I take your point if they were actually using our bandwidth to launch attacks. That's not what's happening here. Instead, they're putting marketing sites behind us. I'm not sure where the line gets drawn:
• A site that actively encourages 3rd parties to launch attacks
• A Twitter account that takes requests on sites that people want DDoSed
• A phone number that you can call and request attacks get launched
• A blog that provides instructions on how to launch attacks
• A company that sells boxes that facilitate oppressive regimes censoring the Internet
• The political sites of the oppressive regimes themselves
• A search engine that includes DDoS for hire sites in its index
Agree that if there's something that is per se harmful then the choice is easy. What's hard is that the universe of per se harmful is pretty small.
Thank you for the thoughtful reply, I see where you're coming from.
I personally think the line can be drawn, not perfectly, but pretty comfortably at the point where they are taking payment to execute the attack. In this context, they would either be accepting money with intent to commit a crime, or committing fraud by taking payment to not conduct that activity. Either way, it is highly obvious that a crime will be committed there.
I've seen parallels of this approach in hitman-for-hire stings. Payment for the assassination is usually the point where criminal intent to murder is made - they don't wait for someone to actually be killed to determine if it's "the real deal" or not.
Your follow-up will probably note that this involves law enforcement, and I understand why you don't want to go there. I run a service with 90,000 hosted sites and I run into similar issues all the time. But outsourcing this to public law enforcement to go after is a really tall order. They're simply not going to have the resources to approach this problem. And even if they do, they're being expected to focus those resources on the more "critical" issues of our time (terrorism, murder, etc).
There is also, IMHO, a general understanding that (forgetting the illegal NSA dragnets for a moment), as a trade off for government generally leaving their hands off the internet, we police ourselves voluntarily in situations where it's necessary for the network to function. Up until now, we've done a pretty good job at that. After watching DDoS attack capabilities triple within a year, I'm not so sure anymore.
I fear what might happen if we cannot figure out how to come together to take on the DDoS problem (for everyone, not just a few large autonomous organizations), and we start to see more government intervention in this space to address the problem. Any such legal intervention would likely also contain a bunch of wonderful earmarks by the lobbyists-of-the-moment, further constraining our ability to provide people with free speech protections.
Anyways, I'll stop here because I think we've both made our points. I don't think it's as blurry of a line as you do, but I agree that it's a blurry line. Thanks for chiming in.
• A site that actively encourages 3rd parties to launch attacks
• A Twitter account that takes requests on sites that people want DDoSed
• A phone number that you can call and request attacks get launched
• A blog that provides instructions on how to launch attacks
• A company that sells boxes that facilitate oppressive regimes censoring the Internet
• The political sites of the oppressive regimes themselves
• A search engine that includes DDoS for hire sites in its index
Agree that if there's something that is per se harmful then the choice is easy. What's hard is that the universe of per se harmful is pretty small.