit motive,” Bowden said.
Known as the “original hacking supergroup,” cDc’s most noted accomplishments include inventing hacktivism, helping to develop Tor and pushing top companies to take privacy seriously. Notable members include former US representative from Texas, Beto O'Rourke.
This article originally appeared on Engadget at https://www.engadget.com/americas-original-hacking-supergroup-creates-a-free-framework-to-improve-app-security-190043865.html?src=rss
Late last year, Nikkei Asia reported that Japan was planning to add thousands of personnel to its military cyber defense unit. Now, we might know why — according to a report from the Washington Post, hackers in China had "deep, persistent access" to Japanese defense networks. When the National Security Agency is said to have first discovered the breach in late 2020, NSA Chief and Commander of US Cyber Command General Paul Nakasone flew to Japan with White House deputy national security advisor Matthew Pottinger to report the breach to officials.
Despite briefings that reached as high as Japan's prime minister, the Washington Post reports that hacking from China remained an issue for several months, persisting through the end of the Trump administration and well into early 2021.
US Cyber Command initially offered Japan assistance in purging its systems of malware but was reportedly rebuffed because the country was not comfortable with another nation's military accessing its systems. Instead, Japan elected to use domestic commercial security firms to find vulnerabilities, relying on the US only for guidance on what those firms found. Japan would eventually adopt a more active national security strategy, which is said to include a new cyber command to monitor networks around the clock, and as many as 4,000 active cybersecurity personnel.
This article originally appeared on Engadget at https://www.engadget.com/china-reportedly-had-deep-persistent-access-to-japanese-networks-for-months-233516478.html?src=rss
Google has announced several updates to Search aimed at making it easier for people to control information about them that appears in results. The company released a tool last year to help people take down search results containing their phone number, home address or email. Now, the company has updated the "results about you" tool to make it more effective.
A new dashboard will become available in the coming days that will let you know when such personal information pops up in Search. When you get an alert, you'll swiftly be able to ask Google to remove those results.
Earlier this year, the company debuted a Google One feature that can scour the dark web to see if your information has been included in a data breach. This "results about you" update seems to work in a similar way. The fact that it proactively finds results containing your personal info and helps you remove them should make it easier to protect your privacy.
You can access the tool from the Google app by tapping your profile photo and selecting "results about you" or from a dedicated webpage the company has set up. It's available in the US in English for now, but Google plans to offer the tool in other languages and regions soon.
Along similar lines, Google is updating a system that aids users in taking down explicit photos of them. The company has long provided the option for people to request the removal of non-consensual explicit images from search results. It's now expanding that policy to include consensual imagery.
Perhaps you uploaded explicit content of yourself to a website at one point, but decide you no longer want it to be available. If you delete the imagery from that website, you can now ask Google to remove it from search results if it has been published elsewhere without permission. The company notes that the policy doesn't apply to any content you're still commercializing.
It's not exactly rare for owners of websites that deal in explicit imagery to report content from elsewhere. Removing such content from Google Search results won't scrub it from the web entirely, but that may make it more difficult for people to find. You can search for "request removals" in the Google help center to get started.
On top of all that, Google is rolling out updates for parental controls and SafeSearch. Starting this month, Google is blurring explicit imagery (which it defines as adult or graphic violent content) in search results by default, a move it announced earlier this year. You'll be able to turn off SafeSearch blurring from your settings, unless a school network admin or a guardian has locked the setting on your account.
Last but not least, it'll now be much easier to access parental controls from Search. Punch in a query like “google parental controls” or “google family link” and you'll see an information box that explains how to adjust the settings.
This article originally appeared on Engadget at https://www.engadget.com/google-is-making-it-easier-to-remove-your-private-information-from-search-170025085.html?src=rss
“Tor” evokes an image of the dark web; a place to hire hitmen or buy drugs that, at this point, is overrun by feds trying to catch you in the act. The reality, however, is a lot more boring than that — but it’s also more secure.
The Onion Router, now called Tor, is a privacy-focused web browser run by a nonprofit group. You can download it for free and use it to shop online or browse social media, just like you would on Chrome or Firefox or Safari, but with additional access to unlisted websites ending in .onion. This is what people think of as the “dark web,” because the sites aren’t indexed by search engines. But those sites aren’t an inherently criminal endeavor.
“This is not a hacker tool,” said Pavel Zoneff, director of strategic communications at The Tor Project. “It is a browser just as easy to use as any other browser that people are used to.”
That’s right, despite common misconceptions, Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity. This may sound familiar, because it’s how a lot of people approach VPNs, but the difference is in the details.
VPNs are just encrypted tunnels hiding your traffic from one hop to another. The company behind a VPN can still access your information, sell it or pass it along to law enforcement. With Tor, there’s no link between you and your traffic, according to Jed Crandall, an associate professor at Arizona State University. Tor is built in the “higher layers” of the network and routes your traffic through separate tunnels, instead of a single encrypted tunnel. While the first tunnel may know some personal information and the last one may know the sites you visited, there is virtually nothing connecting those data points because your IP address and other identifying information are bounced from server to server into obscurity.
In simpler terms: using regular browsers directly connects you and your traffic; adding a VPN routes that information through an encrypted tunnel so that your internet service provider can’t see it; and Tor scatters your identity and your search traffic until it becomes almost anonymous, and very difficult to identify.
Accessing unindexed websites adds extra perks, like secure communication. While a platform like WhatsApp offers encrypted conversations, there could be traces that the conversation happened left on the device if it’s ever investigated, according to Crandall. Tor's communication tunnels are secure, and it is much harder to trace that the conversation ever happened.
Other use cases may include keeping the identities of sensitive populations like undocumented immigrants anonymous, trying to unionize a workplace without the company shutting it down, victims of domestic violence looking for resources without their abuser finding out or, as Crandall said, wanting to make embarrassing Google searches without related targeted ads following you around forever.
Still, with added layers of security can come some additional hiccups, like lag or longer loading times. That could be true for some users depending on what they do online, but anecdotally it's gotten a lot faster in recent years, and users have said they barely notice a difference compared to other browsers. Sameer Patil, associate professor at the School of Computing at the University of Utah, studied this by having students and staff try out Tor as their main browser. “I was personally very surprised at how many sites and things just work fine in the Tor browser. So not only did they work as intended, but they also were fast enough,” Patil said.
But even if online privacy isn’t your main concern personally, using Tor can help support industries that heavily rely on it. By using the anonymous and secure browser, you’re supporting activists, journalists and everyone else’s privacy because the more people that use it, the more secure it gets, according to Patil. If only certain sensitive groups use it, it’ll be easier to deanonymize and ultimately track down identities. When you’re one in a billion using it, that task becomes nearly impossible.
This article originally appeared on Engadget at https://www.engadget.com/tor-dark-web-privacy-secure-browser-anonymous-130048839.html?src=rss
ExpressVPN has become a household name – or at least as close to one as a VPN is likely to get – taking over mainstream advertisements on sites like YouTube. On our roundup of the nine top providers in June, it came out tops for streaming services, frequent travel and gaming. But, notably, it wasn’t the overall best, falling short on areas like security and user friendliness.
There are three main VPN use cases on top of general security: geoblocking, streaming and gaming. That means my tests looked like watching Shrek on the clock, by using a VPN to access Canadian Netflix from my US-based home office, where the ogre movie isn’t currently available.
ExpressVPN was easy to sign up for, download and use, but compared to the other services, it didn't wow me. Competitors like ProtonVPN, for example, had easier ways to sign in across platforms. But an ExpressVPN subscription does come with a password manager to store and autofill credentials across websites. That’s a plus in a world where complex passwords are crucial to keeping your accounts secure.
The best VPNs stay out of your way and you'll barely even notice they’re running. But one oddity was that ExpressVPN internet speeds outperformed our baseline internet speed measures. The service is likely circumventing traffic shaping by the internet service provider or a similar anomaly because every other VPN will hurt internet speed in some way. But it did successfully mask the IP address, and pass the DNS and WebRTC leak tests as privacy measures.
It was also easy to access geo-blocked content using ExpressVPN, with little-to-no buffering. There were some loading delays that only lasted a few seconds when I tried to stream the news on YouTube using ExpressVPN, but no lag came up after that. Finally, ExpressVPN passed the gaming test by avoiding lag and maintaining a normal loading time. Although, it was a pretty basic test where I logged into online game Slither.io from a UK-based VPN to play the worm-eating competition with international users. Surfing the web with ExpressVPN was just as easy as being online without it. With ExpressVPN, a ping test measured how long data takes to travel from the computer to the server and back at 100 milliseconds, versus 16 milliseconds with no VPN turned on.
ExpressVPN’s biggest perk is that it supports up to five devices at once. That means I could conduct all tests simultaneously and still had no slowdown. That’s great for sharing it with a family, or folks that like to game, watch TV and scroll on their phone at the same time. It’s the main reason ExpressVPN landed as our top choice for streaming and gaming. The connectivity was solid, it had a wide range of servers in 94 countries and provided clear instructions on configuration for any device.
But security-wise, I found myself wanting more. ExpressVPN is based in the British Virgin Islands, which the company touts because the territory lacks any foreign intelligence operations and does not participate in 14 Eyes intelligence-sharing agreements. But it is owned by Kape Technologies, which also owns competitor CyberGhost, and Kape has a problematic history that includes spreading malware. Not only that, in 2021, the Department of Justice charged ExpressVPN CIO Daniel Gericke for cyberspying activities on behalf of the UAE. ExpressVPN stood by the CIO in a blog post.
But it’s not all bad. ExpressVPN publicly shared security audits of its mobile apps, protocol and desktop apps last year. That’s a win for security transparency. Still, a 2021 Consumer Reports study found that ExpressVPN didn’t support multifactor authentication, did not meet brute force mitigation checks and retained some data even after an account was terminated. ExpressVPN did, however, exceed industry standards in protections against unauthorized access, implement a vulnerability disclosure program and said it would not pursue legal action against security researchers. That means when it comes to security standards and practices, ExpressVPN as a company has a few too many misses and not enough hits.
I recommended ExpressVPN as our top choice for gamers, frequent travelers and heavy users of streaming services because it lets users access a wide range of locations from a variety of devices with high speed connections and no lag. With options to configure directly to routers and gaming consoles, it’s a solid choice for people that put a lot of strain on their ISPs. Still, there are better VPNs for the security-minded or those who want something more affordable.
This article originally appeared on Engadget at https://www.engadget.com/vpn-review-expressvpn-2023-gaming-streaming-160052492.html?src=rss
The Jack Dorsey-backed decentralized social network Bluesky has launched a paid domain service in partnership with Namecheap as a way for users to verify their identity. In a post discussing its plans to make Bluesky sustainable, the team said "users become the product" when a company relies on ads. Since Bluesky set out to "build a protocol where users can own their data," it chose to explore "other avenues of monetization" instead. It's worth noting that the social app started as a project funded by Twitter, but it has lost its connection to the website after Elon Musk took over.
Since earning by ads isn't an option, the team thought of offering paid services, starting with domain names. Users can already set up custom domain names to use with Bluesky, but they have to go through a separate process with a domain registrar first. This integration will supposedly allow them to do so in under a few minutes. They can simply log into their account, search for a domain name to use as a handle and then pay for it all within Bluesky's interface. For a Twitter competitor that doesn't have a centralized verification system, using a domain name is the best way for a user to verify that they are who they say they are. US Senators, for instance, have apparently been using the senate.gov domain to verify their identities.
Users who use the integrated service will be able to manage their domain settings and configurations within Bluesky, and they can forward emails sent to their domains to an address of their choice. They can also choose to redirect their domain to their Bluesky profile or any URL they want. And in the event they decide to leave the platform or to use another registrar, they can transfer their domain away.
Based on Bluesky's announcement, domain integration is just the first in what could be several paid services available on the platform. It says it's exploring other services it "can bundle to users to provide a more seamless experience." That said, Bluesky is still in private beta, and those interested will have to join a waitlist before they can get in.
This article originally appeared on Engadget at https://www.engadget.com/bluesky-begins-offering-custom-domains-in-its-bid-to-remain-ad-free-071922355.html?src=rss
President Joe Biden will today announce the details of how $42 billion in funding to bolster broadband internet access will be allocated. The investment, which was funded by the 2021 Bipartisan Infrastructure Law, aims to give all Americans access to high-speed internet by 2030.
The FCC released its first draft of the overhauled map, which incorporates more granular data, in November. Still, politicians on both sides of the aisle were concerned it left out millions of businesses and homes and urged the White House to delay the broadband funding efforts until issues were resolved.
After taking feedback from the public and states, the FCC unveiled an updated version in May. According to The Washington Post, the updated map addressed around 4 million mistakes, resulting in approximately half a million more homes, businesses and other locations without any internet access being identified. In all, the FCC determined that more than 8.3 million homes and businesses lack access to high-speed internet.
States will first focus on bringing broadband to locations that have no access at all. If they have any funding left over, they can use it to improve internet access for those with slow speeds.
It could take up to two years for the government to dole out all the funding. States will submit their initial plans later this year and that will open up a fifth of the funding, according to Reuters. The rest of the $42 billion will be unlocked after states finalize plans for investing the funds.
Many of the locations that lack broadband access are in rural areas. By and large, major providers have shied away from rolling out broadband in these locales due to their smaller populations and the high cost of installing infrastructure.
This article originally appeared on Engadget at https://www.engadget.com/the-biden-administrations-42-billion-broadband-program-is-finally-getting-underway-143625721.html?src=rss
As anyone who regularly games online can attest, DDoS (distributed denial of service) attacks are an irritatingly common occurrence on the internet. Drawing on the combined digital might of a geographically diffuse legion of zombified PCs, hackers are able to swamp game servers and prevent players from logging on for hours or days at a time. The problem has metastasized in recent years as enterprising hackers have begun to package their botnets and spamming tools into commercial offerings, allowing any Tom, Dick, and Script-kiddie rental access to the same power.
It's a big internet out there, and bad actors are plentiful. There are worse things than spammers and scammers swimming in the depths of the Dark Web. In his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks, Dr. Scott J Shapiro, Professor of Law and Philosophy at Yale Law School traces the internet's illicit history through five of the biggest attacks on digital infrastructure ever recorded.
Not all Denial of Service attacks use botnets. In 2013, the Syrian Electronic Army (SEA)—the online propaganda arm of the brutal Bashar al-Assad regime—hacked into Melbourne IT, the registrar that sold the nytimes.com domain name to The New York Times. The SEA altered the DNS records so that nytimes.com pointed to SEA’s website instead. Because Melbourne IT contained the authoritative records for the Times’ website, the unauthorized changes quickly propagated around the world. When users typed in the normal New York Times domain name, they ended up at a murderous organization’s website.
Conversely, not all botnets launch Denial of Service attacks. Botnets are, after all, a collection of many hacked devices governed by the attacker remotely, and those bots can be used for many purposes. Originally, botnets were used for spam. The Viagra and Nigerian Prince emails that used to clutter inboxes were sent from thousands of geographically distributed zombie computers. In these cases, the attacker reaches out to their army of bots, commanding them to send tens of thousands of emails a day. In 2012, for example, the Russian Grum botnet sent over 18 billion spam emails a day from 120,000 infected computers, netting its botmaster $2.7 million over three years. Botnets are excellent spam infrastructure because it’s hard to defend against them. Networks usually use “block lists”: lists of addresses that they will not let in. To block a botnet, however, one would have to add the addresses of thousands of geographically dispersed servers to the list. That takes time and money.
Because the malware we have seen up till now — worms, viruses, vorms, and wiruses — could not work together, it was not useful for financially motivated crime. Botnet malware, on the other hand, is because the botnets it creates are controllable. Botmasters are capable of issuing orders to each bot, enabling them to collaborate. Indeed, botnet malware is the Swiss Army knife of cybercrime because botmasters can tell bots in their thrall to implant malware on vulnerable machines, send phishing emails, or engage in click fraud allowing botnets to profit from directing bots to click pay-per-click ads. Click fraud is especially lucrative, as Paras Jha would later discover. In 2018, the ZeroAccess botnet could earn $100,000 a day in click fraud. It commanded a million infected PCs spanning 198 countries, including the island nation of Kiribati and the Himalayan Kingdom of Bhutan.
Botnets are great DDoS weapons because they can be trained on a target. One day in February 2000, the hacker MafiaBoy knocked out Fifa.com, Amazon.com, Dell, E*TRADE, eBay, CNN, as well as Yahoo!, then the largest search engine on the internet. He overpowered these web servers by commandeering computers in forty-eight different universities and joining them together into a primitive botnet. When each sent requests to the same IP address at the same time, the collective weight of the requests crashed the website.
After taking so many major websites off-line, MafiaBoy was deemed a national security threat. President Clinton ordered a countrywide manhunt to find him. In April 2000, MafiaBoy was arrested and charged, and in January 2001 he pled guilty to fifty-eight charges of Denial of Service attacks. Law enforcement did not reveal MafiaBoy’s real name, as this national security threat was only fifteen years old. MafiaBoy later revealed himself to be Michael Calce. “You know I’m a pretty calm, collected, cool person,” Calce reported. “But when you have the president of the United States and attorney general basically calling you out and saying, ‘We’re going to find you’ . . . at that point I was a little bit worried.” Calce now works in the cybersecurity industry as a white hat — a good hacker, as opposed to a black hat, after serving five months in juvenile detention.
Both MafiaBoy and the VDoS crew were adolescent boys who crashed servers. But whereas MafiaBoy did it for the lulz, VDoS did it for the money. Indeed, these teenage Israeli kids were pioneering tech entrepreneurs. They helped launch a new form of cybercrime: DDoS as a service. DDoS as a service is a subscription-based model that gives subscribers access to a botnet to launch either a daily quota or unlimited attacks, depending on the price. DDoS providers are known as booter services or stressor services. They come with user-friendly websites that enable customers to choose the type of account, pay for subscriptions, check status of service, launch attacks, and receive tech support.
VDoS advertised their booter service on Hack Forums, the same site on which, according to Coelho, Paras Jha spent hours. On their website, www.vdos-s.com, VDoS offered the following subscription services: Bronze ($19.99/month), Silver ($29.99/month), Gold ($39.99/month), and VIP ($199.99/month) accounts. The higher the price, the more attack time and volume. At its peak in 2015, VDoS had 1,781 subscribers. The gang had a customer service department and, for a time, accepted PayPal. From 2014 to 2016, VDoS earned $597,862, and it launched 915,287 DDoS attacks in one year.
VDoS democratized DDoS. Even the most inexperienced user could subscribe to one of these accounts, type in a domain name, and attack its website. “The problem is that this kind of firepower is available to literally anyone willing to pay thirty dollars a month,” Allison Nixon, director of security research at business-risk-intelligence firm Flashpoint, explained. “Basically what this means is that you must have DDoS protection to participate on the internet. Otherwise, any angry young teenager is going to be able to take you off-line in a heartbeat.” Even booter services need DDoS protection. VDoS hired Cloudflare, one of the largest DDoS mitigation companies in the world.
DDoS as a service was following a trend in cybercrime known as “malware as a service.” Where users had once bought information about software vulnerabilities and tried to figure out how to exploit those vulnerabilities themselves, or had bought malicious software and tried to figure out how to install and execute it, they could now simply pay for the use of malware and hack with the click of a button, no technical knowledge required.
Because customers who use DDoS as a service are inexperienced, they are particularly vulnerable to scams. Fraudsters often advertise booter services on public discussion boards and accept orders and payment, but do not launch the promised attacks. Even VDoS, which did provide DDoS service, did so less aggressively than advertised. When tested by Flashpoint, the VDoS botnet never hit the promised fifty gigabits/second maximum, ranging instead from six to fourteen gigabits/second.
The boards that advertise booter services, as Hack Forums once did, are accessible to anyone with a standard browser and internet connection. They exist on the Clear Web, not on the so-called Dark Web. To access sites on the Dark Web you must use a special network, known as Tor, typically using a special browser known as the Tor Browser. When a user tries to access a website on the Dark Web, the Tor Browser does not request web pages directly. It chooses three random sites—known as nodes—through which to route the request. The first node knows the original sender, but not the ultimate destination. The second node knows neither the original source nor the ultimate destination—it recognizes only the first node and the third node. The third node knows the ultimate destination, but not the original sender. In this way, the sender and receiver can communicate with each other without either knowing the other’s identity.
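The three-node routing described above can be modeled in a few lines. This is an added illustration, not code from the book or from the Tor Project: the sender wraps the request in one encrypted layer per node, and each node can open only its own layer. The node names, the keys, `site.example` and the toy SHA-256 keystream cipher are assumptions made for the sketch; real Tor negotiates a key with each node and uses different cryptography.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only, not Tor's cryptography."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Sender builds the onion inside out: the innermost layer is for the last node."""
    next_hops = path[1:] + [destination]
    cell = payload
    for node, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(keys[node], layer)
    return cell

def peel(node, key, received_from, cell: bytes):
    """A node removes its own layer and learns only its neighbours."""
    layer = json.loads(keystream_xor(key, cell))
    view = {"node": node, "sees_from": received_from, "forwards_to": layer["next"]}
    return view, bytes.fromhex(layer["data"])

def run_circuit(sender="client", destination="site.example", payload=b"GET /"):
    """Send one request through three nodes; return each node's view and the delivered bytes."""
    path = ["first", "second", "third"]  # hypothetical node names
    # Constructed per-node keys; in this model only the sender and that node hold each key.
    keys = {n: hashlib.sha256(b"constructed-key-" + n.encode()).digest() for n in path}
    cell = wrap(path, keys, destination, payload)
    views, previous = [], sender
    for node in path:
        view, cell = peel(node, keys[node], previous, cell)
        views.append(view)
        previous = node
    return views, cell

if __name__ == "__main__":
    views, delivered = run_circuit()
    for v in views:
        print(v)
    print("delivered to destination:", delivered)
```

No single node's view contains both `client` and `site.example`, which is the property the paragraph describes.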
The Dark Web is doubly anonymous. No one but the website owner knows its IP address. No one but the visitor knows that they are accessing the website. The Dark Web, therefore, tends to be used by political dissidents and cybercriminals—anyone who needs total anonymity. The Dark Web is legal to browse, but many of its websites offer services that are illegal to use. (Fun fact: the U.S. Navy created the Dark Web in the mid-1990s to enable their intelligence agents to communicate confidentially.)
It might be surprising that DDoS providers could advertise on the Clear Web. After all, DDoS-ing another website is illegal everywhere. In the United States, one violates the Computer Fraud and Abuse Act if one “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization,” where damage includes “any impairment to the . . . availability of data, a program, a system, or information.” To get around this, booter services have long argued they perform a legitimate “stressor” function, providing those who set up web pages a means to stress test websites. Indeed, booter services routinely include terms of service that prohibit attacks on unauthorized sites and disclaim all responsibility for any such attacks.
In theory, stressor sites play an important function. But only in theory. Private chats between VDoS and its customers indicated that they were not stressing their own websites. As a booter service provider admitted to Cambridge University researchers, “We do try to market these services towards a more legitimate user base, but we know where the money comes from.”
This article originally appeared on Engadget at https://www.engadget.com/hitting-the-books-how-hackers-turned-cybercrime-into-a-commercial-service-153050866.html?src=rss