30 Months In Prison For Denial Of Service Hit On Politicians' Websites
from the seems-a-bit-extreme dept
For all of those participating in the denial of service attacks being put together by "Anonymous," you might want to consider that a guy who took down various politicians' websites with DDoS attacks just got 30 months in prison -- along with over $50,000 in fines and 3 additional years of "supervised release." This certainly seems like punishment way out of line with the actual actions, but in this day and age of law enforcement and the legal system not really understanding technology, it's not all that surprising.
Reader Comments
Pretty serious crime
I just wish it was a more uniform principle. We have provided too many legal methods such as DMCA and expansive interpretations of copyright and trademark law that let companies suppress free speech without consequences or penalties.
In my mind the only reason the penalties in this case are excessive is that we don't defend freedom of speech nearly as aggressively when it is big companies suppressing the speech of the little fellow.
[ link to this | view in chronology ]
Re: Pretty serious crime
[ link to this | view in chronology ]
Re: Re: Pretty serious crime
[ link to this | view in chronology ]
Re: Pretty serious crime
If you are saying that a DDoS is an attack on free speech then, any site take down should be met with such force. Including ones that people don't like or think are offensive. This would also apply to ISPs and gov'ts messing with sites. If you are ok with that then, I would agree with you on the attack of free speech part.
[ link to this | view in chronology ]
Re: Pretty serious crime
The fines would have been more than adequate. This guy would have been severely punished, but would have had a chance to contribute to society. Now he'll spend time in jail and have extreme difficulty getting a job.
This is a completely non-violent crime. Violent criminals need to be separated from society. Guys like this can be handled with fines.
[ link to this | view in chronology ]
Re: Pretty serious crime
In an ideal world I would agree taking down a politician's website, even for a while, would be very significant suppression of free speech.
However, all of the affected politicians fall into the "no stand" paradigm, i.e., they did not bother to list their positions or explicit opinions regarding specific legislation. There are very few "two party" candidates who do bother to put their positions on their websites.
In light of the absence of information or honest expression, I am left wondering just what, if any, detrimental effect these attacks actually caused.
Still, he did the crime. That our judicial system favors the rich and powerful was a preexisting condition the hacker could have factored into his decision making process.
[ link to this | view in chronology ]
Re: Pretty serious crime
I don't know how it could be any more blatant an attack on freedom of speech, freedom of assembly, and an attempt to sway an election by blocking access to information.
I agree that it is a travesty that there are cases where murders and repeat offenders get off easier. But I take the side that those punishments should be stiffer - not that this punishment should be lessened.
If TechDirt were taken down it would be a serious crime and I would expect the perpetrators to be held accountable - and I assume you (readers of techdirt) would too.
If Mike Masnick were to run for office and his personal political website received a similar DDoS I would expect his supporters here to rally and demand those responsible to be punished with the full weight of the law behind it.
-CF
[ link to this | view in chronology ]
Re: Re: Pretty serious crime
[ link to this | view in chronology ]
Re: Re: Pretty serious crime
[ link to this | view in chronology ]
Re: Re: Pretty serious crime
[ link to this | view in chronology ]
Re: Pretty serious crime
Exactly.
Remember kids, false DMCA takedowns are the way to go.
[ link to this | view in chronology ]
Re: Pretty serious crime
[ link to this | view in chronology ]
Re: Pretty serious crime
"30 Months In Prison For Denial Of Service Hit On Politicians' Websites?" No this cowboy was caught wearing a much darker hat.
[ link to this | view in chronology ]
Re: Pretty serious crime
are you sure this is a 1st amendment violation?
[ link to this | view in chronology ]
Re: Pretty serious crime
[ link to this | view in chronology ]
Guess we shouldn't be surprised
[ link to this | view in chronology ]
Re: Guess we shouldn't be surprised
On a somewhat related note, my uncle was killed by a woman in a giant SUV while talking on her phone, performing an illegal u-turn. She got a $25 ticket. Meanwhile 30 months for a DDoS.
[ link to this | view in chronology ]
Re: Guess we shouldn't be surprised
Carefully executed DDoS attacks *COULD* have an impact on elections which should be a serious matter.
[ link to this | view in chronology ]
questions
[ link to this | view in chronology ]
Re: questions
[ link to this | view in chronology ]
Re: questions
[ link to this | view in chronology ]
Re: Re: questions
[ link to this | view in chronology ]
Re: Re: Re: questions
[ link to this | view in chronology ]
Re:
Seems to me they see the importance of having an internet connection. 30 min. = 30 months + $50,000 in fines +
1 yr. suspension therefore equivalent to 525,600 months (43,800yrs.)+ $876 000 000 +
What 3 songs/movies are equivalent to that in denying someone an internet connection?
[ link to this | view in chronology ]
Re:
There are so many disconnects with that analogy that it boggles my mind that any reasonably intelligent adult could have made it. i will attack the obvious though.
A DDOS on a web site is not even REMOTELY close to physically holding a PERSON hostage. I would say it is more along the lines of unplugging his microphone for 30 minutes. He can still talk and use other platforms, like say a different microphone.
I think you need to see a doctor about your cranial-rectal reversal disorder.
[ link to this | view in chronology ]
Re: Re:
And I think this example shows why analogies are a poor way of explaining something.
[ link to this | view in chronology ]
Re: Re:
It is perfectly legal for me to open my browser to the content they have published. It is legal for me to open 2, 3, 4, 5, ...oh wait, somewhere I hit my upper limit of ok connections?
When apple's website goes down because they release a new product and the entire world connects at once, did the last person who successfully connected break the law?
This is not like holding someone hostage. This is like thousands of people standing outside Wal-Mart to protest something. Yup - that will mean people that want to shop may get stuck trying to walk through the crowd.
[ link to this | view in chronology ]
Re: Re: Re:
while i do think 30 months is a bit harsh, taking down a politician's website is trying to stop a fair election and that's nerve racking on any side; nobody should do that, despite how much they may disagree with the other side, let voters decide....this is how our country works.
[ link to this | view in chronology ]
Re: Re: Re: Re:
They often do not use a traditional browser, but many are a simple http connection to the website repeatedly until the server can no longer handle the number of incoming requests.
Calling this a crime is saying that it is legal to connect to their website, but illegal to connect some x number of times - with no real definition of x. Now, I can see something like this becoming a TOS issue, but a crime?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:@Michael
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:@Michael
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
2. it's a degree of crime combined with intent.
you open a webpage (even just refresh a web page 500 times as fast as you possibly can) any decent server is not going to be bothered by that type of action. you try sending data that is designed to be malformed and not compliant with TCP/IP protocols (which is intended to cause an adverse reaction by the server) and combine that with a coordinated effort to have thousands of people do it at the same time using software that is designed to multiply those effects and that is where it crosses into criminal.
you can't really put a number on it to define it as you state because there are lots of variables that have to be taken into account. the amount of bandwidth the server has, the amount of requests the server can handle before it crashes and most importantly, the talent of the IT guy responsible for that server and the talent of the network admin responsible for the routers the server has to go through and exactly how distributed the attack actually is.
and *ALL* TOS verbiage includes inclusion of DDOS as a violation of the TOS these days.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
"its a degree of crime combined with intent." and then "any decent server is not going to be bothered by that type of action"
That does not match up. Intending to cause a denial of service and failing is not a crime? Just because my effort is not going to work?
"try sending data that is designed to be malformed and not compliant with TCP/IP protocols"
Now, that, I could argue could be a crime, but a DDOS attack does not need any malformed requests - it can be completely legitimate, working, valid connections - just millions of them at once. To me, that is like saying you can only have 10 protesters outside the store you do not like - but if you bring 11, you are going to jail.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Let me fix that
"To me, that is like saying you can only have 10 protesters outside the store you do not like - but if you bring 65,000, you are going to jail."
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
And what is wrong with bringing a million people to protest? In the US, this is not only legal, but a constitutionally protected right.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Bull, to you and to the dude that conceded this point without thinking about it.
Just because I send malformed data, that makes it a crime? I mean one piece of malformed data is just an error. But somehow simply blabbermouthing a whole bunch of jibberish in the general direction of a server goes from free speech to crime? Bull.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Not just a site takedown....
The former student also admitted initiating denial of service attacks against University of Akron computer servers on or about March 14, 2007, which caused the entire University of Akron computer network to be knocked off-line for approximately 8 1⁄2 hours, preventing all students, faculty and staff members from accessing the network. The University claimed that response and remediation efforts to restore network services cost over $10,000."
Sounds to me like the punishment fit the crime. If he only just took the website down for a little while, then i could see how 30 months would be insane. But this seems fitting i believe.
[ link to this | view in chronology ]
Re: Not just a site takedown....
[ link to this | view in chronology ]
Re: Not just a site takedown....
unless it was a very distributed attack, that sounds more like overpaid undertalented staff to me....
[ link to this | view in chronology ]
Re: Not just a site takedown....
Here's a more accurate headline:
30 months in prison for fraud, credit card theft, malware distribution, hacking, illegal access to computers, DDoS attacks on multiple systems.
Yeah, not looking like such a severe punishment after all.
[ link to this | view in chronology ]
80 years.
Now if it was you or I in the Van - even if we were killed after the fact; probably 8 years - Max. Probably less.
[ link to this | view in chronology ]
@ChronoFish: taking a web site down is *not* a "serious crime".
A "freedom of speech" justification, with an imagined Masnick tie-in yet, will appeal to tyrants of the political class who will turn it against you.
[ link to this | view in chronology ]
Re: @ChronoFish: taking a web site down is *not* a "serious crime".
[ link to this | view in chronology ]
Let me get this straight
If a million people in my state write to their representative, that might create a DoS . Are they all liable ? Or is it only the ringleader (it's unlikely to happen by chance) ?
If I encourage people to write to their representative to protest a crappy law and 1 million people do so am I guilty of orchestrating a DoS ?
(Assuming I'm not daft enough to suggest that they do it for that reason).
I know that organisations such as Amnesty and Avaaz have campaigns where they encourage people to email/call/fax some evil official in a far away land over some appalling crime against someone. Is that a DoS attack ? I'd have thought that it doesn't take many faxes to render someone's fax line useless.
Now a DDoS is a different matter - that implies control over a bot network without lots of PC owners' permission, but wasn't there that Israeli company that allowed you to effectively opt in as part of a protest network - running their software meant they used your PC as part of a mass protest against spammers' sites.
Would that guy have been jailed in the USA ?
Or is it only a crime when it's against the government ?
[ link to this | view in chronology ]
so what are you in for
assault causing bodily harm- time one year
so what are you in for
rape- time 36 months
so what are you in for
burglary , theft etc time one year
so what are you in for
i dossed a few idiot politicians websites ( cheers begin ) - 30 months
see a pattern here....
[ link to this | view in chronology ]
Re: so what are you in for
[ link to this | view in chronology ]
Re: Re: so what are you in for
[ link to this | view in chronology ]
You're missing the point
DoA at a bank could prevent people from getting access to their money when they need to eat or pay a mortgage and avoid late fees/foreclosure. And certainly we can think of medical systems that supply life critical information OK for him to DoA? Is it OK if he attacks your town's traffic systems causing hours of delays, pollution and emergency access?
Punishment should be severe so that attackers won't say "It was just a harmless joke or a lark." People's lives, livelihoods, and safety are sometimes the unanticipated consequences of those DoA masking as pranks.
DoA is an intentional crime. The manslaughter mentioned above is sad, but mainly punishment for negligence (We don't know all the circumstances obviously - and there is unfairness in sentencing out there.)
If a DoA attack on a city or hospital causes people to die is that when you want to increase the penalty?
Flack
[ link to this | view in chronology ]
Re: You're missing the point
some states already have laws that pretty much say if you do something illegal and someone dies as a result (even your accomplice) you can be charged with murder and it's automatically a felony... i'd imagine those in those states the increase of the penalty would be already there.
[ link to this | view in chronology ]
Re: You're missing the point
"Any denial of service should be prosecuted and punished. If the attacker doesn't like a politician today he may not like a bank or your hospital or city mayor tomorrow.
DoA at a bank could prevent people from getting access to their money when they need to eat or pay a mortgage and avoid late fees/foreclosure. And certainly we can think of medical systems that supply life critical information OK for him to DoA? Is it OK if he attacks your town's traffic systems causing hours of delays, pollution and emergency access?
Punishment should be severe so that attackers won't say "It was just a harmless joke or a lark." People's lives, livelihoods, and safety are sometimes the unanticipated consequences of those DoA masking as pranks.
DoA is an intentional crime. The manslaughter mentioned above is sad, but mainly punishment for negligence (We don't know all the circumstances obviously - and there is unfairness in sentencing out there.)
If a DoA attack on a city or hospital causes people to die is that when you want to increase the penalty?
"
Are you nuts?
Dos a bank - they should be smart enough to have internal systems in place for this, switching ips to the next one(while temp banning the high freq incoming for 30 mins).
Dos a hospital - Since when is the equipment accessible over the internet? At the very least they should be running multiple networks, with a few physically separated.
Dos traffic lights - Again, if not on a separate system - why not?
To stop people from using their money you're attempting to take down all ADSL traffic from the EFTPOS machines - which all have a manual option for when the networks are clogged/down to allow purchases anyway.
What i'm saying is all important services are not vulnerable to this so stop scare mongering :P
The guy did take down a university, but again, THEY should have been prepared(if i don't insure my car and i crash into someone, can i blame them as i wasn't prepared?) - my uni site was recently taken down by a ddos, it was back up quickly with a work around(it's a tech uni, i'd hope to hell my lecturers know what they're doing).
30 months for a prank? Glad i don't live over there.
- Marak
[ link to this | view in chronology ]
You have it backwards. If you commit a felony and someone involved in the felony dies, they charge you with felony murder. If you are shoplifting and a cop dies on his way to arrest you, you are not going to be hit with a murder charge unless of course, you did something to raise the charge to a felony.
[ link to this | view in chronology ]
It doesn't matter if you're smoking a joint, spraying graffiti, or defacing a web page. If they catch you the government will go as far out of its way as it possibly can to screw you. This case is a big ol' gold star on a prosecutor's resume. So if you plan on committing acts of social disobedience, either don't get caught, or prepare to serve the max sentence on every charge they give you. Remember the justice system is a game, and the more time the prosecutors dole out the more points they score.
[ link to this | view in chronology ]
2 yrs incl time served for shooting someone in the back while they are handcuffed and face down restrained by two other officers.
2 misdemeanour traffic charges for running over a bicyclist and leaving the scene
Yeah, that is justice alright.
[ link to this | view in chronology ]
Mike dropped the ball on this one...
Mike's articles are usually well researched or thought out... yet unless he chose not to link further information he had access to...
30 Months for Hacking and DOS's University network, Distributing malware and botnet to computers, controlling botnets, harvesting financial data *AND* DDOSing some political websites
... is a *MUCH* more valid title.
Sorry Mike - I expect sensationalist headlines and brief ill-thought statements that misrepresent the facts from the **AA's and mainstream Journo's - not from you.
[ link to this | view in chronology ]
Re: Mike dropped the ball on this one...
Does this change the fact that the sentence is inconsistent?
[ link to this | view in chronology ]
A DOS is shutting someone up and keeping them shut up until they can figure out a way around what you are doing. The physical equivalent is duct taping someone's mouth shut.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Ever tried to report a serious IT issue to a university IT department?
First you'll be asked to explain HOW you know there is a security issue. Be very careful what you say, as it will be used against you (by the university IT department, if not in court).
If you can somehow explain the issue in a way that they can understand the issue without incriminating yourself, they will thank you and promptly ignore the issue (since it was just a loud mouth student making waves, they don't really know what they are doing). After the issue has been ignored for an appropriate amount of time (2-3 years), the IT department will suddenly identify a huge security issue that requires them to hand over truck loads of cash to consulting companies to come in and 'fix' the issue (which will probably fail miserably at actually correcting the issue, and will probably create a few new vulnerabilities in the process... for the consulting company to come back and fix later... they need continued employment you know).
While it may not be 'legal', crashing the system via the vulnerability is often the 'easiest' way to get the issue actually addressed (it's a little hard to hide the fact that the site was down for 8 hours from upper management, it's much easier to hide a report of a vulnerability from a student).
What do I know, I'm just a cynical government employee. Now get off my lawn....
[ link to this | view in chronology ]