Anonymous Indictment Raises Serious Question: Is It Really A CFAA Violation To DDoS A Website?

from the questions dept

Way back in the fall of 2010, we wrote about how it was a really dumb idea for people associating themselves with Anonymous to run a series of DDoS attacks, under the name "Operation Payback," focused on the RIAA, MPAA, US Copyright Office and other websites. The attacks were protesting attempts to take down The Pirate Bay, as well as a variety of other complaints about general acts of copyright maximalism and copyright trolling. As we noted, such attacks do a lot more harm than good. Either way, the feds have finally gotten around to indicting thirteen individuals for somehow participating in that fall spree of DDoS attacks. While the indictment tries to make it out like this is a big conspiracy, it's unclear how connected some of the various attacks are, as it appears (as is frequently the case with Anonymous) that some individuals simply chose some sites to DDoS on their own and announced they were doing it as Anonymous. It's difficult to see a conspiracy when there's no real connection.

That said, there's a much bigger question here. While DDoS attacks can be a nuisance, are they really criminal? In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest. In fact, some people arrested for DDoS attacks have been making this claim in court -- and there was even a White House petition asking it to recognize DDoSing as a valid form of protest.

Instead, as the indictment shows, the feds are hitting these thirteen individuals with CFAA violations -- the broad, troubling anti-hacking law that is regularly abused by the feds for any crime that involves a computer. In this case, the focus is on 1030(a)(5)(A) which targets people who:
"... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"
But is a DDoS really "damage"? I can see how there's a reasonable argument both for and against that. But I have trouble seeing how, as the feds claim, these DDoS attacks did more than $5,000 in damage to the various sites they took down. Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded.

Again, I'll make clear that I think DDoS attacks are dumb, counterproductive and immature. But I have trouble seeing how they're criminal acts that could lead to five years in jail.

Also, there are some oddities, in that one of the lawyers for one of the accused folks claims that he had been working out a settlement, which has now been "scuttled" by the indictment. I imagine that most of the accused will eventually come to some sort of plea bargain deal. The DOJ stacks the deck so that you're often crazy not to plead your way out of these deals. And it's unlikely that any of the individuals will appear particularly sympathetic for their alleged actions here. But I'm still quite troubled by the idea that these actions add up to that much in damage, and a computer hacking crime deserving of significant jail time.

Filed Under: anonymous, cfaa, ddos, protest, sit-in


Reader Comments



  • icon
    Rikuo (profile), 4 Oct 2013 @ 5:13am

    "because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded. "

    Have to disagree with you there Mike. A normal computer user makes one request to the web server to access a site, but a DDOSer intentionally uses the bandwidth of thousands of computers to all hit the site at the same time, and not for the purpose of accessing and viewing the site as normal. A quick real-world analogy would be a business that gets one physical letter in the mail from each of its customers, but is then suddenly inundated by thousands of letters all spammed by the same individual.


    • icon
      Ninja (profile), 4 Oct 2013 @ 6:06am

      Re:

      "but is then suddenly inundated by thousands of letters all spammed by the same individual."

      Part of the ones participating in the attacks were using LOIC and other tools in some sort of "crowdfunded" ddos. I'd say a more accurate description would be a lot of individuals sending a lot of letters, with a few of them being responsible for a bigger portion of the letters when compared to others because they have more mailboxes available to dispatch such letters.


      • icon
        Thomas (profile), 4 Oct 2013 @ 8:57am

        Re: Rikuo

        I don't think it's criminal to mail a company as many letters as you want, is it?

        Well they could probably get you for harassment. But that would probably just end with a restraining order and no fine.


      • icon
        Berenerd (profile), 4 Oct 2013 @ 9:58am

        Re: Re:

        I think it would be better stated as, if you go to Walmart, and buy something, that is what Walmart expects. They even expect people to come in from time to time and not buy anything. But if suddenly you have a few thousand people in the aisles just standing there and not letting legitimate customers shop, then that would be a real world version of a DDoS attack.

        Where I can see this costing money in support and bandwidth, for the sites attacked there is no other financial damage. It does cost them though for the bandwidth and DDoS mitigation costs.


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 10:13am

          Re: Re: Re:

          That happens every year the night before Black Friday sales begin. They don't call the police. No one is arrested for it.

          A better analogy is a sit in, as Mike stated, and a sit in is considered a legal form of protest.


          • icon
            Ninja (profile), 4 Oct 2013 @ 10:15am

            Re: Re: Re: Re:

            Agreed. But he has a point too, I'd say it's a sort of mix of people sitting in to protest against Walmart torturing kittens. Most people would find it reasonable despite the financial damages Walmart could suffer.


    • identicon
      boomslang, 4 Oct 2013 @ 8:03am

      Re:

      "Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded."

      If you can make this argument, then you can argue that privilege escalation by exploiting a flaw in a public-facing server is not criminal because the victim 'authorized' the public to exploit the flaw by deciding both to use the flawed software and to allow public access to it.

      The definition of 'authorization', as used in many of these cases, seems arbitrary. I suppose intent should matter in these cases. When the first Curiosity rover pictures of Mars arrived, NASA's website was overloaded by a flood of people wanting to see the pictures. I wouldn't count this as unauthorized access, since the intent of the people was to see Mars pictures, not to shut down NASA's website.


      • icon
        John Fenderson (profile), 4 Oct 2013 @ 8:41am

        Re: Re:

        "If you can make this argument, then you can argue that privilege escalation by exploiting a flaw in a public-facing server is not criminal because the victim 'authorized' the public to exploit the flaw by deciding both to use the flawed software and to allow public access to it"


        That doesn't follow at all. A privilege escalation is actually cracking, an attempt at subverting a site to intrude on it in a way that was never authorized, even implicitly.

        A DDOS attack is nothing like that. No subversion is happening, no cracking, no intrusion at all. All interactions with the site are exactly the interactions that are authorized and expected -- there's just a lot more of them than usual.

        (I'm not arguing that there's nothing wrong with DDOS attacks. I'm arguing that there's a world of difference between DDOS and cracking/intrusion.)


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 9:53am

          Re: Re: Re:

          I sort-of agree with this. A DDoS can be a precursor to a cracking attempt, or a complement to it, but is not, in and of itself, a cracking attempt.


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 10:11am

          Re: Re: Re:

          "A DDOS attack is nothing like that. No subversion is happening, no cracking, no intrusion at all. All interactions with the site are exactly the interactions that are authorized and expected -- there's just a lot more of them than usual."

          Actually, that's usually false. Let's take LOIC for example: Wireshark analysis

          Typically, when defending these attacks they are usually a standard request. IE. GET /app/?id=1292337572944&msg=BOOM%2520HEADSHOT! HTTP/1.1

          Somehow, I don't think "BOOM HEADSHOT!" is a typical query. The thing is using someone like CloudFlare or a DPI appliance can usually catch these requests from the patterns.

          The more troublesome issues are related to UDP, since millions of unprotected DNS servers, routers, and networks are spewing the packets and the end users are using those vulnerabilities to flood the target. See for example: http://openresolverproject.org/

          link to this | view in chronology ]
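
The kind of pattern matching this comment attributes to a CDN or DPI appliance, as an added example (not part of the original thread and not any vendor's actual logic): it groups access-log requests by "shape" and flags a shape whose free-text value is constant while a numeric parameter is unique on nearly every request, which separates the quoted request style from a flash crowd of ordinary visitors. The heuristic, the thresholds, the function names and the log lines are constructed assumptions; only the `/app/?id=...&msg=BOOM%2520HEADSHOT!` request form comes from the comment.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Common Log Format prefix: client IP, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so %2520 -> %20 -> space. Returns (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def request_shape(target):
    """Reduce a request target to (shape, numeric values, max decode rounds).

    Numeric parameter values become a placeholder, so requests that differ
    only in a counter or timestamp collapse into one shape.
    """
    parts = urlsplit(target)
    params, numbers, max_rounds = [], [], 0
    for pair in filter(None, parts.query.split("&")):
        name, _, raw = pair.partition("=")
        text, rounds = fully_decode(raw)
        max_rounds = max(max_rounds, rounds)
        if text.isdigit():
            numbers.append(text)
            params.append((name, "<num>"))
        else:
            params.append((name, text))
    return (parts.path, tuple(sorted(params))), tuple(numbers), max_rounds


def find_flood_signatures(lines, min_hits=20, min_clients=3, min_unique=0.9):
    """Flag shapes with a constant text value and a near-unique number per hit.

    Thresholds are illustrative assumptions and would need tuning per site.
    """
    stats = defaultdict(
        lambda: {"hits": 0, "clients": set(), "numbers": set(), "rounds": 0}
    )
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        shape, numbers, rounds = request_shape(m["target"])
        s = stats[shape]
        s["hits"] += 1
        s["clients"].add(m["ip"])
        s["rounds"] = max(s["rounds"], rounds)
        if numbers:
            s["numbers"].add(numbers)

    findings = []
    for (path, params), s in stats.items():
        fixed = {name: value for name, value in params if value != "<num>"}
        if (fixed and s["hits"] >= min_hits
                and len(s["clients"]) >= min_clients
                and len(s["numbers"]) >= min_unique * s["hits"]):
            findings.append({
                "path": path,
                "fixed": fixed,
                "hits": s["hits"],
                "clients": len(s["clients"]),
                "double_encoded": s["rounds"] >= 2,
            })
    return findings


def build_sample_log():
    """Constructed log: 30 flood-style requests plus 40 ordinary visitors."""
    lines = []
    for i in range(30):  # five clients, constant msg, a new id on every request
        ip = f"198.51.100.{10 + i % 5}"
        target = f"/app/?id={1292337572944 + i}&msg=BOOM%2520HEADSHOT!"
        lines.append(f'{ip} - - [04/Oct/2013:10:11:{i:02d} +0000] "GET {target} HTTP/1.1" 200 512')
    for i in range(40):  # flash crowd: many clients, identical ordinary URLs
        ip = f"203.0.113.{i + 1}"
        target = "/search?q=mars+rover" if i % 2 else "/gallery/?page=1"
        lines.append(f'{ip} - - [04/Oct/2013:10:12:{i:02d} +0000] "GET {target} HTTP/1.1" 200 20480')
    return lines


if __name__ == "__main__":
    for finding in find_flood_signatures(build_sample_log()):
        print(finding)
```
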

          • icon
            John Fenderson (profile), 4 Oct 2013 @ 1:24pm

            Re: Re: Re: Re:

            "Somehow, I don't think "BOOM HEADSHOT!" is a typical query"


            It's not, but that's irrelevant to my point. It is an allowed & legal query, just meaningless. It is not an attempt to subvert security.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 8:14am

      Re:

      The thing is, popular websites like slashdot or Penny Arcade can effectively DDoS a website they link to, just due to sheer number of fans going to look at a website that isn't up to that level of traffic. Not intentional attacks, but that's the way it works out. They could likely manage the same thing intentionally if they so wished. So you'd really need to be a bit more nuanced in your definition if you don't want to include some normal behavior as "hacking".


      • identicon
        boomslang, 4 Oct 2013 @ 8:22am

        Re: Re:

        This is an interesting point. It's certainly conceivable that someone could post to a forum-like site in such a way to attract a large number of users to visit a link and flood the server, effectively DDoS-ing it. It would be very difficult to prove malicious intent in this case.


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 8:34am

          Re: Re: Re:

          That's just silly, how does more legitimate traffic constitute an attack? The site is intended to serve legitimate traffic, that a website can not handle the amount of legitimate traffic it receives is not the fault of those visiting it. Would the site owner rather reduce or limit the amount of legitimate traffic it receives?

          Plus legitimate traffic brings in more advertising dollars to pay for more bandwidth whereas DDOS attacks do not interest advertisers.


          • identicon
            Anonymous Coward, 4 Oct 2013 @ 9:01am

            Re: Re: Re: Re:

            There's no difference from the server's perspective between some guys using bot nets to continuously send 100,000 requests to a server that can only handle 50,000 requests, Slashdot posting a link that gets 300,000 people continuously attempting to connect to a server that can only handle 50,000 requests, or one of the makers of Penny Arcade posting an angry rant about someone and linking to their website, resulting in 500,000 people continuously attempting to connect to a server that can only handle 50,000 requests.

            In all cases from the perspective of the server, it's receiving too many legitimate requests to handle, its bandwidth and processing power is consumed, and it's overloaded and crashes bringing the site down for hours. There's nothing technologically different on its end.


            • identicon
              Anonymous Coward, 4 Oct 2013 @ 9:58am

              Re: Re: Re: Re: Re:

              An attack reduces the amount of legitimate users that can visit the site. The site owner's objective is to serve (more) legitimate users and directing more legitimate traffic to the site better serves more legitimate users whereas an attack prevents the site from serving (as many) legitimate users.

              If the site owner paid to serve 5000 legitimate users at a time and 10,000 legitimate users want to use it then only 5000 can get in. The site owner didn't pay to handle the rest of the 5,000, no harm no foul. But under an attack the site can now only serve 2,000 legitimate users which is less than what the site owner paid for and so the site owner is being harmed. Plus now advertisers are getting revenue from only 2000 legitimate users while paying to serve 5,000 which reduces the site's income while keeping expenses high.

              The owner is concerned with the number of legitimate users the site can serve and reducing that amount works against the interests of the owner.

              The owner doesn't care about your technical assessment. If my television breaks because the UPS guy dropped it on the way or because of a manufacturer defect I, the owner, do not care about technically why it doesn't work and about the technical aspects of how it works. I paid for x and got y and if I don't get what I paid for the law ought to make it right.


              • identicon
                Anonymous Coward, 4 Oct 2013 @ 9:59am

                Re: Re: Re: Re: Re: Re:

                "which reduces the site's income while keeping expenses high." (because now advertisers will pay less).


            • identicon
              Anonymous Coward, 4 Oct 2013 @ 10:20am

              Re: Re: Re: Re: Re:

              And if I am hit by a car crossing the street and break my leg, it makes no difference to my leg whether it was a pure accident or if it was the result of malicious vehicular assault. In either case, my leg is broken.

              But one scenario certainly makes more difference to me and the police. The Ends don't justify the Means or Intent.


          • identicon
            Anonymous Coward, 4 Oct 2013 @ 10:21am

            Re: Re: Re: Re:

            So if legitimate traffic shuts down a website by overloading it, it's legal, but if illegitimate traffic shuts down a website as a form of protest, it's not? I think the constitution has something to say about that form of reasoning.


      • identicon
        Anonymous Coward, 4 Oct 2013 @ 10:19am

        Re: Re:

        Is Oprah guilty of DDOSing the KFC website a few years back? Is Axl Rose guilty of DDOSing the Dr. Pepper website by releasing a new album and causing everyone to go ask for their free Dr. Pepper?


    • identicon
      Me, 4 Oct 2013 @ 8:18am

      Re:

      That's a lot of postage.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 8:26am

      Re:

      Plus, the IP protocols (TCP, UDP) pretty much ensure that you will receive the traffic that's headed to you no matter what you do (bar some fault in the hardware along the way). There's no way to say "Hey everyone! Stop sending me data from *this* guy because he's spamming me.".

      All the victim can do is start dropping packets until the attack stops. In the meantime, the server is dead.


      Regarding "being public", I don't know about the US, but in my country we have rules against causing disturbances in communication channels, public or private.

      A DDOS attack is the equivalent of jamming a radio channel or cell phones. And that's illegal, regardless of how public that channel is.


      • icon
        John Fenderson (profile), 4 Oct 2013 @ 8:43am

        Re: Re:

        "A DDOS attack is the equivalent of jamming a radio channel or cell phones"


        No, a DDOS attack is more the equivalent of sending a few dozen truckloads of physical mail on the same day.


      • identicon
        Anonymous Coward, 4 Oct 2013 @ 5:46pm

        Re: Re:

        "Plus, the IP protocols (TCP, UDP) pretty much ensure that you will receive the traffic that's headed to you no matter what you do (bar some fault in the hardware along the way)."

        Well, no. If there isn't sufficient bandwidth for all your traffic to reach the recipient (say because the recipient is being overloaded with other traffic) the packets might just get dropped by the routers in transit.


    • icon
      MikeC (profile), 4 Oct 2013 @ 8:56am

      Re: Letters

      How would sending some business thousands of letters be illegal? They publish an address, accept mail. Don't see how that would be illegal and by your analogy a ddos attack isn't either.


      • icon
        art guerrilla (profile), 4 Oct 2013 @ 1:03pm

        Re: Re: Letters

        it does NOT matter if it is IDENTICAL to 'sit-ins', in both intent and practice: The They (tm) don't like it, and that is all that matters...

        i'm certain The They (tm) WOULD 'outlaw' sit-ins and other inconvenient protests if they could (which they have tried)...

        it really has NOTHING to do with rational thinking, fairness, applying constitutional principles, blah blah blah; it is ALL about control: they don't want pesky sheeple making a stink over anything, anywhere, anytime...

        *that* is the bottom line...


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 9:04am

      Re:

      "but a DDOSer intentionally uses the bandwidth of thousands of computers"

      Presumably without their permission. In other words, the access to the computers actually PERFORMING the DDOS is unauthorized. Unless this guy just happens to have thousands of computers sitting around.

      Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime. It's like "borrowing" someone's car to drive around a business you don't like. Even if they weren't using it at the time, that doesn't make it OK.


      • icon
        John Fenderson (profile), 4 Oct 2013 @ 9:25am

        Re: Re:

        "Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime"


        And it is. That really is the sort of thing that the CFAA was designed to address. The crime wasn't perpetrated against the site being DDOSed, though, but rather against the machines subverted to be part of the botnet.

        However, with things like the LOIC, this component doesn't exist as every machine taking part in it is doing so voluntarily.


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 10:25am

          Re: Re: Re:

          I'd also note: if LOIC is illegal, so are the tools used by every company that does load testing.


      • identicon
        Anonymous Coward, 4 Oct 2013 @ 9:36am

        Re: Re:

        >Hijacking my computer to make it participate in a "protest" without my permission SHOULD be a crime.

        1: DDOSing doesn't involve hijacking your computer.
        2: Hijacking someone's computer is already a crime. You're thinking a BotNet.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 9:11am

      Re:

      I largely agree. Except it seems that a better analogy is that the public sidewalk in front of your store is jammed by thousands of protesters prohibiting legitimate customers from accessing it.


      • identicon
        Anonymous Coward, 4 Oct 2013 @ 9:19am

        Re: Re:

        "jammed by thousands of protesters"

        More like it's jammed by two actual protesters and thousands of bystanders dragged there by the protesters against their will.


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 9:34am

          Re: Re: Re:

          LOIC requires opt in.

          Botnet takedowns with infected unknowing machines that are slaves is one thing, LOIC though requires you to activate it and join in, making it not against their will.


        • identicon
          Anonymous Coward, 4 Oct 2013 @ 10:12am

          Re: Re: Re:

          Good point. I agree.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 9:34am

      Re:

      Actually no. Your analogy about mail is incorrect.

      A DDoS attack is more similar to a check-out line at the grocery store, but instead of using a single cart a user is using 500 carts to exit the check out lane and paying in change - holding up the cashier.

      There is no 'damage' and the only thing that is being affected would be the hosting account that is being targeted. While it's an asshole thing to do, it shouldn't be considered hacking, if anything it should be something along the lines of a misdemeanor followed by a fine - not jail time.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 10:10am

      Re:

      "A quick real-world analogy would be a business that gets one physical letter in the mail from each of its customers, but is then suddenly inundated by thousands of letters all spammed by the same individual."

      Kind of like all the tons of peanuts sent to a television network when Jericho was cancelled? That wasn't criminal. Neither is sending thousands of letters to a business, as long as you pay the postage.


    • identicon
      tek, 5 Oct 2013 @ 1:41pm

      Re:

      Which refutes your own point.

      It's not *illegal* nor subject to years of jail time to send thousands of letters.


  • icon
    Ninja (profile), 4 Oct 2013 @ 6:11am

    "Again, I'll make clear that I think DDoS attacks are dumb, counterproductive and immature."

    Are they? From your linked article:

    "There's nothing at all creative about taking down the MPAA and the RIAA -- and all it does is serve to reinforce their misguided prejudices that it's just a bunch of unruly kids who dislike them. On top of that, it gives them more ammo to position themselves as being persecuted by a small minority. It's a dumb move that looks bad and does a lot more harm than good from a group that should know better."

    Aren't any and all forms of revolt against an established system treated as such by the system itself? I have mixed feelings on ddos attacks mainly because usually there are botnets involved but if several thousand people decided to load their LOICs and participate in a coordinated ddos what's the difference? What's the difference of defacing a website and Greenpeace setting a giant banner in a public monument?

    I think those are part of the arsenal the people from this new millennium have at their disposal to revolt, to show discontent and vent their frustration with the contempt the Governments are showing towards them.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 7:54am

      Re:

      Going to have to agree with this.

      "should know better" is the kind of thing people say at protests in real life when they disagree with them. This is why you can have protests that have police MACE people who are peacefully sitting around and doing nothing.

      The establishment will always see a protest against the status quo as hostile, and many will protest the protest because it "makes things worse."


    • identicon
      out_of_the_blue, 4 Oct 2013 @ 8:27am

      Re: @ "What's the difference of defacing a website"

      "What's the difference of defacing a website and Greenpeace setting a giant banner in a public monument?"

      a) "defacing a website" is invading private property
      b) also causing actual harm in work needed to restore
      c) also suppressing that entity's speech
      d) the latter IS "free speech" on public property.

      The c point pretty much covers my take: for you who rant about lawful actions taking down a website, you are totally inconsistent when it's done UNlawfully. Looks to me like you kids just okay whatever if you like the criminal and/or don't like the victim.


      • identicon
        Anonymous Coward, 4 Oct 2013 @ 8:43am

        Re: Re: @ "What's the difference of defacing a website"

        a) A public website is not private property, the site is not altered in a DDOS.

        b) No work is needed to restore, the site gets flooded with traffic and it goes down, once the traffic stops and the webhost turns the switch back on the site goes back up.

        c) That entity has many avenues for speech, including after the DDOS. There is no permanent silencing effect on the speech, it frequently lasts a single day, if that long. Secondly, criminal charges on people for doing the equivalent of an internet sit in is silencing their speech.

        d) What? This is free speech on the internet.

        This isn't HACKING or DEFACING a website, which may be unlawful. This is simply preventing the website from working, something which actual protests are allowed to do to real physical businesses.

        And let's not be silly, a company's website going down for a day, while disruptive, isn't causing any harm.


        • icon
          Thomas (profile), 4 Oct 2013 @ 8:58am

          Re: Re: Re: @ "What's the difference of defacing a website"

          "a) A public website is not private property, the site is not altered in a DDOS."

          Dude what?


          • identicon
            Anonymous Coward, 4 Oct 2013 @ 9:10am

            Re: Re: Re: Re: @ "What's the difference of defacing a website"

            The site is A) up, or B) down.

            A public facing website gives the public tacit permission to access it.

            If the website goes down due to an overabundance of traffic, the underlying website is not affected, it's the hosting of the website that has buckled under the traffic load.

            No alteration occurs to the site, nothing on the website is CHANGED, just that access to the site is unavailable.


      • icon
        Ninja (profile), 4 Oct 2013 @ 10:14am

        Re: Re: @ "What's the difference of defacing a website"

        "a) "defacing a website" is invading private property"

        No, it is not. And unlike a real building the only work needed is to restore a previous state and do the security job in a more efficient way. The public/private thing blurs when the buildings are private but open to the public which is the case for websites.

        "b) also causing actual harm in work needed to restore"

        Same with real world activism. You block traffic and disrupt a lot of everyday activities which have economic costs. And yet you don't condemn such protests at least not if you aren't some totalitarianism-apologist.

        "c) also suppressing that entity's speech"

        It's not, the site can be brought back to its previous state anytime. No physical hardware is compromised or need any repair.

        "d) the latter IS "free speech" on public property."

        Both are.

        "for you who rant about lawful actions taking down a website, you are totally inconsistent when it's done UNlawfully"

        There is a point in the society when the law loses its meaning and law enforcement gets out of control. At those times, unlawful behavior is the only way to revert things back. Schindler's actions when saving these Jewish people were unlawful according to the Nazi Germany law. History has much to teach us little padawan, don't turn your back on it ;)


  • identicon
    Anonymous Coward, 4 Oct 2013 @ 7:58am

    "In the midst of these attacks, we questioned if they were really criminal acts or more like the equivalent of a sit-in, in which people were disrupting a business for the sake of public protest."

    Um, you do realize that people participating in a sit-in get arrested because they are committing a criminal act, right?

    "Furthermore, you can make an argument that these weren't done "without authorization," because all a DDoS does is point a ton of traffic at a website. If that web server is open to the public, then isn't there authorization? It's just that the web server gets flooded."

    Do I have your authorization to DDOS techdirt.com, bringing down your website? This stuff isn't hard, Mikey.


    • icon
      Chris Rhodes (profile), 4 Oct 2013 @ 8:33am

      Re:

      "Do I have your authorization to DDOS techdirt.com, bringing down your website? This stuff isn't hard, Mikey."
      I don't want people to call me an asshole on the internet, but that doesn't mean it's a violation of the law to do so.

      This stuff isn't hard, AC.


    • identicon
      Anonymous Coward, 4 Oct 2013 @ 8:44am

      Re:

      Except sit-ins aren't criminal acts.

      link to this | view in chronology ]

    • icon
      Karl (profile), 4 Oct 2013 @ 10:46pm

      Re:

      Oh, good, Cowardly A.J. takes another swipe in the Techdirt comments. You know it's him, because:

      1. He presents his opinions as absolutes, that nobody could possibly disagree with: "This stuff isn't hard..."

      2. He does it in the most condescending way possible: "...Mikey."

      As it happens, you're incorrect, yet again:

      Do I have your authorization to DDOS techdirt.com, bringing down your website?

      You're confusing "permission" with "authorization." For the purposes of 18 USC 1030, "authorization" means "authorized to access a computer," not "authorized by the owner of the computer."

      There is no question whatsoever that, on an individual level, every request made by a DDoS is authorized under the CFAA.

      The question is whether the sheer bulk of authorized accesses, possibly in combination with the intent of the accessor, turns authorized access into unauthorized access.

      Mike said that this is an open question. I think it is probably not unauthorized under the CFAA, you probably think it is. But either way, you're wrong when you said "this stuff isn't hard."

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2013 @ 5:27pm

      Re:

      I don't expect anyone whose best argument for months is "Bawk, bawk, cluck, moo" to have the technical capability and gumption to DDOS a website.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 8:08am

    Sit ins too were illegal once.

    The DOJ just wants to win no matter how absurd their logic is, what the consequences will be, I don't think they waste time thinking about those things, they just see "shiny" and go for it.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 8:10am

    Well to be fair a DDoS attack could "most likely would" cost considerably more than a sit-in. The last sit-in I saw did not prevent me from making a purchase. A DDoS attack can completely bring down any server if the attack is large enough.

    I don't agree with the CFAA though or jail time, they should have to pay back the cost.
    I only say that because back in 2001 I was running a game server that ended up coming under fire of a DDoS attack. It ended up costing just over $900 which brought my normal bill of $150 to $1050.

    The end result was me closing my server down since I could not afford that kind of bill.

    link to this | view in chronology ]

    • icon
      Ninja (profile), 4 Oct 2013 @ 10:32am

      Re:

      Seems your attack was malicious. There can be public demonstrations with malicious intent that will cause severe damage (Black Blocks, anyone?). Not that they are wrong per se, sometimes a little destruction may go a long way towards change (I don't quite agree with the BBs' methods though). I think the intent of the damages has to be taken into account.

      Also, sit-ins need police to be constantly watching which raises costs and the local business may suffer due to people avoiding the place. It's not that simple as you can see.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Oct 2013 @ 10:33am

      Re:

      Sounds like small claims court, not a federal crime.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 8:12am

    Imaginary crimes to silence the masses .. next thing "woman hits attacker with smart phone "john wasntme who allegedly attacked jane cellphoneslinger is suing and the DoJ has his back under the CFAA she'll be charged and sentenced to public hanging

    link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 4 Oct 2013 @ 8:14am

    Ummm did we miss the original target was a company hired by the cartels to DDOS sites they didn't like?
    http://torrentfreak.com/anonymous-members-indicted-for-ddosing-pirate-bay-enemies-131004/

    Where is that indictment?
    Or are we still playing corporations are people with special rights that put them above the law?

    link to this | view in chronology ]

  • identicon
    mark, 4 Oct 2013 @ 8:28am

    Why aren't these deals considered extortion? They should only prosecute if the chances of a guilty verdict are greater than 50%. So on the other side the promised reduction in such deals shouldn't be allowed to offer more than a 50% reduction.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 9:05am

    'Is It Really A CFAA Violation To DDoS A Website?'

    of course it is! well, when one of the USA security services is taking the case to court and it's over a website that isn't seen as 'illegal'. i haven't come across any info as yet that says the website that was the subject of the 'revenge' had any charges against it for DDoSing TPB! i suppose that was because Hollywood, the US entertainment industries and the security services it has in its back pockets thought it was not a problem. if court action is going to be taken against those accused of DDoSing AiPlex Software, the company that admitted being the culprits for the DDoS attacks against websites, including TPB, then there has to be a court case against AiPlex Software too.
    the DoJ are doing this, yet again, because they have been told to by the heads of the entertainment industries and no other reason. they will also do the same sort of thing as they have tried against Kim Dotcom, ie, lie, cheat, deceive and manipulate what the law is, what it says, what the 'secret meanings' are and anything they can possibly think of just to get a conviction!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 9:35am

    It's not even close to a sit-in. Whoever thinks that has no idea how technology works.

    In a sit-in, you don't make sure the target gets billed an extraordinary amount of money, whereas in a (D)DoS, the target will have to spend money to pay for the incoming attack, which can quickly go in the thousands of dollars depending on your provider.

    Sure, you may bring some of the same effects to the target, but some are completely different and the consequences can be much more disastrous with an attack than a sit-in.

    link to this | view in chronology ]

    • icon
      Ninja (profile), 4 Oct 2013 @ 10:29am

      Re:

      Really? So if the sit-in drives customers away it's ok, right? Nope, not a problem. In a DDoS you can turn off the connection to avoid further costs. In a sit-in you can't turn off the people and sit-ins can last for weeks or months.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 4 Oct 2013 @ 1:32pm

      Re:

      in a (D)DoS, the target will have to spend money to pay for the incoming attack


      That all depends on the particular hosting arrangement you have. If one of my websites is DDOSed, it won't cost me an additional penny in bandwidth fees, as I pay a flat rate. Once my cap is reached, then my site is disconnected until the next billing cycle, though.

      Also, any quality host will allow you to set up thresholds so that if a DDOS is noticed, bandwidth can be automatically restricted or the site disconnected until the DDOS ends. This tends to be a very effective way of dealing with the problem.

      In the end, with appropriate hosting plans, you can ensure that you won't get any surprise bills ever, for the small cost of simply disconnecting the site until the DDOS ends. (The cost is small because people probably can't reach the site until then anyway, so nothing is lost).

      link to this | view in chronology ]
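An added illustration of the threshold approach described in the comment above (not code from the commenter or from any hosting provider): a disconnect-and-reconnect breaker run over constructed per-minute traffic, comparing metered overage with and without it. The thresholds, included quota, price and traffic figures are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed per-minute inbound traffic in MB: normal load, a flood, recovery.
SAMPLE_MB_PER_MIN = [40, 45, 38, 42, 900, 1500, 1800, 1700, 1600, 60, 44, 41, 39, 43]

@dataclass
class Breaker:
    trip_mb: int       # disconnect after a minute that exceeds this volume
    clear_mb: int      # offered load below this counts as a calm minute
    calm_minutes: int  # consecutive calm minutes required before reconnecting
    connected: bool = True
    _calm: int = 0

    def step(self, offered_mb):
        """Return the MB served (and therefore billed) for this minute."""
        if self.connected:
            if offered_mb > self.trip_mb:
                # Assumption: the trip is detected at the end of the minute,
                # so the tripping minute itself is still served and billed.
                self.connected = False
                self._calm = 0
            return offered_mb
        # Disconnected: the edge still observes offered load, but serves nothing.
        self._calm = self._calm + 1 if offered_mb < self.clear_mb else 0
        if self._calm >= self.calm_minutes:
            self.connected = True  # takes effect from the next minute
        return 0

def simulate(samples, breaker=None, included_mb=2000, price_per_mb=0.05):
    """Bill a traffic series on a metered plan, optionally behind a breaker."""
    billed = offline = 0
    for mb in samples:
        if breaker is None:
            billed += mb
            continue
        if not breaker.connected:
            offline += 1
        billed += breaker.step(mb)
    overage = round(max(0, billed - included_mb) * price_per_mb, 2)
    return {"billed_mb": billed, "offline_minutes": offline, "overage": overage}

if __name__ == "__main__":
    print("no breaker:  ", simulate(SAMPLE_MB_PER_MIN))
    print("with breaker:", simulate(
        SAMPLE_MB_PER_MIN, Breaker(trip_mb=500, clear_mb=100, calm_minutes=2)))
```

The calm-minutes window is the trade-off: it keeps the site from flapping back online mid-flood, at the price of staying offline slightly longer than the flood itself.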

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 10:00am

    They only know the identities of the indicted individuals for this and other Internet related crimes simply because of the NSA's backbone and service logging abilities.

    They can launder the evidence to be something unrelated all they want, but the rest of us know better.

    They used it against Kim Dotcom and just about everything else non-terrorism related.

    link to this | view in chronology ]

  • identicon
    michael, 4 Oct 2013 @ 10:14am

    Not really a sit-in

    A sit-in requires me to be present -- it's a form of protest because I give up my anonymity and my free time. It's me giving up something in exchange for making a statement.

    DDOS, while I think the "damage" claim is ridiculous, causes me to give up nothing. I can DDOS ten thousand websites at a time, given the resources, so any "protest" I may be engaging in is costing me nothing, negating the whole concept of "protest." If you're not an idiot, you'll never be caught, and your name will never be associated with a statement of any sort.

    If it's a form of protest, it's one for lazy cowards.

    link to this | view in chronology ]

    • icon
      Ninja (profile), 4 Oct 2013 @ 10:20am

      Re: Not really a sit-in

      It depends. What you said is true if botnets are used. When a bunch of people use LOICs for instance things change. You are voluntarily donating your computer and resources. And it can be identified from the logs (unless you use anonymizing methods but I'm not sure if the attack would be efficient).

      If it's a form of protest, it's one for lazy cowards.

      Really? Can't you think of other types of anonymous protests throughout history? And considering how computers and the Internet reduced much of the effort needed for many things (ie: you don't need to go through several piles of books in a library to research a subject) do you really think it's laziness? Does it mean that we should go back to search exclusively in libraries or risk being labeled lazy?

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Oct 2013 @ 10:29am

      Re: Not really a sit-in

      The fact that it's a protest does not hinge in any way at all on you giving anonymity or even free time. If you wear a mask at a sit-in does it magically make it not a sit-in? You also contradict yourself rather extremely when you go from claiming you give up nothing to saying you could "DDOS ten thousand websites at a time, given the resources." Which is it, do you give up nothing or do you need resources?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 10:14am

    It's worth pointing out that the DDoS attacks in question were a retaliation against an antipiracy company announcing that it was going to DDoS the Pirate Bay.

    I don't see anyone from that company getting indicted, though. So much for justice being blind.

    link to this | view in chronology ]

  • identicon
    Chris Brand, 4 Oct 2013 @ 10:18am

    "Damage" to a "computer"

    To my mind, "damage" doesn't go away when the thing causing it goes away - you can't "damage" my car by putting a sheet over the windshield. The effects of a DDOS attack only last as long as the attack itself.

    Also, a "website" isn't a "computer". A DDOS attack really doesn't hurt the computer at all - it just keeps it really, really busy. Yes, it may get so busy that the website effectively goes down, but the computer is generally still fine (barring things like overheating or failing power supplies due to the extra work).

    So it does feel like overreaching to apply this statute in this case.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 10:36am

    DDoS attacks are also used against pedophile sites. Why does the DoJ want to support pedophiles? Think of the children!

    link to this | view in chronology ]

  • identicon
    Aon, 4 Oct 2013 @ 11:28am

    conspiracy, or peaceful assembly?

    The difference between a DoS and DDoS is conspiracy. That word has been demonized/criminalized only recently (1977).
    http://en.wikipedia.org/wiki/Conspiracy_(crime)#Common_law_offence
    But then there is the matter of drawing a line between conspiracy and the right of peaceful assembly. A DDoS is not a riot, though prosecutors will make that claim.

    link to this | view in chronology ]

  • identicon
    Xycaler, 4 Oct 2013 @ 11:46am

    CFAA and NSA

    This CFAA is great stuff. While looking up the section quoted in the article, I surfed around and found 1039(a)(4):


    (4) accessing customer accounts of a covered entity via the Internet, or by means of conduct that violates section 1030 of this title, without prior authorization from the customer to whom such confidential phone records information relates;


    Sound familiar to anyone?

    link to this | view in chronology ]

  • identicon
    Xycaler, 4 Oct 2013 @ 11:51am

    1030(e)(2)(b) says:
    (2) the term “protected computer” means a computer—
    (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;


    Which... that's kind of dubious don't you think?

    Unfortunately, 1030(e)(8) says:
    the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;


    Eurgh.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 2:21pm

    Slashdot Effect

    Invoking the slashdot effect is the ultimate legal form of DDOS. It is perfectly legal legitimate traffic that brings it crashing down. Say if the RIAA website went down in the wake of a scandal from people checking to see what insane form of logic they used to defend themselves or emailing complaints to them.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Oct 2013 @ 5:14pm

    it's not really about "HOW" you did it, it's about what you achieved and WHY!

    Yes, going to a web site once to read what is on it is a lot different to creating a bot to spam pings and shut down a web site. It's not how you shut the web site down, it's you DID shut it down and why.

    It's not how you do it, it's what you did and why.

    Motive and intent.
    Yes, it is the same as jamming a TV broadcast or a radio broadcast.

    The 'fine' would include loss of trade, cost of restoration, punitive damage and loss of goodwill, and legal expenses.

    link to this | view in chronology ]

  • icon
    Bergman (profile), 4 Oct 2013 @ 10:41pm

    If a DDoS violates the CFAA...

    Wouldn't the way ICE seizes websites also be a CFAA violation?

    link to this | view in chronology ]

