Anonymous Indictment Raises Serious Question: Is It Really A CFAA Violation To DDoS A Website?

from the questions dept

Way back in the fall of 2010, we wrote about how it was a really dumb idea for people associating themselves with Anonymous to run a series of DDoS attacks, under the name "Operation Payback," focused on the RIAA, MPAA, US Copyright Office and other websites. The attacks were protesting attempts to take down The Pirate Bay, as well as a variety of other complaints about general acts of copyright maximalism and copyright trolling. As we noted, such attacks do a lot more harm than good. Either way, the feds have finally gotten around to indicting thirteen individuals for somehow participating in that fall spree of DDoS attacks. While the indictment tries to make it out like this is a big conspiracy, it's unclear how connected some of the various attacks are, as it appears (as is frequently the case with Anonymous) that some individuals simply chose some sites to DDoS on their own and announced they were doing it as Anonymous. It's difficult to see a conspiracy when there's no real connection.

That said, there's a much bigger question here. While DDoS attacks can be a nuisance, are they really criminal? In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest. In fact, some people arrested for DDoS attacks have been making this claim in court -- and there was even a White House petition asking it to recognize DDoSing as a valid form of protest.

Instead, as the indictment shows, the feds are hitting these thirteen individuals with CFAA violations -- the broad, troubling anti-hacking law that is regularly abused by the feds for any crime that involves a computer. In this case, the focus is on 1030(a)(5)(A) which targets people who:

    "... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"

But is a DDoS really "damage"? I can see how there's a reasonable argument both for and against that. But I have trouble seeing how, as the feds claim, these DDoS attacks did more than $5,000 in damage to the various sites they took down. Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded.

Again, I'll make clear that I think DDoS attacks are dumb, counterproductive and immature. But I have trouble seeing how they're criminal acts that could lead to five years in jail.

Also, there are some oddities, in that one of the lawyers for one of the accused folks claims that he had been working out a settlement, which has now been "scuttled" by the indictment. I imagine that most of the accused will eventually come to some sort of plea bargain deal. The DOJ stacks the deck so that you're often crazy not to plead your way out of these deals. And it's unlikely that any of the individuals will appear particularly sympathetic for their alleged actions here. But I'm still quite troubled by the idea that these actions add up to that much in damage, and a computer hacking crime deserving of significant jail time.


Reader Comments

  1.  
    Rikuo (profile), Oct 4th, 2013 @ 5:13am

    "because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded. "

    Have to disagree with you there Mike. A normal computer user makes one request to the web server to access a site, but a DDOSer intentionally uses the bandwidth of thousands of computers to all hit the site at the same time, and not for the purpose of accessing and viewing the site as normal. A quick real-world analogy would be a business that gets one physical letter in the mail from each of its customers, but is then suddenly inundated by thousands of letters all spammed by the same individual.

     

  2.  
    Ninja (profile), Oct 4th, 2013 @ 6:06am

    Re:

    but is then suddenly inundated by thousands of letters all spammed by the same individual.

    Part of the ones participating in the attacks were using LOIC and other tools in some sort of "crowdfunded" ddos. I'd say a more accurate description would be a lot of individuals sending a lot of letters, with a few of them being responsible for a bigger portion of the letters when compared to others because they have more mailboxes available to dispatch such letters.

     

  3.  
    Ninja (profile), Oct 4th, 2013 @ 6:11am

    Again, I'll make clear that I think DDoS attacks are dumb, counterproductive and immature.

    Are they? From your linked article:

    There's nothing at all creative about taking down the MPAA and the RIAA -- and all it does is serve to reinforce their misguided prejudices that it's just a bunch of unruly kids who dislike them. On top of that, it gives them more ammo to position themselves as being persecuted by a small minority. It's a dumb move that looks bad and does a lot more harm than good from a group that should know better.

    Aren't any and all forms of revolt against an established system treated as such by the system itself? I have mixed feelings on ddos attacks mainly because usually there are botnets involved but if several thousand people decided to load their LOICs and participate in a coordinated ddos what's the difference? What's the difference of defacing a website and Greenpeace setting a giant banner in a public monument?

    I think those are part of the arsenal the people from this new millennium have at their disposal to revolt, to show discontent and vent their frustration with the contempt the Governments are showing towards them.

     

  4.  
    Anonymous Coward, Oct 4th, 2013 @ 7:54am

    Re:

    Going to have to agree with this.

    "should know better" is the kind of thing people say at protests in real life when they disagree with them. This is why you can have protests that have police MACE people who are peacefully sitting around and doing nothing.

    The establishment will always see a protest against the status quo as hostile, and many will protest the protest because it "makes things worse."

     

  5.  
    Anonymous Coward, Oct 4th, 2013 @ 7:58am

    In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest.

    Um, you do realize that people participating in a sit-in get arrested because they are committing a criminal act, right?

    Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded.

    Do I have your authorization to DDOS techdirt.com, bringing down your website? This stuff isn't hard, Mikey.

     

  6.  
    boomslang, Oct 4th, 2013 @ 8:03am

    Re:

    "Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded."

    If you can make this argument, then you can argue that privilege escalation by exploiting a flaw in a public-facing server is not criminal because the victim 'authorized' the public to exploit the flaw by deciding both to use the flawed software and to allow public access to it.

    The definition of 'authorization', as used in many of these cases, seems arbitrary. I suppose intent should matter in these cases. When the first Curiosity rover pictures of Mars arrived, NASA's website was overloaded by a flood of people wanting to see the pictures. I wouldn't count this as unauthorized access, since the intent of the people was to see Mars pictures, not to shut down NASA's website.

     

  7.  
    Anonymous Coward, Oct 4th, 2013 @ 8:08am

    Sit ins too were illegal once.

    The DOJ just wants to win no matter how absurd their logic is, what the consequences will be, I don't think they waste time thinking about those things, they just see "shiny" and go for it.

     

  8.  
    Anonymous Coward, Oct 4th, 2013 @ 8:10am

    Well to be fair a DDoS attack could "most likely would" cost considerably more than a sit-in. The last sit-in I saw did not prevent me from making a purchase. A DDoS attack can completely bring down any server if the attack is large enough.

    I don't agree with the CFAA though or jail time, they should have to pay back the cost.
    I only say that because back in 2001 I was running a game server that ended up coming under fire of a DDoS attack. It ended up costing just over $900 which brought my normal bill of $150 to $1050.

    The end result was me closing my server down since I could not afford that kind of bill.

     

  9.  
    Anonymous Coward, Oct 4th, 2013 @ 8:12am

    Imaginary crimes to silence the masses .. next thing "woman hits attacker with smart phone "john wasntme who allegedly attacked jane cellphoneslinger is suing and the DoJ has his back under the CFAA she'll be charged and sentenced to public hanging

     

  10.  
    Anonymous Coward, Oct 4th, 2013 @ 8:14am

    Re:

    The thing is, popular websites like slashdot or Penny Arcade can effectively DDoS a website they link to, just due to sheer number of fans going to look at a website that isn't up to that level of traffic. Not intentional attacks, but that's the way it works out. They could likely manage the same thing intentionally if they so wished. So you'd really need to be a bit more nuanced in your definition if you don't want to include some normal behavior as "hacking".

     

  11.  
    That Anonymous Coward (profile), Oct 4th, 2013 @ 8:14am

    Ummm did we miss the original target was a company hired by the cartels to DDOS sites they didn't like?
    http://torrentfreak.com/anonymous-members-indicted-for-ddosing-pirate-bay-enemies-131004/

    Where is that indictment?
    Or are we still playing corporations are people with special rights that put them above the law?

     

  12.  
    Me, Oct 4th, 2013 @ 8:18am

    Re:

    That's a lot of postage.

     

  13.  
    boomslang, Oct 4th, 2013 @ 8:22am

    Re: Re:

    This is an interesting point. It's certainly conceivable that someone could post to a forum-like site in such a way to attract a large number of users to visit a link and flood the server, effectively DDoS-ing it. It would be very difficult to prove malicious intent in this case.

     

  14.  
    Anonymous Coward, Oct 4th, 2013 @ 8:26am

    Re:

    Plus, the IP protocols (TCP, UDP) pretty much ensure that you will receive the traffic that's headed to you no matter what you do (bar some fault in the hardware along the way). There's no way to say "Hey everyone! Stop sending me data from *this* guy because he's spamming me.".

    All the victim can do is start dropping packets until the attack stops. In the meantime, the server is dead.


    Regarding "being public", I don't know about the US, but in my country we have rules against causing disturbances in communication channels, public or private.

    A DDOS attack is the equivalent of jamming a radio channel or cell phones. And that's illegal, regardless of how public that channel is.

     

  15.  
    out_of_the_blue, Oct 4th, 2013 @ 8:27am

    Re: @ "What's the difference of defacing a website"

    "What's the difference of defacing a website and Greenpeace setting a giant banner in a public monument?"

    a) "defacing a website" is invading private property
    b) also causing actual harm in work needed to restore
    c) also suppressing that entity's speech
    d) the latter IS "free speech" on public property.

    The c point pretty much covers my take: for you who rant about lawful actions taking down a website, you are totally inconsistent when it's done UNlawfully. Looks to me like you kids just okay whatever if like the criminal and/or don't like the victim.

     

  16.  
    mark, Oct 4th, 2013 @ 8:28am

    Why aren't these deals considered extortion? They should only prosecute if the chance of a guilty verdict is greater than 50%. So on the other side the promised reduction in such deals shouldn't be allowed to offer more than a 50% reduction.

     

  17.  
    Chris Rhodes (profile), Oct 4th, 2013 @ 8:33am

    Re:

    Do I have your authorization to DDOS techdirt.com, bringing down your website? This stuff isn't hard, Mikey.
    I don't want people to call me an asshole on the internet, but that doesn't mean it's a violation of the law to do so.

    This stuff isn't hard, AC.

     

  18.  
    Anonymous Coward, Oct 4th, 2013 @ 8:34am

    Re: Re: Re:

    That's just silly, how does more legitimate traffic constitute an attack? The site is intended to serve legitimate traffic, that a website can not handle the amount of legitimate traffic it receives is not the fault of those visiting it. Would the site owner rather reduce or limit the amount of legitimate traffic it receives?

    Plus legitimate traffic brings in more advertising dollars to pay for more bandwidth whereas DDOS attacks do not interest advertisers.

     

  19.  
    John Fenderson (profile), Oct 4th, 2013 @ 8:41am

    Re: Re:

    If you can make this argument, then you can argue that privilege escalation by exploiting a flaw in a public-facing server is not criminal because the victim 'authorized' the public to exploit the flaw by deciding both to use the flawed software and to allow public access to it


    That doesn't follow at all. A privilege escalation is actually cracking, an attempt at subverting a site to intrude on it in a way that was never authorized, even implicitly.

    A DDOS attack is nothing like that. No subversion is happening, no cracking, no intrusion at all. All interactions with the site are exactly the interactions that are authorized and expected -- there's just a lot more of them than usual.

    (I'm not arguing that there's nothing wrong with DDOS attacks. I'm arguing that there's a world of difference between DDOS and cracking/intrusion.)

     

  20.  
    Anonymous Coward, Oct 4th, 2013 @ 8:43am

    Re: Re: @ "What's the difference of defacing a website"

    a) A public website is not private property, the site is not altered in a DDOS.

    b) No work is needed to restore, the site gets flooded with traffic and it goes down, once the traffic stops and the webhost turns the switch back on the site goes back up.

    c) That entity has many avenues for speech, including after the DDOS. There is no permanent silencing effect on the speech, it frequently lasts a single day, if that long. Secondly, criminal charges on people for doing the equivalent of an internet sit in is silencing their speech.

    d) What? This is free speech on the internet.

    This isn't HACKING or DEFACING a website, which may be unlawful. This is simply preventing the website from working, something which actual protests are allowed to do to real physical businesses.

    And let's not be silly, a company's website going down for a day, while disruptive, isn't causing any harm.

     

  21.  
    John Fenderson (profile), Oct 4th, 2013 @ 8:43am

    Re: Re:

    A DDOS attack is the equivalent of jamming a radio channel or cell phones


    No, a DDOS attack is more the equivalent of sending a few dozen truckloads of physical mail on the same day.

     

  22.  
    Anonymous Coward, Oct 4th, 2013 @ 8:44am

    Re:

    Except sit-ins aren't criminal acts.

     

  23.  
    MikeC (profile), Oct 4th, 2013 @ 8:56am

    Re: Letters

    How would sending some business thousands of letters be illegal. They publish an address, accept mail. Don't see how that would be illegal and by your analogy a ddos attack isn't either.

     

  24.  
    Thomas (profile), Oct 4th, 2013 @ 8:57am

    Re: Rikuo

    I don't think it's criminal to mail a company as many letters as you want, is it?

    Well they could probably get you for harassment. But that would probably just end with a restraining order and no fine.

     

  25.  
    Thomas (profile), Oct 4th, 2013 @ 8:58am

    Re: Re: Re: @ "What's the difference of defacing a website"

    "a) A public website is not private property, the site is not altered in a DDOS."

    Dude what?

     

  26.  
    Anonymous Coward, Oct 4th, 2013 @ 9:01am

    Re: Re: Re: Re:

    There's no difference from the server's perspective between some guys using bot nets to continuously send 100,000 requests to a server that can only handle 50,000 requests, Slashdot posting a link that gets 300,000 people continuously attempting to connect to a server that can only handle 50,000 requests, or one of the makers of Penny Arcade posting an angry rant about someone and linking to their website, resulting in 500,000 people continuously attempting to connect to a server that can only handle 50,000 requests.

    In all cases from the perspective of the server, it's receiving too many legitimate requests to handle, its bandwidth and processing power is consumed, and it's overloaded and crashes bringing the site down for hours. There's nothing technologically different on its end.

     

  27.  
    Anonymous Coward, Oct 4th, 2013 @ 9:04am

    Re:

    "but a DDOSer intentionally uses the bandwidth of thousands of computers"

    Presumably without their permission. In other words, the access to the computers actually PERFORMING the DDOS is unauthorized. Unless this guy just happens to have thousands of computers sitting around.

    Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime. It's like "borrowing" someone's car to drive around a business you don't like. Even if they weren't using it at the time, that doesn't make it OK.

     

  28.  
    Anonymous Coward, Oct 4th, 2013 @ 9:05am

    'Is It Really A CFAA Violation To DDoS A Website?'

    of course it is! well, when one of the USA security services is taking the case to court and it's over a website that isn't seen as 'illegal'. i haven't come across any info as yet that says the website that was the subject of the 'revenge' had any charges against it for DDoSing TPB! i suppose that was because Hollywood, the US entertainment industries and the security services it has in its back pockets thought it was not a problem. if court action is going to be taken against those accused of DDoSing AiPlex Software, the company that admitted being the culprits for the DDoS attacks against websites, including TPB, then there has to be a court case against AiPlex Software too.
    the DoJ are doing this, yet again, because they have been told to by the heads of the entertainment industries and no other reason. they will also do the same sort of thing as they have tried against Kim Dotcom, ie, lie, cheat, deceive and manipulate what the law is, what it says, what the 'secret meanings' are and anything they can possibly think of just to get a conviction!

     

  29.  
    Anonymous Coward, Oct 4th, 2013 @ 9:10am

    Re: Re: Re: Re: @ "What's the difference of defacing a website"

    The site is A) up, or B) down.

    A public facing website gives the public tacit permission to access it.

    If the website goes down due to an overabundance of traffic, the underlying website is not affected, it's the hosting of the website that has buckled under the traffic load.

    No alteration occurs to the site, nothing on the website is CHANGED, just that access to the site is unavailable.

     

  30.  
    Anonymous Coward, Oct 4th, 2013 @ 9:11am

    Re:

    I largely agree. Except it seems that a better analogy is that the public sidewalk in front of your store is jammed by thousands of protesters prohibiting legitimate customers from accessing it.

     

  31.  
    Anonymous Coward, Oct 4th, 2013 @ 9:19am

    Re: Re:

    "jammed by thousands of protesters"

    More like it's jammed by two actual protesters and thousands of bystanders dragged there by the protesters against their will.

     

  32.  
    John Fenderson (profile), Oct 4th, 2013 @ 9:25am

    Re: Re:

    Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime


    And it is. That really is the sort of thing that the CFAA was designed to address. The crime wasn't perpetrated against the site being DDOSed, though, but rather against the machines subverted to be part of the botnet.

    However, with things like the LOIC, this component doesn't exist as every machine taking part in it is doing so voluntarily.

     

  33.  
    Anonymous Coward, Oct 4th, 2013 @ 9:34am

    Re:

    Actually no. Your analogy about mail is incorrect.

    A DDoS attack is more similar to a check-out line at the grocery store, but instead of using a single cart a user is using 500 carts to exit the check out lane and paying in change - holding up the cashier.

    There is no 'damage' and the only thing that is being affected would be the hosting account that is being targeted. While it's an asshole thing to do, it shouldn't be considered hacking, if anything it should be something along the lines of a misdemeanor followed by a fine - not jail time.

     

  34.  
    Anonymous Coward, Oct 4th, 2013 @ 9:34am

    Re: Re: Re:

    LOIC requires opt in.

    Botnet takedowns with infected unknowing machines that are slaves is one thing, LOIC though requires you to activate it and join in, making it not against their will.

     

  35.  
    Anonymous Coward, Oct 4th, 2013 @ 9:35am

    It's not even close to a sit-in. Whoever thinks that has no idea how technology works.

    In a sit-in, you don't make sure the target gets billed an extraordinary amount of money, whereas in a (D)DoS, the target will have to spend money to pay for the incoming attack, which can quickly go in the thousands of dollars depending on your provider.

    Sure, you may bring some of the same effects to the target, but some are completely different and the consequences can be much more disastrous with an attack than a sit-in.

     

  36.  
    Anonymous Coward, Oct 4th, 2013 @ 9:36am

    Re: Re:

    >Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime.

    1: DDOSing doesn't involve hijacking your computer.
    2: Hijacking someone's computer is already a crime. You're thinking a BotNet.

     

  37.  
    Anonymous Coward, Oct 4th, 2013 @ 9:53am

    Re: Re: Re:

    I sort-of agree with this. A DDoS can be a precursor to a cracking attempt, or a complement to it, but is not, in and of itself, a cracking attempt.

     

  38.  
    Anonymous Coward, Oct 4th, 2013 @ 9:58am

    Re: Re: Re: Re: Re:

    An attack reduces the amount of legitimate users that can visit the site. The site owner's objective is to serve (more) legitimate users and directing more legitimate traffic to the site better serves more legitimate users whereas an attack prevents the site from serving (as many) legitimate users.

    If the site owner paid to serve 5000 legitimate users at a time and 10,000 legitimate users want to use it then only 5000 can get in. The site owner didn't pay to handle the rest of the 5,000, no harm no foul. But under an attack the site can now only serve 2,000 legitimate users which is less than what the site owner paid for and so the site owner is being harmed. Plus now advertisers are getting revenue from only 2000 legitimate users while paying to serve 5,000 which reduces the site's income while keeping expenses high.

    The owner is concerned with the number of legitimate users the site can serve and reducing that amount works against the interests of the owner.

    The owner doesn't care about your technical assessment. If my television breaks because the UPS guy dropped it on the way or because of a manufacturer defect I, the owner, do not care about technically why it doesn't work and about the technical aspects of how it works. I paid for x and got y and if I don't get what I paid for the law ought to make it right.

     

  39.  
    Berenerd (profile), Oct 4th, 2013 @ 9:58am

    Re: Re:

    I think it would be better stated as, If you go to Walmart, and buy something, that is what Walmart expects. They even expect people to come in from time to time and not buy anything. But if suddenly you have a few thousand people in the aisles just standing there and not letting legitimate customers shop, then that would be a real world version of a DDoS attack.

    Where I can see this costing money in support and bandwidth, for the sites attacked there is no other financial damage. It does cost them though for the bandwidth and DDoS mitigation costs.

     

  40.  
    Anonymous Coward, Oct 4th, 2013 @ 9:59am

    Re: Re: Re: Re: Re: Re:

    "which reduces the site's income while keeping expenses high." (because now advertisers will pay less).

     

  41.  
    Anonymous Coward, Oct 4th, 2013 @ 10:00am

    They only know the identities of the indicted individuals for this and other Internet related crimes simply because of the NSA's backbone and service logging abilities.

    They can launder the evidence to be something unrelated all they want, but the rest of us know better.

    They used it against Kim Dotcom and just about everything else non-terrorism related.

     

  42.  
    Anonymous Coward, Oct 4th, 2013 @ 10:10am

    Re:

    A quick real-world analogy would be a business that gets one physical letter in the mail from each of its customers, but is then suddenly inundated by thousands of letters all spammed by the same individual.

    Kind of like all the tons of peanuts sent to a television network when Jericho was cancelled? That wasn't criminal. Neither is sending thousands of letters to a business, as long as you pay the postage.

     

  43.  
    Anonymous Coward, Oct 4th, 2013 @ 10:11am

    Re: Re: Re:

    A DDOS attack is nothing like that. No subversion is happening, no cracking, no intrusion at all. All interactions with the site are exactly the interactions that are authorized and expected -- there's just a lot more of them than usual.

    Actually, that's usually false. Let's take LOIC for example: Wireshark analysis

    Typically, when defending these attacks they are usually a standard request. IE. GET /app/?id=1292337572944&msg=BOOM%2520HEADSHOT! HTTP/1.1

    Somehow, I don't think "BOOM HEADSHOT!" is a typical query. The thing is using someone like CloudFlare or a DPI appliance can usually catch these requests from the patterns.

    The more troublesome issues are related to udp, since millions of unprotected DNS servers, routers, and networks are spewing the packets and the end users are using those vulnerabilities to flood the target. See for example: http://openresolverproject.org/

     

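The pattern matching described in the comment above, as an added example (not code from the post, the commenter, CloudFlare or any DPI product): it reduces each logged request to a template, undoing double percent-encoding such as `%2520`, and flags templates where a fixed text value repeats while a numeric field rotates on almost every request. The log lines, addresses, thresholds and function names are constructed for illustration, and the rule is a heuristic rather than a complete classifier.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding (%2520 -> %20 -> space)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def template_of(target):
    """Reduce a request target to (path, params); numeric values become <num>."""
    parts = urlsplit(target)
    params = []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        val = fully_unquote(val)
        params.append((key, "<num>" if val.isdigit() else val))
    return parts.path, tuple(sorted(params))


def find_flood_templates(lines, window_s=60, min_hits=5, min_unique_ratio=0.9):
    """Return one finding per (template, time window) that looks scripted."""
    buckets = defaultdict(lambda: {"hits": 0, "targets": set(), "clients": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path, params = template_of(m["target"])
        values = [v for _, v in params]
        # Heuristic (assumption): a rotating numeric field next to fixed text.
        if "<num>" not in values or all(v == "<num>" for v in values):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = int(ts.timestamp()) // window_s * window_s
        bucket = buckets[(path, params, window)]
        bucket["hits"] += 1
        bucket["targets"].add(m["target"])
        bucket["clients"].add(m["ip"])

    findings = []
    for path, params, window in sorted(buckets):
        bucket = buckets[(path, params, window)]
        unique_ratio = len(bucket["targets"]) / bucket["hits"]
        if bucket["hits"] >= min_hits and unique_ratio >= min_unique_ratio:
            findings.append({
                "path": path,
                "params": dict(params),
                "window_start": window,
                "hits": bucket["hits"],
                "clients": len(bucket["clients"]),
            })
    return findings


# Constructed sample: eight requests shaped like the one quoted in the comment
# (documentation-range addresses), mixed with ordinary traffic.
SAMPLE_LOG = [
    f'198.51.100.{i % 3 + 1} - - [04/Oct/2013:10:11:{i:02d} +0000] '
    f'"GET /app/?id={1292337572944 + i}&msg=BOOM%2520HEADSHOT! HTTP/1.1" 200 512'
    for i in range(8)
] + [
    '203.0.113.5 - - [04/Oct/2013:10:11:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.6 - - [04/Oct/2013:10:11:04 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [04/Oct/2013:10:11:09 +0000] "GET /app/?id=17&msg=hello HTTP/1.1" 200 77',
    '203.0.113.8 - - [04/Oct/2013:10:11:12 +0000] "GET /app/?id=18&msg=thanks HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for finding in find_flood_templates(SAMPLE_LOG):
        print(finding)
```

Popular pages requested with an identical URL, the link-from-a-big-site case raised elsewhere in the thread, are not flagged because their targets do not rotate.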

  44.  
    Anonymous Coward, Oct 4th, 2013 @ 10:12am

    Re: Re: Re:

    Good point. I agree.

     

  45.  
    Anonymous Coward, Oct 4th, 2013 @ 10:13am

    Re: Re: Re:

    That happens every year the night before Black Friday sales begin. They don't call the police. No one is arrested for it.

    A better analogy is a sit in, as Mike stated, and a sit in is considered a legal form of protest.

     

  46.  
    Ninja (profile), Oct 4th, 2013 @ 10:14am

    Re: Re: @ "What's the difference of defacing a website"

    a) "defacing a website" is invading private property

    No, it is not. And unlike a real building the only work needed is to restore a previous state and do the security job in a more efficient way. The public/private thing blurs when the buildings are private but open to the public which is the case for websites.

    b) also causing actual harm in work needed to restore

    Same with real world activism. You block traffic and disrupt a lot of everyday activities which have economic costs. And yet you don't condemn such protests at least not if you aren't some totalitarianism-apologist.

    c) also suppressing that entity's speech

    It's not, the site can be brought back to its previous state anytime. No physical hardware is compromised or need any repair.

    d) the latter IS "free speech" on public property.

    Both are.

    for you who rant about lawful actions taking down a website, you are totally inconsistent when it's done UNlawfully

    There is a point in the society when the law loses its meaning and law enforcement gets out of control. At those times, unlawful behavior is the only way to revert things back. Schindler's actions when saving these Jewish were unlawful according to the Nazi Germany law. History has much to teach us little padawan, don't turn your back on it ;)

     

  47.  
    michael, Oct 4th, 2013 @ 10:14am

    Not really a sit-in

    A sit-in requires me to be present -- it's a form of protest because I give up my anonymity and my free time. It's me giving up something in exchange for making a statement.

    DDOS, while I think the "damage" claim is ridiculous, causes me to give up nothing. I can DDOS ten thousand websites at a time, given the resources, so any "protest" I may be engaging in is costing me nothing, negating the whole concept of "protest." If you're not an idiot, you'll never be caught, and your name will never be associated with a statement of any sort.

    If it's a form of protest, it's one for lazy cowards.

     

  48.  
    Anonymous Coward, Oct 4th, 2013 @ 10:14am

    It's worth pointing out that the DDoS attacks in question were a retaliation against an antipiracy company announcing that it was going to DDoS the Pirate Bay.

    I don't see anyone from that company getting indicted, though. So much for justice being blind.

     

  49.  
    Ninja (profile), Oct 4th, 2013 @ 10:15am

    Re: Re: Re: Re:

    Agreed. But he has a point too, I'd say it's a sort of mix of people sitting in to protest against Walmart torturing kittens. Most people would find it reasonable despite the financial damages Walmart could suffer.

     

  50.  
    Chris Brand, Oct 4th, 2013 @ 10:18am

    "Damage" to a "computer"

    To my mind, "damage" doesn't go away when the thing causing it goes away - you can't "damage" my car by putting a sheet over the windshield. The effects of a DDOS attack only last as long as the attack itself.

    Also, a "website" isn't a "computer". A DDOS attack really doesn't hurt the computer at all - it just keeps it really, really busy. Yes, it may get so busy that the website effectively goes down, but the computer is generally still fine (barring things like overheating or failing power supplies due to the extra work).

    So it does feel like overreaching to apply this statute in this case.

     

  51.  
    Anonymous Coward, Oct 4th, 2013 @ 10:19am

    Re: Re:

    Is Oprah guilty of DDOSing the KFC website a few years back? Is Axl Rose guilty of DDOSing the Dr. Pepper website by releasing a new album and causing everyone to go ask for their free Dr. Pepper?

     

  52.  
    Ninja (profile), Oct 4th, 2013 @ 10:20am

    Re: Not really a sit-in

    It depends. What you said is true if botnets are used. When a bunch of people use LOICs for instance things change. You are voluntarily donating your computer and resources. And it can be identified from the logs (unless you use anonymizing methods but I'm not sure if the attack would be efficient).

    If it's a form of protest, it's one for lazy cowards.

    Really? Can't you think of other types of anonymous protests throughout history? And considering how computers and the Internet reduced much of the effort needed for many things (ie: you don't need to go through several piles of books on a library to research a subject) do you really think it's laziness? Does it mean that we should go back to search exclusively on libraries or risk being labeled lazy?

     

  53.  
    Anonymous Coward, Oct 4th, 2013 @ 10:20am

    Re: Re: Re: Re: Re:

    And if I am hit by a car crossing the street and break my leg, it makes no difference to my leg whether it was a pure accident or if it was the result of malicious vehicular assault. In either case, my leg is broken.

    But one scenario certainly makes more difference to me and the police. The Ends don't justify the Means or Intent.

     

  54.  
    Anonymous Coward, Oct 4th, 2013 @ 10:21am

    Re: Re: Re: Re:

    So if legitimate traffic shuts down a website by overloading it, it's legal, but if illegitimate traffic shuts down a website as a form of protest, it's not? I think the constitution has something to say about that form of reasoning.

     

  55.  
    Anonymous Coward, Oct 4th, 2013 @ 10:25am

    Re: Re: Re:

    I'd also note: if LOIC is illegal, so are the tools used by every company that does load testing.

     

  56.  
    Ninja (profile), Oct 4th, 2013 @ 10:29am

    Re:

    Really? So if the sit in drives customers away it's ok, right? Nope, not a problem. In a ddos you can turn off the connection to avoid further costs. In a sit in you can't turn off the people and sit ins can last for weeks or months.

     

  57.  
    Anonymous Coward, Oct 4th, 2013 @ 10:29am

    Re: Not really a sit-in

    The fact that it's a protest does not hinge in any way at all on you giving up anonymity or even free time. If you wear a mask at a sit-in does it magically make it not a sit-in? You also contradict yourself rather extremely when you go from claiming you give up nothing to saying you could "DDOS ten thousand websites at a time, given the resources." Which is it, do you give up nothing or do you need resources?

     

  58.  
    Ninja (profile), Oct 4th, 2013 @ 10:32am

    Re:

    Seems your attack was malicious. There can be public demonstrations with malicious intent that will cause severe damage (Black Blocks, anyone?). Not that they are wrong per se, sometimes a little destruction may go a long way towards change (I don't quite agree with the BBs methods though). I think the intent of the damages has to be taken into account.

    Also, sit-ins need police to be constantly watching which raises costs and the local business may suffer due to people avoiding the place. It's not that simple as you can see.

     

  59.  
    Anonymous Coward, Oct 4th, 2013 @ 10:33am

    Re:

    Sounds like small claims court, not a federal crime.

     

  60.  
    Anonymous Coward, Oct 4th, 2013 @ 10:36am

    DDoS attacks are also used against pedophile sites. Why does the DoJ want to support pedophiles? Think of the children!

     

  61.  
    Aon, Oct 4th, 2013 @ 11:28am

    conspiracy, or peaceful assembly?

    The difference between a DoS and DDoS is conspiracy. That word has been demonized/criminalized only recently (1977).
    http://en.wikipedia.org/wiki/Conspiracy_(crime)#Common_law_offence
    But then there is the matter of drawing a line between conspiracy and the right of peaceful assembly. A DDoS is not a riot, though prosecutors will make that claim.

     

  62.  
    Xycaler, Oct 4th, 2013 @ 11:46am

    CFAA and NSA

    This CFAA is great stuff. While looking up the section quoted in the article, I surfed around and found 1039(a)(4):


    (4) accessing customer accounts of a covered entity via the Internet, or by means of conduct that violates section 1030 of this title, without prior authorization from the customer to whom such confidential phone records information relates;


    Sound familiar to anyone?

     

  63.  
    Xycaler, Oct 4th, 2013 @ 11:51am

    1030(e)(2)(b) says:
    (2) the term “protected computer” means a computer—
    (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;


    Which... that's kind of dubious don't you think?

    Unfortunately, 1030(e)(8) says:
    the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;


    Eurgh.

     

  64.  
    art guerrilla (profile), Oct 4th, 2013 @ 1:03pm

    Re: Re: Letters

    it does NOT matter if it is IDENTICAL to 'sit-ins', in both intent and practice: The They (tm) don't like it, and that is all that matters...

    i'm certain The They (tm) WOULD 'outlaw' sit-ins and other inconvenient protests if they could (which they have tried)...

    it really has NOTHING to do with rational thinking, fairness, applying constitutional principles, blah blah blah; it is ALL about control: they don't want pesky sheeple making a stink over anything, anywhere, anytime...

    *that* is the bottom line...

     

  65.  
    John Fenderson (profile), Oct 4th, 2013 @ 1:24pm

    Re: Re: Re: Re:

    Somehow, I don't think "BOOM HEADSHOT!" is a typical query


    It's not, but that's irrelevant to my point. It is an allowed & legal query, just meaningless. It is not an attempt to subvert security.

     

  66.  
    John Fenderson (profile), Oct 4th, 2013 @ 1:32pm

    Re:

    in a (D)DoS, the target will have to spend money to pay for the incoming attack


    That all depends on the particular hosting arrangement you have. If one of my websites is DDOSed, it won't cost me an additional penny in bandwidth fees, as I pay a flat rate. Once my cap is reached, then my site is disconnected until the next billing cycle, though.

    Also, any quality host will allow you to set up thresholds so that if a DDOS is noticed, bandwidth can be automatically restricted or the site disconnected until the DDOS ends. This tends to be a very effective way of dealing with the problem.

    In the end, with appropriate hosting plans, you can ensure that you won't get any surprise bills ever, for the small cost of simply disconnecting the site until the DDOS ends. (The cost is small because people probably can't reach the site until then anyway, so nothing is lost).

     

  67.  
    Anonymous Coward, Oct 4th, 2013 @ 2:21pm

    Slashdot Effect

    Invoking the slashdot effect is the ultimate legal form of DDOS. It is perfectly legal legitimate traffic that brings it crashing down. Say if the RIAA website went down in the wake of a scandal from people checking to see what insane form of logic they used to defend themselves or emailing complaints to them.

     

  68.  
    Anonymous Coward, Oct 4th, 2013 @ 5:14pm

    It's not really about "HOW" you did it, it's about what you achieved and WHY !

    Yes, going to a web site once to read what is on it is a lot different to creating a bot to spam pings and shut down a web site. It's not how you shut the web site down, it's that you DID shut it down and why.

    It's not how you do it, it's what you did and why.

    Motive and intent.
    Yes, it is the same as jamming a TV broadcast or a radio broadcast.

    The 'fine' would include loss of trade, cost of restoration, punitive damage and loss of goodwill, and legal expenses.

     

  69.  
    Anonymous Coward, Oct 4th, 2013 @ 5:46pm

    Re: Re:

    "Plus, the IP protocols (TCP, UDP) pretty much ensure that you will receive the traffic that's headed to you no matter what you do (bar some fault in the hardware along the way)."

    Well, no. If there isn't sufficient bandwidth for all your traffic to reach the recipient (say because the recipient is being overloaded with other traffic) the packets might just get dropped by the routers in transit.

     

  70.  
    Bergman (profile), Oct 4th, 2013 @ 10:37pm

    Re: Re:

    Except that they are, once they are asked to leave. If they refuse, the crime is trespassing.

     

  71.  
    Bergman (profile), Oct 4th, 2013 @ 10:41pm

    If a DDoS violates the CFAA...

    Wouldn't the way ICE seizes websites also be a CFAA violation?

     

  72.  
    Karl (profile), Oct 4th, 2013 @ 10:46pm

    Re:

    Oh, good, Cowardly A.J. takes another swipe in the Techdirt comments. You know it's him, because:

    1. He presents his opinions as absolutes, that nobody could possibly disagree with: "This stuff isn't hard..."

    2. He does it in the most condescending way possible: "...Mikey."

    As it happens, you're incorrect, yet again:

    Do I have your authorization to DDOS techdirt.com, bringing down your website?

    You're confusing "permission" with "authorization." For the purposes of 18 USC 1030, "authorization" means "authorized to access a computer," not "authorized by the owner of the computer."

    There is no question whatsoever that, on an individual level, every request made by a DDoS is authorized under the CFAA.

    The question is whether the sheer bulk of authorized accesses, possibly in combination with the intent of the accessor, turns authorized access into unauthorized access.

    Mike said that this is an open question. I think it is probably not unauthorized under the CFAA, you probably think it is. But either way, you're wrong when you said "this stuff isn't hard."

     

  73.  
    tek, Oct 5th, 2013 @ 1:41pm

    Re:

    Which refutes your own point.

    It's not *illegal* nor subject to years of jail time to send thousands of letters.

     

  74.  
    Anonymous Coward, Oct 6th, 2013 @ 5:27pm

    Re:

    I don't expect anyone whose best argument for months is "Bawk, bawk, cluck, moo" to have the technical capability and gumption to DDOS a website.

     
