Anonymous Indictment Raises Serious Question: Is It Really A CFAA Violation To DDoS A Website?
from the questions dept
Way back in the fall of 2010, we wrote about how it was a really dumb idea for people associating themselves with Anonymous to run a series of DDoS attacks, under the name "Operation Payback," focused on the RIAA, MPAA, US Copyright Office and other websites. The attacks were protesting attempts to take down The Pirate Bay, as well as a variety of other complaints about general acts of copyright maximalism and copyright trolling. As we noted, such attacks do a lot more harm than good. Either way, the feds have finally gotten around to indicting thirteen individuals for somehow participating in that fall spree of DDoS attacks. While the indictment tries to make it out like this is a big conspiracy, it's unclear how connected some of the various attacks are, as it appears (as is frequently the case with Anonymous) that some individuals simply chose some sites to DDoS on their own and announced they were doing it as Anonymous. It's difficult to see a conspiracy when there's no real connection.That said, there's a much bigger question here. While DDoS attacks can be a nuisance, are they really criminal? In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest. In fact, some people arrested for DDoS attacks have been making this claim in court -- and there was even a White House petition asking it to recognize DDoSing as a valid form of protest.
Instead, as the indictment shows, the feds are hitting these thirteen individuals with CFAA violations -- the broad, troubling anti-hacking law that is regularly abused by the feds for any crime that involves a computer. In this case, the focus is on 1030(a)(5)(A) which targets people who:
... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;But is a DDoS really "damage"? I can see how there's a reasonable argument both for and against that. But I have trouble seeing how, as the feds claim, these DDoS attacks did more than $5,000 in damage to the various sites they took down. Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded.
Again, I'll make clear that I think DDoS attacks are dumb, counterproductive and immature. But I have trouble seeing how they're criminal acts, that could lead to five years in jail.
Also, there's some oddities, in that one of the lawyers for one of the accused folks claims that he had been working out a settlement, which has now been "scuttled" by the indictment. I imagine that most of the accused will eventually come to some sort of plea bargain deal. The DOJ stacks the deck so that you're often crazy not to plea your way out of these deals. And it's unlikely that any of the individuals will appear particularly sympathetic for their alleged actions here. But I'm still quite troubled by the idea that these actions add up to that much in damage, and a computer hacking crime deserving of significant jail time.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Have to disagree with you there Mike. A normal computer user makes one request to the web server to access a site, but a DDOSer intentionally uses the bandwidth of thousands of computers to all hit the site at the same time, and not for the purpose of accessing and viewing the site as normal. A quick real-world analogy would be a business that gets one physical letter in the mail from each of its customers, but is then suddenly inundated by thousands of letters all spammed by the same individual.
[ link to this | view in chronology ]
Re:
Part of the ones participating in the attacks were using LOIC and other tools in some sort of "crowdfunded" ddos. I'd say a more accurate description would be a lot of individuals sending a lot of letters, with a few of them being responsible for a bigger portion of the letters when compared to others because they have more mailboxes available to dispatch such letters.
[ link to this | view in chronology ]
Re: Rikuo
Well they could probably get you for harassment. But that would probably just end with a restraining order and no fine.
[ link to this | view in chronology ]
Re: Re:
Where I can see this costing mony in support and bandwidth, for the sites attacked there is no other financial damage. It does cost them though for the bandwidth and DDoS mitigation costs.
[ link to this | view in chronology ]
Re: Re: Re:
A better analogy is a sit in, as Mike stated, and a sit in is considered a legal form of protest.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
If you can make this argument, then you can argue that privilege escalation by exploiting a flaw in a public-facing server is not criminal because the victim 'authorized' the public to exploit the flaw by decided both to use the flawed software and to allow public access to it.
The definition of 'authorization', as used in many of these cases, seems arbitrary. I suppose intent should matter in these cases. When the first Curiosity rover pictures of Mars arrived, NASA's website was overloaded by a flood of people wanting to see the pictures. I wouldn't count this as unauthorized access, since the intent of the people was to see Mars pictures, not to shut down NASA's website.
[ link to this | view in chronology ]
Re: Re:
That doesn't follow at all. A privilege escalation is actually cracking, an attempt at subverting a site to intrude on it in a way that was never authorized, even implicitly.
A DDOS attack is nothing like that. No subversion is happening, no cracking, no intrusion at all. All interactions with the site are exactly the interactions that are authorized and expected -- there's just a lot more of them than usual.
(I'm not arguing that there's nothing wrong with DDOS attacks. I'm arguing that there's a world of difference between DDOS and cracking/intrusion.)
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Actually, that's usually false. Let's take LOIC for example: Wireshark analysis
Typically, when defending these attacks they are usually a standard request. IE. GET /app/?id=1292337572944&msg=BOOM%2520HEADSHOT! HTTP/1.1
Somehow, I don't think "BOOM HEADSHOT!" is a typical query. The thing is using someone like CloudFlare or a DPI appliance can usually catch these requests from the patterns.
The more troublesome issues are related to udp, since millions of unprotected DNS servers, routers, and networks are spewing the packets and the end users are using those vulnerabilities to flood the target. See for example: http://openresolverproject.org/
[ link to this | view in chronology ]
Re: Re: Re: Re:
It's not, but that's irrelevant to my point. It is an allowed & legal query, just meaningless. It is not an attempt to subvert security.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Plus legitimate traffic brings in more advertising dollars to pay for more bandwidth whereas DDOS attacks do not interest advertisers.
[ link to this | view in chronology ]
Re: Re: Re: Re:
In all cases from the perspective of the server, it's receiving too many legitimate requests to handle, it's bandwidth and processing power is consumed, and it's overloaded and crashes bringing the site down for hours. There's nothing technologically different on it's end.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
If the site owner paid to serve 5000 legitimate users at a time and 10,000 legitimate users want to use it then only 5000 can get in. The site owner didn't pay to handle the rest of the 5,000, no harm no foul. But under an attack the site can now only serve 2,000 legitimate users which is less than what the site owner paid for and so the site owner is being harmed. Plus now advertisers are getting revenue from only 2000 legitimate users while paying to serve 5,000 which reduces the sites income while keeping expenses high.
The owner is concerned with the number of legitimate users the site can serve and reducing that amount works against the interests of the owner.
The owner doesn't care about your technical assessment. If my television breaks because the UPS guy dropped it on the way or because of a manufacturer defect I, the owner, do not care about technically why it doesn't work and about the technical aspects of how it works. I paid for x and got y and if I don't get what I paid for the law ought to make it right.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
But one scenario certainly makes more difference to me and the police. The Ends don't justify the Means or Intent.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
All the victim can do is start dropping packets until the attack stops. In the meantime, the server is dead.
Regarding "being public", I don't know about the US, but in my country we have rules against causing disturbances in communication channels, public or private.
A DDOS attack is the equivalent of jamming a radio channel or cell phones. And that's illegal, regardless of how public that channel is.
[ link to this | view in chronology ]
Re: Re:
No, a DDOS attack is more the equivalent of sending a few dozens truckloads of physical mail on the same day.
[ link to this | view in chronology ]
Re: Re:
Well, no. If there isn't sufficient bandwidth for all your traffic to reach the recipient (say because the recipient is being overloaded with other traffic) the packets might just get dropped by the routers in transit.
[ link to this | view in chronology ]
Re: Letters
[ link to this | view in chronology ]
Re: Re: Letters
i'm certain The They (tm) WOULD 'outlaw' sit-ins and other inconvenient protests if they could (which they have tried)...
it really has NOTHING to do with rational thinking, fairness, applying constitutional principles, blah blah blah; it is ALL about control: they don't want pesky sheeple making a stink over anything, anywhere, anytime...
*that* is the bottom line...
[ link to this | view in chronology ]
Re:
Presumably without their permission. In other words, the access to the computers actually PERFORMING the DDOS is unauthorized. Unless this guy just happens to have thousands of computers sitting around.
Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime. It's like "borrowing" someone's car to drive around a business you don't like. Even if they weren't using it at the time, that doesn't make it OK.
[ link to this | view in chronology ]
Re: Re:
And it is. That really is the sort of thing that the CFAA was designed to address. The crime wasn't perpetrated against the site being DDOSed, though, but rather against the machines subverted to be part of the botnet.
However, with things like the LOIC, this component doesn't exist as every machine taking part in it is doing so voluntarily.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
1: DDOSing doesn't involve hijacking your computer.
2: Hijacking someone's computer is already a crime. You're thinking a BotNet.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
More like it's jammed by two actual protesters and thousands of bystanders dragged there by the protesters against their will.
[ link to this | view in chronology ]
Re: Re: Re:
Botnet takedowns with infected unknowing machines that are slaves is one thing, LOIC though requires you to activate it and join in, making it not against their will.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
A DDoS attack is more similar to a check-out line at the grocery store, but instead of using a single cart a user is using 500 carts to exit the check out lane and paying in change - holding up the cashier.
There is no 'damage' and the only thing that is being effected would be the hosting account that is being targeted. While it's an asshole thing to do, it shouldn't be considered hacking, if anything it should be something along the lines of a misdemeanor followed by a fine - not jail time.
[ link to this | view in chronology ]
Re:
Kind of like all the tons of peanuts sent to a television network when Jericho was cancelled? That wasn't criminal. Neither is sending thousands of letters to a business, as long as you pay the postage.
[ link to this | view in chronology ]
Re:
It's not *illegal* nor subject to years of jail time to send thousands of letters.
[ link to this | view in chronology ]
Are they? From your linked article:
There's nothing at all creative about taking down the MPAA and the RIAA -- and all it does is serve to reinforce their misguided prejudices that it's just a bunch unruly kids who dislike them. On top of that, it gives them more ammo to position themselves as being persecuted by a small minority. It's a dumb move that looks bad and does a lot more harm than good from a group that should know better.
Aren't any and all forms of revolt against an established system treated as such by the system itself? I have mixed feelings on ddos attacks mainly because usually there are botnets involved but if several thousand of people decided to load their LOICs and participate in a coordinated ddos what's the difference? What's the difference of defacing a website and Greenpeace setting a giant banner in a public monument?
I think those are part of the arsenal the people from this new millennium have at their disposal to revolt, to show discontent and vent their frustration with the contempt the Governments are showing towards them.
[ link to this | view in chronology ]
Re:
"should know better" is the kind of thing people say at protests in real life when they disagree with them. This is why you cna have protests that have police MACE people who are peacefully sitting around and doing nothing.
The establishment will always see a protest against the status quo as hostile, and many will protest the protest because it "makes things worse."
[ link to this | view in chronology ]
Re: @ "What's the difference of defacing a website"
a) "defacing a website" is invading private property
b) also causing actual harm in work needed to restore
c) also suppressing that entity's speech
d) the latter IS "free speech" on public property.
The c point pretty much covers my take: for you who rant about lawful actions taking down a website, you are totally inconsistent when it's done UNlawfully. Looks to me like you kids just okay whatever if like the criminal and/or don't like the victim.
[ link to this | view in chronology ]
Re: Re: @ "What's the difference of defacing a website"
b) No work is needed to restore, the site gets flooded with traffic and it goes down, once the traffic stops and the webhost turns the switch back on the site goes back up.
c) That entity has many avenues for speech, including after the DDOS. There is no permanent silencing effect on the speech, it frequently lasts a single day, if that long. Secondly, criminal charges on people for doing the equivilent of an internet sit in is silencing their speech.
d) What? This is free speech on the internet.
This isn't HACKING or DEFACING a website, which may be unlawful. This is simply preventing the website from working, something which actual protests are allowed to do to real physical businesses.
And let's not be silly, a companies website going down for a day, while disruptive, isn't causing any harm.
[ link to this | view in chronology ]
Re: Re: Re: @ "What's the difference of defacing a website"
Dude what?
[ link to this | view in chronology ]
Re: Re: Re: Re: @ "What's the difference of defacing a website"
A public facing website gives the public tacit permission to access it.
If the website goes down due to an overabundance of traffic, the underlying website is not affected, it's the hosting of the website that has buckled under the traffic load.
No alteration occurs to the site, nothing on the website is CHANGED, just that access to the site is unavailable.
[ link to this | view in chronology ]
Re: Re: @ "What's the difference of defacing a website"
No, it is not. And unlike a real building the only work needed is to restore a previous state and do the security job in a more efficient way. The public/private thing blurries when the buildings are private but open to the public which is the case for websites.
b) also causing actual harm in work needed to restore
Same with real world activism. You block traffic and disrupt a lot of everyday activities which have economic costs. And yet you don't condemn such protests at least not if you aren't some totalitarianism-apologist.
c) also suppressing that entity's speech
It's not, the site can be brought back to its previous state anytime. No physical hardware is compromised or need any repair.
d) the latter IS "free speech" on public property.
Both are.
for you who rant about lawful actions taking down a website, you are totally inconsistent when it's done UNlawfully
There is a point in the society when the law loses its meaning and law enforcement gets out of control. At those times, unlawful behavior is the only way to revert things back. Schindler's actions when saving these Jewish were unlawful according to the Nazi Germany law. History has much to teach us little padwan, don't turn your back on it ;)
[ link to this | view in chronology ]
Um, you do realize that people participating in a sit-in get arrested because they are committing a criminal act, right?
Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded.
Do I have your authorization to DDOS techdirt.com, bringing down your website? This stuff isn't hard, Mikey.
[ link to this | view in chronology ]
Re:
This stuff isn't hard, AC.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
1. He presents his opinions as absolutes, that nobody could possibly disagree with: "This stuff isn't hard..."
2. He does it in the most condescending way possible: "...Mikey."
As it happens, you're incorrect, yet again:
Do I have your authorization to DDOS techdirt.com, bringing down your website?
You're confusing "permission" with "authorization." For the purposes of 18 USC 1030, "authorization" means "authorized to access a computer," not "authorized by the owner of the computer."
There is no question whatsoever that, on an individual level, every request made by a DDoS is authorized under the CFAA.
The question is whether the sheer bulk of authorized accesses, possibly in combination with the intent of the accessor, turns authorized access into unauthorized access.
Mike said that this is an open question. I think it is probably not unauthorized under the CFAA, you probably think it is. But either way, you're wrong when you said "this stuff isn't hard."
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The DOJ just wants to win no matter how absurd their logic is, what the consequences will be, I don't think they waste time thinking about those things, they just see "shinny" and go for it.
[ link to this | view in chronology ]
I don't agree with the CFAA though or jail time, they should have to pay back the cost.
I only say that because back in 2001 I was running a game server that ended up coming under fire of an DDoS attack. It ended up costing just over $900 which brought my normal bill of $150 to $1050.
The end result was me closing my server down since I could not afford that kind of bill..
[ link to this | view in chronology ]
Re:
Also, sit-ins need police to be constantly watching which raises costs and the local business may suffer due to people avoiding the place. It's not that simple as you can see.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
http://torrentfreak.com/anonymous-members-indicted-for-ddosing-pirate-bay-enemies-131004/
Where is that indictment?
Or are we still playing corporations are people with special rights that put them above the law?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
of course it is! well, when one of the USA security services is taking the case to court and it's over a website that isn't seen as 'illegal'. i haven't come across any info as yet that says the website that was the subject of the 'revenge' had any charges against it for DDoSing TPB! i suppose that was because Hollywood, the US entertainment industries and the security services it has in it's back pockets thought it was not a problem. if court action is going to be taken against those accused of DDoSing AiPlex Software, the company that admitted being the culprits for the DDoS attacks against websites, including TPB, then there has to be a court case against AiPlex Software too.
the DoJ are doing this, yet again, because they have been told to by the heads of the entertainment industries and no other reason. they will also do the same sort of thing as they have tried against Kim Dotcom, ie, lie, cheat, deceive and manipulate what the law is, what it says, what the 'secret meanings' are and anything they can possibly think of just to get a conviction!
[ link to this | view in chronology ]
In a sit-in, you don't make sure the target gets billed an extraordinary amount of money, as where in a (D)DoS, the target will have to spend money to pay for the incoming attack, which can quickly go in the thousands of dollars depending on your provider.
Sure, you may bring some of the same effects to the target, but some are completely different and the consequences can be much more disastrous with an attack than a sit-in.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
That all depends on the particular hosting arrangement you have. If one of my websites is DDOSed, it won't cost me an additional penny in bandwidth fees, as I pay a flat rate. Once my cap is reached, then my site is disconnected until the next billing cycle, though.
Also, any quality host will allow you to set up thresholds so that if a DDOS is noticed, bandwidth can be automatically restricted or the site disconnected until the DDOS ends. This tends to be a very effective way of dealing with the problem.
In the end, with appropriate hosting plans, you can ensure that you won't get any surprise bills ever, for the small cost of simply disconnecting the site until the DDOS ends. (The cost is small because people probably can't reach the site until then anyway, so nothing is lost).
[ link to this | view in chronology ]
They can launder the evidence to be something unrelated all they want, but the rest of us know better.
They used it against Kim Dotcom and just about everything else non-terrorism related.
[ link to this | view in chronology ]
Not really a sit-in
DDOS, while I think the "damage" claim is ridiculous, causes me to give up nothing. I can DDOS ten thousand websites at a time, given the resources, so any "protest" I may be engaging in is costing me nothing, negating the whole concept of "protest." If you're not an idiot, you'll never be caught, and you're name will never be associated with a statement of any sort.
If it's a form of protest, it's one for lazy cowards.
[ link to this | view in chronology ]
Re: Not really a sit-in
If it's a form of protest, it's one for lazy cowards.
Really? Can't you think of other types of anonymous protests throughout history? And considering how computers and the Internet reduced much of the effort needed for many things (ie: you don't need to go through several piles of books on a library to research a subject) do you really think it's laziness? Does it mean that we should go back to search exclusively on libraries or risk being labeled lazy?
[ link to this | view in chronology ]
Re: Not really a sit-in
[ link to this | view in chronology ]
I don't see anyone from that company getting indicted, though. So much for justice being blind.
[ link to this | view in chronology ]
"Damage" to a "computer"
Also, a "website" isn't a "computer". A DDOS attack really doesn't hurt the computer at all - it just keeps it really, really busy. Yes, it may get so busy that the website effectively goes down, but the computer's is generally still fine (barring things like overheating or failing power supplies due to the extra work).
So it does feel like overreaching to apply this statute in this case.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
conspiracy, or peaceful assembly?
http://en.wikipedia.org/wiki/Conspiracy_(crime)#Common_law_offence
But then there is the matter of drawing a line between conspiracy and the right of peaceful assembly. A DDoS is not a riot, though prosecutors will make that claim.
[ link to this | view in chronology ]
CFAA and NSA
Sound familiar to anyone?
[ link to this | view in chronology ]
Which... that's kind of dubious don't you think?
Unfortunately, 1030(e)(8) says:
Eurgh.
[ link to this | view in chronology ]
Slashdot Effect
[ link to this | view in chronology ]
Yes, going to a web site once to read what is on it is a lot different to creating a bot to spam pings and shut down a web site. Its not how you shut the web site down, its you DID shut it down and why.
Its not how you do it, its what you did and why.
Motive and intent.
Yes, it is the same as jamming a TV broadcast of a radio broadcast.
The 'fine' would include, loss of trade, cost of restoration punitive damage and loss of goodwill, and legal expenses.
[ link to this | view in chronology ]
If a DDoS violates the CFAA...
[ link to this | view in chronology ]