Do it right, or don't do it at all. Part III
When the thugs come knocking...
When Kolab got going, we vowed to ourselves that we would be different. We would not promise more than we could deliver. We would not participate in the race of snake oil vendors. We wanted better solutions. For everyone. As Open Source, Open Standards, with software freedom attached.
Kolab stands by these principles. Especially in the face of adversity.
Tuesday this week we received the following ransom note via our web form, sent from a Tor exit node:
Message: We are Armada Collective.
Do you know us?
If not search Google for "ProtonMail DDoS". Don't want the same to happen to you?
Pay exactly 10.02 Bitcoin to 1NpWoBdnLD3jWwhEWe2KbBNjSNZyGptTpf
Do not reply. We will not read. Pay, we know it's you and you never hear us again.
You have 4 days.
Could this ransom note be just some copycat? Absolutely. Can we take that chance? No.
So we've set in motion the process we've exercised mentally before, called the numbers that had been agreed upon for just this case, and started preparing to do what we believe in more than anything else: To defend the integrity and security of our users against a formidable group of thugs that may be standing at our gates with a huge battering ram.
Because never have we considered paying. Paying ransom would violate everything we believe in. It would contradict what we stand for. And it endangers others, who may be less prepared than us.
We immediately informed the federal police cyber crime unit and gave a heads-up to the Swiss Government Computer Emergency Response, which has been monitoring such groups for a while and has published some good and relevant information on these activities.
We also spoke with our data centre operator and hosting partners we are working with in Switzerland. Expecting this kind of ransom note to reach us eventually, we had agreed upon an alerting process some time ago – so this was just the moment to see that the process we had put in place actually worked.
Together with the data centre operator, our technical team went to work on all the possible perimeter defence measures in order to then continue with the internal classification of our infrastructure, double-checking attack surfaces, looking into all the known ways we can mitigate the impact on our service. And to prepare injunctive relief for that moment when the bandwidth is saturated, and no regular traffic may be able to get through.
Because some kinds of DDoS attacks may be comparatively defensible, and the “DDoS for hire” services may be of varying quality. But a truly capable criminal actor or nation state will have the means to saturate the bandwidth even of very large network operators. According to its own claims, the Armada Collective has offensive capabilities in the range of 1 Tbps. That should probably be taken with a grain of salt, given that it seems no attack of this order of magnitude has been observed so far.
But even 200-300 Gbps would force most data centres to at least temporarily triage access to the victim of the attack in order to defend all other customers. When it comes to that, you're typically offline for as long as the attack persists. Unless you're using cloud-based services, e.g. CloudFlare, which has a proven track record of defending against DDoS attacks at that scale.
Unfortunately, making use of their service would violate the promise we have made to our users.
Kolab remains the only serious fully featured solution in the enterprise collaboration realm that does not have personal, legal and/or financial ties to the United States of America.
Most of these services, on the other hand, are US businesses. According to CloudFlare, it has cooperated voluntarily with US law enforcement in the past, but valiantly fought the NSA on behalf of its customers. At the same time, it has also made it clear that it is not allowed to truthfully and transparently report on the matter. And in order to use such a service, we'd have to route all traffic of our users through them. So we would have to place absolute trust in any such service as well as the US government to not monitor our users, and not to conduct Man-In-The-Middle (MITM) attacks.
So while using these services would be the most convenient and easiest path forward, it is once more the path we cannot take. Which we've gotten used to over the years. Where other service providers rented cheap virtual servers to provide allegedly “secure” messaging platforms – putting their users at the mercy of various intermediaries they have never heard of – we built out a cage with physical control and our own hardware. Where others outsource their system engineering and administration to third parties behind the scenes, we have gone through the painstaking process of building out our own operations. And where other providers rely on proprietary software written by companies with US holdings, we set out as a purely Swiss business with German origins to develop an entire stack that would follow a secure microservice architecture that is fully Open Standards and Open Source.
So now our Kolab Now service is being threatened. And once again the easier way would be to do what many others have been doing and sign up with cloud-based defensive services. But in doing so we would violate the promise we have made to our users. The downside of being true to our promise is that we may end up with a disrupted service.
In making that call to stand by our principles, we can only hope that our users will understand and agree. And stand with us. You can rest assured that if and when we come under attack, our team will not rest until it has done everything that is technically possible to minimize disruption while safeguarding the integrity and security of our users at all times.
We do all this so everyone can have confidence in collaboration.
And we thank everyone who supports us in this quest and hope this is all just a false alarm. For the latest updates, please follow our dedicated service status page.
Kolab Systems AG CEO