30 Months In Prison For Denial Of Service Hit On Politicians' Websites

from the seems-a-bit-extreme dept

For all of those participating in the denial of service attacks being put together by “Anonymous,” you might want to consider that a guy who took down various politicians’ websites with DDoS attacks just got 30 months in prison — along with over $50,000 in fines and 3 additional years of “supervised release.” This certainly seems like punishment way out of line with the actual actions, but in this day and age of law enforcement and the legal system not really understanding technology, it’s not all that surprising.


Comments on “30 Months In Prison For Denial Of Service Hit On Politicians' Websites”

73 Comments
fogbugzd (profile) says:

Pretty serious crime

Taking down a politician’s web site is a pretty serious crime in a democracy because it is a direct attack on freedom of speech. I don’t think 30 months is out of line at all.

I just wish it was a more uniform principle. We have provided too many legal methods such as DMCA and expansive interpretations of copyright and trademark law that let companies suppress free speech without consequences or penalties.

In my mind the only reason the penalties in this case are excessive is that we don’t defend freedom of speech nearly as aggressively when it is big companies suppressing the speech of the little fellow.

Anonymous Coward says:

Re: Pretty serious crime

It seems we’ve reached the case where if a poor guy does something to a rich and powerful guy (politician or CEO) or entity (ie: corporation) he gets excessive punishment. If a rich and powerful guy or entity does something to a whole lot of poor people (ie: pharmaceutical corporations deliberately breaking laws) the punishment is a slap on the wrist.

Chris (profile) says:

Re: Pretty serious crime

I have to disagree with you. 30 months in prison for simply bringing down a website for a while? How is that not excessive? The analog equivalent would be if someone took down a poster for a day and then put it back up. I really don’t think anyone would actually care if someone did that. Should he be punished? Absolutely there is no excuse for a DDoS, it’s just rude. I just don’t think 30 months in jail fits his crime. A better use would be to force them to teach computer security classes.
If you are saying that a DDoS is an attack on free speech then, any site take down should be met with such force. Including ones that people don’t like or think are offensive. This would also apply to ISPs and gov’ts messing with sites. If you are ok with that then, I would agree with you on the attack of free speech part.

Anonymous Coward says:

Re: Pretty serious crime

Have you spent even 5 minutes thinking about how much 30 months in jail would ruin your life? For Bill O’Reilly’s website?

The fines would have been more than adequate. This guy would have been severely punished, but would have had a chance to contribute to society. Now he’ll spend time in jail and have extreme difficulty getting a job.

This is a completely non-violent crime. Violent criminals need to be separated from society. Guys like this can be handled with fines.

Free Capitalist (profile) says:

Re: Pretty serious crime

“Taking down a politician’s web site is a pretty serious crime in a democracy because it is a direct attack on freedom of speech.”

In an ideal world I would agree taking down a politician’s website, even for a while, would be very significant suppression of free speech.

However, all of the affected politicians fall into the “no stand” paradigm, i.e., they did not bother to list their positions or explicit opinions regarding specific legislation. There are very few “two party” candidates who do bother to put their positions on their websites.

In light of the absence of information or honest expression, I am left wondering just what, if any, detrimental effect these attacks actually caused.

Still, he did the crime. That our judicial system favors the rich and powerful was a preexisting condition the hacker could have factored into his decision making process.

ChronoFish (profile) says:

Re: Pretty serious crime

I have to agree.

I don’t know how it could be any more blatant an attack on freedom of speech, freedom of assembly, and an attempt to sway an election by blocking access to information.

I agree that it is a travesty that there are cases where murders and repeat offenders get off easier. But I take the side that those punishments should be stiffer – not that this punishment should be lessened.

If TechDirt were taken down it would be a serious crime and I would expect the perpetrators to be held accountable – and I assume you (readers of techdirt) would too.

If Mike Masnick were to run for office and his personal political website received a similar DDoS I would expect his supporters here to rally and demand those responsible to be punished with the full weight of the law behind it.

-CF

nasch (profile) says:

Re: Re: Pretty serious crime

I’m a TechDirt fan, and I wouldn’t want to see anyone put in prison for taking down the Masnick for Congress web site. Certainly not for two and a half years. Is it a “serious crime”? I don’t know, murder, sex abuse, kidnapping, robbery, and large scale fraud are serious crimes. I have a hard time putting a denial of service attack in that same category.

Anonymous Coward says:

Re: Re: Pretty serious crime

What will end up happening is that those who actually represent the public will have their websites taken down by corporate interests and rich and powerful people and those taking down those representative sites (and Mike’s blog has been subject to various attacks already and the attackers were never held accountable, not even once, as an example) will never, not even once, be held accountable. If one person even tries to take down the website of the rich or a big corporation the punishment will be huge. That will be the future if people don’t step up to prevent it.

Jason says:

Re: Pretty serious crime

Bull, the DDoS was little more than a well planned protest, a case of one free speech act being louder than another. The prison term was handed down for a truckload of other offenses in concert with this one.

“30 Months In Prison For Denial Of Service Hit On Politicians’ Websites?” No this cowboy was caught wearing a much darker hat.

Jared (profile) says:

Re: Guess we shouldn't be surprised

I think there needs to be far stiffer punishment for these sorts of crimes especially because drunk drivers are often repeat offenders and revoking their licenses doesn’t seem to do much. I’d like to see a zero tolerance with drunk driving.

On a somewhat related note, my uncle was killed by a woman in a giant SUV while talking on her phone, performing an illegal u-turn. She got a $25 ticket. Meanwhile 30 months for a DDoS.

Paul L says:

Re: Guess we shouldn't be surprised

I think the 18 months is a light sentence and it should have been much higher. But I do agree that 30 months sounds fine considering the attack on political sites. I don’t think it’s fair to compare the two or you could easily end up with a situation of cherry-picking a light sentence for one crime to justify a light sentence in another.

Carefully executed DDoS attacks *COULD* have an impact on elections which should be a serious matter.

btrussell (profile) says:

Re: Re:

What is it worth to be cut off of the internet for a year after a third strike?

Seems to me they see the importance of having an internet connection. 30 min. = 30 months + $50,000 in fines +

1 yr. suspension therefore equivalent to 525,600 months (43,800yrs.)+ $876 000 000 +

What 3 songs/movies are equivalent to that in denying someone an internet connection?

DH's Love Child (profile) says:

Re: Re:

“What does technology have to do with it? Just because it may be easy to do something doesn’t make it right. Infamous Joe, what do you think the charge would be if you stopped a politician on the street, then tied him up and held him against his will in a van for 30 mins?”

There are so many disconnects with that analogy that it boggles my mind that any reasonably intelligent adult could have made it. I will attack the obvious though.

A DDOS on a web site is not even REMOTELY close to physically holding a PERSON hostage. I would say it is more along the lines of unplugging his microphone for 30 minutes. He can still talk and use other platforms, like say a different microphone.

I think you need to see a doctor about your cranial-rectal reversal disorder.

Anonymous Coward says:

Re: Re: Re:

I would say it is more along the lines of several people suddenly showing up with several large speakers and powerful amplifiers, and playing “Never Gonna Give You Up” in a VERY HIGH volume, drowning out completely the speaker even if he put his (weaker) amp up to 11, until after 30 minutes the crowd gets bored, unplugs their gear, and goes to the next target.

And I think this example shows why analogies are a poor way of explaining something.

Michael (profile) says:

Re: Re: Re:

I honestly cannot figure out how a DDOS attack can be a crime.

It is perfectly legal for me to open my browser to the content they have published. It is legal for me to open 2, 3, 4, 5, …oh wait, somewhere I hit my upper limit of ok connections?

When Apple’s website goes down because they release a new product and the entire world connects at once, did the last person who successfully connected break the law?

This is not like holding someone hostage. This is like thousands of people standing outside Wal-Mart to protest something. Yup – that will mean people that want to shop may get stuck trying to walk through the crowd.

letherial (profile) says:

Re: Re: Re: Re:

DDOS attacks come in a form more than just “opening browsers”; these kinds of attacks don’t happen on accident or because you’re trying to log in but can’t, they abuse the TCP/IP system to bring down servers and there is no other way to do it.

While I do think 30 months is a bit harsh, taking down a politician’s website is trying to stop a fair election and that’s nerve-racking on any side; nobody should do that, despite how much they may disagree with the other side, let voters decide….this is how our country works.

Michael (profile) says:

Re: Re: Re:2 Re:

They are not an abuse of the “TCP/IP System” (I don’t really know what that means).

They often do not use a traditional browser, but many are a simple http connection to the website repeatedly until the server can no longer handle the number of incoming requests.

Calling this a crime is saying that it is legal to connect to their website, but illegal to connect some x number of times – with no real definition of x. Now, I can see something like this becoming a TOS issue, but a crime?

harbingerofdoom (profile) says:

Re: Re: Re:3 Re:

1. The TCP/IP system that he is talking about is how computers transmit data on the internet. Everything you do on the internet eventually breaks down into bits of data and it’s the TCP that makes sure everything gets there, while the IP makes sure that it’s going to the correct place (that is a *VERY* nutshell version).

2. It’s a degree of crime combined with intent.
You open a webpage (even just refresh a web page 500 times as fast as you possibly can), any decent server is not going to be bothered by that type of action. You try sending data that is designed to be malformed and not compliant with TCP/IP protocols (which is intended to cause an adverse reaction by the server) and combine that with a coordinated effort to have thousands of people do it at the same time using software that is designed to multiply those effects, and that is where it crosses into criminal.

You can’t really put a number on it to define it as you state because there are lots of variables that have to be taken into account: the amount of bandwidth the server has, the amount of requests the server can handle before it crashes and, most importantly, the talent of the IT guy responsible for that server and the talent of the network admin responsible for the routers the server has to go through and exactly how distributed the attack actually is.

And *ALL* TOS verbiage includes inclusion of DDOS as a violation of the TOS these days.

Michael (profile) says:

Re: Re: Re:4 Re:

I know what TCP/IP communication is, I am not sure what an abuse of it would mean.

“it’s a degree of crime combined with intent.” and then “any decent server is not going to be bothered by that type of action”

That does not match up. Intending to cause a denial of service and failing is not a crime? Just because my effort is not going to work?

“try sending data that is designed to be malformed and not compliant with TCP/IP protocols”

Now, that, I could argue could be a crime, but a DDOS attack does not need any malformed requests – it can be completely legitimate, working, valid connections – just millions of them at once. To me, that is like saying you can only have 10 protesters outside the store you do not like – but if you bring 11, you are going to jail.

Bengie says:

Re: Re: Re:5 Re:

“To me, that is like saying you can only have 10 protesters outside the store you do not like – but if you bring 11, you are going to jail.”

Let me fix that

“To me, that is like saying you can only have 10 protesters outside the store you do not like – but if you bring 65,000, you are going to jail.”

Michael (profile) says:

Re: Re: Re:6 Re:

Ok, but what is the magic number? If someone has a REALLY weak server and the number is lower, is a DDOS attack on them legal? I would question any law that makes it illegal to do something completely legal repeatedly – particularly when it stifles a form of protest.

And what is wrong with bringing a million people to protest? In the US, this is not only legal, but a constitutionally protected right.

Jason says:

Re: Re: Re:4 Re:

“you try sending data that is designed to be malformed and not compliant with TCP/IP protocols”

Bull, to you and to the dude that conceded this point without thinking about it.

Just because I send malformed data, that makes it a crime? I mean one piece of malformed data is just an error. But somehow simply blabbermouthing a whole bunch of gibberish in the general direction of a server goes from free speech to crime? Bull.

Anonymous Coward says:

It’s only because it’s against politicians. Most of those assholes have huge bankrolls and lots of connections. The only way to deal with a politician is to vote it out. If that doesn’t work then use your imagination. But to leave a trail that they could follow and arrest you is just stupid and you got what you deserve. If you are going to hack then do it and don’t get caught. Duh.

Daryl (profile) says:

Not just a site takedown....

“Frost also admitted gaining access to other computers and computer networks by various means, including scanning for computer networks which were vulnerable to attack or unauthorized intrusion, gaining unauthorized access to and control over such computers, and fraudulently obtaining user names and passwords for users on such systems. Frost admitted using the compromised machines to spread malware and harvest data from the compromised systems, including user names, passwords, credit card numbers, and CVV security codes, and for the purpose of launching Distributed Denial of Service (DDoS) attacks on computer systems and Internet websites.

The former student also admitted initiating denial of service attacks against University of Akron computer servers on or about March 14, 2007, which caused the entire University of Akron computer network to be knocked off-line for approximately 8 1⁄2 hours, preventing all students, faculty and staff members from accessing the network. The University claimed that response and remediation efforts to restore network services cost over $10,000.”

Sounds to me like the punishment fit the crime. If he only just took the website down for a little while, then I could see how 30 months would be insane. But this seems fitting, I believe.

harbingerofdoom (profile) says:

Re: Not just a site takedown....

Although, he probably should be given some sort of credit for showing the University of Akron that they need to make some pretty large changes to their IT department if he actually did take the entire school down for 8.5 hrs and it cost them 10 grand to fix it.

Unless it was a very distributed attack, that sounds more like overpaid undertalented staff to me….

Anonymous Coward says:

Re: Not just a site takedown....

I usually like Techdirt, but sometimes they really do come up with some horribly misleading headlines.

Here’s a more accurate headline:

30 months in prison for fraud, credit card theft, malware distribution, hacking, illegal access to computers, DDoS attacks on multiple systems.

Yeah, not looking like such a severe punishment after all.

Overcast (profile) says:

“What does technology have to do with it? Just because it may be easy to do something doesn’t make it right. Infamous Joe, what do you think the charge would be if you stopped a politician on the street, then tied him up and held him against his will in a van for 30 mins?”

80 years.

Now if it was you or I in the Van – even if we were killed after the fact; probably 8 years – Max. Probably less.

out_of_the_blue says:

@ChronoFish: taking a web site down is *not* a "serious crime".

Good heavens. It’s a mere machine tampered with but easily restored to as before. If your notion were correct, then *everyone* at Microsoft should be executed for criminal incompetence.

A “freedom of speech” justification, with an imagined Masnick tie-in yet, will appeal to tyrants of the political class who will turn it against you.

Griff (profile) says:

Let me get this straight

If I write to my representative, that’s OK.
If a million people in my state write to their representative, that might create a DoS . Are they all liable ? Or is it only the ringleader (it’s unlikely to happen by chance) ?

If I encourage people to write to their representative to protest a crappy law and 1 million people do so am I guilty of orchestrating a DoS ?
(Assuming I’m not daft enough to suggest that they do it for that reason).

I know that organisations such as Amnesty and Avaaz have campaigns where they encourage people to email/call/fax some evil official in a far away land over some appalling crime against someone. Is that a DoS attack? I’d have thought that it doesn’t take many faxes to render someone’s fax line useless.

Now a DDoS is a different matter – that implies control over a bot network without lots of PC owners’ permission, but wasn’t there that Israeli company that allowed you to effectively opt in as part of a protest network – running their software meant they used your PC as part of a mass protest against spammers’ sites.
Would that guy have been jailed in the USA ?
Or is it only a crime when it’s against the government ?

justmyopinion (profile) says:

Unfortunately this is reality. The bigger stronger person kicking the smaller weak person’s a$$ because they can. It’s not OK to ruin someone’s life because you have the connections and resources available to you. Is there really any difference between this and someone getting beat up on the street because they pissed off some well connected street thug? Hopefully this will get appealed and presented in front of a judge and the ensuing backlash will shed some light on why such a severe punishment was even handed out.

Flack (profile) says:

You're missing the point

Any denial of service should be prosecuted and punished. If the attacker doesn’t like a politician today he may not like a bank or your hospital or city mayor tomorrow.

DoA at a bank could prevent people from getting access to their money when they need to eat or pay a mortgage and avoid late fees/foreclosure. And certainly we can think of medical systems that supply life critical information OK for him to DoA? Is it OK if he attacks your town’s traffic systems causing hours of delays, pollution and emergency access?

Punishment should be severe so that attackers won’t say “It was just a harmless joke or a lark.” People’s lives, livelihoods, and safety are sometimes the unanticipated consequences of those DoA masking as pranks.

DoA is an intentional crime. The manslaughter mentioned above is sad, but mainly punishment for negligence (We don’t know all the circumstances obviously – and there is unfairness in sentencing out there.)

If a DoA attack on a city or hospital causes people to die is that when you want to increase the penalty?

Flack

harbingerofdoom (profile) says:

Re: You're missing the point

“If a DoA attack on a city or hospital causes people to die is that when you want to increase the penalty?”

Some states already have laws that pretty much say if you do something illegal and someone dies as a result (even your accomplice) you can be charged with murder and it’s automatically a felony… I’d imagine in those states the increase of the penalty would be already there.

marak (profile) says:

Re: You're missing the point

re: Flack’s
“Any denial of service should be prosecuted and punished. If the attacker doesn’t like a politician today he may not like a bank or your hospital or city mayor tomorrow.

DoA at a bank could prevent people from getting access to their money when they need to eat or pay a mortgage and avoid late fees/foreclosure. And certainly we can think of medical systems that supply life critical information OK for him to DoA? Is it OK if he attacks your town’s traffic systems causing hours of delays, pollution and emergency access?

Punishment should be severe so that attackers won’t say “It was just a harmless joke or a lark.” People’s lives, livelihoods, and safety are sometimes the unanticipated consequences of those DoA masking as pranks.

DoA is an intentional crime. The manslaughter mentioned above is sad, but mainly punishment for negligence (We don’t know all the circumstances obviously – and there is unfairness in sentencing out there.)

If a DoA attack on a city or hospital causes people to die is that when you want to increase the penalty?”

Are you nuts?

Dos a bank – they should be smart enough to have internal systems in place for this, switching IPs to the next one (while temp banning the high freq incoming for 30 mins).

Dos a hospital – Since when is the equipment accessible over the internet? At the very least they should be running multiple networks, with a few physically separated.

Dos traffic lights – Again, if not on a separate system – why not?

To stop people from using their money you’re attempting to take down all ADSL traffic from the EFTPOS machines – which all have a manual option for when the networks are clogged/down to allow purchases anyway.

What I’m saying is all important services are not vulnerable to this so stop scare mongering 😛

The guy did take down a university, but again, THEY should have been prepared (if I don’t insure my car and I crash into someone, can I blame them as I wasn’t prepared?) – my uni site was recently taken down by a ddos, it was back up quickly with a workaround (it’s a tech uni, I’d hope to hell my lecturers know what they’re doing).

30 months for a prank? Glad I don’t live over there.

– Marak
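
The mitigation mentioned in the comment above (temporarily banning a high-frequency source for 30 minutes) can be sketched as a per-source sliding-window limiter. This is an added example, not part of the original thread or any commenter's code; the window, threshold, class and function names, and the sample addresses (documentation ranges) are assumptions constructed for illustration. The second replay shows the limit of the approach that the thread also touches on: when the same load is spread over many sources, no single source crosses the per-source threshold.

```python
from collections import defaultdict, deque

# Assumed tuning values; only the 30-minute ban comes from the comment above.
WINDOW_MS = 10_000           # sliding window length
MAX_REQ = 20                 # requests allowed per source per window
BAN_MS = 30 * 60 * 1000      # temporary ban: 30 minutes


class TempBanLimiter:
    """Per-source sliding-window rate limiter with a temporary ban."""

    def __init__(self, window_ms=WINDOW_MS, max_req=MAX_REQ, ban_ms=BAN_MS):
        self.window_ms = window_ms
        self.max_req = max_req
        self.ban_ms = ban_ms
        self.hits = defaultdict(deque)   # src -> timestamps inside the window
        self.banned_until = {}           # src -> time at which the ban ends

    def allow(self, src, now_ms):
        """Return True if a request from src at now_ms should be served."""
        until = self.banned_until.get(src)
        if until is not None:
            if now_ms < until:
                return False             # still banned: drop without counting
            del self.banned_until[src]   # ban expired: source starts fresh
        q = self.hits[src]
        q.append(now_ms)
        # Forget requests that have fallen out of the sliding window.
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()
        if len(q) > self.max_req:
            # Threshold crossed: ban the source and drop this request.
            self.banned_until[src] = now_ms + self.ban_ms
            q.clear()
            return False
        return True


def replay(events, limiter):
    """Feed (timestamp_ms, src) events in time order; return (served, dropped)."""
    served = dropped = 0
    for ts, src in sorted(events):
        if limiter.allow(src, ts):
            served += 1
        else:
            dropped += 1
    return served, dropped


def single_source_burst():
    # Constructed sample: one client sends 100 requests in 5 seconds.
    return [(i * 50, "192.0.2.10") for i in range(100)]


def distributed_burst():
    # Constructed sample: the same 100 requests in 5 seconds, spread over
    # 50 clients (2 requests each), so each client looks like a normal visitor.
    return [(i * 50, f"198.51.100.{i % 50 + 1}") for i in range(100)]


if __name__ == "__main__":
    print("single source (served, dropped):",
          replay(single_source_burst(), TempBanLimiter()))
    print("distributed   (served, dropped):",
          replay(distributed_burst(), TempBanLimiter()))
```

A per-source ban therefore has to be paired with a limit on aggregate load (total connections or requests the server accepts), since the threshold that matters in the distributed case is the server's capacity rather than any one client's rate.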

Anonymous Coward says:

“some states already have laws that pretty much say if you do something illegal and someone dies as a result (even your accomplice) you can be charged with murder and it’s automatically a felony”

You have it backwards. If you commit a felony and someone involved in the felony dies, they charge you with felony murder. If you are shoplifting and a cop dies on his way to arrest you, you are not going to be hit with a murder charge unless of course, you did something to raise the charge to a felony.

Revelati says:

Well at least it’s not all solitary confinement, I guess they didn’t think this guy could launch nuclear missiles from a cell phone like Kevin Mitnick.

It doesn’t matter if you’re smoking a joint, spraying graffiti, or defacing a web page. If they catch you the government will go as far out of its way as it possibly can to screw you. This case is a big ol’ gold star on a prosecutor’s resume. So if you plan on committing acts of social disobedience, either don’t get caught, or prepare to serve the max sentence on every charge they give you. Remember the justice system is a game, and the more time the prosecutors dole out the more points they score.

MadderMak (profile) says:

Mike dropped the ball on this one...

I have to agree with a couple of AC’s.
Mike’s articles are usually well researched or thought out… yet unless he chose not to link further information he had access to…

30 Months for Hacking and DOS’s University network, Distributing malware and botnet to computers, controlling botnets, harvesting financial data *AND* DDOSing some political websites

… is a *MUCH* more valid title.
Sorry Mike – I expect sensationalist headlines and brief ill-thought statements that misrepresent the facts from the **AA’s and mainstream Journo’s – not from you.

Anonymous Coward says:

AC, he is talking about engaging someone in a 30 min. conversation, wasting his time. A DOS isn’t like that because the person (through his website) can’t walk away. And a DOS really can’t be compared to engaging someone in a conversation now, can it?

A DOS is shutting someone up and keeping them shut up until they can figure out a way around what you are doing. The physical equivalent is duct taping someone’s mouth shut.

Anonymous Coward says:

Ever tried to report a serious IT issue to a university IT department?

If you have, you probably realize that ‘resistance is futile’… wait wrong movie…

First you’ll be asked to explain HOW you know there is a security issue. Be very careful what you say, as it will be used against you (by the university IT department, if not in court).

If you can somehow explain the issue in a way that they can understand the issue without incriminating yourself, they will thank you and promptly ignore the issue (since it was just a loud mouth student making waves, they don’t really know what they are doing). After the issue has been ignored for an appropriate amount of time (2-3 years), the IT department will suddenly identify a huge security issue that requires them to hand over truck loads of cash to consulting companies to come in and ‘fix’ the issue (which will probably fail miserably at actually correcting the issue, and will probably create a few new vulnerabilities in the process… for the consulting company to come back and fix later… they need continued employment you know).

While it may not be ‘legal’, crashing the system via the vulnerability is often the ‘easiest’ way to get the issue actually addressed (it’s a little hard to hide the fact that the site was down for 8 hours from upper management, it’s much easier to hide a report of a vulnerability from a student).

What do I know, I’m just a cynical government employee. Now get off my lawn….

Jenkins, Leeorryy Jenkins!!!! says:

Hmm, I’ll try and give the VERY best analogy I can give: this is like a guy stopping the speakers of a political rally for 30 mins. And, an obvious breach of “I have money/power/friends and you don’t”. Many people don’t understand the internet. I believe the internet shouldn’t be governed by any body except one like Nato instead of being so secular. Btw
